05-12-2007, 09:52 PM   #6
Kicks
Registered User
 
Join Date: Mar 2007
Posts: 20
OS: XP


Re: Crazy Popups and Spyware now no Desktop

Thanks again! My PC is doing better and better! You guys are the best!
The logs...

OTMoveIt
C:\WINDOWS\SYSTEM32\ihkmp.bak2 moved successfully.
C:\WINDOWS\SYSTEM32\ihkmp.ini2 moved successfully.
C:\WINDOWS\SYSTEM32\ihkmp.bak1 moved successfully.
C:\WINDOWS\SYSTEM32\accdd.ini2 moved successfully.
C:\WINDOWS\SYSTEM32\rifakdn.dll unregistered successfully.
C:\WINDOWS\SYSTEM32\rifakdn.dll moved successfully.
C:\WINDOWS\SYSTEM32\tz***ke.dll unregistered successfully.
C:\WINDOWS\SYSTEM32\tz***ke.dll moved successfully.
DllUnregisterServer procedure not found in C:\WINDOWS\SYSTEM32\bbdacadfbcebcd.dll
C:\WINDOWS\SYSTEM32\bbdacadfbcebcd.dll NOT unregistered.
C:\WINDOWS\SYSTEM32\bbdacadfbcebcd.dll moved successfully.
C:\WINDOWS\SYSTEM32\zpcxcyc.dll unregistered successfully.
C:\WINDOWS\SYSTEM32\zpcxcyc.dll moved successfully.
C:\WINDOWS\SYSTEM32\cpiicbc.dll unregistered successfully.
C:\WINDOWS\SYSTEM32\cpiicbc.dll moved successfully.
C:\WINDOWS\system32\accdd.bak2 moved successfully.
C:\WINDOWS\system32\accdd.bak1 moved successfully.
C:\WINDOWS\system32\ywdlat.dll unregistered successfully.
C:\WINDOWS\system32\ywdlat.dll moved successfully.
C:\WINDOWS\system32\xgokgxl.dll unregistered successfully.
C:\WINDOWS\system32\xgokgxl.dll moved successfully.
DllUnregisterServer procedure not found in C:\WINDOWS\system32\qvcjvfj.dll
C:\WINDOWS\system32\qvcjvfj.dll NOT unregistered.
C:\WINDOWS\system32\qvcjvfj.dll moved successfully.
DllUnregisterServer procedure not found in C:\WINDOWS\system32\clhrzsb.dll
C:\WINDOWS\system32\clhrzsb.dll NOT unregistered.
C:\WINDOWS\system32\clhrzsb.dll moved successfully.
DllUnregisterServer procedure not found in C:\WINDOWS\system32\dntopsd.dll
C:\WINDOWS\system32\dntopsd.dll NOT unregistered.
C:\WINDOWS\system32\dntopsd.dll moved successfully.
DllUnregisterServer procedure not found in C:\WINDOWS\system32\phyeppn.dll
C:\WINDOWS\system32\phyeppn.dll NOT unregistered.
C:\WINDOWS\system32\phyeppn.dll moved successfully.
DllUnregisterServer procedure not found in C:\WINDOWS\system32\nwqajmf.dll
C:\WINDOWS\system32\nwqajmf.dll NOT unregistered.
C:\WINDOWS\system32\nwqajmf.dll moved successfully.
DllUnregisterServer procedure not found in C:\WINDOWS\system32\qeeddch.dll
C:\WINDOWS\system32\qeeddch.dll NOT unregistered.
C:\WINDOWS\system32\qeeddch.dll moved successfully.
C:\Program Files\Enigma Software Group moved successfully.
C:\Program Files\Ultimate Cleaner moved successfully.
C:\WINDOWS\system32\jgnxjbj.dll unregistered successfully.
C:\WINDOWS\system32\jgnxjbj.dll moved successfully.
DllUnregisterServer procedure not found in C:\WINDOWS\system32\trdqsad.dll
C:\WINDOWS\system32\trdqsad.dll NOT unregistered.
C:\WINDOWS\system32\trdqsad.dll moved successfully.
LoadLibrary failed for C:\WINDOWS\winuk.dll
C:\WINDOWS\winuk.dll NOT unregistered.
C:\WINDOWS\winuk.dll moved successfully.
C:\WINDOWS\mstasks4.exe moved successfully.
LoadLibrary failed for C:\WINDOWS\mfqwx.dll
C:\WINDOWS\mfqwx.dll NOT unregistered.
C:\WINDOWS\mfqwx.dll moved successfully.
LoadLibrary failed for C:\WINDOWS\mfcca.dll
C:\WINDOWS\mfcca.dll NOT unregistered.
C:\WINDOWS\mfcca.dll moved successfully.
LoadLibrary failed for C:\WINDOWS\javamf.dll
C:\WINDOWS\javamf.dll NOT unregistered.
C:\WINDOWS\javamf.dll moved successfully.
LoadLibrary failed for C:\WINDOWS\javago32.dll
C:\WINDOWS\javago32.dll NOT unregistered.
C:\WINDOWS\javago32.dll moved successfully.
LoadLibrary failed for C:\WINDOWS\ieli.dll
C:\WINDOWS\ieli.dll NOT unregistered.
C:\WINDOWS\ieli.dll moved successfully.
LoadLibrary failed for C:\WINDOWS\hsyua.dll
C:\WINDOWS\hsyua.dll NOT unregistered.
C:\WINDOWS\hsyua.dll moved successfully.
LoadLibrary failed for C:\WINDOWS\crsk32.dll
C:\WINDOWS\crsk32.dll NOT unregistered.
C:\WINDOWS\crsk32.dll moved successfully.
LoadLibrary failed for C:\WINDOWS\crge32.dll
C:\WINDOWS\crge32.dll NOT unregistered.
C:\WINDOWS\crge32.dll moved successfully.
LoadLibrary failed for C:\WINDOWS\apidx.dll
C:\WINDOWS\apidx.dll NOT unregistered.
C:\WINDOWS\apidx.dll moved successfully.
Folder move failed. C:\Program Files\Common Files\qrwf\qrwfh scheduled to be moved on reboot.
Folder move failed. C:\Program Files\Common Files\qrwf\qrwfd\vocabulary scheduled to be moved on reboot.
Folder move failed. C:\Program Files\Common Files\qrwf\qrwfd\class-barrel scheduled to be moved on reboot.
C:\Program Files\Common Files\qrwf\qrwfd moved successfully.
C:\Program Files\Common Files\qrwf moved successfully.
DllUnregisterServer procedure not found in C:\WINDOWS\system32\ungpwhe.dll
C:\WINDOWS\system32\ungpwhe.dll NOT unregistered.
C:\WINDOWS\system32\ungpwhe.dll moved successfully.
C:\WINDOWS\system32\rqaatzc.dll unregistered successfully.
C:\WINDOWS\system32\rqaatzc.dll moved successfully.

Created on 05/12/2007 16:52:41

SMITFraud

SmitFraudFix v2.179

Scan done at 17:11:48.39, Sat 05/12/2007
Run from C:\Documents and Settings\Ocha\Desktop\SmitfraudFix
OS: Microsoft Windows XP [Version 5.1.2600] - Windows_NT
The filesystem type is NTFS
Fix run in safe mode

»»»»»»»»»»»»»»»»»»»»»»»» SharedTaskScheduler Before SmitFraudFix
!!!Attention, following keys are not inevitably infected!!!

SrchSTS.exe by S!Ri
Search SharedTaskScheduler's .dll

»»»»»»»»»»»»»»»»»»»»»»»» Killing process


»»»»»»»»»»»»»»»»»»»»»»»» hosts

127.0.0.1 localhost

»»»»»»»»»»»»»»»»»»»»»»»» Generic Renos Fix

GenericRenosFix by S!Ri


»»»»»»»»»»»»»»»»»»»»»»»» Deleting infected files

C:\WINDOWS\.protected Deleted
C:\WINDOWS\d3??.dll Deleted
C:\DOCUME~1\Ocha\STARTM~1\Programs\Startup\.protected Deleted
C:\DOCUME~1\ALLUSE~1\STARTM~1\Programs\Startup\.protected Deleted

»»»»»»»»»»»»»»»»»»»»»»»» DNS

HKLM\SYSTEM\CCS\Services\Tcpip\..\{39B3E711-6226-4DC3-B27D-58675AED8FF2}: DhcpNameServer=192.168.10.1
HKLM\SYSTEM\CS1\Services\Tcpip\..\{39B3E711-6226-4DC3-B27D-58675AED8FF2}: DhcpNameServer=192.168.10.1
HKLM\SYSTEM\CS2\Services\Tcpip\..\{39B3E711-6226-4DC3-B27D-58675AED8FF2}: DhcpNameServer=192.168.10.1
HKLM\SYSTEM\CS2\Services\Tcpip\..\{39B3E711-6226-4DC3-B27D-58675AED8FF2}: NameServer=85.255.113.90,85.255.112.5
HKLM\SYSTEM\CS3\Services\Tcpip\..\{39B3E711-6226-4DC3-B27D-58675AED8FF2}: DhcpNameServer=192.168.10.1
HKLM\SYSTEM\CS3\Services\Tcpip\..\{39B3E711-6226-4DC3-B27D-58675AED8FF2}: NameServer=85.255.113.90,85.255.112.5
HKLM\SYSTEM\CCS\Services\Tcpip\Parameters: DhcpNameServer=192.168.10.1
HKLM\SYSTEM\CS1\Services\Tcpip\Parameters: DhcpNameServer=192.168.10.1
HKLM\SYSTEM\CS2\Services\Tcpip\Parameters: DhcpNameServer=192.168.10.1
HKLM\SYSTEM\CS3\Services\Tcpip\Parameters: DhcpNameServer=192.168.10.1


»»»»»»»»»»»»»»»»»»»»»»»» Deleting Temp Files


»»»»»»»»»»»»»»»»»»»»»»»» Winlogon.System
!!!Attention, following keys are not inevitably infected!!!

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"System"="csvde.exe"


»»»»»»»»»»»»»»»»»»»»»»»» Registry Cleaning

Registry Cleaning done.

»»»»»»»»»»»»»»»»»»»»»»»» SharedTaskScheduler After SmitFraudFix
!!!Attention, following keys are not inevitably infected!!!

SrchSTS.exe by S!Ri
Search SharedTaskScheduler's .dll


»»»»»»»»»»»»»»»»»»»»»»»» End


AVG
(umm... the file is like 1600 lines and the attachment option isn't working for me right now)



Incident Status Location

Adware:adware/ncase Not disinfected c:\temp\salm.log
Adware:adware/searchaid Not disinfected c:\windows\system32\sdknh32.exe
Spyware:spyware/betterinet Not disinfected c:\windows\inf\biini.inf
Adware:adware/sidesearch Not disinfected C:\Documents and Settings\Ocha\Application Data\Lycos
Adware:adware/elitebar Not disinfected Windows Registry
Adware:adware/wupd Not disinfected Windows Registry
Adware:adware/ieplugin Not disinfected Windows Registry
Adware:adware/favoriteman Not disinfected Windows Registry
Adware:adware/ist.istbar Not disinfected Windows Registry
Adware:adware/exact.bargainbuddy Not disinfected Windows Registry
Adware:adware/ezula Not disinfected Windows Registry
Adware:Adware/DollarRevenue Not disinfected C:\contacts.pif
Virus:Trj/Agent.EKU Disinfected C:\Deckard\System Scanner\backup\DOCUME~1\Ocha\LOCALS~1\Temp\mst62.tmp
Adware:Adware/WinAntivirus2006 Not disinfected C:\Deckard\System Scanner\backup\DOCUME~1\Ocha\LOCALS~1\Temp\rtltyckk.dll
Potentially unwanted tool:Application/UltimateDefender Not disinfected C:\Deckard\System Scanner\backup\DOCUME~1\Ocha\LOCALS~1\Temp\__uia__.exe
Adware:Adware/Yazzle Not disinfected C:\Deckard\System Scanner\backup\WINDOWS\temp\win80A1.tmp.exe
Potentially unwanted tool:Application/NirCmd.A Not disinfected C:\Documents and Settings\Ocha\Desktop\ComboFix.exe[ComboFixT\nircmd.exe]
Potentially unwanted tool:Application/Processor Not disinfected C:\Documents and Settings\Ocha\Desktop\SmitfraudFix\Process.exe
Virus:Trj/Shutdown.Z Disinfected C:\Documents and Settings\Ocha\Desktop\SmitfraudFix\restart.exe
Security Risk:HackTool/Gendel.A Not disinfected C:\gendel32.exe
Adware:Adware/NavHelper Not disinfected C:\Program Files\WAV to MP3 Encoder\NH20040517.4a.EE.exe
Adware:Adware/Yazzle Not disinfected C:\QooBox\Quarantine\C\Program Files\Common Files\Yazzle1162OinUninstaller.exe.vir
Virus:Trj/Agent.EKU Disinfected C:\QooBox\Quarantine\C\WINDOWS\SYSTEM32\winrvc32.dll.vir
Adware:Adware/SearchAid Not disinfected C:\WINDOWS\b2_t_%22ACTRESS+FROM+OLD+NAVY+COMMERCIAL%22692.xml:xqmkp
Adware:Adware/SearchAid Not disinfected C:\WINDOWS\b2_t_%22DOS-J%2243.xml:fqifl
Adware:Adware/SearchAid Not disinfected C:\WINDOWS\b2_t_%22HANZO+FAQ%22758.xml:tzajj
Adware:Adware/SearchAid Not disinfected C:\WINDOWS\b2_t_%22I+AM+A+BUNNY%222.xml:whsja
Adware:Adware/SearchAid Not disinfected C:\WINDOWS\b2_t_%22LETTER+STENCIL%22357.xml:wrcdu
Adware:Adware/SearchAid Not disinfected C:\WINDOWS\b2_t_%22MY+LITTLE+FANTASY+MP3%22&422.xml:prjhy
Adware:Adware/SearchAid Not disinfected C:\WINDOWS\b2_t_%22SHOOTER+MAKER%22+HELP391.xml:voqiw
Adware:Adware/SearchAid Not disinfected C:\WINDOWS\b2_t_%2788+M6930.xml:tuieu
Adware:Adware/SearchAid Not disinfected C:\WINDOWS\b2_t_+SITE%3AWWW.CLUB-HARDBALL.COM+AVA177.xml:iapdi
Adware:Adware/SearchAid Not disinfected C:\WINDOWS\b2_t_+SITE%3AWWW.CLUB-HARDBALL.COM+BLACK&157.xml:xawiy
Adware:Adware/SearchAid Not disinfected C:\WINDOWS\b2_t_SEVEN+REASONS+WHY+SCORELAND+IS+%231948.xml:aklnd
Adware:Adware/SearchAid Not disinfected C:\WINDOWS\b2_t_SEVEN+REASONS+WHY+SCORELAND+IS+%231948.xml:cukkd
Adware:Adware/SearchAid Not disinfected C:\WINDOWS\b2_t_THE+MAID%27S+STORY+DOWNLOAD+HENTAI871.xml:sdbry
Adware:Adware/SearchAid Not disinfected C:\WINDOWS\b2_t_TOPLOADER+%22TIME+OF+MY+LIFE%22&882.xml:uilcq
Adware:Adware/SearchAid Not disinfected C:\WINDOWS\KB817778.log:katlu
Adware:Adware/SearchAid Not disinfected C:\WINDOWS\KB822603.log:ftpnq
Potentially unwanted tool:Application/NirCmd.A Not disinfected C:\WINDOWS\nircmd.exe
Adware:Adware/SearchAid Not disinfected C:\WINDOWS\OEWABLog.txt:wuujz
Potentially unwanted tool:Application/Processor Not disinfected C:\WINDOWS\SYSTEM32\Process.exe
Adware:Adware/SearchAid Not disinfected C:\WINDOWS\TWUNK_16(9).EXE:tudxh


Deckard's System Scanner v20070426.43
Run by Ocha on 2007-05-12 at 21:42:12
Computer is in Normal Mode.
--------------------------------------------------------------------------------



-- HijackThis (run as Ocha.exe) ------------------------------------------------

Logfile of HijackThis v1.99.1
Scan saved at 9:42:20 PM, on 5/12/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\Program Files\BillP Studios\WinPatrol\winpatrol.exe
C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
C:\Program Files\AIM95\aim.exe
C:\PROGRA~1\MOZILL~1\FIREFOX.EXE
C:\Documents and Settings\Ocha\Desktop\dss.exe
C:\DOCUME~1\Ocha\Desktop\Ocha.exe

O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [HP Software Update] "C:\Program Files\HP\HP Software Update\HPWuSchd2.exe"
O4 - HKLM\..\Run: [WinPatrol] C:\Program Files\BillP Studios\WinPatrol\winpatrol.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKCU\..\Run: [Weather] C:\Program Files\AWS\WeatherBug\Weather.exe 1
O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM95\aim.exe -cnetwait.odl
O4 - Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\system32\msjava.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\system32\msjava.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM95\aim.exe
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra button: WeatherBug - {AF6CABAB-61F9-4f12-A198-B7D41EF1CB52} - C:\PROGRA~1\AWS\WEATHE~1\Weather.exe (file missing) (HKCU)
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} (PCPitstop Utility) - http://www.pcpitstop.com/pcpitstop/PCPitStop.CAB
O16 - DPF: {1842B0EE-B597-11D4-8997-00104BD12D94} (iCC Class) - http://www.pcpitstop.com/internet/pcpConnCheck.cab
O16 - DPF: {48884C41-EFAC-433D-958A-9FADAC41408E} (EGamesPlugin Class) - https://www.e-games.com.my/com/EGamesPlugin.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2...ll/xscan53.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/actives...ree/asinst.cab
O16 - DPF: {CC05BC12-2AA2-4AC7-AC81-0E40F83B1ADF} (Live365Player Class) - http://www.live365.com/players/play365.cab
O16 - DPF: {D572CD64-9310-4712-8FFC-A4F9DC9D4AC1} (QbicUpdate Control) - http://qbic.hanafos.com/component/QbicUpdate.CAB
O16 - DPF: {DDE6FED7-88AB-405B-9D77-FD4CDA8B9EB5} (Qbic Control) - http://qbic.hanafos.com/component/Qbic.CAB
O16 - DPF: {E0BE586C-7C66-4909-94D6-D18BBBDD6373} (????????????) - http://app.filebank.co.jp/setup/win/fbx2.cab
O16 - DPF: {F54C1137-5E34-4B95-95A5-BA56D4D8D743} (Secure Delivery) - http://www.gamespot.com/KDX/kdx.cab
O16 - DPF: {F58E1CEF-A068-4C15-BA5E-587CAF3EE8C6} (MSN Chat Control 4.5) - http://fdl.msn.com/public/chat/msnchat45.cab
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
O23 - Service: Symantec Lic NetConnect service (CLTNetCnService) - Unknown owner - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe" /h ccCommon (file missing)
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: Intel NCS NetService (NetSvc) - Intel(R) Corporation - C:\Program Files\Intel\NCS\Sync\NetSvc.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe


-- Files created between 2007-04-12 and 2007-05-12 -----------------------------

2007-05-12 19:45:20 0 d-------- C:\WINDOWS\system32\ActiveScan
2007-05-12 19:45:13 0 d-------- C:\WINDOWS\LastGood
2007-05-10 23:38:15 996 --a------ C:\WINDOWS\system32\tmp.reg
2007-05-10 23:37:31 288417 --a------ C:\WINDOWS\system32\SrchSTS.exe <Not Verified; S!Ri; SrchSTS>
2007-05-10 23:37:31 53248 --a------ C:\WINDOWS\system32\Process.exe <Not Verified; http://www.beyondlogic.org; Command Line Process Utility>
2007-05-10 23:37:31 51200 --a------ C:\WINDOWS\system32\dumphive.exe
2007-05-09 22:56:41 0 d-------- C:\Documents and Settings\Ocha\Application Data\Symantec
2007-05-09 21:06:44 0 d-------- C:\Documents and Settings\Administrator\Application Data\AVG7
2007-05-09 21:05:49 0 d-------- C:\Documents and Settings\Administrator\Application Data\Talkback
2007-05-09 21:05:16 0 d-------- C:\Documents and Settings\Administrator\Application Data\Mozilla
2007-05-09 18:49:43 0 d-------- C:\Program Files\Norton 360
2007-05-09 18:44:48 0 d-------- C:\Program Files\Symantec
2007-05-09 18:43:25 0 d-------- C:\Documents and Settings\All Users\Application Data\Symantec
2007-05-09 18:41:33 0 d-------- C:\Program Files\Common Files\Symantec Shared
2007-05-09 04:18:48 0 dr-h----- C:\$VAULT$.AVG
2007-05-09 03:03:07 0 d-------- C:\Program Files\Microsoft CAPICOM 2.1.0.2
2007-05-04 16:35:00 0 d-------- C:\Documents and Settings\Ocha\Application Data\AVG7
2007-05-04 16:34:41 0 d-------- C:\Documents and Settings\LocalService\Application Data\AVG7
2007-05-04 16:34:18 0 d-------- C:\Documents and Settings\All Users\Application Data\Grisoft
2007-05-04 14:34:39 0 d-------- C:\Documents and Settings\All Users\Application Data\Avg7
2007-04-14 03:58:25 0 d-------- C:\Program Files\GUILTY GEAR XX #RELOAD


-- Find3M Report ---------------------------------------------------------------

2007-05-12 20:48:48 0 d-------- C:\Program Files\AIM95
2007-05-11 03:11:09 13358 --ahs---- C:\WINDOWS\system32\KGyGaAvL.sys
2007-05-09 20:05:00 0 d-------- C:\Documents and Settings\Ocha\Application Data\WeatherBug
2007-05-03 11:37:35 0 d-------- C:\Program Files\WAV to MP3 Encoder
2007-04-26 19:44:01 0 d-------- C:\Program Files\mIRC
2007-04-25 13:12:37 0 d-------- C:\Documents and Settings\Ocha\Application Data\uTorrent
2007-03-23 11:48:49 0 d-------- C:\Program Files\Windows Media Connect 2
2007-03-04 22:22:37 149504 --a------ C:\WINDOWS\UNWISE.EXE
2007-03-04 22:22:33 90112 --a------ C:\WINDOWS\unvise32.exe <Not Verified; MindVision Software; Installer VISE>
2007-03-04 22:22:05 0 --a------ C:\WINDOWS\test
2007-03-04 22:22:04 0 --a------ C:\WINDOWS\sysxr32.dll
2007-03-04 22:21:41 7473 --a------ C:\WINDOWS\plqca.dat
2007-03-04 22:21:38 3547 --a------ C:\WINDOWS\oncsc.dat
2007-03-04 22:21:38 0 --a----c- C:\WINDOWS\ofqd.exe
2007-03-04 22:21:34 0 --a----c- C:\WINDOWS\n_xdrfqf.dat
2007-03-04 22:21:34 29256 --a------ C:\WINDOWS\n_aqcvyu.dat
2007-03-04 22:21:34 29256 --a------ C:\WINDOWS\n_aakuom.dat
2007-03-04 22:21:33 0 --a----c- C:\WINDOWS\ntiy.dll
2007-03-04 22:21:32 335 --a------ C:\WINDOWS\nsreg.dat
2007-03-04 22:21:32 45056 --a------ C:\WINDOWS\NCUNINST.EXE <Not Verified; Northern Codeworks; Uninstall>
2007-03-04 22:20:55 8192 --a------ C:\WINDOWS\d3dx.dat
2007-03-04 22:19:32 0 --a----c- C:\WINDOWS\b2_t_%22NEKKETSU+KOUHA+KUNIO-KUN
2007-03-03 17:13:06 2 --a------ C:\1145084210
2007-02-19 15:45:33 155648 --a------ C:\WINDOWS\system32\PoporuAgent.exe <Not Verified; (?) ?? ??????; ??? ?? ?? ????>
2007-02-19 15:45:33 106496 --a------ C:\WINDOWS\system32\PoporuAgent.dll <Not Verified; (?) ?? ??????; ??? ?? ?? ????>


-- Registry Dump ---------------------------------------------------------------

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects]
{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run]
"NvCplDaemon"="RUNDLL32.EXE C:\\WINDOWS\\System32\\NvCpl.dll,NvStartup"
"HP Software Update"="\"C:\\Program Files\\HP\\HP Software Update\\HPWuSchd2.exe\""
"WinPatrol"="C:\\Program Files\\BillP Studios\\WinPatrol\\winpatrol.exe"
"AVG7_CC"="C:\\PROGRA~1\\Grisoft\\AVG7\\avgcc.exe /STARTUP"
"!AVG Anti-Spyware"="\"C:\\Program Files\\Grisoft\\AVG Anti-Spyware 7.5\\avgas.exe\" /minimized"

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run]
"Weather"="C:\\Program Files\\AWS\\WeatherBug\\Weather.exe 1"
"AIM"="C:\\Program Files\\AIM95\\aim.exe -cnetwait.odl"
"Sonic RecordNow!"=""

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]
"DisableRegistryTools"=dword:00000000

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]
"NoCDBurning"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer\Run]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{E44527F6-1296-4A84-B67D-A6CEA6ED4B69}"=""
"{6FE732D5-666F-4331-94BF-5AA3DA9C0B4B}"=""
"{57B86673-276A-48B2-BAE7-C6DBB3020EB8}"="AVG Anti-Spyware 7.5"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"system"="csvde.exe"

HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa
Authentication Packages REG_MULTI_SZ msv1_0\0\0
Security Packages REG_MULTI_SZ kerberos\0msv1_0\0schannel\0wdigest\0\0
Notification Packages REG_MULTI_SZ \0scecli\0scecli\0scecli\0scecli\0\0


[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RunDLL]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="bridge"
"hkey"="HKLM"
"command"="rundll32.exe \"C:\\WINDOWS\\Downloaded Program Files\\bridge.dll\",Load"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Svchost]
LocalService REG_MULTI_SZ Alerter\0WebClient\0LmHosts\0RemoteRegistry\0upnphost\0SSDPSRV\0\0
NetworkService REG_MULTI_SZ DnsCache\0\0
rpcss REG_MULTI_SZ RpcSs\0\0
imgsvc REG_MULTI_SZ StiSvc\0\0
termsvcs REG_MULTI_SZ TermService\0\0
HTTPFilter REG_MULTI_SZ HTTPFilter\0\0
Usnsvc REG_MULTI_SZ usnsvc\0\0
DcomLaunch REG_MULTI_SZ DcomLaunch\0TermService\0\0
WudfServiceGroup REG_MULTI_SZ WUDFSvc\0\0



-- End of Deckard's System Scanner: finished at 2007-05-12 at 21:43:10 ---------