Ronadin23

The main problems i'm having that i noticed so far are 2 minutes waiting for the icon to select which user account to log in to upon startup (just at the screen, its blank then takes 2 minutes for the icons to pop up) then I have pop up ads , and also my background is stuck on just blue i can't change it.

Here is my Hijack This Log results:

Logfile of HijackThis v1.99.1
Scan saved at 8:18:07 AM, on 3/19/2007
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\WINDOWS\System32\alg.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\Justin\Desktop\bhodmon1\BHODemon.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\notepad.exe
C:\Program Files\hijackThis\HijackThis.exe\Analyze.exe.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.comcast.net/home.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer presented by Comcast
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = :0
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx (disabled by BHODemon)
O2 - BHO: (no name) - {46df2e54-540e-440a-9aee-ec32adc61bfd} - C:\WINDOWS\system32\mfcgui.dll
O2 - BHO: Comcast Toolbar - {4E7BD74F-2B8D-469E-93BE-BE2DF4D9AE29} - C:\PROGRA~1\COMCAS~1\COMCAS~1.DLL (disabled by BHODemon)
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll (disabled by BHODemon)
O2 - BHO: MSNToolBandBHO - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Apps\MSN Toolbar\MSN Toolbar\01.02.5000.1021\en-us\msntb.dll (disabled by BHODemon)
O3 - Toolbar: MSN - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Apps\MSN Toolbar\MSN Toolbar\01.02.5000.1021\en-us\msntb.dll
O3 - Toolbar: Comcast Toolbar - {4E7BD74F-2B8D-469E-93BE-BE2DF4D9AE29} - C:\PROGRA~1\COMCAS~1\COMCAS~1.DLL__BHODemonDisabled (file missing)
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [ViewMgr] C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"
O4 - HKLM\..\Run: [tgcmd] C:\Program Files\Support.com\bin\tgcmd.exe /server /startmonitor /deaf
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [Lexmark_X79-55] C:\WINDOWS\System32\lsasss.exe
O4 - HKLM\..\RunOnce: [AAW] "C:\Program Files\Lavasoft\Ad-Aware SE Personal\Ad-Aware.exe" "+b1"
O4 - HKCU\..\Run: [ResChanger 2005] C:\Program Files\ResChanger 2005\ResChanger2005.exe
O4 - HKCU\..\RunOnce: [CheckNetworkConnection] "C:\Program Files\Support.com\providerComcast\desktopdoctor.exe" /flow /flow=diagnosenetwork /trayclick=true /haveconfirmedwiring=true /haverenewed=true /haverestartedmodem=true /onrestart=true /havehealed=true /issuenumber=cbaadbaf-f3cf-4d64-8bdd-0ff8568533a3
O20 - Winlogon Notify: mfcgui - C:\WINDOWS\SYSTEM32\mfcgui.dll
O23 - Service: Canon Camera Access Library 8 (CCALib8) - Canon Inc. - C:\Program Files\Canon\CAL\CALMAIN.exe
O23 - Service: COM+ Messages - Unknown owner - C:\WINDOWS\System32\svchosts.exe" -e te-110-12-0000213 (file missing)
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe



Here are my SmitFraudFix Results:

SmitFraudFix v2.144

Scan done at 8:15:20.39, Mon 03/19/2007
Run from C:\Documents and Settings\Justin\Desktop\SmitfraudFix
OS: Microsoft Windows XP [Version 5.1.2600] - Windows_NT
The filesystem type is NTFS
Fix run in normal mode

»»»»»»»»»»»»»»»»»»»»»»»» hosts


»»»»»»»»»»»»»»»»»»»»»»»» C:\


»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS


»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\system


»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\Web


»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\system32


»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\system32\LogFiles


»»»»»»»»»»»»»»»»»»»»»»»» C:\Documents and Settings\Justin


»»»»»»»»»»»»»»»»»»»»»»»» C:\Documents and Settings\Justin\Application Data

C:\Documents and Settings\Justin\Application Data\Install.dat FOUND !

»»»»»»»»»»»»»»»»»»»»»»»» Start Menu


»»»»»»»»»»»»»»»»»»»»»»»» C:\DOCUME~1\Justin\FAVORI~1


»»»»»»»»»»»»»»»»»»»»»»»» Desktop


»»»»»»»»»»»»»»»»»»»»»»»» C:\Program Files


»»»»»»»»»»»»»»»»»»»»»»»» Corrupted keys


»»»»»»»»»»»»»»»»»»»»»»»» Desktop Components



»»»»»»»»»»»»»»»»»»»»»»»» Sharedtaskscheduler
!!!Attention, following keys are not inevitably infected!!!

SrchSTS.exe by S!Ri
Search SharedTaskScheduler's .dll


»»»»»»»»»»»»»»»»»»»»»»»» AppInit_DLLs
!!!Attention, following keys are not inevitably infected!!!

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
"AppInit_DLLs"=""


»»»»»»»»»»»»»»»»»»»»»»»» Winlogon.System
!!!Attention, following keys are not inevitably infected!!!

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"System"=""


»»»»»»»»»»»»»»»»»»»»»»»» pe386-msguard-lzx32-huy32


»»»»»»»»»»»»»»»»»»»»»»»» Scanning wininet.dll infection


»»»»»»»»»»»»»»»»»»»»»»»» End

Any help is much appreciated. Thank you well in advance for your time and effort.

Ronadin

Ronadin23

Hijack this log file only: Please Help

Logfile of HijackThis v1.99.1
Scan saved at 9:04:24 PM, on 3/19/2007
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\WINDOWS\System32\alg.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\explorer.exe
C:\Documents and Settings\Justin\Desktop\bhodmon1\BHODemon.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\Program Files\Grisoft\AVG7\avgcc.exe
C:\Program Files\Grisoft\AVG7\avgwb.dat
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\HPZENG07.EXE
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\hijackThis\HijackThis.exe\Analyze.exe.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.comcast.net/home.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer presented by Comcast
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = :0
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx (disabled by BHODemon)
O2 - BHO: (no name) - {46df2e54-540e-440a-9aee-ec32adc61bfd} - C:\WINDOWS\system32\mfcgui.dll
O2 - BHO: Comcast Toolbar - {4E7BD74F-2B8D-469E-93BE-BE2DF4D9AE29} - C:\PROGRA~1\COMCAS~1\COMCAS~1.DLL (disabled by BHODemon)
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll (disabled by BHODemon)
O2 - BHO: MSNToolBandBHO - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Apps\MSN Toolbar\MSN Toolbar\01.02.5000.1021\en-us\msntb.dll (disabled by BHODemon)
O2 - BHO: (no name) - {D38439EC-4A7F-42b4-90C2-D810D7778FDD} - C:\WINDOWS\System32\tmpB9.tmp.dll
O3 - Toolbar: MSN - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Apps\MSN Toolbar\MSN Toolbar\01.02.5000.1021\en-us\msntb.dll
O3 - Toolbar: Comcast Toolbar - {4E7BD74F-2B8D-469E-93BE-BE2DF4D9AE29} - C:\PROGRA~1\COMCAS~1\COMCAS~1.DLL__BHODemonDisabled (file missing)
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [ViewMgr] C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"
O4 - HKLM\..\Run: [tgcmd] C:\Program Files\Support.com\bin\tgcmd.exe /server /startmonitor /deaf
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [Lexmark_X79-55] C:\WINDOWS\System32\lsasss.exe
O4 - HKLM\..\Run: [2chkdsk] rundll32.exe "C:\WINDOWS\xxvstu.dll",setvm
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKLM\..\RunOnce: [AAW] "C:\Program Files\Lavasoft\Ad-Aware SE Personal\Ad-Aware.exe" "+b1"
O4 - HKCU\..\Run: [ResChanger 2005] C:\Program Files\ResChanger 2005\ResChanger2005.exe
O4 - HKCU\..\RunOnce: [CheckNetworkConnection] "C:\Program Files\Support.com\providerComcast\desktopdoctor.exe" /flow /flow=diagnosenetwork /trayclick=true /haveconfirmedwiring=true /haverenewed=true /haverestartedmodem=true /onrestart=true /havehealed=true /issuenumber=cbaadbaf-f3cf-4d64-8bdd-0ff8568533a3
O20 - Winlogon Notify: mfcgui - C:\WINDOWS\SYSTEM32\mfcgui.dll
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
O23 - Service: Canon Camera Access Library 8 (CCALib8) - Canon Inc. - C:\Program Files\Canon\CAL\CALMAIN.exe
O23 - Service: COM+ Messages - Unknown owner - C:\WINDOWS\System32\svchosts.exe" -e te-110-12-0000213 (file missing)
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe

tetonbob

Hello and Welcome. Apologies for the delay, but the forum is very busy of late.

Please subscribe to this thread to get immediate notification of replies as soon as they are posted. To do this click Thread Tools, then click Subscribe to this Thread. Make sure it is set to Instant Notification, then click Subscribe.

Before beginning the fix, read this post completely. If there's anything that you do not understand, kindly ask your questions before proceeding. Ensure that there aren't any opened browsers when you are carrying out the procedures below. Save the following instructions in Notepad as this webpage would not be available when you're carrying out the fix.

It is IMPORTANT that you don't miss a step & perform everything in the correct order/sequence.

---------------------------------------------------------------------------------------------

1. Download combofix from one of these locations:
   • http://www.techsupportforum.com/sect...s/ComboFix.exe
   • http://download.bleepingcomputer.com/sUBs/ComboFix.exe
   
   
   * IMPORTANT !!! Place it on your Desktop.
   
   
2. Click the Windows 'Start' button > Select 'Run' - then copy/paste this into the run box & click OK
   

   "%userprofile%\desktop\combofix.exe" /v mfcgui xxvstu tmpB9.tmp

3. When finished, it shall produce a log for you. Post that log in your next reply.

Note:
Do not mouseclick combofix's window whilst it's running. That may cause it to stall.

---------------------------------------------------------------------------------------------

Open HijackThis and click on 'Do a System Scan Only'. Check the following entries if they exist (make sure you do not miss any) and click Fix Checked

O4 - HKLM\..\Run: [Lexmark_X79-55] C:\WINDOWS\System32\lsasss.exe
O4 - HKLM\..\Run: [2chkdsk] rundll32.exe "C:\WINDOWS\xxvstu.dll",setvm

Close HijackThis now.

---------------------------------------------------------------------------------------------

Go to My Computer->Tools->Folder Options->View tab:
* Under the Hidden files and folders heading, select Show hidden files and folders.
* Uncheck the Hide protected operating system files (recommended) option.
* Also make sure there is no checkmark beside Hide file extensions for known file types
* Click Yes to confirm and then click OK.


Delete the following if they exist:

C:\WINDOWS\System32\lsasss.exe<<<Note this exact spelling!! Three letter "s", not two. This is not the legit Windows file, C:\WINDOWS\system32\lsass.exe, which must NOT be deleted.

If it resists deletion, boot to safe mode and delete from there. To do so, should the need arise, follow these instructions:

Restart your computer and boot into Safe Mode by tapping the F8 key repeatedly until a menu shows up (and choose Safe Mode from the list). In some systems, this may be the F5 key, so try that if F8 doesn't work. Login on your usual account.

---------------------------------------------------------------------------------------------

Perform an online scan with Internet Explorer with Panda ActiveScan

1. Click on located at the bottom of the page.
2. A "pop up" window will appear. * Please ensure that your pop up blocker doesn't block it *
3. Enter your e-mail address, country, and state & click "Free Online Scan" *The download of the 8 MB Panda's ActiveX control will take place*

Begin the scan by selecting

• If it finds any malware, it will offer you a report.
• Please ignore any entry it finds and the offer to buy the program to remove the entry, as we will address this later.
• Click on then click

* You needn't remain online while it's doing the scan but you have to re-connect after it has finished to see the report.
* Turn off the real time scanner of any existing antivirus program while performing the online scan

---------------------------------------------------------------------------------------------

Download Deckard's System Scanner (DSS) to your Desktop. Note: You must be logged onto an account with administrator privileges.

1. Close all applications and windows.
2. Double-click on dss.exe to run it, and follow the prompts.
3. When the scan is complete, two text files will open - main.txt <- this one will be maximized and extra.txt <-this one will be minimized
4. Copy (Ctrl+A then Ctrl+C) and paste (Ctrl+V) the contents of main.txt here.
5. Please attach extra.txt to your post.

To attach a file to a new post, simply

1. Click the[Manage Attachments] button under Additional Options > Attach Files on the post composition page, and
2. copy and paste the following into the "Upload File from your Computer" box:

   C:\Deckard\System Scanner\extra.txt
   

3. Click Upload.

What DSS will do:

• create a new System Restore point in Windows XP and Vista.
• clean your Temporary Files, Downloaded Program Files, and Internet Cache Files, and also empty the Recycle Bin on all drives.
• check some important areas of your system and produce a report for your analyst to review. DSS automatically runs HijackThis for you, but it will also install and place a shortcut to HijackThis on your desktop if you do not already have HijackThis installed.

---------------------------------------------------------------------------------------------

Please return with results from:

ComboFix (C:\ComboFix.txt)
Panda online scan
DSS (main.txt and extra.txt)

__________________

** PC Safety and Security--What Do I Need? **

Proud Member of ASAP since 2005
Proud Member of UNITE since 2006

Ronadin23

Hi and thank you so much for your reply. I followed your advice as best I could however pandascan automatically would shut down before completion so I could not attain a log for you. However here are the other two logs you requested.

Thank you for your help so far and soon to come.

"Justin" - 07-03-21 14:14:10 Service Pack 1
ComboFix 07-03-22 - Running from: "C:\Documents and Settings\Justin\desktop"
Command switches used :: /v mfcgui xxvstu tmpB9.tmp

(((((((((((((((((((((((((((((((((((((((((((((((((( V Log )))))))))))))))))))))))))))))))))))))))))))))))))))))))


C:\WINDOWS\system32\mfcgui.dll


* * * POST RUN FILES/FOLDERS * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * *



(((((((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))


C:\WINDOWS\NDNuninstall6_38.exe
C:\WINDOWS\NDNuninstall7_22.exe
C:\WINDOWS\uninstall_nmon.vbs
C:\Program Files\cowabanga\License.txt
C:\Program Files\cowabanga\uninstaller.exe
C:\DOCUME~1\Justin\APPLIC~1.\install.dat
C:\DOCUME~1\Justin\Desktop\internet.lnk
C:\WINDOWS\system32\unsvchosts.lzma
C:\WINDOWS\system32\wintsu.exe
C:\DOCUME~1\LOCALS~1\APPLIC~1\NetMon
C:\Program Files\Common Files\{3CFB8~1
C:\Program Files\Common Files\{9CFB8~1
C:\Program Files\Common Files\{9CFB8~2
C:\Program Files\cowabanga
C:\Program Files\inetget2
~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ Purity ~ ~ ~ ~ ~ ~ ~ ~~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~
Folders Quarantined:
C:\qoobox\purity\DOCUME~1
C:\qoobox\purity\DOCUME~1\Justin
C:\qoobox\purity\DOCUME~1\Justin\APPLIC~1
C:\qoobox\purity\DOCUME~1\Justin\APPLIC~1\from.txt
C:\qoobox\purity\DOCUME~1\Justin\APPLIC~1\YSTEM~1
C:\qoobox\purity\Program Files\DOBE~1
C:\qoobox\purity\Program Files\Common Files\CURITY~1
C:\qoobox\purity\WINDOWS\system32\STEM32~1
C:\qoobox\purity\WINDOWS\system32\YMBOLS~1


((((((((((((((((((((((((((((((( Files Created from 2007-02-21 to 2007-03-21 ))))))))))))))))))))))))))))))))))


2007-03-19 15:50 <DIR> d--h----- C:\DOCUME~1\Justin\APPLIC~1\Move Networks
2007-03-18 18:37 <DIR> d-------- C:\Program Files\UBNet
2007-03-18 15:38 <DIR> d-------- C:\WINDOWS\system32\bak
2007-03-18 12:09 27,238 --a------ C:\WINDOWS\system32\jkhfc.exe
2007-03-18 11:53 8,535 --a------ C:\WINDOWS\system32\vtuttqq.dll
2007-02-25 18:30 <DIR> d-------- C:\Program Files\Hewlett-Packard
2007-02-24 03:04 2,322 --a------ C:\WINDOWS\system32\tmp.reg
2007-02-24 03:02 79,360 --a------ C:\WINDOWS\system32\swxcacls.exe
2007-02-24 03:02 53,248 --a------ C:\WINDOWS\system32\Process.exe
2007-02-24 03:02 51,200 --a------ C:\WINDOWS\system32\dumphive.exe
2007-02-24 03:02 40,960 --a------ C:\WINDOWS\system32\swsc.exe
2007-02-24 03:02 288,417 --a------ C:\WINDOWS\system32\SrchSTS.exe
2007-02-24 03:02 135,168 --a------ C:\WINDOWS\system32\swreg.exe
2007-02-24 02:50 76,560 --a------ C:\WINDOWS\system32\drivers\tmcomm.sys
2007-02-24 02:48 <DIR> d-------- C:\DOCUME~1\Justin\.housecall6.6
2007-02-24 02:38 <DIR> d-------- C:\DOCUME~1\Justin\APPLIC~1\IrfanView


(((((((((((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))))


2007-03-20 20:04 -------- d-------- C:\Program Files\quicktime
2007-03-20 20:04 -------- d-------- C:\Program Files\messenger
2007-03-20 20:04 -------- d-------- C:\Program Files\itunes
2007-03-20 19:32 -------- d-------- C:\Program Files\reschanger 2005
2007-03-19 17:17 -------- d-------- C:\Program Files\owt
2007-03-19 08:06 -------- d-------- C:\Program Files\rhapsody
2007-03-19 08:06 -------- d-------- C:\Program Files\real
2007-03-19 08:05 -------- d-------- C:\DOCUME~1\Justin\APPLIC~1\real
2007-03-18 18:34 -------- d-------- C:\Program Files\golden palace poker
2007-02-20 15:41 1068 --a------ C:\DOCUME~1\Justin\APPLIC~1\adobedlm.log
2007-02-07 21:09 -------- d-------- C:\Program Files\steam
2007-02-06 23:18 -------- d-------- C:\Program Files\Common Files\wise installation wizard
2007-02-06 23:07 -------- d-------- C:\Program Files\ventrilo
2007-02-06 22:43 -------- d-------- C:\Program Files\teamspeak2_rc2
2007-02-06 22:43 -------- d-------- C:\DOCUME~1\Justin\APPLIC~1\teamspeak2
2007-01-22 12:46 -------- d-------- C:\Program Files\canon
2007-01-22 01:54 -------- d-------- C:\Program Files\comcasttoolbar
2007-01-22 01:46 -------- d-------- C:\Program Files\egames
2007-01-22 01:45 -------- d-------- C:\Program Files\viewpoint
2007-01-22 01:42 -------- d--h----- C:\Program Files\windowsupdate
2007-01-12 10:36 720896 --a------ C:\WINDOWS\iun6002.exe
2007-01-12 10:15 22720 --a------ C:\WINDOWS\system32\emptyregdb.dat
2007-01-11 21:51 60416 --a------ C:\WINDOWS\alcfdrtm.exe
2006-12-25 12:46 1389747 --a------ C:\WINDOWS\mall tycoon 2 deluxe uninstaller.exe


(((((((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))

*Note* empty entries & legit default entries are not shown

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run]
"Steam"=""
"ResChanger 2005"="C:\\Program Files\\ResChanger 2005\\ResChanger2005.exe"

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\runonce]
"CheckNetworkConnection"="\"C:\\Program Files\\Support.com\\providerComcast\\desktopdoctor.exe\" /flow /flow=diagnosenetwork /trayclick=true /haveconfirmedwiring=true /haverenewed=true /haverestartedmodem=true /onrestart=true /havehealed=true /issuenumber=cbaadbaf-f3cf-4d64-8bdd-0ff8568533a3"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run]
"ViewMgr"="C:\\Program Files\\Viewpoint\\Viewpoint Manager\\ViewMgr.exe"
"SoundMan"="SOUNDMAN.EXE"
"NvCplDaemon"="RUNDLL32.EXE C:\\WINDOWS\\System32\\NvCpl.dll,NvStartup"
"NvMediaCenter"="RUNDLL32.EXE C:\\WINDOWS\\System32\\NvMcTray.dll,NvTaskbarInit"
"2chkdsk"="rundll32.exe \"C:\\WINDOWS\\xxvstu.dll\",setvm"
"AVG7_CC"="C:\\PROGRA~1\\Grisoft\\AVG7\\avgcc.exe /STARTUP"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\IMAIL]
"Installed"="1"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\MAPI]
"Installed"="1"
"NoChange"="1"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\MSFS]
"Installed"="1"


[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer\run]
"none"="C:\\Program Files\\Video ActiveX Object\\pmsngr.exe"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders]
"SecurityProviders"="msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll, xlibgfl254.dll"

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Svchost]
HTTPFilter REG_MULTI_SZ HTTPFilter\0\0
LocalService REG_MULTI_SZ Alerter\0WebClient\0LmHosts\0RemoteRegistry\0upnphost\0SSDPSRV\0\0
NetworkService REG_MULTI_SZ DnsCache\0\0
DcomLaunch REG_MULTI_SZ DcomLaunch\0TermService\0\0
rpcss REG_MULTI_SZ RpcSs\0\0
imgsvc REG_MULTI_SZ StiSvc\0\0
termsvcs REG_MULTI_SZ TermService\0\0
Usnsvc REG_MULTI_SZ usnsvc\0\0



********************************************************************

catchme 0.2 W2K/XP/Vista - userland rootkit detector by Gmer, 17 October 2006
http://www.gmer.net

scanning hidden processes ...

scanning hidden services ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden processes: 0
hidden services: 0
hidden files: 0

********************************************************************

Completion time: 07-03-21 14:21:09

forgot this one heres the main

Deckard's System Scanner v20070318.32
Run by Justin on 2007-03-21 at 14:45:37
Computer is in Normal Mode.
--------------------------------------------------------------------------------

-- System Restore --------------------------------------------------------------

Successfully created a Deckard's System Scanner Restore Point.


-- Last 5 Restore Point(s) --
62: 2007-03-21 19:45:41 UTC - RP62 - Deckard's System Scanner Restore Point
61: 2007-03-21 01:28:41 UTC - RP61 - System Checkpoint
60: 2007-03-19 1333 UTC - RP60 - Removed Rhapsody Player Engine
59: 2007-03-18 17:53:47 UTC - RP59 - System Checkpoint
58: 2007-03-09 21:42:25 UTC - RP58 - System Checkpoint


-- First Restore Point --
1: 2007-01-12 15:24:19 UTC - RP1 - System Checkpoint


Backed up registry hives.

Performed disk cleanup.


-- HijackThis (run as Justin.exe) ----------------------------------------------

Logfile of HijackThis v1.99.1
Scan saved at 2:46:15 PM, on 3/21/2007
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\HPZENG07.EXE
C:\Documents and Settings\Justin\Desktop\dss.exe
C:\PROGRA~1\HIJACK~1\HIJACK~1.EXE\Justin.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.comcast.net/home.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer presented by Comcast
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = :0
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx (disabled by BHODemon)
O2 - BHO: Comcast Toolbar - {4E7BD74F-2B8D-469E-93BE-BE2DF4D9AE29} - C:\PROGRA~1\COMCAS~1\COMCAS~1.DLL (disabled by BHODemon)
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll (disabled by BHODemon)
O2 - BHO: MSNToolBandBHO - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Apps\MSN Toolbar\MSN Toolbar\01.02.5000.1021\en-us\msntb.dll (disabled by BHODemon)
O3 - Toolbar: MSN - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Apps\MSN Toolbar\MSN Toolbar\01.02.5000.1021\en-us\msntb.dll
O3 - Toolbar: Comcast Toolbar - {4E7BD74F-2B8D-469E-93BE-BE2DF4D9AE29} - C:\PROGRA~1\COMCAS~1\COMCAS~1.DLL__BHODemonDisabled (file missing)
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [ViewMgr] C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKCU\..\Run: [ResChanger 2005] C:\Program Files\ResChanger 2005\ResChanger2005.exe
O4 - HKCU\..\RunOnce: [CheckNetworkConnection] "C:\Program Files\Support.com\providerComcast\desktopdoctor.exe" /flow /flow=diagnosenetwork /trayclick=true /haveconfirmedwiring=true /haverenewed=true /haverestartedmodem=true /onrestart=true /havehealed=true /issuenumber=cbaadbaf-f3cf-4d64-8bdd-0ff8568533a3
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/actives...ree/asinst.cab
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
O23 - Service: Canon Camera Access Library 8 (CCALib8) - Canon Inc. - C:\Program Files\Canon\CAL\CALMAIN.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe


-- HijackThis Fixed Entries (C:\PROGRA~1\HIJACK~1\HIJACK~1.EXE\backups\) -------

backup-20070318-183320-890 O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
backup-20070319-060636-564 O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
backup-20070319-073632-140 O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
backup-20070319-074528-940 O2 - BHO: (no name) - {46df2e54-540e-440a-9aee-ec32adc61bfd} - C:\WINDOWS\system32\mfcgui.dll
backup-20070319-075114-109 O2 - BHO: (no name) - {46df2e54-540e-440a-9aee-ec32adc61bfd} - C:\WINDOWS\system32\mfcgui.dll
backup-20070319-075123-908 O2 - BHO: (no name) - {46df2e54-540e-440a-9aee-ec32adc61bfd} - C:\WINDOWS\system32\mfcgui.dll
backup-20070319-075142-137 O2 - BHO: (no name) - {46df2e54-540e-440a-9aee-ec32adc61bfd} - C:\WINDOWS\system32\mfcgui.dll
backup-20070319-075224-691 O2 - BHO: (no name) - {D38439EC-4A7F-42b4-90C2-D810D7778FDD} - C:\WINDOWS\System32\tmp19.tmp.dll (disabled by BHODemon)
backup-20070319-075527-485 O20 - Winlogon Notify: mfcgui - C:\WINDOWS\SYSTEM32\mfcgui.dll
backup-20070319-075541-338 O20 - Winlogon Notify: mfcgui - C:\WINDOWS\SYSTEM32\mfcgui.dll
backup-20070319-075608-312 O4 - HKCU\..\Run: [Performance Center] C:\Program Files\Ascentive\Performance Center\ApcMain.exe -m
backup-20070319-075729-899 O4 - HKLM\..\Run: [IpWins] C:\Program Files\Ipwindows\ipwins.exe
backup-20070319-080055-679 O4 - HKLM\..\Run: [2chkdsk] rundll32.exe "C:\WINDOWS\fcccdc.dll",setvm
backup-20070319-080120-903 O2 - BHO: (no name) - {46df2e54-540e-440a-9aee-ec32adc61bfd} - C:\WINDOWS\system32\mfcgui.dll
backup-20070319-080455-812 O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
backup-20070319-080848-878 O2 - BHO: ST - {9394EDE7-C8B5-483E-8773-474BF36AF6E4} - C:\Program Files\MSN Apps\ST\01.03.0000.1005\en-xu\stmain.dll (disabled by BHODemon)
backup-20070319-080855-218 O2 - BHO: (no name) - {46df2e54-540e-440a-9aee-ec32adc61bfd} - C:\WINDOWS\system32\mfcgui.dll
backup-20070319-081002-344 O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
backup-20070319-081017-966 O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
backup-20070319-081027-890 O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
backup-20070319-081031-771 O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
backup-20070321-142400-459 O4 - HKLM\..\Run: [2chkdsk] rundll32.exe "C:\WINDOWS\xxvstu.dll",setvm

-- File Associations -----------------------------------------------------------

All associations okay.


-- Drivers: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled ---------------------

R0 viasraid - c:\windows\system32\drivers\viasraid.sys
R2 MCSTRM - c:\windows\system32\drivers\mcstrm.sys
R2 SVKP - c:\windows\system32\svkp.sys
R2 tmcomm - c:\windows\system32\drivers\tmcomm.sys
R3 MTsensor (ATK0110 ACPI UTILITY) - c:\windows\system32\drivers\asacpi.sys

S0 viaagp1 (VIA AGP Filter) - c:\windows\system32\drivers\viaagp1.sys (file missing)
S3 ALCXSENS (Service for WDM 3D Audio Driver) - c:\windows\system32\drivers\alcxsens.sys
S3 yukonwxp (NDIS5.1 Miniport Driver for Marvell Yukon Gigabit Ethernet Adapter) - c:\windows\system32\drivers\yukonwxp.sys


-- Services: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled --------------------

R2 uploadmgr (Upload Manager) - c:\windows\system32\svchost.exe -k netsvcs
R2 WmdmPmSp (Portable Media Serial Number) - c:\windows\system32\svchost.exe -k netsvcs

S2 CCALib8 (Canon Camera Access Library 8) - c:\program files\canon\cal\calmain.exe
S3 usnsvc (Messenger Sharing USN Journal Reader service) - c:\windows\system32\svchost.exe -k usnsvc


-- Files created between 2007-02-21 and 2007-03-21 -----------------------------

2007-03-21 14:27:52 0 d-------- C:\WINDOWS\System32\ActiveScan<ACTIVE~1>
2007-03-19 15:50:01 0 d--h----- C:\Documents and Settings\Justin\Application Data\Move Networks<MOVENE~1>
2007-03-18 18:37:03 0 d-------- C:\Program Files\UBNet
2007-03-18 15:38:43 0 d-------- C:\WINDOWS\System32\bak
2007-03-18 12:09:02 27238 --a------ C:\WINDOWS\System32\jkhfc.exe
2007-03-18 11:53:00 8535 --a------ C:\WINDOWS\System32\vtuttqq.dll
2007-02-25 18:30:17 0 d-------- C:\Program Files\Hewlett-Packard<HEWLET~1>
2007-02-24 03:04:08 2322 --a------ C:\WINDOWS\System32\tmp.reg
2007-02-24 03:02:43 79360 --a------ C:\WINDOWS\System32\swxcacls.exe
2007-02-24 03:02:43 40960 --a------ C:\WINDOWS\System32\swsc.exe
2007-02-24 03:02:43 135168 --a------ C:\WINDOWS\System32\swreg.exe
2007-02-24 03:02:43 288417 --a------ C:\WINDOWS\System32\SrchSTS.exe
2007-02-24 03:02:43 53248 --a------ C:\WINDOWS\System32\Process.exe
2007-02-24 03:02:43 51200 --a------ C:\WINDOWS\System32\dumphive.exe
2007-02-24 02:50:22 76560 --a------ C:\WINDOWS\System32\drivers\tmcomm.sys
2007-02-24 02:48:43 0 d-------- C:\Documents and Settings\Justin\.housecall6.6<HOUSEC~1.6>
2007-02-24 02:38:28 0 d-------- C:\Documents and Settings\Justin\Application Data\IrfanView<IRFANV~1>


-- Find3M Report ---------------------------------------------------------------

2007-03-21 08:00:02 0 d-------- C:\Documents and Settings\Justin\Application Data\AVG7
2007-03-20 20:04:41 0 d-------- C:\Program Files\QuickTime<QUICKT~1>
2007-03-20 20:04:41 0 d-------- C:\Program Files\Messenger<MESSEN~1>
2007-03-20 20:04:41 0 d-------- C:\Program Files\iTunes
2007-03-20 19:32:50 0 d-------- C:\Program Files\ResChanger 2005<RESCHA~1>
2007-03-19 17:17:11 0 d-------- C:\Program Files\owt
2007-03-19 0835 0 d-------- C:\Program Files\Real
2007-03-19 0827 0 d-------- C:\Program Files\Rhapsody
2007-03-19 08:05:34 0 d-------- C:\Program Files\Common Files\Real
2007-03-19 08:05:17 0 d-------- C:\Documents and Settings\Justin\Application Data\Real
2007-03-18 18:34:21 0 d-------- C:\Program Files\Golden Palace Poker<GOLDEN~1>
2007-02-20 16:23:14 0 d-------- C:\Program Files\Common Files\iizw
2007-02-20 15:41:02 1068 --a------ C:\Documents and Settings\Justin\Application Data\AdobeDLM.log
2007-02-07 21:09:54 0 d-------- C:\Program Files\Steam
2007-02-06 23:18:06 0 d-------- C:\Program Files\Common Files\Wise Installation Wizard<WISEIN~1>
2007-02-06 23:07:24 0 d-------- C:\Program Files\Ventrilo
2007-02-06 22:43:50 0 d-------- C:\Documents and Settings\Justin\Application Data\teamspeak2<TEAMSP~1>
2007-02-06 22:43:49 0 d-------- C:\Program Files\Teamspeak2_RC2<TEAMSP~1>
2007-01-22 12:46:16 0 d-------- C:\Program Files\Canon
2007-01-22 01:54:26 0 d-------- C:\Program Files\ComcastToolbar<COMCAS~1>
2007-01-22 01:46:14 0 d-------- C:\Program Files\eGames
2007-01-22 01:45:49 0 d-------- C:\Program Files\Viewpoint<VIEWPO~1>
2007-01-22 01:42:08 0 d--h----- C:\Program Files\WindowsUpdate<WINDOW~3>
2007-01-12 10:36:43 720896 --a------ C:\WINDOWS\iun6002.exe
2007-01-12 10:15:19 22720 --a------ C:\WINDOWS\System32\emptyregdb.dat<EMPTYR~1.DAT>
2007-01-11 21:51:17 60416 --a------ C:\WINDOWS\ALCFDRTM.EXE
2006-12-25 12:46:31 1389747 --a------ C:\WINDOWS\Mall Tycoon 2 Deluxe Uninstaller.exe<MALLTY~1.EXE>


-- Registry Dump ---------------------------------------------------------------


[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run]
"Steam"=""
"ResChanger 2005"="C:\\Program Files\\ResChanger 2005\\ResChanger2005.exe"

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\runonce]
"CheckNetworkConnection"="\"C:\\Program Files\\Support.com\\providerComcast\\desktopdoctor.exe\" /flow /flow=diagnosenetwork /trayclick=true /haveconfirmedwiring=true /haverenewed=true /haverestartedmodem=true /onrestart=true /havehealed=true /issuenumber=cbaadbaf-f3cf-4d64-8bdd-0ff8568533a3"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run]
"ViewMgr"="C:\\Program Files\\Viewpoint\\Viewpoint Manager\\ViewMgr.exe"
"SoundMan"="SOUNDMAN.EXE"
"NvCplDaemon"="RUNDLL32.EXE C:\\WINDOWS\\System32\\NvCpl.dll,NvStartup"
"NvMediaCenter"="RUNDLL32.EXE C:\\WINDOWS\\System32\\NvMcTray.dll,NvTaskbarInit"
"AVG7_CC"="C:\\PROGRA~1\\Grisoft\\AVG7\\avgcc.exe /STARTUP"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\IMAIL]
"Installed"="1"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\MAPI]
"Installed"="1"
"NoChange"="1"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\MSFS]
"Installed"="1"


[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer\run]
"none"="C:\\Program Files\\Video ActiveX Object\\pmsngr.exe"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders]
"SecurityProviders"="msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll, xlibgfl254.dll"

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Svchost]
HTTPFilter REG_MULTI_SZ HTTPFilter\0\0
LocalService REG_MULTI_SZ Alerter\0WebClient\0LmHosts\0RemoteRegistry\0upnphost\0SSDPSRV\0\0
NetworkService REG_MULTI_SZ DnsCache\0\0
DcomLaunch REG_MULTI_SZ DcomLaunch\0TermService\0\0
rpcss REG_MULTI_SZ RpcSs\0\0
imgsvc REG_MULTI_SZ StiSvc\0\0
termsvcs REG_MULTI_SZ TermService\0\0
Usnsvc REG_MULTI_SZ usnsvc\0\0



-- End of Deckard's System Scanner: finished at 2007-03-21 at 14:46:29 ---------

Attached Files

	ComboFix.txt (7.3 KB, 1 views)
	extra.txt (10.1 KB, 1 views)
	main.txt (14.4 KB, 1 views)

tetonbob

Please print out or copy these instructions/tutorial to Notepad as the internet will not (while in Safe Mode) be available to you at certain points of the removal process. Make sure to work through all the Steps in the exact order in which they are listed below. If there's anything that you don't understand, ask your question(s) before moving on with the fixes.

I see you have SmitfraudFix already. This tool is updated frequently, and you don't have the latest updates.

Double-click smitfraudfix.exe to start the tool.
Select option #4 - Check for Updates by typing 4 and press "Enter"

Follow the prompts and make sure your firewall allows access to the internet.

Once the update is complete, Exit SmitfraudFix by typing Q and pressing Enter, once you get back to the main screen.

---------------------------------------------------------------------------------------------

Download AVG Anti Spyware

Use the link at the bottom of the page under "AVG Anti-Spyware Free for Windows"

• Install AVG Anti Spyware
• Double-click the icon on Desktop to launch AVG
• On the top of the main screen click Shield
• Click the word active to change it to inactive
• On the top of the main screen click Update.
• Then click on Start Update. The update will start and a progress bar will show the updates being installed.
• Once the update has completed select the "Scanner" icon at the top of the screen, then select the "Settings" tab.
• Once in the Settings screen click on "Recommended actions" and then select "Quarantine".
• Under "Reports"
  • Select "Automatically generate report after every scan"
  • Un-Select "Only if threats were found"

When you have finished updating, EXIT AVG Anti Spyware. Do Not run a scan just yet, we will shortly.

---------------------------------------------------------------------------------------------

Please download ATF Cleaner by Atribune.
This program is for XP and Windows 2000 only

• We'll use this later.
  
  ---------------------------------------------------------------------------------------------
  
  Copy and paste the following into Notepad (don't forget to copy and paste REGEDIT4):
  
  
  Quote:

  REGEDIT4 [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer\run] "none"=-

  Save the file as "delete.reg". Make sure to save it with the quotes. It should look like this:
  
  Close Notepad.
  
  Double click on the delete.reg file and choose Yes to merge/add it to the registry. You may delete the file afterwards.
  
  ---------------------------------------------------------------------------------------------
  
  Reboot your computer in Safe Mode.
  • If the computer is running, shut down Windows, and then turn off the power.
  • Wait 30 seconds, and then turn the computer on.
  • Start tapping the F8 key. The Windows Advanced Options Menu appears. If you begin tapping the F8 key too soon, some computers display a "keyboard error" message. To resolve this, restart the computer and try again.
  • Ensure that the Safe Mode option is selected.
  • Press Enter. The computer then begins to start in Safe mode.
  • Login on your usual account.
  
  ---------------------------------------------------------------------------------------------
  
  Double-click smitfraudfix.exe to start the tool.
  Select option #2 - Clean by typing 2 and press Enter.
  Wait for the tool to complete and disk cleanup to finish.
  You will be prompted : " Registry cleaning - Do you want to clean the registry?" answer Yes by typing Y and hit Enter.
  The tool will also check if wininet.dll is infected. If a clean version is found, you will be prompted to replace wininet.dll. Answer Yes to the question " Replace infected file?" by typing Y and hit Enter.
  
  A reboot may be needed to finish the cleaning process, if you computer does not restart automatically please do it yourself manually. Reboot back into in Safe Mode.
  
  The tool will create a log named rapport.txt in the root of your drive, eg: Local Disk C: (C:\rapport.txt) or partition where your operating system is installed. Please post that log along with all others requested in your next reply.
  
  ---------------------------------------------------------------------------------------------
  
  Go to My Computer->Tools->Folder Options->View tab:
  * Under the Hidden files and folders heading, select Show hidden files and folders.
  * Uncheck the Hide protected operating system files (recommended) option.
  * Also make sure there is no checkmark beside Hide file extensions for known file types
  * Click Yes to confirm and then click OK.
  
  
  Delete the following if they exist:
  
  C:\WINDOWS\System32\jkhfc.exe
  C:\WINDOWS\System32\vtuttqq.dll
  
  ---------------------------------------------------------------------------------------------
  
  Clean out your Temporary Internet files.
  
  Double-click ATF-Cleaner.exe to run the program.
  Under Main choose: Select All
  Click the Empty Selected button.

If you use Firefox browser

• Click Firefox at the top and choose: Select All
  Click the Empty Selected button.
  NOTE: If you would like to keep your saved passwords, please click No at the prompt.

If you use Opera browser

• Click Opera at the top and choose: Select All
  Click the Empty Selected button.
  NOTE: If you would like to keep your saved passwords, please click No at the prompt.

Click Exit on the Main menu to close the program.
For Technical Support, double-click the e-mail address located at the bottom of each menu.

---------------------------------------------------------------------------------------------


Next go to Control Panel click Display>Desktop>Customize Desktop>Web> Now, Uncheck Everything and delete if present:

• "Security Info"
• "Warning Message"
• "Security Desktop"
• "Warning Homepage"
• "Desktop Uninstall" or something similar

Also make sure the 'Lock desktop items' box is unticked. Click OK, and then Click Apply, then OK.

---------------------------------------------------------------------------------------------

Run AVG Anti-Spyware with it's updated definitions:(...it's important that all windows must be closed)

• Click Scanner
• Click on the Scan tab
• Click Complete System Scan to begin scanning.
  Once the scan is complete do the following:
• If you have any infections you will prompted, then select "Apply all actions"
• Once finished, click the Save report button, then click Save Report As and save it to your desktop. (make sure to remember where you saved that file, this is important).

Restart in normal mode.

---------------------------------------------------------------------------------------------

Double-click smitfraudfix.exe to start the tool.
Select option #3 - Delete Trusted zone by typing 3 and press Enter
Answer Yes to the question "Restore Trusted Zone ?" by typing Y and hit Enter.

Note, if you use SpywareBlaster and/or IE-SPYAD, it will be necessary to re-install the protection both afford. For SpywareBlaster, run the program and re-protect all items. For IE-SPYAD, run the batch file and reinstall the protection.

---------------------------------------------------------------------------------------------

Your Java is out of date. Older versions have vulnerabilities that malware can use to infect your system. Please follow these steps to remove older version Java components and update.

Updating Java:

• Download the latest version of Java Runtime Environment (JRE) 6.
• Scroll down to where it says "The J2SE Runtime Environment (JRE) allows end-users to run Java applications".
• Click the "Download" button to the right.
• Check the box that says: "Accept License Agreement".
• The page will refresh.
• Click on the link to download Windows Offline Installation with or without Multi-language and save to your desktop.
• Close any programs you may have running - especially your web browser.
• Go to Start > Control Panel double-click on Add/Remove programs and remove all older versions of Java.
• Check any item with Java Runtime Environment (JRE or J2SE) in the name. In your case, it is J2SE Runtime Environment 5.0 Update 4 and J2SE Runtime Environment 5.0 Update 6
• Click the Remove or Change/Remove button.
• Repeat as many times as necessary to remove each Java versions.
• Reboot your computer once all Java components are removed.
• Then from your desktop double-click on jre-6-windowsi586-p.exe to install the newest version.

• After the install is complete, go back into the Control Panel and double-click the Java Icon.
• Under Temporary Internet Files, click the Delete Files button.
• There are three options in the window to clear the cache - Leave ALL 3 Checked
  • Downloaded Applets
  • Downloaded Applications
  • Other Files
• Click OK on Delete Temporary Files Window
  Note: This deletes ALL the Downloaded Applications and Applets from the CACHE.
• Click OK to leave the Java Control Panel.

---------------------------------------------------------------------------------------------

Establish an internet connection & perform an online scan with Internet Explorer at Kaspersky Online Scanner

Answer Yes, when prompted to install an ActiveX component.

• The program will then begin downloading the latest definition files.
• Once the files have been downloaded click on NEXT
• Locate the Scan Settings button & configure to:
  • Scan using the following Anti-Virus database:
    • Extended
  • Scan Options:
    • Scan Archives
    • Scan Mail Bases
• Click OK & have it scan My Computer
• Once the scan is complete, it will display if your system has been infected. It does not provide an option to clean/disinfect. We only require a report from it.
• Click the Save as Text button to save the file to your desktop so that you may post it in your next reply

* Turn off the real time scanner of any existing antivirus program while performing the online scan

Note for Internet Explorer 7 users: If at any time you have trouble viewing the accept button of the licence, click on the Zoom tool located at the bottom right of the IE window and set the zoom to 75 %. Once the license accepted, reset to 100%.

---------------------------------------------------------------------------------------------

Run a new HijackThis scan. Save the log file and post it here.

---------------------------------------------------------------------------------------------

Then post the following logs in your next reply...

C:\rapport.txt (log from the tool)
AVG Anti-Spyware log
Kaspersky log
Hijackthis log

Let me know how your system is behaving, please.

__________________

** PC Safety and Security--What Do I Need? **

Proud Member of ASAP since 2005
Proud Member of UNITE since 2006

Ronadin23

Everything seems to be running better and the background problem is fixed so thank you so much! The only problem still remaining is at startup, after the black windows xp loading screen, when it converts to the blue windows xp screen where the different account icons pop up and u choose which one to enter windows under, this screen stays blank with no icons for a good 1 - 2 minutes and the computer is not doing any sort of loading/thinking while it is sitting there. This is only a minor inconvenience so as long as i get all the viruses gone its not a huge deal.

Here are the reports you requested and thank you for everything again.

SmitFraudFix v2.152

Scan done at 7:29:32.37, Thu 03/22/2007
Run from C:\Documents and Settings\Justin\Desktop\SmitfraudFix
OS: Microsoft Windows XP [Version 5.1.2600] - Windows_NT
The filesystem type is NTFS
Fix run in safe mode

»»»»»»»»»»»»»»»»»»»»»»»» SharedTaskScheduler Before SmitFraudFix
!!!Attention, following keys are not inevitably infected!!!

SrchSTS.exe by S!Ri
Search SharedTaskScheduler's .dll

»»»»»»»»»»»»»»»»»»»»»»»» Killing process


»»»»»»»»»»»»»»»»»»»»»»»» hosts

127.0.0.1 localhost

»»»»»»»»»»»»»»»»»»»»»»»» Generic Renos Fix

GenericRenosFix by S!Ri


»»»»»»»»»»»»»»»»»»»»»»»» Deleting infected files


»»»»»»»»»»»»»»»»»»»»»»»» Deleting Temp Files


»»»»»»»»»»»»»»»»»»»»»»»» Winlogon.System
!!!Attention, following keys are not inevitably infected!!!

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"System"=""


»»»»»»»»»»»»»»»»»»»»»»»» Registry Cleaning

Registry Cleaning done.

»»»»»»»»»»»»»»»»»»»»»»»» SharedTaskScheduler After SmitFraudFix
!!!Attention, following keys are not inevitably infected!!!

SrchSTS.exe by S!Ri
Search SharedTaskScheduler's .dll


»»»»»»»»»»»»»»»»»»»»»»»» End

---------------------------------------------------------
AVG Anti-Spyware - Scan Report
---------------------------------------------------------

+ Created at: 7:59:27 AM 3/22/2007

+ Scan result:



C:\Program Files\ComcastToolbar\comcasttoolbar.dll -> Adware.BHO : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{27D73E76-83DE-4C86-8712-A64927C1D821}\RP61\A0007254.exe -> Adware.NewDotNet : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{27D73E76-83DE-4C86-8712-A64927C1D821}\RP61\A0007255.exe -> Adware.NewDotNet : Cleaned with backup (quarantined).
HKU\S-1-5-21-343818398-1500820517-839522115-1004\Software\New.net -> Adware.NewDotNet : Cleaned with backup (quarantined).


::Report end

Attached Files

	rapport.txt (1.2 KB, 1 views)
	Report-Scan-20070322-075927.txt (1.5 KB, 1 views)

Ronadin23

2 more sorry they didn't go through on last one for some reason

Logfile of HijackThis v1.99.1
Scan saved at 9:00:01 AM, on 3/22/2007
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Ventrilo\Ventrilo.exe
C:\Program Files\hijackThis\HijackThis.exe\Analyze.exe.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer presented by Comcast
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = :0
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx (disabled by BHODemon)
O2 - BHO: Comcast Toolbar - {4E7BD74F-2B8D-469E-93BE-BE2DF4D9AE29} - C:\PROGRA~1\COMCAS~1\COMCAS~1.DLL (disabled by BHODemon)
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0\bin\ssv.dll
O2 - BHO: MSNToolBandBHO - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Apps\MSN Toolbar\MSN Toolbar\01.02.5000.1021\en-us\msntb.dll (disabled by BHODemon)
O3 - Toolbar: MSN - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Apps\MSN Toolbar\MSN Toolbar\01.02.5000.1021\en-us\msntb.dll
O3 - Toolbar: Comcast Toolbar - {4E7BD74F-2B8D-469E-93BE-BE2DF4D9AE29} - C:\PROGRA~1\COMCAS~1\COMCAS~1.DLL__BHODemonDisabled (file missing)
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [ViewMgr] C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0\bin\jusched.exe"
O4 - HKCU\..\Run: [ResChanger 2005] C:\Program Files\ResChanger 2005\ResChanger2005.exe
O4 - HKCU\..\RunOnce: [CheckNetworkConnection] "C:\Program Files\Support.com\providerComcast\desktopdoctor.exe" /flow /flow=diagnosenetwork /trayclick=true /haveconfirmedwiring=true /haverenewed=true /haverestartedmodem=true /onrestart=true /havehealed=true /issuenumber=cbaadbaf-f3cf-4d64-8bdd-0ff8568533a3
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0\bin\ssv.dll
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/eng/par...an_unicode.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/actives...ree/asinst.cab
O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
O23 - Service: Canon Camera Access Library 8 (CCALib8) - Canon Inc. - C:\Program Files\Canon\CAL\CALMAIN.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe

-------------

Thursday, March 22, 2007 8:59:00 AM
Operating System: Microsoft Windows XP Home Edition, Service Pack 1 (Build 2600)
Kaspersky Online Scanner version: 5.0.83.0
Kaspersky Anti-Virus database last update: 22/03/2007
Kaspersky Anti-Virus database records: 267899


Scan Settings
Scan using the following antivirus database standard
Scan Archives true
Scan Mail Bases true

Scan Target My Computer
A:\
C:\
D:\
E:\

Scan Statistics
Total number of scanned objects 51383
Number of viruses found 2
Number of infected objects 7 / 0
Number of suspicious objects 0
Duration of the scan process 00:32:39

Infected Object Name Virus Name Last Action
C:\Documents and Settings\All Users\Application Data\avg7\Log\emc.log Object is locked skipped

C:\Documents and Settings\All Users\Application Data\Grisoft\Avg7Data\avg7log.log Object is locked skipped

C:\Documents and Settings\All Users\Application Data\Grisoft\Avg7Data\avg7log.log.lck Object is locked skipped

C:\Documents and Settings\Justin\Cookies\index.dat Object is locked skipped

C:\Documents and Settings\Justin\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped

C:\Documents and Settings\Justin\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped

C:\Documents and Settings\Justin\Local Settings\History\History.IE5\index.dat Object is locked skipped

C:\Documents and Settings\Justin\Local Settings\Temp\Cookies\index.dat Object is locked skipped

C:\Documents and Settings\Justin\Local Settings\Temp\History\History.IE5\index.dat Object is locked skipped

C:\Documents and Settings\Justin\Local Settings\Temp\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped

C:\Documents and Settings\Justin\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped

C:\Documents and Settings\Justin\NTUSER.DAT Object is locked skipped

C:\Documents and Settings\Justin\ntuser.dat.LOG Object is locked skipped

C:\Documents and Settings\LocalService\Cookies\index.dat Object is locked skipped

C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped

C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped

C:\Documents and Settings\LocalService\Local Settings\History\History.IE5\index.dat Object is locked skipped

C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped

C:\Documents and Settings\LocalService\NTUSER.DAT Object is locked skipped

C:\Documents and Settings\LocalService\ntuser.dat.LOG Object is locked skipped

C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrCl