Lots of issues

subzerolife · 10-10-2007, 09:27 PM

I have spyware and viruses that just wont go away, and i`m finally looking for help on the issues.

I currently run Ad-Aware, Spybot Search and Destroy, and because my license on AVG ran out and I don`t have the cash to buy a new one, i`ve been using Avira AntiVir for an antivirus. All of these are fully updated, as well.

I use XP Service Pack 2. I would have used the Panda scan but the page "Scan your PC now" linked to was blank.

I am currently doing a dss scan, but it its taking a while, so I will post the results in the morning,

Here is my HijackThis log. Any help would be appreciated :) I know this is all people giving up their free time to help others out. By the way, I do not know why there are like 3 winzips running, I see no indication of them.

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 11:25:36 PM, on 10/10/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Stardock\Object Desktop\ThemeManager\wbload.exe
C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\Program Files\Lavasoft\Ad-Aware SE Personal\Ad-Aware.exe
C:\Program Files\Avira\AntiVir PersonalEdition Classic\avguard.exe
C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe
C:\Program Files\Avira\AntiVir PersonalEdition Classic\sched.exe
C:\Program Files\Avira\AntiVir PersonalEdition Classic\avcenter.exe
C:\Program Files\Avira\AntiVir PersonalEdition Classic\avscan.exe
C:\WINDOWS\system32\taskmgr.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\PROGRA~1\WINZIP\winzip32.exe
C:\PROGRA~1\WINZIP\winzip32.exe
C:\PROGRA~1\WINZIP\winzip32.exe
C:\Documents and Settings\Larry.LARCOMP\Desktop\HiJackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = about:blank
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://softwarereferral.com/jump.php...MjI6Ojg5&lid=2
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = about:blank
R3 - Default URLSearchHook is missing
F2 - REG:system.ini: UserInit=userinit.exe
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: MSVPS System - {05F79890-CFA6-4D53-87BC-2F390DA6645E} - C:\WINDOWS\bndsrsvk.dll
O2 - BHO: (no name) - {3C1F6EAF-612B-478F-BF2D-6ABD825905A8} - C:\WINDOWS\system32\awvtu.dll (file missing)
O2 - BHO: (no name) - {724d43a9-0d85-11d4-9908-00400523e39a} - C:\Program Files\Siber Systems\AI RoboForm\roboform.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_10\bin\ssv.dll
O3 - Toolbar: FlashGet Bar - {E0E899AB-F487-11D5-8D29-0050BA6940E3} - C:\PROGRA~1\FlashGet\fgiebar.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O3 - Toolbar: &RoboForm - {724d43a0-0d85-11d4-9908-00400523e39a} - C:\Program Files\Siber Systems\AI RoboForm\roboform.dll
O3 - Toolbar: The netadv - {899B0EF2-E0BE-41BA-BB41-0ABFB232813C} - C:\WINDOWS\netadv.dll
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [DrvLsnr] C:\Program Files\Analog Devices\SoundMAX\DrvLsnr.exe
O4 - HKLM\..\Run: [PRONoMgr.exe] c:\Program Files\Intel\NCS\PROSet\PRONoMgr.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.5.0_10\bin\jusched.exe"
O4 - HKLM\..\Run: [RoamMfcdLiesThis] C:\Documents and Settings\All Users.WINDOWS\Application Data\nurb surf roam mfcd\Hidepure.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [{35-59-95-55-ZN}] c:\windows\system32\qpdsregs.exe FI002
O4 - HKLM\..\Run: [w774c9b8.dll] RUNDLL32.EXE w774c9b8.dll,I2 00024aaf0774c9b8
O4 - HKLM\..\Run: [UserFaultCheck] %systemroot%\system32\dumprep 0 -u
O4 - HKLM\..\Run: [NetMeter] C:\Program Files\NetRatingsNetmeter\NetMeter\NielsenOnline.exe
O4 - HKLM\..\Run: [win32069083-32483] C:\WINDOWS\win32069083-32483.exe
O4 - HKLM\..\Run: [ms04839083-324] C:\WINDOWS\ms04839083-324.exe
O4 - HKLM\..\Run: [ms0539083-3248] C:\WINDOWS\ms0539083-3248.exe
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [AtiPTA] atiptaxx.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [My Web Search Bar] rundll32 C:\PROGRA~1\MYWEBS~1\bar\1.bin\MWSBAR.DLL,S
O4 - HKLM\..\Run: [avgnt] "C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe" /min
O4 - HKLM\..\RunServices: [stratas] lockx.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM\aim.exe -cnetwait.odl
O4 - HKCU\..\Run: [stratas] lockx.exe
O4 - HKCU\..\Run: [actx1.exe] C:\Documents and Settings\Larry.LARCOMP\Application Data\System Restore\actx1.exe
O4 - HKCU\..\Run: [zqactx1.exe] C:\WINDOWS\System32\zqactx1.exe
O4 - HKCU\..\Run: [Yahoo! Pager] C:\Program Files\Yahoo!\Messenger\ypager.exe -quiet
O4 - HKCU\..\Run: [RoboForm] "C:\Program Files\Siber Systems\AI RoboForm\RoboTaskBarIcon.exe"
O4 - HKCU\..\Run: [Fraps] C:\FRAPS\FRAPS.EXE
O4 - HKCU\..\Run: [Steam] "c:\program files\steam\steam.exe" -silent
O4 - HKCU\..\Run: [Asbr] "C:\PROGRA~1\COMMON~1\ASKS~1\wuaclt.exe" -vt yax
O4 - HKCU\..\Run: [Waj] C:\WINDOWS\APPATC~1\rundll32.exe
O4 - HKCU\..\Run: [BitTorrent] "C:\Program Files\BitTorrent\bittorrent.exe" --force_start_minimized
O4 - HKCU\..\Run: [My Web Search Community Tools] "C:\Program Files\MyWebSearch\bar\1.bin\m3IMPipe.exe"
O4 - HKLM\..\Policies\Explorer\Run: [ishost.exe] ishost.exe
O4 - HKLM\..\Policies\Explorer\Run: [issearch.exe] issearch.exe
O4 - HKLM\..\Policies\Explorer\Run: [kernel32.dll] C:\WINDOWS\system32\isnotify.exe
O4 - HKLM\..\Policies\Explorer\Run: [vpnxgv] C:\DOCUME~1\LARRY~1.LAR\LOCALS~1\Temp\vpnxgv.exe
O4 - HKCU\..\Policies\Explorer\Run: [{ECA35955-07CA-1033-0528-020326200001}] "C:\Program Files\Common Files\{ECA35955-07CA-1033-0528-020326200001}\Update.exe" mc-110-12-0000272
O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'Default user')
O4 - Startup: OpenOffice.org 2.0.lnk = C:\Program Files\OpenOffice.org 2.0\program\quickstart.exe
O4 - Startup: Xfire.lnk = C:\Program Files\Xfire\Xfire.exe
O4 - Startup: Zeno.lnk = C:\WINDOWS\eliteunstall.exe
O4 - Startup: Z_Start.lnk = C:\WINDOWS\system32\dwdsregt.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
O8 - Extra context menu item: &AIM Search - res://C:\Program Files\AIM Toolbar\AIMBar.dll/aimsearch.htm
O8 - Extra context menu item: &Search - http://edits.mywebsearch.com/toolbar...rch.jhtml?p=ZJ
O8 - Extra context menu item: Customize Menu - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComCustomizeIEMenu.html
O8 - Extra context menu item: Download All by FlashGet - C:\Program Files\FlashGet\jc_all.htm
O8 - Extra context menu item: Download using FlashGet - C:\Program Files\FlashGet\jc_link.htm
O8 - Extra context menu item: Fill Forms - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComFillForms.html
O8 - Extra context menu item: RoboForm Toolbar - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComShowToolbar.html
O8 - Extra context menu item: Save Forms - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComSavePass.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_10\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_10\bin\ssv.dll
O9 - Extra button: Fill Forms - {320AF880-6646-11D3-ABEE-C5DBF3571F46} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComFillForms.html
O9 - Extra 'Tools' menuitem: Fill Forms - {320AF880-6646-11D3-ABEE-C5DBF3571F46} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComFillForms.html
O9 - Extra button: Save - {320AF880-6646-11D3-ABEE-C5DBF3571F49} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComSavePass.html
O9 - Extra 'Tools' menuitem: Save Forms - {320AF880-6646-11D3-ABEE-C5DBF3571F49} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComSavePass.html
O9 - Extra button: RoboForm - {724d43aa-0d85-11d4-9908-00400523e39a} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComShowToolbar.html
O9 - Extra 'Tools' menuitem: RoboForm Toolbar - {724d43aa-0d85-11d4-9908-00400523e39a} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComShowToolbar.html
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - C:\Program Files\FlashGet\flashget.exe
O9 - Extra 'Tools' menuitem: &FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - C:\Program Files\FlashGet\flashget.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .pdf: C:\Program Files\Internet Explorer\PLUGINS\nppdf32.dll
O15 - Trusted Zone: *.elitemediagroup.net
O15 - Trusted Zone: http://click.getmirar.com (HKLM)
O15 - Trusted Zone: http://click.mirarsearch.com (HKLM)
O15 - Trusted Zone: http://redirect.mirarsearch.com (HKLM)
O16 - DPF: sptbaxcab - http://www.try2find.com/toolbar/setup/sptbax.cab
O16 - DPF: {0645D7F3-C20E-4E0B-A545-557527497C0B} (NMInstall Control) - http://a14.g.akamai.net/f/14/7141/1d...APANEL_USA.cab
O16 - DPF: {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - http://liveca06.rightnowtech.com/7020-b375h/rnl/java
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {26098EA2-C95D-48EA-89B4-63C5A63BD42F} - http://www.pacimedia.com/install/pcs_0002.exe
O16 - DPF: {2D2BEE6E-3C9A-4D58-B9EC-458EDB28D0F6} - http://drivecleaner.com/.freeware/in...eanerstart.cab
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
O16 - DPF: {41ACD49D-1974-791A-0981-AA9872721044} (Ganymede Board Games) - http://67.15.101.3/g_bin/eng/boards_2_0_0_24.cab
O16 - DPF: {5526B4C6-63D6-41A1-9783-0FABF529859A} - http://cabs.elitemediagroup.net/cabs/mediaview.cab
O16 - DPF: {74CD40EA-EF77-4BAD-808A-B5982DA73F20} - http://yax-download.yazzle.net/Yazzl...cab?refid=1123
O16 - DPF: {BE833F39-1E0C-468C-BA70-25AAEE55775E} (System Requirements Lab) - http://www.systemrequirementslab.com/sysreqlab.cab
O16 - DPF: {C4925E65-7A1E-11D2-8BB4-00A0C9CC72C3} (Virtools WebPlayer Class) - http://a532.g.akamai.net/f/532/6712/.../installer.exe
O16 - DPF: {D77EF652-9A6B-40C8-A4B9-1C0697C6CF41} (TikGames Online Control) - http://download.games.yahoo.com/game...nematycoon.cab
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://download.games.yahoo.com/game...ploader_v6.cab
O16 - DPF: {F919FBD3-A96B-4679-AF26-F551439BB5FD} - http://www.systemdoctor.com/download...reeInstall.cab
O20 - AppInit_DLLs: C:\WINDOWS\system32\spool32.dll,wbsys.dll
O20 - Winlogon Notify: Telephony - C:\WINDOWS\system32\ktpul7791.dll (file missing)
O20 - Winlogon Notify: winjks32 - winjks32.dll (file missing)
O21 - SSODL: incestuously - {03413bf7-e34c-445b-bfc0-a2b127255871} - (no file)
O21 - SSODL: msvb - {FFC17CE6-92F4-480A-9912-75B005FEA2E3} - C:\WINDOWS\msvb.dll
O21 - SSODL: sysdx - {7A68DD46-B37E-405D-B25D-FDD99C6BC7C5} - C:\WINDOWS\sysdx.dll
O22 - SharedTaskScheduler: {03413bf7-e34c-445b-bfc0-a2b127255871} - incestuously - (no file)
O23 - Service: AntiVir PersonalEdition Classic Scheduler (AntiVirScheduler) - Avira GmbH - C:\Program Files\Avira\AntiVir PersonalEdition Classic\sched.exe
O23 - Service: AntiVir PersonalEdition Classic Guard (AntiVirService) - Avira GmbH - C:\Program Files\Avira\AntiVir PersonalEdition Classic\avguard.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
O23 - Service: ewido anti-spyware 4.0 guard - Anti-Malware Development a.s. - C:\Program Files\ewido anti-spyware 4.0\guard.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Intel NCS NetService (NetSvc) - Intel(R) Corporation - c:\Program Files\Intel\NCS\Sync\NetSvc.exe
O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exe
O24 - Desktop Component 0: Privacy Protection - file:///C:\WINDOWS\privacy_danger\index.htm

--
End of file - 13859 bytes

subzerolife · 10-11-2007, 06:22 AM

Deckard's System Scanner v20070905.67
Run by Larry on 2007-10-11 08:17:35
Computer is in Normal Mode.
--------------------------------------------------------------------------------

System Drive C: has 8.18 GiB (less than 15%) free.

-- HijackThis (run as Larry.exe) -----------------------------------------------

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 8:17:44 AM, on 10/11/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Stardock\Object Desktop\ThemeManager\wbload.exe
C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\Program Files\Avira\AntiVir PersonalEdition Classic\avguard.exe
C:\Program Files\Avira\AntiVir PersonalEdition Classic\sched.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\WINDOWS\explorer.exe
C:\Documents and Settings\Larry.LARCOMP\Desktop\dss.exe
C:\DOCUME~1\LARRY~1.LAR\Desktop\Larry.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = about:blank
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://softwarereferral.com/jump.php...MjI6Ojg5&lid=2
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = about:blank
R3 - Default URLSearchHook is missing
F2 - REG:system.ini: UserInit=userinit.exe
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: MSVPS System - {05F79890-CFA6-4D53-87BC-2F390DA6645E} - C:\WINDOWS\bndsrsvk.dll
O2 - BHO: (no name) - {3C1F6EAF-612B-478F-BF2D-6ABD825905A8} - C:\WINDOWS\system32\awvtu.dll (file missing)
O2 - BHO: (no name) - {724d43a9-0d85-11d4-9908-00400523e39a} - C:\Program Files\Siber Systems\AI RoboForm\roboform.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_10\bin\ssv.dll
O3 - Toolbar: FlashGet Bar - {E0E899AB-F487-11D5-8D29-0050BA6940E3} - C:\PROGRA~1\FlashGet\fgiebar.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O3 - Toolbar: &RoboForm - {724d43a0-0d85-11d4-9908-00400523e39a} - C:\Program Files\Siber Systems\AI RoboForm\roboform.dll
O3 - Toolbar: The netadv - {899B0EF2-E0BE-41BA-BB41-0ABFB232813C} - C:\WINDOWS\netadv.dll
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [DrvLsnr] C:\Program Files\Analog Devices\SoundMAX\DrvLsnr.exe
O4 - HKLM\..\Run: [PRONoMgr.exe] c:\Program Files\Intel\NCS\PROSet\PRONoMgr.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.5.0_10\bin\jusched.exe"
O4 - HKLM\..\Run: [RoamMfcdLiesThis] C:\Documents and Settings\All Users.WINDOWS\Application Data\nurb surf roam mfcd\Hidepure.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [{35-59-95-55-ZN}] c:\windows\system32\qpdsregs.exe FI002
O4 - HKLM\..\Run: [w774c9b8.dll] RUNDLL32.EXE w774c9b8.dll,I2 00024aaf0774c9b8
O4 - HKLM\..\Run: [UserFaultCheck] %systemroot%\system32\dumprep 0 -u
O4 - HKLM\..\Run: [NetMeter] C:\Program Files\NetRatingsNetmeter\NetMeter\NielsenOnline.exe
O4 - HKLM\..\Run: [win32069083-32483] C:\WINDOWS\win32069083-32483.exe
O4 - HKLM\..\Run: [ms04839083-324] C:\WINDOWS\ms04839083-324.exe
O4 - HKLM\..\Run: [ms0539083-3248] C:\WINDOWS\ms0539083-3248.exe
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [AtiPTA] atiptaxx.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [My Web Search Bar] rundll32 C:\PROGRA~1\MYWEBS~1\bar\1.bin\MWSBAR.DLL,S
O4 - HKLM\..\Run: [avgnt] "C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe" /min
O4 - HKLM\..\RunServices: [stratas] lockx.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM\aim.exe -cnetwait.odl
O4 - HKCU\..\Run: [stratas] lockx.exe
O4 - HKCU\..\Run: [actx1.exe] C:\Documents and Settings\Larry.LARCOMP\Application Data\System Restore\actx1.exe
O4 - HKCU\..\Run: [zqactx1.exe] C:\WINDOWS\System32\zqactx1.exe
O4 - HKCU\..\Run: [Yahoo! Pager] C:\Program Files\Yahoo!\Messenger\ypager.exe -quiet
O4 - HKCU\..\Run: [RoboForm] "C:\Program Files\Siber Systems\AI RoboForm\RoboTaskBarIcon.exe"
O4 - HKCU\..\Run: [Fraps] C:\FRAPS\FRAPS.EXE
O4 - HKCU\..\Run: [Steam] "c:\program files\steam\steam.exe" -silent
O4 - HKCU\..\Run: [Asbr] "C:\PROGRA~1\COMMON~1\ASKS~1\wuaclt.exe" -vt yax
O4 - HKCU\..\Run: [Waj] C:\WINDOWS\APPATC~1\rundll32.exe
O4 - HKCU\..\Run: [BitTorrent] "C:\Program Files\BitTorrent\bittorrent.exe" --force_start_minimized
O4 - HKCU\..\Run: [My Web Search Community Tools] "C:\Program Files\MyWebSearch\bar\1.bin\m3IMPipe.exe"
O4 - HKLM\..\Policies\Explorer\Run: [ishost.exe] ishost.exe
O4 - HKLM\..\Policies\Explorer\Run: [issearch.exe] issearch.exe
O4 - HKLM\..\Policies\Explorer\Run: [kernel32.dll] C:\WINDOWS\system32\isnotify.exe
O4 - HKLM\..\Policies\Explorer\Run: [vpnxgv] C:\DOCUME~1\LARRY~1.LAR\LOCALS~1\Temp\vpnxgv.exe
O4 - HKCU\..\Policies\Explorer\Run: [{ECA35955-07CA-1033-0528-020326200001}] "C:\Program Files\Common Files\{ECA35955-07CA-1033-0528-020326200001}\Update.exe" mc-110-12-0000272
O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'Default user')
O4 - Startup: OpenOffice.org 2.0.lnk = C:\Program Files\OpenOffice.org 2.0\program\quickstart.exe
O4 - Startup: Xfire.lnk = C:\Program Files\Xfire\Xfire.exe
O4 - Startup: Zeno.lnk = C:\WINDOWS\eliteunstall.exe
O4 - Startup: Z_Start.lnk = C:\WINDOWS\system32\dwdsregt.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
O8 - Extra context menu item: &AIM Search - res://C:\Program Files\AIM Toolbar\AIMBar.dll/aimsearch.htm
O8 - Extra context menu item: &Search - http://edits.mywebsearch.com/toolbar...rch.jhtml?p=ZJ
O8 - Extra context menu item: Customize Menu - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComCustomizeIEMenu.html
O8 - Extra context menu item: Download All by FlashGet - C:\Program Files\FlashGet\jc_all.htm
O8 - Extra context menu item: Download using FlashGet - C:\Program Files\FlashGet\jc_link.htm
O8 - Extra context menu item: Fill Forms - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComFillForms.html
O8 - Extra context menu item: RoboForm Toolbar - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComShowToolbar.html
O8 - Extra context menu item: Save Forms - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComSavePass.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_10\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_10\bin\ssv.dll
O9 - Extra button: Fill Forms - {320AF880-6646-11D3-ABEE-C5DBF3571F46} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComFillForms.html
O9 - Extra 'Tools' menuitem: Fill Forms - {320AF880-6646-11D3-ABEE-C5DBF3571F46} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComFillForms.html
O9 - Extra button: Save - {320AF880-6646-11D3-ABEE-C5DBF3571F49} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComSavePass.html
O9 - Extra 'Tools' menuitem: Save Forms - {320AF880-6646-11D3-ABEE-C5DBF3571F49} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComSavePass.html
O9 - Extra button: RoboForm - {724d43aa-0d85-11d4-9908-00400523e39a} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComShowToolbar.html
O9 - Extra 'Tools' menuitem: RoboForm Toolbar - {724d43aa-0d85-11d4-9908-00400523e39a} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComShowToolbar.html
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - C:\Program Files\FlashGet\flashget.exe
O9 - Extra 'Tools' menuitem: &FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - C:\Program Files\FlashGet\flashget.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .pdf: C:\Program Files\Internet Explorer\PLUGINS\nppdf32.dll
O15 - Trusted Zone: *.elitemediagroup.net
O15 - Trusted Zone: http://click.getmirar.com (HKLM)
O15 - Trusted Zone: http://click.mirarsearch.com (HKLM)
O15 - Trusted Zone: http://redirect.mirarsearch.com (HKLM)
O16 - DPF: sptbaxcab - http://www.try2find.com/toolbar/setup/sptbax.cab
O16 - DPF: {0645D7F3-C20E-4E0B-A545-557527497C0B} (NMInstall Control) - http://a14.g.akamai.net/f/14/7141/1d...APANEL_USA.cab
O16 - DPF: {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - http://liveca06.rightnowtech.com/7020-b375h/rnl/java
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {26098EA2-C95D-48EA-89B4-63C5A63BD42F} - http://www.pacimedia.com/install/pcs_0002.exe
O16 - DPF: {2D2BEE6E-3C9A-4D58-B9EC-458EDB28D0F6} - http://drivecleaner.com/.freeware/in...eanerstart.cab
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
O16 - DPF: {41ACD49D-1974-791A-0981-AA9872721044} (Ganymede Board Games) - http://67.15.101.3/g_bin/eng/boards_2_0_0_24.cab
O16 - DPF: {5526B4C6-63D6-41A1-9783-0FABF529859A} - http://cabs.elitemediagroup.net/cabs/mediaview.cab
O16 - DPF: {74CD40EA-EF77-4BAD-808A-B5982DA73F20} - http://yax-download.yazzle.net/Yazzl...cab?refid=1123
O16 - DPF: {BE833F39-1E0C-468C-BA70-25AAEE55775E} (System Requirements Lab) - http://www.systemrequirementslab.com/sysreqlab.cab
O16 - DPF: {C4925E65-7A1E-11D2-8BB4-00A0C9CC72C3} (Virtools WebPlayer Class) - http://a532.g.akamai.net/f/532/6712/.../installer.exe
O16 - DPF: {D77EF652-9A6B-40C8-A4B9-1C0697C6CF41} (TikGames Online Control) - http://download.games.yahoo.com/game...nematycoon.cab
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://download.games.yahoo.com/game...ploader_v6.cab
O16 - DPF: {F919FBD3-A96B-4679-AF26-F551439BB5FD} - http://www.systemdoctor.com/download...reeInstall.cab
O20 - AppInit_DLLs: C:\WINDOWS\system32\spool32.dll,wbsys.dll
O20 - Winlogon Notify: Telephony - C:\WINDOWS\system32\ktpul7791.dll (file missing)
O20 - Winlogon Notify: winjks32 - winjks32.dll (file missing)
O21 - SSODL: incestuously - {03413bf7-e34c-445b-bfc0-a2b127255871} - (no file)
O21 - SSODL: msvb - {FFC17CE6-92F4-480A-9912-75B005FEA2E3} - C:\WINDOWS\msvb.dll
O21 - SSODL: sysdx - {7A68DD46-B37E-405D-B25D-FDD99C6BC7C5} - C:\WINDOWS\sysdx.dll
O22 - SharedTaskScheduler: {03413bf7-e34c-445b-bfc0-a2b127255871} - incestuously - (no file)
O23 - Service: AntiVir PersonalEdition Classic Scheduler (AntiVirScheduler) - Avira GmbH - C:\Program Files\Avira\AntiVir PersonalEdition Classic\sched.exe
O23 - Service: AntiVir PersonalEdition Classic Guard (AntiVirService) - Avira GmbH - C:\Program Files\Avira\AntiVir PersonalEdition Classic\avguard.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
O23 - Service: ewido anti-spyware 4.0 guard - Anti-Malware Development a.s. - C:\Program Files\ewido anti-spyware 4.0\guard.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Intel NCS NetService (NetSvc) - Intel(R) Corporation - c:\Program Files\Intel\NCS\Sync\NetSvc.exe
O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exe
O24 - Desktop Component 0: Privacy Protection - file:///C:\WINDOWS\privacy_danger\index.htm

--
End of file - 13456 bytes

-- Files created between 2007-09-11 and 2007-10-11 -----------------------------

2013-01-28 22:37:09 102400 --a------ C:\WINDOWS\system32\tsccvid.dll <Not Verified; TechSmith Corporation; TechSmith Screen Capture Codec>
2011-04-20 08:48:49 0 d-------- C:\Program Files\Common Files\Macromedia Shared
2011-04-20 08:47:30 0 d-------- C:\Documents and Settings\All Users\Application Data\Macromedia
2010-12-22 00:22:58 0 d-------- C:\Program Files\HyperSnap 6
2010-09-08 17:32:32 0 d-------- C:\Program Files\Alcohol Soft
2010-08-13 22:56:13 0 d-------- C:\Program Files\ewido anti-spyware 4.0
2010-06-18 15:29:46 0 d-------- C:\Documents and Settings\Lawrence\win32clf
2010-06-16 14:44:14 0 d-------- C:\Documents and Settings\Lawrence\Application Data\NetPumper
2010-03-23 14:58:21 0 d-------- C:\Program Files\Alcohol
2010-03-11 17:29:53 0 d-------- C:\Program Files\Scrabble
2010-03-11 17:28:51 0 d-------- C:\Program Files\TryMedia
2010-03-11 17:28:45 0 d-------- C:\Program Files\PopCap Games
2010-02-04 16:48:33 0 d-------- C:\Program Files\ACARecorder203
2007-10-11 03:00:29 0 d-------- C:\WINDOWS\LastGood
2007-10-09 22:43:34 0 d-------- C:\Program Files\Avira
2007-10-09 22:43:34 0 d-------- C:\Documents and Settings\All Users.WINDOWS\Application Data\Avira
2007-10-09 16:52:33 0 d-------- C:\Program Files\SystemDefender
2007-10-09 16:46:32 49664 --a------ C:\WINDOWS\wsremover.exe
2007-10-09 16:46:32 323584 --a------ C:\WINDOWS\sysdx.dll
2007-10-09 16:46:32 290816 --a------ C:\WINDOWS\msvb.dll <Not Verified; ; msvb>
2007-10-09 16:46:31 79872 --a------ C:\WINDOWS\netadv.dll <Not Verified; ; netadv Module>
2007-10-09 16:46:31 274432 --a------ C:\WINDOWS\bndsrsvk.dll <Not Verified; ; bndsrsvk>
2007-09-17 01:36:44 7680 --a------ C:\WINDOWS\system32\ff_vfw.dll
2007-09-17 01:36:43 60273 --a------ C:\WINDOWS\system32\pthreadGC2.dll <Not Verified; Open Source Software community project; >
2007-09-17 01:30:29 0 dr-h----- C:\Documents and Settings\Larry.LARCOMP\Recent
2007-09-17 01:22:57 36864 --a------ C:\WINDOWS\system32\wbsys.dll <Not Verified; Stardock.Net, Inc; WindowBlinds 4.x for x86 machines>
2007-09-17 01:22:54 0 d-------- C:\Program Files\Stardock
2007-09-17 01:22:54 0 d-------- C:\Program Files\Common Files\Stardock

-- Find3M Report ---------------------------------------------------------------

2013-07-05 20:28:17 0 d-------- C:\Program Files\Copystar
2007-10-10 00:48:24 0 d-------- C:\Program Files\MailSkinner
2007-10-09 23:39:16 0 d-------- C:\Documents and Settings\Larry.LARCOMP\Application Data\inter bait
2007-10-09 18:33:01 0 d-------- C:\Program Files\World of Warcraft
2007-09-27 09:54:48 0 d-------- C:\Program Files\UI Central
2007-09-20 02:07:52 0 d-------- C:\Program Files\Steam
2007-09-17 01:22:54 0 d-------- C:\Program Files\Common Files
2007-09-17 00:24:43 0 d-------- C:\Program Files\Winamp
2007-08-22 23:21:51 0 d-------- C:\Documents and Settings\Larry.LARCOMP\Application Data\LimeWire
2007-08-11 09:30:43 664 --a------ C:\WINDOWS\system32\d3d9caps.dat

-- Registry Dump ---------------------------------------------------------------

*Note* empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{05F79890-CFA6-4D53-87BC-2F390DA6645E}]
10/09/2007 12:47 PM 274432 --a------ C:\WINDOWS\bndsrsvk.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{3C1F6EAF-612B-478F-BF2D-6ABD825905A8}]
C:\WINDOWS\system32\awvtu.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IgfxTray"="C:\WINDOWS\System32\igfxtray.exe" [10/16/2002 02:18 AM]
"HotKeysCmds"="C:\WINDOWS\System32\hkcmd.exe" [10/16/2002 02:05 AM]
"DrvLsnr"="C:\Program Files\Analog Devices\SoundMAX\DrvLsnr.exe" [05/08/2003 02:34 PM]
"PRONoMgr.exe"="c:\Program Files\Intel\NCS\PROSet\PRONoMgr.exe" [10/23/2002 10:15 AM]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.5.0_10\bin\jusched.exe" [11/09/2006 04:07 PM]
"RoamMfcdLiesThis"="C:\Documents and Settings\All Users.WINDOWS\Application Data\nurb surf roam mfcd\Hidepure.exe" [12/28/2005 02:31 PM]
"AVG7_CC"="C:\PROGRA~1\Grisoft\AVG7\avgcc.exe" [12/29/2006 10:02 PM]
"{35-59-95-55-ZN}"="c:\windows\system32\qpdsregs.exe" []
"w774c9b8.dll"="w774c9b8.dll" []
"UserFaultCheck"="C:\WINDOWS\system32\dumprep 0 -u" []
"NetMeter"="C:\Program Files\NetRatingsNetmeter\NetMeter\NielsenOnline.exe" []
"win32069083-32483"="C:\WINDOWS\win32069083-32483.exe" []
"ms04839083-324"="C:\WINDOWS\ms04839083-324.exe" []
"ms0539083-3248"="C:\WINDOWS\ms0539083-3248.exe" []
"KernelFaultCheck"="C:\WINDOWS\system32\dumprep 0 -k" []
"AtiPTA"="atiptaxx.exe" [02/21/2006 08:05 PM C:\WINDOWS\system32\atiptaxx.exe]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [02/16/2007 11:54 AM]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [03/14/2007 07:05 PM]
"My Web Search Bar"="C:\PROGRA~1\MYWEBS~1\bar\1.bin\MWSBAR.DLL" []
"avgnt"="C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe" [10/10/2007 10:48 PM]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" [10/13/2004 12:24 PM]
"AIM"="C:\Program Files\AIM\aim.exe" [08/01/2006 04:35 PM]
"stratas"="lockx.exe" []
"actx1.exe"="C:\Documents and Settings\Larry.LARCOMP\Application Data\System Restore\actx1.exe" []
"zqactx1.exe"="C:\WINDOWS\System32\zqactx1.exe" []
"Yahoo! Pager"="C:\Program Files\Yahoo!\Messenger\ypager.exe" [08/19/2005 11:34 PM]
"RoboForm"="C:\Program Files\Siber Systems\AI RoboForm\RoboTaskBarIcon.exe" [05/01/2006 07:55 PM]
"Fraps"="C:\FRAPS\FRAPS.EXE" [04/30/2006 09:46 AM]
"Steam"="c:\program files\steam\steam.exe" [07/09/2007 12:21 AM]
"Asbr"="C:\PROGRA~1\COMMON~1\ASKS~1\wuaclt.exe" []
"Waj"="C:\WINDOWS\APPATC~1\rundll32.exe" []
"BitTorrent"="C:\Program Files\BitTorrent\bittorrent.exe" [12/04/2006 06:28 PM]
"My Web Search Community Tools"="C:\Program Files\MyWebSearch\bar\1.bin\m3IMPipe.exe" []

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\runservices]
"stratas"=lockx.exe

C:\Documents and Settings\Larry.LARCOMP\Start Menu\Programs\Startup\
OpenOffice.org 2.0.lnk - C:\Program Files\OpenOffice.org 2.0\program\quickstart.exe [9/23/2005 4:36:42 PM]
Xfire.lnk - C:\Program Files\Xfire\Xfire.exe [12/15/2006 11:14:25 PM]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"DisableCAD"=0 (0x0)

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer\run]
"ishost.exe"=ishost.exe
"issearch.exe"=issearch.exe
"kernel32.dll"=C:\WINDOWS\system32\isnotify.exe
"vpnxgv"=C:\DOCUME~1\LARRY~1.LAR\LOCALS~1\Temp\vpnxgv.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"NoRun"=0 (0x0)
"DisallowCpl"=0 (0x0)
"NoPropertiesMyComputer"=0 (0x0)

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer\DisallowCpl]
"1"=User Accounts

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer\Run]
"{ECA35955-07CA-1033-0528-020326200001}"="C:\Program Files\Common Files\{ECA35955-07CA-1033-0528-020326200001}\Update.exe" mc-110-12-0000272

[HKEY_CURRENT_USER\software\microsoft\internet explorer\desktop\components\0]
Source= file:///C:\WINDOWS\privacy_danger\index.htm
FriendlyName= Privacy Protection

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad]
"msvb"= {FFC17CE6-92F4-480A-9912-75B005FEA2E3} - C:\WINDOWS\msvb.dll [10/09/2007 12:47 PM 290816]
"sysdx"= {7A68DD46-B37E-405D-B25D-FDD99C6BC7C5} - C:\WINDOWS\sysdx.dll [10/09/2007 12:47 PM 323584]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\Telephony]
C:\WINDOWS\system32\ktpul7791.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\WB]
C:\Program Files\Stardock\Object Desktop\ThemeManager\fastload.dll 12/20/2001 11:34 PM 24576 C:\Program Files\Stardock\Object Desktop\ThemeManager\fastload.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\winjks32]
winjks32.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"appinit_dlls"= C:\WINDOWS\system32\spool32.dll,wbsys.dll

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
"Notification Packages"= scecli scecli

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\vds]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{533C5B84-EC70-11D2-9505-00C04F79DEAF}]
@="Volume shadow copy"

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\F]
AutoRun\command- F:\setup.exe /autorun
directx\command- F:\DirectX\dxsetup.exe
setup\command- F:\setup.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{befc8612-0b81-11db-893a-000802395360}]
AutoRun\command- F:\setup.exe /autorun
directx\command- F:\DirectX\dxsetup.exe
setup\command- F:\setup.exe

-- End of Deckard's System Scanner: finished at 2007-10-11 08:18:14 ------------

tetonbob · 10-13-2007, 07:31 PM

Hello, and Welcome to TSF.

Yuck....you've got evidence of several inactive old infections, as well as a new one. What have you been doing on the internet?

Please subscribe to this thread to get immediate notification of replies as soon as they are posted. To do this click Thread Tools, then click Subscribe to this Thread. Make sure it is set to Instant Notification, then click Subscribe.

Before beginning the fix, read this post completely. If there's anything that you do not understand, kindly ask your questions before proceeding. Ensure that there aren't any opened browsers when you are carrying out the procedures below. Save the following instructions in Notepad as this webpage would not be available when you're carrying out the fix.

It is IMPORTANT that you don't miss a step & perform everything in the correct order/sequence.

---------------------------------------------------------------------------------------------

I see you have more than one Anti-Virus program installed, AVG and Avira. While this may seem like greater protection, it can cause problems including slowdowns and system hangs. It can also prevent the AV from doing it's job. Choose one to keep and uninstall the other.

Any antivirus program must be removed via add/remove program.
For any program that doesn't have an add/remove entry, you will have to do this:

re-install the program -> reboot -> uninstall

-----------------------------------------------------------------------

Download this file - http://download.bleepingcomputer.com...a/ComboFix.exe

* IMPORTANT !!! Place combofix.exe on your Desktop
Disconnect from the internet....pull the plug!
Open HijackThis and click on 'Do a System Scan Only'. Check the following entries if they exist (make sure you do not miss any) and click Fix Checked

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = about:blank
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://softwarereferral.com/jump.php...MjI6Ojg5&lid=2
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = about:blank
R3 - Default URLSearchHook is missing
O2 - BHO: MSVPS System - {05F79890-CFA6-4D53-87BC-2F390DA6645E} - C:\WINDOWS\bndsrsvk.dll
O2 - BHO: (no name) - {3C1F6EAF-612B-478F-BF2D-6ABD825905A8} - C:\WINDOWS\system32\awvtu.dll (file missing)
O3 - Toolbar: The netadv - {899B0EF2-E0BE-41BA-BB41-0ABFB232813C} - C:\WINDOWS\netadv.dll
O4 - HKLM\..\Run: [RoamMfcdLiesThis] C:\Documents and Settings\All Users.WINDOWS\Application Data\nurb surf roam mfcd\Hidepure.exe
O4 - HKLM\..\Run: [{35-59-95-55-ZN}] c:\WINDOWS\system32\qpdsregs.exe FI002
O4 - HKLM\..\Run: [w774c9b8.dll] RUNDLL32.EXE w774c9b8.dll,I2 00024aaf0774c9b8
O4 - HKLM\..\Run: [win32069083-32483] C:\WINDOWS\win32069083-32483.exe
O4 - HKLM\..\Run: [ms04839083-324] C:\WINDOWS\ms04839083-324.exe
O4 - HKLM\..\Run: [ms0539083-3248] C:\WINDOWS\ms0539083-3248.exe
O4 - HKLM\..\Run: [My Web Search Bar] rundll32 C:\PROGRA~1\MYWEBS~1\bar\1.bin\MWSBAR.DLL,S
O4 - HKLM\..\RunServices: [stratas] lockx.exe
O4 - HKCU\..\Run: [stratas] lockx.exe
O4 - HKCU\..\Run: [actx1.exe] C:\Documents and Settings\Larry.LARCOMP\Application Data\System Restore\actx1.exe
O4 - HKCU\..\Run: [zqactx1.exe] C:\WINDOWS\System32\zqactx1.exe
O4 - HKCU\..\Run: [Asbr] "C:\PROGRA~1\COMMON~1\ASKS~1\wuaclt.exe" -vt yax
O4 - HKCU\..\Run: [Waj] C:\WINDOWS\APPATC~1\rundll32.exe
O4 - HKCU\..\Run: [My Web Search Community Tools] "C:\Program Files\MyWebSearch\bar\1.bin\m3IMPipe.exe"
O4 - HKLM\..\Policies\Explorer\Run: [ishost.exe] ishost.exe
O4 - HKLM\..\Policies\Explorer\Run: [issearch.exe] issearch.exe
O4 - HKLM\..\Policies\Explorer\Run: [kernel32.dll] C:\WINDOWS\system32\isnotify.exe
O4 - HKLM\..\Policies\Explorer\Run: [vpnxgv] C:\DOCUME~1\LARRY~1.LAR\LOCALS~1\Temp\vpnxgv.exe
O4 - HKCU\..\Policies\Explorer\Run: [{ECA35955-07CA-1033-0528-020326200001}] "C:\Program Files\Common Files\{ECA35955-07CA-1033-0528-020326200001}\Update.exe" mc-110-12-0000272
O4 - Startup: Zeno.lnk = C:\WINDOWS\eliteunstall.exe
O4 - Startup: Z_Start.lnk = C:\WINDOWS\system32\dwdsregt.exe
O8 - Extra context menu item: &Search - http://edits.mywebsearch.com/toolbar...rch.jhtml?p=ZJ
O15 - Trusted Zone: *.elitemediagroup.net
O15 - Trusted Zone: http://click.getmirar.com (HKLM)
O15 - Trusted Zone: http://click.mirarsearch.com (HKLM)
O15 - Trusted Zone: http://redirect.mirarsearch.com (HKLM)
O16 - DPF: sptbaxcab - http://www.try2find.com/toolbar/setup/sptbax.cab
O16 - DPF: {0645D7F3-C20E-4E0B-A545-557527497C0B} (NMInstall Control) - http://a14.g.akamai.net/f/14/7141/1d...APANEL_USA.cab
O16 - DPF: {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - http://liveca06.rightnowtech.com/7020-b375h/rnl/java
O16 - DPF: {26098EA2-C95D-48EA-89B4-63C5A63BD42F} - http://www.pacimedia.com/install/pcs_0002.exe
O16 - DPF: {2D2BEE6E-3C9A-4D58-B9EC-458EDB28D0F6} - http://drivecleaner.com/.freeware/in...eanerstart.cab
O16 - DPF: {41ACD49D-1974-791A-0981-AA9872721044} (Ganymede Board Games) - http://67.15.101.3/g_bin/eng/boards_2_0_0_24.cab
O16 - DPF: {5526B4C6-63D6-41A1-9783-0FABF529859A} - http://cabs.elitemediagroup.net/cabs/mediaview.cab
O16 - DPF: {74CD40EA-EF77-4BAD-808A-B5982DA73F20} - http://yax-download.yazzle.net/Yazzl...cab?refid=1123
O16 - DPF: {C4925E65-7A1E-11D2-8BB4-00A0C9CC72C3} (Virtools WebPlayer Class) - http://a532.g.akamai.net/f/532/6712/.../installer.exe
O16 - DPF: {F919FBD3-A96B-4679-AF26-F551439BB5FD} - http://www.systemdoctor.com/download...reeInstall.cab
O20 - Winlogon Notify: Telephony - C:\WINDOWS\system32\ktpul7791.dll (file missing)
O20 - Winlogon Notify: winjks32 - winjks32.dll (file missing)
O21 - SSODL: incestuously - {03413bf7-e34c-445b-bfc0-a2b127255871} - (no file)
O21 - SSODL: msvb - {FFC17CE6-92F4-480A-9912-75B005FEA2E3} - C:\WINDOWS\msvb.dll
O21 - SSODL: sysdx - {7A68DD46-B37E-405D-B25D-FDD99C6BC7C5} - C:\WINDOWS\sysdx.dll
O22 - SharedTaskScheduler: {03413bf7-e34c-445b-bfc0-a2b127255871} - incestuously - (no file)
O24 - Desktop Component 0: Privacy Protection - file:///C:\WINDOWS\privacy_danger\index.htm

Close HijackThis now.

---------------------------------------------------------------------------------------------
Go to -> Run -> paste in the following single line command & click OK

"%userprofile%\desktop\combofix.exe" /killall
Follow the prompts. Type "1" and press Enter to begin the scan.
Your desktop may go blank. This is normal. It will return when ComboFix is done. ComboFix may reboot your machine. This is normal.
When finished, it shall produce a log for you. Post that log in your next reply

Note:
Do not mouseclick combofix's window whilst it's running. That may cause it to stall.

---------------------------------------------------------------------------------------------
Re-establish an internet connection.
Open HijackThis and click on 'Do a System Scan and save a Logfile'. Save the log file and post it here.

---------------------------------------------------------------------------------------------

subzerolife · 10-15-2007, 06:40 PM

Hey, i`ve still got issues, but this is the results.

ComboFix 07-10-15.1 - Larry 2007-10-15 20:20:43.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.263 [GMT -4:00]
Script execution time was exceeded on script "C:\ComboFix\osid.vbs".
Script execution was terminated.
Running from: C:\Documents and Settings\Larry.LARCOMP\desktop\combofix.exe
Command switches used :: /killall
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Documents and Settings\Larry.LARCOMP\Application Data\macromedia\Flash Player\#SharedObjects\3L3QDWRH\www.broadcaster.com
C:\Documents and Settings\Larry.LARCOMP\Application Data\macromedia\Flash Player\macromedia.com\support\flashplayer\sys\#www.broadcaster.com
C:\Documents and Settings\Larry.LARCOMP\Application Data\macromedia\Flash Player\macromedia.com\support\flashplayer\sys\#www.broadcaster.com\settings.sol
C:\Documents and Settings\Larry.LARCOMP\Desktop\Error Cleaner.url
C:\Documents and Settings\Larry.LARCOMP\Desktop\Privacy Protector.url
C:\Documents and Settings\Larry.LARCOMP\Desktop\Spyware&Malware Protection.url
C:\Documents and Settings\Larry.LARCOMP\Favorites\Error Cleaner.url
C:\Documents and Settings\Larry.LARCOMP\Favorites\Privacy Protector.url
C:\Documents and Settings\Larry.LARCOMP\Favorites\Spyware&Malware Protection.url
C:\Documents and Settings\Larry\Application Data\install.dat
C:\Documents and Settings\Larry\Application Data\install.dat
C:\Documents and Settings\Larry\Application Data\Sskcwrd.dll
C:\Documents and Settings\Larry\Application Data\Sskknwrd.dll
C:\Documents and Settings\Larry\Application Data\Sskuknwrd.dll
C:\Documents and Settings\Larry\Start Menu\Programs\Startup\zeno.lnk
C:\Documents and Settings\Larry\Start Menu\Programs\Startup\zstart.lnk
C:\Program Files\cas
C:\Program Files\Common Files\{ECA35~1
C:\Program Files\Common Files\asks~1
C:\Program Files\Common Files\asks~1\?asks\
C:\Program Files\Common Files\elitemediagroupoinuninstaller.exe
C:\Program Files\Common Files\uninstall information
C:\Program Files\fcengine
C:\Program Files\fcengine\patterns.dat
C:\Program Files\fcengine\Uninstall.exe
C:\Program Files\Seekmo Programs
C:\WINDOWS\appatc~1
C:\WINDOWS\dat.txt
C:\WINDOWS\keyboard81.dat
C:\WINDOWS\keyboard91.dat
C:\WINDOWS\msvb.dll
C:\WINDOWS\netadv.dll
C:\WINDOWS\rs.txt
C:\WINDOWS\search_res.txt
C:\WINDOWS\sysdx.dll
C:\WINDOWS\system32\components
C:\WINDOWS\system32\components\flx0.dll
C:\WINDOWS\system32\components\flx1.dll
C:\WINDOWS\system32\components\flx2.dll
C:\WINDOWS\system32\components\flx3.dll
C:\WINDOWS\system32\components\flx6.dll
C:\WINDOWS\system32\components\flx7.dll
C:\WINDOWS\system32\components\flx8.dll
C:\WINDOWS\system32\wintsvit.exe
C:\WINDOWS\system32\wintsvit.exe
C:\WINDOWS\win32069083-324832006.exe
C:\WINDOWS\wsremover.exe

.
((((((((((((((((((((((((( Files Created from 2007-09-16 to 2007-10-16 )))))))))))))))))))))))))))))))
.

2007-10-15 20:14 51,200 --a------ C:\WINDOWS\NirCmd.exe
2007-10-15 16:55 120,056 --------- C:\WINDOWS\system32\pxcpyi64.exe
2007-10-15 16:55 118,520 --------- C:\WINDOWS\system32\pxinsi64.exe
2007-10-14 10:24 140,202,521 --a------ C:\Documents and Settings\Larry.LARCOMP\WoW-2.2.3.7359-to-0.3.0.7382-enUS-patch.exe
2007-10-10 23:44 <DIR> d-------- C:\Deckard
2007-10-10 04:33 584,192 -----c--- C:\WINDOWS\system32\dllcache\rpcrt4.dll
2007-10-09 22:43 <DIR> d-------- C:\Program Files\Avira
2007-10-09 22:43 <DIR> d-------- C:\Documents and Settings\All Users.WINDOWS\Application Data\Avira
2007-10-09 16:52 <DIR> d-------- C:\Program Files\SystemDefender
2007-09-17 14:23 823,296 --a------ C:\WINDOWS\system32\divx_xx0c.dll
2007-09-17 14:23 823,296 --a------ C:\WINDOWS\system32\divx_xx07.dll
2007-09-17 14:22 802,816 --a------ C:\WINDOWS\system32\divx_xx11.dll
2007-09-17 14:22 739,840 --a------ C:\WINDOWS\system32\DivX.dll
2007-09-17 01:36 60,273 --a------ C:\WINDOWS\system32\pthreadGC2.dll
2007-09-17 01:36 7,680 --a------ C:\WINDOWS\system32\ff_vfw.dll
2007-09-17 01:22 <DIR> d-------- C:\Program Files\Stardock
2007-09-17 01:22 <DIR> d-------- C:\Program Files\Common Files\Stardock
2007-09-17 01:22 36,864 --a------ C:\WINDOWS\system32\wbsys.dll

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2013-07-06 00:28 --------- d-----w C:\Program Files\Copystar
2011-04-20 12:48 --------- d-----w C:\Program Files\Common Files\Macromedia Shared
2010-12-22 04:22 --------- d-----w C:\Program Files\HyperSnap 6
2010-09-08 21:32 --------- d-----w C:\Program Files\Alcohol Soft
2010-06-15 12:14 --------- d-----w C:\Documents and Settings\Lawrence\Application Data\Keyhole
2010-03-11 21:28 --------- d-----w C:\Program Files\TryMedia
2007-10-16 00:33 --------- d-----w C:\Program Files\Steam
2007-10-16 00:33 --------- d-----w C:\Documents and Settings\Larry.LARCOMP\Application Data\Xfire
2007-10-16 00:13 --------- d-----w C:\Program Files\Virtools Web Player 3.5
2007-10-15 21:02 --------- d-----w C:\Program Files\DivX
2007-10-15 00:32 --------- d-----w C:\Program Files\World of Warcraft
2007-10-10 03:39 --------- d-----w C:\Documents and Settings\Larry.LARCOMP\Application Data\inter bait
2007-09-27 13:54 --------- d-----w C:\Program Files\UI Central
2007-09-17 04:24 --------- d-----w C:\Program Files\Winamp
2007-08-23 03:21 --------- d-----w C:\Documents and Settings\Larry.LARCOMP\Application Data\LimeWire
2005-02-07 06:17 26,520 -c--a-w C:\Documents and Settings\Lawrence\Application Data\GDIPFONTCACHEV1.DAT
2005-01-12 21:01 70,821 -c--a-w C:\Program Files\Kerrigan Armageddon.scx
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IgfxTray"="C:\WINDOWS\System32\igfxtray.exe" [2002-10-16 02:18]
"HotKeysCmds"="C:\WINDOWS\System32\hkcmd.exe" [2002-10-16 02:05]
"DrvLsnr"="C:\Program Files\Analog Devices\SoundMAX\DrvLsnr.exe" [2003-05-08 14:34]
"PRONoMgr.exe"="c:\Program Files\Intel\NCS\PROSet\PRONoMgr.exe" [2002-10-23 10:15]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.5.0_10\bin\jusched.exe" [2006-11-09 16:07]
"AVG7_CC"="C:\PROGRA~1\Grisoft\AVG7\avgcc.exe" [2006-12-29 22:02]
"UserFaultCheck"="C:\WINDOWS\system32\dumprep 0 -u" []
"NetMeter"="C:\Program Files\NetRatingsNetmeter\NetMeter\NielsenOnline.exe" []
"AtiPTA"="atiptaxx.exe" [2006-02-21 20:05 C:\WINDOWS\system32\atiptaxx.exe]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2007-02-16 11:54]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2007-03-14 19:05]
"avgnt"="C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe" [2007-10-10 22:48]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" [2004-10-13 12:24]
"AIM"="C:\Program Files\AIM\aim.exe" [2006-08-01 16:35]
"Yahoo! Pager"="C:\Program Files\Yahoo!\Messenger\ypager.exe" [2005-08-19 23:34]
"RoboForm"="C:\Program Files\Siber Systems\AI RoboForm\RoboTaskBarIcon.exe" [2006-05-01 19:55]
"Fraps"="C:\FRAPS\FRAPS.EXE" [2006-04-30 09:46]
"Steam"="c:\program files\steam\steam.exe" [2007-07-09 00:21]
"BitTorrent"="C:\Program Files\BitTorrent\bittorrent.exe" [2006-12-04 18:28]

C:\Documents and Settings\Larry\Start Menu\Programs\Startup\
OpenOffice.org 1.1.4.lnk - C:\Program Files\OpenOffice\program\quickstart.exe [2004-10-28 01:10:00]

C:\Documents and Settings\Larry.LARCOMP\Start Menu\Programs\Startup\
OpenOffice.org 2.0.lnk - C:\Program Files\OpenOffice.org 2.0\program\quickstart.exe [2005-09-23 16:36:42]
Xfire.lnk - C:\Program Files\Xfire\Xfire.exe [2006-12-15 23:14:25]

C:\Documents and Settings\All Users.WINDOWS\Start Menu\Programs\Startup\
Adobe Reader Speed Launch.lnk - C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2005-09-24 02:05:26]
WinZip Quick Pick.lnk - C:\Program Files\WinZip\WZQKPICK.EXE [2005-04-16 22:55:20]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"DisableCAD"=0 (0x0)

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"DisallowCpl"=0 (0x0)

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\WB]
C:\Program Files\Stardock\Object Desktop\ThemeManager\fastload.dll 2001-12-20 23:34 24576 C:\Program Files\Stardock\Object Desktop\ThemeManager\fastload.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"appinit_dlls"= C:\WINDOWS\system32\spool32.dll,wbsys.dll

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
"Notification Packages"= scecli scecli

R0 Copystar;Copystar;C:\WINDOWS\system32\DRIVERS\copystar.sys
R1 nmconpid;nmconpid;C:\WINDOWS\system32\drivers\nmconpid.sys
R2 CdaD10BA;CdaD10BA;\??\C:\WINDOWS\system32\drivers\CdaD10BA.SYS
S3 kbkzrqfni;kbkzrqfni;\??\C:\Documents and Settings\Larry.LARCOMP\Desktop\Yay\kbkzrqfni.sys
S3 NAL;Nal Service ;\??\C:\WINDOWS\system32\Drivers\iqvw32.sys
S3 nocashio;nocashio;C:\WINDOWS\system32\drivers\nocashio.sys

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\F]
AutoRun\command - F:\setup.exe /autorun
directx\command - F:\DirectX\dxsetup.exe
setup\command - F:\setup.exe

.
Contents of the 'Scheduled Tasks' folder
"2007-10-09 12:39:02 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job"
"2007-10-15 07:16:00 C:\WINDOWS\Tasks\NotWhatYouSee.job"
- C:\Music\Not What You See.wma
.
**************************************************************************

catchme 0.3.1169 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-10-15 20:31:51
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

**************************************************************************
.
Completion time: 2007-10-15 20:36:32 - machine was rebooted
.
--- E O F ---

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 8:39:11 PM, on 10/15/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Avira\AntiVir PersonalEdition Classic\avguard.exe
C:\Program Files\Stardock\Object Desktop\ThemeManager\wbload.exe
C:\Program Files\Avira\AntiVir PersonalEdition Classic\sched.exe
C:\Program Files\ewido anti-spyware 4.0\guard.exe
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\Program Files\Viewpoint\Common\ViewpointService.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Analog Devices\SoundMAX\DrvLsnr.exe
C:\Program Files\Intel\NCS\PROSet\PRONoMgr.exe
C:\Program Files\Java\jre1.5.0_10\bin\jusched.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\AIM\aim.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Siber Systems\AI RoboForm\RoboTaskBarIcon.exe
C:\FRAPS\FRAPS.EXE
C:\Program Files\BitTorrent\bittorrent.exe
C:\Program Files\WinZip\WZQKPICK.EXE
C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
C:\Program Files\OpenOffice.org 2.0\program\soffice.exe
C:\Program Files\OpenOffice.org 2.0\program\soffice.BIN
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe
C:\WINDOWS\system32\taskmgr.exe
C:\WINDOWS\system32\notepad.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Documents and Settings\Larry.LARCOMP\Desktop\HiJackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://softwarereferral.com/jump.php...MjI6Ojg5&lid=2
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: (no name) - {724d43a9-0d85-11d4-9908-00400523e39a} - C:\Program Files\Siber Systems\AI RoboForm\roboform.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_10\bin\ssv.dll
O3 - Toolbar: FlashGet Bar - {E0E899AB-F487-11D5-8D29-0050BA6940E3} - C:\PROGRA~1\FlashGet\fgiebar.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O3 - Toolbar: &RoboForm - {724d43a0-0d85-11d4-9908-00400523e39a} - C:\Program Files\Siber Systems\AI RoboForm\roboform.dll
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [DrvLsnr] C:\Program Files\Analog Devices\SoundMAX\DrvLsnr.exe
O4 - HKLM\..\Run: [PRONoMgr.exe] c:\Program Files\Intel\NCS\PROSet\PRONoMgr.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.5.0_10\bin\jusched.exe"
O4 - HKLM\..\Run: [UserFaultCheck] %systemroot%\system32\dumprep 0 -u
O4 - HKLM\..\Run: [NetMeter] C:\Program Files\NetRatingsNetmeter\NetMeter\NielsenOnline.exe
O4 - HKLM\..\Run: [AtiPTA] atiptaxx.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [avgnt] "C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe" /min
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM\aim.exe -cnetwait.odl
O4 - HKCU\..\Run: [Yahoo! Pager] C:\Program Files\Yahoo!\Messenger\ypager.exe -quiet
O4 - HKCU\..\Run: [RoboForm] "C:\Program Files\Siber Systems\AI RoboForm\RoboTaskBarIcon.exe"
O4 - HKCU\..\Run: [Fraps] C:\FRAPS\FRAPS.EXE
O4 - HKCU\..\Run: [Steam] "c:\program files\steam\steam.exe" -silent
O4 - HKCU\..\Run: [BitTorrent] "C:\Program Files\BitTorrent\bittorrent.exe" --force_start_minimized
O4 - Startup: OpenOffice.org 2.0.lnk = C:\Program Files\OpenOffice.org 2.0\program\quickstart.exe
O4 - Startup: Xfire.lnk = C:\Program Files\Xfire\Xfire.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
O8 - Extra context menu item: &AIM Search - res://C:\Program Files\AIM Toolbar\AIMBar.dll/aimsearch.htm
O8 - Extra context menu item: &Search - ?p=ZJ
O8 - Extra context menu item: Customize Menu - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComCustomizeIEMenu.html
O8 - Extra context menu item: Download All by FlashGet - C:\Program Files\FlashGet\jc_all.htm
O8 - Extra context menu item: Download using FlashGet - C:\Program Files\FlashGet\jc_link.htm
O8 - Extra context menu item: Fill Forms - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComFillForms.html
O8 - Extra context menu item: RoboForm Toolbar - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComShowToolbar.html
O8 - Extra context menu item: Save Forms - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComSavePass.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_10\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_10\bin\ssv.dll
O9 - Extra button: Fill Forms - {320AF880-6646-11D3-ABEE-C5DBF3571F46} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComFillForms.html
O9 - Extra 'Tools' menuitem: Fill Forms - {320AF880-6646-11D3-ABEE-C5DBF3571F46} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComFillForms.html
O9 - Extra button: Save - {320AF880-6646-11D3-ABEE-C5DBF3571F49} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComSavePass.html
O9 - Extra 'Tools' menuitem: Save Forms - {320AF880-6646-11D3-ABEE-C5DBF3571F49} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComSavePass.html
O9 - Extra button: RoboForm - {724d43aa-0d85-11d4-9908-00400523e39a} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComShowToolbar.html
O9 - Extra 'Tools' menuitem: RoboForm Toolbar - {724d43aa-0d85-11d4-9908-00400523e39a} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComShowToolbar.html
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - C:\Program Files\FlashGet\flashget.exe
O9 - Extra 'Tools' menuitem: &FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - C:\Program Files\FlashGet\flashget.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .pdf: C:\Program Files\Internet Explorer\PLUGINS\nppdf32.dll
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
O16 - DPF: {BE833F39-1E0C-468C-BA70-25AAEE55775E} (System Requirements Lab) - http://www.systemrequirementslab.com/sysreqlab.cab
O16 - DPF: {D77EF652-9A6B-40C8-A4B9-1C0697C6CF41} (TikGames Online Control) - http://download.games.yahoo.com/game...nematycoon.cab
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://download.games.yahoo.com/game...ploader_v6.cab
O20 - AppInit_DLLs: C:\WINDOWS\system32\spool32.dll,wbsys.dll
O23 - Service: AntiVir PersonalEdition Classic Scheduler (AntiVirScheduler) - Avira GmbH - C:\Program Files\Avira\AntiVir PersonalEdition Classic\sched.exe
O23 - Service: AntiVir PersonalEdition Classic Guard (AntiVirService) - Avira GmbH - C:\Program Files\Avira\AntiVir PersonalEdition Classic\avguard.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: ewido anti-spyware 4.0 guard - Anti-Malware Development a.s. - C:\Program Files\ewido anti-spyware 4.0\guard.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Intel NCS NetService (NetSvc) - Intel(R) Corporation - c:\Program Files\Intel\NCS\Sync\NetSvc.exe
O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exe

--
End of file - 9241 bytes

tetonbob · 10-15-2007, 07:25 PM

This machine was pretty messed up, and will take a while to clean.

Before we go to the next step, I need more information.

What is this folder for?

C:\Documents and Settings\Larry.LARCOMP\Desktop\Yay

Create an uninstall list:

Open HiJackThis
Click on the button " Open the Misc Tools section"
Click on the Box that says "Open Uninstall Manager"
Click on the button "Save list"
Copy and past the List from the notepad file into your post

Download fl.zip
Extract the contents to a new folder on your Desktop.
Within the folder, locate & double-click fl.bat.
It should produce a report at c:\findlop.txt. Post the contents of the report in your next reply

subzerolife · 10-15-2007, 08:05 PM

Quote:

Originally Posted by tetonbob

10-10-2007, 09:27 PM	#1 (permalink)
subzerolife Registered User Join Date: Oct 2007 Posts: 13 OS: Windows XP Pro Service Pack 2	Lots of issues I have spyware and viruses that just wont go away, and i`m finally looking for help on the issues. I currently run Ad-Aware, Spybot Search and Destroy, and because my license on AVG ran out and I don`t have the cash to buy a new one, i`ve been using Avira AntiVir for an antivirus. All of these are fully updated, as well. I use XP Service Pack 2. I would have used the Panda scan but the page "Scan your PC now" linked to was blank. I am currently doing a dss scan, but it its taking a while, so I will post the results in the morning, Here is my HijackThis log. Any help would be appreciated :) I know this is all people giving up their free time to help others out. By the way, I do not know why there are like 3 winzips running, I see no indication of them. Logfile of Trend Micro HijackThis v2.0.2 Scan saved at 11:25:36 PM, on 10/10/2007 Platform: Windows XP SP2 (WinNT 5.01.2600) MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180) Boot mode: Normal Running processes: C:\WINDOWS\System32\smss.exe C:\WINDOWS\system32\winlogon.exe C:\WINDOWS\system32\services.exe C:\WINDOWS\system32\lsass.exe C:\WINDOWS\system32\Ati2evxx.exe C:\WINDOWS\system32\svchost.exe C:\WINDOWS\System32\svchost.exe C:\WINDOWS\system32\Ati2evxx.exe C:\WINDOWS\system32\spoolsv.exe C:\Program Files\Stardock\Object Desktop\ThemeManager\wbload.exe C:\PROGRA~1\Grisoft\AVG7\avgemc.exe C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe C:\Program Files\Lavasoft\Ad-Aware SE Personal\Ad-Aware.exe C:\Program Files\Avira\AntiVir PersonalEdition Classic\avguard.exe C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe C:\Program Files\Avira\AntiVir PersonalEdition Classic\sched.exe C:\Program Files\Avira\AntiVir PersonalEdition Classic\avcenter.exe C:\Program Files\Avira\AntiVir PersonalEdition Classic\avscan.exe C:\WINDOWS\system32\taskmgr.exe C:\Program Files\Mozilla Firefox\firefox.exe C:\PROGRA~1\WINZIP\winzip32.exe C:\PROGRA~1\WINZIP\winzip32.exe C:\PROGRA~1\WINZIP\winzip32.exe C:\Documents and Settings\Larry.LARCOMP\Desktop\HiJackThis.exe R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = about:blank R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://softwarereferral.com/jump.php...MjI6Ojg5&lid=2 R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = about:blank R3 - Default URLSearchHook is missing F2 - REG:system.ini: UserInit=userinit.exe O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll O2 - BHO: MSVPS System - {05F79890-CFA6-4D53-87BC-2F390DA6645E} - C:\WINDOWS\bndsrsvk.dll O2 - BHO: (no name) - {3C1F6EAF-612B-478F-BF2D-6ABD825905A8} - C:\WINDOWS\system32\awvtu.dll (file missing) O2 - BHO: (no name) - {724d43a9-0d85-11d4-9908-00400523e39a} - C:\Program Files\Siber Systems\AI RoboForm\roboform.dll O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_10\bin\ssv.dll O3 - Toolbar: FlashGet Bar - {E0E899AB-F487-11D5-8D29-0050BA6940E3} - C:\PROGRA~1\FlashGet\fgiebar.dll O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll O3 - Toolbar: &RoboForm - {724d43a0-0d85-11d4-9908-00400523e39a} - C:\Program Files\Siber Systems\AI RoboForm\roboform.dll O3 - Toolbar: The netadv - {899B0EF2-E0BE-41BA-BB41-0ABFB232813C} - C:\WINDOWS\netadv.dll O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe O4 - HKLM\..\Run: [DrvLsnr] C:\Program Files\Analog Devices\SoundMAX\DrvLsnr.exe O4 - HKLM\..\Run: [PRONoMgr.exe] c:\Program Files\Intel\NCS\PROSet\PRONoMgr.exe O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.5.0_10\bin\jusched.exe" O4 - HKLM\..\Run: [RoamMfcdLiesThis] C:\Documents and Settings\All Users.WINDOWS\Application Data\nurb surf roam mfcd\Hidepure.exe O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP O4 - HKLM\..\Run: [{35-59-95-55-ZN}] c:\windows\system32\qpdsregs.exe FI002 O4 - HKLM\..\Run: [w774c9b8.dll] RUNDLL32.EXE w774c9b8.dll,I2 00024aaf0774c9b8 O4 - HKLM\..\Run: [UserFaultCheck] %systemroot%\system32\dumprep 0 -u O4 - HKLM\..\Run: [NetMeter] C:\Program Files\NetRatingsNetmeter\NetMeter\NielsenOnline.exe O4 - HKLM\..\Run: [win32069083-32483] C:\WINDOWS\win32069083-32483.exe O4 - HKLM\..\Run: [ms04839083-324] C:\WINDOWS\ms04839083-324.exe O4 - HKLM\..\Run: [ms0539083-3248] C:\WINDOWS\ms0539083-3248.exe O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k O4 - HKLM\..\Run: [AtiPTA] atiptaxx.exe O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe" O4 - HKLM\..\Run: [My Web Search Bar] rundll32 C:\PROGRA~1\MYWEBS~1\bar\1.bin\MWSBAR.DLL,S O4 - HKLM\..\Run: [avgnt] "C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe" /min O4 - HKLM\..\RunServices: [stratas] lockx.exe O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM\aim.exe -cnetwait.odl O4 - HKCU\..\Run: [stratas] lockx.exe O4 - HKCU\..\Run: [actx1.exe] C:\Documents and Settings\Larry.LARCOMP\Application Data\System Restore\actx1.exe O4 - HKCU\..\Run: [zqactx1.exe] C:\WINDOWS\System32\zqactx1.exe O4 - HKCU\..\Run: [Yahoo! Pager] C:\Program Files\Yahoo!\Messenger\ypager.exe -quiet O4 - HKCU\..\Run: [RoboForm] "C:\Program Files\Siber Systems\AI RoboForm\RoboTaskBarIcon.exe" O4 - HKCU\..\Run: [Fraps] C:\FRAPS\FRAPS.EXE O4 - HKCU\..\Run: [Steam] "c:\program files\steam\steam.exe" -silent O4 - HKCU\..\Run: [Asbr] "C:\PROGRA~1\COMMON~1\ASKS~1\wuaclt.exe" -vt yax O4 - HKCU\..\Run: [Waj] C:\WINDOWS\APPATC~1\rundll32.exe O4 - HKCU\..\Run: [BitTorrent] "C:\Program Files\BitTorrent\bittorrent.exe" --force_start_minimized O4 - HKCU\..\Run: [My Web Search Community Tools] "C:\Program Files\MyWebSearch\bar\1.bin\m3IMPipe.exe" O4 - HKLM\..\Policies\Explorer\Run: [ishost.exe] ishost.exe O4 - HKLM\..\Policies\Explorer\Run: [issearch.exe] issearch.exe O4 - HKLM\..\Policies\Explorer\Run: [kernel32.dll] C:\WINDOWS\system32\isnotify.exe O4 - HKLM\..\Policies\Explorer\Run: [vpnxgv] C:\DOCUME~1\LARRY~1.LAR\LOCALS~1\Temp\vpnxgv.exe O4 - HKCU\..\Policies\Explorer\Run: [{ECA35955-07CA-1033-0528-020326200001}] "C:\Program Files\Common Files\{ECA35955-07CA-1033-0528-020326200001}\Update.exe" mc-110-12-0000272 O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'LOCAL SERVICE') O4 - HKUS\S-1-5-20\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'NETWORK SERVICE') O4 - HKUS\S-1-5-18\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'SYSTEM') O4 - HKUS\.DEFAULT\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'Default user') O4 - Startup: OpenOffice.org 2.0.lnk = C:\Program Files\OpenOffice.org 2.0\program\quickstart.exe O4 - Startup: Xfire.lnk = C:\Program Files\Xfire\Xfire.exe O4 - Startup: Zeno.lnk = C:\WINDOWS\eliteunstall.exe O4 - Startup: Z_Start.lnk = C:\WINDOWS\system32\dwdsregt.exe O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE O8 - Extra context menu item: &AIM Search - res://C:\Program Files\AIM Toolbar\AIMBar.dll/aimsearch.htm O8 - Extra context menu item: &Search - http://edits.mywebsearch.com/toolbar...rch.jhtml?p=ZJ O8 - Extra context menu item: Customize Menu - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComCustomizeIEMenu.html O8 - Extra context menu item: Download All by FlashGet - C:\Program Files\FlashGet\jc_all.htm O8 - Extra context menu item: Download using FlashGet - C:\Program Files\FlashGet\jc_link.htm O8 - Extra context menu item: Fill Forms - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComFillForms.html O8 - Extra context menu item: RoboForm Toolbar - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComShowToolbar.html O8 - Extra context menu item: Save Forms - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComSavePass.html O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_10\bin\ssv.dll O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_10\bin\ssv.dll O9 - Extra button: Fill Forms - {320AF880-6646-11D3-ABEE-C5DBF3571F46} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComFillForms.html O9 - Extra 'Tools' menuitem: Fill Forms - {320AF880-6646-11D3-ABEE-C5DBF3571F46} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComFillForms.html O9 - Extra button: Save - {320AF880-6646-11D3-ABEE-C5DBF3571F49} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComSavePass.html O9 - Extra 'Tools' menuitem: Save Forms - {320AF880-6646-11D3-ABEE-C5DBF3571F49} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComSavePass.html O9 - Extra button: RoboForm - {724d43aa-0d85-11d4-9908-00400523e39a} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComShowToolbar.html O9 - Extra 'Tools' menuitem: RoboForm Toolbar - {724d43aa-0d85-11d4-9908-00400523e39a} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComShowToolbar.html O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe O9 - Extra button: FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - C:\Program Files\FlashGet\flashget.exe O9 - Extra 'Tools' menuitem: &FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - C:\Program Files\FlashGet\flashget.exe O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe O12 - Plugin for .pdf: C:\Program Files\Internet Explorer\PLUGINS\nppdf32.dll O15 - Trusted Zone: .elitemediagroup.net O15 - Trusted Zone: http://click.getmirar.com (HKLM) O15 - Trusted Zone: http://click.mirarsearch.com (HKLM) O15 - Trusted Zone: http://redirect.mirarsearch.com (HKLM) O16 - DPF: sptbaxcab - http://www.try2find.com/toolbar/setup/sptbax.cab O16 - DPF: {0645D7F3-C20E-4E0B-A545-557527497C0B} (NMInstall Control) - http://a14.g.akamai.net/f/14/7141/1d...APANEL_USA.cab O16 - DPF: {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - http://liveca06.rightnowtech.com/7020-b375h/rnl/java O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204 O16 - DPF: {26098EA2-C95D-48EA-89B4-63C5A63BD42F} - http://www.pacimedia.com/install/pcs_0002.exe O16 - DPF: {2D2BEE6E-3C9A-4D58-B9EC-458EDB28D0F6} - http://drivecleaner.com/.freeware/in...eanerstart.cab O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll O16 - DPF: {41ACD49D-1974-791A-0981-AA9872721044} (Ganymede Board Games) - http://67.15.101.3/g_bin/eng/boards_2_0_0_24.cab O16 - DPF: {5526B4C6-63D6-41A1-9783-0FABF529859A} - http://cabs.elitemediagroup.net/cabs/mediaview.cab O16 - DPF: {74CD40EA-EF77-4BAD-808A-B5982DA73F20} - http://yax-download.yazzle.net/Yazzl...cab?refid=1123 O16 - DPF: {BE833F39-1E0C-468C-BA70-25AAEE55775E} (System Requirements Lab) - http://www.systemrequirementslab.com/sysreqlab.cab O16 - DPF: {C4925E65-7A1E-11D2-8BB4-00A0C9CC72C3} (Virtools WebPlayer Class) - http://a532.g.akamai.net/f/532/6712/.../installer.exe O16 - DPF: {D77EF652-9A6B-40C8-A4B9-1C0697C6CF41} (TikGames Online Control) - http://download.games.yahoo.com/game...nematycoon.cab O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://download.games.yahoo.com/game...ploader_v6.cab O16 - DPF: {F919FBD3-A96B-4679-AF26-F551439BB5FD} - http://www.systemdoctor.com/download...reeInstall.cab O20 - AppInit_DLLs: C:\WINDOWS\system32\spool32.dll,wbsys.dll O20 - Winlogon Notify: Telephony - C:\WINDOWS\system32\ktpul7791.dll (file missing) O20 - Winlogon Notify: winjks32 - winjks32.dll (file missing) O21 - SSODL: incestuously - {03413bf7-e34c-445b-bfc0-a2b127255871} - (no file) O21 - SSODL: msvb - {FFC17CE6-92F4-480A-9912-75B005FEA2E3} - C:\WINDOWS\msvb.dll O21 - SSODL: sysdx - {7A68DD46-B37E-405D-B25D-FDD99C6BC7C5} - C:\WINDOWS\sysdx.dll O22 - SharedTaskScheduler: {03413bf7-e34c-445b-bfc0-a2b127255871} - incestuously - (no file) O23 - Service: AntiVir PersonalEdition Classic Scheduler (AntiVirScheduler) - Avira GmbH - C:\Program Files\Avira\AntiVir PersonalEdition Classic\sched.exe O23 - Service: AntiVir PersonalEdition Classic Guard (AntiVirService) - Avira GmbH - C:\Program Files\Avira\AntiVir PersonalEdition Classic\avguard.exe O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgemc.exe O23 - Service: ewido anti-spyware 4.0 guard - Anti-Malware Development a.s. - C:\Program Files\ewido anti-spyware 4.0\guard.exe O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe O23 - Service: Intel NCS NetService (NetSvc) - Intel(R) Corporation - c:\Program Files\Intel\NCS\Sync\NetSvc.exe O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exe O24 - Desktop Component 0: Privacy Protection - file:///C:\WINDOWS\privacy_danger\index.htm -- End of file - 13859 bytes Last edited by subzerolife : 10-10-2007 at 09:52 PM.*

10-13-2007, 07:31 PM	#3 (permalink)
tetonbob Manager, Security Center, TSF Academy; Analyst, Security Team Join Date: Jan 2005 Location: Transylvania County, North Carolina, USA Posts: 26,752 OS: 2000 Pro; XP Pro; XP Home	Re: Lots of issues Hello, and Welcome to TSF. Yuck....you've got evidence of several inactive old infections, as well as a new one. What have you been doing on the internet? Please subscribe to this thread to get immediate notification of replies as soon as they are posted. To do this click Thread Tools, then click Subscribe to this Thread. Make sure it is set to Instant Notification, then click Subscribe. Before beginning the fix, read this post completely. If there's anything that you do not understand, kindly ask your questions before proceeding. Ensure that there aren't any opened browsers when you are carrying out the procedures below. Save the following instructions in Notepad as this webpage would not be available when you're carrying out the fix. It is IMPORTANT that you don't miss a step & perform everything in the correct order/sequence. --------------------------------------------------------------------------------------------- I see you have more than one Anti-Virus program installed, AVG and Avira. While this may seem like greater protection, it can cause problems including slowdowns and system hangs. It can also prevent the AV from doing it's job. Choose one to keep and uninstall the other. Any antivirus program must be removed via add/remove program. For any program that doesn't have an add/remove entry, you will have to do this: re-install the program -> reboot -> uninstall ----------------------------------------------------------------------- Download this file - http://download.bleepingcomputer.com...a/ComboFix.exe * IMPORTANT !!! Place combofix.exe on your Desktop Disconnect from the internet....pull the plug! Open HijackThis and click on 'Do a System Scan Only'. Check the following entries if they exist (make sure you do not miss any) and click Fix Checked R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = about:blank R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://softwarereferral.com/jump.php...MjI6Ojg5&lid=2 R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = about:blank R3 - Default URLSearchHook is missing O2 - BHO: MSVPS System - {05F79890-CFA6-4D53-87BC-2F390DA6645E} - C:\WINDOWS\bndsrsvk.dll O2 - BHO: (no name) - {3C1F6EAF-612B-478F-BF2D-6ABD825905A8} - C:\WINDOWS\system32\awvtu.dll (file missing) O3 - Toolbar: The netadv - {899B0EF2-E0BE-41BA-BB41-0ABFB232813C} - C:\WINDOWS\netadv.dll O4 - HKLM\..\Run: [RoamMfcdLiesThis] C:\Documents and Settings\All Users.WINDOWS\Application Data\nurb surf roam mfcd\Hidepure.exe O4 - HKLM\..\Run: [{35-59-95-55-ZN}] c:\WINDOWS\system32\qpdsregs.exe FI002 O4 - HKLM\..\Run: [w774c9b8.dll] RUNDLL32.EXE w774c9b8.dll,I2 00024aaf0774c9b8 O4 - HKLM\..\Run: [win32069083-32483] C:\WINDOWS\win32069083-32483.exe O4 - HKLM\..\Run: [ms04839083-324] C:\WINDOWS\ms04839083-324.exe O4 - HKLM\..\Run: [ms0539083-3248] C:\WINDOWS\ms0539083-3248.exe O4 - HKLM\..\Run: [My Web Search Bar] rundll32 C:\PROGRA~1\MYWEBS~1\bar\1.bin\MWSBAR.DLL,S O4 - HKLM\..\RunServices: [stratas] lockx.exe O4 - HKCU\..\Run: [stratas] lockx.exe O4 - HKCU\..\Run: [actx1.exe] C:\Documents and Settings\Larry.LARCOMP\Application Data\System Restore\actx1.exe O4 - HKCU\..\Run: [zqactx1.exe] C:\WINDOWS\System32\zqactx1.exe O4 - HKCU\..\Run: [Asbr] "C:\PROGRA~1\COMMON~1\ASKS~1\wuaclt.exe" -vt yax O4 - HKCU\..\Run: [Waj] C:\WINDOWS\APPATC~1\rundll32.exe O4 - HKCU\..\Run: [My Web Search Community Tools] "C:\Program Files\MyWebSearch\bar\1.bin\m3IMPipe.exe" O4 - HKLM\..\Policies\Explorer\Run: [ishost.exe] ishost.exe O4 - HKLM\..\Policies\Explorer\Run: [issearch.exe] issearch.exe O4 - HKLM\..\Policies\Explorer\Run: [kernel32.dll] C:\WINDOWS\system32\isnotify.exe O4 - HKLM\..\Policies\Explorer\Run: [vpnxgv] C:\DOCUME~1\LARRY~1.LAR\LOCALS~1\Temp\vpnxgv.exe O4 - HKCU\..\Policies\Explorer\Run: [{ECA35955-07CA-1033-0528-020326200001}] "C:\Program Files\Common Files\{ECA35955-07CA-1033-0528-020326200001}\Update.exe" mc-110-12-0000272 O4 - Startup: Zeno.lnk = C:\WINDOWS\eliteunstall.exe O4 - Startup: Z_Start.lnk = C:\WINDOWS\system32\dwdsregt.exe O8 - Extra context menu item: &Search - http://edits.mywebsearch.com/toolbar...rch.jhtml?p=ZJ O15 - Trusted Zone: .elitemediagroup.net O15 - Trusted Zone: http://click.getmirar.com (HKLM) O15 - Trusted Zone: http://click.mirarsearch.com (HKLM) O15 - Trusted Zone: http://redirect.mirarsearch.com (HKLM) O16 - DPF: sptbaxcab - http://www.try2find.com/toolbar/setup/sptbax.cab O16 - DPF: {0645D7F3-C20E-4E0B-A545-557527497C0B} (NMInstall Control) - http://a14.g.akamai.net/f/14/7141/1d...APANEL_USA.cab O16 - DPF: {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - http://liveca06.rightnowtech.com/7020-b375h/rnl/java O16 - DPF: {26098EA2-C95D-48EA-89B4-63C5A63BD42F} - http://www.pacimedia.com/install/pcs_0002.exe O16 - DPF: {2D2BEE6E-3C9A-4D58-B9EC-458EDB28D0F6} - http://drivecleaner.com/.freeware/in...eanerstart.cab O16 - DPF: {41ACD49D-1974-791A-0981-AA9872721044} (Ganymede Board Games) - http://67.15.101.3/g_bin/eng/boards_2_0_0_24.cab O16 - DPF: {5526B4C6-63D6-41A1-9783-0FABF529859A} - http://cabs.elitemediagroup.net/cabs/mediaview.cab O16 - DPF: {74CD40EA-EF77-4BAD-808A-B5982DA73F20} - http://yax-download.yazzle.net/Yazzl...cab?refid=1123 O16 - DPF: {C4925E65-7A1E-11D2-8BB4-00A0C9CC72C3} (Virtools WebPlayer Class) - http://a532.g.akamai.net/f/532/6712/.../installer.exe O16 - DPF: {F919FBD3-A96B-4679-AF26-F551439BB5FD} - http://www.systemdoctor.com/download...reeInstall.cab O20 - Winlogon Notify: Telephony - C:\WINDOWS\system32\ktpul7791.dll (file missing) O20 - Winlogon Notify: winjks32 - winjks32.dll (file missing) O21 - SSODL: incestuously - {03413bf7-e34c-445b-bfc0-a2b127255871} - (no file) O21 - SSODL: msvb - {FFC17CE6-92F4-480A-9912-75B005FEA2E3} - C:\WINDOWS\msvb.dll O21 - SSODL: sysdx - {7A68DD46-B37E-405D-B25D-FDD99C6BC7C5} - C:\WINDOWS\sysdx.dll O22 - SharedTaskScheduler: {03413bf7-e34c-445b-bfc0-a2b127255871} - incestuously - (no file) O24 - Desktop Component 0: Privacy Protection - file:///C:\WINDOWS\privacy_danger\index.htm Close HijackThis now. --------------------------------------------------------------------------------------------- Go to -> Run -> paste* in the following single line command & click OK "%userprofile%\desktop\combofix.exe" /killall Follow the prompts. Type "1" and press Enter to begin the scan. Your desktop may go blank. This is normal. It will return when ComboFix is done. ComboFix may reboot your machine. This is normal. When finished, it shall produce a log for you. Post that log in your next reply Note: Do not mouseclick combofix's window whilst it's running. That may cause it to stall. --------------------------------------------------------------------------------------------- Re-establish an internet connection. Open HijackThis and click on 'Do a System Scan and save a Logfile'. Save the log file and post it here. --------------------------------------------------------------------------------------------- __________________ Practice Safe Surfing PC Safety and Security--What Do I Need? Because what you don't know, CAN hurt you. Proud Member of ASAP since 2005 Proud Member of UNITE since 2006 Please do not ask for help via Private Message.

10-15-2007, 06:40 PM	#4 (permalink)
subzerolife Registered User Join Date: Oct 2007 Posts: 13 OS: Windows XP Pro Service Pack 2	Re: Lots of issues Hey, i`ve still got issues, but this is the results. ComboFix 07-10-15.1 - Larry 2007-10-15 20:20:43.1 - NTFSx86 Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.263 [GMT -4:00] Script execution time was exceeded on script "C:\ComboFix\osid.vbs". Script execution was terminated. Running from: C:\Documents and Settings\Larry.LARCOMP\desktop\combofix.exe Command switches used :: /killall . ((((((((((((((((((((((((((((((((((((((( Other Deletions ))))))))))))))))))))))))))))))))))))))))))))))))) . C:\Documents and Settings\Larry.LARCOMP\Application Data\macromedia\Flash Player\#SharedObjects\3L3QDWRH\www.broadcaster.com C:\Documents and Settings\Larry.LARCOMP\Application Data\macromedia\Flash Player\macromedia.com\support\flashplayer\sys\#www.broadcaster.com C:\Documents and Settings\Larry.LARCOMP\Application Data\macromedia\Flash Player\macromedia.com\support\flashplayer\sys\#www.broadcaster.com\settings.sol C:\Documents and Settings\Larry.LARCOMP\Desktop\Error Cleaner.url C:\Documents and Settings\Larry.LARCOMP\Desktop\Privacy Protector.url C:\Documents and Settings\Larry.LARCOMP\Desktop\Spyware&Malware Protection.url C:\Documents and Settings\Larry.LARCOMP\Favorites\Error Cleaner.url C:\Documents and Settings\Larry.LARCOMP\Favorites\Privacy Protector.url C:\Documents and Settings\Larry.LARCOMP\Favorites\Spyware&Malware Protection.url C:\Documents and Settings\Larry\Application Data\install.dat C:\Documents and Settings\Larry\Application Data\install.dat C:\Documents and Settings\Larry\Application Data\Sskcwrd.dll C:\Documents and Settings\Larry\Application Data\Sskknwrd.dll C:\Documents and Settings\Larry\Application Data\Sskuknwrd.dll C:\Documents and Settings\Larry\Start Menu\Programs\Startup\zeno.lnk C:\Documents and Settings\Larry\Start Menu\Programs\Startup\zstart.lnk C:\Program Files\cas C:\Program Files\Common Files\{ECA35~1 C:\Program Files\Common Files\asks~1 C:\Program Files\Common Files\asks~1\?asks\ C:\Program Files\Common Files\elitemediagroupoinuninstaller.exe C:\Program Files\Common Files\uninstall information C:\Program Files\fcengine C:\Program Files\fcengine\patterns.dat C:\Program Files\fcengine\Uninstall.exe C:\Program Files\Seekmo Programs C:\WINDOWS\appatc~1 C:\WINDOWS\dat.txt C:\WINDOWS\keyboard81.dat C:\WINDOWS\keyboard91.dat C:\WINDOWS\msvb.dll C:\WINDOWS\netadv.dll C:\WINDOWS\rs.txt C:\WINDOWS\search_res.txt C:\WINDOWS\sysdx.dll C:\WINDOWS\system32\components C:\WINDOWS\system32\components\flx0.dll C:\WINDOWS\system32\components\flx1.dll C:\WINDOWS\system32\components\flx2.dll C:\WINDOWS\system32\components\flx3.dll C:\WINDOWS\system32\components\flx6.dll C:\WINDOWS\system32\components\flx7.dll C:\WINDOWS\system32\components\flx8.dll C:\WINDOWS\system32\wintsvit.exe C:\WINDOWS\system32\wintsvit.exe C:\WINDOWS\win32069083-324832006.exe C:\WINDOWS\wsremover.exe . ((((((((((((((((((((((((( Files Created from 2007-09-16 to 2007-10-16 ))))))))))))))))))))))))))))))) . 2007-10-15 20:14 51,200 --a------ C:\WINDOWS\NirCmd.exe 2007-10-15 16:55 120,056 --------- C:\WINDOWS\system32\pxcpyi64.exe 2007-10-15 16:55 118,520 --------- C:\WINDOWS\system32\pxinsi64.exe 2007-10-14 10:24 140,202,521 --a------ C:\Documents and Settings\Larry.LARCOMP\WoW-2.2.3.7359-to-0.3.0.7382-enUS-patch.exe 2007-10-10 23:44 <DIR> d-------- C:\Deckard 2007-10-10 04:33 584,192 -----c--- C:\WINDOWS\system32\dllcache\rpcrt4.dll 2007-10-09 22:43 <DIR> d-------- C:\Program Files\Avira 2007-10-09 22:43 <DIR> d-------- C:\Documents and Settings\All Users.WINDOWS\Application Data\Avira 2007-10-09 16:52 <DIR> d-------- C:\Program Files\SystemDefender 2007-09-17 14:23 823,296 --a------ C:\WINDOWS\system32\divx_xx0c.dll 2007-09-17 14:23 823,296 --a------ C:\WINDOWS\system32\divx_xx07.dll 2007-09-17 14:22 802,816 --a------ C:\WINDOWS\system32\divx_xx11.dll 2007-09-17 14:22 739,840 --a------ C:\WINDOWS\system32\DivX.dll 2007-09-17 01:36 60,273 --a------ C:\WINDOWS\system32\pthreadGC2.dll 2007-09-17 01:36 7,680 --a------ C:\WINDOWS\system32\ff_vfw.dll 2007-09-17 01:22 <DIR> d-------- C:\Program Files\Stardock 2007-09-17 01:22 <DIR> d-------- C:\Program Files\Common Files\Stardock 2007-09-17 01:22 36,864 --a------ C:\WINDOWS\system32\wbsys.dll . (((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))) . 2013-07-06 00:28 --------- d-----w C:\Program Files\Copystar 2011-04-20 12:48 --------- d-----w C:\Program Files\Common Files\Macromedia Shared 2010-12-22 04:22 --------- d-----w C:\Program Files\HyperSnap 6 2010-09-08 21:32 --------- d-----w C:\Program Files\Alcohol Soft 2010-06-15 12:14 --------- d-----w C:\Documents and Settings\Lawrence\Application Data\Keyhole 2010-03-11 21:28 --------- d-----w C:\Program Files\TryMedia 2007-10-16 00:33 --------- d-----w C:\Program Files\Steam 2007-10-16 00:33 --------- d-----w C:\Documents and Settings\Larry.LARCOMP\Application Data\Xfire 2007-10-16 00:13 --------- d-----w C:\Program Files\Virtools Web Player 3.5 2007-10-15 21:02 --------- d-----w C:\Program Files\DivX 2007-10-15 00:32 --------- d-----w C:\Program Files\World of Warcraft 2007-10-10 03:39 --------- d-----w C:\Documents and Settings\Larry.LARCOMP\Application Data\inter bait 2007-09-27 13:54 --------- d-----w C:\Program Files\UI Central 2007-09-17 04:24 --------- d-----w C:\Program Files\Winamp 2007-08-23 03:21 --------- d-----w C:\Documents and Settings\Larry.LARCOMP\Application Data\LimeWire 2005-02-07 06:17 26,520 -c--a-w C:\Documents and Settings\Lawrence\Application Data\GDIPFONTCACHEV1.DAT 2005-01-12 21:01 70,821 -c--a-w C:\Program Files\Kerrigan Armageddon.scx . ((((((((((((((((((((((((((((((((((((( Reg Loading Points )))))))))))))))))))))))))))))))))))))))))))))))))) . . Note empty entries & legit default entries are not shown [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] "IgfxTray"="C:\WINDOWS\System32\igfxtray.exe" [2002-10-16 02:18] "HotKeysCmds"="C:\WINDOWS\System32\hkcmd.exe" [2002-10-16 02:05] "DrvLsnr"="C:\Program Files\Analog Devices\SoundMAX\DrvLsnr.exe" [2003-05-08 14:34] "PRONoMgr.exe"="c:\Program Files\Intel\NCS\PROSet\PRONoMgr.exe" [2002-10-23 10:15] "SunJavaUpdateSched"="C:\Program Files\Java\jre1.5.0_10\bin\jusched.exe" [2006-11-09 16:07] "AVG7_CC"="C:\PROGRA~1\Grisoft\AVG7\avgcc.exe" [2006-12-29 22:02] "UserFaultCheck"="C:\WINDOWS\system32\dumprep 0 -u" [] "NetMeter"="C:\Program Files\NetRatingsNetmeter\NetMeter\NielsenOnline.exe" [] "AtiPTA"="atiptaxx.exe" [2006-02-21 20:05 C:\WINDOWS\system32\atiptaxx.exe] "QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2007-02-16 11:54] "iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2007-03-14 19:05] "avgnt"="C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe" [2007-10-10 22:48] [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] "MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" [2004-10-13 12:24] "AIM"="C:\Program Files\AIM\aim.exe" [2006-08-01 16:35] "Yahoo! Pager"="C:\Program Files\Yahoo!\Messenger\ypager.exe" [2005-08-19 23:34] "RoboForm"="C:\Program Files\Siber Systems\AI RoboForm\RoboTaskBarIcon.exe" [2006-05-01 19:55] "Fraps"="C:\FRAPS\FRAPS.EXE" [2006-04-30 09:46] "Steam"="c:\program files\steam\steam.exe" [2007-07-09 00:21] "BitTorrent"="C:\Program Files\BitTorrent\bittorrent.exe" [2006-12-04 18:28] C:\Documents and Settings\Larry\Start Menu\Programs\Startup\ OpenOffice.org 1.1.4.lnk - C:\Program Files\OpenOffice\program\quickstart.exe [2004-10-28 01:10:00] C:\Documents and Settings\Larry.LARCOMP\Start Menu\Programs\Startup\ OpenOffice.org 2.0.lnk - C:\Program Files\OpenOffice.org 2.0\program\quickstart.exe [2005-09-23 16:36:42] Xfire.lnk - C:\Program Files\Xfire\Xfire.exe [2006-12-15 23:14:25] C:\Documents and Settings\All Users.WINDOWS\Start Menu\Programs\Startup\ Adobe Reader Speed Launch.lnk - C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2005-09-24 02:05:26] WinZip Quick Pick.lnk - C:\Program Files\WinZip\WZQKPICK.EXE [2005-04-16 22:55:20] [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system] "DisableCAD"=0 (0x0) [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer] "DisallowCpl"=0 (0x0) [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\WB] C:\Program Files\Stardock\Object Desktop\ThemeManager\fastload.dll 2001-12-20 23:34 24576 C:\Program Files\Stardock\Object Desktop\ThemeManager\fastload.dll [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows] "appinit_dlls"= C:\WINDOWS\system32\spool32.dll,wbsys.dll [HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa] "Notification Packages"= scecli scecli R0 Copystar;Copystar;C:\WINDOWS\system32\DRIVERS\copystar.sys R1 nmconpid;nmconpid;C:\WINDOWS\system32\drivers\nmconpid.sys R2 CdaD10BA;CdaD10BA;\??\C:\WINDOWS\system32\drivers\CdaD10BA.SYS S3 kbkzrqfni;kbkzrqfni;\??\C:\Documents and Settings\Larry.LARCOMP\Desktop\Yay\kbkzrqfni.sys S3 NAL;Nal Service ;\??\C:\WINDOWS\system32\Drivers\iqvw32.sys S3 nocashio;nocashio;C:\WINDOWS\system32\drivers\nocashio.sys [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\F] AutoRun\command - F:\setup.exe /autorun directx\command - F:\DirectX\dxsetup.exe setup\command - F:\setup.exe . Contents of the 'Scheduled Tasks' folder "2007-10-09 12:39:02 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job" "2007-10-15 07:16:00 C:\WINDOWS\Tasks\NotWhatYouSee.job" - C:\Music\Not What You See.wma . ************************************************************************ catchme 0.3.1169 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net Rootkit scan 2007-10-15 20:31:51 Windows 5.1.2600 Service Pack 2 NTFS scanning hidden processes ... scanning hidden autostart entries ... scanning hidden files ... ************************************************************************ . Completion time: 2007-10-15 20:36:32 - machine was rebooted . --- E O F --- Logfile of Trend Micro HijackThis v2.0.2 Scan saved at 8:39:11 PM, on 10/15/2007 Platform: Windows XP SP2 (WinNT 5.01.2600) MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180) Boot mode: Normal Running processes: C:\WINDOWS\System32\smss.exe C:\WINDOWS\system32\winlogon.exe C:\WINDOWS\system32\services.exe C:\WINDOWS\system32\lsass.exe C:\WINDOWS\system32\Ati2evxx.exe C:\WINDOWS\system32\svchost.exe C:\WINDOWS\System32\svchost.exe C:\WINDOWS\system32\Ati2evxx.exe C:\WINDOWS\system32\spoolsv.exe C:\Program Files\Avira\AntiVir PersonalEdition Classic\avguard.exe C:\Program Files\Stardock\Object Desktop\ThemeManager\wbload.exe C:\Program Files\Avira\AntiVir PersonalEdition Classic\sched.exe C:\Program Files\ewido anti-spyware 4.0\guard.exe C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe C:\Program Files\Viewpoint\Common\ViewpointService.exe C:\WINDOWS\Explorer.EXE C:\Program Files\Analog Devices\SoundMAX\DrvLsnr.exe C:\Program Files\Intel\NCS\PROSet\PRONoMgr.exe C:\Program Files\Java\jre1.5.0_10\bin\jusched.exe C:\Program Files\QuickTime\qttask.exe C:\Program Files\iTunes\iTunesHelper.exe C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe C:\Program Files\Messenger\msmsgs.exe C:\Program Files\AIM\aim.exe C:\Program Files\iPod\bin\iPodService.exe C:\Program Files\Siber Systems\AI RoboForm\RoboTaskBarIcon.exe C:\FRAPS\FRAPS.EXE C:\Program Files\BitTorrent\bittorrent.exe C:\Program Files\WinZip\WZQKPICK.EXE C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe C:\Program Files\OpenOffice.org 2.0\program\soffice.exe C:\Program Files\OpenOffice.org 2.0\program\soffice.BIN C:\WINDOWS\system32\wuauclt.exe C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe C:\WINDOWS\system32\taskmgr.exe C:\WINDOWS\system32\notepad.exe C:\Program Files\Mozilla Firefox\firefox.exe C:\Documents and Settings\Larry.LARCOMP\Desktop\HiJackThis.exe R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://softwarereferral.com/jump.php...MjI6Ojg5&lid=2 O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll O2 - BHO: (no name) - {724d43a9-0d85-11d4-9908-00400523e39a} - C:\Program Files\Siber Systems\AI RoboForm\roboform.dll O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_10\bin\ssv.dll O3 - Toolbar: FlashGet Bar - {E0E899AB-F487-11D5-8D29-0050BA6940E3} - C:\PROGRA~1\FlashGet\fgiebar.dll O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll O3 - Toolbar: &RoboForm - {724d43a0-0d85-11d4-9908-00400523e39a} - C:\Program Files\Siber Systems\AI RoboForm\roboform.dll O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe O4 - HKLM\..\Run: [DrvLsnr] C:\Program Files\Analog Devices\SoundMAX\DrvLsnr.exe O4 - HKLM\..\Run: [PRONoMgr.exe] c:\Program Files\Intel\NCS\PROSet\PRONoMgr.exe O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.5.0_10\bin\jusched.exe" O4 - HKLM\..\Run: [UserFaultCheck] %systemroot%\system32\dumprep 0 -u O4 - HKLM\..\Run: [NetMeter] C:\Program Files\NetRatingsNetmeter\NetMeter\NielsenOnline.exe O4 - HKLM\..\Run: [AtiPTA] atiptaxx.exe O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe" O4 - HKLM\..\Run: [avgnt] "C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe" /min O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM\aim.exe -cnetwait.odl O4 - HKCU\..\Run: [Yahoo! Pager] C:\Program Files\Yahoo!\Messenger\ypager.exe -quiet O4 - HKCU\..\Run: [RoboForm] "C:\Program Files\Siber Systems\AI RoboForm\RoboTaskBarIcon.exe" O4 - HKCU\..\Run: [Fraps] C:\FRAPS\FRAPS.EXE O4 - HKCU\..\Run: [Steam] "c:\program files\steam\steam.exe" -silent O4 - HKCU\..\Run: [BitTorrent] "C:\Program Files\BitTorrent\bittorrent.exe" --force_start_minimized O4 - Startup: OpenOffice.org 2.0.lnk = C:\Program Files\OpenOffice.org 2.0\program\quickstart.exe O4 - Startup: Xfire.lnk = C:\Program Files\Xfire\Xfire.exe O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE O8 - Extra context menu item: &AIM Search - res://C:\Program Files\AIM Toolbar\AIMBar.dll/aimsearch.htm O8 - Extra context menu item: &Search - ?p=ZJ O8 - Extra context menu item: Customize Menu - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComCustomizeIEMenu.html O8 - Extra context menu item: Download All by FlashGet - C:\Program Files\FlashGet\jc_all.htm O8 - Extra context menu item: Download using FlashGet - C:\Program Files\FlashGet\jc_link.htm O8 - Extra context menu item: Fill Forms - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComFillForms.html O8 - Extra context menu item: RoboForm Toolbar - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComShowToolbar.html O8 - Extra context menu item: Save Forms - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComSavePass.html O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_10\bin\ssv.dll O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_10\bin\ssv.dll O9 - Extra button: Fill Forms - {320AF880-6646-11D3-ABEE-C5DBF3571F46} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComFillForms.html O9 - Extra 'Tools' menuitem: Fill Forms - {320AF880-6646-11D3-ABEE-C5DBF3571F46} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComFillForms.html O9 - Extra button: Save - {320AF880-6646-11D3-ABEE-C5DBF3571F49} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComSavePass.html O9 - Extra 'Tools' menuitem: Save Forms - {320AF880-6646-11D3-ABEE-C5DBF3571F49} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComSavePass.html O9 - Extra button: RoboForm - {724d43aa-0d85-11d4-9908-00400523e39a} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComShowToolbar.html O9 - Extra 'Tools' menuitem: RoboForm Toolbar - {724d43aa-0d85-11d4-9908-00400523e39a} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComShowToolbar.html O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe O9 - Extra button: FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - C:\Program Files\FlashGet\flashget.exe O9 - Extra 'Tools' menuitem: &FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - C:\Program Files\FlashGet\flashget.exe O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe O12 - Plugin for .pdf: C:\Program Files\Internet Explorer\PLUGINS\nppdf32.dll O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204 O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll O16 - DPF: {BE833F39-1E0C-468C-BA70-25AAEE55775E} (System Requirements Lab) - http://www.systemrequirementslab.com/sysreqlab.cab O16 - DPF: {D77EF652-9A6B-40C8-A4B9-1C0697C6CF41} (TikGames Online Control) - http://download.games.yahoo.com/game...nematycoon.cab O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://download.games.yahoo.com/game...ploader_v6.cab O20 - AppInit_DLLs: C:\WINDOWS\system32\spool32.dll,wbsys.dll O23 - Service: AntiVir PersonalEdition Classic Scheduler (AntiVirScheduler) - Avira GmbH - C:\Program Files\Avira\AntiVir PersonalEdition Classic\sched.exe O23 - Service: AntiVir PersonalEdition Classic Guard (AntiVirService) - Avira GmbH - C:\Program Files\Avira\AntiVir PersonalEdition Classic\avguard.exe O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe O23 - Service: ewido anti-spyware 4.0 guard - Anti-Malware Development a.s. - C:\Program Files\ewido anti-spyware 4.0\guard.exe O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe O23 - Service: Intel NCS NetService (NetSvc) - Intel(R) Corporation - c:\Program Files\Intel\NCS\Sync\NetSvc.exe O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exe -- End of file - 9241 bytes

10-15-2007, 07:25 PM	#5 (permalink)
tetonbob Manager, Security Center, TSF Academy; Analyst, Security Team Join Date: Jan 2005 Location: Transylvania County, North Carolina, USA Posts: 26,752 OS: 2000 Pro; XP Pro; XP Home	Re: Lots of issues This machine was pretty messed up, and will take a while to clean. Before we go to the next step, I need more information. What is this folder for? C:\Documents and Settings\Larry.LARCOMP\Desktop\Yay Create an uninstall list: Open HiJackThis Click on the button " Open the Misc Tools section" Click on the Box that says "Open Uninstall Manager" Click on the button "Save list" Copy and past the List from the notepad file into your post Download fl.zip Extract the contents to a new folder on your Desktop. Within the folder, locate & double-click fl.bat. It should produce a report at c:\findlop.txt. Post the contents of the report in your next reply __________________ Practice Safe Surfing PC Safety and Security--What Do I Need? Because what you don't know, CAN hurt you. Proud Member of ASAP since 2005 Proud Member of UNITE since 2006 Please do not ask for help via Private Message. Last edited by tetonbob : 10-15-2007 at 07:27 PM.