Old 04-24-2007, 11:36 AM   #1 (permalink)
Registered User
 
Join Date: Apr 2007
Location: united kingdom
Posts: 16
OS: Win XP


Newby Bombarded With Spyware Pop-ups

So glad to find a site that looks like it may finally be able to help me.
You have probably seen it all before.
I'm having trouble with popups and trojans. Here are some of the popups that have been coming up.
A very bad one is the first: amaena. It brings me to fake antivirus and antispyware download pages,
mostly a page for WinAntiVirus Pro 2007 and WinAntiSpyware 2006, that says my current antivirus/spyware protection is ineffective and that my system is infected.

Please help me fix this. I have carried out the 5 required steps and here come my logs -

PANDA LOG -

Incident Status Location

Spyware:Cookie/Atlas DMT Not disinfected C:\Documents and Settings\User\Cookies\user@atdmt[1].txt
Spyware:Cookie/Cassava Not disinfected C:\Documents and Settings\User\Cookies\user@cassava[1].txt
Spyware:Cookie/DriveCleaner Not disinfected C:\Documents and Settings\User\Cookies\user@drivecleaner[1].txt
Spyware:Cookie/ErrorSafe Not disinfected C:\Documents and Settings\User\Cookies\user@errorsafe[2].txt
Spyware:Cookie/Mediaplex Not disinfected C:\Documents and Settings\User\Cookies\user@mediaplex[1].txt
Spyware:Cookie/DriveCleaner Not disinfected C:\Documents and Settings\User\Cookies\user@stats.drivecleaner[2].txt
Spyware:Cookie/Reliablestats Not disinfected C:\Documents and Settings\User\Cookies\user@stats1.reliablestats[2].txt
Spyware:Cookie/Systemdoctor Not disinfected C:\Documents and Settings\User\Cookies\user@systemdoctor[1].txt
Spyware:Cookie/Winantivirus Not disinfected C:\Documents and Settings\User\Cookies\user@winantispyware[1].txt
Spyware:Cookie/Winantivirus Not disinfected C:\Documents and Settings\User\Cookies\user@winantivirus[2].txt
Spyware:Cookie/DriveCleaner Not disinfected C:\Documents and Settings\User\Cookies\user@www.drivecleaner[1].txt
Spyware:Cookie/ErrorSafe Not disinfected C:\Documents and Settings\User\Cookies\user@www.errorsafe[2].txt
Spyware:Cookie/myaffiliateprogram Not disinfected C:\Documents and Settings\User\Cookies\user@www.myaffiliateprogram[2].txt
Spyware:Cookie/Winantivirus Not disinfected C:\Documents and Settings\User\Cookies\user@www.winantiviruspro[1].txt
Potentially unwanted tool:Application/DriveCleaner Not disinfected C:\Documents and Settings\User\Local Settings\Temporary Internet Files\Content.IE5\01234567\installdrivecleanerstart[1].exe
Potentially unwanted tool:Application/ServUBased.A Not disinfected C:\WINDOWS\system32\dllcache\win32\csrss.exe
Spyware:Spyware/Virtumonde Not disinfected C:\WINDOWS\system32\hggdbaw.dll
Spyware:Spyware/Virtumonde Not disinfected C:\WINDOWS\system32\hgghfeb.dll
Spyware:Spyware/Virtumonde Not disinfected C:\WINDOWS\system32\ljjigeb.dll
Spyware:Spyware/Virtumonde Not disinfected C:\WINDOWS\system32\pmnolll.dll
Spyware:Spyware/Virtumonde Not disinfected C:\WINDOWS\system32\urqrrqo.dll
Spyware:Spyware/Virtumonde Not disinfected C:\WINDOWS\system32\yayawts.dll
*********************************************************
DECKARD'S MAIN.TXT LOG -

Deckard's System Scanner v20070423.42
Run by User on 2007-04-24 at 17:16:32
Computer is in Normal Mode.
--------------------------------------------------------------------------------

-- System Restore --------------------------------------------------------------

System Restore is disabled; attempting to re-enable...success.


-- Last 1 Restore Point(s) --
1: 2007-04-24 16:16:44 UTC - RP1 - System Checkpoint


Backed up registry hives.

Performed disk cleanup.


-- HijackThis (run as User.exe) ------------------------------------------------

Unable to find log (file not found).

-- File Associations -----------------------------------------------------------

All associations okay.


-- Drivers: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled ---------------------

R1 SRTSP - c:\windows\system32\drivers\srtsp.sys <Verified; Symantec Corporation; AutoProtect; 10.1; 10.1.4.1>
R1 SRTSPX - c:\windows\system32\drivers\srtspx.sys <Verified; Symantec Corporation; AutoProtect; 10.1; 10.1.4.1>
R3 alcan5wn (SpeedTouch USB ADSL PPP Networking Driver (NDISWAN)) - c:\windows\system32\drivers\alcan5wn.sys <Verified; THOMSON; SpeedTouch USB; 301.0.0.12; 301.0.0.12>
R3 alcaudsl (SpeedTouch ADSL Modem ATM Transport) - c:\windows\system32\drivers\alcaudsl.sys <Verified; THOMSON; SpeedTouch USB; 301.0.0.12; 301.0.0.12>
R3 ALCXSENS (Service for WDM 3D Audio Driver) - c:\windows\system32\drivers\alcxsens.sys <Verified; Sensaura; ; ; 5.10.00.3513>

S2 BCMNTIO - c:\progra~1\checkit\diagno~1\bcmntio.sys (file missing)
S2 MAPMEM - c:\progra~1\checkit\diagno~1\mapmem.sys (file missing)
S3 AmeAtmPc - c:\windows\system32\drivers\ameatmpc.sys (file missing)
S3 DCamUSBSQTECH (Dual-Mode DSC(2770)) - c:\windows\system32\drivers\sqcaptur.sys <Not Verified; Service & Quality Technology.; SQ913; 9.13.15.6; 1.89.108.2>
S3 FXDRV - d:\fxdrv.sys (file missing)
S3 Pcouffin (Low level access layer for CD devices) - c:\windows\system32\drivers\pcouffin.sys (file missing)
S3 SDdriver - c:\windows\system32\drivers\sddriver.sys <Not Verified; Symantec Corporation; Norton Speed Disk; 7.00.0.24; 7.00.0.24>
S3 SISNIC (SiS PCI Fast Ethernet Adapter Driver) - c:\windows\system32\drivers\sisnic.sys <Verified; SiS Corporation; NDIS 5.1 NIC Driver; 1.16.00.05; 1.16.00.05 built by: WinDDK>
S3 SRTSPL - c:\windows\system32\drivers\srtspl.sys <Verified; Symantec Corporation; AutoProtect; 10.1; 10.1.4.1>
S3 zlportio (ZLPORTIO - Allow user access to I/O ports) - c:\windows\system32\zlportio.sys <Not Verified; SpecoSoft; SpecoSoft zlportio; 1, 0, 0, 1; 1, 0, 0, 1>


-- Services: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled --------------------

R2 LiveUpdate Notice Ex (LiveUpdate Notice Service Ex) - "c:\program files\common files\symantec shared\ccsvchst.exe" /h cccommon <Verified; Symantec Corporation; Symantec Security Technologies; 106.1.2.2; 106.1.2.2>
R2 Speed Disk service - c:\progra~1\norton~1\norton~1\speedd~1\nopdb.exe <Not Verified; Symantec Corporation; Norton Speed Disk; 7.00.0.24; 7.00.0.24>

S2 FirebirdGuardianDefaultInstance (Firebird Guardian - DefaultInstance) - c:\program files\firebird\firebird_1_5\bin\fbguard.exe -s (file missing)
S2 LiveUpdate Notice Service - "c:\program files\common files\symantec shared\pif\{b8e1dd85-8582-4c61-b58f-2f227fca9a08}\pifsvc.exe" /m "c:\program files\common files\symantec shared\pif\{b8e1dd85-8582-4c61-b58f-2f227fca9a08}\pifeng.dll" <Verified; Symantec Corporation; LiveUpdate Notice; 1.2; 1.2.0.18>
S3 FirebirdServerDefaultInstance (Firebird Server - DefaultInstance) - c:\program files\firebird\firebird_1_5\bin\fbserver.exe -s (file missing)


-- Scheduled Tasks -------------------------------------------------------------

2007-04-20 20:01:14 528 --a------ C:\WINDOWS\Tasks\Norton AntiVirus - Run Full System Scan - User.job
2007-04-16 12:08:51 290 --a------ C:\WINDOWS\Tasks\Norton SystemWorks One Button Checkup.job


-- Files created between 2007-03-24 and 2007-04-24 -----------------------------

2007-04-24 17:03:58 0 d-------- C:\ie-spyad
2007-04-24 17:01:37 536811 --a------ C:\ie-spyad.exe
2007-04-24 16:54:10 0 d-------- C:\Program Files\SpywareGuard
2007-04-24 16:44:33 0 d-------- C:\Program Files\SpywareBlaster
2007-04-24 09:05:12 764570 ---hs---- C:\WINDOWS\system32\bccdd.ini2
2007-04-24 08:58:17 131604 --a------ C:\WINDOWS\system32\xalcibup.dll
2007-04-23 18:04:41 0 d-------- C:\WINDOWS\BDOSCAN8
2007-04-23 17:52:28 0 d-------- C:\WINDOWS\system32\ActiveScan
2007-04-22 15:39:22 0 d-------- C:\Documents and Settings\User\Application Data\Lavasoft
2007-04-22 15:38:46 0 d-------- C:\Program Files\Lavasoft
2007-04-20 19:38:14 758028 ---hs---- C:\WINDOWS\system32\bccdd.bak2
2007-04-19 21:18:13 0 d-------- C:\Documents and Settings\User\Application Data\Microgaming
2007-04-19 21:18:00 0 d-------- C:\WINDOWS\system32\FlashAX
2007-04-19 19:38:03 773477 ---hs---- C:\WINDOWS\system32\bccdd.bak1
2007-04-19 19:36:34 281172 ---hs---- C:\WINDOWS\system32\ddccb.dll
2007-04-19 14:52:44 0 d-------- C:\VundoFix Backups
2007-04-19 13:23:43 3968 --a------ C:\WINDOWS\system32\drivers\AvgAsCln.sys <Not Verified; GRISOFT, s.r.o.; AVG7 Clean Driver; 1.0.0.14; 1.0.0.14>
2007-04-18 17:15:55 0 d-------- C:\kav
2007-04-18 14:26:22 0 d--h----- C:\Documents and Settings\Administrator\Templates
2007-04-18 14:26:22 0 dr------- C:\Documents and Settings\Administrator\Start Menu
2007-04-18 14:26:22 0 dr-h----- C:\Documents and Settings\Administrator\SendTo
2007-04-18 14:26:22 0 d--h----- C:\Documents and Settings\Administrator\Recent
2007-04-18 14:26:22 0 d--h----- C:\Documents and Settings\Administrator\PrintHood
2007-04-18 14:26:22 524288 --ah----- C:\Documents and Settings\Administrator\NTUSER.DAT
2007-04-18 14:26:22 0 d--h----- C:\Documents and Settings\Administrator\NetHood
2007-04-18 14:26:22 0 d-------- C:\Documents and Settings\Administrator\My Documents
2007-04-18 14:26:22 0 d--h----- C:\Documents and Settings\Administrator\Local Settings
2007-04-18 14:26:22 0 d-------- C:\Documents and Settings\Administrator\Favorites
2007-04-18 14:26:22 0 d-------- C:\Documents and Settings\Administrator\Desktop
2007-04-18 14:26:22 0 d---s---- C:\Documents and Settings\Administrator\Cookies
2007-04-18 14:26:22 0 dr-h----- C:\Documents and Settings\Administrator\Application Data
2007-04-18 14:26:22 0 d---s---- C:\Documents and Settings\Administrator\Application Data\Microsoft
2007-04-18 11:18:08 0 d-------- C:\Program Files\Enigma Software Group
2007-04-17 17:24:35 0 d-------- C:\WINDOWS\Prefetch
2007-04-16 14:24:22 0 d-------- C:\Program Files\Motorola Phone Tools
2007-04-16 14:14:14 26694 --a------ C:\WINDOWS\system32\hggdbaw.dll
2007-04-16 14:14:03 26694 --a------ C:\WINDOWS\system32\pmnolll.dll
2007-04-16 13:24:12 26694 --a------ C:\WINDOWS\system32\ljjigeb.dll
2007-04-16 13:24:00 26694 --a------ C:\WINDOWS\system32\yayawts.dll
2007-04-16 13:14:20 26694 --a------ C:\WINDOWS\system32\urqrrqo.dll
2007-04-16 13:14:20 26694 --a------ C:\WINDOWS\system32\hgghfeb.dll
2007-04-15 15:00:31 7864320 --a------ C:\Documents and Settings\User\ntuser.dat
2007-04-12 21:48:17 0 d-------- C:\WINDOWS\pss
2007-04-12 21:35:27 280676 ---hs---- C:\WINDOWS\system32\pmkhf.dll
2007-04-11 15:41:35 0 d-------- C:\Program Files\PartyGaming
2007-04-10 17:50:54 0 d-------- C:\Program Files\Poker Indicator
2007-04-10 13:17:42 0 d-------- C:\Program Files\pokerkant
2007-04-07 19:27:32 0 d-------- C:\Program Files\Poker Pal Pro Edition
2007-04-06 19:29:42 0 d-------- C:\Program Files\Poker-Spy
2007-04-03 16:24:35 0 d-------- C:\Program Files\EmpirePokerMaster
2007-04-03 09:47:53 0 d-------- C:\Documents and Settings\All Users\Application Data\Office Genuine Advantage
2007-04-02 22:57:20 0 d-------- C:\Program Files\Magic Holdem
2007-04-02 19:32:29 0 d-------- C:\Program Files\Norton AntiVirus
2007-04-02 19:28:36 0 d-------- C:\Program Files\Norton SystemWorks
2007-04-02 14:46:19 0 d-------- C:\Documents and Settings\All Users\Symantec Temporary Files
2007-03-28 22:57:59 0 d-------- C:\WINDOWS\system32\URTTemp
2007-03-25 1643 0 d-------- C:\WINDOWS\A5W_DATA


-- Find3M Report ---------------------------------------------------------------

2007-04-24 16:09:26 0 d-------- C:\Program Files\Messenger
2007-04-24 1634 0 d-------- C:\Program Files\iTunes
2007-04-24 16:05:55 0 d-------- C:\Program Files\Google
2007-04-24 16:05:02 0 d-------- C:\Program Files\Common Files\Symantec Shared
2007-04-23 18:44:56 0 d-------- C:\Program Files\PacificPoker
2007-04-22 15:37:43 0 d-------- C:\Program Files\Common Files\Wise Installation Wizard
2007-04-21 14:55:07 0 d-------- C:\Documents and Settings\User\Application Data\uTorrent
2007-04-20 00:44:14 0 d-------- C:\Program Files\MSN Messenger
2007-04-19 14:40:04 0 d-------- C:\Program Files\Calorie-Count.com Toolbar
2007-04-16 14:24:22 0 d--h----- C:\Program Files\InstallShield Installation Information
2007-04-07 19:24:17 0 d-------- C:\Program Files\CyberLink
2007-04-03 11:23:05 0 d-------- C:\Program Files\Common Files\{1CFBFD37-07D0-2057-0722-04070903002c}
2007-04-02 22:49:18 0 d-------- C:\Program Files\Google Toolbar
2007-04-02 22:13:22 0 d-------- C:\Program Files\Symantec
2007-04-02 22:13:13 48776 --a------ C:\WINDOWS\system32\S32EVNT1.DLL <Verified; Symantec Corporation; SYMEVENT; 12.3.0.15; 12.3.0.15>
2007-04-02 18:15:10 0 d-------- C:\Documents and Settings\User\Application Data\Symantec
2007-03-21 09:51:22 0 d-------- C:\Program Files\Java
2007-03-15 15:34:57 0 d-------- C:\Program Files\Thomson
2007-03-15 12:23:16 497496 --a------ C:\WINDOWS\system32\XceedZip.dll <Verified; Xceed Software Inc (450) 442-2626 support@xceedsoft.com www.xceedsoft.com; Xceed Zip Compression Library; 6.0.6621.0; 6.0.6621.0>
2007-03-15 12:19:58 526184 --a------ C:\WINDOWS\system32\XceedCry.dll <Verified; Xceed Software Inc (450) 442-2626 support@xceedsoft.com www.xceedsoft.com; Xceed Encryption Library; 1.1.6461.0; 1.1.6461.0>
2007-03-12 17:30:45 0 d-------- C:\Program Files\Motorola Phone Tools(2)
2007-03-12 17:30:37 0 d-------- C:\Program Files\LiveUpdate
2007-03-12 17:30:14 0 d-------- C:\Program Files\Motorola Phone Tools(2)(2)
2007-03-12 17:28:46 0 d-------- C:\Program Files\Motorola Phone Tools(3)
2007-03-05 13:34:28 676224 --a------ C:\WINDOWS\system32\OGACheckControl.DLL
2007-03-04 16:43:12 0 d-------- C:\Program Files\Common Files\{3CFBFD37-07D0-2057-0722-04070903002c}
2007-03-03 17:18:03 0 d-------- C:\Documents and Settings\User\Application Data\Ahead
2007-02-27 11:00:13 0 --a------ C:\WINDOWS\USA Poker
2007-02-27 11:00:13 0 --a------ C:\WINDOWS\Titan Poker
2007-02-27 11:00:13 0 --a------ C:\WINDOWS\Prestige Poker
2007-02-27 11:00:13 0 --a------ C:\WINDOWS\Poker.com
2007-02-27 11:00:13 0 --a------ C:\WINDOWS\Noble Poker
2007-02-27 11:00:13 0 --a------ C:\WINDOWS\CDPoker
2007-02-27 10:55:04 0 d-------- C:\Program Files\Yadu Digital
2007-02-09 18:22:24 8022 ---hs---- C:\WINDOWS\system32\uttss.ini2


-- Registry Dump ---------------------------------------------------------------

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects]
{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
{4A368E80-174F-4872-96B5-0B27DDD11DB2} C:\Program Files\SpywareGuard\dlprotect.dll
{761497BB-D6F0-462C-B6EB-D4DAF1D92D43} C:\Program Files\Java\jre1.5.0_11\bin\ssv.dll
{7E7CF20E-AAC3-4698-91F3-4CE05D055AAd} C:\WINDOWS\system32\xalcibup.dll
{AA58ED58-01DD-4d91-8333-CF10577473F7} c:\program files\google\googletoolbar2.dll
{BC5D816C-7FA8-4815-9B0B-0D6F73D5EFF2} C:\WINDOWS\system32\ddccb.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run]
"NeroFilterCheck"="C:\\WINDOWS\\system32\\NeroCheck.exe"
"NvCplDaemon"="RUNDLL32.EXE C:\\WINDOWS\\System32\\NvCpl.dll,NvStartup"
"nwiz"="nwiz.exe /install"
"NvMediaCenter"="RUNDLL32.EXE C:\\WINDOWS\\System32\\NvMcTray.dll,NvTaskbarInit"
"SoundMan"="SOUNDMAN.EXE"
"SunJavaUpdateSched"="\"C:\\Program Files\\Java\\jre1.5.0_11\\bin\\jusched.exe\""
"InCD"="C:\\Program Files\\Ahead\\InCD\\InCD.exe"
"QuickTime Task"="\"C:\\Program Files\\QuickTime\\qttask.exe\" -atboottime"
"iTunesHelper"="\"C:\\Program Files\\iTunes\\iTunesHelper.exe\""
"SpeedTouch USB Diagnostics"="\"C:\\Program Files\\Thomson\\SpeedTouch USB\\Dragdiag.exe\" /icon"
"ccApp"="\"C:\\Program Files\\Common Files\\Symantec Shared\\ccApp.exe\""
"osCheck"="\"C:\\Program Files\\Norton AntiVirus\\osCheck.exe\""
"PrintDrive"="rundll32.exe \"C:\\WINDOWS\\system32\\bxoxpoce.dll\",setvm"
"Symantec PIF AlertEng"="\"C:\\Program Files\\Common Files\\Symantec Shared\\PIF\\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\\PIFSvc.exe\" /a /m \"C:\\Program Files\\Common Files\\Symantec Shared\\PIF\\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\\AlertEng.dll\""
"!AVG Anti-Spyware"="\"C:\\Program Files\\Grisoft\\AVG Anti-Spyware 7.5\\avgas.exe\" /minimized"

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run]
"MSMSGS"="\"C:\\Program Files\\Messenger\\msmsgs.exe\" /background"
"NBJ"="\"C:\\Program Files\\Ahead\\Nero BackItUp\\NBJ.exe\""
"updateMgr"="\"C:\\Program Files\\Adobe\\Acrobat 7.0\\Reader\\AdobeUpdateManager.exe\" AcRdB7_0_8 -reboot 1"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\runonce]
"AAW"="\"C:\\Program Files\\Lavasoft\\Ad-Aware SE Personal\\Ad-Aware.exe\" \"+b1\""

[HKEY_USERS\.default\software\microsoft\windows\currentversion\run]
"CTFMON.EXE"="C:\\WINDOWS\\System32\\CTFMON.EXE"

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]
"DisableRegistryTools"=dword:00000000

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"NoViewOnDrive"=dword:00000000

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer\Run]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{9796007A-181E-4C97-99EB-7F71B8989A7B}"=""
"{57B86673-276A-48B2-BAE7-C6DBB3020EB8}"="AVG Anti-Spyware 7.5"

HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\ddccb
HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\hgghffc
HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\ssttu

HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa
Authentication Packages REG_MULTI_SZ msv1_0\0\0
Security Packages REG_MULTI_SZ kerberos\0msv1_0\0schannel\0wdigest\0\0
Notification Packages REG_MULTI_SZ scecli\0\0


[HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Svchost]
LocalService REG_MULTI_SZ Alerter\0WebClient\0LmHosts\0RemoteRegistry\0upnphost\0SSDPSRV\0\0
NetworkService REG_MULTI_SZ DnsCache\0\0
rpcss REG_MULTI_SZ RpcSs\0\0
imgsvc REG_MULTI_SZ StiSvc\0\0
termsvcs REG_MULTI_SZ TermService\0\0
HTTPFilter REG_MULTI_SZ HTTPFilter\0\0
DcomLaunch REG_MULTI_SZ DcomLaunch\0TermService\0\0



-- End of Deckard's System Scanner: finished at 2007-04-24 at 17:40:23 ----

**********************************************************

DECKARD'S EXTRA.TXT LOG -

Deckard's System Scanner v20070423.42
Extra logfile - please post this as an attachment with your post.
--------------------------------------------------------------------------------

-- System Information ----------------------------------------------------------

Microsoft Windows XP Professional (build 2600) SP 2.0
Architecture: X86; Language: English

CPU 0: AMD Athlon(tm) XP 2400+
Percentage of Memory in Use: 71%
Physical Memory (total/avail): 255.48 MiB / 72.96 MiB
Pagefile Memory (total/avail): 618.75 MiB / 331.96 MiB
Virtual Memory (total/avail): 2047.88 MiB / 1949.1 MiB

A: is Removable (No Media)
C: is Fixed (NTFS) - 19.1 GiB total, 4.4 GiB free.
D: is CDROM (No Media)
E: is CDROM (No Media)


-- Security Center -------------------------------------------------------------

AUOptions is scheduled to auto-install.
Windows Internal Firewall is disabled.

AntiVirusDisableNotify is set.
FirewallDisableNotify is set.

FW: Norton AntiVirus v2007 (Symantec Corporation)
AV: Norton AntiVirus v2007 (Symantec Corporation)


-- Environment Variables -------------------------------------------------------

ALLUSERSPROFILE=C:\Documents and Settings\All Users
APPDATA=C:\Documents and Settings\User\Application Data
CLASSPATH=.;C:\Program Files\Java\jre1.5.0_03\lib\ext\QTJava.zip
CLIENTNAME=Console
CommonProgramFiles=C:\Program Files\Common Files
COMPUTERNAME=USER-NDO1LQJK5G
ComSpec=C:\WINDOWS\system32\cmd.exe
FP_NO_HOST_CHECK=NO
HOMEDRIVE=C:
HOMEPATH=\Documents and Settings\User
LOGONSERVER=\\USER-NDO1LQJK5G
NUMBER_OF_PROCESSORS=1
OS=Windows_NT
Path=C:\WINDOWS\system32;C:\WINDOWS;C:\WINDOWS\System32\Wbem;C:\Program Files\QuickTime\QTSystem\
PATHEXT=.COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH
PROCESSOR_ARCHITECTURE=x86
PROCESSOR_IDENTIFIER=x86 Family 6 Model 8 Stepping 1, AuthenticAMD
PROCESSOR_LEVEL=6
PROCESSOR_REVISION=0801
ProgramFiles=C:\Program Files
PROMPT=$P$G
QTJAVA=C:\Program Files\Java\jre1.5.0_03\lib\ext\QTJava.zip
SESSIONNAME=Console
SystemDrive=C:
SystemRoot=C:\WINDOWS
TEMP=C:\DOCUME~1\User\LOCALS~1\Temp
TMP=C:\DOCUME~1\User\LOCALS~1\Temp
USERDOMAIN=USER-NDO1LQJK5G
USERNAME=User
USERPROFILE=C:\Documents and Settings\User
windir=C:\WINDOWS


-- User Profiles ---------------------------------------------------------------

User (admin)
Administrator (admin)


-- Add/Remove Programs ---------------------------------------------------------

--> rundll32.exe setupapi.dll,InstallHinfSection DefaultUninstall 132 C:\WINDOWS\INF\PCHealth.inf
Ad-Aware SE Personal --> MsiExec.exe /X{78CC3BAB-DE2A-4FB4-8FBB-E4DADDC26747}
Adobe Download Manager 2.0 (Remove Only) --> "C:\Program Files\Common Files\Adobe\ESD\uninst.exe"
Adobe Flash Player 9 ActiveX --> C:\WINDOWS\system32\Macromed\Flash\FlashUtil9b.exe -uninstallDelete
Adobe Reader 7.0.8 --> MsiExec.exe /I{AC76BA86-7AD7-1033-7B44-A70800000002}
Adobe Shockwave Player --> C:\WINDOWS\system32\Macromed\SHOCKW~1\UNWISE.EXE C:\WINDOWS\system32\Macromed\SHOCKW~1\Install.log
AppCore --> MsiExec.exe /I{EFB5B3B5-A280-4E25-BE1C-634EEFE32C1B}
Apple Software Update --> MsiExec.exe /I{5B433733-BB31-4B40-BCBA-DDED37626641}
AV --> MsiExec.exe /I{F4DB525F-A986-4249-B98B-42A8066251CA}
Avanquest update --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\10\50\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{76E41F43-59D2-4F30-BA42-9A762EE1E8DE}\Setup.exe" -l0x9 -removeonly
AVG Anti-Spyware 7.5 --> C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\Uninstall.exe
AxCrypt (Remove Only) --> "C:\Program Files\Axon Data\AxCrypt\AxCryptU.exe"
Calorie-Count.com Toolbar --> regsvr32 /u /s "C:\Program Files\Calorie-Count.com Toolbar\toolbar.dll"
ccCommon --> MsiExec.exe /I{3CCAD2EF-CFF2-4637-82AA-AABF370282D3}
CleanUp! --> C:\Program Files\CleanUp!\uninstall.exe
Component Framework --> MsiExec.exe /I{31478BE1-CDE5-4753-A8B2-F6D4BC1FBE09}
Connection Keep Alive --> MsiExec.exe /I{77364F85-6219-4CB8-AAA0-6D53368D683D}
Driver Wizard by 62NDS Solutions --> uninst62.exe "C:\Program Files\Driver Wizard\INSTALL.LOG"
EmpirePoker --> "C:\Program Files\EmpirePokerMaster\EmpirePoker\Uninstall.exe" "C:\Program Files\EmpirePokerMaster\EmpirePoker\install.log"
EPSON Printer Software --> C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\EPUPDATE.EXE /R
Google Earth --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\10\01\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{3DE5E7D4-7B88-403C-A3FD-2017A8240C5B}\setup.exe" -l0x9 -removeonly
Google Toolbar for Internet Explorer --> regsvr32 /u /s "c:\program files\google\googletoolbar2.dll"
HijackThis 1.99.1 --> C:\HJT\HijackThis.exe /uninstall
Hoyle Friday Night Poker --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\10\50\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{A17FD8C6-1AC2-46E7-AD0A-70C602C3504D}\setup.exe" -l0x9 -removeonly
InCD --> C:\WINDOWS\NuNInst.exe /UNINSTALL
Internet Worm Protection --> MsiExec.exe /I{2908F0CB-C1D4-447F-97A2-CFC135C9F8D4}
iPod for Windows 2006-03-23 --> C:\Program Files\Common Files\InstallShield\Driver\8\Intel 32\IDriver.exe /M{2070F79D-46BC-4EEA-8F02-9B4DCABAE7CB} /l1033
iTunes --> MsiExec.exe /I{5878FF02-3B8F-4309-B4E5-0D3DB6F2E8E6}
J2SE Runtime Environment 5.0 Update 11 --> MsiExec.exe /I{3248F0A8-6813-11D6-A77B-00B0D0150110}
J2SE Runtime Environment 5.0 Update 3 --> MsiExec.exe /I{3248F0A8-6813-11D6-A77B-00B0D0150030}
Lavasoft VX2 Cleaner --> C:\PROGRA~1\Lavasoft\AD-AWA~1\Plugins\UNWISE.EXE C:\PROGRA~1\Lavasoft\AD-AWA~1\Plugins\INSTALL.LOG
LimeWire PRO 4.9.14 --> "C:\LimeWire\uninstall.exe"
LiveUpdate 3.1 (Symantec Corporation) --> "C:\Program Files\Symantec\LiveUpdate\LSETUP.EXE" /U
LiveUpdate Notice (Symantec Corporation) --> MsiExec.exe /X{DBA4DB9D-EE51-4944-A419-98AB1F1249C8}
Microsoft Office 2000 Disc 2 --> MsiExec.exe /I{00040409-78E1-11D2-B60F-006097C998E7}
Microsoft Office 2000 Premium --> MsiExec.exe /I{00000409-78E1-11D2-B60F-006097C998E7}
Motorola Phone Tools --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\10\50\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{BAD8CA9C-77C0-4663-B00B-A8D3B13C341B}\setup.exe" -l0x9 -removeonly
MSN Messenger 7.5 --> MsiExec.exe /I{CEB3A11A-03EA-11DA-BFBD-00065BBDC0B5}
MSRedist --> MsiExec.exe /I{D1725BDB-BA2B-4503-A8CB-F5C835D743FA}
My DSC --> C:\Program Files\InstallShield Installation Information\{225af9a1-b556-88d5-94aa-0010b5426419}\setup.exe
Nero 6 Ultra Edition --> C:\Program Files\Ahead\nero\uninstall\UNNERO.exe /UNINSTALL
Nero Digital --> C:\WINDOWS\UNNeroVision.exe /UNINSTALL
Nero Media Player --> C:\WINDOWS\UNNMP.exe /UNINSTALL
Norton AntiVirus --> MsiExec.exe /X{830D8CBD-C668-49e2-A969-C2C2106332E0}
Norton AntiVirus (Symantec Corporation) --> "C:\Program Files\Common Files\Symantec Shared\SymSetup\{830D8CBD-C668-49e2-A969-C2C2106332E0}_14_0_5_89\{830D8CBD-C668-49e2-A969-C2C2106332E0}.exe" /X
Norton AntiVirus Help --> MsiExec.exe /I{34EEB1F5-E939-40A1-A6BA-957282A4B2C8}
Norton AntiVirus Parent MSI --> MsiExec.exe /I{E5EE9939-259F-4DE2-8023-5C49E16A4F43}
Norton AntiVirus SYMLT MSI --> MsiExec.exe /I{D1FF75E7-DD42-4CFD-B052-20B3FFF4EDB8}
Norton Cleanup --> MsiExec.exe /I{CA31120D-2101-484D-9FF1-195DE96FE346}
Norton Protection Center --> MsiExec.exe /I{9A129ABC-A53A-4209-A21E-D5DEDFB7CCA8}
Norton SystemWorks --> MsiExec.exe /I{71E7B3F5-CFAF-4C1E-B494-528E28707937}
Norton SystemWorks --> MsiExec.exe /I{9E23C48E-5483-4971-BA50-089F2FABCD66}
Norton SystemWorks (Symantec Corporation) --> "C:\Program Files\Common Files\Symantec Shared\SymSetup\{71E7B3F5-CFAF-4C1E-B494-528E28707937}\{71E7B3F5-CFAF-4C1E-B494-528E28707937}.exe" /X
Norton Utilities --> MsiExec.exe /I{6A7867BA-B7CA-4CC9-ACAB-85BA46865EE5}
NVIDIA Drivers --> C:\WINDOWS\System32\nvudisp.exe UninstallGUI
Pacific Poker --> C:\PROGRA~1\PACIFI~1\UNWISE.EXE C:\PROGRA~1\PACIFI~1\INSTALL.LOG
Panda ActiveScan --> C:\WINDOWS\system32\ASUninst.exe Panda ActiveScan
PartyPoker --> "C:\Program Files\PartyGaming\PartyPoker\Uninstall.exe" "C:\Program Files\PartyGaming\PartyPoker\install.log"
QuickTime --> MsiExec.exe /I{55BF0E5F-EA8E-4C13-A8B4-9E4857F5A2DE}
Realtek AC'97 Audio --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{FB08F381-6533-4108-B7DD-039E11FBC27E}\setup.exe" REMOVE
SPBBC 32bit --> MsiExec.exe /I{77772678-817F-4401-9301-ED1D01A8DA56}
SpeedTouch USB Software --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{D41FAAA9-8048-4906-86B2-9AADEA1FA0B7}\Setup.exe" /l0009 -Control_Panel
SpywareBlaster v3.5.1 --> "C:\Program Files\SpywareBlaster\unins000.exe"
SpywareGuard v2.2 --> "C:\Program Files\SpywareGuard\unins000.exe"
Symantec --> MsiExec.exe /I{228F6876-A313-40A3-91C0-C3CBE6997D09}
Symantec KB-DocID:2003093015493306 --> MsiExec.exe /I{08C5815C-2C6E-44f8-8748-0E61BC9AFB68}
Symantec Technical Support Web Controls --> MsiExec.exe /X{5FCDE341-328B-434B-9F21-AF5BADB57852}
SymNet --> MsiExec.exe /I{2DA85B02-13C0-4E6D-9A76-22E6B3DD0CB2}
Winamp (remove only) --> "C:\Program Files\Winamp\UninstWA.exe"
Yahoo! Anti-Spy --> C:\PROGRA~1\Yahoo!\Common\unypsr.exe
Yahoo! Toolbar --> C:\PROGRA~1\Yahoo!\Common\unyt.exe


-- End of Deckard's System Scanner: finished at 2007-04-24 at 17:40:23 ----

**********************************************************

Please help - other than throwing the computer out of the window, what do I do next?
JOHNNYMACK is offline  
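Editor's note, an added example that is not part of the thread: the Deckard's log above already carries the classic Virtumonde/Vundo fingerprint, and it is worth seeing how to pull it out mechanically rather than by eye. The indicators are unsigned, random-named DLLs created in the system32 root (hggdbaw.dll, ddccb.dll, pmkhf.dll, xalcibup.dll), two of those DLLs registered as Browser Helper Objects, three Winlogon\Notify subkeys (ddccb, hgghffc, ssttu) that load a DLL into winlogon.exe at logon, a Run value that uses rundll32 to load bxoxpoce.dll, and hidden+system .ini2/.bak files whose names are the DLL or Notify name spelled backwards (ddccb.dll and bccdd.ini2, ssttu and uttss.ini2). The script below was written for this page; it is not a tool the thread used. It parses an excerpt of the posted log (embedded as constructed sample input). The XP Winlogon Notify baseline list and the "random-looking name" vowel heuristic are assumptions of the example, not facts stated in the thread, and the name heuristic is only applied together with the other signals.

```python
from __future__ import annotations
import re
from dataclasses import dataclass

# Constructed sample input: an excerpt of the Deckard's main.txt posted above.
SAMPLE_LOG = r"""
-- Files created between 2007-03-24 and 2007-04-24 -----------------------------

2007-04-24 09:05:12 764570 ---hs---- C:\WINDOWS\system32\bccdd.ini2
2007-04-24 08:58:17 131604 --a------ C:\WINDOWS\system32\xalcibup.dll
2007-04-20 19:38:14 758028 ---hs---- C:\WINDOWS\system32\bccdd.bak2
2007-04-19 19:36:34 281172 ---hs---- C:\WINDOWS\system32\ddccb.dll
2007-04-16 14:14:14 26694 --a------ C:\WINDOWS\system32\hggdbaw.dll
2007-04-12 21:35:27 280676 ---hs---- C:\WINDOWS\system32\pmkhf.dll
2007-04-02 22:13:13 48776 --a------ C:\WINDOWS\system32\S32EVNT1.DLL <Verified; Symantec Corporation; SYMEVENT; 12.3.0.15; 12.3.0.15>
2007-02-09 18:22:24 8022 ---hs---- C:\WINDOWS\system32\uttss.ini2

-- Registry Dump ---------------------------------------------------------------

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects]
{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
{7E7CF20E-AAC3-4698-91F3-4CE05D055AAd} C:\WINDOWS\system32\xalcibup.dll
{BC5D816C-7FA8-4815-9B0B-0D6F73D5EFF2} C:\WINDOWS\system32\ddccb.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run]
"NeroFilterCheck"="C:\\WINDOWS\\system32\\NeroCheck.exe"
"PrintDrive"="rundll32.exe \"C:\\WINDOWS\\system32\\bxoxpoce.dll\",setvm"

HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\ddccb
HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\hgghffc
HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\ssttu
"""

# Deckard's line formats: "date time size attrs path [<Verified; ...>]", "{CLSID} path",
# '"name"="value"' (reg-export escaping) and the bare Winlogon\Notify key paths.
FILE_RE = re.compile(r"^(?P<date>\d{4}-\d{2}-\d{2}) (?P<time>\d{2}:\d{2}:\d{2}) (?P<size>\d+) "
                     r"(?P<attrs>\S{9}) (?P<path>.*?)(?: <(?P<ver>[^>]*)>)?$", re.M)
BHO_RE = re.compile(r"^\{(?P<clsid>[0-9A-Fa-f-]{36})\} (?P<path>.+)$", re.M)
RUN_RE = re.compile(r'^"(?P<name>[^"]+)"="(?P<value>.*)"$', re.M)
NOTIFY_RE = re.compile(r"winlogon\\notify\\(?P<name>\w+)\s*$", re.M | re.I)

SYSTEM32 = "c:\\windows\\system32\\"
# Assumed XP SP2 baseline of Winlogon Notify packages; anything else is worth a look.
KNOWN_NOTIFY = {"crypt32chain", "cryptnet", "cscdll", "sccertprop", "schedule",
                "sclgntfy", "senslogn", "termsrv", "wlballoon"}


@dataclass(frozen=True)
class Finding:
    kind: str    # "file", "bho", "run", "notify" or "pair"
    item: str    # file path, registry value name or Notify subkey
    reason: str


def in_system32_root(path: str) -> bool:
    """True when the file sits directly in system32, with no vendor subfolder."""
    p = path.lower()
    return p.startswith(SYSTEM32) and "\\" not in p[len(SYSTEM32):]


def looks_random(stem: str) -> bool:
    """Heuristic (assumption): 5-8 lowercase letters with few vowels, like hggdbaw or pmkhf.
    Real system DLLs such as mshtml would also pass, so never use this signal alone."""
    if not re.fullmatch(r"[a-z]{5,8}", stem):
        return False
    return sum(ch in "aeiou" for ch in stem) / len(stem) < 0.4


def reg_unescape(value: str) -> str:
    """Undo reg-export escaping (\\\\ -> \\, \\" -> ")."""
    return value.replace("\\\\", "\\").replace('\\"', '"')


def stem_of(path: str) -> str:
    return path.rsplit("\\", 1)[-1].rsplit(".", 1)[0]


def find_indicators(log: str) -> list[Finding]:
    findings: list[Finding] = []
    dll_stems: set[str] = set()
    hidden_companions: list[str] = []

    for f in (m.groupdict() for m in FILE_RE.finditer(log)):
        path, attrs = f["path"], f["attrs"]
        if attrs.startswith("d") or not in_system32_root(path):
            continue
        stem, ext = stem_of(path).lower(), path.rsplit(".", 1)[-1].lower()
        unsigned = f["ver"] is None or not f["ver"].startswith("Verified")
        if ext == "dll":
            dll_stems.add(stem)
            if unsigned and looks_random(stem):
                findings.append(Finding("file", path, "unsigned, random-named DLL created in system32"))
        elif "h" in attrs and "s" in attrs:  # hidden+system data file next to the DLLs
            hidden_companions.append(path)
            findings.append(Finding("file", path, f"hidden+system .{ext} file in system32 root"))

    notify = [m["name"] for m in NOTIFY_RE.finditer(log)]
    for name in notify:
        if name.lower() not in KNOWN_NOTIFY:
            findings.append(Finding("notify", name, "non-baseline Winlogon Notify package (DLL loaded into winlogon.exe)"))

    for m in BHO_RE.finditer(log):
        if in_system32_root(m["path"]):  # legitimate BHOs live under Program Files
            findings.append(Finding("bho", m["path"], "Browser Helper Object loaded from system32 root"))

    for m in RUN_RE.finditer(log):
        value = reg_unescape(m["value"]).lower()
        if "rundll32" in value and SYSTEM32 in value:
            findings.append(Finding("run", m["name"], "Run value uses rundll32 to load a DLL from system32"))

    # Vundo names its companion files with the DLL/Notify name reversed (ddccb.dll <-> bccdd.ini2).
    names = dll_stems | {n.lower() for n in notify}
    for path in hidden_companions:
        rev = stem_of(path).lower()[::-1]
        if rev in names:
            findings.append(Finding("pair", path, f"reversed-name companion of '{rev}'"))
    return findings


if __name__ == "__main__":
    for fnd in find_indicators(SAMPLE_LOG):
        print(f"[{fnd.kind:6}] {fnd.item}  ({fnd.reason})")
```

Run against the full main.txt it flags the same six Vundo DLLs Panda named plus the ones Panda missed (ddccb.dll, pmkhf.dll, xalcibup.dll, bxoxpoce.dll), which is the point: the cookie hits in the Panda log are noise, and the persistence entries in the registry dump are what actually need removing.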
Old 04-28-2007, 03:34 AM   #2 (permalink)
Registered User
 
Join Date: Apr 2007
Location: united kingdom
Posts: 16
OS: Win XP


Re: Newby Bombarded With Spyware Pop-ups

Does No-one Want To Help Me ??
Bump
JOHNNYMACK is offline  
Old 04-28-2007, 06:43 AM   #3 (permalink)
Analyst, Security Team ; Rangemaster, TSF Academy
 
 
Join Date: Jun 2006
Location: Cleveland, Ohio
Posts: 1,673
OS: XP Pro, Vista, Ubuntu 8.10


Re: Newby Bombarded With Spyware Pop-ups

Hello and Welcome. Apologies for any delay in replying, but we have been rather busy lately.

I am currently reviewing your log. Please note that this is under the supervision of an expert analyst, and I will be back with a fix for your problem a.s.a.p.

Please be patient with me during this time.

You may wish to subscribe to this thread to get immediate notification of replies as soon as they are posted. To do this click Thread Tools, then click Subscribe to this Thread. Make sure it is set to Instant Notification, then click Subscribe.
__________________
Proud Member of ASAP
Proud Member of UNITE

If you feel we've helped you, Please Donate to the Forum
Clark76 is offline  
Old 04-28-2007, 06:49 AM   #4 (permalink)
Registered User
 
Join Date: Apr 2007
Location: united kingdom
Posts: 16
OS: Win XP


Re: Newby Bombarded With Spyware Pop-ups

Thanks for the reply - utmost faith in you,

Waiting in anticipation.

J.T.
JOHNNYMACK is offline  
Old 04-28-2007, 04:51 PM   #5 (permalink)
Analyst, Security Team ; Rangemaster, TSF Academy
 
 
Join Date: Jun 2006
Location: Cleveland, Ohio
Posts: 1,673
OS: XP Pro, Vista, Ubuntu 8.10


Re: Newby Bombarded With Spyware Pop-ups

Hello again

P2P - I see you have P2P software <Limewire> installed on your machine. We are not here to pass judgment on file-sharing as a concept. However, we will warn you that engaging in this activity and having this kind of software installed on your machine will always make you more susceptible to re-infections. It may be contributing to your current situation. This page will give you further information.

=======================================================

Please disable Spywareguard, as it may hinder the removal of some entries. You can re-enable it after you're clean.
  • Right click the running icon of Spywareguard located in the system tray
  • Go to Menu > File > Exit and confirm the programs close.

=======================================================

Downloads

Download combofix from here.

**Save it directly to your desktop**

Double click on combofix.exe & follow the prompts.
When finished, it shall produce a log for you. Post that log in your next reply

Note:
Do not mouse-click ComboFix's window whilst it's running. That may cause it to stall.


==================================================

Run Hijackthis and post that log here.

==================================================

Please provide the following logs with your next post:

C:\ComboFix.txt
Hijackthis log

Also include an update on how your system is running
Clark76 is offline  
Old 04-29-2007, 04:00 AM   #6 (permalink)
Registered User
 
Join Date: Apr 2007
Location: united kingdom
Posts: 16
OS: Win XP


Re: Newby Bombarded With Spyware Pop-ups

Thanks Clark - here are the logs -

The computer does seem to be running a little bit quicker,
but it still freezes an awful lot more than usual and I still get the odd anti-spyware pop-up.

One thing: when I did the HJT scan I did not delete anything from the log it produced. Should I have?



COMBOFIX LOG is like this ..................

"User" - 07-04-29 3:25:16 Service Pack 2
ComboFix 07-04-25.4V - Running from: "C:\Documents and Settings\User\Desktop\"


(((((((((((((((((((((((((((((((((((((((((((((((((( V Log )))))))))))))))))))))))))))))))))))))))))))))))))))))))


C:\WINDOWS\system32\hggdbaw.dll
C:\WINDOWS\system32\hgghfeb.dll
C:\WINDOWS\system32\ljjigeb.dll
C:\WINDOWS\system32\pmnolll.dll
C:\WINDOWS\system32\urqrrqo.dll
C:\WINDOWS\system32\yayawts.dll


* * * POST RUN FILES/FOLDERS * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * *


(((((((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))


C:\Program Files\Common Files\{1CFBF~1
C:\Program Files\Common Files\{3CFBF~1


((((((((((((((((((((((((((((((( Files Created from 2007-03-28 to 2007-04-29 ))))))))))))))))))))))))))))))))))


2007-04-27 22:52 784,821 --ahs---- C:\WINDOWS\system32\bccdd.ini2
2007-04-26 11:43 132,660 --a------ C:\WINDOWS\system32\swkjhpnb.dll
2007-04-24 17:16 <DIR> d-------- C:\Deckard
2007-04-24 17:03 <DIR> d-------- C:\ie-spyad
2007-04-24 17:01 536,811 --a------ C:\ie-spyad.exe
2007-04-24 16:54 <DIR> d-------- C:\Program Files\SpywareGuard
2007-04-24 16:44 <DIR> d-------- C:\Program Files\SpywareBlaster
2007-04-23 18:04 <DIR> d-------- C:\WINDOWS\BDOSCAN8
2007-04-23 17:52 <DIR> d-------- C:\WINDOWS\system32\ActiveScan
2007-04-22 15:39 <DIR> d-------- C:\DOCUME~1\User\APPLIC~1\Lavasoft
2007-04-22 15:38 <DIR> d-------- C:\Program Files\Lavasoft
2007-04-20 19:38 787,089 --ahs---- C:\WINDOWS\system32\bccdd.bak2
2007-04-19 21:18 <DIR> d-------- C:\WINDOWS\system32\FlashAX
2007-04-19 21:18 <DIR> d-------- C:\DOCUME~1\User\APPLIC~1\Microgaming
2007-04-19 19:38 786,677 --ahs---- C:\WINDOWS\system32\bccdd.bak1
2007-04-19 14:52 <DIR> d-------- C:\VundoFix Backups
2007-04-19 13:23 3,968 --a------ C:\WINDOWS\system32\drivers\AvgAsCln.sys
2007-04-18 17:15 <DIR> d-------- C:\kav
2007-04-18 14:26 524,288 --ah----- C:\DOCUME~1\ADMINI~1\NTUSER.DAT
2007-04-18 11:18 <DIR> d-------- C:\Program Files\Enigma Software Group
2007-04-17 17:24 <DIR> d-------- C:\WINDOWS\Prefetch
2007-04-17 12:25 9,728 --a------ C:\WINDOWS\system32\rwnh.dll
2007-04-17 12:25 10,752 --a------ C:\WINDOWS\system32\smtpapi.dll
2007-04-16 14:24 <DIR> d-------- C:\Program Files\Motorola Phone Tools
2007-04-15 15:00 8,126,464 --a------ C:\DOCUME~1\User\ntuser.dat
2007-04-12 21:48 <DIR> d-------- C:\WINDOWS\pss
2007-04-11 15:41 <DIR> d-------- C:\Program Files\PartyGaming
2007-04-10 17:50 <DIR> d-------- C:\Program Files\Poker Indicator
2007-04-10 13:17 <DIR> d-------- C:\Program Files\pokerkant
2007-04-07 19:27 <DIR> d-------- C:\Program Files\Poker Pal Pro Edition
2007-04-06 19:29 <DIR> d-------- C:\Program Files\Poker-Spy
2007-04-03 16:24 <DIR> d-------- C:\Program Files\EmpirePokerMaster
2007-04-03 09:47 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Office Genuine Advantage
2007-04-02 22:57 <DIR> d-------- C:\Program Files\Magic Holdem
2007-04-02 19:32 <DIR> d-------- C:\Program Files\Norton AntiVirus
2007-04-02 19:28 <DIR> d-------- C:\Program Files\Norton SystemWorks
2007-04-02 14:46 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\Symantec Temporary Files
2007-03-28 22:57 <DIR> d-------- C:\WINDOWS\system32\URTTemp


(((((((((((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))))


2007-04-28 14:50 -------- d-------- C:\Program Files\pacificpoker
2007-04-28 14:49 -------- d-------- C:\DOCUME~1\User\APPLIC~1\utorrent
2007-04-24 16:09 -------- d-------- C:\Program Files\messenger
2007-04-24 16:06 -------- d-------- C:\Program Files\itunes
2007-04-24 16:05 -------- d-------- C:\Program Files\google
2007-04-22 15:37 -------- d-------- C:\Program Files\Common Files\wise installation wizard
2007-04-20 00:44 -------- d-------- C:\Program Files\msn messenger
2007-04-16 14:24 22768 --a------ C:\WINDOWS\system32\drivers\usbsermpt.sys
2007-04-16 14:24 -------- d--h----- C:\Program Files\installshield installation information
2007-04-07 19:24 -------- d-------- C:\Program Files\cyberlink
2007-04-02 22:49 -------- d-------- C:\Program Files\google toolbar
2007-04-02 22:13 48776 --a------ C:\WINDOWS\system32\s32evnt1.dll
2007-04-02 22:13 115000 --a------ C:\WINDOWS\system32\drivers\SYMEVENT.SYS
2007-04-02 22:13 -------- d-------- C:\Program Files\symantec
2007-04-02 18:15 -------- d-------- C:\DOCUME~1\User\APPLIC~1\symantec
2007-03-19 11:55 10344 --a------ C:\WINDOWS\system32\drivers\symlcbrd.sys
2007-03-17 14:43 292864 --a------ C:\WINDOWS\system32\winsrv.dll
2007-03-15 15:34 -------- d-------- C:\Program Files\thomson
2007-03-15 12:23 497496 --a------ C:\WINDOWS\system32\xceedzip.dll
2007-03-15 12:19 526184 --a------ C:\WINDOWS\system32\xceedcry.dll
2007-03-12 17:30 -------- d-------- C:\Program Files\motorola phone tools(2)(2)
2007-03-12 17:30 -------- d-------- C:\Program Files\motorola phone tools(2)
2007-03-12 17:30 -------- d-------- C:\Program Files\liveupdate
2007-03-12 17:28 -------- d-------- C:\Program Files\motorola phone tools(3)
2007-03-08 16:36 577536 --a------ C:\WINDOWS\system32\user32.dll
2007-03-08 16:36 40960 --a------ C:\WINDOWS\system32\mf3216.dll
2007-03-08 16:36 281600 --a------ C:\WINDOWS\system32\gdi32.dll
2007-03-08 14:47 1843584 --a------ C:\WINDOWS\system32\win32k.sys
2007-03-05 13:34 676224 --a------ C:\WINDOWS\system32\ogacheckcontrol.dll
2007-02-27 11:00 0 --a------ C:\WINDOWS\poker.com
2007-02-09 18:22 8022 --ahs---- C:\WINDOWS\system32\uttss.ini2
2007-02-05 21:17 185344 --a------ C:\WINDOWS\system32\upnphost.dll


(((((((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))


*Note* empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects]
{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
{4A368E80-174F-4872-96B5-0B27DDD11DB2} C:\Program Files\SpywareGuard\dlprotect.dll
{6C679AA8-2AA7-46A9-BEA7-52E8F46CF21C} C:\WINDOWS\system32\ddccb.dll [x]
{761497BB-D6F0-462C-B6EB-D4DAF1D92D43} C:\Program Files\Java\jre1.5.0_11\bin\ssv.dll
{AA58ED58-01DD-4d91-8333-CF10577473F7} c:\program files\google\googletoolbar2.dll
{D651AFF4-9590-424d-BD1E-8E33E090DFB3} C:\WINDOWS\system32\uipnaitx.dll [x]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run]
"NeroFilterCheck"="C:\\WINDOWS\\system32\\NeroCheck.exe"
"NvCplDaemon"="RUNDLL32.EXE C:\\WINDOWS\\System32\\NvCpl.dll,NvStartup"
"nwiz"="nwiz.exe /install"
"NvMediaCenter"="RUNDLL32.EXE C:\\WINDOWS\\System32\\NvMcTray.dll,NvTaskbarInit"
"SoundMan"="SOUNDMAN.EXE"
"SunJavaUpdateSched"="\"C:\\Program Files\\Java\\jre1.5.0_11\\bin\\jusched.exe\""
"InCD"="C:\\Program Files\\Ahead\\InCD\\InCD.exe"
"QuickTime Task"="\"C:\\Program Files\\QuickTime\\qttask.exe\" -atboottime"
"iTunesHelper"="\"C:\\Program Files\\iTunes\\iTunesHelper.exe\""
"SpeedTouch USB Diagnostics"="\"C:\\Program Files\\Thomson\\SpeedTouch USB\\Dragdiag.exe\" /icon"
"ccApp"="\"C:\\Program Files\\Common Files\\Symantec Shared\\ccApp.exe\""
"osCheck"="\"C:\\Program Files\\Norton AntiVirus\\osCheck.exe\""
"Symantec PIF AlertEng"="\"C:\\Program Files\\Common Files\\Symantec Shared\\PIF\\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\\PIFSvc.exe\" /a /m \"C:\\Program Files\\Common Files\\Symantec Shared\\PIF\\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\\AlertEng.dll\""
"!AVG Anti-Spyware"="\"C:\\Program Files\\Grisoft\\AVG Anti-Spyware 7.5\\avgas.exe\" /minimized"
"InfoData"="rundll32.exe \"C:\\WINDOWS\\system32\\swkjhpnb.dll\",realset"

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run]
"MSMSGS"="\"C:\\Program Files\\Messenger\\msmsgs.exe\" /background"
"NBJ"="\"C:\\Program Files\\Ahead\\Nero BackItUp\\NBJ.exe\""
"updateMgr"="\"C:\\Program Files\\Adobe\\Acrobat 7.0\\Reader\\AdobeUpdateManager.exe\" AcRdB7_0_8 -reboot 1"

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"NoViewOnDrive"=dword:00000000

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer\Run]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{57B86673-276A-48B2-BAE7-C6DBB3020EB8}"="AVG Anti-Spyware 7.5"

HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\ddccb
HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\hgghffc
HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\ssttu

HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa
Authentication Packages REG_MULTI_SZ msv1_0\0\0
Security Packages REG_MULTI_SZ kerberos\0msv1_0\0schannel\0wdigest\0\0
Notification Packages REG_MULTI_SZ scecli\0\0


[HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Svchost]
LocalService REG_MULTI_SZ Alerter\0WebClient\0LmHosts\0RemoteRegistry\0upnphost\0SSDPSRV\0\0
NetworkService REG_MULTI_SZ DnsCache\0\0
rpcss REG_MULTI_SZ RpcSs\0\0
imgsvc REG_MULTI_SZ StiSvc\0\0
termsvcs REG_MULTI_SZ TermService\0\0
HTTPFilter REG_MULTI_SZ HTTPFilter\0\0
DcomLaunch REG_MULTI_SZ DcomLaunch\0TermService\0\0



Contents of the 'Scheduled Tasks' folder
C:\WINDOWS\tasks\Norton AntiVirus - Run Full System Scan - User.job
C:\WINDOWS\tasks\Norton SystemWorks One Button Checkup.job

********************************************************************

catchme 0.3.660 W2K/XP/Vista - userland rootkit detector by Gmer, http://www.gmer.net
Rootkit scan 2007-04-29 03:28:50
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden services ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden processes: 0
hidden services: 0
hidden files: 0


********************************************************************

Completion time: 07-04-29 3:28:53
C:\ComboFix-quarantined-files.txt ... 07-04-29 03:28

HJT LOG is now like this -------

Logfile of HijackThis v1.99.1
Scan saved at 10:57:01, on 29/04/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Ahead\InCD\InCDsrv.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
C:\PROGRA~1\NORTON~1\NORTON~1\NPROTECT.EXE
C:\WINDOWS\System32\nvsvc32.exe
C:\PROGRA~1\NORTON~1\NORTON~1\SPEEDD~1\NOPDB.EXE
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\Program Files\Common Files\Symantec Shared\AppCore\AppSvc32.exe
C:\WINDOWS\system32\WgaTray.exe
C:\Program Files\Java\jre1.5.0_11\bin\jusched.exe
C:\Program Files\Ahead\InCD\InCD.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Thomson\SpeedTouch USB\Dragdiag.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\SpywareGuard\sgmain.exe
C:\Program Files\SpywareGuard\sgbhp.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://uk.yahoo.com/
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {23E381E5-8478-41AF-A278-F6C212F45F9C} - (no file)
O2 - BHO: (no name) - {308385CC-A3C9-4840-876A-A09D8361E824} - (no file)
O2 - BHO: SpywareGuard Download Protection - {4A368E80-174F-4872-96B5-0B27DDD11DB2} - C:\Program Files\SpywareGuard\dlprotect.dll
O2 - BHO: (no name) - {6C679AA8-2AA7-46A9-BEA7-52E8F46CF21C} - C:\WINDOWS\system32\ddccb.dll (file missing)
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_11\bin\ssv.dll
O2 - BHO: (no name) - {7E7CF20E-AAC3-4698-91F3-4CE05D055AAd} - (no file)
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O2 - BHO: (no name) - {D651AFF4-9590-424d-BD1E-8E33E090DFB3} - C:\WINDOWS\system32\uipnaitx.dll (file missing)
O2 - BHO: XBTP00788 - {F4674901-44F3-436d-A4E6-B1849CFFA72E} - (no file)
O2 - BHO: (no name) - {F6F8094A-7159-400E-9BA3-0BA01D206126} - (no file)
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.5.0_11\bin\jusched.exe"
O4 - HKLM\..\Run: [InCD] C:\Program Files\Ahead\InCD\InCD.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [SpeedTouch USB Diagnostics] "C:\Program Files\Thomson\SpeedTouch USB\Dragdiag.exe" /icon
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [osCheck] "C:\Program Files\Norton AntiVirus\osCheck.exe"
O4 - HKLM\..\Run: [Symantec PIF AlertEng] "C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe" /a /m "C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\AlertEng.dll"
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKLM\..\Run: [InfoData] rundll32.exe "C:\WINDOWS\system32\swkjhpnb.dll",realset
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [NBJ] "C:\Program Files\Ahead\Nero BackItUp\NBJ.exe"
O4 - HKCU\..\Run: [updateMgr] "C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" AcRdB7_0_8 -reboot 1
O4 - Startup: SpywareGuard.lnk = C:\Program Files\SpywareGuard\sgmain.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar2.dll/cmsearch.html
O8 - Extra context menu item: &Translate English Word - res://c:\program files\google\GoogleToolbar2.dll/cmwordtrans.html
O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar2.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar2.dll/cmcache.html
O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar2.dll/cmsimilar.html
O8 - Extra context menu item: Translate Page into English - res://c:\program files\google\GoogleToolbar2.dll/cmtrans.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_11\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_11\bin\ssv.dll
O9 - Extra button: Express Cleanup - {5E638779-1818-4754-A595-EF1C63B87A56} - C:\Program Files\Norton SystemWorks\Norton Cleanup\WCQuick.lnk
O9 - Extra 'Tools' menuitem: Express Cleanup - {5E638779-1818-4754-A595-EF1C63B87A56} - C:\Program Files\Norton SystemWorks\Norton Cleanup\WCQuick.lnk
O9 - Extra button: EmpirePoker - {77E68763-4284-41d6-B7E7-B6E1F053A9E7} - C:\Program Files\EmpirePokerMaster\EmpirePoker\RunEPoker.exe
O9 - Extra 'Tools' menuitem: EmpirePoker - {77E68763-4284-41d6-B7E7-B6E1F053A9E7} - C:\Program Files\EmpirePokerMaster\EmpirePoker\RunEPoker.exe
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O9 - Extra button: PacificPoker - {94EDF7B4-4272-4af3-8F8B-4E2F68E225B7} - C:\PROGRA~1\PACIFI~1\pacificpoker.exe
O9 - Extra button: Calorie-Count.com Toolbar - {B7D3E479-CC68-42B5-A338-938ECE35F419} - (no file)
O9 - Extra 'Tools' menuitem: Calorie-Count.com Toolbar - {B7D3E479-CC68-42B5-A338-938ECE35F419} - (no file)
O9 - Extra button: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyGaming\PartyPoker\RunApp.exe
O9 - Extra 'Tools' menuitem: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyGaming\PartyPoker\RunApp.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {05CA9FB0-3E3E-4B36-BF41-0E3A5CAA8CD8} (Office Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=67633
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {20A60F0D-9AFA-4515-A0FD-83BD84642501} (Checkers Class) - http://messenger.zone.msn.com/binary...r.cab56986.cab
O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - http://us.dl1.yimg.com/download.yaho...st20040510.cab
O16 - DPF: {5D6F45B3-9043-443D-A792-115447494D24} (UnoCtrl Class) - http://messenger.zone.msn.com/EN-GB/.../GAME_UNO1.cab
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitdefender.com/reso...an8/oscan8.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/microsof...?1151879318531
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/S.../bin/cabsa.cab
O16 - DPF: {6A344D34-5231-452A-8A57-D064AC9B7862} (Symantec Download Manager) - https://webdl.symantec.com/activex/symdlmgr.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsof...?1151879295750
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/actives...ree/asinst.cab
O16 - DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary...t.cab56907.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{378DAB05-8789-4F9B-A642-101CA7712A12}: NameServer = 62.24.222.134 62.24.222.135
O17 - HKLM\System\CS2\Services\Tcpip\..\{378DAB05-8789-4F9B-A642-101CA7712A12}: NameServer = 62.24.222.134 62.24.222.135
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O20 - Winlogon Notify: ddccb - C:\WINDOWS\system32\ddccb.dll (file missing)
O20 - Winlogon Notify: hgghffc - hgghffc.dll (file missing)
O20 - Winlogon Notify: ssttu - C:\WINDOWS\System32\ssttu.dll (file missing)
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Unknown owner - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe" /h ccCommon (file missing)
O23 - Service: Symantec Settings Manager (ccSetMgr) - Unknown owner - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe" /h ccCommon (file missing)
O23 - Service: Symantec Lic NetConnect service (CLTNetCnService) - Unknown owner - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe" /h ccCommon (file missing)
O23 - Service: Firebird Guardian - DefaultInstance (FirebirdGuardianDefaultInstance) - Unknown owner - C:\Program Files\Firebird\Firebird_1_5\bin\fbguard.exe (file missing)
O23 - Service: Firebird Server - DefaultInstance (FirebirdServerDefaultInstance) - Unknown owner - C:\Program Files\Firebird\Firebird_1_5\bin\fbserver.exe (file missing)
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: InCD Helper (InCDsrv) - Nero AG - C:\Program Files\Ahead\InCD\InCDsrv.exe
O23 - Service: iPod Service - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Symantec IS Password Validation (ISPwdSvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\isPwdSvc.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: LiveUpdate Notice Service Ex (LiveUpdate Notice Ex) - Unknown owner - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe" /h ccCommon (file missing)
O23 - Service: LiveUpdate Notice Service - Unknown owner - C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe" /m "C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PifEng.dll (file missing)
O23 - Service: Norton UnErase Protection (NProtectService) - Symantec Corporation - C:\PROGRA~1\NORTON~1\NORTON~1\NPROTECT.EXE
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: Speed Disk service - Symantec Corporation - C:\PROGRA~1\NORTON~1\NORTON~1\SPEEDD~1\NOPDB.EXE
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: Symantec AppCore Service (SymAppCore) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\AppCore\AppSvc32.exe
--------------------------------------------------------------------------

Waiting further but thanks for so far.

J.T.

Last edited by JOHNNYMACK; 04-29-2007 at 04:07 AM.
JOHNNYMACK is offline  
Old 04-30-2007, 07:39 AM   #7 (permalink)
Analyst, Security Team ; Rangemaster, TSF Academy
 
 
Join Date: Jun 2006
Location: Cleveland, Ohio
Posts: 1,673
OS: XP Pro, Vista, Ubuntu 8.10


Re: Newby Bombarded With Spyware Pop-ups

Apologies for the delay in replying. I was unexpectedly occupied all day yesterday.


Quote:
One thing, when I did the HJT Scan I did not delete anything from the log it produced, should I have ??
No, at that point I simply wanted to see the log.

======================================================

Please disable Spywareguard, as it may hinder the removal of some entries. You can re-enable it after you're clean.
  • Right click the running icon of Spywareguard located in the system tray
  • Go to Menu > File > Exit and confirm that the program closes.

======================================================

Before fixing anything, Please download the Suspicious File Packer --> http://www.safer-networking.org/files/sfp.zip

Unzip it to the desktop and run it.

Paste the following list of filepaths into the Suspicious File Packer window:

C:\WINDOWS\system32\swkjhpnb.dll

Allow SFP to pack the files. This will generate a CAB archive on your desktop.
Please submit it to this site --> http://www.bleepingcomputer.com/subm....php?channel=4
Please include a link to this topic in the message.

=======================================================

I see you already have AVG Antispyware. You will need to update AVG Anti-Spyware to the latest definition files.
  • On the top of the main screen click Shield
  • Click the word active to change it to inactive
  • On the top of the main screen click Update.
  • Then click on Start Update. The update will start and a progress bar will show the updates being installed.
  • Once the update has completed select the "Scanner" icon at the top of the screen, then select the "Settings" tab.
  • Once in the Settings screen click on "Recommended actions" and then select "Quarantine".
  • Under "Reports"
    • Select "Automatically generate report after every scan"
    • Un-Select "Only if threats were found"
When you have finished updating, EXIT AVG Anti-Spyware. Do Not run a scan just yet, we will shortly.

========================================================

Click > Start > Control Panel > Add / Remove Programs and uninstall the following program (if it exists):

J2SE Runtime Environment 5.0 Update 3

=====================================================

Reboot

Restart your computer and boot into Safe Mode by hitting the F8 key repeatedly until a menu shows up (and choose Safe Mode from the list). In some systems, this may be the F5 key, so try that if F8 doesn't work. Login on your usual account. Make sure to close any open browsers.

=====================================================

Open HijackThis and click on 'Do a System Scan Only'. Check the following entries (If they still exist, make sure you do not miss any)

O2 - BHO: (no name) - {23E381E5-8478-41AF-A278-F6C212F45F9C} - (no file)
O2 - BHO: (no name) - {308385CC-A3C9-4840-876A-A09D8361E824} - (no file)
O2 - BHO: (no name) - {6C679AA8-2AA7-46A9-BEA7-52E8F46CF21C} - C:\WINDOWS\system32\ddccb.dll (file missing)
O2 - BHO: (no name) - {7E7CF20E-AAC3-4698-91F3-4CE05D055AAd} - (no file)
O2 - BHO: (no name) - {D651AFF4-9590-424d-BD1E-8E33E090DFB3} - C:\WINDOWS\system32\uipnaitx.dll (file missing)
O2 - BHO: XBTP00788 - {F4674901-44F3-436d-A4E6-B1849CFFA72E} - (no file)
O2 - BHO: (no name) - {F6F8094A-7159-400E-9BA3-0BA01D206126} - (no file)
O4 - HKLM\..\Run: [InfoData] rundll32.exe "C:\WINDOWS\system32\swkjhpnb.dll",realset
O20 - Winlogon Notify: ddccb - C:\WINDOWS\system32\ddccb.dll (file missing)
O20 - Winlogon Notify: hgghffc - hgghffc.dll (file missing)
O20 - Winlogon Notify: ssttu - C:\WINDOWS\System32\ssttu.dll (file missing)

Please remember to close all other windows, including browsers then click Fix checked.


=======================================================

Delete the following Files indicated in RED if they still exist.

C:\WINDOWS\system32\bccdd.ini2
C:\WINDOWS\system32\bccdd.bak2
C:\WINDOWS\system32\bccdd.bak1
C:\WINDOWS\system32\uttss.ini2
C:\WINDOWS\system32\swkjhpnb.dll


=======================================================

Open Cleanup! by double-clicking the icon on your desktop (or from the Start > All Programs menu).
Set the program up as follows:

Click "Options..."
Move the arrow down to "Custom CleanUp!"
Put a check next to the following (Make sure nothing else is checked!):
  • Empty Recycle Bins
  • Delete Cookies
  • Delete Prefetch files (if present)
  • Cleanup! All Users
  • Click on the Temporary Files tab and uncheck the box for Scan drives for files matching if it’s checked.
Click OK
Press the CleanUp! button to start the program and reboot back into safe mode when prompted.

=======================================================

Run AVG Anti-Spyware with its updated definitions (it's important that all windows are closed):
  • Click Scanner
  • Click on the Scan tab
  • Click Complete System Scan to begin scanning.
    Once the scan is complete do the following:
  • If you have any infections you will be prompted; then select "Apply all actions"
  • Once finished, click the Save report button, then click Save Report As and save it to your desktop. (make sure to remember where you saved that file, this is important).
Close AVG Anti-Spyware

======================================================

Reboot

Reboot your system in Normal Mode.

======================================================

Establish an internet connection & perform an online scan with Internet Explorer at Kaspersky Online Scanner

Answer Yes, when prompted to install an ActiveX component.
  • The program will then begin downloading the latest definition files.
  • Once the files have been downloaded click on NEXT
  • Locate the Scan Settings button & configure to:
    • Scan using the following Anti-Virus database:
      • Extended
    • Scan Options:
      • Scan Archives
      • Scan Mail Bases
  • Click OK & have it scan My Computer
  • Once the scan is complete, it will display if your system has been infected. It does not provide an option to clean/disinfect. We only require a report from it.
  • Click the Save as Text button to save the file to your desktop so that you may post it in your next reply
* Turn off the real time scanner of any existing antivirus program while performing the online scan

=======================================================

Run Deckard's System Scanner (DSS) again
  1. Close all applications and windows.
  2. Double-click on DSS.exe to run it, and follow the prompts.
  3. When the scan is complete, one text file will open - main.txt
  4. Copy (Ctrl+A then Ctrl+C) and paste (Ctrl+V) the contents of main.txt in your reply.

=======================================================

Please provide the following logs with your next post:

AVG Anti-Spyware report
Kaspersky report
C:\Deckard\System Scanner\main.txt
new Hijackthis log

Also include an update on how your system is running

Last edited by Ried; 04-30-2007 at 08:10 AM.
Clark76 is offline  
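The triage that Clark76 performs on the two logs above (O2/O20 entries whose target file is missing, the rundll32 autorun that loads a DLL out of system32, and the hidden+system .ini2/.bak files dropped in system32) can be written down as a small log filter. This is an added example and not part of the thread, of HijackThis or of ComboFix. The sample lines are copied from the logs posted in this thread, and the filename heuristic (short, all-lowercase, nearly vowel-free names such as ddccb, ssttu, hgghffc and swkjhpnb) is an assumption drawn from the names flagged here, not a rule the tools themselves apply.

```python
"""Triage heuristics for HijackThis and ComboFix log lines.

Added example for this thread; it is not part of HijackThis, ComboFix or the
forum's own procedure.  The sample lines are copied from the logs posted above
(constructed subset), and random_looking() is an assumed heuristic derived from
the names flagged in this thread.
"""
from __future__ import annotations

import re
from pathlib import PureWindowsPath

# Constructed sample: a subset of the HJT lines posted above.
SAMPLE_HJT = r"""
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {23E381E5-8478-41AF-A278-F6C212F45F9C} - (no file)
O2 - BHO: (no name) - {6C679AA8-2AA7-46A9-BEA7-52E8F46CF21C} - C:\WINDOWS\system32\ddccb.dll (file missing)
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [InfoData] rundll32.exe "C:\WINDOWS\system32\swkjhpnb.dll",realset
O20 - Winlogon Notify: ddccb - C:\WINDOWS\system32\ddccb.dll (file missing)
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
"""

# Constructed sample: a subset of the ComboFix "Files Created" lines posted above.
SAMPLE_COMBOFIX = r"""
2007-04-27 22:52 784,821 --ahs---- C:\WINDOWS\system32\bccdd.ini2
2007-04-26 11:43 132,660 --a------ C:\WINDOWS\system32\swkjhpnb.dll
2007-04-24 17:16 <DIR> d-------- C:\Deckard
2007-04-19 13:23 3,968 --a------ C:\WINDOWS\system32\drivers\AvgAsCln.sys
"""

HJT_LINE = re.compile(r"^(O\d+) - (.*)$")
MISSING = re.compile(r"\((?:no file|file missing)\)")
# First path-like token ending in .dll (quotes, brackets and commas end a token).
DLL_REF = re.compile(r"([^\s\"\[\],]+\.dll)\b", re.IGNORECASE)
# "<date> <time> <size|<DIR>> <9 attribute flags> <path>"
CF_LINE = re.compile(r"^(\S+ \S+)\s+(<DIR>|[\d,]+)\s+([-a-z]{9})\s+(.+)$")
VOWELS = set("aeiou")


def random_looking(stem: str) -> bool:
    """Assumed heuristic: 5-8 lowercase letters with at most one vowel.
    True for ddccb, ssttu, hgghffc, swkjhpnb; False for NvCpl, WgaLogon, ssv."""
    return (stem.isalpha() and stem.islower() and 5 <= len(stem) <= 8
            and sum(c in VOWELS for c in stem) <= 1)


def triage_hjt(text: str) -> dict[str, list[str]]:
    """Map each suspicious HJT line to the list of reasons it was flagged."""
    findings: dict[str, list[str]] = {}
    for line in text.strip().splitlines():
        m = HJT_LINE.match(line)
        if not m:
            continue
        section, body = m.groups()
        dll = DLL_REF.search(body)
        stem = PureWindowsPath(dll.group(1)).stem if dll else ""
        reasons: list[str] = []
        if section in ("O2", "O20") and MISSING.search(body):
            reasons.append("orphaned entry: target file missing")
        if section == "O2" and "(no name)" in body and dll:
            reasons.append("unnamed BHO pointing at a DLL")
        if section == "O4" and "rundll32" in body.lower() and "system32" in body.lower():
            reasons.append("rundll32 autorun loading a DLL from system32")
        if random_looking(stem):
            reasons.append(f"random-looking filename {stem}")
        if reasons:
            findings[line] = reasons
    return findings


def triage_combofix(text: str) -> dict[str, list[str]]:
    """Map each suspicious ComboFix 'Files Created' path to its reasons."""
    findings: dict[str, list[str]] = {}
    for line in text.strip().splitlines():
        m = CF_LINE.match(line)
        if not m:
            continue
        _when, size, attrs, path = m.groups()
        p = PureWindowsPath(path)
        reasons: list[str] = []
        # hidden + system attributes on a plain file under system32 (the bccdd.* pattern)
        if size != "<DIR>" and "h" in attrs and "s" in attrs and "system32" in path.lower():
            reasons.append(f"hidden+system file in system32 ({p.suffix})")
        if random_looking(p.stem):
            reasons.append(f"random-looking filename {p.stem}")
        if reasons:
            findings[path] = reasons
    return findings


if __name__ == "__main__":
    for line, why in triage_hjt(SAMPLE_HJT).items():
        print(line, "\n    ->", "; ".join(why))
    for path, why in triage_combofix(SAMPLE_COMBOFIX).items():
        print(path, "\n    ->", "; ".join(why))
```

Run against the samples, the filter flags exactly the entries Clark76 asked to have fixed (the orphaned BHOs, the ddccb Winlogon Notify, the InfoData rundll32 autorun, bccdd.ini2 and swkjhpnb.dll) and leaves the Adobe, Symantec and WgaLogon entries alone. The name heuristic is deliberately loose; it is a prompt for a human to look closer, not a verdict, which is why the analyst still asks for the file to be submitted for inspection before anything is deleted.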
Old 04-30-2007, 10:03 AM   #8 (permalink)
Registered User
 
Join Date: Apr 2007
Location: united kingdom
Posts: 16
OS: Win XP


Re: Newby Bombarded With Spyware Pop-ups

Clark, thanks. I have gone into my AVG and I am hitting a problem: it seems the trial version I had has expired. Can you post me the link to get it again?
I have deleted it from my system altogether, so once I get the link I can re-install and carry out the rest of the instructions.

Many thanks

J T
JOHNNYMACK is offline  
Old 05-02-2007, 10:19 AM   #9 (permalink)
Manager, Security Center, TSF Academy; Analyst, Security Team
 
 
Join Date: Jan 2005
Location: Transylvania County, North Carolina, USA
Posts: 35,443
OS: 2000 Pro; XP Pro; XP Home


Re: Newby Bombarded With Spyware Pop-ups

Hi J T -

Sorry for the delay.

AVG Anti-Spyware remains a viable utility long after the trial runs out. You should have been able to use the manual updater....

Here's the setup instructions:

Download AVG Anti Spyware

Use the link at the bottom of the page under "AVG Anti-Spyware Free for Windows"

  • Install AVG Anti Spyware
  • Double-click the icon on Desktop to launch AVG
  • On the main Status screen, under Your Computer's Security, click Resident Shield
  • Click the word active to change it to inactive
  • On the top of the main screen click Update.
  • Then click on Start Update. The update will start and a progress bar will show the updates being installed.
  • Once the update has completed select the "Scanner" icon at the top of the screen, then select the "Settings" tab.
  • Once in the Settings screen click on "Recommended actions" and then select "Quarantine".
  • Under "Reports"
    • Select "Automatically generate report after every scan"
    • Un-Select "Only if threats were found"
When you have finished updating, EXIT AVG Anti Spyware. Do Not run a scan just yet, we will shortly.

---------------------------------------------------------------------------------------------

Run the scan according to Clark76's instructions in his last post.
__________________
Practice Safe Surfing
Because what you don't know, CAN hurt you.
Proud Member of ASAP since 2005
Proud Member of UNITE since 2006

Microsoft MVP - Consumer Security 2009
tetonbob is offline  
Old 05-02-2007, 10:32 AM   #10 (permalink)
Manager, Security Center, TSF Academy; Analyst, Security Team
Join Date: Jan 2005
Location: Transylvania County, North Carolina, USA
Posts: 35,443
OS: 2000 Pro; XP Pro; XP Home


Re: Newby Bombarded With Spyware Pop-ups

Note:

If you receive an error when trying to update, use this direct link to the full current updates package, download the file, and allow it to install to the same directory as the program.

http://download.ewido.net/avgas-sign...ll-current.exe
__________________
Practice Safe Surfing
Because what you don't know, CAN hurt you.
Proud Member of ASAP since 2005
Proud Member of UNITE since 2006

Microsoft MVP - Consumer Security 2009
tetonbob is offline  
Old 05-02-2007, 04:27 PM   #11 (permalink)
Registered User
 
Join Date: Apr 2007
Location: united kingdom
Posts: 16
OS: Win XP


Re: Newby Bombarded With Spyware Pop-ups

Hi there again, and thanks for the help, Teton.

Managed to get AVG again.

Followed everything to the letter and here are the scans you requested -

AVG Anti-Spyware report =

AVG Anti-Spyware - Scan Report
---------------------------------------------------------

+ Created at: 19:13:45 02/05/2007

+ Scan result:



C:\QooBox\Quarantine\C\WINDOWS\system32\hggdbaw.dll.vir -> Adware.Virtumonde : Cleaned.
C:\QooBox\Quarantine\C\WINDOWS\system32\hgghfeb.dll.vir -> Adware.Virtumonde : Cleaned.
C:\QooBox\Quarantine\C\WINDOWS\system32\ljjigeb.dll.vir -> Adware.Virtumonde : Cleaned.
C:\QooBox\Quarantine\C\WINDOWS\system32\pmnolll.dll.vir -> Adware.Virtumonde : Cleaned.
C:\QooBox\Quarantine\C\WINDOWS\system32\urqrrqo.dll.vir -> Adware.Virtumonde : Cleaned.
C:\QooBox\Quarantine\C\WINDOWS\system32\yayawts.dll.vir -> Adware.Virtumonde : Cleaned.
C:\System Volume Information\_restore{E3470C5B-CFEA-4303-B38C-EEE6BD48A644}\RP6\A0015502.dll -> Adware.Virtumonde : Cleaned.
C:\System Volume Information\_restore{E3470C5B-CFEA-4303-B38C-EEE6BD48A644}\RP6\A0015503.dll -> Adware.Virtumonde : Cleaned.
C:\System Volume Information\_restore{E3470C5B-CFEA-4303-B38C-EEE6BD48A644}\RP6\A0015504.dll -> Adware.Virtumonde : Cleaned.
C:\System Volume Information\_restore{E3470C5B-CFEA-4303-B38C-EEE6BD48A644}\RP6\A0015505.dll -> Adware.Virtumonde : Cleaned.
C:\System Volume Information\_restore{E3470C5B-CFEA-4303-B38C-EEE6BD48A644}\RP6\A0015506.dll -> Adware.Virtumonde : Cleaned.
C:\System Volume Information\_restore{E3470C5B-CFEA-4303-B38C-EEE6BD48A644}\RP6\A0015507.dll -> Adware.Virtumonde : Cleaned.
C:\Program Files\Yahoo!\YPSR\Quarantine\ppq4B2.tmp -> TrackingCookie.Atdmt : Cleaned.
C:\Program Files\Yahoo!\YPSR\Quarantine\ppq4B3.tmp -> TrackingCookie.Com : Cleaned.
C:\Program Files\Yahoo!\YPSR\Quarantine\ppq4B4.tmp -> TrackingCookie.Doubleclick : Cleaned.
C:\Program Files\Yahoo!\YPSR\Quarantine\ppq4B5.tmp -> TrackingCookie.Mediaplex : Cleaned.
C:\Program Files\Yahoo!\YPSR\Quarantine\ppq4B6.tmp -> TrackingCookie.Pointroll : Cleaned.
C:\Program Files\Yahoo!\YPSR\Quarantine\ppq4B7.tmp -> TrackingCookie.Zedo : Cleaned.


::Report end

_________________________________________________________________

Kaspersky Report =

-------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER REPORT
Wednesday, May 02, 2007 10:04:08 PM
Operating System: Microsoft Windows XP Professional, Service Pack 2 (Build 2600)
Kaspersky Online Scanner version: 5.0.83.0
Kaspersky Anti-Virus database last update: 2/05/2007
Kaspersky Anti-Virus database records: 311513
-------------------------------------------------------------------------------

Scan Settings:
Scan using the following antivirus database: extended
Scan Archives: true
Scan Mail Bases: true

Scan Target - My Computer:
A:\
C:\
D:\
E:\

Scan Statistics:
Total number of scanned objects: 44698
Number of viruses found: 5
Number of infected objects: 7 / 0
Number of suspicious objects: 0
Duration of the scan process: 01:07:26

Infected Object Name / Virus Name / Last Action
C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr0.dat Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr1.dat Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Common Client\settings.dat Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Symantec\LiveUpdate\2007-05-02_Log.ALUSchedulerSvc.LiveUpdate Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\2D2C3F9E.exe Infected: not-a-virus:AdWare.Win32.Softomate.af skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\7F683BF2.exe Infected: Trojan-Downloader.Win32.IstBar.gen skipped
C:\Documents and Settings\All Users\Application Data\Symantec\SPBBC\BBConfig.log Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Symantec\SPBBC\BBDebug.log Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Symantec\SPBBC\BBDetect.log Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Symantec\SPBBC\BBNotify.log Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Symantec\SPBBC\BBRefr.log Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Symantec\SPBBC\BBSetCfg.log Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Symantec\SPBBC\BBSetCfg2.log Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Symantec\SPBBC\BBSetDev.log Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Symantec\SPBBC\BBSetLoc.log Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Symantec\SPBBC\BBSetUsr.log Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Symantec\SPBBC\BBStHash.log Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Symantec\SPBBC\BBValid.log Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Symantec\SPBBC\SPPolicy.log Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Symantec\SPBBC\SPStart.log Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Symantec\SPBBC\SPStop.log Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Symantec\SRTSP\SrtErEvt.log Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Symantec\SRTSP\SrtETmp\7D62685B.TMP Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Symantec\SRTSP\SrtETmp\F8D2D580.TMP Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Symantec\SRTSP\SrtMoEvt.log Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Symantec\SRTSP\SrtNvEvt.log Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Symantec\SRTSP\SrtScEvt.log Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Symantec\SRTSP\SrtTxFEvt.log Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Symantec\SRTSP\SrtViEvt.log Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Symantec\SubEng\submissions.idx Object is locked skipped
C:\Documents and Settings\LocalService\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\LocalService\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\NetworkService\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\NetworkService\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\User\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\User\Desktop\Anti Virus Scanners\requested-files[2007-04-30_15_25].cab/C:/WINDOWS/system32/swkjhpnb.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.hb skipped
C:\Documents and Settings\User\Desktop\Anti Virus Scanners\requested-files[2007-04-30_15_25].cab CAB: infected - 1 skipped
C:\Documents and Settings\User\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\User\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\User\Local Settings\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\User\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\User\ntuser.dat Object is locked skipped
C:\Documents and Settings\User\ntuser.dat.LOG Object is locked skipped
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcrst.dll Object is locked skipped
C:\Program Files\Common Files\Symantec Shared\EENGINE\EPERSIST.DAT Object is locked skipped
C:\Program Files\Common Files\Symantec Shared\NFWEVT.LOG Object is locked skipped
C:\Program Files\Common Files\Symantec Shared\SNDALRT.log Object is locked skipped
C:\Program Files\Common Files\Symantec Shared\SNDCON.log Object is locked skipped
C:\Program Files\Common Files\Symantec Shared\SNDDBG.log Object is locked skipped
C:\Program Files\Common Files\Symantec Shared\SNDFW.log Object is locked skipped
C:\Program Files\Common Files\Symantec Shared\SNDIDS.log Object is locked skipped
C:\Program Files\Common Files\Symantec Shared\SNDSYS.log Object is locked skipped
C:\Program Files\Norton AntiVirus\AVApp.log Object is locked skipped
C:\Program Files\Norton AntiVirus\AVError.log Object is locked skipped
C:\Program Files\Norton AntiVirus\AVVirus.log Object is locked skipped
C:\System Volume Information\MountPointManagerRemoteDatabase Object is locked skipped
C:\System Volume Information\_restore{E3470C5B-CFEA-4303-B38C-EEE6BD48A644}\RP11\A0016124.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.hb skipped
C:\System Volume Information\_restore{E3470C5B-CFEA-4303-B38C-EEE6BD48A644}\RP12\A0016146.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.ir skipped
C:\System Volume Information\_restore{E3470C5B-CFEA-4303-B38C-EEE6BD48A644}\RP12\change.log Object is locked skipped
C:\WINDOWS\Debug\PASSWD.LOG Object is locked skipped
C:\WINDOWS\SchedLgU.Txt Object is locked skipped
C:\WINDOWS\SoftwareDistribution\ReportingEvents.log Object is locked skipped
C:\WINDOWS\Sti_Trace.log Object is locked skipped
C:\WINDOWS\system32\CatRoot2\edb.log Object is locked skipped
C:\WINDOWS\system32\CatRoot2\tmp.edb Object is locked skipped
C:\WINDOWS\system32\config\AppEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\default Object is locked skipped
C:\WINDOWS\system32\config\default.LOG Object is locked skipped
C:\WINDOWS\system32\config\SAM Object is locked skipped
C:\WINDOWS\system32\config\SAM.LOG Object is locked skipped
C:\WINDOWS\system32\config\SecEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\SECURITY Object is locked skipped
C:\WINDOWS\system32\config\SECURITY.LOG Object is locked skipped
C:\WINDOWS\system32\config\software Object is locked skipped
C:\WINDOWS\system32\config\software.LOG Object is locked skipped
C:\WINDOWS\system32\config\SysEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\system Object is locked skipped
C:\WINDOWS\system32\config\system.LOG Object is locked skipped
C:\WINDOWS\system32\dllcache\win32\csrss.exe Infected: not-a-virus:Server-FTP.Win32.Serv-U.gen skipped
C:\WINDOWS\system32\h323log.txt Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\INDEX.BTR Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\INDEX.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING.VER Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING1.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING2.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.DATA Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.MAP Object is locked skipped
C:\WINDOWS\wiadebug.log Object is locked skipped
C:\WINDOWS\wiaservc.log Object is locked skipped
C:\WINDOWS\WindowsUpdate.log Object is locked skipped

Scan process completed.

--------------------------------------------------------------------------

DSS Main Text =

Deckard's System Scanner v20070426.43
Run by User on 2007-05-02 at 22:10:35
Computer is in Normal Mode.
--------------------------------------------------------------------------------

-- System Restore --------------------------------------------------------------

Successfully created a Deckard's System Scanner Restore Point.


-- Last 5 Restore Point(s) --
8: 2007-05-02 21:10:49 UTC - RP13 - Deckard's System Scanner Restore Point
7: 2007-05-02 16:19:59 UTC - RP12 - Removed J2SE Runtime Environment 5.0 Update 3
6: 2007-05-01 18:47:06 UTC - RP11 - System Checkpoint
5: 2007-04-30 17:47:25 UTC - RP10 - Installed AVG 7.5
4: 2007-04-30 17:46:23 UTC - RP9 - Removed AVG 7.5


-- First Restore Point --
1: 2007-04-28 10:46:42 UTC - RP6 - System Checkpoint


Performed disk cleanup.


-- HijackThis (run as User.exe) ------------------------------------------------

Logfile of HijackThis v1.99.1
Scan saved at 22:12:18, on 02/05/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Ahead\InCD\InCDsrv.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
C:\Program Files\Ahead\InCD\InCD.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Thomson\SpeedTouch USB\Dragdiag.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Java\jre1.5.0_11\bin\jusched.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\PROGRA~1\NORTON~1\NORTON~1\SPEEDD~1\NOPDB.EXE
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\Program Files\Common Files\Symantec Shared\AppCore\AppSvc32.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\internet explorer\iexplore.exe
C:\Documents and Settings\User\Desktop\dss.exe
C:\PROGRA~1\HIJACK~1\User.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://uk.yahoo.com/
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_11\bin\ssv.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [InCD] C:\Program Files\Ahead\InCD\InCD.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [SpeedTouch USB Diagnostics] "C:\Program Files\Thomson\SpeedTouch USB\Dragdiag.exe" /icon
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [osCheck] "C:\Program Files\Norton AntiVirus\osCheck.exe"
O4 - HKLM\..\Run: [Symantec PIF AlertEng] "C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe" /a /m "C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\AlertEng.dll"
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_11\bin\jusched.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [NBJ] "C:\Program Files\Ahead\Nero BackItUp\NBJ.exe"
O4 - HKCU\..\Run: [updateMgr] "C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" AcRdB7_0_8 -reboot 1
O4 - Startup: SpywareGuard.lnk = C:\Program Files\SpywareGuard\sgmain.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar2.dll/cmsearch.html
O8 - Extra context menu item: &Translate English Word - res://c:\program files\google\GoogleToolbar2.dll/cmwordtrans.html
O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar2.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar2.dll/cmcache.html
O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar2.dll/cmsimilar.html
O8 - Extra context menu item: Translate Page into English - res://c:\program files\google\GoogleToolbar2.dll/cmtrans.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_11\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_11\bin\ssv.dll
O9 - Extra button: Express Cleanup - {5E638779-1818-4754-A595-EF1C63B87A56} - C:\Program Files\Norton SystemWorks\Norton Cleanup\WCQuick.lnk
O9 - Extra 'Tools' menuitem: Express Cleanup - {5E638779-1818-4754-A595-EF1C63B87A56} - C:\Program Files\Norton SystemWorks\Norton Cleanup\WCQuick.lnk
O9 - Extra button: EmpirePoker - {77E68763-4284-41d6-B7E7-B6E1F053A9E7} - C:\Program Files\EmpirePokerMaster\EmpirePoker\RunEPoker.exe
O9 - Extra 'Tools' menuitem: EmpirePoker - {77E68763-4284-41d6-B7E7-B6E1F053A9E7} - C:\Program Files\EmpirePokerMaster\EmpirePoker\RunEPoker.exe
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O9 - Extra button: PacificPoker - {94EDF7B4-4272-4af3-8F8B-4E2F68E225B7} - C:\PROGRA~1\PACIFI~1\pacificpoker.exe
O9 - Extra button: Calorie-Count.com Toolbar - {B7D3E479-CC68-42B5-A338-938ECE35F419} - (no file)
O9 - Extra 'Tools' menuitem: Calorie-Count.com Toolbar - {B7D3E479-CC68-42B5-A338-938ECE35F419} - (no file)
O9 - Extra button: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyGaming\PartyPoker\RunApp.exe
O9 - Extra 'Tools' menuitem: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyGaming\PartyPoker\RunApp.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {05CA9FB0-3E3E-4B36-BF41-0E3A5CAA8CD8} (Office Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=67633
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/eng/par...an_unicode.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {20A60F0D-9AFA-4515-A0FD-83BD84642501} (Checkers Class) - http://messenger.zone.msn.com/binary...r.cab56986.cab
O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - http://us.dl1.yimg.com/download.yaho...st20040510.cab
O16 - DPF: {5D6F45B3-9043-443D-A792-115447494D24} (UnoCtrl Class) - http://messenger.zone.msn.com/EN-GB/.../GAME_UNO1.cab
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitdefender.com/reso...an8/oscan8.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/microsof...?1151879318531
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/S.../bin/cabsa.cab
O16 - DPF: {6A344D34-5231-452A-8A57-D064AC9B7862} (Symantec Download Manager) - https://webdl.symantec.com/activex/symdlmgr.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsof...?1151879295750
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/actives...ree/asinst.cab
O16 - DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary...t.cab56907.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{378DAB05-8789-4F9B-A642-101CA7712A12}: NameServer = 62.24.252.135 62.24.252.134
O17 - HKLM\System\CS2\Services\Tcpip\..\{378DAB05-8789-4F9B-A642-101CA7712A12}: NameServer = 62.24.252.135 62.24.252.134
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Unknown owner - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe" /h ccCommon (file missing)
O23 - Service: Symantec Settings Manager (ccSetMgr) - Unknown owner - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe" /h ccCommon (file missing)
O23 - Service: Symantec Lic NetConnect service (CLTNetCnService) - Unknown owner - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe" /h ccCommon (file missing)
O23 - Service: Firebird Guardian - DefaultInstance (FirebirdGuardianDefaultInstance) - Unknown owner - C:\Program Files\Firebird\Firebird_1_5\bin\fbguard.exe (file missing)
O23 - Service: Firebird Server - DefaultInstance (FirebirdServerDefaultInstance) - Unknown owner - C:\Program Files\Firebird\Firebird_1_5\bin\fbserver.exe (file missing)
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: InCD Helper (InCDsrv) - Nero AG - C:\Program Files\Ahead\InCD\InCDsrv.exe
O23 - Service: iPod Service - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Symantec IS Password Validation (ISPwdSvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\isPwdSvc.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: LiveUpdate Notice Service Ex (LiveUpdate Notice Ex) - Unknown owner - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe" /h ccCommon (file missing)
O23 - Service: LiveUpdate Notice Service - Unknown owner - C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe" /m "C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PifEng.dll (file missing)
O23 - Service: Norton UnErase Protection (NProtectService) - Symantec Corporation - C:\PROGRA~1\NORTON~1\NORTON~1\NPROTECT.EXE
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: Speed Disk service - Symantec Corporation - C:\PROGRA~1\NORTON~1\NORTON~1\SPEEDD~1\NOPDB.EXE
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: Symantec AppCore Service (SymAppCore) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\AppCore\AppSvc32.exe


-- HijackThis Fixed Entries (C:\PROGRA~1\HIJACK~1\backups\) --------------------

backup-20070502-175717-378 O20 - Winlogon Notify: hgghffc - hgghffc.dll (file missing)
backup-20070502-175717-526 O2 - BHO: (no name) - {6C679AA8-2AA7-46A9-BEA7-52E8F46CF21C} - C:\WINDOWS\system32\ddccb.dll (file missing)
backup-20070502-175717-558 O2 - BHO: XBTP00788 - {F4674901-44F3-436d-A4E6-B1849CFFA72E} - (no file)
backup-20070502-175717-693 O20 - Winlogon Notify: ddccb - C:\WINDOWS\system32\ddccb.dll (file missing)
backup-20070502-175717-736 O2 - BHO: (no name) - {D651AFF4-9590-424d-BD1E-8E33E090DFB3} - C:\WINDOWS\system32\uipnaitx.dll (file missing)
backup-20070502-175717-746 O2 - BHO: (no name) - {308385CC-A3C9-4840-876A-A09D8361E824} - (no file)
backup-20070502-175717-825 O2 - BHO: (no name) - {F6F8094A-7159-400E-9BA3-0BA01D206126} - (no file)
backup-20070502-175717-921 O2 - BHO: (no name) - {7E7CF20E-AAC3-4698-91F3-4CE05D055AAd} - (no file)
backup-20070502-175717-945 O20 - Winlogon Notify: ssttu - C:\WINDOWS\System32\ssttu.dll (file missing)
backup-20070502-175717-954 O2 - BHO: (no name) - {23E381E5-8478-41AF-A278-F6C212F45F9C} - (no file)

-- File Associations -----------------------------------------------------------

All associations okay.


-- Drivers: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled ---------------------

S2 BCMNTIO - c:\progra~1\checkit\diagno~1\bcmntio.sys (file missing)
S2 MAPMEM - c:\progra~1\checkit\diagno~1\mapmem.sys (file missing)
S3 AmeAtmPc - c:\windows\system32\drivers\ameatmpc.sys (file missing)
S3 DCamUSBSQTECH (Dual-Mode DSC(2770)) - c:\windows\system32\drivers\sqcaptur.sys <Not Verified; Service & Quality Technology.; SQ913>
S3 FXDRV - d:\fxdrv.sys (file missing)
S3 Pcouffin (Low level access layer for CD devices) - c:\windows\system32\drivers\pcouffin.sys (file missing)
S3 SDdriver - c:\windows\system32\drivers\sddriver.sys <Not Verified; Symantec Corporation; Norton Speed Disk>
S3 usbsermpt (Motorola USB Modem Driver for MPT) - c:\windows\system32\drivers\usbsermpt.sys <Not Verified; Microsoft Corporation; Microsoft(R) Windows (R) 2000 Operating System>
S3 zlportio (ZLPORTIO - Allow user access to I/O ports) - c:\windows\system32\zlportio.sys <Not Verified; SpecoSoft; SpecoSoft zlportio>


-- Services: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled --------------------

R2 Speed Disk service - c:\progra~1\norton~1\norton~1\speedd~1\nopdb.exe <Not Verified; Symantec Corporation; Norton Speed Disk>

S2 FirebirdGuardianDefaultInstance (Firebird Guardian - DefaultInstance) - c:\program files\firebird\firebird_1_5\bin\fbguard.exe -s (file missing)
S3 FirebirdServerDefaultInstance (Firebird Server - DefaultInstance) - c:\program files\firebird\firebird_1_5\bin\fbserver.exe -s (file missing)


-- Scheduled Tasks -------------------------------------------------------------

2007-04-27 20:00:49 528 --a------ C:\WINDOWS\Tasks\Norton AntiVirus - Run Full System Scan - User.job
2007-04-16 12:08:51 290 --a------ C:\WINDOWS\Tasks\Norton SystemWorks One Button Checkup.job


-- Files created between 2007-04-02 and 2007-05-02 -----------------------------

2007-05-02 19:50:42 0 d-------- C:\WINDOWS\system32\Kaspersky Lab
2007-05-02 19:50:40 0 d-------- C:\WINDOWS\LastGood
2007-04-30 16:57:02 0 d-------- C:\Documents and Settings\User\Application Data\AVG7
2007-04-30 16:56:46 0 d-------- C:\Documents and Settings\LocalService\Application Data\AVG7
2007-04-30 16:55:49 0 d-------- C:\Documents and Settings\All Users\Application Data\avg7
2007-04-27 22:52:16 784821 --ahs---- C:\WINDOWS\system32\bccdd.ini2
2007-04-24 17:03:58 0 d-------- C:\ie-spyad
2007-04-24 17:01:37 536811 --a------ C:\ie-spyad.exe
2007-04-24 16:54:10 0 d-------- C:\Program Files\SpywareGuard
2007-04-24 16:44:33 0 d-------- C:\Program Files\SpywareBlaster
2007-04-23 18:04:41 0 d-------- C:\WINDOWS\BDOSCAN8
2007-04-23 17:52:28 0 d-------- C:\WINDOWS\system32\ActiveScan
2007-04-22 15:39:22 0 d-------- C:\Documents and Settings\User\Application Data\Lavasoft
2007-04-22 15:38:46 0 d-------- C:\Program Files\Lavasoft
2007-04-20 19:38:14 787089 --ahs---- C:\WINDOWS\system32\bccdd.bak2
2007-04-19 21:18:13 0 d-------- C:\Documents and Settings\User\Application Data\Microgaming
2007-04-19 21:18:00 0 d-------- C:\WINDOWS\system32\FlashAX
2007-04-19 19:38:03 786677 --ahs---- C:\WINDOWS\system32\bccdd.bak1
2007-04-19 14:52:44 0 d-------- C:\VundoFix Backups
2007-04-18 17:15:55 0 d-------- C:\kav
2007-04-18 14:26:22 0 d--h----- C:\Documents and Settings\Administrator\Templates
2007-04-18 14:26:22 0 dr------- C:\Documents and Settings\Administrator\Start Menu
2007-04-18 14:26:22 0 dr-h----- C:\Documents and Settings\Administrator\SendTo
2007-04-18 14:26:22 0 d--h----- C:\Documents and Settings\Administrator\Recent
2007-04-18 14:26:22 0 d--h----- C:\Documents and Settings\Administrator\PrintHood
2007-04-18 14:26:22 364544 --a------ C:\Documents and Settings\Administrator\NTUSER.DAT
2007-04-18 14:26:22 0 d--h----- C:\Documents and Settings\Administrator\NetHood
2007-04-18 14:26:22 0 d-------- C:\Documents and Settings\Administrator\My Documents
2007-04-18 14:26:22 0 d--h----- C:\Documents and Settings\Administrator\Local Settings
2007-04-18 14:26:22 0 d-------- C:\Documents and Settings\Administrator\Favorites
2007-04-18 14:26:22 0 d-------- C:\Documents and Settings\Administrator\Desktop
2007-04-18 14:26:22 0 d---s---- C:\Documents and Settings\Administrator\Cookies
2007-04-18 14:26:22 0 dr-h----- C:\Documents and Settings\Administrator\Application Data
2007-04-18 14:26:22 0 d---s---- C:\Documents and Settings\Administrator\Application Data\Microsoft
2007-04-18 11:18:08 0 d-------- C:\Program Files\Enigma Software Group
2007-04-17 17:24:35 0 d-------- C:\WINDOWS\Prefetch
2007-04-16 14:24:22 0 d-------- C:\Program Files\Motorola Phone Tools
2007-04-15 15:00:31 8126464 --a------ C:\Documents and Settings\User\ntuser.dat
2007-04-12 21:48:17 0 d-------- C:\WINDOWS\pss
2007-04-11 15:41:35 0 d-------- C:\Program Files\PartyGaming
2007-04-10 17:50:54 0 d-------- C:\Program Files\Poker Indicator
2007-04-10 13:17:42 0 d-------- C:\Program Files\pokerkant
2007-04-07 19:27:32 0 d-------- C:\Program Files\Poker Pal Pro Edition
2007-04-06 19:29:42 0 d-------- C:\Program Files\Poker-Spy
2007-04-03 16:24:35 0 d-------- C:\Program Files\EmpirePokerMaster
2007-04-03 09:47:53 0 d-------- C:\Documents and Settings\All Users\Application Data\Office Genuine Advantage
2007-04-02 22:57:20 0 d-------- C:\Program Files\Magic Holdem
2007-04-02 19:32:29 0 d-------- C:\Program Files\Norton AntiVirus
2007-04-02 19:28:36 0 d-------- C:\Program Files\Norton SystemWorks
2007-04-02 14:46:19 0 d-------- C:\Documents and Settings\All Users\Symantec Temporary Files


-- Find3M Report ---------------------------------------------------------------

2007-05-02 19:57:47 0 d-------- C:\Program Files\PacificPoker
2007-05-01 07:20:41 0 d-------- C:\Program Files\Common Files\Symantec Shared
2007-04-28 14:49:41 0 d-------- C:\Documents and Settings\User\Application Data\uTorrent
2007-04-24 16:09:26 0 d-------- C:\Program Files\Messenger
2007-04-24 1634 0 d-------- C:\Program Files\iTunes
2007-04-24 16:05:55 0 d-------- C:\Program Files\Google
2007-04-22 15:37:43 0 d-------- C:\Program Files\Common Files\Wise Installation Wizard
2007-04-20 00:44:14 0 d-------- C:\Program Files\MSN Messenger
2007-04-19 14:40:04 0 d-------- C:\Program Files\Calorie-Count.com Toolbar
2007-04-16 14:24:22 0 d--h----- C:\Program Files\InstallShield Installation Information
2007-04-07 19:24:17 0 d-------- C:\Program Files\CyberLink
2007-04-02 22:49:18 0 d-------- C:\Program Files\Google Toolbar
2007-04-02 22:13:22 0 d-------- C:\Program Files\Symantec
2007-04-02 18:15:10 0 d-------- C:\Documents and Settings\User\Application Data\Symantec
2007-03-21 09:51:22 0 d-------- C:\Program Files\Java
2007-03-15 15:34:57 0 d-------- C:\Program Files\Thomson
2007-03-12 17:30:45 0 d-------- C:\Program Files\Motorola Phone Tools(2)
2007-03-12 17:30:37 0 d-------- C:\Program Files\LiveUpdate
2007-03-12 17:30:14 0 d-------- C:\Program Files\Motorola Phone Tools(2)(2)
2007-03-12 17:28:46 0 d-------- C:\Program Files\Motorola Phone Tools(3)
2007-03-03 17:18:03 0 d-------- C:\Documents and Settings\User\Application Data\Ahead
2007-02-27 11:00:13 0 --a------ C:\WINDOWS\USA Poker
2007-02-27 11:00:13 0 --a------ C:\WINDOWS\Titan Poker
2007-02-27 11:00:13 0 --a------ C:\WINDOWS\Prestige Poker
2007-02-27 11:00:13 0 --a------ C:\WINDOWS\Poker.com
2007-02-27 11:00:13 0 --a------ C:\WINDOWS\Noble Poker
2007-02-27 11:00:13 0 --a------ C:\WINDOWS\CDPoker
2007-02-09 18:22:24 8022 --ahs---- C:\WINDOWS\system32\uttss.ini2


-- Registry Dump ---------------------------------------------------------------

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects]
{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
{761497BB-D6F0-462C-B6EB-D4DAF1D92D43} C:\Program Files\Java\jre1.5.0_11\bin\ssv.dll
{AA58ED58-01DD-4d91-8333-CF10577473F7} c:\program files\google\googletoolbar2.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run]
"NeroFilterCheck"="C:\\WINDOWS\\system32\\NeroCheck.exe"
"NvCplDaemon"="RUNDLL32.EXE C:\\WINDOWS\\System32\\NvCpl.dll,NvStartup"
"nwiz"="nwiz.exe /install"
"NvMediaCenter"="RUNDLL32.EXE C:\\WINDOWS\\System32\\NvMcTray.dll,NvTaskbarInit"
"SoundMan"="SOUNDMAN.EXE"
"InCD"="C:\\Program Files\\Ahead\\InCD\\InCD.exe"
"QuickTime Task"="\"C:\\Program Files\\QuickTime\\qttask.exe\" -atboottime"
"iTunesHelper"="\"C:\\Program Files\\iTunes\\iTunesHelper.exe\""
"SpeedTouch USB Diagnostics"="\"C:\\Program Files\\Thomson\\SpeedTouch USB\\Dragdiag.exe\" /icon"
"ccApp"="\"C:\\Program Files\\Common Files\\Symantec Shared\\ccApp.exe\""
"osCheck"="\"C:\\Program Files\\Norton AntiVirus\\osCheck.exe\""
"Symantec PIF AlertEng"="\"C:\\Program Files\\Common Files\\Symantec Shared\\PIF\\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\\PIFSvc.exe\" /a /m \"C:\\Program Files\\Common Files\\Symantec Shared\\PIF\\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\\AlertEng.dll\""
"!AVG Anti-Spyware"="\"C:\\Program Files\\Grisoft\\AVG Anti-Spyware 7.5\\avgas.exe\" /minimized"
"SunJavaUpdateSched"="C:\\Program Files\\Java\\jre1.5.0_11\\bin\\jusched.exe"

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run]
"MSMSGS"="\"C:\\Program Files\\Messenger\\msmsgs.exe\" /background"
"NBJ"="\"C:\\Program Files\\Ahead\\Nero BackItUp\\NBJ.exe\""
"updateMgr"="\"C:\\Program Files\\Adobe\\Acrobat 7.0\\Reader\\AdobeUpdateManager.exe\" AcRdB7_0_8 -reboot 1"

[HKEY_USERS\.default\software\microsoft\windows\currentversion\run]
"CTFMON.EXE"="C:\\WINDOWS\\System32\\CTFMON.EXE"

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]
"DisableRegistryTools"=dword:00000000

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"NoViewOnDrive"=dword:00000000

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer\Run]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{57B86673-276A-48B2-BAE7-C6DBB3020EB8}"="AVG Anti-Spyware 7.5"

HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa
Authentication Packages REG_MULTI_SZ msv1_0\0\0
Security Packages REG_MULTI_SZ kerberos\0msv1_0\0schannel\0wdigest\0\0
Notification Packages REG_MULTI_SZ scecli\0\0


[HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Svchost]
LocalService REG_MULTI_SZ Alerter\0WebClient\0LmHosts\0RemoteRegistry\0upnphost\0SSDPSRV\0\0
NetworkService REG_MULTI_SZ DnsCache\0\0
rpcss REG_MULTI_SZ RpcSs\0\0
imgsvc REG_MULTI_SZ StiSvc\0\0
termsvcs REG_MULTI_SZ TermService\0\0
HTTPFilter REG_MULTI_SZ HTTPFilter\0\0
DcomLaunch REG_MULTI_SZ DcomLaunch\0TermService\0\0



End of Deckard's System Scanner: finished at 2007-05-02 at 22:13:03

--------------------------------------------------------------------------


System does seem to be running a lot better but still freezes occasionally.
Thanks for everything so far.

Awaiting further.

J.T.
JOHNNYMACK is offline  
Old 05-04-2007, 10:46 AM   #12 (permalink)
Analyst, Security Team ; Rangemaster, TSF Academy
 
Clark76's Avatar
 
Join Date: Jun 2006
Location: Cleveland, Ohio
Posts: 1,673
OS: XP Pro, Vista, Ubuntu 8.10


Re: Newby Bombarded With Spyware Pop-ups

I am sorry not to have responded sooner. For some reason my email notification is not working for your thread.

============================================

Delete the following Files indicated in RED and Folders indicated in BLUE if they still exist.

C:\QooBox
C:\Documents and Settings\User\Desktop\Anti Virus Scanners\requested-files[2007-04-30_15_25].cab
C:\WINDOWS\system32\dllcache\win32\csrss.exe
C:\WINDOWS\system32\bccdd.ini2
C:\WINDOWS\system32\bccdd.bak2
C:\WINDOWS\system32\bccdd.bak1
C:\WINDOWS\system32\uttss.ini2


If any of the files resist deletion then reboot into safe mode to delete them. Then reboot into normal mode.

=============================================

Please take a look in this folder C:\WINDOWS\system32\dllcache\win32 and tell me if there are any files or folders in there. If there are any then please list them.

==============================================

Next, I need you to empty your Norton AntiVirus Quarantine within Norton.

=============================================

Run Deckard's System Scanner (DSS) again
  1. Close all applications and windows.
  2. Double-click on DSS.exe to run it, and follow the prompts.
  3. When the scan is complete, one text file will open - main.txt
  4. Copy (Ctrl+A then Ctrl+C) and paste (Ctrl+V) the contents of main.txt in your reply.

Also include an update on how your system is running.
__________________
Proud Member of ASAP
Proud Member of UNITE

If you feel we've helped you, Please Donate to the Forum
Clark76 is offline  
Old 05-05-2007, 04:52 AM   #13 (permalink)
Registered User
 
Join Date: Apr 2007
Location: united kingdom
Posts: 16
OS: Win XP


Re: Newby Bombarded With Spyware Pop-ups

Clark,

Many thanks for the reply.

I will work through your instructions and reply to them methodically, probably the best way.

1) C:\QooBox folder ------------- found and deleted.

2) C:\Documents and Settings\User\Desktop\Anti Virus Scanners\requested-files[2007-04-30_15_25].cab ------------- found and deleted.

3) C:\WINDOWS\system32\dllcache\win32\csrss.exe

This is where things get strange: when I manually go into my C drive, then Windows, then system32, there is no dllcache folder or file.
I can find C, then I can find Windows, then I can find system32, but there is no dllcache in the folder.
I have run a search on csrss.exe and there is a file in the
C:\WINDOWS\system32 folder (C:\WINDOWS\system32\csrss.exe), but that is the only place I can find it.

Also I have searched for the files -

C:\WINDOWS\system32\bccdd.ini2
C:\WINDOWS\system32\bccdd.bak2
C:\WINDOWS\system32\bccdd.bak1
C:\WINDOWS\system32\uttss.ini2

and there is no trace of them.


4) As previously stated there is no folder C:\WINDOWS\system32\dllcache\win32.

5) Norton Anti-Virus Quarantine emptied.

6) Stand by, about to run DSS again ............................
JOHNNYMACK is offline  
Old 05-05-2007, 05:28 AM   #14 (permalink)
Registered User
 
Join Date: Apr 2007
Location: united kingdom
Posts: 16
OS: Win XP


Re: Newby Bombarded With Spyware Pop-ups

DSS SCAN as requested -

Deckard's System Scanner v20070426.43
Run by User on 2007-05-05 at 11:53:28
Computer is in Normal Mode.
--------------------------------------------------------------------------------



-- HijackThis (run as User.exe) ------------------------------------------------

Logfile of HijackThis v1.99.1
Scan saved at 11:54:50, on 05/05/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Ahead\InCD\InCDsrv.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
C:\PROGRA~1\NORTON~1\NORTON~1\NPROTECT.EXE
C:\Program Files\Ahead\InCD\InCD.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\PROGRA~1\NORTON~1\NORTON~1\SPEEDD~1\NOPDB.EXE
C:\Program Files\Thomson\SpeedTouch USB\Dragdiag.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\Program Files\Java\jre1.5.0_11\bin\jusched.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Common Files\Symantec Shared\AppCore\AppSvc32.exe
C:\Program Files\SpywareGuard\sgmain.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\User\Desktop\Anti Virus Scanners\dss.exe
C:\PROGRA~1\HIJACK~1\User.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://uk.yahoo.com/
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_11\bin\ssv.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [InCD] C:\Program Files\Ahead\InCD\InCD.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [SpeedTouch USB Diagnostics] "C:\Program Files\Thomson\SpeedTouch USB\Dragdiag.exe" /icon
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [osCheck] "C:\Program Files\Norton AntiVirus\osCheck.exe"
O4 - HKLM\..\Run: [Symantec PIF AlertEng] "C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe" /a /m "C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\AlertEng.dll"
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_11\bin\jusched.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [NBJ] "C:\Program Files\Ahead\Nero BackItUp\NBJ.exe"
O4 - HKCU\..\Run: [updateMgr] "C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" AcRdB7_0_8 -reboot 1
O4 - Startup: SpywareGuard.lnk = C:\Program Files\SpywareGuard\sgmain.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar2.dll/cmsearch.html
O8 - Extra context menu item: &Translate English Word - res://c:\program files\google\GoogleToolbar2.dll/cmwordtrans.html
O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar2.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar2.dll/cmcache.html
O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar2.dll/cmsimilar.html
O8 - Extra context menu item: Translate Page into English - res://c:\program files\google\GoogleToolbar2.dll/cmtrans.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_11\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_11\bin\ssv.dll
O9 - Extra button: Express Cleanup - {5E638779-1818-4754-A595-EF1C63B87A56} - C:\Program Files\Norton SystemWorks\Norton Cleanup\WCQuick.lnk
O9 - Extra 'Tools' menuitem: Express Cleanup - {5E638779-1818-4754-A595-EF1C63B87A56} - C:\Program Files\Norton SystemWorks\Norton Cleanup\WCQuick.lnk
O9 - Extra button: EmpirePoker - {77E68763-4284-41d6-B7E7-B6E1F053A9E7} - C:\Program Files\EmpirePokerMaster\EmpirePoker\RunEPoker.exe
O9 - Extra 'Tools' menuitem: EmpirePoker - {77E68763-4284-41d6-B7E7-B6E1F053A9E7} - C:\Program Files\EmpirePokerMaster\EmpirePoker\RunEPoker.exe
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O9 - Extra button: PacificPoker - {94EDF7B4-4272-4af3-8F8B-4E2F68E225B7} - C:\PROGRA~1\PACIFI~1\pacificpoker.exe
O9 - Extra button: Calorie-Count.com Toolbar - {B7D3E479-CC68-42B5-A338-938ECE35F419} - (no file)
O9 - Extra 'Tools' menuitem: Calorie-Count.com Toolbar - {B7D3E479-CC68-42B5-A338-938ECE35F419} - (no file)
O9 - Extra button: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyGaming\PartyPoker\RunApp.exe
O9 - Extra 'Tools' menuitem: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyGaming\PartyPoker\RunApp.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {05CA9FB0-3E3E-4B36-BF41-0E3A5CAA8CD8} (Office Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=67633
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/eng/par...an_unicode.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {20A60F0D-9AFA-4515-A0FD-83BD84642501} (Checkers Class) - http://messenger.zone.msn.com/binary...r.cab56986.cab
O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - http://us.dl1.yimg.com/download.yaho...st20040510.cab
O16 - DPF: {5D6F45B3-9043-443D-A792-115447494D24} (UnoCtrl Class) - http://messenger.zone.msn.com/EN-GB/.../GAME_UNO1.cab
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitdefender.com/reso...an8/oscan8.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/microsof...?1151879318531
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/S.../bin/cabsa.cab
O16 - DPF: {6A344D34-5231-452A-8A57-D064AC9B7862} (Symantec Download Manager) - https://webdl.symantec.com/activex/symdlmgr.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsof...?1151879295750
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/actives...ree/asinst.cab
O16 - DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary...t.cab56907.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{378DAB05-8789-4F9B-A642-101CA7712A12}: NameServer = 62.24.222.134 62.24.222.135
O17 - HKLM\System\CS2\Services\Tcpip\..\{378DAB05-8789-4F9B-A642-101CA7712A12}: NameServer = 62.24.222.134 62.24.222.135
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Unknown owner - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe" /h ccCommon (file missing)
O23 - Service: Symantec Settings Manager (ccSetMgr) - Unknown owner - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe" /h ccCommon (file missing)
O23 - Service: Symantec Lic NetConnect service (CLTNetCnService) - Unknown owner - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe" /h ccCommon (file missing)
O23 - Service: Firebird Guardian - DefaultInstance (FirebirdGuardianDefaultInstance) - Unknown owner - C:\Program Files\Firebird\Firebird_1_5\bin\fbguard.exe (file missing)
O23 - Service: Firebird Server - DefaultInstance (FirebirdServerDefaultInstance) - Unknown owner - C:\Program Files\Firebird\Firebird_1_5\bin\fbserver.exe (file missing)
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: InCD Helper (InCDsrv) - Nero AG - C:\Program Files\Ahead\InCD\InCDsrv.exe
O23 - Service: iPod Service - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Symantec IS Password Validation (ISPwdSvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\isPwdSvc.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: LiveUpdate Notice Service Ex (LiveUpdate Notice Ex) - Unknown owner - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe" /h ccCommon (file missing)
O23 - Service: LiveUpdate Notice Service - Unknown owner - C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe" /m "C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PifEng.dll (file missing)
O23 - Service: Norton UnErase Protection (NProtectService) - Symantec Corporation - C:\PROGRA~1\NORTON~1\NORTON~1\NPROTECT.EXE
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: Speed Disk service - Symantec Corporation - C:\PROGRA~1\NORTON~1\NORTON~1\SPEEDD~1\NOPDB.EXE
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: Symantec AppCore Service (SymAppCore) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\AppCore\AppSvc32.exe


-- Files created between 2007-04-05 and 2007-05-05 -----------------------------

2007-05-02 19:50:42 0 d-------- C:\WINDOWS\system32\Kaspersky Lab
2007-04-30 16:57:02 0 d-------- C:\Documents and Settings\User\Application Data\AVG7
2007-04-30 16:56:46 0 d-------- C:\Documents and Settings\LocalService\Application Data\AVG7
2007-04-30 16:55:49 0 d-------- C:\Documents and Settings\All Users\Application Data\avg7
2007-04-27 22:52:16 784821 --ahs---- C:\WINDOWS\system32\bccdd.ini2
2007-04-24 17:03:58 0 d-------- C:\ie-spyad
2007-04-24 17:01:37 536811 --a------ C:\ie-spyad.exe
2007-04-24 16:54:10 0 d-------- C:\Program Files\SpywareGuard
2007-04-24 16:44:33 0 d-------- C:\Program Files\SpywareBlaster
2007-04-23 18:04:41 0 d-------- C:\WINDOWS\BDOSCAN8
2007-04-23 17:52:28 0 d-------- C:\WINDOWS\system32\ActiveScan
2007-04-22 15:39:22 0 d-------- C:\Documents and Settings\User\Application Data\Lavasoft
2007-04-22 15:38:46 0 d-------- C:\Program Files\Lavasoft
2007-04-20 19:38:14 787089 --ahs---- C:\WINDOWS\system32\bccdd.bak2
2007-04-19 21:18:13 0 d-------- C:\Documents and Settings\User\Application Data\Microgaming
2007-04-19 21:18:00 0 d-------- C:\WINDOWS\system32\FlashAX
2007-04-19 19:38:03 786677 --ahs---- C:\WINDOWS\system32\bccdd.bak1
2007-04-19 14:52:44 0 d-------- C:\VundoFix Backups
2007-04-18 17:15:55 0 d-------- C:\kav
2007-04-18 14:26:22 0 d--h----- C:\Documents and Settings\Administrator\Templates
2007-04-18 14:26:22 0 dr------- C:\Documents and Settings\Administrator\Start Menu
2007-04-18 14:26:22 0 dr-h----- C:\Documents and Settings\Administrator\SendTo
2007-04-18 14:26:22 0 d--h----- C:\Documents and Settings\Administrator\Recent
2007-04-18 14:26:22 0 d--h----- C:\Documents and Settings\Administrator\PrintHood
2007-04-18 14:26:22 364544 --a------ C:\Documents and Settings\Administrator\NTUSER.DAT
2007-04-18 14:26:22 0 d--h----- C:\Documents and Settings\Administrator\NetHood
2007-04-18 14:26:22 0 d-------- C:\Documents and Settings\Administrator\My Documents
2007-04-18 14:26:22 0 d--h----- C:\Documents and Settings\Administrator\Local Settings
2007-04-18 14:26:22 0 d-------- C:\Documents and Settings\Administrator\Favorites
2007-04-18 14:26:22 0 d-------- C:\Documents and Settings\Administrator\Desktop
2007-04-18 14:26:22 0 d---s---- C:\Documents and Settings\Administrator\Cookies
2007-04-18 14:26:22 0 dr-h----- C:\Documents and Settings\Administrator\Application Data
2007-04-18 14:26:22 0 d---s---- C:\Documents and Settings\Administrator\Application Data\Microsoft
2007-04-18 11:18:08 0 d-------- C:\Program Files\Enigma Software Group
2007-04-17 17:24:35 0 d-------- C:\WINDOWS\Prefetch
2007-04-16 14:24:22 0 d-------- C:\Program Files\Motorola Phone Tools
2007-04-15 15:00:31 8126464 --a------ C:\Documents and Settings\User\ntuser.dat
2007-04-12 21:48:17 0 d-------- C:\WINDOWS\pss
2007-04-11 15:41:35 0 d-------- C:\Program Files\PartyGaming
2007-04-10 17:50:54 0 d-------- C:\Program Files\Poker Indicator
2007-04-10 13:17:42 0 d-------- C:\Program Files\pokerkant
2007-04-07 19:27:32 0 d-------- C:\Program Files\Poker Pal Pro Edition
2007-04-06 19:29:42 0 d-------- C:\Program Files\Poker-Spy


-- Find3M Report ---------------------------------------------------------------

2007-05-04 22:21:41 0 d-------- C:\Program Files\PacificPoker
2007-05-01 07:20:41 0 d-------- C:\Program Files\Common Files\Symantec Shared
2007-04-28 14:49:41 0 d-------- C:\Documents and Settings\User\Application Data\uTorrent
2007-04-24 18:39:50 0 d-------- C:\Program Files\EmpirePokerMaster
2007-04-24 16:15:02 0 d-------- C:\Program Files\Norton SystemWorks
2007-04-24 16:14:52 0 d-------- C:\Program Files\Norton AntiVirus
2007-04-24 16:09:26 0 d-------- C:\Program Files\Messenger
2007-04-24 1634 0 d-------- C:\Program Files\iTunes
2007-04-24 16:05:55 0 d-------- C:\Program Files\Google
2007-04-22 15:37:43 0 d-------- C:\Program Files\Common Files\Wise Installation Wizard
2007-04-20 00:44:14 0 d-------- C:\Program Files\MSN Messenger
2007-04-19 14:40:04 0 d-------- C:\Program Files\Calorie-Count.com Toolbar
2007-04-16 14:24:22 0 d--h----- C:\Program Files\InstallShield Installation Information
2007-04-07 19:24:17 0 d-------- C:\Program Files\CyberLink
2007-04-02 23:04:24 0 d-------- C:\Program Files\Magic Holdem
2007-04-02 22:49:18 0 d-------- C:\Program Files\Google Toolbar
2007-04-02 22:13:22 0 d-------- C:\Program Files\Symantec
2007-04-02 18:15:10 0 d-------- C:\Documents and Settings\User\Application Data\Symantec
2007-03-21 09:51:22 0 d-------- C:\Program Files\Java
2007-03-15 15:34:57 0 d-------- C:\Program Files\Thomson
2007-03-12 17:30:45 0 d-------- C:\Program Files\Motorola Phone Tools(2)
2007-03-12 17:30:37 0 d-------- C:\Program Files\LiveUpdate
2007-03-12 17:30:14 0 d-------- C:\Program Files\Motorola Phone Tools(2)(2)
2007-03-12 17:28:46 0 d-------- C:\Program Files\Motorola Phone Tools(3)
2007-02-27 11:00:13 0 --a------ C:\WINDOWS\USA Poker
2007-02-27 11:00:13 0 --a------ C:\WINDOWS\Titan Poker
2007-02-27 11:00:13 0 --a------ C:\WINDOWS\Prestige Poker
2007-02-27 11:00:13 0 --a------ C:\WINDOWS\Poker.com
2007-02-27 11:00:13 0 --a------ C:\WINDOWS\Noble Poker
2007-02-27 11:00:13 0 --a------ C:\WINDOWS\CDPoker
2007-02-09 18:22:24 8022 --ahs---- C:\WINDOWS\system32\uttss.ini2


-- Registry Dump ---------------------------------------------------------------

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects]
{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
{761497BB-D6F0-462C-B6EB-D4DAF1D92D43} C:\Program Files\Java\jre1.5.0_11\bin\ssv.dll
{AA58ED58-01DD-4d91-8333-CF10577473F7} c:\program files\google\googletoolbar2.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run]
"NeroFilterCheck"="C:\\WINDOWS\\system32\\NeroCheck.exe"
"NvCplDaemon"="RUNDLL32.EXE C:\\WINDOWS\\System32\\NvCpl.dll,NvStartup"
"nwiz"="nwiz.exe /install"
"NvMediaCenter"="RUNDLL32.EXE C:\\WINDOWS\\System32\\NvMcTray.dll,NvTaskbarInit"
"SoundMan"="SOUNDMAN.EXE"
"InCD"="C:\\Program Files\\Ahead\\InCD\\InCD.exe"
"QuickTime Task"="\"C:\\Program Files\\QuickTime\\qttask.exe\" -atboottime"
"iTunesHelper"="\"C:\\Program Files\\iTunes\\iTunesHelper.exe\""
"SpeedTouch USB Diagnostics"="\"C:\\Program Files\\Thomson\\SpeedTouch USB\\Dragdiag.exe\" /icon"
"ccApp"="\"C:\\Program Files\\Common Files\\Symantec Shared\\ccApp.exe\""
"osCheck"="\"C:\\Program Files\\Norton AntiVirus\\osCheck.exe\""
"Symantec PIF AlertEng"="\"C:\\Program Files\\Common Files\\Symantec Shared\\PIF\\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\\PIFSvc.exe\" /a /m \"C:\\Program Files\\Common Files\\Symantec Shared\\PIF\\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\\AlertEng.dll\""
"!AVG Anti-Spyware"="\"C:\\Program Files\\Grisoft\\AVG Anti-Spyware 7.5\\avgas.exe\" /minimized"
"SunJavaUpdateSched"="C:\\Program Files\\Java\\jre1.5.0_11\\bin\\jusched.exe"

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run]
"MSMSGS"="\"C:\\Program Files\\Messenger\\msmsgs.exe\" /background"
"NBJ"="\"C:\\Program Files\\Ahead\\Nero BackItUp\\NBJ.exe\""
"updateMgr"="\"C:\\Program Files\\Adobe\\Acrobat 7.0\\Reader\\AdobeUpdateManager.exe\" AcRdB7_0_8 -reboot 1"

[HKEY_USERS\.default\software\microsoft\windows\currentversion\run]
"CTFMON.EXE"="C:\\WINDOWS\\System32\\CTFMON.EXE"

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]
"DisableRegistryTools"=dword:00000000

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"NoViewOnDrive"=dword:00000000

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer\Run]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{57B86673-276A-48B2-BAE7-C6DBB3020EB8}"="AVG Anti-Spyware 7.5"

HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa
Authentication Packages REG_MULTI_SZ msv1_0\0\0
Security Packages REG_MULTI_SZ kerberos\0msv1_0\0schannel\0wdigest\0\0
Notification Packages REG_MULTI_SZ scecli\0\0


[HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Svchost]
LocalService REG_MULTI_SZ Alerter\0WebClient\0LmHosts\0RemoteRegistry\0upnphost\0SSDPSRV\0\0
NetworkService REG_MULTI_SZ DnsCache\0\0
rpcss REG_MULTI_SZ RpcSs\0\0
imgsvc REG_MULTI_SZ StiSvc\0\0
termsvcs REG_MULTI_SZ TermService\0\0
HTTPFilter REG_MULTI_SZ HTTPFilter\0\0
DcomLaunch REG_MULTI_SZ DcomLaunch\0TermService\0\0



-- End of Deckard's System Scanner: finished at 2007-05-05 at 11:55:15
JOHNNYMACK is offline  
Old 05-05-2007, 11:07 AM   #15 (permalink)
Analyst, Security Team ; Rangemaster, TSF Academy
 
Clark76's Avatar
 
Join Date: Jun 2006
Location: Cleveland, Ohio
Posts: 1,673
OS: XP Pro, Vista, Ubuntu 8.10


Re: Newby Bombarded With Spyware Pop-ups

Hello again. First off, thank you for listing your steps as you did. It makes my job that much easier.

Go to My Computer >Tools >Folder Options >View tab and select Show hidden files and folders. Uncheck the Hide protected operating system files (recommended) option. Also make sure there is no checkmark beside Hide file extensions for known file types. Click OK.

==========================================

Delete the following Files indicated in RED if they still exist.

C:\WINDOWS\system32\dllcache\win32\ csrss.exe
C:\WINDOWS\system32\ bccdd.ini2
C:\WINDOWS\system32\ bccdd.bak2
C:\WINDOWS\system32\ bccdd.bak1
C:\WINDOWS\system32\ uttss.ini2


If any of the files resist deletion then reboot into safe mode to delete them. Then reboot into normal mode.

===========================================

Please try now and take a look in this folder C:\WINDOWS\system32\dllcache\win32 and tell me if there are any files or folders in there. If there are any then please list them.

===========================================

Run Deckard's System Scanner (DSS) again
  1. Close all applications and windows.
  2. Double-click on DSS.exe to run it, and follow the prompts.
  3. When the scan is complete, one text file will open - main.txt
  4. Copy (Ctrl+A then Ctrl+C) and paste (Ctrl+V) the contents of main.txt in your reply.
Clark76 is offline  
Old 05-07-2007, 04:03 AM   #16 (permalink)
Registered User
 
Join Date: Apr 2007
Location: united kingdom
Posts: 16
OS: Win XP


Re: Newby Bombarded With Spyware Pop-ups

Clark - Hi there again, and again thanks for your assistance.

Going through your instructions systematically -

Done the unchecking thing then -

1) Found and deleted the following as requested -

C:\WINDOWS\system32\dllcache\win32\csrss.exe
C:\WINDOWS\system32\bccdd.ini2
C:\WINDOWS\system32\bccdd.bak2
C:\WINDOWS\system32\bccdd.bak1
C:\WINDOWS\system32\uttss.ini2

P.S. None resisted deletion (they gave in gracefully), lol.

2) Had a look in the C:\WINDOWS\system32\dllcache\win32 folder (was there this time) and the following is a list of what is still inside -

1.txt
hide.EXE
libeay32.dll
run.bat
ssleay32.dll
winlogon.exe
cygcrypt-0.dll
hide.RB0
pshut.bat
servudaemon.ini
TzoLibr.dll
xdcc.config
cygwin1.dll
instsrv.exe
reg.reg
ServUStartUpLog.txt
welcome.txt

Hope you understand this list; it's all double Dutch to me.

Finally here is the latest D.S.S. Scan -

Deckard's System Scanner v20070426.43
Run by User on 2007-05-07 at 10:58:49
Computer is in Normal Mode.
--------------------------------------------------------------------------------



-- HijackThis (run as User.exe) ------------------------------------------------

Logfile of HijackThis v1.99.1
Scan saved at 11:00:11, on 07/05/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Ahead\InCD\InCDsrv.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
C:\PROGRA~1\NORTON~1\NORTON~1\NPROTECT.EXE
C:\WINDOWS\System32\nvsvc32.exe
C:\PROGRA~1\NORTON~1\NORTON~1\SPEEDD~1\NOPDB.EXE
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\Program Files\Common Files\Symantec Shared\AppCore\AppSvc32.exe
C:\WINDOWS\system32\WgaTray.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Ahead\InCD\InCD.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Thomson\SpeedTouch USB\Dragdiag.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Java\jre1.5.0_11\bin\jusched.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\SpywareGuard\sgmain.exe
C:\Documents and Settings\User\Desktop\dss.exe
C:\PROGRA~1\HIJACK~1\User.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://uk.yahoo.com/
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_11\bin\ssv.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [InCD] C:\Program Files\Ahead\InCD\InCD.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [SpeedTouch USB Diagnostics] "C:\Program Files\Thomson\SpeedTouch USB\Dragdiag.exe" /icon
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [osCheck] "C:\Program Files\Norton AntiVirus\osCheck.exe"
O4 - HKLM\..\Run: [Symantec PIF AlertEng] "C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe" /a /m "C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\AlertEng.dll"
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_11\bin\jusched.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [NBJ] "C:\Program Files\Ahead\Nero BackItUp\NBJ.exe"
O4 - HKCU\..\Run: [updateMgr] "C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" AcRdB7_0_8 -reboot 1
O4 - Startup: SpywareGuard.lnk = C:\Program Files\SpywareGuard\sgmain.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar2.dll/cmsearch.html
O8 - Extra context menu item: &Translate English Word - res://c:\program files\google\GoogleToolbar2.dll/cmwordtrans.html
O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar2.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar2.dll/cmcache.html
O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar2.dll/cmsimilar.html
O8 - Extra context menu item: Translate Page into English - res://c:\program files\google\GoogleToolbar2.dll/cmtrans.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_11\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_11\bin\ssv.dll
O9 - Extra button: Express Cleanup - {5E638779-1818-4754-A595-EF1C63B87A56} - C:\Program Files\Norton SystemWorks\Norton Cleanup\WCQuick.lnk
O9 - Extra 'Tools' menuitem: Express Cleanup - {5E638779-1818-4754-A595-EF1C63B87A56} - C:\Program Files\Norton SystemWorks\Norton Cleanup\WCQuick.lnk
O9 - Extra button: EmpirePoker - {77E68763-4284-41d6-B7E7-B6E1F053A9E7} - C:\Program Files\EmpirePokerMaster\EmpirePoker\RunEPoker.exe
O9 - Extra 'Tools' menuitem: EmpirePoker - {77E68763-4284-41d6-B7E7-B6E1F053A9E7} - C:\Program Files\EmpirePokerMaster\EmpirePoker\RunEPoker.exe
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O9 - Extra button: PacificPoker - {94EDF7B4-4272-4af3-8F8B-4E2F68E225B7} - C:\PROGRA~1\PACIFI~1\pacificpoker.exe
O9 - Extra button: Calorie-Count.com Toolbar - {B7D3E479-CC68-42B5-A338-938ECE35F419} - (no file)
O9 - Extra 'Tools' menuitem: Calorie-Count.com Toolbar - {B7D3E479-CC68-42B5-A338-938ECE35F419} - (no file)
O9 - Extra button: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyGaming\PartyPoker\RunApp.exe
O9 - Extra 'Tools' menuitem: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyGaming\PartyPoker\RunApp.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {05CA9FB0-3E3E-4B36-BF41-0E3A5CAA8CD8} (Office Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=67633
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/eng/par...an_unicode.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {20A60F0D-9AFA-4515-A0FD-83BD84642501} (Checkers Class) - http://messenger.zone.msn.com/binary...r.cab56986.cab
O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - http://us.dl1.yimg.com/download.yaho...st20040510.cab
O16 - DPF: {5D6F45B3-9043-443D-A792-115447494D24} (UnoCtrl Class) - http://messenger.zone.msn.com/EN-GB/.../GAME_UNO1.cab
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitdefender.com/reso...an8/oscan8.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/microsof...?1151879318531
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/S.../bin/cabsa.cab
O16 - DPF: {6A344D34-5231-452A-8A57-D064AC9B7862} (Symantec Download Manager) - https://webdl.symantec.com/activex/symdlmgr.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsof...?1151879295750
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/actives...ree/asinst.cab
O16 - DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary...t.cab56907.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{378DAB05-8789-4F9B-A642-101CA7712A12}: NameServer = 62.24.128.18 62.24.128.17
O17 - HKLM\System\CS2\Services\Tcpip\..\{378DAB05-8789-4F9B-A642-101CA7712A12}: NameServer = 62.24.128.18 62.24.128.17
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Unknown owner - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe" /h ccCommon (file missing)
O23 - Service: Symantec Settings Manager (ccSetMgr) - Unknown owner - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe" /h ccCommon (file missing)
O23 - Service: Symantec Lic NetConnect service (CLTNetCnService) - Unknown owner - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe" /h ccCommon (file missing)
O23 - Service: Firebird Guardian - DefaultInstance (FirebirdGuardianDefaultInstance) - Unknown owner - C:\Program Files\Firebird\Firebird_1_5\bin\fbguard.exe (file missing)
O23 - Service: Firebird Server - DefaultInstance (FirebirdServerDefaultInstance) - Unknown owner - C:\Program Files\Firebird\Firebird_1_5\bin\fbserver.exe (file missing)
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: InCD Helper (InCDsrv) - Nero AG - C:\Program Files\Ahead\InCD\InCDsrv.exe
O23 - Service: iPod Service - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Symantec IS Password Validation (ISPwdSvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\isPwdSvc.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: LiveUpdate Notice Service Ex (LiveUpdate Notice Ex) - Unknown owner - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe" /h ccCommon (file missing)
O23 - Service: LiveUpdate Notice Service - Unknown owner - C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe" /m "C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PifEng.dll (file missing)
O23 - Service: Norton UnErase Protection (NProtectService) - Symantec Corporation - C:\PROGRA~1\NORTON~1\NORTON~1\NPROTECT.EXE
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: Speed Disk service - Symantec Corporation - C:\PROGRA~1\NORTON~1\NORTON~1\SPEEDD~1\NOPDB.EXE
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: Symantec AppCore Service (SymAppCore) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\AppCore\AppSvc32.exe


-- Files created between 2007-04-07 and 2007-05-07 -----------------------------

2007-05-02 19:50:42 0 d-------- C:\WINDOWS\system32\Kaspersky Lab
2007-04-30 16:57:02 0 d-------- C:\Documents and Settings\User\Application Data\AVG7
2007-04-30 16:56:46 0 d-------- C:\Documents and Settings\LocalService\Application Data\AVG7
2007-04-30 16:55:49 0 d-------- C:\Documents and Settings\All Users\Application Data\avg7
2007-04-24 17:03:58 0 d-------- C:\ie-spyad
2007-04-24 17:01:37 536811 --a------ C:\ie-spyad.exe
2007-04-24 16:54:10 0 d-------- C:\Program Files\SpywareGuard
2007-04-24 16:44:33 0 d-------- C:\Program Files\SpywareBlaster
2007-04-23 18:04:41 0 d-------- C:\WINDOWS\BDOSCAN8
2007-04-23 17:52:28 0 d-------- C:\WINDOWS\system32\ActiveScan
2007-04-22 15:39:22 0 d-------- C:\Documents and Settings\User\Application Data\Lavasoft
2007-04-22 15:38:46 0 d-------- C:\Program Files\Lavasoft
2007-04-19 21:18:13 0 d-------- C:\Documents and Settings\User\Application Data\Microgaming
2007-04-19 21:18:00 0 d-------- C:\WINDOWS\system32\FlashAX
2007-04-19 14:52:44 0 d-------- C:\VundoFix Backups
2007-04-18 17:15:55 0 d-------- C:\kav
2007-04-18 14:26:22 0 d--h----- C:\Documents and Settings\Administrator\Templates
2007-04-18 14:26:22 0 dr------- C:\Documents and Settings\Administrator\Start Menu
2007-04-18 14:26:22 0 dr-h----- C:\Documents and Settings\Administrator\SendTo
2007-04-18 14:26:22 0 d--h----- C:\Documents and Settings\Administrator\Recent
2007-04-18 14:26:22 0 d--h----- C:\Documents and Settings\Administrator\PrintHood
2007-04-18 14:26:22 364544 --a------ C:\Documents and Settings\Administrator\NTUSER.DAT
2007-04-18 14:26:22 0 d--h----- C:\Documents and Settings\Administrator\NetHood
2007-04-18 14:26:22 0 d-------- C:\Documents and Settings\Administrator\My Documents
2007-04-18 14:26:22 0 d--h----- C:\Documents and Settings\Administrator\Local Settings
2007-04-18 14:26:22 0 d-------- C:\Documents and Settings\Administrator\Favorites
2007-04-18 14:26:22 0 d-------- C:\Documents and Settings\Administrator\Desktop
2007-04-18 14:26:22 0 d---s---- C:\Documents and Settings\Administrator\Cookies
2007-04-18 14:26:22 0 dr-h----- C:\Documents and Settings\Administrator\Application Data
2007-04-18 14:26:22 0 d---s---- C:\Documents and Settings\Administrator\Application Data\Microsoft
2007-04-18 11:18:08 0 d-------- C:\Program Files\Enigma Software Group
2007-04-17 17:24:35 0 d-------- C:\WINDOWS\Prefetch
2007-04-16 14:24:22 0 d-------- C:\Program Files\Motorola Phone Tools
2007-04-15 15:00:31 8126464 --a------ C:\Documents and Settings\User\ntuser.dat
2007-04-12 21:48:17 0 d-------- C:\WINDOWS\pss
2007-04-11 15:41:35 0 d-------- C:\Program Files\PartyGaming
2007-04-10 17:50:54 0 d-------- C:\Program Files\Poker Indicator
2007-04-10 13:17:42 0 d-------- C:\Program Files\pokerkant
2007-04-07 19:27:32 0 d-------- C:\Program Files\Poker Pal Pro Edition


-- Find3M Report ---------------------------------------------------------------

2007-05-04 22:21:41 0 d-------- C:\Program Files\PacificPoker
2007-05-01 07:20:41 0 d-------- C:\Program Files\Common Files\Symantec Shared
2007-04-28 14:49:41 0 d-------- C:\Documents and Settings\User\Application Data\uTorrent
2007-04-24 18:39:50 0 d-------- C:\Program Files\EmpirePokerMaster
2007-04-24 16:15:02 0 d-------- C:\Program Files\Norton SystemWorks
2007-04-24 16:14:52 0 d-------- C:\Program Files\Norton AntiVirus
2007-04-24 16:09:26 0 d-------- C:\Program Files\Messenger
2007-04-24 1634 0 d-------- C:\Program Files\iTunes
2007-04-24 16:05:55 0 d-------- C:\Program Files\Google
2007-04-22 15:37:43 0 d-------- C:\Program Files\Common Files\Wise Installation Wizard
2007-04-20 00:44:14 0 d-------- C:\Program Files\MSN Messenger
2007-04-19 14:40:04 0 d-------- C:\Program Files\Calorie-Count.com Toolbar
2007-04-16 14:24:22 0 d--h----- C:\Program Files\InstallShield Installation Information
2007-04-07 19:24:17 0 d-------- C:\Program Files\CyberLink
2007-04-07 19:23:04 0 d-------- C:\Program Files\Poker-Spy
2007-04-02 23:04:24 0 d-------- C:\Program Files\Magic Holdem
2007-04-02 22:49:18 0 d-------- C:\Program Files\Google Toolbar
2007-04-02 22:13:22 0 d-------- C:\Program Files\Symantec
2007-04-02 18:15:10 0 d-------- C:\Documents and Settings\User\Application Data\Symantec
2007-03-21 09:51:22 0 d-------- C:\Program Files\Java
2007-03-15 15:34:57 0 d-------- C:\Program Files\Thomson
2007-03-12 17:30:45 0 d-------- C:\Program Files\Motorola Phone Tools(2)
2007-03-12 17:30:37 0 d-------- C:\Program Files\LiveUpdate
2007-03-12 17:30:14 0 d-------- C:\Program Files\Motorola Phone Tools(2)(2)
2007-03-12 17:28:46 0 d-------- C:\Program Files\Motorola Phone Tools(3)
2007-02-27 11:00:13 0 --a------ C:\WINDOWS\USA Poker
2007-02-27 11:00:13 0 --a------ C:\WINDOWS\Titan Poker
2007-02-27 11:00:13 0 --a------ C:\WINDOWS\Prestige Poker
2007-02-27 11:00:13 0 --a------ C:\WINDOWS\Poker.com
2007-02-27 11:00:13 0 --a------ C:\WINDOWS\Noble Poker
2007-02-27 11:00:13 0 --a------ C:\WINDOWS\CDPoker


-- Registry Dump ---------------------------------------------------------------

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects]
{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
{761497BB-D6F0-462C-B6EB-D4DAF1D92D43} C:\Program Files\Java\jre1.5.0_11\bin\ssv.dll
{AA58ED58-01DD-4d91-8333-CF10577473F7} c:\program files\google\googletoolbar2.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run]
"NeroFilterCheck"="C:\\WINDOWS\\system32\\NeroCheck.exe"
"NvCplDaemon"="RUNDLL32.EXE C:\\WINDOWS\\System32\\NvCpl.dll,NvStartup"
"nwiz"="nwiz.exe /install"
"NvMediaCenter"="RUNDLL32.EXE C:\\WINDOWS\\System32\\NvMcTray.dll,NvTaskbarInit"
"SoundMan"="SOUNDMAN.EXE"
"InCD"="C:\\Program Files\\Ahead\\InCD\\InCD.exe"
"QuickTime Task"="\"C:\\Program Files\\QuickTime\\qttask.exe\" -atboottime"
"iTunesHelper"="\"C:\\Program Files\\iTunes\\iTunesHelper.exe\""
"SpeedTouch USB Diagnostics"="\"C:\\Program Files\\Thomson\\SpeedTouch USB\\Dragdiag.exe\" /icon"
"ccApp"="\"C:\\Program Files\\Common Files\\Symantec Shared\\ccApp.exe\""
"osCheck"="\"C:\\Program Files\\Norton AntiVirus\\osCheck.exe\""
"Symantec PIF AlertEng"="\"C:\\Program Files\\Common Files\\Symantec Shared\\PIF\\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\\PIFSvc.exe\" /a /m \"C:\\Program Files\\Common Files\\Symantec Shared\\PIF\\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\\AlertEng.dll\""
"!AVG Anti-Spyware"="\"C:\\Program Files\\Grisoft\\AVG Anti-Spyware 7.5\\avgas.exe\" /minimized"
"SunJavaUpdateSched"="C:\\Program Files\\Java\\jre1.5.0_11\\bin\\jusched.exe"

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run]
"MSMSGS"="\"C:\\Program Files\\Messenger\\msmsgs.exe\" /background"
"NBJ"="\"C:\\Program Files\\Ahead\\Nero BackItUp\\NBJ.exe\""
"updateMgr"="\"C:\\Program Files\\Adobe\\Acrobat 7.0\\Reader\\AdobeUpdateManager.exe\" AcRdB7_0_8 -reboot 1"

[HKEY_USERS\.default\software\microsoft\windows\currentversion\run]
"CTFMON.EXE"="C:\\WINDOWS\\System32\\CTFMON.EXE"

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]
"DisableRegistryTools"=dword:00000000

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"NoViewOnDrive"=dword:00000000

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer\Run]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{57B86673-276A-48B2-BAE7-C6DBB3020EB8}"="AVG Anti-Spyware 7.5"

HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa
Authentication Packages REG_MULTI_SZ msv1_0\0\0
Security Packages REG_MULTI_SZ kerberos\0msv1_0\0schannel\0wdigest\0\0
Notification Packages REG_MULTI_SZ scecli\0\0


[HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Svchost]
LocalService REG_MULTI_SZ Alerter\0WebClient\0LmHosts\0RemoteRegistry\0upnphost\0SSDPSRV\0\0
NetworkService REG_MULTI_SZ DnsCache\0\0
rpcss REG_MULTI_SZ RpcSs\0\0
imgsvc REG_MULTI_SZ StiSvc\0\0
termsvcs REG_MULTI_SZ TermService\0\0
HTTPFilter REG_MULTI_SZ HTTPFilter\0\0
DcomLaunch REG_MULTI_SZ DcomLaunch\0TermService\0\0



-- End of Deckard's System Scanner: finished at 2007-05-07 at 11:00:35 ---

Also system seems to be running great now and a lot faster.

Thanks again looking forward to reply

John T.
JOHNNYMACK is offline  
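As an added example (not part of this thread or of HijackThis itself), here is a small Python parser for the HijackThis log format pasted above: it pulls out each entry's type, flags entries marked "(file missing)" or "(no file)", and reports which lines and which O17 NameServer values changed between two scans. The sample lines are copied from the two logs in this thread; the class and function names are this example's own.

```python
"""Parse HijackThis log lines and compare two scans (added example)."""
import re
from dataclasses import dataclass

# Constructed sample: a few lines taken from the first HijackThis log in the thread.
SCAN_1 = r"""
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O9 - Extra button: Calorie-Count.com Toolbar - {B7D3E479-CC68-42B5-A338-938ECE35F419} - (no file)
O17 - HKLM\System\CCS\Services\Tcpip\..\{378DAB05-8789-4F9B-A642-101CA7712A12}: NameServer = 62.24.128.18 62.24.128.17
O23 - Service: Firebird Guardian - DefaultInstance (FirebirdGuardianDefaultInstance) - Unknown owner - C:\Program Files\Firebird\Firebird_1_5\bin\fbguard.exe (file missing)
O23 - Service: InCD Helper (InCDsrv) - Nero AG - C:\Program Files\Ahead\InCD\InCDsrv.exe
"""

# Constructed sample: the same items as they appear in the second log (the O17
# resolvers differ, and the dead Calorie-Count button is assumed removed).
SCAN_2 = r"""
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O17 - HKLM\System\CCS\Services\Tcpip\..\{378DAB05-8789-4F9B-A642-101CA7712A12}: NameServer = 62.24.222.135 62.24.222.134
O23 - Service: Firebird Guardian - DefaultInstance (FirebirdGuardianDefaultInstance) - Unknown owner - C:\Program Files\Firebird\Firebird_1_5\bin\fbguard.exe (file missing)
O23 - Service: InCD Helper (InCDsrv) - Nero AG - C:\Program Files\Ahead\InCD\InCDsrv.exe
"""

# Every HJT entry starts with a section code (R0, O4, O23, ...) followed by " - ".
ENTRY_RE = re.compile(r"^(?P<kind>[RFO]\d+) - (?P<body>.*)$")
# O17 lines end with the configured DNS resolvers, space separated.
NAMESERVER_RE = re.compile(r"NameServer = (?P<servers>[\d. ]+)$")
# Markers HijackThis appends when the referenced file no longer exists.
MISSING_MARKERS = ("(file missing)", "(no file)")


@dataclass
class Entry:
    kind: str            # section code, e.g. "O23"
    body: str            # everything after "O23 - "
    missing: bool        # True if HJT flagged the target file as absent
    nameservers: tuple   # resolvers for O17 entries, empty otherwise


def parse_hjt(text):
    """Turn HijackThis log text into a list of Entry records; non-entry lines are skipped."""
    entries = []
    for line in text.splitlines():
        m = ENTRY_RE.match(line.strip())
        if not m:
            continue
        kind, body = m.group("kind"), m.group("body")
        missing = any(body.endswith(marker) for marker in MISSING_MARKERS)
        servers = ()
        if kind == "O17":
            ns = NAMESERVER_RE.search(body)
            if ns:
                servers = tuple(ns.group("servers").split())
        entries.append(Entry(kind, body, missing, servers))
    return entries


def flag_missing(entries):
    """Entries whose target file is gone: leftovers a helper usually asks to have removed."""
    return [e for e in entries if e.missing]


def entry_diff(before, after):
    """Return (added, removed) line bodies between two scans of the same machine."""
    b = {e.body for e in before}
    a = {e.body for e in after}
    return sorted(a - b), sorted(b - a)


def nameserver_changes(before, after):
    """Map each O17 registry path to (old, new) resolver tuples where they differ.

    A changed resolver set is worth checking against the ISP's published servers;
    the example only reports the change, it does not judge it.
    """
    def by_path(entries):
        out = {}
        for e in entries:
            if e.kind == "O17":
                path = e.body.split(":")[0]  # registry path including the adapter GUID
                out[path] = e.nameservers
        return out

    b, a = by_path(before), by_path(after)
    return {p: (b.get(p), a.get(p)) for p in set(b) | set(a) if b.get(p) != a.get(p)}


if __name__ == "__main__":
    first, second = parse_hjt(SCAN_1), parse_hjt(SCAN_2)
    for e in flag_missing(first):
        print("missing target:", e.kind, e.body)
    added, removed = entry_diff(first, second)
    print("added:", added)
    print("removed:", removed)
    for path, (old, new) in nameserver_changes(first, second).items():
        print("resolvers changed on", path, ":", old, "->", new)
```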
Old 05-07-2007, 02:46 PM   #17 (permalink)
Analyst, Security Team ; Rangemaster, TSF Academy
 
Clark76's Avatar
 
Join Date: Jun 2006
Location: Cleveland, Ohio
Posts: 1,673
OS: XP Pro, Vista, Ubuntu 8.10


Re: Newby Bombarded With Spyware Pop-ups

Hello John

Please zip this folder
C:\WINDOWS\system32\dllcache\win32

Right-click the win32 folder with your mouse, choose "Send to", then "Compressed (zipped) folder".

Please submit it to this site → http://www.bleepingcomputer.com/subm....php?channel=4
Please include a link to this topic in the message.

==================================

Delete the following Folders indicated in BLUE if they still exist.

C:\WINDOWS\system32\dllcache\win32
C:\WINDOWS\system32\dllcache\win32.zip

===========================================

Run Deckard's System Scanner (DSS) again
  1. Close all applications and windows.
  2. Double-click on DSS.exe to run it, and follow the prompts.
  3. When the scan is complete, one text file will open - main.txt
  4. Copy (Ctrl+A then Ctrl+C) and paste (Ctrl+V) the contents of main.txt in your reply.
Clark76 is offline  
Old 05-07-2007, 03:35 PM   #18 (permalink)
Registered User
 
Join Date: Apr 2007
Location: united kingdom
Posts: 16
OS: Win XP


Re: Newby Bombarded With Spyware Pop-ups

Clark,

Many thanks for the prompt reply.

I have submitted the C:\WINDOWS\system32\dllcache\win32 to bleepingcomputer as requested.

I have deleted the 2 files win32 and win32.zip as requested.

Attached is the latest D.S.S. Scan -

Deckard's System Scanner v20070426.43
Run by User on 2007-05-07 at 2237
Computer is in Normal Mode.
--------------------------------------------------------------------------------



-- HijackThis (run as User.exe) ------------------------------------------------

Logfile of HijackThis v1.99.1
Scan saved at 22:08:01, on 07/05/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Ahead\InCD\InCDsrv.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
C:\PROGRA~1\NORTON~1\NORTON~1\NPROTECT.EXE
C:\WINDOWS\System32\nvsvc32.exe
C:\PROGRA~1\NORTON~1\NORTON~1\SPEEDD~1\NOPDB.EXE
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\Program Files\Common Files\Symantec Shared\AppCore\AppSvc32.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\WgaTray.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\Program Files\Ahead\InCD\InCD.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Thomson\SpeedTouch USB\Dragdiag.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Java\jre1.5.0_11\bin\jusched.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\SpywareGuard\sgmain.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\User\Desktop\dss.exe
C:\PROGRA~1\HIJACK~1\User.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://uk.yahoo.com/
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_11\bin\ssv.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [InCD] C:\Program Files\Ahead\InCD\InCD.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [SpeedTouch USB Diagnostics] "C:\Program Files\Thomson\SpeedTouch USB\Dragdiag.exe" /icon
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [osCheck] "C:\Program Files\Norton AntiVirus\osCheck.exe"
O4 - HKLM\..\Run: [Symantec PIF AlertEng] "C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe" /a /m "C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\AlertEng.dll"
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_11\bin\jusched.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [NBJ] "C:\Program Files\Ahead\Nero BackItUp\NBJ.exe"
O4 - HKCU\..\Run: [updateMgr] "C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" AcRdB7_0_8 -reboot 1
O4 - Startup: SpywareGuard.lnk = C:\Program Files\SpywareGuard\sgmain.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar2.dll/cmsearch.html
O8 - Extra context menu item: &Translate English Word - res://c:\program files\google\GoogleToolbar2.dll/cmwordtrans.html
O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar2.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar2.dll/cmcache.html
O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar2.dll/cmsimilar.html
O8 - Extra context menu item: Translate Page into English - res://c:\program files\google\GoogleToolbar2.dll/cmtrans.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_11\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_11\bin\ssv.dll
O9 - Extra button: Express Cleanup - {5E638779-1818-4754-A595-EF1C63B87A56} - C:\Program Files\Norton SystemWorks\Norton Cleanup\WCQuick.lnk
O9 - Extra 'Tools' menuitem: Express Cleanup - {5E638779-1818-4754-A595-EF1C63B87A56} - C:\Program Files\Norton SystemWorks\Norton Cleanup\WCQuick.lnk
O9 - Extra button: EmpirePoker - {77E68763-4284-41d6-B7E7-B6E1F053A9E7} - C:\Program Files\EmpirePokerMaster\EmpirePoker\RunEPoker.exe
O9 - Extra 'Tools' menuitem: EmpirePoker - {77E68763-4284-41d6-B7E7-B6E1F053A9E7} - C:\Program Files\EmpirePokerMaster\EmpirePoker\RunEPoker.exe
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O9 - Extra button: PacificPoker - {94EDF7B4-4272-4af3-8F8B-4E2F68E225B7} - C:\PROGRA~1\PACIFI~1\pacificpoker.exe
O9 - Extra button: Calorie-Count.com Toolbar - {B7D3E479-CC68-42B5-A338-938ECE35F419} - (no file)
O9 - Extra 'Tools' menuitem: Calorie-Count.com Toolbar - {B7D3E479-CC68-42B5-A338-938ECE35F419} - (no file)
O9 - Extra button: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyGaming\PartyPoker\RunApp.exe
O9 - Extra 'Tools' menuitem: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyGaming\PartyPoker\RunApp.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {05CA9FB0-3E3E-4B36-BF41-0E3A5CAA8CD8} (Office Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=67633
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/eng/par...an_unicode.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {20A60F0D-9AFA-4515-A0FD-83BD84642501} (Checkers Class) - http://messenger.zone.msn.com/binary...r.cab56986.cab
O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - http://us.dl1.yimg.com/download.yaho...st20040510.cab
O16 - DPF: {5D6F45B3-9043-443D-A792-115447494D24} (UnoCtrl Class) - http://messenger.zone.msn.com/EN-GB/.../GAME_UNO1.cab
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitdefender.com/reso...an8/oscan8.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/microsof...?1151879318531
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/S.../bin/cabsa.cab
O16 - DPF: {6A344D34-5231-452A-8A57-D064AC9B7862} (Symantec Download Manager) - https://webdl.symantec.com/activex/symdlmgr.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsof...?1151879295750
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/actives...ree/asinst.cab
O16 - DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary...t.cab56907.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{378DAB05-8789-4F9B-A642-101CA7712A12}: NameServer = 62.24.222.135 62.24.222.134
O17 - HKLM\System\CS2\Services\Tcpip\..\{378DAB05-8789-4F9B-A642-101CA7712A12}: NameServer = 62.24.222.135 62.24.222.134
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Unknown owner - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe" /h ccCommon (file missing)
O23 - Service: Symantec Settings Manager (ccSetMgr) - Unknown owner - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe" /h ccCommon (file missing)
O23 - Service: Symantec Lic NetConnect service (CLTNetCnService) - Unknown owner - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe" /h ccCommon (file missing)
O23 - Service: Firebird Guardian - DefaultInstance (FirebirdGuardianDefaultInstance) - Unknown owner - C:\Program Files\Firebird\Firebird_1_5\bin\fbguard.exe (file missing)
O23 - Service: Firebird Server - DefaultInstance (FirebirdServerDefaultInstance) - Unknown owner - C:\Program Files\Firebird\Firebird_1_5\bin\fbserver.exe (file missing)
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: InCD Helper (InCDsrv) - Nero AG - C:\Program Files\Ahead\InCD\InCDsrv.exe
O23 - Service: iPod Service - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Symantec IS Password Validation (ISPwdSvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\isPwdSvc.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: LiveUpdate Notice Service Ex (LiveUpdate Notice Ex) - Unknown owner - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe" /h ccCommon (file missing)
O23 - Service: LiveUpdate Notice Service - Unknown owner - C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe" /m "C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PifEng.dll (file missing)
O23 - Service: Norton UnErase Protection (NProtectService) - Symantec Corporation - C:\PROGRA~1\NORTON~1\NORTON~1\NPROTECT.EXE
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: Speed Disk service - Symantec Corporation - C:\PROGRA~1\NORTON~1\NORTON~1\SPEEDD~1\NOPDB.EXE
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: Symantec AppCore Service (SymAppCore) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\AppCore\AppSvc32.exe


-- Files created between 2007-04-07 and 2007-05-07 -----------------------------

2007-05-02 19:50:42 0 d-------- C:\WINDOWS\system32\Kaspersky Lab
2007-04-30 16:57:02 0 d-------- C:\Documents and Settings\User\Application Data\AVG7
2007-04-30 16:56:46 0 d-------- C:\Documents and Settings\LocalService\Application Data\AVG7
2007-04-30 16:55:49 0 d-------- C:\Documents and Settings\All Users\Application Data\avg7
2007-04-24 17:03:58 0 d-------- C:\ie-spyad
2007-04-24 17:01:37 536811 --a------ C:\ie-spyad.exe
2007-04-24 16:54:10 0 d-------- C:\Program Files\SpywareGuard
2007-04-24 16:44:33 0 d-------- C:\Program Files\SpywareBlaster
2007-04-23 18:04:41 0 d-------- C:\WINDOWS\BDOSCAN8
2007-04-23 17:52:28 0 d-------- C:\WINDOWS\system32\ActiveScan
2007-04-22 15:39:22 0 d-------- C:\Documents and Settings\User\Application Data\Lavasoft
2007-04-22 15:38:46 0 d-------- C:\Program Files\Lavasoft
2007-04-19 21:18:13 0 d-------- C:\Documents and Settings\User\Application Data\Microgaming
2007-04-19 21:18:00 0 d-------- C:\WINDOWS\system32\FlashAX
2007-04-19 14:52:44 0 d-------- C:\VundoFix Backups
2007-04-18 17:15:55 0 d-------- C:\kav
2007-04-18 14:26:22 0 d--h----- C:\Documents and Settings\Administrator\Templates
2007-04-18 14:26:22 0 dr------- C:\Documents and Settings\Administrator\Start Menu
2007-04-18 14:26:22 0 dr-h----- C:\Documents and Settings\Administrator\SendTo
2007-04-18 14:26:22 0 d--h----- C:\Documents and Settings\Administrator\Recent
2007-04-18 14:26:22 0 d--h----- C:\Documents and Settings\Administrator\PrintHood
2007-04-18 14:26:22 364544 --a------ C:\Documents and Settings\Administrator\NTUSER.DAT
2007-04-18 14:26:22 0 d--h----- C:\Documents and Settings\Administrator\NetHood
2007-04-18 14:26:22 0 d-------- C:\Documents and Settings\Administrator\My Documents
2007-04-18 14:26:22 0 d--h----- C:\Documents and Settings\Administrator\Local Settings
2007-04-18 14:26:22 0 d-------- C:\Documents and Settings\Administrator\Favorites
2007-04-18 14:26:22 0 d-------- C:\Documents and Settings\Administrator\Desktop
2007-04-18 14:26:22 0 d---s---- C:\Documents and Settings\Administrator\Cookies
2007-04-18 14:26:22 0 dr-h----- C:\Documents and Settings\Administrator\Application Data
2007-04-18 14:26:22 0 d---s---- C:\Documents and Settings\Administrator\Application Data\Microsoft
2007-04-18 11:18:08 0 d-------- C:\Program Files\Enigma Software Group
2007-04-17 17:24:35 0 d-------- C:\WINDOWS\Prefetch
2007-04-16 14:24:22 0 d-------- C:\Program Files\Motorola Phone Tools
2007-04-15 15:00:31 8126464 --a------ C:\Documents and Settings\User\ntuser.dat
2007-04-12 21:48:17 0 d-------- C:\WINDOWS\pss
2007-04-11 15:41:35 0 d-------- C:\Program Files\PartyGaming
2007-04-10 17:50:54 0 d-------- C:\Program Files\Poker Indicator
2007-04-10 13:17:42 0 d-------- C:\Program Files\pokerkant
2007-04-07 19:27:32 0 d-------- C:\Program Files\Poker Pal Pro Edition


-- Find3M Report ---------------------------------------------------------------

2007-05-07 12:00:33 0 d-------- C:\Program Files\Norton SystemWorks
2007-05-04 22:21:41 0 d-------- C:\Program Files\PacificPoker
2007-05-01 07:20:41 0 d-------- C:\Program Files\Common Files\Symantec Shared
2007-04-28 14:49:41 0 d-------- C:\Documents and Settings\User\Application Data\uTorrent
2007-04-24 18:39:50 0 d-------- C:\Program Files\EmpirePokerMaster
2007-04-24 16:14:52 0 d-------- C:\Program Files\Norton AntiVirus
2007-04-24 16:09:26 0 d-------- C:\Program Files\Messenger
2007-04-24 1634 0 d-------- C:\Program Files\iTunes
2007-04-24 16:05:55 0 d-------- C:\Program Files\Google
2007-04-22 15:37:43 0 d-------- C:\Program Files\Common Files\Wise Installation Wizard
2007-04-20 00:44:14 0 d-------- C:\Program Files\MSN Messenger
2007-04-19 14:40:04 0 d-------- C:\Program Files\Calorie-Count.com Toolbar
2007-04-16 14:24:22 0 d--h----- C:\Program Files\InstallShield Installation Information
2007-04-07 19:24:17 0 d-------- C:\Program Files\CyberLink
2007-04-07 19:23:04 0 d-------- C:\Program Files\Poker-Spy
2007-04-02 23:04:24 0 d-------- C:\Program Files\Magic Holdem
2007-04-02 22:49:18 0 d-------- C:\Program Files\Google Toolbar
2007-04-02 22:13:22 0 d-------- C:\Program Files\Symantec
2007-04-02 18:15:10 0 d-------- C:\Documents and Settings\User\Application Data\Symantec
2007-03-21 09:51:22 0 d-------- C:\Program Files\Java
2007-03-15 15:34:57 0 d-------- C:\Program Files\Thomson
2007-03-12 17:30:45 0 d-------- C:\Program Files\Motorola Phone Tools(2)
2007-03-12 17:30:37 0 d-------- C:\Program Files\LiveUpdate
2007-03-12 17:30:14 0 d-------- C:\Program Files\Motorola Phone Tools(2)(2)
2007-03-12 17:28:46 0 d-------- C:\Program Files\Motorola Phone Tools(3)
2007-02-27 11:00:13 0 --a------ C:\WINDOWS\USA Poker
2007-02-27 11:00:13 0 --a------ C:\WINDOWS\Titan Poker
2007-02-27 11:00:13 0 --a------ C:\WINDOWS\Prestige Poker
2007-02-27 11:00:13 0 --a------ C:\WINDOWS\Poker.com
2007-02-27 11:00:13 0 --a------ C:\WINDOWS\Noble Poker
2007-02-27 11:00:13 0 --a------ C:\WINDOWS\CDPoker


-- Registry Dump ---------------------------------------------------------------

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects]
{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
{761497BB-D6F0-462C-B6EB-D4DAF1D92D43} C:\Program Files\Java\jre1.5.0_11\bin\ssv.dll
{AA58ED58-01DD-4d91-8333-CF10577473F7} c:\program files\google\googletoolbar2.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run]
"NeroFilterCheck"="C:\\WINDOWS\\system32\\NeroCheck.exe"
"NvCplDaemon"="RUNDLL32.EXE C:\\WINDOWS\\System32\\NvCpl.dll,NvStartup"
"nwiz"="nwiz.exe /install"
"NvMediaCenter"="RUNDLL32.EXE C:\\WINDOWS\\System32\\NvMcTray.dll,NvTaskbarInit"
"SoundMan"="SOUNDMAN.EXE"
"InCD"="C:\\Program Files\\Ahead\\InCD\\InCD.exe"
"QuickTime Task"="\"C:\\Program Files\\QuickTime\\qttask.exe\" -atboottime"
"iTunesHelper"="\"C:\\Program Files\\iTunes\\iTunesHelper.exe\""
"SpeedTouch USB Diagnostics"="\"C:\\Program Files\\Thomson\\SpeedTouch USB\\Dragdiag.exe\" /icon"
"ccApp"="\"C:\\Program Files\\Common Files\\Symantec Shared\\ccApp.exe\""
"osCheck"="\"C:\\Program Files\\Norton AntiVirus\\osCheck.exe\""
"Symantec PIF AlertEng"="\"C:\\Program Files\\Common Files\\Symantec Shared\\PIF\\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\\PIFSvc.exe\" /a /m \"C:\\Program Files\\Common Files\\Symantec Shared\\PIF\\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\\AlertEng.dll\""
"!AVG Anti-Spyware"="\"C:\\Program Files\\Grisoft\\AVG Anti-Spyware 7.5\\avgas.exe\" /minimized"
"SunJavaUpdateSched"="C:\\Program Files\\Java\\jre1.5.0_11\\bin\\jusched.exe"

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run]
"MSMSGS"="\"C:\\Program Files\\Messenger\\msmsgs.exe\" /background"
"NBJ"="\"C:\\Program Files\\Ahead\\Nero BackItUp\\NBJ.exe\""
"updateMgr"="\"C:\\Program Files\\Adobe\\Acrobat 7.0\\Reader\\AdobeUpdateManager.exe\" AcRdB7_0_8 -reboot 1"

[HKEY_USERS\.default\software\microsoft\windows\currentversion\run]
"CTFMON.EXE"="C:\\WINDOWS\\System32\\CTFMON.EXE"

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]
"DisableRegistryTools"=dword:00000000

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"NoViewOnDrive"=dword:00000000

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer\Run]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{57B86673-276A-48B2-BAE7-C6DBB3020EB8}"="AVG Anti-Spyware 7.5"

HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa
Authentication Packages REG_MULTI_SZ msv1_0\0\0
Security Packages REG_MULTI_SZ kerberos\0msv1_0\0schannel\0wdigest\0\0
Notification Packages REG_MULTI_SZ scecli\0\0


[HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Svchost]
LocalService REG_MULTI_SZ Alerter\0WebClient\0LmHosts\0RemoteRegistry\0upnphost\0SSDPSRV\0\0
NetworkService REG_MULTI_SZ DnsCache\0\0
rpcss REG_MULTI_SZ RpcSs\0\0
imgsvc REG_MULTI_SZ StiSvc\0\0
termsvcs REG_MULTI_SZ TermService\0\0
HTTPFilter REG_MULTI_SZ HTTPFilter\0\0
DcomLaunch REG_MULTI_SZ DcomLaunch\0TermService\0\0



-- End of Deckard's System Scanner: finished at 2007-05-07 at 22:08:24 --


How are things progressing?
Are we nearly there yet?
Things seem to be running a lot smoother.

J.T.
JOHNNYMACK is offline  
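The helper's verdict on a log like the one above comes from reading each O16/O17/O18/O20/O23 line and asking a small set of questions: is this downloaded ActiveX control from a vendor we expect, are the DNS servers the ISP's, does the registered binary still exist, what is loading into winlogon.exe. The script below is an added example of that triage, written for this thread; it is not HijackThis or Deckard's System Scanner code. The vendor allow-list and the expected-resolver list are assumptions chosen for illustration, and the sample input is the O16/O17/O18/O20/O23 lines from the log above plus one constructed O16 line (placeholder CLSID, reserved example.net domain) so the allow-list check has something to fire on.

```python
"""Triage the O16/O17/O18/O20/O23 entries of a HijackThis-style log.

Added example for this thread; not HijackThis or DSS code. The allow-lists
below are illustrative assumptions, not facts from the thread.
"""
import re
from dataclasses import dataclass
from urllib.parse import urlparse

# Assumed allow-list of hosts from which downloaded ActiveX controls (O16) are
# expected here: the vendors whose online scanners the poster was asked to run.
TRUSTED_DPF_DOMAINS = {
    "kaspersky.com", "microsoft.com", "msn.com", "yimg.com",
    "bitdefender.com", "symantec.com", "pandasoftware.com",
}
FILE_MISSING = "(file missing)"

O16_RE = re.compile(r"^O16 - DPF: (\{[0-9A-Fa-f-]+\}) \((.*)\) - (\S+)$")
O17_RE = re.compile(r"^O17 - (.+?): NameServer = (.+)$")
O20_RE = re.compile(r"^O20 - Winlogon Notify: (\S+) - (.+)$")


@dataclass
class Finding:
    severity: str  # "orphaned", "review" or "verify"
    reason: str
    line: str


def parse_o23(line):
    """Split 'O23 - Service: <name> - <owner> - <path>' from the right, so a
    display name that itself contains ' - ' (the Firebird ones do) stays whole."""
    body = line[len("O23 - Service: "):]
    parts = body.rsplit(" - ", 2)
    if len(parts) != 3:
        return None
    name, owner, path = parts
    return name, owner, path


def _host(url):
    return (urlparse(url).hostname or "").lower()


def _trusted(host):
    return any(host == d or host.endswith("." + d) for d in TRUSTED_DPF_DOMAINS)


def triage(lines, expected_nameservers=None):
    """Return the entries a cleanup helper would want to look at again."""
    expected = set(expected_nameservers or ())
    findings = []
    for raw in lines:
        line = raw.strip()
        if not line:
            continue
        # An O18/O20/O23 entry whose binary no longer exists is a leftover
        # registration: not active, but it should be cleaned up.
        if line[:3] in ("O18", "O20", "O23") and line.endswith(FILE_MISSING):
            findings.append(Finding("orphaned", "registered binary is missing", line))
            continue
        m = O16_RE.match(line)
        if m:
            _clsid, name, url = m.groups()
            host = _host(url)
            if not _trusted(host):
                findings.append(Finding(
                    "review", f"ActiveX control '{name}' came from non-allow-listed host {host}", line))
            continue
        m = O17_RE.match(line)
        if m:
            unexpected = [s for s in m.group(2).split() if s not in expected]
            if unexpected:  # DNS hijack check: resolvers must match what the ISP/admin gave out
                findings.append(Finding(
                    "verify", "NameServer entries not in the expected resolver list "
                    "(confirm with the ISP): " + " ".join(unexpected), line))
            continue
        m = O20_RE.match(line)
        if m:
            # Winlogon Notify DLLs are loaded by winlogon.exe at logon, a classic
            # persistence location, so every entry gets a second look.
            findings.append(Finding(
                "review", f"Winlogon Notify package {m.group(1)} -> {m.group(2)}", line))
            continue
        if line.startswith("O23 "):
            parsed = parse_o23(line)
            if parsed and parsed[1] == "Unknown owner":
                findings.append(Finding(
                    "review", f"service '{parsed[0]}' has no readable vendor info", line))
    return findings


# Lines copied from the log posted above, plus one constructed O16 line
# (placeholder CLSID, reserved example.net domain) so the allow-list check fires.
SAMPLE_LOG = r"""
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/eng/par...an_unicode.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {00000000-0000-0000-0000-000000000000} (Constructed Example Control) - http://cdn.example.net/ctl.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{378DAB05-8789-4F9B-A642-101CA7712A12}: NameServer = 62.24.222.135 62.24.222.134
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O23 - Service: Symantec Event Manager (ccEvtMgr) - Unknown owner - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe" /h ccCommon (file missing)
O23 - Service: Firebird Guardian - DefaultInstance (FirebirdGuardianDefaultInstance) - Unknown owner - C:\Program Files\Firebird\Firebird_1_5\bin\fbguard.exe (file missing)
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
"""

if __name__ == "__main__":
    for f in triage(SAMPLE_LOG.splitlines()):
        print(f"[{f.severity}] {f.reason}\n    {f.line}")
```

Run as-is, the script flags the constructed O16 line, the two O17 resolvers (because no expected list was given), the three "(file missing)" registrations and the Winlogon Notify DLL, and stays quiet on the Kaspersky and Microsoft controls and the NVIDIA service. Passing the ISP's resolvers as `expected_nameservers` silences the O17 finding; that is the check the helper does by eye when deciding whether the O17 lines in a log are a DNS hijack or just the ISP's servers.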
Old 05-07-2007, 07:33 PM   #19 (permalink)
Analyst, Security Team ; Rangemaster, TSF Academy
Join Date: Jun 2006
Location: Cleveland, Ohio
Posts: 1,673
OS: XP Pro, Vista, Ubuntu 8.10


Re: Newby Bombarded With Spyware Pop-ups

Well done, your logs are clean!

====================================

Turn SpywareGuard back on

Click Start > Programs > SpywareGuard > SpywareGuard

====================================

Rehide System Files
  • Click Start.
  • Open My Computer.
  • Select the Tools menu and click Folder Options.
  • Select the View tab.
  • Deselect the Show hidden files and folders option.
  • Select the Hide file extensions for known types option.
  • Select the Hide protected operating system files option.
  • Click Yes to confirm.
  • Click OK.

====================================

Flush the System Restore Points

To turn off System Restore, click Start > right-click My Computer > Properties. Click the System Restore tab and check "Turn off System Restore" or "Turn off System Restore on all drives", then click Apply. When System Restore is turned off, the existing restore points are deleted. Click Yes to do this, then click OK.

Turn on System Restore by Clicking Start. Right-click My Computer, and then click Properties. Click the System Restore tab. Uncheck "Turn off System Restore" or "Turn off System Restore on all drives." Click Apply, and then OK.

This will create a new Restore Point.

======================================

It is very important that you get all of the critical updates for your Operating System and Internet Explorer. Keeping your OS and browser up to date will help make you less susceptible to attacks by Trojans and viruses. Please go to Microsoft and download all the critical updates to help prevent possible re-infection.

=================================================

This is a good time to set up protection against further attacks. Read TonyKlein's How Did I Get Infected In The First Place?. You need an antivirus that is continually updated, a good firewall, a spyware blocker such as Spyware Blaster, and a real-time spyware program such as Spyware Guard, to prevent spyware intrusions. IE-Spyad is another excellent program that places over 4000 websites and domains in the IE Restricted list, which will help prevent attempts to infect your system. All of the above have good free versions available. However, be very wary of any security software that is advertised in popups or in other ways. Not only is it usually of no use, but it often has malware in it.

More information and downloads are available at the following links:

Spyware Blaster

Spyware Guard
IE-Spyad

========================================

Please respond to this thread one more time so we can mark this thread as Resolved.

If you want to fight back against the malware writers who have made your life a misery, please take a look here and read what you can do against it.
__________________
Proud Member of ASAP
Proud Member of UNITE

If you feel we've helped you, Please Donate to the Forum
Clark76 is offline  
Old 05-08-2007, 06:39 AM   #20 (permalink)
Registered User
 
Join Date: Apr 2007
Location: united kingdom
Posts: 16
OS: Win XP


Re: Newby Bombarded With Spyware Pop-ups

Clark, thanks ever so much for your invaluable assistance, and may I also say, extremely prompt and easy-to-follow instructions.

I will definitely be making a donation to the site.

J.T.
JOHNNYMACK is offline  
Copyright 2001 - 2009, Tech Support Forum