#1 (permalink) |
|
Registered User
Join Date: May 2007
Posts: 19
OS: XP
|
Boot sector changed
Good day!
The computer was recently cleaned from spyware. During boot, the computer hanged when it was booting Windows XP. It stopped at the black screen with the logo and progress bar. The bar kept animating, but nothing happened after that. I ran a system restore, which made the computer boot properly again, but when I ran a scan of AVG, a message appeared saying that the Boot Sector of Drive C: was changed. I decided to post a HiJackThis log since I'm not sure what caused this. A Screencap of the AVG result is attached. Thanks for reading.
#3 (permalink) |
|
Assistant Manager, TSF Academy; Moderator/Analyst Security Team
Join Date: Jan 2005
Location: Ohio
Posts: 27,027
OS: WinXP and Vista
|
Re: Boot sector changed
Hello
Download SDFix and save it to your Desktop.
Double click SDFix.exe and it will extract the files to %systemdrive% -(Drive that contains the Windows Directory, typically C:\SDFix)
--------------------------------------------------------------------
Disable Spybot TeaTimer as it may interfere with the fix below:

Please reboot your computer in Safe Mode by doing the following:
1) Restart your computer
2) After hearing your computer beep once during startup, but before the Windows icon appears, press F8.
3) Instead of Windows loading as normal, a menu should appear
4) Use the up arrow key to highlight Safe Mode and press Enter.
5) Login with your usual account.
Make sure to close any open browsers.
--------------------------------------------------------------------
Open the extracted SDFix folder and double click RunThis.bat to start the script.

Download Deckard's System Scanner (DSS) to your Desktop.
What DSS will do:
Note: You must be logged onto an account with administrator privileges.

Please include the following in your next reply:
main.txt
an attached extra.txt
--------------------------------------------------------------------
Please include the following in your next reply:
C:\SDFix\Report.txt
main.txt
attached extra.txt
#4 (permalink) |
|
Registered User
Join Date: May 2007
Posts: 19
OS: XP
|
Re: Boot sector changed
Thanks Ried. Here's what you asked for
REG_MULTI_SZ TermService\0\0 [HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{cd89fb88-febb-11da-b17a-00112ff806df}] Shell\AutoRun\command C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL wscript.exe FS6519.dll.vbs -- End of Deckard's System Scanner: finished at 2007-06-16 at 22:13:17 --------- I also got this message when DSS tried running HijackThis: An unexpected error has occurred at procedure: modMain_CheckOther1Item() Error #5 - Invalid procedure call or argument Please email me at merijn@spywareinfo.com, reporting the following: * What you were trying to fix when the error occurred, if applicable * How you can reproduce the error * A complete HijackThis scan log, if possible Windows version: Windows NT 5.01.2600 MSIE version: 6.0.2900.2180 HijackThis version: 1.99.1 This message has been copied to your clipboard. Click OK to continue the rest of the scan. Thanks for helping. |
#5 (permalink) |
|
Assistant Manager, TSF Academy; Moderator/Analyst Security Team
Join Date: Jan 2005
Location: Ohio
Posts: 27,027
OS: WinXP and Vista
|
Re: Boot sector changed
Hiya,
I'm not finding any malware here. The message you originally received from AVG Free was due to the System Restore you had performed and is nothing to be concerned about.

I do however see that you currently have 2 Anti Virus programs installed and running on this system. (AVG Free Edition and McAfee SecurityCenter) While it may seem to be added protection for you, more than 1 Anti Virus can cause conflicts and confusion between the AV programs as well as system instability. Please choose and run only 1 and uninstall the other via the Add/Remove Programs in the Control Panel.

While in the Add/Remove programs, you can also uninstall these previous versions of Java as they are no longer needed and are just taking up space:
J2SE Runtime Environment 5.0 Update 1
J2SE Runtime Environment 5.0 Update 11
**Leave this version installed-- Java(TM) SE Runtime Environment 6 Update 1

How is your system behaving?
#6 (permalink) |
|
Registered User
Join Date: May 2007
Posts: 19
OS: XP
|
Re: Boot sector changed
Thanks, I'll remove what you suggested.
What I don't understand is why my XP stopped booting at that one point. I didn't apply any system restore then. Only when I ran the System Restore from Safe did it work again.
#7 (permalink) |
|
Assistant Manager, TSF Academy; Moderator/Analyst Security Team
Join Date: Jan 2005
Location: Ohio
Posts: 27,027
OS: WinXP and Vista
|
Re: Boot sector changed
Hi,
That puzzled me as well, which is why I had you run the tool and scans. They are all coming up clean. Once you performed the System Restore, whatever it was appears to be gone. Has your system been performing as expected since?
#9 (permalink) |
|
Assistant Manager, TSF Academy; Moderator/Analyst Security Team
Join Date: Jan 2005
Location: Ohio
Posts: 27,027
OS: WinXP and Vista
|
Re: Boot sector changed
You're welcome.
If such a thing should recur, run a scan with dss.exe (it can be run from Safe Mode) and post the main.txt for review.