Technicolor screen, Popups, Error messages running programs, random programs starting

Nigel4 · 09-30-2007, 07:21 PM

I've been trying to fix my brother's computer for a while, but every Spy-bot and Ad-aware continuously find 60+ bad items and something has recently caused most programs to stop working completely that can be solved with a restart and crossed fingers. Recently a restart brought up a very colorful rendition of the screen that wasn't a good sign as I try to fix the computer. So I turn here. I'm pretty sure I got rid of the 'win antispyware 2005' malware he had running for the longest time. I had ZoneAlarm (deactivates the Windows default firewall) for a long time then had to uninstall it for Medal of Honor:Airbourne which required the windows firewall to be running (to add itself to the allow list). Then I got Jetico Personal Firewall and I've had Avast! On-Access scanner for the entire ordeal. I think that's about everything. Extra.txt is attached.

Edit: I tried the panda activescan. I downloaded the plug-in, but after 1.5 hours of running the scan it remained at 0%. If it's neccessary, I could run it overnight.

Deckard's System Scanner v20070905.67
Run by Owner on 2007-09-30 16:12:47
Computer is in Normal Mode.
--------------------------------------------------------------------------------

-- System Restore --------------------------------------------------------------

Successfully created a Deckard's System Scanner Restore Point.

-- Last 5 Restore Point(s) --
106: 2007-09-30 20:13:07 UTC - RP952 - Deckard's System Scanner Restore Point
105: 2007-09-30 04:25:03 UTC - RP951 - System Checkpoint
104: 2007-09-29 03:47:15 UTC - RP950 - System Checkpoint
103: 2007-09-28 01:01:00 UTC - RP949 - System Checkpoint
102: 2007-09-27 00:16:46 UTC - RP948 - System Checkpoint

-- First Restore Point --
1: 2007-09-20 13:07:14 UTC - RP847 - Removed Norton WMI Update

Backed up registry hives.
Performed disk cleanup.

-- HijackThis (run as Owner.exe) -----------------------------------------------

Unable to find log (file not found); running clone.
-- HijackThis Clone ------------------------------------------------------------

Emulating logfile of HijackThis v1.99.1
Scan saved at 2007-09-30 16:17:20
Platform: Windows XP Service Pack 2 (5.01.2600)
MSIE: Internet Explorer (7.00.6000.16512)

Running processes:
C:\WINDOWS\system32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Alwil Software\Avast4\ashDisp.exe
C:\WINDOWS\soundman.exe
C:\Program Files\LogMeIn\x86\LogMeInSystray.exe
C:\Program Files\Jetico Personal Firewall\fwsrv.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\WINDOWS\explorer.exe
C:\Documents and Settings\Owner\Desktop\dss.exe
C:\Program Files\Mozilla Firefox\firefox.exe

R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = http://www.microsoft.com/isapi/redir...ie&ar=iesearch
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://ie.redirect.hp.com/svs/rdr?TY...ion&pf=desktop
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://ie.redirect.hp.com/svs/rdr?TY...ion&pf=desktop
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.microsoft.com/isapi/redir...ie&ar=iesearch
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.microsoft.com/isapi/redir...ie&ar=iesearch
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://www.google.com/keyword/%s
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = iexplore
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by Comcast
R1 - HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Main,Search Bar = http://channels.aimtoday.com/search/aimtoolbar.jsp
R1 - HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Search,Default_Search_URL = http://www.microsoft.com/isapi/redir...ie&ar=iesearch
R1 - HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.microsoft.com/isapi/redir...ie&ar=iesearch
R1 - HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by Comcast
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - C:\Program Files\Google\GoogleToolbar1.dll
O2 - BHO: (no name) - {C3352FCD-CFE5-4F35-831A-19C68DDB7CF4} - C:\WINDOWS\system32\vtustqo.dll
O2 - BHO: (no name) - {D0A380DD-0750-468B-BEDD-B20C9DF360F7} - C:\WINDOWS\system32\ddayw.dll
O3 - Toolbar: HP view - {B2847E28-5D7D-4DEB-8B67-05D28BCF79F5} - C:\Program Files\HP\Digital Imaging\bin\hpdtlk02.dll
O3 - Toolbar: (no name) - - (no file)
O3 - Toolbar: (no name) - {62999427-33FC-4baf-9C9C-BCE6BD127F08} - (no file)
O3 - Toolbar: (no name) - {40D41A8B-D79B-43d7-99A7-9EE0F344C385} - (no file)
O3 - Toolbar: (no name) - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Program Files\Google\GoogleToolbar1.dll
O4 - HKEY_LOCAL_MACHINE\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKEY_LOCAL_MACHINE\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKEY_LOCAL_MACHINE\..\Run: [NeroFilterCheck] C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe
O4 - HKEY_LOCAL_MACHINE\..\Run: [LogMeIn GUI] "C:\Program Files\LogMeIn\x86\LogMeInSystray.exe"
O4 - HKEY_LOCAL_MACHINE\..\Run: [SearchIndexer] rundll32.exe "C:\WINDOWS\system32\fthtibtm.dll",sitypnow
O4 - HKEY_LOCAL_MACHINE\..\Run: [JeticoPFStartup] "C:\Program Files\Jetico Personal Firewall\fwsrv.exe"
O4 - HKEY_LOCAL_MACHINE\..\RunOnceEx: [Flag] 2
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O8 - Extra context menu item: &AIM Search - res://C:\Program Files\AIM Toolbar\AIMBar.dll/aimsearch.htm
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: &Translate English Word - res://c:\program files\google\GoogleToolbar1.dll/cmwordtrans.html
O8 - Extra context menu item: Add To HP Organize... - C:\PROGRA~1\HEWLET~1\HPORGA~1\bin\core.hp.main\SendTo.html
O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MI1933~1\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate Page into English - res://c:\program files\google\GoogleToolbar1.dll/cmtrans.html
O9 - Extra button: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\Party Poker\PartyPoker\RunApp.exe (file missing)
O9 - Extra 'Tools' menuitem: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\Party Poker\PartyPoker\RunApp.exe (file missing)
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\network diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\network diagnostic\xpnetdiag.exe
O15 - Trusted Zone: https://turbotax.com (HKCU)
O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://fpdownload.macromedia.com/pub...irector/sw.cab
O16 - DPF: {77538FC7-CE52-4704-9865-494FE92BC320} (LaunchUBO.Ulit) - http://www.ultimatebaseballonline.co.../launchubo.OCX
O16 - DPF: {9AC54695-69A4-46F1-BE10-10C74F9520D5} () - http://cabs.elitemediagroup.net/cabs/mediaview.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload.macromedia.com/pub...sh/swflash.cab
O16 - DPF: {DECEAAA2-370A-49BB-9362-68C3A58DDC62} () - http://static.zangocash.com/cab/Seek...dae853c5219026
O16 - DPF: {FD0B6769-6490-4A91-AA0A-B5AE0DC75AC9} (Performance Viewer Activex Control) - https://secure.logmein.com/activex/ractrl.cab?lmi=100
O18 - Protocol: cdo - {CD00020A-8B95-11D1-82DB-00C04FB1625D} - C:\Program Files\Common Files\Microsoft Shared\Web Folders\PKMCDO.DLL
O18 - Protocol: cetihpz - {CF184AD3-CDCB-4168-A3F7-8E447D129300} - C:\Program Files\HP\hpcoretech\comp\hpuiprot.dll
O18 - Protocol: mso-offdap - {3D9F03FA-7A94-11D3-BE81-0050048385D1} - C:\Program Files\Common Files\Microsoft Shared\Web Components\10\OWC10.DLL
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\system32\igfxsrvc.dll
O20 - Winlogon Notify: vtustqo - C:\WINDOWS\system32\vtustqo.dll
O23 - Service: AOL Connectivity Service (AOL ACS) - Unknown owner - C:\PROGRA~1\COMMON~1\AOL\ACS\acsd.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - "C:\Program Files\Common Files\InstallShield\Driver\1150\Intel 32\IDriverT.exe"
O23 - Service: NBService - Unknown owner - C:\Program Files\Nero\Nero 7\Nero BackItUp\NBService.exe
O23 - Service: RadClock - Unknown owner - C:\WINDOWS\system32\RadClock.exe
O23 - Service: StarWind iSCSI Service (StarWindService) - Rocket Division Software - C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindService.exe
O23 - Service: Ulead Burning Helper (UleadBurningHelper) - Ulead Systems, Inc. - C:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe
O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - America Online, Inc. - "C:\WINDOWS\wanmpsvc.exe"

-- File Associations -----------------------------------------------------------

All associations okay.

-- Drivers: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled ---------------------

R0 sfdrv01 (StarForce Protection Environment Driver (version 1.x)) - c:\windows\system32\drivers\sfdrv01.sys <Not Verified; Protection Technology (StarForce); SF FrontLine>
R0 sfhlp02 (StarForce Protection Helper Driver (version 2.x)) - c:\windows\system32\drivers\sfhlp02.sys <Not Verified; Protection Technology (StarForce); SF FrontLine>
R0 sfsync02 (StarForce Protection Synchronization Driver (version 2.x)) - c:\windows\system32\drivers\sfsync02.sys <Not Verified; Protection Technology; StarForce Protection System>
R0 sfsync04 (StarForce Protection Synchronization Driver (version 4.x)) - c:\windows\system32\drivers\sfsync04.sys <Not Verified; Protection Technology (StarForce); SF FrontLine>
R0 sfvfs02 (StarForce Protection VFS Driver (version 2.x)) - c:\windows\system32\drivers\sfvfs02.sys <Not Verified; Protection Technology; StarForce Protection System>
R0 vax347b - c:\windows\system32\drivers\vax347b.sys
R0 vax347s - c:\windows\system32\drivers\vax347s.sys
R1 ATITool (ATITool Overclocking Utility) - c:\windows\system32\drivers\atitool.sys <Not Verified; W1zzard; ATITool Driver>
R1 bc_filter - c:\windows\system32\drivers\bc_filter.sys <Not Verified; Jetico, Inc.; Jetico Personal Firewall Network Filter Driver>
R1 bc_ip_f (BC_IP_Filter) - c:\windows\system32\drivers\bc_ip_f.sys <Not Verified; Jetico, Inc.; Jetico Personal Firewall for Windows>
R1 bc_ngn (BC_Engine) - c:\windows\system32\drivers\bc_ngn.sys <Not Verified; Jetico, Inc.; Jetico Personal Firewall for Window>
R1 bc_pat_f (BC_PAT_Filter) - c:\windows\system32\drivers\bc_pat_f.sys <Not Verified; Jetico, Inc.; Jetico Personal Firewall for Windows>
R1 bc_prt_f (BC_Protocol_Filter) - c:\windows\system32\drivers\bc_prt_f.sys <Not Verified; Jetico, Inc.; Jetico Personal Firewall for Windows>
R1 bc_tdi_f (BC_TDI_Filter) - c:\windows\system32\drivers\bc_tdi_f.sys <Not Verified; Jetico, Inc.; Jetico Personal Firewall for Windows>
R1 bcftdi - c:\windows\system32\drivers\bcftdi.sys <Not Verified; Jetico, Inc.; Jetico Personal Firewall TDI Filter Driver>
R2 BT848 (WinFast TV2000 XP WDM Video Capture) - c:\windows\system32\drivers\wf2kvcap.sys <Not Verified; Leadtek Research Inc.; WinFast TV2000 XP WDM Video Capture Driver.>
R2 SVKP - c:\windows\system32\svkp.sys <Not Verified; AntiCracking; SVKP driver for NT>
R2 tv2ktunr (WinFast TV2000 XP WDM TVTuner) - c:\windows\system32\drivers\wf2ktunr.sys <Not Verified; Leadtek Research Inc.; WinFast TV2000 XP WDM Tuner Driver.>
R2 Tv2kXbar (WinFast TV2000 XP WDM Crossbar) - c:\windows\system32\drivers\wf2kxbar.sys <Not Verified; Leadtek Research Inc.; WinFast TV2000 XP WDM XBar Crossbar Driver.>
R3 Iviaspi (IVI ASPI Shell) - c:\windows\system32\drivers\iviaspi.sys <Not Verified; InterVideo, Inc.; InterVideo ASPI Shell>
R3 Pfc (Padus ASPI Shell) - c:\windows\system32\drivers\pfc.sys <Not Verified; Padus, Inc.; Padus(R) ASPI Shell>
R3 RadProbe (Radeon Probe Driver) - c:\windows\system32\drivers\radprobe.sys <Not Verified; ChrisW; RadProbe>

S3 ENTECH - c:\windows\system32\drivers\entech.sys (file missing)
S3 ialm - c:\windows\system32\drivers\ialmnt5.sys <Not Verified; Intel Corporation; Intel Graphics Accelerator Drivers for Windows NT(R)>
S3 pcouffin (VSO Software pcouffin) - c:\windows\system32\drivers\pcouffin.sys <Not Verified; VSO Software; Patin couffin engine>
S3 pnicml - c:\docume~1\owner\locals~1\temp\pnicml.sys (file missing)
S3 viagfx - c:\windows\system32\drivers\vtmini.sys (file missing)
S3 W8100PCI (D-Link AirPlus G Wireless Driver) - c:\windows\system32\drivers\mrv8k51.sys <Not Verified; Marvell Semiconductor, Inc; Device driver for Marvell 802.11 NIC>
S3 WFIOCTL - c:\program files\winfast\wftvfm\wfioctl.sys <Not Verified; Leadtek Research Inc.; WinFast MultiMedia Device Driver (Windows 2000/XP)>

-- Services: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled --------------------

S3 NBService - c:\program files\nero\nero 7\nero backitup\nbservice.exe
S4 AOL ACS (AOL Connectivity Service) - c:\progra~1\common~1\aol\acs\acsd.exe (file missing)
S4 RadClock - c:\windows\system32\radclock.exe <Not Verified; ; RadClock Module>

-- Device Manager: Disabled ----------------------------------------------------

No disabled devices found.

-- Scheduled Tasks -------------------------------------------------------------

2007-09-30 14:45:00 364 --a------ C:\WINDOWS\Tasks\Symantec NetDetect.job
2007-09-29 13:22:00 270 --a------ C:\WINDOWS\Tasks\Uniblue SpeedUpMyPC Nag.job
2007-07-01 13:22:45 392 --a------ C:\WINDOWS\Tasks\Uniblue SpeedUpMyPC.job

-- Files created between 2007-08-30 and 2007-09-30 -----------------------------

2007-09-30 15:35:09 0 d-------- C:\WINDOWS\LastGood
2007-09-29 15:11:06 0 d-------- C:\Documents and Settings\NetworkService\Application Data\Xfire
2007-09-27 10:23:20 44054 --a------ C:\WINDOWS\system32\nnnlklk.dll
2007-09-27 10:21:00 44054 --a------ C:\WINDOWS\system32\khffgef.dll
2007-09-21 23:18:57 2158335 ---hs---- C:\WINDOWS\system32\wyadd.bak2
2007-09-21 14:37:40 0 d-------- C:\Documents and Settings\Owner\Application Data\Jetico Personal Firewall
2007-09-20 22:36:19 0 d-------- C:\Program Files\Jetico Personal Firewall
2007-09-20 21:19:01 83008 --a------ C:\WINDOWS\system32\fthtibtm.dll
2007-09-20 09:08:47 2154735 ---hs---- C:\WINDOWS\system32\wyadd.bak1
2007-09-20 09

58 306784 --a------ C:\WINDOWS\system32\ddayw.dll
2007-09-20 09:05:58 0 d-------- C:\Documents and Settings\All Users\Application Data\WinAntiSpyware 2007
2007-09-20 09:05:24 44054 --a------ C:\WINDOWS\system32\hgghhgh.dll
2007-09-20 09:01:55 44054 --a------ C:\WINDOWS\system32\vtustqo.dll
2007-09-20 09:01:55 0 d-------- C:\WINDOWS\system32\f02WtR
2007-09-20 09:01:55 0 d-------- C:\Temp
2007-09-15 10:13:09 0 d-------- C:\Program Files\SpywareBlaster
2007-09-14 21:30:18 0 d-------- C:\Program Files\TrackMania Nations ESWC
2007-09-13 21:01:45 0 --a------ C:\WINDOWS\system32\atiicdxx.dat
2007-09-13 20:59:33 0 d-------- C:\Program Files\Halo
2007-09-13 20:55:37 0 d-------- C:\sysprep
2007-09-13 20:55:35 0 d-------- C:\Program Files\IntelliMover Data Transfer Demo
2007-09-13 20:55:27 0 d-------- C:\Program Files\Atari
2007-09-13 20:55:13 0 d-------- C:\Program Files\ItsDeductible2006
2007-09-13 20:55:01 0 d-------- C:\Program Files\Worms Armageddon
2007-09-13 20:49:19 0 d-------- C:\Program Files\ATI Technologies
2007-09-13 20:48:38 0 d-------- C:\ATI
2007-09-13 20

08 0 d-------- C:\Program Files\TrackMania Nations ESWC(2)
2007-09-11 22:37:26 0 d-------- C:\Program Files\DriverCleanerDotNET
2007-09-11 21:04:00 1100 --a------ C:\WINDOWS\system32\d3d8caps.dat
2007-09-11 18:56:15 0 d-------- C:\Program Files\Xfire
2007-09-11 18:34:02 0 d-------- C:\WINDOWS\system32\AGEIA(2)
2007-09-09 12:56:33 0 d-------- C:\Program Files\InterActual
2007-09-08 23:56:19 9175040 --a------ C:\Documents and Settings\Owner\ntuser.dat
2007-09-08 15:39:24 0 d-------- C:\Documents and Settings\Owner\Application Data\RipIt4Me

-- Find3M Report ---------------------------------------------------------------

2007-09-30 15:30:56 1814 --a------ C:\WINDOWS\mozver.dat
2007-09-30 13:09:22 0 d-------- C:\Program Files\PokerStars
2007-09-29 15:29:49 0 d-------- C:\Documents and Settings\Owner\Application Data\Xfire
2007-09-29 15:03:19 0 d-------- C:\Program Files\EA GAMES
2007-09-29 14:57:25 0 d-------- C:\Documents and Settings\Owner\Application Data\Apple Computer
2007-09-29 00:10:12 0 d-------- C:\Program Files\PokerStars.TEST
2007-09-27 10:23:30 0 d-a------ C:\Program Files\Common Files
2007-09-14 16:11:41 0 d-------- C:\Program Files\LEGO Media
2007-09-14 14:33:45 0 d-------- C:\Program Files\LogMeIn
2007-09-13 20:59:52 0 d-------- C:\Program Files\Electronic Arts
2007-09-13 20:49:20 0 d--h----- C:\Program Files\InstallShield Installation Information
2007-09-13 20:48:36 0 d-------- C:\Documents and Settings\Owner\Application Data\ATI
2007-09-11 22:48:10 1324 --a------ C:\WINDOWS\system32\d3d9caps.dat
2007-09-10 21:58:32 0 d-------- C:\Program Files\Midway Home Entertainment
2007-09-09 17:21:56 0 d-------- C:\Documents and Settings\Owner\Application Data\IGN_DLM
2007-08-16 11:59:38 34872 --a----c- C:\Documents and Settings\Owner\Application Data\GDIPFONTCACHEV1.DAT
2007-08-14 21:15:47 0 d-------- C:\Documents and Settings\Owner\Application Data\Ahead
2007-08-14 16:04:08 0 d-------- C:\Program Files\MSXML 6.0
2007-08-01 12:56:29 0 d-------- C:\Program Files\Sling Media
2007-07-31 18:07:25 0 d-------- C:\Program Files\Age of Empires II
2007-07-23 15:20:00 2497 --a----c- C:\WINDOWS\eReg.dat
2007-07-15 18:15:15 553 --a----c- C:\WINDOWS\EReg072.dat
2007-07-09 15:07:50 3596288 --a------ C:\WINDOWS\system32\qt-dx331.dll
2007-07-09 15:05:58 196608 --a------ C:\WINDOWS\system32\dtu100.dll <Not Verified; DivX, Inc.; DivX, Inc. dtu100>
2007-07-09 15:05:58 73728 --a------ C:\WINDOWS\system32\dpl100.dll <Not Verified; DivX, Inc.; DivX, Inc. dpl100>
2007-07-09 15:05:54 802816 --a------ C:\WINDOWS\system32\divx_xx11.dll <Not Verified; DivX, Inc.; DivX?>
2007-07-09 15:05:54 823296 --a------ C:\WINDOWS\system32\divx_xx0c.dll <Not Verified; DivX, Inc.; DivX®>
2007-07-09 15:05:54 823296 --a------ C:\WINDOWS\system32\divx_xx07.dll <Not Verified; DivX, Inc.; DivX®>
2007-07-09 15:05:54 740442 --a------ C:\WINDOWS\system32\DivX.dll <Not Verified; DivX, Inc.; DivX®>
2007-07-09 15:05:28 12288 --a------ C:\WINDOWS\system32\DivXWMPExtType.dll
2007-07-01 15:19:57 468 --a----c- C:\WINDOWS\EReg213.dat

-- Registry Dump ---------------------------------------------------------------

*Note* empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{C3352FCD-CFE5-4F35-831A-19C68DDB7CF4}]
09/20/2007 09:01 AM 44054 --a------ C:\WINDOWS\system32\vtustqo.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{D0A380DD-0750-468B-BEDD-B20C9DF360F7}]
09/20/2007 09:07 AM 306784 --a------ C:\WINDOWS\system32\ddayw.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"avast!"="C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe" [09/06/2007 06:06 AM]
"SoundMan"="SOUNDMAN.EXE" [04/16/2007 03:28 PM C:\WINDOWS\soundman.exe]
"NeroFilterCheck"="C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe" [01/12/2006 03:40 PM]
"LogMeIn GUI"="C:\Program Files\LogMeIn\x86\LogMeInSystray.exe" [04/17/2007 02:03 PM]
"SearchIndexer"="C:\WINDOWS\system32\fthtibtm.dll" [09/20/2007 09:19 PM]
"JeticoPFStartup"="C:\Program Files\Jetico Personal Firewall\fwsrv.exe" [07/19/2005 02:22 AM]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [08/04/2004 03:56 AM]

[HKEY_USERS\.default\software\microsoft\windows\currentversion\run]
"ALUAlert"=C:\Program Files\Symantec\LiveUpdate\ALUNotify.exe

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"DisableTaskMgr"=0 (0x0)

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]
"DisableTaskMgr"=0 (0x0)
"NoDispAppearancePage"=0 (0x0)
"NoColorChoice"=0 (0x0)
"NoSizeChoice"=0 (0x0)
"NoDispBackgroundPage"=0 (0x0)
"NoDispScrSavPage"=0 (0x0)
"NoDispCPL"=0 (0x0)
"NoVisualStyleChoice"=0 (0x0)
"NoDispSettingsPage"=0 (0x0)

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"NoActiveDesktop"=0 (0x0)
"NoSaveSettings"=0 (0x0)
"NoThemesTab"=0 (0x0)

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
"{35B2861B-2B26-4691-9FF0-09083722C736}"= C:\WINDOWS\system32\RadExe.dll [04/27/2005 04:49 AM 200704]
"{C3352FCD-CFE5-4F35-831A-19C68DDB7CF4}"= C:\WINDOWS\system32\vtustqo.dll [09/20/2007 09:01 AM 44054]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\LMIinit]
LMIinit.dll 05/25/2007 03:22 PM 63040 C:\WINDOWS\system32\LMIinit.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\vtustqo]
vtustqo.dll 09/20/2007 09:01 AM 44054 C:\WINDOWS\system32\vtustqo.dll

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
"Authentication Packages"= msv1_0 C:\\WINDOWS\\system32\\ddayw

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\vds]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{533C5B84-EC70-11D2-9505-00C04F79DEAF}]
@="Volume shadow copy"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Adobe Reader Speed Launch.lnk
backup=C:\WINDOWS\pss\Adobe Reader Speed Launch.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^America Online 9.0 Tray Icon.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\America Online 9.0 Tray Icon.lnk
backup=C:\WINDOWS\pss\America Online 9.0 Tray Icon.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^GStartup.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\GStartup.lnk
backup=C:\WINDOWS\pss\GStartup.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^HP Digital Imaging Monitor.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\HP Digital Imaging Monitor.lnk
backup=C:\WINDOWS\pss\HP Digital Imaging Monitor.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^InterVideo WinCinema Manager.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\InterVideo WinCinema Manager.lnk
backup=C:\WINDOWS\pss\InterVideo WinCinema Manager.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Microsoft Office.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Microsoft Office.lnk
backup=C:\WINDOWS\pss\Microsoft Office.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Quicken Scheduled Updates.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Quicken Scheduled Updates.lnk
backup=C:\WINDOWS\pss\Quicken Scheduled Updates.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Updates from HP.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Updates from HP.lnk
backup=C:\WINDOWS\pss\Updates from HP.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^Owner^Start Menu^Programs^Startup^HP Organize.lnk]
path=C:\Documents and Settings\Owner\Start Menu\Programs\Startup\HP Organize.lnk
backup=C:\WINDOWS\pss\HP Organize.lnkStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^Owner^Start Menu^Programs^Startup^IMStart.lnk]
path=C:\Documents and Settings\Owner\Start Menu\Programs\Startup\IMStart.lnk
backup=C:\WINDOWS\pss\IMStart.lnkStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^Owner^Start Menu^Programs^Startup^Zeno.lnk]
path=C:\Documents and Settings\Owner\Start Menu\Programs\Startup\Zeno.lnk
backup=C:\WINDOWS\pss\Zeno.lnkStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^Owner^Start Menu^Programs^Startup^Z_Start.lnk]
path=C:\Documents and Settings\Owner\Start Menu\Programs\Startup\Z_Start.lnk
backup=C:\WINDOWS\pss\Z_Start.lnkStartup
c:\windowsupdate\ufp\irs7\csrss.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Acme.PCHButton]
C:\PROGRA~1\HPINST~1\Pavilion\XPHNABS4EN\plugin\bin\pchbutton.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AGRSMMSG]
AGRSMMSG.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AIM]
C:\PROGRA~1\AIM\aim.exe -cnetwait.odl

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Aim6]
"C:\Program Files\Common Files\AOL\Launch\AOLLaunch.exe" /d locale=en-US ee://aol/imApp

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AlcxMonitor]
ALCXMNTR.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ATIPTA]
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BackupNotify]
c:\Program Files\HP\Digital Imaging\bin\backupnotify.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BrowserUpdateSched]
C:\WINDOWS\system32\pwinqsap.exe FI002

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ccApp]
"C:\Program Files\Common Files\Symantec Shared\ccApp.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DeviceDiscovery]
C:\Program Files\HP\Digital Imaging\bin\hpotdd01.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HostManager]
C:\Program Files\Common Files\AOL\1139081734\ee\AOLSoftware.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HP Component Manager]
"C:\Program Files\HP\hpcoretech\hpcmpmgr.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HP Software Update]
"C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HPDJ Taskbar Utility]
C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb09.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HPHmon05]
C:\WINDOWS\System32\hphmon05.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HPHUPD05]
c:\Program Files\HP\{45B6180B-DCAB-4093-8EE8-6164457517F0}\hphupd05.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\hpsysdrv]
c:\windows\system\hpsysdrv.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\igndlm.exe]
C:\Program Files\IGN\Download Manager\DLM.exe /windowsstart /startifwork

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
"C:\Program Files\iTunes\iTunesHelper.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\KBD]
C:\HP\KBD\KBD.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\KernelFaultCheck]
%systemroot%\system32\dumprep 0 -k

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\LogMeIn GUI]
"C:\Program Files\LogMeIn\LogMeInSystray.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
"C:\Program Files\Messenger\msmsgs.exe" /background

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroFilterCheck]
C:\WINDOWS\system32\NeroCheck.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PS2]
C:\WINDOWS\system32\ps2.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
"C:\Program Files\QuickTime\qttask.exe" -atboottime

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Recguard]
C:\WINDOWS\SMINST\RECGUARD.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Reminder]
"C:\Windows\Creator\Remind_XP.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SpyAxe]
C:\Program Files\SpyAxe\spyaxe.exe /h

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Start WingMan Profiler]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\StartCCC]
C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Symantec NetDriver Monitor]
C:\PROGRA~1\SYMNET~1\SNDMon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\tgcmd]
"C:\Program Files\support.com\bin\tgcmd.exe" /server

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TkBellExe]
"C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Tukati:4]
C:\Program Files\Tukati\Redistributor\4\TukatiRedistributor.exe -r:4 -x:1

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\UpdateManager]
"c:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\UserFaultCheck]
%systemroot%\system32\dumprep 0 -u

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ViewMgr]
C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\VTTimer]
VTTimer.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WildTangent CDA]
"C:\Program Files\WildTangent\Apps\CDA\GameDrvr.exe" /startup "C:\Program Files\WildTangent\Apps\CDA\cdaEngine0500.dll"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WinFast Schedule]
C:\Program Files\WinFast\WFTVFM\WFWIZ.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WinUpdateProtection]
c:\windowsupdate\ufp\008\csrss.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\{08-8B-BF-FC-ZN}]
C:\windows\system32\rpdsregs.exe FI002

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"ewido security suite control"=2 (0x2)
"vsmon"=2 (0x2)
"StarWindService"=2 (0x2)
"RadClock"=2 (0x2)
"PnkBstrA"=2 (0x2)
"ATI Smart"=2 (0x2)
"Ati HotKey Poller"=2 (0x2)
"WANMiniportService"=2 (0x2)

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\D]
AutoRun\command- D:\Info.exe folder.htt 480 480

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{32263ab0-eee4-11d8-b521-806d6172696f}]
AutoRun\command- D:\Info.exe folder.htt 480 480

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\ccc-core-static]
msiexec /fums {3CBBEE47-C8F4-316A-92FF-ED7E3DFAE41E} /qb

-- End of Deckard's System Scanner: finished at 2007-09-30 16:21:20 ------------

Bob4 · 10-01-2007, 06:05 PM

_________________________________
Welcome to the Forums.

The fixes we will use are specific to your problems and should only be used for this issue on this machine.

Please only use this topic to reply to. Do not start another thread.
If any other issues arise let me know.
The process is not instant. Please continue to review my answers until I tell you your machine is clear. Absence of symptoms does not mean that everything is clear. So lets do this to the end!

All hijackthis logs I ask for should be done in normal mode ( not safe mode)
These logs should be done last after you have followed my instructions in the previous post.

Please if you decide to seek help at another forum let us know. There is a shortage of helpers and tying 2 of us up is a waste of time.
If you have any questions about any advice given here please STOP and ask!

The fixes we are going to do may and may not help other problems you are having.

__________________

Please download VundoFix.exe to your desktop.
Double-click VundoFix.exe to run it.
Click the Scan for Vundo button.
Once it's done scanning, click the Remove Vundo button.
You will receive a prompt asking if you want to remove the files, click YES
Once you click yes, your desktop will go blank as it starts removing Vundo.
When completed, it will prompt that it will shutdown your computer, click OK.
Turn your computer back on.
Please post the contents of C:\vundofix.txt and a new HiJackThis log.

_________________________________

Download SmitfraudFix (by S!Ri) to your Desktop.
Smitfraud by S!ri

______________________________

Double clcik the smitfraud.exe
When promted
Press any key to continue.
Select option #1 - Search by typing 1 and press Enter

This program will scan large amounts of files on your computer for known patterns so please be patient while it works. When it is done, the results of the scan will be displayed and it will create a log named rapport.txt in the root of your drive, eg: Local Disk C: or partition where your operating system is installed. Please post that log along with any others I have asked for in your next reply.

Note : process.exe is detected by some antivirus programs (AntiVir, Dr.Web, Kaspersky) as a "RiskTool"; it is not a virus, but a program used to stop system processes. Antivirus programs cannot distinguish between "good" and "malicious" use of such programs, therefore they may alert the user. When prompted by allow it to run

IMPORTANT: Do NOT run any other options until you are asked to do so!
If you do and smitfraud isn't present it will have undesirable effects
_____________________________
In your next reply I would like to see:

A new HJT log
The Report from Vundofix
The report from smitfraud.

Nigel4 · 10-01-2007, 08:09 PM

I ran into some problems with Vundofix. A .dll called Vtustqo.dll repeatedly came up and triggered an NT Authority/SYSTEM shutdown for the lsass.exe. After the 3rd time running Vundofix on start-up with Vtustqo.dll still appearing, I'm posting this. Here's the VundoFix Log:

VundoFix V6.5.9

Checking Java version...

Java version is 1.4.2.3
Old versions of java are exploitable and should be removed.

Scan started at 9:46:44 PM 10/1/2007

Listing files found while scanning....

C:\windows\system32\fthtibtm.dll
C:\windows\system32\hgghhgh.dll
C:\windows\system32\khffgef.dll
C:\windows\system32\mtbithtf.ini
C:\windows\system32\nnnlklk.dll
C:\WINDOWS\system32\vtustqo.dll

Beginning removal...

Attempting to delete C:\windows\system32\fthtibtm.dll
C:\windows\system32\fthtibtm.dll Could not be deleted.

Attempting to delete C:\windows\system32\hgghhgh.dll
C:\windows\system32\hgghhgh.dll Has been deleted!

Attempting to delete C:\windows\system32\khffgef.dll
C:\windows\system32\khffgef.dll Has been deleted!

Attempting to delete C:\windows\system32\mtbithtf.ini
C:\windows\system32\mtbithtf.ini Has been deleted!

Attempting to delete C:\windows\system32\nnnlklk.dll
C:\windows\system32\nnnlklk.dll Has been deleted!

Attempting to delete C:\WINDOWS\system32\vtustqo.dll
C:\WINDOWS\system32\vtustqo.dll Could not be deleted.

Performing Repairs to the registry.
Done!

Beginning removal...

Attempting to delete C:\windows\system32\fthtibtm.dll
C:\windows\system32\fthtibtm.dll Has been deleted!

Attempting to delete C:\WINDOWS\system32\vtustqo.dll
C:\WINDOWS\system32\vtustqo.dll Could not be deleted.

Performing Repairs to the registry.
Done!

VundoFix V6.5.9

Checking Java version...

Java version is 1.4.2.3
Old versions of java are exploitable and should be removed.

Scan started at 9:55:16 PM 10/1/2007

Listing files found while scanning....

C:\windows\system32\vtustqo.dll

Beginning removal...

Attempting to delete C:\windows\system32\vtustqo.dll
C:\windows\system32\vtustqo.dll Could not be deleted.

Performing Repairs to the registry.
Done!

Beginning removal...

Attempting to delete C:\windows\system32\vtustqo.dll
C:\windows\system32\vtustqo.dll Could not be deleted.

Performing Repairs to the registry.
Done!

Should I continue with SmitFraud anyway? Also, you say to post a HJT log after the vundofix, but initially you said post the HJT log after all the steps you mentioned. Do you want two HJT Logs?

Bob4 · 10-02-2007, 04:41 AM

Please continue with the smitfraud fix.
I will only need 1 HJT log after everything I asked is done per post.

Nigel4 · 10-02-2007, 06:34 PM

SmitFraudFix v2.235

Scan done at 20:29:38.17, Tue 10/02/2007
Run from C:\Documents and Settings\Owner\My Documents\Downloads\SmitfraudFix
OS: Microsoft Windows XP [Version 5.1.2600] - Windows_NT
The filesystem type is NTFS
Fix run in normal mode

»»»»»»»»»»»»»»»»»»»»»»»» Process

C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\Program Files\LogMeIn\x86\LogMeInSystray.exe
C:\Program Files\Jetico Personal Firewall\fwsrv.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\WINDOWS\system32\cmd.exe

»»»»»»»»»»»»»»»»»»»»»»»» hosts

»»»»»»»»»»»»»»»»»»»»»»»» C:\

»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS

C:\WINDOWS\country.exe FOUND !
C:\WINDOWS\kl1.exe FOUND !
C:\WINDOWS\secure32.html FOUND !
C:\WINDOWS\toolbar.exe FOUND !

»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\system

»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\Web

»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\system32

»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\system32\LogFiles

»»»»»»»»»»»»»»»»»»»»»»»» C:\Documents and Settings\Owner

»»»»»»»»»»»»»»»»»»»»»»»» C:\Documents and Settings\Owner\Application Data

»»»»»»»»»»»»»»»»»»»»»»»» Start Menu

»»»»»»»»»»»»»»»»»»»»»»»» C:\DOCUME~1\Owner\FAVORI~1

»»»»»»»»»»»»»»»»»»»»»»»» Desktop

»»»»»»»»»»»»»»»»»»»»»»»» C:\Program Files

»»»»»»»»»»»»»»»»»»»»»»»» Corrupted keys

»»»»»»»»»»»»»»»»»»»»»»»» Desktop Components

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Desktop\Components\0]
"Source"="About:Home"
"SubscribedURL"="About:Home"
"FriendlyName"="My Current Home Page"

»»»»»»»»»»»»»»»»»»»»»»»» Sharedtaskscheduler
!!!Attention, following keys are not inevitably infected!!!

SrchSTS.exe by S!Ri
Search SharedTaskScheduler's .dll

»»»»»»»»»»»»»»»»»»»»»»»» AppInit_DLLs
!!!Attention, following keys are not inevitably infected!!!

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
"AppInit_DLLs"=""

»»»»»»»»»»»»»»»»»»»»»»»» Winlogon.System
!!!Attention, following keys are not inevitably infected!!!

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"System"=""

»»»»»»»»»»»»»»»»»»»»»»»» Rustock

»»»»»»»»»»»»»»»»»»»»»»»» DNS

HKLM\SYSTEM\CCS\Services\Tcpip\..\{240A4C79-8242-4231-89B6-2836FC0CC688}: DhcpNameServer=192.168.0.1
HKLM\SYSTEM\CCS\Services\Tcpip\..\{9A6F1D4E-9368-4CFC-B3C2-CD3E7F72B91A}: DhcpNameServer=68.87.77.130 68.87.72.130
HKLM\SYSTEM\CS1\Services\Tcpip\..\{240A4C79-8242-4231-89B6-2836FC0CC688}: DhcpNameServer=192.168.0.1
HKLM\SYSTEM\CS1\Services\Tcpip\..\{9A6F1D4E-9368-4CFC-B3C2-CD3E7F72B91A}: DhcpNameServer=68.87.77.130 68.87.72.130
HKLM\SYSTEM\CS3\Services\Tcpip\..\{240A4C79-8242-4231-89B6-2836FC0CC688}: DhcpNameServer=192.168.0.1
HKLM\SYSTEM\CS3\Services\Tcpip\..\{9A6F1D4E-9368-4CFC-B3C2-CD3E7F72B91A}: DhcpNameServer=68.87.77.130 68.87.72.130
HKLM\SYSTEM\CCS\Services\Tcpip\Parameters: DhcpNameServer=68.87.77.130 68.87.72.130
HKLM\SYSTEM\CS1\Services\Tcpip\Parameters: DhcpNameServer=68.87.77.130 68.87.72.130
HKLM\SYSTEM\CS3\Services\Tcpip\Parameters: DhcpNameServer=68.87.77.130 68.87.72.130

»»»»»»»»»»»»»»»»»»»»»»»» Scanning for wininet.dll infection

»»»»»»»»»»»»»»»»»»»»»»»» End

Deckard's System Scanner v20070905.67
Run by Owner on 2007-10-02 20:32:28
Computer is in Normal Mode.
--------------------------------------------------------------------------------

-- HijackThis (run as Owner.exe) -----------------------------------------------

Unable to find log (file not found); running clone.
-- HijackThis Clone ------------------------------------------------------------

Emulating logfile of HijackThis v1.99.1
Scan saved at 2007-10-02 20:32:32
Platform: Windows XP Service Pack 2 (5.01.2600)
MSIE: Internet Explorer (7.00.6000.16512)

Running processes:
C:\WINDOWS\system32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Alwil Software\Avast4\ashDisp.exe
C:\WINDOWS\soundman.exe
C:\Program Files\LogMeIn\x86\LogMeInSystray.exe
C:\Program Files\Jetico Personal Firewall\fwsrv.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Documents and Settings\Owner\Desktop\dss.exe

R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = http://www.microsoft.com/isapi/redir...ie&ar=iesearch
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://ie.redirect.hp.com/svs/rdr?TY...ion&pf=desktop
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://ie.redirect.hp.com/svs/rdr?TY...ion&pf=desktop
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.microsoft.com/isapi/redir...ie&ar=iesearch
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.microsoft.com/isapi/redir...ie&ar=iesearch
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://www.google.com/keyword/%s
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = iexplore
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by Comcast
R1 - HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Main,Search Bar = http://channels.aimtoday.com/search/aimtoolbar.jsp
R1 - HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Search,Default_Search_URL = http://www.microsoft.com/isapi/redir...ie&ar=iesearch
R1 - HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.microsoft.com/isapi/redir...ie&ar=iesearch
R1 - HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by Comcast
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - C:\Program Files\Google\GoogleToolbar1.dll
O2 - BHO: (no name) - {C3352FCD-CFE5-4F35-831A-19C68DDB7CF4} - C:\WINDOWS\system32\vtustqo.dll
O2 - BHO: (no name) - {D40A2633-1554-4CE9-B1BB-14B18F7BD1ED} - C:\WINDOWS\system32\ddayw.dll
O3 - Toolbar: HP view - {B2847E28-5D7D-4DEB-8B67-05D28BCF79F5} - C:\Program Files\HP\Digital Imaging\bin\hpdtlk02.dll
O3 - Toolbar: (no name) - - (no file)
O3 - Toolbar: (no name) - {62999427-33FC-4baf-9C9C-BCE6BD127F08} - (no file)
O3 - Toolbar: (no name) - {40D41A8B-D79B-43d7-99A7-9EE0F344C385} - (no file)
O3 - Toolbar: (no name) - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Program Files\Google\GoogleToolbar1.dll
O4 - HKEY_LOCAL_MACHINE\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKEY_LOCAL_MACHINE\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKEY_LOCAL_MACHINE\..\Run: [NeroFilterCheck] C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe
O4 - HKEY_LOCAL_MACHINE\..\Run: [LogMeIn GUI] "C:\Program Files\LogMeIn\x86\LogMeInSystray.exe"
O4 - HKEY_LOCAL_MACHINE\..\Run: [JeticoPFStartup] "C:\Program Files\Jetico Personal Firewall\fwsrv.exe"
O4 - HKEY_LOCAL_MACHINE\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKEY_LOCAL_MACHINE\..\RunOnceEx: [Flag] 2
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O8 - Extra context menu item: &AIM Search - res://C:\Program Files\AIM Toolbar\AIMBar.dll/aimsearch.htm
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: &Translate English Word - res://c:\program files\google\GoogleToolbar1.dll/cmwordtrans.html
O8 - Extra context menu item: Add To HP Organize... - C:\PROGRA~1\HEWLET~1\HPORGA~1\bin\core.hp.main\SendTo.html
O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MI1933~1\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate Page into English - res://c:\program files\google\GoogleToolbar1.dll/cmtrans.html
O9 - Extra button: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\Party Poker\PartyPoker\RunApp.exe (file missing)
O9 - Extra 'Tools' menuitem: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\Party Poker\PartyPoker\RunApp.exe (file missing)
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\network diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\network diagnostic\xpnetdiag.exe
O15 - Trusted Zone: https://turbotax.com (HKCU)
O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://fpdownload.macromedia.com/pub...irector/sw.cab
O16 - DPF: {77538FC7-CE52-4704-9865-494FE92BC320} (LaunchUBO.Ulit) - http://www.ultimatebaseballonline.co.../launchubo.OCX
O16 - DPF: {9AC54695-69A4-46F1-BE10-10C74F9520D5} () - http://cabs.elitemediagroup.net/cabs/mediaview.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload.macromedia.com/pub...sh/swflash.cab
O16 - DPF: {DECEAAA2-370A-49BB-9362-68C3A58DDC62} () - http://static.zangocash.com/cab/Seek...dae853c5219026
O16 - DPF: {FD0B6769-6490-4A91-AA0A-B5AE0DC75AC9} (Performance Viewer Activex Control) - https://secure.logmein.com/activex/ractrl.cab?lmi=100
O18 - Protocol: cdo - {CD00020A-8B95-11D1-82DB-00C04FB1625D} - C:\Program Files\Common Files\Microsoft Shared\Web Folders\PKMCDO.DLL
O18 - Protocol: cetihpz - {CF184AD3-CDCB-4168-A3F7-8E447D129300} - C:\Program Files\HP\hpcoretech\comp\hpuiprot.dll
O18 - Protocol: mso-offdap - {3D9F03FA-7A94-11D3-BE81-0050048385D1} - C:\Program Files\Common Files\Microsoft Shared\Web Components\10\OWC10.DLL
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\system32\igfxsrvc.dll
O20 - Winlogon Notify: vtustqo - C:\WINDOWS\system32\vtustqo.dll
O23 - Service: AOL Connectivity Service (AOL ACS) - Unknown owner - C:\PROGRA~1\COMMON~1\AOL\ACS\acsd.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - "C:\Program Files\Common Files\InstallShield\Driver\1150\Intel 32\IDriverT.exe"
O23 - Service: NBService - Unknown owner - C:\Program Files\Nero\Nero 7\Nero BackItUp\NBService.exe
O23 - Service: RadClock - Unknown owner - C:\WINDOWS\system32\RadClock.exe
O23 - Service: StarWind iSCSI Service (StarWindService) - Rocket Division Software - C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindService.exe
O23 - Service: Ulead Burning Helper (UleadBurningHelper) - Ulead Systems, Inc. - C:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe
O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - America Online, Inc. - "C:\WINDOWS\wanmpsvc.exe"

-- Files created between 2007-09-02 and 2007-10-02 -----------------------------

2007-10-02 20:29:51 1908 --a------ C:\WINDOWS\system32\tmp.reg
2007-10-01 21:46:44 0 d-------- C:\VundoFix Backups
2007-09-29 15:11:06 0 d-------- C:\Documents and Settings\NetworkService\Application Data\Xfire
2007-09-21 23:18:57 2158335 ---hs---- C:\WINDOWS\system32\wyadd.bak2
2007-09-21 14:37:40 0 d-------- C:\Documents and Settings\Owner\Application Data\Jetico Personal Firewall
2007-09-20 22:36:19 0 d-------- C:\Program Files\Jetico Personal Firewall
2007-09-20 09:08:47 2154735 ---hs---- C:\WINDOWS\system32\wyadd.bak1
2007-09-20 09

58 306784 --a------ C:\WINDOWS\system32\ddayw.dll
2007-09-20 09:05:58 0 d-------- C:\Documents and Settings\All Users\Application Data\WinAntiSpyware 2007
2007-09-20 09:01:55 44054 -----n--- C:\WINDOWS\system32\vtustqo.dll
2007-09-20 09:01:55 0 d-------- C:\WINDOWS\system32\f02WtR
2007-09-20 09:01:55 0 d-------- C:\Temp
2007-09-15 10:13:09 0 d-------- C:\Program Files\SpywareBlaster
2007-09-14 21:30:18 0 d-------- C:\Program Files\TrackMania Nations ESWC
2007-09-13 21:01:45 0 --a------ C:\WINDOWS\system32\atiicdxx.dat
2007-09-13 20:59:33 0 d-------- C:\Program Files\Halo
2007-09-13 20:55:37 0 d-------- C:\sysprep
2007-09-13 20:55:35 0 d-------- C:\Program Files\IntelliMover Data Transfer Demo
2007-09-13 20:55:27 0 d-------- C:\Program Files\Atari
2007-09-13 20:55:13 0 d-------- C:\Program Files\ItsDeductible2006
2007-09-13 20:55:01 0 d-------- C:\Program Files\Worms Armageddon
2007-09-13 20:49:19 0 d-------- C:\Program Files\ATI Technologies
2007-09-13 20:48:38 0 d-------- C:\ATI
2007-09-13 20

08 0 d-------- C:\Program Files\TrackMania Nations ESWC(2)
2007-09-11 22:37:26 0 d-------- C:\Program Files\DriverCleanerDotNET
2007-09-11 21:04:00 1100 --a------ C:\WINDOWS\system32\d3d8caps.dat
2007-09-11 18:56:15 0 d-------- C:\Program Files\Xfire
2007-09-11 18:34:02 0 d-------- C:\WINDOWS\system32\AGEIA(2)
2007-09-09 12:56:33 0 d-------- C:\Program Files\InterActual
2007-09-08 23:56:19 9175040 --a------ C:\Documents and Settings\Owner\ntuser.dat
2007-09-08 15:39:24 0 d-------- C:\Documents and Settings\Owner\Application Data\RipIt4Me

-- Find3M Report ---------------------------------------------------------------

2007-10-02 10:08:35 0 d-------- C:\Program Files\PokerStars
2007-09-30 15:30:56 1814 --a------ C:\WINDOWS\mozver.dat
2007-09-29 15:29:49 0 d-------- C:\Documents and Settings\Owner\Application Data\Xfire
2007-09-29 15:03:19 0 d-------- C:\Program Files\EA GAMES
2007-09-29 14:57:25 0 d-------- C:\Documents and Settings\Owner\Application Data\Apple Computer
2007-09-29 00:10:12 0 d-------- C:\Program Files\PokerStars.TEST
2007-09-27 10:23:30 0 d-a------ C:\Program Files\Common Files
2007-09-14 16:11:41 0 d-------- C:\Program Files\LEGO Media
2007-09-14 14:33:45 0 d-------- C:\Program Files\LogMeIn
2007-09-13 20:59:52 0 d-------- C:\Program Files\Electronic Arts
2007-09-13 20:49:20 0 d--h----- C:\Program Files\InstallShield Installation Information
2007-09-13 20:48:36 0 d-------- C:\Documents and Settings\Owner\Application Data\ATI
2007-09-11 22:48:10 1324 --a------ C:\WINDOWS\system32\d3d9caps.dat
2007-09-10 21:58:32 0 d-------- C:\Program Files\Midway Home Entertainment
2007-09-09 17:21:56 0 d-------- C:\Documents and Settings\Owner\Application Data\IGN_DLM
2007-08-16 11:59:38 34872 --a----c- C:\Documents and Settings\Owner\Application Data\GDIPFONTCACHEV1.DAT
2007-08-14 21:15:47 0 d-------- C:\Documents and Settings\Owner\Application Data\Ahead
2007-08-14 16:04:08 0 d-------- C:\Program Files\MSXML 6.0
2007-07-23 15:20:00 2497 --a----c- C:\WINDOWS\eReg.dat
2007-07-15 18:15:15 553 --a----c- C:\WINDOWS\EReg072.dat
2007-07-09 15:07:50 3596288 --a------ C:\WINDOWS\system32\qt-dx331.dll
2007-07-09 15:05:58 196608 --a------ C:\WINDOWS\system32\dtu100.dll <Not Verified; DivX, Inc.; DivX, Inc. dtu100>
2007-07-09 15:05:58 73728 --a------ C:\WINDOWS\system32\dpl100.dll <Not Verified; DivX, Inc.; DivX, Inc. dpl100>
2007-07-09 15:05:54 802816 --a------ C:\WINDOWS\system32\divx_xx11.dll <Not Verified; DivX, Inc.; DivX?>
2007-07-09 15:05:54 823296 --a------ C:\WINDOWS\system32\divx_xx0c.dll <Not Verified; DivX, Inc.; DivX®>
2007-07-09 15:05:54 823296 --a------ C:\WINDOWS\system32\divx_xx07.dll <Not Verified; DivX, Inc.; DivX®>
2007-07-09 15:05:54 740442 --a------ C:\WINDOWS\system32\DivX.dll <Not Verified; DivX, Inc.; DivX®>
2007-07-09 15:05:28 12288 --a------ C:\WINDOWS\system32\DivXWMPExtType.dll

-- Registry Dump ---------------------------------------------------------------

*Note* empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{C3352FCD-CFE5-4F35-831A-19C68DDB7CF4}]
09/20/2007 09:01 AM 44054 --------- C:\WINDOWS\system32\vtustqo.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{D40A2633-1554-4CE9-B1BB-14B18F7BD1ED}]
09/20/2007 09:07 AM 306784 --a------ C:\WINDOWS\system32\ddayw.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"avast!"="C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe" [09/06/2007 06:06 AM]
"SoundMan"="SOUNDMAN.EXE" [04/16/2007 03:28 PM C:\WINDOWS\soundman.exe]
"NeroFilterCheck"="C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe" [01/12/2006 03:40 PM]
"LogMeIn GUI"="C:\Program Files\LogMeIn\x86\LogMeInSystray.exe" [04/17/2007 02:03 PM]
"JeticoPFStartup"="C:\Program Files\Jetico Personal Firewall\fwsrv.exe" [07/19/2005 02:22 AM]
"TkBellExe"="C:\Program Files\Common Files\Real\Update_OB\realsched.exe" [12/14/2004 07:11 PM]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [08/04/2004 03:56 AM]

[HKEY_USERS\.default\software\microsoft\windows\currentversion\run]
"ALUAlert"=C:\Program Files\Symantec\LiveUpdate\ALUNotify.exe

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"DisableTaskMgr"=0 (0x0)

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]
"DisableTaskMgr"=0 (0x0)
"NoDispAppearancePage"=0 (0x0)
"NoColorChoice"=0 (0x0)
"NoSizeChoice"=0 (0x0)
"NoDispBackgroundPage"=0 (0x0)
"NoDispScrSavPage"=0 (0x0)
"NoDispCPL"=0 (0x0)
"NoVisualStyleChoice"=0 (0x0)
"NoDispSettingsPage"=0 (0x0)

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"NoActiveDesktop"=0 (0x0)
"NoSaveSettings"=0 (0x0)
"NoThemesTab"=0 (0x0)

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
"{35B2861B-2B26-4691-9FF0-09083722C736}"= C:\WINDOWS\system32\RadExe.dll [04/27/2005 04:49 AM 200704]
"{C3352FCD-CFE5-4F35-831A-19C68DDB7CF4}"= C:\WINDOWS\system32\vtustqo.dll [09/20/2007 09:01 AM 44054]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\LMIinit]
LMIinit.dll 05/25/2007 03:22 PM 63040 C:\WINDOWS\system32\LMIinit.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\vtustqo]
vtustqo.dll 09/20/2007 09:01 AM 44054 C:\WINDOWS\system32\vtustqo.dll

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
"Authentication Packages"= msv1_0 C:\\WINDOWS\\system32\\ddayw

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\vds]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{533C5B84-EC70-11D2-9505-00C04F79DEAF}]
@="Volume shadow copy"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Adobe Reader Speed Launch.lnk
backup=C:\WINDOWS\pss\Adobe Reader Speed Launch.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^America Online 9.0 Tray Icon.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\America Online 9.0 Tray Icon.lnk
backup=C:\WINDOWS\pss\America Online 9.0 Tray Icon.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^GStartup.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\GStartup.lnk
backup=C:\WINDOWS\pss\GStartup.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^HP Digital Imaging Monitor.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\HP Digital Imaging Monitor.lnk
backup=C:\WINDOWS\pss\HP Digital Imaging Monitor.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^InterVideo WinCinema Manager.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\InterVideo WinCinema Manager.lnk
backup=C:\WINDOWS\pss\InterVideo WinCinema Manager.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Microsoft Office.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Microsoft Office.lnk
backup=C:\WINDOWS\pss\Microsoft Office.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Quicken Scheduled Updates.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Quicken Scheduled Updates.lnk
backup=C:\WINDOWS\pss\Quicken Scheduled Updates.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Updates from HP.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Updates from HP.lnk
backup=C:\WINDOWS\pss\Updates from HP.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^Owner^Start Menu^Programs^Startup^HP Organize.lnk]
path=C:\Documents and Settings\Owner\Start Menu\Programs\Startup\HP Organize.lnk
backup=C:\WINDOWS\pss\HP Organize.lnkStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^Owner^Start Menu^Programs^Startup^IMStart.lnk]
path=C:\Documents and Settings\Owner\Start Menu\Programs\Startup\IMStart.lnk
backup=C:\WINDOWS\pss\IMStart.lnkStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^Owner^Start Menu^Programs^Startup^Zeno.lnk]
path=C:\Documents and Settings\Owner\Start Menu\Programs\Startup\Zeno.lnk
backup=C:\WINDOWS\pss\Zeno.lnkStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^Owner^Start Menu^Programs^Startup^Z_Start.lnk]
path=C:\Documents and Settings\Owner\Start Menu\Programs\Startup\Z_Start.lnk
backup=C:\WINDOWS\pss\Z_Start.lnkStartup
c:\windowsupdate\ufp\irs7\csrss.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Acme.PCHButton]
C:\PROGRA~1\HPINST~1\Pavilion\XPHNABS4EN\plugin\bin\pchbutton.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AGRSMMSG]
AGRSMMSG.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AIM]
C:\PROGRA~1\AIM\aim.exe -cnetwait.odl

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Aim6]
"C:\Program Files\Common Files\AOL\Launch\AOLLaunch.exe" /d locale=en-US ee://aol/imApp

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AlcxMonitor]
ALCXMNTR.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ATIPTA]
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BackupNotify]
c:\Program Files\HP\Digital Imaging\bin\backupnotify.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BrowserUpdateSched]
C:\WINDOWS\system32\pwinqsap.exe FI002

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ccApp]
"C:\Program Files\Common Files\Symantec Shared\ccApp.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DeviceDiscovery]
C:\Program Files\HP\Digital Imaging\bin\hpotdd01.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HostManager]
C:\Program Files\Common Files\AOL\1139081734\ee\AOLSoftware.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HP Component Manager]
"C:\Program Files\HP\hpcoretech\hpcmpmgr.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HP Software Update]
"C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HPDJ Taskbar Utility]
C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb09.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HPHmon05]
C:\WINDOWS\System32\hphmon05.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HPHUPD05]
c:\Program Files\HP\{45B6180B-DCAB-4093-8EE8-6164457517F0}\hphupd05.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\hpsysdrv]
c:\windows\system\hpsysdrv.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\igndlm.exe]
C:\Program Files\IGN\Download Manager\DLM.exe /windowsstart /startifwork

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
"C:\Program Files\iTunes\iTunesHelper.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\KBD]
C:\HP\KBD\KBD.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\KernelFaultCheck]
%systemroot%\system32\dumprep 0 -k

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\LogMeIn GUI]
"C:\Program Files\LogMeIn\LogMeInSystray.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
"C:\Program Files\Messenger\msmsgs.exe" /background

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroFilterCheck]
C:\WINDOWS\system32\NeroCheck.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PS2]
C:\WINDOWS\system32\ps2.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
"C:\Program Files\QuickTime\qttask.exe" -atboottime

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Recguard]
C:\WINDOWS\SMINST\RECGUARD.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Reminder]
"C:\Windows\Creator\Remind_XP.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SpyAxe]
C:\Program Files\SpyAxe\spyaxe.exe /h

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Start WingMan Profiler]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\StartCCC]
C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Symantec NetDriver Monitor]
C:\PROGRA~1\SYMNET~1\SNDMon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\tgcmd]
"C:\Program Files\support.com\bin\tgcmd.exe" /server

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TkBellExe]
"C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Tukati:4]
C:\Program Files\Tukati\Redistributor\4\TukatiRedistributor.exe -r:4 -x:1

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\UpdateManager]
"c:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\UserFaultCheck]
%systemroot%\system32\dumprep 0 -u

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ViewMgr]
C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\VTTimer]
VTTimer.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WildTangent CDA]
"C:\Program Files\WildTangent\Apps\CDA\GameDrvr.exe" /startup "C:\Program Files\WildTangent\Apps\CDA\cdaEngine0500.dll"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WinFast Schedule]
C:\Program Files\WinFast\WFTVFM\WFWIZ.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WinUpdateProtection]
c:\windowsupdate\ufp\008\csrss.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\{08-8B-BF-FC-ZN}]
C:\windows\system32\rpdsregs.exe FI002

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"ewido security suite control"=2 (0x2)
"vsmon"=2 (0x2)
"StarWindService"=2 (0x2)
"RadClock"=2 (0x2)
"PnkBstrA"=2 (0x2)
"ATI Smart"=2 (0x2)
"Ati HotKey Poller"=2 (0x2)
"WANMiniportService"=2 (0x2)

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\D]
AutoRun\command- D:\Info.exe folder.htt 480 480

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\ccc-core-static]
msiexec /fums {3CBBEE47-C8F4-316A-92FF-ED7E3DFAE41E} /qb

-- End of Deckard's System Scanner: finished at 2007-10-02 20:33:43 ------------

Bob4 · 10-03-2007, 03:59 PM

From here on in when I ask for a hJT log
Navigate to and find C:\Program Files\Trend Micro\HijackThis\Owner.exe
You can right click that file and choose send to :
Desktop (create shortcut) for your convenience.

This will post just the HJT portion of the log. No reason for me to see all that DSS see's more than once.

_____________________________
HJT
Run hijackthis and choose scan only and place a check by the following lines if present.
Close all other windows and browsers except HJT before clicking on Fix Checked

O2 - BHO: (no name) - {C3352FCD-CFE5-4F35-831A-19C68DDB7CF4} - C:\WINDOWS\system32\vtustqo.dll
O2 - BHO: (no name) - {D40A2633-1554-4CE9-B1BB-14B18F7BD1ED} - C:\WINDOWS\system32\ddayw.dll
O3 - Toolbar: (no name) - - (no file)
O3 - Toolbar: (no name) - {62999427-33FC-4baf-9C9C-BCE6BD127F08} - (no file)
O3 - Toolbar: (no name) - {40D41A8B-D79B-43d7-99A7-9EE0F344C385} - (no file)
O3 - Toolbar: (no name) - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)

O4 - HKEY_LOCAL_MACHINE\..\RunOnceEx: [Flag] 2
O9 - Extra button: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\Party Poker\PartyPoker\RunApp.exe (file missing)
O9 - Extra 'Tools' menuitem: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\Party Poker\PartyPoker\RunApp.exe (file missing)
O15 - Trusted Zone: <https://turbotax.com> (HKCU)
O16 - DPF: {9AC54695-69A4-46F1-BE10-10C74F9520D5} () - <http://cabs.elitemediagroup.net/cabs/mediaview.cab>
O16 - DPF: {DECEAAA2-370A-49BB-9362-68C3A58DDC62} () - http://static.zangocash.com/cab/Seek...dae853c5219026 <http://static.zangocash.com/cab/Seekmo/ie/bridge-c24.cab?0993688dc438777ffae64d31307a794694621c798d4971bf08fb991261a3b92a4407e2e8b2e1e238a16956b34f14128d9f08516218e990ace940b6dbfd8e5f:3a9fb66615443315d3dae853c5219026>
O20 - Winlogon Notify: vtustqo - C:\WINDOWS\system32\vtustqo.dll

_______________________________________________

Please print out or copy these instructions/tutorial to Notepad as the internet will not be (while in Safe Mode) available to you at certain points of the removal process. Make sure to work through all the Steps in the exact order in which they are listed below. If there's anything that you don't understand, ask your question(s) before moving on with the fixes.
___________________________________
Download AVG Anti-Spyware.

Install AVG Anti-Spyware.
Launch AVG by double-clicking on the icon.
The program will now open to the main screen.
You will need to update AVG to the latest definition files.
- At the top of the main screen click Update.
  - Then in the Manual Update section, click on Start Update.
The update will start and a progress bar will show the updates being installed.
When updates are completed, close AVG.

If you are having problems with the updater, you can use this link to manually update AVG.
AVG manual updates
Do not use it yet.

Reboot your computer in Safe Mode.

If the computer is running, shut down Windows, and then turn off the power.
Wait 30 seconds, and then turn the computer on.
Start tapping the F8 key. The Windows Advanced Options Menu appears. If you begin tapping the F8 key too soon, some computers display a "keyboard error" message. To resolve this, restart the computer and try again.
Ensure that the Safe Mode option is selected.
Press Enter. The computer then begins to start in Safe mode.
Login on your usual account.

______________________________

Open the SmitfraudFix Folder, then double-click smitfraudfix.cmd file to start the tool.
Select option #2 - Clean by typing 2 and press Enter.
Wait for the tool to complete and disk cleanup to finish.
You will be prompted : "Registry cleaning - Do you want to clean the registry ?" answer Yes by typing Y and hit Enter.
The tool will also check if wininet.dll is infected. If a clean version is found, you will be prompted to replace wininet.dll. Answer Yes to the question "Replace infected file ?" by typing Y and hit Enter.

A reboot may be needed to finish the cleaning process, if you computer does not restart automatically please do it yourself manually. Reboot in Safe Mode.

The tool will create a log named rapport.txt in the root of your drive, eg: Local Disk C: or partition where your operating system is installed. Please post that log along with all others requested in your next reply.
______________________________

Navigate to C:\Windows\Temp
Click Edit, click Select All, press the DELETE key, and then click Yes to confirm that you want to send all the items to the Recycle Bin.

Navigate to C:\Documents and Settings\(EVERY LISTED USER)\Local Settings\Temp
Click Edit, click Select All, press the DELETE key, and then click Yes to confirm that you want to send all the items to the Recycle Bin.

Clean out your Temporary Internet files. Proceed like this:

Quit Internet Explorer and quit any instances of Windows Explorer.
Click Start, click Control Panel, and then double-click Internet Options.
On the General tab, click Delete Files under Temporary Internet Files.
In the Delete Files dialog box, tick the Delete all offline content check box , and then click OK.
On the General tab, click Delete Cookies under Temporary Internet Files, and then click OK.
Click on the Programs tab then click the Reset Web Settings button. Click Apply then OK.
Click OK.

Next Click Start, click Control Panel and then double-click Display. Click on the Desktop tab, then click the Customize Desktop button. Click on the Web tab. Under Web Pages you should see a checked entry called Security info or something similar. If it is there, select that entry and click the Delete button. Click Ok then Apply and Ok.

Empty the Recycle Bin by right-clicking the Recycle Bin icon on your Desktop, and then clicking Empty Recycle Bin.
______________________________

Open the SmitfraudFix folder and double-click smitfraudfix.cmd
Select option #3 - Delete Trusted zone by typing 3 and press Enter.
Answer Yes to the question "Restore Trusted Zone ?" by typing Y and hit Enter.

Note, if you use SpywareBlaster and/or IE-SPYAD, it will be necessary to re-install the protection both afford. For SpywareBlaster, run the program and re-protect all items. For IE-SPYAD, run the batch file and reinstall the protection.
___________________________

Run AVG Anti-Spyware
Close ALL open Windows / Programs / Folders. Please start AVG Anti-Spyware and run a full scan.

Click on Scanner on the toolbar.
Click on the Settings tab.
- Under How to act?
  - Click on Recommended Action and choose Quarantine from the popup menu.
- Under How to scan?
  - All checkboxes should be ticked.
- Under Possibly unwanted software:
  - All checkboxes should be ticked.
- Under Reports:
  - Select Do not automatically generate reports
- Under What to scan?
  - Select Scan every file.
Click on the Scan tab.
Click on Complete System Scan to start the scan process.
Let the program scan the machine.

IMPORTANT : Don't click on the "Save Scan Report" button before you did hit the "Apply all Actions" button.
- Make sure that Set all elements to: shows Quarantine (1), if not click on the link and choose Quarantine from the popup menu. (2)
- At the bottom of the window click on the Apply all Actions button. (3)
When done, click the Save Scan Report button. (4)
- Click the Save Report as button.
- Save the report to your Desktop.
Right-click the AVG Anti-Spyware Tray Icon and select Exit. Confirm by clicking Yes.

Reboot normaly
__________________________
Please post:

c:\rapport.txt
AVG log
A new HijackThis log

Your may need several replies to post the requested logs, otherwise they might get cut off.

______________________________________________

Nigel4 · 10-03-2007, 07:03 PM

I've been running The Deckard's System Scanner rather than HJT. My older HJT repeatedly crashed when I tried to run it even after reboot and in safe. Could I get a link to a newer one maybe? The DSS isn't giving me the options you described, it just spits out a main.txt and an extra.txt when it finishes.

I've downloaded AVG and got the updates, I just need the HJT portion to continue.

Bob4 · 10-04-2007, 04:38 AM

Delete or uninstall your HJT.

download HJT from here.

http://www.trendsecure.com/portal/en...HJTInstall.exe

It will set it self up should work now. If your still having trouble with HJT just use dss.

Nigel4 · 10-05-2007, 08:50 PM

I got HJT downloaded, but I'm working through the technicolor screen problem for the second time, and I have to say, it's not cool at all. I'm hoping to get back to you at least once more over the weekend... Now to find the submit button...

Bob4 · 10-05-2007, 10:49 PM

Technocolor::
Can you attempt to reinstall video drivers?
IF you need help. Please let me know what video card you have ?

Nigel4 · 10-06-2007, 10:10 AM

I have a ATI Radeon 9600.

I had a sudden blast of about 20 pop ups when I rebooted after safe mode that all came up in internet explorer as blank:pages with a few IP's and generic mal-ware websites I couldn't read because of technicolor death.

Here come the logs: Rapport.txt

mitFraudFix v2.235

Scan done at 0:11:15.00, Sat 10/06/2007
Run from C:\Documents and Settings\Owner\My Documents\Downloads\SmitfraudFix
OS: Microsoft Windows XP [Version 5.1.2600] - Windows_NT
The filesystem type is NTFS
Fix run in safe mode

»»»»»»»»»»»»»»»»»»»»»»»» SharedTaskScheduler Before SmitFraudFix
!!!Attention, following keys are not inevitably infected!!!

SrchSTS.exe by S!Ri
Search SharedTaskScheduler's .dll

»»»»»»»»»»»»»»»»»»»»»»»» Killing process

»»»»»»»»»»»»»»»»»»»»»»»» hosts

127.0.0.1 localhost

»»»»»»»»»»»»»»»»»»»»»»»» Winsock2 Fix

S!Ri's WS2Fix: LSP not Found.

»»»»»»»»»»»»»»»»»»»»»»»» Generic Renos Fix

GenericRenosFix by S!Ri

»»»»»»»»»»»»»»»»»»»»»»»» Deleting infected files

C:\WINDOWS\country.exe Deleted
C:\WINDOWS\kl1.exe Deleted
C:\WINDOWS\secure32.html Deleted
C:\WINDOWS\toolbar.exe Deleted

»»»»»»»»»»»»»»»»»»»»»»»» DNS

HKLM\SYSTEM\CCS\Services\Tcpip\..\{240A4C79-8242-4231-89B6-2836FC0CC688}: DhcpNameServer=192.168.0.1
HKLM\SYSTEM\CCS\Services\Tcpip\..\{9A6F1D4E-9368-4CFC-B3C2-CD3E7F72B91A}: DhcpNameServer=68.87.77.130 68.87.72.130
HKLM\SYSTEM\CS1\Services\Tcpip\..\{240A4C79-8242-4231-89B6-2836FC0CC688}: DhcpNameServer=192.168.0.1
HKLM\SYSTEM\CS1\Services\Tcpip\..\{9A6F1D4E-9368-4CFC-B3C2-CD3E7F72B91A}: DhcpNameServer=68.87.77.130 68.87.72.130
HKLM\SYSTEM\CS3\Services\Tcpip\..\{240A4C79-8242-4231-89B6-2836FC0CC688}: DhcpNameServer=192.168.0.1
HKLM\SYSTEM\CS3\Services\Tcpip\..\{9A6F1D4E-9368-4CFC-B3C2-CD3E7F72B91A}: DhcpNameServer=68.87.77.130 68.87.72.130
HKLM\SYSTEM\CCS\Services\Tcpip\Parameters: DhcpNameServer=68.87.77.130 68.87.72.130
HKLM\SYSTEM\CS1\Services\Tcpip\Parameters: DhcpNameServer=68.87.77.130 68.87.72.130
HKLM\SYSTEM\CS3\Services\Tcpip\Parameters: DhcpNameServer=68.87.77.130 68.87.72.130

»»»»»»»»»»»»»»»»»»»»»»»» Deleting Temp Files

»»»»»»»»»»»»»»»»»»»»»»»» Winlogon.System
!!!Attention, following keys are not inevitably infected!!!

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"System"=""

»»»»»»»»»»»»»»»»»»»»»»»» Registry Cleaning

Registry Cleaning done.

»»»»»»»»»»»»»»»»»»»»»»»» SharedTaskScheduler After SmitFraudFix
!!!Attention, following keys are not inevitably infected!!!

SrchSTS.exe by S!Ri
Search SharedTaskScheduler's .dll

»»»»»»»»»»»»»»»»»»»»»»»» End

Nigel4 · 10-06-2007, 10:13 AM

---------------------------------------------------------
AVG Anti-Spyware - Scan Report
---------------------------------------------------------

+ Created at: 11:54:09 AM 10/6/2007

+ Scan result:

HKU\S-1-5-21-1032218028-3103756211-369227866-1003\Software\Microsoft\Windows\CurrentVersion\Ext\Settings\{01EB5130-FC0C-4D75-B9CE-4801B1B854F5} -> Adware.Begin2Search : Cleaned with backup (quarantined).
HKU\S-1-5-21-1032218028-3103756211-369227866-1003\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{01EB5130-FC0C-4D75-B9CE-4801B1B854F5} -> Adware.Begin2Search : Cleaned with backup (quarantined).
C:\WINDOWS\eliteunstall.exe -> Adware.EliteMedia : Cleaned with backup (quarantined).
HKU\S-1-5-21-1032218028-3103756211-369227866-1003\Software\Microsoft\Internet Explorer\Toolbar\ShellBrowser\\{D49E9D35-254C-4C6A-9D17-95018D228FF5} -> Adware.Starware : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{70304573-AB33-4072-AA96-4495C42D15E3}\RP937\A0452714.exe -> Downloader.Small.bmx : Cleaned with backup (quarantined).
C:\Program Files\Trend Micro\HijackThis\backups\backup-20071005-230342-825.inf -> Downloader.Small.rl : Cleaned with backup (quarantined).
C:\Program Files\Microsoft AntiSpyware\Quarantine\2C37B51E-C36A-4A16-9C95-082138\0A833D90-1006-44FC-AE55-261161 -> Not-A-Virus.Monitor.Win32.KeyLogger.e : Cleaned with backup (quarantined).
C:\Program Files\Microsoft AntiSpyware\Quarantine\2C37B51E-C36A-4A16-9C95-082138\B42E6C69-BDCC-4D0C-B115-C9E447 -> Not-A-Virus.Monitor.Win32.KeyLogger.e : Cleaned with backup (quarantined).
C:\windowsupdate\ufp\008\svchost.exe -> Not-A-Virus.Monitor.Win32.KeyLogger.e : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{70304573-AB33-4072-AA96-4495C42D15E3}\RP904\A0443905.dll -> Not-A-Virus.RemoteAdmin.Win32.RemotelyAnywhere.a : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{70304573-AB33-4072-AA96-4495C42D15E3}\RP905\A0443923.dll -> Not-A-Virus.RemoteAdmin.Win32.RemotelyAnywhere.a : Cleaned with backup (quarantined).
C:\WINDOWS\system32\LMIinit.dll.000.bak -> Not-A-Virus.RemoteAdmin.Win32.RemotelyAnywhere.a : Cleaned with backup (quarantined).
:mozilla.20:C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\l0wau5q2.default\cookies.txt -> TrackingCookie.Tacoda : Cleaned.
:mozilla.21:C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\l0wau5q2.default\cookies.txt -> TrackingCookie.Tacoda : Cleaned.
:mozilla.22:C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\l0wau5q2.default\cookies.txt -> TrackingCookie.Tacoda : Cleaned.
:mozilla.23:C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\l0wau5q2.default\cookies.txt -> TrackingCookie.Tacoda : Cleaned.
:mozilla.24:C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\l0wau5q2.default\cookies.txt -> TrackingCookie.Tacoda : Cleaned.
C:\System Volume Information\_restore{70304573-AB33-4072-AA96-4495C42D15E3}\RP899\A0443442.dll -> Trojan.WinSpy : Cleaned with backup (quarantined).

::Report end

On this one there was a Tacoda web cookie or something from mozilla that couldn't be quarantined, I assumed (hopefully correctly) that it should just be deleted. It's quarantine option was greyed out.

Nigel4 · 10-06-2007, 10:14 AM

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 12:14:06 PM, on 10/6/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16512)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\Program Files\LogMeIn\x86\LogMeInSystray.exe
C:\Program Files\Jetico Personal Firewall\fwsrv.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Microsoft Office\Office10\WINWORD.EXE
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by Comcast
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
O3 - Toolbar: HP view - {B2847E28-5D7D-4DEB-8B67-05D28BCF79F5} - c:\Program Files\HP\Digital Imaging\bin\hpdtlk02.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [NeroFilterCheck] C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe
O4 - HKLM\..\Run: [LogMeIn GUI] "C:\Program Files\LogMeIn\x86\LogMeInSystray.exe"
O4 - HKLM\..\Run: [JeticoPFStartup] "C:\Program Files\Jetico Personal Firewall\fwsrv.exe"
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKUS\S-1-5-18\..\Run: [ALUAlert] C:\Program Files\Symantec\LiveUpdate\ALUNotify.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [ALUAlert] C:\Program Files\Symantec\LiveUpdate\ALUNotify.exe (User 'Default user')
O8 - Extra context menu item: &AIM Search - res://C:\Program Files\AIM Toolbar\AIMBar.dll/aimsearch.htm
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: &Translate English Word - res://c:\program files\google\GoogleToolbar1.dll/cmwordtrans.html
O8 - Extra context menu item: Add To HP Organize... - C:\PROGRA~1\HEWLET~1\HPORGA~1\bin\core.hp.main\SendTo.html
O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MI1933~1\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate Page into English - res://c:\program files\google\GoogleToolbar1.dll/cmtrans.html
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll
O16 - DPF: {77538FC7-CE52-4704-9865-494FE92BC320} (LaunchUBO.Ulit) - http://www.ultimatebaseballonline.co.../launchubo.OCX
O16 - DPF: {FD0B6769-6490-4A91-AA0A-B5AE0DC75AC9} (Performance Viewer Activex Control) - https://secure.logmein.com/activex/ractrl.cab?lmi=100
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1150\Intel 32\IDriverT.exe
O23 - Service: NBService - Nero AG - C:\Program Files\Nero\Nero 7\Nero BackItUp\NBService.exe
O23 - Service: Ulead Burning Helper (UleadBurningHelper) - Ulead Systems, Inc. - C:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe

--
End of file - 5247 bytes

This is a new HJT Log after doing everything else, not immediately after removing the entries you said to.

Bob4 · 10-06-2007, 10:33 AM

OK lets see if we can fix your graphics drivers so that this is easier for you.
It is possible your graphics card is bad and may need replacing.

Go to :
http://ati.de/support/driver.html

In the windows Box click on
Professional/home

In the next window choose radeon

In the next window choose Radeon 9600 series.

The click go.
In the next page:
I would choose at this point the Display driver only, it's the second choice down !

Download and run that closing all other applications/browsers.
Follow the prompts.

Let me know if that helps. Then we can try and continue cleaning your machine.

If that doesn't help let me know exactly what your seeingas far as a technicolor screen.

Nigel4 · 10-06-2007, 07:35 PM

Well, I reset my Jetico to factory defaults because things keep running and I can't pinpoint where they start from, but now I've discovered that the technicolor thing is due to a wmiprvse.exe. I stopped it from running, and the problem went away without a restart (thus I concluded it isn't graphics card related).

I also got new drivers, though.

Bob4 · 10-07-2007, 04:41 AM

wmiprvse.exe.. Is a legitimate process. Why it effected your graphics is beyond me. Just don't delete that file.

Let's get one more scan.

1. Download Combo fix from one of these locations.
http://www.techsupportforum.com/sect...s/ComboFix.exe
http://download.bleepingcomputer.com/sUBs/ComboFix.exe

combofix.exe
2. Double click combofix.exe & follow the prompts.
3. When finished, it shall produce a log for you. Post that log in your next reply . (c:\comboFix.txt)

Note:
Do not mouseclick combofix's window whilst it's running. That may cause it to stall
________________

_____________________________
In your next reply I would like to see:

A new HJT log
The report from combofix
Let me know how things are running.

Nigel4 · 10-07-2007, 05:33 PM

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 7:33:30 PM, on 10/7/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16512)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\Program Files\Jetico Personal Firewall\fwsrv.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\WINDOWS\system32\notepad.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: HP view - {B2847E28-5D7D-4DEB-8B67-05D28BCF79F5} - c:\Program Files\HP\Digital Imaging\bin\hpdtlk02.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [NeroFilterCheck] C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe
O4 - HKLM\..\Run: [JeticoPFStartup] "C:\Program Files\Jetico Personal Firewall\fwsrv.exe"
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKLM\..\Run: [AtiPTA] atiptaxx.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\RunOnce: [Shockwave Updater] C:\WINDOWS\system32\Macromed\SHOCKW~1\SWHELP~1.EXE -Update -1020022 -iexplore.exe7.0
O4 - HKUS\S-1-5-18\..\Run: [ALUAlert] C:\Program Files\Symantec\LiveUpdate\ALUNotify.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [ALUAlert] C:\Program Files\Symantec\LiveUpdate\ALUNotify.exe (User 'Default user')
O8 - Extra context menu item: &AIM Search - res://C:\Program Files\AIM Toolbar\AIMBar.dll/aimsearch.htm
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: &Translate English Word - res://c:\program files\google\GoogleToolbar1.dll/cmwordtrans.html
O8 - Extra context menu item: Add To HP Organize... - C:\PROGRA~1\HEWLET~1\HPORGA~1\bin\core.hp.main\SendTo.html
O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MI1933~1\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate Page into English - res://c:\program files\google\GoogleToolbar1.dll/cmtrans.html
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll
O16 - DPF: {77538FC7-CE52-4704-9865-494FE92BC320} (LaunchUBO.Ulit) - http://www.ultimatebaseballonline.co.../launchubo.OCX
O16 - DPF: {FD0B6769-6490-4A91-AA0A-B5AE0DC75AC9} (Performance Viewer Activex Control) - https://secure.logmein.com/activex/ractrl.cab?lmi=100
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1150\Intel 32\IDriverT.exe
O23 - Service: NBService - Nero AG - C:\Program Files\Nero\Nero 7\Nero BackItUp\NBService.exe
O23 - Service: Ulead Burning Helper (UleadBurningHelper) - Ulead Systems, Inc. - C:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe

--
End of file - 5412 bytes

Nigel4 · 10-07-2007, 05:34 PM

ComboFix 07-10-07.2 - Owner 2007-10-07 9:03:56.1 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.266 [GMT -4:00]
Running from: C:\Documents and Settings\Owner\My Documents\Downloads\ComboFix.exe
* Created a new restore point
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\check_LSA7.txt
C:\Documents and Settings\All Users\Application Data.\winantispyware 2007
C:\Documents and Settings\All Users\Application Data.\winantispyware 2007\Data\Abbr
C:\Documents and Settings\All Users\Application Data.\winantispyware 2007\Data\ProductCode
C:\Documents and Settings\All Users\Application Data\WinAntiSpyware 2007\Data\Abbr
C:\Documents and Settings\All Users\Application Data\WinAntiSpyware 2007\Data\Abbr
C:\Documents and Settings\All Users\Application Data\WinAntiSpyware 2007\Data\ProductCode
C:\Documents and Settings\All Users\Application Data\WinAntiSpyware 2007\Data\ProductCode
C:\Documents and Settings\Owner\Application Data\inst.exe
C:\Documents and Settings\Owner\Application Data\inst.exe
C:\Temp\fse
C:\WINDOWS\cookies.ini
C:\WINDOWS\hosts
C:\WINDOWS\system32\ddayw.dll
C:\WINDOWS\system32\drivers\sfsync02.sys
C:\WINDOWS\system32\f02WtR
C:\WINDOWS\system32\vtustqo.dll
C:\WINDOWS\system32\wyadd.bak1
C:\WINDOWS\system32\wyadd.bak2
C:\WINDOWS\system32\wyadd.ini
D:\Autorun.inf

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))

-------\LEGACY_FOPN
-------\LEGACY_SFSYNC02
-------\nm
-------\sfsync02

((((((((((((((((((((((((( Files Created from 2007-09-07 to 2007-10-07 )))))))))))))))))))))))))))))))
.

2007-10-07 09:02 51,200 --a------ C:\WINDOWS\NirCmd.exe
2007-10-06 23:27 516,096 --a------ C:\WINDOWS\system32\ati2sgag.exe
2007-10-06 23:24 451,072 --a------ C:\WINDOWS\Radeon Omega Drivers v3.8.252 Uninstall.exe
2007-10-06 23:24 <DIR> d-------- C:\Program Files\Radeon Omega Drivers
2007-10-06 23:24 <DIR> d-------- C:\Program Files\MultiRes
2007-10-05 22:50 <DIR> d-------- C:\Program Files\Trend Micro
2007-10-03 21:06 10,872 --a------ C:\WINDOWS\system32\drivers\AvgAsCln.sys
2007-10-02 20:29 2,104 --a------ C:\WINDOWS\system32\tmp.reg
2007-10-01 21:46 <DIR> d-------- C:\VundoFix Backups
2007-09-30 15:41 <DIR> d-------- C:\Deckard
2007-09-29 15:11 <DIR> d-------- C:\Documents and Settings\NetworkService\Application Data\Xfire
2007-09-21 14:37 <DIR> d-------- C:\Documents and Settings\Owner\Application Data\Jetico Personal Firewall
2007-09-21 14:37 <DIR> d-------- C:\Documents and Settings\Owner\Application Data\Jetico Personal Firewall
2007-09-20 22:36 <DIR> d-------- C:\Program Files\Jetico Personal Firewall
2007-09-20 09:01 <DIR> d-------- C:\Temp
2007-09-15 10:13 <DIR> d-------- C:\Program Files\SpywareBlaster
2007-09-14 21:30 <DIR> d-------- C:\Program Files\TrackMania Nations ESWC
2007-09-13 20:59 <DIR> d-------- C:\Program Files\Halo
2007-09-13 20:55 <DIR> d-------- C:\sysprep
2007-09-13 20:55 <DIR> d-------- C:\Program Files\Worms Armageddon
2007-09-13 20:55 <DIR> d-------- C:\Program Files\ItsDeductible2006
2007-09-13 20:55 <DIR> d-------- C:\Program Files\IntelliMover Data Transfer Demo
2007-09-13 20:55 <DIR> d-------- C:\Program Files\Atari
2007-09-13 20:48 <DIR> d-------- C:\ATI
2007-09-13 20:06 <DIR> d-------- C:\Program Files\TrackMania Nations ESWC(2)
2007-09-11 22:37 <DIR> d-------- C:\Program Files\DriverCleanerDotNET
2007-09-11 21:04 1,100 --a------ C:\WINDOWS\system32\d3d8caps.dat
2007-09-11 18:56 <DIR> d-------- C:\Program Files\Xfire
2007-09-11 18:34 <DIR> d-------- C:\WINDOWS\system32\AGEIA(2)
2007-09-09 12:56 <DIR> d-------- C:\Program Files\InterActual
2007-09-08 15:39 <DIR> d-------- C:\Documents and Settings\Owner\Application Data\RipIt4Me
2007-09-08 15:39 <DIR> d-------- C:\Documents and Settings\Owner\Application Data\RipIt4Me

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2007-10-04 20:53 --------- d-------- C:\Documents and Settings\All Users\Application Data\DVD Shrink
2007-10-03 09:29 --------- d-------- C:\Program Files\PokerStars
2007-09-29 15:29 --------- d-------- C:\Documents and Settings\Owner\Application Data\Xfire
2007-09-29 15:29 --------- d-------- C:\Documents and Settings\Owner\Application Data\Xfire
2007-09-29 15:03 --------- d-------- C:\Program Files\EA GAMES
2007-09-29 14:57 --------- d-------- C:\Documents and Settings\Owner\Application Data\Apple Computer
2007-09-29 14:57 --------- d-------- C:\Documents and Settings\Owner\Application Data\Apple Computer
2007-09-29 00:10 --------- d-------- C:\Program Files\PokerStars.TEST
2007-09-14 16:11 --------- d-------- C:\Program Files\LEGO Media
2007-09-14 14:33 --------- d-------- C:\Program Files\LogMeIn
2007-09-13 20:59 --------- d-------- C:\Program Files\Electronic Arts
2007-09-13 20:49 --------- d--h----- C:\Program Files\InstallShield Installation Information
2007-09-13 20:48 --------- d-------- C:\Documents and Settings\Owner\Application Data\ATI
2007-09-13 20:48 --------- d-------- C:\Documents and Settings\Owner\Application Data\ATI
2007-09-10 21:58 --------- d-------- C:\Program Files\Midway Home Entertainment
2007-09-09 17:21 --------- d-------- C:\Documents and Settings\Owner\Application Data\IGN_DLM
2007-09-09 17:21 --------- d-------- C:\Documents and Settings\Owner\Application Data\IGN_DLM
2007-09-06 06:05 94416 --a------ C:\WINDOWS\system32\drivers\aswmon2.sys
2007-09-06 06:05 92848 --a------ C:\WINDOWS\system32\drivers\aswmon.sys
2007-09-06 06:03 23152 --a------ C:\WINDOWS\system32\drivers\aswRdr.sys
2007-09-06 06:02 42912 --a------ C:\WINDOWS\system32\drivers\aswTdi.sys
2007-09-06 06:00 26624 --a------ C:\WINDOWS\system32\drivers\aavmker4.sys
2007-08-14 21:15 --------- d-------- C:\Documents and Settings\Owner\Application Data\Ahead
2007-08-14 21:15 --------- d-------- C:\Documents and Settings\Owner\Application Data\Ahead
2007-08-14 16:04 --------- d-------- C:\Program Files\MSXML 6.0
2007-04-21 14:34 47360 --a------ C:\Documents and Settings\Owner\Application Data\pcouffin.sys
2007-04-21 14:34 47360 --a------ C:\Documents and Settings\Owner\Application Data\pcouffin.sys
2006-11-21 20:58 1 --a--c--- C:\Documents and Settings\Owner\SI.bin
2005-04-29 16:21 774144 --a--c--- C:\Program Files\RngInterstitial.dll
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"avast!"="C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe" [2007-09-06 06:06]
"SoundMan"="SOUNDMAN.EXE" [2007-04-16 15:28 C:\WINDOWS\soundman.exe]
"NeroFilterCheck"="C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe" [2006-01-12 15:40]
"JeticoPFStartup"="C:\Program Files\Jetico Personal Firewall\fwsrv.exe" [2005-07-19 02:22]
"TkBellExe"="C:\Program Files\Common Files\Real\Update_OB\realsched.exe" [2004-12-14 19:11]
"!AVG Anti-Spyware"="C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" [2007-06-11 05:25]
"AtiPTA"="atiptaxx.exe" [2006-02-21 20:05 C:\WINDOWS\system32\atiptaxx.exe]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 03:56]

[HKEY_USERS\.default\software\microsoft\windows\currentversion\run]
"ALUAlert"=C:\Program Files\Symantec\LiveUpdate\ALUNotify.exe

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
"{35B2861B-2B26-4691-9FF0-09083722C736}"= C:\WINDOWS\system32\RadExe.dll [2005-04-27 04:49 200704]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\LMIinit]
LMIinit.dll 2007-05-25 15:22 63040 C:\WINDOWS\system32\LMIinit.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Adobe Reader Speed Launch.lnk
backup=C:\WINDOWS\pss\Adobe Reader Speed Launch.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^America Online 9.0 Tray Icon.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\America Online 9.0 Tray Icon.lnk
backup=C:\WINDOWS\pss\America Online 9.0 Tray Icon.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^GStartup.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\GStartup.lnk
backup=C:\WINDOWS\pss\GStartup.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^HP Digital Imaging Monitor.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\HP Digital Imaging Monitor.lnk
backup=C:\WINDOWS\pss\HP Digital Imaging Monitor.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^InterVideo WinCinema Manager.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\InterVideo WinCinema Manager.lnk
backup=C:\WINDOWS\pss\InterVideo WinCinema Manager.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Microsoft Office.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Microsoft Office.lnk
backup=C:\WINDOWS\pss\Microsoft Office.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Quicken Scheduled Updates.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Quicken Scheduled Updates.lnk
backup=C:\WINDOWS\pss\Quicken Scheduled Updates.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Updates from HP.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Updates from HP.lnk
backup=C:\WINDOWS\pss\Updates from HP.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^Owner^Start Menu^Programs^Startup^HP Organize.lnk]
path=C:\Documents and Settings\Owner\Start Menu\Programs\Startup\HP Organize.lnk
backup=C:\WINDOWS\pss\HP Organize.lnkStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^Owner^Start Menu^Programs^Startup^IMStart.lnk]
path=C:\Documents and Settings\Owner\Start Menu\Programs\Startup\IMStart.lnk
backup=C:\WINDOWS\pss\IMStart.lnkStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^Owner^Start Menu^Programs^Startup^Zeno.lnk]
path=C:\Documents and Settings\Owner\Start Menu\Programs\Startup\Zeno.lnk
backup=C:\WINDOWS\pss\Zeno.lnkStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^Owner^Start Menu^Programs^Startup^Z_Start.lnk]
path=C:\Documents and Settings\Owner\Start Menu\Programs\Startup\Z_Start.lnk
backup=C:\WINDOWS\pss\Z_Start.lnkStartup
c:\windowsupdate\ufp\irs7\csrss.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\!AVG Anti-Spyware]
"C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Acme.PCHButton]
C:\PROGRA~1\HPINST~1\Pavilion\XPHNABS4EN\plugin\bin\pchbutton.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AGRSMMSG]
AGRSMMSG.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AIM]
C:\PROGRA~1\AIM\aim.exe -cnetwait.odl

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Aim6]
"C:\Program Files\Common Files\AOL\Launch\AOLLaunch.exe" /d locale=en-US ee://aol/imApp

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AlcxMonitor]
ALCXMNTR.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ATIPTA]
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BackupNotify]
c:\Program Files\HP\Digital Imaging\bin\backupnotify.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BrowserUpdateSched]
C:\WINDOWS\system32\pwinqsap.exe FI002

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ccApp]
"C:\Program Files\Common Files\Symantec Shared\ccApp.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DeviceDiscovery]
C:\Program Files\HP\Digital Imaging\bin\hpotdd01.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HostManager]
C:\Program Files\Common Files\AOL\1139081734\ee\AOLSoftware.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HP Component Manager]
"C:\Program Files\HP\hpcoretech\hpcmpmgr.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HP Software Update]
"C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HPDJ Taskbar Utility]
C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb09.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HPHmon05]
C:\WINDOWS\System32\hphmon05.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HPHUPD05]
c:\Program Files\HP\{45B6180B-DCAB-4093-8EE8-6164457517F0}\hphupd05.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\hpsysdrv]
c:\windows\system\hpsysdrv.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\igndlm.exe]
C:\Program Files\IGN\Download Manager\DLM.exe /windowsstart /startifwork

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
"C:\Program Files\iTunes\iTunesHelper.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\KBD]
C:\HP\KBD\KBD.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\KernelFaultCheck]
%systemroot%\system32\dumprep 0 -k

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\LogMeIn GUI]
"C:\Program Files\LogMeIn\x86\LogMeInSystray.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
"C:\Program Files\Messenger\msmsgs.exe" /background

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroFilterCheck]
C:\WINDOWS\system32\NeroCheck.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PS2]
C:\WINDOWS\system32\ps2.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
"C:\Program Files\QuickTime\qttask.exe" -atboottime

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Recguard]
C:\WINDOWS\SMINST\RECGUARD.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Reminder]
"C:\Windows\Creator\Remind_XP.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SpyAxe]
C:\Program Files\SpyAxe\spyaxe.exe /h

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Start WingMan Profiler]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\StartCCC]
C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Symantec NetDriver Monitor]
C:\PROGRA~1\SYMNET~1\SNDMon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\tgcmd]
"C:\Program Files\support.com\bin\tgcmd.exe" /server

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TkBellExe]
"C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Tukati:4]
C:\Program Files\Tukati\Redistributor\4\TukatiRedistributor.exe -r:4 -x:1

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\UpdateManager]
"c:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\UserFaultCheck]
%systemroot%\system32\dumprep 0 -u

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ViewMgr]
C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\VTTimer]
VTTimer.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WildTangent CDA]
"C:\Program Files\WildTangent\Apps\CDA\GameDrvr.exe" /startup "C:\Program Files\WildTangent\Apps\CDA\cdaEngine0500.dll"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WinFast Schedule]
C:\Program Files\WinFast\WFTVFM\WFWIZ.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WinUpdateProtection]
c:\windowsupdate\ufp\008\csrss.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\{08-8B-BF-FC-ZN}]
C:\windows\system32\rpdsregs.exe FI002

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"ewido security suite control"=2 (0x2)
"vsmon"=2 (0x2)
"StarWindService"=2 (0x2)
"RadClock"=2 (0x2)
"PnkBstrA"=2 (0x2)
"ATI Smart"=2 (0x2)
"Ati HotKey Poller"=2 (0x2)
"WANMiniportService"=2 (0x2)
"AVG Anti-Spyware Guard"=2 (0x2)

R1 ATITool;ATITool Overclocking Utility;C:\WINDOWS\system32\DRIVERS\ATITool.sys
R1 bc_filter;BC_Filter;C:\WINDOWS\system32\drivers\bc_filter.sys
R1 bc_ip_f;BC_IP_Filter;C:\WINDOWS\system32\drivers\bc_ip_f.sys
R1 bc_ngn;BC_Engine;C:\WINDOWS\system32\drivers\bc_ngn.sys
R1 bc_pat_f;BC_PAT_Filter;C:\WINDOWS\system32\drivers\bc_pat_f.sys
R1 bc_prt_f;BC_Protocol_Filter;C:\WINDOWS\system32\drivers\bc_prt_f.sys
R1 bc_tdi_f;BC_TDI_Filter;C:\WINDOWS\system32\drivers\bc_tdi_f.sys
R1 bcftdi;BCFTDI;C:\WINDOWS\system32\drivers\bcftdi.sys
R2 BT848;WinFast TV2000 XP WDM Video Capture;C:\WINDOWS\system32\drivers\wf2kvcap.sys
R2 LMIInfo;LogMeIn Kernel Information Provider;\??\C:\Program Files\LogMeIn\x86\RaInfo.sys
R2 LMIRfsDriver;LogMeIn Remote File System Driver;\??\C:\WINDOWS\system32\drivers\LMIRfsDriver.sys
R2 SVKP;SVKP;\??\C:\WINDOWS\system32\SVKP.sys
R2 tv2ktunr;WinFast TV2000 XP WDM TVTuner;C:\WINDOWS\system32\drivers\wf2ktunr.sys
R2 Tv2kXbar;WinFast TV2000 XP WDM Crossbar;C:\WINDOWS\system32\drivers\wf2kxbar.sys
R3 LMImirr;LMImirr;C:\WINDOWS\system32\DRIVERS\LMImirr.sys
R3 RadProbe;Radeon Probe Driver;C:\WINDOWS\system32\DRIVERS\RadProbe.sys
R3 WmBEnum;Logitech Virtual Bus Enumerator Driver;C:\WINDOWS\system32\drivers\WmBEnum.sys
R3 WmFilter;Logitech Gaming HID Filter Driver;C:\WINDOWS\system32\drivers\WmFilter.sys
R3 WmXlCore;Logitech WingMan Translation Layer Driver;C:\WINDOWS\system32\drivers\WmXlCore.sys
S3 FET5X86V;VIA Rhine-Family Fast-Ethernet Adapter Driver Service;C:\WINDOWS\system32\DRIVERS\fetnd5bv.sys
S3 pnicml;pnicml;\??\C:\DOCUME~1\Owner\LOCALS~1\Temp\pnicml.sys
S3 W8100PCI;D-Link AirPlus G Wireless Driver;C:\WINDOWS\system32\DRIVERS\MRV8K51.sys
S3 WFIOCTL;WFIOCTL;\??\C:\Program Files\WinFast\WFTVFM\WFIOCTL.SYS
S3 WmHidLo;Logitech Gaming USB Filter Driver;C:\WINDOWS\system32\drivers\WmHidLo.sys
S3 WmVirHid;Logitech Virtual Hid Device Driver;C:\WINDOWS\system32\drivers\WmVirHid.sys

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\D]
AutoRun\command- D:\Info.exe folder.htt 480 480

.
Contents of the 'Scheduled Tasks' folder
"2007-10-07 10:45:00 C:\WINDOWS\Tasks\Symantec NetDetect.job"
- C:\Program Files\Symantec\LiveUpdate\NDETECT.EXE
"2007-09-29 17:22:00 C:\WINDOWS\Tasks\Uniblue SpeedUpMyPC Nag.job"
- C:\Program Files\Uniblue\SpeedUpMyPC 3\SpeedUpMyPC.exe
"2007-07-01 17:22:45 C:\WINDOWS\Tasks\Uniblue SpeedUpMyPC.job"
- C:\Program Files\Uniblue\SpeedUpMyPC 3\SpeedUpMyPC.exe
.
**************************************************************************

catchme 0.3.1169 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-10-07 09:15:54
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2007-10-07 9:17:55 - machine was rebooted
C:\ComboFix-quarantined-files.txt ... 2007-10-07 09:17
.
--- E O F ---

Nigel4 · 10-07-2007, 05:37 PM

Everything seems to be running all right. No more technicolor rave madness, haven't had a blast of pop-ups since the last time, not as many outgoing or incoming datagrams from random places.

For future reference:The Newest ATI drivers DO NOT work on nearly EVERY SINGLE ONE of their graphics cards older than Radeon 2750 or something. I found this out after waiting for customer support for 1.5 hours then just googling the problem and happened to come across this place called "Omega Drivers" where they have been solving ATI's problems for a really long time. They also support nVidia cards.

Bob4 · 10-07-2007, 06:12 PM

Thanks for the info on ATI. Had one of their cards once. Won't do that again.

________________________________________
Open notepad and copy/paste the text in the quotebox below into it:

Quote:

File::
C:\WINDOWS\system32\pwinqsap.exe
C:\windows\system32\rpdsregs.exe

Folder::
C:\Program Files\SpyAxe

Registry::
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SpyAxe]

Save this as CFScript.txt, in the same location as ComboFix.exe

Refering to the picture above, drag CFScript into ComboFix.exe

When finished, it shall produce a log for you at C:ComboFix.txt which I will need in your next reply.

______________________________________________________

You need to update SunJava for security reasons.
Updating Java:
Download the latest version of
Java Runtime Environment (JRE) 6u2

Scroll down to where it says "Java Runtime Environment (JRE) 6u2... allows end-users to run Java applications".
Click the "Download" button to the right.
Check the box that says: "Accept License Agreement".
Click on the link to download Windows Offline Installation with or without Multi-language and save to your desktop.
Close any programs you may have running - especially your web browser.
Go to Start > Control Panel double-click on Add/Remove programs and remove all older versions of Java.
Check any item with Java Runtime Environment (JRE or J2SE) in the name. It should have the icon next to it.
Click the Remove or Change/Remove button.
Repeat as many times as necessary to remove each Java versions.
Reboot your computer once all Java components are removed.
Then from your desktop double-click on jre-6u2-windows-i586-p.exe to install the newest version.

_____________________________

Next reply:

Post the log from combo fix and that should be the end of it.

10-01-2007, 06:05 PM	#2 (permalink)
Bob4 Analyst, Security Team Join Date: Aug 2005 Posts: 147 OS: XP pro	Re: Technicolor screen, Popups, Error messages running programs, random programs star _________________________________ Welcome to the Forums. The fixes we will use are specific to your problems and should only be used for this issue on this machine. Please only use this topic to reply to. Do not start another thread. If any other issues arise let me know. The process is not instant. Please continue to review my answers until I tell you your machine is clear. Absence of symptoms does not mean that everything is clear. So lets do this to the end! All hijackthis logs I ask for should be done in normal mode ( not safe mode) These logs should be done last after you have followed my instructions in the previous post. Please if you decide to seek help at another forum let us know. There is a shortage of helpers and tying 2 of us up is a waste of time. If you have any questions about any advice given here please STOP and ask! The fixes we are going to do may and may not help other problems you are having. __________________ Please download VundoFix.exe to your desktop. Double-click VundoFix.exe to run it. Click the Scan for Vundo button. Once it's done scanning, click the Remove Vundo button. You will receive a prompt asking if you want to remove the files, click YES Once you click yes, your desktop will go blank as it starts removing Vundo. When completed, it will prompt that it will shutdown your computer, click OK. Turn your computer back on. Please post the contents of C:\vundofix.txt and a new HiJackThis log. _________________________________ Download SmitfraudFix (by S!Ri) to your Desktop. Smitfraud by S!ri ______________________________ Double clcik the smitfraud.exe When promted Press any key to continue. Select option #1 - Search by typing 1 and press Enter This program will scan large amounts of files on your computer for known patterns so please be patient while it works. When it is done, the results of the scan will be displayed and it will create a log named rapport.txt in the root of your drive, eg: Local Disk C: or partition where your operating system is installed. Please post that log along with any others I have asked for in your next reply. Note : process.exe is detected by some antivirus programs (AntiVir, Dr.Web, Kaspersky) as a "RiskTool"; it is not a virus, but a program used to stop system processes. Antivirus programs cannot distinguish between "good" and "malicious" use of such programs, therefore they may alert the user. When prompted by allow it to run IMPORTANT: Do NOT run any other options until you are asked to do so! If you do and smitfraud isn't present it will have undesirable effects _____________________________ In your next reply I would like to see: A new HJT log The Report from Vundofix The report from smitfraud. __________________

10-01-2007, 08:09 PM	#3 (permalink)
Nigel4 Registered User Join Date: Aug 2006 Location: Detroit Posts: 18 OS: XP/Vista	Re: Technicolor screen, Popups, Error messages running programs, random programs star I ran into some problems with Vundofix. A .dll called Vtustqo.dll repeatedly came up and triggered an NT Authority/SYSTEM shutdown for the lsass.exe. After the 3rd time running Vundofix on start-up with Vtustqo.dll still appearing, I'm posting this. Here's the VundoFix Log: VundoFix V6.5.9 Checking Java version... Java version is 1.4.2.3 Old versions of java are exploitable and should be removed. Scan started at 9:46:44 PM 10/1/2007 Listing files found while scanning.... C:\windows\system32\fthtibtm.dll C:\windows\system32\hgghhgh.dll C:\windows\system32\khffgef.dll C:\windows\system32\mtbithtf.ini C:\windows\system32\nnnlklk.dll C:\WINDOWS\system32\vtustqo.dll Beginning removal... Attempting to delete C:\windows\system32\fthtibtm.dll C:\windows\system32\fthtibtm.dll Could not be deleted. Attempting to delete C:\windows\system32\hgghhgh.dll C:\windows\system32\hgghhgh.dll Has been deleted! Attempting to delete C:\windows\system32\khffgef.dll C:\windows\system32\khffgef.dll Has been deleted! Attempting to delete C:\windows\system32\mtbithtf.ini C:\windows\system32\mtbithtf.ini Has been deleted! Attempting to delete C:\windows\system32\nnnlklk.dll C:\windows\system32\nnnlklk.dll Has been deleted! Attempting to delete C:\WINDOWS\system32\vtustqo.dll C:\WINDOWS\system32\vtustqo.dll Could not be deleted. Performing Repairs to the registry. Done! Beginning removal... Attempting to delete C:\windows\system32\fthtibtm.dll C:\windows\system32\fthtibtm.dll Has been deleted! Attempting to delete C:\WINDOWS\system32\vtustqo.dll C:\WINDOWS\system32\vtustqo.dll Could not be deleted. Performing Repairs to the registry. Done! VundoFix V6.5.9 Checking Java version... Java version is 1.4.2.3 Old versions of java are exploitable and should be removed. Scan started at 9:55:16 PM 10/1/2007 Listing files found while scanning.... C:\windows\system32\vtustqo.dll Beginning removal... Attempting to delete C:\windows\system32\vtustqo.dll C:\windows\system32\vtustqo.dll Could not be deleted. Performing Repairs to the registry. Done! Beginning removal... Attempting to delete C:\windows\system32\vtustqo.dll C:\windows\system32\vtustqo.dll Could not be deleted. Performing Repairs to the registry. Done! Should I continue with SmitFraud anyway? Also, you say to post a HJT log after the vundofix, but initially you said post the HJT log after all the steps you mentioned. Do you want two HJT Logs? Last edited by Nigel4; 10-01-2007 at 08:12 PM.

10-02-2007, 04:41 AM	#4 (permalink)
Bob4 Analyst, Security Team Join Date: Aug 2005 Posts: 147 OS: XP pro	Re: Technicolor screen, Popups, Error messages running programs, random programs star Please continue with the smitfraud fix. I will only need 1 HJT log after everything I asked is done per post. __________________

10-03-2007, 03:59 PM	#6 (permalink)
Bob4 Analyst, Security Team Join Date: Aug 2005 Posts: 147 OS: XP pro	Re: Technicolor screen, Popups, Error messages running programs, random programs star From here on in when I ask for a hJT log Navigate to and find C:\Program Files\Trend Micro\HijackThis\Owner.exe You can right click that file and choose send to : Desktop (create shortcut) for your convenience. This will post just the HJT portion of the log. No reason for me to see all that DSS see's more than once. _____________________________ HJT Run hijackthis and choose scan only and place a check by the following lines if present. Close all other windows and browsers except HJT before clicking on Fix Checked O2 - BHO: (no name) - {C3352FCD-CFE5-4F35-831A-19C68DDB7CF4} - C:\WINDOWS\system32\vtustqo.dll O2 - BHO: (no name) - {D40A2633-1554-4CE9-B1BB-14B18F7BD1ED} - C:\WINDOWS\system32\ddayw.dll O3 - Toolbar: (no name) - - (no file) O3 - Toolbar: (no name) - {62999427-33FC-4baf-9C9C-BCE6BD127F08} - (no file) O3 - Toolbar: (no name) - {40D41A8B-D79B-43d7-99A7-9EE0F344C385} - (no file) O3 - Toolbar: (no name) - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file) O4 - HKEY_LOCAL_MACHINE\..\RunOnceEx: [Flag] 2 O9 - Extra button: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\Party Poker\PartyPoker\RunApp.exe (file missing) O9 - Extra 'Tools' menuitem: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\Party Poker\PartyPoker\RunApp.exe (file missing) O15 - Trusted Zone: <https://turbotax.com> (HKCU) O16 - DPF: {9AC54695-69A4-46F1-BE10-10C74F9520D5} () - <http://cabs.elitemediagroup.net/cabs/mediaview.cab> O16 - DPF: {DECEAAA2-370A-49BB-9362-68C3A58DDC62} () - http://static.zangocash.com/cab/Seek...dae853c5219026 <http://static.zangocash.com/cab/Seekmo/ie/bridge-c24.cab?0993688dc438777ffae64d31307a794694621c798d4971bf08fb991261a3b92a4407e2e8b2e1e238a16956b34f14128d9f08516218e990ace940b6dbfd8e5f:3a9fb66615443315d3dae853c5219026> O20 - Winlogon Notify: vtustqo - C:\WINDOWS\system32\vtustqo.dll _______________________________________________ Please print out or copy these instructions/tutorial to Notepad as the internet will not be (while in Safe Mode) available to you at certain points of the removal process. Make sure to work through all the Steps in the exact order in which they are listed below. If there's anything that you don't understand, ask your question(s) before moving on with the fixes. ___________________________________ Download AVG Anti-Spyware. Install AVG Anti-Spyware. Launch AVG by double-clicking on the icon. The program will now open to the main screen. You will need to update AVG to the latest definition files. At the top of the main screen click Update. Then in the Manual Update section, click on Start Update. The update will start and a progress bar will show the updates being installed. When updates are completed, close AVG. If you are having problems with the updater, you can use this link to manually update AVG. AVG manual updates Do not use it yet. Reboot your computer in Safe Mode. If the computer is running, shut down Windows, and then turn off the power. Wait 30 seconds, and then turn the computer on. Start tapping the F8 key. The Windows Advanced Options Menu appears. If you begin tapping the F8 key too soon, some computers display a "keyboard error" message. To resolve this, restart the computer and try again. Ensure that the Safe Mode option is selected. Press Enter. The computer then begins to start in Safe mode. Login on your usual account. ______________________________ Open the SmitfraudFix Folder, then double-click smitfraudfix.cmd file to start the tool. Select option #2 - Clean by typing 2 and press Enter. Wait for the tool to complete and disk cleanup to finish. You will be prompted : "Registry cleaning - Do you want to clean the registry ?" answer Yes by typing Y and hit Enter. The tool will also check if wininet.dll is infected. If a clean version is found, you will be prompted to replace wininet.dll. Answer Yes to the question "Replace infected file ?" by typing Y and hit Enter. A reboot may be needed to finish the cleaning process, if you computer does not restart automatically please do it yourself manually. Reboot in Safe Mode. The tool will create a log named rapport.txt in the root of your drive, eg: Local Disk C: or partition where your operating system is installed. Please post that log along with all others requested in your next reply. ______________________________ Navigate to C:\Windows\Temp Click Edit, click Select All, press the DELETE key, and then click Yes to confirm that you want to send all the items to the Recycle Bin. Navigate to *C:\Documents and Settings\(EVERY LISTED USER)\Local Settings\Temp* Click Edit, click Select All, press the DELETE key, and then click Yes to confirm that you want to send all the items to the Recycle Bin. Clean out your Temporary Internet files. Proceed like this: Quit Internet Explorer and quit any instances of Windows Explorer. Click Start, click Control Panel, and then double-click Internet Options. On the General tab, click Delete Files under Temporary Internet Files. In the Delete Files dialog box, tick the Delete all offline content check box , and then click OK. On the General tab, click Delete Cookies under Temporary Internet Files, and then click OK. Click on the Programs tab then click the Reset Web Settings button. Click Apply then OK. Click OK. Next Click Start, click Control Panel and then double-click Display. Click on the Desktop tab, then click the Customize Desktop button. Click on the Web tab. Under Web Pages you should see a checked entry called Security info or something similar. If it is there, select that entry and click the Delete button. Click Ok then Apply and Ok. Empty the Recycle Bin by right-clicking the Recycle Bin icon on your Desktop, and then clicking Empty Recycle Bin. ______________________________ Open the SmitfraudFix folder and double-click smitfraudfix.cmd Select option #3 - Delete Trusted zone by typing 3 and press Enter. Answer Yes to the question "Restore Trusted Zone ?" by typing Y and hit Enter. Note, if you use SpywareBlaster and/or IE-SPYAD, it will be necessary to re-install the protection both afford. For SpywareBlaster, run the program and re-protect all items. For IE-SPYAD, run the batch file and reinstall the protection. ___________________________ Run AVG Anti-Spyware Close ALL open Windows / Programs / Folders. Please start AVG Anti-Spyware and run a full scan. Click on Scanner on the toolbar. Click on the Settings tab. Under How to act? Click on Recommended Action and choose Quarantine from the popup menu. Under How to scan? All checkboxes should be ticked. Under Possibly unwanted software: All checkboxes should be ticked. Under Reports: Select Do not automatically generate reports Under What to scan? Select Scan every file. Click on the Scan tab. Click on Complete System Scan to start the scan process. Let the program scan the machine. IMPORTANT : Don't click on the "Save Scan Report" button before you did hit the "Apply all Actions" button. Make sure that Set all elements to: shows Quarantine (1), if not click on the link and choose Quarantine from the popup menu. (2) At the bottom of the window click on the Apply all Actions button. (3) When done, click the Save Scan Report button. (4) Click the Save Report as button. Save the report to your Desktop. Right-click the AVG Anti-Spyware Tray Icon and select Exit. Confirm by clicking Yes. Reboot normaly __________________________ Please post: c:\rapport.txt AVG log A new HijackThis log Your may need several replies to post the requested logs, otherwise they might get cut off. ______________________________________________ __________________

10-03-2007, 07:03 PM	#7 (permalink)
Nigel4 Registered User Join Date: Aug 2006 Location: Detroit Posts: 18 OS: XP/Vista	Re: Technicolor screen, Popups, Error messages running programs, random programs star I've been running The Deckard's System Scanner rather than HJT. My older HJT repeatedly crashed when I tried to run it even after reboot and in safe. Could I get a link to a newer one maybe? The DSS isn't giving me the options you described, it just spits out a main.txt and an extra.txt when it finishes. I've downloaded AVG and got the updates, I just need the HJT portion to continue. Last edited by Nigel4; 10-03-2007 at 07:06 PM.

10-04-2007, 04:38 AM	#8 (permalink)
Bob4 Analyst, Security Team Join Date: Aug 2005 Posts: 147 OS: XP pro	Re: Technicolor screen, Popups, Error messages running programs, random programs star Delete or uninstall your HJT. download HJT from here. http://www.trendsecure.com/portal/en...HJTInstall.exe It will set it self up should work now. If your still having trouble with HJT just use dss. __________________

10-05-2007, 08:50 PM	#9 (permalink)
Nigel4 Registered User Join Date: Aug 2006 Location: Detroit Posts: 18 OS: XP/Vista	Re: Technicolor screen, Popups, Error messages running programs, random programs star I got HJT downloaded, but I'm working through the technicolor screen problem for the second time, and I have to say, it's not cool at all. I'm hoping to get back to you at least once more over the weekend... Now to find the submit button...

10-05-2007, 10:49 PM	#10 (permalink)
Bob4 Analyst, Security Team Join Date: Aug 2005 Posts: 147 OS: XP pro	Re: Technicolor screen, Popups, Error messages running programs, random programs star Technocolor:: Can you attempt to reinstall video drivers? IF you need help. Please let me know what video card you have ? __________________

10-06-2007, 10:10 AM	#11 (permalink)
Nigel4 Registered User Join Date: Aug 2006 Location: Detroit Posts: 18 OS: XP/Vista	Re: Technicolor screen, Popups, Error messages running programs, random programs star I have a ATI Radeon 9600. I had a sudden blast of about 20 pop ups when I rebooted after safe mode that all came up in internet explorer as blank:pages with a few IP's and generic mal-ware websites I couldn't read because of technicolor death. Here come the logs: Rapport.txt mitFraudFix v2.235 Scan done at 0:11:15.00, Sat 10/06/2007 Run from C:\Documents and Settings\Owner\My Documents\Downloads\SmitfraudFix OS: Microsoft Windows XP [Version 5.1.2600] - Windows_NT The filesystem type is NTFS Fix run in safe mode »»»»»»»»»»»»»»»»»»»»»»»» SharedTaskScheduler Before SmitFraudFix !!!Attention, following keys are not inevitably infected!!! SrchSTS.exe by S!Ri Search SharedTaskScheduler's .dll »»»»»»»»»»»»»»»»»»»»»»»» Killing process »»»»»»»»»»»»»»»»»»»»»»»» hosts 127.0.0.1 localhost »»»»»»»»»»»»»»»»»»»»»»»» Winsock2 Fix S!Ri's WS2Fix: LSP not Found. »»»»»»»»»»»»»»»»»»»»»»»» Generic Renos Fix GenericRenosFix by S!Ri »»»»»»»»»»»»»»»»»»»»»»»» Deleting infected files C:\WINDOWS\country.exe Deleted C:\WINDOWS\kl1.exe Deleted C:\WINDOWS\secure32.html Deleted C:\WINDOWS\toolbar.exe Deleted »»»»»»»»»»»»»»»»»»»»»»»» DNS HKLM\SYSTEM\CCS\Services\Tcpip\..\{240A4C79-8242-4231-89B6-2836FC0CC688}: DhcpNameServer=192.168.0.1 HKLM\SYSTEM\CCS\Services\Tcpip\..\{9A6F1D4E-9368-4CFC-B3C2-CD3E7F72B91A}: DhcpNameServer=68.87.77.130 68.87.72.130 HKLM\SYSTEM\CS1\Services\Tcpip\..\{240A4C79-8242-4231-89B6-2836FC0CC688}: DhcpNameServer=192.168.0.1 HKLM\SYSTEM\CS1\Services\Tcpip\..\{9A6F1D4E-9368-4CFC-B3C2-CD3E7F72B91A}: DhcpNameServer=68.87.77.130 68.87.72.130 HKLM\SYSTEM\CS3\Services\Tcpip\..\{240A4C79-8242-4231-89B6-2836FC0CC688}: DhcpNameServer=192.168.0.1 HKLM\SYSTEM\CS3\Services\Tcpip\..\{9A6F1D4E-9368-4CFC-B3C2-CD3E7F72B91A}: DhcpNameServer=68.87.77.130 68.87.72.130 HKLM\SYSTEM\CCS\Services\Tcpip\Parameters: DhcpNameServer=68.87.77.130 68.87.72.130 HKLM\SYSTEM\CS1\Services\Tcpip\Parameters: DhcpNameServer=68.87.77.130 68.87.72.130 HKLM\SYSTEM\CS3\Services\Tcpip\Parameters: DhcpNameServer=68.87.77.130 68.87.72.130 »»»»»»»»»»»»»»»»»»»»»»»» Deleting Temp Files »»»»»»»»»»»»»»»»»»»»»»»» Winlogon.System !!!Attention, following keys are not inevitably infected!!! [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon] "System"="" »»»»»»»»»»»»»»»»»»»»»»»» Registry Cleaning Registry Cleaning done. »»»»»»»»»»»»»»»»»»»»»»»» SharedTaskScheduler After SmitFraudFix !!!Attention, following keys are not inevitably infected!!! SrchSTS.exe by S!Ri Search SharedTaskScheduler's .dll »»»»»»»»»»»»»»»»»»»»»»»» End

10-06-2007, 10:13 AM	#12 (permalink)
Nigel4 Registered User Join Date: Aug 2006 Location: Detroit Posts: 18 OS: XP/Vista	Re: Technicolor screen, Popups, Error messages running programs, random programs star --------------------------------------------------------- AVG Anti-Spyware - Scan Report --------------------------------------------------------- + Created at: 11:54:09 AM 10/6/2007 + Scan result: HKU\S-1-5-21-1032218028-3103756211-369227866-1003\Software\Microsoft\Windows\CurrentVersion\Ext\Settings\{01EB5130-FC0C-4D75-B9CE-4801B1B854F5} -> Adware.Begin2Search : Cleaned with backup (quarantined). HKU\S-1-5-21-1032218028-3103756211-369227866-1003\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{01EB5130-FC0C-4D75-B9CE-4801B1B854F5} -> Adware.Begin2Search : Cleaned with backup (quarantined). C:\WINDOWS\eliteunstall.exe -> Adware.EliteMedia : Cleaned with backup (quarantined). HKU\S-1-5-21-1032218028-3103756211-369227866-1003\Software\Microsoft\Internet Explorer\Toolbar\ShellBrowser\\{D49E9D35-254C-4C6A-9D17-95018D228FF5} -> Adware.Starware : Cleaned with backup (quarantined). C:\System Volume Information\_restore{70304573-AB33-4072-AA96-4495C42D15E3}\RP937\A0452714.exe -> Downloader.Small.bmx : Cleaned with backup (quarantined). C:\Program Files\Trend Micro\HijackThis\backups\backup-20071005-230342-825.inf -> Downloader.Small.rl : Cleaned with backup (quarantined). C:\Program Files\Microsoft AntiSpyware\Quarantine\2C37B51E-C36A-4A16-9C95-082138\0A833D90-1006-44FC-AE55-261161 -> Not-A-Virus.Monitor.Win32.KeyLogger.e : Cleaned with backup (quarantined). C:\Program Files\Microsoft AntiSpyware\Quarantine\2C37B51E-C36A-4A16-9C95-082138\B42E6C69-BDCC-4D0C-B115-C9E447 -> Not-A-Virus.Monitor.Win32.KeyLogger.e : Cleaned with backup (quarantined). C:\windowsupdate\ufp\008\svchost.exe -> Not-A-Virus.Monitor.Win32.KeyLogger.e : Cleaned with backup (quarantined). C:\System Volume Information\_restore{70304573-AB33-4072-AA96-4495C42D15E3}\RP904\A0443905.dll -> Not-A-Virus.RemoteAdmin.Win32.RemotelyAnywhere.a : Cleaned with backup (quarantined). C:\System Volume Information\_restore{70304573-AB33-4072-AA96-4495C42D15E3}\RP905\A0443923.dll -> Not-A-Virus.RemoteAdmin.Win32.RemotelyAnywhere.a : Cleaned with backup (quarantined). C:\WINDOWS\system32\LMIinit.dll.000.bak -> Not-A-Virus.RemoteAdmin.Win32.RemotelyAnywhere.a : Cleaned with backup (quarantined). :mozilla.20:C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\l0wau5q2.default\cookies.txt -> TrackingCookie.Tacoda : Cleaned. :mozilla.21:C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\l0wau5q2.default\cookies.txt -> TrackingCookie.Tacoda : Cleaned. :mozilla.22:C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\l0wau5q2.default\cookies.txt -> TrackingCookie.Tacoda : Cleaned. :mozilla.23:C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\l0wau5q2.default\cookies.txt -> TrackingCookie.Tacoda : Cleaned. :mozilla.24:C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\l0wau5q2.default\cookies.txt -> TrackingCookie.Tacoda : Cleaned. C:\System Volume Information\_restore{70304573-AB33-4072-AA96-4495C42D15E3}\RP899\A0443442.dll -> Trojan.WinSpy : Cleaned with backup (quarantined). ::Report end On this one there was a Tacoda web cookie or something from mozilla that couldn't be quarantined, I assumed (hopefully correctly) that it should just be deleted. It's quarantine option was greyed out.

10-06-2007, 10:14 AM	#13 (permalink)
Nigel4 Registered User Join Date: Aug 2006 Location: Detroit Posts: 18 OS: XP/Vista	Re: Technicolor screen, Popups, Error messages running programs, random programs star Logfile of Trend Micro HijackThis v2.0.2 Scan saved at 12:14:06 PM, on 10/6/2007 Platform: Windows XP SP2 (WinNT 5.01.2600) MSIE: Internet Explorer v7.00 (7.00.6000.16512) Boot mode: Normal Running processes: C:\WINDOWS\System32\smss.exe C:\WINDOWS\system32\winlogon.exe C:\WINDOWS\system32\services.exe C:\WINDOWS\system32\lsass.exe C:\WINDOWS\system32\svchost.exe C:\WINDOWS\System32\svchost.exe C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe C:\WINDOWS\Explorer.EXE C:\Program Files\Alwil Software\Avast4\ashServ.exe C:\WINDOWS\system32\spoolsv.exe C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe C:\WINDOWS\SOUNDMAN.EXE C:\Program Files\LogMeIn\x86\LogMeInSystray.exe C:\Program Files\Jetico Personal Firewall\fwsrv.exe C:\Program Files\Common Files\Real\Update_OB\realsched.exe C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe C:\WINDOWS\system32\ctfmon.exe C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe C:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe C:\Program Files\Alwil Software\Avast4\ashWebSv.exe C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Internet Explorer\IEXPLORE.EXE C:\Program Files\Microsoft Office\Office10\WINWORD.EXE C:\Program Files\Trend Micro\HijackThis\HijackThis.exe R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by Comcast R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost O3 - Toolbar: HP view - {B2847E28-5D7D-4DEB-8B67-05D28BCF79F5} - c:\Program Files\HP\Digital Imaging\bin\hpdtlk02.dll O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE O4 - HKLM\..\Run: [NeroFilterCheck] C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe O4 - HKLM\..\Run: [LogMeIn GUI] "C:\Program Files\LogMeIn\x86\LogMeInSystray.exe" O4 - HKLM\..\Run: [JeticoPFStartup] "C:\Program Files\Jetico Personal Firewall\fwsrv.exe" O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe O4 - HKUS\S-1-5-18\..\Run: [ALUAlert] C:\Program Files\Symantec\LiveUpdate\ALUNotify.exe (User 'SYSTEM') O4 - HKUS\.DEFAULT\..\Run: [ALUAlert] C:\Program Files\Symantec\LiveUpdate\ALUNotify.exe (User 'Default user') O8 - Extra context menu item: &AIM Search - res://C:\Program Files\AIM Toolbar\AIMBar.dll/aimsearch.htm O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar1.dll/cmsearch.html O8 - Extra context menu item: &Translate English Word - res://c:\program files\google\GoogleToolbar1.dll/cmwordtrans.html O8 - Extra context menu item: Add To HP Organize... - C:\PROGRA~1\HEWLET~1\HPORGA~1\bin\core.hp.main\SendTo.html O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar1.dll/cmbacklinks.html O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar1.dll/cmcache.html O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MI1933~1\Office10\EXCEL.EXE/3000 O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar1.dll/cmsimilar.html O8 - Extra context menu item: Translate Page into English - res://c:\program files\google\GoogleToolbar1.dll/cmtrans.html O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll O16 - DPF: {77538FC7-CE52-4704-9865-494FE92BC320} (LaunchUBO.Ulit) - http://www.ultimatebaseballonline.co.../launchubo.OCX O16 - DPF: {FD0B6769-6490-4A91-AA0A-B5AE0DC75AC9} (Performance Viewer Activex Control) - https://secure.logmein.com/activex/ractrl.cab?lmi=100 O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1150\Intel 32\IDriverT.exe O23 - Service: NBService - Nero AG - C:\Program Files\Nero\Nero 7\Nero BackItUp\NBService.exe O23 - Service: Ulead Burning Helper (UleadBurningHelper) - Ulead Systems, Inc. - C:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe -- End of file - 5247 bytes This is a new HJT Log after doing everything else, not immediately after removing the entries you said to.

10-06-2007, 10:33 AM	#14 (permalink)
Bob4 Analyst, Security Team Join Date: Aug 2005 Posts: 147 OS: XP pro	Re: Technicolor screen, Popups, Error messages running programs, random programs star OK lets see if we can fix your graphics drivers so that this is easier for you. It is possible your graphics card is bad and may need replacing. Go to : http://ati.de/support/driver.html In the windows Box click on Professional/home In the next window choose radeon In the next window choose Radeon 9600 series. The click go. In the next page: I would choose at this point the Display driver only, it's the second choice down ! Download and run that closing all other applications/browsers. Follow the prompts. Let me know if that helps. Then we can try and continue cleaning your machine. If that doesn't help let me know exactly what your seeingas far as a technicolor screen. __________________

10-06-2007, 07:35 PM	#15 (permalink)
Nigel4 Registered User Join Date: Aug 2006 Location: Detroit Posts: 18 OS: XP/Vista	Re: Technicolor screen, Popups, Error messages running programs, random programs star Well, I reset my Jetico to factory defaults because things keep running and I can't pinpoint where they start from, but now I've discovered that the technicolor thing is due to a wmiprvse.exe. I stopped it from running, and the problem went away without a restart (thus I concluded it isn't graphics card related). I also got new drivers, though.

10-07-2007, 04:41 AM	#16 (permalink)
Bob4 Analyst, Security Team Join Date: Aug 2005 Posts: 147 OS: XP pro	Re: Technicolor screen, Popups, Error messages running programs, random programs star wmiprvse.exe.. Is a legitimate process. Why it effected your graphics is beyond me. Just don't delete that file. Let's get one more scan. 1. Download Combo fix from one of these locations. http://www.techsupportforum.com/sect...s/ComboFix.exe http://download.bleepingcomputer.com/sUBs/ComboFix.exe combofix.exe 2. Double click combofix.exe & follow the prompts. 3. When finished, it shall produce a log for you. Post that log in your next reply . (c:\comboFix.txt) Note: Do not mouseclick combofix's window whilst it's running. That may cause it to stall ________________ _____________________________ In your next reply I would like to see: A new HJT log The report from combofix Let me know how things are running. __________________

10-07-2007, 05:33 PM	#17 (permalink)
Nigel4 Registered User Join Date: Aug 2006 Location: Detroit Posts: 18 OS: XP/Vista	Re: Technicolor screen, Popups, Error messages running programs, random programs star Logfile of Trend Micro HijackThis v2.0.2 Scan saved at 7:33:30 PM, on 10/7/2007 Platform: Windows XP SP2 (WinNT 5.01.2600) MSIE: Internet Explorer v7.00 (7.00.6000.16512) Boot mode: Normal Running processes: C:\WINDOWS\System32\smss.exe C:\WINDOWS\system32\winlogon.exe C:\WINDOWS\system32\services.exe C:\WINDOWS\system32\lsass.exe C:\WINDOWS\system32\Ati2evxx.exe C:\WINDOWS\system32\svchost.exe C:\WINDOWS\System32\svchost.exe C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe C:\Program Files\Alwil Software\Avast4\ashServ.exe C:\WINDOWS\system32\Ati2evxx.exe C:\WINDOWS\Explorer.EXE C:\WINDOWS\system32\spoolsv.exe C:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe C:\WINDOWS\SOUNDMAN.EXE C:\Program Files\Jetico Personal Firewall\fwsrv.exe C:\Program Files\Common Files\Real\Update_OB\realsched.exe C:\WINDOWS\system32\ctfmon.exe C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe C:\WINDOWS\system32\notepad.exe C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Trend Micro\HijackThis\HijackThis.exe R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll O3 - Toolbar: HP view - {B2847E28-5D7D-4DEB-8B67-05D28BCF79F5} - c:\Program Files\HP\Digital Imaging\bin\hpdtlk02.dll O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE O4 - HKLM\..\Run: [NeroFilterCheck] C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe O4 - HKLM\..\Run: [JeticoPFStartup] "C:\Program Files\Jetico Personal Firewall\fwsrv.exe" O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized O4 - HKLM\..\Run: [AtiPTA] atiptaxx.exe O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe O4 - HKCU\..\RunOnce: [Shockwave Updater] C:\WINDOWS\system32\Macromed\SHOCKW~1\SWHELP~1.EXE -Update -1020022 -iexplore.exe7.0 O4 - HKUS\S-1-5-18\..\Run: [ALUAlert] C:\Program Files\Symantec\LiveUpdate\ALUNotify.exe (User 'SYSTEM') O4 - HKUS\.DEFAULT\..\Run: [ALUAlert] C:\Program Files\Symantec\LiveUpdate\ALUNotify.exe (User 'Default user') O8 - Extra context menu item: &AIM Search - res://C:\Program Files\AIM Toolbar\AIMBar.dll/aimsearch.htm O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar1.dll/cmsearch.html O8 - Extra context menu item: &Translate English Word - res://c:\program files\google\GoogleToolbar1.dll/cmwordtrans.html O8 - Extra context menu item: Add To HP Organize... - C:\PROGRA~1\HEWLET~1\HPORGA~1\bin\core.hp.main\SendTo.html O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar1.dll/cmbacklinks.html O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar1.dll/cmcache.html O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MI1933~1\Office10\EXCEL.EXE/3000 O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar1.dll/cmsimilar.html O8 - Extra context menu item: Translate Page into English - res://c:\program files\google\GoogleToolbar1.dll/cmtrans.html O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll O16 - DPF: {77538FC7-CE52-4704-9865-494FE92BC320} (LaunchUBO.Ulit) - http://www.ultimatebaseballonline.co.../launchubo.OCX O16 - DPF: {FD0B6769-6490-4A91-AA0A-B5AE0DC75AC9} (Performance Viewer Activex Control) - https://secure.logmein.com/activex/ractrl.cab?lmi=100 O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1150\Intel 32\IDriverT.exe O23 - Service: NBService - Nero AG - C:\Program Files\Nero\Nero 7\Nero BackItUp\NBService.exe O23 - Service: Ulead Burning Helper (UleadBurningHelper) - Ulead Systems, Inc. - C:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe -- End of file - 5412 bytes

10-07-2007, 05:37 PM	#19 (permalink)
Nigel4 Registered User Join Date: Aug 2006 Location: Detroit Posts: 18 OS: XP/Vista	Re: Technicolor screen, Popups, Error messages running programs, random programs star Everything seems to be running all right. No more technicolor rave madness, haven't had a blast of pop-ups since the last time, not as many outgoing or incoming datagrams from random places. For future reference:The Newest ATI drivers DO NOT work on nearly EVERY SINGLE ONE of their graphics cards older than Radeon 2750 or something. I found this out after waiting for customer support for 1.5 hours then just googling the problem and happened to come across this place called "Omega Drivers" where they have been solving ATI's problems for a really long time. They also support nVidia cards.