Old 10-01-2007, 04:30 PM   #1 (permalink)
D_KrYpT (Registered User)
Join Date: Dec 2006
Posts: 60
OS: XP/FC7
Adaware SE crashes and computer restarts

I have run a virus scan and got rid of 7 viruses, a chkdsk, Spybot which got rid of about 15 objects, a dfrg, and then I tried Adaware SE. It finds the first critical object, scans for a few more seconds, then stops and the computer restarts itself. Don't know why, please help.

Logfile of HijackThis v1.99.1
Scan saved at 23:18:33, on 01/10/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16512)
Always use Firefox

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\Program Files\AlienGUIse\wbload.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Media Center Diagnostic Kit\Tests\Bin\ehMonitor.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\slmdmsr.exe
C:\WINDOWS\System32\PAStiSvc.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\WINDOWS\system32\dllhost.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\WINDOWS\StartupMonitor.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Program Files\Java\jre1.5.0_08\bin\jusched.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\system32\lxcrcoms.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Documents and Settings\all users.silver\Desktop\~D_KrYpTs~ #F1L35#\hijackthis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
O4 - HKLM\..\Run: [Recguard] C:\WINDOWS\SMINST\RECGUARD.EXE
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [Run StartupMonitor] StartupMonitor.exe
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.5.0_08\bin\jusched.exe"
O4 - HKLM\..\Run: [ZoneAlarm Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [LXCRCATS] rundll32 C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\LXCRtime.dll,_RunDLLEntry@16
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O8 - Extra context menu item: &Search - http://edits.mywebsearch.com/toolbar...tml?p=ZJfox000
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O11 - Options group: [INTERNATIONAL] International*
O14 - IERESET.INF: START_PAGE_URL=http://www.iqon.ie
O16 - DPF: {15B782AF-55D8-11D1-B477-006097098764} (Macromedia Authorware Web Player Control) - http://courses.learndirect.co.uk/pro...er/awswaxf.cab
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/actives...ree/asinst.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{57E675E6-1867-49DB-B52E-79071F46A97D}: NameServer = 192.168.1.1,212.159.11.150
O17 - HKLM\System\CCS\Services\Tcpip\..\{60A1B07B-5116-4755-A6E2-4B352E89E406}: NameServer = 212.139.132.20 212.139.132.21
O17 - HKLM\System\CCS\Services\Tcpip\..\{DBED8F7B-7929-47CC-9E4D-A0F9673FAFE1}: NameServer = 192.168.1.1,212.159.11.150
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: ms-help - {314111C7-A502-11D2-BBCA-00C04F8EC294} - C:\Program Files\Common Files\Microsoft Shared\Help\hxds.dll
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe" /service (file missing)
O23 - Service: avast! Web Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe" /service (file missing)
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: lxcr_device - - C:\WINDOWS\system32\lxcrcoms.exe
O23 - Service: SQL Server (SQLEXPRESS) (MSSQL$SQLEXPRESS) - Unknown owner - c:\Program Files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe" -sSQLEXPRESS (file missing)
O23 - Service: SmartLinkService (SLService) - - C:\WINDOWS\SYSTEM32\slmdmsr.exe
O23 - Service: STI Simulator - Unknown owner - C:\WINDOWS\System32\PAStiSvc.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe
__________________
**What the eyes see and the ears hear the mind believes!**
Old 10-03-2007, 03:21 PM   #2 (permalink)
D_KrYpT (Registered User)
Join Date: Dec 2006
Posts: 60
OS: XP/FC7
PC seems sluggish, any ideas? (Ignore above thread)

Sorry about posting a log file twice, but I have now got Ad-Aware 2007 and it did not crash. I have removed the critical objects and have now run another HijackThis scan, so here is the new log file...

Logfile of HijackThis v1.99.1
Scan saved at 22:07:36, on 03/10/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16512)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\Program Files\AlienGUIse\wbload.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Media Center Diagnostic Kit\Tests\Bin\ehMonitor.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\WINDOWS\StartupMonitor.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Program Files\Java\jre1.5.0_08\bin\jusched.exe
C:\WINDOWS\system32\slmdmsr.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\System32\PAStiSvc.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\WINDOWS\system32\dllhost.exe
C:\WINDOWS\system32\lxcrcoms.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\Program Files\MSN Messenger\usnsvc.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\WINDOWS\system32\rundll32.exe
C:\Documents and Settings\all users.silver\Desktop\~D_KrYpTs~ #F1L35#\hijackthis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
O4 - HKLM\..\Run: [Recguard] C:\WINDOWS\SMINST\RECGUARD.EXE
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [Run StartupMonitor] StartupMonitor.exe
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.5.0_08\bin\jusched.exe"
O4 - HKLM\..\Run: [ZoneAlarm Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [LXCRCATS] rundll32 C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\LXCRtime.dll,_RunDLLEntry@16
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O8 - Extra context menu item: &Search - http://edits.mywebsearch.com/toolbar...tml?p=ZJfox000
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O11 - Options group: [INTERNATIONAL] International*
O14 - IERESET.INF: START_PAGE_URL=http://www.iqon.ie
O16 - DPF: {15B782AF-55D8-11D1-B477-006097098764} (Macromedia Authorware Web Player Control) - http://courses.learndirect.co.uk/pro...er/awswaxf.cab
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/actives...ree/asinst.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{57E675E6-1867-49DB-B52E-79071F46A97D}: NameServer = 192.168.1.1,212.159.11.150
O17 - HKLM\System\CCS\Services\Tcpip\..\{60A1B07B-5116-4755-A6E2-4B352E89E406}: NameServer = 212.139.132.20 212.139.132.21
O17 - HKLM\System\CCS\Services\Tcpip\..\{DBED8F7B-7929-47CC-9E4D-A0F9673FAFE1}: NameServer = 192.168.1.1,212.159.11.150
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: ms-help - {314111C7-A502-11D2-BBCA-00C04F8EC294} - C:\Program Files\Common Files\Microsoft Shared\Help\hxds.dll
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe" /service (file missing)
O23 - Service: avast! Web Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe" /service (file missing)
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: lxcr_device - - C:\WINDOWS\system32\lxcrcoms.exe
O23 - Service: SQL Server (SQLEXPRESS) (MSSQL$SQLEXPRESS) - Unknown owner - c:\Program Files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe" -sSQLEXPRESS (file missing)
O23 - Service: SmartLinkService (SLService) - - C:\WINDOWS\SYSTEM32\slmdmsr.exe
O23 - Service: STI Simulator - Unknown owner - C:\WINDOWS\System32\PAStiSvc.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe
Last edited by D_KrYpT; 10-03-2007 at 03:22 PM.
Old 10-03-2007, 08:37 PM   #3 (permalink)
Ried (Assistant Manager, TSF Academy; Moderator/Analyst Security Team)
Join Date: Jan 2005
Location: Ohio
Posts: 26,798
OS: WinXP and Vista
Re: Adaware SE crashes and computer restarts

Hello D_KrYpT,

We prefer a more comprehensive set of logs. As noted in our sticky topic (Updated!) IMPORTANT - Read This Before Posting A Log:

Download Deckard's System Scanner (DSS) to your Desktop.

What DSS will do:
  • create a new System Restore point in Windows XP and Vista.
  • clean your Temporary Files, Downloaded Program Files, and Internet Cache Files, and also empty the Recycle Bin on all drives.
  • check some important areas of your system and produce a report for your analyst to review.
  • DSS automatically runs HijackThis for you, but it will also install and place a shortcut to HijackThis on your desktop if you do not already have HijackThis installed.


Note: You must be logged onto an account with administrator privileges.
  1. Close all applications and windows.
  2. Double-click on dss.exe to run it, and follow the prompts.
  3. When the scan is complete, two text files will open: main.txt <- this one will be maximized, and extra.txt <- this one will be minimized
  4. Copy (Ctrl+A then Ctrl+C) and paste (Ctrl+V) the contents of main.txt in your next reply.
  5. Please attach extra.txt to your post.
To attach a file to a new post, simply
  1. Click the [Manage Attachments] button under Additional Options > Attach Files on the post composition page, and
  2. copy and paste the following into the "Upload File from your Computer" box:
    C:\Deckard\System Scanner\extra.txt
  3. Click Upload.

Please include the following in your next reply:
  • main.txt
  • an attached extra.txt
__________________

Member of ASAP since 2005
Member of UNITE since 2006

"It is one life whether we spend it laughing or weeping." "Take the time to laugh--it is the music of the soul."
Old 10-05-2007, 06:32 AM   #4 (permalink)
D_KrYpT (Registered User)
Join Date: Dec 2006
Posts: 60
OS: XP/FC7
Thumbs Down

----->

Last edited by D_KrYpT; 10-05-2007 at 06:34 AM.
Old 10-05-2007, 06:33 AM   #5 (permalink)
D_KrYpT (Registered User)
Join Date: Dec 2006
Posts: 60
OS: XP/FC7
Re: Adaware SE crashes and computer restarts

No probs. I've got my computer running a lot faster now as I've updated and run Spybot, but it is still not 100%. I will post the log files as required ASAP.

P.S. Could you please tell me what I need to do to be able to analyse log files myself? Thank you...
Old 10-05-2007, 09:37 AM   #6 (permalink)
D_KrYpT (Registered User)
Join Date: Dec 2006
Posts: 60
OS: XP/FC7
Here is my DSS log; the extra log is attached.

Deckard's System Scanner v20070905.67
Run by all users on 2007-10-05 16:21:41
Computer is in Normal Mode.
--------------------------------------------------------------------------------

-- System Restore --------------------------------------------------------------

System Restore is disabled; attempting to re-enable...success.


-- Last 1 Restore Point(s) --
1: 2007-10-05 15:21:45 UTC - RP1 - System Checkpoint


Backed up registry hives.
Performed disk cleanup.

Percentage of Memory in Use: 76% (more than 75%).
Total Physical Memory: 495 MiB (512 MiB recommended).


-- HijackThis (run as all users.exe) -------------------------------------------

Unable to find log (file not found); running clone.
-- HijackThis Clone ------------------------------------------------------------

Emulating logfile of HijackThis v1.99.1
Scan saved at 2007-10-05 16:23:09
Platform: Windows XP Service Pack 2 (5.01.2600)
MSIE: Internet Explorer (7.00.6000.16512)

Running processes:
C:\WINDOWS\system32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\Program Files\AlienGUIse\wbload.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Media Center Diagnostic Kit\Tests\Bin\ehMonitor.exe
C:\WINDOWS\ehome\ehrecvr.exe
C:\WINDOWS\ehome\ehSched.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\slmdmsr.exe
C:\WINDOWS\system32\PAStiSvc.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\WINDOWS\system32\dllhost.exe
C:\WINDOWS\soundman.exe
C:\WINDOWS\StartupMonitor.exe
C:\Program Files\Alwil Software\Avast4\ashDisp.exe
C:\Program Files\Java\jre1.5.0_08\bin\jusched.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\AlienGUIse\AlienwareDock\ObjectDock.exe
C:\Documents and Settings\all users.silver\Desktop\dss.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://home.microsoft.com/access/autosearch.asp?p=%s
R1 - HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: (no name) - {733E9132-53CA-4C97-9AC9-145C4502FA20} - C:\WINDOWS\system32\yaywxwv.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_08\bin\ssv.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: (no name) - {89AD4D75-2429-462e-BD4E-443F233F6033} - C:\WINDOWS\system32\oqqsqcyj.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: (no name) - {EF51CC67-7E7A-4989-A2A7-01D7BAACB0A5} - C:\WINDOWS\system32\sstts.dll
O4 - HKEY_LOCAL_MACHINE\..\Run: [Recguard] C:\WINDOWS\SMINST\RECGUARD.EXE
O4 - HKEY_LOCAL_MACHINE\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKEY_LOCAL_MACHINE\..\Run: [Run StartupMonitor] StartupMonitor.exe
O4 - HKEY_LOCAL_MACHINE\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKEY_LOCAL_MACHINE\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.5.0_08\bin\jusched.exe"
O4 - HKEY_LOCAL_MACHINE\..\Run: [ZoneAlarm Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Startup: Alienware Dock.lnk = C:\Program Files\AlienGUIse\AlienwareDock\ObjectDock.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O8 - Extra context menu item: &Search - ?p=ZJfox000
O16 - DPF: {15B782AF-55D8-11D1-B477-006097098764} (Macromedia Authorware Web Player Control) - http://courses.learndirect.co.uk/pro...er/awswaxf.cab
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
O17 - HKLM\SYSTEM\CCS\Services\Tcpip\..\{57E675E6-1867-49DB-B52E-79071F46A97D}: NameServer = 192.168.1.1,212.159.11.150
O17 - HKLM\SYSTEM\CCS\Services\Tcpip\..\{DBED8F7B-7929-47CC-9E4D-A0F9673FAFE1}: NameServer = 192.168.1.1,212.159.11.150
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\Program Files\MSN Messenger\msgrapp.8.1.0178.00.dll
O18 - Protocol: ms-help - {314111c7-a502-11d2-bbca-00c04f8ec294} - C:\Program Files\Common Files\Microsoft Shared\Help\hxds.dll
O18 - Protocol: ms-itss - {0A9007C0-4076-11D3-8789-0000F8105754} - C:\Program Files\Common Files\Microsoft Shared\Information Retrieval\msitss.dll
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\Program Files\MSN Messenger\msgrapp.8.1.0178.00.dll
O20 - AppInit_DLLs: wbsys.dll
O20 - Winlogon Notify: sstts - C:\WINDOWS\system32\sstts.dll
O20 - Winlogon Notify: WB - C:\Program Files\AlienGUIse\fastload.dll
O20 - Winlogon Notify: yaywxwv - C:\WINDOWS\system32\yaywxwv.dll
O22 - SharedTaskScheduler: blippers - {f2efa195-4785-4db1-9316-b48c64bb71da} - (no file)
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - "C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe"
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe


-- HijackThis Fixed Entries (C:\DOCUME~1\ALLUSE~1.SIL\Desktop\~D_KRY~1\HIJACK~1\backups\) --------------------------------------------------------------------------------

backup-20070114-131913-357 O4 - HKLM\..\Run: [chicsaveinterbook] C:\Documents and Settings\All Users\Application Data\64ShimChicSave\bashloud.exe
backup-20070114-132054-918 O21 - SSODL: blippers - {f2efa195-4785-4db1-9316-b48c64bb71da} - (no file)

-- File Associations -----------------------------------------------------------

.bat - batfile - DefaultIcon - C:\WINDOWS\system32\shell32.dll,71
.inf - inffile - DefaultIcon - C:\WINDOWS\system32\shell32.dll,69
.ini - inifile - DefaultIcon - C:\WINDOWS\system32\shell32.dll,69
.txt - txtfile - DefaultIcon - C:\WINDOWS\system32\shell32.dll,70


-- Drivers: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled ---------------------

R0 sfdrv01 (StarForce Protection Environment Driver (version 1.x)) - c:\windows\system32\drivers\sfdrv01.sys <Not Verified; Protection Technology (StarForce); SF FrontLine>
R0 sfhlp02 (StarForce Protection Helper Driver (version 2.x)) - c:\windows\system32\drivers\sfhlp02.sys <Not Verified; Protection Technology (StarForce); SF FrontLine>
R0 sfsync04 (StarForce Protection Synchronization Driver (version 4.x)) - c:\windows\system32\drivers\sfsync04.sys <Not Verified; Protection Technology (StarForce); SF FrontLine>
R0 sfvfs02 (StarForce Protection VFS Driver (version 2.x)) - c:\windows\system32\drivers\sfvfs02.sys <Not Verified; Protection Technology; StarForce Protection System>
R2 atksgt - c:\windows\system32\drivers\atksgt.sys
R2 lirsgt - c:\windows\system32\drivers\lirsgt.sys

S2 Ca533av (Icatch(IV) Video Camera Device) - c:\windows\system32\drivers\ca533av.sys (file missing)
S3 USBCamera (Icatch(IV) Still Camera Device) - c:\windows\system32\drivers\bulk533.sys (file missing)


-- Services: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled --------------------

All services whitelisted.


-- Device Manager: Disabled ----------------------------------------------------

No disabled devices found.


-- Scheduled Tasks -------------------------------------------------------------

2007-09-30 09:00:00 386 --a------ C:\WINDOWS\Tasks\rpc.job


-- Files created between 2007-09-05 and 2007-10-05 -----------------------------

2007-10-04 20:24:40 77376 --a------ C:\WINDOWS\system32\oqqsqcyj.dll
2007-10-04 20:21:40 83008 --a------ C:\WINDOWS\system32\rwboqyvq.dll
2007-10-03 21:25:28 0 d-------- C:\Program Files\Lavasoft
2007-10-03 21:25:27 0 d-------- C:\Documents and Settings\All Users\Application Data\Lavasoft
2007-10-03 21:24:42 0 d-------- C:\Program Files\Common Files\Wise Installation Wizard
2007-10-02 20:33:28 0 d-------- C:\info
2007-10-02 19:16:29 83008 --a------ C:\WINDOWS\system32\helylmqg.dll
2007-10-01 23:00:33 212 --a------ C:\delete.bat
2007-10-01 17:02:27 83008 --a------ C:\WINDOWS\system32\fjxflerf.dll
2007-09-30 11:59:24 0 d-------- C:\Documents and Settings\Guest\Application Data\Mozilla
2007-09-30 10:38:28 83008 --a------ C:\WINDOWS\system32\cusrjekg.dll
2007-09-30 10:01:33 83008 --a------ C:\WINDOWS\system32\oipqysfv.dll
2007-09-30 08:58:45 0 d-------- C:\Documents and Settings\All Users\Application Data\Adobe
2007-09-30 00:27:11 0 d-------- C:\Documents and Settings\Guest\WINDOWS
2007-09-30 00:27:11 0 d--h----- C:\Documents and Settings\Guest\Templates
2007-09-30 00:27:11 0 dr------- C:\Documents and Settings\Guest\Start Menu
2007-09-30 00:27:11 0 dr-h----- C:\Documents and Settings\Guest\SendTo
2007-09-30 00:27:11 0 dr-h----- C:\Documents and Settings\Guest\Recent
2007-09-30 00:27:11 0 d--h----- C:\Documents and Settings\Guest\PrintHood
2007-09-30 00:27:11 0 d--h----- C:\Documents and Settings\Guest\NetHood
2007-09-30 00:27:11 0 dr------- C:\Documents and Settings\Guest\My Documents
2007-09-30 00:27:11 0 d--h----- C:\Documents and Settings\Guest\Local Settings
2007-09-30 00:27:11 0 dr------- C:\Documents and Settings\Guest\Favorites
2007-09-30 00:27:11 0 d-------- C:\Documents and Settings\Guest\Desktop
2007-09-30 00:27:11 0 d--hs---- C:\Documents and Settings\Guest\Cookies
2007-09-30 00:27:11 0 dr-h----- C:\Documents and Settings\Guest\Application Data
2007-09-30 00:27:11 0 d-------- C:\Documents and Settings\Guest\Application Data\SampleView
2007-09-30 00:27:11 0 d---s---- C:\Documents and Settings\Guest\Application Data\Microsoft
2007-09-30 00:27:11 0 d-------- C:\Documents and Settings\Guest\Application Data\Identities
2007-09-30 00:27:11 0 d-------- C:\Documents and Settings\Guest\Application Data\CyberLink
2007-09-30 00:27:11 0 d-------- C:\Documents and Settings\Guest\Application Data\Apple Computer
2007-09-30 00:27:11 0 d-------- C:\Documents and Settings\Guest\Application Data\Adobe
2007-09-30 00:27:10 1572864 --ah----- C:\Documents and Settings\Guest\NTUSER.DAT
2007-09-28 17:43:55 83008 --a------ C:\WINDOWS\system32\kupgnwea.dll
2007-09-27 17:43:34 83008 --a------ C:\WINDOWS\system32\gukujcwl.dll
2007-09-26 17:36:24 83008 --a------ C:\WINDOWS\system32\mirbcgua.dll
2007-09-25 16:36:21 83008 --a------ C:\WINDOWS\system32\kkeppamv.dll
2007-09-23 21:53:39 83008 --a------ C:\WINDOWS\system32\bfkjhrvr.dll
2007-09-22 18:45:27 304160 --a------ C:\StiImg.dat
2007-09-22 18:41:44 0 d-------- C:\WINDOWS\PixArt
2007-09-22 18:41:43 0 d-------- C:\Program Files\Trust
2007-09-22 18:41:43 0 d-------- C:\Program Files\Common Files\PCCamera
2007-09-21 20:47:21 83008 --a------ C:\WINDOWS\system32\hnqualsr.dll
2007-09-20 19:23:01 83008 --a------ C:\WINDOWS\system32\kdpsyrgf.dll
2007-09-15 14:00:10 0 d-------- C:\Program Files\MSN Messenger
2007-09-13 16:21:27 865305 ---hs---- C:\WINDOWS\system32\sttss.bak2
2007-09-12 21:16:55 6488 ---hs---- C:\WINDOWS\system32\sttss.bak1
2007-09-12 21:16:43 109600 --a------ C:\WINDOWS\system32\sptll.dll
2007-09-12 21:16:34 369248 --a------ C:\WINDOWS\system32\sstts.dll
2007-09-12 21:12:23 44054 --a------ C:\WINDOWS\system32\ddcbcab.dll
2007-09-12 21:11:32 44054 --a------ C:\WINDOWS\system32\yaywxwv.dll


-- Find3M Report ---------------------------------------------------------------

2007-10-04 22:33:10 0 d-------- C:\Program Files\TweakGenie
2007-10-04 22:32:14 0 d--h----- C:\Program Files\InstallShield Installation Information
2007-10-04 22:32:12 0 d-------- C:\Program Files\Activision
2007-10-04 22:31:30 0 d-------- C:\Program Files\My Pet Hotel
2007-10-04 22:31:30 0 d-------- C:\Program Files\Mindscape
2007-10-04 22:26:58 0 d-------- C:\Program Files\Jasc Software Inc
2007-10-04 22:23:39 0 d-------- C:\Program Files\eGames
2007-10-04 22:01:18 0 d-------- C:\Program Files\lx_cats
2007-10-04 21:51:36 0 d-------- C:\Program Files\AlienGUIse
2007-10-03 21:24:42 0 d-------- C:\Program Files\Common Files
2007-10-03 21:24:23 0 d-------- C:\Documents and Settings\all users.silver\Application Data\Lavasoft
2007-10-02 19:56:59 0 d-------- C:\Documents and Settings\all users.silver\Application Data\LimeWire
2007-10-01 17:11:36 5060 --a------ C:\Documents and Settings\all users.silver\Application Data\wklnhst.dat
2007-09-30 08:55:47 0 d-------- C:\Documents and Settings\all users.silver\Application Data\AdobeUM
2007-09-04 19:34:22 0 d-------- C:\Documents and Settings\all users.silver\Application Data\Google
2007-09-04 19:33:27 0 d-------- C:\Program Files\Google
2007-09-04 18:44:16 0 d-------- C:\Program Files\Play89
2007-08-19 11:54:27 0 d-------- C:\Documents and Settings\all users.silver\Application Data\GlueTypeView
2007-08-19 11:36:17 0 d-------- C:\Program Files\Yahoo!
2007-08-15 20:24:34 532480 -----n--- C:\WINDOWS\system32\PixelChix - Hamster Jam.scr <Not Verified; ScreenTime Media; ScreenTime For Flash>
2007-08-15 17:52:38 0 d-------- C:\Program Files\MSXML 6.0


-- Registry Dump ---------------------------------------------------------------

*Note* empty entries & legit default entries are not shown


[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{733E9132-53CA-4C97-9AC9-145C4502FA20}]
12/09/2007 21:11 44054 --a------ C:\WINDOWS\system32\yaywxwv.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{89AD4D75-2429-462e-BD4E-443F233F6033}]
04/10/2007 20:24 77376 --a------ C:\WINDOWS\system32\oqqsqcyj.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{EF51CC67-7E7A-4989-A2A7-01D7BAACB0A5}]
12/09/2007 21:16 369248 --a------ C:\WINDOWS\system32\sstts.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Recguard"="C:\WINDOWS\SMINST\RECGUARD.EXE" [13/09/2002 21:42]
"SoundMan"="SOUNDMAN.EXE" [01/03/2006 16:22 C:\WINDOWS\soundman.exe]
"Run StartupMonitor"="StartupMonitor.exe" [20/05/2000 17:23 C:\WINDOWS\StartupMonitor.exe]
"avast!"="C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe" [06/09/2007 11:06]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.5.0_08\bin\jusched.exe" [26/07/2006 04:03]
"ZoneAlarm Client"="C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe" [09/03/2007 01:02]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [10/08/2004 20:00]

C:\Documents and Settings\all users.silver\Start Menu\Programs\Startup\
Alienware Dock.lnk - C:\Program Files\AlienGUIse\AlienwareDock\ObjectDock.exe [07/12/2006 18:23:12]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Adobe Gamma Loader.lnk - C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [14/10/2006 14:12:20]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"InstallVisualStyle"=C:\WINDOWS\Resources\Themes\Royale\Royale.msstyles
"InstallTheme"=C:\WINDOWS\Resources\Themes\Royale.theme

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]
"NoRecentDocsMenu"=0 (0x0)
"NoFind"=0 (0x0)
"NoSMHelp"=0 (0x0)
"NoRun"=0 (0x0)
"NoLogoff"=0 (0x0)
"StartMenuLogOff"=0 (0x0)
"NoClose"=0 (0x0)
"NoSetTaskBar"=0 (0x0)
"NoSetFolders"=0 (0x0)
"NoStartMenuMFUprogramsList"=0 (0x0)
"NoStartMenuMorePrograms"=0 (0x0)
"NoChangeStartMenu"=0 (0x0)
"MaxRecentDocs"=15 (0xf)

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"EditLevel"=0 (0x0)
"NoRun"=0 (0x0)
"NoClose"=0 (0x0)
"NoSaveSettings"=0 (0x0)
"NoFileMenu"=0 (0x0)
"NoCommonGroups"=0 (0x0)
"NoStrCmpLogical"=1 (0x1)
"NoRecentDocsMenu"=0 (0x0)
"NoFind"=0 (0x0)
"NoSMHelp"=0 (0x0)
"NoLogoff"=0 (0x0)
"StartMenuLogOff"=0 (0x0)
"NoSetTaskBar"=0 (0x0)
"NoSetFolders"=0 (0x0)
"NoStartMenuMFUprogramsList"=0 (0x0)
"NoStartMenuMorePrograms"=0 (0x0)
"NoChangeStartMenu"=0 (0x0)
"MaxRecentDocs"=15 (0xf)

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
"{733E9132-53CA-4C97-9AC9-145C4502FA20}"= C:\WINDOWS\system32\yaywxwv.dll [12/09/2007 21:11 44054]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\sstts]
C:\WINDOWS\system32\sstts.dll 12/09/2007 21:16 369248 C:\WINDOWS\system32\sstts.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\WB]
C:\Program Files\AlienGUIse\fastload.dll 21/12/2001 00:34 24576 C:\Program Files\AlienGUIse\fastload.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\yaywxwv]
yaywxwv.dll 12/09/2007 21:11 44054 C:\WINDOWS\system32\yaywxwv.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"appinit_dlls"=wbsys.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\aawservice]
@="Service"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ctfmon.exe]
C:\WINDOWS\system32\ctfmon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\EzPrint]
"C:\Program Files\Lexmark 2400 Series\ezprint.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\igfxhkcmd]
C:\WINDOWS\system32\hkcmd.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\igfxtray]
C:\WINDOWS\system32\igfxtray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\KernelFaultCheck]
%systemroot%\system32\dumprep 0 -k

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\lxcrmon.exe]
"C:\Program Files\Lexmark 2400 Series\lxcrmon.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"iPodService"=3 (0x3)
"WZCSVC"=2 (0x2)
"W32Time"=2 (0x2)
"ALG"=3 (0x3)
"WebClient"=2 (0x2)
"VSS"=3 (0x3)
"Themes"=2 (0x2)
"SwPrv"=3 (0x3)
"CiSvc"=3 (0x3)
"FastUserSwitchingCompatibility"=3 (0x3)
"ERSvc"=2 (0x2)
"TrkWks"=2 (0x2)
"Browser"=2 (0x2)
"wuauserv"=2 (0x2)


[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\Z]
AutoRun\command- C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL Info.exe folder.htt 480 480




-- Hosts -----------------------------------------------------------------------

127.0.0.1 bin.errorprotector.com ## added by CiD
127.0.0.1 br.errorsafe.com ## added by CiD
127.0.0.1 br.winantivirus.com ## added by CiD
127.0.0.1 br.winfixer.com ## added by CiD
127.0.0.1 cdn.drivecleaner.com ## added by CiD
127.0.0.1 cdn.errorsafe.com ## added by CiD
127.0.0.1 cdn.winsoftware.com ## added by CiD
127.0.0.1 de.errorsafe.com ## added by CiD
127.0.0.1 de.winantivirus.com ## added by CiD
127.0.0.1 download.cdn.drivecleaner.com ## added by CiD

60 more entries in hosts file.


-- End of Deckard's System Scanner: finished at 2007-10-05 16:24:17 ------------
Attached file: extra.txt (15.6 KB)
__________________
**What the eyes see and the ears hear the mind believes!**
10-05-2007, 04:44 PM   #7
Assistant Manager, TSF Academy; Moderator/Analyst Security Team
Join Date: Jan 2005
Location: Ohio
Posts: 26,798
OS: WinXP and Vista


Re: Adaware SE crashes and computer restarts

We have a bit to take care of here. Please copy this page to Notepad and save to your desktop for reference as you will not have any browsers open while you are carrying out portions of these instructions.

Also be sure to carry out the instructions in the sequence listed below.

***************************************************

Download Combofix and save it to your desktop.

**Note: It is important that it is saved directly to your desktop**

--------------------------------------------------------------------

1. Close any open browsers.

2. Close/disable all anti-virus and anti-malware programs so they do not interfere with the running of ComboFix.

--------------------------------------------------------------------

Uninstall the following via the Add/Remove Panel (Start->(Settings)->Control Panel->Add/Remove Programs)

CiD Help <--this program is known to infect the system with LOP.

--------------------------------------------------------------------

Double click on combofix.exe & follow the prompts.
  • When finished, it will produce a report for you.
  • We'll need to see the C:\ComboFix.txt in your next reply so we can continue cleaning the system.

Note:
Do not mouse-click ComboFix's window while it's running. That may cause it to stall.


--------------------------------------------------------------------

Download fl.zip
  • Extract the contents of the fl.zip to a new folder on Desktop.
  • Within the folder, locate & double-click fl.bat.
  • It should produce a report at c:\findlop.txt. Post the contents of the report in your next reply.
----------------------------------------------------------------------

Run a new scan with HijackThis and save the log.

----------------------------------------------------------------------

Please return with the following:

C:\ComboFix.txt
c:\findlop.txt
New HijackThis log
__________________

Member of ASAP since 2005
Member of UNITE since 2006

"It is one life whether we spend it laughing or weeping." "Take the time to laugh--it is the music of the soul."
10-07-2007, 03:19 PM   #8
Registered User
Join Date: Dec 2006
Posts: 60
OS: XP/FC7


Re: Adaware SE crashes and computer restarts

Combofix

ComboFix 07-10-08 - all users 2007-10-07 21:55:12.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.147 [GMT 1:00]
Running from: C:\Documents and Settings\all users.silver\Desktop\ComboFix.exe
* Created a new restore point
.

((((((((((((((((((((((((( Files Created from 2007-09-08 to 2007-10-08 )))))))))))))))))))))))))))))))
.

2007-10-07 21:53 51,200 --a------ C:\WINDOWS\NirCmd.exe
2007-10-05 16:21 <DIR> d-------- C:\Deckard
2007-10-03 21:25 <DIR> d-------- C:\Program Files\Lavasoft
2007-10-03 21:25 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Lavasoft
2007-10-03 21:24 <DIR> d-------- C:\Program Files\Common Files\Wise Installation Wizard
2007-10-02 20:33 <DIR> d-------- C:\info
2007-10-01 23:00 212 --a------ C:\delete.bat
2007-09-30 00:27 <DIR> d-------- C:\Documents and Settings\Guest\WINDOWS
2007-09-30 00:27 <DIR> d-------- C:\Documents and Settings\Guest\Application Data\SampleView
2007-09-30 00:27 <DIR> d-------- C:\Documents and Settings\Guest\Application Data\CyberLink
2007-09-30 00:27 <DIR> d-------- C:\Documents and Settings\Guest\Application Data\Apple Computer
2007-09-22 18:45 304,160 --a------ C:\StiImg.dat
2007-09-22 18:42 53,248 --a------ C:\WINDOWS\system32\PAStiSvc.exe
2007-09-22 18:41 <DIR> d-------- C:\WINDOWS\PixArt
2007-09-22 18:41 <DIR> d-------- C:\Program Files\Trust
2007-09-22 18:41 <DIR> d-------- C:\Program Files\Common Files\PCCamera
2007-09-15 14:00 <DIR> d-------- C:\Program Files\MSN Messenger
2007-09-12 21:16 109,600 --a------ C:\WINDOWS\system32\sptll.dll

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2007-10-07 14:30 --------- d-------- C:\Program Files\lx_cats
2007-10-04 22:33 --------- d-------- C:\Program Files\TweakGenie
2007-10-04 22:32 --------- d--h----- C:\Program Files\InstallShield Installation Information
2007-10-04 22:32 --------- d-------- C:\Program Files\Activision
2007-10-04 22:31 --------- d-------- C:\Program Files\My Pet Hotel
2007-10-04 22:31 --------- d-------- C:\Program Files\Mindscape
2007-10-04 22:26 --------- d-------- C:\Program Files\Jasc Software Inc
2007-10-04 22:23 --------- d-------- C:\Program Files\eGames
2007-10-04 21:51 --------- d-------- C:\Program Files\AlienGUIse
2007-10-03 21:24 --------- d-------- C:\Documents and Settings\all users.silver\Application Data\Lavasoft
2007-10-02 19:56 --------- d-------- C:\Documents and Settings\all users.silver\Application Data\LimeWire
2007-09-30 08:55 --------- d-------- C:\Documents and Settings\all users.silver\Application Data\AdobeUM
2007-09-06 11:05 94416 --a------ C:\WINDOWS\system32\drivers\aswmon2.sys
2007-09-06 11:05 92848 --a--c--- C:\WINDOWS\system32\drivers\aswmon.sys
2007-09-06 11:03 23152 --a------ C:\WINDOWS\system32\drivers\aswRdr.sys
2007-09-06 11:02 42912 --a------ C:\WINDOWS\system32\drivers\aswTdi.sys
2007-09-06 11:00 26624 --a------ C:\WINDOWS\system32\drivers\aavmker4.sys
2007-09-04 19:34 --------- d-------- C:\Documents and Settings\all users.silver\Application Data\Google
2007-09-04 19:33 --------- d-------- C:\Program Files\Google
2007-09-04 18:44 --------- d-------- C:\Program Files\Play89
2007-08-19 11:54 --------- d-------- C:\Documents and Settings\all users.silver\Application Data\GlueTypeView
2007-08-19 11:36 --------- d-------- C:\Program Files\Yahoo!
2007-08-15 17:52 --------- d-------- C:\Program Files\MSXML 6.0
2007-08-12 21:32 --------- d-------- C:\Documents and Settings\All Users\Application Data\Winferno
2007-01-23 23:14 360448 --a--c--- C:\Program Files\Uninstall My Web Search.dll
2006-10-15 16:23 92 --a--c--- C:\Program Files\Print Files.bat
2006-10-15 16:19 86 --a--c--- C:\Program Files\List Files.bat
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Recguard"="C:\WINDOWS\SMINST\RECGUARD.EXE" [2002-09-13 21:42]
"SoundMan"="SOUNDMAN.EXE" [2006-03-01 16:22 C:\WINDOWS\soundman.exe]
"Run StartupMonitor"="StartupMonitor.exe" [2000-05-20 17:23 C:\WINDOWS\StartupMonitor.exe]
"avast!"="C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe" [2007-09-06 11:06]
"ZoneAlarm Client"="C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe" [2007-03-09 01:02]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-10 20:00]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"InstallVisualStyle"=C:\WINDOWS\Resources\Themes\Royale\Royale.msstyles
"InstallTheme"=C:\WINDOWS\Resources\Themes\Royale.theme

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]
"NoRecentDocsMenu"=0 (0x0)
"NoSMHelp"=0 (0x0)
"NoLogoff"=0 (0x0)
"NoSetTaskBar"=0 (0x0)
"NoSetFolders"=0 (0x0)
"NoStartMenuMFUprogramsList"=0 (0x0)
"NoStartMenuMorePrograms"=0 (0x0)
"NoChangeStartMenu"=0 (0x0)
"MaxRecentDocs"=15 (0xf)

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"EditLevel"=0 (0x0)
"NoFileMenu"=0 (0x0)
"NoCommonGroups"=0 (0x0)
"NoStrCmpLogical"=1 (0x1)
"NoRecentDocsMenu"=0 (0x0)
"NoSMHelp"=0 (0x0)
"NoLogoff"=0 (0x0)
"NoSetTaskBar"=0 (0x0)
"NoSetFolders"=0 (0x0)
"NoStartMenuMFUprogramsList"=0 (0x0)
"NoStartMenuMorePrograms"=0 (0x0)
"NoChangeStartMenu"=0 (0x0)
"MaxRecentDocs"=15 (0xf)

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\WB]
C:\Program Files\AlienGUIse\fastload.dll 2001-12-21 00:34 24576 C:\Program Files\AlienGUIse\fastload.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"appinit_dlls"=wbsys.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ctfmon.exe]
C:\WINDOWS\system32\ctfmon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\EzPrint]
"C:\Program Files\Lexmark 2400 Series\ezprint.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\igfxhkcmd]
C:\WINDOWS\system32\hkcmd.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\igfxtray]
C:\WINDOWS\system32\igfxtray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\KernelFaultCheck]
%systemroot%\system32\dumprep 0 -k

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\lxcrmon.exe]
"C:\Program Files\Lexmark 2400 Series\lxcrmon.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SearchIndexer]
rundll32.exe "C:\WINDOWS\system32\fbbstwju.dll",sitypnow

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
"C:\Program Files\Java\jre1.5.0_08\bin\jusched.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"iPodService"=3 (0x3)
"WZCSVC"=2 (0x2)
"W32Time"=2 (0x2)
"ALG"=3 (0x3)
"WebClient"=2 (0x2)
"VSS"=3 (0x3)
"Themes"=2 (0x2)
"SwPrv"=3 (0x3)
"CiSvc"=3 (0x3)
"FastUserSwitchingCompatibility"=3 (0x3)
"ERSvc"=2 (0x2)
"TrkWks"=2 (0x2)
"Browser"=2 (0x2)
"wuauserv"=2 (0x2)

R2 ehMonitor;Media Center Monitor Service;C:\Program Files\Media Center Diagnostic Kit\Tests\Bin\ehMonitor.exe
S2 Ca533av;Icatch(IV) Video Camera Device;C:\WINDOWS\system32\Drivers\Ca533av.sys
S2 GDI23880;Genesis Video Capture;C:\WINDOWS\system32\drivers\gdi2vid.sys
S2 GDI2BTS;Genesis BDA Transport Capture;C:\WINDOWS\system32\drivers\gdi2bts.sys
S2 GDI2IR;Genesis InfraRed;C:\WINDOWS\system32\drivers\gdi2ir.sys
S2 GDI2XBAR;Genesis Crossbar;C:\WINDOWS\system32\drivers\gdi2xbr.sys
S3 GDI2BDA;Black Gold Signature BDA DVB Tuner/Demod;C:\WINDOWS\system32\drivers\gdi2bda.sys
S3 Hauppauge WinTV-HVR;Hauppauge WinTV-HVR 713X PCI Card;C:\WINDOWS\system32\DRIVERS\HCW713x.sys
S3 PAC207;Trust WB-1400T Webcam;C:\WINDOWS\system32\DRIVERS\pfc027.sys
S3 SE2Bbus;Sony Ericsson Device 043 Driver driver (WDM);C:\WINDOWS\system32\DRIVERS\SE2Bbus.sys
S3 SE2Bmdfl;Sony Ericsson Device 043 USB WMC Modem Filter;C:\WINDOWS\system32\DRIVERS\SE2Bmdfl.sys
S3 SE2Bmdm;Sony Ericsson Device 043 USB WMC Modem Driver;C:\WINDOWS\system32\DRIVERS\SE2Bmdm.sys
S3 SE2Bmgmt;Sony Ericsson Device 043 USB WMC Device Management Drivers (WDM);C:\WINDOWS\system32\DRIVERS\SE2Bmgmt.sys
S3 se2Bnd5;Sony Ericsson Device 043 USB Ethernet Emulation SEMC43 (NDIS);C:\WINDOWS\system32\DRIVERS\se2Bnd5.sys
S3 SE2Bobex;Sony Ericsson Device 043 USB WMC OBEX Interface;C:\WINDOWS\system32\DRIVERS\SE2Bobex.sys
S3 se2Bunic;Sony Ericsson Device 043 USB Ethernet Emulation SEMC43 (WDM);C:\WINDOWS\system32\DRIVERS\se2Bunic.sys
S3 SQLWriter;SQL Server VSS Writer;"c:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe"
S3 USBCamera;Icatch(IV) Still Camera Device;C:\WINDOWS\system32\Drivers\Bulk533.sys

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\Z]
AutoRun\command - C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL Info.exe folder.htt 480 480

.
Contents of the 'Scheduled Tasks' folder
"2007-09-30 08:00:00 C:\WINDOWS\Tasks\rpc.job"
- C:\Program Files\Winferno\RegistryPowerCleaner\RegPowerClean.exe
.
**************************************************************************

catchme 0.3.1169 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-10-08 22:03:04
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

C:\WINDOWS\WindowsShell.Manifest
C:\WINDOWS\WindowsUpdate.log
C:\WINDOWS\winhelp.exe
C:\WINDOWS\winhlp32.exe
C:\WINDOWS\wininit.ini
C:\WINDOWS\winnt.bmp
C:\WINDOWS\winnt256.bmp
C:\WINDOWS\WinSxS
C:\WINDOWS\WMCSetup.log
C:\WINDOWS\WMFDist11.log
C:\WINDOWS\wmp11.log
C:\WINDOWS\wmsetup.log
C:\WINDOWS\wmsetup10.log
C:\WINDOWS\WMSysPr9.prx
C:\WINDOWS\Wudf01000Inst.log
C:\WINDOWS\Zapotec.bmp
C:\WINDOWS\zllsputility.exe
C:\WINDOWS\_default.pif
C:\WINDOWS\~GLH0014.TMP

scan completed successfully
hidden files: 19

**************************************************************************
.
Completion time: 2007-10-08 22:05:35 - machine was rebooted
C:\ComboFix-quarantined-files.txt ... 2007-10-08 22:05
.
--- E O F ---


Findlop

Volume in drive C is Partition_1
Volume Serial Number is 30EF-9CEF

Directory of C:\Documents and Settings\Administrator\Application Data

09/09/2006 12:59 <DIR> Adobe
09/09/2006 12:59 <DIR> Apple Computer
09/09/2006 12:59 <DIR> CyberLink
09/09/2006 12:59 <DIR> Identities
09/09/2006 13:00 <DIR> SampleView
0 File(s) 0 bytes
5 Dir(s) 142,384,324,608 bytes free
Volume in drive C is Partition_1
Volume Serial Number is 30EF-9CEF

Directory of C:\Documents and Settings\All Users\Application Data

30/09/2007 08:58 <DIR> Adobe
09/09/2006 13:00 <DIR> Apple Computer
09/09/2006 13:00 <DIR> CyberLink
18/07/2007 18:48 <DIR> Driving Test Success
10/10/2006 04:12 <DIR> FaxCtr
03/10/2007 21:25 <DIR> Lavasoft
10/10/2006 21:54 <DIR> Microsoft Help
11/10/2006 18:59 <DIR> SpieleEntwicklungsKombinat
17/06/2007 17:03 <DIR> Spybot - Search & Destroy
04/02/2007 21:18 <DIR> Trymedia
05/02/2007 19:19 <DIR> WildTangent
11/01/2007 13:34 <DIR> Windows Genuine Advantage
12/08/2007 21:32 <DIR> Winferno
23/02/2007 22:04 <DIR> Zylom
0 File(s) 0 bytes
14 Dir(s) 142,384,320,512 bytes free
Volume in drive C is Partition_1
Volume Serial Number is 30EF-9CEF

Directory of C:\Documents and Settings\Guest\Application Data

09/09/2006 12:59 <DIR> Adobe
09/09/2006 12:59 <DIR> Apple Computer
09/09/2006 12:59 <DIR> CyberLink
09/09/2006 12:59 <DIR> Identities
30/09/2007 11:59 <DIR> Mozilla
09/09/2006 13:00 <DIR> SampleView
0 File(s) 0 bytes
6 Dir(s) 142,384,320,512 bytes free
Volume in drive C is Partition_1
Volume Serial Number is 30EF-9CEF

Directory of C:\Documents and Settings\Default User\Application Data

20/09/2006 20:03 <DIR> .
20/09/2006 20:03 <DIR> ..
04/02/2006 08:00 62 desktop.ini
1 File(s) 62 bytes
2 Dir(s) 142,384,320,512 bytes free
Volume in drive C is Partition_1
Volume Serial Number is 30EF-9CEF

Directory of C:\Documents and Settings\LocalService\Application Data

Volume in drive C is Partition_1
Volume Serial Number is 30EF-9CEF

Directory of C:\Documents and Settings\NetworkService\Application Data

[TRACE] Enumerating jobs and queues
[TRACE] Activating job 'rpc.job'
[TRACE] Printing all job properties

ApplicationName: 'C:\Program Files\Winferno\RegistryPowerCleaner\RegPowerClean.exe'
Parameters: '/ac '
WorkingDirectory: 'C:\Program Files\Winferno\RegistryPowerCleaner'
Comment: ''
Creator: 'WSTF'
Priority: NORMAL
MaxRunTime: 259200000 (3d 0:00:00)
IdleWait: 10
IdleDeadline: 60
MostRecentRun: 00/00/0000 0:00:00
NextRun: 10/14/2007 9:00:00
StartError: 0x80070003
ExitCode: 0
Status: SCHED_S_TASK_HAS_NOT_RUN
ScheduledWorkItem Flags:
DeleteWhenDone = 0
Suspend = 0
StartOnlyIfIdle = 0
KillOnIdleEnd = 0
RestartOnIdleResume = 0
DontStartIfOnBatteries = 1
KillIfGoingOnBatteries = 0
RunOnlyIfLoggedOn = 1
SystemRequired = 0
Hidden = 0
TaskFlags: 0

1 Trigger

Trigger 0:
Type: Daily
DaysInterval: 7
StartDate: 08/12/2007
EndDate: 00/00/0000
StartTime: 09:00
MinutesDuration: 0
MinutesInterval: 0
Flags:
HasEndDate = 0
KillAtDuration = 0
Disabled = 0


Hijackthis

Logfile of HijackThis v1.99.1
Scan saved at 22:10:16, on 08/10/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16512)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\Program Files\AlienGUIse\wbload.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Media Center Diagnostic Kit\Tests\Bin\ehMonitor.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\slmdmsr.exe
C:\WINDOWS\System32\PAStiSvc.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\WINDOWS\system32\dllhost.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\WINDOWS\StartupMonitor.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\AlienGUIse\AlienwareDock\ObjectDock.exe
C:\WINDOWS\system32\notepad.exe
C:\WINDOWS\system32\notepad.exe
C:\Documents and Settings\all users.silver\Desktop\~D_KrYpTs~ #F1L35#\hijackthis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_08\bin\ssv.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O4 - HKLM\..\Run: [Recguard] C:\WINDOWS\SMINST\RECGUARD.EXE
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [Run StartupMonitor] StartupMonitor.exe
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [ZoneAlarm Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Startup: Alienware Dock.lnk = C:\Program Files\AlienGUIse\AlienwareDock\ObjectDock.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O8 - Extra context menu item: &Search - ?p=ZJfox000
O11 - Options group: [INTERNATIONAL] International*
O14 - IERESET.INF: START_PAGE_URL=http://www.iqon.ie
O16 - DPF: {15B782AF-55D8-11D1-B477-006097098764} (Macromedia Authorware Web Player Control) - http://courses.learndirect.co.uk/pro...er/awswaxf.cab
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
O17 - HKLM\System\CCS\Services\Tcpip\..\{57E675E6-1867-49DB-B52E-79071F46A97D}: NameServer = 192.168.1.1,212.159.11.150
O17 - HKLM\System\CCS\Services\Tcpip\..\{DBED8F7B-7929-47CC-9E4D-A0F9673FAFE1}: NameServer = 192.168.1.1,212.159.11.150
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: ms-help - {314111C7-A502-11D2-BBCA-00C04F8EC294} - C:\Program Files\Common Files\Microsoft Shared\Help\hxds.dll
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxdev.dll
O20 - Winlogon Notify: WB - C:\Program Files\AlienGUIse\fastload.dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe" /service (file missing)
O23 - Service: avast! Web Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe" /service (file missing)
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: lxcr_device - - C:\WINDOWS\system32\lxcrcoms.exe
O23 - Service: SQL Server (SQLEXPRESS) (MSSQL$SQLEXPRESS) - Unknown owner - c:\Program Files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe" -sSQLEXPRESS (file missing)
O23 - Service: SmartLinkService (SLService) - - C:\WINDOWS\SYSTEM32\slmdmsr.exe
O23 - Service: STI Simulator - Unknown owner - C:\WINDOWS\System32\PAStiSvc.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe
__________________
**What the eyes see and the ears hear the mind believes!**
10-07-2007, 08:59 PM   #9
Assistant Manager, TSF Academy; Moderator/Analyst Security Team
Join Date: Jan 2005
Location: Ohio
Posts: 26,798
OS: WinXP and Vista


Re: Adaware SE crashes and computer restarts

Delete the following file:

C:\WINDOWS\system32\sptll.dll

-------------------------------------------------------

Go to Start->Run and type in regedit and hit OK.

Open notepad and copy/paste the entire text in the code box below: (don't forget to copy and paste REGEDIT4)

Code:
REGEDIT4

[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SearchIndexer]
Save the file as "delete.reg". Make sure to save it with the quotes. Choose to "Save type as - All Files"
It should look like this:

Double click on the delete.reg file and choose Yes to merge/add it to the registry. You may delete the file afterwards.

--------------------------------------------------------------------

Please run this online scan to search for any remnants. It can take some time, so please be patient and allow it to run its full course:

Perform an online scan with Internet Explorer with Panda ActiveScan
  1. Click on located at the bottom of the page.
  2. A "pop up" window will appear. * Please ensure that your pop up blocker doesn't block it *
  3. Enter your e-mail address, country, and state & click "Free Online Scan" *The download of the 8 MB Panda's ActiveX control will take place*
Begin the scan by selecting
  • If it finds any malware, it will offer you a report.
  • Please ignore any entry it finds and the offer to buy the program to remove the entry, as we will address this later.
  • Click on then click
* You needn't remain online while it's doing the scan but you have to re-connect after it has finished to see the report.
* Turn off the real time scanner of any existing antivirus program while performing the online scan


--------------------------------------------------------------------

Run a new scan with dss.exe

--------------------------------------------------------------------

Please include the following in your next reply:

C:\ComboFix-quarantined-files.txt
Panda results
main.txt
__________________

Member of ASAP since 2005
Member of UNITE since 2006

"It is one life whether we spend it laughing or weeping." "Take the time to laugh--it is the music of the soul."

Last edited by Ried; 10-07-2007 at 09:00 PM.
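Two of the checks this thread turns on, written up as an added Python example (it is not part of the thread, of ComboFix or of HijackThis): a startup entry that launches a system32 DLL through rundll32, like the SearchIndexer item Ried has just asked to remove, and .dll/.ini files in one directory whose names are mirror images of each other, as in the quarantine listing ComboFix produced here. The sample strings are constructed from lines in this thread; the regexes and function names are the example's own.

```python
"""Two log-triage checks for the kind of entries flagged in this thread.

Both sample strings are constructed from lines in this thread's ComboFix
output; the regexes and function names are this example's own.
"""
import re
from collections import defaultdict
from pathlib import PureWindowsPath

# Constructed: a 'Reg Loading Points' excerpt, one suspicious and one benign entry
SAMPLE_LOADING_POINTS = r"""
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SearchIndexer]
rundll32.exe "C:\WINDOWS\system32\fbbstwju.dll",sitypnow

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\igfxhkcmd]
C:\WINDOWS\system32\hkcmd.exe
"""

# Constructed: a few lines in the format of ComboFix-quarantined-files.txt
SAMPLE_QUARANTINE = r"""
2007-09-12 21:16      369248    --a------    C:\Qoobox\Quarantine\C\WINDOWS\system32\sstts.dll.vir
2007-09-20 19:23      693421    --a------    C:\Qoobox\Quarantine\C\WINDOWS\system32\fgryspdk.ini.vir
2007-09-20 19:23      83008    --a------    C:\Qoobox\Quarantine\C\WINDOWS\system32\kdpsyrgf.dll.vir
2007-10-07 16:41      1358    --a------    C:\Qoobox\Quarantine\C\WINDOWS\cookies.ini.vir
2007-10-08 21:58      891498    --a------    C:\Qoobox\Quarantine\C\WINDOWS\system32\sttss.ini.vir
"""

# rundll32[.exe] "<path>.dll",<export>   (the quotes are optional in the logs)
RUNDLL_RE = re.compile(
    r'rundll32(?:\.exe)?\s+"?([^",]+?\.dll)"?\s*,\s*([A-Za-z0-9_]+)', re.IGNORECASE)
# <date> <time> <size> <attributes> <path>
QUAR_RE = re.compile(r'^(\d{4}-\d{2}-\d{2}) (\d{2}:\d{2})\s+(\d+)\s+(\S+)\s+(.+?)\s*$')


def find_rundll32_loaders(log_text):
    """Return (dll_path, export) for entries that start a system32 DLL via rundll32.

    A legitimate startup item normally points at its own executable; a bare
    DLL under system32 entered through rundll32, as in the SearchIndexer
    entry in this thread, deserves a second look.
    """
    hits = []
    for line in log_text.splitlines():
        m = RUNDLL_RE.search(line)
        if m and "\\system32\\" in m.group(1).lower():
            hits.append((m.group(1), m.group(2)))
    return hits


def find_mirror_pairs(listing_text):
    """Return (dll, ini) file names in the same directory whose stems are
    reverses of each other, e.g. kdpsyrgf.dll next to fgryspdk.ini."""
    by_dir = defaultdict(set)
    for line in listing_text.splitlines():
        m = QUAR_RE.match(line)
        if not m:
            continue
        path = m.group(5)
        if path.lower().endswith(".vir"):   # ComboFix renames quarantined files
            path = path[:-4]
        p = PureWindowsPath(path)
        by_dir[str(p.parent).lower()].add(p.name.lower())
    pairs = []
    for names in by_dir.values():
        for name in names:
            stem, _, ext = name.rpartition(".")
            if ext == "dll" and stem[::-1] + ".ini" in names:
                pairs.append((name, stem[::-1] + ".ini"))
    return sorted(pairs)


if __name__ == "__main__":
    for dll, export in find_rundll32_loaders(SAMPLE_LOADING_POINTS):
        print(f"rundll32 loader: {dll} export {export}")
    for dll, ini in find_mirror_pairs(SAMPLE_QUARANTINE):
        print(f"mirror-named pair: {dll} / {ini}")
```

Run against a full ComboFix log and its quarantine listing, the first check names the rundll32-loaded DLLs and the second pairs every random-named DLL with the companion .ini that shares its reversed name.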
10-09-2007, 12:21 PM   #10
Registered User
Join Date: Dec 2006
Posts: 60
OS: XP/FC7


Re: Adaware SE crashes and computer restarts

ComboFix-quarantined-files

Code:
2007-09-12 21:11      44054    --a------    C:\Qoobox\Quarantine\C\WINDOWS\system32\yaywxwv.dll.vir
2007-09-12 21:12      44054    --a------    C:\Qoobox\Quarantine\C\WINDOWS\system32\ddcbcab.dll.vir
2007-09-12 21:16      369248    --a------    C:\Qoobox\Quarantine\C\WINDOWS\system32\sstts.dll.vir
2007-09-12 21:16      6488    --a------    C:\Qoobox\Quarantine\C\WINDOWS\system32\sttss.bak1.vir
2007-09-20 19:23      693421    --a------    C:\Qoobox\Quarantine\C\WINDOWS\system32\fgryspdk.ini.vir
2007-09-20 19:23      83008    --a------    C:\Qoobox\Quarantine\C\WINDOWS\system32\kdpsyrgf.dll.vir
2007-09-21 20:47      693481    --a------    C:\Qoobox\Quarantine\C\WINDOWS\system32\rslauqnh.ini.vir
2007-09-21 20:47      83008    --a------    C:\Qoobox\Quarantine\C\WINDOWS\system32\hnqualsr.dll.vir
2007-09-23 21:53      83008    --a------    C:\Qoobox\Quarantine\C\WINDOWS\system32\bfkjhrvr.dll.vir
2007-09-23 21:58      693661    --a------    C:\Qoobox\Quarantine\C\WINDOWS\system32\rvrhjkfb.ini.vir
2007-09-25 16:36      294    --a------    C:\Qoobox\Quarantine\C\WINDOWS\system32\vmappekk.ini.vir
2007-09-25 16:36      83008    --a------    C:\Qoobox\Quarantine\C\WINDOWS\system32\kkeppamv.dll.vir
2007-09-26 17:36      83008    --a------    C:\Qoobox\Quarantine\C\WINDOWS\system32\mirbcgua.dll.vir
2007-09-26 21:54      693484    --a------    C:\Qoobox\Quarantine\C\WINDOWS\system32\augcbrim.ini.vir
2007-09-27 17:43      83008    --a------    C:\Qoobox\Quarantine\C\WINDOWS\system32\gukujcwl.dll.vir
2007-09-27 18:43      693431    --a------    C:\Qoobox\Quarantine\C\WINDOWS\system32\lwcjukug.ini.vir
2007-09-28 17:43      83008    --a------    C:\Qoobox\Quarantine\C\WINDOWS\system32\kupgnwea.dll.vir
2007-09-28 17:44      693421    --a------    C:\Qoobox\Quarantine\C\WINDOWS\system32\aewngpuk.ini.vir
2007-09-30 10:01      693652    --a------    C:\Qoobox\Quarantine\C\WINDOWS\system32\vfsyqpio.ini.vir
2007-09-30 10:01      83008    --a------    C:\Qoobox\Quarantine\C\WINDOWS\system32\oipqysfv.dll.vir
2007-09-30 10:38      294    --a------    C:\Qoobox\Quarantine\C\WINDOWS\system32\gkejrsuc.ini.vir
2007-09-30 10:38      83008    --a------    C:\Qoobox\Quarantine\C\WINDOWS\system32\cusrjekg.dll.vir
2007-10-01 17:02      83008    --a------    C:\Qoobox\Quarantine\C\WINDOWS\system32\fjxflerf.dll.vir
2007-10-01 17:44      693961    --a------    C:\Qoobox\Quarantine\C\WINDOWS\system32\frelfxjf.ini.vir
2007-10-02 19:16      294    --a------    C:\Qoobox\Quarantine\C\WINDOWS\system32\gqmlyleh.ini.vir
2007-10-02 19:16      83008    --a------    C:\Qoobox\Quarantine\C\WINDOWS\system32\helylmqg.dll.vir
2007-10-04 20:21      83008    --a------    C:\Qoobox\Quarantine\C\WINDOWS\system32\rwboqyvq.dll.vir
2007-10-04 20:24      77376    --a------    C:\Qoobox\Quarantine\C\WINDOWS\system32\oqqsqcyj.dll.vir
2007-10-04 20:57      693593    --a------    C:\Qoobox\Quarantine\C\WINDOWS\system32\qvyqobwr.ini.vir
2007-10-05 20:25      83008    --a------    C:\Qoobox\Quarantine\C\WINDOWS\system32\fbbstwju.dll.vir
2007-10-05 20:26      294    --a------    C:\Qoobox\Quarantine\C\WINDOWS\system32\ujwtsbbf.ini.vir
2007-10-05 21:28      693412    --a------    C:\Qoobox\Quarantine\C\WINDOWS\system32\ebbxxhyf.ini.vir
2007-10-05 21:28      83008    --a------    C:\Qoobox\Quarantine\C\WINDOWS\system32\fyhxxbbe.dll.vir
2007-10-06 22:46      693481    --a------    C:\Qoobox\Quarantine\C\WINDOWS\system32\rjoapihy.ini.vir
2007-10-06 22:46      83008    --a------    C:\Qoobox\Quarantine\C\WINDOWS\system32\yhipaojr.dll.vir
2007-10-07 16:41      1358    --a------    C:\Qoobox\Quarantine\C\WINDOWS\cookies.ini.vir
2007-10-07 17:37      860072    --a------    C:\Qoobox\Quarantine\C\WINDOWS\system32\sttss.bak2.vir
2007-10-07 17:46      693472    --a------    C:\Qoobox\Quarantine\C\WINDOWS\system32\kujqvwuj.ini.vir
2007-10-07 17:46      83008    --a------    C:\Qoobox\Quarantine\C\WINDOWS\system32\juwvqjuk.dll.vir
2007-10-07 21:55      77376    --a------    C:\Qoobox\Quarantine\C\WINDOWS\system32\emgolewn.dll.vir
2007-10-08 21:58      891498    --a------    C:\Qoobox\Quarantine\C\WINDOWS\system32\sttss.ini.vir
2007-10-08 21:59      309    --a------    C:\Qoobox\Quarantine\catchme.log
2007-10-08 21:59      372700    --a------    C:\Qoobox\Quarantine\catchme2007-10-08_220249.68.zip


Folder PATH listing for volume Partition_1
Volume serial number is 30EF-9CEF
C:\QOOBOX\QUARANTINE
|   catchme.log
|   catchme2007-10-08_220249.68.zip
|   
+---C
|   \---WINDOWS
|       |   cookies.ini.vir
|       |   
|       \---system32
|               aewngpuk.ini.vir
|               augcbrim.ini.vir
|               bfkjhrvr.dll.vir
|               cusrjekg.dll.vir
|               ddcbcab.dll.vir
|               ebbxxhyf.ini.vir
|               emgolewn.dll.vir
|               fbbstwju.dll.vir
|               fgryspdk.ini.vir
|               fjxflerf.dll.vir
|               frelfxjf.ini.vir
|               fyhxxbbe.dll.vir
|               gkejrsuc.ini.vir
|               gqmlyleh.ini.vir
|               gukujcwl.dll.vir
|               helylmqg.dll.vir
|               hnqualsr.dll.vir
|               juwvqjuk.dll.vir
|               kdpsyrgf.dll.vir
|               kkeppamv.dll.vir
|               kujqvwuj.ini.vir
|               kupgnwea.dll.vir
|               lwcjukug.ini.vir
|               mirbcgua.dll.vir
|               oipqysfv.dll.vir
|               oqqsqcyj.dll.vir
|               qvyqobwr.ini.vir
|               rjoapihy.ini.vir
|               rslauqnh.ini.vir
|               rvrhjkfb.ini.vir
|               rwboqyvq.dll.vir
|               sstts.dll.vir
|               sttss.bak1.vir
|               sttss.bak2.vir
|               sttss.ini.vir
|               ujwtsbbf.ini.vir
|               vfsyqpio.ini.vir
|               vmappekk.ini.vir
|               yaywxwv.dll.vir
|               yhipaojr.dll.vir
|               
\---Registry_backups

Panda scan

Incident Status Location

Potentially unwanted tool:application/mywebsearch Not disinfected HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{07B18EAB-A523-4961-B6BB-170DE4475CCA}
Potentially unwanted tool:application/funweb Not disinfected HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{9FF05104-B030-46FC-94B8-81276E4E27DF}
Spyware:Cookie/YieldManager Not disinfected C:\Documents and Settings\all users.silver\Application Data\Mozilla\Firefox\Profiles\ljof80og.default\cookies.txt[ad.yieldmanager.com/]
Spyware:Cookie/Doubleclick Not disinfected C:\Documents and Settings\all users.silver\Application Data\Mozilla\Firefox\Profiles\ljof80og.default\cookies.txt[.doubleclick.net/]
Spyware:Cookie/YieldManager Not disinfected C:\Documents and Settings\all users.silver\Application Data\Mozilla\Firefox\Profiles\ljof80og.default\cookies.txt[ad.yieldmanager.com/]
Spyware:Cookie/Advertising Not disinfected C:\Documents and Settings\all users.silver\Application Data\Mozilla\Firefox\Profiles\ljof80og.default\cookies.txt[.advertising.com/]
Spyware:Cookie/Atlas DMT Not disinfected C:\Documents and Settings\all users.silver\Application Data\Mozilla\Firefox\Profiles\ljof80og.default\cookies.txt[.atdmt.com/]
Spyware:Cookie/2o7 Not disinfected C:\Documents and Settings\all users.silver\Application Data\Mozilla\Firefox\Profiles\ljof80og.default\cookies.txt[.112.2o7.net/]
Spyware:Cookie/2o7 Not disinfected C:\Documents and Settings\all users.silver\Application Data\Mozilla\Firefox\Profiles\ljof80og.default\cookies.txt[.2o7.net/]
Spyware:Cookie/Tradedoubler Not disinfected C:\Documents and Settings\all users.silver\Application Data\Mozilla\Firefox\Profiles\ljof80og.default\cookies.txt[.tradedoubler.com/]
Spyware:Cookie/Apmebf Not disinfected C:\Documents and Settings\all users.silver\Application Data\Mozilla\Firefox\Profiles\ljof80og.default\cookies.txt[.apmebf.com/]
Spyware:Cookie/Mediaplex Not disinfected C:\Documents and Settings\all users.silver\Application Data\Mozilla\Firefox\Profiles\ljof80og.default\cookies.txt[.mediaplex.com/]
Spyware:Cookie/QuestionMarket Not disinfected C:\Documents and Settings\all users.silver\Application Data\Mozilla\Firefox\Profiles\ljof80og.default\cookies.txt[.questionmarket.com/]
Spyware:Cookie/Serving-sys Not disinfected C:\Documents and Settings\all users.silver\Application Data\Mozilla\Firefox\Profiles\ljof80og.default\cookies.txt[.bs.serving-sys.com/]
Spyware:Cookie/Serving-sys Not disinfected C:\Documents and Settings\all users.silver\Application Data\Mozilla\Firefox\Profiles\ljof80og.default\cookies.txt[.serving-sys.com/]
Spyware:Cookie/Adtech Not disinfected C:\Documents and Settings\all users.silver\Application Data\Mozilla\Firefox\Profiles\ljof80og.default\cookies.txt[.adtech.de/]
Spyware:Cookie/Tribalfusion Not disinfected C:\Documents and Settings\all users.silver\Application Data\Mozilla\Firefox\Profiles\ljof80og.default\cookies.txt[.tribalfusion.com/]
Spyware:Cookie/2o7 Not disinfected C:\Documents and Settings\all users.silver\Cookies\all_users@2o7[2].txt
Spyware:Cookie/2o7 Not disinfected C:\Documents and Settings\all users.silver\Cookies\all_users@2o7[3].txt
Spyware:Cookie/YieldManager Not disinfected C:\Documents and Settings\all users.silver\Cookies\all_users@ad.yieldmanager[1].txt
Spyware:Cookie/YieldManager Not disinfected C:\Documents and Settings\all users.silver\Cookies\all_users@ad.yieldmanager[2].txt
Spyware:Cookie/YieldManager Not disinfected C:\Documents and Settings\all users.silver\Cookies\all_users@ad.yieldmanager[3].txt
Spyware:Cookie/Adrevolver Not disinfected C:\Documents and Settings\all users.silver\Cookies\all_users@adrevolver[2].txt
Spyware:Cookie/PointRoll Not disinfected C:\Documents and Settings\all users.silver\Cookies\all_users@ads.pointroll[1].txt
Spyware:Cookie/Adtech Not disinfected C:\Documents and Settings\all users.silver\Cookies\all_users@adtech[1].txt
Spyware:Cookie/Atlas DMT Not disinfected C:\Documents and Settings\all users.silver\Cookies\all_users@atdmt[2].txt
Spyware:Cookie/Atlas DMT Not disinfected C:\Documents and Settings\all users.silver\Cookies\all_users@atdmt[3].txt
Spyware:Cookie/Azjmp Not disinfected C:\Documents and Settings\all users.silver\Cookies\all_users@azjmp[1].txt
Spyware:Cookie/Serving-sys Not disinfected C:\Documents and Settings\all users.silver\Cookies\all_users@bs.serving-sys[1].txt
Spyware:Cookie/Doubleclick Not disinfected C:\Documents and Settings\all users.silver\Cookies\all_users@doubleclick[1].txt
Spyware:Cookie/Doubleclick Not disinfected C:\Documents and Settings\all users.silver\Cookies\all_users@doubleclick[2].txt
Spyware:Cookie/Doubleclick Not disinfected C:\Documents and Settings\all users.silver\Cookies\all_users@doubleclick[3].txt
Spyware:Cookie/Mediaplex Not disinfected C:\Documents and Settings\all users.silver\Cookies\all_users@mediaplex[1].txt
Spyware:Cookie/QuestionMarket Not disinfected C:\Documents and Settings\all users.silver\Cookies\all_users@questionmarket[1].txt
Spyware:Cookie/Server.iad.Liveperson Not disinfected C:\Documents and Settings\all users.silver\Cookies\all_users@server.iad.liveperson[1].txt
Spyware:Cookie/Server.iad.Liveperson Not disinfected C:\Documents and Settings\all users.silver\Cookies\all_users@server.iad.liveperson[2].txt
Spyware:Cookie/Statcounter Not disinfected C:\Documents and Settings\all users.silver\Cookies\all_users@statcounter[1].txt
Spyware:Cookie/Reliablestats Not disinfected C:\Documents and Settings\all users.silver\Cookies\all_users@stats1.reliablestats[1].txt
Spyware:Cookie/Tradedoubler Not disinfected C:\Documents and Settings\all users.silver\Cookies\all_users@tradedoubler[2].txt
Spyware:Cookie/Tradedoubler Not disinfected C:\Documents and Settings\all users.silver\Cookies\all_users@tradedoubler[3].txt
Spyware:Cookie/Zedo Not disinfected C:\Documents and Settings\all users.silver\Cookies\all_users@zedo[1].txt
Potentially unwanted tool:Application/NirCmd.A Not disinfected C:\Documents and Settings\all users.silver\Desktop\ComboFix.exe[nircmd.exe]
Potentially unwanted tool:Application/NirCmd.A Not disinfected C:\Documents and Settings\all users.silver\Desktop\ComboFix.exe[nircmd.cfexe]
Potentially unwanted tool:Application/NirCmd.A Not disinfected C:\Documents and Settings\all users.silver\Local Settings\Application Data\Mozilla\Firefox\Profiles\ljof80og.default\Cache\7ED6F4AAd01[nircmd.exe]
Potentially unwanted tool:Application/NirCmd.A Not disinfected C:\Documents and Settings\all users.silver\Local Settings\Application Data\Mozilla\Firefox\Profiles\ljof80og.default\Cache\7ED6F4AAd01[nircmd.cfexe]
Potentially unwanted tool:Application/MyWebSearch Not disinfected C:\Program Files\Uninstall My Web Search.dll
Spyware:Spyware/Virtumonde Not disinfected C:\qoobox\Quarantine\C\WINDOWS\system32\ddcbcab.dll.vir
Spyware:Spyware/Virtumonde Not disinfected C:\qoobox\Quarantine\catchme2007-10-08_220249.68.zip[yaywxwv.dll]
Potentially unwanted tool:Application/NirCmd.A Not disinfected C:\WINDOWS\NirCmd.exe


Main.txt

Deckard's System Scanner v20070905.67
Run by all users on 2007-10-10 18:58:45
Computer is in Normal Mode.
--------------------------------------------------------------------------------

Total Physical Memory: 495 MiB (512 MiB recommended).


-- HijackThis (run as all users.exe) -------------------------------------------

Unable to find log (file not found); running clone.
-- HijackThis Clone ------------------------------------------------------------

Emulating logfile of HijackThis v1.99.1
Scan saved at 2007-10-10 18:58:48
Platform: Windows XP Service Pack 2 (5.01.2600)
MSIE: Internet Explorer (7.00.6000.16512)

Running processes:
C:\WINDOWS\system32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\Program Files\AlienGUIse\wbload.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Media Center Diagnostic Kit\Tests\Bin\ehMonitor.exe
C:\WINDOWS\ehome\ehrecvr.exe
C:\WINDOWS\ehome\ehSched.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\slmdmsr.exe
C:\WINDOWS\system32\PAStiSvc.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\dllhost.exe
C:\WINDOWS\soundman.exe
C:\WINDOWS\StartupMonitor.exe
C:\Program Files\Alwil Software\Avast4\ashDisp.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\AlienGUIse\AlienwareDock\ObjectDock.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Documents and Settings\all users.silver\Desktop\~D_KrYpTs~ #F1L35#\tools\dss.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://home.microsoft.com/access/autosearch.asp?p=%s
R1 - HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_08\bin\ssv.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O4 - HKEY_LOCAL_MACHINE\..\Run: [Recguard] C:\WINDOWS\SMINST\RECGUARD.EXE
O4 - HKEY_LOCAL_MACHINE\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKEY_LOCAL_MACHINE\..\Run: [Run StartupMonitor] StartupMonitor.exe
O4 - HKEY_LOCAL_MACHINE\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKEY_LOCAL_MACHINE\..\Run: [ZoneAlarm Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Startup: Alienware Dock.lnk = C:\Program Files\AlienGUIse\AlienwareDock\ObjectDock.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O8 - Extra context menu item: &Search - ?p=ZJfox000
O16 - DPF: {15B782AF-55D8-11D1-B477-006097098764} (Macromedia Authorware Web Player Control) - http://courses.learndirect.co.uk/pro...er/awswaxf.cab
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/actives...ree/asinst.cab
O17 - HKLM\SYSTEM\CCS\Services\Tcpip\..\{57E675E6-1867-49DB-B52E-79071F46A97D}: NameServer = 192.168.1.1,212.159.11.150
O17 - HKLM\SYSTEM\CCS\Services\Tcpip\..\{60A1B07B-5116-4755-A6E2-4B352E89E406}: NameServer = 212.139.132.20 212.139.132.21
O17 - HKLM\SYSTEM\CCS\Services\Tcpip\..\{DBED8F7B-7929-47CC-9E4D-A0F9673FAFE1}: NameServer = 192.168.1.1,212.159.11.150
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\Program Files\MSN Messenger\msgrapp.8.1.0178.00.dll
O18 - Protocol: ms-help - {314111c7-a502-11d2-bbca-00c04f8ec294} - C:\Program Files\Common Files\Microsoft Shared\Help\hxds.dll
O18 - Protocol: ms-itss - {0A9007C0-4076-11D3-8789-0000F8105754} - C:\Program Files\Common Files\Microsoft Shared\Information Retrieval\msitss.dll
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\Program Files\MSN Messenger\msgrapp.8.1.0178.00.dll
O20 - AppInit_DLLs: wbsys.dll
O20 - Winlogon Notify: WB - C:\Program Files\AlienGUIse\fastload.dll
O22 - SharedTaskScheduler: blippers - {f2efa195-4785-4db1-9316-b48c64bb71da} - (no file)
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - "C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe"
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe


-- Files created between 2007-09-10 and 2007-10-10 -----------------------------

2007-10-03 21:25:28 0 d-------- C:\Program Files\Lavasoft
2007-10-03 21:25:27 0 d-------- C:\Documents and Settings\All Users\Application Data\Lavasoft
2007-10-03 21:24:42 0 d-------- C:\Program Files\Common Files\Wise Installation Wizard
2007-10-02 20:33:28 0 d-------- C:\info
2007-10-01 23:00:33 212 --a------ C:\delete.bat
2007-09-30 11:59:24 0 d-------- C:\Documents and Settings\Guest\Application Data\Mozilla
2007-09-30 08:58:45 0 d-------- C:\Documents and Settings\All Users\Application Data\Adobe
2007-09-30 00:27:11 0 d-------- C:\Documents and Settings\Guest\WINDOWS
2007-09-30 00:27:11 0 d--h----- C:\Documents and Settings\Guest\Templates
2007-09-30 00:27:11 0 dr------- C:\Documents and Settings\Guest\Start Menu
2007-09-30 00:27:11 0 dr-h----- C:\Documents and Settings\Guest\SendTo
2007-09-30 00:27:11 0 dr-h----- C:\Documents and Settings\Guest\Recent
2007-09-30 00:27:11 0 d--h----- C:\Documents and Settings\Guest\PrintHood
2007-09-30 00:27:11 0 d--h----- C:\Documents and Settings\Guest\NetHood
2007-09-30 00:27:11 0 dr------- C:\Documents and Settings\Guest\My Documents
2007-09-30 00:27:11 0 d--h----- C:\Documents and Settings\Guest\Local Settings
2007-09-30 00:27:11 0 dr------- C:\Documents and Settings\Guest\Favorites
2007-09-30 00:27:11 0 d-------- C:\Documents and Settings\Guest\Desktop
2007-09-30 00:27:11 0 d--hs---- C:\Documents and Settings\Guest\Cookies
2007-09-30 00:27:11 0 dr-h----- C:\Documents and Settings\Guest\Application Data
2007-09-30 00:27:11 0 d-------- C:\Documents and Settings\Guest\Application Data\SampleView
2007-09-30 00:27:11 0 d---s---- C:\Documents and Settings\Guest\Application Data\Microsoft
2007-09-30 00:27:11 0 d-------- C:\Documents and Settings\Guest\Application Data\Identities
2007-09-30 00:27:11 0 d-------- C:\Documents and Settings\Guest\Application Data\CyberLink
2007-09-30 00:27:11 0 d-------- C:\Documents and Settings\Guest\Application Data\Apple Computer
2007-09-30 00:27:11 0 d-------- C:\Documents and Settings\Guest\Application Data\Adobe
2007-09-30 00:27:10 1572864 --ah----- C:\Documents and Settings\Guest\NTUSER.DAT
2007-09-22 18:45:27 304160 --a------ C:\StiImg.dat
2007-09-22 18:41:44 0 d-------- C:\WINDOWS\PixArt
2007-09-22 18:41:43 0 d-------- C:\Program Files\Trust
2007-09-22 18:41:43 0 d-------- C:\Program Files\Common Files\PCCamera
2007-09-15 14:00:10 0 d-------- C:\Program Files\MSN Messenger


-- Find3M Report ---------------------------------------------------------------

2007-10-10 18:23:52 0 d-------- C:\Program Files\AlienGUIse
2007-10-07 14:30:14 0 d-------- C:\Program Files\lx_cats
2007-10-04 22:33:10 0 d-------- C:\Program Files\TweakGenie
2007-10-04 22:32:14 0 d--h----- C:\Program Files\InstallShield Installation Information
2007-10-04 22:32:12 0 d-------- C:\Program Files\Activision
2007-10-04 22:31:30 0 d-------- C:\Program Files\My Pet Hotel
2007-10-04 22:31:30 0 d-------- C:\Program Files\Mindscape
2007-10-04 22:26:58 0 d-------- C:\Program Files\Jasc Software Inc
2007-10-04 22:23:39 0 d-------- C:\Program Files\eGames
2007-10-03 21:24:42 0 d-------- C:\Program Files\Common Files
2007-10-03 21:24:23 0 d-------- C:\Documents and Settings\all users.silver\Application Data\Lavasoft
2007-10-02 19:56:59 0 d-------- C:\Documents and Settings\all users.silver\Application Data\LimeWire
2007-10-01 17:11:36 5060 --a------ C:\Documents and Settings\all users.silver\Application Data\wklnhst.dat
2007-09-30 08:55:47 0 d-------- C:\Documents and Settings\all users.silver\Application Data\AdobeUM
2007-09-04 19:34:22 0 d-------- C:\Documents and Settings\all users.silver\Application Data\Google
2007-09-04 19:33:27 0 d-------- C:\Program Files\Google
2007-09-04 18:44:16 0 d-------- C:\Program Files\Play89
2007-08-19 11:54:27 0 d-------- C:\Documents and Settings\all users.silver\Application Data\GlueTypeView
2007-08-19 11:36:17 0 d-------- C:\Program Files\Yahoo!
2007-08-15 20:24:34 532480 --a------ C:\WINDOWS\system32\PixelChix - Hamster Jam.scr <Not Verified; ScreenTime Media; ScreenTime For Flash>
2007-08-15 17:52:38 0 d-------- C:\Program Files\MSXML 6.0


-- Registry Dump ---------------------------------------------------------------

*Note* empty entries & legit default entries are not shown


[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Recguard"="C:\WINDOWS\SMINST\RECGUARD.EXE" [13/09/2002 21:42]
"SoundMan"="SOUNDMAN.EXE" [01/03/2006 16:22 C:\WINDOWS\soundman.exe]
"Run StartupMonitor"="StartupMonitor.exe" [20/05/2000 17:23 C:\WINDOWS\StartupMonitor.exe]
"avast!"="C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe" [06/09/2007 11:06]
"ZoneAlarm Client"="C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe" [09/03/2007 01:02]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [10/08/2004 20:00]

C:\Documents and Settings\all users.silver\Start Menu\Programs\Startup\
Alienware Dock.lnk - C:\Program Files\AlienGUIse\AlienwareDock\ObjectDock.exe [07/12/2006 18:23:12]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Adobe Gamma Loader.lnk - C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [14/10/2006 14:12:20]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"InstallVisualStyle"=C:\WINDOWS\Resources\Themes\Royale\Royale.msstyles
"InstallTheme"=C:\WINDOWS\Resources\Themes\Royale.theme

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]
"NoRecentDocsMenu"=0 (0x0)
"NoSMHelp"=0 (0x0)
"NoLogoff"=0 (0x0)
"NoSetTaskBar"=0 (0x0)
"NoSetFolders"=0 (0x0)
"NoStartMenuMFUprogramsList"=0 (0x0)
"NoStartMenuMorePrograms"=0 (0x0)
"NoChangeStartMenu"=0 (0x0)
"MaxRecentDocs"=15 (0xf)

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"EditLevel"=0 (0x0)
"NoFileMenu"=0 (0x0)
"NoCommonGroups"=0 (0x0)
"NoStrCmpLogical"=1 (0x1)
"NoRecentDocsMenu"=0 (0x0)
"NoSMHelp"=0 (0x0)
"NoLogoff"=0 (0x0)
"NoSetTaskBar"=0 (0x0)
"NoSetFolders"=0 (0x0)
"NoStartMenuMFUprogramsList"=0 (0x0)
"NoStartMenuMorePrograms"=0 (0x0)
"NoChangeStartMenu"=0 (0x0)
"MaxRecentDocs"=15 (0xf)

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\WB]
C:\Program Files\AlienGUIse\fastload.dll 21/12/2001 00:34 24576 C:\Program Files\AlienGUIse\fastload.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"appinit_dlls"=wbsys.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\aawservice]
@="Service"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ctfmon.exe]
C:\WINDOWS\system32\ctfmon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\EzPrint]
"C:\Program Files\Lexmark 2400 Series\ezprint.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\igfxhkcmd]
C:\WINDOWS\system32\hkcmd.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\igfxtray]
C:\WINDOWS\system32\igfxtray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\KernelFaultCheck]
%systemroot%\system32\dumprep 0 -k

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\lxcrmon.exe]
"C:\Program Files\Lexmark 2400 Series\lxcrmon.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
"C:\Program Files\Java\jre1.5.0_08\bin\jusched.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"iPodService"=3 (0x3)
"WZCSVC"=2 (0x2)
"W32Time"=2 (0x2)
"ALG"=3 (0x3)
"WebClient"=2 (0x2)
"VSS"=3 (0x3)
"Themes"=2 (0x2)
"SwPrv"=3 (0x3)
"CiSvc"=3 (0x3)
"FastUserSwitchingCompatibility"=3 (0x3)
"ERSvc"=2 (0x2)
"TrkWks"=2 (0x2)
"Browser"=2 (0x2)
"wuauserv"=2 (0x2)


[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\Z]
AutoRun\command- C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL Info.exe folder.htt 480 480




-- End of Deckard's System Scanner: finished at 2007-10-10 18:59:46 ------------

2007-08-19 11:36:17 0 d-------- C:\Program Files\Yahoo!
2007-08-15 20:24:34 532480 --a------ C:\WINDOWS\system32\PixelChix - Hamster Jam.scr <Not Verified; ScreenTime Media; ScreenTime For Flash>
2007-08-15 17:52:38 0 d-------- C:\Program Files\MSXML 6.0


-- Registry Dump ---------------------------------------------------------------

*Note* empty entries & legit default entries are not shown


[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Recguard"="C:\WINDOWS\SMINST\RECGUARD.EXE" [13/09/2002 21:42]
"SoundMan"="SOUNDMAN.EXE" [01/03/2006 16:22 C:\WINDOWS\soundman.exe]
"Run StartupMonitor"="StartupMonitor.exe" [20/05/2000 17:23 C:\WINDOWS\StartupMonitor.exe]
"avast!"="C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe" [06/09/2007 11:06]
"ZoneAlarm Client"="C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe" [09/03/2007 01:02]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [10/08/2004 20:00]

C:\Documents and Settings\all users.silver\Start Menu\Programs\Startup\
Alienware Dock.lnk - C:\Program Files\AlienGUIse\AlienwareDock\ObjectDock.exe [07/12/2006 18:23:12]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Adobe Gamma Loader.lnk - C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [14/10/2006 14:12:20]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"InstallVisualStyle"=C:\WINDOWS\Resources\Themes\Royale\Royale.msstyles
"InstallTheme"=C:\WINDOWS\Resources\Themes\Royale.theme

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]
"NoRecentDocsMenu"=0 (0x0)
"NoSMHelp"=0 (0x0)
"NoLogoff"=0 (0x0)
"NoSetTaskBar"=0 (0x0)
"NoSetFolders"=0 (0x0)
"NoStartMenuMFUprogramsList"=0 (0x0)
"NoStartMenuMorePrograms"=0 (0x0)
"NoChangeStartMenu"=0 (0x0)
"MaxRecentDocs"=15 (0xf)

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"EditLevel"=0 (0x0)
"NoFileMenu"=0 (0x0)
"NoCommonGroups"=0 (0x0)
"NoStrCmpLogical"=1 (0x1)
"NoRecentDocsMenu"=0 (0x0)
"NoSMHelp"=0 (0x0)
"NoLogoff"=0 (0x0)
"NoSetTaskBar"=0 (0x0)
"NoSetFolders"=0 (0x0)
"NoStartMenuMFUprogramsList"=0 (0x0)
"NoStartMenuMorePrograms"=0 (0x0)
"NoChangeStartMenu"=0 (0x0)
"MaxRecentDocs"=15 (0xf)

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\WB]
C:\Program Files\AlienGUIse\fastload.dll 21/12/2001 00:34 24576 C:\Program Files\AlienGUIse\fastload.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"appinit_dlls"=wbsys.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\aawservice]
@="Service"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ctfmon.exe]
C:\WINDOWS\system32\ctfmon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\EzPrint]
"C:\Program Files\Lexmark 2400 Series\ezprint.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\igfxhkcmd]
C:\WINDOWS\system32\hkcmd.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\igfxtray]
C:\WINDOWS\system32\igfxtray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\KernelFaultCheck]
%systemroot%\system32\dumprep 0 -k

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\lxcrmon.exe]
"C:\Program Files\Lexmark 2400 Series\lxcrmon.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
"C:\Program Files\Java\jre1.5.0_08\bin\jusched.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"iPodService"=3 (0x3)
"WZCSVC"=2 (0x2)
"W32Time"=2 (0x2)
"ALG"=3 (0x3)
"WebClient"=2 (0x2)
"VSS"=3 (0x3)
"Themes"=2 (0x2)
"SwPrv"=3 (0x3)
"CiSvc"=3 (0x3)
"FastUserSwitchingCompatibility"=3 (0x3)
"ERSvc"=2 (0x2)
"TrkWks"=2 (0x2)
"Browser"=2 (0x2)
"wuauserv"=2 (0x2)


[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\Z]
AutoRun\command- C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL Info.exe folder.htt 480 480




-- End of Deckard's System Scanner: finished at 2007-10-10 18:59:46 ------------
__________________
**What the eyes see and the ears hear the mind believes!**
Old 10-10-2007, 09:22 PM   #11 (permalink)
Assistant Manager, TSF Academy; Moderator/Analyst Security Team
 
Join Date: Jan 2005
Location: Ohio
Posts: 26,798
OS: WinXP and Vista


Re: Adaware SE crashes and computer restarts

Please copy this page to Notepad and save to your desktop for reference as you will not have any browsers open while you are carrying out portions of these instructions.

Also be sure to carry out the instructions in the sequence listed below.

***************************************************

Please download ATF Cleaner by Atribune.

--------------------------------------------------------------------

Close any open browsers.

--------------------------------------------------------------------

Open HijackThis and click on 'Do a System Scan Only'. 'Check' the following entries:

O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O8 - Extra context menu item: &Search - ?p=ZJfox000
O22 - SharedTaskScheduler: blippers - {f2efa195-4785-4db1-9316-b48c64bb71da} - (no file)


Click 'Fix Checked' and close HijackThis.

--------------------------------------------------------------------

Double-click ATF-Cleaner.exe to run the program.
  • Under Main choose: Select All
    Click the Empty Selected button.
If you use Firefox browser
  • Click Firefox at the top and choose: Select All
    Click the Empty Selected button.
    NOTE: If you would like to keep your saved passwords, please click No at the prompt.
If you use Opera browser
  • Click Opera at the top and choose: Select All
    Click the Empty Selected button.
    NOTE: If you would like to keep your saved passwords, please click No at the prompt.
Click Exit on the Main menu to close the program.
For Technical Support, double-click the e-mail address located at the bottom of each menu.

--------------------------------------------------------------------

Go to Start->Run and type in regedit and hit OK.

Open notepad and copy/paste the entire text in the quotebox below: (don't forget to copy and paste REGEDIT4)

Quote:
REGEDIT4

[-HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{07B18EAB-A523-4961-B6BB-170DE4475CCA}]

[-HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{9FF05104-B030-46FC-94B8-81276E4E27DF}]
Save the file as "delete.reg". Make sure to save it with the quotes. Choose to "Save type as - All Files"
It should look like this:

Double click on the delete.reg file and choose Yes to merge/add it to the registry. You may delete the file afterwards.

--------------------------------------------------------------------

Reboot your system.

--------------------------------------------------------------------

You should be good to go now. If there aren't any more problems, please continue with these final instructions.

The following procedure will clear out the tools we've used as well as the backups and quarantines created by the fix. It will also reset your System Restore by flushing out previous restore points (which contain the infections) and create a new restore point.

Click Start > Run and copy/paste, or type the following bolded text into the Run box and click OK:

ComboFix /u

--------------------------------------------------------------------


To help protect your computer in the future I recommend that you get the following free programs if you do not already have them:

McAfee Site Advisor--free version. The folks there check out websites and based on their findings, rate it as Safe, Unknown, Caution, or Bad.

SpywareBlaster 3.5.1 to help prevent spyware from installing in the first place. Install & update SpywareBlaster with the latest definitions. After you have updated, click the button - enable protection for all unprotected items.
  • It will block any bad ActiveX from running in Internet Explorer and Firefox if it's listed in their database (which you should update frequently). To view their database and list of restricted sites, launch the program and click on each of the tabs on the main display page.

IESpyAD Zoned Out to block access to malicious websites so you cannot be redirected to them from an infected site or email. This severely impairs attempts to infect your system as it basically prevents any downloads (Cookies etc) from the sites listed, although you will still be able to connect to the sites.


Update, and scan with your onboard Anti Malware and Anti Virus programs regularly. Without regular updates you will not be protected when new malicious programs are released.


In light of your recent issue, I'm sure you'd like to avoid any future infections. Please take a look at these well written articles:

PC Safety and Security--What Do I Need?

HOW DID I GET INFECTED IN THE FIRST PLACE? by Tony Klein
THE ANTI-SPYWARE TUTORIAL
MAKING INTERNET EXPLORER SAFER
Understanding and Using Firewalls

**Be very wary with any security software that is advertised in popups or in other ways. They are not only usually of no use, but often have malware in them.

-----------------------------------------------------

Follow the list above and the potential for infection will reduce dramatically.

*Please respond one more time so we can mark this as resolved.
__________________

Member of ASAP since 2005
Member of UNITE since 2006

"It is one life whether we spend it laughing or weeping." "Take the time to laugh--it is the music of the soul."
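As an added example (not code from this thread, from HijackThis or from Deckard's System Scanner), here is a small Python triage script for the kind of "Oxx" lines shown above: the O23 service lines at the top of the log and the O2/O8/O22 entries ticked for 'Fix Checked'. It sorts entries into those whose target is "(no file)" (the component is still registered but its file is gone, which is what the three ticked entries have in common), those whose target is not a local path (the O8 item pointing at "?p=ZJfox000"), and plain file references that still need the file itself checked, and it builds the same REGEDIT4 deletion text the fix merges. The sample lines and the two Ext\Stats keys are copied from this thread; the verdict names and function names are this example's own.

```python
"""Triage helper for HijackThis-style log lines.

Added example: not code from the thread, from HijackThis or from
Deckard's System Scanner.  It parses 'Oxx - Kind: ...' lines, sorts them
into orphans ('(no file)'), non-local targets and plain file references,
and writes the REGEDIT4 text that deletes a list of registry keys.
SAMPLE_LINES are copied from this thread; REG_KEYS are the two Ext/Stats
CLSID keys the fix removes.
"""
import re
from dataclasses import dataclass
from typing import Dict, Iterable, List, Optional

# 'O2 - BHO: rest' -> section, kind, rest (the first ': ' ends the kind)
HJT_LINE = re.compile(r"^(O\d+) - ([^:]+): (.*)$")
# Braced CLSID/GUID, e.g. {7E853D72-626A-48EC-A868-BA8D5E23E045}
CLSID_RE = re.compile(r"\{[0-9A-Fa-f]{8}(?:-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}")
# Local path: optional opening quote, drive letter, colon, backslash
LOCAL_PATH_RE = re.compile(r'^"?[A-Za-z]:\\')

SAMPLE_LINES = [  # copied from the log and the fix list in this thread
    "O23 - Service: iPodService - Apple Computer, Inc. - C:\\Program Files\\iPod\\bin\\iPodService.exe",
    "O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)",
    "O8 - Extra context menu item: &Search - ?p=ZJfox000",
    "O22 - SharedTaskScheduler: blippers - {f2efa195-4785-4db1-9316-b48c64bb71da} - (no file)",
    "Running processes:",  # not an O-line; skipped by the parser
]

REG_KEYS = [
    r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{07B18EAB-A523-4961-B6BB-170DE4475CCA}",
    r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{9FF05104-B030-46FC-94B8-81276E4E27DF}",
]


@dataclass
class HjtEntry:
    section: str            # "O2", "O8", "O22", "O23", ...
    kind: str               # "BHO", "Extra context menu item", "Service", ...
    name: str               # first ' - ' separated field after the kind
    clsid: Optional[str]    # braced CLSID if one appears in the line
    target: str             # last field: a path, a URL/query string, or "(no file)"


def parse_hjt_line(line: str) -> Optional[HjtEntry]:
    """Parse one HJT 'Oxx' line; return None for any other line."""
    m = HJT_LINE.match(line.strip())
    if not m:
        return None
    section, kind, rest = m.groups()
    fields = [f.strip() for f in rest.split(" - ")]
    clsid = CLSID_RE.search(rest)
    return HjtEntry(section, kind, fields[0],
                    clsid.group(0) if clsid else None, fields[-1])


def classify(entry: HjtEntry) -> str:
    """Coarse verdict: 'orphan', 'non-local' or 'file'."""
    if entry.target == "(no file)":
        return "orphan"        # still registered, but the file is gone
    if not LOCAL_PATH_RE.match(entry.target):
        return "non-local"     # e.g. an O8 item whose target is a query string
    return "file"              # points at a local file; verify that file itself


def triage(lines: Iterable[str]) -> Dict[str, List[HjtEntry]]:
    """Group parsed entries by verdict; lines that are not O-lines are dropped."""
    out: Dict[str, List[HjtEntry]] = {"orphan": [], "non-local": [], "file": []}
    for line in lines:
        entry = parse_hjt_line(line)
        if entry is not None:
            out[classify(entry)].append(entry)
    return out


def make_delete_reg(keys: Iterable[str]) -> str:
    """REGEDIT4 text that deletes each key: one '[-KEY]' header per key."""
    body = "\n\n".join(f"[-{key}]" for key in keys)
    return "REGEDIT4\n\n" + body + "\n"


if __name__ == "__main__":
    for verdict, entries in triage(SAMPLE_LINES).items():
        for e in entries:
            print(f"{verdict:9s} {e.section:4s} {e.kind}: {e.name} -> {e.target}")
    print(make_delete_reg(REG_KEYS))
```

An "orphan" verdict only says the registered file is missing; ticking it in HijackThis removes a dead pointer and is the low-risk part of a fix. A "file" verdict says nothing about whether the file is clean, so the path still has to be checked (vendor, signature, scan result) before it is left alone.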
Old 10-11-2007, 11:39 AM   #12 (permalink)
Registered User
 
Join Date: Dec 2006
Posts: 60
OS: XP/FC7


Re: Adaware SE crashes and computer restarts

I have done everything requested. I will now run numerous scans to finalize. If you want to have a look at fresh logs afterwards, please reply; if not, then resolve this thread.
Thank you for your help.
__________________
**What the eyes see and the ears hear the mind believes!**
 


Copyright 2001 - 2009, Tech Support Forum