Old 11-24-2007, 06:01 PM   #1 (permalink)
Registered User
 
Join Date: Aug 2007
Posts: 15
OS: xp


Unwanted Sys 32 files

I downloaded a program yesterday only to see a different program (malware watch or some bs like that) on my desktop. After a period of cursing at my computer I went to work on trying to clean the virus or at least prevent it from doing too much damage. What I've found is 2 files in my System 32 that are causing problems. The files are fccawwt.dll and mljjk.dll. Past experiences have taught me what the outcome of trying to deal with these things by myself is. So I decided to come on here and get it before it becomes a major problem.

Here is my HJT log from DSS:

Deckard's System Scanner v20071014.68
Run by Spencer on 2007-11-24 18:59:39
Computer is in Normal Mode.
--------------------------------------------------------------------------------



-- HijackThis (run as Spencer.exe) ---------------------------------------------

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 6:59:40 PM, on 11/24/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16544)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\Program Files\Microsoft IntelliPoint\ipoint.exe
C:\WINDOWS\RTHDCPL.EXE
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe
C:\Program Files\BillP Studios\WinPatrol\winpatrol.exe
C:\WINDOWS\SnoopFreeUI.exe
C:\Program Files\QuickTime\qttask.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\Winamp Remote\bin\OrbTray.exe
C:\Program Files\DAEMON Tools\daemon.exe
C:\Program Files\AdVantage\AdVantage.exe
C:\Program Files\Winamp Remote\bin\Orb.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\Program Files\ATI\Catalyst Media Center\Kernel\TV\CLCapSvc.exe
C:\Program Files\ATI\Catalyst Media Center\Kernel\CLML_NTService\CLMLServer.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\NVIDIA Corporation\nTune\nTuneService.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\ATI\Catalyst Media Center\Kernel\TV\CLSched.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\internet explorer\iexplore.exe
C:\Documents and Settings\Spencer\Desktop\dss.exe
C:\PROGRA~1\TRENDM~1\HIJACK~1\Spencer.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://us.mg1.mail.yahoo.com/dc/laun...=2dfahiaautco3
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R3 - URLSearchHook: AOLTBSearch Class - {EA756889-2338-43DB-8F07-D1CA6FB9C90D} - C:\Program Files\AOL\AIM Toolbar 5.0\aoltb.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: Skype add-on (mastermind) - {22BF413B-C6D2-4d91-82A9-A0F997BA588C} - C:\PROGRA~1\Skype\Phone\IEPlugin\SKYPEI~1.DLL
O2 - BHO: (no name) - {30BAA4DF-E0AB-4AFD-B6D8-FFAA032D0468} - C:\WINDOWS\system32\fccawwt.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O2 - BHO: (no name) - {84A4F12E-1530-451F-88A1-C23E2A858AE7} - C:\WINDOWS\system32\mljjk.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\2.0.301.7164\swg.dll
O2 - BHO: TrendProtect - {E3578B37-6346-4EC1-A82B-38273A100DCF} - C:\Program Files\Trend Micro\TrendProtect\MSIE\wrs.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O3 - Toolbar: TrendProtect - {F83BE649-1CC3-48EE-B2E2-0826CEF3822A} - C:\Program Files\Trend Micro\TrendProtect\MSIE\wrs.dll
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [ZoneAlarm Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [IntelliPoint] "c:\Program Files\Microsoft IntelliPoint\ipoint.exe"
O4 - HKLM\..\Run: [JMB36X IDE Setup] C:\WINDOWS\JM\JMInsIDE.exe
O4 - HKLM\..\Run: [36X Raid Configurer] C:\WINDOWS\system32\JMRaidSetup.exe boot
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [SkyTel] SkyTel.EXE
O4 - HKLM\..\Run: [Alcmtr] ALCMTR.EXE
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"
O4 - HKLM\..\Run: [WinPatrol] C:\Program Files\BillP Studios\WinPatrol\winpatrol.exe
O4 - HKLM\..\Run: [SnoopFreeUI] SnoopFreeUI.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [WinampAgent] C:\Program Files\Winamp\wianmpa.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [NVIDIA nTune] "C:\Program Files\NVIDIA Corporation\nTune\nTuneCmd.exe" clear
O4 - HKCU\..\Run: [Orb] "C:\Program Files\Winamp Remote\bin\OrbTray.exe" /background
O4 - HKCU\..\Run: [DAEMON Tools] "C:\Program Files\DAEMON Tools\daemon.exe" -lang 1033
O4 - HKCU\..\Run: [AdVantage] "C:\Program Files\AdVantage\AdVantage.exe"
O8 - Extra context menu item: &AOL Toolbar Search - c:\program files\aol\aim toolbar 5.0\resources\en-US\local\search.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: AIM Toolbar - {3369AF0D-62E9-4bda-8103-B4C75499B578} - C:\Program Files\AOL\AIM Toolbar 5.0\aoltb.dll
O9 - Extra button: ATI TV - {44226DFF-747E-4edc-B30C-78752E50CD0C} - C:\Program Files\ATI Multimedia\dtv\EXPLBAR.DLL
O9 - Extra button: Skype - {77BF5300-1474-4EC7-9980-D32B190E9B07} - C:\PROGRA~1\Skype\Phone\IEPlugin\SKYPEI~1.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://a1540.g.akamai.net/7/1540/52/...x/qtplugin.cab
O16 - DPF: {5F8469B4-B055-49DD-83F7-62B522420ECC} (Facebook Photo Uploader Control) - http://upload.facebook.com/controls/...toUploader.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/micr...?1195950977750
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/micr...?1195950962390
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/actives...ree/asinst.cab
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O18 - Protocol: trendprotect - {BC3A5F6F-12A0-4B14-A184-32939F413823} - C:\Program Files\Trend Micro\TrendProtect\MSIE\wrs.dll
O20 - Winlogon Notify: fccawwt - C:\WINDOWS\SYSTEM32\fccawwt.dll
O20 - Winlogon Notify: urqrqqq - urqrqqq.dll (file missing)
O20 - Winlogon Notify: winrvc32 - C:\WINDOWS\SYSTEM32\winrvc32.dll
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: CyberLink Background Capture Service (CBCS) (CLCapSvc) - Unknown owner - C:\Program Files\ATI\Catalyst Media Center\Kernel\TV\CLCapSvc.exe
O23 - Service: CyberLink Task Scheduler (CTS) (CLSched) - Unknown owner - C:\Program Files\ATI\Catalyst Media Center\Kernel\TV\CLSched.exe
O23 - Service: CyberLink Media Library Service - Cyberlink - C:\Program Files\ATI\Catalyst Media Center\Kernel\CLML_NTService\CLMLServer.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: nTune Service (nTuneService) - NVIDIA - C:\Program Files\NVIDIA Corporation\nTune\nTuneService.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Pml Driver - HP - C:\WINDOWS\system32\HPHipm09.exe
O23 - Service: Snoop Free Service (SnoopFreeSvc) - Unknown owner - C:\WINDOWS\System32\SnoopFreeSvc.exe (file missing)
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe

--
End of file - 9519 bytes

-- Files created between 2007-10-24 and 2007-11-24 -----------------------------

2007-11-24 01:26:27 0 d-------- C:\Program Files\Outerinfo
2007-11-24 01:26:27 0 d-------- C:\Documents and Settings\Spencer\Application Data\F?nts
2007-11-24 01:26:26 60928 --a------ C:\WINDOWS\system32\nmdpqq.dll
2007-11-24 01:26:06 15360 --a------ C:\WINDOWS\system32\drvfuzr.dll
2007-11-24 01:26:06 102912 --a------ C:\WINDOWS\system32\drvfuz.dll
2007-11-24 01:26:05 34304 --a------ C:\WINDOWS\system32\fccawwt.dll
2007-11-24 01:26:03 0 d-------- C:\Program Files\klenwler
2007-11-24 01:08:46 0 dr-h----- C:\Documents and Settings\Spencer\Recent
2007-11-24 00:17:07 0 d-------- C:\Documents and Settings\Administrator\Templates
2007-11-24 00:17:07 524288 --ah----- C:\Documents and Settings\Administrator\NTUSER.DAT
2007-11-24 00:17:07 0 d-------- C:\Documents and Settings\Administrator\Local Settings
2007-11-24 00:17:07 0 d-------- C:\Documents and Settings\Administrator\Desktop
2007-11-24 00:17:07 0 d-------- C:\Documents and Settings\Administrator\Cookies
2007-11-24 00:17:07 0 d-------- C:\Documents and Settings\Administrator\Application Data
2007-11-24 00:17:07 0 d-------- C:\Documents and Settings\Administrator\Application Data\Microsoft
2007-11-23 23:52:32 7704576 --a------ C:\Documents and Settings\Spencer\ntuser.dat
2007-11-23 23:52:32 741376 --a------ C:\Documents and Settings\LocalService\ntuser.dat
2007-11-23 23:51:57 434476 --ahs---- C:\WINDOWS\system32\kjjlm.ini2
2007-11-23 23:51:54 331360 --a------ C:\WINDOWS\system32\mljjk.dll
2007-11-23 23:46:31 39424 --a------ C:\WINDOWS\system32\rqrstts.dll
2007-11-23 23:46:29 0 d-------- C:\WINDOWS\system32\tnrtmwuk
2007-11-23 23:46:29 20992 --a------ C:\WINDOWS\avp.exe <Not Verified; MskSoftStudy Corp.; Anti-Virus Project (AVP) spyware removal module>
2007-11-23 23:46:29 0 d-------- C:\Program Files\SecCenter
2007-11-23 23:46:28 15360 --a------ C:\WINDOWS\system32\drvsuvr.dll
2007-11-23 23:46:28 102912 --a------ C:\WINDOWS\system32\drvsuv.dll
2007-11-23 23:46:28 0 d-------- C:\Program Files\MalwareAlarm
2007-11-23 23:46:27 0 d-------- C:\Program Files\Fctghvpc
2007-11-23 23:46:27 106496 --a------ C:\Documents and Settings\All Users\Application Data\ngpibyto.dll
2007-11-23 23:46:25 1149472 --a------ C:\Install
2007-11-23 23:46:24 0 d-------- C:\Program Files\hcrwpwlm
2007-11-23 23:46:23 22528 --a------ C:\WINDOWS\system32\winrvc32.dll
2007-11-23 23:40:43 0 d-------- C:\Documents and Settings\All Users\Application Data\Age of Empires 3
2007-11-23 23:23:49 0 d-------- C:\Program Files\AdVantage
2007-11-23 23:23:05 0 d-------- C:\Program Files\DAEMON Tools
2007-11-23 22:34:13 685816 --a------ C:\WINDOWS\system32\drivers\sptd.sys
2007-10-25 10:19:04 0 d-------- C:\Documents and Settings\All Users\Application Data\OrbNetworks
2007-10-25 10:19:01 0 d-------- C:\Program Files\Winamp Remote
2007-10-25 00:19:42 0 d-------- C:\Documents and Settings\Spencer\Application Data\vlc
2007-10-25 00:18:35 0 d-------- C:\Program Files\VideoLAN
2007-10-25 00:09:17 180224 --a------ C:\WINDOWS\system32\xvidvfw.dll
2007-10-25 00:09:17 0 d-------- C:\Program Files\Xvid


-- Find3M Report ---------------------------------------------------------------

2007-11-24 18:30:34 0 d-------- C:\Program Files\SpywareBlaster
2007-11-24 18:19:48 0 d-------- C:\Program Files\Zune
2007-11-24 18:13:20 0 d-------- C:\Program Files\QuickTime
2007-11-24 18:12:09 0 d-------- C:\Program Files\Microsoft IntelliPoint
2007-11-24 18:12:05 0 d-------- C:\Program Files\MagicISO
2007-11-24 18:11:27 0 d-------- C:\Program Files\Google
2007-11-24 18:05:49 0 d-------- C:\Program Files\ATI Multimedia
2007-11-24 01:27:22 0 d-------- C:\Program Files\Microsoft Games
2007-11-24 01:26:27 0 d-------- C:\Documents and Settings\Spencer\Application Data\F?nts
2007-11-24 01:26:05 0 d-------- C:\Program Files\Common Files
2007-11-24 00:21:52 0 d-------- C:\Documents and Settings\Spencer\Application Data\Azureus
2007-11-23 23:38:47 0 d--h----- C:\Program Files\InstallShield Installation Information
2007-11-23 23:18:19 0 d-------- C:\Program Files\DC++
2007-11-23 13:26:54 0 d-------- C:\Program Files\Steam
2007-11-17 17:10:01 0 d-------- C:\Program Files\Java
2007-11-13 14:30:24 0 d-------- C:\Program Files\AIM6
2007-10-25 10:19:15 0 d-------- C:\Program Files\Winamp
2007-10-24 01:22:35 0 d-------- C:\Documents and Settings\Spencer\Application Data\Skype
2007-10-05 13:00:57 0 d-------- C:\Documents and Settings\Spencer\Application Data\Move Networks
2007-10-04 14:40:34 0 d-------- C:\Program Files\FLAC
2007-09-26 11:43:04 664 --a------ C:\WINDOWS\system32\d3d9caps.dat
2007-08-24 17:44:15 221184 --a------ C:\WINDOWS\SnoopFreeUI.exe <Not Verified; SnoopFree Software; SnoopFree Privacy Shield>
2007-08-24 17:44:15 45056 --a------ C:\WINDOWS\SnoopFreeDll.dll


-- Registry Dump ---------------------------------------------------------------

*Note* empty entries & legit default entries are not shown


[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{30BAA4DF-E0AB-4AFD-B6D8-FFAA032D0468}]
11/24/2007 01:26 AM 34304 --a------ C:\WINDOWS\system32\fccawwt.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{84A4F12E-1530-451F-88A1-C23E2A858AE7}]
11/23/2007 11:51 PM 331360 --a------ C:\WINDOWS\system32\mljjk.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"TkBellExe"="C:\Program Files\Common Files\Real\Update_OB\realsched.exe" [02/13/2007 05:52 PM]
"ZoneAlarm Client"="C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe" [03/09/2007 12:02 AM]
"IntelliPoint"="c:\Program Files\Microsoft IntelliPoint\ipoint.exe" [11/21/2006 04:09 PM]
"JMB36X IDE Setup"="C:\WINDOWS\JM\JMInsIDE.exe" [10/30/2006 10:44 PM]
"36X Raid Configurer"="C:\WINDOWS\system32\JMRaidSetup.exe" [11/16/2006 07:05 PM]
"RTHDCPL"="RTHDCPL.EXE" [11/14/2006 03:21 AM C:\WINDOWS\RTHDCPL.exe]
"SkyTel"="SkyTel.EXE" [05/16/2006 04:04 AM C:\WINDOWS\SkyTel.exe]
"Alcmtr"="ALCMTR.EXE" [05/03/2005 04:43 AM C:\WINDOWS\Alcmtr.exe]
"NvCplDaemon"="C:\WINDOWS\system32\NvCpl.dll" [12/21/2006 10:29 AM]
"nwiz"="nwiz.exe" [12/21/2006 10:29 AM C:\WINDOWS\system32\nwiz.exe]
"NvMediaCenter"="C:\WINDOWS\system32\NvMcTray.dll" [12/21/2006 10:29 AM]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe" [09/25/2007 01:11 AM]
"WinPatrol"="C:\Program Files\BillP Studios\WinPatrol\winpatrol.exe" [08/11/2007 04:48 PM]
"SnoopFreeUI"="SnoopFreeUI.exe" [08/24/2007 05:44 PM C:\WINDOWS\SnoopFreeUI.exe]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [02/16/2007 09:54 AM]
"WinampAgent"="C:\Program Files\Winamp\wianmpa.exe" []

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [08/04/2004 12:56 AM]
"Aim6"="" []
"swg"="C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [04/05/2007 02:05 AM]
"NVIDIA nTune"="C:\Program Files\NVIDIA Corporation\nTune\nTuneCmd.exe" [04/04/2007 01:20 PM]
"Orb"="C:\Program Files\Winamp Remote\bin\OrbTray.exe" [10/22/2007 06:47 PM]
"DAEMON Tools"="C:\Program Files\DAEMON Tools\daemon.exe" [11/17/2007 05:53 AM]
"AdVantage"="C:\Program Files\AdVantage\AdVantage.exe" [06/28/2007 03:19 PM]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
"{30BAA4DF-E0AB-4AFD-B6D8-FFAA032D0468}"= C:\WINDOWS\system32\fccawwt.dll [11/24/2007 01:26 AM 34304]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\fccawwt]
fccawwt.dll 11/24/2007 01:26 AM 34304 C:\WINDOWS\system32\fccawwt.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\urqrqqq]
urqrqqq.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\winrvc32]
winrvc32.dll 11/23/2007 11:46 PM 22528 C:\WINDOWS\system32\winrvc32.dll

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
"Authentication Packages"= msv1_0 C:\WINDOWS\system32\mljjk.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\vds]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{533C5B84-EC70-11D2-9505-00C04F79DEAF}]
@="Volume shadow copy"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Adobe Reader Speed Launch.lnk
backup=C:\WINDOWS\pss\Adobe Reader Speed Launch.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Synchronizer.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Adobe Reader Synchronizer.lnk
backup=C:\WINDOWS\pss\Adobe Reader Synchronizer.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^Spencer^Start Menu^Programs^Startup^Adobe Gamma.lnk]
path=C:\Documents and Settings\Spencer\Start Menu\Programs\Startup\Adobe Gamma.lnk
backup=C:\WINDOWS\pss\Adobe Gamma.lnkStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^Spencer^Start Menu^Programs^Startup^OpenOffice.org 2.2.lnk]
path=C:\Documents and Settings\Spencer\Start Menu\Programs\Startup\OpenOffice.org 2.2.lnk
backup=C:\WINDOWS\pss\OpenOffice.org 2.2.lnkStartup


[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Aim6]
"C:\Program Files\AIM6\aim6.exe" /d locale=en-US ee://aol/imApp

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ATI DeviceDetect]
C:\Program Files\ATI Multimedia\main\ATIDtct.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ATI Launchpad]
"C:\Program Files\ATI Multimedia\main\launchpd.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ATIPTA]
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\CMCService]
"C:\Program Files\ATI\Catalyst Media Center\CMCService.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HPDJ Taskbar Utility]
C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb04.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HPHmon03]
C:\WINDOWS\system32\hphmon03.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
"C:\Program Files\iTunes\iTunesHelper.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
"C:\Program Files\Messenger\MSMSGS.EXE" /background

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PWRISOVM.EXE]
C:\Program Files\PowerISO\PWRISOVM.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
"C:\Program Files\QuickTime\qttask.exe" -atboottime

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Skype]
"C:\Program Files\Skype\Phone\Skype.exe" /nosplash /minimized

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\StartCCC]
C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Steam]
"C:\Program Files\Steam\Steam.exe" -silent

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\swg]
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Zune Launcher]
"C:\Program Files\Zune\ZuneLauncher.exe"


[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{eed67790-0397-11dc-9e6b-806d6172696f}]
AutoRun\command- D:\Run.exe




-- End of Deckard's System Scanner: finished at 2007-11-24 19:00:01 ------------

I did not receive an extra.txt file upon completion of the program.

Thanks in advance for all your help.
CiD sucks is offline  
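Added here as an example, not code from the thread or from any of the tools it mentions: a small triage script over lines in HijackThis log format that flags the kinds of entries in the log above which a helper would act on, namely nameless O2 BHOs, non-default O20 Winlogon Notify packages (loaded into winlogon.exe at every logon), and registrations that point at files which no longer exist. The sample lines are constructed from the first post's log; the "random-looking name" rule is a heuristic tied to this thread's file names, not a general malware test.

```python
import re
from dataclasses import dataclass
from typing import Iterable, List, Optional, Set, Tuple

# Constructed sample in HijackThis 2.0.2 log format. Entries are copied from
# the log in the first post, suspect and benign alike, so the rules below can
# be checked against what the helpers actually looked at.
SAMPLE_LOG = r"""
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {30BAA4DF-E0AB-4AFD-B6D8-FFAA032D0468} - C:\WINDOWS\system32\fccawwt.dll
O2 - BHO: (no name) - {84A4F12E-1530-451F-88A1-C23E2A858AE7} - C:\WINDOWS\system32\mljjk.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O4 - HKLM\..\Run: [ZoneAlarm Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O20 - Winlogon Notify: fccawwt - C:\WINDOWS\SYSTEM32\fccawwt.dll
O20 - Winlogon Notify: urqrqqq - urqrqqq.dll (file missing)
O20 - Winlogon Notify: winrvc32 - C:\WINDOWS\SYSTEM32\winrvc32.dll
O23 - Service: Snoop Free Service (SnoopFreeSvc) - Unknown owner - C:\WINDOWS\System32\SnoopFreeSvc.exe (file missing)
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe
"""

LINE_RE = re.compile(r"^(?P<section>[RO]\d+) - (?P<body>.+)$")
MISSING = "(file missing)"
# 5-8 lowercase letters and nothing else: the naming pattern of the dropped
# DLLs in this thread (fccawwt, mljjk, urqrqqq). A heuristic, not proof.
RANDOM_STEM = re.compile(r"^[a-z]{5,8}$")


@dataclass(frozen=True)
class Finding:
    severity: str   # "high" = loads and runs now, "medium" = orphaned registration
    section: str    # HJT section tag, e.g. "O20"
    target: str     # lower-cased file name the entry points at
    reason: str


def file_name(path: str) -> str:
    """Last path component, without the '(file missing)' suffix HJT appends."""
    path = path.replace(MISSING, "").strip().strip('"')
    return path.rsplit("\\", 1)[-1].lower()


def looks_random(target: str) -> bool:
    stem = target.rsplit(".", 1)[0]
    return RANDOM_STEM.match(stem) is not None


def triage_line(line: str) -> Optional[Finding]:
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    section, body = m.group("section"), m.group("body")
    missing = MISSING in body

    if section == "O2" and body.startswith("BHO:"):
        # "O2 - BHO: <display name> - {CLSID} - <path>"
        name, _clsid, path = (p.strip() for p in body[4:].split(" - ", 2))
        target = file_name(path)
        if name != "(no name)":
            return None
        why = "BHO registered without a display name"
        if looks_random(target):
            why += ", random-looking file name"
        return Finding("high", section, target, why)

    if section == "O20" and body.startswith("Winlogon Notify:"):
        # "O20 - Winlogon Notify: <key> - <path>"; these DLLs are loaded by
        # winlogon.exe at every logon, so anything unrecognised matters.
        _key, path = (p.strip() for p in body[len("Winlogon Notify:"):].split(" - ", 1))
        target = file_name(path)
        if missing:
            return Finding("medium", section, target, "orphaned Winlogon Notify registration")
        why = "non-default Winlogon Notify package"
        if looks_random(target):
            why += ", random-looking file name"
        return Finding("high", section, target, why)

    if section == "O23" and missing:
        # "O23 - Service: <name> - <company> - <path>"
        path = body.rsplit(" - ", 1)[-1]
        return Finding("medium", section, file_name(path), "service points at a file that no longer exists")

    return None


def triage(lines: Iterable[str]) -> List[Finding]:
    return [f for f in (triage_line(line) for line in lines) if f is not None]


def flagged(lines: Iterable[str], severity: str) -> Set[Tuple[str, str]]:
    return {(f.section, f.target) for f in triage(lines) if f.severity == severity}


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG.splitlines()):
        print(f"{f.severity:6} {f.section:4} {f.target:20} {f.reason}")
```

Run against the full first-post log it reproduces the helper's conclusion: the two nameless BHOs and the three Winlogon Notify packages are the entries that need removal, and the orphaned ones still need their registry keys cleaned.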

Old 11-25-2007, 03:10 PM   #2 (permalink)
Registered User
 
Join Date: Aug 2007
Posts: 15
OS: xp


Re: Unwanted Sys 32 files

Just an update: In addition to the problem-causing .dll files from yesterday, today there are new things such as njoojktj.dll in my System 32 and re-appearing icons on my desktop claiming to be a security center, and a bubble popup from my tray that prompts me to click it to install anti-virus software.
CiD sucks is offline  
Old 11-30-2007, 10:51 AM   #3 (permalink)
Manager, Security Center, TSF Academy; Analyst, Security Team
 
tetonbob's Avatar
 
Join Date: Jan 2005
Location: Transylvania County, North Carolina, USA
Posts: 35,559
OS: 2000 Pro; XP Pro; XP Home


Re: Unwanted Sys 32 files

Is this the same machine we cleaned in August?
__________________
Practice Safe Surfing
Because what you don't know, CAN hurt you.
Proud Member of ASAP since 2005
Proud Member of UNITE since 2006

Microsoft MVP - Consumer Security 2009
tetonbob is offline  
Old 11-30-2007, 05:31 PM   #4 (permalink)
Registered User
 
Join Date: Aug 2007
Posts: 15
OS: xp


Re: Unwanted Sys 32 files

Yes it is. I was able to delete the virus completely (or at least as far as I know) but there are still some problems on my computer and I am not sure if they are virus related.
CiD sucks is offline  
Old 11-30-2007, 06:05 PM   #5 (permalink)
Manager, Security Center, TSF Academy; Analyst, Security Team
 
tetonbob's Avatar
 
Join Date: Jan 2005
Location: Transylvania County, North Carolina, USA
Posts: 35,559
OS: 2000 Pro; XP Pro; XP Home


Re: Unwanted Sys 32 files

Well, for some reason, you no longer have an AntiVirus program on your machine. I know TheBruce1 spent some time clearing up your machine in August, had you install an AntiVirus program, and gave you other prevention instructions.

Why do you no longer have an AntiVirus program?

Without one, if the machine is connected to the outside world at all, whether through the internet or sharing files with someone via flash drive, it will continue to become infected.

According to your log posted above, you're infected.

I see no evidence of an AntiVirus program on your system. This must be resolved. Connecting to the Internet without antivirus protection is a "Welcome" doormat for malware. It can take as little as eight seconds to infect an unprotected computer.

Install this FREE AntiVirus program, update it, and run a full system scan.

Avira PersonalEdition Classic

Here is a tutorial on its setup and use:

http://www.techsupportforum.com/cont...ticles/64.html

Do not install more than one antivirus program because they will conflict with each other. It is imperative that you update your antivirus software at least once a week (even more if you wish). If you do not update your antivirus software then it will not be able to catch new malware that may have come out.

---------------------------------------------------------------------------------------------

Once you've done that....

Please run Deckard's System Scanner once again, this time using these instructions:

Click the Windows 'Start' button > Select 'Run' - then copy/paste this into the run box & click OK
"%userprofile%\desktop\dss.exe" /config
Click on "Check All"

Click Scan!

When finished, it shall produce two logs for you. Post those logs in your next reply.
__________________
Practice Safe Surfing
Because what you don't know, CAN hurt you.
Proud Member of ASAP since 2005
Proud Member of UNITE since 2006

Microsoft MVP - Consumer Security 2009
tetonbob is offline  
Old 12-01-2007, 06:45 PM   #6 (permalink)
Registered User
 
Join Date: Aug 2007
Posts: 15
OS: xp


Re: Unwanted Sys 32 files

The "something wrong" from earlier continues despite my efforts: when I click on the start menu and click any icon, it freezes the start menu, it's always on top, and it usually fails to launch that application; and in IE, when I click on an arrow to get a scroll menu of options, it freezes IE and closes.

Deckard's System Scanner v20070819.64
Run by Spencer on 2007-12-01 00:38:37
Computer is in Safe Mode.
--------------------------------------------------------------------------------

-- System Restore --------------------------------------------------------------

Failed to create restore point; computer is in safe mode.


-- Last 5 Restore Point(s) --
6: 2007-12-01 06:19:05 UTC - RP6 - Installed Age of Empires III
5: 2007-12-01 05:33:28 UTC - RP5 - AntiVir PersonalEdition Classic - 11/30/2007 23:33
4: 2007-12-01 05:19:33 UTC - RP4 - System Checkpoint
3: 2007-11-29 20:02:45 UTC - RP3 - System Checkpoint
2: 2007-11-28 19:15:51 UTC - RP2 - Installed Age of Empires III


-- First Restore Point --
1: 2007-11-27 23:59:11 UTC - RP1 - System Checkpoint


Backed up registry hives.
Performed disk cleanup.



-- HijackThis (run as Spencer.exe) ---------------------------------------------

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 12:39:38 AM, on 12/1/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16544)
Boot mode: Safe mode

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Documents and Settings\Spencer\desktop\t('-'t)\Stuff\dss.exe
C:\PROGRA~1\TRENDM~1\HIJACK~1\Spencer.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://us.mg1.mail.yahoo.com/dc/laun...=2dfahiaautco3
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R3 - URLSearchHook: AOLTBSearch Class - {EA756889-2338-43DB-8F07-D1CA6FB9C90D} - C:\Program Files\AOL\AIM Toolbar 5.0\aoltb.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\2.0.301.7164\swg.dll
O2 - BHO: TrendProtect - {E3578B37-6346-4EC1-A82B-38273A100DCF} - C:\Program Files\Trend Micro\TrendProtect\MSIE\wrs.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O3 - Toolbar: TrendProtect - {F83BE649-1CC3-48EE-B2E2-0826CEF3822A} - C:\Program Files\Trend Micro\TrendProtect\MSIE\wrs.dll
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [ZoneAlarm Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [IntelliPoint] "c:\Program Files\Microsoft IntelliPoint\ipoint.exe"
O4 - HKLM\..\Run: [JMB36X IDE Setup] C:\WINDOWS\JM\JMInsIDE.exe
O4 - HKLM\..\Run: [36X Raid Configurer] C:\WINDOWS\system32\JMRaidSetup.exe boot
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [SkyTel] SkyTel.EXE
O4 - HKLM\..\Run: [Alcmtr] ALCMTR.EXE
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"
O4 - HKLM\..\Run: [WinPatrol] C:\Program Files\BillP Studios\WinPatrol\winpatrol.exe
O4 - HKLM\..\Run: [WinampAgent] C:\Program Files\Winamp\wianmpa.exe
O4 - HKLM\..\Run: [avgnt] "C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe" /min
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [NVIDIA nTune] "C:\Program Files\NVIDIA Corporation\nTune\nTuneCmd.exe" clear
O8 - Extra context menu item: &AOL Toolbar Search - c:\program files\aol\aim toolbar 5.0\resources\en-US\local\search.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: ATI TV - {44226DFF-747E-4edc-B30C-78752E50CD0C} - C:\Program Files\ATI Multimedia\dtv\EXPLBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://a1540.g.akamai.net/7/1540/52/...x/qtplugin.cab
O16 - DPF: {5F8469B4-B055-49DD-83F7-62B522420ECC} (Facebook Photo Uploader Control) - http://upload.facebook.com/controls/...toUploader.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/micr...?1195950977750
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/micr...?1195950962390
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/actives...ree/asinst.cab
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O18 - Protocol: trendprotect - {BC3A5F6F-12A0-4B14-A184-32939F413823} - C:\Program Files\Trend Micro\TrendProtect\MSIE\wrs.dll
O20 - Winlogon Notify: fccawwt - fccawwt.dll (file missing)
O20 - Winlogon Notify: gebcdaa - gebcdaa.dll (file missing)
O20 - Winlogon Notify: njoojktj - njoojktj.dll (file missing)
O20 - Winlogon Notify: urqrqqq - urqrqqq.dll (file missing)
O20 - Winlogon Notify: winrvc32 - C:\WINDOWS\SYSTEM32\winrvc32.dll
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: AntiVir PersonalEdition Classic Scheduler (AntiVirScheduler) - Avira GmbH - C:\Program Files\Avira\AntiVir PersonalEdition Classic\sched.exe
O23 - Service: AntiVir PersonalEdition Classic Guard (AntiVirService) - Avira GmbH - C:\Program Files\Avira\AntiVir PersonalEdition Classic\avguard.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: CyberLink Background Capture Service (CBCS) (CLCapSvc) - Unknown owner - C:\Program Files\ATI\Catalyst Media Center\Kernel\TV\CLCapSvc.exe
O23 - Service: CyberLink Task Scheduler (CTS) (CLSched) - Unknown owner - C:\Program Files\ATI\Catalyst Media Center\Kernel\TV\CLSched.exe
O23 - Service: CyberLink Media Library Service - Cyberlink - C:\Program Files\ATI\Catalyst Media Center\Kernel\CLML_NTService\CLMLServer.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: nTune Service (nTuneService) - NVIDIA - C:\Program Files\NVIDIA Corporation\nTune\nTuneService.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Pml Driver - HP - C:\WINDOWS\system32\HPHipm09.exe
O23 - Service: Snoop Free Service (SnoopFreeSvc) - Unknown owner - C:\WINDOWS\System32\SnoopFreeSvc.exe (file missing)
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe

--
End of file - 7548 bytes

-- HijackThis Fixed Entries (C:\PROGRA~1\TRENDM~1\HIJACK~1\backups\) -----------

backup-20070823-124539-984 O4 - HKCU\..\Run: [ball mix] C:\DOCUME~1\Spencer\APPLIC~1\PROGRA~1\Antithat.exe

-- File Associations -----------------------------------------------------------

All associations okay.


-- Drivers: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled ---------------------

R0 SnoopFree (SnoopFree Driver) - c:\windows\system32\drivers\snopfree.sys
R3 mcdbus (Driver for MagicISO SCSI Host Controller) - c:\windows\system32\drivers\mcdbus.sys <Not Verified; MagicISO, Inc.; MagicISO SCSI Host Controller>

S1 ATITool (ATITool Overclocking Utility) - c:\windows\system32\drivers\atitool.sys <Not Verified; ; Low-Level Driver>
S3 ENTECH - c:\windows\system32\drivers\entech.sys <Not Verified; EnTech Taiwan; PowerStrip>
S3 NVR0Dev - c:\windows\nvoclock.sys <Not Verified; NVidia Corp.; NVidia System Utility Driver>


-- Services: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled --------------------

S2 AntiVirScheduler (AntiVir PersonalEdition Classic Scheduler) - "c:\program files\avira\antivir personaledition classic\sched.exe" <Not Verified; Avira GmbH; Scheduler>
S2 CLCapSvc (CyberLink Background Capture Service (CBCS)) - "c:\program files\ati\catalyst media center\kernel\tv\clcapsvc.exe" <Not Verified; ; CLCapSvc Module>
S2 CLSched (CyberLink Task Scheduler (CTS)) - "c:\program files\ati\catalyst media center\kernel\tv\clsched.exe" <Not Verified; ; CLSched Module>
S2 CyberLink Media Library Service - "c:\program files\ati\catalyst media center\kernel\clml_ntservice\clmlserver.exe" <Not Verified; Cyberlink; Cyberlink Media Library Server>
S2 nTuneService (nTune Service) - c:\program files\nvidia corporation\ntune\ntuneservice.exe /startservice <Not Verified; NVIDIA; NVIDIA nTune>
S2 SnoopFreeSvc (Snoop Free Service) - system32\snoopfreesvc.exe (file missing)
S4 DomainService - c:\windows\system32\syiwmsdp.exe /service <Not Verified; ; DDC>


-- Device Manager: Disabled ----------------------------------------------------

No disabled devices found.


-- Process Modules -------------------------------------------------------------

C:\WINDOWS\system32\winlogon.exe (pid 296)
2007-11-23 23:46:23 22528 --a------ C:\WINDOWS\system32\winrvc32.dll

C:\WINDOWS\explorer.exe (pid 1104)
2006-09-28 08:13:28 73728 --a------ C:\Program Files\GRISOFT\AVG Anti-Spyware 7.5\shellexecutehook.dll <Not Verified; Anti-Malware Development a.s.; AVG Anti-Spyware>
2007-02-09 16:17:44 339968 --a------ C:\Program Files\OpenOffice.org 2.2\program\shlxthdl.dll <Not Verified; Sun Microsystems, Inc.; >
2007-03-01 12:37:56 98304 --a------ C:\Program Files\OpenOffice.org 2.2\program\uwinapi.dll <Not Verified; Sun Microsystems, Inc.; >
2007-01-10 08:04:06 577536 --a------ C:\Program Files\OpenOffice.org 2.2\program\stlport_vc7145.dll <Not Verified; STLport Consulting, Inc.; STLport Standard ANSI C++ Libarary>


-- Scheduled Tasks -------------------------------------------------------------

2007-05-06 22:04:13 294 --ah----- C:\WINDOWS\Tasks\Microsoft_Hardware_Launch_IPoint_exe.job


-- Files created between 2007-11-01 and 2007-12-01 -----------------------------

2007-11-30 23:33:42 0 d-------- C:\Program Files\Avira
2007-11-30 23:33:42 0 d-------- C:\Documents and Settings\All Users\Application Data\Avira
2007-11-28 13:18:50 92544 --a------ C:\WINDOWS\system32\drivers\mcdbus.sys <Not Verified; MagicISO, Inc.; MagicISO SCSI Host Controller>
2007-11-28 13:18:49 0 d-------- C:\Program Files\MagicDisc
2007-11-27 16:04:13 0 dr-h----- C:\Documents and Settings\Spencer\Recent
2007-11-27 00:08:47 2 --a------ C:\WINDOWS\system32\wnsinticomsv32.exe
2007-11-27 00:08:45 60928 --a------ C:\WINDOWS\system32\wvsxpwlv.dll
2007-11-27 00:08:32 15360 --a------ C:\WINDOWS\system32\drvloxr.dll
2007-11-27 00:08:32 102912 --a------ C:\WINDOWS\system32\drvlox.dll
2007-11-26 19:29:50 11776 --a------ C:\WINDOWS\mgrs.exe
2007-11-26 19:28:50 0 d-------- C:\WINDOWS\system32\tpcwdoia
2007-11-26 19:28:48 15360 --a------ C:\WINDOWS\system32\drvdifr.dll
2007-11-26 19:28:48 110592 --a------ C:\Documents and Settings\All Users\Application Data\yjonwjkr.dll
2007-11-26 19:28:46 34304 --a------ C:\WINDOWS\system32\tuvvtts.dll
2007-11-26 13:37:15 85056 --a------ C:\WINDOWS\system32\njjdfjpk.dll
2007-11-26 13:29:17 85056 --a------ C:\WINDOWS\system32\uggtfeih.dll
2007-11-26 10:43:31 4672 --a------ C:\WINDOWS\system32\pvepettt.exe
2007-11-26 10:43:31 85056 --a------ C:\WINDOWS\system32\mneawdpe.dll
2007-11-26 10:40:31 80960 --a------ C:\WINDOWS\system32\mybeipai.dll
2007-11-26 10:37:48 71232 --a------ C:\WINDOWS\system32\smqcjbdy.exe <Not Verified; ; DDC>
2007-11-25 15:44:57 85056 --a------ C:\WINDOWS\system32\omwkrjkr.dll
2007-11-25 15:32:51 85056 --a------ C:\WINDOWS\system32\yyixwqju.dll
2007-11-25 01:07:52 85056 --a------ C:\WINDOWS\system32\klvaggcw.dll
2007-11-24 23:52:22 85056 --a------ C:\WINDOWS\system32\qruprohs.dll
2007-11-24 23:52:21 79936 --a------ C:\WINDOWS\system32\nccoqysp.dll
2007-11-24 23:52:18 71232 --a------ C:\WINDOWS\system32\syiwmsdp.exe <Not Verified; ; DDC>
2007-11-24 01:26:06 15360 --a------ C:\WINDOWS\system32\drvfuzr.dll
2007-11-24 01:26:06 102912 --a------ C:\WINDOWS\system32\drvfuz.dll
2007-11-24 00:17:07 0 d-------- C:\Documents and Settings\Administrator\Templates
2007-11-24 00:17:07 524288 --ah----- C:\Documents and Settings\Administrator\NTUSER.DAT
2007-11-24 00:17:07 0 d-------- C:\Documents and Settings\Administrator\Local Settings
2007-11-24 00:17:07 0 d-------- C:\Documents and Settings\Administrator\Desktop
2007-11-24 00:17:07 0 d-------- C:\Documents and Settings\Administrator\Cookies
2007-11-24 00:17:07 0 d-------- C:\Documents and Settings\Administrator\Application Data
2007-11-24 00:17:07 0 d-------- C:\Documents and Settings\Administrator\Application Data\Microsoft
2007-11-23 23:52:32 7704576 --a------ C:\Documents and Settings\Spencer\ntuser.dat
2007-11-23 23:52:32 741376 --a------ C:\Documents and Settings\LocalService\ntuser.dat
2007-11-23 23:51:57 442563 --ahs---- C:\WINDOWS\system32\kjjlm.ini2
2007-11-23 23:46:31 39424 --a------ C:\WINDOWS\system32\rqrstts.dll
2007-11-23 23:46:29 0 d-------- C:\WINDOWS\system32\tnrtmwuk
2007-11-23 23:46:29 20992 --a------ C:\WINDOWS\avp.exe <Not Verified; MskSoftStudy Corp.; Anti-Virus Project (AVP) spyware removal module>
2007-11-23 23:46:28 15360 --a------ C:\WINDOWS\system32\drvsuvr.dll
2007-11-23 23:46:28 102912 --a------ C:\WINDOWS\system32\drvsuv.dll
2007-11-23 23:46:27 106496 --a------ C:\Documents and Settings\All Users\Application Data\ngpibyto.dll
2007-11-23 23:46:25 1149472 --a------ C:\Install
2007-11-23 23:46:23 22528 --a------ C:\WINDOWS\system32\winrvc32.dll
2007-11-23 23:40:43 0 d-------- C:\Documents and Settings\All Users\Application Data\Age of Empires 3
2007-11-23 23:23:05 0 d-------- C:\Program Files\DAEMON Tools
2007-11-23 22:34:13 685816 --a------ C:\WINDOWS\system32\drivers\sptd.sys


-- Find3M Report ---------------------------------------------------------------

2007-12-01 00:00:52 0 d-------- C:\Documents and Settings\Spencer\Application Data\Azureus
2007-11-30 18:50:12 0 d-------- C:\Program Files\Steam
2007-11-29 00:34:42 0 d-------- C:\Program Files\DC++
2007-11-27 16:31:31 0 d-------- C:\Program Files\Winamp
2007-11-27 15:57:01 0 d-------- C:\Program Files\Winamp Remote
2007-11-27 15:54:08 0 d-------- C:\Program Files\Common Files
2007-11-25 1715 0 d--h----- C:\Program Files\InstallShield Installation Information
2007-11-24 18:30:34 0 d-------- C:\Program Files\SpywareBlaster
2007-11-24 18:19:48 0 d-------- C:\Program Files\Zune
2007-11-24 18:13:20 0 d-------- C:\Program Files\QuickTime
2007-11-24 18:12:09 0 d-------- C:\Program Files\Microsoft IntelliPoint
2007-11-24 18:12:05 0 d-------- C:\Program Files\MagicISO
2007-11-24 18:11:27 0 d-------- C:\Program Files\Google
2007-11-24 18:05:49 0 d-------- C:\Program Files\ATI Multimedia
2007-11-24 01:27:22 0 d-------- C:\Program Files\Microsoft Games
2007-11-17 17:10:01 0 d-------- C:\Program Files\Java
2007-11-13 14:30:24 0 d-------- C:\Program Files\AIM6
2007-10-25 00:19:42 0 d-------- C:\Documents and Settings\Spencer\Application Data\vlc
2007-10-25 00:18:35 0 d-------- C:\Program Files\VideoLAN
2007-10-25 00:09:49 0 d-------- C:\Program Files\Xvid
2007-10-24 01:22:35 0 d-------- C:\Documents and Settings\Spencer\Application Data\Skype
2007-10-05 13:00:57 0 d-------- C:\Documents and Settings\Spencer\Application Data\Move Networks
2007-10-04 14:40:34 0 d-------- C:\Program Files\FLAC
2007-09-26 11:43:04 664 --a------ C:\WINDOWS\system32\d3d9caps.dat


-- Registry Dump ---------------------------------------------------------------

*Note* empty entries & legit default entries are not shown


[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"TkBellExe"="C:\Program Files\Common Files\Real\Update_OB\realsched.exe" [02/13/2007 05:52 PM]
"ZoneAlarm Client"="C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe" [03/09/2007 12:02 AM]
"IntelliPoint"="c:\Program Files\Microsoft IntelliPoint\ipoint.exe" [11/21/2006 04:09 PM]
"JMB36X IDE Setup"="C:\WINDOWS\JM\JMInsIDE.exe" []
"36X Raid Configurer"="C:\WINDOWS\system32\JMRaidSetup.exe" [11/16/2006 07:05 PM]
"RTHDCPL"="RTHDCPL.EXE" [11/14/2006 03:21 AM C:\WINDOWS\RTHDCPL.exe]
"SkyTel"="SkyTel.EXE" [05/16/2006 04:04 AM C:\WINDOWS\SkyTel.exe]
"Alcmtr"="ALCMTR.EXE" [05/03/2005 04:43 AM C:\WINDOWS\Alcmtr.exe]
"NvCplDaemon"="C:\WINDOWS\system32\NvCpl.dll" [12/21/2006 10:29 AM]
"NvMediaCenter"="C:\WINDOWS\system32\NvMcTray.dll" [12/21/2006 10:29 AM]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe" [09/25/2007 01:11 AM]
"WinPatrol"="C:\Program Files\BillP Studios\WinPatrol\winpatrol.exe" [08/11/2007 04:48 PM]
"WinampAgent"="C:\Program Files\Winamp\wianmpa.exe" []
"avgnt"="C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe" [11/30/2007 11:36 PM]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [08/04/2004 12:56 AM]
"Aim6"="" []
"swg"="C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [04/05/2007 02:05 AM]
"NVIDIA nTune"="C:\Program Files\NVIDIA Corporation\nTune\nTuneCmd.exe" [04/04/2007 01:20 PM]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
"{30BAA4DF-E0AB-4AFD-B6D8-FFAA032D0468}"= C:\WINDOWS\system32\gebcdaa.dll [ ]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\fccawwt]
fccawwt.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\gebcdaa]
gebcdaa.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\njoojktj]
njoojktj.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\urqrqqq]
urqrqqq.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\winrvc32]
winrvc32.dll 11/23/2007 11:46 PM 22528 C:\WINDOWS\system32\winrvc32.dll

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
"Authentication Packages"= msv1_0 C:\WINDOWS\system32\mljjk.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\vds]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{533C5B84-EC70-11D2-9505-00C04F79DEAF}]
@="Volume shadow copy"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Adobe Reader Speed Launch.lnk
backup=C:\WINDOWS\pss\Adobe Reader Speed Launch.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Synchronizer.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Adobe Reader Synchronizer.lnk
backup=C:\WINDOWS\pss\Adobe Reader Synchronizer.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^Spencer^Start Menu^Programs^Startup^Adobe Gamma.lnk]
path=C:\Documents and Settings\Spencer\Start Menu\Programs\Startup\Adobe Gamma.lnk
backup=C:\WINDOWS\pss\Adobe Gamma.lnkStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^Spencer^Start Menu^Programs^Startup^OpenOffice.org 2.2.lnk]
path=C:\Documents and Settings\Spencer\Start Menu\Programs\Startup\OpenOffice.org 2.2.lnk
backup=C:\WINDOWS\pss\OpenOffice.org 2.2.lnkStartup


[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Aim6]
"C:\Program Files\AIM6\aim6.exe" /d locale=en-US ee://aol/imApp

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ATI DeviceDetect]
C:\Program Files\ATI Multimedia\main\ATIDtct.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ATI Launchpad]
"C:\Program Files\ATI Multimedia\main\launchpd.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ATIPTA]
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\CMCService]
"C:\Program Files\ATI\Catalyst Media Center\CMCService.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HPDJ Taskbar Utility]
C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb04.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HPHmon03]
C:\WINDOWS\system32\hphmon03.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
"C:\Program Files\iTunes\iTunesHelper.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
"C:\Program Files\Messenger\MSMSGS.EXE" /background

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PWRISOVM.EXE]
C:\Program Files\PowerISO\PWRISOVM.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
"C:\Program Files\QuickTime\qttask.exe" -atboottime

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Skype]
"C:\Program Files\Skype\Phone\Skype.exe" /nosplash /minimized

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\StartCCC]
C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Steam]
"C:\Program Files\Steam\Steam.exe" -silent

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\swg]
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Zune Launcher]
"C:\Program Files\Zune\ZuneLauncher.exe"


[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{eed67790-0397-11dc-9e6b-806d6172696f}]
AutoRun\command- D:\Run.exe




-- Hosts -----------------------------------------------------------------------

127.0.0.1 ad.a8.net
127.0.0.1 asy.a8ww.net
127.0.0.1 www.aaa-livedoor.net #[Trojan-PSW.Win32.Maran.ei]
127.0.0.1 www.abcsearcher.com #[Spamdexing][Microsoft.Strider]
127.0.0.1 abc-search.info
127.0.0.1 abloga.info #[Spamdexing]
127.0.0.1 www.abx4.com #[Adware.ABXToolbar]
127.0.0.1 acezip.net #[SiteAdvisor.acezip.net]
127.0.0.1 www.acezip.net #[Win32/Adware.180Solutions]
127.0.0.1 phpadsnew.abac.com

16420 more entries in hosts file.


-- End of Deckard's System Scanner: finished at 2007-12-01 00:40:15 ------------
Attached Files
File Type: txt main.txt (24.2 KB, 1 views)
File Type: txt extra.txt (17.4 KB, 1 views)

Last edited by tetonbob; 12-01-2007 at 06:56 PM.
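The entries a helper reads first in the log above are the O20 Winlogon Notify DLLs (several now orphaned, one still present as winrvc32.dll), the extra LSA Authentication Package mljjk.dll, the ShellExecuteHooks DLL gebcdaa.dll, the hidden+system file kjjlm.ini2 in system32, and the mountpoints2 autorun. As an added example (not a tool from this thread or from HijackThis), here is a small Python triage pass that applies those location rules to such lines; the sample input is constructed from lines quoted in the posted log, and the rules are my own assumptions about what is worth a second look.

```python
"""Rule-based triage of HijackThis / Deckard's System Scanner log lines.

Added example, not a tool from the thread. It applies a few persistence-location
rules to the posted log format and returns the hits as structured findings.
"""
import re
from dataclasses import dataclass
from typing import List

# Constructed sample, assembled from lines quoted in the log above.
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [ZoneAlarm Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O20 - Winlogon Notify: fccawwt - fccawwt.dll (file missing)
O20 - Winlogon Notify: winrvc32 - C:\WINDOWS\SYSTEM32\winrvc32.dll
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe
2007-11-23 23:51:57 442563 --ahs---- C:\WINDOWS\system32\kjjlm.ini2
2007-11-23 23:46:23 22528 --a------ C:\WINDOWS\system32\winrvc32.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
"{30BAA4DF-E0AB-4AFD-B6D8-FFAA032D0468}"= C:\WINDOWS\system32\gebcdaa.dll [ ]

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
"Authentication Packages"= msv1_0 C:\WINDOWS\system32\mljjk.dll

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{eed67790-0397-11dc-9e6b-806d6172696f}]
AutoRun\command- D:\Run.exe
"""


@dataclass
class Finding:
    rule: str    # which rule fired
    detail: str  # human-readable explanation
    line: str    # the log line that triggered it


# HJT O20 line: name, target, optional "(file missing)" suffix.
WINLOGON_NOTIFY = re.compile(r"^O20 - Winlogon Notify: (\S+) - (.+?)(?: \(file missing\))?$")
# DSS file line: timestamp, size, 9-char attribute string, path.
DSS_FILE = re.compile(r"^(\d{4}-\d\d-\d\d \d\d:\d\d:\d\d) (\d+) ([-a-z]{9}) (.+)$")
# Registry dump: [KEY] headers and "name"= data value lines.
REG_KEY = re.compile(r"^\[(HKEY_[^\]]+)\]$")
REG_VALUE = re.compile(r'^"([^"]+)"=\s*(.*)$')


def triage(log_text: str) -> List[Finding]:
    """Return findings for persistence locations worth a second look."""
    findings: List[Finding] = []
    current_key = ""  # lower-cased registry key the following value lines belong to
    for raw in log_text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = REG_KEY.match(line)
        if m:
            current_key = m.group(1).lower()
            continue
        m = WINLOGON_NOTIFY.match(line)
        if m:
            # HJT only lists non-default notify packages, so every O20 entry is reported;
            # an orphaned key still needs removing even though its DLL is gone.
            name, target = m.groups()
            state = ("orphaned key (file missing)" if line.endswith("(file missing)")
                     else "DLL present at " + target)
            findings.append(Finding("winlogon-notify", name + ": " + state, line))
            continue
        m = REG_VALUE.match(line)
        if m:
            value, data = m.groups()
            if current_key.endswith(r"\control\lsa") and value == "Authentication Packages":
                # msv1_0 is the stock package; anything else is loaded into lsass.exe.
                for pkg in (p for p in data.split() if p.lower() != "msv1_0"):
                    findings.append(Finding("lsa-auth-package", "extra package " + pkg, line))
            elif current_key.endswith(r"\shellexecutehooks"):
                # Assumption: the only hook expected by default lives in shell32.dll.
                dll = data.split()[0] if data.split() else ""
                if not dll.lower().endswith("shell32.dll"):
                    findings.append(Finding("shell-execute-hook", value + " -> " + dll, line))
            continue
        if "\\mountpoints2\\" in current_key and line.lower().startswith("autorun\\command"):
            # Autorun command recorded for a removable volume.
            command = line.split("-", 1)[1].strip()
            findings.append(Finding("removable-autorun", command, line))
            continue
        m = DSS_FILE.match(line)
        if m:
            _, size, attrs, path = m.groups()
            # Hidden + system attributes on a fresh file under system32 is unusual.
            if "h" in attrs and "s" in attrs and "\\system32\\" in path.lower():
                findings.append(Finding("hidden-system-file",
                                        f"{path} ({size} bytes, attrs {attrs})", line))
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"[{f.rule}] {f.detail}")
```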
Old 12-01-2007, 06:59 PM   #7 (permalink)
Manager, Security Center, TSF Academy; Analyst, Security Team
 
 
Join Date: Jan 2005
Location: Transylvania County, North Carolina, USA
Posts: 35,559
OS: 2000 Pro; XP Pro; XP Home


Re: Unwanted Sys 32 files

Can you explain this better, please?

Quote:
The "something wrong" from earlier
You mean from August?

Frankly, you may be better off doing a wipe and reinstall of Windows if your OS is acting dodgy since the last infection, and here you have another.

Trouble with infections these days is, we can clean what we see, but they often leave a wake of destruction.

I can try to help you clean this machine, but there's no guarantees it will help the troubles you seem to be having with the OS.

Your call.
__________________
Practice Safe Surfing
Because what you don't know, CAN hurt you.
Proud Member of ASAP since 2005
Proud Member of UNITE since 2006

Microsoft MVP - Consumer Security 2009
Old 12-01-2007, 07:25 PM   #8 (permalink)
Registered User
 
Join Date: Aug 2007
Posts: 15
OS: xp


Re: Unwanted Sys 32 files

I'd say try and fix it. If that doesn't help at all I might reformat, but I'd really rather not.
Old 12-01-2007, 07:31 PM   #9 (permalink)
Manager, Security Center, TSF Academy; Analyst, Security Team
 
 
Join Date: Jan 2005
Location: Transylvania County, North Carolina, USA
Posts: 35,559
OS: 2000 Pro; XP Pro; XP Home


Re: Unwanted Sys 32 files

OK then....we will not want to see you back, infected, with no AntiVirus application again. We like helping people, but it's on you to follow our advice for future protection also. This includes maintaining AntiVirus protection on your machine.

Before beginning the fix, read this post completely. If there's anything that you do not understand, kindly ask your questions before proceeding. Ensure that there aren't any opened browsers when you are carrying out the procedures below. Save the following instructions in Notepad as this webpage would not be available when you're carrying out the fix.

It is IMPORTANT that you don't miss a step & perform everything in the correct order/sequence.

---------------------------------------------------------------------------------------------

Note: If you have ComboFix already, I need you to delete it and get the version from the link below.
  1. Download this file - http://download.bleepingcomputer.com...a/ComboFix.exe

    * IMPORTANT !!! Place combofix.exe on your Desktop


  2. Go to -> Run -> paste in the following single line command & click OK

    "%userprofile%\desktop\combofix.exe" /killall



  3. Follow the prompts. Type "1" and press Enter to begin the scan.
  4. Your desktop may go blank. This is normal. It will return when ComboFix is done. ComboFix may reboot your machine. This is normal.
  5. When finished, it shall produce a log for you. Post that log in your next reply.

    Note:
    Do not mouseclick combofix's window whilst it's running. That may cause it to stall.

    ---------------------------------------------------------------------------------------------
  6. Open HijackThis and click on 'Do a System Scan and save a Logfile'. Save the log file and post it here.

    ---------------------------------------------------------------------------------------------
Old 12-01-2007, 09:00 PM   #10 (permalink)
Registered User
 
Join Date: Aug 2007
Posts: 15
OS: xp


Re: Unwanted Sys 32 files

Included the combofix log as well just in case.

ComboFix 07-12-02.5 - Spencer 2007-12-01 21:45:19.1 - NTFSx86 MINIMAL
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.1783 [GMT -6:00]
Running from: C:\Documents and Settings\Spencer\desktop\combofix.exe
Command switches used :: /killall
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Documents and Settings\All Users\Application Data.\ngpibyto.dll
C:\Documents and Settings\All Users\Application Data.\yjonwjkr.dll
C:\Documents and Settings\All Users\Start Menu\Live Safety Center.lnk
C:\Documents and Settings\Spencer\Favorites\Online Security Guide.lnk
C:\Documents and Settings\Spencer\My Documents\ASKS~1
C:\Documents and Settings\Spencer\My Documents\ASKS~1\?asks\
C:\Documents and Settings\Spencer\My Documents\PPATCH~1
C:\Documents and Settings\Spencer\My Documents\PPATCH~1\?ervices.exe
C:\WINDOWS\avp.exe
C:\WINDOWS\mgrs.exe
C:\WINDOWS\system32\drvdifr.dll
C:\WINDOWS\system32\drvfuzr.dll
C:\WINDOWS\system32\drvloxr.dll
C:\WINDOWS\system32\drvsuvr.dll
C:\WINDOWS\system32\epdwaenm.ini
C:\WINDOWS\system32\hieftggu.ini
C:\WINDOWS\system32\kjjlm.ini
C:\WINDOWS\system32\kjjlm.ini2
C:\WINDOWS\system32\klvaggcw.dll
C:\WINDOWS\system32\kpjfdjjn.ini
C:\WINDOWS\system32\mneawdpe.dll
C:\WINDOWS\system32\mybeipai.dll
C:\WINDOWS\system32\nccoqysp.dll
C:\WINDOWS\system32\njjdfjpk.dll
C:\WINDOWS\system32\omwkrjkr.dll
C:\WINDOWS\system32\pvepettt.exe
C:\WINDOWS\system32\qruprohs.dll
C:\WINDOWS\system32\rkjrkwmo.ini
C:\WINDOWS\system32\shorpurq.ini
C:\WINDOWS\system32\smqcjbdy.exe
C:\WINDOWS\system32\syiwmsdp.exe
C:\WINDOWS\system32\tnrtmwuk
C:\WINDOWS\system32\tnrtmwuk\bg1.gif
C:\WINDOWS\system32\tnrtmwuk\bgtop.gif
C:\WINDOWS\system32\tnrtmwuk\bottom1.gif
C:\WINDOWS\system32\tnrtmwuk\essentials.gif
C:\WINDOWS\system32\tnrtmwuk\icon1.ico
C:\WINDOWS\system32\tnrtmwuk\install1.gif
C:\WINDOWS\system32\tnrtmwuk\left1.gif
C:\WINDOWS\system32\tnrtmwuk\li.gif
C:\WINDOWS\system32\tnrtmwuk\logo.gif
C:\WINDOWS\system32\tnrtmwuk\main.htm
C:\WINDOWS\system32\tnrtmwuk\mainframe.htm
C:\WINDOWS\system32\tnrtmwuk\reinstall1.gif
C:\WINDOWS\system32\tnrtmwuk\right1.gif
C:\WINDOWS\system32\tnrtmwuk\s1.htm
C:\WINDOWS\system32\tnrtmwuk\s2.htm
C:\WINDOWS\system32\tnrtmwuk\s3.htm
C:\WINDOWS\system32\tnrtmwuk\SMTop1.gif
C:\WINDOWS\system32\tnrtmwuk\SMTop2.gif
C:\WINDOWS\system32\tnrtmwuk\SMTop3.gif
C:\WINDOWS\system32\tnrtmwuk\SMTop4.gif
C:\WINDOWS\system32\tnrtmwuk\soft1_off.gif
C:\WINDOWS\system32\tnrtmwuk\soft1_off_ext.gif
C:\WINDOWS\system32\tnrtmwuk\soft1_on.gif
C:\WINDOWS\system32\tnrtmwuk\soft1_on_ext.gif
C:\WINDOWS\system32\tnrtmwuk\soft2_off.gif
C:\WINDOWS\system32\tnrtmwuk\soft2_off_ext.gif
C:\WINDOWS\system32\tnrtmwuk\soft2_on.gif
C:\WINDOWS\system32\tnrtmwuk\soft2_on_ext.gif
C:\WINDOWS\system32\tnrtmwuk\soft3_off.gif
C:\WINDOWS\system32\tnrtmwuk\soft3_off_ext.gif
C:\WINDOWS\system32\tnrtmwuk\soft3_on.gif
C:\WINDOWS\system32\tnrtmwuk\soft3_on_ext.gif
C:\WINDOWS\system32\tnrtmwuk\softbottom_off.gif
C:\WINDOWS\system32\tnrtmwuk\softbottom_on.gif
C:\WINDOWS\system32\tnrtmwuk\softleft_off.gif
C:\WINDOWS\system32\tnrtmwuk\softleft_on.gif
C:\WINDOWS\system32\tnrtmwuk\tnrtmwuk1.exe
C:\WINDOWS\system32\tnrtmwuk\tnrtmwuk2.exe
C:\WINDOWS\system32\tnrtmwuk\tnrtmwuk3.exe
C:\WINDOWS\system32\tnrtmwuk\top1.gif
C:\WINDOWS\system32\tnrtmwuk\top2.gif
C:\WINDOWS\system32\tnrtmwuk\turnoff1.gif
C:\WINDOWS\system32\tnrtmwuk\turnon1.gif
C:\WINDOWS\system32\uggtfeih.dll
C:\WINDOWS\system32\winrvc32.dll
C:\WINDOWS\system32\wnsinticomsv32.exe
C:\WINDOWS\system32\wvsxpwlv.dll
C:\WINDOWS\system32\yyixwqju.dll

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))

.
-------\LEGACY_DOMAINSERVICE
-------\DomainService


((((((((((((((((((((((((( Files Created from 2007-11-02 to 2007-12-02 )))))))))))))))))))))))))))))))
.

2007-11-30 23:33 . 2007-11-30 23:33 <DIR> d-------- C:\Program Files\Avira
2007-11-30 23:33 . 2007-11-30 23:33 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Avira
2007-11-28 13:18 . 2007-11-28 13:19 <DIR> d-------- C:\Program Files\MagicDisc
2007-11-28 13:18 . 2007-09-05 01:46 92,544 --a------ C:\WINDOWS\system32\drivers\mcdbus.sys
2007-11-27 17:22 . 2007-11-27 17:22 754 --a------ C:\WINDOWS\WORDPAD.INI
2007-11-27 16:29 . 2007-11-27 16:29 4,625 --a------ C:\WINDOWS\imsins.BAK
2007-11-26 19:28 . 2007-11-26 19:28 <DIR> d-------- C:\WINDOWS\system32\tpcwdoia
2007-11-26 19:28 . 2007-11-26 19:28 34,304 --a------ C:\WINDOWS\system32\tuvvtts.dll
2007-11-24 18:36 . 2007-07-30 19:19 25,944 --a------ C:\WINDOWS\system32\wuapi.dll.mui
2007-11-24 01:26 . 2007-11-24 01:26 102,912 --a------ C:\WINDOWS\system32\drvfuz.dll
2007-11-23 23:46 . 2007-11-23 23:46 1,149,472 --a------ C:\Install
2007-11-23 23:40 . 2007-11-23 23:40 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Age of Empires 3
2007-11-23 23:38 . 2005-05-26 15:34 2,297,552 --a------ C:\WINDOWS\system32\d3dx9_26.dll
2007-11-23 23:23 . 2007-11-24 18:06 <DIR> d-------- C:\Program Files\DAEMON Tools
2007-11-23 22:34 . 2007-11-23 22:34 685,816 --a------ C:\WINDOWS\system32\drivers\sptd.sys

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2007-12-02 03:48 4,006,232 ----a-w C:\WINDOWS\Internet Logs\tvDebug.zip
2007-12-01 18:09 --------- d-----w C:\Program Files\Steam
2007-12-01 06:00 --------- d-----w C:\Documents and Settings\Spencer\Application Data\Azureus
2007-11-29 06:34 --------- d-----w C:\Program Files\DC++
2007-11-27 22:31 --------- d-----w C:\Program Files\Winamp
2007-11-27 22:04 --------- d-----w C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2007-11-27 21:57 --------- d-----w C:\Program Files\Winamp Remote
2007-11-25 23:06 --------- d--h--w C:\Program Files\InstallShield Installation Information
2007-11-25 00:30 --------- d-----w C:\Program Files\SpywareBlaster
2007-11-25 00:19 --------- d-----w C:\Program Files\Zune
2007-11-25 00:13 --------- d-----w C:\Program Files\QuickTime
2007-11-25 00:12 --------- d-----w C:\Program Files\Microsoft IntelliPoint
2007-11-25 00:12 --------- d-----w C:\Program Files\MagicISO
2007-11-25 00:11 --------- d-----w C:\Program Files\Google
2007-11-25 00:05 --------- d-----w C:\Program Files\ATI Multimedia
2007-11-24 23:27 --------- d-----w C:\Documents and Settings\All Users\Application Data\Viewpoint
2007-11-24 07:27 --------- d-----w C:\Program Files\Microsoft Games
2007-11-18 20:52 --------- d-----w C:\Documents and Settings\All Users\Application Data\ATI MMC
2007-11-17 23:10 --------- d-----w C:\Program Files\Java
2007-11-13 20:30 --------- d-----w C:\Program Files\AIM6
2007-11-13 20:22 --------- d-----w C:\Documents and Settings\All Users\Application Data\AOL Downloads
2007-10-25 16:26 --------- d-----w C:\Documents and Settings\All Users\Application Data\OrbNetworks
2007-10-25 06:19 --------- d-----w C:\Documents and Settings\Spencer\Application Data\vlc
2007-10-25 06:18 --------- d-----w C:\Program Files\VideoLAN
2007-10-25 06:09 --------- d-----w C:\Program Files\Xvid
2007-10-24 07:22 --------- d-----w C:\Documents and Settings\Spencer\Application Data\Skype
2007-10-05 19:00 --------- d-----w C:\Documents and Settings\Spencer\Application Data\Move Networks
2007-10-04 20:40 --------- d-----w C:\Program Files\FLAC
2007-09-27 17:05 16,539,254 ----a-w C:\WINDOWS\Internet Logs\vsmon_on_demand_2007_09_26_19_17_15_full.dmp.zip
2007-09-27 16:57 96,204 ----a-w C:\WINDOWS\Internet Logs\vsmon_2nd_2007_09_26_18_30_20_small.dmp.zip
2007-09-27 16:57 88,068 ----a-w C:\WINDOWS\Internet Logs\vsmon_2nd_2007_09_26_18_30_36_small.dmp.zip
2007-09-27 16:57 16,847,434 ----a-w C:\WINDOWS\Internet Logs\vsmon_on_demand_2007_09_26_18_30_31_full.dmp.zip
2007-09-27 16:57 16,532,501 ----a-w C:\WINDOWS\Internet Logs\vsmon_on_demand_2007_09_26_18_30_12_full.dmp.zip
2007-09-27 16:57 114,883 ----a-w C:\WINDOWS\Internet Logs\vsmon_2nd_2007_09_26_18_24_48_small.dmp.zip
2007-05-20 21:49 155,684 ----a-w C:\WINDOWS\Internet Logs\vsmon_2nd_2007_05_20_16_47_21_small.dmp.zip
2007-05-16 18:46 153,927 ----a-w C:\WINDOWS\Internet Logs\vsmon_2nd_2007_05_16_13_43_29_small.dmp.zip
2007-05-16 09:28 36,766 ----a-w C:\WINDOWS\Internet Logs\zlclient_2nd_2007_05_15_14_27_20_small.dmp.zip
2007-05-16 09:28 35,455 ----a-w C:\WINDOWS\Internet Logs\zlclient_2nd_2007_05_15_14_27_14_small.dmp.zip
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 00:56]
"Aim6"="" []
"swg"="C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-04-05 02:05]
"NVIDIA nTune"="C:\Program Files\NVIDIA Corporation\nTune\nTuneCmd.exe" [2007-04-04 13:20]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"TkBellExe"="C:\Program Files\Common Files\Real\Update_OB\realsched.exe" [2007-02-13 17:52]
"ZoneAlarm Client"="C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe" [2007-03-09 00:02]
"IntelliPoint"="c:\Program Files\Microsoft IntelliPoint\ipoint.exe" [2006-11-21 16:09]
"JMB36X IDE Setup"="C:\WINDOWS\JM\JMInsIDE.exe" []
"36X Raid Configurer"="C:\WINDOWS\system32\JMRaidSetup.exe" [2006-11-16 19:05]
"RTHDCPL"="RTHDCPL.EXE" [2006-11-14 03:21 C:\WINDOWS\RTHDCPL.exe]
"SkyTel"="SkyTel.EXE" [2006-05-16 04:04 C:\WINDOWS\SkyTel.exe]
"NvCplDaemon"="RUNDLL32.exe" [2004-08-04 00:56 C:\WINDOWS\system32\rundll32.exe]
"NvMediaCenter"="RUNDLL32.exe" [2004-08-04 00:56 C:\WINDOWS\system32\rundll32.exe]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe" [2007-09-25 01:11]
"WinPatrol"="C:\Program Files\BillP Studios\WinPatrol\winpatrol.exe" [2007-08-11 16:48]
"WinampAgent"="C:\Program Files\Winamp\wianmpa.exe" []
"avgnt"="C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe" [2007-11-30 23:36]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\fccawwt]
fccawwt.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\gebcdaa]
gebcdaa.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\njoojktj]
njoojktj.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\urqrqqq]
urqrqqq.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Adobe Reader Speed Launch.lnk
backup=C:\WINDOWS\pss\Adobe Reader Speed Launch.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Synchronizer.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Adobe Reader Synchronizer.lnk
backup=C:\WINDOWS\pss\Adobe Reader Synchronizer.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^Spencer^Start Menu^Programs^Startup^Adobe Gamma.lnk]
path=C:\Documents and Settings\Spencer\Start Menu\Programs\Startup\Adobe Gamma.lnk
backup=C:\WINDOWS\pss\Adobe Gamma.lnkStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^Spencer^Start Menu^Programs^Startup^OpenOffice.org 2.2.lnk]
path=C:\Documents and Settings\Spencer\Start Menu\Programs\Startup\OpenOffice.org 2.2.lnk
backup=C:\WINDOWS\pss\OpenOffice.org 2.2.lnkStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Aim6]
C:\Program Files\AIM6\aim6.exe /d locale=en-US ee://aol/imApp

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ATI DeviceDetect]
2006-10-31 20:24 57344 --a------ C:\Program Files\ATI Multimedia\main\ATIDtct.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ATI Launchpad]
2006-10-31 20:27 102400 --a------ C:\Program Files\ATI Multimedia\main\launchpd.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ATIPTA]
2005-05-12 21:05 344064 --a------ C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\CMCService]
2006-06-29 15:39 167936 --------- C:\Program Files\ATI\Catalyst Media Center\CMCService.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HPDJ Taskbar Utility]
2006-01-13 00:46 196608 --a------ C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb04.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HPHmon03]
2006-01-13 00:46 311296 --a------ C:\WINDOWS\system32\hphmon03.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
2007-03-14 18:05 257088 --a------ C:\Program Files\iTunes\iTunesHelper.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
C:\Program Files\Messenger\MSMSGS.EXE /background

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PWRISOVM.EXE]
C:\Program Files\PowerISO\PWRISOVM.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
C:\Program Files\QuickTime\qttask.exe -atboottime

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Skype]
C:\Program Files\Skype\Phone\Skype.exe /nosplash /minimized

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\StartCCC]
2006-11-10 11:35 90112 --a------ C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Steam]
C:\Program Files\Steam\Steam.exe -silent

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\swg]
2007-04-05 02:05 68856 --a------ C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Zune Launcher]
2007-03-14 18:03 24104 --a------ C:\Program Files\Zune\ZuneLauncher.exe

R1 ATITool;ATITool Overclocking Utility;C:\WINDOWS\system32\DRIVERS\ATITool.sys
R3 ATICXCAP;ATI TV Wonder Pro A/V Capture;C:\WINDOWS\system32\drivers\aticxcap.sys
R3 ATICXTUN;ATI TV Wonder 200 Tuner (Philips 1236 MK3);C:\WINDOWS\system32\drivers\aticxtun.sys
R3 ATICXXBR;ATI TV Wonder 200 A/V Crossbar;C:\WINDOWS\system32\drivers\aticxxbr.sys
S3 Dot4 HPH09;Dot4 HPH09;C:\WINDOWS\system32\DRIVERS\hphid409.sys
S3 Dot4Print HPH09;Print Class Driver for IEEE-1284.4 HPH09;C:\WINDOWS\system32\DRIVERS\hphipr09.sys
S3 Dot4Storage HPH09;Storage Class Driver for IEEE-1284.4 (HPH09);C:\WINDOWS\system32\Drivers\hphs2k09.sys
S3 Dot4Usb HPH09;Dot4Usb HPH09;C:\WINDOWS\system32\drivers\hphius09.sys
S3 gdrv;gdrv;\??\C:\WINDOWS\gdrv.sys

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{eed67790-0397-11dc-9e6b-806d6172696f}]
\Shell\AutoRun\command - D:\Run.exe

.
Contents of the 'Scheduled Tasks' folder
"2007-05-07 04:04:13 C:\WINDOWS\Tasks\Microsoft_Hardware_Launch_IPoint_exe.job"
- c:\Program Files\Microsoft IntelliPoint\ipoint.exe
.
**************************************************************************

catchme 0.3.1318 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-12-01 21:49:46
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2007-12-01 21:51:31 - machine was rebooted
C:\ComboFix-quarantined-files.txt ... 2007-11-26 14:41
C:\ComboFix2.txt ... 2007-11-26 14:41
C:\ComboFix3.txt ... 2007-11-24 01:12
.
--- E O F ---


Logfile of Trend Micro HijackThis v2.0.0 (BETA)
Scan saved at 9:58:12 PM, on 12/1/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Avira\AntiVir PersonalEdition Classic\avguard.exe
C:\Program Files\Avira\AntiVir PersonalEdition Classic\sched.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\Program Files\ATI\Catalyst Media Center\Kernel\TV\CLCapSvc.exe
C:\Program Files\ATI\Catalyst Media Center\Kernel\CLML_NTService\CLMLServer.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\svchost.exe
C:\Program Files\NVIDIA Corporation\nTune\nTuneService.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\ATI\Catalyst Media Center\Kernel\TV\CLSched.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\Program Files\Microsoft IntelliPoint\ipoint.exe
C:\WINDOWS\RTHDCPL.EXE
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe
C:\Program Files\BillP Studios\WinPatrol\winpatrol.exe
C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\HijackThis\Analyze.exe.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://us.mg1.mail.yahoo.com/dc/laun...=2dfahiaautco3
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R3 - URLSearchHook: AOLTBSearch Class - {EA756889-2338-43DB-8F07-D1CA6FB9C90D} - C:\Program Files\AOL\AIM Toolbar 5.0\aoltb.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\2.0.301.7164\swg.dll
O2 - BHO: TrendProtect - {E3578B37-6346-4EC1-A82B-38273A100DCF} - C:\Program Files\Trend Micro\TrendProtect\MSIE\wrs.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O3 - Toolbar: TrendProtect - {F83BE649-1CC3-48EE-B2E2-0826CEF3822A} - C:\Program Files\Trend Micro\TrendProtect\MSIE\wrs.dll
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [ZoneAlarm Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [IntelliPoint] "c:\Program Files\Microsoft IntelliPoint\ipoint.exe"
O4 - HKLM\..\Run: [JMB36X IDE Setup] C:\WINDOWS\JM\JMInsIDE.exe
O4 - HKLM\..\Run: [36X Raid Configurer] C:\WINDOWS\system32\JMRaidSetup.exe boot
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [SkyTel] SkyTel.EXE
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"
O4 - HKLM\..\Run: [WinPatrol] C:\Program Files\BillP Studios\WinPatrol\winpatrol.exe
O4 - HKLM\..\Run: [WinampAgent] C:\Program Files\Winamp\wianmpa.exe
O4 - HKLM\..\Run: [avgnt] "C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe" /min
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [NVIDIA nTune] "C:\Program Files\NVIDIA Corporation\nTune\nTuneCmd.exe" clear
O8 - Extra context menu item: &AOL Toolbar Search - c:\program files\aol\aim toolbar 5.0\resources\en-US\local\search.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: ATI TV - {44226DFF-747E-4edc-B30C-78752E50CD0C} - C:\Program Files\ATI Multimedia\dtv\EXPLBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://a1540.g.akamai.net/7/1540/52/...x/qtplugin.cab
O16 - DPF: {5F8469B4-B055-49DD-83F7-62B522420ECC} (Facebook Photo Uploader Control) - http://upload.facebook.com/controls/...toUploader.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/micr...?1195950977750
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/micr...?1195950962390
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/actives...ree/asinst.cab
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O18 - Protocol: trendprotect - {BC3A5F6F-12A0-4B14-A184-32939F413823} - C:\Program Files\Trend Micro\TrendProtect\MSIE\wrs.dll
O20 - Winlogon Notify: fccawwt - fccawwt.dll (file missing)
O20 - Winlogon Notify: gebcdaa - gebcdaa.dll (file missing)
O20 - Winlogon Notify: njoojktj - njoojktj.dll (file missing)
O20 - Winlogon Notify: urqrqqq - urqrqqq.dll (file missing)
O22 - SharedTaskScheduler: Browseui preloader - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - C:\WINDOWS\System32\browseui.dll
O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\WINDOWS\System32\browseui.dll
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: AntiVir PersonalEdition Classic Scheduler (AntiVirScheduler) - Avira GmbH - C:\Program Files\Avira\AntiVir PersonalEdition Classic\sched.exe
O23 - Service: AntiVir PersonalEdition Classic Guard (AntiVirService) - Avira GmbH - C:\Program Files\Avira\AntiVir PersonalEdition Classic\avguard.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: CyberLink Background Capture Service (CBCS) (CLCapSvc) - Unknown owner - C:\Program Files\ATI\Catalyst Media Center\Kernel\TV\CLCapSvc.exe
O23 - Service: CyberLink Task Scheduler (CTS) (CLSched) - Unknown owner - C:\Program Files\ATI\Catalyst Media Center\Kernel\TV\CLSched.exe
O23 - Service: CyberLink Media Library Service - Cyberlink - C:\Program Files\ATI\Catalyst Media Center\Kernel\CLML_NTService\CLMLServer.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: nTune Service (nTuneService) - NVIDIA - C:\Program Files\NVIDIA Corporation\nTune\nTuneService.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Pml Driver - HP - C:\WINDOWS\system32\HPHipm09.exe
O23 - Service: Snoop Free Service (SnoopFreeSvc) - Unknown owner - C:\WINDOWS\System32\SnoopFreeSvc.exe (file missing)
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe

--
End of file - 8870 bytes
Attached Files
File Type: txt hijackthis.txt (8.7 KB, 1 views)
File Type: txt ComboFix.txt (16.0 KB, 1 views)

Last edited by tetonbob; 12-01-2007 at 09:01 PM.
Old 12-01-2007, 09:08 PM   #11
tetonbob
Manager, Security Center, TSF Academy; Analyst, Security Team
Join Date: Jan 2005
Location: Transylvania County, North Carolina, USA
Posts: 35,559
OS: 2000 Pro; XP Pro; XP Home


Re: Unwanted Sys 32 files

Please do not attach logs unless it's requested. They are more difficult to review in that form. Yes, I needed the ComboFix log. I did ask for it. Thanks.

Open notepad and copy/paste the text in the quotebox below into it:

Quote:
File::
C:\WINDOWS\system32\tuvvtts.dll
C:\WINDOWS\system32\drvfuz.dll

Folder::
C:\WINDOWS\system32\tpcwdoia

Registry::
[-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\fccawwt]
[-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\gebcdaa]
[-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\njoojktj]
[-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\urqrqqq]

Save this as CFScript.txt




Referring to the picture above, drag CFScript.txt into ComboFix.exe

When finished, it shall produce a log for you, C:\ComboFix.txt. Post that log in your next reply.

Note:
Do not mouse-click ComboFix's window whilst it's running. That may cause it to stall.


---------------------------------------------------------------------------------------------


Open HijackThis and click on 'Do a System Scan and save a Logfile'. Save the log file and post it here.

---------------------------------------------------------------------------------------------
__________________
Practice Safe Surfing
Because what you don't know, CAN hurt you.
Proud Member of ASAP since 2005
Proud Member of UNITE since 2006

Microsoft MVP - Consumer Security 2009
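The CFScript above deletes the four orphaned Winlogon Notify keys by hand. As an added example (not part of this thread, and not a ComboFix or HijackThis feature), the Python below reads the O20 lines of a HijackThis log, separates allow-listed packages from ones that need review, and writes the same `Registry::` section in the `[-KEY]` deletion form the script uses. The allow-list and the `wgalogon` control line are constructed for the example; the other sample lines are copied from the log posted earlier in this thread.

```python
"""Added example (not part of the thread or of ComboFix/HijackThis): take the
O20 'Winlogon Notify' lines from a HijackThis log and produce the Registry::
section of a ComboFix CFScript, in the form tetonbob's script above uses
([-KEY] deletes the key)."""
import re

# HijackThis prints each Winlogon Notify package as
#   O20 - Winlogon Notify: <name> - <dll> [(file missing)]
O20_RE = re.compile(
    r"^O20 - Winlogon Notify: (?P<name>\S+) - (?P<dll>.+?)"
    r"(?P<missing> \(file missing\))?\s*$"
)

# Registry key the O20 section corresponds to (the same key as in the thread's CFScript).
NOTIFY_KEY = r"HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify"

# Packages Windows XP and common vendors legitimately register here. This allow-list is
# constructed for the example and is not exhaustive: anything not on it is only a
# candidate for review, not an automatic removal.
KNOWN_GOOD = {n.lower() for n in (
    "crypt32chain", "cryptnet", "cscdll", "ScCertProp", "Schedule", "sclgntfy",
    "SensLogn", "termsrv", "wlballoon", "wgalogon", "igfxcui", "AtiExtEvent",
)}

# Sample input. The O18, O20 and O22 lines are copied from the HJT log posted in
# this thread; the wgalogon line is constructed as a benign control.
SAMPLE_LOG = [
    "O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\\PROGRA~1\\COMMON~1\\Skype\\SKYPE4~1.DLL",
    "O20 - Winlogon Notify: fccawwt - fccawwt.dll (file missing)",
    "O20 - Winlogon Notify: gebcdaa - gebcdaa.dll (file missing)",
    "O20 - Winlogon Notify: njoojktj - njoojktj.dll (file missing)",
    "O20 - Winlogon Notify: urqrqqq - urqrqqq.dll (file missing)",
    "O20 - Winlogon Notify: wgalogon - C:\\WINDOWS\\SYSTEM32\\WgaLogon.dll",
    "O22 - SharedTaskScheduler: Browseui preloader - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - C:\\WINDOWS\\System32\\browseui.dll",
]


def parse_o20(lines):
    """Return (name, dll, file_missing) for every O20 line, in log order."""
    found = []
    for line in lines:
        m = O20_RE.match(line.strip())
        if m:
            found.append((m["name"], m["dll"], m["missing"] is not None))
    return found


def candidates(entries):
    """Keep the Notify packages worth removing: those not on the allow-list.
    In this thread all four are also orphaned (the DLL is gone), the usual
    look of a half-cleaned infection: the hook key outlives the file."""
    return [e for e in entries if e[0].lower() not in KNOWN_GOOD]


def build_cfscript(entries):
    """Emit the Registry:: section. A leading '-' inside the brackets tells
    ComboFix to delete the whole key, exactly as in the script posted above."""
    lines = ["Registry::"]
    for name, _dll, _missing in entries:
        lines.append(f"[-{NOTIFY_KEY}\\{name}]")
    return "\n".join(lines) + "\n"


def report(entries):
    """One summary row per package, to read before running anything."""
    rows = []
    for name, dll, missing in entries:
        status = "file missing" if missing else "present"
        verdict = "allow-listed" if name.lower() in KNOWN_GOOD else "review"
        rows.append(f"{name:<12} {dll:<40} {status:<13} {verdict}")
    return rows


if __name__ == "__main__":
    parsed = parse_o20(SAMPLE_LOG)
    print("\n".join(report(parsed)))
    print()
    print(build_cfscript(candidates(parsed)), end="")
```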
Old 12-01-2007, 09:37 PM   #12
Registered User
Join Date: Aug 2007
Posts: 15
OS: xp


Re: Unwanted Sys 32 files

HJT and ComboFix logs:

ComboFix 07-12-02.5 - Spencer 2007-12-01 22:20:51.2 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.1429 [GMT -6:00]
Running from: C:\Documents and Settings\Spencer\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\Spencer\Desktop\CFScript.txt
* Created a new restore point

FILE
C:\WINDOWS\system32\drvfuz.dll
C:\WINDOWS\system32\tuvvtts.dll
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\WINDOWS\system32\drvfuz.dll
C:\WINDOWS\system32\tpcwdoia
C:\WINDOWS\system32\tpcwdoia\bg1.gif
C:\WINDOWS\system32\tpcwdoia\bgtop.gif
C:\WINDOWS\system32\tpcwdoia\bottom1.gif
C:\WINDOWS\system32\tpcwdoia\essentials.gif
C:\WINDOWS\system32\tpcwdoia\icon1.ico
C:\WINDOWS\system32\tpcwdoia\install1.gif
C:\WINDOWS\system32\tpcwdoia\left1.gif
C:\WINDOWS\system32\tpcwdoia\li.gif
C:\WINDOWS\system32\tpcwdoia\logo.gif
C:\WINDOWS\system32\tpcwdoia\main.htm
C:\WINDOWS\system32\tpcwdoia\mainframe.htm
C:\WINDOWS\system32\tpcwdoia\reinstall1.gif
C:\WINDOWS\system32\tpcwdoia\right1.gif
C:\WINDOWS\system32\tpcwdoia\s1.htm
C:\WINDOWS\system32\tpcwdoia\s2.htm
C:\WINDOWS\system32\tpcwdoia\s3.htm
C:\WINDOWS\system32\tpcwdoia\SMTop1.gif
C:\WINDOWS\system32\tpcwdoia\SMTop2.gif
C:\WINDOWS\system32\tpcwdoia\SMTop3.gif
C:\WINDOWS\system32\tpcwdoia\SMTop4.gif
C:\WINDOWS\system32\tpcwdoia\soft1_off.gif
C:\WINDOWS\system32\tpcwdoia\soft1_off_ext.gif
C:\WINDOWS\system32\tpcwdoia\soft1_on.gif
C:\WINDOWS\system32\tpcwdoia\soft1_on_ext.gif
C:\WINDOWS\system32\tpcwdoia\soft2_off.gif
C:\WINDOWS\system32\tpcwdoia\soft2_off_ext.gif
C:\WINDOWS\system32\tpcwdoia\soft2_on.gif
C:\WINDOWS\system32\tpcwdoia\soft2_on_ext.gif
C:\WINDOWS\system32\tpcwdoia\soft3_off.gif
C:\WINDOWS\system32\tpcwdoia\soft3_off_ext.gif
C:\WINDOWS\system32\tpcwdoia\soft3_on.gif
C:\WINDOWS\system32\tpcwdoia\soft3_on_ext.gif
C:\WINDOWS\system32\tpcwdoia\softbottom_off.gif
C:\WINDOWS\system32\tpcwdoia\softbottom_on.gif
C:\WINDOWS\system32\tpcwdoia\softleft_off.gif
C:\WINDOWS\system32\tpcwdoia\softleft_on.gif
C:\WINDOWS\system32\tpcwdoia\top1.gif
C:\WINDOWS\system32\tpcwdoia\top2.gif
C:\WINDOWS\system32\tpcwdoia\turnoff1.gif
C:\WINDOWS\system32\tpcwdoia\turnon1.gif
C:\WINDOWS\system32\tuvvtts.dll

.
((((((((((((((((((((((((( Files Created from 2007-11-02 to 2007-12-02 )))))))))))))))))))))))))))))))
.

2007-11-30 23:33 . 2007-11-30 23:33 <DIR> d-------- C:\Program Files\Avira
2007-11-30 23:33 . 2007-11-30 23:33 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Avira
2007-11-28 13:18 . 2007-11-28 13:19 <DIR> d-------- C:\Program Files\MagicDisc
2007-11-28 13:18 . 2007-09-05 01:46 92,544 --a------ C:\WINDOWS\system32\drivers\mcdbus.sys
2007-11-27 17:22 . 2007-11-27 17:22 754 --a------ C:\WINDOWS\WORDPAD.INI
2007-11-27 16:29 . 2007-11-27 16:29 4,625 --a------ C:\WINDOWS\imsins.BAK
2007-11-24 18:36 . 2007-07-30 19:19 25,944 --a------ C:\WINDOWS\system32\wuapi.dll.mui
2007-11-23 23:46 . 2007-11-23 23:46 1,149,472 --a------ C:\Install
2007-11-23 23:40 . 2007-11-23 23:40 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Age of Empires 3
2007-11-23 23:38 . 2005-05-26 15:34 2,297,552 --a------ C:\WINDOWS\system32\d3dx9_26.dll
2007-11-23 23:23 . 2007-11-24 18:06 <DIR> d-------- C:\Program Files\DAEMON Tools
2007-11-23 22:34 . 2007-11-23 22:34 685,816 --a------ C:\WINDOWS\system32\drivers\sptd.sys

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2007-12-02 03:48 4,006,232 ----a-w C:\WINDOWS\Internet Logs\tvDebug.zip
2007-12-01 18:09 --------- d-----w C:\Program Files\Steam
2007-12-01 06:00 --------- d-----w C:\Documents and Settings\Spencer\Application Data\Azureus
2007-11-29 06:34 --------- d-----w C:\Program Files\DC++
2007-11-27 22:31 --------- d-----w C:\Program Files\Winamp
2007-11-27 22:04 --------- d-----w C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2007-11-27 21:57 --------- d-----w C:\Program Files\Winamp Remote
2007-11-25 23:06 --------- d--h--w C:\Program Files\InstallShield Installation Information
2007-11-25 00:30 --------- d-----w C:\Program Files\SpywareBlaster
2007-11-25 00:19 --------- d-----w C:\Program Files\Zune
2007-11-25 00:13 --------- d-----w C:\Program Files\QuickTime
2007-11-25 00:12 --------- d-----w C:\Program Files\Microsoft IntelliPoint
2007-11-25 00:12 --------- d-----w C:\Program Files\MagicISO
2007-11-25 00:11 --------- d-----w C:\Program Files\Google
2007-11-25 00:05 --------- d-----w C:\Program Files\ATI Multimedia
2007-11-24 23:27 --------- d-----w C:\Documents and Settings\All Users\Application Data\Viewpoint
2007-11-24 07:27 --------- d-----w C:\Program Files\Microsoft Games
2007-11-18 20:52 --------- d-----w C:\Documents and Settings\All Users\Application Data\ATI MMC
2007-11-17 23:10 --------- d-----w C:\Program Files\Java
2007-11-13 20:30 --------- d-----w C:\Program Files\AIM6
2007-11-13 20:22 --------- d-----w C:\Documents and Settings\All Users\Application Data\AOL Downloads
2007-10-25 16:26 --------- d-----w C:\Documents and Settings\All Users\Application Data\OrbNetworks
2007-10-25 06:19 --------- d-----w C:\Documents and Settings\Spencer\Application Data\vlc
2007-10-25 06:18 --------- d-----w C:\Program Files\VideoLAN
2007-10-25 06:09 --------- d-----w C:\Program Files\Xvid
2007-10-24 07:22 --------- d-----w C:\Documents and Settings\Spencer\Application Data\Skype
2007-10-05 19:00 --------- d-----w C:\Documents and Settings\Spencer\Application Data\Move Networks
2007-10-04 20:40 --------- d-----w C:\Program Files\FLAC
2007-09-27 17:05 16,539,254 ----a-w C:\WINDOWS\Internet Logs\vsmon_on_demand_2007_09_26_19_17_15_full.dmp.zip
2007-09-27 16:57 96,204 ----a-w C:\WINDOWS\Internet Logs\vsmon_2nd_2007_09_26_18_30_20_small.dmp.zip
2007-09-27 16:57 88,068 ----a-w C:\WINDOWS\Internet Logs\vsmon_2nd_2007_09_26_18_30_36_small.dmp.zip
2007-09-27 16:57 16,847,434 ----a-w C:\WINDOWS\Internet Logs\vsmon_on_demand_2007_09_26_18_30_31_full.dmp.zip
2007-09-27 16:57 16,532,501 ----a-w C:\WINDOWS\Internet Logs\vsmon_on_demand_2007_09_26_18_30_12_full.dmp.zip
2007-09-27 16:57 114,883 ----a-w C:\WINDOWS\Internet Logs\vsmon_2nd_2007_09_26_18_24_48_small.dmp.zip
2007-05-20 21:49 155,684 ----a-w C:\WINDOWS\Internet Logs\vsmon_2nd_2007_05_20_16_47_21_small.dmp.zip
2007-05-16 18:46 153,927 ----a-w C:\WINDOWS\Internet Logs\vsmon_2nd_2007_05_16_13_43_29_small.dmp.zip
2007-05-16 09:28 36,766 ----a-w C:\WINDOWS\Internet Logs\zlclient_2nd_2007_05_15_14_27_20_small.dmp.zip
2007-05-16 09:28 35,455 ----a-w C:\WINDOWS\Internet Logs\zlclient_2nd_2007_05_15_14_27_14_small.dmp.zip
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 00:56]
"Aim6"="" []
"swg"="C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-04-05 02:05]
"NVIDIA nTune"="C:\Program Files\NVIDIA Corporation\nTune\nTuneCmd.exe" [2007-04-04 13:20]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"TkBellExe"="C:\Program Files\Common Files\Real\Update_OB\realsched.exe" [2007-02-13 17:52]
"ZoneAlarm Client"="C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe" [2007-03-09 00:02]
"IntelliPoint"="c:\Program Files\Microsoft IntelliPoint\ipoint.exe" [2006-11-21 16:09]
"JMB36X IDE Setup"="C:\WINDOWS\JM\JMInsIDE.exe" []
"36X Raid Configurer"="C:\WINDOWS\system32\JMRaidSetup.exe" [2006-11-16 19:05]
"RTHDCPL"="RTHDCPL.EXE" [2006-11-14 03:21 C:\WINDOWS\RTHDCPL.exe]
"SkyTel"="SkyTel.EXE" [2006-05-16 04:04 C:\WINDOWS\SkyTel.exe]
"NvCplDaemon"="RUNDLL32.exe" [2004-08-04 00:56 C:\WINDOWS\system32\rundll32.exe]
"NvMediaCenter"="RUNDLL32.exe" [2004-08-04 00:56 C:\WINDOWS\system32\rundll32.exe]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe" [2007-09-25 01:11]
"WinPatrol"="C:\Program Files\BillP Studios\WinPatrol\winpatrol.exe" [2007-08-11 16:48]
"WinampAgent"="C:\Program Files\Winamp\wianmpa.exe" []
"avgnt"="C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe" [2007-11-30 23:36]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Adobe Reader Speed Launch.lnk
backup=C:\WINDOWS\pss\Adobe Reader Speed Launch.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Synchronizer.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Adobe Reader Synchronizer.lnk
backup=C:\WINDOWS\pss\Adobe Reader Synchronizer.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^Spencer^Start Menu^Programs^Startup^Adobe Gamma.lnk]
path=C:\Documents and Settings\Spencer\Start Menu\Programs\Startup\Adobe Gamma.lnk
backup=C:\WINDOWS\pss\Adobe Gamma.lnkStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^Spencer^Start Menu^Programs^Startup^OpenOffice.org 2.2.lnk]
path=C:\Documents and Settings\Spencer\Start Menu\Programs\Startup\OpenOffice.org 2.2.lnk
backup=C:\WINDOWS\pss\OpenOffice.org 2.2.lnkStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Aim6]
C:\Program Files\AIM6\aim6.exe /d locale=en-US ee://aol/imApp

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ATI DeviceDetect]
2006-10-31 20:24 57344 --a------ C:\Program Files\ATI Multimedia\main\ATIDtct.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ATI Launchpad]
2006-10-31 20:27 102400 --a------ C:\Program Files\ATI Multimedia\main\launchpd.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ATIPTA]
2005-05-12 21:05 344064 --a------ C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\CMCService]
2006-06-29 15:39 167936 --------- C:\Program Files\ATI\Catalyst Media Center\CMCService.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HPDJ Taskbar Utility]
2006-01-13 00:46 196608 --a------ C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb04.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HPHmon03]
2006-01-13 00:46 311296 --a------ C:\WINDOWS\system32\hphmon03.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
2007-03-14 18:05 257088 --a------ C:\Program Files\iTunes\iTunesHelper.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
C:\Program Files\Messenger\MSMSGS.EXE /background

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PWRISOVM.EXE]
C:\Program Files\PowerISO\PWRISOVM.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
C:\Program Files\QuickTime\qttask.exe -atboottime

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Skype]
C:\Program Files\Skype\Phone\Skype.exe /nosplash /minimized

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\StartCCC]
2006-11-10 11:35 90112 --a------ C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Steam]
C:\Program Files\Steam\Steam.exe -silent

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\swg]
2007-04-05 02:05 68856 --a------ C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Zune Launcher]
2007-03-14 18:03 24104 --a------ C:\Program Files\Zune\ZuneLauncher.exe


[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{eed67790-0397-11dc-9e6b-806d6172696f}]
\Shell\AutoRun\command - D:\Run.exe

.
Contents of the 'Scheduled Tasks' folder
"2007-05-07 04:04:13 C:\WINDOWS\Tasks\Microsoft_Hardware_Launch_IPoint_exe.job"
- c:\Program Files\Microsoft IntelliPoint\ipoint.exe
.
**************************************************************************

catchme 0.3.1318 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-12-01 22:31:27
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

**************************************************************************
.
Completion time: 2007-12-01 22:33:27 - machine was rebooted
C:\ComboFix-quarantined-files.txt ... 2007-11-26 14:41
C:\ComboFix2.txt ... 2007-12-01 21:51
C:\ComboFix3.txt ... 2007-11-26 14:41
.
--- E O F ---


Logfile of Trend Micro HijackThis v2.0.0 (BETA)
Scan saved at 10:35:15 PM, on 12/1/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Avira\AntiVir PersonalEdition Classic\avguard.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\Program Files\Microsoft IntelliPoint\ipoint.exe
C:\WINDOWS\RTHDCPL.EXE
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe
C:\Program Files\BillP Studios\WinPatrol\winpatrol.exe
C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\Avira\AntiVir PersonalEdition Classic\sched.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\Program Files\ATI\Catalyst Media Center\Kernel\TV\CLCapSvc.exe
C:\Program Files\ATI\Catalyst Media Center\Kernel\CLML_NTService\CLMLServer.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\NVIDIA Corporation\nTune\nTuneService.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\ATI\Catalyst Media Center\Kernel\TV\CLSched.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\notepad.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\HijackThis\Analyze.exe.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://us.mg1.mail.yahoo.com/dc/laun...=2dfahiaautco3
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R3 - URLSearchHook: AOLTBSearch Class - {EA756889-2338-43DB-8F07-D1CA6FB9C90D} - C:\Program Files\AOL\AIM Toolbar 5.0\aoltb.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\2.0.301.7164\swg.dll
O2 - BHO: TrendProtect - {E3578B37-6346-4EC1-A82B-38273A100DCF} - C:\Program Files\Trend Micro\TrendProtect\MSIE\wrs.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O3 - Toolbar: TrendProtect - {F83BE649-1CC3-48EE-B2E2-0826CEF3822A} - C:\Program Files\Trend Micro\TrendProtect\MSIE\wrs.dll
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [ZoneAlarm Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [IntelliPoint] "c:\Program Files\Microsoft IntelliPoint\ipoint.exe"
O4 - HKLM\..\Run: [JMB36X IDE Setup] C:\WINDOWS\JM\JMInsIDE.exe
O4 - HKLM\..\Run: [36X Raid Configurer] C:\WINDOWS\system32\JMRaidSetup.exe boot
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [SkyTel] SkyTel.EXE
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"
O4 - HKLM\..\Run: [WinPatrol] C:\Program Files\BillP Studios\WinPatrol\winpatrol.exe
O4 - HKLM\..\Run: [WinampAgent] C:\Program Files\Winamp\wianmpa.exe
O4 - HKLM\..\Run: [avgnt] "C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe" /min
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [NVIDIA nTune] "C:\Program Files\NVIDIA Corporation\nTune\nTuneCmd.exe" clear
O8 - Extra context menu item: &AOL Toolbar Search - c:\program files\aol\aim toolbar 5.0\resources\en-US\local\search.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: ATI TV - {44226DFF-747E-4edc-B30C-78752E50CD0C} - C:\Program Files\ATI Multimedia\dtv\EXPLBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://a1540.g.akamai.net/7/1540/52/...x/qtplugin.cab
O16 - DPF: {5F8469B4-B055-49DD-83F7-62B522420ECC} (Facebook Photo Uploader Control) - http://upload.facebook.com/controls/...toUploader.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/micr...?1195950977750
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/micr...?1195950962390
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/actives...ree/asinst.cab
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O18 - Protocol: trendprotect - {BC3A5F6F-12A0-4B14-A184-32939F413823} - C:\Program Files\Trend Micro\TrendProtect\MSIE\wrs.dll
O22 - SharedTaskScheduler: Browseui preloader - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - C:\WINDOWS\System32\browseui.dll
O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\WINDOWS\System32\browseui.dll
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: AntiVir PersonalEdition Classic Scheduler (AntiVirScheduler) - Avira GmbH - C:\Program Files\Avira\AntiVir PersonalEdition Classic\sched.exe
O23 - Service: AntiVir PersonalEdition Classic Guard (AntiVirService) - Avira GmbH - C:\Program Files\Avira\AntiVir PersonalEdition Classic\avguard.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: CyberLink Background Capture Service (CBCS) (CLCapSvc) - Unknown owner - C:\Program Files\ATI\Catalyst Media Center\Kernel\TV\CLCapSvc.exe
O23 - Service: CyberLink Task Scheduler (CTS) (CLSched) - Unknown owner - C:\Program Files\ATI\Catalyst Media Center\Kernel\TV\CLSched.exe
O23 - Service: CyberLink Media Library Service - Cyberlink - C:\Program Files\ATI\Catalyst Media Center\Kernel\CLML_NTService\CLMLServer.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: nTune Service (nTuneService) - NVIDIA - C:\Program Files\NVIDIA Corporation\nTune\nTuneService.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Pml Driver - HP - C:\WINDOWS\system32\HPHipm09.exe
O23 - Service: Snoop Free Service (SnoopFreeSvc) - Unknown owner - C:\WINDOWS\System32\SnoopFreeSvc.exe (file missing)
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe

--
End of file - 8642 bytes
Attached Files
File Type: txt log.txt (13.0 KB, 1 views)
File Type: txt hijackthis.txt (8.4 KB, 2 views)

Last edited by tetonbob; 12-01-2007 at 09:38 PM.
Old 12-01-2007, 09:44 PM   #13 (permalink)
Manager, Security Center, TSF Academy; Analyst, Security Team
Join Date: Jan 2005
Location: Transylvania County, North Carolina, USA
Posts: 35,559
OS: 2000 Pro; XP Pro; XP Home


Re: Unwanted Sys 32 files

Please run this online scan to help look for remnants.

First, go to Start>Control Panel>Add/Remove Programs and remove Kaspersky online scanner if present prior to downloading the most up-to-date one.

Next, establish an internet connection & perform an online scan using Internet Explorer at Kaspersky Online Scanner

Answer Yes, when prompted to install an ActiveX component.
  • The program will then begin downloading the latest definition files.
  • Once the files have been downloaded click on NEXT
  • Locate the Scan Settings button & configure to:
    • Scan using the following Anti-Virus database:
      • Extended
    • Scan Options:
      • Scan Archives
      • Scan Mail Bases
  • Click OK & have it scan My Computer
  • Once the scan is complete, it will display if your system has been infected. It does not provide an option to clean/disinfect. We only require a report from it.
  • Click the Save as Text button to save the file to your desktop so that you may post it in your next reply
* Turn off the real time scanner of any existing antivirus program while performing the online scan

Note for Internet Explorer 7 users: If at any time you have trouble viewing the accept button of the license, click on the Zoom tool located at the bottom right of the IE window and set the zoom to 75 %. Once the license is accepted, reset to 100%.

---------------------------------------------------------------------------------------------
__________________
Practice Safe Surfing
Because what you don't know, CAN hurt you.
Proud Member of ASAP since 2005
Proud Member of UNITE since 2006

Microsoft MVP - Consumer Security 2009
Old 12-02-2007, 09:54 AM   #14 (permalink)
Manager, Security Center, TSF Academy; Analyst, Security Team
Join Date: Jan 2005
Location: Transylvania County, North Carolina, USA
Posts: 35,559
OS: 2000 Pro; XP Pro; XP Home


Re: Unwanted Sys 32 files

There were some server issues today, and a backup has been restored.

Please repost your Kaspersky results.
Old 12-02-2007, 02:02 PM   #15 (permalink)
Registered User
 
Join Date: Aug 2007
Posts: 15
OS: xp


Re: Unwanted Sys 32 files

Scan Results:
Attached Files
File Type: txt new_log.txt (25.2 KB, 1 views)
Old 12-02-2007, 02:06 PM   #16 (permalink)
Manager, Security Center, TSF Academy; Analyst, Security Team
Join Date: Jan 2005
Location: Transylvania County, North Carolina, USA
Posts: 35,559
OS: 2000 Pro; XP Pro; XP Home


Re: Unwanted Sys 32 files

Thanks. I had this fix posted, and saved....but needed to make sure it was for the right thread before putting it up again.


P2P - I see you have P2P software ( µTorrent, Azureus ) installed on your machine. We are not here to pass judgment on file-sharing as a concept. However, we will warn you that engaging in this activity and having this kind of software installed on your machine will always make you more susceptible to re-infections. It may be contributing to your current situation. This page will give you further information.

Please note: Even if you are using a "safe" P2P program, it is only the program that is safe. You will be sharing files from uncertified sources, and these are often infected. The bad guys use P2P filesharing as a major conduit to spread their wares.

References for the risk of these programs are here,
here and here.

I would strongly recommend that you uninstall them, however that choice is up to you. If you choose to remove these programs, you can do so via Control Panel >> Add or Remove Programs.

---------------------------------------------------------------------------------------------

Delete this folder:

C:\avenger

The other items found by Kaspersky will be addressed by the following steps.

---------------------------------------------------------------------------------------------

Your logs appear clean. You should be good to go. We still have a few items to address.

Go to -> Run -> copy/paste in the following single line command & click OK

combofix /u



This will uninstall ComboFix. It will also implement some cleanup procedures and reset System Restore points.

Now that your system is clean, to help protect your computer in the future I recommend that you follow these steps and use the following free programs:
  • Microsoft Windows Update - http://www.windowsupdate.com
    Visit regularly. This will ensure your computer always has the latest security updates. If there are new updates to install, install them immediately, reboot your computer, and revisit the site until there are no more critical updates.

  • SpywareBlaster to help prevent spyware from installing in the first place.
    • Install & update SpywareBlaster with the latest definitions.
      After you have updated, click the button - enable protection for all unprotected items
  • SpywareGuard to catch and block spyware before it can execute.
  • SPYBOT - SEARCH & DESTROY
    Download and install Spybot - Search & Destroy with its TeaTimer option. This will provide realtime spyware & hijacker protection on your computer alongside your virus protection. You should also scan your computer with the program on a regular basis just as you would an antivirus software. A tutorial on installing & using this product can be found here

  • IE-SpyAd - IE/Spyad places more than 4000 dubious websites and domains in the IE Restricted list. This severely impairs attempts to infect your system. It basically prevents any downloads (Cookies etc) from the sites listed, although you will still be able to connect to the sites. An installation tutorial is available here.

  • MVPS HOST FILE
    The MVPS Hosts file replaces your current HOSTS file with one that will restrict known ad sites from serving you unsolicited advertisements. Basically, this prevents your computer from connecting to those sites by redirecting them to 127.0.0.1 which is the IP of your local computer.
    • Download Host.zip to your desktop.
    • From your Desktop right-click (hosts.zip) and select:
      Extract All from the menu.
    • Click Next, click Next, select the option:
      "Show Extracted files", click Finish
    • This will open the newly created hosts folder on your Desktop.
    • Double-click on the included mvps.bat file, this will rename the existing HOSTS file to HOSTS.MVP, then it will copy the included updated HOSTS file to the correct location on your machine.
    • Once updated you should see another prompt that the task was completed.
  • ANTIVIRUS SOFTWARE
    It is very important that you have anti-virus software running on your machine. This alone can save you a lot of trouble with malware in the future. It is imperative that you update your antivirus software at least once a week (even more if you wish). If you do not update your antivirus software then it will not be able to catch new malware that may have come out.

    Do not install more than one AntiVirus program because they will conflict with each other.

  • FIREWALL
    If you do not have a firewall, here are a couple of great free ones available for personal use. Using a third-party firewall will allow you to give/deny access for applications that want to go online. Without a firewall your computer is susceptible to being hacked and taken over. Simply using a Firewall in its default configuration can lower your risk greatly. A tutorial on Firewalls and a listing of some available ones can be found here

    Do not install more than one firewall program because they will conflict with each other.

Scan here http://secunia.com/software_inspector/ for out of date & vulnerable common applications on your computer

Here are some additional utilities that will further enhance your safety.
  • http://www.trillian.cc - Trillian or http://www.miranda-im.com - Miranda-IM - These are Malware free Instant Messenger programs which allow you to connect to multiple IM services in one program! (AOL, Yahoo, ICQ, IRC, MSN)

  • http://www.mozilla.org/products/firefox/ - Firefox - Use this alternate browser. While Internet Explorer is not a bad browser, almost every exploit crafted is targeted to take advantage of an IE weakness.

  • http://java.com/en/index.jsp - Sun's Java - It's much more secure than Microsoft's Java Virtual Machine.

  • http://www.aumha.org/downloads/erunt-setup.exe - ERUNT - A useful freeware utility for users of Windows 2000/XP. It's made up of two parts - ERUNT & NTREGOPT.

    ERUNT will create daily complete backups of your computer's Registry. Whilst System Restore does the same thing, a corrupt registry file may prevent Windows from booting & this effectively disables System Restore. With ERUNT, you're able to restore the damaged Registry.

    NTREGOPT works by recreating each registry hive "from scratch", thus removing any slack space that may be left from previously modified or deleted keys. In other words, it compacts the Registry to a small size which allows Windows to load & perform faster.


In light of your recent troubles, I'm sure you'd like to avoid any future infections. Please take a look at these well-written articles.
If you want to fight back the Malware Writers that have made your life a misery, please take a look here and read what you can do against it.

Please respond to this thread one more time so we can mark this thread as resolved.
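The HOSTS-file blocking mechanism described under MVPS HOST FILE in the post above, written out as an added example (this is not the MVPS file, its mvps.bat, or anything from the thread): it parses an existing HOSTS file, backs it up as HOSTS.MVP, and appends blocklist names mapped to 127.0.0.1 as the post states. The hostnames, file contents and LAN entry below are constructed sample data.

```python
"""Merge a hosts-based blocklist into a HOSTS file (added example, not MVPS code).

Same idea as the mvps.bat step in the post: keep a backup of the current HOSTS
as HOSTS.MVP, then install a file that maps known ad/malware hosts to the
loopback address so the browser never reaches them. Runs offline on
constructed sample data.
"""
from __future__ import annotations

import shutil
from pathlib import Path

BLOCK_TARGET = "127.0.0.1"  # the address the MVPS file used at the time of the post

# Constructed sample input: a typical minimal HOSTS file plus one LAN host.
SAMPLE_HOSTS = """# constructed sample HOSTS file
127.0.0.1 localhost
192.168.1.10 fileserver.lan  # constructed LAN host
"""
# Constructed blocklist: mixed case, a duplicate, and a name the user already maps.
SAMPLE_BLOCKLIST = ["ads.example.invalid", "Tracker.Example.Invalid",
                    "fileserver.lan", "ads.example.invalid"]


def parse_hosts(text: str) -> dict[str, str]:
    """Return {hostname: address} for every active mapping in a HOSTS file.

    Comments (#) and blank lines are skipped; one line may list several names.
    """
    mapping: dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        parts = line.split()
        if len(parts) < 2:
            continue  # blank, comment-only, or an address with no hostname
        addr, names = parts[0], parts[1:]
        for name in names:
            mapping[name.lower()] = addr
    return mapping


def merge_blocklist(hosts_text: str, blocklist: list[str]) -> str:
    """Build new HOSTS content: the user's entries first, then block entries.

    Names the user already maps (localhost, a LAN host) are kept and never
    overridden, so a blocklist cannot silently hijack a legitimate name.
    Duplicates and case differences in the blocklist are collapsed.
    """
    existing = parse_hosts(hosts_text)
    lines = [l for l in hosts_text.splitlines() if l.strip()]
    lines.append("# --- blocklist entries added below ---")
    for host in sorted({h.lower() for h in blocklist}):
        if host not in existing:
            lines.append(f"{BLOCK_TARGET} {host}")
    return "\n".join(lines) + "\n"


def is_blocked(hosts_text: str, hostname: str) -> bool:
    """True if HOSTS sends hostname to the loopback address (localhost excluded)."""
    name = hostname.lower()
    return name != "localhost" and parse_hosts(hosts_text).get(name) == BLOCK_TARGET


def install_hosts(hosts_path: Path, blocklist: list[str]) -> Path:
    """Back up hosts_path to HOSTS.MVP beside it, then write the merged file."""
    backup = hosts_path.with_name("HOSTS.MVP")
    shutil.copy2(hosts_path, backup)  # backup first, as mvps.bat does
    hosts_path.write_text(merge_blocklist(hosts_path.read_text(), blocklist))
    return backup
```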
Old 12-02-2007, 05:12 PM   #17 (permalink)
Registered User
 
Join Date: Aug 2007
Posts: 15
OS: xp


Re: Unwanted Sys 32 files

Thanks for all your help I'll do my best to keep it clean
Copyright 2001 - 2009, Tech Support Forum