Tech Support Forum, Resolved HJT Threads: resolved spyware and popup issues.

01-13-2008, 07:48 PM, #1, Danielle_2008 (Registered User; Join Date: Jan 2008; Posts: 14; OS: Windows XP SP2)

No spyware remover works. Check it out.

I read and performed the operations this forum suggested before posting this thread. I have run Spybot and told it to fix everything it found, but it was not successful in removing everything. I have run Ad-Aware 2007 and deleted everything it found. I have run AVG Anti-Spyware and AVG Anti-Virus, and they supposedly fixed everything they found. All programs have found many infections, but I am still bombarded with pop-up ads. I have tried the Vundo fix and the SmitFraud fix, but no help. I can't even type this message without 5 or 6 pop-ups occurring. Please help me. I have included my HJT log.

Logfile of HijackThis v1.99.1
Scan saved at 9:58 PM, on 1/12/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16574)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\system32\brsvc01a.exe
C:\WINDOWS\system32\brss01a.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\WINDOWS\system32\bgsvcgen.exe
C:\WINDOWS\system32\Brmfrmps.exe
C:\WINDOWS\system32\LxrJD31s.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\Program Files\Pinnacle\MediaServer\Microsoft SQL Server\MSSQL$PINNACLESYS\Binn\sqlservr.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\WINDOWS\system32\UStorSrv.exe
c:\program files\pinnacle\shared files\programs\mediaserver\pmshost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\svchost.exe
C:\Program Files\FinePixViewer\QuickDCF2.exe
C:\Program Files\SanDisk\SanDisk TransferMate\SD Monitor.exe
C:\Program Files\Brother\Brmfcmon\BrMfcWnd.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Outlook Express\msimn.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Documents and Settings\David Porter\Desktop\Yuckware\Hijackthis\Scanner.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
F3 - REG:win.ini: load=C:\WINDOWS\system32\geebc.exe
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {3C7195F6-D788-4D50-BA72-2EE212EDAC78} - (no file)
O2 - BHO: (no name) - {467D7A87-876D-46B3-A008-5FC734531DCE} - C:\WINDOWS\system32\jkhhh.dll (file missing)
O2 - BHO: On The Net Search Helper - {4E8F5D76-EF5B-46C8-B35B-C86F8BD6621A} - C:\WINDOWS\system32\memomfmg.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O2 - BHO: (no name) - {8FB6F088-AACB-466D-ADF9-CA5A3C544FED} - C:\WINDOWS\system32\geebc.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar3.dll
O2 - BHO: Adobe PDF Conversion Toolbar Helper - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll
O2 - BHO: (no name) - {C188FF47-43F8-4806-DE2B-4AE604820EC5} - C:\WINDOWS\system32\qvzeelz.dll (file missing)
O2 - BHO: Ask Toolbar BHO - {F0D4B231-DA4B-4daf-81E4-DFEE4931A4AA} - C:\Program Files\AskSBar\bar\1.bin\ASKSBAR.DLL
O2 - BHO: (no name) - {FC1B64D9-3499-4791-82D5-AABAC3FAEA45} - C:\WINDOWS\system32\iifghfe.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar3.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: Ask Toolbar - {F0D4B239-DA4B-4daf-81E4-DFEE4931A4AA} - C:\Program Files\AskSBar\bar\1.bin\ASKSBAR.DLL
O3 - Toolbar: (no name) - {2C0A5F28-48D8-408B-9172-9C6121025BCE} - (no file)
O4 - HKLM\..\Run: [CTXFIREG] CTxfiReg.exe
O4 - HKLM\..\Run: [SetDefPrt] C:\Program Files\Brother\Brmfl04a\BrStDvPt.exe
O4 - HKLM\..\Run: [ControlCenter2.0] C:\Program Files\Brother\ControlCenter2\brctrcen.exe /autorun
O4 - HKLM\..\Run: [UserFaultCheck] %systemroot%\system32\dumprep 0 -u
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\1.2.908.5008\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [H/PC Connection Agent] "C:\PROGRA~1\MICROS~4\wcescomm.exe"
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - HKCU\..\Run: [WMPNSCFG] C:\Program Files\Windows Media Player\WMPNSCFG.exe
O4 - HKCU\..\Run: [Dot1XCfg] C:\Program Files\Dot1XCfg\Dot1XCfg.exe
O4 - HKCU\..\Run: [Router] C:\Program Files\Router\Router.exe
O4 - HKCU\..\RunServicesOnce: [washindex] C:\Program Files\Washer\washidx.exe
O4 - Global Startup: Exif Launcher 2.lnk = ?
O4 - Global Startup: Monitor.lnk = C:\Program Files\SanDisk\SanDisk TransferMate\SD Monitor.exe
O4 - Global Startup: Status Monitor.lnk = C:\Program Files\Brother\Brmfcmon\BrMfcWnd.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: &Search - ?p=ZSYYYYYYYYUS
O8 - Extra context menu item: Convert link target to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert link target to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert selected links to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
O8 - Extra context menu item: Convert selected links to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
O8 - Extra context menu item: Convert selection to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert selection to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: ATI TV - {44226DFF-747E-4edc-B30C-78752E50CD0C} - C:\Program Files\ATI Multimedia\dtv\EXPLBAR.DLL
O9 - Extra button: Active Whois - {BAB9A4F4-C201-4fcf-A5D3-BA77BC9FBEB2} - C:\Program Files\Active Whois\ieshow.exe
O9 - Extra 'Tools' menuitem: Active Whois - {BAB9A4F4-C201-4fcf-A5D3-BA77BC9FBEB2} - C:\Program Files\Active Whois\ieshow.exe
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra button: (no name) - SolidConverterPDF - (no file) (HKCU)
O11 - Options group: [INTERNATIONAL] International*
O16 - DPF: {0A5FD7C5-A45C-49FC-ADB5-9952547D5715} (Creative Software AutoUpdate) - http://www.creative.com/su/ocx/15015/CTSUEng.cab
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/english...an_unicode.cab
O16 - DPF: {1239CC52-59EF-4DFA-8C61-90FFA846DF7E} (Musicnotes Viewer) - http://www.musicnotes.com/download/mnviewer.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {1B4F9DD7-2D7C-44B5-9126-73206DA0AE75} (CNavigationManager Object) - http://www3.authentium.com/cssrelease/bin/wizard.exe
O16 - DPF: {2AF5BD25-90C5-4EEC-88C5-B44DC2905D8B} (DownloadManager Control) - http://dlm.tools.akamai.com/dlmanage...ex-2.2.0.5.cab
O16 - DPF: {4C39376E-FA9D-4349-BACC-D305C1750EF3} (EPUImageControl Class) - http://tools.ebayimg.com/eps/wl/acti..._v1-0-3-36.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsof...?1145321512640
O16 - DPF: {917623D1-D8E5-11D2-BE8B-00104B06BDE3} (CamImage Class) - http://24.249.81.101/AxisCamControl.ocx
O16 - DPF: {F6ACF75C-C32C-447B-9BEF-46B766368D29} (Creative Software AutoUpdate Support Package) - http://www.creative.com/su/ocx/15023/CTPID.cab
O18 - Protocol: ms-help - {314111C7-A502-11D2-BBCA-00C04F8EC294} - C:\Program Files\Common Files\Microsoft Shared\Help\hxds.dll
O20 - AppInit_DLLs: sfklg.dll
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O20 - Winlogon Notify: iifghfe - C:\WINDOWS\SYSTEM32\iifghfe.dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Ares Chatroom server (AresChatServer) - Ares Development Group - C:\Program Files\Ares\chatServer.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: B's Recorder GOLD Library General Service (bgsvcgen) - B.H.A Corporation - C:\WINDOWS\system32\bgsvcgen.exe
O23 - Service: Brother Popup Suspend service for Resource manager (brmfrmps) - Unknown owner - C:\WINDOWS\system32\Brmfrmps.exe" -service (file missing)
O23 - Service: BrSplService (Brother XP spl Service) - brother Industries Ltd - C:\WINDOWS\system32\brsvc01a.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: Security Service (HBJK) - Unknown owner - C:\WINDOWS\system32\svcd\svchost.exe (file missing)
O23 - Service: Lexar JD31 (LxrJD31s) - Unknown owner - C:\WINDOWS\SYSTEM32\LxrJD31s.exe
O23 - Service: Lexar SG20 (LxrSG20s) - Unknown owner - C:\WINDOWS\SYSTEM32\LxrSG20s.exe
O23 - Service: MSSQL$PINNACLESYS - Unknown owner - C:\Program Files\Pinnacle\MediaServer\Microsoft SQL Server\MSSQL$PINNACLESYS\Binn\sqlservr.exe" -sPINNACLESYS (file missing)
O23 - Service: SQL Server (SQLEXPRESS) (MSSQL$SQLEXPRESS) - Unknown owner - C:\Program Files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe" -sSQLEXPRESS (file missing)
O23 - Service: PACSPTISVR - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\PACSPTISVR.exe
O23 - Service: Pinnacle Systems Media Service (PinnacleSys.MediaServer) - Pinnacle Systems - c:\program files\pinnacle\shared files\programs\mediaserver\pmshost.exe
O23 - Service: service - Unknown owner - C:\WINDOWS\SERVICE.EXE (file missing)
O23 - Service: Sony SPTI Service (SPTISRV) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\SPTISRV.exe
O23 - Service: SQLAgent$PINNACLESYS - Unknown owner - C:\Program Files\Pinnacle\MediaServer\Microsoft SQL Server\MSSQL$PINNACLESYS\Binn\sqlagent.EXE" -i PINNACLESYS (file missing)
O23 - Service: Symantec Core LC - Unknown owner - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: UStorage Server Service - OTi - C:\WINDOWS\system32\UStorSrv.exe
O23 - Service: X10 Device Network Service (x10nets) - Unknown owner - C:\PROGRA~1\ATIMUL~1\RemCtrl\x10nets.exe (file missing)
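Added example, not part of this thread and not HijackThis or DSS code: a small Python triage script that reads lines in the HJT format shown in the log above and flags the entries an analyst checks first (orphaned "file missing" references, a win.ini load= autostart, a populated AppInit_DLLs value, Winlogon Notify DLLs outside a short allow list, nameless BHOs and toolbars, and an svchost.exe running from a System32 subfolder). The sample lines are copied from the first log in this thread; the allow list and the rules themselves are my assumptions for illustration, not HijackThis logic.

```python
import re
from dataclasses import dataclass, field

# Added example: rule-based triage of HijackThis log lines. The rules and the
# allow list below are assumptions for illustration, not HijackThis logic.

# Winlogon Notify DLLs accepted without comment (assumption: the vendor DLLs
# seen in this thread). Anything else in that section gets flagged.
WINLOGON_NOTIFY_ALLOW = {"wgalogon.dll", "saswinlo.dll"}

# "O20 - Winlogon Notify: ..." -> section "O20", body "Winlogon Notify: ..."
ENTRY_RE = re.compile(r"^(?P<section>[RFO]\d+) - (?P<body>.*)$")

# Sample input, copied from the first HijackThis log in this thread.
SAMPLE_LOG = r"""
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
F3 - REG:win.ini: load=C:\WINDOWS\system32\geebc.exe
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {8FB6F088-AACB-466D-ADF9-CA5A3C544FED} - C:\WINDOWS\system32\geebc.dll
O2 - BHO: (no name) - {C188FF47-43F8-4806-DE2B-4AE604820EC5} - C:\WINDOWS\system32\qvzeelz.dll (file missing)
O20 - AppInit_DLLs: sfklg.dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O20 - Winlogon Notify: iifghfe - C:\WINDOWS\SYSTEM32\iifghfe.dll
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: Security Service (HBJK) - Unknown owner - C:\WINDOWS\system32\svcd\svchost.exe (file missing)
"""


@dataclass
class Finding:
    section: str
    line: str
    reasons: list = field(default_factory=list)


def check_entry(line):
    """Return a Finding for one HJT line, or None when nothing stands out."""
    m = ENTRY_RE.match(line.strip())
    if not m:
        return None
    section, body = m.group("section"), m.group("body")
    lower = body.lower()
    reasons = []

    # Orphaned entry: the registry still points at a file that no longer
    # exists, typically left behind by an incomplete clean-up.
    if "(file missing)" in lower or "(no file)" in lower:
        reasons.append("referenced file is missing (orphaned entry)")

    # win.ini load= is a legacy autostart that current software rarely uses.
    if section == "F3" and "load=" in lower:
        reasons.append("win.ini load= autostart")

    # AppInit_DLLs are mapped into every process that loads user32.dll.
    if section == "O20" and lower.startswith("appinit_dlls:"):
        if lower.split(":", 1)[1].strip():
            reasons.append("AppInit_DLLs loads into every GUI process")

    # Winlogon Notify DLLs run inside winlogon.exe at each logon.
    if section == "O20" and lower.startswith("winlogon notify:"):
        dll = lower.rsplit("\\", 1)[-1].strip()
        if dll not in WINLOGON_NOTIFY_ALLOW:
            reasons.append("Winlogon Notify DLL not on allow list: " + dll)

    # Browser helper objects and toolbars that register no display name.
    if section in ("O2", "O3") and "(no name)" in lower:
        reasons.append("browser extension registered with no name")

    # A service binary named svchost.exe in a subfolder of System32 rather
    # than System32 itself is name mimicry of the real service host.
    if section == "O23" and re.search(r"system32\\[^\\]+\\svchost\.exe", lower):
        reasons.append("svchost.exe outside System32 (name mimicry)")

    return Finding(section, line.strip(), reasons) if reasons else None


def triage_log(text):
    """Run check_entry over every line and keep only the flagged ones."""
    findings = []
    for line in text.splitlines():
        f = check_entry(line)
        if f:
            findings.append(f)
    return findings


if __name__ == "__main__":
    for f in triage_log(SAMPLE_LOG):
        print(f.section, "|", f.line)
        for r in f.reasons:
            print("    ->", r)
```

Run against the ten sample lines, the script flags six: the F3 load= entry, the two nameless BHOs (one of them also orphaned), the AppInit_DLLs value, the iifghfe Winlogon Notify DLL, and the HBJK service. The Adobe BHO, the WgaLogon DLL, the Ad-Aware service and the ProxyOverride line pass untouched, which is the point of the allow list: the analyst's attention goes to the handful of entries that matter rather than the whole log.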
01-13-2008, 09:13 PM, #2, Ried (Assistant Manager, TSF Academy; Moderator/Analyst Security Team; Join Date: Jan 2005; Location: Ohio; Posts: 24,048; OS: WinXP and Vista)

Re: No spyware remover works. Check it out.

Hello Danielle_2008,

While I appreciate what you have done in regard to our instructions, you needed to continue all the way through to Step 5.

We prefer a more comprehensive set of logs to assist in detecting any malware that may be present. As noted in the final step (Step 5) of our sticky topic (Updated!) IMPORTANT - Read This Before Posting A Log, download Deckard's System Scanner (DSS) to your Desktop.

What DSS will do:
  • create a new System Restore point in Windows XP and Vista.
  • clean your Temporary Files, Downloaded Program Files, and Internet Cache Files, and also empty the Recycle Bin on all drives.
  • check some important areas of your system and produce a report for your analyst to review.
  • DSS automatically runs HijackThis for you, but it will also install and place a shortcut to HijackThis on your desktop if you do not already have HijackThis installed.


Note: You must be logged onto an account with administrator privileges.
  1. Close all applications and windows.
  2. Double-click on dss.exe to run it, and follow the prompts.
  3. When the scan is complete, two text files will open: main.txt (this one will be maximized) and extra.txt (this one will be minimized).
  4. Copy (Ctrl+A then Ctrl+C) and paste (Ctrl+V) the contents of main.txt in your next reply.
  5. Please attach extra.txt to your post.
To attach a file to a new post, simply
  1. Click the [Manage Attachments] button under Additional Options > Attach Files on the post composition page, and
  2. copy and paste the following into the "Upload File from your Computer" box:
    C:\Deckard\System Scanner\extra.txt
  3. Click Upload.

Please include the following in your next reply:

main.txt
an attached extra.txt
__________________

Member of ASAP since 2005
Member of UNITE since 2006

"It is one life whether we spend it laughing or weeping." "Take the time to laugh--it is the music of the soul."

Last edited by Ried; 01-13-2008 at 09:14 PM.
01-14-2008, 05:24 PM, #3, Danielle_2008 (Registered User; Join Date: Jan 2008; Posts: 14; OS: Windows XP SP2)

Re: No spyware remover works. Check it out.

Thanks Ried

I will do that tonight and re-post.

Danielle
01-14-2008, 07:17 PM, #4, Danielle_2008 (Registered User; Join Date: Jan 2008; Posts: 14; OS: Windows XP SP2)

Re: No spyware remover works. Check it out.

Here are the results of DSS.


Deckard's System Scanner v20071014.68
Run by David Porter on 2008-01-14 20:59:08
Computer is in Normal Mode.
--------------------------------------------------------------------------------

-- System Restore --------------------------------------------------------------

Successfully created a Deckard's System Scanner Restore Point.


-- Last 5 Restore Point(s) --
47: 2008-01-15 02:59:19 UTC - RP47 - Deckard's System Scanner Restore Point
46: 2008-01-14 02:46:24 UTC - RP46 - System Checkpoint
45: 2008-01-13 02:00:47 UTC - RP45 - Installed Windows XP KB935448.
44: 2008-01-12 22:58:53 UTC - RP44 - Spybot-S&D Spyware removal
43: 2008-01-12 18:25:12 UTC - RP43 - Installed AVG 7.5


-- First Restore Point --
1: 2008-01-11 04:05:13 UTC - RP1 - System Checkpoint


Backed up registry hives.
Performed disk cleanup.



-- HijackThis (run as David Porter.exe) ----------------------------------------

Logfile of HijackThis v1.99.1
Scan saved at 9:05:29 PM, on 1/14/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16574)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\system32\brsvc01a.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\brss01a.exe
c:\Program Files\Cox\Applications\App\syssvcnt.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\WINDOWS\system32\Brmfrmps.exe
C:\WINDOWS\system32\LxrJD31s.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\Program Files\Pinnacle\MediaServer\Microsoft SQL Server\MSSQL$PINNACLESYS\Binn\sqlservr.exe
C:\WINDOWS\System32\svchost.exe
c:\program files\pinnacle\shared files\programs\mediaserver\pmshost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
C:\Program Files\Cox\Applications\app\Console.exe
C:\Program Files\FinePixViewer\QuickDCF2.exe
C:\Program Files\SanDisk\SanDisk TransferMate\SD Monitor.exe
C:\Program Files\Brother\Brmfcmon\BrMfcWnd.exe
C:\Documents and Settings\David Porter\Desktop\dss.exe
C:\WINDOWS\system32\taskmgr.exe
C:\DOCUME~1\DAVIDP~1\Desktop\Yuckware\HIJACK~1\David Porter.exe
C:\WINDOWS\system32\NOTEPAD.EXE

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: AuthPopupBHO01.cBHO - {3C7195F6-D788-4D50-BA72-2EE212EDAC78} - c:\Program Files\Cox\Applications\App\popupbho01.dll
O2 - BHO: (no name) - {467D7A87-876D-46B3-A008-5FC734531DCE} - C:\WINDOWS\system32\jkhhh.dll (file missing)
O2 - BHO: On The Net Search Helper - {4E8F5D76-EF5B-46C8-B35B-C86F8BD6621A} - C:\WINDOWS\system32\memomfmg.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O2 - BHO: (no name) - {8FB6F088-AACB-466D-ADF9-CA5A3C544FED} - C:\WINDOWS\system32\geebc.dll (file missing)
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar3.dll
O2 - BHO: Adobe PDF Conversion Toolbar Helper - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll
O2 - BHO: (no name) - {C188FF47-43F8-4806-DE2B-4AE604820EC5} - C:\WINDOWS\system32\qvzeelz.dll (file missing)
O2 - BHO: Ask Toolbar BHO - {F0D4B231-DA4B-4daf-81E4-DFEE4931A4AA} - C:\Program Files\AskSBar\bar\1.bin\ASKSBAR.DLL
O2 - BHO: (no name) - {FC1B64D9-3499-4791-82D5-AABAC3FAEA45} - C:\WINDOWS\system32\iifghfe.dll (file missing)
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar3.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: Ask Toolbar - {F0D4B239-DA4B-4daf-81E4-DFEE4931A4AA} - C:\Program Files\AskSBar\bar\1.bin\ASKSBAR.DLL
O3 - Toolbar: Cox Popup Blocker - {2C0A5F28-48D8-408B-9172-9C6121025BCE} - c:\Program Files\Cox\Applications\App\popupbho01.dll
O4 - HKLM\..\Run: [CTXFIREG] CTxfiReg.exe
O4 - HKLM\..\Run: [SetDefPrt] C:\Program Files\Brother\Brmfl04a\BrStDvPt.exe
O4 - HKLM\..\Run: [ControlCenter2.0] C:\Program Files\Brother\ControlCenter2\brctrcen.exe /autorun
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKLM\..\Run: [ESP] c:\Program Files\Cox\Applications\app\start.exe
O4 - HKLM\..\Run: [MSConfig] C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto
O4 - HKCU\..\Run: [H/PC Connection Agent] "C:\PROGRA~1\MICROS~4\wcescomm.exe"
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - HKCU\..\Run: [WMPNSCFG] C:\Program Files\Windows Media Player\WMPNSCFG.exe
O4 - HKCU\..\Run: [Dot1XCfg] C:\Program Files\Dot1XCfg\Dot1XCfg.exe
O4 - HKCU\..\RunServicesOnce: [washindex] C:\Program Files\Washer\washidx.exe
O4 - Global Startup: Exif Launcher 2.lnk = ?
O4 - Global Startup: Monitor.lnk = C:\Program Files\SanDisk\SanDisk TransferMate\SD Monitor.exe
O4 - Global Startup: Status Monitor.lnk = C:\Program Files\Brother\Brmfcmon\BrMfcWnd.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: &Search - ?p=ZSYYYYYYYYUS
O8 - Extra context menu item: Convert link target to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert link target to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert selected links to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
O8 - Extra context menu item: Convert selected links to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
O8 - Extra context menu item: Convert selection to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert selection to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: ATI TV - {44226DFF-747E-4edc-B30C-78752E50CD0C} - C:\Program Files\ATI Multimedia\dtv\EXPLBAR.DLL
O9 - Extra button: Active Whois - {BAB9A4F4-C201-4fcf-A5D3-BA77BC9FBEB2} - C:\Program Files\Active Whois\ieshow.exe
O9 - Extra 'Tools' menuitem: Active Whois - {BAB9A4F4-C201-4fcf-A5D3-BA77BC9FBEB2} - C:\Program Files\Active Whois\ieshow.exe
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra button: (no name) - SolidConverterPDF - (no file) (HKCU)
O11 - Options group: [INTERNATIONAL] International*
O16 - DPF: {0A5FD7C5-A45C-49FC-ADB5-9952547D5715} (Creative Software AutoUpdate) - http://www.creative.com/su/ocx/15015/CTSUEng.cab
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/english...an_unicode.cab
O16 - DPF: {1239CC52-59EF-4DFA-8C61-90FFA846DF7E} (Musicnotes Viewer) - http://www.musicnotes.com/download/mnviewer.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {1B4F9DD7-2D7C-44B5-9126-73206DA0AE75} (CNavigationManager Object) - http://www3.authentium.com/cssrelease/bin/wizard.exe
O16 - DPF: {2AF5BD25-90C5-4EEC-88C5-B44DC2905D8B} (DownloadManager Control) - http://dlm.tools.akamai.com/dlmanage...ex-2.2.0.5.cab
O16 - DPF: {4C39376E-FA9D-4349-BACC-D305C1750EF3} (EPUImageControl Class) - http://tools.ebayimg.com/eps/wl/acti..._v1-0-3-36.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsof...?1145321512640
O16 - DPF: {6F750202-1362-4815-A476-88533DE61D0C} (Kodak Gallery Easy Upload Manager Class) - http://www.kodakgallery.com/download...2/axofupld.cab
O16 - DPF: {917623D1-D8E5-11D2-BE8B-00104B06BDE3} (CamImage Class) - http://24.249.81.101/AxisCamControl.ocx
O16 - DPF: {F6ACF75C-C32C-447B-9BEF-46B766368D29} (Creative Software AutoUpdate Support Package) - http://www.creative.com/su/ocx/15023/CTPID.cab
O18 - Protocol: ms-help - {314111C7-A502-11D2-BBCA-00C04F8EC294} - C:\Program Files\Common Files\Microsoft Shared\Help\hxds.dll
O20 - AppInit_DLLs: sfklg.dll
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: Cox High Speed Internet Security Suite System Service (AuthSysSvc) - Authentium, Inc. - c:\Program Files\Cox\Applications\App\syssvcnt.exe
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: Brother Popup Suspend service for Resource manager (brmfrmps) - Unknown owner - C:\WINDOWS\system32\Brmfrmps.exe" -service (file missing)
O23 - Service: BrSplService (Brother XP spl Service) - brother Industries Ltd - C:\WINDOWS\system32\brsvc01a.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: Security Service (HBJK) - Unknown owner - C:\WINDOWS\system32\svcd\svchost.exe (file missing)
O23 - Service: Lexar JD31 (LxrJD31s) - Unknown owner - C:\WINDOWS\SYSTEM32\LxrJD31s.exe
O23 - Service: Lexar SG20 (LxrSG20s) - Unknown owner - C:\WINDOWS\SYSTEM32\LxrSG20s.exe
O23 - Service: MSSQL$PINNACLESYS - Unknown owner - C:\Program Files\Pinnacle\MediaServer\Microsoft SQL Server\MSSQL$PINNACLESYS\Binn\sqlservr.exe" -sPINNACLESYS (file missing)
O23 - Service: SQL Server (SQLEXPRESS) (MSSQL$SQLEXPRESS) - Unknown owner - C:\Program Files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe" -sSQLEXPRESS (file missing)
O23 - Service: PACSPTISVR - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\PACSPTISVR.exe
O23 - Service: Pinnacle Systems Media Service (PinnacleSys.MediaServer) - Pinnacle Systems - c:\program files\pinnacle\shared files\programs\mediaserver\pmshost.exe
O23 - Service: Sony SPTI Service (SPTISRV) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\SPTISRV.exe
O23 - Service: SQLAgent$PINNACLESYS - Unknown owner - C:\Program Files\Pinnacle\MediaServer\Microsoft SQL Server\MSSQL$PINNACLESYS\Binn\sqlagent.EXE" -i PINNACLESYS (file missing)
O23 - Service: X10 Device Network Service (x10nets) - Unknown owner - C:\PROGRA~1\ATIMUL~1\RemCtrl\x10nets.exe (file missing)


-- HijackThis Fixed Entries (C:\DOCUME~1\DAVIDP~1\Desktop\Yuckware\HIJACK~1\backups\) --------------------------------------------------------------------------------

backup-20050106-211742-267 R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
backup-20050106-211742-442 O16 - DPF: {1D4DB7D2-6EC9-47A3-BD87-1E41684E07BB} - http://ak.imgfarm.com/images/nocache...p1.0.0.8-2.cab
backup-20050106-211742-819 R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
backup-20050208-190934-851 O4 - HKLM\..\Run: [WebRebates0] "C:\Program Files\Web_Rebates\WebRebates0.exe"
backup-20050210-225841-224 O4 - HKLM\..\Run: [AutoLoaderAproposClient] "C:\temp\CXTPLS~1.EXE" /PC=CP.CDT3 /ShowLegalNote=nonbranded /ForSupportedBrowsers
backup-20050210-225841-313 O16 - DPF: {15AD4789-CDB4-47E1-A9DA-992EE8E6BAD6} - http://static.windupdates.com/cab/Do.../bridge-c2.cab
backup-20050210-225841-483 O4 - HKLM\..\Run: [Windows AdStatus] C:\Program Files\Windows AdStatus\WinStat.exe
backup-20050210-225841-703 R3 - URLSearchHook: (no name) - _{CFBFAE00-17A6-11D0-99CB-00C04FD64497} - (no file)
backup-20050210-225841-786 R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://channels.aimtoday.com/search/aimtoolbar.jsp
backup-20050210-225842-459 O18 - Protocol: ms-help - {314111C7-A502-11D2-BBCA-00C04F8EC294} - C:\Program Files\Common Files\Microsoft Shared\Help\hxds.dll
backup-20050210-225852-563 O4 - HKLM\..\Run: [Windows AdStatus] C:\Program Files\Windows AdStatus\WinStat.exe
backup-20050721-200453-198 O9 - Extra button: WeatherBug - {AF6CABAB-61F9-4f12-A198-B7D41EF1CB52} - C:\Program Files\AWS\WeatherBug\Weather.exe (file missing) (HKCU)
backup-20050721-200453-419 O3 - Toolbar: Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\ycomp5_5_7_0.dll
backup-20050721-200453-501 R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://channels.aimtoday.com/search/aimtoolbar.jsp
backup-20060408-174934-972 O4 - HKLM\..\Run: [salm] c:\temp\salm.exe
backup-20071221-190230-663 O2 - BHO: Dcads Search Assistant - {1648E328-3E5A-4EA5-A9C6-E5F09EE272DA} - C:\WINDOWS\system32\dcads_sidebar.dll
backup-20080112-105457-305 O16 - DPF: {1F2F4C9E-6F09-47BC-970D-3C54734667FE} - http://www.symantec.com/techsupp/asa/ctrl/LSSupCtl.cab
backup-20080112-105457-463 O4 - HKCU\..\Run: [comup] C:\WINDOWS\system32\mobjchku.exe
backup-20080112-105457-672 O4 - HKCU\..\Run: [Fdxggzxf] "C:\Documents and Settings\David Porter\My Documents\T?sks\??plorer.exe"
backup-20080112-105457-683 O2 - BHO: (no name) - {FB20CD61-C2A8-4B12-8B31-D726D8598524} - C:\WINDOWS\system32\jkhhh.dll
backup-20080112-105457-766 F3 - REG:win.ini: load=C:\WINDOWS\system32\jkhhh.exe
backup-20080112-105457-858 O4 - HKCU\..\Run: [Etss] "C:\PROGRA~1\COMMON~1\SKS~1\dvdplay.exe" -vt yazb
backup-20080112-105458-717 O16 - DPF: {B020B534-4AA2-4B99-BD6D-5F6EE286DF5C} - http://a248.e.akamai.net/f/248/5462/...l/SymDlBrg.cab
backup-20080112-105458-766 O16 - DPF: {DECEAAA2-370A-49BB-9362-68C3A58DDC62} - http://static.zangocash.com/cab/Zang...43751c242b8487
backup-20080112-105459-777 O16 - DPF: {E7D2588A-7FB5-47DC-8830-832605661009} (Live Collaboration) - http://liveca04.rightnowtech.com/702.../java/RntX.cab
backup-20080112-105635-969 O2 - BHO: (no name) - {FB20CD61-C2A8-4B12-8B31-D726D8598524} - C:\WINDOWS\system32\jkhhh.dll

-- File Associations -----------------------------------------------------------

All associations okay.


-- Drivers: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled ---------------------

R0 GRFILTER (Authentium NDIS Driver) - c:\windows\system32\drivers\grfilter.sys <Not Verified; Global RISC; NSX>
R1 Cdr4_2K - c:\windows\system32\drivers\cdr4_2k.sys <Not Verified; Roxio; Roxio's CD-R Helper Drivers>
R1 SASDIFSV - c:\program files\superantispyware\sasdifsv.sys
R1 SASKUTIL - c:\program files\superantispyware\saskutil.sys
R1 usbintell - c:\windows\system32\drivers\usbintell.sys
R1 VIAPFD - c:\windows\system32\drivers\viapfd.sys <Not Verified; VIA Technologies. Inc.; VIA PFD driver>
R2 aslm75 - c:\windows\system32\drivers\aslm75.sys
R2 CINEMSUP (Software Cinemaster NT4.0 Driver) - c:\windows\system32\drivers\cinemsup.sys <Not Verified; Ravisent Technologies, Inc.; Software CineMaster NT 4/Win2K>
R2 GRTdiMon (Authentium TDI Mon) - c:\windows\system32\drivers\grtdimon.sys <Not Verified; Authentium Inc; NSX>
R2 LxrJD31d - c:\windows\system32\drivers\lxrjd31d.sys
R2 MASPINT - c:\windows\system32\drivers\maspint.sys <Not Verified; MicroStaff Co.,Ltd.; Aspi32 Driver for WinNT>
R2 MCSTRM - c:\windows\system32\drivers\mcstrm.sys <Not Verified; RealNetworks, Inc.; RealNetworks Virtual Path Manager® (32-bit)>
R2 ousbehci (%OWC_USBEHCD.DeviceDesc%) - c:\windows\system32\drivers\ousbehci.sys <Not Verified; OrangeWare Corporation; USB 2.0 Enhanced Host Controller Driver>
R2 WBHWDOCT - c:\windows\system32\drivers\wbhwdoct.sys <Not Verified; Winbond Electronics Corp.; Winbond Hardware Doctor>
R3 ASAPIW2k - c:\windows\system32\drivers\asapiw2k.sys <Not Verified; Pinnacle Systems GmbH; asapi>
R3 cmpci (Turtle Beach Riviera) - c:\windows\system32\drivers\cmaudio.sys <Not Verified; C-Media Inc; C-Media Audio Driver (WDM)>
R3 MarvinBus (Pinnacle Marvin Bus) - c:\windows\system32\drivers\marvinbus.sys <Not Verified; Pinnacle Systems GmbH; Pinnacle Marvin Discrete>
R3 ousb2hub (OrangeWare USB 2.0 Root Hub Support) - c:\windows\system32\drivers\ousb2hub.sys <Not Verified; OrangeWare Corporation; USB 2.0 Hub Driver>
R3 pfc (Padus ASPI Shell) - c:\windows\system32\drivers\pfc.sys <Not Verified; Padus, Inc.; Padus(R) ASPI Shell>
R3 st3bus28 - c:\windows\system32\drivers\st3bus28.sys <Not Verified; Generic; >
R3 st3mp28 - c:\windows\system32\drivers\st3mp28.sys <Not Verified; Generic; >

S0 c2scsi - c:\windows\system32\drivers\c2scsi.sys (file missing)
S0 ElbyVCD - c:\windows\system32\drivers\elbyvcd.sys (file missing)
S0 IFPUSB (iRiver Internet Audio Player IFP-100) - c:\windows\system32\drivers\ifpusb.sys (file missing)
S3 BrPar - c:\windows\system32\drivers\brpar.sys (file missing)
S3 BVRPMPR5 (BVRPMPR5 NDIS Protocol Driver) - d:\instal~e\core\bvrpmpr5.sys (file missing)
S3 catchme - c:\docume~1\davidp~1\locals~1\temp\catchme.sys (file missing)
S3 ctsfm2k (Creative SoundFont Management Device Driver) - c:\windows\system32\drivers\ctsfm2k.sys (file missing)
S3 LxrSG20d - c:\windows\system32\drivers\lxrsg20d.sys
S3 MRENDIS5 (MRENDIS5 NDIS Protocol Driver) - c:\program files\common files\motive\mrendis5.sys <Not Verified; Motive, Inc.; Motive Rawether for Windows>
S3 NTIDrvr (Upper Class Filter Driver) - c:\windows\system32\drivers\ntidrvr.sys <Not Verified; NewTech Infosystems, Inc.; >
S3 ossrv (Creative OS Services Driver) - c:\windows\system32\drivers\ctoss2k.sys (file missing)
S3 P17 (Sound Blaster Audigy) - c:\windows\system32\drivers\p17.sys (file missing)
S3 p17filt - c:\windows\system32\drivers\p17filt.sys (file missing)
S3 Pcouffin (Low level access layer for CD devices) - c:\windows\system32\drivers\pcouffin.sys (file missing)
S3 SASENUM - c:\program files\superantispyware\sasenum.sys <Not Verified; SuperAdBlocker, Inc.; SuperAntiSpyware>
S3 VICHW00 - c:\windows\system32\drivers\vichw00.sys (file missing)
S3 wceusbsh (Windows CE USB Serial Host Driver) - c:\windows\system32\drivers\wceusbsh.sys <Not Verified; Microsoft Corporation; Windows CE USB Serial Host Driver>


-- Services: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled --------------------

R2 LxrJD31s (Lexar JD31) - lxrjd31s.exe
R2 PinnacleSys.MediaServer (Pinnacle Systems Media Service) - c:\program files\pinnacle\shared files\programs\mediaserver\pmshost.exe <Not Verified; Pinnacle Systems; Media Server>

S2 HBJK (Security Service) - c:\windows\system32\svcd\svchost.exe (file missing)
S3 LxrSG20s (Lexar SG20) - lxrsg20s.exe
S3 x10nets (X10 Device Network Service) - c:\progra~1\atimul~1\remctrl\x10nets.exe (file missing)
S4 AresChatServer (Ares Chatroom server) - c:\program files\ares\chatserver.exe <Not Verified; Ares Development Group; Ares Chat Server>
S4 bgsvcgen (B's Recorder GOLD Library General Service) - c:\windows\system32\bgsvcgen.exe <Not Verified; B.H.A Corporation; B's Recorder GOLD8>
S4 service - c:\windows\service.exe (file missing)
S4 UStorage Server Service - c:\windows\system32\ustorsrv.exe /service <Not Verified; OTi; OTi Content Service>


-- Device Manager: Disabled ----------------------------------------------------

Class GUID: {4D36E96C-E325-11CE-BFC1-08002BE10318}
Description: CMI8738/C3DX PCI Audio Device
Device ID: PCI\VEN_13F6&DEV_0111&SUBSYS_80E21043&REV_10\3&61AAA01&0&28
Manufacturer: C-Media
Name: CMI8738/C3DX PCI Audio Device
PNP Device ID: PCI\VEN_13F6&DEV_0111&SUBSYS_80E21043&REV_10\3&61AAA01&0&28
Service: cmpci


-- Files created between 2007-12-14 and 2008-01-14 -----------------------------

2008-01-13 19:40:40 0 d-------- C:\Documents and Settings\Rodney\Application Data\Grisoft
2008-01-13 19:40:00 0 d-------- C:\Documents and Settings\Rodney\Application Data\AVG7
2008-01-13 18:52:04 0 d-------- C:\Program Files\Common Files\RuleSpace
2008-01-13 18:51:58 0 d-------- C:\Program Files\Common Files\Aluria
2008-01-13 11:07:31 2230 --a------ C:\WINDOWS\system32\tmp.reg
2008-01-12 21:46:42 0 d-------- C:\VundoFix Backups
2008-01-12 12:41:55 0 d-------- C:\Documents and Settings\David Porter\Application Data\Grisoft
2008-01-12 12:34:40 0 dr-h----- C:\$VAULT$.AVG
2008-01-12 12:31:04 0 d-------- C:\Documents and Settings\David Porter\Application Data\AVG7
2008-01-12 12:25:41 0 d-------- C:\Documents and Settings\LocalService\Application Data\AVG7
2008-01-12 12:25:23 0 d-------- C:\Documents and Settings\All Users\Application Data\Grisoft
2008-01-12 12:25:23 0 d-------- C:\Documents and Settings\All Users\Application Data\avg7
2008-01-11 22:21:49 0 d--hs---- C:\WINDOWS\RGF2aWQgUG9ydGVy
2008-01-11 22:17:08 0 d-------- C:\Program Files\Outerinfo
2008-01-11 22:16:46 0 d-------- C:\Program Files\Common Files\??sks
2008-01-11 2231 0 d-------- C:\Program Files\Router
2008-01-11 18:47:00 0 d-------- C:\Documents and Settings\All Users\Application Data\Kaspersky Lab
2008-01-11 18:46:56 0 d-------- C:\WINDOWS\system32\Kaspersky Lab
2008-01-11 17:18:25 0 d-------- C:\Documents and Settings\All Users\Application Data\Lavasoft
2008-01-11 17:09:05 91520 --a------ C:\WINDOWS\system32\winsrc.dll
2008-01-11 17:04:04 111 --a------ C:\WINDOWS\system32\url3
2008-01-11 17:04:04 99 --a------ C:\WINDOWS\system32\url2
2008-01-11 17:04:04 102 --a------ C:\WINDOWS\system32\url1
2008-01-11 17:04:04 8 --a------ C:\WINDOWS\system32\CID
2008-01-11 17:04:02 4 --a------ C:\WINDOWS\system32\SvcNm
2008-01-11 17:04:02 0 d-------- C:\WINDOWS\system32\svcd
2008-01-10 22:05:01 12390 --ahs---- C:\WINDOWS\system32\hhhkj.ini2
2008-01-10 22:03:09 0 d-------- C:\Program Files\Temporary
2008-01-10 22:03:09 0 d-------- C:\Program Files\Dot1XCfg
2008-01-10 22:00:36 54033 --a------ C:\WINDOWS\system32\memouint.exe
2008-01-10 22:00:27 151552 --a------ C:\WINDOWS\system32\rushpugr.exe <Not Verified; OnThenet; OnTheNet Aider>
2008-01-10 22:00:27 151552 --a------ C:\WINDOWS\system32\bkmoopob.exe <Not Verified; OnThenet; OnTheNet Aider>
2008-01-10 22:00:17 425984 --a------ C:\WINDOWS\system32\memomfmg.dll <Not Verified; On The Net Consolidated Services, S.A.; On The Net Search Helper>
2008-01-10 22:00:07 86016 --a------ C:\WINDOWS\system32\drivers\usbintell.sys
2008-01-10 22:00:04 0 d-------- C:\WINDOWS\system32\vt8
2008-01-10 22:00:04 0 d-------- C:\WINDOWS\system32\nz0
2008-01-10 22:00:04 0 d-------- C:\WINDOWS\system32\mp2
2008-01-10 22:00:04 0 d-------- C:\WINDOWS\system32\che9
2008-01-10 21:59:49 0 d-------- C:\WINDOWS\system32\edcA18
2008-01-09 22:15:14 147456 --a------ C:\WINDOWS\system32\vbzip10.dll <Not Verified; Info-ZIP; Info-ZIP's WiZ>
2008-01-09 22:10:10 0 d-a------ C:\Documents and Settings\All Users\Application Data\TEMP
2008-01-05 15:01:42 0 d-------- C:\Documents and Settings\All Users\Application Data\Authentium
2008-01-05 15:00:23 0 d-------- C:\Program Files\Cox
2008-01-05 14:40:54 0 d-------- C:\Program Files\Common Files\Authentium Shared
2007-12-29 14:51:25 0 d-------- C:\Documents and Settings\Guest\Application Data\Sun
2007-12-26 1924 0 d-------- C:\Documents and Settings\Guest\Application Data\MySpace
2007-12-26 12:35:20 0 d-------- C:\Documents and Settings\Alex.UF-C96DFVV58QFI\Application Data\Real
2007-12-20 22:33:46 0 d-------- C:\Documents and Settings\All Users\Application Data\SUPERAntiSpyware.com
2007-12-20 22:33:30 0 d-------- C:\Program Files\SUPERAntiSpyware
2007-12-20 22:33:30 0 d-------- C:\Documents and Settings\David Porter\Application Data\SUPERAntiSpyware.com
2007-12-20 22:32:44 0 d-------- C:\Program Files\Common Files\Wise Installation Wizard
2007-12-18 21:51:44 0 d-------- C:\Documents and Settings\David Porter\Application Data\HouseCall 6.6
2007-12-18 21:29:41 0 d-------- C:\Program Files\Trend Micro
2007-12-18 08:54:24 319488 --a------ C:\WINDOWS\system32\dcads_sidebar.dll
2007-12-16 19:58:48 0 d-------- C:\Program Files\Alienrazor Interactive
2007-12-16 19:43:14 77360 --a------ C:\WINDOWS\system32\dcads_sidebar_uninstall.exe


-- Find3M Report ---------------------------------------------------------------

2008-01-13 18:52:04 0 d-------- C:\Program Files\Common Files
2008-01-12 16:39:38 0 d-------- C:\Program Files\Common Files\??sks
2008-01-12 08:39:59 1362920 --a------ C:\WINDOWS\system32\sfklg.dat
2008-01-11 18:28:53 0 d-------- C:\Program Files\Messenger
2008-01-11 18:28:52 0 d-------- C:\Program Files\Windows NT
2008-01-11 17:18:25 0 d-------- C:\Program Files\Lavasoft
2008-01-11 17:04:08 0 d-------- C:\Documents and Settings\David Porter\Application Data\FrostWire
2008-01-11 16:50:53 0 d-------- C:\Program Files\Common Files\Symantec Shared
2008-01-10 22:42:14 0 d-------- C:\Program Files\FrostWire
2008-01-09 13:51:17 0 d-------- C:\Program Files\Incomplete
2008-01-06 07:51:32 0 d-------- C:\Program Files\FinePixViewer
2007-12-21 17:15:25 0 d-------- C:\Program Files\Ares
2007-12-19 18:44:51 469600 --a------ C:\Documents and Settings\David Porter\Application Data\GDIPFONTCACHEV1.DAT
2007-12-18 19:22:39 0 d-------- C:\Program Files\Spytech Software
2007-12-18 19:22:39 0 d-------- C:\Program Files\Motive
2007-12-13 14:07:08 3856 --a------ C:\WINDOWS\crmtemp1.dat
2007-12-02 16:16:45 0 d-------- C:\Program Files\AskSBar
2007-12-01 22:43:35 0 d-------- C:\Documents and Settings\David Porter\Application Data\MP3Rocket
2007-12-01 22:35:50 0 d-------- C:\Program Files\PFConfig
2007-12-01 20:25:16 0 d-------- C:\Program Files\Java
2007-11-28 20:29:41 0 d-------- C:\Program Files\Google
2007-11-27 22:55:05 0 d--h----- C:\Program Files\InstallShield Installation Information
2007-11-27 22:53:47 0 d-------- C:\Program Files\tunebite
2007-11-27 22:53:23 0 d-------- C:\Program Files\Pegasys Inc
2007-11-27 22:44:58 0 d-------- C:\Program Files\Hunting Unlimited
2007-11-27 22:42:29 0 d-------- C:\Program Files\321Studios
2007-11-27 22:40:54 0 d-------- C:\Program Files\AviSynth 2.5
2007-11-27 22:40:16 0 d-------- C:\Program Files\DeductionPro 2006
2007-11-27 22:39:12 0 d-------- C:\Program Files\Zittware
2007-11-27 22:35:47 0 d-------- C:\Program Files\3D Live Pool
2007-11-22 07:31:29 0 d-------- C:\Program Files\Simply Safe Backup 2005
2007-11-22 01:07:39 0 d-------- C:\Program Files\QuickTime
2007-11-18 19:21:41 0 d-------- C:\Documents and Settings\David Porter\Application Data\Adobe
2007-10-17 11:23:24 10752 --a------ C:\WINDOWS\system32\WhoisCL.exe <Not Verified; NirSoft; WhoisCL>


-- Registry Dump ---------------------------------------------------------------

*Note* empty entries & legit default entries are not shown


[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{467D7A87-876D-46B3-A008-5FC734531DCE}]
C:\WINDOWS\system32\jkhhh.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{4E8F5D76-EF5B-46C8-B35B-C86F8BD6621A}]
12/27/2007 08:37 AM 425984 --a------ C:\WINDOWS\system32\memomfmg.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{8FB6F088-AACB-466D-ADF9-CA5A3C544FED}]
C:\WINDOWS\system32\geebc.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{C188FF47-43F8-4806-DE2B-4AE604820EC5}]
C:\WINDOWS\system32\qvzeelz.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{F0D4B231-DA4B-4daf-81E4-DFEE4931A4AA}]
12/02/2007 04:16 PM 267592 --a------ C:\Program Files\AskSBar\bar\1.bin\ASKSBAR.DLL

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{FC1B64D9-3499-4791-82D5-AABAC3FAEA45}]
C:\WINDOWS\system32\iifghfe.dll

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser]
"{F0D4B239-DA4B-4DAF-81E4-DFEE4931A4AA}"= C:\Program Files\AskSBar\bar\1.bin\ASKSBAR.DLL [12/02/2007 04:16 PM 267592]

[-HKEY_CLASSES_ROOT\CLSID\{F0D4B239-DA4B-4DAF-81E4-DFEE4931A4AA}]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"CTXFIREG"="CTxfiReg.exe" []
"SetDefPrt"="C:\Program Files\Brother\Brmfl04a\BrStDvPt.exe" []
"ControlCenter2.0"="C:\Program Files\Brother\ControlCenter2\brctrcen.exe" []
"Auto Run Software for Photo Frame"="" []
"!AVG Anti-Spyware"="C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" [06/11/2007 03:25 AM]
"ESP"="c:\Program Files\Cox\Applications\app\start.exe" [05/09/2007 01:40 PM]
"MSConfig"="C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe" [08/04/2004 01:56 AM]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ATI Launchpad"="" []
"H/PC Connection Agent"="C:\PROGRA~1\MICROS~4\wcescomm.exe" []
"Aim6"="" []
"SUPERAntiSpyware"="C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe" []
"WMPNSCFG"="C:\Program Files\Windows Media Player\WMPNSCFG.exe" []
"Dot1XCfg"="C:\Program Files\Dot1XCfg\Dot1XCfg.exe" []

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\runservicesonce]
"washindex"=C:\Program Files\Washer\washidx.exe

[HKEY_USERS\.default\software\microsoft\windows\currentversion\runonce]
"RunNarrator"=Narrator.exe

[HKEY_USERS\.default\software\microsoft\windows\currentversion\run]
"DWQueuedReporting"="C:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" -t
"MySpaceIM"=C:\Program Files\MySpace\IM\MySpaceIM.exe

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Exif Launcher 2.lnk - C:\Program Files\FinePixViewer\QuickDCF2.exe [12/28/2006 5:19:06 PM]
Microsoft Office.lnk - C:\Program Files\Microsoft Office\Office10\OSA.EXE [2/13/2001 1:01:04 AM]
Monitor.lnk - C:\Program Files\SanDisk\SanDisk TransferMate\SD Monitor.exe [1/17/2007 7:31:46 PM]
Status Monitor.lnk - C:\Program Files\Brother\Brmfcmon\BrMfcWnd.exe [3/4/2007 5:42:12 PM]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]
"DisableRegistryTools"=0 (0x0)
"DisableTaskMgr"=0 (0x0)

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= C:\Program Files\SUPERAntiSpyware\SASSEH.DLL [12/20/2006 01:55 PM 77824]
"{FC1B64D9-3499-4791-82D5-AABAC3FAEA45}"= C:\WINDOWS\system32\iifghfe.dll [ ]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
C:\Program Files\SUPERAntiSpyware\SASWINLO.dll 04/19/2007 01:41 PM 294912 C:\Program Files\SUPERAntiSpyware\SASWINLO.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"appinit_dlls"=sfklg.dll

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
"Authentication Packages"= msv1_0 C:\WINDOWS\system32\geebc
"Notification Packages"= :\WINDOWS\system32\srrstr.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\aawservice]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\vds]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{533C5B84-EC70-11D2-9505-00C04F79DEAF}]
@="Volume shadow copy"


[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Load]
C:\WINDOWS\system32\geebc.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\swg]
C:\Program Files\Google\GoogleToolbarNotifier\1.2.908.5008\GoogleToolbarNotifier.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\UserFaultCheck]
%systemroot%\system32\dumprep 0 -u

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"UStorage Server Service"=2 (0x2)
"Symantec Core LC"=2 (0x2)
"service"=2 (0x2)
"bgsvcgen"=2 (0x2)
"AresChatServer"=3 (0x3)

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run-]
"SpybotSD TeaTimer"=C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe




-- End of Deckard's System Scanner: finished at 2008-01-14 2127 ------------
Attached Files
File Type: txt extra.txt (32.2 KB, 5 views)
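Added example (not part of the thread, and not output or code of HijackThis, Deckard's System Scanner or ComboFix): a small Python triage of a Deckard-style "Registry Dump", run over constructed sample lines that copy the format of the log above. It flags the three load points a responder would check first in this log: a non-empty AppInit_DLLs value (the named DLL is mapped into every process that loads user32.dll), non-default entries in the LSA "Authentication Packages" / "Notification Packages" values (loaded by lsass.exe; the XP defaults msv1_0 and scecli are assumed here), and BHO / ShellExecuteHooks DLLs in system32 that the scanner listed without a date/size stamp (reading a bare line as "file could not be read by the scanner" is an assumption). It also decodes base64-looking directory names: the hidden, system-attributed C:\WINDOWS\RGF2aWQgUG9ydGVy in the file listing decodes to the profile name "David Porter".

```python
import base64
import re

# Constructed sample, modelled on the "Registry Dump" section of the Deckard's
# System Scanner log in the post above (a handful of its lines, not the full
# dump). It is input for the triage below, not output of any tool.
SAMPLE_DUMP = r"""
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{467D7A87-876D-46B3-A008-5FC734531DCE}]
C:\WINDOWS\system32\jkhhh.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{F0D4B231-DA4B-4daf-81E4-DFEE4931A4AA}]
12/02/2007 04:16 PM 267592 --a------ C:\Program Files\AskSBar\bar\1.bin\ASKSBAR.DLL

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= C:\Program Files\SUPERAntiSpyware\SASSEH.DLL [12/20/2006 01:55 PM 77824]
"{FC1B64D9-3499-4791-82D5-AABAC3FAEA45}"= C:\WINDOWS\system32\iifghfe.dll [ ]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"appinit_dlls"=sfklg.dll

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
"Authentication Packages"= msv1_0 C:\WINDOWS\system32\geebc
"""

KEY_RE = re.compile(r"^\[(.+)\]$")
# Drive-letter path, optionally preceded by the scanner's date/size/attribute
# stamp and optionally followed by a "[date size]" or "[ ]" suffix.
PATH_RE = re.compile(r"([A-Za-z]:\\[^\[\]]*?)(?:\s+\[.*\])?\s*$")
STAMP_RE = re.compile(r"\d{2}/\d{2}/\d{4}")

# Stock contents of the two LSA multi-string values on Windows XP (assumed
# defaults). Anything else listed there is a DLL that lsass.exe loads at boot.
LSA_DEFAULTS = {
    "authentication packages": {"msv1_0"},
    "notification packages": {"scecli"},
}


def parse_dump(text):
    """Yield (registry key, value line) pairs from the dump text."""
    key = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = KEY_RE.match(line)
        if m:
            key = m.group(1)
        elif key is not None:
            yield key, line


def triage(text):
    """Return (severity, key, detail) findings for high-value load points."""
    findings = []
    for key, line in parse_dump(text):
        k = key.lower()
        name, _, value = line.partition("=")
        name = name.strip().strip('"').lower()
        value = value.strip()
        if k.endswith("\\windows") and name == "appinit_dlls" and value:
            # AppInit_DLLs is mapped into every process that loads user32.dll,
            # so a non-empty value is a finding on its own.
            findings.append(("high", key, f"AppInit_DLLs={value}"))
        elif k.endswith("\\lsa") and name in LSA_DEFAULTS:
            extra = [t for t in value.split() if t.lower() not in LSA_DEFAULTS[name]]
            if extra:
                findings.append(("high", key, f"{name}: non-default {extra}"))
        elif "browser helper objects" in k or k.endswith("shellexecutehooks"):
            m = PATH_RE.search(line)
            path = m.group(1).strip() if m else line
            # Assumption: a line with no date/size stamp is a file the scanner
            # could not read. An unstamped DLL in system32 under a name nothing
            # on the box accounts for is the pattern to chase.
            if "\\system32\\" in path.lower() and not STAMP_RE.search(line):
                findings.append(("medium", key, f"unstamped system32 DLL {path}"))
    return findings


def decode_if_base64(name):
    """Return the printable ASCII a directory name decodes to, else None."""
    if len(name) < 8 or len(name) % 4 or not re.fullmatch(r"[A-Za-z0-9+/]+=*", name):
        return None
    try:
        text = base64.b64decode(name, validate=True).decode("ascii")
    except (ValueError, UnicodeDecodeError):
        return None
    return text if text.isprintable() else None


if __name__ == "__main__":
    for sev, key, detail in triage(SAMPLE_DUMP):
        print(f"{sev:6} {key}\n       {detail}")
    # The hidden+system directory from the file listing in the post.
    print("RGF2aWQgUG9ydGVy ->", decode_if_base64("RGF2aWQgUG9ydGVy"))
```

Paste the "Registry Dump" section of a real log into `triage()` instead of the sample to get the same leads for that machine. The findings are leads to verify against the file on disk, not verdicts: a legitimate product can register an LSA package or a ShellExecuteHook (SUPERAntiSpyware's SASSEH.DLL in the sample is left alone because it carries a stamp and lives outside system32), which is why the rules score what they cannot account for rather than what looks unusual.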
Old 01-14-2008, 08:31 PM   #5 (permalink)
Assistant Manager, TSF Academy; Moderator/Analyst Security Team
 
 
Join Date: Jan 2005
Location: Ohio
Posts: 24,048
OS: WinXP and Vista


Re: No spyware remover works. Check it out.

Hello Danielle_2008,

This will require more than one round to properly eradicate. Please stay with me until given the 'all clear', even if symptoms seemingly abate.

We'll begin with ComboFix.exe. Please visit this webpage for download links, and instructions for running the tool: http://www.bleepingcomputer.com/comb...o-use-combofix

  • When the tool is finished, it will produce a report for you.
  • Please post the C:\ComboFix.txt along with a new HijackThis log so we may continue cleaning the system.
__________________

Member of ASAP since 2005
Member of UNITE since 2006

"It is one life whether we spend it laughing or weeping." "Take the time to laugh--it is the music of the soul."
Old 01-15-2008, 05:44 PM   #6 (permalink)
Registered User
 
Join Date: Jan 2008
Posts: 14
OS: Windows XP SP2


Re: No spyware remover works. Check it out.

Attached are the logs from ComboFix and the new HJT.

ComboFix 08-01-16.3 - David Porter 2008-01-15 19:20:33.3 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.545 [GMT -6:00]
Running from: C:\Documents and Settings\David Porter\Desktop\ComboFix.exe
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Documents and Settings\David Porter\Desktop\Online Security Center.URL
C:\Documents and Settings\David Porter\My Documents\TSKS~1
C:\Documents and Settings\LocalService\Desktop\Online Security Center.URL
C:\Program Files\Common Files\sks~1
C:\Program Files\Common Files\sks~1\??sks\
C:\Program Files\outerinfo
C:\Program Files\Router
C:\Program Files\Temporary
C:\Program Files\Temporary\kernInst.exe
C:\Temp\1cb
C:\Temp\1cb\syscheck.log
C:\temp\tn3
C:\WINDOWS\system32\hhhkj.ini
C:\WINDOWS\system32\hhhkj.ini2
C:\WINDOWS\system32\mcrh.tmp
C:\WINDOWS\system32\pac.txt
C:\WINDOWS\system32\winsrc.dll
C:\WINDOWS\system32\drivers\core.cache.dsk . . . . failed to delete

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))

.
-------\LEGACY_CMDSERVICE
-------\LEGACY_NETWORK_MONITOR


((((((((((((((((((((((((( Files Created from 2007-12-16 to 2008-01-16 )))))))))))))))))))))))))))))))
.

2008-01-15 19:30 . 2008-01-15 19:30 <DIR> d-------- C:\Temp\tn3
2008-01-15 19:05 . 2004-08-03 23:00 260,272 --a------ C:\cmldr
2008-01-15 19:05 . 2008-01-15 16:02 211 --a------ C:\Boot.bak
2008-01-15 19:02 . 2000-08-31 08:00 51,200 --a------ C:\WINDOWS\NirCmd.exe
2008-01-14 20:58 . 2008-01-14 20:58 <DIR> d-------- C:\Deckard
2008-01-13 19:40 . 2008-01-13 19:40 <DIR> d-------- C:\Documents and Settings\Rodney\Application Data\Grisoft
2008-01-13 19:40 . 2008-01-13 19:40 <DIR> d-------- C:\Documents and Settings\Rodney\Application Data\AVG7
2008-01-13 18:52 . 2008-01-13 18:52 <DIR> d-------- C:\Program Files\Common Files\RuleSpace
2008-01-13 18:51 . 2008-01-13 18:51 <DIR> d-------- C:\Program Files\Common Files\Aluria
2008-01-13 11:07 . 2008-01-13 11:07 2,230 --a------ C:\WINDOWS\system32\tmp.reg
2008-01-12 21:46 . 2008-01-13 13:29 <DIR> d-------- C:\VundoFix Backups
2008-01-12 19:44 . 2007-01-18 06:00 3,968 --a------ C:\WINDOWS\system32\drivers\AvgArCln.sys
2008-01-12 12:41 . 2008-01-12 12:41 <DIR> d-------- C:\Documents and Settings\David Porter\Application Data\Grisoft
2008-01-12 12:41 . 2007-05-30 06:10 10,872 --a------ C:\WINDOWS\system32\drivers\AvgAsCln.sys
2008-01-12 12:31 . 2008-01-12 19:51 <DIR> d-------- C:\Documents and Settings\David Porter\Application Data\AVG7
2008-01-12 12:25 . 2008-01-12 12:25 <DIR> d-------- C:\Documents and Settings\LocalService\Application Data\AVG7
2008-01-12 12:25 . 2008-01-12 12:40 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Grisoft
2008-01-12 12:25 . 2008-01-12 17:00 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\avg7
2008-01-12 11:05 . 2008-01-15 19:29 58,883 --------- C:\WINDOWS\system32\drivers\core.cache.dsk
2008-01-11 22:21 . 2008-01-12 16:39 <DIR> d--hs---- C:\WINDOWS\RGF2aWQgUG9ydGVy
2008-01-11 18:47 . 2008-01-11 18:47 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Kaspersky Lab
2008-01-11 18:46 . 2008-01-11 18:46 <DIR> d-------- C:\WINDOWS\system32\Kaspersky Lab
2008-01-11 17:18 . 2008-01-11 17:18 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Lavasoft
2008-01-11 17:06 . 2008-01-11 17:06 0 --a------ C:\WINDOWS\system32\wscmp.dll.tmp
2008-01-11 17:04 . 2008-01-12 12:43 <DIR> d-------- C:\WINDOWS\system32\svcd
2008-01-11 17:04 . 2008-01-11 17:04 111 --a------ C:\WINDOWS\system32\url3
2008-01-11 17:04 . 2008-01-11 17:04 102 --a------ C:\WINDOWS\system32\url1
2008-01-11 17:04 . 2008-01-11 17:04 99 --a------ C:\WINDOWS\system32\url2
2008-01-11 17:04 . 2008-01-11 17:04 8 --a------ C:\WINDOWS\system32\CID
2008-01-11 17:04 . 2008-01-11 17:04 4 --a------ C:\WINDOWS\system32\SvcNm
2008-01-11 17:03 . 2008-01-11 17:03 54,156 --ah----- C:\WINDOWS\QTFont.qfn
2008-01-11 17:03 . 2008-01-11 17:03 1,409 --a------ C:\WINDOWS\QTFont.for
2008-01-10 22:03 . 2008-01-12 12:43 <DIR> d-------- C:\Program Files\Dot1XCfg
2008-01-10 22:00 . 2008-01-11 18:28 <DIR> d-------- C:\WINDOWS\system32\vt8
2008-01-10 22:00 . 2008-01-10 22:00 <DIR> d-------- C:\WINDOWS\system32\nz0
2008-01-10 22:00 . 2008-01-10 22:00 <DIR> d-------- C:\WINDOWS\system32\mp2
2008-01-10 22:00 . 2008-01-10 22:00 <DIR> d-------- C:\WINDOWS\system32\che9
2008-01-10 22:00 . 2007-12-27 08:37 425,984 --a------ C:\WINDOWS\system32\memomfmg.dll
2008-01-10 22:00 . 2007-12-11 13:14 151,552 --a------ C:\WINDOWS\system32\rushpugr.exe
2008-01-10 22:00 . 2007-12-11 13:14 151,552 --a------ C:\WINDOWS\system32\bkmoopob.exe
2008-01-10 22:00 . 2008-01-10 22:00 86,016 --a------ C:\WINDOWS\system32\drivers\usbintell.sys
2008-01-10 22:00 . 2008-01-10 22:00 54,033 --a------ C:\WINDOWS\system32\memouint.exe
2008-01-10 21:59 . 2008-01-10 21:59 <DIR> d-------- C:\WINDOWS\system32\edcA18
2008-01-10 21:59 . 2008-01-10 22:00 <DIR> d-------- C:\Temp\Ryuan1
2008-01-09 22:15 . 2008-01-09 22:15 147,456 --a------ C:\WINDOWS\system32\vbzip10.dll
2008-01-09 22:10 . 2008-01-11 16:58 <DIR> d-a------ C:\Documents and Settings\All Users\Application Data\TEMP
2008-01-05 15:01 . 2008-01-05 15:35 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Authentium
2008-01-05 15:00 . 2008-01-05 15:00 <DIR> d-------- C:\Program Files\Cox
2008-01-05 14:40 . 2008-01-13 18:50 <DIR> d-------- C:\Program Files\Common Files\Authentium Shared
2007-12-26 19:06 . 2007-12-26 19:06 <DIR> d-------- C:\Documents and Settings\Guest\Application Data\MySpace
2007-12-20 22:33 . 2008-01-12 12:43 <DIR> d-------- C:\Program Files\SUPERAntiSpyware
2007-12-20 22:33 . 2007-12-20 22:33 <DIR> d-------- C:\Documents and Settings\David Porter\Application Data\SUPERAntiSpyware.com
2007-12-20 22:33 . 2007-12-20 22:33 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\SUPERAntiSpyware.com
2007-12-20 22:32 . 2008-01-11 17:17 <DIR> d-------- C:\Program Files\Common Files\Wise Installation Wizard
2007-12-18 21:54 . 2007-08-01 16:47 102,664 --a------ C:\WINDOWS\system32\drivers\tmcomm.sys
2007-12-18 21:51 . 2007-12-18 22:07 <DIR> d-------- C:\Documents and Settings\David Porter\Application Data\HouseCall 6.6
2007-12-18 21:29 . 2007-12-18 21:29 <DIR> d-------- C:\Program Files\Trend Micro
2007-12-18 08:54 . 2007-12-18 08:54 319,488 --a------ C:\WINDOWS\system32\dcads_sidebar.dll
2007-12-16 19:58 . 2007-12-16 19:58 <DIR> d-------- C:\Program Files\Alienrazor Interactive
2007-12-16 19:43 . 2007-12-19 21:09 77,360 --a------ C:\WINDOWS\system32\dcads_sidebar_uninstall.exe

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-01-11 23:18 --------- d-----w C:\Program Files\Lavasoft
2008-01-11 23:04 --------- d-----w C:\Documents and Settings\David Porter\Application Data\FrostWire
2008-01-11 22:50 --------- d-----w C:\Program Files\Common Files\Symantec Shared
2008-01-11 04:42 --------- d-----w C:\Program Files\FrostWire
2008-01-09 19:51 --------- d-----w C:\Program Files\Incomplete
2008-01-06 13:51 --------- d-----w C:\Program Files\FinePixViewer
2007-12-21 23:15 --------- d-----w C:\Program Files\Ares
2007-12-20 00:44 469,600 ----a-w C:\Documents and Settings\David Porter\Application Data\GDIPFONTCACHEV1.DAT
2007-12-19 01:22 --------- d-----w C:\Program Files\Spytech Software
2007-12-19 01:22 --------- d-----w C:\Program Files\Motive
2007-12-19 01:22 --------- d-----w C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2007-12-07 01:16 --------- d-----w C:\Documents and Settings\Rodney Porter\Application Data\MySpace
2007-12-02 22:16 --------- d-----w C:\Program Files\AskSBar
2007-12-02 04:43 --------- d-----w C:\Documents and Settings\David Porter\Application Data\MP3Rocket
2007-12-02 04:35 --------- d-----w C:\Program Files\PFConfig
2007-12-02 02:25 --------- d-----w C:\Program Files\Java
2007-11-29 02:29 --------- d-----w C:\Program Files\Google
2007-11-28 04:55 --------- d--h--w C:\Program Files\InstallShield Installation Information
2007-11-28 04:55 --------- d-----w C:\Documents and Settings\All Users\Application Data\Ulead Systems
2007-11-28 04:53 --------- d-----w C:\Program Files\tunebite
2007-11-28 04:53 --------- d-----w C:\Program Files\Pegasys Inc
2007-11-28 04:44 --------- d-----w C:\Program Files\Hunting Unlimited
2007-11-28 04:42 --------- d-----w C:\Program Files\321Studios
2007-11-28 04:40 --------- d-----w C:\Program Files\DeductionPro 2006
2007-11-28 04:40 --------- d-----w C:\Program Files\AviSynth 2.5
2007-11-28 04:39 --------- d-----w C:\Program Files\Zittware
2007-11-28 04:35 --------- d-----w C:\Program Files\3D Live Pool
2007-11-22 13:31 --------- d-----w C:\Program Files\Simply Safe Backup 2005
2007-11-22 07:07 --------- d-----w C:\Program Files\QuickTime
2007-02-20 02:51 30,615 ----a-w C:\Documents and Settings\David Porter\x.exe
2003-09-17 22:24 560 ------w C:\Program Files\Global.sw
2005-12-19 17:34 56 --sh--r C:\WINDOWS\system32\3676101CED.sys
.
Code:
<pre>
----a-w            49,152 2008-01-12 18:18:30  C:\Program Files\Brother\Brmfl04a\BrStDvPt .exe
----a-w           851,968 2008-01-12 18:18:32  C:\Program Files\Brother\ControlCenter2\brctrcen .exe
----a-w            61,440 2008-01-12 18:18:37  C:\Program Files\Dot1XCfg\Dot1XCfg .exe
----a-w           171,448 2008-01-12 13:09:57  C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier .exe
----a-w           132,496 2008-01-12 18:18:31  C:\Program Files\Java\jre1.6.0_03\bin\jusched .exe
----a-w           445,952 2008-01-12 13:09:26  C:\Program Files\QuickTime\bak\qttask  .exe
----a-w         1,318,912 2008-01-12 18:18:36  C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware .exe
</pre>

((((((((((((((((((((((((((((( snapshot@2007-12-21_18.42.43.46 )))))))))))))))))))))))))))))))))))))))))
.
+ 2007-10-30 16:53:32 360,832 ----a-w C:\WINDOWS\$hf_mig$\KB941644\SP2QFE\tcpip.sys
+ 2007-03-06 01:22:36 14,048 ----a-w C:\WINDOWS\$hf_mig$\KB941644\spmsg.dll
+ 2007-03-06 01:22:41 213,216 ----a-w C:\WINDOWS\$hf_mig$\KB941644\spuninst.exe
+ 2007-03-06 01:22:34 22,752 ----a-w C:\WINDOWS\$hf_mig$\KB941644\update\spcustom.dll
+ 2007-03-06 01:22:59 716,000 ----a-w C:\WINDOWS\$hf_mig$\KB941644\update\update.exe
+ 2007-03-06 01:23:51 371,424 ----a-w C:\WINDOWS\$hf_mig$\KB941644\update\updspapi.dll
+ 2007-11-07 09:50:47 727,040 ----a-w C:\WINDOWS\$hf_mig$\KB943485\SP2QFE\lsasrv.dll
+ 2007-03-06 01:22:36 14,048 ----a-w C:\WINDOWS\$hf_mig$\KB943485\spmsg.dll
+ 2007-03-06 01:22:41 213,216 ----a-w C:\WINDOWS\$hf_mig$\KB943485\spuninst.exe
+ 2007-03-06 01:22:34 22,752 ----a-w C:\WINDOWS\$hf_mig$\KB943485\update\spcustom.dll
+ 2007-03-06 01:22:59 716,000 ----a-w C:\WINDOWS\$hf_mig$\KB943485\update\update.exe
+ 2007-03-06 01:23:51 371,424 ----a-w C:\WINDOWS\$hf_mig$\KB943485\update\updspapi.dll
+ 2007-12-13 20:07:08 3,856 ----a-w C:\WINDOWS\crmtemp1.dat
+ 2000-08-31 14:00:00 163,328 ----a-w C:\WINDOWS\erdnt\Hiv-backup\ERDNT.EXE
+ 2008-01-16 01:04:00 245,760 ----a-w C:\WINDOWS\erdnt\Hiv-backup\Users\00000001\ntuser.dat
+ 2008-01-16 01:04:00 12,288 ----a-w C:\WINDOWS\erdnt\Hiv-backup\Users\00000002\UsrClass.dat
+ 2008-01-16 01:04:01 245,760 ----a-w C:\WINDOWS\erdnt\Hiv-backup\Users\00000003\ntuser.dat
+ 2008-01-16 01:04:01 12,288 ----a-w C:\WINDOWS\erdnt\Hiv-backup\Users\00000004\UsrClass.dat
+ 2008-01-16 01:04:01 10,121,216 ----a-w C:\WINDOWS\erdnt\Hiv-backup\Users\00000005\ntuser.dat
+ 2008-01-16 01:04:01 450,560 ----a-w C:\WINDOWS\erdnt\Hiv-backup\Users\00000006\UsrClass.dat
+ 2000-08-31 14:00:00 163,328 ----a-w C:\WINDOWS\erdnt\subs\ERDNT.EXE
+ 2008-01-11 23:18:39 1,038,336 ----a-r C:\WINDOWS\Installer\{DED53B0B-B67C-4244-AE6A-D6FD3C28D1EF}\Icon0E6AB9FC.exe
+ 2008-01-11 23:18:39 178,688 ----a-r C:\WINDOWS\Installer\{DED53B0B-B67C-4244-AE6A-D6FD3C28D1EF}\Icon0E6AB9FC1.exe
+ 2008-01-11 23:18:39 171,008 ----a-r C:\WINDOWS\Installer\{DED53B0B-B67C-4244-AE6A-D6FD3C28D1EF}\IconDED53B0B.exe
+ 2008-01-11 23:18:39 8,704 ----a-r C:\WINDOWS\Installer\{DED53B0B-B67C-4244-AE6A-D6FD3C28D1EF}\IconDED53B0B1.exe
+ 2007-05-09 19:39:52 103,968 ----a-w C:\WINDOWS\system32\authcrypt.dll
+ 2007-05-09 19:40:10 79,336 ----a-w C:\WINDOWS\system32\AuthWSC.dll
+ 2008-01-05 21:48:12 126,976 ----a-w C:\WINDOWS\system32\che9\farstadcom2.exe
+ 2006-07-30 18:04:40 221,184 ----a-w C:\WINDOWS\system32\DartSock.dll
- 2006-08-17 12:28:27 721,920 -c----w C:\WINDOWS\system32\dllcache\lsasrv.dll
+ 2007-11-07 09:26:56 721,920 -c----w C:\WINDOWS\system32\dllcache\lsasrv.dll
- 2006-04-20 11:51:50 359,808 -c----w C:\WINDOWS\system32\dllcache\tcpip.sys
+ 2007-10-30 17:20:55 360,064 -c----w C:\WINDOWS\system32\dllcache\tcpip.sys
+ 2008-01-12 18:25:31 821,856 ----a-w C:\WINDOWS\system32\drivers\avg7core.sys
+ 2008-01-12 18:25:36 4,224 ----a-w C:\WINDOWS\system32\drivers\avg7rsw.sys
+ 2008-01-12 18:25:36 27,776 ----a-w C:\WINDOWS\system32\drivers\avg7rsxp.sys
+ 2007-01-31 13:33:46 5,632 ----a-w C:\WINDOWS\system32\drivers\avgarkt.sys
+ 2008-01-12 18:25:37 10,760 ----a-w C:\WINDOWS\system32\drivers\avgclean.sys
+ 2008-01-12 18:25:37 26,952 ----a-w C:\WINDOWS\system32\drivers\avgmfx86.sys
+ 2007-07-11 19:37:26 6,272 ----a-w C:\WINDOWS\system32\drivers\AWRTPD.sys
+ 2007-08-07 18:58:08 8,320 ----a-w C:\WINDOWS\system32\drivers\AWRTRD.sys
+ 2007-05-09 19:41:48 16,896 ----a-w C:\WINDOWS\system32\drivers\GRFilter.sys
+ 2007-05-09 19:41:48 36,864 ----a-w C:\WINDOWS\system32\drivers\GRTdiMon.sys
+ 2007-08-07 18:56:58 9,344 ----a-w C:\WINDOWS\system32\drivers\NSDriver.sys
- 2006-04-20 11:51:50 359,808 ------w C:\WINDOWS\system32\drivers\tcpip.sys
+ 2007-10-30 17:20:55 360,064 ------w C:\WINDOWS\system32\drivers\tcpip.sys
+ 2006-07-30 18:04:40 40,960 ----a-w C:\WINDOWS\system32\dwBkThrd.dll
+ 2006-07-30 18:04:40 200,704 ----a-w C:\WINDOWS\system32\dwSock6.dll
+ 2006-07-30 18:04:40 137,216 ----a-w C:\WINDOWS\system32\dwspy32.dll
- 2001-11-19 05:00:12 76,800 ------w C:\WINDOWS\system32\Dwspy36.dll
+ 2006-07-30 18:04:40 77,312 ----a-w C:\WINDOWS\system32\DWSPY36.dll
+ 2006-07-30 18:04:40 122,880 ----a-w C:\WINDOWS\system32\dwspyvb6.dll
+ 2008-01-09 07:35:44 32,768 ----a-w C:\WINDOWS\system32\edcA18\edcA182328.exe
+ 2006-07-30 18:04:40 405,504 ----a-w C:\WINDOWS\system32\ExComboBox.dll
+ 2006-07-30 18:04:40 63,488 ----a-w C:\WINDOWS\system32\FlexBag.dll
+ 2007-05-09 19:51:06 214,504 ----a-w C:\WINDOWS\system32\grfilter.dll
+ 2006-07-30 18:04:40 331,776 ----a-w C:\WINDOWS\system32\IMDBvb.dll
+ 2005-05-24 18:27:16 213,048 ----a-w C:\WINDOWS\system32\Kaspersky Lab\Kaspersky Online Scanner\kavss.dll
+ 2007-08-29 21:47:20 94,208 ----a-w C:\WINDOWS\system32\Kaspersky Lab\Kaspersky Online Scanner\kavuninstall.exe
+ 2007-08-29 21:49:54 950,272 ----a-w C:\WINDOWS\system32\Kaspersky Lab\Kaspersky Online Scanner\kavwebscan.dll
- 2006-08-17 12:28:27 721,920 ------w C:\WINDOWS\system32\lsasrv.dll
+ 2007-11-07 09:26:56 721,920 ------w C:\WINDOWS\system32\lsasrv.dll
+ 2007-04-13 20:19:52 7,680 ----a-w C:\WINDOWS\system32\lsdelete.exe
- 2007-12-02 23:00:05 18,684,536 ----a-w C:\WINDOWS\system32\MRT.exe
+ 2008-01-02 18:21:36 17,642,616 ----a-w C:\WINDOWS\system32\MRT.exe
+ 2008-01-03 19:12:54 157,189 ----a-w C:\WINDOWS\system32\nz0\jetzcomz22.exe
- 2007-12-18 04:46:53 1,311,680 ----a-w C:\WINDOWS\system32\sfklg.dat
+ 2008-01-12 14:39:59 1,362,920 ----a-w C:\WINDOWS\system32\sfklg.dat
+ 2006-07-30 18:04:40 103,424 ----a-w C:\WINDOWS\system32\sgRegExp.dll
+ 2006-07-30 18:04:40 22,528 ----a-w C:\WINDOWS\system32\SockIntf.dll
- 2002-10-06 22:11:48 129,024 ----a-w C:\WINDOWS\system32\spool\drivers\w32x86\3\Ps5ui.dll
+ 2004-08-04 08:56:44 132,608 ----a-w C:\WINDOWS\system32\spool\drivers\w32x86\3\PS5UI.DLL
- 2002-10-06 22:11:48 455,168 ----a-w C:\WINDOWS\system32\spool\drivers\w32x86\3\PSCRIPT5.DLL
+ 2004-08-04 08:56:44 464,384 ----a-w C:\WINDOWS\system32\spool\drivers\w32x86\3\PSCRIPT5.DLL
- 2007-12-14 03:26:50 156,160 ----a-w C:\WINDOWS\system32\swreg.exe
+ 2000-08-31 14:00:00 156,160 ----a-w C:\WINDOWS\system32\swreg.exe
+ 2007-05-09 19:40:10 79,336 ----a-w C:\WINDOWS\system32\wscapi.dll
+ 2006-07-30 18:04:42 456,536 ----a-w C:\WINDOWS\system32\XceedZip.dll
+ 2008-01-16 01:30:00 16,384 ----atw C:\WINDOWS\Temp\Perflib_Perfdata_254.dat
.
-- Snapshot reset to current date --
.
((((((((((((((((((((((((((((((((((((((((((((( AWF ))))))))))))))))))))))))))))))))))))))))))))))))))))))))))
.
----a-w 313,472 2006-03-30 21:45:08 C:\Program Files\Adobe\Acrobat 7.0\Acrobat\bak\AdobeUpdateManager.exe
----a-r 307,200 2005-08-18 19:49:06 C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AdobeUpdateManager.exe

----a-w 483,328 2006-01-13 01:52:32 C:\Program Files\Adobe\Acrobat 7.0\Distillr\bak\Acrotray.exe
----a-w 483,328 2006-01-13 01:52:32 C:\Program Files\Adobe\Acrobat 7.0\Distillr\acrotray.exe

----a-w 57,344 2005-06-07 04:46:24 C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\bak\apdproxy.exe

----a-w 57,344 2006-04-06 02:31:52 C:\Program Files\ATI Multimedia\main\bak\ATIDtct.EXE

----a-w 26,624 2006-04-06 02:33:12 C:\Program Files\ATI Multimedia\main\bak\ATISched.EXE

----a-w 45,056 2006-01-02 22:41:22 C:\Program Files\ATI Technologies\ATI.ACE\bak\cli.exe

----a-w 49,152 2004-05-25 15:16:56 C:\Program Files\Brother\Brmfl04a\bak\BrStDvPt.exe

----a-w 851,968 2004-07-20 15:34:28 C:\Program Files\Brother\ControlCenter2\bak\brctrcen.exe

----a-w 445,952 2008-01-12 13:09:26 C:\Program Files\QuickTime\bak\qttask .exe

-c--a-w 278,528 2004-08-09 20:15:42 C:\Program Files\Western Digital Technologies\Spindown\bak\ExSpinDn.exe

-c--a-w 204,288 2006-10-19 02:05:26 C:\Program Files\Windows Media Player\bak\WMPNSCFG.exe

-c--a-w 1,216,512 2001-12-07 15:24:24 C:\WINDOWS\bak\NewMixer.exe

-c--a-w 15,360 2004-08-04 07:56:48 C:\WINDOWS\system32\bak\ctfmon.exe

-c--a-w 40,960 2002-08-20 16:29:26 C:\WINDOWS\system32\bak\ezSP_Px.exe

-c--a-w 406,016 2003-12-04 17:34:44 C:\WINDOWS\system32\bak\PSDrvCheck.exe

.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{467D7A87-876D-46B3-A008-5FC734531DCE}]
C:\WINDOWS\system32\jkhhh.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{4E8F5D76-EF5B-46C8-B35B-C86F8BD6621A}]
2007-12-27 08:37 425984 --a------ C:\WINDOWS\system32\memomfmg.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{8FB6F088-AACB-466D-ADF9-CA5A3C544FED}]
C:\WINDOWS\system32\geebc.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{C188FF47-43F8-4806-DE2B-4AE604820EC5}]
C:\WINDOWS\system32\qvzeelz.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{F0D4B231-DA4B-4daf-81E4-DFEE4931A4AA}]
2007-12-02 16:16 267592 --a------ C:\Program Files\AskSBar\bar\1.bin\ASKSBAR.DLL

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{FC1B64D9-3499-4791-82D5-AABAC3FAEA45}]
C:\WINDOWS\system32\iifghfe.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
{2318C2B1-4965-11D4-9B18-009027A5CD4F}
{47833539-D0C5-4125-9FA8-0819E2EAAC93}
{F0D4B239-DA4B-4DAF-81E4-DFEE4931A4AA}
{2C0A5F28-48D8-408B-9172-9C6121025BCE}

[HKEY_CLASSES_ROOT\clsid\{f0d4b239-da4b-4daf-81e4-dfee4931a4aa}]

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser]
"{F0D4B239-DA4B-4DAF-81E4-DFEE4931A4AA}"= C:\Program Files\AskSBar\bar\1.bin\ASKSBAR.DLL [2007-12-02 16:16 267592]

[HKEY_CLASSES_ROOT\clsid\{f0d4b239-da4b-4daf-81e4-dfee4931a4aa}]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ATI Launchpad"="" []
"H/PC Connection Agent"="C:\PROGRA~1\MICROS~4\wcescomm.exe" [ ]
"Aim6"="" []
"SUPERAntiSpyware"="C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [ ]
"WMPNSCFG"="C:\Program Files\Windows Media Player\WMPNSCFG.exe" [ ]
"Dot1XCfg"="C:\Program Files\Dot1XCfg\Dot1XCfg.exe" [ ]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServicesOnce]
"washindex"="C:\Program Files\Washer\washidx.exe" [ ]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"CTXFIREG"="CTxfiReg.exe" []
"SetDefPrt"="C:\Program Files\Brother\Brmfl04a\BrStDvPt.exe" [ ]
"ControlCenter2.0"="C:\Program Files\Brother\ControlCenter2\brctrcen.exe" [ ]
"Auto Run Software for Photo Frame"="" []
"!AVG Anti-Spyware"="C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" [2007-06-11 03:25 6731312]
"ESP"="c:\Program Files\Cox\Applications\app\start.exe" [2007-05-09 13:40 62952]
"MSConfig"="C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe" [2004-08-04 01:56 158208]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"DWQueuedReporting"="C:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" [2005-04-25 12:45 36040]
"MySpaceIM"="C:\Program Files\MySpace\IM\MySpaceIM.exe" [2007-08-13 18:04 5562368]
"AVG7_Run"="C:\PROGRA~1\Grisoft\AVG7\avgw.exe" [2008-01-12 12:25 219136]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"RunNarrator"="Narrator.exe" [2006-10-04 02:48 53760 C:\WINDOWS\system32\narrator.exe]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Exif Launcher 2.lnk - C:\Program Files\FinePixViewer\QuickDCF2.exe [2006-12-28 17:19:06]
Microsoft Office.lnk - C:\Program Files\Microsoft Office\Office10\OSA.EXE [2001-02-13 01:01:04]
Monitor.lnk - C:\Program Files\SanDisk\SanDisk TransferMate\SD Monitor.exe [2007-01-17 19:31:46]
Status Monitor.lnk - C:\Program Files\Brother\Brmfcmon\BrMfcWnd.exe [2007-03-04 17:42:12]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]
"DisableRegistryTools"= 0 (0x0)
"DisableTaskMgr"= 0 (0x0)

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= C:\Program Files\SUPERAntiSpyware\SASSEH.DLL [2006-12-20 13:55 77824]
"{FC1B64D9-3499-4791-82D5-AABAC3FAEA45}"= C:\WINDOWS\system32\iifghfe.dll [ ]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
C:\Program Files\SUPERAntiSpyware\SASWINLO.dll 2007-04-19 13:41 294912 C:\Program Files\SUPERAntiSpyware\SASWINLO.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=sfklg.dll

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
Notification Packages REG_MULTI_SZ :\WINDOWS\system32\srrstr.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Load]
C:\WINDOWS\system32\geebc.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\swg]
C:\Program Files\Google\GoogleToolbarNotifier\1.2.908.5008\GoogleToolbarNotifier.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\UserFaultCheck]
C:\WINDOWS\system32\dumprep 0 -u

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"UStorage Server Service"=2 (0x2)
"Symantec Core LC"=2 (0x2)
"service"=2 (0x2)
"bgsvcgen"=2 (0x2)
"AresChatServer"=3 (0x3)

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run-]
"SpybotSD TeaTimer"=C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe

R0 GRFILTER;Authentium NDIS Driver;C:\WINDOWS\system32\drivers\GRFILTER.sys [2007-05-09 13:41]
R1 usbintell;usbintell;C:\WINDOWS\system32\drivers\usbintell.sys [2008-01-10 22:00]
R1 VIAPFD;VIAPFD;C:\WINDOWS\system32\Drivers\VIAPFD.SYS [2001-12-18 08:45]
R2 CINEMSUP;Software Cinemaster NT4.0 Driver;C:\WINDOWS\system32\DRIVERS\CINEMSUP.SYS [2002-01-08 10:16]
R2 GRTdiMon;Authentium TDI Mon;C:\WINDOWS\system32\Drivers\GRTdiMon.sys [2007-05-09 13:41]
R2 ousbehci;%OWC_USBEHCD.DeviceDesc%;C:\WINDOWS\system32\Drivers\ousbehci.sys [2002-01-31 17:39]
R3 DLKRTS;D-Link DFE-538TX 10/100 Adapter;C:\WINDOWS\system32\DRIVERS\DLKRTS.SYS [2002-06-23 22:31]
R3 ousb2hub;OrangeWare USB 2.0 Root Hub Support;C:\WINDOWS\system32\DRIVERS\ousb2hub.sys [2002-01-31 17:39]
R3 st3bus28;st3bus28;C:\WINDOWS\system32\DRIVERS\st3bus28.sys [2002-12-28 11:16]
R3 st3mp28;st3mp28;C:\WINDOWS\system32\DRIVERS\st3mp28.sys [2002-12-28 11:16]
S0 c2scsi;c2scsi;C:\WINDOWS\system32\DRIVERS\c2scsi.sys []
S0 ElbyVCD;ElbyVCD;C:\WINDOWS\system32\DRIVERS\ElbyVCD.sys []
S2 HBJK;Security Service;C:\WINDOWS\system32\svcd\svchost.exe []
S3 BrScnUsb;Brother USB Still Image driver;C:\WINDOWS\system32\Drivers\BrScnUsb.sys [2003-12-19 21:15]
S3 BrSerIf;Brother MFC Serial Port Interface WDM Driver;C:\WINDOWS\system32\Drivers\BrSerIf.sys [2004-06-12 05:27]
S3 BrUsbSer;Brother MFC USB Serial WDM Driver;C:\WINDOWS\system32\Drivers\BrUsbSer.sys [2004-01-10 04:28]
S3 LxrSG20d;LxrSG20d;C:\WINDOWS\system32\Drivers\LxrSG20d.sys [2005-08-29 14:07]
S3 p17filt;p17filt;C:\WINDOWS\system32\drivers\p17filt.sys []
S3 SQLWriter;SQL Server VSS Writer;"C:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe" [2005-10-14 02:53]
S3 VICHW00;VICHW00;C:\WINDOWS\SYSTEM32\DRIVERS\VICHW00.SYS []

.
**************************************************************************

catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-01-15 19:33:10
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

PROCESS: C:\WINDOWS\system32\lsass.exe [5.01.2600.2180]
-> C:\Program Files\Google\Google Desktop Search\GoogleDesktopNetwork1.dll

PROCESS: C:\WINDOWS\Explorer.EXE [6.00.2900.3156]
-> C:\Program Files\Google\Google Desktop Search\GoogleDesktopNetwork1.dll
.
Completion time: 2008-01-15 19:40:01 - machine was rebooted
ComboFix-quarantined-files.txt 2008-01-16 01:39:56
ComboFix2.txt 2007-12-22 00:56:28
ComboFix3.txt 2007-12-22 00:44:20
.
2008-01-10 03:59:57 --- E O F ---


Logfile of HijackThis v1.99.1
Scan saved at 7:11:17 PM, on 1/15/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16574)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\system32\brsvc01a.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\brss01a.exe
c:\Program Files\Cox\Applications\App\syssvcnt.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\WINDOWS\system32\Brmfrmps.exe
C:\WINDOWS\system32\LxrJD31s.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\Program Files\Pinnacle\MediaServer\Microsoft SQL Server\MSSQL$PINNACLESYS\Binn\sqlservr.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\System32\svchost.exe
c:\program files\pinnacle\shared files\programs\mediaserver\pmshost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\wscntfy.exe
C:\Documents and Settings\David Porter\Desktop\Yuckware\Hijackthis\Scanner.exe

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: AuthPopupBHO01.cBHO - {3C7195F6-D788-4D50-BA72-2EE212EDAC78} - c:\Program Files\Cox\Applications\App\popupbho01.dll
O2 - BHO: (no name) - {467D7A87-876D-46B3-A008-5FC734531DCE} - C:\WINDOWS\system32\jkhhh.dll (file missing)
O2 - BHO: On The Net Search Helper - {4E8F5D76-EF5B-46C8-B35B-C86F8BD6621A} - C:\WINDOWS\system32\memomfmg.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O2 - BHO: (no name) - {8FB6F088-AACB-466D-ADF9-CA5A3C544FED} - C:\WINDOWS\system32\geebc.dll (file missing)
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar3.dll
O2 - BHO: Adobe PDF Conversion Toolbar Helper - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll
O2 - BHO: (no name) - {C188FF47-43F8-4806-DE2B-4AE604820EC5} - C:\WINDOWS\system32\qvzeelz.dll (file missing)
O2 - BHO: Ask Toolbar BHO - {F0D4B231-DA4B-4daf-81E4-DFEE4931A4AA} - C:\Program Files\AskSBar\bar\1.bin\ASKSBAR.DLL
O2 - BHO: (no name) - {FC1B64D9-3499-4791-82D5-AABAC3FAEA45} - C:\WINDOWS\system32\iifghfe.dll (file missing)
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar3.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: Ask Toolbar - {F0D4B239-DA4B-4daf-81E4-DFEE4931A4AA} - C:\Program Files\AskSBar\bar\1.bin\ASKSBAR.DLL
O3 - Toolbar: Cox Popup Blocker - {2C0A5F28-48D8-408B-9172-9C6121025BCE} - c:\Program Files\Cox\Applications\App\popupbho01.dll
O4 - HKLM\..\Run: [CTXFIREG] CTxfiReg.exe
O4 - HKLM\..\Run: [SetDefPrt] C:\Program Files\Brother\Brmfl04a\BrStDvPt.exe
O4 - HKLM\..\Run: [ControlCenter2.0] C:\Program Files\Brother\ControlCenter2\brctrcen.exe /autorun
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKLM\..\Run: [ESP] c:\Program Files\Cox\Applications\app\start.exe
O4 - HKLM\..\Run: [MSConfig] C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto
O4 - HKCU\..\Run: [H/PC Connection Agent] "C:\PROGRA~1\MICROS~4\wcescomm.exe"
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - HKCU\..\Run: [WMPNSCFG] C:\Program Files\Windows Media Player\WMPNSCFG.exe
O4 - HKCU\..\Run: [Dot1XCfg] C:\Program Files\Dot1XCfg\Dot1XCfg.exe
O4 - HKCU\..\RunServicesOnce: [washindex] C:\Program Files\Washer\washidx.exe
O4 - Global Startup: Exif Launcher 2.lnk = ?
O4 - Global Startup: Monitor.lnk = C:\Program Files\SanDisk\SanDisk TransferMate\SD Monitor.exe
O4 - Global Startup: Status Monitor.lnk = C:\Program Files\Brother\Brmfcmon\BrMfcWnd.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: &Search - ?p=ZSYYYYYYYYUS
O8 - Extra context menu item: Convert link target to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert link target to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert selected links to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
O8 - Extra context menu item: Convert selected links to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
O8 - Extra context menu item: Convert selection to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert selection to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: ATI TV - {44226DFF-747E-4edc-B30C-78752E50CD0C} - C:\Program Files\ATI Multimedia\dtv\EXPLBAR.DLL
O9 - Extra button: Active Whois - {BAB9A4F4-C201-4fcf-A5D3-BA77BC9FBEB2} - C:\Program Files\Active Whois\ieshow.exe
O9 - Extra 'Tools' menuitem: Active Whois - {BAB9A4F4-C201-4fcf-A5D3-BA77BC9FBEB2} - C:\Program Files\Active Whois\ieshow.exe
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra button: (no name) - SolidConverterPDF - (no file) (HKCU)
O11 - Options group: [INTERNATIONAL] International*
O16 - DPF: {0A5FD7C5-A45C-49FC-ADB5-9952547D5715} (Creative Software AutoUpdate) - http://www.creative.com/su/ocx/15015/CTSUEng.cab
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/english...an_unicode.cab
O16 - DPF: {1239CC52-59EF-4DFA-8C61-90FFA846DF7E} (Musicnotes Viewer) - http://www.musicnotes.com/download/mnviewer.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {1B4F9DD7-2D7C-44B5-9126-73206DA0AE75} (CNavigationManager Object) - http://www3.authentium.com/cssrelease/bin/wizard.exe
O16 - DPF: {2AF5BD25-90C5-4EEC-88C5-B44DC2905D8B} (DownloadManager Control) - http://dlm.tools.akamai.com/dlmanage...ex-2.2.0.5.cab
O16 - DPF: {4C39376E-FA9D-4349-BACC-D305C1750EF3} (EPUImageControl Class) - http://tools.ebayimg.com/eps/wl/acti..._v1-0-3-36.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsof...?1145321512640
O16 - DPF: {6F750202-1362-4815-A476-88533DE61D0C} (Kodak Gallery Easy Upload Manager Class) - http://www.kodakgallery.com/download...2/axofupld.cab
O16 - DPF: {917623D1-D8E5-11D2-BE8B-00104B06BDE3} (CamImage Class) - http://24.249.81.101/AxisCamControl.ocx
O16 - DPF: {F6ACF75C-C32C-447B-9BEF-46B766368D29} (Creative Software AutoUpdate Support Package) - http://www.creative.com/su/ocx/15023/CTPID.cab
O18 - Protocol: ms-help - {314111C7-A502-11D2-BBCA-00C04F8EC294} - C:\Program Files\Common Files\Microsoft Shared\Help\hxds.dll
O20 - AppInit_DLLs: sfklg.dll
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: Cox High Speed Internet Security Suite System Service (AuthSysSvc) - Authentium, Inc. - c:\Program Files\Cox\Applications\App\syssvcnt.exe
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: Brother Popup Suspend service for Resource manager (brmfrmps) - Unknown owner - C:\WINDOWS\system32\Brmfrmps.exe" -service (file missing)
O23 - Service: BrSplService (Brother XP spl Service) - brother Industries Ltd - C:\WINDOWS\system32\brsvc01a.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: Security Service (HBJK) - Unknown owner - C:\WINDOWS\system32\svcd\svchost.exe (file missing)
O23 - Service: Lexar JD31 (LxrJD31s) - Unknown owner - C:\WINDOWS\SYSTEM32\LxrJD31s.exe
O23 - Service: Lexar SG20 (LxrSG20s) - Unknown owner - C:\WINDOWS\SYSTEM32\LxrSG20s.exe
O23 - Service: MSSQL$PINNACLESYS - Unknown owner - C:\Program Files\Pinnacle\MediaServer\Microsoft SQL Server\MSSQL$PINNACLESYS\Binn\sqlservr.exe" -sPINNACLESYS (file missing)
O23 - Service: SQL Server (SQLEXPRESS) (MSSQL$SQLEXPRESS) - Unknown owner - C:\Program Files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe" -sSQLEXPRESS (file missing)
O23 - Service: PACSPTISVR - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\PACSPTISVR.exe
O23 - Service: Pinnacle Systems Media Service (PinnacleSys.MediaServer) - Pinnacle Systems - c:\program files\pinnacle\shared files\programs\mediaserver\pmshost.exe
O23 - Service: Sony SPTI Service (SPTISRV) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\SPTISRV.exe
O23 - Service: SQLAgent$PINNACLESYS - Unknown owner - C:\Program Files\Pinnacle\MediaServer\Microsoft SQL Server\MSSQL$PINNACLESYS\Binn\sqlagent.EXE" -i PINNACLESYS (file missing)
O23 - Service: X10 Device Network Service (x10nets) - Unknown owner - C:\PROGRA~1\ATIMUL~1\RemCtrl\x10nets.exe (file missing)
Attached Files
File Type: txt combofix_log1-15-08.txt (25.9 KB, 2 views)
File Type: txt hijackthislog1_15_08.txt (11.2 KB, 2 views)

Last edited by Ried; 01-15-2008 at 09:16 PM.
Old 01-15-2008, 10:46 PM   #7 (permalink)
Assistant Manager, TSF Academy; Moderator/Analyst Security Team
Join Date: Jan 2005
Location: Ohio
Posts: 24,048
OS: WinXP and Vista


Re: No spyware remover works. Check it out.

Hello Danielle_2008,

This system has been hit hard with quite a few nasties.

*Important*

One or more of the infections onboard is a backdoor trojan.

This type of infection allows hackers to remotely control your computer, steal critical system information and download and execute files without your knowledge.

If you do any banking or other financial transactions on the PC or if it should contain any other sensitive information, please get to a known clean computer and change all passwords to your accounts from that clean machine. It would also be wise to contact those same financial institutions to apprise them of your situation.

Do NOT change passwords or do any transactions from this computer until we've finished cleaning it.

***************************************************

Downloads:

SDFix and save it to your Desktop. Double click SDFix.exe and it will extract the files to %systemdrive% -(Drive that contains the Windows Directory, typically C:\SDFix). Do not run it yet.

-------------------

Download: ResetProtocolDefaults.reg **Note: If you are using FireFox, right click the link and select 'Save Link As'

-------------------

Right click on this link http://www.mvps.org/winhelp2002/DelDomains.inf and choose Save As. Save it to your desktop.
  • Right click on that file and choose Install. It will run immediately (you won't be able to see anything happen). You may delete it afterwards. NOTE: This script will delete any sites you may have added to the Trusted Sites. So if you want them back, you have to add them back to the Trusted Sites again.

---------------------------------------------------------------------

1) Restart your computer
2) After hearing your computer beep once during startup, but before the Windows icon appears, press F8.
3) Instead of Windows loading as normal, a menu should appear
4) Use the up arrow key to highlight Safe Mode and press Enter.
5) Login with your usual account.

--------------------------------------------------------------------

Open the extracted SDFix folder and double click RunThis.bat to start the script.
  • Type Y to begin the cleanup process.
  • It will remove any Trojan Services and Registry Entries that it finds then prompt you to press any key to Reboot.
  • Press any Key and it will restart the PC.
  • When the PC restarts the Fixtool will run again and complete the removal process then display Finished, press any key to end the script and load your desktop icons.
  • Once the desktop icons load the SDFix report will open on screen and also save into the SDFix folder as Report.txt. I'll need that in your next reply.
--------------------------------------------------------------------

From Normal Mode....

Close/disable all anti virus and anti malware programs so they do not interfere with the fixes below.

--------------------------------------------------------------------

Locate "ResetProtocolDefaults.reg"
Right-click and select: Merge (Ok the prompt)

--------------------------------------------------------------------

Open notepad and copy/paste the text in the code box below into it:

Code:
http://www.techsupportforum.com/security-center/hijackthis-log-help/211550-no-spyware-remover-works-check-out-post1268675.html#post1268675

Collect::
C:\WINDOWS\system32\memomfmg.dll
C:\WINDOWS\system32\rushpugr.exe
C:\WINDOWS\system32\bkmoopob.exe
C:\WINDOWS\system32\memouint.exe

File::
c:\windows\system32\drivers\usbintell.sys
C:\WINDOWS\system32\drivers\core.cache.dsk
C:\WINDOWS\system32\wscmp.dll.tmp

RenV::
----a-w            49,152 2008-01-12 18:18:30  C:\Program Files\Brother\Brmfl04a\BrStDvPt .exe
----a-w           851,968 2008-01-12 18:18:32  C:\Program Files\Brother\ControlCenter2\brctrcen .exe
----a-w            61,440 2008-01-12 18:18:37  C:\Program Files\Dot1XCfg\Dot1XCfg .exe
----a-w           171,448 2008-01-12 13:09:57  C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier .exe
----a-w           132,496 2008-01-12 18:18:31  C:\Program Files\Java\jre1.6.0_03\bin\jusched .exe
----a-w           445,952 2008-01-12 13:09:26  C:\Program Files\QuickTime\bak\qttask  .exe
----a-w         1,318,912 2008-01-12 18:18:36  C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware .exe

Folder::
C:\Temp
C:\VundoFix Backups
C:\WINDOWS\RGF2aWQgUG9ydGVy
C:\WINDOWS\system32\SvcNm
C:\WINDOWS\system32\vt8
C:\WINDOWS\system32\nz0
C:\WINDOWS\system32\mp2
C:\WINDOWS\system32\che9
C:\WINDOWS\system32\edcA18
C:\Program Files\Adobe\Acrobat 7.0\Acrobat\bak
C:\Program Files\Adobe\Acrobat 7.0\Distillr\bak
C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\bak
C:\Program Files\ATI Multimedia\main\bak
C:\Program Files\Brother\Brmfl04a\bak
C:\Program Files\Brother\ControlCenter2\bak
C:\Program Files\QuickTime\bak
C:\Program Files\Windows Media Player\bak
C:\WINDOWS\bak
C:\WINDOWS\system32\bak

Driver::
HBJK

Registry::
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{467D7A87-876D-46B3-A008-5FC734531DCE}]
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{4E8F5D76-EF5B-46C8-B35B-C86F8BD6621A}]
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{8FB6F088-AACB-466D-ADF9-CA5A3C544FED}]
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{C188FF47-43F8-4806-DE2B-4AE604820EC5}]
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{FC1B64D9-3499-4791-82D5-AABAC3FAEA45}]
C:\WINDOWS\system32\iifghfe.dll
[hkey_local_machine\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{FC1B64D9-3499-4791-82D5-AABAC3FAEA45}"= -
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
"Notification Packages"=hex(7):73,63,65,63,6c,69,00,00
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Load]
Save this as CFScript.txt




Referring to the picture above, drag CFScript.txt into ComboFix.exe

When finished, it shall produce a log for you. Post that log in your next reply.

Note:
Do not mouseclick combofix's window whilst it's running. That may cause it to stall.


**When CF finishes running, the ComboFix log will open along with a message box--do not be alarmed. With the above script, ComboFix will capture files to submit for analysis.
  • Ensure you are connected to the internet and click OK on the message box.
  • A browser will open.
  • Simply follow the instructions to copy/paste/send the requested file.
---------------------------------------------------------------------

Please include the following in your next reply:

C:\ComboFix.txt
C:\SDFix\Report.txt
__________________

Member of ASAP since 2005
Member of UNITE since 2006

"It is one life whether we spend it laughing or weeping." "Take the time to laugh--it is the music of the soul."

Last edited by Ried; 01-15-2008 at 11:00 PM.
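The HijackThis log earlier in the thread and the Registry:: block of the CFScript above both hinge on a few recurring signals: components registered with a file that no longer exists, BHOs with no name or dropped straight into system32, a populated AppInit_DLLs value, a "svchost.exe" service outside System32, and a REGEDIT4 hex(7) value that resets Notification Packages. The Python below is an added example, not code from the forum, HijackThis or ComboFix: it parses HJT-style lines with the editor's own triage heuristics (the sample lines are constructed copies of entries from this thread) and decodes/encodes the hex(7) REG_MULTI_SZ form so you can confirm what such a fix writes before merging it.

```python
"""Triage of HijackThis-style log lines and of REGEDIT4 hex(7) values.
Added example for this thread; not the forum's, HijackThis's or ComboFix's
code.  The flagging rules are the editor's own first-pass heuristics."""
import ntpath
import re

# Constructed sample: entries copied in form from the HJT log posted above.
SAMPLE_LOG = r"""
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {467D7A87-876D-46B3-A008-5FC734531DCE} - C:\WINDOWS\system32\jkhhh.dll (file missing)
O2 - BHO: On The Net Search Helper - {4E8F5D76-EF5B-46C8-B35B-C86F8BD6621A} - C:\WINDOWS\system32\memomfmg.dll
O4 - HKLM\..\Run: [MSConfig] C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto
O20 - AppInit_DLLs: sfklg.dll
O23 - Service: Security Service (HBJK) - Unknown owner - C:\WINDOWS\system32\svcd\svchost.exe (file missing)
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
"""

SYSTEM32 = r"c:\windows\system32"          # compared case-insensitively
HJT_LINE = re.compile(r"^(?P<code>[A-Z]\d+) - (?P<body>.+)$")


def _last_path(body):
    """The path is the final ' - ' separated field; HJT appends
    '(file missing)' when the registered file is absent.  A path that
    itself contains ' - ' (e.g. 'Spybot - Search & Destroy') would need a
    smarter split; the sample above has none."""
    return body.rsplit(" - ", 1)[-1].replace("(file missing)", "").strip()


def triage(line):
    """Return the reasons an HJT entry deserves a second look ([] = none)."""
    m = HJT_LINE.match(line.strip())
    if not m:
        return []
    code, body = m.group("code"), m.group("body")
    reasons = []
    if "(file missing)" in body:
        reasons.append("registered component whose file is gone (orphaned or self-deleting)")
    if code == "O2":                        # Browser Helper Objects
        if "(no name)" in body:
            reasons.append("BHO registered without a name")
        if ntpath.dirname(_last_path(body)).lower() == SYSTEM32:
            reasons.append("BHO DLL dropped directly into system32 rather than under Program Files")
    if code == "O20" and body.startswith("AppInit_DLLs:"):
        value = body.partition(":")[2].strip()
        if value:                           # empty on a clean XP box
            reasons.append(f"AppInit_DLLs injects {value} into every process that loads user32.dll")
    if code == "O23":                       # services
        path = _last_path(body)
        if "Unknown owner" in body:
            reasons.append("service has no publisher information (weak signal on its own)")
        if ntpath.basename(path).lower() == "svchost.exe" and ntpath.dirname(path).lower() != SYSTEM32:
            reasons.append("svchost.exe running from outside System32")
    return reasons


def triage_log(text):
    """Map each flagged line to its reasons; unflagged lines are omitted."""
    findings = {}
    for line in text.splitlines():
        reasons = triage(line)
        if reasons:
            findings[line.strip()] = reasons
    return findings


def decode_reg_multi_sz(value):
    """Decode a REGEDIT4 'hex(7):' value (REG_MULTI_SZ, 8-bit ANSI strings)
    into the list of strings it represents."""
    if not value.startswith("hex(7):"):
        raise ValueError("not a hex(7) REG_MULTI_SZ value")
    # .reg files wrap long values with a trailing backslash and newline.
    hex_bytes = value[len("hex(7):"):].replace("\\\n", "").split(",")
    raw = bytes(int(b, 16) for b in hex_bytes if b.strip())
    # Each string is NUL-terminated and the whole list ends with an extra NUL.
    return [s.decode("latin-1") for s in raw.split(b"\x00") if s]


def encode_reg_multi_sz(strings):
    """Inverse of decode_reg_multi_sz, for writing a REGEDIT4 fix line."""
    raw = b"".join(s.encode("latin-1") + b"\x00" for s in strings) + b"\x00"
    return "hex(7):" + ",".join(f"{b:02x}" for b in raw)


if __name__ == "__main__":
    for entry, why in triage_log(SAMPLE_LOG).items():
        print(entry)
        for r in why:
            print("   ->", r)
    # The CFScript value above restores the stock LSA notification package.
    print(decode_reg_multi_sz("hex(7):73,63,65,63,6c,69,00,00"))
```

Run against a full HJT log the flagged entries are a reading list for the analyst, not a verdict: the named BHO memomfmg.dll is caught here only by its location, and "Unknown owner" also matches harmless vendor services.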
Old 01-16-2008, 07:47 PM   #8 (permalink)
Registered User
 
Join Date: Jan 2008
Posts: 14
OS: Windows XP SP2


Re: No spyware remover works. Check it out.

Ried

First of all, thank you for trying to help me with this. I have used my "clean" laptop to change my banking passwords. The SDFix ran, but with some error windows. These may show up in the log file, but if not, it was as follows:

C:\PROGRA~1\Symantec\S32EVNT1.DLL. An installable Virtual Device Driver failed DLL initialization. Choose "Close" to terminate the application.

I had to select "Close" multiple times and even "Ignore" twice. It finally completed. Please see the attached files as requested. I also included the zip file from the last ComboFix run with the CFScript text file, because the automated submittal function uploaded the file to bleepingcomputer.com for analysis and I was not sure you would receive it.

As an additional note, I have noticed since running this last operation that my keyboard is not functioning properly. It seems sluggish and occasionally misses keystrokes.

SDFix: Version 1.127

Run by David Porter on Wed 01/16/2008 at 08:06 PM

Microsoft Windows XP [Version 5.1.2600]

Running From: C:\SDFix

Safe Mode:
Checking Services:

Name:
Service

Path:
C:\WINDOWS\SERVICE.EXE

Service - Deleted



Restoring Windows Registry Values
Restoring Windows Default Hosts File

Rebooting...


Normal Mode:
Checking Files:

Trojan Files Found:

C:\PROGRA~1\WINDOW~1\PROGYB~1.HTM - Deleted
C:\PROGRA~1\WINDOW~1\LAWUME~1 - Deleted
C:\WINDOWS\system32\CID - Deleted
C:\WINDOWS\system32\drivers\etc\hosts.bho - Deleted
C:\WINDOWS\system32\SvcNm - Deleted
C:\WINDOWS\system32\upds.log - Deleted
C:\WINDOWS\system32\url1 - Deleted
C:\WINDOWS\system32\url2 - Deleted
C:\WINDOWS\system32\url3 - Deleted
C:\WINDOWS\system32\wscmp.dll.tmp - Deleted


Could Not Remove C:\WINDOWS\system32\drivers\core.cache.dsk

Folder C:\Temp\tn3 - Removed
Folder C:\WINDOWS\system32\svcd - Removed

Removing Temp Files...

ADS Check:

C:\WINDOWS
No streams found.

C:\WINDOWS\system32
No streams found.

C:\WINDOWS\system32\svchost.exe
No streams found.

C:\WINDOWS\system32\ntoskrnl.exe
No streams found.



Final Check:

catchme 0.3.1344.2 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-01-16 20:29:45
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden services & system hive ...

scanning hidden registry entries ...

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Reinstall\\xe6H\xf5w\17\xe6\1]
"DisplayName"="\t"
"DeviceDesc"="\t"
"ProviderName"=""
"MFG"="\xe5c"
"ReinstallString"="2002, 6.13.10.6094"
"DeviceInstanceIds"=str(7):""
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{5A258FBD-3BF0-D182-E84D-9632ED1508AF}]
"abcdndobacdkjheeihghiopanifgcaikai"=hex:61,61,00,00
"bbcdndobacdkjheeihdhbmggbcljkmjbgmno"=hex:61,61,00,00

scanning hidden files ...

C:\WINDOWS\Temp\JET93AF.tmp
C:\WINDOWS\Temp\JET99CB.tmp

scan completed successfully
hidden processes: 0
hidden services: 0
hidden files: 2


Remaining Services:
------------------



Authorized Application Key Export:

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list]
"C:\\Program Files\\Grisoft\\AVG7\\avginet.exe"="C:\\Program Files\\Grisoft\\AVG7\\avginet.exe:*:Enabled:avginet.exe"
"C:\\Program Files\\Grisoft\\AVG7\\avgamsvr.exe"="C:\\Program Files\\Grisoft\\AVG7\\avgamsvr.exe:*:Enabled:avgamsvr.exe"
"C:\\Program Files\\Grisoft\\AVG7\\avgcc.exe"="C:\\Program Files\\Grisoft\\AVG7\\avgcc.exe:*:Enabled:avgcc.exe"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\domainprofile\authorizedapplications\list]

Remaining Files:
---------------
C:\WINDOWS\system32\drivers\core.cache.dsk Found

File Backups: - C:\SDFix\backups\backups.zip

Files with Hidden Attributes:


Finished!


ComboFix 08-01-16.3 - David Porter 2008-01-16 20:58:14.4 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.556 [GMT -6:00]
Running from: C:\Documents and Settings\David Porter\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\David Porter\Desktop\CFScript.txt
* Created a new restore point

FILE
C:\WINDOWS\system32\drivers\core.cache.dsk
c:\windows\system32\drivers\usbintell.sys
C:\WINDOWS\system32\wscmp.dll.tmp
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Program Files\Adobe\Acrobat 7.0\Acrobat\bak
C:\Program Files\Adobe\Acrobat 7.0\Acrobat\bak\AdobeUpdateManager.exe
C:\Program Files\Adobe\Acrobat 7.0\Distillr\bak
C:\Program Files\Adobe\Acrobat 7.0\Distillr\bak\Acrotray.exe
C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\bak
C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\bak\apdproxy.exe
C:\Program Files\ATI Multimedia\main\bak
C:\Program Files\ATI Multimedia\main\bak\ATIDtct.EXE
C:\Program Files\ATI Multimedia\main\bak\ATISched.EXE
C:\Program Files\Brother\Brmfl04a\bak
C:\Program Files\Brother\Brmfl04a\bak\BrStDvPt.exe
C:\Program Files\Brother\ControlCenter2\bak
C:\Program Files\Brother\ControlCenter2\bak\brctrcen.exe
C:\Program Files\QuickTime\bak
C:\Program Files\QuickTime\bak\qttask .exe
C:\Program Files\Windows Media Player\bak
C:\Program Files\Windows Media Player\bak\WMPNSCFG.exe
C:\Temp
C:\Temp\Ryuan1\tepU.log
C:\Temp\Thumbs.db
C:\temp\tn3
C:\Temp\WMALog.txt
C:\VundoFix Backups
C:\VundoFix Backups\cbeeg.ini.bad
C:\VundoFix Backups\cbeeg.ini2.bad
C:\VundoFix Backups\geebc.dll.bad
C:\VundoFix Backups\iifghfe.dll.bad
C:\VundoFix Backups\vtussqq.dll.bad
C:\WINDOWS\bak
C:\WINDOWS\bak\NewMixer.exe
C:\WINDOWS\RGF2aWQgUG9ydGVy
C:\WINDOWS\system32\bak
C:\WINDOWS\system32\bak\ctfmon.exe
C:\WINDOWS\system32\bak\ezSP_Px.exe
C:\WINDOWS\system32\bak\PSDrvCheck.exe
C:\WINDOWS\system32\bkmoopob.exe
C:\WINDOWS\system32\che9
C:\WINDOWS\system32\che9\farstadcom2.exe
C:\WINDOWS\system32\drivers\core.cache.dsk
c:\windows\system32\drivers\usbintell.sys
C:\WINDOWS\system32\edcA18
C:\WINDOWS\system32\edcA18\edcA182328.exe
C:\WINDOWS\system32\memomfmg.dll
C:\WINDOWS\system32\memouint.exe
C:\WINDOWS\system32\mp2
C:\WINDOWS\system32\nz0
C:\WINDOWS\system32\nz0\jetzcomz22.exe
C:\WINDOWS\system32\rushpugr.exe
C:\WINDOWS\system32\vt8

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))

.
-------\LEGACY_HBJK
-------\HBJK


((((((((((((((((((((((((( Files Created from 2007-12-17 to 2008-01-17 )))))))))))))))))))))))))))))))
.

2008-01-16 19:12 . 2008-01-16 19:13 <DIR> d-------- C:\WINDOWS\ERUNT
2008-01-16 14:47 . 2008-01-16 14:48 <DIR> d-------- C:\Documents and Settings\Rodney\Application Data\AVG7
2008-01-15 20:11 . 2008-01-15 20:11 <DIR> d-------- C:\Documents and Settings\LocalService\Application Data\AVG7
2008-01-15 20:11 . 2008-01-16 18:31 <DIR> d-------- C:\Documents and Settings\David Porter\Application Data\AVG7
2008-01-15 19:52 . 2008-01-16 18:32 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Avg7
2008-01-15 19:05 . 2004-08-03 23:00 260,272 --a------ C:\cmldr
2008-01-15 19:05 . 2008-01-15 16:02 211 --a------ C:\Boot.bak
2008-01-15 19:02 . 2000-08-31 08:00 51,200 --a------ C:\WINDOWS\NirCmd.exe
2008-01-14 20:58 . 2008-01-14 20:58 <DIR> d-------- C:\Deckard
2008-01-13 19:40 . 2008-01-13 19:40 <DIR> d-------- C:\Documents and Settings\Rodney\Application Data\Grisoft
2008-01-13 18:52 . 2008-01-13 18:52 <DIR> d-------- C:\Program Files\Common Files\RuleSpace
2008-01-13 18:51 . 2008-01-13 18:51 <DIR> d-------- C:\Program Files\Common Files\Aluria
2008-01-13 11:07 . 2008-01-13 11:07 2,230 --a------ C:\WINDOWS\system32\tmp.reg
2008-01-12 19:44 . 2007-01-18 06:00 3,968 --a------ C:\WINDOWS\system32\drivers\AvgArCln.sys
2008-01-12 12:41 . 2008-01-12 12:41 <DIR> d-------- C:\Documents and Settings\David Porter\Application Data\Grisoft
2008-01-12 12:41 . 2007-05-30 06:10 10,872 --a------ C:\WINDOWS\system32\drivers\AvgAsCln.sys
2008-01-12 12:25 . 2008-01-15 20:10 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Grisoft
2008-01-11 18:47 . 2008-01-11 18:47 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Kaspersky Lab
2008-01-11 18:46 . 2008-01-11 18:46 <DIR> d-------- C:\WINDOWS\system32\Kaspersky Lab
2008-01-11 17:18 . 2008-01-11 17:18 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Lavasoft
2008-01-11 17:03 . 2008-01-11 17:03 54,156 --ah----- C:\WINDOWS\QTFont.qfn
2008-01-11 17:03 . 2008-01-11 17:03 1,409 --a------ C:\WINDOWS\QTFont.for
2008-01-10 22:03 . 2008-01-16 20:58 <DIR> d-------- C:\Program Files\Dot1XCfg
2008-01-09 22:15 . 2008-01-09 22:15 147,456 --a------ C:\WINDOWS\system32\vbzip10.dll
2008-01-09 22:10 . 2008-01-11 16:58 <DIR> d-a------ C:\Documents and Settings\All Users\Application Data\TEMP
2008-01-05 15:01 . 2008-01-05 15:35 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Authentium
2008-01-05 15:00 . 2008-01-05 15:00 <DIR> d-------- C:\Program Files\Cox
2008-01-05 14:40 . 2008-01-13 18:50 <DIR> d-------- C:\Program Files\Common Files\Authentium Shared
2007-12-26 19:06 . 2007-12-26 19:06 <DIR> d-------- C:\Documents and Settings\Guest\Application Data\MySpace
2007-12-20 22:33 . 2008-01-16 20:58 <DIR> d-------- C:\Program Files\SUPERAntiSpyware
2007-12-20 22:33 . 2007-12-20 22:33 <DIR> d-------- C:\Documents and Settings\David Porter\Application Data\SUPERAntiSpyware.com
2007-12-20 22:33 . 2007-12-20 22:33 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\SUPERAntiSpyware.com
2007-12-20 22:32 . 2008-01-11 17:17 <DIR> d-------- C:\Program Files\Common Files\Wise Installation Wizard
2007-12-18 21:54 . 2007-08-01 16:47 102,664 --a------ C:\WINDOWS\system32\drivers\tmcomm.sys
2007-12-18 21:51 . 2007-12-18 22:07 <DIR> d-------- C:\Documents and Settings\David Porter\Application Data\HouseCall 6.6
2007-12-18 21:29 . 2007-12-18 21:29 <DIR> d-------- C:\Program Files\Trend Micro
2007-12-18 08:54 . 2007-12-18 08:54 319,488 --a------ C:\WINDOWS\system32\dcads_sidebar.dll

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-01-17 03:01 --------- d-----w C:\Program Files\QuickTime
2008-01-11 23:18 --------- d-----w C:\Program Files\Lavasoft
2008-01-11 23:04 --------- d-----w C:\Documents and Settings\David Porter\Application Data\FrostWire
2008-01-11 22:50 --------- d-----w C:\Program Files\Common Files\Symantec Shared
2008-01-11 04:42 --------- d-----w C:\Program Files\FrostWire
2008-01-09 19:51 --------- d-----w C:\Program Files\Incomplete
2008-01-06 13:51 --------- d-----w C:\Program Files\FinePixViewer
2007-12-21 23:15 --------- d-----w C:\Program Files\Ares
2007-12-20 00:44 469,600 ----a-w C:\Documents and Settings\David Porter\Application Data\GDIPFONTCACHEV1.DAT
2007-12-19 01:22 --------- d-----w C:\Program Files\Spytech Software
2007-12-19 01:22 --------- d-----w C:\Program Files\Motive
2007-12-19 01:22 --------- d-----w C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2007-12-17 01:58 --------- d-----w C:\Program Files\Alienrazor Interactive
2007-12-07 01:16 --------- d-----w C:\Documents and Settings\Rodney Porter\Application Data\MySpace
2007-12-02 22:16 --------- d-----w C:\Program Files\AskSBar
2007-12-02 04:43 --------- d-----w C:\Documents and Settings\David Porter\Application Data\MP3Rocket
2007-12-02 04:35 --------- d-----w C:\Program Files\PFConfig
2007-12-02 02:25 --------- d-----w C:\Program Files\Java
2007-11-29 02:29 --------- d-----w C:\Program Files\Google
2007-11-28 04:55 --------- d--h--w C:\Program Files\InstallShield Installation Information
2007-11-28 04:55 --------- d-----w C:\Documents and Settings\All Users\Application Data\Ulead Systems
2007-11-28 04:53 --------- d-----w C:\Program Files\tunebite
2007-11-28 04:53 --------- d-----w C:\Program Files\Pegasys Inc
2007-11-28 04:44 --------- d-----w C:\Program Files\Hunting Unlimited
2007-11-28 04:42 --------- d-----w C:\Program Files\321Studios
2007-11-28 04:40 --------- d-----w C:\Program Files\DeductionPro 2006
2007-11-28 04:40 --------- d-----w C:\Program Files\AviSynth 2.5
2007-11-28 04:39 --------- d-----w C:\Program Files\Zittware
2007-11-28 04:35 --------- d-----w C:\Program Files\3D Live Pool
2007-11-22 13:31 --------- d-----w C:\Program Files\Simply Safe Backup 2005
2007-02-20 02:51 30,615 ----a-w C:\Documents and Settings\David Porter\x.exe
2003-09-17 22:24 560 ------w C:\Program Files\Global.sw
2005-12-19 17:34 56 --sh--r C:\WINDOWS\system32\3676101CED.sys
.

((((((((((((((((((((((((((((( snapshot_2008-01-15_19.39.10.00 )))))))))))))))))))))))))))))))))))))))))
.
- 2008-01-16 01:04:00 245,760 ----a-w C:\WINDOWS\erdnt\Hiv-backup\Users\00000001\ntuser.dat
+ 2008-01-17 02:57:45 245,760 ----a-w C:\WINDOWS\erdnt\Hiv-backup\Users\00000001\ntuser.dat
- 2008-01-16 01:04:00 12,288 ----a-w C:\WINDOWS\erdnt\Hiv-backup\Users\00000002\UsrClass.dat
+ 2008-01-17 02:57:45 12,288 ----a-w C:\WINDOWS\erdnt\Hiv-backup\Users\00000002\UsrClass.dat
- 2008-01-16 01:04:01 245,760 ----a-w C:\WINDOWS\erdnt\Hiv-backup\Users\00000003\ntuser.dat
+ 2008-01-17 02:57:45 245,760 ----a-w C:\WINDOWS\erdnt\Hiv-backup\Users\00000003\ntuser.dat
- 2008-01-16 01:04:01 12,288 ----a-w C:\WINDOWS\erdnt\Hiv-backup\Users\00000004\UsrClass.dat
+ 2008-01-17 02:57:45 12,288 ----a-w C:\WINDOWS\erdnt\Hiv-backup\Users\00000004\UsrClass.dat
- 2008-01-16 01:04:01 10,121,216 ----a-w C:\WINDOWS\erdnt\Hiv-backup\Users\00000005\ntuser.dat
+ 2008-01-17 02:57:46 10,121,216 ----a-w C:\WINDOWS\erdnt\Hiv-backup\Users\00000005\ntuser.dat
- 2008-01-16 01:04:01 450,560 ----a-w C:\WINDOWS\erdnt\Hiv-backup\Users\00000006\UsrClass.dat
+ 2008-01-17 02:57:46 450,560 ----a-w C:\WINDOWS\erdnt\Hiv-backup\Users\00000006\UsrClass.dat
+ 2008-01-16 00:29:08 163,328 ----a-w C:\WINDOWS\ERUNT\SDFIX\ERDNT.EXE
+ 2008-01-17 01:14:10 10,121,216 ----a-w C:\WINDOWS\ERUNT\SDFIX\Users\00000001\ntuser.dat
+ 2008-01-17 01:14:10 450,560 ----a-w C:\WINDOWS\ERUNT\SDFIX\Users\00000002\UsrClass.dat
+ 2008-01-16 00:29:08 163,328 ----a-w C:\WINDOWS\ERUNT\SDFIX_First_Run\ERDNT.EXE
+ 2008-01-17 01:13:30 10,121,216 ----a-w C:\WINDOWS\ERUNT\SDFIX_First_Run\Users\00000001\ntuser.dat
+ 2008-01-17 01:13:30 450,560 ----a-w C:\WINDOWS\ERUNT\SDFIX_First_Run\Users\00000002\UsrClass.dat
- 2001-08-23 12:00:00 50,620 ----a-w C:\WINDOWS\system32\command.com
+ 2001-08-18 19:00:00 50,620 ----a-w C:\WINDOWS\system32\command.com
- 2008-01-12 18:25:31 821,856 ----a-w C:\WINDOWS\system32\drivers\avg7core.sys
+ 2008-01-16 02:11:04 821,856 ----a-w C:\WINDOWS\system32\drivers\avg7core.sys
- 2008-01-12 18:25:36 4,224 ----a-w C:\WINDOWS\system32\drivers\avg7rsw.sys
+ 2008-01-16 02:11:09 4,224 ----a-w C:\WINDOWS\system32\drivers\avg7rsw.sys
- 2008-01-12 18:25:36 27,776 ----a-w C:\WINDOWS\system32\drivers\avg7rsxp.sys
+ 2008-01-16 02:11:10 27,776 ----a-w C:\WINDOWS\system32\drivers\avg7rsxp.sys
- 2008-01-12 18:25:37 10,760 ----a-w C:\WINDOWS\system32\drivers\avgclean.sys
+ 2008-01-16 02:11:11 10,760 ----a-w C:\WINDOWS\system32\drivers\avgclean.sys
- 2008-01-12 18:25:37 26,952 ----a-w C:\WINDOWS\system32\drivers\avgmfx86.sys
+ 2008-01-16 02:11:11 26,952 ----a-w C:\WINDOWS\system32\drivers\avgmfx86.sys
+ 2008-01-17 03:05:00 16,384 ----atw C:\WINDOWS\Temp\Perflib_Perfdata_264.dat
.
-- Snapshot reset to current date --
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{F0D4B231-DA4B-4daf-81E4-DFEE4931A4AA}]
2007-12-02 16:16 267592 --a------ C:\Program Files\AskSBar\bar\1.bin\ASKSBAR.DLL

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{FC1B64D9-3499-4791-82D5-AABAC3FAEA45}]
C:\WINDOWS\system32\iifghfe.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
{2318C2B1-4965-11D4-9B18-009027A5CD4F}
{47833539-D0C5-4125-9FA8-0819E2EAAC93}
{F0D4B239-DA4B-4DAF-81E4-DFEE4931A4AA}
{2C0A5F28-48D8-408B-9172-9C6121025BCE}

[HKEY_CLASSES_ROOT\clsid\{f0d4b239-da4b-4daf-81e4-dfee4931a4aa}]

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser]
"{F0D4B239-DA4B-4DAF-81E4-DFEE4931A4AA}"= C:\Program Files\AskSBar\bar\1.bin\ASKSBAR.DLL [2007-12-02 16:16 267592]

[HKEY_CLASSES_ROOT\clsid\{f0d4b239-da4b-4daf-81e4-dfee4931a4aa}]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ATI Launchpad"="" []
"H/PC Connection Agent"="C:\PROGRA~1\MICROS~4\wcescomm.exe" [ ]
"Aim6"="" []
"SUPERAntiSpyware"="C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2008-01-12 12:18 1318912]
"WMPNSCFG"="C:\Program Files\Windows Media Player\WMPNSCFG.exe" [ ]
"Dot1XCfg"="C:\Program Files\Dot1XCfg\Dot1XCfg.exe" [2008-01-12 12:18 61440]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServicesOnce]
"washindex"="C:\Program Files\Washer\washidx.exe" [ ]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"CTXFIREG"="CTxfiReg.exe" []
"SetDefPrt"="C:\Program Files\Brother\Brmfl04a\BrStDvPt.exe" [2008-01-12 12:18 49152]
"ControlCenter2.0"="C:\Program Files\Brother\ControlCenter2\brctrcen.exe" [2008-01-12 12:18 851968]
"Auto Run Software for Photo Frame"="" []
"!AVG Anti-Spyware"="C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" [2007-06-11 03:25 6731312]
"ESP"="c:\Program Files\Cox\Applications\app\start.exe" [2007-05-09 13:40 62952]
"AVG7_CC"="C:\PROGRA~1\Grisoft\AVG7\avgcc.exe" [2008-01-15 20:10 579072]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"DWQueuedReporting"="C:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" [2005-04-25 12:45 36040]
"MySpaceIM"="C:\Program Files\MySpace\IM\MySpaceIM.exe" [2007-08-13 18:04 5562368]
"AVG7_Run"="C:\PROGRA~1\Grisoft\AVG7\avgw.exe" [2008-01-15 20:11 219136]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"RunNarrator"="Narrator.exe" [2006-10-04 02:48 53760 C:\WINDOWS\system32\narrator.exe]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Exif Launcher 2.lnk - C:\Program Files\FinePixViewer\QuickDCF2.exe [2006-12-28 17:19:06]
Microsoft Office.lnk - C:\Program Files\Microsoft Office\Office10\OSA.EXE [2001-02-13 01:01:04]
Monitor.lnk - C:\Program Files\SanDisk\SanDisk TransferMate\SD Monitor.exe [2007-01-17 19:31:46]
Status Monitor.lnk - C:\Program Files\Brother\Brmfcmon\BrMfcWnd.exe [2007-03-04 17:42:12]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]
"DisableRegistryTools"= 0 (0x0)

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= C:\Program Files\SUPERAntiSpyware\SASSEH.DLL [2006-12-20 13:55 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
C:\Program Files\SUPERAntiSpyware\SASWINLO.dll 2007-04-19 13:41 294912 C:\Program Files\SUPERAntiSpyware\SASWINLO.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=sfklg.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Load]
C:\WINDOWS\system32\geebc.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\swg]
C:\Program Files\Google\GoogleToolbarNotifier\1.2.908.5008\GoogleToolbarNotifier.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\UserFaultCheck]
C:\WINDOWS\system32\dumprep 0 -u

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"UStorage Server Service"=2 (0x2)
"Symantec Core LC"=2 (0x2)
"service"=2 (0x2)
"bgsvcgen"=2 (0x2)
"AresChatServer"=3 (0x3)

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run-]
"SpybotSD TeaTimer"=C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe

R0 GRFILTER;Authentium NDIS Driver;C:\WINDOWS\system32\drivers\GRFILTER.sys [2007-05-09 13:41]
R1 VIAPFD;VIAPFD;C:\WINDOWS\system32\Drivers\VIAPFD.SYS [2001-12-18 08:45]
R2 CINEMSUP;Software Cinemaster NT4.0 Driver;C:\WINDOWS\system32\DRIVERS\CINEMSUP.SYS [2002-01-08 10:16]
R2 GRTdiMon;Authentium TDI Mon;C:\WINDOWS\system32\Drivers\GRTdiMon.sys [2007-05-09 13:41]
R2 ousbehci;%OWC_USBEHCD.DeviceDesc%;C:\WINDOWS\system32\Drivers\ousbehci.sys [2002-01-31 17:39]
R3 DLKRTS;D-Link DFE-538TX 10/100 Adapter;C:\WINDOWS\system32\DRIVERS\DLKRTS.SYS [2002-06-23 22:31]
R3 ousb2hub;OrangeWare USB 2.0 Root Hub Support;C:\WINDOWS\system32\DRIVERS\ousb2hub.sys [2002-01-31 17:39]
R3 st3bus28;st3bus28;C:\WINDOWS\system32\DRIVERS\st3bus28.sys [2002-12-28 11:16]
R3 st3mp28;st3mp28;C:\WINDOWS\system32\DRIVERS\st3mp28.sys [2002-12-28 11:16]
S0 c2scsi;c2scsi;C:\WINDOWS\system32\DRIVERS\c2scsi.sys []
S0 ElbyVCD;ElbyVCD;C:\WINDOWS\system32\DRIVERS\ElbyVCD.sys []
S1 usbintell;usbintell;C:\WINDOWS\system32\drivers\usbintell.sys []
S3 BrScnUsb;Brother USB Still Image driver;C:\WINDOWS\system32\Drivers\BrScnUsb.sys [2003-12-19 21:15]
S3 BrSerIf;Brother MFC Serial Port Interface WDM Driver;C:\WINDOWS\system32\Drivers\BrSerIf.sys [2004-06-12 05:27]
S3 BrUsbSer;Brother MFC USB Serial WDM Driver;C:\WINDOWS\system32\Drivers\BrUsbSer.sys [2004-01-10 04:28]
S3 LxrSG20d;LxrSG20d;C:\WINDOWS\system32\Drivers\LxrSG20d.sys [2005-08-29 14:07]
S3 p17filt;p17filt;C:\WINDOWS\system32\drivers\p17filt.sys []
S3 SQLWriter;SQL Server VSS Writer;"C:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe" [2005-10-14 02:53]
S3 VICHW00;VICHW00;C:\WINDOWS\SYSTEM32\DRIVERS\VICHW00.SYS []

.
**************************************************************************

catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-01-16 21:08:37
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

PROCESS: C:\WINDOWS\system32\lsass.exe [5.01.2600.2180]
-> C:\Program Files\Google\Google Desktop Search\GoogleDesktopNetwork1.dll
.
Completion time: 2008-01-16 21:16:10 - machine was rebooted [David Porter]
ComboFix-quarantined-files.txt 2008-01-17 03:16:07
ComboFix2.txt 2008-01-16 01:40:01
ComboFix3.txt 2007-12-22 00:56:28
ComboFix4.txt 2007-12-22 00:44:20
.
2008-01-10 03:59:57 --- E O F ---
Attached Files
File Type: txt ComboFix.txt (18.6 KB, 4 views)
File Type: txt Report.txt (3.0 KB, 1 views)

Last edited by Ried; 01-16-2008 at 10:26 PM. Reason: removed infected files.zip for inspection
Danielle_2008 is offline  
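The ComboFix log in the post above is what the helper reads by eye: which loading points still reference a file, which reference nothing, and which are the dangerous kind. As an added example (not part of this thread and not a ComboFix function), the Python script below does that first pass mechanically over the "Reg Loading Points" and driver lines: it flags a populated AppInit_DLLs value, autostart and BHO entries whose file ComboFix could not date, registered drivers with no file behind them, and items disabled through msconfig. The one assumption it encodes is that the empty bracket ComboFix prints after an entry means the file was not found (a found file gets its date and size there); the sample input is an excerpt copied from the log posted above, with the blank lines dropped.

```python
"""Triage the autostart section of a ComboFix log.

Added example, not part of this thread and not a ComboFix feature: it reads the
'Reg Loading Points' and driver lines and flags what an analyst checks first.
ComboFix prints a found file's date and size in brackets after the entry; an
empty bracket is read here as 'file not found'.
"""
import re
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

# Sample input: excerpt copied from the ComboFix log posted in this thread.
SAMPLE_LOG = r"""
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{F0D4B231-DA4B-4daf-81E4-DFEE4931A4AA}]
2007-12-02 16:16 267592 --a------ C:\Program Files\AskSBar\bar\1.bin\ASKSBAR.DLL
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{FC1B64D9-3499-4791-82D5-AABAC3FAEA45}]
C:\WINDOWS\system32\iifghfe.dll
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ATI Launchpad"="" []
"H/PC Connection Agent"="C:\PROGRA~1\MICROS~4\wcescomm.exe" [ ]
"SUPERAntiSpyware"="C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2008-01-12 12:18 1318912]
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=sfklg.dll
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Load]
C:\WINDOWS\system32\geebc.exe
R0 GRFILTER;Authentium NDIS Driver;C:\WINDOWS\system32\drivers\GRFILTER.sys [2007-05-09 13:41]
S1 usbintell;usbintell;C:\WINDOWS\system32\drivers\usbintell.sys []
"""

_KEY = re.compile(r"^\[(.+)\]$")
_DRIVER = re.compile(r"^([RS])(\d) ([^;]+);([^;]*);(.+?) \[(.*)\]$")  # R=running, S=stopped, digit=start type
_VALUE_META = re.compile(r'^"(.+?)"=(.*?)\s*\[(.*)\]$')               # "name"="command" [date time size]
_VALUE_PLAIN = re.compile(r'^"(.+?)"=(.*)$')
_BARE_PATH = re.compile(r"^[A-Za-z]:\\")
_DATE_ANY = re.compile(r"\d{4}-\d\d-\d\d \d\d:\d\d")
SEVERITY = {"high": 0, "medium": 1, "low": 2, "info": 3}


@dataclass
class Finding:
    location: str                                  # registry key (plus value name) or driver
    target: str                                    # file or command the entry loads
    reasons: List[Tuple[str, str]] = field(default_factory=list)  # (severity, explanation)


def _unquote(v: str) -> str:
    v = v.strip()
    return v[1:-1] if len(v) >= 2 and v[0] == v[-1] == '"' else v


def triage(log_text: str) -> List[Finding]:
    findings, key = [], None
    for raw in log_text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if (m := _KEY.match(line)):
            key = m.group(1)
            continue
        if (m := _DRIVER.match(line)):
            state, start, name, _desc, path, meta = m.groups()
            if not meta.strip():
                findings.append(Finding(f"driver {name} ({state}{start})", path,
                                        [("medium", "service still registered but its driver file was not found")]))
            continue
        if key is None:
            continue
        name, reasons = None, []
        in_msconfig = r"msconfig\startupreg" in key.lower()
        if (m := _VALUE_META.match(line)):
            name, target, meta = m.group(1), _unquote(m.group(2)), m.group(3)
            if not target:
                reasons.append(("low", "empty command: orphaned autostart value"))
            elif not meta.strip():
                reasons.append(("medium", "autostart points at a file ComboFix could not find"))
        elif (m := _VALUE_PLAIN.match(line)):
            name, target = m.group(1), _unquote(m.group(2))
            if name.lower() == "appinit_dlls" and target:
                reasons.append(("high", "AppInit_DLLs is set: this DLL is loaded into every process that maps user32.dll"))
        elif _BARE_PATH.match(line) and not line.endswith("\\"):
            target = line
            # Hook/BHO entries show 'date time size attrs path' when the file exists;
            # msconfig\startupreg entries never carry metadata, so nothing is inferred there.
            if not in_msconfig and not _DATE_ANY.search(line):
                reasons.append(("medium", "loading point refers to a file ComboFix could not find"))
        else:
            continue  # CLSID lists, policy values and the like
        if in_msconfig and target:
            reasons.append(("info", "disabled with msconfig: not running, but the file is still worth checking"))
        if reasons:
            findings.append(Finding(key if name is None else f'{key} -> "{name}"', target, reasons))
    return findings


def report(log_text: str = SAMPLE_LOG) -> List[str]:
    """One line per finding, worst severity first."""
    ranked = []
    for f in triage(log_text):
        worst = min(f.reasons, key=lambda r: SEVERITY[r[0]])[0]
        ranked.append((SEVERITY[worst], f"[{worst.upper():6}] {f.target}  <- {f.location}: "
                       + "; ".join(text for _, text in f.reasons)))
    return [text for _, text in sorted(ranked)]
```

Run against the excerpt, `report()` puts the AppInit_DLLs entry (sfklg.dll) at the top, then the BHO, Run and driver entries whose files ComboFix could not find, and lists the msconfig-disabled geebc.exe last as informational. The Ask toolbar, SUPERAntiSpyware and GRFILTER entries, which carry a date and size, produce nothing.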
Old 01-18-2008, 04:19 AM   #9 (permalink)
Assistant Manager, TSF Academy; Moderator/Analyst Security Team
 
Ried's Avatar
 
Join Date: Jan 2005
Location: Ohio
Posts: 24,048
OS: WinXP and Vista


Re: No spyware remover works. Check it out.

Hi Danielle_2008,

Please copy this page to Notepad and save to your desktop for reference as you will not have any browsers open while you are carrying out portions of these instructions.

Also be sure to carry out the instructions in the sequence listed below.

***************************************************

Using 'My Computer', navigate to and delete the following Folder

C:\Program Files\Global.sw


--------------------------------------------------------------------

Open notepad and copy/paste the entire text in the code box below: (don't forget to copy and paste REGEDIT4)

Code:
REGEDIT4

[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{FC1B64D9-3499-4791-82D5-AABAC3FAEA45}]

[-HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{5A258FBD-3BF0-D182-E84D-9632ED1508AF}]

[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Load]
Save the file as "delete.reg". Make sure to save it with the quotes. Choose to "Save type as - All Files"
It should look like this:

Double click on the delete.reg file and choose Yes to merge/add it to the registry. You may delete the file afterwards.

--------------------------------------------------------------------

Reboot your system.

--------------------------------------------------------------------

Please run this online scan to search for any remnants. It can take some time, so please be patient and allow it to run its full course:

Using Internet Explorer, visit http://www.kaspersky.com/kos/eng/par...avwebscan.html

Answer Yes, when prompted to install an ActiveX component.
  • The program will then begin downloading the latest definition files.
  • Once the files have been downloaded click on NEXT
  • Locate the Scan Settings button & configure to:
    • Scan using the following Anti-Virus database:
      • Extended
    • Scan Options:
      • Scan Archives
      • Scan Mail Bases
  • Click OK & have it scan My Computer
  • Once the scan is complete, it will display if your system has been infected. It does not provide an option to clean/disinfect. We only require a report from it.



  • Click the Save as Text button to save the file to your desktop so that you may post it in your next reply
* Turn off the real time scanner of any existing antivirus program while performing the online scan

---------------------------------------------------------------

Run a new scan with dss.exe.

---------------------------------------------------------------

Please include the following in your next reply:

Kaspersky results
main.txt
Update on system behavior


Also, did someone intentionally install the SoftForYou keylogging program on this system?
Ried is offline  
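The two scripts in this thread, the CFScript fed to ComboFix in post #7 and the delete.reg merged with regedit in the post above, use three pieces of .reg syntax: `[-Key]` deletes a key, `"name"=-` deletes a value, and `hex(7):...` writes a REG_MULTI_SZ. The Python below is an added example, not part of the thread, of ComboFix or of regedit; it parses both scripts (embedded as sample input, copied from the posts) and lists what merging them would do. Two details it encodes: in REGEDIT4 files, hex string data is single-byte ANSI, while "Windows Registry Editor Version 5.00" files store it as UTF-16LE, so the "Notification Packages" bytes 73,63,65,63,6c,69,00,00 decode to the single entry "scecli", the Windows default (a second DLL in that list is loaded by LSA and sees every password change, which is why the CFScript resets it); and ComboFix abbreviates HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer as `~` in its logs, a shorthand regedit itself does not know, so the parser expands it to the key the log refers to.

```python
"""Decode what a REGEDIT4 clean-up script does before it is merged.

Added example, not part of this thread nor of ComboFix or regedit: a parser for
the .reg syntax of the two scripts posted above, listing each operation and
decoding hex(7) data so the 'Notification Packages' line reads as what it is.
"""
import re
from dataclasses import dataclass
from typing import List, Optional, Union

# Sample input 1: the registry lines of the CFScript as visible in the thread.
CFSCRIPT_REGISTRY = r"""
[hkey_local_machine\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{FC1B64D9-3499-4791-82D5-AABAC3FAEA45}"= -
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
"Notification Packages"=hex(7):73,63,65,63,6c,69,00,00
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Load]
"""
# Sample input 2: delete.reg as posted (blank lines dropped).
DELETE_REG = r"""REGEDIT4
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{FC1B64D9-3499-4791-82D5-AABAC3FAEA45}]
[-HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{5A258FBD-3BF0-D182-E84D-9632ED1508AF}]
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Load]
"""

V5_HEADER = "Windows Registry Editor Version 5.00"
TYPE_NAMES = {"1": "REG_SZ", "2": "REG_EXPAND_SZ", "3": "REG_BINARY", "4": "REG_DWORD", "7": "REG_MULTI_SZ"}
EXPLORER_KEY = r"SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer"  # what ComboFix logs abbreviate as '~'

_KEY_RE = re.compile(r"^\[(-?)(.+)\]$")                                  # [key] or [-key]
_VALUE_RE = re.compile(r'^(?:"((?:[^"\\]|\\.)*)"|(@))\s*=\s*(.*)$')      # "name"=data or @=data
_HEX_RE = re.compile(r"^hex(?:\((\w+)\))?:(.*)$", re.I)


@dataclass
class RegOp:
    kind: str                          # delete_key | delete_value | set_value
    key: str
    name: Optional[str] = None         # None for key operations, "" for the (Default) value
    reg_type: Optional[str] = None
    data: Union[None, str, int, bytes, List[str]] = None


def expand_shorthand(key: str) -> str:
    """Regedit knows no '~'; expand ComboFix's abbreviation to the real key."""
    return key.replace("\\~\\", "\\" + EXPLORER_KEY + "\\")


def _logical_lines(text: str):
    """Yield stripped lines, joining hex data continued with a trailing backslash."""
    pending = ""
    for raw in text.splitlines():
        line = pending + raw.strip()
        pending = line[:-1] if line.endswith("\\") else ""
        if not pending:
            yield line


def _unescape(s: str) -> str:
    return s.replace('\\"', '"').replace("\\\\", "\\")


def _decode_hex(body: str, kind: str, wide: bool):
    raw = bytes(int(b, 16) for b in body.split(",") if b.strip())
    if kind not in ("1", "2", "7"):
        return raw
    text = raw.decode("utf-16-le" if wide else "latin-1")  # v5 files hold UTF-16LE, REGEDIT4 files ANSI
    return [s for s in text.split("\0") if s] if kind == "7" else text.split("\0", 1)[0]


def parse_reg(text: str) -> List[RegOp]:
    ops, key, wide = [], None, False
    for line in _logical_lines(text):
        if not line or line.startswith(";"):
            continue
        if line in ("REGEDIT4", V5_HEADER):
            wide = line == V5_HEADER
            continue
        if (m := _KEY_RE.match(line)):
            minus, path = m.group(1), expand_shorthand(m.group(2))
            if minus:
                ops.append(RegOp("delete_key", path))
                key = None                                # values must not follow a [-key] line
            else:
                key = path
            continue
        m = _VALUE_RE.match(line)
        if not m or key is None:
            raise ValueError(f"cannot interpret line: {line!r}")
        name = "" if m.group(2) else _unescape(m.group(1))
        rhs = m.group(3).strip()
        if rhs == "-":                                    # "name"=- deletes the value (the CFScript writes "= -")
            ops.append(RegOp("delete_value", key, name))
        elif len(rhs) >= 2 and rhs[0] == rhs[-1] == '"':
            ops.append(RegOp("set_value", key, name, "REG_SZ", _unescape(rhs[1:-1])))
        elif rhs.lower().startswith("dword:"):
            ops.append(RegOp("set_value", key, name, "REG_DWORD", int(rhs[6:], 16)))
        elif (h := _HEX_RE.match(rhs)):
            kind = (h.group(1) or "3").lower()
            ops.append(RegOp("set_value", key, name, TYPE_NAMES.get(kind, f"hex({kind})"), _decode_hex(h.group(2), kind, wide)))
        else:
            raise ValueError(f"unsupported value syntax: {line!r}")
    return ops


def describe(text: str) -> List[str]:
    """One human-readable line per operation the script performs."""
    return [f"{op.kind.upper()} {op.key}" + (f' -> "{op.name}"' if op.name is not None else "")
            + (f" = {op.reg_type} {op.data!r}" if op.kind == "set_value" else "")
            for op in parse_reg(text)]
```

`describe(CFSCRIPT_REGISTRY)` yields one DELETE_VALUE line for the ShellExecuteHooks CLSID, one SET_VALUE line showing Notification Packages as REG_MULTI_SZ ['scecli'], and one DELETE_KEY line for the msconfig Load entry; `describe(DELETE_REG)` yields three DELETE_KEY lines, the first with the `~` expanded to the full Explorer key.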
Old 01-19-2008, 06:59 AM   #10 (permalink)
Registered User
 
Join Date: Jan 2008
Posts: 14
OS: Windows XP SP2


Re: No spyware remover works. Check it out.

Hi Ried

I performed those operations but did not turn off my antivirus programs. As far as I know, no scans ran while Kaspersky was scanning. I installed a free keylogger (KGB Free Keylogger at refog.com) on my own some time ago, but I did not install a "SoftForYou" keylogging program. As for my current system performance, I am still getting pop-ups, although not as many. When I run Internet Explorer, I get pop-ups from "rond.starsdoor.com". This one seems to pop up at regular time intervals (about every 2 minutes), and Internet Explorer runs slow along with intermittent keystrokes. When I run Firefox, pop-ups are from "Dcads" and provide advertisements based on the words that I type.

Deckard's System Scanner v20071014.68
Run by David Porter on 2008-01-19 08:22:32
Computer is in Normal Mode.
--------------------------------------------------------------------------------

Percentage of Memory in Use: 78% (more than 75%).


-- HijackThis (run as David Porter.exe) ----------------------------------------

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 8:22:39 AM, on 1/19/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16574)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\system32\brsvc01a.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\brss01a.exe
c:\Program Files\Cox\Applications\App\syssvcnt.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 6.0 SOS\avp.exe
C:\WINDOWS\system32\Brmfrmps.exe
C:\WINDOWS\system32\LxrJD31s.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\Program Files\Pinnacle\MediaServer\Microsoft SQL Server\MSSQL$PINNACLESYS\Binn\sqlservr.exe
C:\WINDOWS\System32\svchost.exe
c:\program files\pinnacle\shared files\programs\mediaserver\pmshost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 6.0 SOS\avp.exe
C:\Program Files\Cox\Applications\app\Console.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\Program Files\Dot1XCfg\Dot1XCfg.exe
C:\Program Files\FinePixViewer\QuickDCF2.exe
C:\Program Files\SanDisk\SanDisk TransferMate\SD Monitor.exe
C:\Program Files\Brother\Brmfcmon\BrMfcWnd.exe
C:\Documents and Settings\David Porter\Desktop\dss.exe
C:\PROGRA~1\TRENDM~1\HIJACK~1\David Porter.exe

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: AuthPopupBHO01.cBHO - {3C7195F6-D788-4D50-BA72-2EE212EDAC78} - c:\Program Files\Cox\Applications\App\popupbho01.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar3.dll
O2 - BHO: Adobe PDF Conversion Toolbar Helper - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll
O2 - BHO: Ask Toolbar BHO - {F0D4B231-DA4B-4daf-81E4-DFEE4931A4AA} - C:\Program Files\AskSBar\bar\1.bin\ASKSBAR.DLL
O2 - BHO: (no name) - {FC1B64D9-3499-4791-82D5-AABAC3FAEA45} - C:\WINDOWS\system32\iifghfe.dll (file missing)
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar3.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: Ask Toolbar - {F0D4B239-DA4B-4daf-81E4-DFEE4931A4AA} - C:\Program Files\AskSBar\bar\1.bin\ASKSBAR.DLL
O3 - Toolbar: Cox Popup Blocker - {2C0A5F28-48D8-408B-9172-9C6121025BCE} - c:\Program Files\Cox\Applications\App\popupbho01.dll
O4 - HKLM\..\Run: [CTXFIREG] CTxfiReg.exe
O4 - HKLM\..\Run: [SetDefPrt] C:\Program Files\Brother\Brmfl04a\BrStDvPt.exe
O4 - HKLM\..\Run: [ControlCenter2.0] C:\Program Files\Brother\ControlCenter2\brctrcen.exe /autorun
O4 - HKLM\..\Run: [ESP] c:\Program Files\Cox\Applications\app\start.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [AVP] "C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 6.0 SOS\avp.exe"
O4 - HKCU\..\Run: [H/PC Connection Agent] "C:\PROGRA~1\MICROS~4\wcescomm.exe"
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - HKCU\..\Run: [WMPNSCFG] C:\Program Files\Windows Media Player\WMPNSCFG.exe
O4 - HKCU\..\Run: [Dot1XCfg] C:\Program Files\Dot1XCfg\Dot1XCfg.exe
O4 - HKCU\..\RunServicesOnce: [washindex] C:\Program Files\Washer\washidx.exe
O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-21-602162358-1801674531-725345543-1016\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background (User '?')
O4 - HKUS\S-1-5-21-602162358-1801674531-725345543-1016\..\Run: [zanu] c:\program files\zangoclient\zanu.exe (User '?')
O4 - HKUS\S-1-5-21-602162358-1801674531-725345543-1016\..\Run: [ares] "C:\Program Files\Ares\Ares.exe" -h (User '?')
O4 - HKUS\S-1-5-21-602162358-1801674531-725345543-1016\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User '?')
O4 - HKUS\S-1-5-18\..\Run: [DWQueuedReporting] "C:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" -t (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\RunOnce: [RunNarrator] Narrator.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [DWQueuedReporting] "C:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" -t (User 'Default user')
O4 - HKUS\.DEFAULT\..\RunOnce: [RunNarrator] Narrator.exe (User 'Default user')
O4 - Global Startup: Exif Launcher 2.lnk = ?
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: Monitor.lnk = C:\Program Files\SanDisk\SanDisk TransferMate\SD Monitor.exe
O4 - Global Startup: Status Monitor.lnk = C:\Program Files\Brother\Brmfcmon\BrMfcWnd.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: &Search - ?p=ZSYYYYYYYYUS
O8 - Extra context menu item: Convert link target to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert link target to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert selected links to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
O8 - Extra context menu item: Convert selected links to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
O8 - Extra context menu item: Convert selection to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert selection to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: ATI TV - {44226DFF-747E-4edc-B30C-78752E50CD0C} - C:\Program Files\ATI Multimedia\dtv\EXPLBAR.DLL
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Active Whois - {BAB9A4F4-C201-4fcf-A5D3-BA77BC9FBEB2} - C:\Program Files\Active Whois\ieshow.exe
O9 - Extra 'Tools' menuitem: Active Whois - {BAB9A4F4-C201-4fcf-A5D3-BA77BC9FBEB2} - C:\Program Files\Active Whois\ieshow.exe
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra button: (no name) - SolidConverterPDF - (no file) (HKCU)
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {0A5FD7C5-A45C-49FC-ADB5-9952547D5715} (Creative Software AutoUpdate) - http://www.creative.com/su/ocx/15015/CTSUEng.cab
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/english...an_unicode.cab
O16 - DPF: {1239CC52-59EF-4DFA-8C61-90FFA846DF7E} (Musicnotes Viewer) - http://www.musicnotes.com/download/mnviewer.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {1B4F9DD7-2D7C-44B5-9126-73206DA0AE75} (CNavigationManager Object) - http://www3.authentium.com/cssrelease/bin/wizard.exe
O16 - DPF: {2AF5BD25-90C5-4EEC-88C5-B44DC2905D8B} (DownloadManager Control) - http://dlm.tools.akamai.com/dlmanage...ex-2.2.0.5.cab
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/S...in/AvSniff.cab
O16 - DPF: {4C39376E-FA9D-4349-BACC-D305C1750EF3} (EPUImageControl Class) - http://tools.ebayimg.com/eps/wl/acti..._v1-0-3-36.cab
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/S.../bin/cabsa.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsof...?1145321512640
O16 - DPF: {6F750202-1362-4815-A476-88533DE61D0C} (Kodak Gallery Easy Upload Manager Class) - http://www.kodakgallery.com/download...2/axofupld.cab
O16 - DPF: {917623D1-D8E5-11D2-BE8B-00104B06BDE3} (CamImage Class) - http://24.249.81.101/AxisCamControl.ocx
O16 - DPF: {F6ACF75C-C32C-447B-9BEF-46B766368D29} (Creative Software AutoUpdate Support Package) - http://www.creative.com/su/ocx/15023/CTPID.cab
O20 - AppInit_DLLs: sfklg.dll
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: Cox High Speed Internet Security Suite System Service (AuthSysSvc) - Authentium, Inc. - c:\Program Files\Cox\Applications\App\syssvcnt.exe
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: Kaspersky Anti-Virus 6.0 (AVP) - Kaspersky Lab - C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 6.0 SOS\avp.exe
O23 - Service: Brother Popup Suspend service for Resource manager (brmfrmps) - Brother Industries, Ltd. - C:\WINDOWS\system32\Brmfrmps.exe
O23 - Service: BrSplService (Brother XP spl Service) - brother Industries Ltd - C:\WINDOWS\system32\brsvc01a.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: Lexar JD31 (LxrJD31s) - Unknown owner - C:\WINDOWS\SYSTEM32\LxrJD31s.exe
O23 - Service: Lexar SG20 (LxrSG20s) - Unknown owner - C:\WINDOWS\SYSTEM32\LxrSG20s.exe
O23 - Service: PACSPTISVR - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\PACSPTISVR.exe
O23 - Service: Pinnacle Systems Media Service (PinnacleSys.MediaServer) - Pinnacle Systems - c:\program files\pinnacle\shared files\programs\mediaserver\pmshost.exe
O23 - Service: Sony SPTI Service (SPTISRV) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\SPTISRV.exe
O23 - Service: X10 Device Network Service (x10nets) - Unknown owner - C:\PROGRA~1\ATIMUL~1\RemCtrl\x10nets.exe (file missing)

--
End of file - 12757 bytes

-- Files created between 2007-12-19 and 2008-01-19 -----------------------------

2008-01-18 18:35:01 5664 --ahs---- C:\WINDOWS\system32\drivers\fidbox2.dat
2008-01-18 18:35:01 5802528 --ahs---- C:\WINDOWS\system32\drivers\fidbox.dat
2008-01-18 18:30:54 0 d-------- C:\Program Files\Kaspersky Lab
2008-01-18 18:25:48 0 d-------- C:\KAV
2008-01-16 19:12:49 0 d-------- C:\WINDOWS\ERUNT
2008-01-16 19:00:00 0 dr-h----- C:\$VAULT$.AVG
2008-01-16 14:47:14 0 d-------- C:\Documents and Settings\Rodney\Application Data\AVG7
2008-01-15 20:11:24 0 d-------- C:\Documents and Settings\David Porter\Application Data\AVG7
2008-01-15 20:11:14 0 d-------- C:\Documents and Settings\LocalService\Application Data\AVG7
2008-01-15 19:52:43 0 d-------- C:\Documents and Settings\All Users\Application Data\Avg7
2008-01-15 19:05:41 0 d-------- C:\cmdcons
2008-01-13 19:40:40 0 d-------- C:\Documents and Settings\Rodney\Application Data\Grisoft
2008-01-13 18:52:04 0 d-------- C:\Program Files\Common Files\RuleSpace
2008-01-13 18:51:58 0 d-------- C:\Program Files\Common Files\Aluria
2008-01-13 11:07:31 2230 --a------ C:\WINDOWS\system32\tmp.reg
2008-01-12 12:41:55 0 d-------- C:\Documents and Settings\David Porter\Application Data\Grisoft
2008-01-12 12:25:23 0 d-------- C:\Documents and Settings\All Users\Application Data\Grisoft
2008-01-11 18:47:00 0 d-------- C:\Documents and Settings\All Users\Application Data\Kaspersky Lab
2008-01-11 18:46:56 0 d-------- C:\WINDOWS\system32\Kaspersky Lab
2008-01-11 17:18:25 0 d-------- C:\Documents and Settings\All Users\Application Data\Lavasoft
2008-01-10 22:03:09 0 d-------- C:\Program Files\Dot1XCfg
2008-01-09 22:15:14 147456 --a------ C:\WINDOWS\system32\vbzip10.dll <Not Verified; Info-ZIP; Info-ZIP's WiZ>
2008-01-09 22:10:10 0 d-a------ C:\Documents and Settings\All Users\Application Data\TEMP
2008-01-05 15:01:42 0 d-------- C:\Documents and Settings\All Users\Application Data\Authentium
2008-01-05 15:00:23 0 d-------- C:\Program Files\Cox
2008-01-05 14:40:54 0 d-------- C:\Program Files\Common Files\Authentium Shared
2007-12-29 14:51:25 0 d-------- C:\Documents and Settings\Guest\Application Data\Sun
2007-12-26 1924 0 d-------- C:\Documents and Settings\Guest\Application Data\MySpace
2007-12-26 12:35:20 0 d-------- C:\Documents and Settings\Alex.UF-C96DFVV58QFI\Application Data\Real
2007-12-20 22:33:46 0 d-------- C:\Documents and Settings\All Users\Application Data\SUPERAntiSpyware.com
2007-12-20 22:33:30 0 d-------- C:\Program Files\SUPERAntiSpyware
2007-12-20 22:33:30 0 d-------- C:\Documents and Settings\David Porter\Application Data\SUPERAntiSpyware.com
2007-12-20 22:32:44 0 d-------- C:\Program Files\Common Files\Wise Installation Wizard


-- Find3M Report ---------------------------------------------------------------

2008-01-19 08:00:31 319488 --a------ C:\WINDOWS\system32\dcads_sidebar.dll
2008-01-19 08:00:31 253117 --a----c- C:\WINDOWS\onemx.exe
2008-01-16 21:01:48 0 d-------- C:\Program Files\QuickTime
2008-01-16 20:19:14 0 d-------- C:\Program Files\Windows NT
2008-01-15 19:25:33 0 d-------- C:\Program Files\Common Files
2008-01-12 08:39:59 1362920 --a------ C:\WINDOWS\system32\sfklg.dat
2008-01-11 18:28:53 0 d-------- C:\Program Files\Messenger
2008-01-11 17:18:25 0 d-------- C:\Program Files\Lavasoft
2008-01-11 17:04:08 0 d-------- C:\Documents and Settings\David Porter\Application Data\FrostWire
2008-01-11 16:50:53 0 d-------- C:\Program Files\Common Files\Symantec Shared
2008-01-10 22:42:14 0 d-------- C:\Program Files\FrostWire
2008-01-09 13:51:17 0 d-------- C:\Program Files\Incomplete
2008-01-06 07:51:32 0 d-------- C:\Program Files\FinePixViewer
2007-12-21 17:15:25 0 d-------- C:\Program Files\Ares
2007-12-19 21:09:39 77360 --a------ C:\WINDOWS\system32\dcads_sidebar_uninstall.exe
2007-12-19 18:44:51 469600 --a------ C:\Documents and Settings\David Porter\Application Data\GDIPFONTCACHEV1.DAT
2007-12-18 22:07:11 0 d-------- C:\Documents and Settings\David Porter\Application Data\HouseCall 6.6
2007-12-18 21:29:41 0 d-------- C:\Program Files\Trend Micro
2007-12-18 19:22:39 0 d-------- C:\Program Files\Spytech Software
2007-12-18 19:22:39 0 d-------- C:\Program Files\Motive
2007-12-16 19:58:48 0 d-------- C:\Program Files\Alienrazor Interactive
2007-12-13 14:07:08 3856 --a------ C:\WINDOWS\crmtemp1.dat
2007-12-02 16:16:45 0 d-------- C:\Program Files\AskSBar
2007-12-01 22:43:35 0 d-------- C:\Documents and Settings\David Porter\Application Data\MP3Rocket
2007-12-01 22:35:50 0 d-------- C:\Program Files\PFConfig
2007-12-01 20:25:16 0 d-------- C:\Program Files\Java
2007-11-28 20:29:41 0 d-------- C:\Program Files\Google
2007-11-27 22:55:05 0 d--h----- C:\Program Files\InstallShield Installation Information
2007-11-27 22:53:47 0 d-------- C:\Program Files\tunebite
2007-11-27 22:53:23 0 d-------- C:\Program Files\Pegasys Inc
2007-11-27 22:44:58 0 d-------- C:\Program Files\Hunting Unlimited
2007-11-27 22:42:29 0 d-------- C:\Program Files\321Studios
2007-11-27 22:40:54 0 d-------- C:\Program Files\AviSynth 2.5
2007-11-27 22:40:16 0 d-------- C:\Program Files\DeductionPro 2006
2007-11-27 22:39:12 0 d-------- C:\Program Files\Zittware
2007-11-27 22:35:47 0 d-------- C:\Program Files\3D Live Pool
2007-11-22 07:31:29 0 d-------- C:\Program Files\Simply Safe Backup 2005


-- Registry Dump ---------------------------------------------------------------

*Note* empty entries & legit default entries are not shown


[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{F0D4B231-DA4B-4daf-81E4-DFEE4931A4AA}]
12/02/2007 04:16 PM 267592 --a------ C:\Program Files\AskSBar\bar\1.bin\ASKSBAR.DLL

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{FC1B64D9-3499-4791-82D5-AABAC3FAEA45}]
C:\WINDOWS\system32\iifghfe.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"CTXFIREG"="CTxfiReg.exe" []
"SetDefPrt"="C:\Program Files\Brother\Brmfl04a\BrStDvPt.exe" [01/12/2008 12:18 PM]
"ControlCenter2.0"="C:\Program Files\Brother\ControlCenter2\brctrcen.exe" [01/12/2008 12:18 PM]
"Auto Run Software for Photo Frame"="" []
"ESP"="c:\Program Files\Cox\Applications\app\start.exe" [05/09/2007 01:40 PM]
"AVG7_CC"="C:\PROGRA~1\Grisoft\AVG7\avgcc.exe" [01/15/2008 08:10 PM]
"AVP"="C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 6.0 SOS\avp.exe" [11/19/2007 02:40 PM]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ATI Launchpad"="" []
"H/PC Connection Agent"="C:\PROGRA~1\MICROS~4\wcescomm.exe" []
"Aim6"="" []
"SUPERAntiSpyware"="C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [01/12/2008 12:18 PM]
"WMPNSCFG"="C:\Program Files\Windows Media Player\WMPNSCFG.exe" []
"Dot1XCfg"="C:\Program Files\Dot1XCfg\Dot1XCfg.exe" [01/12/2008 12:18 PM]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\runservicesonce]
"washindex"=C:\Program Files\Washer\washidx.exe

[HKEY_USERS\.default\software\microsoft\windows\currentversion\runonce]
"RunNarrator"=Narrator.exe

[HKEY_USERS\.default\software\microsoft\windows\currentversion\run]
"DWQueuedReporting"="C:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" -t
"MySpaceIM"=C:\Program Files\MySpace\IM\MySpaceIM.exe

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Exif Launcher 2.lnk - C:\Program Files\FinePixViewer\QuickDCF2.exe [12/28/2006 5:19:06 PM]
Microsoft Office.lnk - C:\Program Files\Microsoft Office\Office10\OSA.EXE [2/13/2001 1:01:04 AM]
Monitor.lnk - C:\Program Files\SanDisk\SanDisk TransferMate\SD Monitor.exe [1/17/2007 7:31:46 PM]
Status Monitor.lnk - C:\Program Files\Brother\Brmfcmon\BrMfcWnd.exe [3/4/2007 5:42:12 PM]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]
"DisableRegistryTools"=0 (0x0)
"DisableTaskMgr"=0 (0x0)

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= C:\Program Files\SUPERAntiSpyware\SASSEH.DLL [12/20/2006 01:55 PM 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
C:\Program Files\SUPERAntiSpyware\SASWINLO.dll 04/19/2007 01:41 PM 294912 C:\Program Files\SUPERAntiSpyware\SASWINLO.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"appinit_dlls"=sfklg.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\aawservice]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\vds]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{533C5B84-EC70-11D2-9505-00C04F79DEAF}]
@="Volume shadow copy"


[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\swg]
C:\Program Files\Google\GoogleToolbarNotifier\1.2.908.5008\GoogleToolbarNotifier.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\UserFaultCheck]
%systemroot%\system32\dumprep 0 -u

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"UStorage Server Service"=2 (0x2)
"Symantec Core LC"=2 (0x2)
"service"=2 (0x2)
"bgsvcgen"=2 (0x2)
"AresChatServer"=3 (0x3)

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run-]
"SpybotSD TeaTimer"=C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe




-- End of Deckard's System Scanner: finished at 2008-01-19 08:23:48 ------------
Attached Files
File Type: txt Kaspersky results.txt (547.1 KB, 1 views)
File Type: txt main.txt (22.5 KB, 1 views)

Last edited by Ried; 01-19-2008 at 09:54 PM.
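Added example, not part of the thread and not code from HijackThis or Deckard's System Scanner: the logs above are read by hand in this thread, so the script below writes that reading down as a handful of explicit rules over HijackThis-style lines. It flags AppInit_DLLs entries (O20), which Windows loads into every process that links user32.dll, so a DLL listed there lands in the browser too; unnamed or orphaned BHOs and toolbars (O2/O3); autostarts registered with no path or in the SYSTEM/Default-user hive (O4); Internet Explorer policy restrictions (O6); context-menu items without a file or res:// target (O8); and services carrying no vendor information (O23). The sample lines are a constructed subset copied from the log above, and the severities are this example's own heuristics, not a verdict on any particular file.

```python
"""Triage of HijackThis-style log lines.

Flags the persistence and browser-hijack entries that deserve a closer look.
These are heuristics: each flagged line still needs a human decision, and an
unflagged line is not proof of anything.
"""
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample: entry types copied from the posted log, not the full log.
SAMPLE_LOG = r"""
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {FC1B64D9-3499-4791-82D5-AABAC3FAEA45} - C:\WINDOWS\system32\iifghfe.dll
O3 - Toolbar: (no name) - {2C0A5F28-48D8-408B-9172-9C6121025BCE} - (no file)
O4 - HKLM\..\Run: [CTXFIREG] CTxfiReg.exe
O4 - HKLM\..\Run: [AVP] "C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 7.0\avp.exe"
O4 - HKUS\S-1-5-18\..\Run: [MySpaceIM] C:\Program Files\MySpace\IM\MySpaceIM.exe (User 'SYSTEM')
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O8 - Extra context menu item: &Search - ?p=ZSYYYYYYYYUS
O20 - AppInit_DLLs: sfklg.dll
O23 - Service: X10 Device Network Service (x10nets) - Unknown owner - C:\PROGRA~1\ATIMUL~1\RemCtrl\x10nets.exe (file missing)
"""

SEVERITY_ORDER = {"high": 0, "medium": 1, "low": 2}
# Profile hives of the SYSTEM account and the default user, as HijackThis prints them.
SYSTEM_HIVES = ("HKUS\\S-1-5-18", "HKUS\\.DEFAULT")
# "HKLM\..\Run: [name] command"  or  "HKUS\<SID>\..\RunOnce: [name] command (User 'X')"
O4_RE = re.compile(r"^(HK[^:]+?)\\\.\.\\(Run\w*): \[([^\]]+)\] (.*)$")


@dataclass(frozen=True)
class Finding:
    severity: str   # "high" | "medium" | "low" (this example's own scale)
    line: str
    reason: str


def _orphaned(target: str) -> bool:
    """HijackThis marks registrations whose binary is gone with these tokens."""
    return "(no file)" in target or "(file missing)" in target


def classify(line: str) -> Optional[Finding]:
    """Return a Finding for one log line, or None if the rules have nothing to say."""
    line = line.strip()
    m = re.match(r"^(O\d+) - (.*)$", line)
    if not m:
        return None
    section, body = m.groups()

    # O20 AppInit_DLLs: every DLL listed is loaded into every process that loads
    # user32.dll, i.e. essentially every GUI program, the browser included.
    if section == "O20" and body.startswith("AppInit_DLLs:"):
        dlls = body.split(":", 1)[1].strip()
        if dlls:
            return Finding("high", line, f"AppInit_DLLs loads {dlls} into every user32-linked process")

    # O2 BHO / O3 toolbar: "<kind>: <name> - {CLSID} - <path>"
    if section in ("O2", "O3"):
        parts = [p.strip() for p in body.split(" - ")]
        if len(parts) >= 2:
            name = parts[0].split(":", 1)[1].strip()
            target = parts[-1]
            if _orphaned(target):
                return Finding("low", line, "orphaned registration: the CLSID points at a missing file")
            if name == "(no name)":
                return Finding("medium", line, f"unnamed browser extension loaded from {target}")

    # O4 autostart entries
    if section == "O4":
        m4 = O4_RE.match(body)
        if m4:
            hive, _key, _name, cmd = m4.groups()
            cmd = re.sub(r" \(User '[^']*'\)$", "", cmd)          # drop HJT's user suffix
            exe_m = re.match(r'"([^"]+)"|(\S+)', cmd)             # quoted path or first token
            exe = (exe_m.group(1) or exe_m.group(2)) if exe_m else cmd
            if hive.startswith(SYSTEM_HIVES):
                # Dr. Watson legitimately lives here too; the point is to look, not to delete.
                return Finding("medium", line, "autostart registered in the SYSTEM/Default-user hive; "
                                               "consumer software does not belong there")
            if "\\" not in exe:
                return Finding("low", line, f"{exe} given without a path; verify which binary actually runs")

    # O6: IE restriction policies on a standalone home PC
    if section == "O6":
        return Finding("medium", line, "IE policy restrictions set; unless an admin did this deliberately, treat it as tampering")

    # O8: context-menu items normally point at a res:// resource or a local file
    if section == "O8":
        target = body.rsplit(" - ", 1)[-1].strip()
        if not (target.startswith("res://") or "\\" in target):
            return Finding("low", line, f"context-menu item with an odd target: {target}")

    # O23 services without vendor information
    if section == "O23" and "Unknown owner" in body:
        if _orphaned(body):
            return Finding("low", line, "service entry points at a missing binary; remove the stale service")
        return Finding("low", line, "service binary carries no vendor info; check its signature and hash")

    return None


def triage(log_text: str) -> List[Finding]:
    """Classify every line and return the findings, most severe first."""
    findings = [f for f in (classify(l) for l in log_text.splitlines()) if f]
    return sorted(findings, key=lambda f: SEVERITY_ORDER[f.severity])


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"[{f.severity:>6}] {f.reason}\n         {f.line}")
```

Point `triage()` at a saved HijackThis or DSS main.txt to get the same ordering for a real log. The rules are deliberately conservative: named extensions with an existing file, Run entries with a full path in a user hive, and vendor-signed services produce no finding at all, so the output is a review list, not a removal list.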
Old 01-19-2008, 10:07 PM   #11 (permalink)
Assistant Manager, TSF Academy; Moderator/Analyst Security Team
Join Date: Jan 2005
Location: Ohio
Posts: 24,048
OS: WinXP and Vista


Re: No spyware remover works. Check it out.

Hi Danielle_2008,

This Kaspersky report has a different output than usual. Did you actually install Kaspersky AV? If so, you may as well let it clean what it found.

It's never a good idea to have more than 1 AV installed at one time as they will conflict with one another and cause system issues. What you need to do is uninstall AVG free, and reboot.

Empty your Spybot S&D Recovery. Launch Spybot S&D, and click on Recovery in the left panel. 'Purge' all items.

Now please run a full system scan with Kaspersky and let it clean everything it finds.

------------------------

Run a new scan with dss.exe and post the main.txt along with an update on system behavior.
__________________

Member of ASAP since 2005
Member of UNITE since 2006

"It is one life whether we spend it laughing or weeping." "Take the time to laugh--it is the music of the soul."
Old 01-21-2008, 09:11 PM   #12 (permalink)
Registered User
 
Join Date: Jan 2008
Posts: 14
OS: Windows XP SP2


Re: No spyware remover works. Check it out.

Hello Ried

Attached is the dss scan results. I have also included the list of actions from the Kaspersky 7.0 scan performed last night. I told it to fix everything it found, but I am not sure that was a good idea since I can no longer access the internet from my computer. Neither Internet Explorer nor Firefox will load. My connection is fine as I am sending this info via my laptop over the same wireless connection as my home computer. Kaspersky also appears to have deleted Combofix and I don't know what else. Thanks for your help. By the way, I did uninstall AVG Free and emptied the Spybot recovery items as you suggested.
Attached Files
File Type: txt main.txt (21.1 KB, 1 views)
File Type: txt Kaspersky Report.txt (26.5 KB, 1 views)
Old 01-21-2008, 09:30 PM   #13 (permalink)
Assistant Manager, TSF Academy; Moderator/Analyst Security Team
Join Date: Jan 2005
Location: Ohio
Posts: 24,048
OS: WinXP and Vista


Re: No spyware remover works. Check it out.

Hi,

Download WinsockFix to any removable media. Transfer it to the desktop of the afflicted PC, and unzip it. Then double click on WinsockFix.exe to run it.

Please let me know if that restored the internet for you, as well as any remaining symptoms you're experiencing.
Old 01-22-2008, 08:30 PM   #14 (permalink)
Registered User
 
Join Date: Jan 2008
Posts: 14
OS: Windows XP SP2


Re: No spyware remover works. Check it out.

Well, I have my internet back. It appeared to be related to some instability with Kaspersky and Cox Security Suite Parental Control. It took me a few tries, but I finally uninstalled Cox as well as SUPERAntiSpyware. I haven't had too much access to the system since repairing all this stuff, but I am still getting the rond.starsdoor pop ups. That's all I notice at this time.
Old 01-22-2008, 08:56 PM   #15 (permalink)
Assistant Manager, TSF Academy; Moderator/Analyst Security Team
Join Date: Jan 2005
Location: Ohio
Posts: 24,048
OS: WinXP and Vista


Re: No spyware remover works. Check it out.

Please run a new scan with dss.exe and post the main.txt
Old 01-23-2008, 07:32 PM   #16 (permalink)
Registered User
 
Join Date: Jan 2008
Posts: 14
OS: Windows XP SP2


Re: No spyware remover works. Check it out.

Ried

Attached is the main.txt from the latest dss. Still seeing popups, more so on Internet Explorer than Firefox.

Deckard's System Scanner v20071014.68
Run by David Porter on 2008-01-23 21:24:43
Computer is in Normal Mode.
--------------------------------------------------------------------------------

System Drive C: has 9.64 GiB (less than 15%) free.


-- HijackThis (run as David Porter.exe) ----------------------------------------

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 9:24:47 PM, on 1/23/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16574)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\system32\brsvc01a.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\brss01a.exe
C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 7.0\avp.exe
C:\WINDOWS\system32\Brmfrmps.exe
C:\WINDOWS\system32\LxrJD31s.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\Program Files\Pinnacle\MediaServer\Microsoft SQL Server\MSSQL$PINNACLESYS\Binn\sqlservr.exe
C:\WINDOWS\System32\svchost.exe
c:\program files\pinnacle\shared files\programs\mediaserver\pmshost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 7.0\avp.exe
C:\Program Files\Dot1XCfg\Dot1XCfg.exe
C:\Program Files\internet explorer\iexplore.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Documents and Settings\David Porter\Desktop\dss.exe
C:\PROGRA~1\TRENDM~1\HIJACK~1\DAVIDP~1.EXE

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {3C7195F6-D788-4D50-BA72-2EE212EDAC78} - (no file)
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar3.dll
O2 - BHO: Adobe PDF Conversion Toolbar Helper - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll
O2 - BHO: Ask Toolbar BHO - {F0D4B231-DA4B-4daf-81E4-DFEE4931A4AA} - C:\Program Files\AskSBar\bar\1.bin\ASKSBAR.DLL
O2 - BHO: (no name) - {FC1B64D9-3499-4791-82D5-AABAC3FAEA45} - C:\WINDOWS\system32\iifghfe.dll (file missing)
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar3.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: Ask Toolbar - {F0D4B239-DA4B-4daf-81E4-DFEE4931A4AA} - C:\Program Files\AskSBar\bar\1.bin\ASKSBAR.DLL
O3 - Toolbar: (no name) - {2C0A5F28-48D8-408B-9172-9C6121025BCE} - (no file)
O4 - HKLM\..\Run: [CTXFIREG] CTxfiReg.exe
O4 - HKLM\..\Run: [SetDefPrt] C:\Program Files\Brother\Brmfl04a\BrStDvPt.exe
O4 - HKLM\..\Run: [ControlCenter2.0] C:\Program Files\Brother\ControlCenter2\brctrcen.exe /autorun
O4 - HKLM\..\Run: [AVP] "C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 7.0\avp.exe"
O4 - HKCU\..\Run: [H/PC Connection Agent] "C:\PROGRA~1\MICROS~4\wcescomm.exe"
O4 - HKCU\..\Run: [WMPNSCFG] C:\Program Files\Windows Media Player\WMPNSCFG.exe
O4 - HKCU\..\Run: [Dot1XCfg] C:\Program Files\Dot1XCfg\Dot1XCfg.exe
O4 - HKCU\..\RunServicesOnce: [washindex] C:\Program Files\Washer\washidx.exe
O4 - HKUS\S-1-5-18\..\Run: [DWQueuedReporting] "C:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" -t (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\Run: [MySpaceIM] C:\Program Files\MySpace\IM\MySpaceIM.exe (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\RunOnce: [RunNarrator] Narrator.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [DWQueuedReporting] "C:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" -t (User 'Default user')
O4 - HKUS\.DEFAULT\..\RunOnce: [RunNarrator] Narrator.exe (User 'Default user')
O4 - Global Startup: Exif Launcher 2.lnk = ?
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: Monitor.lnk = C:\Program Files\SanDisk\SanDisk TransferMate\SD Monitor.exe
O4 - Global Startup: Status Monitor.lnk = C:\Program Files\Brother\Brmfcmon\BrMfcWnd.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: &Search - ?p=ZSYYYYYYYYUS
O8 - Extra context menu item: Convert link target to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert link target to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert selected links to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
O8 - Extra context menu item: Convert selected links to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
O8 - Extra context menu item: Convert selection to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert selection to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: Web Anti-Virus statistics - {1F460357-8A94-4D71-9CA3-AA4ACF32ED8E} - C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 7.0\SCIEPlgn.dll
O9 - Extra button: ATI TV - {44226DFF-747E-4edc-B30C-78752E50CD0C} - C:\Program Files\ATI Multimedia\dtv\EXPLBAR.DLL
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Active Whois - {BAB9A4F4-C201-4fcf-A5D3-BA77BC9FBEB2} - C:\Program Files\Active Whois\ieshow.exe
O9 - Extra 'Tools' menuitem: Active Whois - {BAB9A4F4-C201-4fcf-A5D3-BA77BC9FBEB2} - C:\Program Files\Active Whois\ieshow.exe
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra button: (no name) - SolidConverterPDF - (no file) (HKCU)
O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {0A5FD7C5-A45C-49FC-ADB5-9952547D5715} (Creative Software AutoUpdate) - http://www.creative.com/su/ocx/15015/CTSUEng.cab
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/eng/par...an_unicode.cab
O16 - DPF: {1239CC52-59EF-4DFA-8C61-90FFA846DF7E} (Musicnotes Viewer) - http://www.musicnotes.com/download/mnviewer.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {1B4F9DD7-2D7C-44B5-9126-73206DA0AE75} (CNavigationManager Object) - http://www3.authentium.com/cssrelease/bin/wizard.exe
O16 - DPF: {2AF5BD25-90C5-4EEC-88C5-B44DC2905D8B} (DownloadManager Control) - http://dlm.tools.akamai.com/dlmanage...ex-2.2.0.5.cab
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/S...in/AvSniff.cab
O16 - DPF: {4C39376E-FA9D-4349-BACC-D305C1750EF3} (EPUImageControl Class) - http://tools.ebayimg.com/eps/wl/acti..._v1-0-3-36.cab
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/S.../bin/cabsa.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsof...?1145321512640
O16 - DPF: {6F750202-1362-4815-A476-88533DE61D0C} (Kodak Gallery Easy Upload Manager Class) - http://www.kodakgallery.com/download...2/axofupld.cab
O16 - DPF: {917623D1-D8E5-11D2-BE8B-00104B06BDE3} (CamImage Class) - http://24.249.81.101/AxisCamControl.ocx
O16 - DPF: {F6ACF75C-C32C-447B-9BEF-46B766368D29} (Creative Software AutoUpdate Support Package) - http://www.creative.com/su/ocx/15023/CTPID.cab
O20 - AppInit_DLLs: sfklg.dll
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: Kaspersky Anti-Virus 7.0 (AVP) - Kaspersky Lab - C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 7.0\avp.exe
O23 - Service: Brother Popup Suspend service for Resource manager (brmfrmps) - Brother Industries, Ltd. - C:\WINDOWS\system32\Brmfrmps.exe
O23 - Service: BrSplService (Brother XP spl Service) - brother Industries Ltd - C:\WINDOWS\system32\brsvc01a.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: Lexar JD31 (LxrJD31s) - Unknown owner - C:\WINDOWS\SYSTEM32\LxrJD31s.exe
O23 - Service: Lexar SG20 (LxrSG20s) - Unknown owner - C:\WINDOWS\SYSTEM32\LxrSG20s.exe
O23 - Service: PACSPTISVR - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\PACSPTISVR.exe
O23 - Service: Pinnacle Systems Media Service (PinnacleSys.MediaServer) - Pinnacle Systems - c:\program files\pinnacle\shared files\programs\mediaserver\pmshost.exe
O23 - Service: Sony SPTI Service (SPTISRV) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\SPTISRV.exe
O23 - Service: X10 Device Network Service (x10nets) - Unknown owner - C:\PROGRA~1\ATIMUL~1\RemCtrl\x10nets.exe (file missing)

--
End of file - 11072 bytes

-- Files created between 2007-12-23 and 2008-01-23 -----------------------------

2008-01-20 22:51:23 91492 --a------ C:\WINDOWS\system32\drivers\klin.dat
2008-01-20 22:51:23 85860 --a------ C:\WINDOWS\system32\drivers\klick.dat
2008-01-20 22:50:23 0 d-------- C:\Program Files\Kaspersky Lab
2008-01-20 22:41:00 0 d-------- C:\Documents and Settings\All Users\Application Data\AVG7
2008-01-20 19:24:30 0 d-------- C:\Documents and Settings\All Users\Application Data\Kaspersky Lab
2008-01-20 19:24:28 0 d-------- C:\WINDOWS\system32\Kaspersky Lab
2008-01-18 18:35:01 55840 --ahs---- C:\WINDOWS\system32\drivers\fidbox2.dat
2008-01-18 18:35:01 12232224 --ahs---- C:\WINDOWS\system32\drivers\fidbox.dat
2008-01-18 18:25:48 0 d-------- C:\KAV
2008-01-16 19:12:49 0 d-------- C:\WINDOWS\ERUNT
2008-01-15 19:05:41 0 d-------- C:\cmdcons
2008-01-13 19:40:40 0 d-------- C:\Documents and Settings\Rodney\Application Data\Grisoft
2008-01-13 11:07:31 2230 --a------ C:\WINDOWS\system32\tmp.reg
2008-01-12 12:25:23 0 d-------- C:\Documents and Settings\All Users\Application Data\Grisoft
2008-01-11 17:18:25 0 d-------- C:\Documents and Settings\All Users\Application Data\Lavasoft
2008-01-10 22:03:09 0 d-------- C:\Program Files\Dot1XCfg
2008-01-09 22:15:14 147456 --a------ C:\WINDOWS\system32\vbzip10.dll <Not Verified; Info-ZIP; Info-ZIP's WiZ>
2008-01-09 22:10:10 0 d-a------ C:\Documents and Settings\All Users\Application Data\TEMP
2008-01-05 15:01:42 0 d-------- C:\Documents and Settings\All Users\Application Data\Authentium
2008-01-05 15:00:23 0 d-------- C:\Program Files\Cox
2008-01-05 14:40:54 0 d-------- C:\Program Files\Common Files\Authentium Shared
2007-12-29 14:51:25 0 d-------- C:\Documents and Settings\Guest\Application Data\Sun
2007-12-26 1924 0 d-------- C:\Documents and Settings\Guest\Application Data\MySpace
2007-12-26 12:35:20 0 d-------- C:\Documents and Settings\Alex.UF-C96DFVV58QFI\Application Data\Real


-- Find3M Report ---------------------------------------------------------------

2008-01-22 22:18:06 0 d-------- C:\Documents and Settings\David Porter\Application Data\SUPERAntiSpyware.com
2008-01-22 22:15:46 0 d-------- C:\Program Files\Common Files\Wise Installation Wizard
2008-01-22 22:15:43 0 d-------- C:\Program Files\SUPERAntiSpyware
2008-01-22 21:50:40 0 d-------- C:\Program Files\Common Files
2008-01-21 01:24:53 0 d-------- C:\Program Files\Ares
2008-01-16 21:01:48 0 d-------- C:\Program Files\QuickTime
2008-01-16 20:19:14 0 d-------- C:\Program Files\Windows NT
2008-01-12 08:39:59 1362920 --a------ C:\WINDOWS\system32\sfklg.dat
2008-01-11 18:28:53 0 d-------- C:\Program Files\Messenger
2008-01-11 17:18:25 0 d-------- C:\Program Files\Lavasoft
2008-01-11 17:04:08 0 d-------- C:\Documents and Settings\David Porter\Application Data\FrostWire
2008-01-11 16:50:53 0 d-------- C:\Program Files\Common Files\Symantec Shared
2008-01-10 22:42:14 0 d-------- C:\Program Files\FrostWire
2008-01-09 13:51:17 0 d-------- C:\Program Files\Incomplete
2008-01-06 07:51:32 0 d-------- C:\Program Files\FinePixViewer
2007-12-19 21:09:39 77360 --a------ C:\WINDOWS\system32\dcads_sidebar_uninstall.exe
2007-12-19 18:44:51 469600 --a------ C:\Documents and Settings\David Porter\Application Data\GDIPFONTCACHEV1.DAT
2007-12-18 22:07:11 0 d-------- C:\Documents and Settings\David Porter\Application Data\HouseCall 6.6
2007-12-18 21:29:41 0 d-------- C:\Program Files\Trend Micro
2007-12-18 19:22:39 0 d-------- C:\Program Files\Spytech Software
2007-12-18 19:22:39 0 d-------- C:\Program Files\Motive
2007-12-16 19:58:48 0 d-------- C:\Program Files\Alienrazor Interactive
2007-12-13 14:07:08 3856 --a------ C:\WINDOWS\crmtemp1.dat
2007-12-02 16:16:45 0 d-------- C:\Program Files\AskSBar
2007-12-01 22:43:35 0 d-------- C:\Documents and Settings\David Porter\Application Data\MP3Rocket
2007-12-01 22:35:50 0 d-------- C:\Program Files\PFConfig
2007-12-01 20:25:16 0 d-------- C:\Program Files\Java
2007-11-28 20:29:41 0 d-------- C:\Program Files\Google
2007-11-27 22:55:05 0 d--h----- C:\Program Files\InstallShield Installation Information
2007-11-27 22:53:47 0 d-------- C:\Program Files\tunebite
2007-11-27 22:53:23 0 d-------- C:\Program Files\Pegasys Inc
2007-11-27 22:44:58 0 d-------- C:\Program Files\Hunting Unlimited
2007-11-27 22:42:29 0 d-------- C:\Program Files\321Studios
2007-11-27 22:40:54 0 d-------- C:\Program Files\AviSynth 2.5
2007-11-27 22:40:16 0 d-------- C:\Program Files\DeductionPro 2006
2007-11-27 22:39:12 0 d-------- C:\Program Files\Zittware
2007-11-27 22:35:47 0 d-------- C:\Program Files\3D Live Pool


-- Registry Dump ---------------------------------------------------------------

*Note* empty entries & legit default entries are not shown


[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{F0D4B231-DA4B-4daf-81E4-DFEE4931A4AA}]
12/02/2007 04:16 PM 267592 --a------ C:\Program Files\AskSBar\bar\1.bin\ASKSBAR.DLL

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{FC1B64D9-3499-4791-82D5-AABAC3FAEA45}]
C:\WINDOWS\system32\iifghfe.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"CTXFIREG"="CTxfiReg.exe" []
"SetDefPrt"="C:\Program Files\Brother\Brmfl04a\BrStDvPt.exe" [01/12/2008 12:18 PM]
"ControlCenter2.0"="C:\Program Files\Brother\ControlCenter2\brctrcen.exe" [01/12/2008 12:18 PM]
"Auto Run Software for Photo Frame"="" []
"AVP"="C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 7.0\avp.exe" [12/18/2007 12:43 AM]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ATI Launchpad"="" []
"H/PC Connection Agent"="C:\PROGRA~1\MICROS~4\wcescomm.exe" []
"Aim6"="" []
"WMPNSCFG"="C:\Program Files\Windows Media Player\WMPNSCFG.exe" []
"Dot1XCfg"="C:\Program Files\Dot1XCfg\Dot1XCfg.exe" [01/12/2008 12:18 PM]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\runservicesonce]
"washindex"=C:\Program Files\Washer\washidx.exe

[HKEY_USERS\.default\software\microsoft\windows\currentversion\runonce]
"RunNarrator"=Narrator.exe

[HKEY_USERS\.default\software\microsoft\windows\currentversion\run]
"DWQueuedReporting"="C:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" -t
"MySpaceIM"=C:\Program Files\MySpace\IM\MySpaceIM.exe

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Exif Launcher 2.lnk - C:\Program Files\FinePixViewer\QuickDCF2.exe [12/28/2006 5:19:06 PM]
Microsoft Office.lnk - C:\Program Files\Microsoft Office\Office10\OSA.EXE [2/13/2001 1:01:04 AM]
Monitor.lnk - C:\Program Files\SanDisk\SanDisk TransferMate\SD Monitor.exe [1/17/2007 7:31:46 PM]
Status Monitor.lnk - C:\Program Files\Brother\Brmfcmon\BrMfcWnd.exe [3/4/2007 5:42:12 PM]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]
"DisableRegistryTools"=0 (0x0)
"DisableTaskMgr"=0 (0x0)

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"appinit_dlls"=sfklg.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\aawservice]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\vds]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{533C5B84-EC70-11D2-9505-00C04F79DEAF}]
@="Volume shadow copy"


[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\swg]
C:\Program Files\Google\GoogleToolbarNotifier\1.2.908.5008\GoogleToolbarNotifier.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\UserFaultCheck]
%systemroot%\system32\dumprep 0 -u

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"UStorage Server Service"=2 (0x2)
"Symantec Core LC"=2 (0x2)
"service"=2 (0x2)
"bgsvcgen"=2 (0x2)
"AresChatServer"=3 (0x3)

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run-]
"SpybotSD TeaTimer"=C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe




-- End of Deckard's System Scanner: finished at 2008-01-23 21:25:35 ------------
Attached Files
File Type: txt main.txt (19.4 KB, 2 views)

Last edited by Ried; 01-23-2008 at 08:23 PM.
Old 01-24-2008, 06:38 PM   #17 (permalink)
Assistant Manager, TSF Academy; Moderator/Analyst Security Team
 
Join Date: Jan 2005
Location: Ohio
Posts: 24,048
OS: WinXP and Vista


Re: No spyware remover works. Check it out.

Hi Danielle_2008,

Your copy of ComboFix.exe is about to expire. Please delete ComboFix.exe and download a current version from one of the links below and save it to your desktop.

Link 1
Link 2
Link 3

**Note: It is important that it is saved directly to your desktop**

--------------------------------------------------------------------

1. Disconnect from the internet.

2. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

--------------------------------------------------------------------

Open notepad and copy/paste the text in the code box below into it:

Code:
File::
C:\WINDOWS\system32\drivers\usbintell.sys
C:\WINDOWS\system32\dcads_sidebar_uninstall.exe
C:\WINDOWS\crmtemp1.dat

Driver::
usbintell

Registry::
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{FC1B64D9-3499-4791-82D5-AABAC3FAEA45}]

Save this as CFScript.txt, in the same location as ComboFix.exe




Referring to the picture above, drag CFScript into ComboFix.exe

When finished, it shall produce a log for you at C:\ComboFix.txt

--------------------------------------------------------------------

Go here to run an online scanner from ESET.
  • Note: You will need to use Internet Explorer for this scan
  • Tick the box next to YES, I accept the Terms of Use.
  • Click Start
  • When asked, allow the ActiveX control to install
  • Click Start
  • Make sure that the option Remove found threats is unticked, and the option Scan unwanted applications is checked
  • Click Scan
  • Wait for the scan to finish
  • Use notepad to open the logfile located at C:\Program Files\EsetOnlineScanner\log.txt
  • Copy and paste that log as a reply to this topic along with the C:\ComboFix.txt and an update on system behavior.
__________________

Member of ASAP since 2005
Member of UNITE since 2006

"It is one life whether we spend it laughing or weeping." "Take the time to laugh--it is the music of the soul."
Old 01-25-2008, 04:20 AM   #18 (permalink)
Registered User
 
Join Date: Jan 2008
Posts: 14
OS: Windows XP SP2


Re: No spyware remover works. Check it out.

Hi Ried

Attached are the scan results you requested. Using Firefox, I haven't seen any pop-up ads. However, nothing has changed using Internet Explorer. I continue to see pop ups from "rond.starsdoor".

Danielle
Attached Files
File Type: txt ComboFix.txt (12.2 KB, 1 views)
File Type: txt ESET_log.txt (2.0 KB, 2 views)
Old 01-25-2008, 08:27 AM   #19 (permalink)
Assistant Manager, TSF Academy; Moderator/Analyst Security Team
 
Join Date: Jan 2005
Location: Ohio
Posts: 24,048
OS: WinXP and Vista


Re: No spyware remover works. Check it out.

Ack..I missed one, sorry about that.

1. Close any open browsers.

2. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

---------------------------------------------------------------------

Open notepad and copy/paste the text in the code box below into it:

Code:
Folder::
C:\Program Files\Dot1XCfg

Save this as CFScript.txt, in the same location as ComboFix.exe




Referring to the picture above, drag CFScript into ComboFix.exe

When finished, it shall produce a log for you at C:\ComboFix.txt

Note:
Do not mouse-click ComboFix's window whilst it's running. That may cause it to stall.


--------------------------------------------------------------------

Post the C:\ComboFix.txt. Are the pop ups gone now?
Old 01-25-2008, 08:31 PM   #20 (permalink)
Registered User
 
Join Date: Jan 2008
Posts: 14
OS: Windows XP SP2


Re: No spyware remover works. Check it out.

Hello Ried

Attached is my latest ComboFix.txt

This evening my computer shut down and locked up every time I tried to log on. I would reboot in Safe Mode OK, but when I tried a normal boot, it would freeze during logon again. Eventually I did a System Restore to a point set prior to last night's ComboFix run and it booted normally. I re-ran ComboFix including the code from last night with the code you told me to run in your last reply (i.e., Folder:: C:\Program Files\Dot1XCfg). I re-booted several times normally with no problems. Also, I have seen no popups on Internet Explorer or Firefox. My computer seems to be running fine now. Is it clean of spyware now?

ComboFix 08-01-23.1C - David Porter 2008-01-25 20:56:58.5 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.603 [GMT -6:00]
Running from: C:\Documents and Settings\David Porter\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\David Porter\Desktop\CFScript.txt
* Created a new restore point

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!

FILE
C:\WINDOWS\crmtemp1.dat
C:\WINDOWS\system32\dcads_sidebar_uninstall.exe
C:\WINDOWS\system32\drivers\usbintell.sys
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Program Files\Dot1XCfg
C:\Program Files\Dot1XCfg\Dot1XCfg.exe
C:\WINDOWS\system32\dcads_sidebar_uninstall.exe

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))

.
-------\LEGACY_USBINTELL
-------\usbintell


((((((((((((((((((((((((( Files Created from 2007-12-26 to 2008-01-26 )))))))))))))))))))))))))))))))
.

2008-01-24 22:13 . 2008-01-25 00:23 <DIR> d-------- C:\Program Files\EsetOnlineScanner
2008-01-20 22:51 . 2008-01-20 22:51 91,492 --a------ C:\WINDOWS\system32\drivers\klin.dat
2008-01-20 22:51 . 2008-01-20 22:51 85,860 --a------ C:\WINDOWS\system32\drivers\klick.dat
2008-01-20 22:50 . 2008-01-20 22:50 <DIR> d-------- C:\Program Files\Kaspersky Lab
2008-01-20 19:24 . 2008-01-20 19:24 <DIR> d-------- C:\WINDOWS\system32\Kaspersky Lab
2008-01-18 18:35 . 2008-01-25 21:09 26,591,520 --ahs---- C:\WINDOWS\system32\drivers\fidbox.dat
2008-01-18 18:35 . 2008-01-25 21:05 359,228 --ahs---- C:\WINDOWS\system32\drivers\fidbox.idx
2008-01-18 18:35 . 2008-01-25 21:09 69,152 --ahs---- C:\WINDOWS\system32\drivers\fidbox2.dat
2008-01-18 18:35 . 2008-01-25 21:05 8,552 --ahs---- C:\WINDOWS\system32\drivers\fidbox2.idx
2008-01-18 18:25 . 2008-01-20 22:49 <DIR> d-------- C:\KAV
2008-01-16 19:12 . 2008-01-16 19:13 <DIR> d-------- C:\WINDOWS\ERUNT
2008-01-15 19:05 . 2004-08-03 23:00 260,272 --a------ C:\cmldr
2008-01-15 19:05 . 2008-01-15 16:02 211 --a------ C:\Boot.bak
2008-01-15 19:02 . 2000-08-31 08:00 51,200 --a------ C:\WINDOWS\NirCmd.exe
2008-01-14 20:58 . 2008-01-14 20:58 <DIR> d-------- C:\Deckard
2008-01-13 11:07 . 2008-01-13 11:07 2,230 --a------ C:\WINDOWS\system32\tmp.reg
2008-01-11 17:03 . 2008-01-11 17:03 54,156 --ah----- C:\WINDOWS\QTFont.qfn
2008-01-11 17:03 . 2008-01-11 17:03 1,409 --a------ C:\WINDOWS\QTFont.for
2008-01-09 22:15 . 2008-01-09 22:15 147,456 --a------ C:\WINDOWS\system32\vbzip10.dll
2008-01-05 15:00 . 2008-01-05 15:00 <DIR> d-------- C:\Program Files\Cox
2008-01-05 14:40 . 2008-01-22 21:51 <DIR> d-------- C:\Program Files\Common Files\Authentium Shared

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-01-23 04:15 --------- d-----w C:\Program Files\SUPERAntiSpyware
2008-01-23 04:15 --------- d-----w C:\Program Files\Common Files\Wise Installation Wizard
2008-01-21 07:24 --------- d-----w C:\Program Files\Ares
2008-01-17 03:01 --------- d-----w C:\Program Files\QuickTime
2008-01-11 23:18 --------- d-----w C:\Program Files\Lavasoft
2008-01-11 22:50 --------- d-----w C:\Program Files\Common Files\Symantec Shared
2008-01-11 04:42 --------- d-----w C:\Program Files\FrostWire
2008-01-09 19:51 --------- d-----w C:\Program Files\Incomplete
2008-01-06 13:51 --------- d-----w C:\Program Files\FinePixViewer
2007-12-19 03:29 --------- d-----w C:\Program Files\Trend Micro
2007-12-19 01:22 --------- d-----w C:\Program Files\Spytech Software
2007-12-19 01:22 --------- d-----w C:\Program Files\Motive
2007-12-18 06:43 23,396 ----a-w C:\WINDOWS\system32\drivers\klopp.dat
2007-12-17 01:58 --------- d-----w C:\Program Files\Alienrazor Interactive
2007-12-13 19:28 24,592 ----a-w C:\WINDOWS\system32\drivers\klim5.sys
2007-12-02 22:16 --------- d-----w C:\Program Files\AskSBar
2007-12-02 04:35 --------- d-----w C:\Program Files\PFConfig
2007-12-02 02:25 --------- d-----w C:\Program Files\Java
2007-11-29 02:29 --------- d-----w C:\Program Files\Google
2007-11-28 04:55 --------- d--h--w C:\Program Files\InstallShield Installation Information
2007-11-28 04:53 --------- d-----w C:\Program Files\tunebite
2007-11-28 04:53 --------- d-----w C:\Program Files\Pegasys Inc
2007-11-28 04:44 --------- d-----w C:\Program Files\Hunting Unlimited
2007-11-28 04:42 --------- d-----w C:\Program Files\321Studios
2007-11-28 04:40 --------- d-----w C:\Program Files\DeductionPro 2006
2007-11-28 04:40 --------- d-----w C:\Program Files\AviSynth 2.5
2007-11-28 04:39 --------- d-----w C:\Program Files\Zittware
2007-11-28 04:35 --------- d-----w C:\Program Files\3D Live Pool
2005-12-19 17:34 56 --sh--r C:\WINDOWS\system32\3676101CED.sys
.

((((((((((((((((((((((((((((( snapshot_2008-01-16_21.15.41.75 )))))))))))))))))))))))))))))))))))))))))
.
- 2008-01-17 02:57:45 245,760 ----a-w C:\WINDOWS\erdnt\Hiv-backup\Users\00000001\ntuser.dat
+ 2008-01-26 02:55:24 245,760 ----a-w C:\WINDOWS\erdnt\Hiv-backup\Users\00000001\ntuser.dat
- 2008-01-17 02:57:45 12,288 ----a-w C:\WINDOWS\erdnt\Hiv-backup\Users\00000002\UsrClass.dat
+ 2008-01-26 02:55:25 12,288 ----a-w C:\WINDOWS\erdnt\Hiv-backup\Users\00000002\UsrClass.dat
- 2008-01-17 02:57:45 245,760 ----a-w C:\WINDOWS\erdnt\Hiv-backup\Users\00000003\ntuser.dat
+ 2008-01-26 02:55:25 245,760 ----a-w C:\WINDOWS\erdnt\Hiv-backup\Users\00000003\ntuser.dat
- 2008-01-17 02:57:45 12,288 ----a-w C:\WINDOWS\erdnt\Hiv-backup\Users\00000004\UsrClass.dat
+ 2008-01-26 02:55:25 12,288 ----a-w C:\WINDOWS\erdnt\Hiv-backup\Users\00000004\UsrClass.dat
- 2008-01-17 02:57:46 10,121,216 ----a-w C:\WINDOWS\erdnt\Hiv-backup\Users\00000005\ntuser.dat
+ 2008-01-26 02:55:25 10,141,696 ----a-w C:\WINDOWS\erdnt\Hiv-backup\Users\00000005\ntuser.dat
- 2008-01-17 02:57:46 450,560 ----a-w C:\WINDOWS\erdnt\Hiv-backup\Users\00000006\UsrClass.dat
+ 2008-01-26 02:55:25 450,560 ----a-w C:\WINDOWS\erdnt\Hiv-backup\Users\00000006\UsrClass.dat
- 2004-10-21 01:03:04 16,384 -c----w C:\WINDOWS\system32\config\systemprofile\Cookies\index.dat
+ 2008-01-26 02:29:22 16,384 -c----w C:\WINDOWS\system32\config\systemprofile\Cookies\index.dat
- 2004-10-21 01:03:04 32,768 -c----w C:\WINDOWS\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat
+ 2008-01-26 02:29:22 32,768 -c----w C:\WINDOWS\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat
+ 2008-01-26 02:29:22 32,768 --sha-w C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\index.dat
+ 2007-10-31 19:41:16 110,096 ----a-w C:\WINDOWS\system32\drivers\kl1.sys
+ 2007-12-19 20:49:38 194,832 ----a-w C:\WINDOWS\system32\drivers\klif.sys
+ 2007-12-18 06:44:54 219,664 ----a-w C:\WINDOWS\system32\klogon.dll
- 2007-12-19 01:22:50 1,981,364 ----a-w C:\WINDOWS\system32\Restore\rstrlog.dat
+ 2008-01-26 02:25:58 248,588 ----a-w C:\WINDOWS\system32\Restore\rstrlog.dat
+ 2008-01-25 22:21:58 16,384 ----atw C:\WINDOWS\Temp\Perflib_Perfdata_6cc.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{F0D4B231-DA4B-4daf-81E4-DFEE4931A4AA}]
2007-12-02 16:16 267592 --a------ C:\Program Files\AskSBar\bar\1.bin\ASKSBAR.DLL

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
{2318C2B1-4965-11D4-9B18-009027A5CD4F}
{47833539-D0C5-4125-9FA8-0819E2EAAC93}
{F0D4B239-DA4B-4DAF-81E4-DFEE4931A4AA}
{2C0A5F28-48D8-408B-9172-9C6121025BCE}

[HKEY_CLASSES_ROOT\clsid\{f0d4b239-da4b-4daf-81e4-dfee4931a4aa}]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ATI Launchpad"="" []
"H/PC Connection Agent"="C:\PROGRA~1\MICROS~4\wcescomm.exe" [ ]
"Aim6"="" []
"WMPNSCFG"="C:\Program Files\Windows Media Player\WMPNSCFG.exe" [ ]
"Dot1XCfg"="C:\Program Files\Dot1XCfg\Dot1XCfg.exe" [ ]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServicesOnce]
"washindex"="C:\Program Files\Washer\washidx.exe" [ ]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"CTXFIREG"="CTxfiReg.exe" []
"SetDefPrt"="C:\Program Files\Brother\Brmfl04a\BrStDvPt.exe" [2008-01-12 12:18 49152]
"ControlCenter2.0"="C:\Program Files\Brother\ControlCenter2\brctrcen.exe" [2008-01-12 12:18 851968]
"Auto Run Software for Photo Frame"="" []

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"DWQueuedReporting"="C:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" [2005-04-25 12:45 36040]
"MySpaceIM"="C:\Program Files\MySpace\IM\MySpaceIM.exe" [2007-08-13 18:04 5562368]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"RunNarrator"="Narrator.exe" [2006-10-04 02:48 53760 C:\WINDOWS\system32\narrator.exe]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Exif Launcher 2.lnk - C:\Program Files\FinePixViewer\QuickDCF2.exe [2006-12-28 17:19:06 294912]
Microsoft Office.lnk - C:\Program Files\Microsoft Office\Office10\OSA.EXE [2001-02-13 01:01:04 83360]
Monitor.lnk - C:\Program Files\SanDisk\SanDisk TransferMate\SD Monitor.exe [2007-01-17 19:31:46 114688]
Status Monitor.lnk - C:\Program Files\Brother\Brmfcmon\BrMfcWnd.exe [2007-03-04 17:42:12 819200]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=sfklg.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\swg]
C:\Program Files\Google\GoogleToolbarNotifier\1.2.908.5008\GoogleToolbarNotifier.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\UserFaultCheck]
C:\WINDOWS\system32\dumprep 0 -u

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"UStorage Server Service"=2 (0x2)
"Symantec Core LC"=2 (0x2)
"service"=2 (0x2)
"bgsvcgen"=2 (0x2)
"AresChatServer"=3 (0x3)

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run-]
"SpybotSD TeaTimer"=C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe

R1 VIAPFD;VIAPFD;C:\WINDOWS\system32\Drivers\VIAPFD.SYS [2001-12-18 08:45]
R2 CINEMSUP;Software Cinemaster NT4.0 Driver;C:\WINDOWS\system32\DRIVERS\CINEMSUP.SYS [2002-01-08 10:16]
R2 ousbehci;%OWC_USBEHCD.DeviceDesc%;C:\WINDOWS\system32\Drivers\ousbehci.sys [2002-01-31 17:39]
R3 DLKRTS;D-Link DFE-538TX 10/100 Adapter;C:\WINDOWS\system32\DRIVERS\DLKRTS.SYS [2002-06-23 22:31]
R3 klim5;Kaspersky Anti-Virus NDIS Filter;C:\WINDOWS\system32\DRIVERS\klim5.sys [2007-12-13 13:28]
R3 ousb2hub;OrangeWare USB 2.0 Root Hub Support;C:\WINDOWS\system32\DRIVERS\ousb2hub.sys [2002-01-31 17:39]
R3 st3bus28;st3bus28;C:\WINDOWS\system32\DRIVERS\st3bus28.sys [2002-12-28 11:16]
R3 st3mp28;st3mp28;C:\WINDOWS\system32\DRIVERS\st3mp28.sys [2002-12-28 11:16]
S0 c2scsi;c2scsi;C:\WINDOWS\system32\DRIVERS\c2scsi.sys []
S0 ElbyVCD;ElbyVCD;C:\WINDOWS\system32\DRIVERS\ElbyVCD.sys []
S3 BrScnUsb;Brother USB Still Image driver;C:\WINDOWS\system32\Drivers\BrScnUsb.sys [2003-12-19 21:15]
S3 BrSerIf;Brother MFC Serial Port Interface WDM Driver;C:\WINDOWS\system32\Drivers\BrSerIf.sys [2004-06-12 05:27]
S3 BrUsbSer;Brother MFC USB Serial WDM Driver;C:\WINDOWS\system32\Drivers\BrUsbSer.sys [2004-01-10 04:28]
S3 LxrSG20d;LxrSG20d;C:\WINDOWS\system32\Drivers\LxrSG20d.sys [2005-08-29 14:07]
S3 p17filt;p17filt;C:\WINDOWS\system32\drivers\p17filt.sys []
S3 SQLWriter;SQL Server VSS Writer;"C:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe" [2005-10-14 02:53]
S3 VICHW00;VICHW00;C:\WINDOWS\SYSTEM32\DRIVERS\VICHW00.SYS []

.
**************************************************************************

catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-01-25 21:10:29
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2008-01-25 21:18:11 - machine was rebooted [David Porter]
ComboFix-quarantined-files.txt 2008-01-26 03:18:03
ComboFix2.txt 2008-01-17 03:16:10
ComboFix3.txt 2008-01-16 01:40:01
ComboFix4.txt 2007-12-22 00:56:28
ComboFix5.txt 2007-12-22 00:44:20
.
2008-01-10 03:59:57 --- E O F ---
Attached Files
File Type: txt ComboFix.txt (12.3 KB, 3 views)

Last edited by Ried; 01-25-2008 at 08:36 PM.
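The DSS and ComboFix registry dumps in this thread are what the analyst reads by hand to pick out entries such as the BHO that points at a bare DLL in system32 and the sfklg.dll value in AppInit_DLLs. The script below is an added example written for this page, not code from the thread, from ComboFix or from DSS: it runs the same kind of triage over a constructed excerpt of those dumps. It assumes the log conventions visible on the page, namely that a Browser Helper Objects key is followed by one line describing its DLL, that a Run value is followed by a bracketed date and size when the tool could verify the file and by empty brackets when it could not, and that AppInit_DLLs, which Windows loads into every process that links user32.dll, is normally empty on a home PC. The finding labels and the heuristics are my own.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample: a few lines excerpted from the DSS / ComboFix
# "Reg Loading Points" dumps posted in this thread, not the full logs.
SAMPLE_LOG = r"""
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{F0D4B231-DA4B-4daf-81E4-DFEE4931A4AA}]
2007-12-02 16:16 267592 --a------ C:\Program Files\AskSBar\bar\1.bin\ASKSBAR.DLL

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{FC1B64D9-3499-4791-82D5-AABAC3FAEA45}]
C:\WINDOWS\system32\iifghfe.dll

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ATI Launchpad"="" []
"Dot1XCfg"="C:\Program Files\Dot1XCfg\Dot1XCfg.exe" [ ]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SetDefPrt"="C:\Program Files\Brother\Brmfl04a\BrStDvPt.exe" [2008-01-12 12:18 49152]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=sfklg.dll
"""

KEY_RE = re.compile(r"^\[(.+)\]$")                      # [HKEY_...\Sub\Key]
RUN_RE = re.compile(r'^"(?P<name>[^"]+)"="(?P<path>[^"]*)"\s*\[(?P<meta>[^\]]*)\]$')
APPINIT_RE = re.compile(r'^"AppInit_DLLs"=(?P<value>.*)$', re.IGNORECASE)
DATED_RE = re.compile(r"^\d{4}-\d{2}-\d{2} ")           # line starts with a file date


@dataclass
class Finding:
    kind: str    # appinit_dlls | bho_unverified | run_unverified
    key: str     # registry key the line was listed under
    detail: str  # the value or path to look at


def triage_loading_points(text: str) -> List[Finding]:
    """Walk a Reg Loading Points dump and return entries worth a manual look.

    Heuristics (assumptions about the log format, not ComboFix/DSS rules):
      * AppInit_DLLs is loaded into every process that links user32.dll,
        so any non-empty value on a home PC is reported.
      * A BHO whose describing line carries no date/size means the tool
        printed only a bare path; the file could not be characterised.
      * A Run value followed by empty brackets [ ] likewise had no
        verifiable file behind it.
    """
    findings: List[Finding] = []
    key: Optional[str] = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = KEY_RE.match(line)
        if m:
            key = m.group(1)          # remember which key the next lines belong to
            continue
        if key is None:
            continue
        lower = key.lower()
        if "browser helper objects" in lower:
            if not DATED_RE.match(line):
                findings.append(Finding("bho_unverified", key, line))
        elif lower.endswith("windows nt\\currentversion\\windows"):
            m = APPINIT_RE.match(line)
            if m and m.group("value").strip():
                findings.append(Finding("appinit_dlls", key, m.group("value").strip()))
        elif lower.endswith("\\run"):
            m = RUN_RE.match(line)
            if m and m.group("path") and not m.group("meta").strip():
                findings.append(Finding("run_unverified", key,
                                        f'{m.group("name")} -> {m.group("path")}'))
    return findings


if __name__ == "__main__":
    for f in triage_loading_points(SAMPLE_LOG):
        print(f"{f.kind:15} {f.detail}")
```

On the excerpt it reports the randomly named BHO DLL, the Dot1XCfg Run value and the sfklg.dll AppInit_DLLs entry; to use it on a saved ComboFix.txt, read the file into a string and pass it to triage_loading_points. It is a reading aid, not a verdict: an unverified entry still has to be checked against the vendor and the file on disk before anything is scripted for deletion.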
 

