annoying pop-ups and adwareBHO

**zuluclayman** · 03-24-2008, 05:23 AM

Hi
over the last couple of months I have had the following problems:
Mcafee has detected a PuP - Adware BHO - a message from Mcafee comes up every time I attempt to open a folder etc. I read the advisory notes on Mcafee site and did some trawling around the net reading about it and it seemed to be low level threat so I trusted it (mainly to stop the annoying alerts

) I tried to remove it but couldn't (was always in use and changed locations and name of files using it

)
After this Internet Explorer kept opening up with pop-ups (I use Mozilla as my default browser) every 5 minutes or so! I blocked access for Internet Explorer in Mcafee control panel to stop this (which it did) but Internet Explorer always runs in the background now - I see 2 or more instances of iexplore.exe in Task Manager and when I shut down it asks me to end iexplore.exe.
I am sick of this and would like some help in getting rid of AdwareBHO so I can unblock Internet Explorer without having annoying pop-ups!
I read that AdwareBHO may have come with Messenger Plus which my son installed - I have since uninstalled this and won't have it back on my comp.
Next post (lol this one is a novella sorry) has my Hijack This log

**zuluclayman** · 03-24-2008, 05:24 AM

Deckard's System Scanner v20071014.68
Run by john on 2008-03-24 22:01:43
Computer is in Normal Mode.
--------------------------------------------------------------------------------

-- HijackThis (run as john.exe) ------------------------------------------------

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 10:02:22 PM, on 24/03/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\WINDOWS\system32\DRIVERS\CDANTSRV.EXE
C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
c:\program files\common files\mcafee\mna\mcnasvc.exe
c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
C:\Program Files\McAfee\MPF\MPFSrv.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
C:\PROGRA~1\McAfee.com\Agent\mcagent.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\SOUNDMAN.EXE
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S10IC2.EXE
C:\Program Files\Caere\OmniPagePro90\opware32.exe
C:\Program Files\Microsoft Hardware\Keyboard\type32.exe
C:\WINDOWS\system32\ntvdm.exe
C:\Program Files\OptusNet DSL Internet\DSC.exe
C:\Program Files\CyberLink DVD Solution\PowerDVD\PDVDServ.exe
C:\PROGRA~1\Nokia\NOKIAP~1\LAUNCH~1.EXE
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\SiteAdvisor\6172\SiteAdv.exe
C:\Program Files\Multimedia Card Reader\shwicon2k.exe
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\fppdis3a.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Nokia\Nokia PC Suite 6\PcSync2.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\PROGRA~1\COMMON~1\Nokia\MPAPI\MPAPI3s.exe
C:\Program Files\Common Files\PCSuite\Services\ServiceLayer.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Documents and Settings\john\Desktop\dss.exe
C:\PROGRA~1\TRENDM~1\HIJACK~1\john.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://search.optusnet.com.au/?brand=ODSL&panel=1
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {089FD14D-132B-48FC-8861-0048AE113215} - C:\Program Files\SiteAdvisor\6253\SiteAdv.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O2 - BHO: scriptproxy - {7DB2D5A0-7241-4E79-B68D-6309F01C5231} - C:\Program Files\McAfee\VirusScan\scriptsn.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Catcher Class - {ADECBED6-0366-4377-A739-E69DFBA04663} - C:\Program Files\Moyea\FLV Downloader\MoyeaCth.dll
O3 - Toolbar: McAfee SiteAdvisor - {0BF43445-2F28-4351-9252-17FE6E806AA0} - C:\Program Files\SiteAdvisor\6253\SiteAdv.dll
O3 - Toolbar: (no name) - {EFAF6EA3-615D-4F83-8748-2F7A576FCEA6} - (no file)
O3 - Toolbar: Veoh Browser Plug-in - {D0943516-5076-4020-A3B5-AEFAF26AB263} - C:\Program Files\Veoh Networks\Veoh\Plugins\reg\VeohToolbar.dll
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [EPSON Stylus C83 Series] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S10IC2.EXE /P23 "EPSON Stylus C83 Series" /O6 "USB001" /M "Stylus C83"
O4 - HKLM\..\Run: [OmniPage] C:\Program Files\Caere\OmniPagePro90\opware32.exe
O4 - HKLM\..\Run: [IntelliType] "C:\Program Files\Microsoft Hardware\Keyboard\type32.exe"
O4 - HKLM\..\Run: [POINTER] point32.exe
O4 - HKLM\..\Run: [Desktop Service Centre] C:\Program Files\OptusNet DSL Internet\DSC.exe
O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink DVD Solution\PowerDVD\PDVDServ.exe"
O4 - HKLM\..\Run: [PCSuiteTrayApplication] C:\PROGRA~1\Nokia\NOKIAP~1\LAUNCH~1.EXE -startup
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [SiteAdvisor] C:\Program Files\SiteAdvisor\6172\SiteAdv.exe
O4 - HKLM\..\Run: [Sunkist2k] C:\Program Files\Multimedia Card Reader\shwicon2k.exe
O4 - HKLM\..\Run: [pdfFactory Dispatcher v3] "C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\fppdis3a.exe" /source=HKLM
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [mcagent_exe] C:\Program Files\McAfee.com\Agent\mcagent.exe /runkey
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [part chin math idol] C:\Documents and Settings\All Users\Application Data\That size part chin\media two.exe
O4 - HKLM\..\Run: [Google Desktop Search] "C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe" /startup
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKCU\..\Run: [EPSON Stylus C83 Series] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S10IC2.EXE /P23 "EPSON Stylus C83 Series" /M "Stylus C83" /EF "HKCU"
O4 - HKCU\..\Run: [OM_Monitor] C:\Program Files\OLYMPUS\OLYMPUS Master\Monitor.exe -NoStart
O4 - HKCU\..\Run: [updateMgr] "C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" AcRdB7_0_9 -reboot 1
O4 - HKCU\..\Run: [PcSync] C:\Program Files\Nokia\Nokia PC Suite 6\PcSync2.exe /NoDialog
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: EmpirePoker - {77E68763-4284-41d6-B7E7-B6E1F053A9E7} - C:\Program Files\EmpirePoker\EmpirePoker.exe (file missing)
O9 - Extra 'Tools' menuitem: EmpirePoker - {77E68763-4284-41d6-B7E7-B6E1F053A9E7} - C:\Program Files\EmpirePoker\EmpirePoker.exe (file missing)
O9 - Extra button: (no name) - {9034A523-D068-4BE8-A284-9DF278BE776E} - http://www.topsoftwarefeed.com/redirect.php (file missing)
O9 - Extra 'Tools' menuitem: IE Anti-Spyware - {9034A523-D068-4BE8-A284-9DF278BE776E} - http://www.topsoftwarefeed.com/redirect.php (file missing)
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: @C:\Program Files\Messenger\Msgslang.dll,-61144 - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: @C:\Program Files\Messenger\Msgslang.dll,-61144 - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} (McAfee.com Operating System Class) - http://download.mcafee.com/molbin/sh...6/mcinsctl.cab
O16 - DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary...t.cab56907.cab
O20 - AppInit_DLLs: C:\PROGRA~1\Google\GOOGLE~4\GOEC62~1.DLL
O21 - SSODL: E404Helper - {bc576ea5-bcca-4ba1-ae78-16d02d9d1041} - e404d.dll (file missing)
O22 - SharedTaskScheduler: edgers - {d66c22b6-2217-4d1a-9a90-1a54de1fc706} - (no file)
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: C-DillaSrv - C-Dilla Ltd - C:\WINDOWS\system32\DRIVERS\CDANTSRV.EXE
O23 - Service: Google Desktop Manager 5.5.709.30344 (GoogleDesktopManager-093007-112848) - Google - C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Macromedia Licensing Service - Macromedia - C:\Program Files\Common Files\Macromedia Shared\Service\Macromedia Licensing.exe
O23 - Service: McAfee Services (mcmscsvc) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
O23 - Service: McAfee Network Agent (McNASvc) - McAfee, Inc. - c:\program files\common files\mcafee\mna\mcnasvc.exe
O23 - Service: McAfee Scanner (McODS) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcods.exe
O23 - Service: McAfee Proxy Service (McProxy) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
O23 - Service: McAfee Real-time Scanner (McShield) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
O23 - Service: McAfee SystemGuards (McSysmon) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
O23 - Service: McAfee Personal Firewall Service (MpfService) - McAfee, Inc. - C:\Program Files\McAfee\MPF\MPFSrv.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - Unknown owner - C:\Program Files\WinPcap\rpcapd.exe (file missing)
O23 - Service: ServiceLayer - Nokia. - C:\Program Files\Common Files\PCSuite\Services\ServiceLayer.exe

--
End of file - 10755 bytes

-- Files created between 2008-02-24 and 2008-03-24 -----------------------------

2008-03-24 22:02:06 0 d-------- C:\Program Files\Trend Micro
2008-03-22 23:01:45 679936 --a------ C:\WINDOWS\system32\xvidcore.dll
2008-03-21 23

55 0 d-------- C:\Program Files\Safari
2008-03-21 23:05:36 0 d-------- C:\Program Files\iTunes
2008-03-17 21:51:49 0 d-------- C:\WINDOWS\NV676144.TMP
2008-03-17 21:31:46 13369344 --a------ C:\Documents and Settings\john\ntuser.dat
2008-03-07 22:18:02 0 d-------- C:\Documents and Settings\All Users\Application Data\Azureus
2008-03-07 22:17:58 0 d-------- C:\Documents and Settings\john\Application Data\Azureus
2008-03-07 22:16:40 0 d-------- C:\Documents and Settings\john\Temp
2008-03-07 21:38:04 0 d-------- C:\Program Files\Veoh Networks
2008-03-04 23:20:33 0 d-------- C:\Documents and Settings\john\Application Data\Media Player Classic
2008-02-27 23:01:48 0 d-------- C:\Program Files\StuffPlug3
2008-02-27 22:39:15 0 d--hs--c- C:\Program Files\Common Files\WindowsLiveInstaller
2008-02-27 22:38:57 0 d-------- C:\Program Files\Windows Live
2008-02-27 22:38:43 0 d-------- C:\Documents and Settings\All Users\Application Data\WLInstaller

-- Find3M Report ---------------------------------------------------------------

2008-03-23 18:26:43 0 d-------- C:\Program Files\Mozilla Thunderbird
2008-03-22 23:43:07 0 d-------- C:\Documents and Settings\john\Application Data\Canon
2008-03-22 21:38:22 541 --a------ C:\Documents and Settings\john\Application Data\AutoGK.ini
2008-03-21 23:59:12 0 d-------- C:\Documents and Settings\john\Application Data\Adobe
2008-03-21 23:19:12 0 d-------- C:\Documents and Settings\john\Application Data\Apple Computer
2008-03-21 23:05:41 0 d-------- C:\Program Files\iPod
2008-03-21 23:04:16 0 d-------- C:\Program Files\QuickTime
2008-03-20 21:53:25 0 d-------- C:\Program Files\EA GAMES
2008-03-17 22:04:32 8 --a------ C:\WINDOWS\system32\nvModes.dat
2008-03-07 21:39:37 0 d--h----- C:\Program Files\InstallShield Installation Information
2008-02-27 22:39:15 0 d-------- C:\Program Files\Common Files
2008-02-21 23:19:35 0 d-------- C:\Program Files\Terragen
2008-02-16 14:54:12 0 d-------- C:\Program Files\MSN Messenger
2008-02-15 13:40:37 0 d-------- C:\Program Files\McAfee
2008-02-12 23:02:35 0 d-------- C:\Program Files\Lavalys
2008-02-10 17:37:06 0 d-------- C:\Program Files\particleIllusion_3
2008-02-06 23:58:40 0 d-------- C:\Program Files\Common Files\Adobe
2008-02-03 20:05:06 0 d-------- C:\Documents and Settings\john\Application Data\HOLEBYTEACID
2008-02-03 16:29:35 0 d-------- C:\Program Files\Lavasoft
2008-02-03 16:28:59 0 d-------- C:\Program Files\Common Files\Wise Installation Wizard
2008-02-03 16:24:32 0 d-------- C:\Program Files\Java
2008-02-03 16:21:27 0 d-------- C:\Documents and Settings\john\Application Data\Lavasoft
2008-02-02 11:02:45 0 d-------- C:\Program Files\Celestia
2008-01-05 08:58:50 3596288 --a------ C:\WINDOWS\system32\qt-dx331.dll
2008-01-05 08:57:22 196608 --a------ C:\WINDOWS\system32\dtu100.dll <Not Verified; DivX, Inc.; DivX, Inc. dtu100>
2008-01-05 08:57:22 81920 --a------ C:\WINDOWS\system32\dpl100.dll <Not Verified; DivX, Inc.; DivX, Inc. dpl100>
2008-01-05 08:57:12 823296 --a------ C:\WINDOWS\system32\divx_xx07.dll <Not Verified; DivX, Inc.; DivX®>
2008-01-05 08:57:10 802816 --a------ C:\WINDOWS\system32\divx_xx11.dll <Not Verified; DivX, Inc.; DivX?>
2008-01-05 08:57:10 823296 --a------ C:\WINDOWS\system32\divx_xx0c.dll <Not Verified; DivX, Inc.; DivX®>
2008-01-05 08:57:10 682496 --a------ C:\WINDOWS\system32\DivX.dll <Not Verified; DivX, Inc.; DivX®>
2008-01-05 08:56:24 12288 --a------ C:\WINDOWS\system32\DivXWMPExtType.dll

-- Registry Dump ---------------------------------------------------------------

*Note* empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SoundMan"="SOUNDMAN.EXE" [18/06/2004 07:31 PM C:\WINDOWS\SOUNDMAN.EXE]
"NvCplDaemon"="C:\WINDOWS\system32\NvCpl.dll" [22/10/2006 03:22 PM]
"nwiz"="nwiz.exe" [22/10/2006 03:22 PM C:\WINDOWS\system32\nwiz.exe]
"NeroFilterCheck"="C:\WINDOWS\system32\NeroCheck.exe" [09/07/2001 10:50 AM]
"EPSON Stylus C83 Series"="C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S10IC2.exe" [27/05/2003 02:08 PM]
"OmniPage"="C:\Program Files\Caere\OmniPagePro90\opware32.exe" [12/10/1998 06:13 PM]
"IntelliType"="C:\Program Files\Microsoft Hardware\Keyboard\type32.exe" [22/03/2002 03:41 PM]
"POINTER"="point32.exe" []
"Desktop Service Centre"="C:\Program Files\OptusNet DSL Internet\DSC.exe" [06/09/2004 01:50 PM]
"RemoteControl"="C:\Program Files\CyberLink DVD Solution\PowerDVD\PDVDServ.exe" [28/06/2004 09:29 PM]
"PCSuiteTrayApplication"="C:\PROGRA~1\Nokia\NOKIAP~1\LAUNCH~1.exe" [15/06/2006 01:36 PM]
"TkBellExe"="C:\Program Files\Common Files\Real\Update_OB\realsched.exe" [23/09/2006 12:29 PM]
"SiteAdvisor"="C:\Program Files\SiteAdvisor\6172\SiteAdv.exe" [03/10/2006 06:09 AM]
"Sunkist2k"="C:\Program Files\Multimedia Card Reader\shwicon2k.exe" [27/10/2005 05:01 PM]
"pdfFactory Dispatcher v3"="C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\fppdis3a.exe" [20/04/2007 03:42 PM]
"NvMediaCenter"="C:\WINDOWS\system32\NvMcTray.dll" [22/10/2006 03:22 PM]
"mcagent_exe"="C:\Program Files\McAfee.com\Agent\mcagent.exe" [03/08/2007 10:33 PM]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe" [25/09/2007 02:11 AM]
"Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [11/01/2008 10:16 PM]
"part chin math idol"="C:\Documents and Settings\All Users\Application Data\That size part chin\media two.exe" [24/03/2008 10:00 PM]
"Google Desktop Search"="C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe" [24/10/2007 12:18 AM]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [31/01/2008 11:13 PM]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [19/02/2008 01:10 PM]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"EPSON Stylus C83 Series"="C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S10IC2.exe" [27/05/2003 02:08 PM]
"OM_Monitor"="C:\Program Files\OLYMPUS\OLYMPUS Master\Monitor.exe" []
"updateMgr"="C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" []
"PcSync"="C:\Program Files\Nokia\Nokia PC Suite 6\PcSync2.exe" [27/06/2006 05:21 PM]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [04/08/2004 11:00 PM]
"@"="" []

C:\Documents and Settings\john\Start Menu\Programs\Startup\
Adobe Gamma.lnk - C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [16/03/2005 8:16:50 PM]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Adobe Gamma Loader.lnk - C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [16/03/2005 8:16:50 PM]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad]
"E404Helper"= {bc576ea5-bcca-4ba1-ae78-16d02d9d1041} - e404d.dll [ ]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"appinit_dlls"=C:\PROGRA~1\Google\GOOGLE~4\GOEC62~1.DLL

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\aawservice]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\mcmscsvc]
@=""

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MCODS]
@=""

-- End of Deckard's System Scanner: finished at 2008-03-24 22:02:48 ------------

**zuluclayman** · 03-28-2008, 05:07 PM

Further to the above - computer beginning to restart itself, sometimes during session, sometimes at startup - gets to user logon screen then restarts. If I send the error report it comes back saying it was a stop error caused by driver problem. Last night comp wouldn't turn off - kept wanting me to end program for iexplore.exe but when I would "end now" it would just come back up with another instance of end program for iexplore.
HELP PLEASE!!!

**zuluclayman** · 03-28-2008, 10:54 PM

Bump

Ried · 03-28-2008, 11:57 PM

Hello zuluclayman and welcome,

Please copy this page to Notepad and save to your desktop for reference as you will not have any browsers open while you are carrying out portions of these instructions.

Also be sure to carry out the instructions in the sequence listed below.

***************************************************

Please download SmitfraudFix (by S!Ri) to your Desktop.

--------------------------------------------------------------------

Close any open browsers.

--------------------------------------------------------------------

Open HijackThis and click on 'Do a System Scan Only'. 'Check' the following entries:

O4 - HKLM\..\Run: [part chin math idol] C:\Documents and Settings\All Users\Application Data\That size part chin\media two.exe
O9 - Extra button: (no name) - {9034A523-D068-4BE8-A284-9DF278BE776E} - http://www.topsoftwarefeed.com/redirect.php (file missing)
O9 - Extra 'Tools' menuitem: IE Anti-Spyware - {9034A523-D068-4BE8-A284-9DF278BE776E} - http://www.topsoftwarefeed.com/redirect.php (file missing)
O21 - SSODL: E404Helper - {bc576ea5-bcca-4ba1-ae78-16d02d9d1041} - e404d.dll (file missing)
O22 - SharedTaskScheduler: edgers - {d66c22b6-2217-4d1a-9a90-1a54de1fc706} - (no file)

Click 'Fix Checked' and close HijackThis.

--------------------------------------------------------------------

Using 'My Computer', navigate to and delete the following Folder

C:\Documents and Settings\All Users\Application Data\That size part chin

--------------------------------------------------------------------

Reboot your system.

--------------------------------------------------------------------

Double-click smitfraudfix.exe to start the tool.

Select option #1 - Search by typing 1 and press "Enter"
A text file will appear which lists infected files (if present).
Please copy/paste the content of that report into your next reply.

IMPORTANT: Do NOT run option #2 OR any other option until you are directed to do so

--------------------------------------------------------------------

Download fl.zip

Extract the contents of the fl.zip to a new folder on Desktop.
Within the folder, locate & double-click fl.bat.
It should produce a report at c:\findlop.txt.

----------------------------------------------------------------------

Run a new scan with HijackThis.exe and save the log.

----------------------------------------------------------------------

Please include the following in your next reply:

C:\findlop.txt
SmitfraudFix report
New HijackThis log
extra.txt (*see note below)

*When you first ran dss.exe, it should have produced and extra.txt. You'll find it located at C:\Deckard\System Scanner

**zuluclayman** · 03-29-2008, 03:43 AM

Thanks for reply - find following those logs you requested:

Volume in drive C has no label.
Volume Serial Number is C4BD-4820

Directory of C:\Documents and Settings\All Users\Application Data

29/03/2008 03:38 PM <DIR> Adobe
07/01/2007 12:45 PM <DIR> Adobe Systems
07/01/2005 05:52 AM <DIR> Ahead
30/06/2007 04:08 PM <DIR> Apple
06/12/2006 07:44 PM <DIR> Apple Computer
07/03/2008 10:18 PM <DIR> Azureus
12/12/2005 02:57 PM <DIR> CyberLink
22/08/2006 06:13 PM <DIR> Downloaded Installations
18/02/2007 08:18 PM <DIR> DVD Shrink
03/02/2008 04:30 PM <DIR> Lavasoft
26/12/2006 07:17 PM <DIR> Links 2003 Demo
03/06/2005 10:37 PM <DIR> Macromedia
17/09/2007 12:08 AM <DIR> Macrovision
02/11/2006 10:22 PM <DIR> McAfee
02/11/2006 10:22 PM <DIR> McAfee.com
15/06/2007 10:40 PM <DIR> NVIDIA
04/11/2007 01:10 PM <DIR> nView_Profiles
22/08/2006 06:15 PM <DIR> PC Suite
19/07/2007 10:38 PM 1,379 QTSBandwidthCache
09/04/2005 02:01 PM <DIR> QuickTime
09/09/2007 01:02 AM <DIR> SiteAdvisor
01/04/2007 05:47 PM <DIR> SwiftSwitch
03/01/2008 10:10 AM <DIR> TEMP
12/12/2005 09:43 PM <DIR> Windows Genuine Advantage
27/02/2008 10:38 PM <DIR> WLInstaller
1 File(s) 1,379 bytes
24 Dir(s) 20,330,258,432 bytes free
Volume in drive C has no label.
Volume Serial Number is C4BD-4820

Directory of C:\Documents and Settings\jacob\Application Data

01/02/2008 09:47 PM <DIR> Adobe
14/01/2007 10:51 AM <DIR> Apple Computer
22/07/2007 09:51 PM <DIR> Canon
23/06/2007 02:37 PM <DIR> CyberLink
24/12/2007 08:25 PM <DIR> DivX
18/12/2007 06:44 PM <DIR> HOLEBYTEACID
05/01/2005 06:37 AM <DIR> Identities
01/09/2007 10:40 PM <DIR> LimeWire
29/09/2007 12:22 AM <DIR> Macromedia
25/03/2007 01:14 PM <DIR> MoyeaFLV2Video
06/07/2007 09:41 PM <DIR> Mozilla
12/10/2007 06:35 PM <DIR> Notepad++
14/01/2007 10:37 AM <DIR> PC Suite
14/01/2007 10:38 AM <DIR> Real
19/12/2007 10:13 AM <DIR> SiteAdvisor
14/01/2007 01:47 PM <DIR> Sun
25/05/2007 07:23 PM <DIR> SystemRequirementsLab
06/07/2007 09:41 PM <DIR> Talkback
06/07/2007 09:41 PM <DIR> Thunderbird
25/05/2007 09:46 PM <DIR> Turbine
0 File(s) 0 bytes
20 Dir(s) 20,330,258,432 bytes free
Volume in drive C has no label.
Volume Serial Number is C4BD-4820

Directory of C:\Documents and Settings\john\Application Data

07/01/2005 12:27 PM <DIR> ACD Systems
07/01/2005 12:26 PM <DIR> ACDInTouch
29/03/2008 03:38 PM <DIR> Adobe
30/06/2006 11:11 AM <DIR> AdobeAUM
17/04/2007 05:17 PM <DIR> AdobeUM
30/12/2006 10:16 PM <DIR> Ahead
21/03/2008 11:19 PM <DIR> Apple Computer
02/04/2006 12:59 PM <DIR> Autodesk
22/03/2008 09:38 PM 541 AutoGK.ini
07/03/2008 10:22 PM <DIR> Azureus
22/03/2008 11:43 PM <DIR> Canon
07/01/2005 06:40 PM <DIR> CoreFTP
26/12/2005 12:54 PM <DIR> CyberLink
11/10/2006 03:42 PM <DIR> DataLayer
27/10/2007 01:02 PM <DIR> DivX
27/07/2005 12:02 AM <DIR> Google
08/05/2005 05:44 PM <DIR> Help
03/02/2008 08:05 PM <DIR> HOLEBYTEACID
05/01/2005 06:37 AM <DIR> Identities
21/10/2007 12:30 PM <DIR> InstallShield
03/02/2008 04:21 PM <DIR> Lavasoft
11/07/2006 08:00 PM <DIR> Leadertech
21/09/2005 11:10 PM <DIR> Macromedia
02/11/2006 10:28 PM <DIR> McAfee
04/03/2008 11:21 PM <DIR> Media Player Classic
17/06/2007 02:41 PM <DIR> Moyea
23/05/2007 10:27 PM <DIR> MoyeaFLV2Video
04/02/2006 12:03 PM <DIR> Mozilla
09/04/2007 10:26 AM <DIR> MPEG Streamclip
03/01/2007 10:47 AM 523,530 NMM-MetaData.db
08/09/2006 08:08 PM <DIR> Nokia
08/06/2007 09:23 PM <DIR> Nokia Multimedia Player
11/12/2006 03:32 PM <DIR> OLYMPUS
07/03/2006 11:04 PM <DIR> Opera
21/08/2006 09:03 PM <DIR> PC Suite
14/12/2005 05:25 PM <DIR> PC Tools
23/09/2006 12:34 PM <DIR> Real
19/12/2007 02:16 PM <DIR> SiteAdvisor
10/01/2005 08:41 PM <DIR> Sun
15/12/2006 06:12 PM <DIR> System Requirements Lab
05/05/2007 01:40 AM <DIR> SystemRequirementsLab
04/02/2006 12:03 PM <DIR> Talkback
04/02/2006 12:03 PM <DIR> Thunderbird
22/01/2008 11:29 PM <DIR> uk.co.planetside
25/01/2007 03:32 PM 1,024 WavCodec.wff
3 File(s) 525,095 bytes
42 Dir(s) 20,330,274,816 bytes free
Volume in drive C has no label.
Volume Serial Number is C4BD-4820

Directory of C:\Documents and Settings\Default User\Application Data

05/01/2005 06:40 AM <DIR> .
05/01/2005 06:40 AM <DIR> ..
04/01/2005 10:31 PM 62 desktop.ini
1 File(s) 62 bytes
2 Dir(s) 20,330,254,336 bytes free
Volume in drive C has no label.
Volume Serial Number is C4BD-4820

Directory of C:\Documents and Settings\LocalService\Application Data

Volume in drive C has no label.
Volume Serial Number is C4BD-4820

Directory of C:\Documents and Settings\NetworkService\Application Data

[TRACE] Enumerating jobs and queues
[TRACE] Activating job 'AppleSoftwareUpdate.job'
[TRACE] Printing all job properties

ApplicationName: 'C:\Program Files\Apple Software Update\SoftwareUpdate.exe'
Parameters: '-task'
WorkingDirectory: ''
Comment: ''
Creator: 'SYSTEM'
Priority: NORMAL
MaxRunTime: 259200000 (3d 0:00:00)
IdleWait: 10
IdleDeadline: 60
MostRecentRun: 01/16/2008 11:08:00
NextRun: 04/02/2008 11:08:00
StartError: S_OK
ExitCode: 0
Status: SCHED_S_TASK_READY
ScheduledWorkItem Flags:
DeleteWhenDone = 0
Suspend = 0
StartOnlyIfIdle = 0
KillOnIdleEnd = 0
RestartOnIdleResume = 0
DontStartIfOnBatteries = 0
KillIfGoingOnBatteries = 0
RunOnlyIfLoggedOn = 0
SystemRequired = 0
Hidden = 0
TaskFlags: 0

1 Trigger

Trigger 0:
Type: Weekly
WeeksInterval: 1
DaysOfTheWeek: ...W...
StartDate: 09/15/2007
EndDate: 00/00/0000
StartTime: 11:08
MinutesDuration: 0
MinutesInterval: 0
Flags:
HasEndDate = 0
KillAtDuration = 0
Disabled = 0

[TRACE] Activating job 'B0FC56F796A7CA4F.job'
[TRACE] Printing all job properties

ApplicationName: 'c:\docume~1\jacob\applic~1\holeby~1\Once Flag Site.exe'
Parameters: ''
WorkingDirectory: ''
Comment: ''
Creator: 'jacob'
Priority: NORMAL
MaxRunTime: 259200000 (3d 0:00:00)
IdleWait: 10
IdleDeadline: 60
MostRecentRun: 03/29/2008 19:00:00
NextRun: 03/29/2008 21:00:00
StartError: S_OK
ExitCode: 0
Status: SCHED_S_TASK_READY
ScheduledWorkItem Flags:
DeleteWhenDone = 0
Suspend = 0
StartOnlyIfIdle = 0
KillOnIdleEnd = 0
RestartOnIdleResume = 0
DontStartIfOnBatteries = 0
KillIfGoingOnBatteries = 0
RunOnlyIfLoggedOn = 1
SystemRequired = 0
Hidden = 1
TaskFlags: 0

1 Trigger

Trigger 0:
Type: Daily
DaysInterval: 1
StartDate: 10/05/1999
EndDate: 00/00/0000
StartTime: 00:00
MinutesDuration: 1440
MinutesInterval: 60
Flags:
HasEndDate = 0
KillAtDuration = 0
Disabled = 0

[TRACE] Activating job 'McDefragTask.job'
[TRACE] Printing all job properties

ApplicationName: 'C:\WINDOWS\system32\defrag.exe'
Parameters: 'C: -f'
WorkingDirectory: ''
Comment: 'Disk Defragmenter'
Creator: 'john'
Priority: NORMAL
MaxRunTime: 259200000 (3d 0:00:00)
IdleWait: 10
IdleDeadline: 60
MostRecentRun: 12/15/2006 1:00:00
NextRun: 04/15/2008 1:00:00
StartError: S_OK
ExitCode: 0
Status: SCHED_S_TASK_READY
ScheduledWorkItem Flags:
DeleteWhenDone = 0
Suspend = 0
StartOnlyIfIdle = 0
KillOnIdleEnd = 0
RestartOnIdleResume = 0
DontStartIfOnBatteries = 0
KillIfGoingOnBatteries = 0
RunOnlyIfLoggedOn = 1
SystemRequired = 0
Hidden = 1
TaskFlags: 0

1 Trigger

Trigger 0:
Type: MonthlyDate
Days: 15
Months: JanFebMarAprMayJunJulAugSepOctNovDec
StartDate: 11/02/2006
EndDate: 00/00/0000
StartTime: 01:00
MinutesDuration: 0
MinutesInterval: 0
Flags:
HasEndDate = 0
KillAtDuration = 0
Disabled = 0

[TRACE] Activating job 'McQcTask.job'
[TRACE] Printing all job properties

ApplicationName: 'c:\program files\mcafee\mqc\QcConsol.exe'
Parameters: '14 0'
WorkingDirectory: 'c:\program files\mcafee\mqc'
Comment: 'McAfee McAfee QuickClean'
Creator: 'john'
Priority: NORMAL
MaxRunTime: 259200000 (3d 0:00:00)
IdleWait: 10
IdleDeadline: 60
MostRecentRun: 10/01/2007 1:00:00
NextRun: 04/01/2008 1:00:00
StartError: S_OK
ExitCode: 0
Status: SCHED_S_TASK_READY
ScheduledWorkItem Flags:
DeleteWhenDone = 0
Suspend = 0
StartOnlyIfIdle = 0
KillOnIdleEnd = 0
RestartOnIdleResume = 0
DontStartIfOnBatteries = 0
KillIfGoingOnBatteries = 0
RunOnlyIfLoggedOn = 1
SystemRequired = 0
Hidden = 1
TaskFlags: 0

1 Trigger

Trigger 0:
Type: MonthlyDate
Days: 1
Months: JanFebMarAprMayJunJulAugSepOctNovDec
StartDate: 11/02/2006
EndDate: 00/00/0000
StartTime: 01:00
MinutesDuration: 0
MinutesInterval: 0
Flags:
HasEndDate = 0
KillAtDuration = 0
Disabled = 0

SmitFraudFix v2.309

Scan done at 20:31:22.26, Sat 29/03/2008
Run from C:\Documents and Settings\john\Desktop\SmitfraudFix
OS: Microsoft Windows XP [Version 5.1.2600] - Windows_NT
The filesystem type is NTFS
Fix run in normal mode

»»»»»»»»»»»»»»»»»»»»»»»» Process

C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\WINDOWS\system32\DRIVERS\CDANTSRV.EXE
C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
c:\program files\common files\mcafee\mna\mcnasvc.exe
c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
C:\Program Files\McAfee\MPF\MPFSrv.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\McAfee.com\Agent\mcagent.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S10IC2.EXE
C:\Program Files\Caere\OmniPagePro90\opware32.exe
C:\Program Files\Microsoft Hardware\Keyboard\type32.exe
C:\WINDOWS\system32\ntvdm.exe
C:\Program Files\OptusNet DSL Internet\DSC.exe
C:\Program Files\CyberLink DVD Solution\PowerDVD\PDVDServ.exe
C:\PROGRA~1\Nokia\NOKIAP~1\LAUNCH~1.EXE
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\SiteAdvisor\6172\SiteAdv.exe
C:\Program Files\Multimedia Card Reader\shwicon2k.exe
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\fppdis3a.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\WINDOWS\system32\ctfmon.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
C:\Program Files\Common Files\PCSuite\Services\ServiceLayer.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\PROGRA~1\McAfee\VIRUSS~1\mcvsshld.exe
C:\WINDOWS\system32\cmd.exe

»»»»»»»»»»»»»»»»»»»»»»»» hosts

»»»»»»»»»»»»»»»»»»»»»»»» C:\

»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS

»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\system

»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\Web

»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\system32

»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\system32\LogFiles

»»»»»»»»»»»»»»»»»»»»»»»» C:\Documents and Settings\john

»»»»»»»»»»»»»»»»»»»»»»»» C:\Documents and Settings\john\Application Data

»»»»»»»»»»»»»»»»»»»»»»»» Start Menu

»»»»»»»»»»»»»»»»»»»»»»»» C:\DOCUME~1\john\FAVORI~1

C:\DOCUME~1\john\FAVORI~1\Online Security Test.url FOUND !

»»»»»»»»»»»»»»»»»»»»»»»» Desktop

»»»»»»»»»»»»»»»»»»»»»»»» C:\Program Files

»»»»»»»»»»»»»»»»»»»»»»»» Corrupted keys

»»»»»»»»»»»»»»»»»»»»»»»» Desktop Components

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Desktop\Components\0]
"Source"="About:Home"
"SubscribedURL"="About:Home"
"FriendlyName"="My Current Home Page"

»»»»»»»»»»»»»»»»»»»»»»»» IEDFix
!!!Attention, following keys are not inevitably infected!!!

IEDFix
Credits: Malware Analysis & Diagnostic
Code: S!Ri

»»»»»»»»»»»»»»»»»»»»»»»» VACFix
!!!Attention, following keys are not inevitably infected!!!

VACFix
Credits: Malware Analysis & Diagnostic
Code: S!Ri

»»»»»»»»»»»»»»»»»»»»»»»» Sharedtaskscheduler
!!!Attention, following keys are not inevitably infected!!!

SrchSTS.exe by S!Ri
Search SharedTaskScheduler's .dll

»»»»»»»»»»»»»»»»»»»»»»»» AppInit_DLLs
!!!Attention, following keys are not inevitably infected!!!

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
"AppInit_DLLs"="C:\\PROGRA~1\\Google\\GOOGLE~4\\GOEC62~1.DLL"
"LoadAppInit_DLLs"=dword:00000001

»»»»»»»»»»»»»»»»»»»»»»»» Winlogon
!!!Attention, following keys are not inevitably infected!!!

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"Userinit"="C:\\WINDOWS\\system32\\userinit.exe,"
"System"=""

»»»»»»»»»»»»»»»»»»»»»»»» Rustock

»»»»»»»»»»»»»»»»»»»»»»»» DNS

Description: Realtek RTL8139 Family PCI Fast Ethernet NIC #2 - Packet Scheduler Miniport
DNS Server Search Order: 192.168.0.1

Description: Realtek RTL8139 Family PCI Fast Ethernet NIC #2 - Packet Scheduler Miniport
DNS Server Search Order: 211.29.132.12
DNS Server Search Order: 198.142.0.51

Description: Realtek RTL8139 Family PCI Fast Ethernet NIC #2 - Packet Scheduler Miniport
DNS Server Search Order: 192.168.0.1

HKLM\SYSTEM\CCS\Services\Tcpip\..\{11463229-A19E-48D0-8234-B37097CE95FC}: DhcpNameServer=192.168.0.1
HKLM\SYSTEM\CCS\Services\Tcpip\..\{A4943221-AF64-4F0B-8F97-8D5E95D7CA7C}: DhcpNameServer=211.29.132.12 198.142.0.51
HKLM\SYSTEM\CCS\Services\Tcpip\..\{EB7BBFD3-B18E-4E61-84C5-B74132395EFF}: DhcpNameServer=192.168.0.1
HKLM\SYSTEM\CS1\Services\Tcpip\..\{11463229-A19E-48D0-8234-B37097CE95FC}: DhcpNameServer=192.168.0.1
HKLM\SYSTEM\CS1\Services\Tcpip\..\{A4943221-AF64-4F0B-8F97-8D5E95D7CA7C}: DhcpNameServer=211.29.132.12 198.142.0.51
HKLM\SYSTEM\CS1\Services\Tcpip\..\{EB7BBFD3-B18E-4E61-84C5-B74132395EFF}: DhcpNameServer=192.168.0.1
HKLM\SYSTEM\CS3\Services\Tcpip\..\{11463229-A19E-48D0-8234-B37097CE95FC}: DhcpNameServer=192.168.0.1
HKLM\SYSTEM\CS3\Services\Tcpip\..\{A4943221-AF64-4F0B-8F97-8D5E95D7CA7C}: DhcpNameServer=211.29.132.12 198.142.0.51
HKLM\SYSTEM\CS3\Services\Tcpip\..\{EB7BBFD3-B18E-4E61-84C5-B74132395EFF}: DhcpNameServer=192.168.0.1
HKLM\SYSTEM\CCS\Services\Tcpip\Parameters: DhcpNameServer=192.168.0.1
HKLM\SYSTEM\CS1\Services\Tcpip\Parameters: DhcpNameServer=192.168.0.1
HKLM\SYSTEM\CS3\Services\Tcpip\Parameters: DhcpNameServer=192.168.0.1

»»»»»»»»»»»»»»»»»»»»»»»» Scanning for wininet.dll infection

»»»»»»»»»»»»»»»»»»»»»»»» End

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 8:38:38 PM, on 29/03/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\WINDOWS\system32\DRIVERS\CDANTSRV.EXE
C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
c:\program files\common files\mcafee\mna\mcnasvc.exe
c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
C:\Program Files\McAfee\MPF\MPFSrv.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\McAfee.com\Agent\mcagent.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S10IC2.EXE
C:\Program Files\Caere\OmniPagePro90\opware32.exe
C:\Program Files\Microsoft Hardware\Keyboard\type32.exe
C:\WINDOWS\system32\ntvdm.exe
C:\Program Files\OptusNet DSL Internet\DSC.exe
C:\Program Files\CyberLink DVD Solution\PowerDVD\PDVDServ.exe
C:\PROGRA~1\Nokia\NOKIAP~1\LAUNCH~1.EXE
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\SiteAdvisor\6172\SiteAdv.exe
C:\Program Files\Multimedia Card Reader\shwicon2k.exe
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\fppdis3a.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\WINDOWS\system32\ctfmon.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
C:\Program Files\Common Files\PCSuite\Services\ServiceLayer.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://search.optusnet.com.au/?brand=ODSL&panel=1
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {089FD14D-132B-48FC-8861-0048AE113215} - C:\Program Files\SiteAdvisor\6253\SiteAdv.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O2 - BHO: scriptproxy - {7DB2D5A0-7241-4E79-B68D-6309F01C5231} - C:\Program Files\McAfee\VirusScan\scriptsn.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Catcher Class - {ADECBED6-0366-4377-A739-E69DFBA04663} - C:\Program Files\Moyea\FLV Downloader\MoyeaCth.dll
O3 - Toolbar: McAfee SiteAdvisor - {0BF43445-2F28-4351-9252-17FE6E806AA0} - C:\Program Files\SiteAdvisor\6253\SiteAdv.dll
O3 - Toolbar: (no name) - {EFAF6EA3-615D-4F83-8748-2F7A576FCEA6} - (no file)
O3 - Toolbar: Veoh Browser Plug-in - {D0943516-5076-4020-A3B5-AEFAF26AB263} - C:\Program Files\Veoh Networks\Veoh\Plugins\reg\VeohToolbar.dll
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [EPSON Stylus C83 Series] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S10IC2.EXE /P23 "EPSON Stylus C83 Series" /O6 "USB001" /M "Stylus C83"
O4 - HKLM\..\Run: [OmniPage] C:\Program Files\Caere\OmniPagePro90\opware32.exe
O4 - HKLM\..\Run: [IntelliType] "C:\Program Files\Microsoft Hardware\Keyboard\type32.exe"
O4 - HKLM\..\Run: [POINTER] point32.exe
O4 - HKLM\..\Run: [Desktop Service Centre] C:\Program Files\OptusNet DSL Internet\DSC.exe
O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink DVD Solution\PowerDVD\PDVDServ.exe"
O4 - HKLM\..\Run: [PCSuiteTrayApplication] C:\PROGRA~1\Nokia\NOKIAP~1\LAUNCH~1.EXE -startup
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [SiteAdvisor] C:\Program Files\SiteAdvisor\6172\SiteAdv.exe
O4 - HKLM\..\Run: [Sunkist2k] C:\Program Files\Multimedia Card Reader\shwicon2k.exe
O4 - HKLM\..\Run: [pdfFactory Dispatcher v3] "C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\fppdis3a.exe" /source=HKLM
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [mcagent_exe] C:\Program Files\McAfee.com\Agent\mcagent.exe /runkey
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe"
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [Google Desktop Search] "C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe" /startup
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKCU\..\Run: [EPSON Stylus C83 Series] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S10IC2.EXE /P23 "EPSON Stylus C83 Series" /M "Stylus C83" /EF "HKCU"
O4 - HKCU\..\Run: [OM_Monitor] C:\Program Files\OLYMPUS\OLYMPUS Master\Monitor.exe -NoStart
O4 - HKCU\..\Run: [updateMgr] "C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" AcRdB7_0_9 -reboot 1
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra button: EmpirePoker - {77E68763-4284-41d6-B7E7-B6E1F053A9E7} - C:\Program Files\EmpirePoker\EmpirePoker.exe (file missing)
O9 - Extra 'Tools' menuitem: EmpirePoker - {77E68763-4284-41d6-B7E7-B6E1F053A9E7} - C:\Program Files\EmpirePoker\EmpirePoker.exe (file missing)
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: @C:\Program Files\Messenger\Msgslang.dll,-61144 - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: @C:\Program Files\Messenger\Msgslang.dll,-61144 - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} (McAfee.com Operating System Class) - http://download.mcafee.com/molbin/sh...6/mcinsctl.cab
O16 - DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary...t.cab56907.cab
O20 - AppInit_DLLs: C:\PROGRA~1\Google\GOOGLE~4\GOEC62~1.DLL
O21 - SSODL: E404Helper - {bc576ea5-bcca-4ba1-ae78-16d02d9d1041} - (no file)
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: C-DillaSrv - C-Dilla Ltd - C:\WINDOWS\system32\DRIVERS\CDANTSRV.EXE
O23 - Service: Google Desktop Manager 5.5.709.30344 (GoogleDesktopManager-093007-112848) - Google - C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Macromedia Licensing Service - Macromedia - C:\Program Files\Common Files\Macromedia Shared\Service\Macromedia Licensing.exe
O23 - Service: McAfee Services (mcmscsvc) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
O23 - Service: McAfee Network Agent (McNASvc) - McAfee, Inc. - c:\program files\common files\mcafee\mna\mcnasvc.exe
O23 - Service: McAfee Scanner (McODS) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcods.exe
O23 - Service: McAfee Proxy Service (McProxy) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
O23 - Service: McAfee Real-time Scanner (McShield) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
O23 - Service: McAfee SystemGuards (McSysmon) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
O23 - Service: McAfee Personal Firewall Service (MpfService) - McAfee, Inc. - C:\Program Files\McAfee\MPF\MPFSrv.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - Unknown owner - C:\Program Files\WinPcap\rpcapd.exe (file missing)
O23 - Service: ServiceLayer - Nokia. - C:\Program Files\Common Files\PCSuite\Services\ServiceLayer.exe

--
End of file - 9924 bytes

Deckard's System Scanner v20071014.68
Extra logfile - please post this as an attachment with your post.
--------------------------------------------------------------------------------

-- System Information ----------------------------------------------------------

Microsoft Windows XP Home Edition (build 2600) SP 2.0
Architecture: X86; Language: English

CPU 0: Intel(R) Pentium(R) 4 CPU 3.20GHz
CPU 1: Intel(R) Pentium(R) 4 CPU 3.20GHz
Percentage of Memory in Use: 39%
Physical Memory (total/avail): 1023.48 MiB / 622.91 MiB
Pagefile Memory (total/avail): 2464.19 MiB / 2088.59 MiB
Virtual Memory (total/avail): 2047.88 MiB / 1912.84 MiB

A: is Removable (No Media)
C: is Fixed (NTFS) - 74.52 GiB total, 15.38 GiB free.
D: is CDROM (No Media)
E: is Removable (No Media)
F: is Removable (No Media)
G: is Removable (No Media)
H: is Removable (No Media)
I: is Fixed (NTFS) - 37.27 GiB total, 13.73 GiB free.
J: is Removable (FAT)

\\.\PHYSICALDRIVE1 - ST340016A - 37.27 GiB - 1 partition
\PARTITION0 (bootable) - Installable File System - 37.27 GiB - I:

\\.\PHYSICALDRIVE0 - ST380817AS - 74.53 GiB - 1 partition
\PARTITION0 (bootable) - Installable File System - 74.52 GiB - C:

\\.\PHYSICALDRIVE3 - Generic USB CF Reader USB Device

\\.\PHYSICALDRIVE5 - Generic USB MS Reader USB Device

\\.\PHYSICALDRIVE2 - Generic USB SD Reader USB Device

\\.\PHYSICALDRIVE4 - Generic USB SM Reader USB Device

\\.\PHYSICALDRIVE6 - TOSHIBA TransMemory USB Device - 1961.06 MiB - 1 partition
\PARTITION0 (bootable) - MS-DOS V4 Huge - 1966.98 MiB - J:

-- Security Center -------------------------------------------------------------

AUOptions is scheduled to auto-install.
Windows Internal Firewall is enabled.

FirstRunDisabled is set.
AntiVirusDisableNotify is set.
FirewallDisableNotify is set.
UpdatesDisableNotify is set.

FW: McAfee Personal Firewall v (McAfee)
AV: McAfee VirusScan v (McAfee)

[HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"%windir%\\Network Diagnostic\\xpnetdiag.exe"="%windir%\\Network Diagnostic\\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"
"C:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"="C:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe:*:Enabled:Windows Live Messenger"
"C:\\Program Files\\Windows Live\\Messenger\\livecall.exe"="C:\\Program Files\\Windows Live\\Messenger\\livecall.exe:*:Enabled:Windows Live Messenger (Phone)"

[HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"C:\\Program Files\\WinMX\\WinMX.exe"="C:\\Program Files\\WinMX\\WinMX.exe:*:Enabled:WinMX Application"
"C:\\WINDOWS\\system32\\spool\\drivers\\w32x86\\3\\SAGENT4.EXE"="C:\\WINDOWS\\system32\\spool\\drivers\\w32x86\\3\\SAGENT4.EXE:*:Enabled:SAgent4"
"C:\\Program Files\\CoreFTP\\coreftp.exe"="C:\\Program Files\\CoreFTP\\coreftp.exe:*:Enabled:Core FTP App"
"C:\\Program Files\\Warcraft III\\Warcraft III.exe"="C:\\Program Files\\Warcraft III\\Warcraft III.exe:*:Enabled:Warcraft III"
"C:\\Program Files\\Real\\RealPlayer\\realplay.exe"="C:\\Program Files\\Real\\RealPlayer\\realplay.exe:*:Enabled:RealPlayer"
"C:\\Documents and Settings\\john\\Desktop\\games\\New Folder\\MAIN.EXE"="C:\\Documents and Settings\\john\\Desktop\\games\\New Folder\\MAIN.EXE:*:Disabled:MAIN"
"C:\\Program Files\\LimeWire\\LimeWire.exe"="C:\\Program Files\\LimeWire\\LimeWire.exe:*:Enabled:LimeWire"
"C:\\Program Files\\Microsoft Games\\Links 2003 Demo\\LinksMMIII.exe"="C:\\Program Files\\Microsoft Games\\Links 2003 Demo\\LinksMMIII.exe:*:Enabled:Links 2003"
"C:\\Program Files\\SwiftSwitch\\SwiftSwitch.exe"="C:\\Program Files\\SwiftSwitch\\SwiftSwitch.exe:*:Enabled:World Switcher for RuneScape"
"C:\\Program Files\\Mozilla Firefox\\firefox.exe"="C:\\Program Files\\Mozilla Firefox\\firefox.exe:*:Enabled:Firefox"
"C:\\Program Files\\EA GAMES\\Need for Speed Most Wanted\\speed.exe"="C:\\Program Files\\EA GAMES\\Need for Speed Most Wanted\\speed.exe:*:Disabled:speed"
"C:\\Program Files\\Turbine\\The Lord of the Rings Online\\lotroclient.exe"="C:\\Program Files\\Turbine\\The Lord of the Rings Online\\lotroclient.exe:*:Enabled:lotroclient.exe"
"C:\\Program Files\\Veoh Networks\\Veoh\\VeohClient.exe"="C:\\Program Files\\Veoh Networks\\Veoh\\VeohClient.exe:*:Enabled:Veoh Client"
"C:\\Program Files\\Messenger\\Msmsgs.exe"="C:\\Program Files\\Messenger\\Msmsgs.exe:*:Enabled:Windows Messenger"
"C:\\Program Files\\Common Files\\McAfee\\MNA\\McNASvc.exe"="C:\\Program Files\\Common Files\\McAfee\\MNA\\McNASvc.exe:*:Enabled:McAfee Network Agent"
"%windir%\\Network Diagnostic\\xpnetdiag.exe"="%windir%\\Network Diagnostic\\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"
"C:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"="C:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe:*:Enabled:Windows Live Messenger"
"C:\\Program Files\\Windows Live\\Messenger\\livecall.exe"="C:\\Program Files\\Windows Live\\Messenger\\livecall.exe:*:Enabled:Windows Live Messenger (Phone)"
"C:\\Program Files\\Azureus\\Azureus.exe"="C:\\Program Files\\Azureus\\Azureus.exe:*:Enabled:Azureus"
"C:\\Program Files\\iTunes\\iTunes.exe"="C:\\Program Files\\iTunes\\iTunes.exe:*:Enabled:iTunes"

-- Environment Variables -------------------------------------------------------

ALLUSERSPROFILE=C:\Documents and Settings\All Users
APPDATA=C:\Documents and Settings\john\Application Data
CLASSPATH=.;C:\Program Files\Java\jre1.6.0_03\lib\ext\QTJava.zip
CLIENTNAME=Console
CommonProgramFiles=C:\Program Files\Common Files
COMPUTERNAME=MAIN
ComSpec=C:\WINDOWS\system32\cmd.exe
FP_NO_HOST_CHECK=NO
HOMEDRIVE=C:
HOMEPATH=\Documents and Settings\john
LOGONSERVER=\\MAIN
NUMBER_OF_PROCESSORS=2
OS=Windows_NT
Path=C:\WINDOWS\system32;C:\WINDOWS;C:\WINDOWS\System32\Wbem;C:\Program Files\Common Files\Autodesk Shared\;C:\Program Files\Common Files\Adobe\AGL;C:\Program Files\QuickTime\QTSystem\
PATHEXT=.COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH
PROCESSOR_ARCHITECTURE=x86
PROCESSOR_IDENTIFIER=x86 Family 15 Model 3 Stepping 4, GenuineIntel
PROCESSOR_LEVEL=15
PROCESSOR_REVISION=0304
ProgramFiles=C:\Program Files
PROMPT=$P$G
QTJAVA=C:\Program Files\Java\jre1.6.0_03\lib\ext\QTJava.zip
SESSIONNAME=Console
SystemDrive=C:
SystemRoot=C:\WINDOWS
TEMP=C:\DOCUME~1\john\LOCALS~1\Temp
TMP=C:\DOCUME~1\john\LOCALS~1\Temp
USERDOMAIN=MAIN
USERNAME=john
USERPROFILE=C:\Documents and Settings\john
windir=C:\WINDOWS

-- User Profiles ---------------------------------------------------------------

john (admin)
jacob (admin)

-- Add/Remove Programs ---------------------------------------------------------

--> C:\Program Files\Common Files\Real\Update_OB\r1puninst.exe RealNetworks|RealPlayer|6.0
--> C:\Program Files\DivX\DivXConverterUninstall.exe /CONVERTER
--> C:\WINDOWS\UNNeroVision.exe /UNINSTALL
--> C:\WINDOWS\UNNMP.exe /UNINSTALL
--> C:\WINDOWS\UNNVEContent.exe /UNINSTALL
--> rundll32.exe setupapi.dll,InstallHinfSection DefaultUninstall 132 C:\WINDOWS\INF\PCHealth.inf
100% Free Chess 7.12 --> C:\Documents and Settings\john\My Documents\Free Chess\uninstall.exe
Ad-Aware 2007 --> MsiExec.exe /I{DED53B0B-B67C-4244-AE6A-D6FD3C28D1EF}
Adobe Bridge 1.0 --> MsiExec.exe /I{B74D4E10-6884-0000-0000-000000000103}
Adobe Common File Installer --> MsiExec.exe /I{8EDBA74D-0686-4C99-BFDD-F894678E5102}
Adobe Flash Player 9 ActiveX --> C:\WINDOWS\system32\Macromed\Flash\FlashUtil9b.exe -uninstallDelete
Adobe Flash Player Plugin --> C:\WINDOWS\system32\Macromed\Flash\uninstall_plugin.exe
Adobe Help Center 2.0 --> MsiExec.exe /I{8FFC924C-ED06-44CB-8867-3CA778ECE903}
Adobe Photoshop CS --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\0701\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{EFB21DE7-8C19-4A88-BB28-A766E16493BC}\setup.exe" -l0x9
Adobe Premiere Elements 2.0 --> msiexec /I {11C98E1A-EC91-4B38-B44C-C562292D8453}
Adobe Reader 8.1.2 --> MsiExec.exe /I{AC76BA86-7AD7-1033-7B44-A81200000003}
Adobe Stock Photos 1.0 --> MsiExec.exe /I{786C5747-1033-0000-B58E-000000000001}
Adobe Stock Photos 1.0 --> MsiExec.exe /I{EE0D5DCD-2B97-4473-98DF-E93C0BD92F7A}
Advanced RealMedia Export Plug-in for Premiere 6.0 --> C:\Program Files\Adobe\Premiere 6.0\Plug-ins\RNCompiler\rnuninst.exe RealNetworks|RNCompiler|6.0
AnswerWorks Runtime --> C:\WINDOWS\IsUninst.exe -f"C:\Program Files\WexTech\AnswerWorks\Uninst.isu"
Apple Mobile Device Support --> MsiExec.exe /I{44734179-8A79-4DEE-BB08-73037F065543}
Apple Software Update --> MsiExec.exe /I{B74F042E-E1B9-4A5B-8D46-387BB172F0A4}
Audacity 1.2.6 --> "C:\Program Files\Audacity\unins000.exe"
Auto Gordian Knot 2.45 --> C:\Program Files\AutoGK\uninst.exe
AutoCAD 2002 --> MsiExec.exe /I{5783F2D7-0101-0409-0000-0060B0CE6BBA}
AviSynth 2.5 --> "C:\Program Files\AviSynth 2.5\Uninstall.exe"
Blender (remove only) --> "C:\Program Files\Blender Foundation\Blender\uninstall.exe"
C-Dilla Licence Management System --> C:\C_DILLA\setup\cdunin16.exe
Canon ScanGear Toolbox 3.1 --> C:\WINDOWS\IsUninst.exe -f"C:\Program Files\Canon\ScanGear Toolbox Ver3.1\Uninst.isu" -c"C:\Program Files\Canon\ScanGear Toolbox Ver3.1\uninst.dll"
Celestia 1.5.0 --> "C:\Program Files\Celestia\unins000.exe"
Chicken Invaders v1.30 --> "C:\Program Files\Chicken Invaders\unins000.exe"
Cleaner 5 EZ --> C:\WINDOWS\unvise32.exe C:\Program Files\Cleaner 5 EZ\uninstal.log
Command & Conquer Generals --> C:\PROGRA~1\COMMON~1\INSTAL~1\Driver\7\INTEL3~1\IDriver.exe /M{06F80017-8F98-4C94-B868-52358569FC32}
Core FTP Lite 1.3 --> C:\PROGRA~1\CoreFTP\UNWISE.EXE C:\PROGRA~1\CoreFTP\INSTALL.LOG
D-Link DSL-302G USB Driver --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{ACCEC3BD-FFCA-4146-8587-17650B86165B}\Setup.exe"
DivX Codec --> C:\Program Files\DivX\DivXCodecUninstall.exe /CODEC
DivX Content Uploader --> C:\Program Files\DivX\DivXContentUploaderUninstall.exe /CUPLOADER
DivX Converter --> C:\Program Files\DivX\DivXConverterUninstall.exe /CONVERTER
DivX Player --> C:\Program Files\DivX\DivXPlayerUninstall.exe /PLAYER
DivX User Guide --> C:\Program Files\DivX\DivXUserGuideUninstall /USERGUIDE
DivX Web Player --> C:\Program Files\DivX\DivXWebPlayerUninstall.exe /PLUGIN
DVD Shrink 3.2 --> "C:\Program Files\DVD Shrink\unins000.exe"
DVD Solution --> "C:\Program Files\Uninstall_CDS.exe"
e-tax 2006 --> C:\Program Files\etax2006\e-tax 2006_uninstall.exe
e-tax 2007 --> C:\etax2007\e-tax 2007_uninstall.exe
e-tax 2007 - Publications --> C:\etax2007\publications 2007_uninstall.exe
EPSON Printer Software --> C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\EPUPDATE.EXE /r
ESC83 Software Guide --> C:\Program Files\EPSON\ESC83\PQU_G\DOCUNINS.EXE
EVEREST Home Edition v2.20 --> "C:\Program Files\Lavalys\EVEREST Home Edition\unins000.exe"
FinePrint pdfFactory Pro (1.x) --> C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\fppinst1.exe /uninstall
FLV Player 1.3.3 --> "C:\Program Files\FLVPlayer\uninstall.exe"
Game Cam v1.4 --> MsiExec.exe /I{EBE7050B-7988-4BC3-BBFD-5C6828859483}
Gloodle --> C:\WINDOWS\IsUninst.exe -f"C:\Program Files\Gloodle\Uninst.isu"
Google Desktop --> C:\Program Files\Google\Google Desktop Search\GoogleDesktopSetup.exe -uninstall
Google Earth --> MsiExec.exe /I{1E04F83B-2AB9-4301-9EF7-E86307F79C72}
Google SketchUp 6 --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\11\50\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{98736A65-3C79-49EC-B7E9-A3C77774B0E6}\setup.exe" -l0x9 -removeonly
Google SketchUp 6 --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\11\50\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{B3D8B2F8-3C2C-45BC-933E-8B60E78F6684}\setup.exe" -l0x9 -removeonly
Grand Theft Auto Vice City --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\0701\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{4B35F00C-E63D-40DC-9839-DF15A33EAC46}\Setup.exe" -l0x9
Guild Wars --> "C:\Program Files\Guild Wars\Gw.exe" -uninstall
HighMAT Extension to Microsoft Windows XP CD Writing Wizard --> MsiExec.exe /X{FCE65C4E-B0E8-4FBD-AD16-EDCBE6CD591F}
Home Plan Pro for Windows 95/98/00/ME/NT/XP --> "C:\Documents and Settings\john\Desktop\kids\kynans\Design\Home Plan Pro\Remove.exe" /U:"C:\Documents and Settings\john\Desktop\kids\kynans\Design\Home Plan Pro\Remove.log"
Hotfix for Windows Media Format 11 SDK (KB929399) --> "C:\WINDOWS\$NtUninstallKB929399$\spuninst\spuninst.exe"
InterVideo FilterSDK --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{A15ED800-19FF-11D5-AF7F-0050BA1191E9}\setup.exe" REMOVEALL
iPod for Windows 2005-09-23 --> C:\Program Files\Common Files\InstallShield\Driver\8\Intel 32\IDriver.exe /M{D4936AAF-FFD0-44A1-A7EA-A2DB41CEB5BC} /l1033
IrfanView (remove only) --> C:\Program Files\IrfanView\iv_uninstall.exe
iTunes --> MsiExec.exe /I{80FD852F-5AAC-4129-B931-06AAFFA43138}
J2SE Runtime Environment 5.0 Update 11 --> MsiExec.exe /I{3248F0A8-6813-11D6-A77B-00B0D0150110}
J2SE Runtime Environment 5.0 Update 6 --> MsiExec.exe /I{3248F0A8-6813-11D6-A77B-00B0D0150060}
J2SE Runtime Environment 5.0 Update 8 --> MsiExec.exe /I{3248F0A8-6813-11D6-A77B-00B0D0150080}
J2SE Runtime Environment 5.0 Update 9 --> MsiExec.exe /I{3248F0A8-6813-11D6-A77B-00B0D0150090}
Java 2 Runtime Environment, SE v1.4.2 --> MsiExec.exe /I{7148F0A8-6813-11D6-A77B-00B0D0142000}
Java(TM) 6 Update 2 --> MsiExec.exe /I{3248F0A8-6813-11D6-A77B-00B0D0160020}
Java(TM) 6 Update 3 --> MsiExec.exe /I{3248F0A8-6813-11D6-A77B-00B0D0160030}
Java(TM) SE Runtime Environment 6 Update 1 --> MsiExec.exe /I{3248F0A8-6813-11D6-A77B-00B0D0160010}
LimeWire 4.14.8 --> "C:\Program Files\LimeWire\uninstall.exe"
liteCAM --> C:\Program Files\InstallShield Installation Information\{BC8373FC-142C-40B9-AB2A-DA984391A9BD}\setup.exe -runfromtemp -l0x0009 -removeonly
Logitech Gaming Software --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\0701\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{B9242864-2841-4ADE-86E0-8F90F91B04DD}\setup.exe" -l0x9
LOTR The Return of the King tm --> C:\Program Files\EA GAMES\LOTR The Return of the King tm\EAUninstall.exe
LQfix 2.1 --> "C:\WINDOWS\LQfix\unins000.exe"
Macromedia Flash MX 2004 --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{2F353D44-73BB-4971-B31D-F7642E9E9531}\Setup.exe" -l0x9 UNINSTALL
Macromedia Shockwave Player --> C:\WINDOWS\system32\Macromed\SHOCKW~2\UNWISE.EXE C:\WINDOWS\system32\Macromed\SHOCKW~2\Install.log
McAfee SecurityCenter --> C:\Program Files\McAfee\MSC\mcuninst.exe
Microsoft Compression Client Pack 1.0 for Windows XP --> "C:\WINDOWS\$NtUninstallMSCompPackV1$\spuninst\spuninst.exe"
Microsoft Encarta Encyclopedia Standard - WE 2003 --> MsiExec.exe /I{035A0010-3975-4267-9F39-1DC4745090B7}
Microsoft Links 2003 Demo --> "C:\Program Files\Microsoft Games\Links 2003 Demo\UNINSTAL.EXE" /runtemp /addremove
Microsoft Office Professional Edition 2003 --> MsiExec.exe /I{91110409-6000-11D3-8CFE-0150048383C9}
Microsoft Text-to-Speech Engine 4.0 (English) --> RunDll32 advpack.dll,LaunchINFSection C:\WINDOWS\INF\msTTS.inf, Uninstall
Microsoft User-Mode Driver Framework Feature Pack 1.0 --> "C:\WINDOWS\$NtUninstallWudf01000$\spuninst\spuninst.exe"
Microsoft Visual C++ 2005 Redistributable --> MsiExec.exe /X{7299052b-02a4-4627-81f2-1818da5d550d}
MIKSOFT Mobile AMR converter --> "C:\Program Files\MIKSOFT\Mobile AMR converter\unins000.exe"
Moyea FLV Downloader version 1.7.0.0 --> "C:\Program Files\Moyea\FLV Downloader\unins001.exe"
Moyea FLV to Video Converter Pro version 1.29.2.11 --> "C:\Program Files\Moyea\FLV to Video Pro\unins000.exe"
Mozilla Firefox (2.0.0.12) --> C:\Program Files\Mozilla Firefox\uninstall\helper.exe
Mozilla Thunderbird (2.0.0.12) --> C:\Program Files\Mozilla Thunderbird\uninstall\helper.exe
Multimedia Card Reader --> C:\Program Files\Common Files\InstallShield\Driver\8\Intel 32\IDriver.exe /M{07B02BD4-E799-4945-B240-166CA9A9BE2D} /l1033
MultiMedia Software --> C:\Program Files\Video Add-on\uninst.exe
Myst III: Exile --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{9F05B89E-2873-11D5-9E9D-0050DA1EA555}\setup.exe"
Need for Speed Underground 2 --> C:\Program Files\EA GAMES\Need for Speed Underground 2\EAUninstall.exe
Need for Speed™ Most Wanted --> C:\Program Files\EA GAMES\Need for Speed Most Wanted\EAUninstall.exe
Nero OEM --> C:\Program Files\Ahead\nero\uninstall\UNNERO.exe /UNINSTALL
Nero Suite --> C:\Program Files\Common Files\Ahead\Uninstall\Setup.exe /uninstall
Nokia Connectivity Cable Driver --> MsiExec.exe /X{6882DD11-33B8-4DEA-8305-7E765BF74BD3}
Nokia PC Connectivity Solution --> MsiExec.exe /I{0D80391C-0A72-43BB-9BC2-143F63CC111D}
Nokia PC Suite --> MsiExec.exe /I{531317A5-586A-4E36-87C1-CA823447B375}
Notepad++ --> C:\Program Files\Notepad++\uninstall.exe
NVIDIA Drivers --> C:\WINDOWS\system32\nvudisp.exe UninstallGUI
OmniPage Pro 9.0 --> C:\Program Files\Caere\OmniPagePro90\Deinstall.exe "C:\Program Files\Caere\OmniPagePro90\uninstall.exe -f'C:\Program Files\Caere\OmniPagePro90\DeIsL1.isu'"
OptusNet --> C:\PROGRA~1\ONLINE~1\Optus\UNWISE.EXE C:\PROGRA~1\ONLINE~1\Optus\INSTALL.LOG
OptusNet DSL --> C:\Program Files\OptusNet DSL Internet\Uninstall.exe
particleIllusion 3.0 --> C:\WINDOWS\IsUninst.exe -f"C:\Program Files\particleIllusion_3\Uninst.isu"
particleIllusion 3.0.2 --> "C:\Program Files\particleIllusion_3\uninstall\unins000.exe"
pdfFactory --> C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\fppinst3.exe /uninstall
PowerDirector Express --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{EDE721EC-870A-11D8-9D75-000129760D75}\setup.exe" -uninstall
PowerDVD --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{6811CAA0-BF12-11D4-9EA1-0050BAE317E1}\setup.exe" -uninstall
PowerProducer --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{B7A0CE06-068E-11D6-97FD-0050BACBF861}\setup.exe" -uninstall
progeCAD LT 2006 SP1 --> C:\PROGRA~1\PROGES~1\PROGEC~1\UNWISE.EXE C:\PROGRA~1\PROGES~1\PROGEC~1\install.log
QuickTime --> MsiExec.exe /I{BFD96B89-B769-4CD6-B11E-E79FFD46F067}
RealPlayer --> C:\Program Files\Common Files\Real\Update_OB\r1puninst.exe RealNetworks|RealPlayer|6.0
Realtek AC'97 Audio --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{FB08F381-6533-4108-B7DD-039E11FBC27E}\setup.exe" REMOVE
Safari --> MsiExec.exe /I{0AFC9710-5DD6-4C6A-BA52-91AE992B2C9D}
Scan Manager 5.2 --> MsiExec.exe /I{E0A1559B-9886-11D4-8D06-0050DA284A39}
Shockwave --> C:\WINDOWS\system32\Macromed\SHOCKW~1\UNWISE.EXE C:\WINDOWS\system32\Macromed\SHOCKW~1\Install.log
Sony Jam Trax 2.0a --> MsiExec.exe /I{6D8E2EDF-B870-4EF0-8D30-1CA13F397735}
StuffPlug 3 --> C:\Program Files\StuffPlug3\Uninstall.exe
System Requirements Lab --> C:\Program Files\SystemRequirementsLab\Uninstall.exe
Terragen --> MsiExec.exe /I{CCEB53A5-A252-4CF3-8602-429AB06BF0AE}
The Emporer's Mahjong --> "C:\Program Files\Emperors Mahjong\unins000.exe"
The Lord of the Rings Online™: Shadows of Angmar™ v07.12.30.54 --> "C:\Program Files\Turbine\The Lord of the Rings Online\unins000.exe"
VeohTV BETA --> C:\Program Files\InstallShield Installation Information\{D1B11537-EA51-4DD8-BF1E-098BEE48868D}\setup.exe -runfromtemp -l0x0409
Volo View Express --> C:\WINDOWS\uninst.exe -f"C:\Program Files\Volo View Express\DeIsL1.isu"
Vuze Launcher --> C:\WINDOWS\system32\javaws.exe -uninstall -prompt "http://www.vuze.com/jws/vuze.jnlp?m=RWIIXDRZ744LY3D7VVXK5PP6KIW2JDYQ"
Warcraft III --> C:\WINDOWS\War3Unin.exe C:\WINDOWS\War3Unin.dat
WavePad Uninstall --> C:\Program Files\NCH Swift Sound\WavePad\uninst.exe
Windows Driver Package - Nokia Modem (06/12/2006 6.81.0.21) --> C:\PROGRA~1\DIFX\D6ACC4BE676423A2B130B78A4B627FC457D98997\dpinst.exe /u C:\WINDOWS\system32\DRVSTORE\nokbtmdm_62A340731F8930057B44B8864F236850B0D49D65\nokbtmdm.inf
Windows Live installer --> MsiExec.exe /X{A7E4ECCA-4A8E-4258-8EC8-2DCCF5B11320}
Windows Live Messenger --> MsiExec.exe /X{508CE775-4BA4-4748-82DF-FE28DA9F03B0}
Windows Live Sign-in Assistant --> MsiExec.exe /I{AFA4E5FD-ED70-4D92-99D0-162FD56DC986}
Windows Media Format 11 runtime --> "C:\WINDOWS\$NtUninstallWMFDist11$\spuninst\spuninst.exe"
Windows Messenger 5.1 --> MsiExec.exe /I{A44413DC-17D5-4F0B-A128-8B590B20323C}
WinMorph™ 3.01 --> "C:\Program Files\Debugmode\WinMorph\unins000.exe"
WinRAR archiver --> C:\Program Files\WinRAR\uninstall.exe
XviD MPEG4 Video Codec (remove only) --> "C:\WINDOWS\system32\xvid-uninstall.exe"
Yahtzee Master v1.44 --> "C:\Program Files\Yahtzee Master\unins000.exe"

-- Application Event Log -------------------------------------------------------

Event Record #/Type20456 / Success
Event Submitted/Written: 03/24/2008 06:30:20 PM
Event ID/Source: 12001 / usnjsvc
Event Description:
The Messenger Sharing USN Journal Reader service started successfully.

Event Record #/Type20449 / Error
Event Submitted/Written: 03/24/2008 05:40:30 PM
Event ID/Source: 1002 / Application Hang
Event Description:
Hanging application Ad-Aware2007.exe, version 7.0.2.6, hang module hungapp, version 0.0.0.0, hang address 0x00000000.

Event Record #/Type20446 / Success
Event Submitted/Written: 03/24/2008 01:57:29 PM
Event ID/Source: 12001 / usnjsvc
Event Description:
The Messenger Sharing USN Journal Reader service started successfully.

Event Record #/Type20430 / Success
Event Submitted/Written: 03/23/2008 11:38:56 PM
Event ID/Source: 12001 / usnjsvc
Event Description:
The Messenger Sharing USN Journal Reader service started successfully.

Event Record #/Type20418 / Success
Event Submitted/Written: 03/23/2008 10:22:46 AM
Event ID/Source: 12001 / usnjsvc
Event Description:
The Messenger Sharing USN Journal Reader service started successfully.

-- Security Event Log ----------------------------------------------------------

No Errors/Warnings found.

-- System Event Log ------------------------------------------------------------

Event Record #/Type35901 / Error
Event Submitted/Written: 03/24/2008 06:29:09 PM
Event ID/Source: 10001 / DCOM
Event Description:
Unable to start a DCOM Server: {C7E39D60-7A9F-42BF-ABB1-03DC0FA4F493} as /.
The error:
"%%233"
Happened while starting this command:
C:\PROGRA~1\McAfee.com\Agent\mcagent.exe -Embedding

Event Record #/Type35877 / Error
Event Submitted/Written: 03/24/2008 06:05:54 PM
Event ID/Source: 7000 / Service Control Manager
Event Description:
The AVerMedia, DVB-T WDM Crossbar service failed to start due to the following error:
%%1058

Event Record #/Type35876 / Error
Event Submitted/Written: 03/24/2008 06:05:54 PM
Event ID/Source: 7000 / Service Control Manager
Event Description:
The AVerMedia, DVB-T WDM Video Capture service failed to start due to the following error:
%%1058

Event Record #/Type35875 / Error
Event Submitted/Written: 03/24/2008 06:05:54 PM
Event ID/Source: 7000 / Service Control Manager
Event Description:
The AVerMedia, WDM MPEG-2 TS Capture (DVBT) service failed to start due to the following error:
%%1058

Event Record #/Type35866 / Warning
Event Submitted/Written: 03/24/2008 02:53:48 PM
Event ID/Source: 57 / Ftdisk
Event Description:
The system failed to flush data to the transaction log. Corruption may occur.

-- End of Deckard's System Scanner: finished at 2008-03-24 21:39:11 ------------

wow! that's a lot of reading! thanks again for your time

Ried · 03-29-2008, 10:03 AM

You're welcome, zuluclayman.

As before, please copy this page to Notepad and save to your desktop for reference as you will not have any browsers open while you are carrying out these instructions.

It is IMPORTANT that you don't miss a step & perform everything in the correct order/sequence.

***************************************************

Please reboot your computer in Safe Mode by doing the following:
1) Restart your computer
2) After hearing your computer beep once during startup, but before the Windows icon appears, press F8.
3) Instead of Windows loading as normal, a menu should appear
4) Use the up arrow key to highlight Safe Mode and press Enter.
5) Login with your usual account. Make sure to close any open browsers.

--------------------------------------------------------------------

Run a scan with HijackThis and 'check' the following entry:

O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)

Click 'Fix Checked' and close HijackThis.

--------------------------------------------------------------------

Using 'My Computer', navigate to and delete the following folders:

C:\Documents and Settings\jacob\Application Data\HOLEBYTEACID
C:\Documents and Settings\john\Application Data\HOLEBYTEACID

--------------------------------------------------------------------

Open Notepad and copy and paste the content of the code box in it:

Code:

C:\
cd C:\Windows\Tasks
attrib -r -s -h B0FC56F796A7CA4F.job
del B0FC56F796A7CA4F.job

Save this Notepad file as remjobs.bat , choose to save as *all files
and place it on your desktop. It should look like this:

Doubleclick on remjobs.bat. A doswindow will open and close again, this is normal.

--------------------------------------------------------------------

Double-click on SmitfraudFix.exe to start the tool.
Select option #2 - Clean by typing 2 and press Enter.
Wait for the tool to complete and disk cleanup to finish.
You will be prompted : " Registry cleaning - Do you want to clean the registry?" answer Yes by typing Y and hit Enter.
The tool will also check if wininet.dll is infected. If a clean version is found, you will be prompted to replace wininet.dll. Answer Yes to the question " Replace infected file?" by typing Y and hit Enter.

A reboot may be needed to finish the cleaning process, if you computer does not restart automatically please do it yourself manually. Reboot into Normal Mode.

The tool will create a log named rapport.txt in the root of your drive, eg: Local Disk C: (C:\rapport.txt) or partition where your operating system is installed. Please post that log along with all others requested in your next reply.

--------------------------------------------------------------------

Next go to Control Panel click Display>Desktop>Customize Desktop>Web> Now, Uncheck everything and delete everything except 'My Current Home Page'

Also make sure the 'Lock desktop items' box is unticked. Click OK, and then Click Apply, then OK.

--------------------------------------------------------------------

Empty the Recycle Bin by right-clicking the Recycle Bin icon on your Desktop, and then clicking Empty Recycle Bin.

--------------------------------------------------------------------

Double-click on SmitfraudFix.exe to start the tool.
Select option #3 - Delete Trusted zone by typing 3 and press Enter
Answer Yes to the question "Restore Trusted Zone ?" by typing Y and hit Enter.

Note

If you use SpywareBlaster and/or IE-SPYAD, it will be necessary to re-install the protection both afford. For SpywareBlaster, run the program and re-protect all items. For IE-SPYAD, run the batch file and reinstall the protection.

--------------------------------------------------------------------

Please run this online scan to search for any remnants. It can take some time, so please be patient and allow it to run it's full course:

Using Internet Explorer, visit http://www.kaspersky.com/kos/eng/par...avwebscan.html

Answer Yes, when prompted to install an ActiveX component.

The program will then begin downloading the latest definition files.
Once the files have been downloaded click on NEXT
Locate the Scan Settings button & configure to:
- Scan using the following Anti-Virus database:
  - Extended
- Scan Options:
  - Scan Archives
  - Scan Mail Bases
Click OK & have it scan My Computer
Once the scan is complete, it will display if your system has been infected. It does not provide an option to clean/disinfect. We only require a report from it.
Click the Save as Text button to save the file to your desktop so that you may post it in your next reply

* Turn off the real time scanner of any existing antivirus program while performing the online scan

---------------------------------------------------------------

Then post the following logs in your next reply...

c:\rapport.txt
Kaspersky results
New Hijackthis log

**zuluclayman** · 03-29-2008, 07:10 PM

please find following:
smitfraud log
kapersky log
hijack this log

SmitFraudFix v2.309

Scan done at 9:51:26.59, Sun 30/03/2008
Run from C:\Documents and Settings\john\Desktop\security stuff\SmitfraudFix
OS: Microsoft Windows XP [Version 5.1.2600] - Windows_NT
The filesystem type is NTFS
Fix run in safe mode

»»»»»»»»»»»»»»»»»»»»»»»» SharedTaskScheduler Before SmitFraudFix
!!!Attention, following keys are not inevitably infected!!!

SrchSTS.exe by S!Ri
Search SharedTaskScheduler's .dll

»»»»»»»»»»»»»»»»»»»»»»»» Killing process

»»»»»»»»»»»»»»»»»»»»»»»» hosts

127.0.0.1 localhost

»»»»»»»»»»»»»»»»»»»»»»»» VACFix

VACFix
Credits: Malware Analysis & Diagnostic
Code: S!Ri

»»»»»»»»»»»»»»»»»»»»»»»» Winsock2 Fix

S!Ri's WS2Fix: LSP not Found.

»»»»»»»»»»»»»»»»»»»»»»»» Generic Renos Fix

GenericRenosFix by S!Ri

»»»»»»»»»»»»»»»»»»»»»»»» Deleting infected files

C:\DOCUME~1\john\FAVORI~1\Online Security Test.url Deleted

»»»»»»»»»»»»»»»»»»»»»»»» IEDFix

IEDFix
Credits: Malware Analysis & Diagnostic
Code: S!Ri

»»»»»»»»»»»»»»»»»»»»»»»» DNS

HKLM\SYSTEM\CCS\Services\Tcpip\..\{11463229-A19E-48D0-8234-B37097CE95FC}: DhcpNameServer=192.168.0.1
HKLM\SYSTEM\CCS\Services\Tcpip\..\{A4943221-AF64-4F0B-8F97-8D5E95D7CA7C}: DhcpNameServer=211.29.132.12 198.142.0.51
HKLM\SYSTEM\CCS\Services\Tcpip\..\{EB7BBFD3-B18E-4E61-84C5-B74132395EFF}: DhcpNameServer=192.168.0.1
HKLM\SYSTEM\CS1\Services\Tcpip\..\{11463229-A19E-48D0-8234-B37097CE95FC}: DhcpNameServer=192.168.0.1
HKLM\SYSTEM\CS1\Services\Tcpip\..\{A4943221-AF64-4F0B-8F97-8D5E95D7CA7C}: DhcpNameServer=211.29.132.12 198.142.0.51
HKLM\SYSTEM\CS1\Services\Tcpip\..\{EB7BBFD3-B18E-4E61-84C5-B74132395EFF}: DhcpNameServer=192.168.0.1
HKLM\SYSTEM\CS3\Services\Tcpip\..\{11463229-A19E-48D0-8234-B37097CE95FC}: DhcpNameServer=192.168.0.1
HKLM\SYSTEM\CS3\Services\Tcpip\..\{A4943221-AF64-4F0B-8F97-8D5E95D7CA7C}: DhcpNameServer=211.29.132.12 198.142.0.51
HKLM\SYSTEM\CS3\Services\Tcpip\..\{EB7BBFD3-B18E-4E61-84C5-B74132395EFF}: DhcpNameServer=192.168.0.1
HKLM\SYSTEM\CCS\Services\Tcpip\Parameters: DhcpNameServer=192.168.0.1
HKLM\SYSTEM\CS1\Services\Tcpip\Parameters: DhcpNameServer=192.168.0.1
HKLM\SYSTEM\CS3\Services\Tcpip\Parameters: DhcpNameServer=192.168.0.1

»»»»»»»»»»»»»»»»»»»»»»»» Deleting Temp Files

»»»»»»»»»»»»»»»»»»»»»»»» Winlogon.System
!!!Attention, following keys are not inevitably infected!!!

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"System"=""

»»»»»»»»»»»»»»»»»»»»»»»» Registry Cleaning

Registry Cleaning done.

»»»»»»»»»»»»»»»»»»»»»»»» SharedTaskScheduler After SmitFraudFix
!!!Attention, following keys are not inevitably infected!!!

SrchSTS.exe by S!Ri
Search SharedTaskScheduler's .dll

»»»»»»»»»»»»»»»»»»»»»»»» End

-------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER REPORT
Sunday, March 30, 2008 12:02:55 PM
Operating System: Microsoft Windows XP Home Edition, Service Pack 2 (Build 2600)
Kaspersky Online Scanner version: 5.0.98.0
Kaspersky Anti-Virus database last update: 29/03/2008
Kaspersky Anti-Virus database records: 672629
-------------------------------------------------------------------------------

Scan Settings:
Scan using the following antivirus database: extended
Scan Archives: true
Scan Mail Bases: true

Scan Target - My Computer:
A:\
C:\
D:\
E:\
F:\
G:\
H:\
I:\

Scan Statistics:
Total number of scanned objects: 111661
Number of viruses found: 5
Number of infected objects: 13
Number of suspicious objects: 0
Duration of the scan process: 01:19:55

Infected Object Name / Virus Name / Last Action
C:\Documents and Settings\All Users\Application Data\McAfee\MNA\NAData Object is locked skipped
C:\Documents and Settings\All Users\Application Data\McAfee\MSC\Logs\Events.dat Object is locked skipped
C:\Documents and Settings\All Users\Application Data\McAfee\MSC\Logs\{F96185B4-EB6C-45EC-B939-06223617B339}.log Object is locked skipped
C:\Documents and Settings\All Users\Application Data\McAfee\MSC\McUsers.dat Object is locked skipped
C:\Documents and Settings\All Users\Application Data\McAfee\VirusScan\Data\TFR5.tmp Object is locked skipped
C:\Documents and Settings\All Users\Application Data\McAfee\VirusScan\Logs\OAS.Log Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Crypto\RSA\MachineKeys\0927250a0e3cf7500a5c9e270fa2f596_108b46ae-156d-4ae1-9aba-fc78fdceeab5 Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Crypto\RSA\MachineKeys\094746e0a9f2b34186e476ddc6d833b0_108b46ae-156d-4ae1-9aba-fc78fdceeab5 Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Crypto\RSA\MachineKeys\0c4669c2b14c50b6db4e11da1d41735b_108b46ae-156d-4ae1-9aba-fc78fdceeab5 Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Crypto\RSA\MachineKeys\1205266597f00ef89a3921004f81bebc_108b46ae-156d-4ae1-9aba-fc78fdceeab5 Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Crypto\RSA\MachineKeys\13e74932ef352fd68479a0c99cb3503f_108b46ae-156d-4ae1-9aba-fc78fdceeab5 Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Crypto\RSA\MachineKeys\1481635e2c561ea674a364dc77b3cef8_108b46ae-156d-4ae1-9aba-fc78fdceeab5 Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Crypto\RSA\MachineKeys\15ae00e1ff54091429958631f2e5ac28_108b46ae-156d-4ae1-9aba-fc78fdceeab5 Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Crypto\RSA\MachineKeys\1870d4fc34a420f21aa4ed07a79a343a_108b46ae-156d-4ae1-9aba-fc78fdceeab5 Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Crypto\RSA\MachineKeys\1c29f30dbc7028c326381e52c1dc096f_108b46ae-156d-4ae1-9aba-fc78fdceeab5 Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Crypto\RSA\MachineKeys\1f2654e5c2bf68fc0bc666a51cdd774e_108b46ae-156d-4ae1-9aba-fc78fdceeab5 Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Crypto\RSA\MachineKeys\22417429fc7dfde796b9aa2391d141f5_108b46ae-156d-4ae1-9aba-fc78fdceeab5 Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Crypto\RSA\MachineKeys\2ea398c0597c9e9268c9a4ecdd89116d_108b46ae-156d-4ae1-9aba-fc78fdceeab5 Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Crypto\RSA\MachineKeys\36448534a85ea8f99d5d04562189f7d1_108b46ae-156d-4ae1-9aba-fc78fdceeab5 Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Crypto\RSA\MachineKeys\37e0d24ec89e06c95bef55602beca0ef_108b46ae-156d-4ae1-9aba-fc78fdceeab5 Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Crypto\RSA\MachineKeys\3abec406bc036bbce595a469ee4b0c2f_108b46ae-156d-4ae1-9aba-fc78fdceeab5 Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Crypto\RSA\MachineKeys\3b3c2d12b17a35bebde232d7ee11ef4e_108b46ae-156d-4ae1-9aba-fc78fdceeab5 Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Crypto\RSA\MachineKeys\3e5772044465bb5fb7e5ae5f2acb7aed_108b46ae-156d-4ae1-9aba-fc78fdceeab5 Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Crypto\RSA\MachineKeys\44d1a51c7ef1465919b4a73b48c350ac_108b46ae-156d-4ae1-9aba-fc78fdceeab5 Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Crypto\RSA\MachineKeys\4a2ef8e355e320b718c2218889cf666a_108b46ae-156d-4ae1-9aba-fc78fdceeab5 Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Crypto\RSA\MachineKeys\4e8439acaec06b8b68baaac5081cf848_108b46ae-156d-4ae1-9aba-fc78fdceeab5 Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Crypto\RSA\MachineKeys\4ed70c7c6e35bc246719782cafddc497_108b46ae-156d-4ae1-9aba-fc78fdceeab5 Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Crypto\RSA\MachineKeys\5320ff0131c2ae5d9eb8ccbed424b76c_108b46ae-156d-4ae1-9aba-fc78fdceeab5 Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Crypto\RSA\MachineKeys\59dbdc2361fda117cf56f19d7b6a1a6e_108b46ae-156d-4ae1-9aba-fc78fdceeab5 Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Crypto\RSA\MachineKeys\5d5840010d6ea1ab34a2ddd07b36b0f8_108b46ae-156d-4ae1-9aba-fc78fdceeab5 Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Crypto\RSA\MachineKeys\60731d4649819cb3b3f73369dc73e4ee_108b46ae-156d-4ae1-9aba-fc78fdceeab5 Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Crypto\RSA\MachineKeys\609a9a3b10195d546bd1820b7a26a096_108b46ae-156d-4ae1-9aba-fc78fdceeab5 Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Crypto\RSA\MachineKeys\61269475db9afb23ad4b11a0f211937c_108b46ae-156d-4ae1-9aba-fc78fdceeab5 Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Crypto\RSA\MachineKeys\6358ecd0a43fc278f85d030fca320d29_108b46ae-156d-4ae1-9aba-fc78fdceeab5 Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Crypto\RSA\MachineKeys\64f5cd9639aa543b9522d3dd205ac2db_108b46ae-156d-4ae1-9aba-fc78fdceeab5 Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Crypto\RSA\MachineKeys\675104e41023fc6eba78cb41ab4626f5_108b46ae-156d-4ae1-9aba-fc78fdceeab5 Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Crypto\RSA\MachineKeys\67d34eacb445ac4ee36da909624140c0_108b46ae-156d-4ae1-9aba-fc78fdceeab5 Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Crypto\RSA\MachineKeys\68b5718f5e360c0e69e4bd4ef7d25bb0_108b46ae-156d-4ae1-9aba-fc78fdceeab5 Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Crypto\RSA\MachineKeys\6f0121cd5f5ac9a3b3baaaf290f78da5_108b46ae-156d-4ae1-9aba-fc78fdceeab5 Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Crypto\RSA\MachineKeys\6f8b3331bbbb2c2fcbbbe43ea417885a_108b46ae-156d-4ae1-9aba-fc78fdceeab5 Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Crypto\RSA\MachineKeys\72bd63df27f05fd1f244d9ff9ba590d6_108b46ae-156d-4ae1-9aba-fc78fdceeab5 Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Crypto\RSA\MachineKeys\7bd784beec25f8a3b2a80a1ca224afe7_108b46ae-156d-4ae1-9aba-fc78fdceeab5 Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Crypto\RSA\MachineKeys\7ddf14d350fdcfdc32b15340913d575a_108b46ae-156d-4ae1-9aba-fc78fdceeab5 Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Crypto\RSA\MachineKeys\89007030a6113e89b82778f4e45710a2_108b46ae-156d-4ae1-9aba-fc78fdceeab5 Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Crypto\RSA\MachineKeys\8eb28f1a19f5bf7a177532e837c24584_108b46ae-156d-4ae1-9aba-fc78fdceeab5 Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Crypto\RSA\MachineKeys\9a021ddf5a3e390ffa03f68565ec43a2_108b46ae-156d-4ae1-9aba-fc78fdceeab5 Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Crypto\RSA\MachineKeys\9a8a72dc7ef8a1107a24160936613cb8_108b46ae-156d-4ae1-9aba-fc78fdceeab5 Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Crypto\RSA\MachineKeys\a3b91daed186f64e52b4d310989b215a_108b46ae-156d-4ae1-9aba-fc78fdceeab5 Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Crypto\RSA\MachineKeys\aac1241c3d6606a34c3d11efa5de197a_108b46ae-156d-4ae1-9aba-fc78fdceeab5 Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Crypto\RSA\MachineKeys\ac0b32f591b668151882f652e40a2073_108b46ae-156d-4ae1-9aba-fc78fdceeab5 Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Crypto\RSA\MachineKeys\b16e7de8667afec6b41b5a76fee01849_108b46ae-156d-4ae1-9aba-fc78fdceeab5 Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Crypto\RSA\MachineKeys\b2bbe27076190a9c87b8b9ed3d7f095c_108b46ae-156d-4ae1-9aba-fc78fdceeab5 Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Crypto\RSA\MachineKeys\b7ab3b927d872283c24dcb82d2a04e8d_108b46ae-156d-4ae1-9aba-fc78fdceeab5 Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Crypto\RSA\MachineKeys\b7d1d6fc0e7eca845f23285783a3c0d9_108b46ae-156d-4ae1-9aba-fc78fdceeab5 Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Crypto\RSA\MachineKeys\becf329c25cf49639faa11ae9a6a6847_108b46ae-156d-4ae1-9aba-fc78fdceeab5 Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Crypto\RSA\MachineKeys\c3c6968789cb1bdc26bc80f0e5a023af_108b46ae-156d-4ae1-9aba-fc78fdceeab5 Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Crypto\RSA\MachineKeys\c405d2afafe9b95f4934e458d3f1477b_108b46ae-156d-4ae1-9aba-fc78fdceeab5 Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Crypto\RSA\MachineKeys\c6c51ba73c4f0777d428016b9fd1cd09_108b46ae-156d-4ae1-9aba-fc78fdceeab5 Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Crypto\RSA\MachineKeys\c6f304b85e4f4b2c759f4cff49ca772d_108b46ae-156d-4ae1-9aba-fc78fdceeab5 Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Crypto\RSA\MachineKeys\c891c7dc1ec9dfb44d777d7f983ee963_108b46ae-156d-4ae1-9aba-fc78fdceeab5 Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Crypto\RSA\MachineKeys\c896353ea6dc4884b6800d7b21d626d9_108b46ae-156d-4ae1-9aba-fc78fdceeab5 Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Crypto\RSA\MachineKeys\d82d28f85a561021fd5e62664f61e8a3_108b46ae-156d-4ae1-9aba-fc78fdceeab5 Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Crypto\RSA\MachineKeys\d8e6d65297fc54dd1cc8b82dc60b9dc2_108b46ae-156d-4ae1-9aba-fc78fdceeab5 Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Crypto\RSA\MachineKeys\d9733ed90affb9c8425ad0c07f15ee62_108b46ae-156d-4ae1-9aba-fc78fdceeab5 Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Crypto\RSA\MachineKeys\db4b95e43102e193a8e1b40da4a7f560_108b46ae-156d-4ae1-9aba-fc78fdceeab5 Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Crypto\RSA\MachineKeys\dd21bce039d494c11bca32a1495ce83f_108b46ae-156d-4ae1-9aba-fc78fdceeab5 Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Crypto\RSA\MachineKeys\e0ec28ad40f575ef8dd9d4bb1e22514b_108b46ae-156d-4ae1-9aba-fc78fdceeab5 Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Crypto\RSA\MachineKeys\e1d3cf2a001a93915bd820cfa0ec7532_108b46ae-156d-4ae1-9aba-fc78fdceeab5 Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Crypto\RSA\MachineKeys\e25440691fa9b808b978f059d6676ed7_108b46ae-156d-4ae1-9aba-fc78fdceeab5 Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Crypto\RSA\MachineKeys\e7280c1c670c373731a3efafbb3d5e35_108b46ae-156d-4ae1-9aba-fc78fdceeab5 Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Crypto\RSA\MachineKeys\eda8e7fe0e7327f83bd9468dc317730a_108b46ae-156d-4ae1-9aba-fc78fdceeab5 Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Crypto\RSA\MachineKeys\eec97102f9828e128c05a1efde9d3ade_108b46ae-156d-4ae1-9aba-fc78fdceeab5 Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Crypto\RSA\MachineKeys\f06b81a2710a9440f4c05f5942d9630b_108b46ae-156d-4ae1-9aba-fc78fdceeab5 Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Crypto\RSA\MachineKeys\f1456bbde1247a3388a74679b4bf499b_108b46ae-156d-4ae1-9aba-fc78fdceeab5 Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Crypto\RSA\MachineKeys\f44c953493955e2a0e0b19d4ec727760_108b46ae-156d-4ae1-9aba-fc78fdceeab5 Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Crypto\RSA\MachineKeys\f58c8b60f6231d4c2ffc55b38000bfe9_108b46ae-156d-4ae1-9aba-fc78fdceeab5 Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr0.dat Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr1.dat Object is locked skipped
C:\Documents and Settings\jacob\Local Settings\Temp\133588_2744_2744_640.19169.tmp Infected: Trojan.Win32.Agent.fxn skipped
C:\Documents and Settings\jacob\Local Settings\Temp\133720_2744_2744_4020.19169.tmp Infected: Trojan.Win32.Agent.fxn skipped
C:\Documents and Settings\jacob\Local Settings\Temp\330260_2744_2744_2352.19169.tmp Infected: Trojan.Win32.Agent.fxn skipped
C:\Documents and Settings\jacob\Local Settings\Temp\395524_2744_2744_3388.19169.tmp Infected: Trojan.Win32.Agent.fxn skipped
C:\Documents and Settings\jacob\Local Settings\Temp\67092_2744_2744_2624.19169.tmp Infected: Trojan.Win32.Agent.fxn skipped
C:\Documents and Settings\john\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\john\Desktop\security stuff\SmitfraudFix\Reboot.exe Infected: not-a-virus:RiskTool.Win32.Reboot.f skipped
C:\Documents and Settings\john\Desktop\security stuff\SmitfraudFix.exe/data.rar/SmitfraudFix/Reboot.exe Infected: not-a-virus:RiskTool.Win32.Reboot.f skipped
C:\Documents and Settings\john\Desktop\security stuff\SmitfraudFix.exe/data.rar Infected: not-a-virus:RiskTool.Win32.Reboot.f skipped
C:\Documents and Settings\john\Desktop\security stuff\SmitfraudFix.exe RarSFX: infected - 2 skipped
C:\Documents and Settings\john\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\john\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\john\Local Settings\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\john\Local Settings\Temp\~DFC804.tmp Object is locked skipped
C:\Documents and Settings\john\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\john\My Documents\My Music\iTunes\iTunes Music\Wicked Remix.wma Infected: Trojan-Downloader.WMA.Wimad.l skipped
C:\Documents and Settings\john\ntuser.dat Object is locked skipped
C:\Documents and Settings\john\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\LocalService\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\LocalService\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\NetworkService\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\NetworkService\ntuser.dat.LOG Object is locked skipped
C:\Program Files\produkey\ProduKey.exe Infected: not-a-virus:PSWTool.Win32.Dialupass.o skipped
C:\System Volume Information\MountPointManagerRemoteDatabase Object is locked skipped
C:\System Volume Information\_restore{4F9C36DC-5039-482D-B3A6-E7495D7957AA}\RP760\change.log Object is locked skipped
C:\WINDOWS\Debug\PASSWD.LOG Object is locked skipped
C:\WINDOWS\SchedLgU.Txt Object is locked skipped
C:\WINDOWS\SoftwareDistribution\ReportingEvents.log Object is locked skipped
C:\WINDOWS\Sti_Trace.log Object is locked skipped
C:\WINDOWS\system32\CatRoot2\edb.log Object is locked skipped
C:\WINDOWS\system32\CatRoot2\tmp.edb Object is locked skipped
C:\WINDOWS\system32\config\AppEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\default Object is locked skipped
C:\WINDOWS\system32\config\DEFAULT.LOG Object is locked skipped
C:\WINDOWS\system32\config\Internet.evt Object is locked skipped
C:\WINDOWS\system32\config\SAM Object is locked skipped
C:\WINDOWS\system32\config\SAM.LOG Object is locked skipped
C:\WINDOWS\system32\config\SecEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\SECURITY Object is locked skipped
C:\WINDOWS\system32\config\SECURITY.LOG Object is locked skipped
C:\WINDOWS\system32\config\software Object is locked skipped
C:\WINDOWS\system32\config\SOFTWARE.LOG Object is locked skipped
C:\WINDOWS\system32\config\SysEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\system Object is locked skipped
C:\WINDOWS\system32\config\SYSTEM.LOG Object is locked skipped
C:\WINDOWS\system32\e404d.dll Infected: Trojan.Win32.Agent.dmp skipped
C:\WINDOWS\system32\h323log.txt Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\INDEX.BTR Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\INDEX.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING.VER Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING1.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING2.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.DATA Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.MAP Object is locked skipped
C:\WINDOWS\Temp\mcmsc_DjzVhQaLdg2zhjj Object is locked skipped
C:\WINDOWS\Temp\mcmsc_EAEhybhOttkckdU Object is locked skipped
C:\WINDOWS\Temp\mcmsc_q0bv4shn9YtWd48 Object is locked skipped
C:\WINDOWS\Temp\mcmsc_QrnZexOpASlI1Eh Object is locked skipped
C:\WINDOWS\wiadebug.log Object is locked skipped
C:\WINDOWS\wiaservc.log Object is locked skipped
C:\WINDOWS\WindowsUpdate.log Object is locked skipped
I:\software\produkey\ProduKey.exe Infected: not-a-virus:PSWTool.Win32.Dialupass.o skipped
I:\System Volume Information\MountPointManagerRemoteDatabase Object is locked skipped

Scan process completed.

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 12:05:31 PM, on 30/03/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\WINDOWS\system32\DRIVERS\CDANTSRV.EXE
C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
c:\program files\common files\mcafee\mna\mcnasvc.exe
c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
C:\Program Files\McAfee\MPF\MPFSrv.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\McAfee.com\Agent\mcagent.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S10IC2.EXE
C:\Program Files\Caere\OmniPagePro90\opware32.exe
C:\Program Files\Microsoft Hardware\Keyboard\type32.exe
C:\WINDOWS\system32\ntvdm.exe
C:\Program Files\OptusNet DSL Internet\DSC.exe
C:\Program Files\CyberLink DVD Solution\PowerDVD\PDVDServ.exe
C:\PROGRA~1\Nokia\NOKIAP~1\LAUNCH~1.EXE
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\SiteAdvisor\6172\SiteAdv.exe
C:\Program Files\Multimedia Card Reader\shwicon2k.exe
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\fppdis3a.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe
C:\Program Files\Common Files\PCSuite\Services\ServiceLayer.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {089FD14D-132B-48FC-8861-0048AE113215} - C:\Program Files\SiteAdvisor\6253\SiteAdv.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O2 - BHO: scriptproxy - {7DB2D5A0-7241-4E79-B68D-6309F01C5231} - C:\Program Files\McAfee\VirusScan\scriptsn.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Catcher Class - {ADECBED6-0366-4377-A739-E69DFBA04663} - C:\Program Files\Moyea\FLV Downloader\MoyeaCth.dll
O3 - Toolbar: McAfee SiteAdvisor - {0BF43445-2F28-4351-9252-17FE6E806AA0} - C:\Program Files\SiteAdvisor\6253\SiteAdv.dll
O3 - Toolbar: Veoh Browser Plug-in - {D0943516-5076-4020-A3B5-AEFAF26AB263} - C:\Program Files\Veoh Networks\Veoh\Plugins\reg\VeohToolbar.dll
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [EPSON Stylus C83 Series] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S10IC2.EXE /P23 "EPSON Stylus C83 Series" /O6 "USB001" /M "Stylus C83"
O4 - HKLM\..\Run: [OmniPage] C:\Program Files\Caere\OmniPagePro90\opware32.exe
O4 - HKLM\..\Run: [IntelliType] "C:\Program Files\Microsoft Hardware\Keyboard\type32.exe"
O4 - HKLM\..\Run: [POINTER] point32.exe
O4 - HKLM\..\Run: [Desktop Service Centre] C:\Program Files\OptusNet DSL Internet\DSC.exe
O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink DVD Solution\PowerDVD\PDVDServ.exe"
O4 - HKLM\..\Run: [PCSuiteTrayApplication] C:\PROGRA~1\Nokia\NOKIAP~1\LAUNCH~1.EXE -startup
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [SiteAdvisor] C:\Program Files\SiteAdvisor\6172\SiteAdv.exe
O4 - HKLM\..\Run: [Sunkist2k] C:\Program Files\Multimedia Card Reader\shwicon2k.exe
O4 - HKLM\..\Run: [pdfFactory Dispatcher v3] "C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\fppdis3a.exe" /source=HKLM
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [mcagent_exe] C:\Program Files\McAfee.com\Agent\mcagent.exe /runkey
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe"
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [Google Desktop Search] "C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe" /startup
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKCU\..\Run: [EPSON Stylus C83 Series] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S10IC2.EXE /P23 "EPSON Stylus C83 Series" /M "Stylus C83" /EF "HKCU"
O4 - HKCU\..\Run: [OM_Monitor] C:\Program Files\OLYMPUS\OLYMPUS Master\Monitor.exe -NoStart
O4 - HKCU\..\Run: [updateMgr] "C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" AcRdB7_0_9 -reboot 1
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra button: EmpirePoker - {77E68763-4284-41d6-B7E7-B6E1F053A9E7} - C:\Program Files\EmpirePoker\EmpirePoker.exe (file missing)
O9 - Extra 'Tools' menuitem: EmpirePoker - {77E68763-4284-41d6-B7E7-B6E1F053A9E7} - C:\Program Files\EmpirePoker\EmpirePoker.exe (file missing)
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: @C:\Program Files\Messenger\Msgslang.dll,-61144 - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: @C:\Program Files\Messenger\Msgslang.dll,-61144 - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/eng/par...an_unicode.cab
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} (McAfee.com Operating System Class) - http://download.mcafee.com/molbin/sh...6/mcinsctl.cab
O16 - DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary...t.cab56907.cab
O20 - AppInit_DLLs: C:\PROGRA~1\Google\GOOGLE~4\GOEC62~1.DLL
O21 - SSODL: E404Helper - {bc576ea5-bcca-4ba1-ae78-16d02d9d1041} - (no file)
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: C-DillaSrv - C-Dilla Ltd - C:\WINDOWS\system32\DRIVERS\CDANTSRV.EXE
O23 - Service: Google Desktop Manager 5.5.709.30344 (GoogleDesktopManager-093007-112848) - Google - C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Macromedia Licensing Service - Macromedia - C:\Program Files\Common Files\Macromedia Shared\Service\Macromedia Licensing.exe
O23 - Service: McAfee Services (mcmscsvc) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
O23 - Service: McAfee Network Agent (McNASvc) - McAfee, Inc. - c:\program files\common files\mcafee\mna\mcnasvc.exe
O23 - Service: McAfee Scanner (McODS) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcods.exe
O23 - Service: McAfee Proxy Service (McProxy) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
O23 - Service: McAfee Real-time Scanner (McShield) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
O23 - Service: McAfee SystemGuards (McSysmon) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
O23 - Service: McAfee Personal Firewall Service (MpfService) - McAfee, Inc. - C:\Program Files\McAfee\MPF\MPFSrv.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - Unknown owner - C:\Program Files\WinPcap\rpcapd.exe (file missing)
O23 - Service: ServiceLayer - Nokia. - C:\Program Files\Common Files\PCSuite\Services\ServiceLayer.exe

--
End of file - 9659 bytes

again thank you for your time!

**zuluclayman** · 03-29-2008, 07:55 PM

Just an anomaly I have found in McAfee program permissions list

There are two instances of Internet Explorer, one blocked, one not.
I do remember blocking Internet Explorer to stop pop-ups when all this stuff started happening. I did remove one version of Internet Explorer using add remove programs some time in the last month.
Two questions:
1. Why are there two versions still showing? I have checked in C:Program Files/Internet Explorer
2. Why do they have dates that are in the year 2010?
(see screenshot attached) the other BLOCKED one has date
2nd March 2010

Don't know that this is important - just puzzling atm

Ried · 03-29-2008, 11:41 PM

Let's see what McAfee shows when we're through here.

Download ComboFix.exe. Please visit this webpage for download links, and instructions for running the tool: http://www.bleepingcomputer.com/comb...o-use-combofix

Please ensure you read this guide carefully and install the Recovery Console first.

The Windows Recovery Console will allow you to boot up into a special recovery (repair) mode. This allows us to more easily help should your computer have a problem after an attempted removal of malware.

When the tool is finished, it will produce a report for you.
Please post the C:\ComboFix.txt along with a new HijackThis log so we may continue cleaning the system.

**zuluclayman** · 03-30-2008, 02:58 AM

please find under:
1. ComboFix log
2. Hijack This log

ComboFix 08-03-30.1 - john 2008-03-30 19:40:38.1 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.586 [GMT 11:00]
Running from: C:\Documents and Settings\john\Desktop\security stuff\ComboFix.exe
* Created a new restore point
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\WINDOWS\system32\e404d.dll
C:\WINDOWS\system32\rightonadz-uninst.exe

.
((((((((((((((((((((((((( Files Created from 2008-02-28 to 2008-03-30 )))))))))))))))))))))))))))))))
.

2008-03-30 10:09 . 2008-03-30 10:09 <DIR> d-------- C:\WINDOWS\system32\Kaspersky Lab
2008-03-30 10:09 . 2008-03-30 10:09 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Kaspersky Lab
2008-03-30 09:40 . 2005-01-07 04:53 <DIR> d-------- C:\Documents and Settings\Administrator\WINDOWS
2008-03-30 09:40 . 2005-01-05 07:50 <DIR> d---s---- C:\Documents and Settings\Administrator\UserData
2008-03-29 20:31 . 2008-03-30 09:51 4,530 --a------ C:\WINDOWS\system32\tmp.reg
2008-03-24 22:02 . 2008-03-24 22:02 <DIR> d-------- C:\Program Files\Trend Micro
2008-03-24 21:35 . 2008-03-24 21:35 <DIR> d-------- C:\Deckard
2008-03-22 23:13 . 2008-03-22 23:13 230 --a------ C:\WINDOWS\system32\spupdsvc.inf
2008-03-22 23:01 . 2004-11-28 21:09 679,936 --a------ C:\WINDOWS\system32\xvidcore.dll
2008-03-22 23:01 . 2008-03-22 23:01 10,240 --ahs---- C:\WINDOWS\system32\Thumbs.db
2008-03-21 23:06 . 2008-03-21 23:07 <DIR> d-------- C:\Program Files\Safari
2008-03-21 23:05 . 2008-03-21 23:05 <DIR> d-------- C:\Program Files\iTunes
2008-03-17 21:51 . 2008-03-17 22:29 <DIR> d-------- C:\WINDOWS\NV676144.TMP
2008-03-17 21:51 . 2007-12-10 14:24 159,458 --a------ C:\WINDOWS\system32\nvapps.nvb
2008-03-07 22:18 . 2008-03-07 22:18 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Azureus
2008-03-07 22:17 . 2008-03-07 22:22 <DIR> d-------- C:\Documents and Settings\john\Application Data\Azureus
2008-03-07 22:16 . 2008-03-07 22:16 <DIR> d-------- C:\Documents and Settings\john\Temp
2008-03-07 21:38 . 2008-03-07 21:38 <DIR> d-------- C:\Program Files\Veoh Networks
2008-03-04 23:20 . 2008-03-04 23:21 <DIR> d-------- C:\Documents and Settings\john\Application Data\Media Player Classic
2008-03-01 13:23 . 2008-03-01 13:23 244 --ah----- C:\sqmnoopt03.sqm
2008-03-01 13:23 . 2008-03-01 13:23 232 --ah----- C:\sqmdata03.sqm
2008-02-28 17:15 . 2007-07-30 19:19 271,224 --a------ C:\WINDOWS\system32\mucltui.dll
2008-02-28 17:15 . 2007-07-30 19:19 207,736 --a------ C:\WINDOWS\system32\muweb.dll
2008-02-28 17:15 . 2007-07-30 19:19 30,072 --a------ C:\WINDOWS\system32\mucltui.dll.mui
2008-02-27 23:01 . 2008-02-29 18:41 <DIR> d-------- C:\Program Files\StuffPlug3
2008-02-27 22:39 . 2008-02-27 22:45 <DIR> d--hsc--- C:\Program Files\Common Files\WindowsLiveInstaller
2008-02-27 22:38 . 2008-02-27 22:45 <DIR> d-------- C:\Program Files\Windows Live
2008-02-27 22:38 . 2008-02-27 22:38 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\WLInstaller
2008-02-15 22:33 . 2008-02-15 22:33 244 --ah----- C:\sqmnoopt01.sqm
2008-02-15 22:33 . 2008-02-15 22:33 232 --ah----- C:\sqmdata01.sqm
2008-02-15 22:33 . 2008-02-15 22:33 172 --ah----- C:\sqmnoopt02.sqm
2008-02-15 22:33 . 2008-02-15 22:33 172 --ah----- C:\sqmdata02.sqm
2008-02-15 22:24 . 2008-02-15 22:24 244 --ah----- C:\sqmnoopt00.sqm
2008-02-15 22:24 . 2008-02-15 22:24 232 --ah----- C:\sqmdata00.sqm
2008-02-12 23:02 . 2008-02-12 23:02 <DIR> d-------- C:\Program Files\Lavalys
2008-02-10 17:30 . 2008-02-10 17:37 <DIR> d-------- C:\Program Files\particleIllusion_3
2008-02-03 16:29 . 2008-02-03 16:29 <DIR> d-------- C:\Program Files\Lavasoft
2008-02-03 16:29 . 2008-02-03 16:30 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Lavasoft
2008-02-03 16:28 . 2008-02-03 16:28 <DIR> d-------- C:\Program Files\Common Files\Wise Installation Wizard
2008-02-02 10:46 . 2008-02-02 11:02 <DIR> d-------- C:\Program Files\Celestia

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-03-30 08:21 --------- d-----w C:\Program Files\Mozilla Thunderbird
2008-03-24 11:06 --------- d-----w C:\Program Files\Java
2008-03-22 12:43 --------- d-----w C:\Documents and Settings\john\Application Data\Canon
2008-03-21 12:19 --------- d-----w C:\Documents and Settings\john\Application Data\Apple Computer
2008-03-21 12:05 --------- d-----w C:\Program Files\iPod
2008-03-21 12:04 --------- d-----w C:\Program Files\QuickTime
2008-03-20 10:53 --------- d-----w C:\Program Files\EA GAMES
2008-03-07 10:39 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-02-21 12:19 --------- d-----w C:\Program Files\Terragen
2008-02-16 03:54 --------- d-----w C:\Program Files\MSN Messenger
2008-02-15 02:40 --------- d-----w C:\Program Files\McAfee
2008-02-06 12:58 --------- d-----w C:\Program Files\Common Files\Adobe
2008-02-03 05:21 --------- d-----w C:\Documents and Settings\john\Application Data\Lavasoft
2008-01-15 04:41 90,112 ----a-w C:\WINDOWS\DUMP35c5.tmp
2008-01-04 21:59 524,288 ----a-w C:\WINDOWS\system32\DivXsm.exe
2008-01-04 21:58 3,596,288 ----a-w C:\WINDOWS\system32\qt-dx331.dll
2008-01-04 21:58 200,704 ----a-w C:\WINDOWS\system32\ssldivx.dll
2008-01-04 21:58 1,044,480 ----a-w C:\WINDOWS\system32\libdivx.dll
2008-01-04 21:57 823,296 ----a-w C:\WINDOWS\system32\divx_xx0c.dll
2008-01-04 21:57 823,296 ----a-w C:\WINDOWS\system32\divx_xx07.dll
2008-01-04 21:57 81,920 ----a-w C:\WINDOWS\system32\dpl100.dll
2008-01-04 21:57 802,816 ----a-w C:\WINDOWS\system32\divx_xx11.dll
2008-01-04 21:57 682,496 ----a-w C:\WINDOWS\system32\DivX.dll
2008-01-04 21:57 593,920 ----a-w C:\WINDOWS\system32\dpuGUI11.dll
2008-01-04 21:57 57,344 ----a-w C:\WINDOWS\system32\dpv11.dll
2008-01-04 21:57 53,248 ----a-w C:\WINDOWS\system32\dpuGUI10.dll
2008-01-04 21:57 344,064 ----a-w C:\WINDOWS\system32\dpus11.dll
2008-01-04 21:57 294,912 ----a-w C:\WINDOWS\system32\dpu11.dll
2008-01-04 21:57 294,912 ----a-w C:\WINDOWS\system32\dpu10.dll
2008-01-04 21:57 196,608 ----a-w C:\WINDOWS\system32\dtu100.dll
2008-01-04 21:56 156,992 ----a-w C:\WINDOWS\system32\DivXCodecVersionChecker.exe
2008-01-04 21:56 12,288 ----a-w C:\WINDOWS\system32\DivXWMPExtType.dll
2008-01-03 09:37 40 ----a-w C:\Documents and Settings\john\language.dat
2007-12-14 00:32 12,632 ----a-w C:\WINDOWS\system32\lsdelete.exe
2007-12-07 01:07 659,456 ----a-w C:\WINDOWS\system32\wininet.dll
2007-12-04 18:38 550,912 ------w C:\WINDOWS\system32\oleaut32.dll
2001-11-05 05:47 585,475 -c----w C:\Program Files\convert.exe
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"EPSON Stylus C83 Series"="C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S10IC2.exe" [2003-05-27 14:08 99840]
"OM_Monitor"="C:\Program Files\OLYMPUS\OLYMPUS Master\Monitor.exe" [ ]
"updateMgr"="C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" [ ]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 23:00 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SoundMan"="SOUNDMAN.EXE" [2004-06-18 19:31 67584 C:\WINDOWS\SOUNDMAN.EXE]
"NvCplDaemon"="C:\WINDOWS\system32\NvCpl.dll" [2006-10-22 15:22 7700480]
"nwiz"="nwiz.exe" [2006-10-22 15:22 1622016 C:\WINDOWS\system32\nwiz.exe]
"NeroFilterCheck"="C:\WINDOWS\system32\NeroCheck.exe" [2001-07-09 10:50 155648]
"EPSON Stylus C83 Series"="C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S10IC2.exe" [2003-05-27 14:08 99840]
"OmniPage"="C:\Program Files\Caere\OmniPagePro90\opware32.exe" [1998-10-12 18:13 44032]
"IntelliType"="C:\Program Files\Microsoft Hardware\Keyboard\type32.exe" [2002-03-22 15:41 94208]
"POINTER"="point32.exe" []
"Desktop Service Centre"="C:\Program Files\OptusNet DSL Internet\DSC.exe" [2004-09-06 13:50 2125956]
"RemoteControl"="C:\Program Files\CyberLink DVD Solution\PowerDVD\PDVDServ.exe" [2004-06-28 21:29 32768]
"PCSuiteTrayApplication"="C:\PROGRA~1\Nokia\NOKIAP~1\LAUNCH~1.exe" [2006-06-15 13:36 229376]
"TkBellExe"="C:\Program Files\Common Files\Real\Update_OB\realsched.exe" [2006-09-23 12:29 180269]
"SiteAdvisor"="C:\Program Files\SiteAdvisor\6172\SiteAdv.exe" [2006-10-03 06:09 35928]
"Sunkist2k"="C:\Program Files\Multimedia Card Reader\shwicon2k.exe" [2005-10-27 17:01 139264]
"pdfFactory Dispatcher v3"="C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\fppdis3a.exe" [2007-04-20 15:42 503808]
"NvMediaCenter"="C:\WINDOWS\system32\NvMcTray.dll" [2006-10-22 15:22 86016]
"mcagent_exe"="C:\Program Files\McAfee.com\Agent\mcagent.exe" [2007-08-03 22:33 582992]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe" [2008-02-22 04:25 144784]
"Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-01-11 22:16 39792]
"Google Desktop Search"="C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe" [2007-10-24 00:18 29744]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2008-01-31 23:13 385024]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2008-02-19 13:10 267048]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=C:\PROGRA~1\Google\GOOGLE~4\GOEC62~1.DLL

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001
"UpdatesDisableNotify"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\WINDOWS\\system32\\spool\\drivers\\w32x86\\3\\SAGENT4.EXE"=
"C:\\Program Files\\CoreFTP\\coreftp.exe"=
"C:\\Program Files\\Warcraft III\\Warcraft III.exe"=
"C:\\Program Files\\Real\\RealPlayer\\realplay.exe"=
"C:\\Program Files\\LimeWire\\LimeWire.exe"=
"C:\\Program Files\\Microsoft Games\\Links 2003 Demo\\LinksMMIII.exe"=
"C:\\Program Files\\Mozilla Firefox\\firefox.exe"=
"C:\\Program Files\\EA GAMES\\Need for Speed Most Wanted\\speed.exe"=
"C:\\Program Files\\Turbine\\The Lord of the Rings Online\\lotroclient.exe"=
"C:\\Program Files\\Veoh Networks\\Veoh\\VeohClient.exe"=
"C:\\Program Files\\Messenger\\Msmsgs.exe"=
"C:\\Program Files\\Common Files\\McAfee\\MNA\\McNASvc.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"C:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"C:\\Program Files\\Windows Live\\Messenger\\livecall.exe"=
"C:\\Program Files\\iTunes\\iTunes.exe"=

S2 ATTSCAP;AVerMedia, WDM MPEG-2 TS Capture (DVBT);C:\WINDOWS\system32\drivers\attscap.sys [2003-06-24 22:19]
S2 ATVCAP;AVerMedia, DVB-T WDM Video Capture;C:\WINDOWS\system32\drivers\atvcap.sys [2003-06-24 22:22]
S2 ATXBAR;AVerMedia, DVB-T WDM Crossbar;C:\WINDOWS\system32\drivers\ATXBAR.sys [2003-06-24 22:23]
S3 AC2003;AC2003;C:\WINDOWS\system32\Drivers\AC2003.sys [2003-12-10 18:21]
S3 C-Dilla;C-Dilla;C:\WINDOWS\system32\drivers\CDANT.SYS [2001-09-10 19:09]
S3 glauiad;D-Link DSL-302G Modem;C:\WINDOWS\system32\DRIVERS\glauiad.sys [2003-03-07 15:07]
S3 GoogleDesktopManager-093007-112848;Google Desktop Manager 5.5.709.30344;"C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe" [2007-10-24 00:18]

.
Contents of the 'Scheduled Tasks' folder
"2008-01-16 00:08:01 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job"
- C:\Program Files\Apple Software Update\SoftwareUpdate.exe
"2007-04-14 15:00:01 C:\WINDOWS\Tasks\McDefragTask.job"
- C:\WINDOWS\system32\defrag.exe
"2007-12-31 14:00:03 C:\WINDOWS\Tasks\McQcTask.job"
- c:\program files\mcafee\mqc\QcConsol.exe
.
**************************************************************************

catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-03-30 19:43:46
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

HKCU\Software\Microsoft\Windows\CurrentVersion\Run
EPSON Stylus C83 Series = C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S10IC2.EXE /P23 "EPSON Stylus C83 Series" /M "Stylus C83" /EF "HKCU"???????E???N?<??????????????????a?w6????????????????????????????????????b?w????????????????8???????????h??w????????????z??w????????????)??|???????

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2008-03-30 19:44:49
ComboFix-quarantined-files.txt 2008-03-30 08:44:40
Pre-Run: 20,307,570,688 bytes free
Post-Run: 20,294,651,904 bytes free
.
2008-03-23 10:01:44 --- E O F ---

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 7:54:41 PM, on 30/03/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\WINDOWS\system32\DRIVERS\CDANTSRV.EXE
C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
c:\program files\common files\mcafee\mna\mcnasvc.exe
c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
C:\Program Files\McAfee\MPF\MPFSrv.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\PROGRA~1\McAfee.com\Agent\mcagent.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\Program Files\Caere\OmniPagePro90\opware32.exe
C:\Program Files\Microsoft Hardware\Keyboard\type32.exe
C:\Program Files\OptusNet DSL Internet\DSC.exe
C:\WINDOWS\system32\ntvdm.exe
C:\Program Files\CyberLink DVD Solution\PowerDVD\PDVDServ.exe
C:\WINDOWS\system32\rundll32.exe
C:\PROGRA~1\Nokia\NOKIAP~1\LAUNCH~1.EXE
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\SiteAdvisor\6172\SiteAdv.exe
C:\Program Files\Multimedia Card Reader\shwicon2k.exe
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\fppdis3a.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S10IC2.EXE
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Common Files\PCSuite\Services\ServiceLayer.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\system32\wuauclt.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {089FD14D-132B-48FC-8861-0048AE113215} - C:\Program Files\SiteAdvisor\6253\SiteAdv.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O2 - BHO: scriptproxy - {7DB2D5A0-7241-4E79-B68D-6309F01C5231} - C:\Program Files\McAfee\VirusScan\scriptsn.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Catcher Class - {ADECBED6-0366-4377-A739-E69DFBA04663} - C:\Program Files\Moyea\FLV Downloader\MoyeaCth.dll
O3 - Toolbar: McAfee SiteAdvisor - {0BF43445-2F28-4351-9252-17FE6E806AA0} - C:\Program Files\SiteAdvisor\6253\SiteAdv.dll
O3 - Toolbar: Veoh Browser Plug-in - {D0943516-5076-4020-A3B5-AEFAF26AB263} - C:\Program Files\Veoh Networks\Veoh\Plugins\reg\VeohToolbar.dll
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [EPSON Stylus C83 Series] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S10IC2.EXE /P23 "EPSON Stylus C83 Series" /O6 "USB001" /M "Stylus C83"
O4 - HKLM\..\Run: [OmniPage] C:\Program Files\Caere\OmniPagePro90\opware32.exe
O4 - HKLM\..\Run: [IntelliType] "C:\Program Files\Microsoft Hardware\Keyboard\type32.exe"
O4 - HKLM\..\Run: [POINTER] point32.exe
O4 - HKLM\..\Run: [Desktop Service Centre] C:\Program Files\OptusNet DSL Internet\DSC.exe
O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink DVD Solution\PowerDVD\PDVDServ.exe"
O4 - HKLM\..\Run: [PCSuiteTrayApplication] C:\PROGRA~1\Nokia\NOKIAP~1\LAUNCH~1.EXE -startup
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [SiteAdvisor] C:\Program Files\SiteAdvisor\6172\SiteAdv.exe
O4 - HKLM\..\Run: [Sunkist2k] C:\Program Files\Multimedia Card Reader\shwicon2k.exe
O4 - HKLM\..\Run: [pdfFactory Dispatcher v3] "C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\fppdis3a.exe" /source=HKLM
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [mcagent_exe] C:\Program Files\McAfee.com\Agent\mcagent.exe /runkey
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe"
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [Google Desktop Search] "C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe" /startup
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKCU\..\Run: [EPSON Stylus C83 Series] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S10IC2.EXE /P23 "EPSON Stylus C83 Series" /M "Stylus C83" /EF "HKCU"
O4 - HKCU\..\Run: [OM_Monitor] C:\Program Files\OLYMPUS\OLYMPUS Master\Monitor.exe -NoStart
O4 - HKCU\..\Run: [updateMgr] "C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" AcRdB7_0_9 -reboot 1
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra button: EmpirePoker - {77E68763-4284-41d6-B7E7-B6E1F053A9E7} - C:\Program Files\EmpirePoker\EmpirePoker.exe (file missing)
O9 - Extra 'Tools' menuitem: EmpirePoker - {77E68763-4284-41d6-B7E7-B6E1F053A9E7} - C:\Program Files\EmpirePoker\EmpirePoker.exe (file missing)
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: @C:\Program Files\Messenger\Msgslang.dll,-61144 - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: @C:\Program Files\Messenger\Msgslang.dll,-61144 - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/eng/par...an_unicode.cab
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} (McAfee.com Operating System Class) - http://download.mcafee.com/molbin/sh...6/mcinsctl.cab
O16 - DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary...t.cab56907.cab
O20 - AppInit_DLLs: C:\PROGRA~1\Google\GOOGLE~4\GOEC62~1.DLL
O21 - SSODL: E404Helper - {bc576ea5-bcca-4ba1-ae78-16d02d9d1041} - (no file)
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: C-DillaSrv - C-Dilla Ltd - C:\WINDOWS\system32\DRIVERS\CDANTSRV.EXE
O23 - Service: Google Desktop Manager 5.5.709.30344 (GoogleDesktopManager-093007-112848) - Google - C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Macromedia Licensing Service - Macromedia - C:\Program Files\Common Files\Macromedia Shared\Service\Macromedia Licensing.exe
O23 - Service: McAfee Services (mcmscsvc) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
O23 - Service: McAfee Network Agent (McNASvc) - McAfee, Inc. - c:\program files\common files\mcafee\mna\mcnasvc.exe
O23 - Service: McAfee Scanner (McODS) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcods.exe
O23 - Service: McAfee Proxy Service (McProxy) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
O23 - Service: McAfee Real-time Scanner (McShield) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
O23 - Service: McAfee SystemGuards (McSysmon) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
O23 - Service: McAfee Personal Firewall Service (MpfService) - McAfee, Inc. - C:\Program Files\McAfee\MPF\MPFSrv.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - Unknown owner - C:\Program Files\WinPcap\rpcapd.exe (file missing)
O23 - Service: ServiceLayer - Nokia. - C:\Program Files\Common Files\PCSuite\Services\ServiceLayer.exe

--
End of file - 10085 bytes

Ried · 03-30-2008, 07:54 AM

Please copy this page to Notepad and save to your desktop for reference as you will not have any browsers open while you are carrying out portions of these instructions.

It's IMPORTANT to carry out the instructions in the sequence listed below.

***************************************************

Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

---------------------------------------------------------------------

Open notepad and copy/paste the text in the code box below into it:

Code:

http://www.techsupportforum.com/security-center/hijackthis-log-help/233206-annoying-pop-ups-adwarebho.html#post1401945

Collect::
C:\Documents and Settings\jacob\Local Settings\Temp\133588_2744_2744_640.19169.tmp
C:\Documents and Settings\jacob\Local Settings\Temp\133720_2744_2744_4020.19169.tmp
C:\Documents and Settings\jacob\Local Settings\Temp\330260_2744_2744_2352.19169.tmp
C:\Documents and Settings\jacob\Local Settings\Temp\395524_2744_2744_3388.19169.tmp
C:\Documents and Settings\jacob\Local Settings\Temp\67092_2744_2744_2624.19169.tmp

Registry::
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad]
"E404Helper"=-

Save this as CFScript.txt

Refering to the picture above, drag CFScript.txt into ComboFix.exe

When finished, it shall produce a log for you. Post that log in your next reply along with a new HijackThis log.
**Note**
When CF finishes running, the ComboFix log will open along with a message box--do not be alarmed. With the above script, ComboFix will capture files to submit for analysis.

Ensure you are connected to the internet and click OK on the message box.
A browser will open.
Simply follow the instructions to copy/paste/send the requested file.

How is the system behaving now?

**zuluclayman** · 03-31-2008, 12:12 AM

"When CF finishes running, the ComboFix log will open along with a message box--do not be alarmed. With the above script, ComboFix will capture files to submit for analysis.

* Ensure you are connected to the internet and click OK on the message box.
* A browser will open."

this did not happen

please find under the following:
Combo Fix log
HijackThis log

System seems fine. No longer have pop ups from IE. iexplore.exe not running in task manager any more, haven't had any restarts (though this was always pretty random)
Still have some pretty funny dates and instances of program permissions (lots of doubles) in Mcafee (might be a McAfee bug tho' lol)

ComboFix 08-03-30.1 - john 2008-03-31 16:55:59.2 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.589 [GMT 11:00]
Running from: C:\Documents and Settings\john\Desktop\security stuff\ComboFix.exe
Command switches used :: C:\Documents and Settings\john\Desktop\CFScript.txt
* Created a new restore point
.

((((((((((((((((((((((((( Files Created from 2008-02-28 to 2008-03-31 )))))))))))))))))))))))))))))))
.

2008-03-30 10:09 . 2008-03-30 10:09 <DIR> d-------- C:\WINDOWS\system32\Kaspersky Lab
2008-03-30 10:09 . 2008-03-30 10:09 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Kaspersky Lab
2008-03-30 09:40 . 2005-01-07 04:53 <DIR> d-------- C:\Documents and Settings\Administrator\WINDOWS
2008-03-30 09:40 . 2005-01-05 07:50 <DIR> d---s---- C:\Documents and Settings\Administrator\UserData
2008-03-29 20:31 . 2008-03-30 09:51 4,530 --a------ C:\WINDOWS\system32\tmp.reg
2008-03-24 22:02 . 2008-03-24 22:02 <DIR> d-------- C:\Program Files\Trend Micro
2008-03-24 21:35 . 2008-03-24 21:35 <DIR> d-------- C:\Deckard
2008-03-22 23:13 . 2008-03-22 23:13 230 --a------ C:\WINDOWS\system32\spupdsvc.inf
2008-03-22 23:01 . 2004-11-28 21:09 679,936 --a------ C:\WINDOWS\system32\xvidcore.dll
2008-03-22 23:01 . 2008-03-22 23:01 10,240 --ahs---- C:\WINDOWS\system32\Thumbs.db
2008-03-21 23:06 . 2008-03-21 23:07 <DIR> d-------- C:\Program Files\Safari
2008-03-21 23:05 . 2008-03-21 23:05 <DIR> d-------- C:\Program Files\iTunes
2008-03-17 21:51 . 2008-03-17 22:29 <DIR> d-------- C:\WINDOWS\NV676144.TMP
2008-03-17 21:51 . 2007-12-10 14:24 159,458 --a------ C:\WINDOWS\system32\nvapps.nvb
2008-03-07 22:18 . 2008-03-07 22:18 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Azureus
2008-03-07 22:17 . 2008-03-07 22:22 <DIR> d-------- C:\Documents and Settings\john\Application Data\Azureus
2008-03-07 22:16 . 2008-03-07 22:16 <DIR> d-------- C:\Documents and Settings\john\Temp
2008-03-07 21:38 . 2008-03-07 21:38 <DIR> d-------- C:\Program Files\Veoh Networks
2008-03-04 23:20 . 2008-03-04 23:21 <DIR> d-------- C:\Documents and Settings\john\Application Data\Media Player Classic
2008-03-01 13:23 . 2008-03-01 13:23 244 --ah----- C:\sqmnoopt03.sqm
2008-03-01 13:23 . 2008-03-01 13:23 232 --ah----- C:\sqmdata03.sqm
2008-02-28 17:15 . 2007-07-30 19:19 271,224 --a------ C:\WINDOWS\system32\mucltui.dll
2008-02-28 17:15 . 2007-07-30 19:19 207,736 --a------ C:\WINDOWS\system32\muweb.dll
2008-02-28 17:15 . 2007-07-30 19:19 30,072 --a------ C:\WINDOWS\system32\mucltui.dll.mui
2008-02-27 23:01 . 2008-02-29 18:41 <DIR> d-------- C:\Program Files\StuffPlug3
2008-02-27 22:39 . 2008-02-27 22:45 <DIR> d--hsc--- C:\Program Files\Common Files\WindowsLiveInstaller
2008-02-27 22:38 . 2008-02-27 22:45 <DIR> d-------- C:\Program Files\Windows Live
2008-02-27 22:38 . 2008-02-27 22:38 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\WLInstaller
2008-02-15 22:33 . 2008-02-15 22:33 244 --ah----- C:\sqmnoopt01.sqm
2008-02-15 22:33 . 2008-02-15 22:33 232 --ah----- C:\sqmdata01.sqm
2008-02-15 22:33 . 2008-02-15 22:33 172 --ah----- C:\sqmnoopt02.sqm
2008-02-15 22:33 . 2008-02-15 22:33 172 --ah----- C:\sqmdata02.sqm
2008-02-15 22:24 . 2008-02-15 22:24 244 --ah----- C:\sqmnoopt00.sqm
2008-02-15 22:24 . 2008-02-15 22:24 232 --ah----- C:\sqmdata00.sqm
2008-02-12 23:02 . 2008-02-12 23:02 <DIR> d-------- C:\Program Files\Lavalys
2008-02-10 17:30 . 2008-02-10 17:37 <DIR> d-------- C:\Program Files\particleIllusion_3
2008-02-03 16:29 . 2008-02-03 16:29 <DIR> d-------- C:\Program Files\Lavasoft
2008-02-03 16:29 . 2008-02-03 16:30 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Lavasoft
2008-02-03 16:28 . 2008-02-03 16:28 <DIR> d-------- C:\Program Files\Common Files\Wise Installation Wizard
2008-02-02 10:46 . 2008-02-02 11:02 <DIR> d-------- C:\Program Files\Celestia

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-03-31 05:46 --------- d-----w C:\Program Files\Mozilla Thunderbird
2008-03-24 11:06 --------- d-----w C:\Program Files\Java
2008-03-22 12:43 --------- d-----w C:\Documents and Settings\john\Application Data\Canon
2008-03-21 12:19 --------- d-----w C:\Documents and Settings\john\Application Data\Apple Computer
2008-03-21 12:05 --------- d-----w C:\Program Files\iPod
2008-03-21 12:04 --------- d-----w C:\Program Files\QuickTime
2008-03-20 10:53 --------- d-----w C:\Program Files\EA GAMES
2008-03-07 10:39 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-02-21 12:19 --------- d-----w C:\Program Files\Terragen
2008-02-16 03:54 --------- d-----w C:\Program Files\MSN Messenger
2008-02-15 02:40 --------- d-----w C:\Program Files\McAfee
2008-02-06 12:58 --------- d-----w C:\Program Files\Common Files\Adobe
2008-02-03 05:21 --------- d-----w C:\Documents and Settings\john\Application Data\Lavasoft
2008-01-15 04:41 90,112 ----a-w C:\WINDOWS\DUMP35c5.tmp
2008-01-04 21:59 524,288 ----a-w C:\WINDOWS\system32\DivXsm.exe
2008-01-04 21:58 3,596,288 ----a-w C:\WINDOWS\system32\qt-dx331.dll
2008-01-04 21:58 200,704 ----a-w C:\WINDOWS\system32\ssldivx.dll
2008-01-04 21:58 1,044,480 ----a-w C:\WINDOWS\system32\libdivx.dll
2008-01-04 21:57 823,296 ----a-w C:\WINDOWS\system32\divx_xx0c.dll
2008-01-04 21:57 823,296 ----a-w C:\WINDOWS\system32\divx_xx07.dll
2008-01-04 21:57 81,920 ----a-w C:\WINDOWS\system32\dpl100.dll
2008-01-04 21:57 802,816 ----a-w C:\WINDOWS\system32\divx_xx11.dll
2008-01-04 21:57 682,496 ----a-w C:\WINDOWS\system32\DivX.dll
2008-01-04 21:57 593,920 ----a-w C:\WINDOWS\system32\dpuGUI11.dll
2008-01-04 21:57 57,344 ----a-w C:\WINDOWS\system32\dpv11.dll
2008-01-04 21:57 53,248 ----a-w C:\WINDOWS\system32\dpuGUI10.dll
2008-01-04 21:57 344,064 ----a-w C:\WINDOWS\system32\dpus11.dll
2008-01-04 21:57 294,912 ----a-w C:\WINDOWS\system32\dpu11.dll
2008-01-04 21:57 294,912 ----a-w C:\WINDOWS\system32\dpu10.dll
2008-01-04 21:57 196,608 ----a-w C:\WINDOWS\system32\dtu100.dll
2008-01-04 21:56 156,992 ----a-w C:\WINDOWS\system32\DivXCodecVersionChecker.exe
2008-01-04 21:56 12,288 ----a-w C:\WINDOWS\system32\DivXWMPExtType.dll
2008-01-03 09:37 40 ----a-w C:\Documents and Settings\john\language.dat
2007-12-14 00:32 12,632 ----a-w C:\WINDOWS\system32\lsdelete.exe
2007-12-07 01:07 659,456 ----a-w C:\WINDOWS\system32\wininet.dll
2007-12-04 18:38 550,912 ------w C:\WINDOWS\system32\oleaut32.dll
2001-11-05 05:47 585,475 -c----w C:\Program Files\convert.exe
.

((((((((((((((((((((((((((((( snapshot@2008-03-30_19.44.30.68 )))))))))))))))))))))))))))))))))))))))))
.
- 2008-03-30 06:54:52 32,768 -c--a-w C:\WINDOWS\system32\config\systemprofile\Cookies\index.dat
+ 2008-03-31 05:45:40 32,768 -c--a-w C:\WINDOWS\system32\config\systemprofile\Cookies\index.dat
- 2008-03-30 06:54:52 32,768 -c--a-w C:\WINDOWS\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat
+ 2008-03-31 05:45:40 32,768 -c--a-w C:\WINDOWS\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat
- 2008-03-30 06:54:52 32,768 -c--a-w C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\index.dat
+ 2008-03-31 05:45:40 32,768 -c--a-w C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\index.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"EPSON Stylus C83 Series"="C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S10IC2.exe" [2003-05-27 14:08 99840]
"OM_Monitor"="C:\Program Files\OLYMPUS\OLYMPUS Master\Monitor.exe" [ ]
"updateMgr"="C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" [ ]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 23:00 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SoundMan"="SOUNDMAN.EXE" [2004-06-18 19:31 67584 C:\WINDOWS\SOUNDMAN.EXE]
"NvCplDaemon"="C:\WINDOWS\system32\NvCpl.dll" [2006-10-22 15:22 7700480]
"nwiz"="nwiz.exe" [2006-10-22 15:22 1622016 C:\WINDOWS\system32\nwiz.exe]
"NeroFilterCheck"="C:\WINDOWS\system32\NeroCheck.exe" [2001-07-09 10:50 155648]
"EPSON Stylus C83 Series"="C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S10IC2.exe" [2003-05-27 14:08 99840]
"OmniPage"="C:\Program Files\Caere\OmniPagePro90\opware32.exe" [1998-10-12 18:13 44032]
"IntelliType"="C:\Program Files\Microsoft Hardware\Keyboard\type32.exe" [2002-03-22 15:41 94208]
"POINTER"="point32.exe" []
"Desktop Service Centre"="C:\Program Files\OptusNet DSL Internet\DSC.exe" [2004-09-06 13:50 2125956]
"RemoteControl"="C:\Program Files\CyberLink DVD Solution\PowerDVD\PDVDServ.exe" [2004-06-28 21:29 32768]
"PCSuiteTrayApplication"="C:\PROGRA~1\Nokia\NOKIAP~1\LAUNCH~1.exe" [2006-06-15 13:36 229376]
"TkBellExe"="C:\Program Files\Common Files\Real\Update_OB\realsched.exe" [2006-09-23 12:29 180269]
"SiteAdvisor"="C:\Program Files\SiteAdvisor\6172\SiteAdv.exe" [2006-10-03 06:09 35928]
"Sunkist2k"="C:\Program Files\Multimedia Card Reader\shwicon2k.exe" [2005-10-27 17:01 139264]
"pdfFactory Dispatcher v3"="C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\fppdis3a.exe" [2007-04-20 15:42 503808]
"NvMediaCenter"="C:\WINDOWS\system32\NvMcTray.dll" [2006-10-22 15:22 86016]
"mcagent_exe"="C:\Program Files\McAfee.com\Agent\mcagent.exe" [2007-08-03 22:33 582992]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe" [2008-02-22 04:25 144784]
"Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-01-11 22:16 39792]
"Google Desktop Search"="C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe" [2007-10-24 00:18 29744]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2008-01-31 23:13 385024]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2008-02-19 13:10 267048]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=C:\PROGRA~1\Google\GOOGLE~4\GOEC62~1.DLL

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001
"UpdatesDisableNotify"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\WINDOWS\\system32\\spool\\drivers\\w32x86\\3\\SAGENT4.EXE"=
"C:\\Program Files\\CoreFTP\\coreftp.exe"=
"C:\\Program Files\\Warcraft III\\Warcraft III.exe"=
"C:\\Program Files\\Real\\RealPlayer\\realplay.exe"=
"C:\\Program Files\\LimeWire\\LimeWire.exe"=
"C:\\Program Files\\Microsoft Games\\Links 2003 Demo\\LinksMMIII.exe"=
"C:\\Program Files\\Mozilla Firefox\\firefox.exe"=
"C:\\Program Files\\EA GAMES\\Need for Speed Most Wanted\\speed.exe"=
"C:\\Program Files\\Turbine\\The Lord of the Rings Online\\lotroclient.exe"=
"C:\\Program Files\\Veoh Networks\\Veoh\\VeohClient.exe"=
"C:\\Program Files\\Messenger\\Msmsgs.exe"=
"C:\\Program Files\\Common Files\\McAfee\\MNA\\McNASvc.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"C:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"C:\\Program Files\\Windows Live\\Messenger\\livecall.exe"=
"C:\\Program Files\\iTunes\\iTunes.exe"=

S2 ATTSCAP;AVerMedia, WDM MPEG-2 TS Capture (DVBT);C:\WINDOWS\system32\drivers\attscap.sys [2003-06-24 22:19]
S2 ATVCAP;AVerMedia, DVB-T WDM Video Capture;C:\WINDOWS\system32\drivers\atvcap.sys [2003-06-24 22:22]
S2 ATXBAR;AVerMedia, DVB-T WDM Crossbar;C:\WINDOWS\system32\drivers\ATXBAR.sys [2003-06-24 22:23]
S3 AC2003;AC2003;C:\WINDOWS\system32\Drivers\AC2003.sys [2003-12-10 18:21]
S3 C-Dilla;C-Dilla;C:\WINDOWS\system32\drivers\CDANT.SYS [2001-09-10 19:09]
S3 glauiad;D-Link DSL-302G Modem;C:\WINDOWS\system32\DRIVERS\glauiad.sys [2003-03-07 15:07]
S3 GoogleDesktopManager-093007-112848;Google Desktop Manager 5.5.709.30344;"C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe" [2007-10-24 00:18]

*Newly Created Service* - CATCHME
.
Contents of the 'Scheduled Tasks' folder
"2008-01-16 00:08:01 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job"
- C:\Program Files\Apple Software Update\SoftwareUpdate.exe
"2007-04-14 15:00:01 C:\WINDOWS\Tasks\McDefragTask.job"
- C:\WINDOWS\system32\defrag.exe
"2007-12-31 14:00:03 C:\WINDOWS\Tasks\McQcTask.job"
- c:\program files\mcafee\mqc\QcConsol.exe
.
**************************************************************************

catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-03-31 16:59:10
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

HKCU\Software\Microsoft\Windows\CurrentVersion\Run
EPSON Stylus C83 Series = C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S10IC2.EXE /P23 "EPSON Stylus C83 Series" /M "Stylus C83" /EF "HKCU"???????E???N?<??????????????????a?w6????????????????????????????????????b?w????????????????8???????????h??w????????????z??w????????????)??|???????

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

PROCESS: C:\WINDOWS\explorer.exe
-> C:\WINDOWS\system32\nview.dll
-> C:\Program Files\SiteAdvisor\6172\saHook.dll
.
Completion time: 2008-03-31 16:59:52
ComboFix-quarantined-files.txt 2008-03-31 05:59:42
ComboFix2.txt 2008-03-30 08:44:49
Pre-Run: 21,229,174,784 bytes free
Post-Run: 21,216,043,008 bytes free
.
2008-03-23 10:01:44 --- E O F ---

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 5:02:10 PM, on 31/03/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\WINDOWS\system32\DRIVERS\CDANTSRV.EXE
C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
c:\program files\common files\mcafee\mna\mcnasvc.exe
c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
C:\Program Files\McAfee\MPF\MPFSrv.exe
C:\PROGRA~1\McAfee.com\Agent\mcagent.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S10IC2.EXE
C:\Program Files\Caere\OmniPagePro90\opware32.exe
C:\Program Files\Microsoft Hardware\Keyboard\type32.exe
C:\Program Files\OptusNet DSL Internet\DSC.exe
C:\Program Files\CyberLink DVD Solution\PowerDVD\PDVDServ.exe
C:\PROGRA~1\Nokia\NOKIAP~1\LAUNCH~1.EXE
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\SiteAdvisor\6172\SiteAdv.exe
C:\Program Files\Multimedia Card Reader\shwicon2k.exe
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\fppdis3a.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Common Files\PCSuite\Services\ServiceLayer.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\WINDOWS\explorer.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {089FD14D-132B-48FC-8861-0048AE113215} - C:\Program Files\SiteAdvisor\6253\SiteAdv.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O2 - BHO: scriptproxy - {7DB2D5A0-7241-4E79-B68D-6309F01C5231} - C:\Program Files\McAfee\VirusScan\scriptsn.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Catcher Class - {ADECBED6-0366-4377-A739-E69DFBA04663} - C:\Program Files\Moyea\FLV Downloader\MoyeaCth.dll
O3 - Toolbar: McAfee SiteAdvisor - {0BF43445-2F28-4351-9252-17FE6E806AA0} - C:\Program Files\SiteAdvisor\6253\SiteAdv.dll
O3 - Toolbar: Veoh Browser Plug-in - {D0943516-5076-4020-A3B5-AEFAF26AB263} - C:\Program Files\Veoh Networks\Veoh\Plugins\reg\VeohToolbar.dll
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [EPSON Stylus C83 Series] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S10IC2.EXE /P23 "EPSON Stylus C83 Series" /O6 "USB001" /M "Stylus C83"
O4 - HKLM\..\Run: [OmniPage] C:\Program Files\Caere\OmniPagePro90\opware32.exe
O4 - HKLM\..\Run: [IntelliType] "C:\Program Files\Microsoft Hardware\Keyboard\type32.exe"
O4 - HKLM\..\Run: [POINTER] point32.exe
O4 - HKLM\..\Run: [Desktop Service Centre] C:\Program Files\OptusNet DSL Internet\DSC.exe
O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink DVD Solution\PowerDVD\PDVDServ.exe"
O4 - HKLM\..\Run: [PCSuiteTrayApplication] C:\PROGRA~1\Nokia\NOKIAP~1\LAUNCH~1.EXE -startup
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [SiteAdvisor] C:\Program Files\SiteAdvisor\6172\SiteAdv.exe
O4 - HKLM\..\Run: [Sunkist2k] C:\Program Files\Multimedia Card Reader\shwicon2k.exe
O4 - HKLM\..\Run: [pdfFactory Dispatcher v3] "C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\fppdis3a.exe" /source=HKLM
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [mcagent_exe] C:\Program Files\McAfee.com\Agent\mcagent.exe /runkey
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe"
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [Google Desktop Search] "C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe" /startup
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKCU\..\Run: [EPSON Stylus C83 Series] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S10IC2.EXE /P23 "EPSON Stylus C83 Series" /M "Stylus C83" /EF "HKCU"
O4 - HKCU\..\Run: [OM_Monitor] C:\Program Files\OLYMPUS\OLYMPUS Master\Monitor.exe -NoStart
O4 - HKCU\..\Run: [updateMgr] "C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" AcRdB7_0_9 -reboot 1
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra button: EmpirePoker - {77E68763-4284-41d6-B7E7-B6E1F053A9E7} - C:\Program Files\EmpirePoker\EmpirePoker.exe (file missing)
O9 - Extra 'Tools' menuitem: EmpirePoker - {77E68763-4284-41d6-B7E7-B6E1F053A9E7} - C:\Program Files\EmpirePoker\EmpirePoker.exe (file missing)
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: @C:\Program Files\Messenger\Msgslang.dll,-61144 - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: @C:\Program Files\Messenger\Msgslang.dll,-61144 - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/eng/par...an_unicode.cab
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} (McAfee.com Operating System Class) - http://download.mcafee.com/molbin/sh...6/mcinsctl.cab
O16 - DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} - http://messenger.zone.msn.com/binary...t.cab56907.cab
O20 - AppInit_DLLs: C:\PROGRA~1\Google\GOOGLE~4\GOEC62~1.DLL
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: C-DillaSrv - C-Dilla Ltd - C:\WINDOWS\system32\DRIVERS\CDANTSRV.EXE
O23 - Service: Google Desktop Manager 5.5.709.30344 (GoogleDesktopManager-093007-112848) - Google - C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Macromedia Licensing Service - Macromedia - C:\Program Files\Common Files\Macromedia Shared\Service\Macromedia Licensing.exe
O23 - Service: McAfee Services (mcmscsvc) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
O23 - Service: McAfee Network Agent (McNASvc) - McAfee, Inc. - c:\program files\common files\mcafee\mna\mcnasvc.exe
O23 - Service: McAfee Scanner (McODS) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcods.exe
O23 - Service: McAfee Proxy Service (McProxy) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
O23 - Service: McAfee Real-time Scanner (McShield) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
O23 - Service: McAfee SystemGuards (McSysmon) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
O23 - Service: McAfee Personal Firewall Service (MpfService) - McAfee, Inc. - C:\Program Files\McAfee\MPF\MPFSrv.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - Unknown owner - C:\Program Files\WinPcap\rpcapd.exe (file missing)
O23 - Service: ServiceLayer - Nokia. - C:\Program Files\Common Files\PCSuite\Services\ServiceLayer.exe

--
End of file - 9901 bytes

Ried · 04-01-2008, 12:56 AM

Hi,

Quote:

"When CF finishes running, the ComboFix log will open along with a message box--do not be alarmed. With the above script, ComboFix will capture files to submit for analysis.

* Ensure you are connected to the internet and click OK on the message box.
* A browser will open."

this did not happen

That's fine--it means those files were no longer present.

Your logs are clean. If there aren't any more problems, please continue with these final instructions and helpful links:

The following procedure will clear out ComboFix.exe, as well as the backups and quarantines created by the fix. It will also reset your System Restore by flushing out previous restore points (which contain the infections) and create a new restore point.

Click Start > Run and copy/paste, or type the following bolded text into the Run box and click OK:

ComboFix /u

--------------------------------------------------------------------

To help protect your computer in the future I recommend that you get the following free programs if you do not already have them:

McAfee Site Advisor--free version. The folks there check out websites and based on their findings, rate it as Safe, Unknown, Caution, or Bad.

SpywareBlaster 3.5.1 to help prevent spyware from installing in the first place. Install & update SpywareBlaster with the latest definitions. After you have updated, click the button - enable protection for all unprotected items.

It will block any bad ActiveX from running in Internet Explorer and Firefox if it's listed in their database (which you should update frequently). To view their database and list of restricted sites, launch the program and click on each of the tabs on the main display page.

IESpyAD Zoned Out to block access to malicious websites so you cannot be redirected to them from an infected site or email. This severely impairs attempts to infect your system as it basically prevents any downloads (Cookies etc) from the sites listed, although you will still be able to connect to the sites.

Update, and scan with your onboard Anti Malware and Anti Virus programs regularly. Without regular updates you will not be protected when new malicious programs are released.

In light of your recent issue, I'm sure you'd like to avoid any future infections. Please take a look at these well written articles:

PC Safety and Security--What Do I Need?

HOW DID I GET INFECTED IN THE FIRST PLACE? by Tony Klein
MAKING INTERNET EXPLORER SAFER
Understanding and Using Firewalls

**Be very wary with any security software that is advertised in popups or in other ways. They are not only usually of no use, but often have malware in them.

-----------------------------------------------------

Follow the list above and the potential for infection will reduce dramatically.

**Kindly respond one more time and let me know if we may consider this thread resolved.

**zuluclayman** · 04-01-2008, 02:22 AM

Thank you for spending so much of your time to help others (in this case me)

I very much appreciate the help you have given me.
I have McAfee Site Advisor, adAware and SpywareBlaster (oops - hadn't updated for some time

) installed on my machine and regularly use McAfee's cleaner to clean cache, cookies and temp internet files etc.
Probably spent too much time looking for good freeware downloads

I passed all but the cookie tests on the Jason Levine test site you had a link too

so here's hoping no more malware
Now I need to educate my son a little more in the dangers of free surfing

Once again thankyou

and yes you can declare this thread closed

Ried · 04-01-2008, 06:04 AM

You're quite welcome.

Your initially stated that you noticed problems first started after your son installed Messenger. Since you uninstalled it before posting logs here, I'm going to guess that is was Messenger Plus! 3 as this program is known to install one of the malware that was indeed present-- a LOP infection. If the program is a 'must have', simply reinstall it and decline when asked to install the sponsor's software.

Read the installation procedures carefully. When you get to the Sponsor Agreement, SELECT:

’I Refuse to give my support. Install Messenger Plus! without the sponsor'.

You can pass this info on to your son as well--perhaps it will help him better understand the risks. While Limewire is a "safe" P2P program, it is only the program that is safe. When using P2P programs, you're sharing files from uncertified sources, and these are often infected. The bad guys use P2P filesharing as a major conduit to spread their wares.

Good luck, and take care.

03-24-2008, 05:23 AM	#1 (permalink)
zuluclayman Design Team Member Join Date: Dec 2005 Location: Newcastle, Australia Posts: 3,049 OS: Windows Vista Home Premium My System	annoying pop-ups and adwareBHO Hi over the last couple of months I have had the following problems: Mcafee has detected a PuP - Adware BHO - a message from Mcafee comes up every time I attempt to open a folder etc. I read the advisory notes on Mcafee site and did some trawling around the net reading about it and it seemed to be low level threat so I trusted it (mainly to stop the annoying alerts ) I tried to remove it but couldn't (was always in use and changed locations and name of files using it) After this Internet Explorer kept opening up with pop-ups (I use Mozilla as my default browser) every 5 minutes or so! I blocked access for Internet Explorer in Mcafee control panel to stop this (which it did) but Internet Explorer always runs in the background now - I see 2 or more instances of iexplore.exe in Task Manager and when I shut down it asks me to end iexplore.exe. I am sick of this and would like some help in getting rid of AdwareBHO so I can unblock Internet Explorer without having annoying pop-ups! I read that AdwareBHO may have come with Messenger Plus which my son installed - I have since uninstalled this and won't have it back on my comp. Next post (lol this one is a novella sorry) has my Hijack This log

03-28-2008, 05:07 PM	#3 (permalink)
zuluclayman Design Team Member Join Date: Dec 2005 Location: Newcastle, Australia Posts: 3,049 OS: Windows Vista Home Premium My System	Re: annoying pop-ups and adwareBHO Further to the above - computer beginning to restart itself, sometimes during session, sometimes at startup - gets to user logon screen then restarts. If I send the error report it comes back saying it was a stop error caused by driver problem. Last night comp wouldn't turn off - kept wanting me to end program for iexplore.exe but when I would "end now" it would just come back up with another instance of end program for iexplore. HELP PLEASE!!!

03-28-2008, 10:54 PM	#4 (permalink)
zuluclayman Design Team Member Join Date: Dec 2005 Location: Newcastle, Australia Posts: 3,049 OS: Windows Vista Home Premium My System	Re: annoying pop-ups and adwareBHO Bump Last edited by zuluclayman; 03-28-2008 at 11:20 PM.

03-28-2008, 11:57 PM	#5 (permalink)
Ried Assistant Manager, TSF Academy; Moderator/Analyst Security Team Join Date: Jan 2005 Location: Ohio Posts: 26,884 OS: WinXP and Vista	Re: annoying pop-ups and adwareBHO Hello zuluclayman and welcome, Please copy this page to Notepad and save to your desktop for reference as you will not have any browsers open while you are carrying out portions of these instructions. Also be sure to carry out the instructions in the sequence listed below. ************************************************* Please download SmitfraudFix (by S!Ri) to your Desktop. -------------------------------------------------------------------- Close any open browsers. -------------------------------------------------------------------- Open HijackThis and click on 'Do a System Scan Only'. 'Check' the following entries: O4 - HKLM\..\Run: [part chin math idol] C:\Documents and Settings\All Users\Application Data\That size part chin\media two.exe O9 - Extra button: (no name) - {9034A523-D068-4BE8-A284-9DF278BE776E} - http://www.topsoftwarefeed.com/redirect.php (file missing) O9 - Extra 'Tools' menuitem: IE Anti-Spyware - {9034A523-D068-4BE8-A284-9DF278BE776E} - http://www.topsoftwarefeed.com/redirect.php (file missing) O21 - SSODL: E404Helper - {bc576ea5-bcca-4ba1-ae78-16d02d9d1041} - e404d.dll (file missing) O22 - SharedTaskScheduler: edgers - {d66c22b6-2217-4d1a-9a90-1a54de1fc706} - (no file) Click 'Fix Checked' and close HijackThis. -------------------------------------------------------------------- Using 'My Computer', navigate to and delete the following Folder C:\Documents and Settings\All Users\Application Data\That size part chin -------------------------------------------------------------------- Reboot your system. -------------------------------------------------------------------- Double-click smitfraudfix.exe to start the tool. Select option #1 - Search by typing 1 and press "Enter" A text file will appear which lists infected files (if present). Please copy/paste the content of that report into your next reply. IMPORTANT: Do NOT run option #2 OR any other option until you are directed to do so -------------------------------------------------------------------- Download fl.zip Extract the contents of the fl.zip to a new folder on Desktop. Within the folder, locate & double-click fl.bat. It should produce a report at c:\findlop.txt. ---------------------------------------------------------------------- Run a new scan with HijackThis.exe** and save the log. ---------------------------------------------------------------------- Please include the following in your next reply: C:\findlop.txt SmitfraudFix report New HijackThis log extra.txt (see note below) When you first ran dss.exe, it should have produced and extra.txt. You'll find it located at C:\Deckard\System Scanner __________________ Member of ASAP since 2005 Member of UNITE since 2006 "It is one life whether we spend it laughing or weeping." "Take the time to laugh--it is the music of the soul."

03-29-2008, 10:03 AM	#7 (permalink)
Ried Assistant Manager, TSF Academy; Moderator/Analyst Security Team Join Date: Jan 2005 Location: Ohio Posts: 26,884 OS: WinXP and Vista	Re: annoying pop-ups and adwareBHO You're welcome, zuluclayman. As before, please copy this page to Notepad and save to your desktop for reference as you will not have any browsers open while you are carrying out these instructions. It is IMPORTANT that you don't miss a step & perform everything in the correct order/sequence. ************************************************* Please reboot your computer in Safe Mode by doing the following: 1) Restart your computer 2) After hearing your computer beep once during startup, but before the Windows icon appears, press F8. 3) Instead of Windows loading as normal, a menu should appear 4) Use the up arrow key to highlight Safe Mode and press Enter. 5) Login with your usual account. Make sure to close any open browsers. -------------------------------------------------------------------- Run a scan with HijackThis and 'check' the following entry: O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file) Click 'Fix Checked' and close HijackThis. -------------------------------------------------------------------- Using 'My Computer', navigate to and delete the following folders: C:\Documents and Settings\jacob\Application Data\HOLEBYTEACID C:\Documents and Settings\john\Application Data\HOLEBYTEACID -------------------------------------------------------------------- Open Notepad and copy and paste the content of the code box in it: Code: C:\ cd C:\Windows\Tasks attrib -r -s -h B0FC56F796A7CA4F.job del B0FC56F796A7CA4F.job Save this Notepad file as remjobs.bat** , choose to save as all files and place it on your desktop. It should look like this: Doubleclick on remjobs.bat. A doswindow will open and close again, this is normal. -------------------------------------------------------------------- Double-click on SmitfraudFix.exe* to start the tool. Select option #2 - Clean by typing 2 and press Enter. Wait for the tool to complete and disk cleanup to finish. You will be prompted : " Registry cleaning - Do you want to clean the registry?" answer Yes by typing Y and hit Enter. The tool will also check if wininet.dll is infected. If a clean version is found, you will be prompted to replace wininet.dll. Answer Yes to the question " Replace infected file?" by typing Y and hit Enter. A reboot may be needed to finish the cleaning process, if you computer does not restart automatically please do it yourself manually. Reboot into Normal Mode. The tool will create a log named rapport.txt in the root of your drive, eg: Local Disk C: (C:\rapport.txt) or partition where your operating system is installed. Please post that log along with all others requested in your next reply. -------------------------------------------------------------------- Next go to Control Panel click Display>Desktop>Customize Desktop>Web> Now, Uncheck everything and delete everything except 'My Current Home Page' Also make sure the 'Lock desktop items' box is unticked. Click OK, and then Click Apply, then OK. -------------------------------------------------------------------- Empty the Recycle Bin by right-clicking the Recycle Bin icon on your Desktop, and then clicking Empty Recycle Bin. -------------------------------------------------------------------- Double-click on SmitfraudFix.exe to start the tool. Select option #3 - Delete Trusted zone by typing 3 and press Enter Answer Yes to the question "Restore Trusted Zone ?" by typing Y and hit Enter. Note If you use SpywareBlaster and/or IE-SPYAD, it will be necessary to re-install the protection both afford. For SpywareBlaster, run the program and re-protect all items. For IE-SPYAD, run the batch file and reinstall the protection. -------------------------------------------------------------------- Please run this online scan to search for any remnants. It can take some time, so please be patient and allow it to run it's full course: Using Internet Explorer, visit http://www.kaspersky.com/kos/eng/par...avwebscan.html Answer Yes, when prompted to install an ActiveX component. The program will then begin downloading the latest definition files. Once the files have been downloaded click on NEXT Locate the Scan Settings button & configure to: Scan using the following Anti-Virus database: Extended Scan Options: Scan Archives Scan Mail Bases Click OK & have it scan My Computer Once the scan is complete, it will display if your system has been infected. It does not provide an option to clean/disinfect. We only require a report from it. Click the Save as Text button to save the file to your desktop so that you may post it in your next reply * Turn off the real time scanner of any existing antivirus program while performing the online scan --------------------------------------------------------------- Then post the following logs in your next reply... c:\rapport.txt Kaspersky results New Hijackthis log __________________ Member of ASAP since 2005 Member of UNITE since 2006 "It is one life whether we spend it laughing or weeping." "Take the time to laugh--it is the music of the soul."

03-29-2008, 11:41 PM	#10 (permalink)
Ried Assistant Manager, TSF Academy; Moderator/Analyst Security Team Join Date: Jan 2005 Location: Ohio Posts: 26,884 OS: WinXP and Vista	Re: annoying pop-ups and adwareBHO Let's see what McAfee shows when we're through here. Download ComboFix.exe. Please visit this webpage for download links, and instructions for running the tool: http://www.bleepingcomputer.com/comb...o-use-combofix Please ensure you read this guide carefully and install the Recovery Console first. The Windows Recovery Console will allow you to boot up into a special recovery (repair) mode. This allows us to more easily help should your computer have a problem after an attempted removal of malware. When the tool is finished, it will produce a report for you. Please post the C:\ComboFix.txt along with a new HijackThis log so we may continue cleaning the system. __________________ Member of ASAP since 2005 Member of UNITE since 2006 "It is one life whether we spend it laughing or weeping." "Take the time to laugh--it is the music of the soul."

03-30-2008, 07:54 AM	#12 (permalink)
Ried Assistant Manager, TSF Academy; Moderator/Analyst Security Team Join Date: Jan 2005 Location: Ohio Posts: 26,884 OS: WinXP and Vista	Re: annoying pop-ups and adwareBHO Please copy this page to Notepad and save to your desktop for reference as you will not have any browsers open while you are carrying out portions of these instructions. It's IMPORTANT to carry out the instructions in the sequence listed below. ************************************************* Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix. --------------------------------------------------------------------- Open notepad and copy/paste the text in the code box below into it: Code: http://www.techsupportforum.com/security-center/hijackthis-log-help/233206-annoying-pop-ups-adwarebho.html#post1401945 Collect:: C:\Documents and Settings\jacob\Local Settings\Temp\133588_2744_2744_640.19169.tmp C:\Documents and Settings\jacob\Local Settings\Temp\133720_2744_2744_4020.19169.tmp C:\Documents and Settings\jacob\Local Settings\Temp\330260_2744_2744_2352.19169.tmp C:\Documents and Settings\jacob\Local Settings\Temp\395524_2744_2744_3388.19169.tmp C:\Documents and Settings\jacob\Local Settings\Temp\67092_2744_2744_2624.19169.tmp Registry:: [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad] "E404Helper"=- Save this as CFScript.txt Refering to the picture above, drag CFScript.txt into ComboFix.exe When finished, it shall produce a log for you. Post that log in your next reply along with a new HijackThis log. Note** When CF finishes running, the ComboFix log will open along with a message box--do not be alarmed. With the above script, ComboFix will capture files to submit for analysis. Ensure you are connected to the internet and click OK on the message box. A browser will open. Simply follow the instructions to copy/paste/send the requested file. How is the system behaving now? __________________ Member of ASAP since 2005 Member of UNITE since 2006 "It is one life whether we spend it laughing or weeping." "Take the time to laugh--it is the music of the soul."

04-01-2008, 02:22 AM	#15 (permalink)
zuluclayman Design Team Member Join Date: Dec 2005 Location: Newcastle, Australia Posts: 3,049 OS: Windows Vista Home Premium My System	Re: annoying pop-ups and adwareBHO Thank you for spending so much of your time to help others (in this case me) I very much appreciate the help you have given me. I have McAfee Site Advisor, adAware and SpywareBlaster (oops - hadn't updated for some time) installed on my machine and regularly use McAfee's cleaner to clean cache, cookies and temp internet files etc. Probably spent too much time looking for good freeware downloads I passed all but the cookie tests on the Jason Levine test site you had a link too so here's hoping no more malware Now I need to educate my son a little more in the dangers of free surfing Once again thankyou and yes you can declare this thread closed

04-01-2008, 06:04 AM	#16 (permalink)
Ried Assistant Manager, TSF Academy; Moderator/Analyst Security Team Join Date: Jan 2005 Location: Ohio Posts: 26,884 OS: WinXP and Vista	Re: annoying pop-ups and adwareBHO You're quite welcome. Your initially stated that you noticed problems first started after your son installed Messenger. Since you uninstalled it before posting logs here, I'm going to guess that is was Messenger Plus! 3 as this program is known to install one of the malware that was indeed present-- a LOP infection. If the program is a 'must have', simply reinstall it and decline when asked to install the sponsor's software. Read the installation procedures carefully. When you get to the Sponsor Agreement, SELECT: ’I Refuse to give my support. Install Messenger Plus! without the sponsor'. You can pass this info on to your son as well--perhaps it will help him better understand the risks. While Limewire is a "safe" P2P program, it is only the program that is safe. When using P2P programs, you're sharing files from uncertified sources, and these are often infected. The bad guys use P2P filesharing as a major conduit to spread their wares. Good luck, and take care. __________________ Member of ASAP since 2005 Member of UNITE since 2006 "It is one life whether we spend it laughing or weeping." "Take the time to laugh--it is the music of the soul."