maware and trojans

tomwall64 · 06-15-2008, 02:11 PM

my computer says i have alot of trojans and cookie trackers or whatever because i keep getring alot of popups. also i have this one security program that i never downloaded and its anoying me because it keeps telling me to buy a license and it give me a warning (it directs me to a different page) everytime i go on the internet, and since i have avg and this security program (winsywareprotect) my computer is very slow. i dont know how to get rid of it because its not on my progams list when i try to uninstall it. i looked at the thread to remove the programs that give me popups (which i did) but i still get them. i also downloaded hijackthis and did a scan so here is the scan log.

Logfile of HijackThis v1.99.1
Scan saved at 4:35:04 PM, on 6/15/2008
Platform: Unknown Windows (WinNT 6.00.1904)
MSIE: Internet Explorer v7.00 (7.00.6000.16681)

Running processes:
C:\Windows\system32\Dwm.exe
C:\Windows\system32\taskeng.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\WINDOWS\System32\rundll32.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\AVG\AVG8\avgtray.exe
C:\Program Files\AIM6\aim6.exe
C:\Program Files\Windows Live\Messenger\msnmsgr.exe
C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe
C:\WINDOWS\System32\rundll32.exe
C:\WINDOWS\System32\rundll32.exe
C:\ProgramData\Adsl Software Limited\WinSpywareProtect\WinSpywareProtect.exe
C:\Program Files\Xfire\xfire.exe
C:\Program Files\AIM6\aolsoftware.exe
C:\Program Files\Internet Explorer\ieuser.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\PROGRA~1\AVG\AVG8\aAvgApi.exe
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLLoginProxy.exe
C:\Windows\explorer.exe
C:\Windows\system32\Macromed\Flash\FlashUtil9f.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\WinRAR\WinRAR.exe
C:\Users\TOM~1.HOU\AppData\Local\Temp\Rar$EX00.937\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.gateway.com/g/startpage.h...ys=DTP&M=T3604
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.comcast.net/
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.comcast.net/toolbar2.0/search/
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Windows Internet Explorer provided by Comcast
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = :0
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O1 - Hosts: ::1 localhost
O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - (no file)
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: CenterLock module - {18CB1A7B-94CD-4582-8022-ADA16851E44B} - (no file)
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG8\avgssie.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0\bin\ssv.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: AVGTOOLBAR - {A057A204-BACC-4D26-9990-79A187E2698E} - C:\PROGRA~1\AVG\AVG8\AVGTOO~1.DLL
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: (no name) - {0BF43445-2F28-4351-9252-17FE6E806AA0} - (no file)
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: AVGTOOLBAR - {A057A204-BACC-4D26-9990-79A187E2698E} - C:\PROGRA~1\AVG\AVG8\AVGTOO~1.DLL
O3 - Toolbar: Veoh Browser Plug-in - {D0943516-5076-4020-A3B5-AEFAF26AB263} - C:\Program Files\Veoh Networks\Veoh\Plugins\reg\VeohToolbar.dll
O4 - HKLM\..\Run: [Windows Defender] %ProgramFiles%\Windows Defender\MSASCui.exe -hide
O4 - HKLM\..\Run: [IgfxTray] C:\Windows\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\Windows\system32\hkcmd.exe
O4 - HKLM\..\Run: [Persistence] C:\Windows\system32\igfxpers.exe
O4 - HKLM\..\Run: [SigmatelSysTrayApp] sttray.exe
O4 - HKLM\..\Run: [BigFix] c:\program files\Bigfix\bigfix.exe /atstartup
O4 - HKLM\..\Run: [DmwClient] "dmwclient.exe"
O4 - HKLM\..\Run: [NvSvc] RUNDLL32.EXE C:\Windows\system32\nvsvc.dll,nvsvcStart
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\Windows\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\Windows\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe
O4 - HKCU\..\Run: [Aim6] "C:\Program Files\AIM6\aim6.exe" /d locale=en-US ee://aol/imApp
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\Windows Live\Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [Veoh] "C:\Program Files\Veoh Networks\Veoh\VeohClient.exe" /VeohHide
O4 - HKCU\..\Run: [MSServer] rundll32.exe C:\Users\TOM~1.HOU\AppData\Local\Temp\awttsqRL.dll,#1
O4 - HKCU\..\Run: [b0261bf0] rundll32.exe "C:\Users\TOM~1.HOU\AppData\Local\Temp\vwsmeapp.dll",b
O4 - HKCU\..\Run: [BMb315286c] Rundll32.exe "C:\Users\TOM~1.HOU\AppData\Local\Temp\usjflepv.dll",s
O4 - HKCU\..\Run: [WinSpywareProtect] "C:\ProgramData\Adsl Software Limited\WinSpywareProtect\WinSpywareProtect.exe" /autorun
O4 - Startup: Xfire.lnk = C:\Program Files\Xfire\xfire.exe
O4 - Global Startup: BigFix.lnk = C:\Program Files\BigFix\bigfix.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0\bin\npjpi160.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0\bin\npjpi160.dll
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
O10 - Unknown file in Winsock LSP: c:\windows\system32\nlaapi.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\napinsp.dll
O10 - Unknown file in Winsock LSP: c:\program files\bonjour\mdnsnsp.dll
O11 - Options group: [INTERNATIONAL] International*
O13 - Gopher Prefix:
O15 - Trusted Zone: *.line6.net
O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://appldnld.apple.com.edgesuite....x/qtplugin.cab
O16 - DPF: {CF40ACC5-E1BB-4AFF-AC72-04C2F616BCA7} (get_atlcom Class) - http://www.adobe.com/products/acrobat/nos/gp.cab
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\WI1F86~1\MESSEN~1\MSGRAP~1.DLL
O18 - Protocol: ms-help - {314111C7-A502-11D2-BBCA-00C04F8EC294} - C:\Program Files\Common Files\Microsoft Shared\Help\hxds.dll
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\WI1F86~1\MESSEN~1\MSGRAP~1.DLL
O18 - Protocol: wlmailhtml - {03C514A3-1EFB-4856-9F99-10D7BE1653C0} - C:\Program Files\Windows Live\Mail\mailcomm.dll
O18 - Filter hijack: text/xml - {807563E5-5146-11D5-A672-00B0D022E945} - C:\PROGRA~1\COMMON~1\MICROS~1\OFFICE12\MSOXMLMF.DLL
O20 - AppInit_DLLs: avgrsstx.dll
O20 - Winlogon Notify: igfxcui - C:\Windows\SYSTEM32\igfxdev.dll
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: AVG8 E-mail Scanner (avg8emc) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgemc.exe
O23 - Service: AVG8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: PnkBstrA - Unknown owner - C:\Windows\system32\PnkBstrA.exe
O23 - Service: @%SystemRoot%\system32\qwave.dll,-1 (QWAVE) - Unknown owner - %windir%\system32\svchost.exe (file missing)
O23 - Service: @%SystemRoot%\system32\seclogon.dll,-7001 (seclogon) - Unknown owner - %windir%\system32\svchost.exe (file missing)
O23 - Service: SigmaTel Audio Service (STacSV) - SigmaTel, Inc. - C:\Program Files\SigmaTel\C-Major Audio\WDM\STacSV.exe
O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exe
O23 - Service: @%ProgramFiles%\Windows Media Player\wmpnetwk.exe,-101 (WMPNetworkSvc) - Unknown owner - %ProgramFiles%\Windows Media Player\wmpnetwk.exe (file missing)
O23 - Service: XAudioService - Conexant Systems, Inc. - C:\Windows\system32\DRIVERS\xaudio.exe

Moderators Message

Please be considerate of the fact that the people helping you are all volunteers, and in many cases usually have a job, and a limited amount of time to help, and therefore can only do so much. If no one has replied to your thread within 72hrs after you posted, please reply in your thread with the words BUMP, please to move it forward.

DO NOT Bump the thread unless 72 hours has passed. We work from oldest to newest posts so your wait will be longer if you bump it forward before the 72 hours is up. We look for 0 reply, or 1 reply threads to respond to.

Early bump posts will be deleted.

tomwall64 · 06-16-2008, 01:09 PM

i keep getting popups but my computer is not blocking them, i have my popup blocker on and the settings are set to high but nothing. also when i do a scan on AVG i have alot of warnings for tracking cookies. heres my scanlog.

Logfile of HijackThis v1.99.1
Scan saved at 4:07:35 PM, on 6/16/2008
Platform: Unknown Windows (WinNT 6.00.1904)
MSIE: Internet Explorer v7.00 (7.00.6000.16681)

Running processes:
C:\Windows\system32\Dwm.exe
C:\Windows\system32\taskeng.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\WINDOWS\System32\rundll32.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\AVG\AVG8\avgtray.exe
C:\Program Files\AIM6\aim6.exe
C:\Program Files\Windows Live\Messenger\msnmsgr.exe
C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe
C:\WINDOWS\System32\rundll32.exe
C:\WINDOWS\System32\rundll32.exe
C:\Program Files\Xfire\xfire.exe
C:\Program Files\AIM6\aolsoftware.exe
C:\Program Files\AVG\AVG8\avgui.exe
C:\Windows\explorer.exe
C:\Program Files\Internet Explorer\ieuser.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\PROGRA~1\AVG\AVG8\aAvgApi.exe
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLLoginProxy.exe
C:\Users\Tom.House-PC\Desktop\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.gateway.com/g/startpage.h...ys=DTP&M=T3604
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.comcast.net/
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.comcast.net/toolbar2.0/search/
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Windows Internet Explorer provided by Comcast
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = :0
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O1 - Hosts: ::1 localhost
O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - (no file)
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: CenterLock module - {18CB1A7B-94CD-4582-8022-ADA16851E44B} - (no file)
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG8\avgssie.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0\bin\ssv.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: AVGTOOLBAR - {A057A204-BACC-4D26-9990-79A187E2698E} - C:\PROGRA~1\AVG\AVG8\AVGTOO~1.DLL
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: (no name) - {0BF43445-2F28-4351-9252-17FE6E806AA0} - (no file)
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: AVGTOOLBAR - {A057A204-BACC-4D26-9990-79A187E2698E} - C:\PROGRA~1\AVG\AVG8\AVGTOO~1.DLL
O3 - Toolbar: Veoh Browser Plug-in - {D0943516-5076-4020-A3B5-AEFAF26AB263} - C:\Program Files\Veoh Networks\Veoh\Plugins\reg\VeohToolbar.dll
O4 - HKLM\..\Run: [Windows Defender] %ProgramFiles%\Windows Defender\MSASCui.exe -hide
O4 - HKLM\..\Run: [IgfxTray] C:\Windows\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\Windows\system32\hkcmd.exe
O4 - HKLM\..\Run: [Persistence] C:\Windows\system32\igfxpers.exe
O4 - HKLM\..\Run: [SigmatelSysTrayApp] sttray.exe
O4 - HKLM\..\Run: [BigFix] c:\program files\Bigfix\bigfix.exe /atstartup
O4 - HKLM\..\Run: [DmwClient] "dmwclient.exe"
O4 - HKLM\..\Run: [NvSvc] RUNDLL32.EXE C:\Windows\system32\nvsvc.dll,nvsvcStart
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\Windows\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\Windows\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe
O4 - HKCU\..\Run: [Aim6] "C:\Program Files\AIM6\aim6.exe" /d locale=en-US ee://aol/imApp
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\Windows Live\Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [Veoh] "C:\Program Files\Veoh Networks\Veoh\VeohClient.exe" /VeohHide
O4 - HKCU\..\Run: [MSServer] rundll32.exe C:\Users\TOM~1.HOU\AppData\Local\Temp\awttsqRL.dll,#1
O4 - HKCU\..\Run: [b0261bf0] rundll32.exe "C:\Users\TOM~1.HOU\AppData\Local\Temp\vwsmeapp.dll",b
O4 - HKCU\..\Run: [BMb315286c] Rundll32.exe "C:\Users\TOM~1.HOU\AppData\Local\Temp\usjflepv.dll",s
O4 - Startup: Xfire.lnk = C:\Program Files\Xfire\xfire.exe
O4 - Global Startup: BigFix.lnk = C:\Program Files\BigFix\bigfix.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0\bin\npjpi160.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0\bin\npjpi160.dll
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
O10 - Unknown file in Winsock LSP: c:\windows\system32\nlaapi.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\napinsp.dll
O10 - Unknown file in Winsock LSP: c:\program files\bonjour\mdnsnsp.dll
O11 - Options group: [INTERNATIONAL] International*
O13 - Gopher Prefix:
O15 - Trusted Zone: *.line6.net
O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://appldnld.apple.com.edgesuite....x/qtplugin.cab
O16 - DPF: {CF40ACC5-E1BB-4AFF-AC72-04C2F616BCA7} (get_atlcom Class) - http://www.adobe.com/products/acrobat/nos/gp.cab
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\WI1F86~1\MESSEN~1\MSGRAP~1.DLL
O18 - Protocol: ms-help - {314111C7-A502-11D2-BBCA-00C04F8EC294} - C:\Program Files\Common Files\Microsoft Shared\Help\hxds.dll
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\WI1F86~1\MESSEN~1\MSGRAP~1.DLL
O18 - Protocol: wlmailhtml - {03C514A3-1EFB-4856-9F99-10D7BE1653C0} - C:\Program Files\Windows Live\Mail\mailcomm.dll
O18 - Filter hijack: text/xml - {807563E5-5146-11D5-A672-00B0D022E945} - C:\PROGRA~1\COMMON~1\MICROS~1\OFFICE12\MSOXMLMF.DLL
O20 - AppInit_DLLs: avgrsstx.dll
O20 - Winlogon Notify: igfxcui - C:\Windows\SYSTEM32\igfxdev.dll
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: AVG8 E-mail Scanner (avg8emc) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgemc.exe
O23 - Service: AVG8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: PnkBstrA - Unknown owner - C:\Windows\system32\PnkBstrA.exe
O23 - Service: @%SystemRoot%\system32\qwave.dll,-1 (QWAVE) - Unknown owner - %windir%\system32\svchost.exe (file missing)
O23 - Service: @%SystemRoot%\system32\seclogon.dll,-7001 (seclogon) - Unknown owner - %windir%\system32\svchost.exe (file missing)
O23 - Service: SigmaTel Audio Service (STacSV) - SigmaTel, Inc. - C:\Program Files\SigmaTel\C-Major Audio\WDM\STacSV.exe
O23 - Service: @%ProgramFiles%\Windows Media Player\wmpnetwk.exe,-101 (WMPNetworkSvc) - Unknown owner - %ProgramFiles%\Windows Media Player\wmpnetwk.exe (file missing)
O23 - Service: XAudioService - Conexant Systems, Inc. - C:\Windows\system32\DRIVERS\xaudio.exe

plz help me!

tetonbob · 06-19-2008, 09:35 AM

Hello and Welcome.

Please subscribe to this thread to get immediate notification of replies as soon as they are posted. To do this click Thread Tools, then click Subscribe to this Thread. Make sure it is set to Instant Notification, then click Subscribe.

We want all our members to perform the steps outlined in the link I'll give you below, before posting for assistance. There's a sticky at the top of this forum, and a

Quote:

Having problems with spyware and pop-ups? First Steps

link at the top of each page.
---------------------------------------------------------------------------------------------

You are using an outdated version of HijackThis. Please uninstall from Add/Remove programs, and delete your current version.

Next, download HijackThis to your desktop

Alternate link

Double-click on the file you just downloaded.
Click on the "Unzip" button to install. It will by default install to the directory - C:\Program Files\Trend Micro\HijackThis

Upon install, HijackThis should open for you.

When it does, just close it, please. Next....
---------------------------------------------------------------------------------------------

Please follow our 5 Step process outlined here:

http://www.techsupportforum.com/secu...oval-help.html

After running through all the steps, please post the requested logs.

If you have trouble with one of the steps, simply move on to the next one, and make note of it in your reply.

tomwall64 · 06-21-2008, 06:32 AM

here is my log from dss, i suppose it has the log for hijackthis as well. (extra.txt is attached) thank you for helping me.

Deckard's System Scanner v20071014.68
Run by Tom on 2008-06-21 08:43:51
Computer is in Normal Mode.
--------------------------------------------------------------------------------

-- Last 5 Restore Point(s) --
12: 2008-06-21 12:37:11 UTC - RP33 - Windows Update
11: 2008-06-21 12:25:47 UTC - RP32 - Windows Update
10: 2008-06-21 04:00:04 UTC - RP31 - Scheduled Checkpoint
9: 2008-06-20 06:28:57 UTC - RP30 - Windows Update
8: 2008-06-18 22:10:40 UTC - RP29 - Windows Defender Checkpoint

-- First Restore Point --
1: 2008-06-13 03:11:13 UTC - RP21 - Windows Backup

Backed up registry hives.
Performed disk cleanup.

Percentage of Memory in Use: 79% (more than 75%).
Total Physical Memory: 1021 MiB (1024 MiB recommended).

-- HijackThis (run as Tom.exe) -------------------------------------------------

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 8:50:33 AM, on 6/21/2008
Platform: Windows Vista (WinNT 6.00.1904)
MSIE: Internet Explorer v7.00 (7.00.6000.16681)
Boot mode: Normal

Running processes:
C:\Windows\system32\Dwm.exe
C:\Windows\system32\taskeng.exe
C:\Windows\Explorer.EXE
C:\Windows\system32\taskeng.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\WINDOWS\System32\rundll32.exe
C:\WINDOWS\System32\rundll32.exe
C:\Program Files\AVG\AVG8\avgtray.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\AIM6\aim6.exe
C:\Program Files\Windows Live\Messenger\msnmsgr.exe
C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe
C:\Program Files\Xfire\xfire.exe
C:\Program Files\AIM6\aolsoftware.exe
C:\Program Files\Xfire\xfire.exe
C:\Program Files\Common Files\AOL\Loader\aolload.exe
C:\Windows\system32\wuauclt.exe
C:\Users\Tom.House-PC\Downloads\dss.exe
C:\PROGRA~1\TRENDM~1\HIJACK~1\Tom.exe
C:\Windows\system32\SearchFilterHost.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.gateway.com/g/startpage.h...ys=DTP&M=T3604
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.comcast.net/
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.gateway.com/g/sidepanel.h...ys=DTP&M=T3604
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Windows Internet Explorer provided by Comcast
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = :0
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O1 - Hosts: ::1 localhost
O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - (no file)
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: CenterLock module - {18CB1A7B-94CD-4582-8022-ADA16851E44B} - (no file)
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG8\avgssie.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0\bin\ssv.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: AVGTOOLBAR - {A057A204-BACC-4D26-9990-79A187E2698E} - C:\PROGRA~1\AVG\AVG8\AVGTOO~1.DLL
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: (no name) - {0BF43445-2F28-4351-9252-17FE6E806AA0} - (no file)
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: Veoh Browser Plug-in - {D0943516-5076-4020-A3B5-AEFAF26AB263} - C:\Program Files\Veoh Networks\Veoh\Plugins\reg\VeohToolbar.dll
O3 - Toolbar: AVGTOOLBAR - {A057A204-BACC-4D26-9990-79A187E2698E} - C:\PROGRA~1\AVG\AVG8\AVGTOO~1.DLL
O4 - HKLM\..\Run: [Windows Defender] %ProgramFiles%\Windows Defender\MSASCui.exe -hide
O4 - HKLM\..\Run: [IgfxTray] C:\Windows\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\Windows\system32\hkcmd.exe
O4 - HKLM\..\Run: [Persistence] C:\Windows\system32\igfxpers.exe
O4 - HKLM\..\Run: [SigmatelSysTrayApp] sttray.exe
O4 - HKLM\..\Run: [BigFix] c:\program files\Bigfix\bigfix.exe /atstartup
O4 - HKLM\..\Run: [DmwClient] "dmwclient.exe"
O4 - HKLM\..\Run: [NvSvc] RUNDLL32.EXE C:\Windows\system32\nvsvc.dll,nvsvcStart
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\Windows\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\Windows\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe
O4 - HKLM\..\Run: [PWRISOVM.EXE] C:\Program Files\PowerISO\PWRISOVM.EXE
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKCU\..\Run: [Aim6] "C:\Program Files\AIM6\aim6.exe" /d locale=en-US ee://aol/imApp
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\Windows Live\Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [Veoh] "C:\Program Files\Veoh Networks\Veoh\VeohClient.exe" /VeohHide
O4 - HKUS\S-1-5-19\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\Run: [WindowsWelcomeCenter] rundll32.exe oobefldr.dll,ShowWelcomeCenter (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'NETWORK SERVICE')
O4 - Startup: Xfire.lnk = C:\Program Files\Xfire\xfire.exe
O4 - Global Startup: BigFix.lnk = C:\Program Files\BigFix\bigfix.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0\bin\npjpi160.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0\bin\npjpi160.dll
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
O13 - Gopher Prefix:
O15 - Trusted Zone: *.line6.net
O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://appldnld.apple.com.edgesuite....x/qtplugin.cab
O16 - DPF: {2D8ED06D-3C30-438B-96AE-4D110FDC1FB8} (ActiveScan 2.0 Installer Class) - http://acs.pandasoftware.com/actives.../as2stubie.cab
O16 - DPF: {CF40ACC5-E1BB-4AFF-AC72-04C2F616BCA7} (get_atlcom Class) - http://www.adobe.com/products/acrobat/nos/gp.cab
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll
O20 - AppInit_DLLs: avgrsstx.dll
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: AVG8 E-mail Scanner (avg8emc) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgemc.exe
O23 - Service: AVG8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: PnkBstrA - Unknown owner - C:\Windows\system32\PnkBstrA.exe
O23 - Service: SigmaTel Audio Service (STacSV) - SigmaTel, Inc. - C:\Program Files\SigmaTel\C-Major Audio\WDM\STacSV.exe
O23 - Service: XAudioService - Conexant Systems, Inc. - C:\Windows\system32\DRIVERS\xaudio.exe

--
End of file - 7930 bytes

-- File Associations -----------------------------------------------------------

All associations okay.

-- Drivers: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled ---------------------

R1 StarOpen - c:\windows\system32\drivers\staropen.sys
R2 npkcrypt - \??\c:\nexon\maplestory\npkcrypt.sys

S3 NPPTNT2 - \??\c:\windows\system32\npptnt2.sys

-- Services: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled --------------------

R2 Apple Mobile Device - "c:\program files\common files\apple\mobile device support\bin\applemobiledeviceservice.exe" <Not Verified; Apple, Inc.; Apple Mobile Device Service>
R2 Bonjour Service - "c:\program files\bonjour\mdnsresponder.exe" <Not Verified; Apple Inc.; Bonjour>

S2 STacSV (SigmaTel Audio Service) - c:\program files\sigmatel\c-major audio\wdm\stacsv.exe <Not Verified; SigmaTel, Inc.; C-Major Audio>

-- Device Manager: Disabled ----------------------------------------------------

No disabled devices found.

-- Scheduled Tasks -------------------------------------------------------------

2008-06-20 21:20:58 422 --ah----- C:\Windows\Tasks\User_Feed_Synchronization-{F9AA926C-BDCE-4E6D-92AF-8C85B4D7E4A1}.job

-- Files created between 2008-05-21 and 2008-06-21 -----------------------------

2008-06-21 08:05:34 0 d-------- C:\ie-spyad_zo
2008-06-21 07:56:47 0 d-------- C:\Program Files\SpywareBlaster
2008-06-21 07:50:02 0 d-a------ C:\Users\All Users\TEMP
2008-06-21 02:49:48 0 d-------- C:\Program Files\Trend Micro
2008-06-21 02

32 0 d-------- C:\Program Files\Panda Security
2008-06-18 18:22:08 0 d-------- C:\Program Files\iPod
2008-06-18 18:21:57 0 d-------- C:\Program Files\iTunes
2008-06-18 18:19:58 0 d-------- C:\Program Files\QuickTime
2008-06-18 18:12:16 0 d-------- C:\Program Files\Apple Software Update
2008-06-16 19:08:28 0 d-------- C:\Program Files\Guitar Pro 5
2008-06-16 18:59:15 0 d-------- C:\Program Files\PowerISO
2008-06-11 16:15:52 0 d--h----- C:\$AVG8.VAULT$
2008-06-11 16:09:40 0 d-------- C:\Windows\system32\drivers\Avg
2008-06-11 16:09:24 0 d-------- C:\Program Files\AVG
2008-06-11 16:09:23 0 d-------- C:\Users\All Users\avg8
2008-06-11 15:29:19 0 d-------- C:\Program Files\Alwil Software
2008-06-11 13:29:18 0 d-------- C:\Users\All Users\Kaspersky Lab
2008-06-11 13:28:35 86144 -----n--- C:\Windows\system32\drivers\HdAudioo.sys
2008-06-11 13:28:24 0 d--hs---- C:\Windows\SG91c2U
2008-06-11 13:28:20 0 d-------- C:\Windows\system32\xnet2
2008-06-11 13:28:20 0 d-------- C:\Windows\system32\tz
2008-06-11 13:28:20 0 d-------- C:\Windows\system32\brem
2008-06-11 13:28:20 0 d-------- C:\Windows\system32\3057
2008-06-11 13:28:15 0 d-------- C:\Windows\system32\vntiho06
2008-06-11 13:28:15 0 d-------- C:\Temp
2008-06-11 13:27:02 0 d-------- C:\Users\All Users\Kaspersky Lab Setup Files
2008-06-10 23:01:35 0 d-------- C:\Users\All Users\Xfire
2008-06-10 23:01:32 0 d-------- C:\Program Files\Xfire
2008-06-09 19:43:50 5702 --ah----- C:\Windows\nod32restoretemdono.reg
2008-06-09 19:41:31 0 d-------- C:\Users\All Users\ESET
2008-06-09 19:29:45 262144 --a------ C:\Users\Public\NTUSER.DAT
2008-06-09 15:49:04 0 d-------- C:\Program Files\CenterLock
2008-06-09 14:15:54 0 d-------- C:\Users\All Users\Adsl Software Limited
2008-05-28 14:15:55 174592 --a------ C:\Windows\system32\framedyn.dll <Not Verified; Microsoft Corporation; Microsoft® Windows® Operating System>
2008-05-28 14:14:15 0 d-------- C:\Windows\system32\Samsung_USB_Drivers
2008-05-28 14:13:49 5632 --a------ C:\Windows\system32\drivers\StarOpen.sys
2008-05-28 14:13:31 0 d-------- C:\Program Files\Samsung
2008-05-24 12:31:12 0 d-------- C:\Program Files\AudioCommander
2008-05-24 12:31:07 0 d-------- C:\Users\Public\Application Data
2008-05-24 12:31:07 0 d-------- C:\Users\Public\Application Data\{CD08D33B-F39B-4A65-944A-A36FE20FB7BC}
2008-05-22 16:44:15 487479 --a------ C:\Windows\system32\SkinMagic.dll <Not Verified; Appspeed Inc.; Appspeed SkinMagic Toolkit>
2008-05-22 16:44:15 60273 --a------ C:\Windows\system32\pthreadGC2.dll <Not Verified; Open Source Software community project; >
2008-05-22 16:44:15 719872 --a------ C:\Windows\system32\devil.dll <Not Verified; Abysmal Software; Developer's Image Library (DevIL)>
2008-05-22 16:44:15 313344 --a------ C:\Windows\system32\avisynth.dll <Not Verified; The Public; Avisynth 2.5>
2008-05-22 16:44:15 7277568 --a------ C:\Windows\system32\3gpcore.dll
2008-05-22 16:44:14 0 d-------- C:\Windows\system32\avsplugin
2008-05-22 16:44:14 0 d-------- C:\Program Files\Smallvideosoft
2008-05-22 16:39:40 0 d-------- C:\Program Files\Xilisoft

-- Find3M Report ---------------------------------------------------------------

2008-06-19 02:46:51 0 d-------- C:\Users\Tom.House-PC\AppData\Roaming\Xfire
2008-06-16 20:34:05 0 d-------- C:\Users\Tom.House-PC\AppData\Roaming\uTorrent
2008-06-15 16:55:58 0 d-------- C:\Program Files\Viewpoint
2008-06-12 03:09:31 0 d-------- C:\Program Files\Windows Mail
2008-06-09 19:46:39 0 d-------- C:\Program Files\Common Files
2008-06-08 11:33:00 0 d--h----- C:\Program Files\InstallShield Installation Information
2008-05-24 12:16:49 0 d-------- C:\Users\Tom.House-PC\AppData\Roaming\Seven Zip
2008-05-19 17:04:30 0 d-------- C:\Program Files\AIM6
2008-04-30 13:35:29 0 d-------- C:\Program Files\Windows Live
2008-04-30 13:34:59 0 d--hs--c- C:\Program Files\Common Files\WindowsLiveInstaller
2008-04-26 16:10:59 0 d-------- C:\Users\Tom.House-PC\AppData\Roaming\LimeWire
2008-04-10 12:54:05 0 -rahs---- C:\MSDOS.SYS
2008-04-10 12:54:05 0 -rahs---- C:\IO.SYS

-- Registry Dump ---------------------------------------------------------------

*Note* empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{18CB1A7B-94CD-4582-8022-ADA16851E44B}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{A057A204-BACC-4D26-9990-79A187E2698E}]
06/11/2008 04:23 PM 2051328 --a------ C:\PROGRA~1\AVG\AVG8\AVGTOO~1.DLL

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser]
"{A057A204-BACC-4D26-9990-79A187E2698E}"= C:\PROGRA~1\AVG\AVG8\AVGTOO~1.DLL [06/11/2008 04:23 PM 2051328]

[-HKEY_CLASSES_ROOT\CLSID\{A057A204-BACC-4D26-9990-79A187E2698E}]
[HKEY_CLASSES_ROOT\avgtoolbar.AVGTOOLBAR]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Windows Defender"="C:\Program Files\Windows Defender\MSASCui.exe" [09/05/2007 10:39 PM]
"IgfxTray"="C:\Windows\system32\igfxtray.exe" [12/12/2006 12:02 PM]
"HotKeysCmds"="C:\Windows\system32\hkcmd.exe" [12/12/2006 12:03 PM]
"Persistence"="C:\Windows\system32\igfxpers.exe" [12/12/2006 12:02 PM]
"SigmatelSysTrayApp"="sttray.exe" [11/02/2006 02:38 PM C:\WINDOWS\sttray.exe]
"BigFix"="c:\program files\Bigfix\bigfix.exe" [11/16/2006 08:04 PM]
"DmwClient"="dmwclient.exe" []
"NvSvc"="C:\Windows\system32\nvsvc.dll" [07/06/2007 01:15 PM]
"NvCplDaemon"="C:\Windows\system32\NvCpl.dll" [07/06/2007 01:15 PM]
"NvMediaCenter"="C:\Windows\system32\NvMcTray.dll" [07/06/2007 01:15 PM]
"Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [01/11/2008 10:16 PM]
"AVG8_TRAY"="C:\PROGRA~1\AVG\AVG8\avgtray.exe" [06/11/2008 04:23 PM]
"PWRISOVM.EXE"="C:\Program Files\PowerISO\PWRISOVM.EXE" [08/06/2007 08:05 PM]
"QuickTime Task"="C:\Program Files\QuickTime\QTTask.exe" [05/27/2008 10:50 AM]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [06/02/2008 11:13 AM]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Aim6"="C:\Program Files\AIM6\aim6.exe" [03/25/2008 04:21 PM]
"msnmsgr"="C:\Program Files\Windows Live\Messenger\MsnMsgr.exe" [10/18/2007 11:34 AM]
"swg"="C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe" [04/05/2008 10:14 AM]
"Veoh"="C:\Program Files\Veoh Networks\Veoh\VeohClient.exe" [04/01/2008 06:35 PM]
"@"="" []

C:\Users\Tom.House-PC\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\
Xfire.lnk - C:\Program Files\Xfire\xfire.exe [6/2/2008 8:55:46 PM]

C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\
BigFix.lnk - C:\Program Files\BigFix\bigfix.exe [3/5/2007 12:27:36 PM]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"ConsentPromptBehaviorAdmin"=2 (0x2)

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"appinit_dlls"=avgrsstx.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\AppInfo]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\KeyIso]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\NTDS]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\ProfSvc]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\sacsvr]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\SWPRV]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\TabletInputService]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\TBS]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\TrustedInstaller]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\VDS]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\volmgr.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\volmgrx.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{533C5B84-EC70-11D2-9505-00C04F79DEAF}]
@="Volume shadow copy"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{6BDD1FC1-810F-11D0-BEC7-08002BE2092F}]
@="IEEE 1394 Bus host controllers"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{D48179BE-EC20-11D1-B6B8-00C04FA372A7}]
@="SBP2 IEEE 1394 Devices"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{D94EE5D8-D189-4994-83D2-F68D7D41B0E6}]
@="SecurityDevices"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DAEMON Tools]
"C:\Program Files\DAEMON Tools\daemon.exe" -lang 1033

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ddoctorv2]
"C:\Program Files\Comcast\Desktop Doctor\bin\sprtcmd.exe" /P ddoctorv2

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DmwClient]
"dmwclient.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Google Desktop Search]
"C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe" /startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NapsterShell]
C:\Program Files\Napster\napster.exe /systray

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
LocalService nsi lltdsvc SSDPSRV upnphost SCardSvr w32time EventSystem RemoteRegistry WinHttpAutoProxySvc lanmanworkstation TBS SLUINotify THREADORDER fdrespub netprofm fdphost wcncsvc QWAVE WebClient
LocalSystemNetworkRestricted hidserv UxSms WdiSystemHost Netman trkwks AudioEndpointBuilder WUDFSvc irmon sysmain IPBusEnum dot3svc PcaSvc wlansvc EMDMgmt TabletInputService WPDBusEnum
LocalServiceNoNetwork PLA DPS BFE mpssvc

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{b10cd3c1-9a49-11dc-af34-001947aefeab}]
AutoRun\command- J:\Start.exe

*Newly Created Service* - PNKBSTRK

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\>{22d6f312-b0f6-11d0-94ab-0080c74c7e95}]
C:\Windows\system32\unregmp2.exe /ShowWMP

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{6BF52A52-394A-11d3-B153-00C04F79FAA6}]
%SystemRoot%\system32\unregmp2.exe /FirstLogon /Shortcuts /RegBrowsers /ResetMUI

-- End of Deckard's System Scanner: finished at 2008-06-21 08:53:21 ------------

tetonbob · 06-21-2008, 07:12 AM

It looks as though the infection is neutralized, though I do see some folders usually associated with this type of infection.

Open notepad and copy/paste the text in the quotebox below into it:

Quote:

dir /a /s C:\Windows\SG91c2U > log.txt
dir /a /s C:\Windows\system32\xnet2 >> log.txt
dir /a /s C:\Windows\system32\tz >> log.txt
dir /a /s C:\Windows\system32\brem >> log.txt
dir /a /s C:\Windows\system32\3057 >> log.txt
dir /a /s C:\Windows\system32\vntiho06 >> log.txt
dir /a /s "C:\Users\All Users\Adsl Software Limited" >> log.txt

notepad log.txt
del log.txt

Save this as peek.bat Choose to "Save type as - All Files"
It should look like this:

Right click on peek.bat, choose run as administrator & allow it to run. A notepad file will open. Copy that information into your next reply, please.

tomwall64 · 06-21-2008, 08:00 PM

heres the peek.bat log,

Volume in drive C is Windows
Volume Serial Number is B026-1B5F

Directory of C:\Windows\SG91c2U

06/11/2008 01:42 PM <DIR> .
06/11/2008 01:42 PM <DIR> ..
0 File(s) 0 bytes

Total Files Listed:
0 File(s) 0 bytes
2 Dir(s) 129,725,943,808 bytes free
Volume in drive C is Windows
Volume Serial Number is B026-1B5F

Directory of C:\Windows\system32\xnet2

06/12/2008 02:20 PM <DIR> .
06/12/2008 02:20 PM <DIR> ..
0 File(s) 0 bytes

Total Files Listed:
0 File(s) 0 bytes
2 Dir(s) 129,725,943,808 bytes free
Volume in drive C is Windows
Volume Serial Number is B026-1B5F

Directory of C:\Windows\system32\tz

06/12/2008 02:19 PM <DIR> .
06/12/2008 02:19 PM <DIR> ..
0 File(s) 0 bytes

Total Files Listed:
0 File(s) 0 bytes
2 Dir(s) 129,725,939,712 bytes free
Volume in drive C is Windows
Volume Serial Number is B026-1B5F

Directory of C:\Windows\system32\brem

06/12/2008 02:09 PM <DIR> .
06/12/2008 02:09 PM <DIR> ..
0 File(s) 0 bytes

Total Files Listed:
0 File(s) 0 bytes
2 Dir(s) 129,725,939,712 bytes free
Volume in drive C is Windows
Volume Serial Number is B026-1B5F

Directory of C:\Windows\system32\3057

06/12/2008 02:09 PM <DIR> .
06/12/2008 02:09 PM <DIR> ..
0 File(s) 0 bytes

Total Files Listed:
0 File(s) 0 bytes
2 Dir(s) 129,725,939,712 bytes free
Volume in drive C is Windows
Volume Serial Number is B026-1B5F

Directory of C:\Windows\system32\vntiho06

06/12/2008 02:19 PM <DIR> .
06/12/2008 02:19 PM <DIR> ..
0 File(s) 0 bytes

Total Files Listed:
0 File(s) 0 bytes
2 Dir(s) 129,725,939,712 bytes free
Volume in drive C is Windows
Volume Serial Number is B026-1B5F

Directory of C:\Users\All Users\Adsl Software Limited

06/09/2008 02:15 PM <DIR> .
06/09/2008 02:15 PM <DIR> ..
06/09/2008 03:38 PM <DIR> WinSpywareProtect
0 File(s) 0 bytes

Directory of C:\Users\All Users\Adsl Software Limited\WinSpywareProtect

06/09/2008 03:38 PM <DIR> .
06/09/2008 03:38 PM <DIR> ..
06/10/2008 09:11 PM <DIR> BASE
06/09/2008 03:38 PM <DIR> DELETED
06/15/2008 03:37 PM <DIR> LOG
06/09/2008 03:38 PM <DIR> SAVED
06/09/2008 02:16 PM 1,174,528 WinSpywareProtect.exe
1 File(s) 1,174,528 bytes

Directory of C:\Users\All Users\Adsl Software Limited\WinSpywareProtect\BASE

06/10/2008 09:11 PM <DIR> .
06/10/2008 09:11 PM <DIR> ..
06/10/2008 09:11 PM 2,775,532 vbase.dat
1 File(s) 2,775,532 bytes

Directory of C:\Users\All Users\Adsl Software Limited\WinSpywareProtect\DELETED

06/09/2008 03:38 PM <DIR> .
06/09/2008 03:38 PM <DIR> ..
0 File(s) 0 bytes

Directory of C:\Users\All Users\Adsl Software Limited\WinSpywareProtect\LOG

06/15/2008 03:37 PM <DIR> .
06/15/2008 03:37 PM <DIR> ..
06/09/2008 07:43 PM 348 20080609153841703.log
06/09/2008 09:32 PM 82 20080609194645526.log
06/10/2008 04:40 PM 82 20080610163355291.log
06/10/2008 04:57 PM 55 20080610165559182.log
06/11/2008 01:45 AM 2,177 20080610205015695.log
06/11/2008 01:40 PM 174 20080611122437188.log
06/11/2008 01:56 PM 174 20080611134549050.log
06/11/2008 04:43 PM 174 20080611135941963.log
06/11/2008 06:13 PM 174 20080611165719990.log
06/12/2008 03:09 AM 174 20080611232410838.log
06/13/2008 10:59 PM 228 20080612133106143.log
06/14/2008 08:24 AM 147 20080613233446251.log
06/14/2008 12:00 PM 119 20080614115813488.log
06/15/2008 02:59 PM 174 20080614152116651.log
06/15/2008 05:04 PM 173 20080615153753735.log
15 File(s) 4,455 bytes

Directory of C:\Users\All Users\Adsl Software Limited\WinSpywareProtect\SAVED

06/09/2008 03:38 PM <DIR> .
06/09/2008 03:38 PM <DIR> ..
0 File(s) 0 bytes

Total Files Listed:
17 File(s) 3,954,515 bytes
17 Dir(s) 129,725,935,616 bytes free

tetonbob · 06-21-2008, 09:58 PM

Please download OTMoveIt2 by OldTimer.

Save it to your desktop.
Please right click on OTMoveit2.exe and select "Run as an Administrator" to run it.

Copy the file paths below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose Copy):

Quote:

C:\Windows\SG91c2U
C:\Windows\system32\xnet2
C:\Windows\system32\tz
C:\Windows\system32\brem
C:\Windows\system32\3057
C:\Windows\system32\vntiho06
C:\Users\All Users\Adsl Software Limited

Return to OTMoveIt2, right click in the "Paste List Of Files/Patterns To Search For and Move" window (under the yellow bar) and choose Paste.
Click the red Moveit! button.
Copy everything in the Results window (under the green bar) to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose copy), and paste it in your next reply.
Close OTMoveIt2

If a file or folder cannot be moved immediately you may be asked to reboot the machine to finish the move process. If you are asked to reboot the machine choose Yes.

If the machine reboots, the Results log can be found here:

c:\_OTMoveIt\MovedFiles\mmddyyyy_hhmmss.log

Where mmddyyyy_hhmmss is the date of the tool run.

=====================================

Please download Malwarebytes' Anti-Malware to your desktop.

Double-click mbam-setup.exe and follow the prompts to install the program.
At the end, be sure a checkmark is placed next to the following:
- Update Malwarebytes' Anti-Malware
- Launch Malwarebytes' Anti-Malware
Then click Finish.
If an update is found, it will download and install the latest version.
Once the program has loaded, select Perform quick scan, then click Scan.
When the scan is complete, click OK, then Show Results to view the results.
Be sure that everything is checked, and click Remove Selected.
When completed, a log will open in Notepad. Save it to your desktop. Malwarebytes' Anti-Malware may require a reboot to complete removals. After a reboot, if required, post that saved log in your next reply.

=====================================

Open HijackThis (right click on HijackThis.exe and select "Run as an Administrator") and click on 'Do a System Scan and save a Logfile'. Save the log file and post it here.

tomwall64 · 06-21-2008, 11:20 PM

heres my OTmoveit2 results

C:\Windows\SG91c2U moved successfully.
C:\Windows\system32\xnet2 moved successfully.
C:\Windows\system32\tz moved successfully.
C:\Windows\system32\brem moved successfully.
C:\Windows\system32\3057 moved successfully.
C:\Windows\system32\vntiho06 moved successfully.
C:\Users\All Users\Adsl Software Limited\WinSpywareProtect\SAVED moved successfully.
C:\Users\All Users\Adsl Software Limited\WinSpywareProtect\LOG moved successfully.
C:\Users\All Users\Adsl Software Limited\WinSpywareProtect\DELETED moved successfully.
C:\Users\All Users\Adsl Software Limited\WinSpywareProtect\BASE moved successfully.
C:\Users\All Users\Adsl Software Limited\WinSpywareProtect moved successfully.
C:\Users\All Users\Adsl Software Limited moved successfully.

OTMoveIt2 by OldTimer - Version 1.0.4.2 log created on 06222008_014843

heres my scanlog but i had a problem removing some of the objects, this is the error i recieved,
"certain items could not be removed! the first few are listed below. all items that could not be removed have been added to the delete on reboot list please restart your computer now. a logfile was saved to the logs folder.

C:\WINDOWS\System32\drivers\HdAudioo.sys
C:\WINDOWS\System32\drivers\core.cache.dsk

your computer needs to be restarted to complete the removal process.
would you like to continue?
Yes/No"

so heres the log,

Malwarebytes' Anti-Malware 1.18
Database version: 876

2:02:36 AM 6/22/2008
mbam-log-6-22-2008 (02-02-36).txt

Scan type: Quick Scan
Objects scanned: 37450
Time elapsed: 5 minute(s), 15 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 28
Registry Values Infected: 4
Registry Data Items Infected: 0
Folders Infected: 4
Files Infected: 10

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_CLASSES_ROOT\centerlock.centerlock (Trojan.BHO) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\centerlock.centerlock.1 (Trojan.BHO) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{18cb1a7b-94cd-4582-8022-ada16851e44b} (Trojan.BHO) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Typelib\{8b8df25f-2c47-4473-8e1c-7f54ac7ef481} (Trojan.BHO) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{7c4bcd17-bdba-4078-9d8c-8ca8b7eabe77} (Rogue.Multiple) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{c108ae59-c97f-4517-8b74-5590be3c2a82} (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{2587f5f9-bcdf-4076-98ef-afc65c5bd816} (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{bd3c6f7c-6c8d-48f6-ac52-5e4071aeb257} (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\shoppingreport.iebutton (Adware.Shopping.Report) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\shoppingreport.iebutton.1 (Adware.Shopping.Report) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\shoppingreport.hbinfoband (Adware.Shopping.Report) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\shoppingreport.hbinfoband.1 (Adware.Shopping.Report) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\shoppingreport.iebuttona (Adware.Shopping.Report) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\shoppingreport.iebuttona.1 (Adware.Shopping.Report) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\shoppingreport.hbax (Adware.Shopping.Report) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\shoppingreport.hbax.1 (Adware.Shopping.Report) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\shoppingreport.rprtctrl (Adware.Shopping.Report) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\shoppingreport.rprtctrl.1 (Adware.Shopping.Report) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{8ad9ad05-36be-4e40-ba62-5422eb0d02fb} (Adware.Shopping.Report) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{aebf09e2-0c15-43c8-99bf-928c645d98a0} (Adware.Shopping.Report) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Typelib\{cdca70d8-c6a6-49ee-9bed-7429d6c477a2} (Adware.Shopping.Report) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Typelib\{d136987f-e1c4-4ccc-a220-893df03ec5df} (Adware.Shopping.Report) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\Software\NetProject (Trojan.Zlob) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\Software\Adsl Software Limited (Rogue.MalWarrior) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\Software\Microsoft\rdfa (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\videoPl.chl (Trojan.Zlob) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\Software\ShoppingReport (Adware.Shopping.Report) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\ShoppingReport (Adware.Shopping.Report) -> Quarantined and deleted successfully.

Registry Values Infected:
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser\{07aa283a-43d7-4cbe-a064-32a21112d94d} (Adware.Zango) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\New Windows\Allow\*.securewebinfo.com (Trojan.Zlob) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\New Windows\Allow\*.safetyincludes.com (Trojan.Zlob) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\New Windows\Allow\*.securemanaging.com (Trojan.Zlob) -> Quarantined and deleted successfully.

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
C:\Program Files\ShoppingReport (Adware.Shopping.Report) -> Quarantined and deleted successfully.
C:\Program Files\ShoppingReport\Bin (Adware.Shopping.Report) -> Quarantined and deleted successfully.
C:\Program Files\ShoppingReport\Bin\2.5.0 (Adware.Shopping.Report) -> Quarantined and deleted successfully.
C:\Users\Tom.House-PC\AppData\Roaming\Microsoft\dtsc (Trojan.Agent) -> Quarantined and deleted successfully.

Files Infected:
C:\WINDOWS\System32\drivers\HdAudioo.sys (Rootkit.Agent) -> Delete on reboot.
C:\Program Files\ShoppingReport\Bin\2.5.0\ShoppingReport.dll (Adware.Shopping.Report) -> Quarantined and deleted successfully.
C:\Users\Tom.House-PC\AppData\Roaming\Microsoft\dtsc\s (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\System32\pac.txt (Malware.Trace) -> Quarantined and deleted successfully.
C:\WINDOWS\System32\atmtd.dll._ (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\System32\drivers\core.cache.dsk (Malware.Trace) -> Delete on reboot.
C:\Users\Tom.House-PC\My Documents\My Music\My Music.url (Trojan.Zlob) -> Quarantined and deleted successfully.
C:\Users\Tom.House-PC\My Documents\My Pictures\My Pictures.url (Trojan.Zlob) -> Quarantined and deleted successfully.
C:\Users\Tom.House-PC\My Documents\My Videos\My Video.url (Trojan.Zlob) -> Quarantined and deleted successfully.
C:\Users\Tom.House-PC\My Documents\My Documents.url (Trojan.Zlob) -> Quarantined and deleted successfully.

tetonbob · 06-22-2008, 07:49 AM

Hi, that's not an error message, simply an advisement that mbam needed to reboot to complete the removals of some items. Did you click on Yes?

There's no need for the extra large fonts. I won't overlook your comments. Thanks.

Let's make sure it's gone.

Please run Deckard's System Scanner once again, this time using these instructions:

Click the Windows key + R > then copy/paste this into the run box & click OK

"C:\Users\Tom.House-PC\Downloads\dss.exe" /config

Click on "Check All"

Click Scan!

When finished, it shall produce two logs for you. Post those logs in your next reply.

tomwall64 · 06-22-2008, 11:37 AM

oh ok and yes i clicked yes. also i noticed i havent had any popups or pop unders in a while after i restarted my computer, but im still gonna need some help removeing some unwanted and hidden trojans in my computer or anything else with what your helping me with.

heres main.txt,

Deckard's System Scanner v20071014.68
Run by Tom on 2008-06-22 14:21:54
Computer is in Normal Mode.
--------------------------------------------------------------------------------

-- Last 5 Restore Point(s) --
14: 2008-06-22 07:18:26 UTC - RP36 - Scheduled Checkpoint
13: 2008-06-21 12:53:37 UTC - RP35 - Avg8 Update
12: 2008-06-21 12:37:11 UTC - RP33 - Windows Update
11: 2008-06-21 12:25:47 UTC - RP32 - Windows Update
10: 2008-06-21 04:00:04 UTC - RP31 - Scheduled Checkpoint

-- First Restore Point --
1: 2008-06-13 03:11:13 UTC - RP21 - Windows Backup

Performed disk cleanup.

Percentage of Memory in Use: 78% (more than 75%).
Total Physical Memory: 1021 MiB (1024 MiB recommended).

-- HijackThis (run as Tom.exe) -------------------------------------------------

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 2:24:24 PM, on 6/22/2008
Platform: Windows Vista (WinNT 6.00.1904)
MSIE: Internet Explorer v7.00 (7.00.6000.16681)
Boot mode: Normal

Running processes:
C:\Windows\system32\Dwm.exe
C:\Windows\system32\taskeng.exe
C:\Windows\Explorer.EXE
C:\Program Files\Windows Defender\MSASCui.exe
C:\WINDOWS\System32\rundll32.exe
C:\Program Files\AVG\AVG8\avgtray.exe
C:\WINDOWS\System32\rundll32.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\AIM6\aim6.exe
C:\Program Files\Windows Live\Messenger\msnmsgr.exe
C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe
C:\Program Files\Xfire\xfire.exe
C:\Program Files\AIM6\aolsoftware.exe
C:\Program Files\Xfire\xfire.exe
C:\Program Files\Internet Explorer\IEUser.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\PROGRA~1\AVG\AVG8\aAvgApi.exe
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLLoginProxy.exe
C:\Users\Tom.House-PC\Downloads\dss.exe
C:\Windows\system32\taskeng.exe
C:\PROGRA~1\TRENDM~1\HIJACK~1\Tom.exe
C:\Program Files\Ventrilo\Ventrilo.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.gateway.com/g/startpage.h...ys=DTP&M=T3604
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.comcast.net/
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.gateway.com/g/sidepanel.h...ys=DTP&M=T3604
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Windows Internet Explorer provided by Comcast
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = :0
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O1 - Hosts: ::1 localhost
O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - (no file)
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG8\avgssie.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0\bin\ssv.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: AVGTOOLBAR - {A057A204-BACC-4D26-9990-79A187E2698E} - C:\PROGRA~1\AVG\AVG8\AVGTOO~1.DLL
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: (no name) - {0BF43445-2F28-4351-9252-17FE6E806AA0} - (no file)
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: Veoh Browser Plug-in - {D0943516-5076-4020-A3B5-AEFAF26AB263} - C:\Program Files\Veoh Networks\Veoh\Plugins\reg\VeohToolbar.dll
O3 - Toolbar: AVGTOOLBAR - {A057A204-BACC-4D26-9990-79A187E2698E} - C:\PROGRA~1\AVG\AVG8\AVGTOO~1.DLL
O4 - HKLM\..\Run: [Windows Defender] %ProgramFiles%\Windows Defender\MSASCui.exe -hide
O4 - HKLM\..\Run: [IgfxTray] C:\Windows\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\Windows\system32\hkcmd.exe
O4 - HKLM\..\Run: [Persistence] C:\Windows\system32\igfxpers.exe
O4 - HKLM\..\Run: [SigmatelSysTrayApp] sttray.exe
O4 - HKLM\..\Run: [BigFix] c:\program files\Bigfix\bigfix.exe /atstartup
O4 - HKLM\..\Run: [DmwClient] "dmwclient.exe"
O4 - HKLM\..\Run: [NvSvc] RUNDLL32.EXE C:\Windows\system32\nvsvc.dll,nvsvcStart
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\Windows\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\Windows\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe
O4 - HKLM\..\Run: [PWRISOVM.EXE] C:\Program Files\PowerISO\PWRISOVM.EXE
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [Malwarebytes Anti-Malware Reboot] "C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe" /runcleanupscript
O4 - HKCU\..\Run: [Aim6] "C:\Program Files\AIM6\aim6.exe" /d locale=en-US ee://aol/imApp
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\Windows Live\Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [Veoh] "C:\Program Files\Veoh Networks\Veoh\VeohClient.exe" /VeohHide
O4 - HKUS\S-1-5-19\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\Run: [WindowsWelcomeCenter] rundll32.exe oobefldr.dll,ShowWelcomeCenter (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'NETWORK SERVICE')
O4 - Startup: Xfire.lnk = C:\Program Files\Xfire\xfire.exe
O4 - Global Startup: BigFix.lnk = C:\Program Files\BigFix\bigfix.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0\bin\npjpi160.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0\bin\npjpi160.dll
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
O13 - Gopher Prefix:
O15 - Trusted Zone: *.line6.net
O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://appldnld.apple.com.edgesuite....x/qtplugin.cab
O16 - DPF: {2D8ED06D-3C30-438B-96AE-4D110FDC1FB8} (ActiveScan 2.0 Installer Class) - http://acs.pandasoftware.com/actives.../as2stubie.cab
O16 - DPF: {CF40ACC5-E1BB-4AFF-AC72-04C2F616BCA7} (get_atlcom Class) - http://www.adobe.com/products/acrobat/nos/gp.cab
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll
O20 - AppInit_DLLs: avgrsstx.dll
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: AVG8 E-mail Scanner (avg8emc) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgemc.exe
O23 - Service: AVG8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: PnkBstrA - Unknown owner - C:\Windows\system32\PnkBstrA.exe
O23 - Service: SigmaTel Audio Service (STacSV) - SigmaTel, Inc. - C:\Program Files\SigmaTel\C-Major Audio\WDM\STacSV.exe
O23 - Service: XAudioService - Conexant Systems, Inc. - C:\Windows\system32\DRIVERS\xaudio.exe

--
End of file - 8094 bytes

-- File Associations -----------------------------------------------------------

.reg - regfile - shell\open\command - regedit.exe "%1" %*
.scr - scrfile - shell\open\command - "%1" %*

-- Drivers: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled ---------------------

R1 SCDEmu - c:\windows\system32\drivers\scdemu.sys <Not Verified; PowerISO Computing, Inc.; scdemu>
R1 StarOpen - c:\windows\system32\drivers\staropen.sys
R2 npkcrypt - \??\c:\nexon\maplestory\npkcrypt.sys

S3 NPPTNT2 - \??\c:\windows\system32\npptnt2.sys

-- Services: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled --------------------

R2 Apple Mobile Device - "c:\program files\common files\apple\mobile device support\bin\applemobiledeviceservice.exe" <Not Verified; Apple, Inc.; Apple Mobile Device Service>
R2 Bonjour Service - "c:\program files\bonjour\mdnsresponder.exe" <Not Verified; Apple Inc.; Bonjour>

S2 STacSV (SigmaTel Audio Service) - c:\program files\sigmatel\c-major audio\wdm\stacsv.exe <Not Verified; SigmaTel, Inc.; C-Major Audio>

-- Device Manager: Disabled ----------------------------------------------------

No disabled devices found.

-- Process Modules -------------------------------------------------------------

C:\WINDOWS\explorer.exe (pid 6120)
2007-07-24 15:17:08 147456 --a------ C:\Program Files\Bonjour\mdnsNSP.dll <Not Verified; Apple Inc.; Bonjour>

-- Scheduled Tasks -------------------------------------------------------------

2008-06-22 10:30:27 422 --ah----- C:\Windows\Tasks\User_Feed_Synchronization-{F9AA926C-BDCE-4E6D-92AF-8C85B4D7E4A1}.job

-- Files created between 2008-05-22 and 2008-06-22 -----------------------------

2008-06-22 01:50:47 0 d-------- C:\Users\All Users\Malwarebytes
2008-06-22 01:50:47 0 d-------- C:\Program Files\Malwarebytes' Anti-Malware
2008-06-21 12:52:41 0 d-------- C:\Program Files\GIMP-2.0
2008-06-21 12:18:04 0 d-------- C:\Program Files\Picasa2
2008-06-21 11:18:46 0 d-------- C:\Users\Tom.House-PC\.gimp-2.4
2008-06-21 08:05:34 0 d-------- C:\ie-spyad_zo
2008-06-21 07:56:47 0 d-------- C:\Program Files\SpywareBlaster
2008-06-21 07:50:02 0 d-a------ C:\Users\All Users\TEMP
2008-06-21 02:49:48 0 d-------- C:\Program Files\Trend Micro
2008-06-21 02

32 0 d-------- C:\Program Files\Panda Security
2008-06-18 18:22:08 0 d-------- C:\Program Files\iPod
2008-06-18 18:21:57 0 d-------- C:\Program Files\iTunes
2008-06-18 18:19:58 0 d-------- C:\Program Files\QuickTime
2008-06-18 18:12:16 0 d-------- C:\Program Files\Apple Software Update
2008-06-16 19:08:28 0 d-------- C:\Program Files\Guitar Pro 5
2008-06-16 18:59:15 0 d-------- C:\Program Files\PowerISO
2008-06-11 16:15:52 0 d--h----- C:\$AVG8.VAULT$
2008-06-11 16:09:40 0 d-------- C:\Windows\system32\drivers\Avg
2008-06-11 16:09:24 0 d-------- C:\Program Files\AVG
2008-06-11 16:09:23 0 d-------- C:\Users\All Users\avg8
2008-06-11 15:29:19 0 d-------- C:\Program Files\Alwil Software
2008-06-11 13:29:18 0 d-------- C:\Users\All Users\Kaspersky Lab
2008-06-11 13:28:15 0 d-------- C:\Temp
2008-06-11 13:27:02 0 d-------- C:\Users\All Users\Kaspersky Lab Setup Files
2008-06-10 23:01:35 0 d-------- C:\Users\All Users\Xfire
2008-06-10 23:01:32 0 d-------- C:\Program Files\Xfire
2008-06-09 19:43:50 5702 --ah----- C:\Windows\nod32restoretemdono.reg
2008-06-09 19:41:31 0 d-------- C:\Users\All Users\ESET
2008-06-09 19:29:45 262144 --a------ C:\Users\Public\NTUSER.DAT
2008-06-09 15:49:04 0 d-------- C:\Program Files\CenterLock
2008-05-28 14:15:55 174592 --a------ C:\Windows\system32\framedyn.dll <Not Verified; Microsoft Corporation; Microsoft® Windows® Operating System>
2008-05-28 14:14:15 0 d-------- C:\Windows\system32\Samsung_USB_Drivers
2008-05-28 14:13:49 5632 --a------ C:\Windows\system32\drivers\StarOpen.sys
2008-05-28 14:13:31 0 d-------- C:\Program Files\Samsung
2008-05-24 12:31:12 0 d-------- C:\Program Files\AudioCommander
2008-05-24 12:31:07 0 d-------- C:\Users\Public\Application Data
2008-05-24 12:31:07 0 d-------- C:\Users\Public\Application Data\{CD08D33B-F39B-4A65-944A-A36FE20FB7BC}
2008-05-22 16:44:15 487479 --a------ C:\Windows\system32\SkinMagic.dll <Not Verified; Appspeed Inc.; Appspeed SkinMagic Toolkit>
2008-05-22 16:44:15 60273 --a------ C:\Windows\system32\pthreadGC2.dll <Not Verified; Open Source Software community project; >
2008-05-22 16:44:15 719872 --a------ C:\Windows\system32\devil.dll <Not Verified; Abysmal Software; Developer's Image Library (DevIL)>
2008-05-22 16:44:15 313344 --a------ C:\Windows\system32\avisynth.dll <Not Verified; The Public; Avisynth 2.5>
2008-05-22 16:44:15 7277568 --a------ C:\Windows\system32\3gpcore.dll
2008-05-22 16:44:14 0 d-------- C:\Windows\system32\avsplugin
2008-05-22 16:44:14 0 d-------- C:\Program Files\Smallvideosoft
2008-05-22 16:39:40 0 d-------- C:\Program Files\Xilisoft

-- Find3M Report ---------------------------------------------------------------

2008-06-22 01:50:51 0 d-------- C:\Users\Tom.House-PC\AppData\Roaming\Malwarebytes
2008-06-21 16:23:48 0 d-------- C:\Users\Tom.House-PC\AppData\Roaming\Xfire
2008-06-21 13:09:35 0 d-------- C:\Users\Tom.House-PC\AppData\Roaming\uTorrent
2008-06-15 16:55:58 0 d-------- C:\Program Files\Viewpoint
2008-06-12 03:09:31 0 d-------- C:\Program Files\Windows Mail
2008-06-09 19:46:39 0 d-------- C:\Program Files\Common Files
2008-06-08 11:33:00 0 d--h----- C:\Program Files\InstallShield Installation Information
2008-05-24 12:16:49 0 d-------- C:\Users\Tom.House-PC\AppData\Roaming\Seven Zip
2008-05-19 17:04:30 0 d-------- C:\Program Files\AIM6
2008-04-30 13:35:29 0 d-------- C:\Program Files\Windows Live
2008-04-30 13:34:59 0 d--hs--c- C:\Program Files\Common Files\WindowsLiveInstaller
2008-04-26 16:10:59 0 d-------- C:\Users\Tom.House-PC\AppData\Roaming\LimeWire
2008-04-10 12:54:05 0 -rahs---- C:\MSDOS.SYS
2008-04-10 12:54:05 0 -rahs---- C:\IO.SYS

-- Registry Dump ---------------------------------------------------------------

*Note* empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{A057A204-BACC-4D26-9990-79A187E2698E}]
06/21/2008 08:53 AM 2055960 --a------ C:\PROGRA~1\AVG\AVG8\AVGTOO~1.DLL

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser]
"{A057A204-BACC-4D26-9990-79A187E2698E}"= C:\PROGRA~1\AVG\AVG8\AVGTOO~1.DLL [06/21/2008 08:53 AM 2055960]

[-HKEY_CLASSES_ROOT\CLSID\{A057A204-BACC-4D26-9990-79A187E2698E}]
[HKEY_CLASSES_ROOT\avgtoolbar.AVGTOOLBAR]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Windows Defender"="C:\Program Files\Windows Defender\MSASCui.exe" [09/05/2007 10:39 PM]
"IgfxTray"="C:\Windows\system32\igfxtray.exe" [12/12/2006 12:02 PM]
"HotKeysCmds"="C:\Windows\system32\hkcmd.exe" [12/12/2006 12:03 PM]
"Persistence"="C:\Windows\system32\igfxpers.exe" [12/12/2006 12:02 PM]
"SigmatelSysTrayApp"="sttray.exe" [11/02/2006 02:38 PM C:\WINDOWS\sttray.exe]
"BigFix"="c:\program files\Bigfix\bigfix.exe" [11/16/2006 08:04 PM]
"DmwClient"="dmwclient.exe" []
"NvSvc"="C:\Windows\system32\nvsvc.dll" [07/06/2007 01:15 PM]
"NvCplDaemon"="C:\Windows\system32\NvCpl.dll" [07/06/2007 01:15 PM]
"NvMediaCenter"="C:\Windows\system32\NvMcTray.dll" [07/06/2007 01:15 PM]
"Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [01/11/2008 10:16 PM]
"AVG8_TRAY"="C:\PROGRA~1\AVG\AVG8\avgtray.exe" [06/21/2008 08:53 AM]
"PWRISOVM.EXE"="C:\Program Files\PowerISO\PWRISOVM.EXE" [08/06/2007 08:05 PM]
"QuickTime Task"="C:\Program Files\QuickTime\QTTask.exe" [05/27/2008 10:50 AM]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [06/02/2008 11:13 AM]
"Malwarebytes Anti-Malware Reboot"="C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe" [06/19/2008 05:47 PM]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Aim6"="C:\Program Files\AIM6\aim6.exe" [03/25/2008 04:21 PM]
"msnmsgr"="C:\Program Files\Windows Live\Messenger\MsnMsgr.exe" [10/18/2007 11:34 AM]
"swg"="C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe" [04/05/2008 10:14 AM]
"Veoh"="C:\Program Files\Veoh Networks\Veoh\VeohClient.exe" [04/01/2008 06:35 PM]
"@"="" []

C:\Users\Tom.House-PC\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\
Xfire.lnk - C:\Program Files\Xfire\xfire.exe [6/2/2008 8:55:46 PM]

C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\
BigFix.lnk - C:\Program Files\BigFix\bigfix.exe [3/5/2007 12:27:36 PM]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"ConsentPromptBehaviorAdmin"=2 (0x2)

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"appinit_dlls"=avgrsstx.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\AppInfo]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\KeyIso]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\NTDS]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\ProfSvc]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\sacsvr]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\SWPRV]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\TabletInputService]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\TBS]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\TrustedInstaller]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\VDS]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\volmgr.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\volmgrx.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{533C5B84-EC70-11D2-9505-00C04F79DEAF}]
@="Volume shadow copy"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{6BDD1FC1-810F-11D0-BEC7-08002BE2092F}]
@="IEEE 1394 Bus host controllers"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{D48179BE-EC20-11D1-B6B8-00C04FA372A7}]
@="SBP2 IEEE 1394 Devices"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{D94EE5D8-D189-4994-83D2-F68D7D41B0E6}]
@="SecurityDevices"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DAEMON Tools]
"C:\Program Files\DAEMON Tools\daemon.exe" -lang 1033

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ddoctorv2]
"C:\Program Files\Comcast\Desktop Doctor\bin\sprtcmd.exe" /P ddoctorv2

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DmwClient]
"dmwclient.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Google Desktop Search]
"C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe" /startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NapsterShell]
C:\Program Files\Napster\napster.exe /systray

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
LocalService nsi lltdsvc SSDPSRV upnphost SCardSvr w32time EventSystem RemoteRegistry WinHttpAutoProxySvc lanmanworkstation TBS SLUINotify THREADORDER fdrespub netprofm fdphost wcncsvc QWAVE WebClient
LocalSystemNetworkRestricted hidserv UxSms WdiSystemHost Netman trkwks AudioEndpointBuilder WUDFSvc irmon sysmain IPBusEnum dot3svc PcaSvc wlansvc EMDMgmt TabletInputService WPDBusEnum
LocalServiceNoNetwork PLA DPS BFE mpssvc

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{b10cd3c1-9a49-11dc-af34-001947aefeab}]
AutoRun\command- J:\Start.exe

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\>{22d6f312-b0f6-11d0-94ab-0080c74c7e95}]
C:\Windows\system32\unregmp2.exe /ShowWMP

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{6BF52A52-394A-11d3-B153-00C04F79FAA6}]
%SystemRoot%\system32\unregmp2.exe /FirstLogon /Shortcuts /RegBrowsers /ResetMUI

-- End of Deckard's System Scanner: finished at 2008-06-22 14:30:56 ------------

heres extra.txt,

Deckard's System Scanner v20071014.68
Extra logfile - please post this as an attachment with your post.
--------------------------------------------------------------------------------

-- System Information ----------------------------------------------------------

Microsoft® Windows Vista™ Home Basic (build 6000)
Architecture: X86; Language: English

CPU 0: Intel(R) Pentium(R) 4 CPU 3.00GHz
Percentage of Memory in Use: 80%
Physical Memory (total/avail): 1021 MiB / 198.78 MiB
Pagefile Memory (total/avail): 2290.37 MiB / 1152.21 MiB
Virtual Memory (total/avail): 2047.88 MiB / 1947.86 MiB

C: is Fixed (NTFS) - 215.44 GiB total, 119.99 GiB free.
D: is Fixed (NTFS) - 17.44 GiB total, 13.79 GiB free.
E: is CDROM (CDFS)
F: is Removable (No Media)
G: is Removable (No Media)
H: is Removable (No Media)
I: is Removable (No Media)
J: is CDROM (No Media)
K: is CDROM (No Media)

\\.\PHYSICALDRIVE0 - WDC WD2500BB-00RDA0 ATA Device - 232.88 GiB - 2 partitions
\PARTITION0 - Installable File System - 17.44 GiB - D:
\PARTITION1 (bootable) - Installable File System - 215.44 GiB - C:

\\.\PHYSICALDRIVE2 - Generic USB CF Reader USB Device

\\.\PHYSICALDRIVE4 - Generic USB MS Reader USB Device

\\.\PHYSICALDRIVE1 - Generic USB SD Reader USB Device

\\.\PHYSICALDRIVE3 - Generic USB SM Reader USB Device

-- Security Center -------------------------------------------------------------

AUOptions is scheduled to auto-install.
Windows Internal Firewall is enabled.

AV: AVG Anti-Virus v8.0 (AVG Technologies)
AS: AVG Anti-Virus v8.0 (AVG Technologies) Disabled
AS: Windows Defender v1.1.1505.0 (Microsoft Corporation)

[HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List]

[HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]

-- Environment Variables -------------------------------------------------------

ALLUSERSPROFILE=C:\ProgramData
APPDATA=C:\Users\Tom.House-PC\AppData\Roaming
CLASSPATH=.;C:\Program Files\Java\jre1.6.0\lib\ext\QTJava.zip
CommonProgramFiles=C:\Program Files\Common Files
COMPUTERNAME=HOUSE-PC
ComSpec=C:\Windows\system32\cmd.exe
FP_NO_HOST_CHECK=NO
HOMEDRIVE=C:
HOMEPATH=\Users\Tom.House-PC
LOCALAPPDATA=C:\Users\Tom.House-PC\AppData\Local
LOGONSERVER=\\HOUSE-PC
NUMBER_OF_PROCESSORS=2
OS=Windows_NT
Path=C:\Windows\system32;C:\Windows;C:\Windows\System32\Wbem;C:\Program Files\Samsung\Samsung PC Studio 3\;C:\Program Files\QuickTime\QTSystem\
PATHEXT=.COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC
PROCESSOR_ARCHITECTURE=x86
PROCESSOR_IDENTIFIER=x86 Family 15 Model 6 Stepping 5, GenuineIntel
PROCESSOR_LEVEL=15
PROCESSOR_REVISION=0605
ProgramData=C:\ProgramData
ProgramFiles=C:\Program Files
PROMPT=$P$G
PUBLIC=C:\Users\Public
QTJAVA=C:\Program Files\Java\jre1.6.0\lib\ext\QTJava.zip
SystemDrive=C:
SystemRoot=C:\Windows
TEMP=C:\Users\TOM~1.HOU\AppData\Local\Temp
TMP=C:\Users\TOM~1.HOU\AppData\Local\Temp
USERDOMAIN=House-PC
USERNAME=Tom
USERPROFILE=C:\Users\Tom.House-PC
windir=C:\Windows

-- User Profiles ---------------------------------------------------------------

House
Tom.House-PC

-- Add/Remove Programs ---------------------------------------------------------

--> C:\Program Files\DivX\DivXConverterUninstall.exe /CONVERTER
µTorrent --> "C:\Users\Tom.House-PC\Program Files\uTorrent\uTorrent.exe" /UNINSTALL
2007 Microsoft Office Suite Service Pack 1 (SP1) --> msiexec /package {90120000-0016-0409-0000-0000000FF1CE} /uninstall {4CA4ECC1-DBD4-4591-8F4C-AA12AD2D3E59}
2007 Microsoft Office Suite Service Pack 1 (SP1) --> msiexec /package {90120000-0018-0409-0000-0000000FF1CE} /uninstall {4CA4ECC1-DBD4-4591-8F4C-AA12AD2D3E59}
2007 Microsoft Office Suite Service Pack 1 (SP1) --> msiexec /package {90120000-001B-0409-0000-0000000FF1CE} /uninstall {4CA4ECC1-DBD4-4591-8F4C-AA12AD2D3E59}
2007 Microsoft Office Suite Service Pack 1 (SP1) --> msiexec /package {90120000-001F-0409-0000-0000000FF1CE} /uninstall {3EC77D26-799B-4CD8-914F-C1565E796173}
2007 Microsoft Office Suite Service Pack 1 (SP1) --> msiexec /package {90120000-001F-040C-0000-0000000FF1CE} /uninstall {430971B1-C31E-45DA-81E0-72C095BAB72C}
2007 Microsoft Office Suite Service Pack 1 (SP1) --> msiexec /package {90120000-001F-0C0A-0000-0000000FF1CE} /uninstall {F7A31780-33C4-4E39-951A-5EC9B91D7BF1}
2007 Microsoft Office Suite Service Pack 1 (SP1) --> msiexec /package {90120000-006E-0409-0000-0000000FF1CE} /uninstall {FAD8A83E-9BAC-4179-9268-A35948034D85}
2007 Microsoft Office Suite Service Pack 1 (SP1) --> msiexec /package {90120000-00A1-0409-0000-0000000FF1CE} /uninstall {4CA4ECC1-DBD4-4591-8F4C-AA12AD2D3E59}
2007 Microsoft Office Suite Service Pack 1 (SP1) --> msiexec /package {90120000-0115-0409-0000-0000000FF1CE} /uninstall {FAD8A83E-9BAC-4179-9268-A35948034D85}
2007 Microsoft Office Suite Service Pack 1 (SP1) --> msiexec /package {91120000-002F-0000-0000-0000000FF1CE} /uninstall {BEE75E01-DD3F-4D5F-B96C-609E6538D419}
Activation Assistant for the 2007 Microsoft Office suites --> "C:\ProgramData\{623D32E9-0C62-4453-AD44-98B31F52A5E1}\Microsoft Office Activation Assistant.exe" REMOVE=TRUE MODIFY=FALSE
Adobe AIR --> C:\Program Files\Common Files\Adobe AIR\Versions\1.0\Adobe AIR Updater.exe -arp:uninstall
Adobe AIR --> MsiExec.exe /I{00203668-8170-44A0-BE44-B632FA4D780F}
Adobe Flash Player ActiveX --> C:\Windows\system32\Macromed\Flash\uninstall_activeX.exe
Adobe Reader 8.1.2 --> MsiExec.exe /I{AC76BA86-7AD7-1033-7B44-A81200000003}
AIM 6 --> C:\Program Files\AIM6\uninst.exe
Alive PSP Video Converter (version 1.8.2.8) --> "C:\Program Files\AliveMedia\PSP Video Converter\unins000.exe"
Allied Assault Weather Enhancement --> C:\Users\Tom.House-PC\Desktop\MOHAA\main\sound\amb\Uninstal.exe
Allied Death Sounds --> C:\Users\Tom.House-PC\Desktop\MOHAA\main\sound\dialogue\Generic\A\death\Uninstal.exe
Apple Mobile Device Support --> MsiExec.exe /I{44734179-8A79-4DEE-BB08-73037F065543}
Apple Software Update --> MsiExec.exe /I{02DFF6B1-1654-411C-8D7B-FD6052EF016F}
AudioCommander --> "C:\Users\Public\Application Data\{CD08D33B-F39B-4A65-944A-A36FE20FB7BC}\setup_ac.exe" REMOVE=TRUE MODIFY=FALSE
AVG 8.0 --> C:\Program Files\AVG\AVG8\setup.exe /UNINSTALL
BannedStory --> MsiExec.exe /I{62C81505-65E8-BBFF-5A9B-23958770F694}
BannedStory 3.0 --> C:\Program Files\Common Files\Adobe AIR\Versions\1.0\Adobe AIR Application Installer.exe -uninstall bs.BannedStory B138736892407FF2891DACB3EC40AB4373DCB810.1
BigFix --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\11\00\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{34FF0741-EC67-4C05-AC2A-6D257123DF2E}\setup.exe" -l0x9 -uninst -f"C:\Program Files\BigFix\Uninst.isu" -c"C:\Program Files\BigFix\Lib\UninstallHelper.dll"
Bonjour --> MsiExec.exe /I{47BF1BD6-DCAC-468F-A0AD-E5DECC2211C3}
Call of Duty 4 Multiplayer Backup 0.9.2 --> "K:\Call of Duty 4 Multiplayer Backup\unins000.exe"
Call of Duty(R) 4 - Modern Warfare(TM) --> C:\Program Files\InstallShield Installation Information\{E48469CC-635E-4FD5-A122-1497C286D217}\setup.exe -runfromtemp -l0x0409
Call of Duty(R) 4 - Modern Warfare(TM) 1.3 Patch --> C:\Program Files\InstallShield Installation Information\{050C1C8E-4A4D-4C2F-B9AE-67E60EE91B7F}\setup.exe -runfromtemp -l0x0409
Call of Duty(R) 4 - Modern Warfare(TM) 1.4 Patch --> C:\Program Files\InstallShield Installation Information\{3BD633E0-4BF8-4499-9149-88F0767D449C}\setup.exe -runfromtemp -l0x0409
Call of Duty(R) 4 - Modern Warfare(TM) 1.5 Multiplayer Patch --> C:\Program Files\InstallShield Installation Information\{8503C901-85D7-4262-88D2-8D8B2A7B08B8}\setup.exe -runfromtemp -l0x0409
Call of Duty(R) 4 - Modern Warfare(TM) 1.6 Patch --> C:\Program Files\InstallShield Installation Information\{8A15B7D9-908A-4EF9-BA84-5AEDE61743EE}\setup.exe -runfromtemp -l0x0409
Comcast High-Speed Internet Install Wizard --> C:\Program Files\support.com\uninstall\chsi_uninstaller.exe
DivX Codec --> C:\Program Files\DivX\DivXCodecUninstall.exe /CODEC
DivX Content Uploader --> C:\Program Files\DivX\DivXContentUploaderUninstall.exe /CUPLOADER
DivX Converter --> C:\Program Files\DivX\DivXConverterUninstall.exe /CONVERTER
DivX Player --> C:\Program Files\DivX\DivXPlayerUninstall.exe /PLAYER
DivX Web Player --> C:\Program Files\DivX\DivXWebPlayerUninstall.exe /PLUGIN
eMachines Recovery Center Installer --> MsiExec.exe /X{7F3BCF8A-8E02-4659-AF25-F9AB66BD6718}
Freez 3GP Video Converter 2.0 --> "C:\Program Files\Smallvideosoft\Freez 3GP Video Converter\unins000.exe"
GearBox 3.20 (Remove Only) --> C:\Program Files\Line6\GearBox\Uninstall.exe
GIMP 2.4.6 --> "C:\Program Files\GIMP-2.0\setup\unins000.exe"
Google Toolbar for Internet Explorer --> MsiExec.exe /I{DBEA1034-5882-4A88-8033-81C4EF0CFA29}
Google Toolbar for Internet Explorer --> regsvr32 /u /s "c:\program files\google\googletoolbar1.dll"
Guitar Pro 5.2 --> "C:\Program Files\Guitar Pro 5\unins000.exe"
HijackThis 2.0.2 --> "C:\Program Files\Trend Micro\HijackThis\HijackThis.exe" /uninstall
Intel(R) Graphics Media Accelerator Driver --> C:\Windows\system32\igxpun.exe -uninstall
Intel(R) PRO Network Connections Drivers --> Prounstl.exe
iTunes --> MsiExec.exe /I{9F70BF98-003C-491D-81FC-FF9792206AF0}
Java(TM) SE Runtime Environment 6 --> MsiExec.exe /I{3248F0A8-6813-11D6-A77B-00B0D0160000}
LimeWire 4.14.10 --> "C:\Program Files\LimeWire\uninstall.exe"
Malwarebytes' Anti-Malware --> "C:\Program Files\Malwarebytes' Anti-Malware\unins000.exe"
MapleStory --> MsiExec.exe /I{0A41BC21-EA0F-4B0B-BEA4-2997B80DB0D9}
MapleStory --> MsiExec.exe /I{6918E1F4-0988-433C-A418-CC0BF87A7A2B}
Microsoft .NET Framework 1.1 --> msiexec.exe /X {CB2F7EDD-9D1F-43C1-90FC-4F52EAE172A1}
Microsoft .NET Framework 1.1 --> MsiExec.exe /X{CB2F7EDD-9D1F-43C1-90FC-4F52EAE172A1}
Microsoft .NET Framework 1.1 Hotfix (KB929729) --> "C:\Windows\Microsoft.NET\Framework\v1.1.4322\Updates\hotfix.exe" "C:\Windows\Microsoft.NET\Framework\v1.1.4322\Updates\M929729\M929729Uninstall.msp"
Microsoft Digital Image Starter Edition 2006 --> "C:\Program Files\Common Files\Microsoft Shared\Picture It!\RmvSuite.exe" ADDREMOVE=1 SKU=TRIAL VERSION=12
Microsoft Money 2006 --> "C:\Program Files\Microsoft Money 2006\MNYCoreFiles\Setup\uninst.exe" /s:120
Microsoft Office Excel MUI (English) 2007 --> MsiExec.exe /X{90120000-0016-0409-0000-0000000FF1CE}
Microsoft Office Home and Student 2007 --> "C:\Program Files\Common Files\Microsoft Shared\OFFICE12\Office Setup Controller\setup.exe" /uninstall HOMESTUDENTR /dll OSETUP.DLL
Microsoft Office Home and Student 2007 --> MsiExec.exe /X{91120000-002F-0000-0000-0000000FF1CE}
Microsoft Office OneNote MUI (English) 2007 --> MsiExec.exe /X{90120000-00A1-0409-0000-0000000FF1CE}
Microsoft Office PowerPoint MUI (English) 2007 --> MsiExec.exe /X{90120000-0018-0409-0000-0000000FF1CE}
Microsoft Office Proof (English) 2007 --> MsiExec.exe /X{90120000-001F-0409-0000-0000000FF1CE}
Microsoft Office Proof (French) 2007 --> MsiExec.exe /X{90120000-001F-040C-0000-0000000FF1CE}
Microsoft Office Proof (Spanish) 2007 --> MsiExec.exe /X{90120000-001F-0C0A-0000-0000000FF1CE}
Microsoft Office Proofing (English) 2007 --> MsiExec.exe /X{90120000-002C-0409-0000-0000000FF1CE}
Microsoft Office Shared MUI (English) 2007 --> MsiExec.exe /X{90120000-006E-0409-0000-0000000FF1CE}
Microsoft Office Shared Setup Metadata MUI (English) 2007 --> MsiExec.exe /X{90120000-0115-0409-0000-0000000FF1CE}
Microsoft Office Word MUI (English) 2007 --> MsiExec.exe /X{90120000-001B-0409-0000-0000000FF1CE}
Microsoft Visual C++ 2005 Redistributable --> MsiExec.exe /X{7299052b-02a4-4627-81f2-1818da5d550d}
Microsoft Works --> MsiExec.exe /I{6D52C408-B09A-4520-9B18-475B81D393F1}
Move Networks Media Player for Internet Explorer --> C:\Users\Tom.House-PC\AppData\Roaming\Move Networks\ie_bin\Uninst.exe
MSXML 4.0 SP2 (KB936181) --> MsiExec.exe /I{C04E32E0-0416-434D-AFB9-6969D703A9EF}
MSXML 4.0 SP2 (KB941833) --> MsiExec.exe /I{C523D256-313D-4866-B36A-F3DE528246EF}
Nikon RAW Codec --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\11\50\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{C8616041-2802-4DE2-B3BD-6285AAD65C2A}\Setup.exe" -l0x9 -removeonly
NVIDIA Drivers --> C:\Windows\system32\NVUNINST.EXE UninstallGUI
Panda ActiveScan 2.0 --> C:\Program Files\Panda Security\ActiveScan 2.0\as2uninst.exe
PowerISO --> "C:\Program Files\PowerISO\uninstall.exe"
PSP Video 9 2.25 --> C:\Program Files\Red Kawa\Video Converter\uninstaller.exe
QuickTime --> MsiExec.exe /I{08CA9554-B5FE-4313-938F-D4A417B81175}
RMWP --> C:\Users\Tom.House-PC\MOHAA\Uninstal.exe
Samsung Mobile phone USB driver Software --> C:\Windows\system32\Samsung_USB_Drivers\5\SSSDUninstall.exe
SAMSUNG Mobile USB Modem 1.0 Software --> C:\Windows\system32\Samsung_USB_Drivers\1\SS_Uninstall.exe
SAMSUNG Mobile USB Modem Software --> C:\Windows\system32\Samsung_USB_Drivers\2\SSM_Uninstall.exe
Samsung PC Studio 3 --> "C:\Program Files\InstallShield Installation Information\{C4A4722E-79F9-417C-BD72-8D359A090C97}\setup.exe" -runfromtemp -l0x0009 -removeonly
Scientific-Atlanta WebSTAR 2000 series Cable Modem --> UNDPX2A.EXE
Security Update for Excel 2007 (KB946974) --> msiexec /package {91120000-002F-0000-0000-0000000FF1CE} /uninstall {85E83E2E-AF9B-439B-B4F9-EB9B7EF6A00E}
Security Update for Microsoft Office system 2007 (KB951808) --> msiexec /package {91120000-002F-0000-0000-0000000FF1CE} /uninstall {8F375E11-4FD6-4B89-9E2B-A76D48B51E00}
Security Update for Microsoft Office Word 2007 (KB950113) --> msiexec /package {91120000-002F-0000-0000-0000000FF1CE} /uninstall {AD72BABE-C733-4FCF-9674-4314466191B9}
Security Update for Office 2007 (KB947801) --> msiexec /package {91120000-002F-0000-0000-0000000FF1CE} /uninstall {02B5A17B-01BE-4BA6-95F1-1CBB46EBC76E}
SigmaTel Audio --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\10\01\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{A462213D-EED4-42C2-9A60-7BDD4D4B0B17}\setup.exe" -l0x9 -remove -removeonly
Soft Data Fax Modem with SmartCP --> C:\Program Files\CONEXANT\CNXT_MODEM_PCI_VEN_14F1&DEV_2F40&SUBSYS_200014F1\HXFSETUP.EXE -U -IPDBRYCMzK.inf
SpywareBlaster 4.1 --> "C:\Program Files\SpywareBlaster\unins000.exe"
Update for Office 2007 (KB946691) --> msiexec /package {91120000-002F-0000-0000-0000000FF1CE} /uninstall {A420F522-7395-4872-9882-C591B4B92278}
Ventrilo Client --> MsiExec.exe /I{789289CA-F73A-4A16-A331-54D498CE069F}
VeohTV BETA --> C:\Program Files\InstallShield Installation Information\{0405E51E-9582-4207-8F38-AC44201D3808}\setup.exe -runfromtemp -l0x0409
Windows Live installer --> MsiExec.exe /X{A7E4ECCA-4A8E-4258-8EC8-2DCCF5B11320}
Windows Live Mail --> MsiExec.exe /I{184E7118-0295-43C4-B72C-1D54AA75AAF7}
Windows Live Messenger --> MsiExec.exe /X{508CE775-4BA4-4748-82DF-FE28DA9F03B0}
Windows Live Sign-in Assistant --> MsiExec.exe /I{AFA4E5FD-ED70-4D92-99D0-162FD56DC986}
WinRAR archiver --> C:\Program Files\WinRAR\uninstall.exe
Xfire (remove only) --> "C:\Program Files\Xfire\uninst.exe"
Xilisoft 3GP Video Converter --> C:\Program Files\Xilisoft\3GP Video Converter 3\Uninstall.exe

-- Application Event Log -------------------------------------------------------

Event Record #/Type17898 / Warning
Event Submitted/Written: 06/22/2008 11:26:08 AM
Event ID/Source: 1530 / profsvc
Event Description:
Windows detected your registry file is still in use by other applications or services. The file will be unloaded now. The applications or services that hold your registry file may not function properly afterwards.

DETAIL -
3 user registry handles leaked from \Registry\User\S-1-5-21-3167732007-3646572832-3566841481-1001:
Process 1204 (\Device\HarddiskVolume2\WINDOWS\System32\svchost.exe) has opened key \REGISTRY\USER\S-1-5-21-3167732007-3646572832-3566841481-1001\Software\Microsoft\SystemCertificates\SmartCardRoot
Process 1204 (\Device\HarddiskVolume2\WINDOWS\System32\svchost.exe) has opened key \REGISTRY\USER\S-1-5-21-3167732007-3646572832-3566841481-1001\Software\Microsoft\SystemCertificates\trust
Process 1204 (\Device\HarddiskVolume2\WINDOWS\System32\svchost.exe) has opened key \REGISTRY\USER\S-1-5-21-3167732007-3646572832-3566841481-1001\Software\Microsoft\SystemCertificates\Root

Event Record #/Type17891 / Warning
Event Submitted/Written: 06/22/2008 10:42:10 AM
Event ID/Source: 1530 / profsvc
Event Description:
Windows detected your registry file is still in use by other applications or services. The file will be unloaded now. The applications or services that hold your registry file may not function properly afterwards.

DETAIL -
1 user registry handles leaked from \Registry\User\S-1-5-21-3167732007-3646572832-3566841481-1001_Classes:
Process 1052 (\Device\HarddiskVolume2\WINDOWS\System32\svchost.exe) has opened key \REGISTRY\USER\S-1-5-21-3167732007-3646572832-3566841481-1001_CLASSES

Event Record #/Type17890 / Warning
Event Submitted/Written: 06/22/2008 10:42:09 AM
Event ID/Source: 1530 / profsvc
Event Description:
Windows detected your registry file is still in use by other applications or services. The file will be unloaded now. The applications or services that hold your registry file may not function properly afterwards.

DETAIL -
1 user registry handles leaked from \Registry\User\S-1-5-21-3167732007-3646572832-3566841481-1001:
Process 1052 (\Device\HarddiskVolume2\WINDOWS\System32\svchost.exe) has opened key \REGISTRY\USER\S-1-5-21-3167732007-3646572832-3566841481-1001

Event Record #/Type17880 / Warning
Event Submitted/Written: 06/22/2008 10:12:32 AM
Event ID/Source: 1530 / profsvc
Event Description:
Windows detected your registry file is still in use by other applications or services. The file will be unloaded now. The applications or services that hold your registry file may not function properly afterwards.

DETAIL -
1 user registry handles leaked from \Registry\User\S-1-5-21-3167732007-3646572832-3566841481-1002_Classes:
Process 1052 (\Device\HarddiskVolume2\WINDOWS\System32\svchost.exe) has opened key \REGISTRY\USER\S-1-5-21-3167732007-3646572832-3566841481-1002_CLASSES

Event Record #/Type17879 / Warning
Event Submitted/Written: 06/22/2008 10:12:31 AM
Event ID/Source: 1530 / profsvc
Event Description:
Windows detected your registry file is still in use by other applications or services. The file will be unloaded now. The applications or services that hold your registry file may not function properly afterwards.

DETAIL -
1 user registry handles leaked from \Registry\User\S-1-5-21-3167732007-3646572832-3566841481-1002:
Process 1052 (\Device\HarddiskVolume2\WINDOWS\System32\svchost.exe) has opened key \REGISTRY\USER\S-1-5-21-3167732007-3646572832-3566841481-1002

-- Security Event Log ----------------------------------------------------------

No Errors/Warnings found.

-- System Event Log ------------------------------------------------------------

Event Record #/Type57540 / Error
Event Submitted/Written: 06/22/2008 02:23:08 AM
Event ID/Source: 6 / ACPI
Event Description:
IRQARB: ACPI BIOS does not contain an IRQ for the device in PCI slot 2, function 0.
Please contact your system vendor for technical assistance.

Event Record #/Type57535 / Warning
Event Submitted/Written: 06/22/2008 02:22:10 AM
Event ID/Source: 4001 / Microsoft-Windows-WLAN-AutoConfig
Event Description:

Event Record #/Type57523 / Warning
Event Submitted/Written: 06/22/2008 02:02:44 AM
Event ID/Source: 3004 / WinDefend
Event Description:
%House-PC27 Real-Time Protection agent has detected changes. Microsoft recommends you analyze the software that made these changes for potential risks. You can use information about how these programs operate to choose whether to allow them to run or remove them from your computer. Allow changes only if you trust the program or the software publisher. %House-PC27 can't undo changes that you allow.

For more information please see the following:
%House-PC275

Scan ID: {396BD2DD-C088-4A1F-8927-7AA1458D07CA}

User: House-PC\Tom

Name: %House-PC271

ID: %House-PC272

Severity ID: %House-PC273

Category ID: %House-PC274

Path Found: %House-PC276

Alert Type: %House-PC278

Detection Type: 1.1.1505.02

Event Record #/Type57522 / Warning
Event Submitted/Written: 06/22/2008 02:02:39 AM
Event ID/Source: 3004 / WinDefend
Event Description:
%House-PC27 Real-Time Protection agent has detected changes. Microsoft recommends you analyze the software that made these changes for potential risks. You can use information about how these programs operate to choose whether to allow them to run or remove them from your computer. Allow changes only if you trust the program or the software publisher. %House-PC27 can't undo changes that you allow.

For more information please see the following:
%House-PC275

Scan ID: {B200BEFD-FEF9-4891-8590-FAD469DD94B0}

User: House-PC\Tom

Name: %House-PC271

ID: %House-PC272

Severity ID: %House-PC273

Category ID: %House-PC274

Path Found: %House-PC276

Alert Type: %House-PC278

Detection Type: 1.1.1505.02

Event Record #/Type57519 / Warning
Event Submitted/Written: 06/22/2008 01:52:11 AM
Event ID/Source: 3004 / WinDefend
Event Description:
%House-PC27 Real-Time Protection agent has detected changes. Microsoft recommends you analyze the software that made these changes for potential risks. You can use information about how these programs operate to choose whether to allow them to run or remove them from your computer. Allow changes only if you trust the program or the software publisher. %House-PC27 can't undo changes that you allow.

For more information please see the following:
%House-PC275

Scan ID: {CB636EC0-84F0-4F8D-BABA-B44BA209A775}

User: House-PC\Tom

Name: %House-PC271

ID: %House-PC272

Severity ID: %House-PC273

Category ID: %House-PC274

Path Found: %House-PC276

Alert Type: %House-PC278

Detection Type: 1.1.1505.02

-- End of Deckard's System Scanner: finished at 2008-06-22 14:30:56 ------------

tetonbob · 06-22-2008, 11:48 AM

Quote:

im still gonna need some help removeing some unwanted and hidden trojans in my computer

Are you receiving alerts still? If so, from what application, and what exactly are the alerts?

Things look pretty good from here, though we will still perform a couple more followup steps, after I get the answers to the above questions.

tomwall64 · 06-22-2008, 04:47 PM

yes but from 1 file, this is what my antivirus (AVG) says when there is anytype of scan on my computer, because its detected when opened.

a popup comes up and tells me this file,
C:\WINDOWS\System32\drivers\HdAudioo.sys
is a serious threat,
Trojan horse Agent.UKR
detected on open.

i havent seen the alert after that last scan and that scan said it was on deletion when i restarted the computer but i just want to make sure.

tetonbob · 06-22-2008, 07:00 PM

no problem. We're not quite done, but we've confirmed MBAM deleted that file.

From first DSS log:

2008-06-11 13:28:35 86144 -----n--- C:\Windows\system32\drivers\HdAudioo.sys

From MBAM log:

C:\WINDOWS\System32\drivers\HdAudioo.sys (Rootkit.Agent) -> Delete on reboot.

File no longer present in most recent DSS log.

================================

P2P - I see you have P2P software ( Limewire ) installed on your machine. We are not here to pass judgment on file-sharing as a concept. However, we will warn you that engaging in this activity and having this kind of software installed on your machine will always make you more susceptible to re-infections. It may be contributing to your current situation. This page will give you further information.

Please note: Even if you are using a "safe" P2P program, it is only the program that is safe. You will be sharing files from uncertified sources, and these are often infected. The bad guys use P2P filesharing as a major conduit to spread their wares.

References for the risk of these programs are here,
here and here.

I would strongly recommend that you uninstall them, however that choice is up to you. If you choose to remove these programs, you can do so via Control Panel >> Add or Remove Programs.

---------------------------------------------------------------------------------------------

Your Java is out of date. Older versions have vulnerabilities that malware can use to infect your system. Please follow these steps to remove older version Java components and update.

Download the latest version of Java Runtime Environment (JRE) 6 Update 6 and save it to your desktop.
Scroll down to where it says "Java Runtime Environment (JRE) 6 Update 6. The Java SE Runtime Environment (JRE) allows end-users to run Java applications."
Click the "Download" button to the right.
Select the Windows platform from the dropdown menu.
Read the License Agreement and then check the box that says: "Accept License Agreement". Click on Continue.The page will refresh.
Click on the link to download Windows Offline Installation and save the file to your desktop.
Close any programs you may have running - especially your web browser.
Go to Start > Settings > Control Panel, double-click on Add/Remove Programs and remove all older versions of Java.
Check (highlight) any item with Java Runtime Environment (JRE or J2SE) in the name.
Click the Remove or Change/Remove button.
Repeat as many times as necessary to remove each Java versions.
Reboot your computer once all Java components are removed.
Then from your desktop double-click on jre-6u6-windows-i586-p.exe to install the newest version.

After the install is complete, go into the Control Panel (using Classic View) and double-click the Java Icon. (looks like a coffee cup)
- On the General tab, under Temporary Internet Files, click the Settings button.
- Next, click on the Delete Files button
- There are two options in the window to clear the cache - Leave BOTH Checked
  - Applications and Applets
    Trace and Log Files
- Click OK on Delete Temporary Files Window
  Note: This deletes ALL the Downloaded Applications and Applets from the CACHE.
- Click OK to leave the Temporary Files Window
- Click OK to leave the Java Control Panel.

---------------------------------------------------------------------------------------------

Establish an internet connection & perform an online scan with Internet Explorer at Kaspersky Online Scanner

Vista Users: You must right click on your Internet Explorer shortcut, and selec Run as Administrator.

Click Accept, when prompted to download and install the program files and database of malware definitions.

Click Run at the Security prompt.
The program will then begin downloading and installing and will also update the database.
Please be patient as this can take several minutes.
Once the update is complete, click on My Computer under the green Scan bar to the left to start the scan.
Once the scan is complete, it will display if your system has been infected. It does not provide an option to clean/disinfect. We only require a report from it.
Do NOT be alarmed by what you see in the report. Many of the finds have likely been quarantined.
Click View scan report at the bottom.
Click the Save Report As... button.
Click the Save as Text button to save the file to your desktop so that you may post it in your next reply.

**Note**

To optimize scanning time and produce a more sensible report for review:

Close any open programs
Turn off the real time scanner of any existing antivirus program while performing the online scan.

Note for Internet Explorer 7 users: If at any time you have trouble viewing the accept button of the license, click on the Zoom tool located at the bottom right of the IE window and set the zoom to 75 %. Once the license accepted, reset to 100%.

---------------------------------------------------------------------------------------------

Open HijackThis (right click on HijackThis.exe and select "Run as an Administrator") and click on 'Do a System Scan and save a Logfile'. Save the log file and post it here.

---------------------------------------------------------------------------------------------

How is the machine behaving, please?

tomwall64 · 06-23-2008, 12:28 PM

the machine was running alot slower after the scan was finished so i restarted it and then it was fine, there hasnt been any popups or threats detected from my antivirus except some warnings for tracking cookies. i attactched a log from AVG about it.
heres my hijack this scanlog,

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 2:24:24 PM, on 6/22/2008
Platform: Windows Vista (WinNT 6.00.1904)
MSIE: Internet Explorer v7.00 (7.00.6000.16681)
Boot mode: Normal

Running processes:
C:\Windows\system32\Dwm.exe
C:\Windows\system32\taskeng.exe
C:\Windows\Explorer.EXE
C:\Program Files\Windows Defender\MSASCui.exe
C:\WINDOWS\System32\rundll32.exe
C:\Program Files\AVG\AVG8\avgtray.exe
C:\WINDOWS\System32\rundll32.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\AIM6\aim6.exe
C:\Program Files\Windows Live\Messenger\msnmsgr.exe
C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe
C:\Program Files\Xfire\xfire.exe
C:\Program Files\AIM6\aolsoftware.exe
C:\Program Files\Xfire\xfire.exe
C:\Program Files\Internet Explorer\IEUser.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\PROGRA~1\AVG\AVG8\aAvgApi.exe
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLLoginProxy.exe
C:\Users\Tom.House-PC\Downloads\dss.exe
C:\Windows\system32\taskeng.exe
C:\PROGRA~1\TRENDM~1\HIJACK~1\Tom.exe
C:\Program Files\Ventrilo\Ventrilo.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.gateway.com/g/startpage.h...ys=DTP&M=T3604
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.comcast.net/
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.gateway.com/g/sidepanel.h...ys=DTP&M=T3604
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Windows Internet Explorer provided by Comcast
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = :0
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O1 - Hosts: ::1 localhost
O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - (no file)
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG8\avgssie.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0\bin\ssv.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: AVGTOOLBAR - {A057A204-BACC-4D26-9990-79A187E2698E} - C:\PROGRA~1\AVG\AVG8\AVGTOO~1.DLL
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: (no name) - {0BF43445-2F28-4351-9252-17FE6E806AA0} - (no file)
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: Veoh Browser Plug-in - {D0943516-5076-4020-A3B5-AEFAF26AB263} - C:\Program Files\Veoh Networks\Veoh\Plugins\reg\VeohToolbar.dll
O3 - Toolbar: AVGTOOLBAR - {A057A204-BACC-4D26-9990-79A187E2698E} - C:\PROGRA~1\AVG\AVG8\AVGTOO~1.DLL
O4 - HKLM\..\Run: [Windows Defender] %ProgramFiles%\Windows Defender\MSASCui.exe -hide
O4 - HKLM\..\Run: [IgfxTray] C:\Windows\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\Windows\system32\hkcmd.exe
O4 - HKLM\..\Run: [Persistence] C:\Windows\system32\igfxpers.exe
O4 - HKLM\..\Run: [SigmatelSysTrayApp] sttray.exe
O4 - HKLM\..\Run: [BigFix] c:\program files\Bigfix\bigfix.exe /atstartup
O4 - HKLM\..\Run: [DmwClient] "dmwclient.exe"
O4 - HKLM\..\Run: [NvSvc] RUNDLL32.EXE C:\Windows\system32\nvsvc.dll,nvsvcStart
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\Windows\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\Windows\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe
O4 - HKLM\..\Run: [PWRISOVM.EXE] C:\Program Files\PowerISO\PWRISOVM.EXE
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [Malwarebytes Anti-Malware Reboot] "C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe" /runcleanupscript
O4 - HKCU\..\Run: [Aim6] "C:\Program Files\AIM6\aim6.exe" /d locale=en-US ee://aol/imApp
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\Windows Live\Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [Veoh] "C:\Program Files\Veoh Networks\Veoh\VeohClient.exe" /VeohHide
O4 - HKUS\S-1-5-19\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\Run: [WindowsWelcomeCenter] rundll32.exe oobefldr.dll,ShowWelcomeCenter (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'NETWORK SERVICE')
O4 - Startup: Xfire.lnk = C:\Program Files\Xfire\xfire.exe
O4 - Global Startup: BigFix.lnk = C:\Program Files\BigFix\bigfix.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0\bin\npjpi160.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0\bin\npjpi160.dll
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
O13 - Gopher Prefix:
O15 - Trusted Zone: *.line6.net
O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://appldnld.apple.com.edgesuite....x/qtplugin.cab
O16 - DPF: {2D8ED06D-3C30-438B-96AE-4D110FDC1FB8} (ActiveScan 2.0 Installer Class) - http://acs.pandasoftware.com/actives.../as2stubie.cab
O16 - DPF: {CF40ACC5-E1BB-4AFF-AC72-04C2F616BCA7} (get_atlcom Class) - http://www.adobe.com/products/acrobat/nos/gp.cab
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll
O20 - AppInit_DLLs: avgrsstx.dll
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: AVG8 E-mail Scanner (avg8emc) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgemc.exe
O23 - Service: AVG8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: PnkBstrA - Unknown owner - C:\Windows\system32\PnkBstrA.exe
O23 - Service: SigmaTel Audio Service (STacSV) - SigmaTel, Inc. - C:\Program Files\SigmaTel\C-Major Audio\WDM\STacSV.exe
O23 - Service: XAudioService - Conexant Systems, Inc. - C:\Windows\system32\DRIVERS\xaudio.exe

--
End of file - 8094 bytes

i cant seem to find the log from kaspersky, i saved it to my desktop and i tried to look it up but its not saved. im certain i saved it. i only had 2 threats.

tetonbob · 06-23-2008, 01:19 PM

I'm a bit unclear about some things.

That log you've attached is from Panda ActiveScan. ANALYSIS: 2008-06-21 07:44:54, before our removal procedures. So, the main threats it found have been removed.

I'd really need to see the Kaspersky log to know what the threats are.

Also, the HijackThis log is not new.

Quote:

Scan saved at 2:24:24 PM, on 6/22/2008

This is the same time stamp of the previous log.

Did you right click on HijackThis and select Run As Administrator? HijackThis must be run this way for subsequent scans, or it just grabs the last log. A quirk of Vista.

Please try again, and also try once more to find the kaspersky scan, or run the scan again.

tomwall64 · 06-23-2008, 09:08 PM

im sorry but ive tried scaning again and ive saved it a million times but i cant find the files. ive ran it as Administrator but it still didnt work. but here is the hijack this log,

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 12:11:30 AM, on 6/24/2008
Platform: Windows Vista (WinNT 6.00.1904)
MSIE: Internet Explorer v7.00 (7.00.6000.16681)
Boot mode: Normal

Running processes:
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Program Files\Windows Defender\MSASCui.exe
C:\WINDOWS\System32\rundll32.exe
C:\WINDOWS\System32\rundll32.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Java\jre1.6.0_06\bin\jusched.exe
C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe
C:\Windows\System32\mobsync.exe
C:\Windows\system32\taskeng.exe
C:\Program Files\Internet Explorer\ieuser.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\PROGRA~1\AVG\AVG8\aAvgApi.exe
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLLoginProxy.exe
C:\Program Files\Ventrilo\Ventrilo.exe
C:\Program Files\Xfire\xfire.exe
C:\Program Files\Xfire\xfire.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.gateway.com/g/startpage.h...ys=DTP&M=T3604
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.comcast.net/
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.gateway.com/g/sidepanel.h...ys=DTP&M=T3604
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Windows Internet Explorer provided by Comcast
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = :0
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O1 - Hosts: ::1 localhost
O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - (no file)
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG8\avgssie.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_06\bin\ssv.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: AVGTOOLBAR - {A057A204-BACC-4D26-9990-79A187E2698E} - C:\PROGRA~1\AVG\AVG8\AVGTOO~1.DLL
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: (no name) - {0BF43445-2F28-4351-9252-17FE6E806AA0} - (no file)
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: Veoh Browser Plug-in - {D0943516-5076-4020-A3B5-AEFAF26AB263} - C:\Program Files\Veoh Networks\Veoh\Plugins\reg\VeohToolbar.dll
O3 - Toolbar: AVGTOOLBAR - {A057A204-BACC-4D26-9990-79A187E2698E} - C:\PROGRA~1\AVG\AVG8\AVGTOO~1.DLL
O4 - HKLM\..\Run: [Windows Defender] %ProgramFiles%\Windows Defender\MSASCui.exe -hide
O4 - HKLM\..\Run: [IgfxTray] C:\Windows\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\Windows\system32\hkcmd.exe
O4 - HKLM\..\Run: [Persistence] C:\Windows\system32\igfxpers.exe
O4 - HKLM\..\Run: [SigmatelSysTrayApp] sttray.exe
O4 - HKLM\..\Run: [BigFix] c:\program files\Bigfix\bigfix.exe /atstartup
O4 - HKLM\..\Run: [DmwClient] "dmwclient.exe"
O4 - HKLM\..\Run: [NvSvc] RUNDLL32.EXE C:\Windows\system32\nvsvc.dll,nvsvcStart
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\Windows\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\Windows\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe
O4 - HKLM\..\Run: [PWRISOVM.EXE] C:\Program Files\PowerISO\PWRISOVM.EXE
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_06\bin\jusched.exe"
O4 - HKCU\..\Run: [Aim6] "C:\Program Files\AIM6\aim6.exe" /d locale=en-US ee://aol/imApp
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\Windows Live\Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [Veoh] "C:\Program Files\Veoh Networks\Veoh\VeohClient.exe" /VeohHide
O4 - HKCU\..\Run: [Steam] "C:\Program Files\Steam\Steam.exe" -silent
O4 - HKUS\S-1-5-19\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\Run: [WindowsWelcomeCenter] rundll32.exe oobefldr.dll,ShowWelcomeCenter (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'NETWORK SERVICE')
O4 - Startup: Xfire.lnk = C:\Program Files\Xfire\xfire.exe
O4 - Global Startup: BigFix.lnk = C:\Program Files\BigFix\bigfix.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_06\bin\ssv.dll
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
O13 - Gopher Prefix:
O15 - Trusted Zone: *.line6.net
O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://appldnld.apple.com.edgesuite....x/qtplugin.cab
O16 - DPF: {2D8ED06D-3C30-438B-96AE-4D110FDC1FB8} (ActiveScan 2.0 Installer Class) - http://acs.pandasoftware.com/actives.../as2stubie.cab
O16 - DPF: {CF40ACC5-E1BB-4AFF-AC72-04C2F616BCA7} (get_atlcom Class) - http://www.adobe.com/products/acrobat/nos/gp.cab
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll
O20 - AppInit_DLLs: avgrsstx.dll
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: AVG8 E-mail Scanner (avg8emc) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgemc.exe
O23 - Service: AVG8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: PnkBstrA - Unknown owner - C:\Windows\system32\PnkBstrA.exe
O23 - Service: PnkBstrB - Unknown owner - C:\Windows\system32\PnkBstrB.exe
O23 - Service: SigmaTel Audio Service (STacSV) - SigmaTel, Inc. - C:\Program Files\SigmaTel\C-Major Audio\WDM\STacSV.exe
O23 - Service: Steam Client Service - Valve Corporation - C:\Program Files\Common Files\Steam\SteamService.exe
O23 - Service: XAudioService - Conexant Systems, Inc. - C:\Windows\system32\DRIVERS\xaudio.exe

--
End of file - 8181 bytes

tetonbob · 06-23-2008, 09:41 PM

Do you recall the name of the file you saved it as?

Do you still have the scan window open, or is it closed already?

Did you run Internet Explorer as Administrator?

Quote:

Vista Users: You must right click on your Internet Explorer shortcut, and select Run as Administrator.

If you do not, the log will get saved in a virtualized environment. This sounds like what's happened. I recall when I used this scanner on Vista the first time, I had similar experience.

Did you see an image like this?

If so...you would need to click on Yes. Then, Click on C > Users > {User Name} > Desktop > {name of file kas scan was saved as}

The file can then be opened/copied/moved/posted, etc....

It's possible Kaspersky found only what we removed already with OTMI or MBAM, but I'd be remiss if I sent you away without knowing for sure.

tetonbob · 06-23-2008, 09:56 PM

If the Browser has been closed, you should be able to navigate to this location:

C:\Users\<your username>\AppData\Local\Microsoft\Windows\Temporary Internet Files\Virtualized\C\Users\<your username>\desktop (or wherever it was you saved the file)

tomwall64 · 06-24-2008, 12:09 AM

ok ive found it after the last post u sent for the location of the file
heres kaspersky scanlog,

--------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER 7 REPORT
Monday, June 23, 2008
Operating System: Microsoft Windows Vista Home Basic Edition, 32-bit (build 6000)
Kaspersky Online Scanner 7 version: 7.0.25.0
Program database last update: Monday, June 23, 2008 22:19:36
Records in database: 881000
--------------------------------------------------------------------------------

Scan settings:
Scan using the following database: extended
Scan archives: yes
Scan mail databases: yes

Scan area - My Computer:
C:\
D:\
E:\
F:\
G:\
H:\
I:\
J:\
K:\

Scan statistics:
Files scanned: 126355
Threat name: 2
Infected objects: 2
Suspicious objects: 0
Duration of the scan: 03:29:52

File name / Threat name / Threats count
C:\Deckard\System Scanner\20080622142023\backup\Users\TOM~1.HOU\AppData\Local\Temp\msupdt.exe Infected: Trojan-Downloader.Win32.Injecter.tz 1
C:\_OTMoveIt\MovedFiles\06222008_014843\Users\All Users\Adsl Software Limited\WinSpywareProtect\WinSpywareProtect.exe Infected: not-a-virus:FraudTool.Win32.WinSpywareProtect.v 1

The selected area was scanned.

tetonbob · 06-24-2008, 08:25 AM

Good job of perseverance!

As suspected, but now confirmed, Kaspersky has found only items which are in backup locations. This next step will eliminate those.

Please right click on OTMoveit2.exe and select "Run as an Administrator" to run it. Click on the Cleanup button. Follow the prompts. If you get a warning from your firewall or other security programs regarding OTMoveIt attempting to contact the internet you should allow it to do so. The system may require a reboot to complete this step. Please allow it.

===========================================

Your logs appear clean.You should be good to go. We still have a few items to address.

Reset hidden/system files and folders

To disable the viewing of Hidden files follow these steps:

1. Close all programs so that you are at your desktop.
2. Click on the Start button. This is the small round button with the Windows flag in the lower left corner.
3. Click on the Control Panel menu option.
4. When the control panel opens you can either be in Classic View or Control Panel Home view:

If you are in the Classic View do the following:
1. Double-click on the Folder Options icon.
2. Click on the View tab.
3. Go to step 5.

If you are in the Control Panel Home view do the following:
1. Click on the Appearance and Personalization link .
2. Click on Show Hidden Files or Folders.
3. Go to step 5.

5. Under the Hidden files and folders section select the radio button labeled Do Not Show hidden files and folders.
6. Place a checkmark in the checkbox labeled Hide extensions for known file types.
7. Place a checkmark in the checkbox labeled Hide protected operating system files.
8. Press the Apply button and then the OK button and close My Computer.
9. Now Windows Vista is configured to hide all hidden files, as is designed by default..

Clear & Reset System Restore's Cache

1. Open System by clicking the Start button , clicking Control Panel, clicking System and Maintenance, and then clicking System.

2. In the left pane, click System Protection. If you are prompted for an administrator password or confirmation, type the password or provide confirmation.

3. To turn off System Protection and clear old points, clear the check box next to the disk, and then click OK.

4. Next, To turn on System Protection, select the check box next to the disk, and then click OK.

Update Windows

Microsoft releases patches for Windows and Office products regularly to patch up Windows and Office products loopholes and fix any bugs found. Please ensure that you visit the following websites regularly or do update your system regularly.

Install the updates immediately if they are found. Reboot your computer if necessary, revisit Windows Update and Office update sites until there are no more updates to be installed.

To update Windows, click on Start > Windows Update (or Start > All Programs > Windows Update if you are using the new Vista Start Menu). If the Windows Update is not found there, go to this link - http://update.microsoft.com/ .

Now that you are clean, to help protect your computer in the future I recommend that you get the following free programs if you don't have them already:

SpywareBlaster to help prevent spyware from installing in the first place.
- Install & update SpywareBlaster with the latest definitions.
  After you have updated, click the button - enable protection for all unprotected items
.
SPYBOT - SEARCH & DESTROY
Download and install Spybot - Search & Destroy with its TeaTimer option. This will provide realtime spyware & hijacker protection on your computer alongside your virus protection. You should also scan your computer with the program on a regular basis just as you would an antivirus software. A tutorial on installing & using this product can be found here
Winpatrol

Winpatrol is heuristic protection program, meaning it looks for patterns in codes that work like malware. It also takes a snapshot of your system's critical resources and alerts you to any changes that may occur without you knowing. You can read more about Winpatrol's features here.

You can get a free copy of Winpatrol or use the Plus version for more features.

You can read Winpatrol's FAQ if you run into problems.

In light of your recent troubles, I'm sure you'll like to avoid any future infections. Please take a look at these well written articles

If you want to fight back the Malware Writers that have made your life a misery, please take a look here and read what you can do against it.

Please respond to this thread one more time so we can mark this thread as resolved.

06-15-2008, 02:11 PM	#1 (permalink)
tomwall64 Registered User Join Date: Jun 2008 Posts: 20 OS: vista home basic	maware and trojans my computer says i have alot of trojans and cookie trackers or whatever because i keep getring alot of popups. also i have this one security program that i never downloaded and its anoying me because it keeps telling me to buy a license and it give me a warning (it directs me to a different page) everytime i go on the internet, and since i have avg and this security program (winsywareprotect) my computer is very slow. i dont know how to get rid of it because its not on my progams list when i try to uninstall it. i looked at the thread to remove the programs that give me popups (which i did) but i still get them. i also downloaded hijackthis and did a scan so here is the scan log. Logfile of HijackThis v1.99.1 Scan saved at 4:35:04 PM, on 6/15/2008 Platform: Unknown Windows (WinNT 6.00.1904) MSIE: Internet Explorer v7.00 (7.00.6000.16681) Running processes: C:\Windows\system32\Dwm.exe C:\Windows\system32\taskeng.exe C:\Program Files\Windows Defender\MSASCui.exe C:\WINDOWS\System32\rundll32.exe C:\Program Files\iTunes\iTunesHelper.exe C:\Program Files\AVG\AVG8\avgtray.exe C:\Program Files\AIM6\aim6.exe C:\Program Files\Windows Live\Messenger\msnmsgr.exe C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe C:\WINDOWS\System32\rundll32.exe C:\WINDOWS\System32\rundll32.exe C:\ProgramData\Adsl Software Limited\WinSpywareProtect\WinSpywareProtect.exe C:\Program Files\Xfire\xfire.exe C:\Program Files\AIM6\aolsoftware.exe C:\Program Files\Internet Explorer\ieuser.exe C:\Program Files\Internet Explorer\iexplore.exe C:\PROGRA~1\AVG\AVG8\aAvgApi.exe C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLLoginProxy.exe C:\Windows\explorer.exe C:\Windows\system32\Macromed\Flash\FlashUtil9f.exe C:\Program Files\Internet Explorer\iexplore.exe C:\Program Files\WinRAR\WinRAR.exe C:\Users\TOM~1.HOU\AppData\Local\Temp\Rar$EX00.937\HijackThis.exe R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896 R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.gateway.com/g/startpage.h...ys=DTP&M=T3604 R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896 R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896 R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.comcast.net/ R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.comcast.net/toolbar2.0/search/ R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Windows Internet Explorer provided by Comcast R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = :0 R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = O1 - Hosts: ::1 localhost O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - (no file) O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll O2 - BHO: CenterLock module - {18CB1A7B-94CD-4582-8022-ADA16851E44B} - (no file) O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG8\avgssie.dll O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0\bin\ssv.dll O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file) O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll O2 - BHO: AVGTOOLBAR - {A057A204-BACC-4D26-9990-79A187E2698E} - C:\PROGRA~1\AVG\AVG8\AVGTOO~1.DLL O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll O3 - Toolbar: (no name) - {0BF43445-2F28-4351-9252-17FE6E806AA0} - (no file) O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll O3 - Toolbar: AVGTOOLBAR - {A057A204-BACC-4D26-9990-79A187E2698E} - C:\PROGRA~1\AVG\AVG8\AVGTOO~1.DLL O3 - Toolbar: Veoh Browser Plug-in - {D0943516-5076-4020-A3B5-AEFAF26AB263} - C:\Program Files\Veoh Networks\Veoh\Plugins\reg\VeohToolbar.dll O4 - HKLM\..\Run: [Windows Defender] %ProgramFiles%\Windows Defender\MSASCui.exe -hide O4 - HKLM\..\Run: [IgfxTray] C:\Windows\system32\igfxtray.exe O4 - HKLM\..\Run: [HotKeysCmds] C:\Windows\system32\hkcmd.exe O4 - HKLM\..\Run: [Persistence] C:\Windows\system32\igfxpers.exe O4 - HKLM\..\Run: [SigmatelSysTrayApp] sttray.exe O4 - HKLM\..\Run: [BigFix] c:\program files\Bigfix\bigfix.exe /atstartup O4 - HKLM\..\Run: [DmwClient] "dmwclient.exe" O4 - HKLM\..\Run: [NvSvc] RUNDLL32.EXE C:\Windows\system32\nvsvc.dll,nvsvcStart O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\Windows\system32\NvCpl.dll,NvStartup O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\Windows\system32\NvMcTray.dll,NvTaskbarInit O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe" O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe O4 - HKCU\..\Run: [Aim6] "C:\Program Files\AIM6\aim6.exe" /d locale=en-US ee://aol/imApp O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\Windows Live\Messenger\MsnMsgr.Exe" /background O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe O4 - HKCU\..\Run: [Veoh] "C:\Program Files\Veoh Networks\Veoh\VeohClient.exe" /VeohHide O4 - HKCU\..\Run: [MSServer] rundll32.exe C:\Users\TOM~1.HOU\AppData\Local\Temp\awttsqRL.dll,#1 O4 - HKCU\..\Run: [b0261bf0] rundll32.exe "C:\Users\TOM~1.HOU\AppData\Local\Temp\vwsmeapp.dll",b O4 - HKCU\..\Run: [BMb315286c] Rundll32.exe "C:\Users\TOM~1.HOU\AppData\Local\Temp\usjflepv.dll",s O4 - HKCU\..\Run: [WinSpywareProtect] "C:\ProgramData\Adsl Software Limited\WinSpywareProtect\WinSpywareProtect.exe" /autorun O4 - Startup: Xfire.lnk = C:\Program Files\Xfire\xfire.exe O4 - Global Startup: BigFix.lnk = C:\Program Files\BigFix\bigfix.exe O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000 O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0\bin\npjpi160.dll O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0\bin\npjpi160.dll O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL O10 - Unknown file in Winsock LSP: c:\windows\system32\nlaapi.dll O10 - Unknown file in Winsock LSP: c:\windows\system32\napinsp.dll O10 - Unknown file in Winsock LSP: c:\program files\bonjour\mdnsnsp.dll O11 - Options group: [INTERNATIONAL] International* O13 - Gopher Prefix: O15 - Trusted Zone: .line6.net O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://appldnld.apple.com.edgesuite....x/qtplugin.cab O16 - DPF: {CF40ACC5-E1BB-4AFF-AC72-04C2F616BCA7} (get_atlcom Class) - http://www.adobe.com/products/acrobat/nos/gp.cab O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\WI1F86~1\MESSEN~1\MSGRAP~1.DLL O18 - Protocol: ms-help - {314111C7-A502-11D2-BBCA-00C04F8EC294} - C:\Program Files\Common Files\Microsoft Shared\Help\hxds.dll O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\WI1F86~1\MESSEN~1\MSGRAP~1.DLL O18 - Protocol: wlmailhtml - {03C514A3-1EFB-4856-9F99-10D7BE1653C0} - C:\Program Files\Windows Live\Mail\mailcomm.dll O18 - Filter hijack: text/xml - {807563E5-5146-11D5-A672-00B0D022E945} - C:\PROGRA~1\COMMON~1\MICROS~1\OFFICE12\MSOXMLMF.DLL O20 - AppInit_DLLs: avgrsstx.dll O20 - Winlogon Notify: igfxcui - C:\Windows\SYSTEM32\igfxdev.dll O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe O23 - Service: AVG8 E-mail Scanner (avg8emc) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgemc.exe O23 - Service: AVG8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe O23 - Service: PnkBstrA - Unknown owner - C:\Windows\system32\PnkBstrA.exe O23 - Service: @%SystemRoot%\system32\qwave.dll,-1 (QWAVE) - Unknown owner - %windir%\system32\svchost.exe (file missing) O23 - Service: @%SystemRoot%\system32\seclogon.dll,-7001 (seclogon) - Unknown owner - %windir%\system32\svchost.exe (file missing) O23 - Service: SigmaTel Audio Service (STacSV) - SigmaTel, Inc. - C:\Program Files\SigmaTel\C-Major Audio\WDM\STacSV.exe O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exe O23 - Service: @%ProgramFiles%\Windows Media Player\wmpnetwk.exe,-101 (WMPNetworkSvc) - Unknown owner - %ProgramFiles%\Windows Media Player\wmpnetwk.exe (file missing) O23 - Service: XAudioService - Conexant Systems, Inc. - C:\Windows\system32\DRIVERS\xaudio.exe Moderators Message* Please be considerate of the fact that the people helping you are all volunteers, and in many cases usually have a job, and a limited amount of time to help, and therefore can only do so much. If no one has replied to your thread within 72hrs after you posted, please reply in your thread with the words BUMP, please to move it forward. DO NOT Bump the thread unless 72 hours has passed. We work from oldest to newest posts so your wait will be longer if you bump it forward before the 72 hours is up. We look for 0 reply, or 1 reply threads to respond to. Early bump posts will be deleted. Last edited by TheBruce1; 06-16-2008 at 02:39 PM.

06-16-2008, 01:09 PM	#2 (permalink)
tomwall64 Registered User Join Date: Jun 2008 Posts: 20 OS: vista home basic	help with popups i keep getting popups but my computer is not blocking them, i have my popup blocker on and the settings are set to high but nothing. also when i do a scan on AVG i have alot of warnings for tracking cookies. heres my scanlog. Logfile of HijackThis v1.99.1 Scan saved at 4:07:35 PM, on 6/16/2008 Platform: Unknown Windows (WinNT 6.00.1904) MSIE: Internet Explorer v7.00 (7.00.6000.16681) Running processes: C:\Windows\system32\Dwm.exe C:\Windows\system32\taskeng.exe C:\Program Files\Windows Defender\MSASCui.exe C:\WINDOWS\System32\rundll32.exe C:\Program Files\iTunes\iTunesHelper.exe C:\Program Files\AVG\AVG8\avgtray.exe C:\Program Files\AIM6\aim6.exe C:\Program Files\Windows Live\Messenger\msnmsgr.exe C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe C:\WINDOWS\System32\rundll32.exe C:\WINDOWS\System32\rundll32.exe C:\Program Files\Xfire\xfire.exe C:\Program Files\AIM6\aolsoftware.exe C:\Program Files\AVG\AVG8\avgui.exe C:\Windows\explorer.exe C:\Program Files\Internet Explorer\ieuser.exe C:\Program Files\Internet Explorer\iexplore.exe C:\PROGRA~1\AVG\AVG8\aAvgApi.exe C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLLoginProxy.exe C:\Users\Tom.House-PC\Desktop\HijackThis.exe R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896 R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.gateway.com/g/startpage.h...ys=DTP&M=T3604 R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896 R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896 R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.comcast.net/ R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.comcast.net/toolbar2.0/search/ R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Windows Internet Explorer provided by Comcast R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = :0 R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = O1 - Hosts: ::1 localhost O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - (no file) O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll O2 - BHO: CenterLock module - {18CB1A7B-94CD-4582-8022-ADA16851E44B} - (no file) O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG8\avgssie.dll O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0\bin\ssv.dll O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file) O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll O2 - BHO: AVGTOOLBAR - {A057A204-BACC-4D26-9990-79A187E2698E} - C:\PROGRA~1\AVG\AVG8\AVGTOO~1.DLL O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll O3 - Toolbar: (no name) - {0BF43445-2F28-4351-9252-17FE6E806AA0} - (no file) O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll O3 - Toolbar: AVGTOOLBAR - {A057A204-BACC-4D26-9990-79A187E2698E} - C:\PROGRA~1\AVG\AVG8\AVGTOO~1.DLL O3 - Toolbar: Veoh Browser Plug-in - {D0943516-5076-4020-A3B5-AEFAF26AB263} - C:\Program Files\Veoh Networks\Veoh\Plugins\reg\VeohToolbar.dll O4 - HKLM\..\Run: [Windows Defender] %ProgramFiles%\Windows Defender\MSASCui.exe -hide O4 - HKLM\..\Run: [IgfxTray] C:\Windows\system32\igfxtray.exe O4 - HKLM\..\Run: [HotKeysCmds] C:\Windows\system32\hkcmd.exe O4 - HKLM\..\Run: [Persistence] C:\Windows\system32\igfxpers.exe O4 - HKLM\..\Run: [SigmatelSysTrayApp] sttray.exe O4 - HKLM\..\Run: [BigFix] c:\program files\Bigfix\bigfix.exe /atstartup O4 - HKLM\..\Run: [DmwClient] "dmwclient.exe" O4 - HKLM\..\Run: [NvSvc] RUNDLL32.EXE C:\Windows\system32\nvsvc.dll,nvsvcStart O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\Windows\system32\NvCpl.dll,NvStartup O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\Windows\system32\NvMcTray.dll,NvTaskbarInit O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe" O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe O4 - HKCU\..\Run: [Aim6] "C:\Program Files\AIM6\aim6.exe" /d locale=en-US ee://aol/imApp O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\Windows Live\Messenger\MsnMsgr.Exe" /background O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe O4 - HKCU\..\Run: [Veoh] "C:\Program Files\Veoh Networks\Veoh\VeohClient.exe" /VeohHide O4 - HKCU\..\Run: [MSServer] rundll32.exe C:\Users\TOM~1.HOU\AppData\Local\Temp\awttsqRL.dll,#1 O4 - HKCU\..\Run: [b0261bf0] rundll32.exe "C:\Users\TOM~1.HOU\AppData\Local\Temp\vwsmeapp.dll",b O4 - HKCU\..\Run: [BMb315286c] Rundll32.exe "C:\Users\TOM~1.HOU\AppData\Local\Temp\usjflepv.dll",s O4 - Startup: Xfire.lnk = C:\Program Files\Xfire\xfire.exe O4 - Global Startup: BigFix.lnk = C:\Program Files\BigFix\bigfix.exe O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000 O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0\bin\npjpi160.dll O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0\bin\npjpi160.dll O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL O10 - Unknown file in Winsock LSP: c:\windows\system32\nlaapi.dll O10 - Unknown file in Winsock LSP: c:\windows\system32\napinsp.dll O10 - Unknown file in Winsock LSP: c:\program files\bonjour\mdnsnsp.dll O11 - Options group: [INTERNATIONAL] International* O13 - Gopher Prefix: O15 - Trusted Zone: *.line6.net O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://appldnld.apple.com.edgesuite....x/qtplugin.cab O16 - DPF: {CF40ACC5-E1BB-4AFF-AC72-04C2F616BCA7} (get_atlcom Class) - http://www.adobe.com/products/acrobat/nos/gp.cab O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\WI1F86~1\MESSEN~1\MSGRAP~1.DLL O18 - Protocol: ms-help - {314111C7-A502-11D2-BBCA-00C04F8EC294} - C:\Program Files\Common Files\Microsoft Shared\Help\hxds.dll O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\WI1F86~1\MESSEN~1\MSGRAP~1.DLL O18 - Protocol: wlmailhtml - {03C514A3-1EFB-4856-9F99-10D7BE1653C0} - C:\Program Files\Windows Live\Mail\mailcomm.dll O18 - Filter hijack: text/xml - {807563E5-5146-11D5-A672-00B0D022E945} - C:\PROGRA~1\COMMON~1\MICROS~1\OFFICE12\MSOXMLMF.DLL O20 - AppInit_DLLs: avgrsstx.dll O20 - Winlogon Notify: igfxcui - C:\Windows\SYSTEM32\igfxdev.dll O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe O23 - Service: AVG8 E-mail Scanner (avg8emc) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgemc.exe O23 - Service: AVG8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe O23 - Service: PnkBstrA - Unknown owner - C:\Windows\system32\PnkBstrA.exe O23 - Service: @%SystemRoot%\system32\qwave.dll,-1 (QWAVE) - Unknown owner - %windir%\system32\svchost.exe (file missing) O23 - Service: @%SystemRoot%\system32\seclogon.dll,-7001 (seclogon) - Unknown owner - %windir%\system32\svchost.exe (file missing) O23 - Service: SigmaTel Audio Service (STacSV) - SigmaTel, Inc. - C:\Program Files\SigmaTel\C-Major Audio\WDM\STacSV.exe O23 - Service: @%ProgramFiles%\Windows Media Player\wmpnetwk.exe,-101 (WMPNetworkSvc) - Unknown owner - %ProgramFiles%\Windows Media Player\wmpnetwk.exe (file missing) O23 - Service: XAudioService - Conexant Systems, Inc. - C:\Windows\system32\DRIVERS\xaudio.exe plz help me!

06-21-2008, 11:20 PM	#8 (permalink)
tomwall64 Registered User Join Date: Jun 2008 Posts: 20 OS: vista home basic	Re: maware and trojans heres my OTmoveit2 results C:\Windows\SG91c2U moved successfully. C:\Windows\system32\xnet2 moved successfully. C:\Windows\system32\tz moved successfully. C:\Windows\system32\brem moved successfully. C:\Windows\system32\3057 moved successfully. C:\Windows\system32\vntiho06 moved successfully. C:\Users\All Users\Adsl Software Limited\WinSpywareProtect\SAVED moved successfully. C:\Users\All Users\Adsl Software Limited\WinSpywareProtect\LOG moved successfully. C:\Users\All Users\Adsl Software Limited\WinSpywareProtect\DELETED moved successfully. C:\Users\All Users\Adsl Software Limited\WinSpywareProtect\BASE moved successfully. C:\Users\All Users\Adsl Software Limited\WinSpywareProtect moved successfully. C:\Users\All Users\Adsl Software Limited moved successfully. OTMoveIt2 by OldTimer - Version 1.0.4.2 log created on 06222008_014843 heres my scanlog but i had a problem removing some of the objects, this is the error i recieved, "certain items could not be removed! the first few are listed below. all items that could not be removed have been added to the delete on reboot list please restart your computer now. a logfile was saved to the logs folder. C:\WINDOWS\System32\drivers\HdAudioo.sys C:\WINDOWS\System32\drivers\core.cache.dsk your computer needs to be restarted to complete the removal process. would you like to continue? Yes/No" so heres the log, Malwarebytes' Anti-Malware 1.18 Database version: 876 2:02:36 AM 6/22/2008 mbam-log-6-22-2008 (02-02-36).txt Scan type: Quick Scan Objects scanned: 37450 Time elapsed: 5 minute(s), 15 second(s) Memory Processes Infected: 0 Memory Modules Infected: 0 Registry Keys Infected: 28 Registry Values Infected: 4 Registry Data Items Infected: 0 Folders Infected: 4 Files Infected: 10 Memory Processes Infected: (No malicious items detected) Memory Modules Infected: (No malicious items detected) Registry Keys Infected: HKEY_CLASSES_ROOT\centerlock.centerlock (Trojan.BHO) -> Quarantined and deleted successfully. HKEY_CLASSES_ROOT\centerlock.centerlock.1 (Trojan.BHO) -> Quarantined and deleted successfully. HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{18cb1a7b-94cd-4582-8022-ada16851e44b} (Trojan.BHO) -> Quarantined and deleted successfully. HKEY_CLASSES_ROOT\Typelib\{8b8df25f-2c47-4473-8e1c-7f54ac7ef481} (Trojan.BHO) -> Quarantined and deleted successfully. HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{7c4bcd17-bdba-4078-9d8c-8ca8b7eabe77} (Rogue.Multiple) -> Quarantined and deleted successfully. HKEY_CLASSES_ROOT\CLSID\{c108ae59-c97f-4517-8b74-5590be3c2a82} (Trojan.Vundo) -> Quarantined and deleted successfully. HKEY_CLASSES_ROOT\CLSID\{2587f5f9-bcdf-4076-98ef-afc65c5bd816} (Trojan.Vundo) -> Quarantined and deleted successfully. HKEY_CLASSES_ROOT\CLSID\{bd3c6f7c-6c8d-48f6-ac52-5e4071aeb257} (Trojan.Vundo) -> Quarantined and deleted successfully. HKEY_CLASSES_ROOT\shoppingreport.iebutton (Adware.Shopping.Report) -> Quarantined and deleted successfully. HKEY_CLASSES_ROOT\shoppingreport.iebutton.1 (Adware.Shopping.Report) -> Quarantined and deleted successfully. HKEY_CLASSES_ROOT\shoppingreport.hbinfoband (Adware.Shopping.Report) -> Quarantined and deleted successfully. HKEY_CLASSES_ROOT\shoppingreport.hbinfoband.1 (Adware.Shopping.Report) -> Quarantined and deleted successfully. HKEY_CLASSES_ROOT\shoppingreport.iebuttona (Adware.Shopping.Report) -> Quarantined and deleted successfully. HKEY_CLASSES_ROOT\shoppingreport.iebuttona.1 (Adware.Shopping.Report) -> Quarantined and deleted successfully. HKEY_CLASSES_ROOT\shoppingreport.hbax (Adware.Shopping.Report) -> Quarantined and deleted successfully. HKEY_CLASSES_ROOT\shoppingreport.hbax.1 (Adware.Shopping.Report) -> Quarantined and deleted successfully. HKEY_CLASSES_ROOT\shoppingreport.rprtctrl (Adware.Shopping.Report) -> Quarantined and deleted successfully. HKEY_CLASSES_ROOT\shoppingreport.rprtctrl.1 (Adware.Shopping.Report) -> Quarantined and deleted successfully. HKEY_CLASSES_ROOT\Interface\{8ad9ad05-36be-4e40-ba62-5422eb0d02fb} (Adware.Shopping.Report) -> Quarantined and deleted successfully. HKEY_CLASSES_ROOT\Interface\{aebf09e2-0c15-43c8-99bf-928c645d98a0} (Adware.Shopping.Report) -> Quarantined and deleted successfully. HKEY_CLASSES_ROOT\Typelib\{cdca70d8-c6a6-49ee-9bed-7429d6c477a2} (Adware.Shopping.Report) -> Quarantined and deleted successfully. HKEY_CLASSES_ROOT\Typelib\{d136987f-e1c4-4ccc-a220-893df03ec5df} (Adware.Shopping.Report) -> Quarantined and deleted successfully. HKEY_CURRENT_USER\Software\NetProject (Trojan.Zlob) -> Quarantined and deleted successfully. HKEY_CURRENT_USER\Software\Adsl Software Limited (Rogue.MalWarrior) -> Quarantined and deleted successfully. HKEY_CURRENT_USER\Software\Microsoft\rdfa (Trojan.Vundo) -> Quarantined and deleted successfully. HKEY_CLASSES_ROOT\videoPl.chl (Trojan.Zlob) -> Quarantined and deleted successfully. HKEY_CURRENT_USER\Software\ShoppingReport (Adware.Shopping.Report) -> Quarantined and deleted successfully. HKEY_LOCAL_MACHINE\SOFTWARE\ShoppingReport (Adware.Shopping.Report) -> Quarantined and deleted successfully. Registry Values Infected: HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser\{07aa283a-43d7-4cbe-a064-32a21112d94d} (Adware.Zango) -> Quarantined and deleted successfully. HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\New Windows\Allow\.securewebinfo.com (Trojan.Zlob) -> Quarantined and deleted successfully. HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\New Windows\Allow\.safetyincludes.com (Trojan.Zlob) -> Quarantined and deleted successfully. HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\New Windows\Allow\*.securemanaging.com (Trojan.Zlob) -> Quarantined and deleted successfully. Registry Data Items Infected: (No malicious items detected) Folders Infected: C:\Program Files\ShoppingReport (Adware.Shopping.Report) -> Quarantined and deleted successfully. C:\Program Files\ShoppingReport\Bin (Adware.Shopping.Report) -> Quarantined and deleted successfully. C:\Program Files\ShoppingReport\Bin\2.5.0 (Adware.Shopping.Report) -> Quarantined and deleted successfully. C:\Users\Tom.House-PC\AppData\Roaming\Microsoft\dtsc (Trojan.Agent) -> Quarantined and deleted successfully. Files Infected: C:\WINDOWS\System32\drivers\HdAudioo.sys (Rootkit.Agent) -> Delete on reboot. C:\Program Files\ShoppingReport\Bin\2.5.0\ShoppingReport.dll (Adware.Shopping.Report) -> Quarantined and deleted successfully. C:\Users\Tom.House-PC\AppData\Roaming\Microsoft\dtsc\s (Trojan.Agent) -> Quarantined and deleted successfully. C:\WINDOWS\System32\pac.txt (Malware.Trace) -> Quarantined and deleted successfully. C:\WINDOWS\System32\atmtd.dll._ (Trojan.Agent) -> Quarantined and deleted successfully. C:\WINDOWS\System32\drivers\core.cache.dsk (Malware.Trace) -> Delete on reboot. C:\Users\Tom.House-PC\My Documents\My Music\My Music.url (Trojan.Zlob) -> Quarantined and deleted successfully. C:\Users\Tom.House-PC\My Documents\My Pictures\My Pictures.url (Trojan.Zlob) -> Quarantined and deleted successfully. C:\Users\Tom.House-PC\My Documents\My Videos\My Video.url (Trojan.Zlob) -> Quarantined and deleted successfully. C:\Users\Tom.House-PC\My Documents\My Documents.url (Trojan.Zlob) -> Quarantined and deleted successfully.

06-22-2008, 07:49 AM	#9 (permalink)
tetonbob Manager, Security Center, TSF Academy; Analyst, Security Team Join Date: Jan 2005 Location: Transylvania County, North Carolina, USA Posts: 32,567 OS: 2000 Pro; XP Pro; XP Home	Re: maware and trojans Hi, that's not an error message, simply an advisement that mbam needed to reboot to complete the removals of some items. Did you click on Yes? There's no need for the extra large fonts. I won't overlook your comments. Thanks. Let's make sure it's gone. Please run Deckard's System Scanner once again, this time using these instructions: Click the Windows key + R > then copy/paste this into the run box & click OK "C:\Users\Tom.House-PC\Downloads\dss.exe" /config Click on "Check All" Click Scan! When finished, it shall produce two logs for you. Post those logs in your next reply. __________________ Practice Safe Surfing PC Safety and Security--What Do I Need? Because what you don't know, CAN hurt you. Proud Member of ASAP since 2005 Proud Member of UNITE since 2006 Please do not ask for help via Private Message. Last edited by tetonbob; 06-22-2008 at 07:51 AM.

06-22-2008, 04:47 PM	#12 (permalink)
tomwall64 Registered User Join Date: Jun 2008 Posts: 20 OS: vista home basic	Re: maware and trojans yes but from 1 file, this is what my antivirus (AVG) says when there is anytype of scan on my computer, because its detected when opened. a popup comes up and tells me this file, C:\WINDOWS\System32\drivers\HdAudioo.sys is a serious threat, Trojan horse Agent.UKR detected on open. i havent seen the alert after that last scan and that scan said it was on deletion when i restarted the computer but i just want to make sure.

06-22-2008, 07:00 PM	#13 (permalink)
tetonbob Manager, Security Center, TSF Academy; Analyst, Security Team Join Date: Jan 2005 Location: Transylvania County, North Carolina, USA Posts: 32,567 OS: 2000 Pro; XP Pro; XP Home	Re: maware and trojans no problem. We're not quite done, but we've confirmed MBAM deleted that file. From first DSS log: 2008-06-11 13:28:35 86144 -----n--- C:\Windows\system32\drivers\HdAudioo.sys From MBAM log: C:\WINDOWS\System32\drivers\HdAudioo.sys (Rootkit.Agent) -> Delete on reboot. File no longer present in most recent DSS log. ================================ P2P - I see you have P2P software ( Limewire ) installed on your machine. We are not here to pass judgment on file-sharing as a concept. However, we will warn you that engaging in this activity and having this kind of software installed on your machine will always make you more susceptible to re-infections. It may be contributing to your current situation. This page will give you further information. Please note: Even if you are using a "safe" P2P program, it is only the program that is safe. You will be sharing files from uncertified sources, and these are often infected. The bad guys use P2P filesharing as a major conduit to spread their wares. References for the risk of these programs are here, here and here. I would strongly recommend that you uninstall them, however that choice is up to you. If you choose to remove these programs, you can do so via Control Panel >> Add or Remove Programs. --------------------------------------------------------------------------------------------- Your Java is out of date. Older versions have vulnerabilities that malware can use to infect your system. Please follow these steps to remove older version Java components and update. Download the latest version of Java Runtime Environment (JRE) 6 Update 6 and save it to your desktop. Scroll down to where it says "Java Runtime Environment (JRE) 6 Update 6. The Java SE Runtime Environment (JRE) allows end-users to run Java applications." Click the "Download" button to the right. Select the Windows platform from the dropdown menu. Read the License Agreement and then check the box that says: "Accept License Agreement". Click on Continue.The page will refresh. Click on the link to download Windows Offline Installation and save the file to your desktop. Close any programs you may have running - especially your web browser. Go to Start > Settings > Control Panel, double-click on Add/Remove Programs and remove all older versions of Java. Check (highlight) any item with Java Runtime Environment (JRE or J2SE) in the name. Click the Remove or Change/Remove button. Repeat as many times as necessary to remove each Java versions. Reboot your computer once all Java components are removed. Then from your desktop double-click on jre-6u6-windows-i586-p.exe to install the newest version. After the install is complete, go into the Control Panel (using Classic View) and double-click the Java Icon. (looks like a coffee cup) On the General tab, under Temporary Internet Files, click the Settings button. Next, click on the Delete Files button There are two options in the window to clear the cache - Leave BOTH Checked Applications and Applets Trace and Log Files Click OK on Delete Temporary Files Window Note: This deletes ALL the Downloaded Applications and Applets from the CACHE. Click OK to leave the Temporary Files Window Click OK to leave the Java Control Panel. --------------------------------------------------------------------------------------------- Establish an internet connection & perform an online scan with Internet Explorer at Kaspersky Online Scanner Vista Users: You must right click on your Internet Explorer shortcut, and selec Run as Administrator. Click Accept, when prompted to download and install the program files and database of malware definitions. Click Run at the Security prompt. The program will then begin downloading and installing and will also update the database. Please be patient as this can take several minutes. Once the update is complete, click on My Computer under the green Scan bar to the left to start the scan. Once the scan is complete, it will display if your system has been infected. It does not provide an option to clean/disinfect. We only require a report from it. Do NOT be alarmed by what you see in the report. Many of the finds have likely been quarantined. Click View scan report at the bottom. Click the Save Report As... button. Click the Save as Text button to save the file to your desktop so that you may post it in your next reply. Note To optimize scanning time and produce a more sensible report for review: Close any open programs Turn off the real time scanner of any existing antivirus program while performing the online scan. Note for Internet Explorer 7 users: If at any time you have trouble viewing the accept button of the license, click on the Zoom tool located at the bottom right of the IE window and set the zoom to 75 %. Once the license accepted, reset to 100%. --------------------------------------------------------------------------------------------- Open HijackThis (right click on HijackThis.exe and select "Run as an Administrator") and click on 'Do a System Scan and save a Logfile'. Save the log file and post it here. --------------------------------------------------------------------------------------------- How is the machine behaving, please? __________________ Practice Safe Surfing PC Safety and Security--What Do I Need? Because what you don't know, CAN hurt you. Proud Member of ASAP since 2005 Proud Member of UNITE since 2006 Please do not ask for help via Private Message.

06-23-2008, 09:08 PM	#16 (permalink)
tomwall64 Registered User Join Date: Jun 2008 Posts: 20 OS: vista home basic	Re: maware and trojans im sorry but ive tried scaning again and ive saved it a million times but i cant find the files. ive ran it as Administrator but it still didnt work. but here is the hijack this log, Logfile of Trend Micro HijackThis v2.0.2 Scan saved at 12:11:30 AM, on 6/24/2008 Platform: Windows Vista (WinNT 6.00.1904) MSIE: Internet Explorer v7.00 (7.00.6000.16681) Boot mode: Normal Running processes: C:\Windows\system32\Dwm.exe C:\Windows\Explorer.EXE C:\Program Files\Windows Defender\MSASCui.exe C:\WINDOWS\System32\rundll32.exe C:\WINDOWS\System32\rundll32.exe C:\Program Files\iTunes\iTunesHelper.exe C:\Program Files\Java\jre1.6.0_06\bin\jusched.exe C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe C:\Windows\System32\mobsync.exe C:\Windows\system32\taskeng.exe C:\Program Files\Internet Explorer\ieuser.exe C:\Program Files\Internet Explorer\iexplore.exe C:\PROGRA~1\AVG\AVG8\aAvgApi.exe C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLLoginProxy.exe C:\Program Files\Ventrilo\Ventrilo.exe C:\Program Files\Xfire\xfire.exe C:\Program Files\Xfire\xfire.exe C:\Program Files\Trend Micro\HijackThis\HijackThis.exe R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896 R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.gateway.com/g/startpage.h...ys=DTP&M=T3604 R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896 R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896 R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.comcast.net/ R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.gateway.com/g/sidepanel.h...ys=DTP&M=T3604 R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Windows Internet Explorer provided by Comcast R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = :0 R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = O1 - Hosts: ::1 localhost O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - (no file) O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG8\avgssie.dll O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_06\bin\ssv.dll O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file) O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll O2 - BHO: AVGTOOLBAR - {A057A204-BACC-4D26-9990-79A187E2698E} - C:\PROGRA~1\AVG\AVG8\AVGTOO~1.DLL O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll O3 - Toolbar: (no name) - {0BF43445-2F28-4351-9252-17FE6E806AA0} - (no file) O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll O3 - Toolbar: Veoh Browser Plug-in - {D0943516-5076-4020-A3B5-AEFAF26AB263} - C:\Program Files\Veoh Networks\Veoh\Plugins\reg\VeohToolbar.dll O3 - Toolbar: AVGTOOLBAR - {A057A204-BACC-4D26-9990-79A187E2698E} - C:\PROGRA~1\AVG\AVG8\AVGTOO~1.DLL O4 - HKLM\..\Run: [Windows Defender] %ProgramFiles%\Windows Defender\MSASCui.exe -hide O4 - HKLM\..\Run: [IgfxTray] C:\Windows\system32\igfxtray.exe O4 - HKLM\..\Run: [HotKeysCmds] C:\Windows\system32\hkcmd.exe O4 - HKLM\..\Run: [Persistence] C:\Windows\system32\igfxpers.exe O4 - HKLM\..\Run: [SigmatelSysTrayApp] sttray.exe O4 - HKLM\..\Run: [BigFix] c:\program files\Bigfix\bigfix.exe /atstartup O4 - HKLM\..\Run: [DmwClient] "dmwclient.exe" O4 - HKLM\..\Run: [NvSvc] RUNDLL32.EXE C:\Windows\system32\nvsvc.dll,nvsvcStart O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\Windows\system32\NvCpl.dll,NvStartup O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\Windows\system32\NvMcTray.dll,NvTaskbarInit O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe O4 - HKLM\..\Run: [PWRISOVM.EXE] C:\Program Files\PowerISO\PWRISOVM.EXE O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe" O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_06\bin\jusched.exe" O4 - HKCU\..\Run: [Aim6] "C:\Program Files\AIM6\aim6.exe" /d locale=en-US ee://aol/imApp O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\Windows Live\Messenger\MsnMsgr.Exe" /background O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe O4 - HKCU\..\Run: [Veoh] "C:\Program Files\Veoh Networks\Veoh\VeohClient.exe" /VeohHide O4 - HKCU\..\Run: [Steam] "C:\Program Files\Steam\Steam.exe" -silent O4 - HKUS\S-1-5-19\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'LOCAL SERVICE') O4 - HKUS\S-1-5-19\..\Run: [WindowsWelcomeCenter] rundll32.exe oobefldr.dll,ShowWelcomeCenter (User 'LOCAL SERVICE') O4 - HKUS\S-1-5-20\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'NETWORK SERVICE') O4 - Startup: Xfire.lnk = C:\Program Files\Xfire\xfire.exe O4 - Global Startup: BigFix.lnk = C:\Program Files\BigFix\bigfix.exe O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000 O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_06\bin\ssv.dll O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_06\bin\ssv.dll O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL O13 - Gopher Prefix: O15 - Trusted Zone: .line6.net O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://appldnld.apple.com.edgesuite....x/qtplugin.cab O16 - DPF: {2D8ED06D-3C30-438B-96AE-4D110FDC1FB8} (ActiveScan 2.0 Installer Class) - http://acs.pandasoftware.com/actives.../as2stubie.cab O16 - DPF: {CF40ACC5-E1BB-4AFF-AC72-04C2F616BCA7} (get_atlcom Class) - http://www.adobe.com/products/acrobat/nos/gp.cab O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll O20 - AppInit_DLLs: avgrsstx.dll O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe O23 - Service: AVG8 E-mail Scanner (avg8emc) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgemc.exe O23 - Service: AVG8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe O23 - Service: PnkBstrA - Unknown owner - C:\Windows\system32\PnkBstrA.exe O23 - Service: PnkBstrB - Unknown owner - C:\Windows\system32\PnkBstrB.exe O23 - Service: SigmaTel Audio Service (STacSV) - SigmaTel, Inc. - C:\Program Files\SigmaTel\C-Major Audio\WDM\STacSV.exe O23 - Service: Steam Client Service - Valve Corporation - C:\Program Files\Common Files\Steam\SteamService.exe O23 - Service: XAudioService - Conexant Systems, Inc. - C:\Windows\system32\DRIVERS\xaudio.exe -- End of file - 8181 bytes Last edited by tomwall64; 06-23-2008 at 09:12 PM.*

06-23-2008, 09:56 PM	#18 (permalink)
tetonbob Manager, Security Center, TSF Academy; Analyst, Security Team Join Date: Jan 2005 Location: Transylvania County, North Carolina, USA Posts: 32,567 OS: 2000 Pro; XP Pro; XP Home	Re: maware and trojans If the Browser has been closed, you should be able to navigate to this location: C:\Users\<your username>\AppData\Local\Microsoft\Windows\Temporary Internet Files\Virtualized\C\Users\<your username>\desktop (or wherever it was you saved the file) __________________ Practice Safe Surfing PC Safety and Security--What Do I Need? Because what you don't know, CAN hurt you. Proud Member of ASAP since 2005 Proud Member of UNITE since 2006 Please do not ask for help via Private Message.

06-24-2008, 12:09 AM	#19 (permalink)
tomwall64 Registered User Join Date: Jun 2008 Posts: 20 OS: vista home basic	Re: maware and trojans ok ive found it after the last post u sent for the location of the file heres kaspersky scanlog, -------------------------------------------------------------------------------- KASPERSKY ONLINE SCANNER 7 REPORT Monday, June 23, 2008 Operating System: Microsoft Windows Vista Home Basic Edition, 32-bit (build 6000) Kaspersky Online Scanner 7 version: 7.0.25.0 Program database last update: Monday, June 23, 2008 22:19:36 Records in database: 881000 -------------------------------------------------------------------------------- Scan settings: Scan using the following database: extended Scan archives: yes Scan mail databases: yes Scan area - My Computer: C:\ D:\ E:\ F:\ G:\ H:\ I:\ J:\ K:\ Scan statistics: Files scanned: 126355 Threat name: 2 Infected objects: 2 Suspicious objects: 0 Duration of the scan: 03:29:52 File name / Threat name / Threats count C:\Deckard\System Scanner\20080622142023\backup\Users\TOM~1.HOU\AppData\Local\Temp\msupdt.exe Infected: Trojan-Downloader.Win32.Injecter.tz 1 C:\_OTMoveIt\MovedFiles\06222008_014843\Users\All Users\Adsl Software Limited\WinSpywareProtect\WinSpywareProtect.exe Infected: not-a-virus:FraudTool.Win32.WinSpywareProtect.v 1 The selected area was scanned.

06-24-2008, 08:25 AM	#20 (permalink)
tetonbob Manager, Security Center, TSF Academy; Analyst, Security Team Join Date: Jan 2005 Location: Transylvania County, North Carolina, USA Posts: 32,567 OS: 2000 Pro; XP Pro; XP Home	Re: maware and trojans Good job of perseverance! As suspected, but now confirmed, Kaspersky has found only items which are in backup locations. This next step will eliminate those. Please right click on OTMoveit2.exe and select "Run as an Administrator" to run it. Click on the Cleanup button. Follow the prompts. If you get a warning from your firewall or other security programs regarding OTMoveIt attempting to contact the internet you should allow it to do so. The system may require a reboot to complete this step. Please allow it. =========================================== Your logs appear clean.You should be good to go. We still have a few items to address. Reset hidden/system files and folders To disable the viewing of Hidden files follow these steps: 1. Close all programs so that you are at your desktop. 2. Click on the Start button. This is the small round button with the Windows flag in the lower left corner. 3. Click on the Control Panel menu option. 4. When the control panel opens you can either be in Classic View or Control Panel Home view: If you are in the Classic View do the following: 1. Double-click on the Folder Options icon. 2. Click on the View tab. 3. Go to step 5. If you are in the Control Panel Home view do the following: 1. Click on the Appearance and Personalization link . 2. Click on Show Hidden Files or Folders. 3. Go to step 5. 5. Under the Hidden files and folders section select the radio button labeled Do Not Show hidden files and folders. 6. Place a checkmark in the checkbox labeled Hide extensions for known file types. 7. Place a checkmark in the checkbox labeled Hide protected operating system files. 8. Press the Apply button and then the OK button and close My Computer. 9. Now Windows Vista is configured to hide all hidden files, as is designed by default.. Clear & Reset System Restore's Cache 1. Open System by clicking the Start button , clicking Control Panel, clicking System and Maintenance, and then clicking System. 2. In the left pane, click System Protection. If you are prompted for an administrator password or confirmation, type the password or provide confirmation. 3. To turn off System Protection and clear old points, clear the check box next to the disk, and then click OK. 4. Next, To turn on System Protection, select the check box next to the disk, and then click OK. Update Windows Microsoft releases patches for Windows and Office products regularly to patch up Windows and Office products loopholes and fix any bugs found. Please ensure that you visit the following websites regularly or do update your system regularly. Install the updates immediately if they are found. Reboot your computer if necessary, revisit Windows Update and Office update sites until there are no more updates to be installed. To update Windows, click on Start > Windows Update (or Start > All Programs > Windows Update if you are using the new Vista Start Menu). If the Windows Update is not found there, go to this link - http://update.microsoft.com/ . Now that you are clean, to help protect your computer in the future I recommend that you get the following free programs if you don't have them already: SpywareBlaster to help prevent spyware from installing in the first place. Install & update SpywareBlaster with the latest definitions. After you have updated, click the button - enable protection for all unprotected items . SPYBOT - SEARCH & DESTROY Download and install Spybot - Search & Destroy with its TeaTimer option. This will provide realtime spyware & hijacker protection on your computer alongside your virus protection. You should also scan your computer with the program on a regular basis just as you would an antivirus software. A tutorial on installing & using this product can be found here Winpatrol Winpatrol is heuristic protection program, meaning it looks for patterns in codes that work like malware. It also takes a snapshot of your system's critical resources and alerts you to any changes that may occur without you knowing. You can read more about Winpatrol's features here. You can get a free copy of Winpatrol or use the Plus version for more features. You can read Winpatrol's FAQ if you run into problems. In light of your recent troubles, I'm sure you'll like to avoid any future infections. Please take a look at these well written articles HOW DID I GET INFECTED IN THE FIRST PLACE? THE ANTI-SPYWARE TUTORIAL MAKING INTERNET EXPLORER SAFER If you want to fight back the Malware Writers that have made your life a misery, please take a look here and read what you can do against it. Please respond to this thread one more time so we can mark this thread as resolved. __________________ Practice Safe Surfing PC Safety and Security--What Do I Need? Because what you don't know, CAN hurt you. Proud Member of ASAP since 2005 Proud Member of UNITE since 2006 Please do not ask for help via Private Message.