Discussion Starter · #1 ·
I am having some serious issues with my laptop. I would have loved to go through all the steps (mentioned in the first post), if it was possible.
Here is the deal. Something has taken over my computer. I got my HijackThis log, which took me about an hour to get. It took me about 10 minutes to actually get the desktop to come up after I logged in. Then I clicked on HijackThis, and about another 10 minutes later the icon on the desktop finally highlighted. Then about another 15 minutes later, the program finally opened. Then I waited another 30 minutes for the scan to finish. Something is running on my computer that is taking over everything. My CPU is always at 100% use, and I have no clue what is causing this. So if someone can look over my HijackThis log and let me know if you see what can be causing this problem...I will be ever grateful to you.... It would mean the world to me....Thank you guys for all your help & your time!!


Logfile of HijackThis v1.99.1
Scan saved at 6:25:37 AM, on 1/26/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.5730.0011)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\TGTSoft\StyleXP\StyleXPService.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\Program Files\CyberLink\Shared files\RichVideo.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Documents and Settings\MissLani\Desktop\HijackThis.exe
C:\Documents and Settings\MissLani\Desktop\HijackThis.exe
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\Common Files\{E04762CB-0A61-1033-0503-050406240001}\Update.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\svchost.exe
C:\Program Files\Symantec\LiveUpdate\AUpdate.exe
C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
C:\Program Files\Symantec\LiveUpdate\LuCallbackProxy.exe

O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {30904729-F021-4730-8670-C11C2FE5FDA2} - C:\WINDOWS\system32\vtssr.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_09\bin\ssv.dll
O2 - BHO: (no name) - {9476B23E-74F5-4A22-B701-5D19562301FB} - C:\WINDOWS\system32\urqpqpq.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O2 - BHO: TGTSoft Explorer Toolbar Changer - {C333CF63-767F-4831-94AC-E683D962C63C} - C:\Program Files\TGTSoft\StyleXP\TGT_BHO.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_09\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_09\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?LinkID=39204
O16 - DPF: {193C772A-87BE-4B19-A7BB-445B226FE9A1} (ewidoOnlineScan Control) - http://downloads.ewido.net/ewidoOnlineScan.cab
O16 - DPF: {25365FF3-2746-4230-9DA7-163CCA318309} (Automatic Driver Installation Control) - http://inst.c-wss.com/n024p/EN/install/gtdownlr.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1161599833173
O20 - Winlogon Notify: urqpqpq - C:\WINDOWS\SYSTEM32\urqpqpq.dll
O20 - Winlogon Notify: vtssr - C:\WINDOWS\system32\vtssr.dll
O20 - Winlogon Notify: winyxm32 - C:\WINDOWS\SYSTEM32\winyxm32.dll
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Command Service (cmdService) - Unknown owner - C:\WINDOWS\TWlzc0xhbmk\command.exe (file missing)
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: Norton AntiVirus Auto-Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: NBService - Nero AG - C:\Program Files\Nero\Nero 7\Nero BackItUp\NBService.exe
O23 - Service: Cyberlink RichVideo Service(CRVS) (RichVideo) - Unknown owner - C:\Program Files\CyberLink\Shared files\RichVideo.exe
O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton AntiVirus\SAVScan.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: ServiceLayer - Nokia. - C:\Program Files\Common Files\PCSuite\Services\ServiceLayer.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: StyleXPService - Unknown owner - C:\Program Files\TGTSoft\StyleXP\StyleXPService.exe
 

Hello MissLaniS, and welcome to TSF


Please subscribe to this thread to get immediate notification of replies as soon as they are posted. To do this click Thread Tools,
then click Subscribe to this Thread. Make sure it is set to Instant Notification, then click Subscribe.


Please read this post completely before beginning the fix. If there's anything that you do not understand, kindly ask your questions before proceeding.
Please ensure that there aren't any open browsers when you are carrying out the procedures below. Save the following instructions in Notepad, as this
webpage will not be available while you're carrying out the fix.



IT IS IMPORTANT THAT YOU DON'T MISS A STEP & PERFORM EVERYTHING IN THE RIGHT ORDER.

----------------------------------------

The fixes we will use are specific to your problems and should only be used for this issue on this machine.

Please only use this topic to reply to. Do not start another thread.
If any other issues arise let me know.

The process is not instant. Please continue to review my answers until I tell you your machine is clear.
Absence of symptoms does not mean that everything is clear. So let's do this to the end!

Please make every effort to reply to my posts in a timely manner. Malware breeds malware and the longer an infection remains on a system, the more
likely additional infections will result.


----------------------------------------

DOWNLOADS


ComboFix



1. Download this file - You MUST save it to your desktop

COMBOFIX





2. Go to <<Start>> then <<Run>> then paste in the single line command then click OK

"%userprofile%\desktop\combofix.exe" /v vtssr urqpqpq winyxm32



3. When finished, it shall produce a log for you. Post that log in your next reply

Note:
Do not mouseclick combofix's window whilst it's running. That may cause it to stall

----------------------------------------

DISABLE NT SERVICES


Click Start->Run - type services.msc & then click on the OK button
*Locate the service - Command Service
*Double-click on it to open the Properties dialog.
*Stop the service by using the Stop button.
*Change the Startup type to Disabled & then click on the OK button

Next, start HiJackThis & go to Config>Misc.Tools...> Delete an NT service...
*In the popup box that appears, type in cmdService.
*Click OK
Allow a reboot into Safe Mode as listed next.

----------------------------------------

SAFE MODE RE-BOOT

Please reboot your computer in Safe Mode by doing the following:
1) Restart your computer
2) After hearing your computer beep once during startup, but before the Windows icon appears, press F8.
3) Instead of Windows loading as normal, a menu should appear
4) Use the up arrow key to highlight Safe Mode and press Enter.
5) Login with your usual account. Make sure to close any open browsers.

----------------------------------------

FIXES AND DELETIONS


Open HijackThis and click on 'Do a System Scan Only'. Check the following entries (If they still exist, make sure you do not miss any)


O16 - DPF: {193C772A-87BE-4B19-A7BB-445B226FE9A1} (ewidoOnlineScan Control) - http://downloads.ewido.net/ewidoOnlineScan.cab
O16 - DPF: {25365FF3-2746-4230-9DA7-163CCA318309} (Automatic Driver Installation Control) - http://inst.c-wss.com/n024p/EN/install/gtdownlr.cab
O23 - Service: Command Service (cmdService) - Unknown owner - C:\WINDOWS\TWlzc0xhbmk\command.exe (file missing)


Please remember to close all other windows, including browsers then click Fix checked.

----------------------------------------

UNHIDE HIDDEN FILES

Go to My Computer->Tools->Folder Options->View tab:
* Under the Hidden files and folders heading, select Show hidden files and folders.
* Uncheck the Hide protected operating system files (recommended) option.
* Also make sure there is no checkmark beside Hide file extensions for known file types
* Click Yes to confirm and then click OK.

----------------------------------------
Delete the following files and folders if they still exist.

C:\WINDOWS\TWlzc0xhbmk

----------------------------------------

SYSTEM RE-BOOT

Reboot into Normal Mode.

----------------------------------------

FOLLOW-UP

Please return and post these items in the order listed:

c:\combofix.txt
A new HJT log run in Normal Mode


Please note: In order to properly see what is on your system, all HJT logs must be run in the normal mode

Please let me know how your system is behaving.
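The entries the reply above acts on can be checked mechanically: the three Winlogon Notify DLLs (two of which are also registered as nameless BHOs), the cmdService entry whose folder name TWlzc0xhbmk is base64 for the user name MissLani, and svchost.exe running from C:\WINDOWS instead of system32. The Python below is an added example, not part of this thread or of HijackThis; it runs over lines copied from the log at the top of the thread, and the base64 decoding of the folder name and the cross-check against the profile name are this example's own heuristics.

```python
import base64
import binascii
import re

# Lines copied from the HijackThis log posted at the top of this thread (abridged).
HJT_LOG = r"""
Running processes:
C:\WINDOWS\system32\svchost.exe
C:\Documents and Settings\MissLani\Desktop\HijackThis.exe
C:\WINDOWS\svchost.exe

O2 - BHO: (no name) - {30904729-F021-4730-8670-C11C2FE5FDA2} - C:\WINDOWS\system32\vtssr.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {9476B23E-74F5-4A22-B701-5D19562301FB} - C:\WINDOWS\system32\urqpqpq.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O20 - Winlogon Notify: urqpqpq - C:\WINDOWS\SYSTEM32\urqpqpq.dll
O20 - Winlogon Notify: vtssr - C:\WINDOWS\system32\vtssr.dll
O20 - Winlogon Notify: winyxm32 - C:\WINDOWS\SYSTEM32\winyxm32.dll
O23 - Service: Command Service (cmdService) - Unknown owner - C:\WINDOWS\TWlzc0xhbmk\command.exe (file missing)
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
"""

ENTRY_RE = re.compile(r"^(O\d+) - (.*)$")
PROCESS_RE = re.compile(r"^[A-Za-z]:\\")
PROFILE_RE = re.compile(r"\\Documents and Settings\\([^\\]+)\\", re.IGNORECASE)
O23_RE = re.compile(r"^Service: (?P<name>.+?) - (?P<owner>.+?) - (?P<path>.+?)(?P<missing> \(file missing\))?$")


def parse_hjt(text):
    """Split a HijackThis log into running-process paths and (section, body) entries."""
    processes, entries = [], []
    for line in text.splitlines():
        line = line.strip()
        m = ENTRY_RE.match(line)
        if m:
            entries.append((m.group(1), m.group(2)))
        elif PROCESS_RE.match(line):
            processes.append(line)
    return processes, entries


def basename(path):
    """Lower-cased file name of a Windows path, for case-insensitive comparison."""
    return path.rsplit("\\", 1)[-1].lower()


def decode_base64_component(name, min_len=4):
    """Plain text if a folder name is unpadded base64 of printable ASCII, else None."""
    # Heuristic of this example: the dropper's folder is the base64 of the user name
    # (TWlzc0xhbmk -> MissLani), so a folder that decodes to readable text is a hit.
    if not re.fullmatch(r"[A-Za-z0-9+/]{4,}", name):
        return None
    padded = name + "=" * (-len(name) % 4)
    try:
        text = base64.b64decode(padded).decode("ascii")
    except (binascii.Error, UnicodeDecodeError):
        return None
    return text if len(text) >= min_len and text.isprintable() else None


def profile_users(processes):
    """User names taken from Documents and Settings\\<user>\\ paths of running processes."""
    matches = (PROFILE_RE.search(p) for p in processes)
    return {m.group(1) for m in matches if m}


def triage(text):
    """Apply the checks the reply above acts on; returns the hits grouped by category."""
    processes, entries = parse_hjt(text)
    users = profile_users(processes)
    findings = {
        "misplaced_svchost": [],   # svchost.exe running outside C:\WINDOWS\system32
        "winlogon_notify": [],     # every O20 DLL (where the DLLs above were hooked)
        "notify_also_bho": [],     # O20 DLL that is also registered as a nameless O2 BHO
        "base64_service_dir": [],  # O23 service whose folder name decodes to text
    }
    nameless_bho = {basename(body.split(" - ")[-1])
                    for kind, body in entries
                    if kind == "O2" and body.startswith("BHO: (no name)")}
    for proc in processes:
        if basename(proc) == "svchost.exe" and not proc.lower().startswith("c:\\windows\\system32\\"):
            findings["misplaced_svchost"].append(proc)
    for kind, body in entries:
        if kind == "O20":
            dll = basename(body.split(" - ")[-1])
            findings["winlogon_notify"].append(dll)
            if dll in nameless_bho:
                findings["notify_also_bho"].append(dll)
        elif kind == "O23":
            m = O23_RE.match(body)
            if not m:
                continue
            # Folder components only: drop the drive letter and the file name.
            for folder in m.group("path").split("\\")[1:-1]:
                decoded = decode_base64_component(folder)
                if decoded:
                    findings["base64_service_dir"].append({
                        "service": m.group("name"), "folder": folder, "decoded": decoded,
                        "matches_profile": decoded in users,
                        "file_missing": bool(m.group("missing")),
                    })
    return findings
```

Calling triage(HJT_LOG) returns the hits by category; the cross-check against the profile name is what turns a folder that merely decodes to text into a strong indicator, and SDHelper.dll stays unflagged because it is a nameless BHO without a matching Winlogon Notify hook.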
 

Discussion Starter · #3 ·
Reply.

I figured out what was causing my computer to not allow me to do anything (it always used 100% of my CPU). It was some system scan thing from Norton. So I had to go into my Services, and disable it. Now I can actually get onto my computer, without having to wait an hour just for a program to finally open.
But I know I am still infected with some adware/spyware/viruses. So I did the ComboFix thing... and here is the log:
(I believe that I now have some new viruses and stuff....Great!!)

________________________________________________________

"MissLani" - 07-01-29 13:31:04 Service Pack 2
ComboFix 07-01-25 - Running from: "C:\Documents and Settings\MissLani\desktop"
Command switches used :: /v vtssr urqpqpq winyxm32

(((((((((((((((((((((((((((((((((((((((((((((((( Vundo Log )))))))))))))))))))))))))))))))))))))))))))))))))))))


C:\WINDOWS\system32\vtssr.dll
C:\WINDOWS\system32\urqpqpq.dll
C:\WINDOWS\system32\winyxm32.dll
C:\WINDOWS\system32\rsstv.bak1
C:\WINDOWS\system32\rsstv.bak2
C:\WINDOWS\system32\rsstv.ini


* * * POST RUN FILES/FOLDERS * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * *



(((((((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))


C:\WINDOWS\system32\atmtd.dll
C:\WINDOWS\system32\atmtd.dll._
C:\WINDOWS\system32\unsvchosts.lzma
C:\WINDOWS\system32\wtssvcc.exe
C:\WINDOWS\svchost.exe
C:\WINDOWS\system32\drivers\npf.sys
C:\DOCUME~1\LOCALS~1\Application Data\NetMon
C:\WINDOWS\TWlzc0xhbmk
C:\Program Files\Common Files\{30476~1
C:\Program Files\Common Files\{30476~2
C:\Program Files\Common Files\{E0476~2
C:\DOCUME~1\MissLani\Application Data\SearchToolbarCorp
C:\Program Files\InetGet2
C:\Program Files\Inetget2
C:\Program Files\network monitor
C:\Program Files\Network Monitor
C:\Program Files\VSAdd-in
C:\Program Files\Common Files\{E0476~1
~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ Purity ~ ~ ~ ~ ~ ~ ~ ~~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~
Folders Quarantined:
C:\qoobox\purity\Program Files\SCURIT~1
C:\qoobox\purity\Program Files\Common Files\ASKS~1
C:\qoobox\purity\Program Files\Common Files\ASKS~1\notepad.exe
C:\qoobox\purity\Program Files\Common Files\ASKS~1\?asks
C:\qoobox\purity\Program Files\Common Files\ASKS~1\?asks\!update-4300.0000
C:\qoobox\purity\Program Files\SCURIT~1\t?skmgr.exe
C:\qoobox\purity\WINDOWS\system32\SMANTE~1


((((((((((((((((((((((((((((((( Files Created from 2006-12-29 to 2007-01-29 ))))))))))))))))))))))))))))))))))


2007-01-29 13:38 <DIR> d-------- C:\WINDOWS\erdnt
2007-01-29 13:18 88,340 --a------ C:\WINDOWS\system32\vxhewnrp.exe
2007-01-29 13:18 44,165 --a------ C:\WINDOWS\system32\wbexycwd.dll
2007-01-29 13:18 118,804 --a------ C:\WINDOWS\system32\dcerbcvw.dll
2007-01-29 03:23 <DIR> d-------- C:\Program Files\Magic Ball 3
2007-01-29 01:51 <DIR> d-------- C:\DOCUME~1\MissLani\Application Data\Skype
2007-01-29 01:50 <DIR> d-------- C:\Program Files\Common Files\Skype
2007-01-29 01:50 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\Application Data\Skype
2007-01-29 01:49 <DIR> d-------- C:\Program Files\Skype
2007-01-23 22:45 <DIR> d-------- C:\WINDOWS\pss
2007-01-23 22:44 <DIR> d-------- C:\DOCUME~1\ADMINI~1\Application Data\Sony
2007-01-23 22:15 155,648 ---h----- C:\DOCUME~1\ALLUSE~1\Application Data\svchost.exe
2007-01-23 01:29 76,412 --a------ C:\WINDOWS\system32\putwsbpa.dll
2007-01-19 23:09 155,648 ---h----- C:\Program Files\Common Files\svchost.exe
2007-01-19 22:54 774,144 --a------ C:\Program Files\RngInterstitial.dll
2007-01-19 22:35 76,412 --a------ C:\WINDOWS\system32\jsnpkyqk.dll
2007-01-19 21:58 115,013 --a------ C:\tdd.exe
2007-01-19 21:56 151,552 --a------ C:\WINDOWS\nvchost.exe
2007-01-19 00:00 <DIR> d-------- C:\DOCUME~1\MissLani\Application Data\URSE Games
2007-01-18 23:52 <DIR> d-------- C:\DOCUME~1\MissLani\Application Data\Zak&Jack
2007-01-18 10:21 3,968 --a------ C:\WINDOWS\system32\drivers\AvgAsCln.sys
2007-01-18 10:21 <DIR> d-------- C:\Program Files\Grisoft
2007-01-17 07:30 <DIR> d-------- C:\DOCUME~1\LOCALS~1\Application Data\Google
2007-01-17 00:30 5,513 --a------ C:\WINDOWS\system32\drivers\musm3gld.sys
2007-01-17 00:00 0 --a------ C:\ryembqbd.exe
2007-01-16 23:58 0 --a------ C:\vimsflwp.exe
2007-01-16 23:58 0 --a------ C:\baiod.exe
2007-01-16 23:41 620,544 --a------ C:\WINDOWS\system32\stlpmt45.dll
2007-01-16 23:41 487,424 --a------ C:\WINDOWS\system32\msvcp70.dll
2007-01-16 23:41 1,700,352 --a------ C:\WINDOWS\system32\GdiPlus.dll
2007-01-16 23:41 1,497,088 --a------ C:\WINDOWS\system32\cc3260mt.dll
2007-01-16 23:41 <DIR> d-------- C:\Program Files\Common Files\AVSMedia
2007-01-16 23:41 <DIR> d-------- C:\Program Files\AVSMedia
2007-01-16 13:27 2,200 --a------ C:\xklxhlc.exe
2007-01-16 08:25 <DIR> d-------- C:\Program Files\TangleBee
2007-01-16 08:25 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\Application Data\TangleBee
2007-01-16 06:27 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\Application Data\Adobe Systems
2007-01-16 05:55 <DIR> d-------- C:\Program Files\Common Files\Adobe Systems Shared
2007-01-16 05:31 <DIR> d-------- C:\DOCUME~1\MissLani\Application Data\Corel
2007-01-16 05:30 <DIR> d-------- C:\Program Files\Common Files\Corel
2007-01-16 05:28 848 --ahs---- C:\WINDOWS\system32\KGyGaAvL.sys
2007-01-16 05:25 <DIR> d-------- C:\Program Files\Corel
2007-01-16 04:15 57,344 --a------ C:\WINDOWS\system32\packet.dll
2007-01-16 04:15 53,299 --a------ C:\WINDOWS\system32\pthreadVC.dll
2007-01-16 04:15 208,896 --a------ C:\WINDOWS\system32\wpcap.dll
2007-01-16 04:14 <DIR> d-------- C:\Program Files\ExploreAnywhere
2007-01-15 18:39 <DIR> d-------- C:\DOCUME~1\MissLani\Application Data\SurveilleTech
2007-01-15 18:33 <DIR> d-------- C:\Program Files\Common Files\Download Manager
2007-01-15 16:09 <DIR> d-------- C:\DOCUME~1\MissLani\Application Data\MySpace
2007-01-15 16:08 <DIR> d-------- C:\Program Files\MySpace
2007-01-15 13:35 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\Application Data\TangleBee - BigFish
2007-01-15 03:39 <DIR> d-------- C:\Program Files\Totem Treasure 2
2007-01-15 03:39 <DIR> d-------- C:\Program Files\Paparazzi
2007-01-15 03:39 <DIR> d-------- C:\Program Files\BFG
2007-01-14 22:19 <DIR> d-------- C:\Program Files\thriXXX
2007-01-14 12:21 <DIR> d-------- C:\Program Files\Mozilla Firefox
2007-01-12 18:08 520,192 --a------ C:\WINDOWS\system32\DivXsm.exe
2007-01-12 18:08 3,596,288 --a------ C:\WINDOWS\system32\qt-dx331.dll
2007-01-12 18:08 200,704 --a------ C:\WINDOWS\system32\ssldivx.dll
2007-01-12 18:08 1,044,480 --a------ C:\WINDOWS\system32\libdivx.dll
2007-01-12 18:03 806,912 --a------ C:\WINDOWS\system32\divx_xx0c.dll
2007-01-12 18:03 806,912 --a------ C:\WINDOWS\system32\divx_xx07.dll
2007-01-12 18:03 790,528 --a------ C:\WINDOWS\system32\divx_xx11.dll
2007-01-12 18:03 73,728 --a------ C:\WINDOWS\system32\dpl100.dll
2007-01-12 18:03 635,486 --a------ C:\WINDOWS\system32\DivX.dll
2007-01-12 18:03 593,920 --a------ C:\WINDOWS\system32\dpuGUI11.dll
2007-01-12 18:03 57,344 --a------ C:\WINDOWS\system32\dpv11.dll
2007-01-12 18:03 53,248 --a------ C:\WINDOWS\system32\dpuGUI10.dll
2007-01-12 18:03 344,064 --a------ C:\WINDOWS\system32\dpus11.dll
2007-01-12 18:03 294,912 --a------ C:\WINDOWS\system32\dpu11.dll
2007-01-12 18:03 294,912 --a------ C:\WINDOWS\system32\dpu10.dll
2007-01-12 18:03 196,608 --a------ C:\WINDOWS\system32\dtu100.dll
2007-01-12 03:52 <DIR> d-------- C:\WINDOWS\ie7updates
2007-01-11 18:19 12,288 --a------ C:\WINDOWS\system32\DivXWMPExtType.dll
2007-01-11 18:19 118,784 --a------ C:\WINDOWS\system32\DivXCodecUpdateChecker.exe
2007-01-11 15:55 <DIR> d-------- C:\Program Files\Brain Booster
2007-01-10 01:19 <DIR> d-------- C:\Program Files\LEGO Chic Boutique
2007-01-10 01:18 <DIR> d-------- C:\Program Files\Bejeweled 2 Deluxe
2007-01-06 21:34 <DIR> d-------- C:\Program Files\DNA
2007-01-06 21:33 <DIR> d-------- C:\Program Files\Flower Shop Big City Break
2007-01-02 19:39 <DIR> d-------- C:\Program Files\Super Granny 3
2007-01-02 15:33 <DIR> d-------- C:\Program Files\Common Files\Broderbund
2007-01-02 15:33 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\Application Data\Broderbund Software
2007-01-01 23:21 1,056,768 --a------ C:\WINDOWS\system32\ROBOEX32.DLL
2007-01-01 23:21 <DIR> d-------- C:\Program Files\Ulead Systems
2007-01-01 23:14 <DIR> d-------- C:\WINDOWS\Noslip
2007-01-01 23:11 <DIR> d-------- C:\Downloads
2007-01-01 13:49 <DIR> d-------- C:\Program Files\SymNetDrv
2006-12-29 16:13 <DIR> d-------- C:\DOCUME~1\MissLani\Application Data\Real
2006-12-29 11:21 <DIR> d-------- C:\Program Files\Common Files\xing shared
2006-12-29 03:18 <DIR> d-------- C:\DOCUME~1\NETWOR~1\Application Data\Symantec
2006-12-29 03:08 <DIR> d-------- C:\Program Files\Norton AntiVirus
2006-12-29 03:07 91,904 --a------ C:\WINDOWS\system32\S32EVNT1.DLL
2006-12-29 03:07 124,016 --a------ C:\WINDOWS\system32\drivers\SYMEVENT.SYS
2006-12-29 03:07 <DIR> d-------- C:\DOCUME~1\MissLani\Application Data\Symantec
2006-12-29 03:05 <DIR> d-------- C:\Program Files\Symantec
2006-12-29 03:05 <DIR> d-------- C:\Program Files\Common Files\Symantec Shared
2006-12-29 03:05 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\Application Data\Symantec
2006-12-29 03:03 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\Application Data\Google Updater


(((((((((((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))))


2007-01-29 13:41 1048 --a------ C:\sccfg.sys
2007-01-29 03:20 -------- d-------- C:\Documents and Settings\MissLani\Application Data\skype
2007-01-29 01:47 -------- d-------- C:\Program Files\dap
2007-01-26 07:52 -------- d--h----- C:\Program Files\installshield installation information
2007-01-26 07:49 -------- d-------- C:\Program Files\bearshare
2007-01-23 23:19 -------- d-------- C:\Program Files\quicktime
2007-01-19 22:53 -------- d-------- C:\Program Files\winamp
2007-01-19 22:48 -------- d-------- C:\Program Files\real
2007-01-19 00:00 -------- d-------- C:\Documents and Settings\MissLani\Application Data\urse games
2007-01-18 23:52 -------- d-------- C:\Documents and Settings\MissLani\Application Data\zak&jack
2007-01-18 10:25 -------- d-------- C:\Program Files\divx
2007-01-16 16:52 -------- d-------- C:\Program Files\folder lock
2007-01-16 06:32 -------- d-------- C:\Documents and Settings\MissLani\Application Data\adobe
2007-01-16 05:56 -------- d-------- C:\Program Files\Common Files\adobe
2007-01-16 05:31 -------- d-------- C:\Documents and Settings\MissLani\Application Data\corel
2007-01-15 18:39 -------- d-------- C:\Documents and Settings\MissLani\Application Data\surveilletech
2007-01-15 16:09 -------- d-------- C:\Documents and Settings\MissLani\Application Data\myspace
2007-01-14 12:21 -------- d-------- C:\Documents and Settings\MissLani\Application Data\mozilla
2007-01-14 00:35 -------- d-------- C:\Documents and Settings\MissLani\Application Data\limewire
2007-01-05 07:42 -------- d-------- C:\Program Files\gamehouse
2007-01-02 15:32 -------- d-------- C:\Program Files\broderbund
2007-01-01 20:56 -------- d-------- C:\Documents and Settings\MissLani\Application Data\real
2007-01-01 16:36 966656 --a------ C:\WINDOWS\unrecode.exe
2007-01-01 16:36 966656 --a------ C:\WINDOWS\unnerovision.exe
2007-01-01 16:36 966656 --a------ C:\WINDOWS\unneroshowtime.exe
2007-01-01 16:36 966656 --a------ C:\WINDOWS\unneromediahome.exe
2007-01-01 16:36 966656 --a------ C:\WINDOWS\unnerobackitup.exe
2007-01-01 16:36 86016 --a------ C:\WINDOWS\unvise32qt.exe
2007-01-01 16:32 71680 --a------ C:\WINDOWS\st5unst.exe
2007-01-01 16:32 24064 --a------ C:\WINDOWS\system32\spupdsvc.exe
2007-01-01 16:26 531968 --a------ C:\WINDOWS\system32\rmactivate_isv.exe
2007-01-01 16:26 523776 --a------ C:\WINDOWS\system32\rmactivate.exe
2007-01-01 16:26 358400 --a------ C:\WINDOWS\system32\rmactivate_ssp.exe
2007-01-01 16:26 354816 --a------ C:\WINDOWS\system32\rmactivate_ssp_isv.exe
2007-01-01 15:38 51712 --a------ C:\WINDOWS\system32\migpwd.exe
2007-01-01 15:37 7540224 --a------ C:\WINDOWS\system32\logonuix.exe
2007-01-01 15:34 13312 --a------ C:\WINDOWS\system32\ieudinit.exe
2007-01-01 15:32 61440 --a------ C:\WINDOWS\system32\hpzinw12.exe
2007-01-01 15:29 249856 --a------ C:\WINDOWS\system32\drmupgds.exe
2007-01-01 15:24 28672 --a------ C:\WINDOWS\ciaunwdm.exe
2007-01-01 15:24 20480 --a------ C:\WINDOWS\system32\cliconfg.exe
2007-01-01 15:23 65536 --a------ C:\WINDOWS\system32\ati2mdxx.exe
2007-01-01 15:23 17408 --a------ C:\WINDOWS\system32\atiqipcl.exe
2006-12-30 07:10 12288 --a------ C:\WINDOWS\system32\msfeedssync.exe
2006-12-29 11:20 -------- d-------- C:\Program Files\Common Files\real
2006-12-29 11:13 -------- d-------- C:\Program Files\google
2006-12-29 11:08 299520 --a------ C:\WINDOWS\uninst.exe
2006-12-29 11:05 86016 -ra------ C:\WINDOWS\system32\cnmcp5u.exe
2006-12-29 11:03 306688 --a------ C:\WINDOWS\isuninst.exe
2006-12-29 03:32 69632 --a------ C:\WINDOWS\system32\hpzipm12.exe
2006-12-29 03:16 -------- d-------- C:\Documents and Settings\MissLani\Application Data\symantec
2006-12-27 00:56 -------- d-------- C:\Documents and Settings\MissLani\Application Data\nokia
2006-12-25 22:18 -------- d-------- C:\Program Files\epson
2006-12-21 08:18 -------- d-------- C:\Documents and Settings\MissLani\Application Data\pi eye games
2006-12-18 10:31 -------- d-------- C:\Program Files\rip 3 the last hero
2006-12-14 03:29 -------- d-------- C:\Documents and Settings\MissLani\Application Data\gtek
2006-12-13 03:16 -------- d-------- C:\Program Files\msxml 4.0
2006-12-11 13:51 -------- d-------- C:\Documents and Settings\MissLani\Application Data\image zone express
2006-12-11 13:37 -------- d-------- C:\Documents and Settings\MissLani\Application Data\hp
2006-12-11 13:33 -------- d-------- C:\Program Files\hp
2006-12-11 13:33 -------- d-------- C:\Program Files\Common Files\hp
2006-12-11 13:31 -------- d-------- C:\Program Files\hewlett-packard
2006-12-11 13:30 -------- d-------- C:\Program Files\Common Files\hewlett-packard
2006-12-11 05:06 -------- d-------- C:\Program Files\java
2006-12-11 02:47 -------- d-------- C:\Program Files\temple of tangram
2006-12-11 01:50 -------- d-------- C:\Documents and Settings\MissLani\Application Data\playfirst
2006-12-10 07:59 -------- d-------- C:\Program Files\pipeline
2006-12-10 07:58 -------- d-------- C:\Program Files\lggsm
2006-12-07 07:35 -------- d-------- C:\Documents and Settings\MissLani\Application Data\ahead
2006-12-03 10:53 -------- d-------- C:\Program Files\windows media connect 2
2006-12-03 02:20 22768 --a------ C:\WINDOWS\system32\drivers\usbsermpt.sys
2006-12-02 01:20 -------- d-------- C:\Program Files\saints and sinners bingo
2006-11-30 13:23 -------- d---s---- C:\Documents and Settings\MissLani\Application Data\microsoft
2006-11-29 22:37 -------- d-------- C:\Documents and Settings\MissLani\Application Data\nokia multimedia player
2006-11-25 23:11 121045 --a------ C:\Documents and Settings\MissLani\Application Data\nmm-metadata.db
2006-11-25 00:18 86 --ahs---- C:\Documents and Settings\MissLani\Application Data\desktop.ini
2006-11-08 00:28 50688 --a------ C:\WINDOWS\system32\wbhelp2.dll
2006-11-07 22:06 679424 --a------ C:\WINDOWS\system32\inetcomm.dll
2006-11-07 21:03 6049280 --a------ C:\WINDOWS\system32\ieframe.dll
2006-11-07 21:03 50688 --a------ C:\WINDOWS\system32\msfeedsbs.dll
2006-11-07 21:03 458752 --a------ C:\WINDOWS\system32\msfeeds.dll
2006-11-07 21:03 413696 --a------ C:\WINDOWS\system32\vbscript.dll
2006-11-07 21:03 231424 --a------ C:\WINDOWS\system32\webcheck.dll
2006-11-07 21:03 180736 --a------ C:\WINDOWS\system32\ieui.dll
2006-11-07 21:03 156160 --a------ C:\WINDOWS\system32\msls31.dll
2006-11-07 03:27 382976 --a------ C:\WINDOWS\system32\iedkcs32.dll
2006-11-07 03:27 229376 --a------ C:\WINDOWS\system32\ieaksie.dll
2006-11-07 03:26 71680 --a------ C:\WINDOWS\system32\admparse.dll
2006-11-07 03:26 55296 --a------ C:\WINDOWS\system32\iesetup.dll
2006-11-07 03:26 54784 --a------ C:\WINDOWS\system32\ie4uinit.exe
2006-11-07 03:26 43008 --a------ C:\WINDOWS\system32\iernonce.dll
2006-11-07 03:26 152064 --a------ C:\WINDOWS\system32\ieakeng.dll
2006-11-07 03:26 123904 --a------ C:\WINDOWS\system32\advpack.dll
2006-11-07 03:25 161792 --a------ C:\WINDOWS\system32\ieakui.dll
2006-11-06 11:35 519280 --a------ C:\WINDOWS\system32\secproc_isv.dll
2006-11-06 11:35 518768 --a------ C:\WINDOWS\system32\secproc.dll
2006-11-06 11:35 323696 --a------ C:\WINDOWS\system32\msdrm.dll
2006-11-06 11:35 192624 --a------ C:\WINDOWS\system32\secproc_ssp_isv.dll
2006-11-06 11:35 192624 --a------ C:\WINDOWS\system32\secproc_ssp.dll
2006-11-04 14:14 1245696 --a------ C:\WINDOWS\system32\msxml4.dll
2006-11-04 03:47 2207232 --a------ C:\WINDOWS\system32\kernel1.exe
2006-11-03 22:47 8464 --a------ C:\WINDOWS\system32\sporder.dll
2006-10-29 11:58 35363 --a------ C:\WINDOWS\system32\windrvnt.sys
2006-10-23 03:28 879 --a--c--- C:\Documents and Settings\MissLani\Application Data\adobedlm.log
2006-10-23 03:28 0 --a--c--- C:\Documents and Settings\MissLani\Application Data\dm.ini


(((((((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))

*Note* empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run]
"DllRunning"="rundll32.exe \"C:\\WINDOWS\\system32\\dcerbcvw.dll\",setvm"
"!AVG Anti-Spyware"="\"C:\\Program Files\\Grisoft\\AVG Anti-Spyware 7.5\\avgas.exe\" /minimized"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\IMAIL]
"Installed"="1"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\MAPI]
"Installed"="1"
"NoChange"="1"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\MSFS]
"Installed"="1"

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run-]
"BitTorrent"="\"C:\\Program Files\\BitTorrent\\bittorrent.exe\" --force_start_minimized"
"swg"="C:\\Program Files\\Google\\GoogleToolbarNotifier\\1.2.1128.2480\\GoogleToolbarNotifier.exe"
"WhenUSave"="\"C:\\Program Files\\Save\\Save.exe\""
"BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}"="\"C:\\Program Files\\Common Files\\Ahead\\Lib\\NMBgMonitor.exe\""
"PcSync"="C:\\Program Files\\Nokia\\Nokia PC Suite 6\\PcSync2.exe /NoDialog"
"BellesBeautyBoutiqueSetup.exe"="C:\\DOCUME~1\\MissLani\\MYDOCU~1\\MYCOMP~1\\BELLES~1.EXE /r"
"TangleBeeSetup.exe"="C:\\DOCUME~1\\MissLani\\Desktop\\TANGLE~2.EXE /r"
"Blar"="\"C:\\PROGRA~1\\COMMON~1\\ASKS~1\\notepad.exe\" -vt tzt"
"CursorXP"="C:\\Program Files\\CursorXP\\CursorXP.exe"
"Pnr"="C:\\Program Files\\s?curity\\t?skmgr.exe"
"STYLEXP"="C:\\Program Files\\TGTSoft\\StyleXP\\StyleXP.exe -Hide"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
"DownloadAccelerator"="\"C:\\Program Files\\DAP\\DAP.EXE\" /STARTUP"
"LanguageShortcut"="\"C:\\Program Files\\CyberLink\\PowerDVD\\Language\\Language.exe\""
"NeroFilterCheck"="C:\\Program Files\\Common Files\\Ahead\\Lib\\NeroCheck.exe"
"PCSuiteTrayApplication"="C:\\PROGRA~1\\Nokia\\NOKIAP~1\\LAUNCH~1.EXE -startup"
"QuickTime Task"="\"C:\\Program Files\\QuickTime\\qttask.exe\" -atboottime"
"RemoteControl"="\"C:\\Program Files\\CyberLink\\PowerDVD\\PDVDServ.exe\""
"SunJavaUpdateSched"="\"C:\\Program Files\\Java\\jre1.5.0_09\\bin\\jusched.exe\""
"AtiCwd32"="Aticwd32.exe"
"HP Software Update"="C:\\Program Files\\HP\\HP Software Update\\HPWuSchd2.exe"
"{E04762CB-0A61-1033-0503-050406240001}"="\"C:\\Program Files\\Common Files\\{E04762CB-0A61-1033-0503-050406240001}\\Update.exe\" mc-110-12-0000272"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk.disabled]
"path"="C:\\Documents and Settings\\All Users\\Start Menu\\Programs\\Startup\\Adobe Reader Speed Launch.lnk.disabled"
"backup"="C:\\WINDOWS\\pss\\Adobe Reader Speed Launch.lnk.disabledCommon Startup"
"location"="Common Startup"
"command"="C:\\Documents and Settings\\All Users\\Start Menu\\Programs\\Startup\\Adobe Reader Speed Launch.lnk.disabled"
"item"="Adobe Reader Speed Launch.lnk"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Device Detector 3.lnk.disabled]
"path"="C:\\Documents and Settings\\All Users\\Start Menu\\Programs\\Startup\\Device Detector 3.lnk.disabled"
"backup"="C:\\WINDOWS\\pss\\Device Detector 3.lnk.disabledCommon Startup"
"location"="Common Startup"
"command"="C:\\Documents and Settings\\All Users\\Start Menu\\Programs\\Startup\\Device Detector 3.lnk.disabled"
"item"="Device Detector 3.lnk"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Google Updater.lnk.disabled]
"path"="C:\\Documents and Settings\\All Users\\Start Menu\\Programs\\Startup\\Google Updater.lnk.disabled"
"backup"="C:\\WINDOWS\\pss\\Google Updater.lnk.disabledCommon Startup"
"location"="Common Startup"
"command"="C:\\Documents and Settings\\All Users\\Start Menu\\Programs\\Startup\\Google Updater.lnk.disabled"
"item"="Google Updater.lnk"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^HP Digital Imaging Monitor.lnk.disabled]
"path"="C:\\Documents and Settings\\All Users\\Start Menu\\Programs\\Startup\\HP Digital Imaging Monitor.lnk.disabled"
"backup"="C:\\WINDOWS\\pss\\HP Digital Imaging Monitor.lnk.disabledCommon Startup"
"location"="Common Startup"
"command"="C:\\Documents and Settings\\All Users\\Start Menu\\Programs\\Startup\\HP Digital Imaging Monitor.lnk.disabled"
"item"="HP Digital Imaging Monitor.lnk"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^MissLani^Start Menu^Programs^Startup^Adobe Gamma.lnk.disabled]
"path"="C:\\Documents and Settings\\MissLani\\Start Menu\\Programs\\Startup\\Adobe Gamma.lnk.disabled"
"backup"="C:\\WINDOWS\\pss\\Adobe Gamma.lnk.disabledStartup"
"location"="Startup"
"command"="C:\\Documents and Settings\\MissLani\\Start Menu\\Programs\\Startup\\Adobe Gamma.lnk.disabled"
"item"="Adobe Gamma.lnk"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\!AVG Anti-Spyware]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="avgas"
"hkey"="HKLM"
"command"="\"C:\\Program Files\\Grisoft\\AVG Anti-Spyware 7.5\\avgas.exe\" /minimized"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ccApp]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="ccApp"
"hkey"="HKLM"
"command"="\"C:\\Program Files\\Common Files\\Symantec Shared\\ccApp.exe\""
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IpWins]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="ipwins"
"hkey"="HKLM"
"command"="C:\\Program Files\\Ipwindows\\ipwins.exe"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\LogonStudio]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="logonstudio"
"hkey"="HKLM"
"command"="\"C:\\Program Files\\WinCustomize\\LogonStudio\\logonstudio.exe\" /RANDOM"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="qttask"
"hkey"="HKLM"
"command"="\"C:\\Program Files\\QuickTime\\qttask.exe\" -atboottime"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Symantec NetDriver Monitor]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="SNDMon"
"hkey"="HKLM"
"command"="C:\\PROGRA~1\\SYMNET~1\\SNDMon.exe /Consumer"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SynTPEnh]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="SynTPEnh"
"hkey"="HKLM"
"command"="C:\\Program Files\\Synaptics\\SynTP\\SynTPEnh.exe"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SynTPLpr]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="SynTPLpr"
"hkey"="HKLM"
"command"="C:\\Program Files\\Synaptics\\SynTP\\SynTPLpr.exe"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\winlogon]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="nvchost"
"hkey"="HKLM"
"command"="C:\\WINDOWS\\nvchost.exe"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\{E04762CB-0A61-1033-0503-050406240001}]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="Update"
"hkey"="HKLM"
"command"="\"C:\\Program Files\\Common Files\\{E04762CB-0A61-1033-0503-050406240001}\\Update.exe\" mc-110-12-0000272"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\{E04762CB-0A62-1033-0503-050406240001}]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="Update"
"hkey"="HKLM"
"command"="\"C:\\Program Files\\Common Files\\{E04762CB-0A62-1033-0503-050406240001}\\Update.exe\" mc-110-12-0000272"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\control panel\load]
"cryptpa"=hex:21,df,db,f4,20

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{57B86673-276A-48B2-BAE7-C6DBB3020EB8}"="AVG Anti-Spyware 7.5"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\shellserviceobjectdelayload]
"0aMCPClient"="{F5DF91F9-15E9-416B-A7C3-7519B11ECBFC}"

[HKEY_USERS\.default\software\microsoft\windows\currentversion\run]
"MySpaceIM"="C:\\Program Files\\MySpace\\IM\\MySpaceIM.exe"

[HKEY_USERS\s-1-5-18\software\microsoft\windows\currentversion\run]
"MySpaceIM"="C:\\Program Files\\MySpace\\IM\\MySpaceIM.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer\Run]
"svchost.exe"="C:\\Program Files\\Common Files\\svchost.exe"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders]
"SecurityProviders"="msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll"


[HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Svchost]
HTTPFilter REG_MULTI_SZ HTTPFilter\0\0
LocalService REG_MULTI_SZ Alerter\0WebClient\0LmHosts\0RemoteRegistry\0upnphost\0SSDPSRV\0\0
NetworkService REG_MULTI_SZ DnsCache\0\0
DcomLaunch REG_MULTI_SZ DcomLaunch\0TermService\0\0
rpcss REG_MULTI_SZ RpcSs\0\0
imgsvc REG_MULTI_SZ StiSvc\0\0
termsvcs REG_MULTI_SZ TermService\0\0
WudfServiceGroup REG_MULTI_SZ WUDFSvc\0\0



Contents of the 'Scheduled Tasks' folder
C:\WINDOWS\tasks\Norton AntiVirus - Scan my computer - MissLani.job
C:\WINDOWS\tasks\User_Feed_Synchronization-{7E47A932-A464-49FF-9403-38FB09B43DAF}.job
C:\WINDOWS\tasks\WebReg Officejet 5600 series.job

Completion time: 07-01-29 13:42:56




Then I followed your directions, and here is the last HijackThis log:


Logfile of HijackThis v1.99.1
Scan saved at 13:54, on 07-01-29
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.5730.0011)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\TGTSoft\StyleXP\StyleXPService.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
C:\WINDOWS\svchost.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Program Files\internet explorer\iexplore.exe
C:\Documents and Settings\MissLani\Desktop\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {68D5CF1D-EC5C-4bdd-A9EF-F0E517565D50} - C:\WINDOWS\system32\wbexycwd.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_09\bin\ssv.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O2 - BHO: TGTSoft Explorer Toolbar Changer - {C333CF63-767F-4831-94AC-E683D962C63C} - C:\Program Files\TGTSoft\StyleXP\TGT_BHO.dll
O3 - Toolbar: (no name) - {74DD705D-6834-439C-A735-A6DBE2677452} - (no file)
O4 - HKLM\..\Run: [DllRunning] rundll32.exe "C:\WINDOWS\system32\dcerbcvw.dll",setvm
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_09\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_09\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?LinkID=39204
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1161599833173
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: NBService - Nero AG - C:\Program Files\Nero\Nero 7\Nero BackItUp\NBService.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: ServiceLayer - Nokia. - C:\Program Files\Common Files\PCSuite\Services\ServiceLayer.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: StyleXPService - Unknown owner - C:\Program Files\TGTSoft\StyleXP\StyleXPService.exe




So there ya go. Now what goodies have taken over my computer?? Help. Thanks for your help!
 

Registered · Joined · 2,335 Posts
Please read this post completely before beginning the fix. If there's anything that you do not understand, kindly ask your questions before proceeding.
Please ensure that there aren't any open browsers when you are carrying out the procedures below. Save the following instructions in Notepad as this webpage would not be available when you're carrying out the fix.



IT IS IMPORTANT THAT YOU DON'T MISS A STEP & PERFORM EVERYTHING IN THE RIGHT ORDER.

----------------------------------------

ComboFix deleted some major infections, but we still have a good bit of junk to get rid of. Let's go to the next round.


----------------------------------------

P2P - I see you have P2P software installed on your machine. We are not here to pass judgment on file-sharing as a concept. However, we will warn you that engaging in this activity and having this kind of software installed on your machine will always make you more susceptible to re-infections. It may be contributing to your current situation. This page will give you further information.

These programs are:

BearShare
Limewire


----------------------------------------

DOWNLOADS


CLEANUP! version 4.52 – TEMP FILE CLEANING


Please download Cleanup! and install it. You will use this later.

Alternative link Cleanup Alt


*NOTE* Cleanup deletes EVERYTHING out of temporary folders and does not make backups.



AVG Anti-Spyware 7.5


I see you have this program installed. Please update its definitions, as we will use this later.

  1. Install AVG Anti-Spyware 7.5.
  2. Double-click the icon on Desktop to launch AVG A-S 7.5
  3. On the top of the main screen click Shield
  4. Click the word active to change it to inactive
  5. On the top of the main screen click Update.
  6. Then click on Start Update. The update will start and a progress bar will show the updates being installed.
  7. I also recommend changing the "Update interval" to something more reasonable like 12 hours.



KILLBOX


Download KillBox (it's important that you get version v2.0.0.175)
Do not run it yet.

----------------------------------------

REGISTRY FIX

Download the attached misslani.zip file at the bottom of this post to your desktop. Double click on the zip folder,
then double click on the .reg file within.
Click yes to allow it to merge into your registry.

----------------------------------------

SAFE MODE RE-BOOT

Please reboot your computer in Safe Mode by doing the following:
1) Restart your computer
2) After hearing your computer beep once during startup, but before the Windows icon appears, press F8.
3) Instead of Windows loading as normal, a menu should appear
4) Use the up arrow key to highlight Safe Mode and press Enter.
5) Login with your usual account. Make sure to close any open browsers.

----------------------------------------

FIXES AND DELETIONS


Uninstall the following via the Add/Remove Panel (Start->(Settings)->Control Panel->Add/Remove Programs) if they exist:


Download Accelerator - DAP>>>You are using Download Accelerator - DAP. Be informed that it delivers popup/popunder ads, and tracks your internet usage. You can find safer alternatives here: spywareinfo



----------------------------------------

Open HijackThis and click on 'Do a System Scan Only'. Check the following entries (If they still exist, make sure you do not miss any)

O4 - HKLM\..\Run: [DllRunning] rundll32.exe "C:\WINDOWS\system32\dcerbcvw.dll",setvm


Please remember to close all other windows, including browsers then click Fix checked.

----------------------------------------

UNHIDE HIDDEN FILES

Go to My Computer->Tools->Folder Options->View tab:
* Under the Hidden files and folders heading, select Show hidden files and folders.
* Uncheck the Hide protected operating system files (recommended) option.
* Also make sure there is no checkmark beside Hide file extensions for known file types
* Click Yes to confirm and then click OK.

----------------------------------------
Delete the following Files indicated in RED and Folders indicated in BLUE if they still exist.


C:\Program Files\dap

C:\DOCUME~1\ALLUSE~1\Application Data\svchost.exe>>>Delete from this location only. NOT System 32
C:\Program Files\Common Files\svchost.exe>>>Delete from this location only. NOT System 32

C:\Documents and Settings\MissLani\Application Data\surveilletech


Refer to This Site for information on this program.
The decision to leave or delete it is up to you.


----------------------------------------

KILLBOX


Launch KillBox.exe & select the following options:




  • Delete on Reboot
  • All files (if available)
Copy the file names below to the clipboard by highlighting them and pressing Ctrl-C:


C:\WINDOWS\system32\cliconfg.exe
C:\WINDOWS\system32\vxhewnrp.exe
C:\WINDOWS\system32\wbexycwd.dll
C:\WINDOWS\system32\dcerbcvw.dll
C:\WINDOWS\system32\putwsbpa.dll
C:\WINDOWS\system32\jsnpkyqk.dll
C:\WINDOWS\nvchost.exe
C:\WINDOWS\uninst.exe
C:\WINDOWS\isuninst.exe
C:\tdd.exe
C:\ryembqbd.exe
C:\vimsflwp.exe
C:\baiod.exe
C:\xklxhlc.exe
C:\sccfg.sys
C:\WINDOWS\system32\drivers\musm3gld.sys





In Killbox, go to the File menu, and choose Paste from Clipboard
*Click on the dropdown menu next to Full Path of File to Delete field.
*Verify that the filenames you pasted are found there.

Select/tick the following:
* Delete on Reboot
* End Explorer Shell While Killing File


Click the RED X button.

Click Yes at the 'Delete on Reboot' prompt. Click NO at the Pending Operations prompt. (Do not allow reboot)

If you receive a message such as: "Component 'MsComCtl.ocx' or one of its dependencies not correctly registered: a file is missing or invalid." when trying to run Killbox, download and run missingfilesetup.exe. Then try Killbox again.

----------------------------------------

RUNNING SCANNERS


Cleanup

Open Cleanup! by double-clicking the icon on your desktop (or from the Start > All Programs menu).
Set the program up as follows:

Click "Options..."
Move the arrow down to "Custom CleanUp!"
Put a check next to the following (Make sure nothing else is checked!):
  • Empty Recycle Bins
  • Delete Cookies
  • Delete Prefetch files (if present)
  • Cleanup! All Users
  • Click on the Temporary Files tab and uncheck the box for Scan drives for files matching if it’s checked.
Click OK
Press the CleanUp! button to start the program and DO NOT reboot when prompted.


AVG Anti-Spyware 7.5

  • Run AVG A-S with its updated definitions: (...it's important that all windows must be closed)
    This scan can take quite a while to run, so be prepared.
  • Click Scanner
  • Click on the Scan tab
  • Click Complete System Scan to begin scanning.



  • When the scan is complete click Recommended Action and change it to Quarantine (1),
  • If not click Recommended Action and choose Quarantine from the popup menu. (2)
  • At the bottom of the window click on the Apply all Actions button. (3)

When done, click the Save Scan Report button. (4) then click Save Report As and save it to your desktop.

IMPORTANT : Don't click on the "Save Scan Report" button before you have clicked the "Apply all Actions" button.



Note: DO NOT USE the computer while AVG A/S is scanning. If Explorer or the Control Panel are opened some malware types will reinfect your system or will not be cleaned properly.

----------------------------------------

SYSTEM RE-BOOT

Reboot into Normal Mode.

----------------------------------------


ON-LINE SCANS

Perform an online scan with Internet Explorer with Panda ActiveScan

  1. Click on
    located at the bottom of the page.
  2. A "pop up" window will appear. * Please ensure that your pop up blocker doesn't block it *
  3. Enter your e-mail address, country, and state & click "Free Online Scan" * The download of the 8 MB Panda's ActiveX control will take place *

Begin the scan by selecting

  • If it finds any malware, it will offer you a report.
  • Please ignore any entry it finds and the offer to buy the program to remove the entry, as we will address this later.
  • Click on
    then click

* You needn't remain online while it's doing the scan but you have to re-connect after it has finished to see the report.
* Turn off the real time scanner of any existing antivirus program while performing the online scan


----------------------------------------

FOLLOW-UP

Please return and post these items in the order listed:


AVG A/S
Panda scan
A new HJT log run in Normal Mode


Please note: In order to properly see what is on your system, all HJT logs must be run in the normal mode

Please let me know how your system is behaving.
 

Attachments
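As an added example (not code from this thread, nor from HijackThis or ComboFix), here is a short Python audit that applies the same checks the helper applied by eye to the logs above: a system binary name (svchost.exe) sitting outside System32, a file name one character off a real one (nvchost.exe, t?skmgr.exe), a '?' in a path where the tool could not render a character, and rundll32 loading a random-named DLL. The sample lines are copied from the logs in this thread; the directory table and the eight-letter-name heuristic are my own assumptions.

```python
"""Audit autorun lines (HijackThis O4, ComboFix .reg) for the signs the helper acts on; added example."""
import re
from ntpath import basename, dirname  # parses Windows paths on any OS

LEGIT_DIR = {  # assumption: core Windows binaries and the directory each legitimately lives in on XP
    "svchost.exe": {r"c:\windows\system32"},
    "taskmgr.exe": {r"c:\windows\system32"},
    "explorer.exe": {r"c:\windows"},
}
HJT_O4 = re.compile(r'^O4 - \S+: \[(?P<name>[^\]]*)\] (?P<cmd>.+)$')
REG_VALUE = re.compile(r'^"(?P<name>[^"]+)"="(?P<cmd>.*)"$')
EXE_TOKEN = re.compile(r'"([^"]+)"|(.+?\.(?:exe|dll|scr|com))(?=[\s,]|$)', re.I)
RANDOM_STEM = re.compile(r'^[a-z]{8}$')  # heuristic: dropper-style 8-letter file names

def edit_distance(a, b):
    """Levenshtein distance; one substitution turns svchost.exe into nvchost.exe."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def first_token(cmd):
    """(executable path, remaining arguments) of a command line, quoted or not."""
    m = EXE_TOKEN.match(cmd) or re.match(r"\S*", cmd)
    return m.group(m.lastindex or 0), cmd[m.end():].lstrip(" ,")

def parse_entry(line):
    """(entry name, command) from an O4 line or a .reg string value; None otherwise."""
    if m := HJT_O4.match(line):
        return m.group("name"), m.group("cmd")
    if m := REG_VALUE.match(line):  # undo .reg escaping: \" -> " and \\ -> \
        return m.group("name"), m.group("cmd").replace('\\"', '"').replace('\\\\', '\\')
    return None

def audit_entry(cmd):
    """Reasons this autorun command deserves a second look (empty list = nothing seen)."""
    exe, rest = first_token(cmd)
    base, folder = basename(exe.lower()), dirname(exe.lower())
    reasons = [f"name is one character off from {k}" for k in LEGIT_DIR if 0 < edit_distance(base, k) <= 1]
    if "?" in exe:  # '?' is illegal in a Windows path: the tool could not render a character
        reasons.append("unrenderable character in path (look-alike folder or file name)")
    if folder not in LEGIT_DIR.get(base, {folder}):  # names not in the table get a free pass here
        reasons.append(f"{base} outside its system directory: {folder}")
    dll = first_token(rest)[0] if base == "rundll32.exe" else ""
    if RANDOM_STEM.match(basename(dll.lower()).rsplit(".", 1)[0]):
        reasons.append(f"rundll32 loads a random-looking DLL: {dll}")
    return reasons

def audit(lines):
    """{entry name: reasons} for every autorun line that raised at least one reason."""
    parsed = [p for p in map(parse_entry, lines) if p]
    return {name: r for name, cmd in parsed if (r := audit_entry(cmd))}

# Constructed input: lines copied verbatim from the ComboFix and HijackThis logs above.
SAMPLE = r'''
"Pnr"="C:\\Program Files\\s?curity\\t?skmgr.exe"
"svchost.exe"="C:\\Program Files\\Common Files\\svchost.exe"
"command"="C:\\WINDOWS\\nvchost.exe"
O4 - HKLM\..\Run: [DllRunning] rundll32.exe "C:\WINDOWS\system32\dcerbcvw.dll",setvm
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
'''.strip().splitlines()
```

Running `audit(SAMPLE)` flags Pnr, svchost.exe, the nvchost "command" value and DllRunning, and leaves the AVG entry alone, which matches the entries the helper singled out.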
