[eddiedenise]

I got a trojan agent Winlogonhook and a try a lot a program to remove but still when i run spy seewper still show up pls. help me. Thanks

Deckard's System Scanner v20071014.68
Run by ilopez on 2008-06-22 16:49:48
Computer is in Normal Mode.
--------------------------------------------------------------------------------

-- System Restore --------------------------------------------------------------

Successfully created a Deckard's System Scanner Restore Point.


-- Last 5 Restore Point(s) --
62: 2008-06-22 23:51:25 UTC - RP116 - Deckard's System Scanner Restore Point
61: 2008-06-22 22:28:07 UTC - RP115 - System Checkpoint
60: 2008-06-21 20:04:09 UTC - RP114 - Avira AntiVir Personal - 6/21/2008 13:03
59: 2008-06-21 05:29:25 UTC - RP113 - Removed Encompass
58: 2008-06-21 05:26:54 UTC - RP112 - Removed Google Toolbar for Internet Explorer


-- First Restore Point --
1: 2008-06-19 23:33:56 UTC - RP55 - System Checkpoint


Backed up registry hives.
Performed disk cleanup.

Percentage of Memory in Use: 77% (more than 75%).


-- HijackThis Clone ------------------------------------------------------------


Emulating logfile of Trend Micro HijackThis v2.0.2
Scan saved at 2008-06-22 16:56:22
Platform: Windows XP Service Pack 2 (5.01.2600)
MSIE: Internet Explorer (7.00.5730.13)
Boot mode: Normal

Running processes:
C:\WINDOWS\system32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\WINDOWS\system32\cisvc.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\Common Files\Roxio Shared\SharedCOM8\RoxMediaDB.exe
C:\Program Files\Common Files\Roxio Shared\SharedCOM8\RoxWatch.exe
C:\Program Files\Microsoft SQL Server\90\Shared\sqlbrowser.exe
C:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
C:\WINDOWS\system32\WLTRYSVC.EXE
C:\WINDOWS\system32\BCMWLTRY.EXE
C:\WINDOWS\system32\alg.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Alwil Software\Avast4\ashDisp.exe
C:\Program Files\Webroot\Spy Sweeper\SpySweeperUI.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\system32\cidaemon.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Documents and Settings\Ilopez\My Documents\My Documents 2008\Installer's 2008\dss.exe
C:\Program Files\Webroot\Spy Sweeper\ssu.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.com/
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://go.microsoft.com/fwlink/?LinkId=74005
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
O2 - BHO: (no name) - {8E6B1182-1BA4-42E3-87E9-48086AC71EF6} - C:\WINDOWS\system32\ssqQgFVn.dll (file missing)
O2 - BHO: Catcher Class - {ADECBED6-0366-4377-A739-E69DFBA04663} - C:\Program Files\Moyea\FLV Downloader\MoyeaCth.dll
O2 - BHO: Windows Live Toolbar Helper - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: Windows Live Toolbar - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [NvCplDaemon] "RUNDLL32.EXE" C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [SpySweeper] "C:\Program Files\Webroot\Spy Sweeper\SpySweeperUI.exe" /startintray
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O8 - Extra context menu item: &Search - http://edits.mywebsearch.com/toolbaredits/menusearch.jhtml?p=ZSzed001YYUS_ZR
O8 - Extra context menu item: &Windows Live Search - res://C:\Program Files\Windows Live Toolbar\msntb.dll/search.htm
O8 - Extra context menu item: Append to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert link target to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert link target to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert selected links to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
O8 - Extra context menu item: Convert selected links to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
O8 - Extra context menu item: Convert selection to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert selection to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - (file missing)
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\network diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\network diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {05CA9FB0-3E3E-4B36-BF41-0E3A5CAA8CD8} (Office Genuine Advantage Validation Tool) - http://download.microsoft.com/download/e/7/3/e7345c16-80aa-4488-ae10-9ac6be844f99/OGAControl.cab
O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {1D4DB7D2-6EC9-47A3-BD87-1E41684E07BB} () - http://ak.exe.imgfarm.com/images/no...ei/SmileyCentralFWBInitialSetup1.0.0.15-3.cab
O16 - DPF: {233C1507-6A77-46A4-9443-F871F945D258} (Shockwave ActiveX Control) - http://fpdownload.macromedia.com/get/shockwave/cabs/director/sw.cab
O16 - DPF: {2D8ED06D-3C30-438B-96AE-4D110FDC1FB8} (ActiveScan 2.0 Installer Class) - http://acs.pandasoftware.com/activescan/cabs/as2stubie.cab
O16 - DPF: {341FF14B-00CB-49F5-A427-A164DF1D5E1F} (MALPlaybackCtrl Class) - http://musicstore.connect.com/XSL/mb_us/html/activexplayer/SMALStreaming.cab
O16 - DPF: {3AA42713-5C1E-48E2-B432-D8BF420DD31D} () - http://virus-scanonline.com/AntvrsInstall.cab
O16 - DPF: {3EA4FA88-E0BE-419A-A732-9B79B87A6ED0} (CTVUAxCtrl Object) - http://dl.tvunetworks.com/TVUAx.cab
O16 - DPF: {406B5949-7190-4245-91A9-30A17DE16AD0} (Snapfish Activia) - http://photo.walgreens.com/WalgreensActivia.cab
O16 - DPF: {474F00F5-3853-492C-AC3A-476512BBC336} (UploadListView Class) - http://picasaweb.google.com/s/v/30.66/uploader2.cab
O16 - DPF: {48DD0448-9209-4F81-9F6D-D83562940134} (MySpace Uploader Control) - http://lads.myspace.com/upload/MySpaceUploader1005.cab
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://gfx1.hotmail.com/mail/w2/pr02/resources/MSNPUpld.cab
O16 - DPF: {6A344D34-5231-452A-8A57-D064AC9B7862} (Symantec Download Manager) - https://webdl.symantec.com/activex/symdlmgr.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/mic...ls/en/x86/client/muweb_site.cab?1183530393644
O16 - DPF: {8A0019EB-51FA-4AE5-A40B-C0496BBFC739} (Verizon Wireless Media Upload) - http://www.vzwpix.com/activex/VerizonWirelessUploadControl.cab
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} (Java Plug-in 1.6.0_03) - http://javadl-esd.sun.com/update/1.6.0/jinstall-6u3-windows-i586-jc.cab
O16 - DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} () - http://fpdownload.macromedia.com/get/flashplayer/current/ultrashim.cab
O16 - DPF: {944713E8-1F29-42D9-ABD5-557728B9AC97} (PtClickLoanWF Control) - https://ilnet.wellsfargo.com/ilonline/clickloan/ptclickloanwf.cab
O16 - DPF: {B1E2B96C-12FE-45E2-BEF1-44A219113CDD} (SABScanProcesses Class) - http://www.superadblocker.com/activex/sabspx.cab
O16 - DPF: {C02226EB-A5D7-4B1F-BD7E-635E46C2288D} (Toontown Installer ActiveX Control) - http://a.download.toontown.com/sv1.0.30.16/ttinst.cab
O16 - DPF: {CF40ACC5-E1BB-4AFF-AC72-04C2F616BCA7} (get_atlcom Class) - http://www.adobe.com/products/acrobat/nos/gp.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
O16 - DPF: {D8089245-3211-40F6-819B-9E5E92CD61A2} (FlashXControl Object) - https://signin3.valueactive.com/Register/Branding/olr3313/OCX/v1018/flashax.cab
O16 - DPF: {DF05D910-DC8E-403A-93B0-5C866F3200D1} (PtClickLoan Control) - https://www.clickloan.com/CAB/PtClickLoan/1,0,0,12/PtClickLoan.cab
O16 - DPF: {FFBB3F3B-0A5A-4106-BE53-DFE1E2340CB1} (DownloadManager Control) - http://dlm.tools.akamai.com/dlmanager/versions/activex/dlm-activex-2.2.2.1.cab
O17 - HKLM\Software\..\Telephony: DomainName = aztec.local
O17 - HKLM\SYSTEM\CS1\Services\Tcpip\Parameters: Domain = aztec.local
O17 - HKLM\SYSTEM\CS2\Services\Tcpip\Parameters: Domain = aztec.local
O17 - HKLM\SYSTEM\CCS\Services\Tcpip\Parameters: Domain = aztec.local
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\Program Files\MSN Messenger\msgrapp.8.1.0178.00.dll
O18 - Protocol: ms-itss - {0A9007C0-4076-11D3-8789-0000F8105754} - C:\Program Files\Common Files\Microsoft Shared\Information Retrieval\MSITSS.DLL
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\Program Files\MSN Messenger\msgrapp.8.1.0178.00.dll
O18 - Protocol: mso-offdap - {3D9F03FA-7A94-11D3-BE81-0050048385D1} - C:\Program Files\Common Files\Microsoft Shared\Web Components\10\OWC10.DLL
O18 - Protocol: mso-offdap11 - {32505114-5902-49B2-880A-1F7738E5A384} - C:\Program Files\Common Files\Microsoft Shared\Web Components\11\OWC11.DLL
O18 - Protocol: wlmailhtml - {03C514A3-1EFB-4856-9F99-10D7BE1653C0} - C:\Program Files\Windows Live\Mail\mailcomm.dll
O18 - Filter: text/xml - {807553E5-5146-11D5-A672-00B0D022E945} - C:\Program Files\Common Files\Microsoft Shared\OFFICE11\MSOXMLMF.DLL
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.DLL
O20 - Winlogon Notify: winafg32 - C:\WINDOWS\system32\winafg32.dll
O20 - Winlogon Notify: winrnt32 - C:\WINDOWS\system32\winrnt32.dll (file missing)
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1150\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Pml Driver HPH11 - HP - C:\WINDOWS\system32\hphipm11.exe
O23 - Service: LiveShare P2P Server (RoxLiveShare) - Sonic Solutions - C:\Program Files\Common Files\Roxio Shared\SharedCOM8\RoxLiveShare.exe
O23 - Service: RoxMediaDB - Sonic Solutions - C:\Program Files\Common Files\Roxio Shared\SharedCOM8\RoxMediaDB.exe
O23 - Service: RoxUPnPRenderer - Sonic Solutions - C:\Program Files\Common Files\Roxio Shared\SharedCom\RoxUpnpRenderer.exe
O23 - Service: RoxUpnpServer - Sonic Solutions - C:\Program Files\Roxio\Easy Media Creator 8\Digital Home\RoxUpnpServer.exe
O23 - Service: Roxio Hard Drive Watcher (RoxWatch) - Sonic Solutions - C:\Program Files\Common Files\Roxio Shared\SharedCOM8\RoxWatch.exe
O23 - Service: Webroot Spy Sweeper Engine (WebrootSpySweeperService) - Webroot Software, Inc. - C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
O23 - Service: WLTRYSVC - Unknown owner - C:\WINDOWS\system32\WLTRYSVC.EXE


--
End of file - 13280 bytes

-- File Associations -----------------------------------------------------------

All associations okay.


-- Drivers: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled ---------------------

R1 AFS2K - c:\windows\system32\drivers\afs2k.sys <Not Verified; Oak Technology Inc.; AFS>
R1 OMCI (OMCI WDM Device Driver) - c:\windows\system32\drivers\omci.sys <Not Verified; Dell Computer Corporation; OMCI Driver>
R2 PMEM - c:\windows\system32\drivers\pmemnt.sys <Not Verified; Microsoft Corporation; Microsoft(R) Windows NT(TM) Operating System>

S3 catchme - c:\docume~1\ilopez\locals~1\temp\catchme.sys (file missing)
S3 SABProcEnum - c:\program files\internet explorer\sabprocenum.sys (file missing)
S3 SASENUM - c:\program files\superantispyware\sasenum.sys <Not Verified; SuperAdBlocker, Inc.; SuperAntiSpyware>
S3 SQTECH905C (DB CIF Cam) - c:\windows\system32\drivers\capt905c.sys <Not Verified; Service & Quality Technology.; SQ905c>


-- Services: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled --------------------

R2 Apple Mobile Device - "c:\program files\common files\apple\mobile device support\bin\applemobiledeviceservice.exe" <Not Verified; Apple, Inc.; Apple Mobile Device Service>

S3 FLEXnet Licensing Service - "c:\program files\common files\macrovision shared\flexnet publisher\fnplicensingservice.exe" <Not Verified; Macrovision Europe Ltd.; FLEXnet Publisher (32 bit)>
S3 WLSetupSvc (Windows Live Setup Service) - "c:\program files\windows live\installer\wlsetupsvc.exe" <Not Verified; Microsoft Corporation; Windows Live installer>


-- Device Manager: Disabled ----------------------------------------------------

No disabled devices found.


-- Scheduled Tasks -------------------------------------------------------------

2008-06-22 16:59:08 256 --a------ C:\WINDOWS\Tasks\Check Updates for Windows Live Toolbar.job
2008-06-21 17:00:01 378 --a------ C:\WINDOWS\Tasks\XoftSpySE 2.job
2008-06-20 22:19:30 498 --a------ C:\WINDOWS\Tasks\AdwareAlert Scheduled Scan.job
2008-06-20 06:00:00 442 --a------ C:\WINDOWS\Tasks\SpyHunter.job
2008-06-19 22:00:04 1620 --a------ C:\WINDOWS\Tasks\wrSpySweeper_BB49D0C6F0C24578900579482936030A.job
2008-06-18 16:57:00 272 --a------ C:\WINDOWS\Tasks\Uniblue SpeedUpMyPC Nag.job
2008-05-08 08:15:55 284 --a------ C:\WINDOWS\Tasks\AppleSoftwareUpdate.job
2007-12-30 05:00:00 328 --a------ C:\WINDOWS\Tasks\Registry Medic Schedule.job
2007-08-13 16:57:04 394 --a------ C:\WINDOWS\Tasks\Uniblue SpeedUpMyPC.job


-- Files created between 2008-05-22 and 2008-06-22 -----------------------------

2008-06-22 16:40:01 0 d-------- C:\WINDOWS\LastGood
2008-06-21 17:41:23 0 d-------- C:\ie-spyad_zo
2008-06-21 17:40:11 0 d-------- C:\Program Files\SpywareBlaster
2008-06-21 13:21:07 0 d-------- C:\Program Files\Panda Security
2008-06-20 23:24:59 0 d-------- C:\Program Files\Alwil Software
2008-06-20 23:05:51 0 d-------- C:\HaxFix
2008-06-20 22:19:25 0 d-------- C:\Documents and Settings\Ilopez\Application Data\AdwareAlert
2008-06-20 21:49:24 0 d-------- C:\Documents and Settings\Ilopez\Application Data\Antivirus2008y
2008-06-20 21:48:33 0 d-------- C:\Program Files\Antivirus2008y
2008-06-20 19:42:31 0 d-------- C:\Program Files\Signatures
2008-06-20 10:15:36 0 d-------- C:\Documents and Settings\All Users\Application Data\Lavasoft
2008-06-19 13:57:57 741589 --ahs---- C:\WINDOWS\system32\nVFgQqss.ini2
2008-06-19 13:52:48 32768 --a------ C:\WINDOWS\system32\winafg32.dll
2008-06-07 22:31:23 0 d-------- C:\Program Files\Adobe Media Player
2008-06-07 22:31:18 0 d-------- C:\Program Files\Common Files\Adobe AIR
2008-05-23 11:31:26 0 d--h----- C:\WINDOWS\msdownld.tmp
2008-05-23 11:29:53 0 d-------- C:\Program Files\Windows Live Toolbar


-- Find3M Report ---------------------------------------------------------------

2008-06-20 22:35:56 0 d-------- C:\Program Files\Google
2008-06-20 22:26:30 0 d-------- C:\Program Files\IrfanView
2008-06-20 22:25:44 0 d-------- C:\Program Files\RegCure
2008-06-20 22:25:00 0 d-------- C:\Program Files\Common Files\Wise Installation Wizard
2008-06-19 18:39:48 0 d-------- C:\Program Files\SUPERAntiSpyware
2008-06-19 16:38:36 23240 --a------ C:\WINDOWS\system32\nvModes.dat
2008-06-13 12:37:44 0 d-------- C:\Program Files\Windows Media Connect 2
2008-06-08 21:19:01 0 d-------- C:\Documents and Settings\Ilopez\Application Data\Moyea
2008-06-07 22:31:31 0 d-------- C:\Documents and Settings\Ilopez\Application Data\Adobe
2008-06-07 22:31:18 0 d-------- C:\Program Files\Common Files
2008-06-04 15:20:30 0 d-------- C:\Program Files\Common Files\Adobe
2008-05-24 22:39:07 0 d-------- C:\Documents and Settings\Ilopez\Application Data\MSN6
2008-05-06 16:11:43 0 d-------- C:\Documents and Settings\Ilopez\Application Data\Move Networks


-- Registry Dump ---------------------------------------------------------------

*Note* empty entries & legit default entries are not shown


[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{8E6B1182-1BA4-42E3-87E9-48086AC71EF6}]
C:\WINDOWS\system32\ssqQgFVn.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"avast!"="C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe" [05/15/2008 04:19 PM]
"NvCplDaemon"="RUNDLL32.exe" [08/12/2004 06:27 AM C:\WINDOWS\system32\rundll32.exe]
"SpySweeper"="C:\Program Files\Webroot\Spy Sweeper\SpySweeperUI.exe" [01/04/2008 09:56 PM]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [08/12/2004 06:18 AM]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"DisableCAD"=0 (0x0)

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]
"DisableRegistryTools"=0 (0x0)

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= C:\Program Files\SUPERAntiSpyware\SASSEH.DLL [06/19/2008 06:39 PM 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
C:\Program Files\SUPERAntiSpyware\SASWINLO.DLL 06/19/2008 06:39 PM 294912 C:\Program Files\SUPERAntiSpyware\SASWINLO.DLL

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\winafg32]
winafg32.dll 06/19/2008 01:52 PM 32768 C:\WINDOWS\system32\winafg32.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\winrnt32]
winrnt32.dll

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
"Authentication Packages"= msv1_0 C:\WINDOWS\system32\ssqQgFVn

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\vds]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WebrootSpySweeperService]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{533C5B84-EC70-11D2-9505-00C04F79DEAF}]
@="Volume shadow copy"


[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Acrobat Assistant 8.0]
"C:\Program Files\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Act! Preloader]
"C:\Program Files\ACT\ACT for Windows\ActSage.exe" -preload

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Act.Outlook.Service]
"C:\Program Files\ACT\ACT for Windows\Act.Outlook.Service.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Photo Downloader]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Antivirus2008y]
C:\Program Files\Antivirus2008y\antvrs.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\avgnt]
"C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe" /min

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Broadcom Wireless Manager UI]
C:\WINDOWS\system32\WLTRAY.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ccApp]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Corel Photo Downloader]
"C:\Program Files\Corel\Corel Photo Album 6\MediaDetect.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DAEMON Tools-1033]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\fssui]
"C:\Program Files\Windows Live\Family Safety\fssui.exe" -autorun

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HPDJ Taskbar Utility]
C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb07.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HPHmon04]
C:\WINDOWS\system32\hphmon04.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HPHUPD04]
"C:\Program Files\HP Photosmart 11\hphinstall\UniPatch\hphupd04.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ISUSPM]
"C:\Program Files\Common Files\InstallShield\UpdateService\ISUSPM.exe" -scheduler

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
"C:\Program Files\iTunes\iTunesHelper.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
"C:\Program Files\Messenger\msmsgs.exe" /background

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MsnMsgr]
"C:\Program Files\MSN Messenger\msnmsgr.exe" /background

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvCplDaemon]
"RUNDLL32.EXE" C:\WINDOWS\system32\NvCpl.dll,NvStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\osCheck]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
"C:\Program Files\QuickTime Alternative\qttask.exe" -atboottime

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RoxioDragToDisc]
"C:\Program Files\Roxio\Easy Media Creator 8\Drag to Disc\DrgToDsc.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Share-to-Web Namespace Daemon]
"C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SpyHunter]
?

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SpySweeper]
"C:\Program Files\Webroot\Spy Sweeper\SpySweeperUI.exe" /startintray

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SUPERAntiSpyware]
"C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SynTPEnh]
"C:\Program Files\Synaptics\SynTP\SynTPEnh.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SynTPLpr]
"C:\Program Files\Synaptics\SynTP\SynTPLpr.exe"




-- End of Deckard's System Scanner: finished at 2008-06-22 17:00:55 ------------

 

[tetonbob]

Please visit this webpage for instructions for downloading and running ComboFix:

http://www.bleepingcomputer.com/combofix/how-to-use-combofix

Please ensure you read this guide carefully and install the Recovery Console first.

The Windows Recovery Console will allow you to boot up into a special recovery mode if needed. This allows us to help you in the case that your computer has a problem after an attempted removal of malware. It is a simple procedure that will only take a few moments of your time.

As part of installing the Recovery Console, ComboFix will begin to run. Follow the prompts to install the Recovery Console. Your desktop may disappear. This is normal. It will return.

Once the Recovery Console is installed using ComboFix, you should see a message that says:

The Recovery Console was successfully installed.

Please continue as follows:

Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

Click Yes to allow ComboFix to continue scanning for malware.

When the tool is finished, it will produce a report for you.

If you have any questions along the way, STOP and ask them before proceeding.

Post the log from ComboFix when you've accomplished that, along with a new HijackThis log.

It does not appear as though DSS was allowed to download and install HijackThis. To produce a HijackThis log for your next reply, please do this:

Please download HijackThis to your desktop

Alternate link

Double-click on the file you just downloaded.
Click on the "Unzip" button to install. It will by default install to the directory - C:\Program Files\Trend Micro\HijackThis

Upon install, HijackThis should open for you.

Should it not open, navigate to C:\Program Files\Trend Micro\HijackThis and double click on HijackThis.exe

1. If it gives you an intro screen, just choose 'Do a system scan and save a logfile'.
2. If you don't get the intro screen, just hit Scan and then click on Save log.
3. Post the hijackthis.log file here. Do not fix anything in HijackThis since they may be harmless.

---------------------------------------------------------------------------------------------

 

[eddiedenise]

I tried to run combofix, but the power turn off in the middle if rigt now i Can not star windows, the screen show complete black. can you help me. Thanks

 

[tetonbob]

The power to the machine was lost during the process? Or the machine restarted as part of running ComboFix?

Were you able to install the Recovery Console first?

Can you access the Windows Advanced Options menu by pressing F8 while the machine is starting up?

 

[eddiedenise]

Can you access the Windows Advanced Options menu by pressing F8 while the machine is starting up?


Yes i Can.

I am not sure if the recovery console was installed. Thank you

(estoy desesperado) (I am Desperate) Thanks

 

[tetonbob]

You're communicating from another machine, I take it?

I'd still like answers to these questions, please. I need to know more precisely what happened and when.

The power to the machine was lost during the process? Or the machine restarted as part of running ComboFix?

Did you see this while ComboFix was running?

Did you ever see this screen?

If Recovery Console was successfully installed, you will see an additional item in the initial bootup screen, under the main OS.

Please let me know, so I can devise a strategy.

 

[eddiedenise]

The combo Fix was running, but I didnt turn it off The Spyseewper program, so spyseewper ask me if allow install something, I said yes and after that nothing happend, so I turn it Off Manually the computer and when windos try to star show me this messages " STOP: C0000218 (rEGISTRY fILE fAILURE) tHE REGISTRY CANNOT LOAD THE HIVE (FILE):\SYSTEMROOT\SYSTEM32\CONFIG\DEFAULT OR ITS LOG OR ALTERNATE.
iT IS CORRUP, ABSENT ON NOT WRITABLE.

On top of it, I am trying to do recovery console but ask me for administrative password and noboday know the administartive password. Thank you so much for you help.

 

[tetonbob]

So, you do have the Recovery Console menu item?

Try just pressing Enter when it asks for the password. Let me know if you can access the Windows installation from Recovery Console then.

 

[eddiedenise]

Not I can not. ask me 3 times for the password

 

[tetonbob]

Without knowing what the admin password is, our options are limited. See if anyone can remember the password once more, before trying this next step.

We can try Last Known Good Configuration from the Windows Advanced Options menu.

Restart the computer, tapping the F8 key repeatedly until a menu shows up, and choose Last Known Good Configuration from the list.

When the Windows Advanced Options menu appears, use the ARROW keys to select Last Known Good Configuration (your most recent settings that worked), and then press ENTER.

Let me know if you can access Windows again.