Warning! S Detected On Your Computer.............help!!!
blueduke
Junior Member
18. June 2008 @ 21:35
Whenever I boot up my PC this message (Warning! Spyware Detected On Your Computer Install Anti Virus Or Spyware Remover To Clean Your Computer) appears on my desktop and won't go away. I ran HijackThis and here is the log file:

Quote:
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 9:25:25 PM, on 6/18/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16674)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Symantec\LiveUpdate\AluSchedulerSvc.exe
C:\WINDOWS\system32\cisvc.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\dllhost.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\AntiSpywareApp\Antispyware.exe
C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe
C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\ErrorSmart\ErrorSmart.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\WINDOWS\system32\cidaemon.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell4me.com/mywaybiz
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://securityresponse.symantec.com/avcenter/fix_homepage
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://us.rd.yahoo.com/customize/ie/defa...//www.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.com/customize/ie/defa...rch/search.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://us.rd.yahoo.com/customize/ie/defa...//www.yahoo.com
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
R3 - URLSearchHook: Kiwee Toolbar - {6638A9DE-0745-4292-8A2E-AE530E7B9B3F} - C:\Program Files\Kiwee Toolbar2\1.3.118\KiweeIEToolbar.dll
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
O2 - BHO: &Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: BrowsingEnhancer - {5ABBD91B-0215-2FE1-7A7E-753F05B40CB8} - C:\Program Files\BrowsingEnhancer\BrowsingEnhancer-2.dll
O2 - BHO: Yahoo! IE Services Button - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O2 - BHO: Kiwee Toolbar - {6638A9DE-0745-4292-8A2E-AE530E7B9B3F} - C:\Program Files\Kiwee Toolbar2\1.3.118\KiweeIEToolbar.dll
O2 - BHO: Symantec Intrusion Prevention - {6D53EC84-6AAE-4787-AEEE-F4628F01010C} - C:\PROGRA~1\COMMON~1\SYMANT~1\IDS\IPSBHO.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar3.dll
O2 - BHO: Windows Live Toolbar Helper - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar3.dll
O3 - Toolbar: Windows Live Toolbar - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll
O3 - Toolbar: Kiwee Toolbar - {6638A9DE-0745-4292-8A2E-AE530E7B9B3F} - C:\Program Files\Kiwee Toolbar2\1.3.118\KiweeIEToolbar.dll
O4 - HKLM\..\Run: [ErrorSmart] C:\Program Files\ErrorSmart\ErrorSmart.exe
O4 - HKLM\..\Run: [Support audio cool poll] C:\Documents and Settings\All Users\Application Data\INTERNET SPAM SUPPORT AUDIO\dvd rect.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [osCheck] "C:\Program Files\Norton AntiVirus\osCheck.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [AntiSpyware] C:\Program Files\AntiSpywareApp\Antispyware.exe -boot
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" -quiet
O8 - Extra context menu item: &AOL Toolbar search - res://C:\Program Files\AOL Toolbar\toolbar.dll/SEARCH.HTML
O8 - Extra context menu item: &Windows Live Search - res://C:\Program Files\Windows Live Toolbar\msntb.dll/search.htm
O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O8 - Extra context menu item: Add to Windows &Live Favorites - http://favorites.live.com/quickadd.aspx
O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycmap.htm
O8 - Extra context menu item: Yahoo! &SMS - file:///C:\Program Files\Yahoo!\Common/ycsms.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra button: Blog This - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - C:\Program Files\Windows Live\Writer\WriterBrowserExtension.dll
O9 - Extra 'Tools' menuitem: &Blog This in Windows Live Writer - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - C:\Program Files\Windows Live\Writer\WriterBrowserExtension.dll
O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: CabBuilder - http://kiw.imgag.com/imgag/kiw/toolbar/d...llerControl.cab
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (Installation Support) - C:\Program Files\Yahoo!\Common\Yinsthelper.dll
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupd...b?1176600440109
O20 - AppInit_DLLs: C:\PROGRA~1\Google\GOOGLE~2\GOEC62~1.DLL
O23 - Service: Lavasoft Ad-Aware Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\AluSchedulerSvc.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Symantec Lic NetConnect service (CLTNetCnService) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\LuComServer_3_4.EXE
O23 - Service: LiveUpdate Notice - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Symantec Core LC - Unknown owner - C:\PROGRA~1\COMMON~1\SYMANT~1\CCPD-LC\symlcsvc.exe

--
End of file - 9029 bytes
What can I do to get rid of this?????
blueduke
Junior Member
18. June 2008 @ 23:05
Ran an Ad-Aware scan and then ran HijackThis again, and here is the latest logfile:

Quote:
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 11:02:34 PM, on 6/18/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16674)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Symantec\LiveUpdate\AluSchedulerSvc.exe
C:\WINDOWS\system32\cisvc.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\dllhost.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\PROGRA~1\COMMON~1\SYMANT~1\CCPD-LC\symlcsvc.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell4me.com/mywaybiz
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://securityresponse.symantec.com/avcenter/fix_homepage
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://us.rd.yahoo.com/customize/ie/defa...//www.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.com/customize/ie/defa...rch/search.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://us.rd.yahoo.com/customize/ie/defa...//www.yahoo.com
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
R3 - URLSearchHook: Kiwee Toolbar - {6638A9DE-0745-4292-8A2E-AE530E7B9B3F} - C:\Program Files\Kiwee Toolbar2\1.3.118\KiweeIEToolbar.dll
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
O2 - BHO: &Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: BrowsingEnhancer - {5ABBD91B-0215-2FE1-7A7E-753F05B40CB8} - C:\Program Files\BrowsingEnhancer\BrowsingEnhancer-2.dll
O2 - BHO: Yahoo! IE Services Button - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O2 - BHO: Kiwee Toolbar - {6638A9DE-0745-4292-8A2E-AE530E7B9B3F} - C:\Program Files\Kiwee Toolbar2\1.3.118\KiweeIEToolbar.dll
O2 - BHO: Symantec Intrusion Prevention - {6D53EC84-6AAE-4787-AEEE-F4628F01010C} - C:\PROGRA~1\COMMON~1\SYMANT~1\IDS\IPSBHO.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar3.dll
O2 - BHO: Windows Live Toolbar Helper - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar3.dll
O3 - Toolbar: Windows Live Toolbar - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll
O3 - Toolbar: Kiwee Toolbar - {6638A9DE-0745-4292-8A2E-AE530E7B9B3F} - C:\Program Files\Kiwee Toolbar2\1.3.118\KiweeIEToolbar.dll
O4 - HKLM\..\Run: [Support audio cool poll] C:\Documents and Settings\All Users\Application Data\INTERNET SPAM SUPPORT AUDIO\dvd rect.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [osCheck] "C:\Program Files\Norton AntiVirus\osCheck.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" -quiet
O8 - Extra context menu item: &AOL Toolbar search - res://C:\Program Files\AOL Toolbar\toolbar.dll/SEARCH.HTML
O8 - Extra context menu item: &Windows Live Search - res://C:\Program Files\Windows Live Toolbar\msntb.dll/search.htm
O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O8 - Extra context menu item: Add to Windows &Live Favorites - http://favorites.live.com/quickadd.aspx
O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycmap.htm
O8 - Extra context menu item: Yahoo! &SMS - file:///C:\Program Files\Yahoo!\Common/ycsms.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra button: Blog This - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - C:\Program Files\Windows Live\Writer\WriterBrowserExtension.dll
O9 - Extra 'Tools' menuitem: &Blog This in Windows Live Writer - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - C:\Program Files\Windows Live\Writer\WriterBrowserExtension.dll
O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: CabBuilder - http://kiw.imgag.com/imgag/kiw/toolbar/d...llerControl.cab
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (Installation Support) - C:\Program Files\Yahoo!\Common\Yinsthelper.dll
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupd...b?1176600440109
O20 - AppInit_DLLs: C:\PROGRA~1\Google\GOOGLE~2\GOEC62~1.DLL
O23 - Service: Lavasoft Ad-Aware Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\AluSchedulerSvc.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Symantec Lic NetConnect service (CLTNetCnService) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\LuComServer_3_4.EXE
O23 - Service: LiveUpdate Notice - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Symantec Core LC - Unknown owner - C:\PROGRA~1\COMMON~1\SYMANT~1\CCPD-LC\symlcsvc.exe

--
End of file - 8793 bytes
Hope somebody can help me
AfterDawn Addict
19. June 2008 @ 01:24
Hi blueduke,

Click on start >>control panel>>add remove programs
click on the following programs

BrowsingEnhancer

and click on remove


Fix these entries using HiJackThis
Launch HiJackThis
Click the Do a system scan only button
Put a check next to the entries listed below (if they still exist):


O2 - BHO: BrowsingEnhancer - {5ABBD91B-0215-2FE1-7A7E-753F05B40CB8} - C:\Program Files\BrowsingEnhancer\BrowsingEnhancer-2.dll

O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)

O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)


Click the Fix checked button..


Close HijackThis and reboot.




Please download => ATF Cleaner by Atribune & save it to your desktop. DO NOT use yet.

Please download and install => SUPERAntiSpyware Free
• Double-click SUPERAntiSpyware.exe and use the default settings for installation.
• An icon will be created on your desktop. Double-click that icon to launch the program.
• If asked to update the program definitions, click "Yes". If not, update the definitions before scanning by selecting "Check for Updates". (If you encounter any problems while downloading the updates, manually download them from here and unzip into the program's folder.)
• Under the "Configuration and Preferences", click the Preferences... button.
• Click the "General and Startup" tab, and under Start-up Options, make sure "Start SUPERAntiSpyware when Windows starts" box is unchecked.
• Click the "Scanning Control" tab, and under Scanner Options, make sure the following are checked (leave all others unchecked):
  o Close browsers before scanning.
  o Scan for tracking cookies.
  o Terminate memory threats before quarantining.

• Click the "Close" button to leave the control center screen and exit the program.
• Do not run a scan just yet.


Reboot your computer in "Safe Mode" using the F8 method. To do this, restart your computer and after hearing your computer beep once during startup (but before the Windows icon appears) press the F8 key repeatedly. A menu will appear with several options. Use the arrow keys to navigate and select the option to run Windows in "Safe Mode".

Double-click ATF-Cleaner.exe to run the program.
• Under Main "Select Files to Delete" choose: Select All.
• Click the Empty Selected button.
• If you use Firefox browser click Firefox at the top and choose: Select All
• Click the Empty Selected button.
  If you would like to keep your saved passwords, please click No at the prompt.
• If you use Opera browser click Opera at the top and choose: Select All
• Click the Empty Selected button.
  If you would like to keep your saved passwords, please click No at the prompt.
• Click Exit on the Main menu to close the program.
Note: On Vista, "Windows Temp" is disabled. To empty "Windows Temp" ATF-Cleaner must be "Run as an Administrator".

Scan with SUPERAntiSpyware as follows:
• Launch the program and back on the main screen, under "Scan for Harmful Software" click Scan your computer.
• On the left, make sure you check C:\Fixed Drive.
• On the right, under "Complete Scan", choose Perform Complete Scan and click "Next".
• After the scan is complete, a Scan Summary box will appear with potentially harmful items that were detected. Click "OK".
• Make sure everything has a checkmark next to it and click "Next".
• A notification will appear that "Quarantine and Removal is Complete". Click "OK" and then click the "Finish" button to return to the main menu.
• If asked if you want to reboot, click "Yes" and reboot normally.
• To retrieve the removal information after reboot, launch SUPERAntiSpyware again.
  o Click Preferences, then click the Statistics/Logs tab.
  o Under Scanner Logs, double-click SUPERAntiSpyware Scan Log.
  o If there are several logs, click the current dated log and press View log. A text file will open in your default text editor.
  o Please copy and paste the Scan Log results in your next reply.

• Click Close to exit the program.

Reboot to Normal Mode

Please post a fresh HijackThis log and the SuperAntispyware Log in your next reply and tell us if you still have problems.

2OG



There are three kinds of men: The ones that learn by reading; The few who learn by observation;
The rest of them have to pee on the electric fence and find out for themselves...
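As an added illustration of the triage the helper does by hand above (not code from the thread, from HijackThis or from any product named here): a small Python parser for the R/O entries of a HijackThis v2 log that flags "(no file)" orphans and any CLSID on a caller-supplied block list, then diffs a before/after log to confirm a cleanup actually removed the entries. The two log excerpts are constructed from the thread's own logs, and the block list holds only the BrowsingEnhancer CLSID that the SUPERAntiSpyware log later in the thread reports as Trojan.Unclassified/SmartEnhancer-J.

```python
"""Parse Trend Micro HijackThis v2 log entries, triage them, and diff two logs.

Added example, not HijackThis code. The heuristics are the ones an analyst
applies by hand in the thread: registry entries pointing at "(no file)" are
orphans worth fixing, and a CLSID on a block list identifies a known-unwanted
component. Everything else is left for a human to judge.
"""
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Every entry line looks like "O2 - BHO: name - {CLSID} - path" or "R1 - key,value = url".
ENTRY_RE = re.compile(r"^(?P<code>[RO]\d{1,2}) - (?P<body>.+)$")
CLSID_RE = re.compile(r"\{[0-9A-Fa-f]{8}(?:-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}")


@dataclass(frozen=True)
class Entry:
    code: str             # section code, e.g. "O2", "O4", "R1"
    body: str             # everything after "Oxx - "
    clsid: Optional[str]  # first {GUID} in the body, upper-cased, if any
    target: str           # file, URL or "(no file)" the entry points at


def _target(code: str, body: str) -> str:
    """Pull out what the entry points at; the layout differs per section."""
    if code == "O4":                              # O4 - HKLM\..\Run: [name] "path" args
        return body.split("] ", 1)[-1].strip()
    if code in ("R0", "R1") and " = " in body:    # R1 - key,value = url
        return body.split(" = ", 1)[1].strip()
    if " - " in body:                             # O2/O3/O9/O16/O23: ... - path
        return body.rsplit(" - ", 1)[1].strip()
    return body.split(": ", 1)[-1].strip()        # O20 - AppInit_DLLs: path


def parse_log(text: str) -> List[Entry]:
    """Return the R/O entries of a log; the header and process list are skipped."""
    entries = []
    for line in text.splitlines():
        m = ENTRY_RE.match(line.strip())
        if m:
            code, body = m.group("code"), m.group("body")
            clsid = CLSID_RE.search(body)
            entries.append(Entry(code, body, clsid.group(0).upper() if clsid else None,
                                 _target(code, body)))
    return entries


def triage(entries: List[Entry], blocked_clsids=frozenset()) -> List[Tuple[Entry, str]]:
    """Flag orphaned entries and entries whose CLSID is on the block list."""
    findings = []
    for e in entries:
        if e.target == "(no file)":
            findings.append((e, "orphaned registry entry: no file on disk"))
        elif e.clsid and e.clsid in blocked_clsids:
            findings.append((e, "CLSID is on the block list"))
    return findings


def removed_entries(before: List[Entry], after: List[Entry]) -> List[Entry]:
    """Entries in the first log that are gone from the second: did the cleanup take?"""
    remaining = {e.body for e in after}
    return [e for e in before if e.body not in remaining]


# Constructed excerpts based on the thread's first (pre-cleanup) and third (post-SUPERAntiSpyware) logs.
LOG_BEFORE = r"""Logfile of Trend Micro HijackThis v2.0.2
Platform: Windows XP SP2 (WinNT 5.01.2600)

Running processes:
C:\WINDOWS\Explorer.EXE

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com
O2 - BHO: BrowsingEnhancer - {5ABBD91B-0215-2FE1-7A7E-753F05B40CB8} - C:\Program Files\BrowsingEnhancer\BrowsingEnhancer-2.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O20 - AppInit_DLLs: C:\PROGRA~1\Google\GOOGLE~2\GOEC62~1.DLL
"""

LOG_AFTER = r"""Logfile of Trend Micro HijackThis v2.0.2
Platform: Windows XP SP2 (WinNT 5.01.2600)

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O20 - AppInit_DLLs: C:\PROGRA~1\Google\GOOGLE~2\GOEC62~1.DLL
"""

# The only CLSID the thread itself identifies as unwanted (SUPERAntiSpyware: Trojan.Unclassified/SmartEnhancer-J).
BLOCKED_CLSIDS = frozenset({"{5ABBD91B-0215-2FE1-7A7E-753F05B40CB8}"})


def run_example():
    """Triage the before-log and confirm which entries the cleanup removed."""
    before, after = parse_log(LOG_BEFORE), parse_log(LOG_AFTER)
    return triage(before, BLOCKED_CLSIDS), removed_entries(before, after)


if __name__ == "__main__":
    flagged, gone = run_example()
    for entry, why in flagged:
        print(f"[{entry.code}] {why}: {entry.body}")
    for entry in gone:
        print(f"removed after cleanup: {entry.body}")
```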
edmund085
Suspended permanently
19. June 2008 @ 07:45
hello

I think you have a Vundo. But thanks. I have copied your HijackThis log. You help me a lot in my research, thanks again.
blueduke
Junior Member
20. June 2008 @ 01:12
2oldGeek... It's still there. Here are the logs:

SUPERAntiSpyware Scan Log
http://www.superantispyware.com

Generated 06/20/2008 at 00:53 AM

Application Version : 4.15.1000

Core Rules Database Version : 3486
Trace Rules Database Version: 1477

Scan type : Complete Scan
Total Scan Time : 01:44:21

Memory items scanned : 151
Memory threats detected : 0
Registry items scanned : 6316
Registry threats detected : 10
File items scanned : 68333
File threats detected : 1

Trojan.Unclassified/SmartEnhancer-J
HKLM\Software\Classes\CLSID\{5ABBD91B-0215-2FE1-7A7E-753F05B40CB8}
HKCR\CLSID\{5ABBD91B-0215-2FE1-7A7E-753F05B40CB8}
HKCR\CLSID\{5ABBD91B-0215-2FE1-7A7E-753F05B40CB8}
HKCR\CLSID\{5ABBD91B-0215-2FE1-7A7E-753F05B40CB8}#AppID
HKCR\CLSID\{5ABBD91B-0215-2FE1-7A7E-753F05B40CB8}\InprocServer32
HKCR\CLSID\{5ABBD91B-0215-2FE1-7A7E-753F05B40CB8}\InprocServer32#ThreadingModel
HKCR\CLSID\{5ABBD91B-0215-2FE1-7A7E-753F05B40CB8}\ProgID
HKCR\CLSID\{5ABBD91B-0215-2FE1-7A7E-753F05B40CB8}\Programmable
HKCR\CLSID\{5ABBD91B-0215-2FE1-7A7E-753F05B40CB8}\TypeLib
HKCR\CLSID\{5ABBD91B-0215-2FE1-7A7E-753F05B40CB8}\VersionIndependentProgID
C:\PROGRAM FILES\BROWSINGENHANCER\BROWSINGENHANCER-2.DLL

HijackThis log:
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 1:02:36 AM, on 6/20/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16674)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Symantec\LiveUpdate\AluSchedulerSvc.exe
C:\WINDOWS\system32\cisvc.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\dllhost.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\notepad.exe
C:\Program Files\Windows NT\Accessories\wordpad.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell4me.com/mywaybiz
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://us.rd.yahoo.com/customize/ie/defa...//www.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.com/customize/ie/defa...rch/search.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://us.rd.yahoo.com/customize/ie/defa...//www.yahoo.com
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
R3 - URLSearchHook: Kiwee Toolbar - {6638A9DE-0745-4292-8A2E-AE530E7B9B3F} - C:\Program Files\Kiwee Toolbar2\1.3.118\KiweeIEToolbar.dll
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
O2 - BHO: &Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: Yahoo! IE Services Button - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O2 - BHO: Kiwee Toolbar - {6638A9DE-0745-4292-8A2E-AE530E7B9B3F} - C:\Program Files\Kiwee Toolbar2\1.3.118\KiweeIEToolbar.dll
O2 - BHO: Symantec Intrusion Prevention - {6D53EC84-6AAE-4787-AEEE-F4628F01010C} - C:\PROGRA~1\COMMON~1\SYMANT~1\IDS\IPSBHO.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar3.dll
O2 - BHO: Windows Live Toolbar Helper - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar3.dll
O3 - Toolbar: Windows Live Toolbar - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll
O3 - Toolbar: Kiwee Toolbar - {6638A9DE-0745-4292-8A2E-AE530E7B9B3F} - C:\Program Files\Kiwee Toolbar2\1.3.118\KiweeIEToolbar.dll
O4 - HKLM\..\Run: [Support audio cool poll] C:\Documents and Settings\All Users\Application Data\INTERNET SPAM SUPPORT AUDIO\dvd rect.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [osCheck] "C:\Program Files\Norton AntiVirus\osCheck.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" -quiet
O8 - Extra context menu item: &AOL Toolbar search - res://C:\Program Files\AOL Toolbar\toolbar.dll/SEARCH.HTML
O8 - Extra context menu item: &Windows Live Search - res://C:\Program Files\Windows Live Toolbar\msntb.dll/search.htm
O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O8 - Extra context menu item: Add to Windows &Live Favorites - http://favorites.live.com/quickadd.aspx
O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycmap.htm
O8 - Extra context menu item: Yahoo! &SMS - file:///C:\Program Files\Yahoo!\Common/ycsms.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra button: Blog This - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - C:\Program Files\Windows Live\Writer\WriterBrowserExtension.dll
O9 - Extra 'Tools' menuitem: &Blog This in Windows Live Writer - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - C:\Program Files\Windows Live\Writer\WriterBrowserExtension.dll
O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: CabBuilder - http://kiw.imgag.com/imgag/kiw/toolbar/d...llerControl.cab
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (Installation Support) - C:\Program Files\Yahoo!\Common\Yinsthelper.dll
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupd...b?1176600440109
O20 - AppInit_DLLs: C:\PROGRA~1\Google\GOOGLE~2\GOEC62~1.DLL
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: Lavasoft Ad-Aware Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\AluSchedulerSvc.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Symantec Lic NetConnect service (CLTNetCnService) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\LuComServer_3_4.EXE
O23 - Service: LiveUpdate Notice - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Symantec Core LC - Unknown owner - C:\PROGRA~1\COMMON~1\SYMANT~1\CCPD-LC\symlcsvc.exe

--
End of file - 8543 bytes

Something interesting: on the desktop there is a shortcut for a program called "Ad-Watch". It has a shield for a logo and whenever I shut down XP, the box where you choose Shutdown or Restart has the same shield over the Shutdown option. I went into Control Panel to remove this program and it isn't there. I started to delete the shortcut and was notified it would only delete the shortcut but not the program, and was instructed to go into Add\Remove Programs in Control Panel to remove it, but as I said it isn't there.
AfterDawn Addict
20. June 2008 @ 05:12
Hi blueduke,

Yeah, you got a Trojan.

I am at work and limited on what I can do on this computer...

Download and run SDFix.exe (google it)

Then post a log from SDFix.. Your HJT log really doesn't show this Trojan.

The Ad-Watch is part of the Newer AdAware.. I never use it myself.

Give SDFix a go and see what it does..

2OG



There are three kinds of men: The ones that learn by reading; The few who learn by observation;
The rest of them have to pee on the electric fence and find out for themselves...
AfterDawn Addict
20. June 2008 @ 08:48
Hey blueduke,

Now that I'm home I'll repost...

Download SDFix and save it to your Desktop.
• Run the SDFix.exe by double clicking on it.
• Allow it to install into the default location which is normally c:\SDFix

Reboot your computer in "Safe Mode" using the F8 method. To do this, restart your computer and after hearing your computer beep once during startup (but before the Windows icon appears) press the F8 key repeatedly. A menu will appear with several options. Use the arrow keys to navigate and select the option to run Windows in "Safe Mode".

• When you have booted into safe mode, open the C:\SDFix folder and double click RunThis.bat to start the script.
• Type Y to begin the cleanup process.
• It will remove any Trojan Services or Registry entries found and then prompt you to press any key to Reboot.
• Press any Key and it will restart the PC.
• When the PC restarts the Fixtool will run again and complete the removal process then display Finished, press any key to end the script and load your desktop icons.
• Once the desktop icons load the SDFix report will open on screen and also save into the SDFix folder as Report.txt.
• Attach the Report.txt file to your next message.

Rerun SuperAntiSpyware in the Safe Mode and post the log along with Report.txt.

2OG


blueduke
Junior Member
20. June 2008 @ 19:32
2oldGeek...........still have that darn thing. Here are the logs you requested:

Quote:
SDFix: Version 1.195
Run by Administrator on Fri 06/20/2008 at 04:23 PM

Microsoft Windows XP [Version 5.1.2600]
Running From: C:\SDFix\SDFix

Checking Services :


Restoring Windows Registry Values
Restoring Windows Default Hosts File

Rebooting


Checking Files :

No Trojan Files Found






Removing Temp Files

ADS Check :



Final Check :

catchme 0.3.1361.2 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-06-20 16:32:14
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden services & system hive ...

scanning hidden registry entries ...

scanning hidden files ...

scan completed successfully
hidden processes: 0
hidden services: 0
hidden files: 0


Remaining Services :




Authorized Application Key Export:

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"C:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"="C:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe:*:Disabled:Yahoo! Messenger"
"C:\\Program Files\\iTunes\\iTunes.exe"="C:\\Program Files\\iTunes\\iTunes.exe:*:Enabled:iTunes"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\domainprofile\authorizedapplications\list]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"

Remaining Files :



Files with Hidden Attributes :

Mon 15 Jan 2007 262,144 A..H. --- "C:\Documents and Settings\LocalService\NTUSER.BAK"
Thu 1 Feb 2007 222,060 A..H. --- "C:\RECYCLER\S-1-5-18\Dc228.tmp"
Thu 1 Feb 2007 896,240 A..H. --- "C:\RECYCLER\S-1-5-18\Dc229.tmp"
Thu 1 Feb 2007 1,577,695 A..H. --- "C:\RECYCLER\S-1-5-18\Dc230.tmp"
Thu 1 Feb 2007 637,490 A..H. --- "C:\RECYCLER\S-1-5-18\Dc231.tmp"
Thu 1 Feb 2007 2,552,144 A..H. --- "C:\RECYCLER\S-1-5-18\Dc232.tmp"
Fri 19 Jan 2007 5,629,208 A..H. --- "C:\RECYCLER\S-1-5-18\Dc233.tmp"
Thu 1 Feb 2007 4,964,776 A..H. --- "C:\RECYCLER\S-1-5-18\Dc234.tmp"
Thu 1 Feb 2007 1,053,663 A..H. --- "C:\RECYCLER\S-1-5-18\Dc235.tmp"
Thu 1 Feb 2007 1,141,499 A..H. --- "C:\RECYCLER\S-1-5-18\Dc236.tmp"
Thu 1 Feb 2007 1,827,400 A..H. --- "C:\RECYCLER\S-1-5-18\Dc237.tmp"
Thu 1 Feb 2007 2,388,288 A..H. --- "C:\RECYCLER\S-1-5-18\Dc238.tmp"
Mon 3 Oct 2005 8 A..H. --- "C:\RECYCLER\S-1-5-18\Dc243.tmp"
Mon 3 Oct 2005 8 A..H. --- "C:\RECYCLER\S-1-5-18\Dc244.tmp"
Mon 3 Oct 2005 8 A..H. --- "C:\RECYCLER\S-1-5-18\Dc245.tmp"
Sun 8 Jun 2008 56 ..SHR --- "C:\WINDOWS\system32\58AFD8518D.sys"
Sun 8 Jun 2008 1,682 A.SH. --- "C:\WINDOWS\system32\KGyGaAvL.sys"
Sat 13 Jan 2007 4,348 A.SH. --- "C:\Documents and Settings\All Users\DRM\DRMv1.bak"
Sun 30 Mar 2008 0 A.SH. --- "C:\Documents and Settings\All Users\DRM\Cache\Indiv01.tmp"
Fri 18 Jan 2008 400 A..H. --- "C:\Program Files\Common Files\Symantec Shared\COH\COH32LU.reg"
Fri 18 Jan 2008 403 A..H. --- "C:\Program Files\Common Files\Symantec Shared\COH\COHDLU.reg"
Fri 4 Apr 2008 0 A..H. --- "C:\WINDOWS\SoftwareDistribution\Download\4844df1d57a292079101da42a26d7d72\BIT10.tmp"
Wed 16 Apr 2008 0 A..H. --- "C:\WINDOWS\SoftwareDistribution\Download\78670cbd6a90baaa408a8a72f52fdce2\BIT1.tmp"
Fri 4 Apr 2008 0 A..H. --- "C:\WINDOWS\SoftwareDistribution\Download\bc066f3f60df1b38218903dd0d40ce98\BIT11.tmp"
Sat 13 Jan 2007 4,348 ...H. --- "C:\Documents and Settings\owner\My Documents\My Music\Copia de seguridad de la licencia\drmv1key.bak"
Wed 26 Mar 2008 20 A..H. --- "C:\Documents and Settings\owner\My Documents\My Music\Copia de seguridad de la licencia\drmv1lic.bak"
Fri 12 Jan 2007 312 A.SH. --- "C:\Documents and Settings\owner\My Documents\My Music\Copia de seguridad de la licencia\drmv2key.bak"
Tue 13 Mar 2007 5,702,560 A..H. --- "C:\WINDOWS\SoftwareDistribution\Download\S-1-5-18\b4248c4c189bf5460d6eb98122ea18be\BIT1E.tmp"
Mon 3 Oct 2005 262,144 A..H. --- "C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.BAK"
Mon 3 Oct 2005 262,144 A..H. --- "C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.BAK"
Sat 13 Jan 2007 4,348 ...H. --- "C:\Documents and Settings\owner\Application Data\Real\Rhapsody\wmlicbackup\drmv1key.bak"
Sat 13 Jan 2007 20 A..H. --- "C:\Documents and Settings\owner\Application Data\Real\Rhapsody\wmlicbackup\drmv1lic.bak"
Fri 12 Jan 2007 312 A.SH. --- "C:\Documents and Settings\owner\Application Data\Real\Rhapsody\wmlicbackup\drmv2key.bak"
Mon 15 Jan 2007 262,144 A..H. --- "C:\Documents and Settings\owner\Local Settings\Application Data\Microsoft\Windows\UsrClass.BAK"
Sun 8 Apr 2007 8 A..H. --- "C:\Documents and Settings\owner\Application Data\Gtek\GTUpdate\AUpdate\Channels\ch_u1\lock.tmp"
Tue 10 Apr 2007 8 A..H. --- "C:\Documents and Settings\owner\Application Data\Gtek\GTUpdate\AUpdate\Channels\ch_u2\lock.tmp"
Mon 16 Apr 2007 8 A..H. --- "C:\Documents and Settings\owner\Application Data\Gtek\GTUpdate\AUpdate\Channels\ch_u3\lock.tmp"
Mon 16 Apr 2007 8 A..H. --- "C:\Documents and Settings\owner\Application Data\Gtek\GTUpdate\AUpdate\Channels\ch_u4\lock.tmp"
Tue 22 Jan 2008 8 A..H. --- "C:\Documents and Settings\owner\Application Data\Gtek\GTUpdate\AUpdate\Channels\ch_u5\lock.tmp"

Finished!

Quote:
SUPERAntiSpyware Scan Log
http://www.superantispyware.com

Generated 06/20/2008 at 06:45 PM

Application Version : 4.15.1000

Core Rules Database Version : 3486
Trace Rules Database Version: 1477

Scan type : Complete Scan
Total Scan Time : 01:44:49

Memory items scanned : 152
Memory threats detected : 0
Registry items scanned : 6315
Registry threats detected : 0
File items scanned : 69018
File threats detected : 11

Adware.Tracking Cookie
C:\Documents and Settings\owner\Cookies\owner@ads4.blastro[1].txt
C:\Documents and Settings\owner\Cookies\owner@bluestreak[2].txt
C:\Documents and Settings\owner\Cookies\owner@ads3.blastro[2].txt
C:\Documents and Settings\owner\Cookies\owner@2o7[1].txt
C:\Documents and Settings\owner\Cookies\owner@eas.apm.emediate[2].txt
C:\Documents and Settings\owner\Cookies\owner@ads2.blastro[1].txt
C:\Documents and Settings\owner\Cookies\owner@atdmt[1].txt
C:\Documents and Settings\owner\Cookies\owner@adopt.euroclick[2].txt
C:\Documents and Settings\owner\Cookies\owner@casalemedia[1].txt
C:\Documents and Settings\owner\Cookies\owner@doubleclick[1].txt
C:\Documents and Settings\owner\Cookies\owner@ad.yieldmanager[2].txt
ad.yieldmanager.com [ C:\Documents and Settings\owner\Application Data\Mozilla\Firefox\Profiles\69i58uds.default\cookies.txt ]
.doubleclick.net [ C:\Documents and Settings\owner\Application Data\Mozilla\Firefox\Profiles\69i58uds.default\cookies.txt ]
ad.yieldmanager.com [ C:\Documents and Settings\owner\Application Data\Mozilla\Firefox\Profiles\69i58uds.default\cookies.txt ]
ad.yieldmanager.com [ C:\Documents and Settings\owner\Application Data\Mozilla\Firefox\Profiles\69i58uds.default\cookies.txt ]
ad.yieldmanager.com [ C:\Documents and Settings\owner\Application Data\Mozilla\Firefox\Profiles\69i58uds.default\cookies.txt ]
ad.yieldmanager.com [ C:\Documents and Settings\owner\Application Data\Mozilla\Firefox\Profiles\69i58uds.default\cookies.txt ]
ad.yieldmanager.com [ C:\Documents and Settings\owner\Application Data\Mozilla\Firefox\Profiles\69i58uds.default\cookies.txt ]
.dynamic.media.adrevolver.com [ C:\Documents and Settings\owner\Application Data\Mozilla\Firefox\Profiles\69i58uds.default\cookies.txt ]
media.adrevolver.com [ C:\Documents and Settings\owner\Application Data\Mozilla\Firefox\Profiles\69i58uds.default\cookies.txt ]
.atdmt.com [ C:\Documents and Settings\owner\Application Data\Mozilla\Firefox\Profiles\69i58uds.default\cookies.txt ]

Any more suggestions? Thanks so much for your help thus far. I really appreciate it.
blueduke
Junior Member
20. June 2008 @ 19:58
Forgot to post the latest Hijack This log file:

Quote:
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 7:54:36 PM, on 6/20/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16674)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
C:\Program Files\Symantec\LiveUpdate\AluSchedulerSvc.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe
C:\WINDOWS\system32\cisvc.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\system32\dllhost.exe
C:\WINDOWS\system32\cidaemon.exe
C:\Program Files\Kiwee Toolbar2\1.3.118\kwtbaim.exe
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLLoginProxy.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell4me.com/mywaybiz
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://us.rd.yahoo.com/customize/ie/defa...//www.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.com/customize/ie/defa...rch/search.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://us.rd.yahoo.com/customize/ie/defa...//www.yahoo.com
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
R3 - URLSearchHook: Kiwee Toolbar - {6638A9DE-0745-4292-8A2E-AE530E7B9B3F} - C:\Program Files\Kiwee Toolbar2\1.3.118\KiweeIEToolbar.dll
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
O2 - BHO: &Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: Yahoo! IE Services Button - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O2 - BHO: Kiwee Toolbar - {6638A9DE-0745-4292-8A2E-AE530E7B9B3F} - C:\Program Files\Kiwee Toolbar2\1.3.118\KiweeIEToolbar.dll
O2 - BHO: Symantec Intrusion Prevention - {6D53EC84-6AAE-4787-AEEE-F4628F01010C} - C:\PROGRA~1\COMMON~1\SYMANT~1\IDS\IPSBHO.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar3.dll
O2 - BHO: Windows Live Toolbar Helper - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar3.dll
O3 - Toolbar: Windows Live Toolbar - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll
O3 - Toolbar: Kiwee Toolbar - {6638A9DE-0745-4292-8A2E-AE530E7B9B3F} - C:\Program Files\Kiwee Toolbar2\1.3.118\KiweeIEToolbar.dll
O4 - HKLM\..\Run: [Support audio cool poll] C:\Documents and Settings\All Users\Application Data\INTERNET SPAM SUPPORT AUDIO\dvd rect.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [osCheck] "C:\Program Files\Norton AntiVirus\osCheck.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" -quiet
O8 - Extra context menu item: &AOL Toolbar search - res://C:\Program Files\AOL Toolbar\toolbar.dll/SEARCH.HTML
O8 - Extra context menu item: &Windows Live Search - res://C:\Program Files\Windows Live Toolbar\msntb.dll/search.htm
O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O8 - Extra context menu item: Add to Windows &Live Favorites - http://favorites.live.com/quickadd.aspx
O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycmap.htm
O8 - Extra context menu item: Yahoo! &SMS - file:///C:\Program Files\Yahoo!\Common/ycsms.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra button: Blog This - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - C:\Program Files\Windows Live\Writer\WriterBrowserExtension.dll
O9 - Extra 'Tools' menuitem: &Blog This in Windows Live Writer - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - C:\Program Files\Windows Live\Writer\WriterBrowserExtension.dll
O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: CabBuilder - http://kiw.imgag.com/imgag/kiw/toolbar/d...llerControl.cab
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (Installation Support) - C:\Program Files\Yahoo!\Common\Yinsthelper.dll
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupd...b?1176600440109
O20 - AppInit_DLLs: C:\PROGRA~1\Google\GOOGLE~2\GOEC62~1.DLL
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: Lavasoft Ad-Aware Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\AluSchedulerSvc.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Symantec Lic NetConnect service (CLTNetCnService) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\LuComServer_3_4.EXE
O23 - Service: LiveUpdate Notice - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Symantec Core LC - Unknown owner - C:\PROGRA~1\COMMON~1\SYMANT~1\CCPD-LC\symlcsvc.exe

--
End of file - 8635 bytes

Senior Member
21. June 2008 @ 06:38
Hey 2oldgeek, just wanted to post some ideas and advice. Hope that's not interrupting anything :)

Hi blueduke. It seems that you have one of those newer rogue antimalware programs. This might render some older removal tools useless, but it's worth a try anyways.

It will seem that you will not be able to boot into safe mode. Try it anyways. If it works, proceed with all of the scans mentioned below in safe mode. If not, normal mode will be just fine.

First, download Smitfraudfix and run it. Post a log here.

Secondly, follow Ltangel's instructions on downloading and running Combofix in this thread: http://forums.afterdawn.com/thread_view.cfm/639221 Post the log here.

Third, download A-squared Free. Update it, and scan your computer with it. Do not remove anything, only post the scan log here.

Best Regards :D

AfterDawn Addict
21. June 2008 @ 09:10
Hey cdavfrew, normally when I get advice, it Costs me. LOL
The ideas run in the same channel as mine..

blueduke, please do what cdavfrew suggested and describe your symptoms a little more so we may be able to pin it down.. Thanks

Hang in there, blueduke... This too shall pass.


2OG

blueduke
Junior Member
21. June 2008 @ 17:04
Performed the scans you guys suggested and here are the reports:

Quote:
SmitFraud report:

SmitFraudFix v2.328

Scan done at 15:07:22.25, Sat 06/21/2008
Run from C:\Documents and Settings\owner\Desktop\SmitfraudFix
OS: Microsoft Windows XP [Version 5.1.2600] - Windows_NT
The filesystem type is NTFS
Fix run in normal mode

»»»»»»»»»»»»»»»»»»»»»»»» SharedTaskScheduler Before SmitFraudFix
!!!Attention, following keys are not inevitably infected!!!

SrchSTS.exe by S!Ri
Search SharedTaskScheduler's .dll

»»»»»»»»»»»»»»»»»»»»»»»» Killing process


»»»»»»»»»»»»»»»»»»»»»»»» hosts

127.0.0.1 localhost

»»»»»»»»»»»»»»»»»»»»»»»» VACFix

VACFix
Credits: Malware Analysis & Diagnostic
Code: S!Ri


»»»»»»»»»»»»»»»»»»»»»»»» Winsock2 Fix

S!Ri's WS2Fix: LSP not Found.
»»»»»»»»»»»»»»»»»»»»»»»» Generic Renos Fix

GenericRenosFix by S!Ri


»»»»»»»»»»»»»»»»»»»»»»»» Deleting infected files


»»»»»»»»»»»»»»»»»»»»»»»» IEDFix

IEDFix
Credits: Malware Analysis & Diagnostic
Code: S!Ri



»»»»»»»»»»»»»»»»»»»»»»»» 404Fix

404Fix
Credits: Malware Analysis & Diagnostic
Code: S!Ri


»»»»»»»»»»»»»»»»»»»»»»»» DNS

Description: Intel(R) PRO/100 VE Network Connection - Packet Scheduler Miniport
DNS Server Search Order: 192.168.1.254
DNS Server Search Order: 192.168.1.254

HKLM\SYSTEM\CCS\Services\Tcpip\..\{A49377CB-BC9B-4FD4-B1C0-B2B55FDA6C79}: DhcpNameServer=192.168.1.254 192.168.1.254
HKLM\SYSTEM\CS1\Services\Tcpip\..\{A49377CB-BC9B-4FD4-B1C0-B2B55FDA6C79}: DhcpNameServer=192.168.1.254 192.168.1.254
HKLM\SYSTEM\CS3\Services\Tcpip\..\{A49377CB-BC9B-4FD4-B1C0-B2B55FDA6C79}: DhcpNameServer=192.168.1.254 192.168.1.254
HKLM\SYSTEM\CCS\Services\Tcpip\Parameters: DhcpNameServer=192.168.1.254 192.168.1.254
HKLM\SYSTEM\CS1\Services\Tcpip\Parameters: DhcpNameServer=192.168.1.254 192.168.1.254
HKLM\SYSTEM\CS3\Services\Tcpip\Parameters: DhcpNameServer=192.168.1.254 192.168.1.254


»»»»»»»»»»»»»»»»»»»»»»»» Deleting Temp Files


»»»»»»»»»»»»»»»»»»»»»»»» Winlogon.System
!!!Attention, following keys are not inevitably infected!!!

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"System"=""


»»»»»»»»»»»»»»»»»»»»»»»» Registry Cleaning

Registry Cleaning done.

»»»»»»»»»»»»»»»»»»»»»»»» SharedTaskScheduler After SmitFraudFix
!!!Attention, following keys are not inevitably infected!!!

SrchSTS.exe by S!Ri
Search SharedTaskScheduler's .dll


»»»»»»»»»»»»»»»»»»»»»»»» End

Quote:
Combo-Fix Report:

ComboFix 08-06-20.4 - owner 2008-06-21 15:13:41.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.259 [GMT -4:00]
Running from: C:\Documents and Settings\owner\Desktop\Combo-Fix.exe
* Created a new restore point

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Documents and Settings\owner\Application Data\macromedia\Flash Player\#SharedObjects\ZGCDFSEY\www.broadcaster.com
C:\Documents and Settings\owner\Application Data\macromedia\Flash Player\macromedia.com\support\flashplayer\sys\#www.broadcaster.com
C:\Documents and Settings\owner\Application Data\macromedia\Flash Player\macromedia.com\support\flashplayer\sys\#www.broadcaster.com\settings.sol
C:\Documents and Settings\owner\first.main
C:\Documents and Settings\owner\wef.log
C:\Program Files\installer\.lock
C:\WINDOWS\system32\pc.dll

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_DRV


((((((((((((((((((((((((( Files Created from 2008-05-21 to 2008-06-21 )))))))))))))))))))))))))))))))
.

2008-06-21 14:51 . 2008-06-21 15:07 1,038 --a------ C:\WINDOWS\system32\tmp.reg
2008-06-20 23:14 . 2008-06-20 23:14 <DIR> d-------- C:\Documents and Settings\LocalService\Application Data\Yahoo!
2008-06-20 22:30 . 2008-06-21 05:00 <DIR> d-a------ C:\Documents and Settings\All Users\Application Data\TEMP
2008-06-20 16:42 . 2008-06-20 16:42 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\SUPERAntiSpyware.com
2008-06-20 16:18 . 2008-06-20 16:18 <DIR> d-------- C:\WINDOWS\ERUNT
2008-06-20 16:08 . 2008-06-20 11:55 <DIR> d-------- C:\SDFix
2008-06-19 22:48 . 2008-06-19 22:48 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\SUPERAntiSpyware.com
2008-06-19 22:47 . 2008-06-19 22:47 <DIR> d-------- C:\Program Files\SUPERAntiSpyware
2008-06-19 22:47 . 2008-06-19 22:47 <DIR> d-------- C:\Documents and Settings\owner\Application Data\SUPERAntiSpyware.com
2008-06-18 21:25 . 2008-06-18 21:25 <DIR> d-------- C:\Program Files\Trend Micro
2008-06-18 18:32 . 2008-06-18 18:32 <DIR> d-------- C:\Program Files\Lavasoft
2008-06-18 18:32 . 2008-06-18 18:34 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Lavasoft
2008-06-18 18:30 . 2008-06-19 22:46 <DIR> d-------- C:\Program Files\Common Files\Wise Installation Wizard
2008-06-18 18:05 . 2008-06-13 09:10 272,128 --------- C:\WINDOWS\system32\drivers\bthport.sys
2008-06-18 18:05 . 2008-06-13 09:10 272,128 --------- C:\WINDOWS\system32\dllcache\bthport.sys
2008-06-13 14:45 . 2008-06-13 14:45 579,464 --a------ C:\WINDOWS\system32\SymNeti.dll
2008-06-13 14:45 . 2008-06-13 14:45 207,240 --a------ C:\WINDOWS\system32\SymRedir.dll
2008-06-13 14:14 . 2008-06-13 14:14 31,280 --a------ C:\WINDOWS\system32\drivers\SymIM.sys
2008-06-13 14:14 . 2008-06-13 14:14 13,093 --a------ C:\WINDOWS\system32\drivers\SymRedir.cat
2008-06-13 14:14 . 2008-06-13 14:14 1,611 --a------ C:\WINDOWS\system32\drivers\SymRedir.inf
2008-06-13 14:13 . 2008-06-13 14:13 184,240 --a------ C:\WINDOWS\system32\drivers\symtdi.sys
2008-06-13 14:13 . 2008-06-13 14:13 96,432 --a------ C:\WINDOWS\system32\drivers\symfw.sys
2008-06-13 14:13 . 2008-06-13 14:13 41,008 --a------ C:\WINDOWS\system32\drivers\symndisv.sys
2008-06-13 14:13 . 2008-06-13 14:13 38,576 --a------ C:\WINDOWS\system32\drivers\symids.sys
2008-06-13 14:13 . 2008-06-13 14:13 37,424 --a------ C:\WINDOWS\system32\drivers\symndis.sys
2008-06-13 14:13 . 2008-06-13 14:13 22,320 --a------ C:\WINDOWS\system32\drivers\symredrv.sys
2008-06-13 14:13 . 2008-06-13 14:13 13,616 --a------ C:\WINDOWS\system32\drivers\symdns.sys
2008-06-08 16:47 . 2008-06-08 16:47 <DIR> d-------- C:\Program Files\Windows Sidebar
2008-06-08 16:47 . 2008-06-08 16:52 <DIR> d-------- C:\Program Files\Norton AntiVirus
2008-06-08 16:46 . 2008-06-20 19:21 <DIR> d-------- C:\Program Files\Symantec
2008-06-08 16:46 . 2008-06-20 19:21 123,952 --a------ C:\WINDOWS\system32\drivers\SYMEVENT.SYS
2008-06-08 16:46 . 2008-06-20 19:21 60,800 --a------ C:\WINDOWS\system32\S32EVNT1.DLL
2008-06-08 16:46 . 2008-06-20 19:21 10,671 --a------ C:\WINDOWS\system32\drivers\SYMEVENT.CAT
2008-06-08 16:46 . 2008-06-20 19:21 805 --a------ C:\WINDOWS\system32\drivers\SYMEVENT.INF
2008-06-08 15:41 . 2008-06-08 15:41 <DIR> d-------- C:\Program Files\MSXML 6.0
2008-06-08 11:38 . 2008-06-08 11:38 <DIR> d-------- C:\Documents and Settings\owner\Application Data\shcjrej0ep6p
2008-06-08 11:37 . 2008-06-08 15:45 90,838 --a------ C:\WINDOWS\system32\phclrej0ep6p.bmp

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-06-21 19:17 --------- d-----w C:\Program Files\Common Files\Symantec Shared
2008-06-21 19:13 --------- d-----w C:\Program Files\installer
2008-06-18 23:19 --------- d-----w C:\Documents and Settings\All Users\Application Data\Kiwee Toolbar2
2008-06-08 21:13 --------- d-----w C:\Documents and Settings\All Users\Application Data\Symantec
2008-06-08 21:12 --------- d-----w C:\Documents and Settings\owner\Application Data\Flapgreat
2008-06-08 19:58 --------- d-----w C:\Documents and Settings\All Users\Application Data\INTERNET SPAM SUPPORT AUDIO
2008-05-25 23:29 --------- d-----w C:\Program Files\Microsoft Silverlight
2008-05-22 00:44 --------- d-----w C:\Program Files\LimeWire
2008-05-08 12:28 202,752 ----a-w C:\WINDOWS\system32\drivers\rmcast.sys
2008-05-02 02:13 --------- d-----w C:\Program Files\SP2 Connection Patcher
2008-05-02 01:48 --------- d-----w C:\Program Files\LimeWire Download Accelerator
2008-04-29 15:20 15,648 ----a-w C:\WINDOWS\system32\drivers\NSDriver.sys
2008-04-29 15:19 15,648 ----a-w C:\WINDOWS\system32\drivers\Awrtrd.sys
2008-04-29 15:19 12,960 ----a-w C:\WINDOWS\system32\drivers\Awrtpd.sys
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{6638A9DE-0745-4292-8A2E-AE530E7B9B3F}]
2008-02-18 15:01 248976 --a------ C:\Program Files\Kiwee Toolbar2\1.3.118\KiweeIEToolbar.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{6D53EC84-6AAE-4787-AEEE-F4628F01010C}]
2008-06-08 16:50 116088 --a------ C:\PROGRA~1\COMMON~1\SYMANT~1\IDS\IPSBHO.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
"{6638A9DE-0745-4292-8A2E-AE530E7B9B3F}"= "C:\Program Files\Kiwee Toolbar2\1.3.118\KiweeIEToolbar.dll" [2008-02-18 15:01 248976]

[HKEY_CLASSES_ROOT\clsid\{6638a9de-0745-4292-8a2e-ae530e7b9b3f}]
[HKEY_CLASSES_ROOT\KiweeIEToolbar.KiweeToolbar.1]
[HKEY_CLASSES_ROOT\TypeLib\{259EEB17-79AA-44DF-8410-8E55F82A902A}]
[HKEY_CLASSES_ROOT\KiweeIEToolbar.KiweeToolbar]

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser]
"{6638A9DE-0745-4292-8A2E-AE530E7B9B3F}"= C:\Program Files\Kiwee Toolbar2\1.3.118\KiweeIEToolbar.dll [2008-02-18 15:01 248976]

[HKEY_CLASSES_ROOT\clsid\{6638a9de-0745-4292-8a2e-ae530e7b9b3f}]
[HKEY_CLASSES_ROOT\KiweeIEToolbar.KiweeToolbar.1]
[HKEY_CLASSES_ROOT\TypeLib\{259EEB17-79AA-44DF-8410-8E55F82A902A}]
[HKEY_CLASSES_ROOT\KiweeIEToolbar.KiweeToolbar]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-10 06:00 15360]
"Yahoo! Pager"="C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" [2007-08-30 17:43 4670704]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Support audio cool poll"="C:\Documents and Settings\All Users\Application Data\INTERNET SPAM SUPPORT AUDIO\dvd rect.exe" [2008-06-21 15:20 4794880]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2008-03-28 23:37 413696]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2008-03-30 10:36 267048]
"ccApp"="C:\Program Files\Common Files\Symantec Shared\ccApp.exe" [2008-01-25 17:47 51048]
"osCheck"="C:\Program Files\Norton AntiVirus\osCheck.exe" [2008-02-06 22:49 718704]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"InstallVisualStyle"= C:\WINDOWS\Resources\Themes\Royale\Royale.msstyles
"InstallTheme"= C:\WINDOWS\Resources\Themes\Royale.theme

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= C:\Program Files\SUPERAntiSpyware\SASSEH.DLL [2008-05-13 10:13 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
C:\Program Files\SUPERAntiSpyware\SASWINLO.dll 2007-04-19 13:41 294912 C:\Program Files\SUPERAntiSpyware\SASWINLO.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=C:\PROGRA~1\Google\GOOGLE~2\GOEC62~1.DLL

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^hp psc 1000 series.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\hp psc 1000 series.lnk
backup=C:\WINDOWS\pss\hp psc 1000 series.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^hpoddt01.exe.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\hpoddt01.exe.lnk
backup=C:\WINDOWS\pss\hpoddt01.exe.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Monitor.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Monitor.lnk
backup=C:\WINDOWS\pss\Monitor.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AntiSpyware]
C:\Program Files\AntiSpywareApp\Antispyware.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ATIPTA]
--a------ 2005-03-29 22:05 339968 C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ccApp]
--a------ 2008-01-25 17:47 51048 C:\Program Files\Common Files\Symantec Shared\ccApp.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ctfmon.exe]
--a--c--- 2004-08-10 06:00 15360 C:\WINDOWS\system32\ctfmon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DellSupport]
--a------ 2007-03-15 11:09 460784 C:\Program Files\DellSupport\DSAgnt.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DellSupportCenter]
--a------ 2007-11-15 10:23 202544 C:\Program Files\Dell Support Center\bin\sprtcmd.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\dscactivate]
--a------ 2007-11-15 10:24 16384 C:\Program Files\Dell Support Center\gs_agent\custom\dsca.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ehTray]
--a------ 2005-08-05 13:56 64512 C:\WINDOWS\ehome\ehtray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ErrorSmart]
C:\Program Files\ErrorSmart\ErrorSmart.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Google Desktop Search]
--a------ 2007-08-16 22:03 1838592 C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IntelMeM]
--a------ 2003-09-03 21:12 221184 C:\Program Files\Intel\Modem Event Monitor\IntelMEM.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ISUSPM Startup]
--a------ 2004-07-27 17:50 221184 C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ISUSScheduler]
--a------ 2004-07-27 17:50 81920 C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
--a------ 2008-03-30 10:36 267048 C:\Program Files\iTunes\iTunesHelper.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\KiweeHook]
--a------ 2008-02-18 15:01 48264 C:\Program Files\Kiwee Toolbar2\1.3.118\kwtbaim.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MsnMsgr]
--a------ 2007-10-18 12:34 5724184 C:\Program Files\Windows Live\Messenger\MsnMsgr.Exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\osCheck]
--a------ 2008-02-06 22:49 718704 C:\Program Files\Norton AntiVirus\osCheck.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
--a------ 2008-03-28 23:37 413696 C:\Program Files\QuickTime\qttask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RULEREMOTE]
C:\DOCUME~1\owner\APPLIC~1\FLAPGR~1\creative open.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SigmatelSysTrayApp]
--a------ 2005-03-23 01:20 339968 C:\WINDOWS\stsystra.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SP2 Connection Patcher]
C:\Program Files\SP2 Connection Patcher\SP2ConnPatcher.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
--a------ 2008-02-22 05:25 144784 C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Support audio cool poll]
C:\Documents and Settings\All Users\Application Data\INTERNET SPAM SUPPORT AUDIO\Dumb way.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Synchronization Manager]
--a--c--- 2004-08-10 06:00 143360 C:\WINDOWS\system32\mobsync.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Yahoo! Pager]
--a------ 2007-08-30 17:43 4670704 C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"WMPNetworkSvc"=3 (0x3)
"WLSetupSvc"=3 (0x3)
"usnjsvc"=3 (0x3)
"Symantec Core LC"=3 (0x3)
"sprtsvc_dellsupportcenter"=2 (0x2)
"Pml Driver HPZ12"=3 (0x3)
"LiveUpdate Notice"=2 (0x2)
"LiveUpdate"=3 (0x3)
"iPod Service"=3 (0x3)
"idsvc"=3 (0x3)
"gusvc"=3 (0x3)
"GoogleDesktopManager"=3 (0x3)
"dvpapi"=2 (0x2)
"DSBrokerService"=3 (0x3)
"CLTNetCnService"=2 (0x2)
"ccSetMgr"=2 (0x2)
"ccEvtMgr"=2 (0x2)
"Bonjour Service"=2 (0x2)
"Automatic LiveUpdate Scheduler"=2 (0x2)
"Ati HotKey Poller"=2 (0x2)
"Apple Mobile Device"=2 (0x2)

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=
"C:\\Program Files\\iTunes\\iTunes.exe"=

R2 LiveUpdate Notice;LiveUpdate Notice;"C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe" /h ccCommon []
S3 COH_Mon;COH_Mon;C:\WINDOWS\system32\Drivers\COH_Mon.sys [2008-03-06 21:32]
S3 NAL;Nal Service ;C:\WINDOWS\system32\Drivers\iqvw32.sys [2004-11-02 16:12]
S4 sprtsvc_dellsupportcenter;SupportSoft Sprocket Service (dellsupportcenter);C:\Program Files\Dell Support Center\bin\sprtsvc.exe [2007-11-15 10:23]

.
Contents of the 'Scheduled Tasks' folder
"2008-04-19 21:39:48 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job"
- C:\Program Files\Apple Software Update\SoftwareUpdate.exe
"2008-06-21 19:03:01 C:\WINDOWS\Tasks\Check Updates for Windows Live Toolbar.job"
- C:\Program Files\Windows Live Toolbar\MSNTBUP.EXE
"2007-06-02 18:25:09 C:\WINDOWS\Tasks\FRU Task #Hewlett-Packard#hp psc 1200 series#1172085817.job"
- C:\Program Files\Hewlett-Packard\Digital Imaging\Bin\hpqfrucl.exe4-I
"2008-06-08 20:59:23 C:\WINDOWS\Tasks\Norton AntiVirus - Run Full System Scan - owner.job"
- C:\Program Files\Norton AntiVirus\Navw32.exeh/TASK:
"2008-03-30 05:14:05 C:\WINDOWS\Tasks\RegistrySmart Scheduled Scan.job"
- C:\Program Files\RegistrySmart\RegistrySmart.ex
- C:\Program Files\RegistrySmart
.
**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-06-21 15:18:02
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
------------------------ Other Running Processes ------------------------
.
C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Symantec\LiveUpdate\AluSchedulerSvc.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\ehome\ehrecvr.exe
C:\WINDOWS\ehome\ehSched.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\system32\dllhost.exe
.
**************************************************************************
.
Completion time: 2008-06-21 15:22:34 - machine was rebooted
ComboFix-quarantined-files.txt 2008-06-21 19:22:28

Pre-Run: 50,032,349,184 bytes free
Post-Run: 49,983,827,968 bytes free

254 --- E O F --- 2008-06-20 19:50:58
Quote:
A2 scan report (as advised, I haven't deleted or quarantined these yet):

a-squared Free - Version 3.5
Last update: 6/21/2008 3:32:37 PM

Scan settings:

Objects: Memory, Traces, Cookies, C:\
Scan archives: On
Heuristics: On
ADS Scan: On

Scan start: 6/21/2008 3:34:03 PM

Key: HKEY_USERS\S-1-5-21-2085937159-2599583352-3907660362-1005\software\kazaa detected: Trace.Registry.KaZaA
c:\program files\the weather channel fw detected: Trace.Directory.Desktop Weather
c:\program files\the weather channel fw\desktop weather detected: Trace.Directory.Desktop Weather
c:\program files\the weather channel fw\desktop weather\desktopweather.exe detected: Trace.File.Desktop Weather
c:\program files\the weather channel fw\desktop weather\eula.html detected: Trace.File.Desktop Weather
c:\program files\the weather channel fw\desktop weather\install.log detected: Trace.File.Desktop Weather
c:\program files\the weather channel fw\desktop weather\theweatherchannelcustomuninstall.exe detected: Trace.File.Desktop Weather
Value: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\The Weather Channel Desktop --> DisplayName detected: Trace.Registry.Desktop Weather
Value: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\The Weather Channel Desktop --> UninstallString detected: Trace.Registry.Desktop Weather
Value: HKEY_CLASSES_ROOT\Media Type\Extensions\.avi --> Source Filter detected: Trace.Registry.DivoCodec
Value: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Media Type\Extensions\.avi --> Source Filter detected: Trace.Registry.DivoCodec
Value: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\372450BD3522B904AA8D4923C8DCEBF0 --> 97886266C512B5D41B79D1898633B9DA detected: Trace.Registry.ErrorSmart
Value: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\473D1B29F95B96241830B6A6ADE19368 --> 97886266C512B5D41B79D1898633B9DA detected: Trace.Registry.ErrorSmart
Value: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\5A144BD76064D1645B6E74C0734EE406 --> 97886266C512B5D41B79D1898633B9DA detected: Trace.Registry.ErrorSmart
Value: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\965DCC82BC551DF439B28676F8AB79E0 --> 97886266C512B5D41B79D1898633B9DA detected: Trace.Registry.ErrorSmart
Value: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\BCF26265A8C1F104A88C5E4B28BEAED2 --> 97886266C512B5D41B79D1898633B9DA detected: Trace.Registry.ErrorSmart
Value: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\97886266C512B5D41B79D1898633B9DA\Features --> OptimizerApplication detected: Trace.Registry.ErrorSmart
Value: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\97886266C512B5D41B79D1898633B9DA\InstallProperties --> AuthorizedCDFPrefix detected: Trace.Registry.ErrorSmart
Value: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\97886266C512B5D41B79D1898633B9DA\InstallProperties --> Comments detected: Trace.Registry.ErrorSmart
Value: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\97886266C512B5D41B79D1898633B9DA\InstallProperties --> Contact detected: Trace.Registry.ErrorSmart
Value: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\97886266C512B5D41B79D1898633B9DA\InstallProperties --> DisplayName detected: Trace.Registry.ErrorSmart
Value: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\97886266C512B5D41B79D1898633B9DA\InstallProperties --> DisplayVersion detected: Trace.Registry.ErrorSmart
Value: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\97886266C512B5D41B79D1898633B9DA\InstallProperties --> EstimatedSize detected: Trace.Registry.ErrorSmart
Value: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\97886266C512B5D41B79D1898633B9DA\InstallProperties --> HelpLink detected: Trace.Registry.ErrorSmart
Value: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\97886266C512B5D41B79D1898633B9DA\InstallProperties --> HelpTelephone detected: Trace.Registry.ErrorSmart
Value: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\97886266C512B5D41B79D1898633B9DA\InstallProperties --> InstallDate detected: Trace.Registry.ErrorSmart
Value: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\97886266C512B5D41B79D1898633B9DA\InstallProperties --> InstallLocation detected: Trace.Registry.ErrorSmart
Value: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\97886266C512B5D41B79D1898633B9DA\InstallProperties --> InstallSource detected: Trace.Registry.ErrorSmart
Value: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\97886266C512B5D41B79D1898633B9DA\InstallProperties --> Language detected: Trace.Registry.ErrorSmart
Value: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\97886266C512B5D41B79D1898633B9DA\InstallProperties --> LocalPackage detected: Trace.Registry.ErrorSmart
Value: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\97886266C512B5D41B79D1898633B9DA\InstallProperties --> ModifyPath detected: Trace.Registry.ErrorSmart
Value: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\97886266C512B5D41B79D1898633B9DA\InstallProperties --> NoModify detected: Trace.Registry.ErrorSmart
Value: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\97886266C512B5D41B79D1898633B9DA\InstallProperties --> Publisher detected: Trace.Registry.ErrorSmart
Value: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\97886266C512B5D41B79D1898633B9DA\InstallProperties --> Readme detected: Trace.Registry.ErrorSmart
Value: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\97886266C512B5D41B79D1898633B9DA\InstallProperties --> Size detected: Trace.Registry.ErrorSmart
Value: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\97886266C512B5D41B79D1898633B9DA\InstallProperties --> UninstallString detected: Trace.Registry.ErrorSmart
Value: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\97886266C512B5D41B79D1898633B9DA\InstallProperties --> URLInfoAbout detected: Trace.Registry.ErrorSmart
Value: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\97886266C512B5D41B79D1898633B9DA\InstallProperties --> URLUpdateInfo detected: Trace.Registry.ErrorSmart
Value: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\97886266C512B5D41B79D1898633B9DA\InstallProperties --> Version detected: Trace.Registry.ErrorSmart
Value: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\97886266C512B5D41B79D1898633B9DA\InstallProperties --> VersionMajor detected: Trace.Registry.ErrorSmart
Value: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\97886266C512B5D41B79D1898633B9DA\InstallProperties --> VersionMinor detected: Trace.Registry.ErrorSmart
Value: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\97886266C512B5D41B79D1898633B9DA\InstallProperties --> WindowsInstaller detected: Trace.Registry.ErrorSmart
Value: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\97886266C512B5D41B79D1898633B9DA\Patches --> AllPatches detected: Trace.Registry.ErrorSmart
c:\documents and settings\owner\application data\registrysmart detected: Trace.Directory.RegistrySmart
Value: HKEY_USERS\S-1-5-21-2085937159-2599583352-3907660362-1005\Software\RegistrySmart\RegistrySmart\SectionToScan --> CheckAppPaths detected: Trace.Registry.RegistrySmart
Value: HKEY_USERS\S-1-5-21-2085937159-2599583352-3907660362-1005\Software\RegistrySmart\RegistrySmart\SectionToScan --> CheckComReg detected: Trace.Registry.RegistrySmart
Value: HKEY_USERS\S-1-5-21-2085937159-2599583352-3907660362-1005\Software\RegistrySmart\RegistrySmart\SectionToScan --> CheckDrivers detected: Trace.Registry.RegistrySmart
Value: HKEY_USERS\S-1-5-21-2085937159-2599583352-3907660362-1005\Software\RegistrySmart\RegistrySmart\SectionToScan --> CheckFileAss detected: Trace.Registry.RegistrySmart
Value: HKEY_USERS\S-1-5-21-2085937159-2599583352-3907660362-1005\Software\RegistrySmart\RegistrySmart\SectionToScan --> CheckFonts detected: Trace.Registry.RegistrySmart
Value: HKEY_USERS\S-1-5-21-2085937159-2599583352-3907660362-1005\Software\RegistrySmart\RegistrySmart\SectionToScan --> CheckHelpDiles detected: Trace.Registry.RegistrySmart
Value: HKEY_USERS\S-1-5-21-2085937159-2599583352-3907660362-1005\Software\RegistrySmart\RegistrySmart\SectionToScan --> CheckHistory detected: Trace.Registry.RegistrySmart
Value: HKEY_USERS\S-1-5-21-2085937159-2599583352-3907660362-1005\Software\RegistrySmart\RegistrySmart\SectionToScan --> CheckServices detected: Trace.Registry.RegistrySmart
Value: HKEY_USERS\S-1-5-21-2085937159-2599583352-3907660362-1005\Software\RegistrySmart\RegistrySmart\SectionToScan --> CheckSharedFiles detected: Trace.Registry.RegistrySmart
Value: HKEY_USERS\S-1-5-21-2085937159-2599583352-3907660362-1005\Software\RegistrySmart\RegistrySmart\SectionToScan --> CheckShortcuts detected: Trace.Registry.RegistrySmart
Value: HKEY_USERS\S-1-5-21-2085937159-2599583352-3907660362-1005\Software\RegistrySmart\RegistrySmart\SectionToScan --> CheckSounds detected: Trace.Registry.RegistrySmart
Value: HKEY_USERS\S-1-5-21-2085937159-2599583352-3907660362-1005\Software\RegistrySmart\RegistrySmart\SectionToScan --> CheckStartup detected: Trace.Registry.RegistrySmart
Value: HKEY_USERS\S-1-5-21-2085937159-2599583352-3907660362-1005\Software\RegistrySmart\RegistrySmart\SectionToScan --> CheckUninstall detected: Trace.Registry.RegistrySmart
Value: HKEY_USERS\S-1-5-21-2085937159-2599583352-3907660362-1005\Software\RegistrySmart\RegistrySmart\SectionToScan --> CheckUser detected: Trace.Registry.RegistrySmart
C:\Documents and Settings\owner\Cookies\owner@2o7[2].txt detected: Trace.TrackingCookie
C:\Documents and Settings\owner\Cookies\owner@doubleclick[1].txt detected: Trace.TrackingCookie
C:\Documents and Settings\owner\Cookies\owner@fastclick[1].txt detected: Trace.TrackingCookie
C:\Documents and Settings\owner\Cookies\owner@media.adrevolver[2].txt detected: Trace.TrackingCookie
C:\Documents and Settings\owner\Cookies\owner@media.adrevolver[3].txt detected: Trace.TrackingCookie
C:\Documents and Settings\owner\Cookies\owner@questionmarket[1].txt detected: Trace.TrackingCookie
C:\Documents and Settings\owner\Application Data\Mozilla\Firefox\Profiles\69i58uds.default\cookies.txt:15 detected: Trace.TrackingCookie
C:\Documents and Settings\owner\Application Data\Mozilla\Firefox\Profiles\69i58uds.default\cookies.txt:16 detected: Trace.TrackingCookie
C:\Documents and Settings\owner\Application Data\Mozilla\Firefox\Profiles\69i58uds.default\cookies.txt:17 detected: Trace.TrackingCookie
C:\Config.Msi\c031b.rbf detected: Riskware.FraudTool.Win32.AntiSpywareBot.bd
C:\Config.Msi\c031c.rbf detected: Riskware.FraudTool.Win32.AntiSpywareBot.ac
C:\Documents and Settings\owner\Application Data\Yahoo!\Mail\attach\SDFix.exe/Process.exe detected: Riskware.RiskTool.Win32.Processor.20
C:\Documents and Settings\owner\Desktop\SDFix.exe/Process.exe detected: Riskware.RiskTool.Win32.Processor.20
C:\Documents and Settings\owner\Desktop\SmitfraudFix\Process.exe detected: Riskware.RiskTool.Win32.Processor.20
C:\Documents and Settings\owner\Desktop\SmitfraudFix\Reboot.exe detected: Riskware.RiskTool.Win32.Reboot.f
C:\Program Files\DIGStream\digstream.exe detected: Riskware.Downloader.Win32.DigStream
C:\Program Files\Kiwee Toolbar2\1.3.118\KiweeContentHost.dll detected: Trojan-Downloader.Win32.Zlob.meq
C:\SDFix\apps\Process.exe detected: Riskware.RiskTool.Win32.Processor.20
C:\SDFix\SDFix\apps\Process.exe detected: Riskware.RiskTool.Win32.Processor.20
C:\System Volume Information\_restore{3DBD88D2-9FFC-498B-A689-A4771362F918}\RP18\A0011070.exe detected: Trojan.Win32.Obfuscated.lr
C:\System Volume Information\_restore{3DBD88D2-9FFC-498B-A689-A4771362F918}\RP18\A0011076.exe detected: Trojan.Win32.Obfuscated.en
C:\System Volume Information\_restore{3DBD88D2-9FFC-498B-A689-A4771362F918}\RP18\A0011077.exe detected: Trojan.Win32.Obfuscated.en
C:\System Volume Information\_restore{3DBD88D2-9FFC-498B-A689-A4771362F918}\RP18\A0011078.exe detected: Trojan.Win32.Obfuscated.en
C:\System Volume Information\_restore{3DBD88D2-9FFC-498B-A689-A4771362F918}\RP18\A0011083.exe detected: Trojan.Win32.Obfuscated.en
C:\System Volume Information\_restore{3DBD88D2-9FFC-498B-A689-A4771362F918}\RP18\A0013729.exe detected: Trojan.Win32.Obfuscated.en
C:\System Volume Information\_restore{3DBD88D2-9FFC-498B-A689-A4771362F918}\RP22\A0018003.dll detected: Riskware.FraudTool.Win32.SpywareStop.b
C:\System Volume Information\_restore{3DBD88D2-9FFC-498B-A689-A4771362F918}\RP22\A0018004.dll detected: Riskware.FraudTool.Win32.AntiSpywareBot.bk
C:\System Volume Information\_restore{3DBD88D2-9FFC-498B-A689-A4771362F918}\RP22\A0018005.dll detected: Riskware.FraudTool.Win32.AntiSpywareBot.ai
C:\System Volume Information\_restore{3DBD88D2-9FFC-498B-A689-A4771362F918}\RP22\A0018044.exe detected: Riskware.RiskTool.Win32.Processor.20
C:\System Volume Information\_restore{3DBD88D2-9FFC-498B-A689-A4771362F918}\RP22\A0020060.dll detected: Adware.Win32.Agent.atx
C:\System Volume Information\_restore{3DBD88D2-9FFC-498B-A689-A4771362F918}\RP24\A0026239.exe detected: Riskware.RiskTool.Win32.Processor.20

Scanned

Files: 205451
Traces: 411085
Cookies: 144
Processes: 28

Found

Files: 22
Traces: 58
Cookies: 9
Processes: 0
Registry keys: 0

Scan end: 6/21/2008 4:49:00 PM
Scan time: 1:14:57
Some scary stuff here. What should I do next?
blueduke
Junior Member
21. June 2008 @ 18:40
Quick update:

The "Warning! Spyware Detected On Your Computer....." box is off my desktop.

Went ahead and quarantined the items found in the a-squared scan. Haven't deleted them yet. Just waiting on further instructions. 2oldGeek and cdavfrew, I thank you so much for your patience as well as your suggestions.
AfterDawn Addict
21. June 2008 @ 18:56
Hey blueduke,

Just saw your post as I was about to head out for work. Probably won't get a chance to look at it until Sunday. Maybe cdavfrew will be by later?

I think maybe you've made a dent in it, hehe

Later,
2OG



There are three kinds of men: The ones that learn by reading; The few who learn by observation;
The rest of them have to pee on the electric fence and find out for themselves...
Senior Member
22. June 2008 @ 06:39
Hey blueduke.

I only managed a very quick look over your logs. It seems that we have indeed put a dent in your malware, but A-squared also detected a whole lot of legitimate stuff on your computer, which was why I recommended not removing anything for fear of it being legitimate and safe. Please look over the log, and restore anything you know is safe. Post what you have restored here. I do not have the time to look over it carefully, so you have to do that yourself.

I would also recommend posting the contents of C:\Windows\system32\tmp.reg. Open it in Notepad, and paste the contents here. Also, what is C:\Windows\system32\phclrej0ep6p.bmp? Is it a picture you know about? If not, delete it.

Best Regards :D

Edit: Now I'm back. Let's have a look at that a2 log of yours. Please note not to remove anything, only restore what I tell you to and leave the rest in quarantine. Also, if I tell you to check it on www.virustotal.com, please post the results here first before taking the action necessary.

This is Kazaa, which is generally known as one of the more "bad" p2p clients, and is a program that definitely needs to be removed. Please uninstall Kazaa from your computer if it is there. Also leave this entry in the quarantine.
Key: HKEY_USERS\S-1-5-21-2085937159-2599583352-3907660362-1005\software\kazaa detected: Trace.Registry.KaZaA

This is The Weather Channel FW. If you know and use this program, ignore these entries.
c:\program files\the weather channel fw detected: Trace.Directory.Desktop Weather
c:\program files\the weather channel fw\desktop weather detected: Trace.Directory.Desktop Weather
c:\program files\the weather channel fw\desktop weather\desktopweather.exe detected: Trace.File.Desktop Weather
c:\program files\the weather channel fw\desktop weather\eula.html detected: Trace.File.Desktop Weather
c:\program files\the weather channel fw\desktop weather\install.log detected: Trace.File.Desktop Weather
c:\program files\the weather channel fw\desktop weather\theweatherchannelcustomuninstall.exe detected: Trace.File.Desktop Weather
Value: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\The Weather Channel Desktop --> DisplayName detected: Trace.Registry.Desktop Weather
Value: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\The Weather Channel Desktop --> UninstallString detected: Trace.Registry.Desktop Weather

DivoCodec is known as malware posing as a video codec. Please leave these entries in the quarantine, and restore them only if you experience any problems with video files. Also, uninstall DivoCodec from your computer.
Value: HKEY_CLASSES_ROOT\Media Type\Extensions\.avi --> Source Filter detected: Trace.Registry.DivoCodec
Value: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Media Type\Extensions\.avi --> Source Filter detected: Trace.Registry.DivoCodec

While researching both ErrorSmart and RegistrySmart, I received very conflicting results. It is advisable to leave these entries in the quarantine unless you know and use ErrorSmart and RegistrySmart. Please check on www.virustotal.com whether or not it is detected as malware, and uninstall both these programs if it is. Also, it is not recommended to run registry cleaners, which both of these programs are, because they have no noticeable benefit to the system and can even crash the system when used wrongly.
Value: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\372450BD3522B904AA8D4923C8DCEBF0 --> 97886266C512B5D41B79D1898633B9DA detected: Trace.Registry.ErrorSmart
Value: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\473D1B29F95B96241830B6A6ADE19368 --> 97886266C512B5D41B79D1898633B9DA detected: Trace.Registry.ErrorSmart
Value: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\5A144BD76064D1645B6E74C0734EE406 --> 97886266C512B5D41B79D1898633B9DA detected: Trace.Registry.ErrorSmart
Value: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\965DCC82BC551DF439B28676F8AB79E0 --> 97886266C512B5D41B79D1898633B9DA detected: Trace.Registry.ErrorSmart
Value: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\BCF26265A8C1F104A88C5E4B28BEAED2 --> 97886266C512B5D41B79D1898633B9DA detected: Trace.Registry.ErrorSmart
Value: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\97886266C512B5D41B79D1898633B9DA\Features --> OptimizerApplication detected: Trace.Registry.ErrorSmart
Value: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\97886266C512B5D41B79D1898633B9DA\InstallProperties --> AuthorizedCDFPrefix detected: Trace.Registry.ErrorSmart
Value: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\97886266C512B5D41B79D1898633B9DA\InstallProperties --> Comments detected: Trace.Registry.ErrorSmart
Value: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\97886266C512B5D41B79D1898633B9DA\InstallProperties --> Contact detected: Trace.Registry.ErrorSmart
Value: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\97886266C512B5D41B79D1898633B9DA\InstallProperties --> DisplayName detected: Trace.Registry.ErrorSmart
Value: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\97886266C512B5D41B79D1898633B9DA\InstallProperties --> DisplayVersion detected: Trace.Registry.ErrorSmart
Value: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\97886266C512B5D41B79D1898633B9DA\InstallProperties --> EstimatedSize detected: Trace.Registry.ErrorSmart
Value: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\97886266C512B5D41B79D1898633B9DA\InstallProperties --> HelpLink detected: Trace.Registry.ErrorSmart
Value: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\97886266C512B5D41B79D1898633B9DA\InstallProperties --> HelpTelephone detected: Trace.Registry.ErrorSmart
Value: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\97886266C512B5D41B79D1898633B9DA\InstallProperties --> InstallDate detected: Trace.Registry.ErrorSmart
Value: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\97886266C512B5D41B79D1898633B9DA\InstallProperties --> InstallLocation detected: Trace.Registry.ErrorSmart
Value: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\97886266C512B5D41B79D1898633B9DA\InstallProperties --> InstallSource detected: Trace.Registry.ErrorSmart
Value: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\97886266C512B5D41B79D1898633B9DA\InstallProperties --> Language detected: Trace.Registry.ErrorSmart
Value: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\97886266C512B5D41B79D1898633B9DA\InstallProperties --> LocalPackage detected: Trace.Registry.ErrorSmart
Value: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\97886266C512B5D41B79D1898633B9DA\InstallProperties --> ModifyPath detected: Trace.Registry.ErrorSmart
Value: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\97886266C512B5D41B79D1898633B9DA\InstallProperties --> NoModify detected: Trace.Registry.ErrorSmart
Value: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\97886266C512B5D41B79D1898633B9DA\InstallProperties --> Publisher detected: Trace.Registry.ErrorSmart
Value: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\97886266C512B5D41B79D1898633B9DA\InstallProperties --> Readme detected: Trace.Registry.ErrorSmart
Value: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\97886266C512B5D41B79D1898633B9DA\InstallProperties --> Size detected: Trace.Registry.ErrorSmart
Value: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\97886266C512B5D41B79D1898633B9DA\InstallProperties --> UninstallString detected: Trace.Registry.ErrorSmart
Value: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\97886266C512B5D41B79D1898633B9DA\InstallProperties --> URLInfoAbout detected: Trace.Registry.ErrorSmart
Value: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\97886266C512B5D41B79D1898633B9DA\InstallProperties --> URLUpdateInfo detected: Trace.Registry.ErrorSmart
Value: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\97886266C512B5D41B79D1898633B9DA\InstallProperties --> Version detected: Trace.Registry.ErrorSmart
Value: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\97886266C512B5D41B79D1898633B9DA\InstallProperties --> VersionMajor detected: Trace.Registry.ErrorSmart
Value: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\97886266C512B5D41B79D1898633B9DA\InstallProperties --> VersionMinor detected: Trace.Registry.ErrorSmart
Value: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\97886266C512B5D41B79D1898633B9DA\InstallProperties --> WindowsInstaller detected: Trace.Registry.ErrorSmart
Value: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\97886266C512B5D41B79D1898633B9DA\Patches --> AllPatches detected: Trace.Registry.ErrorSmart
c:\documents and settings\owner\application data\registrysmart detected: Trace.Directory.RegistrySmart
Value: HKEY_USERS\S-1-5-21-2085937159-2599583352-3907660362-1005\Software\RegistrySmart\RegistrySmart\SectionToScan --> CheckAppPaths detected: Trace.Registry.RegistrySmart
Value: HKEY_USERS\S-1-5-21-2085937159-2599583352-3907660362-1005\Software\RegistrySmart\RegistrySmart\SectionToScan --> CheckComReg detected: Trace.Registry.RegistrySmart
Value: HKEY_USERS\S-1-5-21-2085937159-2599583352-3907660362-1005\Software\RegistrySmart\RegistrySmart\SectionToScan --> CheckDrivers detected: Trace.Registry.RegistrySmart
Value: HKEY_USERS\S-1-5-21-2085937159-2599583352-3907660362-1005\Software\RegistrySmart\RegistrySmart\SectionToScan --> CheckFileAss detected: Trace.Registry.RegistrySmart
Value: HKEY_USERS\S-1-5-21-2085937159-2599583352-3907660362-1005\Software\RegistrySmart\RegistrySmart\SectionToScan --> CheckFonts detected: Trace.Registry.RegistrySmart
Value: HKEY_USERS\S-1-5-21-2085937159-2599583352-3907660362-1005\Software\RegistrySmart\RegistrySmart\SectionToScan --> CheckHelpDiles detected: Trace.Registry.RegistrySmart
Value: HKEY_USERS\S-1-5-21-2085937159-2599583352-3907660362-1005\Software\RegistrySmart\RegistrySmart\SectionToScan --> CheckHistory detected: Trace.Registry.RegistrySmart
Value: HKEY_USERS\S-1-5-21-2085937159-2599583352-3907660362-1005\Software\RegistrySmart\RegistrySmart\SectionToScan --> CheckServices detected: Trace.Registry.RegistrySmart
Value: HKEY_USERS\S-1-5-21-2085937159-2599583352-3907660362-1005\Software\RegistrySmart\RegistrySmart\SectionToScan --> CheckSharedFiles detected: Trace.Registry.RegistrySmart
Value: HKEY_USERS\S-1-5-21-2085937159-2599583352-3907660362-1005\Software\RegistrySmart\RegistrySmart\SectionToScan --> CheckShortcuts detected: Trace.Registry.RegistrySmart
Value: HKEY_USERS\S-1-5-21-2085937159-2599583352-3907660362-1005\Software\RegistrySmart\RegistrySmart\SectionToScan --> CheckSounds detected: Trace.Registry.RegistrySmart
Value: HKEY_USERS\S-1-5-21-2085937159-2599583352-3907660362-1005\Software\RegistrySmart\RegistrySmart\SectionToScan --> CheckStartup detected: Trace.Registry.RegistrySmart
Value: HKEY_USERS\S-1-5-21-2085937159-2599583352-3907660362-1005\Software\RegistrySmart\RegistrySmart\SectionToScan --> CheckUninstall detected: Trace.Registry.RegistrySmart
Value: HKEY_USERS\S-1-5-21-2085937159-2599583352-3907660362-1005\Software\RegistrySmart\RegistrySmart\SectionToScan --> CheckUser detected: Trace.Registry.RegistrySmart

You may leave all these entries in the quarantine.
C:\Documents and Settings\owner\Cookies\owner@2o7[2].txt detected: Trace.TrackingCookie
C:\Documents and Settings\owner\Cookies\owner@doubleclick[1].txt detected: Trace.TrackingCookie
C:\Documents and Settings\owner\Cookies\owner@fastclick[1].txt detected: Trace.TrackingCookie
C:\Documents and Settings\owner\Cookies\owner@media.adrevolver[2].txt detected: Trace.TrackingCookie
C:\Documents and Settings\owner\Cookies\owner@media.adrevolver[3].txt detected: Trace.TrackingCookie
C:\Documents and Settings\owner\Cookies\owner@questionmarket[1].txt detected: Trace.TrackingCookie
C:\Documents and Settings\owner\Application Data\Mozilla\Firefox\Profiles\69i58uds.default\cookies.txt:15 detected: Trace.TrackingCookie
C:\Documents and Settings\owner\Application Data\Mozilla\Firefox\Profiles\69i58uds.default\cookies.txt:16 detected: Trace.TrackingCookie
C:\Documents and Settings\owner\Application Data\Mozilla\Firefox\Profiles\69i58uds.default\cookies.txt:17 detected: Trace.TrackingCookie
C:\Config.Msi\c031b.rbf detected: Riskware.FraudTool.Win32.AntiSpywareBot.bd
C:\Config.Msi\c031c.rbf detected: Riskware.FraudTool.Win32.AntiSpywareBot.ac

Restore these entries, as these are part of SDFix and Smitfraudfix, and the commands within both programs may be detected by some antimalware.
C:\Documents and Settings\owner\Application Data\Yahoo!\Mail\attach\SDFix.exe/Process.exe detected: Riskware.RiskTool.Win32.Processor.20
C:\Documents and Settings\owner\Desktop\SDFix.exe/Process.exe detected: Riskware.RiskTool.Win32.Processor.20
C:\Documents and Settings\owner\Desktop\SmitfraudFix\Process.exe detected: Riskware.RiskTool.Win32.Processor.20
C:\Documents and Settings\owner\Desktop\SmitfraudFix\Reboot.exe detected: Riskware.RiskTool.Win32.Reboot.f

Please restore both entries, and upload these files to www.virustotal.com to check if they are malware. If they are, uninstall both programs immediately.
C:\Program Files\DIGStream\digstream.exe detected: Riskware.Downloader.Win32.DigStream
C:\Program Files\Kiwee Toolbar2\1.3.118\KiweeContentHost.dll detected: Trojan-Downloader.Win32.Zlob.meq

Restore these.
C:\SDFix\apps\Process.exe detected: Riskware.RiskTool.Win32.Processor.20
C:\SDFix\SDFix\apps\Process.exe detected: Riskware.RiskTool.Win32.Processor.20

You might want to flush your system restore points, as it seems that they are already infected. It is recommended to do so. Also, leave these files in the quarantine, if they have indeed quarantined successfully.
C:\System Volume Information\_restore{3DBD88D2-9FFC-498B-A689-A4771362F918}\RP18\A0011070.exe detected: Trojan.Win32.Obfuscated.lr
C:\System Volume Information\_restore{3DBD88D2-9FFC-498B-A689-A4771362F918}\RP18\A0011076.exe detected: Trojan.Win32.Obfuscated.en
C:\System Volume Information\_restore{3DBD88D2-9FFC-498B-A689-A4771362F918}\RP18\A0011077.exe detected: Trojan.Win32.Obfuscated.en
C:\System Volume Information\_restore{3DBD88D2-9FFC-498B-A689-A4771362F918}\RP18\A0011078.exe detected: Trojan.Win32.Obfuscated.en
C:\System Volume Information\_restore{3DBD88D2-9FFC-498B-A689-A4771362F918}\RP18\A0011083.exe detected: Trojan.Win32.Obfuscated.en
C:\System Volume Information\_restore{3DBD88D2-9FFC-498B-A689-A4771362F918}\RP18\A0013729.exe detected: Trojan.Win32.Obfuscated.en
C:\System Volume Information\_restore{3DBD88D2-9FFC-498B-A689-A4771362F918}\RP22\A0018003.dll detected: Riskware.FraudTool.Win32.SpywareStop.b
C:\System Volume Information\_restore{3DBD88D2-9FFC-498B-A689-A4771362F918}\RP22\A0018004.dll detected: Riskware.FraudTool.Win32.AntiSpywareBot.bk
C:\System Volume Information\_restore{3DBD88D2-9FFC-498B-A689-A4771362F918}\RP22\A0018005.dll detected: Riskware.FraudTool.Win32.AntiSpywareBot.ai
C:\System Volume Information\_restore{3DBD88D2-9FFC-498B-A689-A4771362F918}\RP22\A0018044.exe detected: Riskware.RiskTool.Win32.Processor.20
C:\System Volume Information\_restore{3DBD88D2-9FFC-498B-A689-A4771362F918}\RP22\A0020060.dll detected: Adware.Win32.Agent.atx
C:\System Volume Information\_restore{3DBD88D2-9FFC-498B-A689-A4771362F918}\RP24\A0026239.exe detected: Riskware.RiskTool.Win32.Processor.20

This message has been edited since posting. Last time this message was edited on 22. June 2008 @ 10:51
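The reply above sorts the scanner hits by hand: tracking cookies, copies inside System Restore, Windows Installer rollback files, helpers that ship with SDFix and SmitfraudFix, registry leftovers of a removed program, and live malware. As an added example that is not part of the original thread, the Python below parses that "<object> detected: <signature>" line format (plain paths, archive members written as outer/inner, cookie-store line references such as cookies.txt:15, and registry values written as "Value: <key> --> <name>") and applies the same grouping as rules. The bucket rules, the action text and the sample lines are constructed for illustration; they are not the scanner's own logic.

```python
"""Sort scanner hits of the form "<object> detected: <signature>" into buckets.

Added example, not from the original thread. Bucket rules and action text are
assumptions that mirror the grouping in the reply; sample lines are constructed.
"""
import re
from typing import Dict, List

# Directory names of removal kits whose helper tools trip generic RiskTool
# signatures (assumed list).
CLEANUP_KIT_DIRS = ("sdfix", "smitfraudfix")
MALWARE_FAMILIES = ("trojan", "trojan-downloader", "backdoor", "worm", "virus")

ACTION = {
    "tracking_cookie": "delete; privacy impact only",
    "restore_point": "leave quarantined; flush System Restore once the live system is clean",
    "msi_rollback": "leave quarantined (Windows Installer rollback copy of a removed program)",
    "cleanup_kit_component": "probable false positive on a removal-tool helper; confirm on VirusTotal before restoring",
    "registry_leftover": "leave quarantined (stale registration of a removed program)",
    "leftover": "leave quarantined",
    "malware": "remove; confirm on VirusTotal and check nothing still loads it",
    "malware_registry": "remove",
    "riskware_review": "review manually",
}

# Constructed sample in the same shape as the posted a-squared log.
SAMPLE_LOG = r"""
Value: HKEY_USERS\S-1-5-21-1111111111-2222222222-3333333333-1005\Software\RegistrySmart\RegistrySmart\SectionToScan --> CheckStartup detected: Trace.Registry.RegistrySmart
C:\Documents and Settings\owner\Cookies\owner@doubleclick[1].txt detected: Trace.TrackingCookie
C:\Documents and Settings\owner\Application Data\Mozilla\Firefox\Profiles\abcd1234.default\cookies.txt:15 detected: Trace.TrackingCookie
C:\Config.Msi\c031b.rbf detected: Riskware.FraudTool.Win32.AntiSpywareBot.bd
C:\Documents and Settings\owner\Desktop\SDFix.exe/Process.exe detected: Riskware.RiskTool.Win32.Processor.20
C:\Program Files\Kiwee Toolbar2\1.3.118\KiweeContentHost.dll detected: Trojan-Downloader.Win32.Zlob.meq
C:\System Volume Information\_restore{3DBD88D2-9FFC-498B-A689-A4771362F918}\RP18\A0011070.exe detected: Trojan.Win32.Obfuscated.lr
"""


def parse_hit(line: str) -> Dict[str, object]:
    """Split one log line into the detected object's fields and the signature."""
    obj, sig = line.rsplit(" detected: ", 1)
    rec: Dict[str, object] = {"raw": line, "signature": sig.strip(),
                              "family": sig.split(".")[0].lower()}
    if obj.startswith("Value: "):                   # registry value hit
        key, _, name = obj[len("Value: "):].partition(" --> ")
        rec.update(kind="registry_value", key=key, name=name)
        return rec
    path = obj
    m = re.match(r"^(.+?):(\d+)$", path)            # cookies.txt:15 -> line 15
    if m:
        path, rec["line"] = m.group(1), int(m.group(2))
    if "/" in path:                                 # SDFix.exe/Process.exe
        path, rec["member"] = path.split("/", 1)
    rec.update(kind="file", path=path)
    return rec


def classify(rec: Dict[str, object]) -> str:
    """Assign a cleanup bucket; order matters (restore-point copies come first)."""
    sig = str(rec["signature"]).lower()
    fam = str(rec["family"])
    if rec["kind"] == "registry_value":
        return "registry_leftover" if sig.startswith("trace.") else "malware_registry"
    path = str(rec["path"]).lower()
    if sig.startswith("trace.trackingcookie"):
        return "tracking_cookie"
    if "\\system volume information\\_restore" in path:
        return "restore_point"
    if path.startswith("c:\\config.msi\\") and path.endswith(".rbf"):
        return "msi_rollback"
    if fam == "riskware" and "risktool" in sig and any(d in path for d in CLEANUP_KIT_DIRS):
        return "cleanup_kit_component"
    if fam in MALWARE_FAMILIES:
        return "malware"
    if sig.startswith("trace."):
        return "leftover"
    return "riskware_review"


def triage(log: str) -> List[Dict[str, object]]:
    """Parse and classify every detection line in the log text."""
    out = []
    for line in log.splitlines():
        if " detected: " not in line:
            continue
        rec = parse_hit(line)
        rec["category"] = classify(rec)
        rec["action"] = ACTION[str(rec["category"])]
        out.append(rec)
    return out


def summarize(records: List[Dict[str, object]]) -> Dict[str, object]:
    """Counts per bucket plus the two decisions the reply has to make."""
    counts: Dict[str, int] = {}
    for r in records:
        counts[str(r["category"])] = counts.get(str(r["category"]), 0) + 1
    return {
        "counts": counts,
        "flush_system_restore": "restore_point" in counts,
        "needs_second_opinion": [r["path"] for r in records
                                 if r["category"] in ("malware", "cleanup_kit_component")],
    }


if __name__ == "__main__":
    hits = triage(SAMPLE_LOG)
    for h in hits:
        print(f"{h['category']:22} {h.get('path', h.get('key'))}  ->  {h['action']}")
    print(summarize(hits))
```

The ordering inside classify is the point: a Trojan signature on a file under System Volume Information is a restore-point copy, not an active infection, so it is bucketed before the generic malware rule, while a RiskTool hit only counts as a removal-kit false positive when the path actually sits inside one of the kit directories.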

Senior Member
22. June 2008 @ 11:08
Also, please remove the registry entry [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AntiSpyware] using regedit.
AfterDawn Addict
22. June 2008 @ 14:13
Hey blueduke,

Well looks like cdavfrew got to you first.. I'm fairly new to A-Squared so it's taking me longer. Lol
Just do what he says and I think you'll see a difference.

Cdavfrew, I'll send you a copy of my A-Squared report for your analysis. I think I have one line detected and it's a game from e-machine he he

2OG



There are three kinds of men: The ones that learn by reading; The few who learn by observation;
The rest of them have to pee on the electric fence and find out for themselves...
blueduke
Junior Member
22. June 2008 @ 18:50
cdavfrew............did all you suggested but have some questions:

1. How do I uninstall Divocodec? Can't find it in add\remove programs (I'm not very computer savvy which by now you and 2oldgeek know is obvious)

2. Did a search for the file C:\Windows32\phclrej0cp6p.bmp and can't find it. I have no clue what this picture would be

3. Tried removing the file through regedit you suggested (HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AntiSpyware) but keep getting this error:
application failed to initialize properly (0xc0000005) click ok to terminate application. Have I messed up my registry?

4. How do I get the time and date in lower right of screen to display time normally? It's currently in military time and tried to change it back via control panel but when I click "Apply" after changes it still will not change.

Thanks again for all the time you two guys have spent helping me

This message has been edited since posting. Last time this message was edited on 22. June 2008 @ 21:30

blueduke
Junior Member
22. June 2008 @ 18:55
Almost forgot:

Here's the contents of the file you wanted me to copy in notepad (C:\Windows\system32\tmp.reg):

Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run]
"Support audio cool poll"="C:\\Documents and Settings\\All Users\\Application Data\\INTERNET SPAM SUPPORT AUDIO\\dvd rect.exe"
"QuickTime Task"="\"C:\\Program Files\\QuickTime\\qttask.exe\" -atboottime"
"iTunesHelper"="\"C:\\Program Files\\iTunes\\iTunesHelper.exe\""
"ccApp"="\"C:\\Program Files\\Common Files\\Symantec Shared\\ccApp.exe\""
"osCheck"="\"C:\\Program Files\\Norton AntiVirus\\osCheck.exe\""
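The export above is the HKLM Run autostart key in Windows Registry Editor 5.00 format, and the first entry is the odd one out: an unquoted path containing spaces, under All Users\Application Data rather than Program Files. As an added example that is not part of the original post, the Python below parses that .reg string escaping (\\ for a backslash, \" for a quote), recovers the executable from each command line the way an unquoted path has to be recovered, and flags entries by location and quoting. The trusted-directory list and the flag names are assumptions; the sample export is constructed to match the posted one.

```python
"""Triage Run-key entries from a Windows Registry Editor 5.00 export.

Added example, not from the original post. Handles the .reg escaping rules for
string values (\\ -> \ and \" -> ") and the two command-line shapes seen in
autostart keys: a quoted executable followed by arguments, and a bare path
that may itself contain spaces. The trusted locations are an assumption.
"""
import re
from typing import Dict, List, Tuple

# Constructed sample in the same shape as the tmp.reg export in the post.
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run]
"Support audio cool poll"="C:\\Documents and Settings\\All Users\\Application Data\\INTERNET SPAM SUPPORT AUDIO\\dvd rect.exe"
"QuickTime Task"="\"C:\\Program Files\\QuickTime\\qttask.exe\" -atboottime"
"iTunesHelper"="\"C:\\Program Files\\iTunes\\iTunesHelper.exe\""
"ccApp"="\"C:\\Program Files\\Common Files\\Symantec Shared\\ccApp.exe\""
"osCheck"="\"C:\\Program Files\\Norton AntiVirus\\osCheck.exe\""
'''

# Where legitimately installed autostart programs normally live (assumed list).
TRUSTED_PREFIXES = ("c:\\program files\\", "c:\\windows\\")
EXE_SUFFIXES = (".exe", ".com", ".scr", ".bat", ".cmd", ".pif")

# "name"="value" or @="value"; both sides may contain \\ and \" escapes.
_VALUE_RE = re.compile(r'^(@|"(?:[^"\\]|\\.)*")="((?:[^"\\]|\\.)*)"\s*$')
_KEY_RE = re.compile(r"^\[([^\]]+)\]\s*$")


def unescape(s: str) -> str:
    """Undo .reg string escaping: a backslash quotes the next character."""
    return re.sub(r"\\(.)", r"\1", s)


def split_command(cmd: str) -> Tuple[str, str, bool]:
    """Return (executable, arguments, was_quoted) for one autostart command."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        end = cmd.find('"', 1)
        if end != -1:
            return cmd[1:end], cmd[end + 1:].strip(), True
    # Unquoted: CreateProcess tries each space-delimited prefix in turn, so
    # take the shortest prefix that ends in an executable extension.
    tokens = cmd.split(" ")
    for i in range(1, len(tokens) + 1):
        candidate = " ".join(tokens[:i])
        if candidate.lower().endswith(EXE_SUFFIXES):
            return candidate, " ".join(tokens[i:]).strip(), False
    return tokens[0], " ".join(tokens[1:]).strip(), False


def flags_for(exe: str, quoted: bool) -> List[str]:
    """Heuristic flags; an empty list means nothing unusual about the entry."""
    low = exe.lower()
    flags: List[str] = []
    if not low.startswith(TRUSTED_PREFIXES):
        flags.append("outside_install_dirs")
    if "\\documents and settings\\" in low or "\\application data\\" in low:
        flags.append("user_profile_location")
    if not quoted and " " in exe:
        flags.append("unquoted_path_with_spaces")
    return flags


def triage_run_keys(reg_text: str) -> List[Dict[str, object]]:
    """Parse every Run/RunOnce key in the export and score each string value."""
    results: List[Dict[str, object]] = []
    current_key = ""
    for line in reg_text.splitlines():
        km = _KEY_RE.match(line)
        if km:
            current_key = km.group(1)
            continue
        if not current_key.lower().endswith(("\\run", "\\runonce")):
            continue
        vm = _VALUE_RE.match(line)
        if not vm:            # blank lines and dword:/hex: values are skipped
            continue
        name = "(Default)" if vm.group(1) == "@" else unescape(vm.group(1)[1:-1])
        exe, args, quoted = split_command(unescape(vm.group(2)))
        results.append({"key": current_key, "name": name, "exe": exe,
                        "args": args, "flags": flags_for(exe, quoted)})
    return results


if __name__ == "__main__":
    for entry in triage_run_keys(SAMPLE_REG):
        mark = "SUSPECT" if entry["flags"] else "ok     "
        print(f"{mark} [{entry['name']}] {entry['exe']} {entry['args']} {entry['flags']}")
```

Run against the sample, only the first value is flagged, on all three counts, which is the same conclusion the thread reaches by eye; the other four resolve to quoted executables under Program Files with no flags.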
blueduke
Junior Member
22. June 2008 @ 19:03
Forgot something else...........when you say "flush system restore", how is this process performed?
AfterDawn Addict
23. June 2008 @ 05:12
"flush system restore"
This should be one of the Last things you do, after your Computer is Clean.

Set a New Restore Point to prevent possible reinfection from an old one. Some of the malware you picked up could have been saved in System Restore. Since System Restore is a protected directory, your tools can not access it to delete these bad files which sometimes can reinfect your system. Setting a new restore point AFTER cleaning your system will help prevent this and enable your computer to "roll-back" to a clean working state.

The easiest and safest way to do this is:

• Go to Start > Programs > Accessories > System Tools and click "System Restore".
• Choose the radio button marked "Create a Restore Point" on the first screen then click "Next". Give the R.P. a name then click "Create". The new point will be stamped with the current date and time. Keep a log of this so you can find it easily should you need to use System Restore.
• Then go to Start > Run and type: Cleanmgr
• Click "OK".
• Click the "More Options" Tab.
• Click "Clean Up" in the System Restore section to remove all previous restore points except the newly created one.

2OG



Senior Member
23. June 2008 @ 07:28
Hey blueduke.

I have done some very interesting research, and I believe that I know what we are dealing with. The picture which I told you to find is the picture which posed as the message: Warning!.... Clean your Computer. I am led to believe that this malware is not as easy as we thought, and comes off a variant of virtumundo. As for your clock problem, we'll have to deal with it after the cleanup, like your system restore flush, which you should do after your system is clean, just like 2oldgeek said.

Please do all the following steps in safe mode if possible, and also do them in order.

1. Please download Virtumundobegone, run it, and post the log here.

2. Go to C:\Windows\Temp, and post a list of all the files there. If there are too many files, take a screenshot.

3. Search in regedit for "Antispyware". List the results.

4. Download Spybot, update it, and run it. Remove all results, while making sure that it is backed up. On instructions on how to post a log, see here: http://forums.spybot.info/showthread.php?t=2973

5. Download Deckard's System Scanner, and post a log here.

6. In other cases, I have noted that when you right-click on your desktop (in normal mode) to show Display Properties, the Desktop tab isn't there. If this is the case for you, download the reg file here ( http://www.kellys-korner-xp.com/regs_edits/desktoptab.reg ) and run it. Please do this in normal mode.


Best Regards :D

PS: How about the virustotal.com scans I told you to do?

This message has been edited since posting. Last time this message was edited on 23. June 2008 @ 07:53

AfterDawn Addict
23. June 2008 @ 12:02
Hey blueduke,

If you can't find it,
Here is the download link for VirtumundoBeGone >>> HERE



blueduke
Junior Member
23. June 2008 @ 21:27
Here's what i have for you guys so far.............

Virtumundobegone log file:

Quote:
[06/23/2008, 21:15:33] - VirtumundoBeGone v1.5 ( "C:\Documents and Settings\owner\Desktop\VirtumundoBeGone.exe" )
[06/23/2008, 21:15:49] - Detected System Information:
[06/23/2008, 21:15:49] - Windows Version: 5.1.2600, Service Pack 2
[06/23/2008, 21:15:49] - Current Username: owner (Admin)
[06/23/2008, 21:15:49] - Windows is in NORMAL mode.
[06/23/2008, 21:15:50] - Searching for Browser Helper Objects:
[06/23/2008, 21:15:50] - BHO 1: {02478D38-C3F9-4EFB-9B51-7695ECA05670} (&Yahoo! Toolbar Helper)
[06/23/2008, 21:15:50] - BHO 2: {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} (AcroIEHlprObj Class)
[06/23/2008, 21:15:50] - BHO 3: {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} (Yahoo! IE Services Button)
[06/23/2008, 21:15:50] - BHO 4: {6D53EC84-6AAE-4787-AEEE-F4628F01010C} (Symantec Intrusion Prevention)
[06/23/2008, 21:15:50] - BHO 5: {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} (SSVHelper Class)
[06/23/2008, 21:15:50] - BHO 6: {9030D464-4C02-4ABF-8ECC-5164760863C6} (Windows Live Sign-in Helper)
[06/23/2008, 21:15:50] - BHO 7: {AA58ED58-01DD-4d91-8333-CF10577473F7} ()
[06/23/2008, 21:15:50] - WARNING: BHO has no default name. Checking for Winlogon reference.
[06/23/2008, 21:15:50] - No filename found. Continuing.
[06/23/2008, 21:15:50] - BHO 8: {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} (Windows Live Toolbar Helper)
[06/23/2008, 21:15:50] - Finished Searching Browser Helper Objects
[06/23/2008, 21:15:50] - Finishing up...
[06/23/2008, 21:15:50] - Nothing found! Exiting...
Searched regedit files and this is what I've found (tried saving this to desktop, wordpad, notepad, etc. and couldn't. I'm not very computer savvy). I don't know how to make a screenshot. If you can walk me through it I'll do it

Quote:
Name     Type    Data
Default  REG_SZ  (value not set)
000      REG_SZ  antispyware
001      REG_SZ  c:\windows\system32\phclrej0cp6p.bmp
002      REG_SZ  c:\windows\system32\phclrej0cp6p.bmp
003      REG_SZ  phclrej0cp6p.bmp
004      REG_SZ  divicodec
005      REG_SZ  ad watch
Going to download Spybot now

Incidentally, couldn't do this in safe mode. For some reason I can't connect to the internet in safe mode

EDIT: Started to install Spybot and it told me to uninstall Ad-Aware 2008, which I did. I have an important question that I need an answer for ASAP: while running the setup for S&D, a box came up that says "S&D has detected an important registry entry that has been changed. Category: Session Manager. Changed: Value Changed. Entry: BootExecute. Old Data: Isdelete\ New Data: (this is blank)." Then it asks if I want to allow the change. Should I??? I'm not doing anything else until I know this as I'm afraid I'll mess something up

EDIT: Figured out how to take a screenshot. saved them in My Pictures but don't know how to post them in this message


[screenshot: http://i307.photobucket.com/albums/nn289/blueduke1959/2.jpg]




Now I do!!! Learn something every day I guess

This message has been edited since posting. Last time this message was edited on 23. June 2008 @ 22:56

blueduke
Junior Member
23. June 2008 @ 23:05
Thus far I've downloaded Virtumundobegone and posted the log. Now here's the c:\windows\temp files you wanted:




Repost the search of the Registry Editor:




Haven't fully installed Spybot as I got this message and am not sure I should advance until I get confirmation it's okay:




Now going to download Deckard's Scanner and will post a log but it might be futile considering Spybot isn't fully installed

Log from Deckard's System Scanner:

Quote:
Deckard's System Scanner v20071014.68
Run by owner on 2008-06-23 23:22:11
Computer is in Normal Mode.
--------------------------------------------------------------------------------

-- System Restore --------------------------------------------------------------



-- Last 5 Restore Point(s) --
28: 2008-06-24 03:13:34 UTC - RP28 - Deckard's System Scanner Restore Point
27: 2008-06-24 01:42:29 UTC - RP27 - Removed Ad-Aware
26: 2008-06-22 21:33:25 UTC - RP26 - Removed Kiwee Toolbar
25: 2008-06-21 19:13:26 UTC - RP25 - ComboFix created restore point
24: 2008-06-20 19:49:51 UTC - RP24 - Software Distribution Service 3.0


-- First Restore Point --
1: 2008-04-12 05:41:18 UTC - RP1 - System Checkpoint


Backed up registry hives.
Performed disk cleanup.

Percentage of Memory in Use: 78% (more than 75%).
Total Physical Memory: 511 MiB (512 MiB recommended).


-- HijackThis (run as owner.exe) -----------------------------------------------

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 23:23:35, on 6/23/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16674)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\a-squared Free\a2service.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Symantec\LiveUpdate\AluSchedulerSvc.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\dllhost.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Documents and Settings\owner\Desktop\dss.exe
C:\PROGRA~1\TRENDM~1\HIJACK~1\owner.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
O2 - BHO: &Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: Yahoo! IE Services Button - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O2 - BHO: Symantec Intrusion Prevention - {6D53EC84-6AAE-4787-AEEE-F4628F01010C} - C:\PROGRA~1\COMMON~1\SYMANT~1\IDS\IPSBHO.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: (no name) - {AA58ED58-01DD-4d91-8333-CF10577473F7} - (no file)
O2 - BHO: Windows Live Toolbar Helper - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
O3 - Toolbar: (no name) - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - (no file)
O3 - Toolbar: Windows Live Toolbar - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll
O4 - HKLM\..\Run: [Support audio cool poll] C:\Documents and Settings\All Users\Application Data\INTERNET SPAM SUPPORT AUDIO\dvd rect.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [osCheck] "C:\Program Files\Norton AntiVirus\osCheck.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" -quiet
O8 - Extra context menu item: &AOL Toolbar search - res://C:\Program Files\AOL Toolbar\toolbar.dll/SEARCH.HTML
O8 - Extra context menu item: &Windows Live Search - res://C:\Program Files\Windows Live Toolbar\msntb.dll/search.htm
O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O8 - Extra context menu item: Add to Windows &Live Favorites - http://favorites.live.com/quickadd.aspx
O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycmap.htm
O8 - Extra context menu item: Yahoo! &SMS - file:///C:\Program Files\Yahoo!\Common/ycsms.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra button: Blog This - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - C:\Program Files\Windows Live\Writer\WriterBrowserExtension.dll
O9 - Extra 'Tools' menuitem: &Blog This in Windows Live Writer - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - C:\Program Files\Windows Live\Writer\WriterBrowserExtension.dll
O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: CabBuilder - http://kiw.imgag.com/imgag/kiw/toolbar/d...llerControl.cab
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (Installation Support) - C:\Program Files\Yahoo!\Common\Yinsthelper.dll
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupd...b?1176600440109
O20 - AppInit_DLLs: C:\PROGRA~1\Google\GOOGLE~2\GOEC62~1.DLL
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: a-squared Free Service (a2free) - Emsi Software GmbH - C:\Program Files\a-squared Free\a2service.exe
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\AluSchedulerSvc.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Symantec Lic NetConnect service (CLTNetCnService) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\LuComServer_3_4.EXE
O23 - Service: LiveUpdate Notice - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Symantec Core LC - Unknown owner - C:\PROGRA~1\COMMON~1\SYMANT~1\CCPD-LC\symlcsvc.exe

--
End of file - 7498 bytes

-- HijackThis Fixed Entries (C:\PROGRA~1\TRENDM~1\HIJACK~1\backups\) -----------

backup-20080619-224128-713 O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
backup-20080619-224128-796 O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)

-- File Associations -----------------------------------------------------------

All associations okay.


-- Drivers: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled ---------------------

R1 omci (OMCI WDM Device Driver) - c:\windows\system32\drivers\omci.sys <Not Verified; Dell Computer Corporation; OMCI Driver>
R2 MCSTRM - c:\windows\system32\drivers\mcstrm.sys <Not Verified; RealNetworks, Inc.; RealNetworks Virtual Path Manager® (32-bit)>
R3 Afc (PPdus ASPI Shell) - c:\windows\system32\drivers\afc.sys <Not Verified; Arcsoft, Inc.; Arcsoft(R) ASPI Shell>
R3 pfc (Padus ASPI Shell) - c:\windows\system32\drivers\pfc.sys <Not Verified; Padus, Inc.; Padus(R) ASPI Shell>

S3 DSproct - c:\program files\dellsupport\gtaction\triggers\dsproct.sys <Not Verified; Gteko Ltd.; processt>
S3 NAL (Nal Service ) - c:\windows\system32\drivers\iqvw32.sys <Not Verified; Intel Corporation; Intel(R) iQVW32.SYS>


-- Services: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled --------------------

R2 Apple Mobile Device - "c:\program files\common files\apple\mobile device support\bin\applemobiledeviceservice.exe" <Not Verified; Apple, Inc.; Apple Mobile Device Service>

S4 Bonjour Service - "c:\program files\bonjour\mdnsresponder.exe" <Not Verified; Apple Inc.; Bonjour>
S4 dvpapi - "c:\program files\common files\command software\dvpapi.exe" <Not Verified; Command Software Systems, Inc.; Command AntiVirus for Windows>
S4 sprtsvc_dellsupportcenter (SupportSoft Sprocket Service (dellsupportcenter)) - c:\program files\dell support center\bin\sprtsvc.exe /service /p dellsupportcenter


-- Device Manager: Disabled ----------------------------------------------------

No disabled devices found.


-- Scheduled Tasks -------------------------------------------------------------

2008-06-23 23:03:03 254 --a------ C:\WINDOWS\Tasks\Check Updates for Windows Live Toolbar.job
2008-06-21 18:12:47 556 --a------ C:\WINDOWS\Tasks\Norton AntiVirus - Run Full System Scan - owner.job
2008-04-19 17:39:48 284 --a------ C:\WINDOWS\Tasks\AppleSoftwareUpdate.job
2008-03-30 01:14:05 426 --a------ C:\WINDOWS\Tasks\RegistrySmart Scheduled Scan.job
2007-06-02 14:25:09 342 --a------ C:\WINDOWS\Tasks\FRU Task #Hewlett-Packard#hp psc 1200 series#1172085817.job


-- Files created between 2008-05-23 and 2008-06-23 -----------------------------

2008-06-23 21:32:54 0 d-------- C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-06-21 15:31:08 0 d-------- C:\Program Files\a-squared Free
2008-06-21 15:13:00 68096 --a------ C:\WINDOWS\zip.exe
2008-06-21 15:13:00 49152 --a------ C:\WINDOWS\VFind.exe
2008-06-21 15:13:00 212480 --a------ C:\WINDOWS\swxcacls.exe <Not Verified; SteelWerX; SteelWerX Extended Configurator ACLists>
2008-06-21 15:13:00 136704 --a------ C:\WINDOWS\swsc.exe <Not Verified; SteelWerX; SteelWerX Service Controller>
2008-06-21 15:13:00 161792 --a------ C:\WINDOWS\swreg.exe <Not Verified; SteelWerX; SteelWerX Registry Editor>
2008-06-21 15:13:00 98816 --a------ C:\WINDOWS\sed.exe
2008-06-21 15:13:00 80412 --a------ C:\WINDOWS\grep.exe
2008-06-21 15:13:00 89504 --a------ C:\WINDOWS\fdsv.exe <Not Verified; Smallfrogs Studio; >
2008-06-21 14:51:59 1038 --a------ C:\WINDOWS\system32\tmp.reg
2008-06-20 23:14:52 0 d-------- C:\Documents and Settings\LocalService\Application Data\Adobe
2008-06-20 23:14:25 0 d-------- C:\Documents and Settings\LocalService\Application Data\Google
2008-06-20 23:14:19 0 d-------- C:\Documents and Settings\LocalService\Application Data\Yahoo!
2008-06-20 22:30:28 0 d-a------ C:\Documents and Settings\All Users\Application Data\TEMP
2008-06-20 16:42:48 0 d-------- C:\Documents and Settings\Administrator\Application Data\SUPERAntiSpyware.com
2008-06-20 16:18:26 0 d-------- C:\WINDOWS\ERUNT
2008-06-19 22:48:00 0 d-------- C:\Documents and Settings\All Users\Application Data\SUPERAntiSpyware.com
2008-06-19 22:47:37 0 d-------- C:\Program Files\SUPERAntiSpyware
2008-06-19 22:47:37 0 d-------- C:\Documents and Settings\owner\Application Data\SUPERAntiSpyware.com
2008-06-18 21:25:03 0 d-------- C:\Program Files\Trend Micro
2008-06-18 18:32:32 0 d-------- C:\Documents and Settings\All Users\Application Data\Lavasoft
2008-06-18 18:30:58 0 d-------- C:\Program Files\Common Files\Wise Installation Wizard
2008-06-08 17:03:34 0 d-------- C:\Documents and Settings\Default User\Application Data\Apple Computer
2008-06-08 16:47:41 0 d-------- C:\Program Files\Windows Sidebar
2008-06-08 16:47:40 0 d-------- C:\Program Files\Norton AntiVirus
2008-06-08 16:46:19 0 d-------- C:\Program Files\Symantec
2008-06-08 15:41:38 0 d-------- C:\Program Files\MSXML 6.0
2008-06-08 13:10:50 4468736 --a------ C:\Documents and Settings\owner\ntuser.dat
2008-06-08 11:38:04 0 d-------- C:\Documents and Settings\owner\Application Data\shcjrej0ep6p


-- Find3M Report ---------------------------------------------------------------

2008-06-22 19:21:02 0 d-------- C:\Documents and Settings\owner\Application Data\Mozilla
2008-06-22 18:09:16 0 d-------- C:\Program Files\RGB
2008-06-21 15:39:35 0 d-------- C:\Program Files\Common Files\Symantec Shared
2008-06-21 15:13:49 0 d-------- C:\Program Files\installer
2008-06-18 18:30:58 0 d-------- C:\Program Files\Common Files
2008-06-08 17:12:40 0 d-------- C:\Documents and Settings\owner\Application Data\Flapgreat
2008-06-08 11:43:58 1682 --ahs--c- C:\WINDOWS\system32\KGyGaAvL.sys
2008-06-08 11:43:58 56 -r-hs--c- C:\WINDOWS\system32\58AFD8518D.sys
2008-05-25 19:29:44 0 d-------- C:\Program Files\Microsoft Silverlight
2008-05-21 20:44:51 0 d-------- C:\Program Files\LimeWire
2008-05-01 22:13:22 0 d-------- C:\Program Files\SP2 Connection Patcher
2008-05-01 21:48:03 0 d-------- C:\Program Files\LimeWire Download Accelerator
2008-03-25 21:24:14 4 --a------ C:\WINDOWS\system32\6ECB49


-- Registry Dump ---------------------------------------------------------------

*Note* empty entries & legit default entries are not shown


[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{6D53EC84-6AAE-4787-AEEE-F4628F01010C}]
06/08/2008 16:50 116088 --a------ C:\PROGRA~1\COMMON~1\SYMANT~1\IDS\IPSBHO.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Support audio cool poll"="C:\Documents and Settings\All Users\Application Data\INTERNET SPAM SUPPORT AUDIO\dvd rect.exe" [06/23/2008 23:21]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [03/28/2008 23:37]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [03/30/2008 10:36]
"ccApp"="C:\Program Files\Common Files\Symantec Shared\ccApp.exe" [01/25/2008 17:47]
"osCheck"="C:\Program Files\Norton AntiVirus\osCheck.exe" [02/06/2008 22:49]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [08/10/2004 06:00]
"Yahoo! Pager"="C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" [08/30/2007 17:43]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"InstallVisualStyle"=C:\WINDOWS\Resources\Themes\Royale\Royale.msstyles
"InstallTheme"=C:\WINDOWS\Resources\Themes\Royale.theme
"DisableRegistryTools"=0 (0x0)
"HideLegacyLogonScripts"=0 (0x0)
"HideLogoffScripts"=0 (0x0)
"RunLogonScriptSync"=1 (0x1)
"RunStartupScriptSync"=0 (0x0)
"HideStartupScripts"=0 (0x0)

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]
"HideLegacyLogonScripts"=0 (0x0)
"HideLogoffScripts"=0 (0x0)
"RunLogonScriptSync"=1 (0x1)
"RunStartupScriptSync"=0 (0x0)
"HideStartupScripts"=0 (0x0)

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= C:\Program Files\SUPERAntiSpyware\SASSEH.DLL [05/13/2008 10:13 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
C:\Program Files\SUPERAntiSpyware\SASWINLO.dll 04/19/2007 13:41 294912 C:\Program Files\SUPERAntiSpyware\SASWINLO.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"appinit_dlls"=C:\PROGRA~1\Google\GOOGLE~2\GOEC62~1.DLL

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^hp psc 1000 series.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\hp psc 1000 series.lnk
backup=C:\WINDOWS\pss\hp psc 1000 series.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^hpoddt01.exe.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\hpoddt01.exe.lnk
backup=C:\WINDOWS\pss\hpoddt01.exe.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Monitor.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Monitor.lnk
backup=C:\WINDOWS\pss\Monitor.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AntiSpyware]
C:\Program Files\AntiSpywareApp\Antispyware.exe -boot

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ATIPTA]
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ccApp]
"C:\Program Files\Common Files\Symantec Shared\ccApp.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ctfmon.exe]
C:\WINDOWS\system32\ctfmon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DellSupport]
"C:\Program Files\DellSupport\DSAgnt.exe" /startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DellSupportCenter]
"C:\Program Files\Dell Support Center\bin\sprtcmd.exe" /P DellSupportCenter

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\dscactivate]
"C:\Program Files\Dell Support Center\gs_agent\custom\dsca.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ehTray]
C:\WINDOWS\ehome\ehtray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ErrorSmart]
C:\Program Files\ErrorSmart\ErrorSmart.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Google Desktop Search]
"C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe" /startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IntelMeM]
C:\Program Files\Intel\Modem Event Monitor\IntelMEM.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ISUSPM Startup]
C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe -startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ISUSScheduler]
"C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
"C:\Program Files\iTunes\iTunesHelper.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\KiweeHook]
"C:\Program Files\Kiwee Toolbar2\1.3.118\kwtbaim.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MsnMsgr]
"C:\Program Files\Windows Live\Messenger\MsnMsgr.Exe" /background

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\osCheck]
"C:\Program Files\Norton AntiVirus\osCheck.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
"C:\Program Files\QuickTime\qttask.exe" -atboottime

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RULEREMOTE]
C:\DOCUME~1\owner\APPLIC~1\FLAPGR~1\creative open.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SigmatelSysTrayApp]
stsystra.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SP2 Connection Patcher]
"C:\Program Files\SP2 Connection Patcher\SP2ConnPatcher.exe" -n=200

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
"C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Support audio cool poll]
C:\Documents and Settings\All Users\Application Data\INTERNET SPAM SUPPORT AUDIO\Dumb way.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Synchronization Manager]
%SystemRoot%\system32\mobsync.exe /logon

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Yahoo! Pager]
"C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" -quiet

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"WMPNetworkSvc"=3 (0x3)
"WLSetupSvc"=3 (0x3)
"usnjsvc"=3 (0x3)
"Symantec Core LC"=3 (0x3)
"sprtsvc_dellsupportcenter"=2 (0x2)
"Pml Driver HPZ12"=3 (0x3)
"LiveUpdate Notice"=2 (0x2)
"LiveUpdate"=3 (0x3)
"iPod Service"=3 (0x3)
"idsvc"=3 (0x3)
"gusvc"=3 (0x3)
"GoogleDesktopManager"=3 (0x3)
"dvpapi"=2 (0x2)
"DSBrokerService"=3 (0x3)
"CLTNetCnService"=2 (0x2)
"ccSetMgr"=2 (0x2)
"ccEvtMgr"=2 (0x2)
"Bonjour Service"=2 (0x2)
"Automatic LiveUpdate Scheduler"=2 (0x2)
"Ati HotKey Poller"=2 (0x2)
"Apple Mobile Device"=2 (0x2)
-- End of Deckard's System Scanner: finished at 2008-06-23 23:24:21 ------------
What next, fellas?

This message has been edited since posting. Last time this message was edited on 23. June 2008 @ 23:34
