# Virus problem



## bison8125

It looks like this virus may have been posted before, but I'm not sure what fix will work properly for me, so I'm asking for help (ceewi1, I'm pretty sure you've dealt with this already).

I've got a virus; here is what's been happening:

- I've got a new icon (down by the clock) that I've never had before (a yellow triangle with a black exclamation mark). I can't find the process (in Windows Task Manager) that will get rid of it. The icon also pops up with these "error" messages:

  "*Windows Security System: Zlob.PornAdvertiser.ba*
  Adaware Zlob.PornAdvertiser.ba detected. This program advertises sites with explicit content. Please be attentive bcause advertised content could be illegal"

- Since the icon appeared, I've also gotten these other pop-ups:

  "Windows Security System has detected spyware infection! Spyware may compromise your privacy or damage your computer. It is recommended to use antispyware tool to prevent data loss and privacy information exposure. Click OK to proceed."

  "Windows Alert Critical System Warning! Your system is probably infected with version of Spyware.IEMonster.b. Spyware.IEMonster.b is spyware that attempts to steal paswords from Internet Explorer, Mozilla Firefox, Outlook and other programs, including logins and passwords from online banking sessions, eBay, PayPal. It may also create special tracking files to log your activity and compromise your Internet privacy. Spyware.IEMonster then sends stolen passwords and other sensitive information to a php script at a pre-specified website where the stolen details are logged. Click here to protect your computer (recommended)"

- Since the icon appeared, I've also gotten 2 files put on my desktop (which I certainly didn't put there). Both files are internet pages called "BDSM galleries" and "Uncensored porn".

Since I've been reading the other posts, I think you might need some more information, so I've included the log file from HijackThis (see next post) and a log file from ComboFix (see third post).


----------



## bison8125

*HJT Log File*

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 1:11:04 AM, on 2/19/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\wltrysvc.exe
C:\WINDOWS\System32\bcmwltry.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Viewpoint\Common\ViewpointService.exe
C:\Program Files\TightVNC\WinVNC.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\QuickTime\qttask.exe
C:\PROGRA~1\Yahoo!\MESSEN~1\YAHOOM~1.EXE
C:\Program Files\MSN Messenger\MsnMsgr.Exe
C:\Program Files\AIM6\aim6.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
C:\WINDOWS\explorer.exe
C:\Program Files\MSN Messenger\usnsvc.exe
C:\Program Files\MSN Messenger\livecall.exe
C:\Program Files\AIM6\aolsoftware.exe
C:\WINDOWS\system32\notepad.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoomail.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://us.rd.yahoo.com/customize/ie/defaults/su/msgr8/*http://www.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.com/customize/ie/defaults/sb/msgr8/*http://www.yahoo.com/ext/search/search.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://us.rd.yahoo.com/customize/ie/defaults/sp/msgr8/*http://www.yahoo.com
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://us.rd.yahoo.com/customize/ie/defaults/su/msgr8/*http://www.yahoo.com
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe"  -osboot
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\PROGRA~1\Yahoo!\MESSEN~1\YAHOOM~1.EXE" -quiet
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [Aim6] "C:\Program Files\AIM6\aim6.exe" /d locale=en-US ee://aol/imApp
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Freebie Notes] "C:\Program Files\Power Soft\Freebie Notes\FreebieNotes.exe"
O4 - HKCU\..\Run: [SVCHOST.EXE] C:\WINDOWS\system32\drivers\svchost.exe
O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'Default user')
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\npjpi160_01.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\npjpi160_01.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll
O16 - DPF: {2B96D5CC-C5B5-49A5-A69D-CC0A30F9028C} - http://wdownload.weatherbug.com/minibug/tricklers/AWS/MiniBugTransporter.cab?
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
O16 - DPF: {3BFFE033-BF43-11D5-A271-00A024A51325} (iNotes6 Class) - http://hcmail1.co.hennepin.mn.us/iNotes6W.cab
O16 - DPF: {5F8469B4-B055-49DD-83F7-62B522420ECC} (Facebook Photo Uploader Control) - http://upload.facebook.com/controls/FacebookPhotoUploader.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1181780980500
O16 - DPF: {85D1F3B2-2A21-11D7-97B9-0010DC2A6243} (SecureLogin class) - http://secure2.comned.com/signuptemplates/securelogin-devel.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/MsnMessengerSetupDownloader.cab
O16 - DPF: {C4925E65-7A1E-11D2-8BB4-00A0C9CC72C3} - http://a532.g.akamai.net/f/532/6712/4h/player.virtools.com/downloads/player/Install3.0/Installer.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: Cisco Systems, Inc. VPN Service (CVPND) - Cisco Systems, Inc. - C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Unknown owner - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe (file missing)
O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exe
O23 - Service: VNC Server (winvnc) - Constantin Kaplinsky - C:\Program Files\TightVNC\WinVNC.exe
O23 - Service: Broadcom Wireless LAN Tray Service (wltrysvc) - Unknown owner - C:\WINDOWS\System32\wltrysvc.exe

--
End of file - 6602 bytes
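
As an added example (not part of the original post, and not HijackThis or ComboFix code), the check below runs over O4 autorun lines copied from the log above and flags an entry whose image is named like a core Windows binary but sits outside that binary's home directory; the `[SVCHOST.EXE] C:\WINDOWS\system32\drivers\svchost.exe` line, which ComboFix later deleted, is the one it catches. The expected-directory table assumes a default Windows XP install with %SystemRoot% = C:\WINDOWS, as in the log; the sample lines are constructed from the posted log.

```python
r"""Triage HijackThis O4 (autorun) entries for system-binary masquerading.

Flags an autorun whose image name is a core Windows binary but whose
directory is not the one that binary lives in.  The genuine svchost.exe
lives directly in system32, so system32\drivers\svchost.exe is suspect.
"""
import ntpath
import re

# Constructed sample: O4 lines copied from the HijackThis log above.
SAMPLE_HJT_LINES = r"""
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [SVCHOST.EXE] C:\WINDOWS\system32\drivers\svchost.exe
O4 - HKCU\..\Run: [Freebie Notes] "C:\Program Files\Power Soft\Freebie Notes\FreebieNotes.exe"
O4 - HKUS\S-1-5-18\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'SYSTEM')
"""

# Where each core binary lives on a default Windows XP install
# (assumption: %SystemRoot% is C:\WINDOWS, as in the log).
# Keys and values are lowercase for comparison.
EXPECTED_DIRS = {
    "smss.exe":     r"c:\windows\system32",
    "csrss.exe":    r"c:\windows\system32",
    "winlogon.exe": r"c:\windows\system32",
    "services.exe": r"c:\windows\system32",
    "lsass.exe":    r"c:\windows\system32",
    "svchost.exe":  r"c:\windows\system32",
    "spoolsv.exe":  r"c:\windows\system32",
    "ctfmon.exe":   r"c:\windows\system32",
    "explorer.exe": r"c:\windows",
}

# "O4 - <registry key>: [<value name>] <command line>"
O4_RE = re.compile(r"^O4 - (?P<key>.+?): \[(?P<name>.*?)\] (?P<rest>.+)$")
# Unquoted image paths may contain spaces, so take everything up to the
# first token that ends in an executable extension; quoted paths are taken whole.
IMAGE_RE = re.compile(
    r'^"(?P<q>[^"]+)"|^(?P<u>.+?\.(?:exe|com|scr|bat|cmd|dll))(?=\s|$)',
    re.IGNORECASE,
)


def parse_o4(line):
    """Return {'key', 'name', 'image', 'args'} for an O4 line, or None."""
    m = O4_RE.match(line.strip())
    if not m:
        return None
    rest = m.group("rest")
    im = IMAGE_RE.match(rest)
    if im:
        image = im.group("q") or im.group("u")
        args = rest[im.end():].strip()
    else:  # no recognisable extension: fall back to the first token
        image, _, args = rest.partition(" ")
    return {"key": m.group("key"), "name": m.group("name"),
            "image": image, "args": args}


def masquerade_reason(image):
    r"""Explain why an image path looks like a masquerade, else return None.

    The *exact* parent directory is compared, not a prefix: system32\drivers
    is under system32 but is not where svchost.exe belongs.
    """
    directory, base = ntpath.split(ntpath.normpath(image))
    expected = EXPECTED_DIRS.get(base.lower())
    if expected is None or directory.lower() == expected:
        return None
    return f"{base} expected in {expected}, found in {directory}"


def triage(log_text):
    """Return [(image, reason)] for every O4 entry that fails the check."""
    findings = []
    for line in log_text.splitlines():
        entry = parse_o4(line)
        if entry is None:
            continue
        reason = masquerade_reason(entry["image"])
        if reason:
            findings.append((entry["image"], reason))
    return findings


if __name__ == "__main__":
    for image, reason in triage(SAMPLE_HJT_LINES):
        print(f"SUSPICIOUS: {image}  ({reason})")
```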


----------



## bison8125

*Combofix Log File*

ComboFix 08-02-19.2 - Dylan 2008-02-19  0:51:52.1 - NTFSx86
Microsoft Windows XP Professional  5.1.2600.2.1252.1.1033.18.480 [GMT -6:00]
Running from: C:\Documents and Settings\Dylan\Desktop\ComboFix.exe
 * Created a new restore point

*WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!*
.

(((((((((((((((((((((((((((((((((((((((   Other Deletions   )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Program Files\winupdates
C:\WINDOWS\system32\drivers\svchost.exe
C:\WINDOWS\system32\lsprst7.dll
C:\WINDOWS\system32\nsprs.dll
C:\WINDOWS\system32\serauth1.dll
C:\WINDOWS\system32\serauth2.dll
C:\WINDOWS\system32\ssprs.dll
C:\WINDOWS\system32\winupdate.exe
C:\WINDOWS\trayicons.exe
C:\WINDOWS\windisk.dll

.
(((((((((((((((((((((((((((((((((((((((   Drivers/Services   )))))))))))))))))))))))))))))))))))))))))))))))))

.
-------\LEGACY_NTLOAD
-------\nm
-------\ntload


(((((((((((((((((((((((((   Files Created from 2008-01-19 to 2008-02-19  )))))))))))))))))))))))))))))))
.

2008-02-18 23:04 . 2007-06-05 10:56	44,928	--a------	C:\WINDOWS\system32\drivers\SDTHOOK.SYS
2008-02-18 23:03 . 2007-06-08 09:44	8,576	--a------	C:\WINDOWS\system32\drivers\qbphsfchiqga.sys
2008-02-18 22:53 . 2008-02-19 00:12	<DIR>	d--------	C:\WINDOWS\system32\ActiveScan
2008-02-18 22:53 . 2008-02-18 22:53	30,590	--a------	C:\WINDOWS\system32\pavas.ico
2008-02-18 22:53 . 2008-02-18 22:53	2,550	--a------	C:\WINDOWS\system32\Uninstall.ico
2008-02-18 22:53 . 2008-02-18 22:53	1,406	--a------	C:\WINDOWS\system32\Help.ico
2008-02-18 19:20 . 2008-02-18 19:20	0	--a------	C:\WINDOWS\system32\wscmp.dll.tmp
2008-02-18 19:19 . 2008-02-18 19:19	0	--a------	C:\WINDOWS\system32\update32.exe.tmp
2008-02-18 19:16 . 2008-02-18 19:16	0	--a------	C:\WINDOWS\system32\sex2.ico.tmp
2008-02-18 19:15 . 2008-02-18 19:15	0	--a------	C:\WINDOWS\system32\sex1.ico.tmp
2008-02-18 19:11 . 2008-02-18 19:11	87,040	--a------	C:\WINDOWS\e01.exe
2008-02-18 19:11 . 2008-02-18 19:11	23,040	--a------	C:\info.exe
2008-02-16 10:01 . 2008-02-18 02:11	<DIR>	d--------	C:\Westwood
2008-02-14 14:44 . 2008-02-14 14:44	15,042	--a------	C:\AirlineHistory.zip
2008-02-13 22:27 . 2008-02-13 22:27	<DIR>	d--------	C:\Documents and Settings\All Users\Application Data\NCH Swift Sound
2008-02-13 22:25 . 2008-02-13 22:25	<DIR>	d--------	C:\Documents and Settings\Dylan\Application Data\NCH Software
2008-02-13 22:25 . 2008-02-13 22:25	<DIR>	d--------	C:\Documents and Settings\All Users\Application Data\NCH Software
2008-01-26 18:24 . 2008-01-26 18:24	<DIR>	d--------	C:\Program Files\CCleaner
2008-01-24 15:01 . 2008-02-15 19:42	<DIR>	d--------	C:\AirlineStudentHistory
2008-01-24 15:01 . 2008-02-15 19:41	<DIR>	d--------	C:\AirlineHistory
2008-01-20 11:20 . 2008-01-20 11:20	552	--a------	C:\WINDOWS\system32\d3d8caps.dat
2008-01-19 08:52 . 2008-01-19 08:52	<DIR>	d--------	C:\Program Files\EA GAMES

.
((((((((((((((((((((((((((((((((((((((((   Find3M Report   ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-02-19 05:52	---------	d-----w	C:\Program Files\MSN Messenger
2008-02-19 05:40	---------	d-----w	C:\Program Files\AIM6
2008-02-19 01:30	---------	d-----w	C:\Documents and Settings\Dylan\Application Data\AVG7
2008-02-19 01:17	---------	d--h--w	C:\Program Files\InstallShield Installation Information
2008-02-19 00:58	---------	d-----w	C:\Program Files\Maxis
2008-02-17 18:13	---------	d-----w	C:\Program Files\Viewpoint
2008-02-17 18:13	---------	d-----w	C:\Documents and Settings\All Users\Application Data\Viewpoint
2008-02-17 18:12	---------	d-----w	C:\Documents and Settings\All Users\Application Data\AOL
2008-02-16 15:09	---------	d-----w	C:\Documents and Settings\All Users\Application Data\AOL Downloads
2008-02-15 07:25	---------	d-----w	C:\Documents and Settings\Dylan\Application Data\U3
2008-02-15 04:29	---------	d-----w	C:\Documents and Settings\Dylan\Application Data\BitTorrent
2008-02-14 04:25	---------	d-----w	C:\Program Files\NCH Software
2008-02-12 19:00	---------	d-----w	C:\Program Files\Diablo II
2008-01-31 05:54	---------	d-----w	C:\Documents and Settings\Dylan\Application Data\WeatherBug
2008-01-22 06:03	---------	d-----w	C:\Program Files\Hero Editor
2008-01-22 06:02	73,216	----a-w	C:\WINDOWS\ST6UNST.EXE
2008-01-22 06:02	249,856	------w	C:\WINDOWS\Setup1.exe
2008-01-19 14:48	---------	d-----w	C:\Program Files\Common Files\InstallShield
2007-12-21 19:44	---------	d---a-w	C:\Documents and Settings\All Users\Application Data\TEMP
2007-12-21 19:11	---------	d-----w	C:\Program Files\WON
2007-12-21 18:53	94,208	----a-w	C:\WINDOWS\ScUnin.exe
2007-12-21 18:53	---------	d-----w	C:\Program Files\Starcraft
2007-12-21 06:22	---------	d-----w	C:\Program Files\Common Files\Nero
2007-12-21 06:22	---------	d-----w	C:\Documents and Settings\All Users\Application Data\Nero
2007-12-21 05:59	---------	d-----w	C:\Documents and Settings\Dylan\Application Data\Nero
2006-11-11 12:16	1,740	----a-w	C:\Documents and Settings\Dylan\HISCORES.DAT
1997-05-13 23:26	3,206,344	----a-w	C:\Documents and Settings\Dylan\HOSPPAT.EXE
1994-06-01 03:00	265,396	----a-w	C:\Documents and Settings\Dylan\DOS4GW.EXE
.

(((((((((((((((((((((((((((((((((((((   Reg Loading Points   ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown 
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Yahoo! Pager"="C:\PROGRA~1\Yahoo!\MESSEN~1\YAHOOM~1.exe" [2006-11-30 21:49 4662776]
"MsnMsgr"="C:\Program Files\MSN Messenger\MsnMsgr.exe" [2007-01-19 12:54 5674352]
"Aim6"="C:\Program Files\AIM6\aim6.exe" [2008-01-03 10:15 50528]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 06:00 15360]
"Freebie Notes"="C:\Program Files\Power Soft\Freebie Notes\FreebieNotes.exe" [2006-05-23 22:05 982016]
"SVCHOST.EXE"="C:\WINDOWS\system32\drivers\svchost.exe" [ ]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SynTPEnh"="C:\Program Files\Synaptics\SynTP\SynTPEnh.exe" [2006-05-19 13:51 774233]
"TkBellExe"="C:\Program Files\Common Files\Real\Update_OB\realsched.exe" [2006-09-17 21:21 185784]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2006-08-29 14:31 282624]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"AVG7_Run"="C:\PROGRA~1\Grisoft\AVG7\avgw.exe" [2007-06-23 21:39 145920]

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Adobe Reader Speed Launch.lnk
backup=C:\WINDOWS\pss\Adobe Reader Speed Launch.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Cisco Systems VPN Client.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Cisco Systems VPN Client.lnk
backup=C:\WINDOWS\pss\Cisco Systems VPN Client.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^Dylan^Start Menu^Programs^Startup^Qwest QuickNetworking.lnk]
path=C:\Documents and Settings\Dylan\Start Menu\Programs\Startup\Qwest QuickNetworking.lnk
backup=C:\WINDOWS\pss\Qwest QuickNetworking.lnkStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Photo Downloader]
--a------ 2005-06-06 23:46 57344 C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Aim6]
C:\Program Files\Common Files\AOL\Launch\AOLLaunch.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ATIPTA]
--a------ 2005-06-28 20:05 344064 C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AVG7_CC]
--a------ 2007-06-23 21:39 416256 C:\PROGRA~1\Grisoft\AVG7\avgcc.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BitTorrent]
--a------ 2007-11-15 18:14 588080 C:\Program Files\BitTorrent\bittorrent.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Broadcom Wireless Manager UI]
C:\WINDOWS\system32\WLTRAY

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\CircleVirtualCD]
--a------ 2003-07-14 11:15 61440 C:\Program Files\Circle\VirtualCD\HvcdUI.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IndxStoreSvr_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}]
C:\Program Files\Common Files\Nero\Lib\NMIndexStoreSvr.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IPHSend]
C:\Program Files\Common Files\AOL\IPHSend\IPHSend.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ISUSPM Startup]
C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ISUSScheduler]
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\KernelFaultCheck]
C:\WINDOWS\system32\dumprep 0 -k

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NBKeyScan]
C:\Program Files\Nero\Nero8\Nero BackItUp\NBKeyScan.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PD0630 STISvc]
-ra------ 2005-06-05 11:01 36864 C:\WINDOWS\system32\P0630Pin.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PRISMSVR.EXE]
C:\WINDOWS\system32\PRISMSVR.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\StartUp]
C:\WINDOWS\trayicons.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunKist]
C:\Program Files\Digital Media Reader\shwicon2k.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SynTPLpr]
--a------ 2006-05-19 13:52 86105 C:\Program Files\Synaptics\SynTP\SynTPLpr.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ViewMgr]
--a------ 2007-01-04 15:38 112336 C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Weather]
--a------ 2006-04-07 14:02 1343488 C:\Program Files\AWS\WeatherBug\Weather.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WinVNC]
--a------ 2003-08-01 18:28 474624 C:\Program Files\TightVNC\WinVNC.exe

R1 HekkoVirtualCD;Hekko Virtual CD Driver;C:\WINDOWS\system32\Drivers\hvcd.sys [2003-07-14 10:46]
R2 Viewpoint Manager Service;Viewpoint Manager Service;"C:\Program Files\Viewpoint\Common\ViewpointService.exe" [2007-01-04 15:38]
R2 X4HSX32;X4HSX32;C:\Program Files\EXEtender\X4HSX32.Sys [2005-05-31 18:26]
S3 cisaspi0;Cistone ASPI Driver;C:\WINDOWS\system32\Drivers\cisaspi0.sys []
S3 P0630VID;Creative WebCam Live!;C:\WINDOWS\system32\DRIVERS\P0630Vid.sys [2005-06-05 19:44]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\D]
\Shell\AutoRun\command - D:\Start.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{8da80ab2-afd1-11db-a9b4-000ae4f3f14f}]
\Shell\AutoRun\command - E:\LaunchU3.exe -a

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{f1f21ac5-9354-11da-a8f4-00032532c61c}]
\Shell\AutoRun\command - E:\JDSecure\Windows\JDSecure31.exe


[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{A5CDF7EC-751B-46aa-AD69-4005FE080DE8}]
C:\WINDOWS\system32\sinmax.exe s
.
**************************************************************************

catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-02-19 00:57:49
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ... 

scanning hidden autostart entries ...

scanning hidden files ... 

scan completed successfully 
hidden files: 0 

**************************************************************************
.
------------------------ Other Running Processes ------------------------
.
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\System32\wltrysvc.exe
C:\WINDOWS\System32\bcmwltry.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Windows Media Player\WMPNetwk.exe
C:\Program Files\MSN Messenger\usnsvc.exe
C:\Program Files\MSN Messenger\livecall.exe
C:\Program Files\AIM6\aolsoftware.exe
.
**************************************************************************
.
Completion time: 2008-02-19  1:03:59 - machine was rebooted
ComboFix-quarantined-files.txt  2008-02-19 07:03:55
.
2008-02-14 21:54:11	--- E O F ---


----------



## Vizy

I don't see ComboFix, but even if you did post it, I wouldn't be able to help... ceewi or gamemaster are good at this. For the time being, there ain't any need to look at inappropriate websites... if you are... if you're not... that's good.


EDIT: lol, I just saw the ComboFix right now.


----------



## ceewi1

Please download *SDFix* and save it to your Desktop.

Double click *SDFix.exe* and it will extract the files to *C:\SDFix*

You may wish to print out these instructions or copy them to a notepad document since you will be unable to access the Internet while in Safe Mode to read from this site.

Please then reboot your computer in *Safe Mode* (tap F8 just before Windows starts to load and select Safe Mode from the list).

1. Open the extracted SDFix folder and double click *RunThis.bat* to start the script.
2. Type *Y* to begin the cleanup process.
3. It will remove any Trojan Services and Registry Entries that it finds, then prompt you to press any key to reboot.
4. Press any key and it will restart the PC.
5. When the PC restarts, the Fixtool will run again and complete the removal process, then display *Finished*; press any key to end the script and load your desktop icons.
6. Once the desktop icons load, the SDFix report will open on screen and also save into the SDFix folder as *Report.txt* (Report.txt will also be copied to the Clipboard, ready for posting back on the forum).
7. Finally, paste the contents of Report.txt back on the forum with a new HijackThis log.


----------



## bison8125

*SDFix Log*

Microsoft Windows XP [Version 5.1.2600]
Running From: C:\SDFix

*Checking Services*:


Restoring Windows Registry Values
Restoring Windows Default Hosts File

Rebooting...


*Checking Files*: 

Trojan Files Found:

C:\WINDOWS\system32\update32.exe.tmp  - Deleted
C:\WINDOWS\system32\wscmp.dll.tmp  - Deleted





Removing Temp Files...

*ADS Check*:



*Final Check*:

catchme 0.3.1344.2 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-02-19 11:45:15
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden services & system hive ...

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\sptd\Cfg]
"s1"=dword:f38c5b09
"s2"=dword:ed259484
"h0"=dword:00000001

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04]
"h0"=dword:00000000
"ujdew"=hex:30,62,1b,16,eb,c0,79,66,0e,64,74,5d,4c,39,b3,8d,40,4f,45,b1,83,..
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{6F80AA49-7202-4FE8-99AA-07F3A8F133C7}]
"LeaseObtainedTime"=dword:47bb158d
"T1"=dword:47bb1c95
"T2"=dword:47bb21db
"LeaseTerminatesTime"=dword:47bb239d
"DhcpRetryTime"=dword:00000706
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\{6F80AA49-7202-4FE8-99AA-07F3A8F133C7}\Parameters\Tcpip]
"LeaseObtainedTime"=dword:47bb158d
"T1"=dword:47bb1c95
"T2"=dword:47bb21db
"LeaseTerminatesTime"=dword:47bb239d
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services\NetBT\Parameters\Interfaces\Tcpip_{D17E4E7A-E488-48D5-B635-3F329F975E84}]
"DhcpNameServerList"=str(7):"134.129.111.178\0"
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services\SharedAccess\Epoch]
"Epoch"=dword:00002cd5
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04]
"h0"=dword:00000000
"ujdew"=hex:30,62,1b,16,eb,c0,79,66,0e,64,74,5d,4c,39,b3,8d,40,4f,45,b1,83,..
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services\Tcpip\Parameters]
"DhcpDomain"="nodak.edu"

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services\Tcpip\Parameters\Interfaces\{6F80AA49-7202-4FE8-99AA-07F3A8F133C7}]
"NTEContextList"=str(7):""
"DhcpServer"="255.255.255.255"
"LeaseObtainedTime"=dword:47b5f28e
"T1"=dword:47b5f996
"T2"=dword:47b5fedc
"LeaseTerminatesTime"=dword:47b6009e
"DhcpIPAddress"="0.0.0.0"
"DhcpSubnetMask"="255.0.0.0"

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services\Tcpip\Parameters\Interfaces\{D17E4E7A-E488-48D5-B635-3F329F975E84}]
"NTEContextList"=str(7):"0x00000002\0"
"LeaseObtainedTime"=dword:47ba7dc6
"T1"=dword:47ba84ce
"T2"=dword:47ba8a14
"LeaseTerminatesTime"=dword:47ba8bd6
"DhcpRetryTime"=dword:00000705
"DhcpRetryStatus"=dword:00000000
"DhcpNameServer"="134.129.111.111 134.129.201.29"
"DhcpDefaultGateway"=str(7):"134.129.60.100\0"
"DhcpDomain"="nodak.edu"
"DhcpSubnetMaskOpt"=str(7):"255.255.254.0\0"
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services\{6F80AA49-7202-4FE8-99AA-07F3A8F133C7}\Parameters\Tcpip]
"DhcpIPAddress"="0.0.0.0"
"DhcpSubnetMask"="255.0.0.0"
"DhcpServer"="255.255.255.255"
"LeaseObtainedTime"=dword:47b5f28e
"T1"=dword:47b5f996
"T2"=dword:47b5fedc
"LeaseTerminatesTime"=dword:47b6009e
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services\{D17E4E7A-E488-48D5-B635-3F329F975E84}\Parameters\Tcpip]
"LeaseObtainedTime"=dword:47ba7dc6
"T1"=dword:47ba84ce
"T2"=dword:47ba8a14
"LeaseTerminatesTime"=dword:47ba8bd6
"DhcpDefaultGateway"=str(7):"134.129.60.100\0"
"DhcpSubnetMaskOpt"=str(7):"255.255.254.0\0"

scanning hidden registry entries ...

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Reinstall\\24\xe1\21]
"DisplayName"="\xd008\x36c\xd008\x36c\1"
"DeviceDesc"="\xd008\x36c\xd008\x36c\1"
"ProviderName"="\xfed4\21\xee18\x7c90\xff44\21\b"
"MFG"="\x588"
"ReinstallString"="C:\WINDOWS\System32\ReinstallBackups\\xe114\21\x80\xc010\DriverFiles\.INF"
"DeviceInstanceIds"=str(7):"c:\cabs\9533116\smbus\smbusati.inf"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList\S-1-5-19]
"RefCount"=dword:00000001

scanning hidden files ...

scan completed successfully
hidden processes: 0
hidden services: 0
hidden files: 0


*Remaining Services*:



Authorized Application Key Export:

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list]

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\domainprofile\authorizedapplications\list]

*Remaining Files*:


File Backups: - C:\SDFix\backups\backups.zip

*Files with Hidden Attributes*:

Wed  4 Aug 2004        93,184 A.SH. --- "C:\Program Files\Internet Explorer\IEXPLORE.EXE"
Wed  4 Aug 2004        60,416 A.SH. --- "C:\Program Files\Outlook Express\msimn.exe"
Thu 21 Sep 2006         4,348 ..SH. --- "C:\Documents and Settings\All Users\DRM\DRMv1.bak"
Wed 20 Dec 2006             0 A.SH. --- "C:\Documents and Settings\All Users\DRM\Cache\Indiv01.tmp"
Wed 20 Dec 2006             0 A.SH. --- "C:\Documents and Settings\All Users\DRM\Cache\Indiv02.tmp"
Sun 30 Sep 2007             0 A.SH. --- "C:\Documents and Settings\All Users\DRM\Cache\Indiv03.tmp"
Thu  3 Jan 2008             0 A..H. --- "C:\WINDOWS\SoftwareDistribution\Download\12bb35ec2265dce083ec92c86f1e1ffc\BITEC.tmp"
Wed 19 Sep 2007             0 A..H. --- "C:\WINDOWS\SoftwareDistribution\Download\1db9e52f9e862450a2af87f2f5a16dbc\BIT6.tmp"
Thu  3 Jan 2008             0 A..H. --- "C:\WINDOWS\SoftwareDistribution\Download\b04031f0b83ee952189dd8beb4ee929a\BITEE.tmp"
Thu  3 Jan 2008             0 A..H. --- "C:\WINDOWS\SoftwareDistribution\Download\cf7ced0e70c80a1e476f1abf49afecb1\BITED.tmp"

*Finished!*


----------



## bison8125

*Hijack This Log*

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 12:00:03 PM, on 2/19/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\wltrysvc.exe
C:\WINDOWS\System32\bcmwltry.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Viewpoint\Common\ViewpointService.exe
C:\Program Files\TightVNC\WinVNC.exe
C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
C:\WINDOWS\system32\notepad.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\QuickTime\qttask.exe
C:\PROGRA~1\Yahoo!\MESSEN~1\YAHOOM~1.EXE
C:\Program Files\MSN Messenger\MsnMsgr.Exe
C:\Program Files\AIM6\aim6.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\AIM6\aolsoftware.exe
C:\Program Files\MSN Messenger\usnsvc.exe
C:\Program Files\MSN Messenger\livecall.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoomail.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://us.rd.yahoo.com/customize/ie/defaults/su/msgr8/*http://www.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.com/customize/ie/defaults/sb/msgr8/*http://www.yahoo.com/ext/search/search.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://us.rd.yahoo.com/customize/ie/defaults/sp/msgr8/*http://www.yahoo.com
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://us.rd.yahoo.com/customize/ie/defaults/su/msgr8/*http://www.yahoo.com
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe"  -osboot
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\PROGRA~1\Yahoo!\MESSEN~1\YAHOOM~1.EXE" -quiet
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [Aim6] "C:\Program Files\AIM6\aim6.exe" /d locale=en-US ee://aol/imApp
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Freebie Notes] "C:\Program Files\Power Soft\Freebie Notes\FreebieNotes.exe"
O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'Default user')
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\npjpi160_01.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\npjpi160_01.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll
O16 - DPF: {2B96D5CC-C5B5-49A5-A69D-CC0A30F9028C} - http://wdownload.weatherbug.com/minibug/tricklers/AWS/MiniBugTransporter.cab?
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
O16 - DPF: {3BFFE033-BF43-11D5-A271-00A024A51325} (iNotes6 Class) - http://hcmail1.co.hennepin.mn.us/iNotes6W.cab
O16 - DPF: {5F8469B4-B055-49DD-83F7-62B522420ECC} (Facebook Photo Uploader Control) - http://upload.facebook.com/controls/FacebookPhotoUploader.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1181780980500
O16 - DPF: {85D1F3B2-2A21-11D7-97B9-0010DC2A6243} (SecureLogin class) - http://secure2.comned.com/signuptemplates/securelogin-devel.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/MsnMessengerSetupDownloader.cab
O16 - DPF: {C4925E65-7A1E-11D2-8BB4-00A0C9CC72C3} - http://a532.g.akamai.net/f/532/6712/4h/player.virtools.com/downloads/player/Install3.0/Installer.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: Cisco Systems, Inc. VPN Service (CVPND) - Cisco Systems, Inc. - C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Unknown owner - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe (file missing)
O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exe
O23 - Service: VNC Server (winvnc) - Constantin Kaplinsky - C:\Program Files\TightVNC\WinVNC.exe
O23 - Service: Broadcom Wireless LAN Tray Service (wltrysvc) - Unknown owner - C:\WINDOWS\System32\wltrysvc.exe

--
End of file - 6530 bytes


----------



## ceewi1

Excellent, we're making progress.

Your logfile shows signs of *Viewpoint Manager.*
Viewpoint Manager is considered foistware rather than malware, since it is installed without the user's approval but doesn't spy or do anything bad. It is known to be intrusive, but there is some possibility that it is now being used by those companies to give them info about your habits. It is not considered spyware since this is not clear, but I would not tolerate it on my machine if I didn't install it.

Your logfile also shows signs of *Weatherbug*
Weatherbug is often installed as a secondary application along with other popular programs. It gives you information about local weather conditions, however also displays ads. If you're looking for a free alternative that doesn't display ads, you may want to try WeatherPulse.

I suggest you remove both.  To do so, click on *Start* -> *Control Panel* -> *Add or Remove Programs*. 
To remove Viewpoint Manager, Click on *Viewpoint Manager* and click *Remove*.
To remove Weatherbug, click on *Weatherbug* in the list and click *Remove*.


Open *Notepad* (Start -> Run -> type *notepad* in the Open field -> OK) and copy and paste the text present *inside* the code box below:



Code:

```
File::
C:\WINDOWS\system32\sex2.ico.tmp
C:\WINDOWS\system32\sex1.ico.tmp
C:\WINDOWS\e01.exe
C:\info.exe

Registry::
[-HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{A5CDF7EC-751B-46aa-AD69-4005FE080DE8}]
```


Save this as *CFScript.txt* and change the *Save as type* to *All Files* and place it on your *desktop*.

[Screenshot: CFScript.txt being dragged onto ComboFix.exe]

Referring to the screenshot above, *drag CFScript.txt into ComboFix.exe*.
ComboFix will now run a scan on your system. It may reboot your system when it finishes. This is normal.
When finished, it shall produce a log for you. Copy and paste the contents of the log in your next reply.
*CAUTION*:
Do *NOT* mouse-click ComboFix's window while it is running. That may cause it to stall.
Also, please do *NOT* adjust your time format while ComboFix is running.

Please run HijackThis and choose *Do a system scan only*.

Place a check next to the following entries:
*R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)*
*O16 - DPF: {85D1F3B2-2A21-11D7-97B9-0010DC2A6243} (SecureLogin class) - http://secure2.comned.com/signuptemp...ogin-devel.cab*

If you chose to remove Viewpoint Manager, place a check next to the following entry (if still present):

*O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exe*

If you chose to remove Weatherbug, place a check next to the following entry:
*O16 - DPF: {2B96D5CC-C5B5-49A5-A69D-CC0A30F9028C} - http://wdownload.weatherbug.com/mini...ansporter.cab?*
Please close all open windows except for HijackThis and choose *Fix checked*

Please reboot and post a new HijackThis log.  How is your system running now?
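As an added example (not part of the thread, and not HijackThis code): a small Python triage pass over the HijackThis line format that flags the same kinds of entries ceewi1 singled out above, dangling "(no file)" and "(file missing)" references, O16 DPF downloads from unfamiliar hosts, an O10 LSP HijackThis does not recognise, and O23 services with no publisher. The sample lines are copied from the log above; the trusted-host list and the fix/review split are my assumptions.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample: a handful of lines taken from the HijackThis log posted above.
SAMPLE_LOG = r"""
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll
O16 - DPF: {85D1F3B2-2A21-11D7-97B9-0010DC2A6243} (SecureLogin class) - http://secure2.comned.com/signuptemplates/securelogin-devel.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1181780980500
O23 - Service: InstallDriver Table Manager (IDriverT) - Unknown owner - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe (file missing)
O23 - Service: VNC Server (winvnc) - Constantin Kaplinsky - C:\Program Files\TightVNC\WinVNC.exe
"""


@dataclass(frozen=True)
class Finding:
    section: str  # HijackThis section tag, e.g. "O16"
    action: str   # "fix" = safe to tick in HijackThis, "review" = needs a human look
    reason: str
    entry: str    # the original log line


# Assumption: hosts whose ActiveX downloads (O16 DPF) are expected on this machine.
TRUSTED_DPF_HOSTS = ("microsoft.com", "windowsupdate.com")

# "R3 - ...", "O16 - ...": section tag, " - ", rest of the entry.
_LINE_RE = re.compile(r"^(?P<section>[RFO]\d+) - (?P<body>.+)$")
_URL_RE = re.compile(r"https?://(?P<host>[^/\s?]+)", re.IGNORECASE)


def _trusted_host(host: str) -> bool:
    host = host.lower()
    return any(host == d or host.endswith("." + d) for d in TRUSTED_DPF_HOSTS)


def triage_line(line: str) -> Optional[Finding]:
    """Classify one HijackThis log line; None means nothing worth noting."""
    m = _LINE_RE.match(line.strip())
    if not m:
        return None
    section, body = m.group("section"), m.group("body")

    # A registry entry that still points at a file which is gone is a leftover:
    # nothing runs from it, so removing the entry is safe housekeeping.
    if body.endswith("(no file)") or body.endswith("(file missing)"):
        return Finding(section, "fix", "entry points at a file that no longer exists", line)

    if section == "O16":
        url = _URL_RE.search(body)
        if url is None:
            return None  # control backed by a local DLL, nothing is downloaded
        host = url.group("host")
        if not _trusted_host(host):
            return Finding(section, "review", f"ActiveX control downloaded from {host}", line)
        return None

    if section == "O10":
        # A Winsock LSP sits in the network path of every socket; an unrecognised
        # one deserves a look, but LSPs must never be deleted blindly.
        return Finding(section, "review", "Winsock LSP not recognised by HijackThis", line)

    if section == "O23" and "- Unknown owner -" in body:
        return Finding(section, "review", "service without a publisher name", line)

    return None


def triage(log_text: str) -> List[Finding]:
    """Run triage_line over a whole log and keep the hits, in log order."""
    return [f for f in (triage_line(ln) for ln in log_text.splitlines()) if f is not None]


def fix_checklist(log_text: str) -> List[str]:
    """The entries a helper would tell the user to tick under 'Fix checked'."""
    return [f.entry for f in triage(log_text) if f.action == "fix"]


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"{f.section:<4} {f.action:<7} {f.reason}")
```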


----------



## bison8125

*Combofix Log*

"DhcpNameServerList"=str(7):"134.129.111.178\0"
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services\SharedAccess\Epoch]
"Epoch"=dword:00002cd5
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04]
"h0"=dword:00000000
"ujdew"=hex:30,62,1b,16,eb,c0,79,66,0e,64,74,5d,4c,39,b3,8d,40,4f,45,b1,83,..
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services\Tcpip\Parameters]
"DhcpDomain"="nodak.edu"

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services\Tcpip\Parameters\Interfaces\{6F80AA49-7202-4FE8-99AA-07F3A8F133C7}]
"NTEContextList"=str(7):""
"DhcpServer"="255.255.255.255"
"LeaseObtainedTime"=dword:47b5f28e
"T1"=dword:47b5f996
"T2"=dword:47b5fedc
"LeaseTerminatesTime"=dword:47b6009e
"DhcpIPAddress"="0.0.0.0"
"DhcpSubnetMask"="255.0.0.0"

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services\Tcpip\Parameters\Interfaces\{D17E4E7A-E488-48D5-B635-3F329F975E84}]
"NTEContextList"=str(7):"0x00000002\0"
"LeaseObtainedTime"=dword:47ba7dc6
"T1"=dword:47ba84ce
"T2"=dword:47ba8a14
"LeaseTerminatesTime"=dword:47ba8bd6
"DhcpRetryTime"=dword:00000705
"DhcpRetryStatus"=dword:00000000
"DhcpNameServer"="134.129.111.111 134.129.201.29"
"DhcpDefaultGateway"=str(7):"134.129.60.100\0"
"DhcpDomain"="nodak.edu"
"DhcpSubnetMaskOpt"=str(7):"255.255.254.0\0"
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services\{6F80AA49-7202-4FE8-99AA-07F3A8F133C7}\Parameters\Tcpip]
"DhcpIPAddress"="0.0.0.0"
"DhcpSubnetMask"="255.0.0.0"
"DhcpServer"="255.255.255.255"
"LeaseObtainedTime"=dword:47b5f28e
"T1"=dword:47b5f996
"T2"=dword:47b5fedc
"LeaseTerminatesTime"=dword:47b6009e
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services\{D17E4E7A-E488-48D5-B635-3F329F975E84}\Parameters\Tcpip]
"LeaseObtainedTime"=dword:47ba7dc6
"T1"=dword:47ba84ce
"T2"=dword:47ba8a14
"LeaseTerminatesTime"=dword:47ba8bd6
"DhcpDefaultGateway"=str(7):"134.129.60.100\0"
"DhcpSubnetMaskOpt"=str(7):"255.255.254.0\0"

scanning hidden registry entries ...

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Reinstall\\24\xe1\21]
"DisplayName"="\xd008\x36c\xd008\x36c\1"
"DeviceDesc"="\xd008\x36c\xd008\x36c\1"
"ProviderName"="\xfed4\21\xee18\x7c90\xff44\21\b"
"MFG"="\x588"
"ReinstallString"="C:\WINDOWS\System32\ReinstallBackups\\xe114\21\x80\xc010\DriverFiles\.INF"
"DeviceInstanceIds"=str(7):"c:\cabs\9533116\smbus\smbusati.inf"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList\S-1-5-19]
"RefCount"=dword:00000001

scanning hidden files ...

scan completed successfully
hidden processes: 0
hidden services: 0
hidden files: 0


*Remaining Services*:



Authorized Application Key Export:

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list]

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\domainprofile\authorizedapplications\list]

*Remaining Files*:


File Backups: - C:\SDFix\backups\backups.zip

*Files with Hidden Attributes*:

Wed  4 Aug 2004        93,184 A.SH. --- "C:\Program Files\Internet Explorer\IEXPLORE.EXE"
Wed  4 Aug 2004        60,416 A.SH. --- "C:\Program Files\Outlook Express\msimn.exe"
Thu 21 Sep 2006         4,348 ..SH. --- "C:\Documents and Settings\All Users\DRM\DRMv1.bak"
Wed 20 Dec 2006             0 A.SH. --- "C:\Documents and Settings\All Users\DRM\Cache\Indiv01.tmp"
Wed 20 Dec 2006             0 A.SH. --- "C:\Documents and Settings\All Users\DRM\Cache\Indiv02.tmp"
Sun 30 Sep 2007             0 A.SH. --- "C:\Documents and Settings\All Users\DRM\Cache\Indiv03.tmp"
Thu  3 Jan 2008             0 A..H. --- "C:\WINDOWS\SoftwareDistribution\Download\12bb35ec2265dce083ec92c86f1e1ffc\BITEC.tmp"
Wed 19 Sep 2007             0 A..H. --- "C:\WINDOWS\SoftwareDistribution\Download\1db9e52f9e862450a2af87f2f5a16dbc\BIT6.tmp"
Thu  3 Jan 2008             0 A..H. --- "C:\WINDOWS\SoftwareDistribution\Download\b04031f0b83ee952189dd8beb4ee929a\BITEE.tmp"
Thu  3 Jan 2008             0 A..H. --- "C:\WINDOWS\SoftwareDistribution\Download\cf7ced0e70c80a1e476f1abf49afecb1\BITED.tmp"

*Finished!*


----------



## bison8125

*Hijack This Log*

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 2:26:25 AM, on 2/20/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\wltrysvc.exe
C:\WINDOWS\System32\bcmwltry.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\system32\svchost.exe
C:\Program Files\TightVNC\WinVNC.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\PROGRA~1\Yahoo!\MESSEN~1\YAHOOM~1.EXE
C:\Program Files\MSN Messenger\MsnMsgr.Exe
C:\Program Files\AIM6\aim6.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\AIM6\aolsoftware.exe
C:\Program Files\MSN Messenger\usnsvc.exe
C:\Program Files\MSN Messenger\livecall.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoomail.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://us.rd.yahoo.com/customize/ie/defaults/su/msgr8/*http://www.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.com/customize/ie/defaults/sb/msgr8/*http://www.yahoo.com/ext/search/search.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://us.rd.yahoo.com/customize/ie/defaults/sp/msgr8/*http://www.yahoo.com
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://us.rd.yahoo.com/customize/ie/defaults/su/msgr8/*http://www.yahoo.com
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\PROGRA~1\Yahoo!\MESSEN~1\YAHOOM~1.EXE" -quiet
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [Aim6] "C:\Program Files\AIM6\aim6.exe" /d locale=en-US ee://aol/imApp
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'Default user')
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\npjpi160_01.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\npjpi160_01.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll
O16 - DPF: {2B96D5CC-C5B5-49A5-A69D-CC0A30F9028C} - http://wdownload.weatherbug.com/minibug/tricklers/AWS/MiniBugTransporter.cab?
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
O16 - DPF: {3BFFE033-BF43-11D5-A271-00A024A51325} (iNotes6 Class) - http://hcmail1.co.hennepin.mn.us/iNotes6W.cab
O16 - DPF: {5F8469B4-B055-49DD-83F7-62B522420ECC} (Facebook Photo Uploader Control) - http://upload.facebook.com/controls/FacebookPhotoUploader.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1181780980500
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/MsnMessengerSetupDownloader.cab
O16 - DPF: {C4925E65-7A1E-11D2-8BB4-00A0C9CC72C3} - http://a532.g.akamai.net/f/532/6712/4h/player.virtools.com/downloads/player/Install3.0/Installer.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: Cisco Systems, Inc. VPN Service (CVPND) - Cisco Systems, Inc. - C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Unknown owner - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe (file missing)
O23 - Service: VNC Server (winvnc) - Constantin Kaplinsky - C:\Program Files\TightVNC\WinVNC.exe
O23 - Service: Broadcom Wireless LAN Tray Service (wltrysvc) - Unknown owner - C:\WINDOWS\System32\wltrysvc.exe

--
End of file - 5682 bytes


----------



## bison8125

*Update*

Ok, well we have a couple of issues.  First off, I went into the control panel, then to add/remove programs to remove Viewpoint Manager.  In the add/remove programs window, the list is severely limited, and I have no option to remove any programs listed (the list is about 1/4 as long as it is normally and Viewpoint Manager is not listed at all).  I want to remove Viewpoint, but not remove Weatherbug (I know it comes with other ad software, but I've monitored it, to keep it in check).  Is there another program I can run to scan for general viruses (I have Ad-Aware, AVG, and McAfee at my disposal, but on another post you told someone not to run another virus scanner because it screws you up).  What should I do?


----------



## ceewi1

It's not a good idea to run two anti-virus scanners in resident mode.  You can have two installed, but the real-time scanning feature of one should be turned off.  Alternatively, there are a number of online antivirus scanners available, but I suggest we work through the process of cleaning the system first, and you can run those afterwards to find anything leftover.

The log in your previous post appears to be from SDFix rather than ComboFix.  Please ensure that you are dragging CFScript into ComboFix and not SDFix.

With regards to the uninstall problem, I'd like an export of your Uninstall key, to see if there are any problems there that could be causing this.

Please run Notepad and copy the contents of the codebox below into a new Notepad document. Please do not include the word Code:


Code:

```
regedit.exe /e uninstall.txt HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall
```

Save the file as *C:\uninstall.bat* and make sure the *Save as type* field says *All files*. Navigate to your C:\ drive and double click on uninstall.bat. This should create a file C:\*uninstall.txt* (you may need to refresh your screen to see it - press F5 to do so).

Please post the contents of C:\*uninstall.txt*


----------



## bison8125

*ComboFix Log*

ComboFix 08-02-19.2 - Dylan 2008-02-20  2:11:13.2 - NTFSx86
Microsoft Windows XP Professional  5.1.2600.2.1252.1.1033.18.550 [GMT -6:00]
Running from: C:\Documents and Settings\Dylan\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\Dylan\Desktop\CFScript.txt
 * Created a new restore point

*WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!*

FILE ::
C:\info.exe
C:\WINDOWS\e01.exe
C:\WINDOWS\system32\sex1.ico.tmp
C:\WINDOWS\system32\sex2.ico.tmp
.

(((((((((((((((((((((((((((((((((((((((   Other Deletions   )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\info.exe
C:\WINDOWS\e01.exe
C:\WINDOWS\system32\sex1.ico.tmp
C:\WINDOWS\system32\sex2.ico.tmp

.
(((((((((((((((((((((((((   Files Created from 2008-01-20 to 2008-02-20  )))))))))))))))))))))))))))))))
.

2008-02-19 10:44 . 2008-02-19 10:45	<DIR>	d--------	C:\WINDOWS\ERUNT
2008-02-19 10:37 . 2008-02-19 11:57	<DIR>	d--------	C:\SDFix
2008-02-19 01:10 . 2008-02-19 01:10	<DIR>	d--------	C:\Program Files\Trend Micro
2008-02-18 23:04 . 2007-06-05 10:56	44,928	--a------	C:\WINDOWS\system32\drivers\SDTHOOK.SYS
2008-02-18 23:03 . 2007-06-08 09:44	8,576	--a------	C:\WINDOWS\system32\drivers\qbphsfchiqga.sys
2008-02-18 22:53 . 2008-02-19 00:12	<DIR>	d--------	C:\WINDOWS\system32\ActiveScan
2008-02-18 22:53 . 2008-02-18 22:53	30,590	--a------	C:\WINDOWS\system32\pavas.ico
2008-02-18 22:53 . 2008-02-18 22:53	2,550	--a------	C:\WINDOWS\system32\Uninstall.ico
2008-02-18 22:53 . 2008-02-18 22:53	1,406	--a------	C:\WINDOWS\system32\Help.ico
2008-02-16 10:01 . 2008-02-18 02:11	<DIR>	d--------	C:\Westwood
2008-02-14 14:44 . 2008-02-14 14:44	15,042	--a------	C:\AirlineHistory.zip
2008-02-13 22:27 . 2008-02-13 22:27	<DIR>	d--------	C:\Documents and Settings\All Users\Application Data\NCH Swift Sound
2008-02-13 22:25 . 2008-02-13 22:25	<DIR>	d--------	C:\Documents and Settings\Dylan\Application Data\NCH Software
2008-02-13 22:25 . 2008-02-13 22:25	<DIR>	d--------	C:\Documents and Settings\All Users\Application Data\NCH Software
2008-01-26 18:24 . 2008-01-26 18:24	<DIR>	d--------	C:\Program Files\CCleaner
2008-01-24 15:01 . 2008-02-20 01:59	<DIR>	d--------	C:\AirlineStudentHistory
2008-01-24 15:01 . 2008-02-20 01:58	<DIR>	d--------	C:\AirlineHistory
2008-01-20 11:20 . 2008-01-20 11:20	552	--a------	C:\WINDOWS\system32\d3d8caps.dat

.
((((((((((((((((((((((((((((((((((((((((   Find3M Report   ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-02-19 05:52	---------	d-----w	C:\Program Files\MSN Messenger
2008-02-19 05:40	---------	d-----w	C:\Program Files\AIM6
2008-02-19 01:30	---------	d-----w	C:\Documents and Settings\Dylan\Application Data\AVG7
2008-02-19 01:17	---------	d--h--w	C:\Program Files\InstallShield Installation Information
2008-02-19 00:58	---------	d-----w	C:\Program Files\Maxis
2008-02-17 18:13	---------	d-----w	C:\Program Files\Viewpoint
2008-02-17 18:13	---------	d-----w	C:\Documents and Settings\All Users\Application Data\Viewpoint
2008-02-17 18:12	---------	d-----w	C:\Documents and Settings\All Users\Application Data\AOL
2008-02-16 15:09	---------	d-----w	C:\Documents and Settings\All Users\Application Data\AOL Downloads
2008-02-15 07:25	---------	d-----w	C:\Documents and Settings\Dylan\Application Data\U3
2008-02-15 04:29	---------	d-----w	C:\Documents and Settings\Dylan\Application Data\BitTorrent
2008-02-14 04:25	---------	d-----w	C:\Program Files\NCH Software
2008-02-12 19:58	43,520	----a-w	C:\WINDOWS\system32\CmdLineExt03.dll
2008-02-12 19:00	---------	d-----w	C:\Program Files\Diablo II
2008-01-31 05:54	---------	d-----w	C:\Documents and Settings\Dylan\Application Data\WeatherBug
2008-01-22 06:03	---------	d-----w	C:\Program Files\Hero Editor
2008-01-22 06:02	73,216	----a-w	C:\WINDOWS\ST6UNST.EXE
2008-01-22 06:02	249,856	------w	C:\WINDOWS\Setup1.exe
2008-01-19 14:52	---------	d-----w	C:\Program Files\EA GAMES
2008-01-19 14:48	---------	d-----w	C:\Program Files\Common Files\InstallShield
2007-12-21 19:44	---------	d---a-w	C:\Documents and Settings\All Users\Application Data\TEMP
2007-12-21 19:11	---------	d-----w	C:\Program Files\WON
2007-12-21 18:53	94,208	----a-w	C:\WINDOWS\ScUnin.exe
2007-12-21 18:53	---------	d-----w	C:\Program Files\Starcraft
2007-12-21 06:22	---------	d-----w	C:\Program Files\Common Files\Nero
2007-12-21 06:22	---------	d-----w	C:\Documents and Settings\All Users\Application Data\Nero
2007-12-21 05:59	---------	d-----w	C:\Documents and Settings\Dylan\Application Data\Nero
2007-12-07 00:44	666,112	----a-w	C:\WINDOWS\system32\wininet.dll
2007-12-04 18:38	550,912	----a-w	C:\WINDOWS\system32\oleaut32.dll
2007-12-02 04:57	52,338	----a-w	C:\WINDOWS\system32\RadLightOggUninstall.exe
2007-11-24 05:19	57,344	----a-w	C:\WINDOWS\system32\COMMTB32.DLL
2007-11-24 05:19	28,672	----a-w	C:\WINDOWS\system32\HLP95EN.DLL
2007-11-24 05:19	169,984	----a-w	C:\WINDOWS\system32\P2D.DLL
2007-11-24 05:19	161,552	----a-w	C:\WINDOWS\system32\ASYCPICT.DLL
2006-11-11 12:16	1,740	----a-w	C:\Documents and Settings\Dylan\HISCORES.DAT
1997-05-13 23:26	3,206,344	----a-w	C:\Documents and Settings\Dylan\HOSPPAT.EXE
1994-06-01 03:00	265,396	----a-w	C:\Documents and Settings\Dylan\DOS4GW.EXE
.

(((((((((((((((((((((((((((((((((((((   Reg Loading Points   ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown 
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Yahoo! Pager"="C:\PROGRA~1\Yahoo!\MESSEN~1\YAHOOM~1.exe" [2006-11-30 21:49 4662776]
"MsnMsgr"="C:\Program Files\MSN Messenger\MsnMsgr.exe" [2007-01-19 12:54 5674352]
"Aim6"="C:\Program Files\AIM6\aim6.exe" [2008-01-03 10:15 50528]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 06:00 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SynTPEnh"="C:\Program Files\Synaptics\SynTP\SynTPEnh.exe" [2006-05-19 13:51 774233]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"AVG7_Run"="C:\PROGRA~1\Grisoft\AVG7\avgw.exe" [2007-06-23 21:39 145920]

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Adobe Reader Speed Launch.lnk
backup=C:\WINDOWS\pss\Adobe Reader Speed Launch.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Cisco Systems VPN Client.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Cisco Systems VPN Client.lnk
backup=C:\WINDOWS\pss\Cisco Systems VPN Client.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^Dylan^Start Menu^Programs^Startup^Qwest QuickNetworking.lnk]
path=C:\Documents and Settings\Dylan\Start Menu\Programs\Startup\Qwest QuickNetworking.lnk
backup=C:\WINDOWS\pss\Qwest QuickNetworking.lnkStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Photo Downloader]
--a------ 2005-06-06 23:46 57344 C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Aim6]
C:\Program Files\Common Files\AOL\Launch\AOLLaunch.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ATIPTA]
--a------ 2005-06-28 20:05 344064 C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AVG7_CC]
--a------ 2007-06-23 21:39 416256 C:\PROGRA~1\Grisoft\AVG7\avgcc.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BitTorrent]
--a------ 2007-11-15 18:14 588080 C:\Program Files\BitTorrent\bittorrent.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Broadcom Wireless Manager UI]
C:\WINDOWS\system32\WLTRAY

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\CircleVirtualCD]
--a------ 2003-07-14 11:15 61440 C:\Program Files\Circle\VirtualCD\HvcdUI.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IndxStoreSvr_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}]
C:\Program Files\Common Files\Nero\Lib\NMIndexStoreSvr.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IPHSend]
C:\Program Files\Common Files\AOL\IPHSend\IPHSend.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ISUSPM Startup]
C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ISUSScheduler]
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\KernelFaultCheck]
C:\WINDOWS\system32\dumprep 0 -k

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NBKeyScan]
C:\Program Files\Nero\Nero8\Nero BackItUp\NBKeyScan.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PD0630 STISvc]
-ra------ 2005-06-05 11:01 36864 C:\WINDOWS\system32\P0630Pin.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PRISMSVR.EXE]
C:\WINDOWS\system32\PRISMSVR.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\StartUp]
C:\WINDOWS\trayicons.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunKist]
C:\Program Files\Digital Media Reader\shwicon2k.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SynTPLpr]
--a------ 2006-05-19 13:52 86105 C:\Program Files\Synaptics\SynTP\SynTPLpr.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ViewMgr]
--a------ 2007-01-04 15:38 112336 C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Weather]
--a------ 2006-04-07 14:02 1343488 C:\Program Files\AWS\WeatherBug\Weather.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WinVNC]
--a------ 2003-08-01 18:28 474624 C:\Program Files\TightVNC\WinVNC.exe

R1 HekkoVirtualCD;Hekko Virtual CD Driver;C:\WINDOWS\system32\Drivers\hvcd.sys [2003-07-14 10:46]
R2 Viewpoint Manager Service;Viewpoint Manager Service;"C:\Program Files\Viewpoint\Common\ViewpointService.exe" [2007-01-04 15:38]
R2 X4HSX32;X4HSX32;C:\Program Files\EXEtender\X4HSX32.Sys [2005-05-31 18:26]
S3 cisaspi0;Cistone ASPI Driver;C:\WINDOWS\system32\Drivers\cisaspi0.sys []
S3 P0630VID;Creative WebCam Live!;C:\WINDOWS\system32\DRIVERS\P0630Vid.sys [2005-06-05 19:44]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\D]
\Shell\AutoRun\command - D:\Start.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{8da80ab2-afd1-11db-a9b4-000ae4f3f14f}]
\Shell\AutoRun\command - E:\LaunchU3.exe -a

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{f1f21ac5-9354-11da-a8f4-00032532c61c}]
\Shell\AutoRun\command - E:\JDSecure\Windows\JDSecure31.exe

.
**************************************************************************

catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-02-20 02:14:40
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ... 

scanning hidden autostart entries ...

scanning hidden files ... 

scan completed successfully 
hidden files: 0 

**************************************************************************
.
Completion time: 2008-02-20  2:15:31
ComboFix-quarantined-files.txt  2008-02-20 08:15:11
ComboFix2.txt  2008-02-19 07:03:59
.
2008-02-14 21:54:11	--- E O F ---


----------



## bison8125

*Uninstall Registry*

Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\HijackThis]
"DisplayName"="HijackThis 2.0.2"
"UninstallString"="\"C:\\Program Files\\Trend Micro\\HijackThis\\HijackThis.exe\" /uninstall"
"DisplayIcon"="C:\\Program Files\\Trend Micro\\HijackThis\\HijackThis.exe"
"DisplayVersion"="2.0.2"
"Publisher"="TrendMicro"


----------



## ceewi1

That's unusual, there should be a lot more than that under that key.

Please download *Deckard's System Scanner (DSS)* and save it to your Desktop.
Close all other windows before proceeding.
Double-click on *dss.exe* and follow the prompts.
If your anti-virus or firewall complains, please allow this script to run as it is not malicious.
When it has finished, dss will open two Notepads *main.txt* and *extra.txt* -- please copy (CTRL+A and then CTRL+C) and paste (CTRL+V) the contents of *main.txt* and *extra.txt* in your next reply.


----------



## bison8125

*Main.txt*

Deckard's System Scanner v20071014.68
Run by Dylan on 2008-02-21 10:52:08
Computer is in Normal Mode.
--------------------------------------------------------------------------------

-- System Restore --------------------------------------------------------------

Successfully created a Deckard's System Scanner Restore Point.


-- Last 5 Restore Point(s) --
101: 2008-02-21 16:52:14 UTC - RP573 - Deckard's System Scanner Restore Point
100: 2008-02-21 08:27:26 UTC - RP572 - System Checkpoint
99: 2008-02-20 08:10:46 UTC - RP571 - ComboFix created restore point
98: 2008-02-20 07:16:10 UTC - RP570 - System Checkpoint
97: 2008-02-19 06:51:27 UTC - RP569 - ComboFix created restore point


-- First Restore Point -- 
1: 2007-11-24 02:32:56 UTC - RP473 - System Checkpoint


Backed up registry hives.
Performed disk cleanup.



-- HijackThis (run as Dylan.exe) -----------------------------------------------

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 10:53:04 AM, on 2/21/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\wltrysvc.exe
C:\WINDOWS\System32\bcmwltry.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\system32\svchost.exe
C:\Program Files\TightVNC\WinVNC.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\PROGRA~1\Yahoo!\MESSEN~1\YAHOOM~1.EXE
C:\Program Files\MSN Messenger\MsnMsgr.Exe
C:\Program Files\AIM6\aim6.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\AIM6\aolsoftware.exe
C:\Program Files\MSN Messenger\usnsvc.exe
C:\WINDOWS\system32\WISPTIS.EXE
C:\Program Files\Cisco Systems\VPN Client\vpngui.exe
C:\Program Files\MSN Messenger\livecall.exe
C:\Documents and Settings\Dylan\Desktop\dss.exe
C:\PROGRA~1\TRENDM~1\HIJACK~1\Dylan.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoomail.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://us.rd.yahoo.com/customize/ie/defaults/su/msgr8/*http://www.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.com/customize/ie/defaults/sb/msgr8/*http://www.yahoo.com/ext/search/search.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://us.rd.yahoo.com/customize/ie/defaults/sp/msgr8/*http://www.yahoo.com
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://us.rd.yahoo.com/customize/ie/defaults/su/msgr8/*http://www.yahoo.com
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\PROGRA~1\Yahoo!\MESSEN~1\YAHOOM~1.EXE" -quiet
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [Aim6] "C:\Program Files\AIM6\aim6.exe" /d locale=en-US ee://aol/imApp
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'Default user')
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\npjpi160_01.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\npjpi160_01.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll
O16 - DPF: {2B96D5CC-C5B5-49A5-A69D-CC0A30F9028C} - http://wdownload.weatherbug.com/minibug/tricklers/AWS/MiniBugTransporter.cab?
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
O16 - DPF: {3BFFE033-BF43-11D5-A271-00A024A51325} (iNotes6 Class) - http://hcmail1.co.hennepin.mn.us/iNotes6W.cab
O16 - DPF: {5F8469B4-B055-49DD-83F7-62B522420ECC} (Facebook Photo Uploader Control) - http://upload.facebook.com/controls/FacebookPhotoUploader.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1181780980500
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/MsnMessengerSetupDownloader.cab
O16 - DPF: {C4925E65-7A1E-11D2-8BB4-00A0C9CC72C3} - http://a532.g.akamai.net/f/532/6712/4h/player.virtools.com/downloads/player/Install3.0/Installer.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: Cisco Systems, Inc. VPN Service (CVPND) - Cisco Systems, Inc. - C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Unknown owner - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe (file missing)
O23 - Service: VNC Server (winvnc) - Constantin Kaplinsky - C:\Program Files\TightVNC\WinVNC.exe
O23 - Service: Broadcom Wireless LAN Tray Service (wltrysvc) - Unknown owner - C:\WINDOWS\System32\wltrysvc.exe

--
End of file - 5722 bytes

-- HijackThis Fixed Entries (C:\PROGRA~1\TRENDM~1\HIJACK~1\backups\) -----------

backup-20080220-022140-115 O16 - DPF: {85D1F3B2-2A21-11D7-97B9-0010DC2A6243} (SecureLogin class) - http://secure2.comned.com/signuptemplates/securelogin-devel.cab
backup-20080220-022140-197 R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
backup-20080220-022140-883 O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exe

-- File Associations -----------------------------------------------------------

All associations okay.


-- Drivers: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled ---------------------

R1 HekkoVirtualCD (Hekko Virtual CD Driver) - c:\windows\system32\drivers\hvcd.sys <Not Verified; Circle of One Software; Hekko Virtual CD>
R2 AegisP (AEGIS Protocol (IEEE 802.1x) v3.2.0.3) - c:\windows\system32\drivers\aegisp.sys <Not Verified; Meetinghouse Data Communications; AEGIS Client 3.2.0.3>
R2 MDC8021X (AEGIS Protocol (IEEE 802.1x) v2.3.1.9) - c:\windows\system32\drivers\mdc8021x.sys <Not Verified; Meetinghouse Data Communications; AEGIS Client 2.3.1.9>
R2 X4HSX32 - c:\program files\exetender\x4hsx32.sys <Not Verified; Exent Technologies Ltd.; Exent EXETender® for Win2K>

S3 catchme - c:\docume~1\dylan\locals~1\temp\catchme.sys (file missing)
S3 cisaspi0 (Cistone ASPI Driver) - c:\windows\system32\drivers\cisaspi0.sys (file missing)
S3 EMCFILT (Alcor Micro Corp for Emachine- 9361) - c:\windows\system32\drivers\emcfilt.sys <Not Verified; Alcor Micro Corp.; emcfilt>
S3 Pcouffin (Low level access layer for CD devices) - c:\windows\system32\drivers\pcouffin.sys (file missing)
S3 SDTHOOK - c:\windows\system32\drivers\sdthook.sys <Not Verified; Panda Software; Panda® Antivirus>


-- Services: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled --------------------

R2 winvnc (VNC Server) - "c:\program files\tightvnc\winvnc.exe" -service <Not Verified; Constantin Kaplinsky; TightVNC Win32 Server>

S3 IDriverT (InstallDriver Table Manager) - "c:\program files\common files\installshield\driver\11\intel 32\idrivert.exe" (file missing)
S4 Viewpoint Manager Service - "c:\program files\viewpoint\common\viewpointservice.exe" <Not Verified; Viewpoint Corporation; Viewpoint Manager>


-- Device Manager: Disabled ----------------------------------------------------

Class GUID: {4D36E972-E325-11CE-BFC1-08002BE10318}
Description: Marvell Yukon 88E8036 PCI-E Fast Ethernet Controller
Device ID: PCI\VEN_11AB&DEV_4351&SUBSYS_0506107B&REV_10\4&2EA2911C&0&0030
Manufacturer: Marvell
Name: Marvell Yukon 88E8036 PCI-E Fast Ethernet Controller
PNP Device ID: PCI\VEN_11AB&DEV_4351&SUBSYS_0506107B&REV_10\4&2EA2911C&0&0030
Service: yukonwxp

Class GUID: {4D36E972-E325-11CE-BFC1-08002BE10318}
Description: 1394 Net Adapter
Device ID: V1394\NIC1394\5000CE5F32521
Manufacturer: Microsoft
Name: 1394 Net Adapter #2
PNP Device ID: V1394\NIC1394\5000CE5F32521
Service: NIC1394

Class GUID: {4D36E97E-E325-11CE-BFC1-08002BE10318}
Description: PCI Modem
Device ID: PCI\VEN_1002&DEV_4378&SUBSYS_0506107B&REV_02\3&13C0B0C5&0&A6
Manufacturer: 
Name: PCI Modem
PNP Device ID: PCI\VEN_1002&DEV_4378&SUBSYS_0506107B&REV_02\3&13C0B0C5&0&A6
Service: 

Class GUID: {4D36E972-E325-11CE-BFC1-08002BE10318}
Description: Cisco Systems VPN Adapter
Device ID: ROOT\NET\0000
Manufacturer: Cisco Systems
Name: Cisco Systems VPN Adapter
PNP Device ID: ROOT\NET\0000
Service: CVirtA


-- Files created between 2008-01-21 and 2008-02-21 -----------------------------

2008-02-20 10:11:49        99 --a------ C:\uninstall.bat
2008-02-19 10:44:57         0 d-------- C:\WINDOWS\ERUNT
2008-02-19 01:10:44         0 d-------- C:\Program Files\Trend Micro
2008-02-19 00:51:01     68096 --a------ C:\WINDOWS\system32\zip.exe
2008-02-19 00:51:01     98816 --a------ C:\WINDOWS\system32\sed.exe
2008-02-19 00:51:01     80412 --a------ C:\WINDOWS\system32\grep.exe
2008-02-19 00:51:01     73728 --a------ C:\WINDOWS\system32\fdsv.exe <Not Verified; Smallfrogs Studio; >
2008-02-18 23:04:09     44928 --a------ C:\WINDOWS\system32\drivers\SDTHOOK.SYS <Not Verified; Panda Software; Panda® Antivirus>
2008-02-18 23:03:37      8576 --a------ C:\WINDOWS\system32\drivers\qbphsfchiqga.sys <Not Verified; Panda Software International; RKPavProc Driver>
2008-02-18 22:53:01         0 d-------- C:\WINDOWS\system32\ActiveScan
2008-02-18 19:24:02         0 dr-h----- C:\Documents and Settings\Dylan\Recent
2008-02-16 10:01:14         0 d-------- C:\Westwood
2008-02-13 22:27:10         0 d-------- C:\Documents and Settings\All Users\Application Data\NCH Swift Sound
2008-02-13 22:25:49         0 d-------- C:\Documents and Settings\All Users\Application Data\NCH Software
2008-02-13 22:25:32         0 d-------- C:\Documents and Settings\Dylan\Application Data\NCH Software
2008-01-26 18:24:15         0 d-------- C:\Program Files\CCleaner
2008-01-24 15:01:29         0 d-------- C:\AirlineStudentHistory
2008-01-24 15:01:21         0 d-------- C:\AirlineHistory
2008-01-24 15:01:11         0 d-------- C:\Airline


-- Find3M Report ---------------------------------------------------------------

2008-02-18 23:52:59         0 d-------- C:\Program Files\MSN Messenger
2008-02-18 23:40:10         0 d-------- C:\Program Files\AIM6
2008-02-18 19:30:15         0 d-------- C:\Documents and Settings\Dylan\Application Data\AVG7
2008-02-18 19:19:47       984 --a------ C:\WINDOWS\eReg.dat
2008-02-18 19:17:22         0 d--h----- C:\Program Files\InstallShield Installation Information
2008-02-18 18:58:11         0 d-------- C:\Program Files\Maxis
2008-02-17 12:13:31         0 d-------- C:\Program Files\Viewpoint
2008-02-15 01:25:20         0 d-------- C:\Documents and Settings\Dylan\Application Data\U3
2008-02-14 22:29:16         0 d-------- C:\Documents and Settings\Dylan\Application Data\BitTorrent
2008-02-13 22:25:32         0 d-------- C:\Program Files\NCH Software
2008-02-12 13:58:08     43520 --a------ C:\WINDOWS\system32\CmdLineExt03.dll
2008-02-12 13:00:42         0 d-------- C:\Program Files\Diablo II
2008-01-31 13:17:04         0 d-------- C:\Documents and Settings\Dylan\Application Data\Adobe
2008-01-30 23:54:15         0 d-------- C:\Documents and Settings\Dylan\Application Data\WeatherBug
2008-01-22 00:03:00         0 d-------- C:\Program Files\Hero Editor
2008-01-22 00:02:03     73216 --a------ C:\WINDOWS\ST6UNST.EXE <Not Verified; Microsoft Corporation; Microsoft® Visual Basic for Windows>
2008-01-21 23:51:12     37076 --a------ C:\WINDOWS\DIIUnin.dat
2008-01-20 11:20:12       552 --a------ C:\WINDOWS\system32\d3d8caps.dat
2008-01-19 09:28:13       664 --a------ C:\WINDOWS\system32\d3d9caps.dat
2008-01-19 08:52:23         0 d-------- C:\Program Files\EA GAMES
2008-01-19 08:48:21         0 d-------- C:\Program Files\Common Files\InstallShield
2007-12-21 13:11:02         0 d-------- C:\Program Files\WON
2007-12-21 12:53:51     34410 --a------ C:\WINDOWS\scunin.dat
2007-12-21 12:53:51         0 d-------- C:\Program Files\Starcraft
2007-12-21 12:53:45       967 --a------ C:\WINDOWS\ScUnin.pif
2007-12-21 12:53:45     94208 --a------ C:\WINDOWS\ScUnin.exe <Not Verified; Blizzard Entertainment; Starcraft Uninstaller>
2007-12-21 00:22:34         0 d-------- C:\Program Files\Common Files\Nero
2007-12-01 22:57:31     52338 --a------ C:\WINDOWS\system32\RadLightOggUninstall.exe <Not Verified; RadLight, LLC.; RadLight Ogg Media DirectShow filters>
2007-11-27 19:18:03      1025 --a------ C:\WINDOWS\system32\sysprs7.dll
2007-11-27 13:44:49      1024 --a------ C:\WINDOWS\system32\clauth2.dll
2007-11-27 13:44:49      1024 --a------ C:\WINDOWS\system32\clauth1.dll
2007-11-23 23:19:57    169984 --a------ C:\WINDOWS\system32\P2D.DLL <Not Verified; Microsoft Corporation; Microsoft® HTML Layout Support Module>
2007-11-23 23:19:57     28672 --a------ C:\WINDOWS\system32\HLP95EN.DLL <Not Verified; Microsoft Corporation; Microsoft Office>
2007-11-23 23:19:57     57344 --a------ C:\WINDOWS\system32\COMMTB32.DLL <Not Verified; Microsoft Corporation; Microsoft Button Editor>
2007-11-23 23:19:57    161552 --a------ C:\WINDOWS\system32\ASYCPICT.DLL <Not Verified; Microsoft Corporation; Microsoft® Forms>


-- Registry Dump ---------------------------------------------------------------

*Note* empty entries & legit default entries are not shown


[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SynTPEnh"="C:\Program Files\Synaptics\SynTP\SynTPEnh.exe" [05/19/2006 01:51 PM]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Yahoo! Pager"="C:\PROGRA~1\Yahoo!\MESSEN~1\YAHOOM~1.exe" [11/30/2006 09:49 PM]
"MsnMsgr"="C:\Program Files\MSN Messenger\MsnMsgr.exe" [01/19/2007 12:54 PM]
"Aim6"="C:\Program Files\AIM6\aim6.exe" [01/03/2008 10:15 AM]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [08/04/2004 06:00 AM]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Adobe Reader Speed Launch.lnk
backup=C:\WINDOWS\pss\Adobe Reader Speed Launch.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Cisco Systems VPN Client.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Cisco Systems VPN Client.lnk
backup=C:\WINDOWS\pss\Cisco Systems VPN Client.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^Dylan^Start Menu^Programs^Startup^Qwest QuickNetworking.lnk]
path=C:\Documents and Settings\Dylan\Start Menu\Programs\Startup\Qwest QuickNetworking.lnk
backup=C:\WINDOWS\pss\Qwest QuickNetworking.lnkStartup


[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Photo Downloader]
"C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Aim6]
"C:\Program Files\Common Files\AOL\Launch\AOLLaunch.exe" /d locale=en-US ee://aol/imApp

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ATIPTA]
"C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AVG7_CC]
C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BitTorrent]
"C:\Program Files\BitTorrent\bittorrent.exe" --force_start_minimized

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Broadcom Wireless Manager UI]
C:\WINDOWS\system32\WLTRAY

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\CircleVirtualCD]
C:\Program Files\Circle\VirtualCD\HvcdUI.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IndxStoreSvr_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}]
"C:\Program Files\Common Files\Nero\Lib\NMIndexStoreSvr.exe" ASO-616B5711-6DAE-4795-A05F-39A1E5104020

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IPHSend]
C:\Program Files\Common Files\AOL\IPHSend\IPHSend.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ISUSPM Startup]
C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe -startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ISUSScheduler]
"C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\KernelFaultCheck]
%systemroot%\system32\dumprep 0 -k

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NBKeyScan]
"C:\Program Files\Nero\Nero8\Nero BackItUp\NBKeyScan.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PD0630 STISvc]
RunDLL32.exe P0630Pin.dll,RunDLL32EP 513

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PRISMSVR.EXE]
"C:\WINDOWS\system32\PRISMSVR.EXE" /APPLY

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\StartUp]
C:\WINDOWS\trayicons.exe /optimize speed

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunKist]
C:\Program Files\Digital Media Reader\shwicon2k.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SynTPLpr]
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ViewMgr]
C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Weather]
C:\Program Files\AWS\WeatherBug\Weather.exe 1

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WinVNC]
"C:\Program Files\TightVNC\WinVNC.exe" -servicehelper


[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\D]
AutoRun\command- D:\Start.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{09f90cc2-832b-11da-a8db-806d6172696f}]
AutoRun\command- D:\Start.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{8da80ab2-afd1-11db-a9b4-000ae4f3f14f}]
AutoRun\command- E:\LaunchU3.exe -a

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{f1f21ac5-9354-11da-a8f4-00032532c61c}]
AutoRun\command- E:\JDSecure\Windows\JDSecure31.exe

*Newly Created Service* - VSDATANT



-- End of Deckard's System Scanner: finished at 2008-02-21 10:53:42 ------------
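For anyone reading a log like the one above, the entries worth a second look are usually the same few classes: O4 startup items launched from user-writable folders, O10 Winsock LSP entries HijackThis cannot identify, O16 ActiveX downloads, and O23 services with an unknown publisher or a missing binary. The triage script below is an added example written for this thread; it is not part of HijackThis, DSS or any helper's instructions. The sample log lines it parses are constructed to mirror the format shown above (the `updater.exe` path and the `example.invalid` URL are made up), and the "user-writable location" rule is a heuristic, not a verdict:

```python
"""Triage helper for HijackThis-style log lines (constructed example, not HijackThis code)."""
import re
from dataclasses import dataclass
from urllib.parse import urlparse

# Constructed sample modelled on the HijackThis layout seen in this thread.
# The updater.exe path and the example.invalid URL are invented for the demo.
SAMPLE_LOG = r"""
Logfile of Trend Micro HijackThis v2.0.2
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [updater] C:\Documents and Settings\User\Application Data\updater.exe
O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll
O16 - DPF: {2B96D5CC-C5B5-49A5-A69D-CC0A30F9028C} - http://example.invalid/minibug.cab?
O23 - Service: InstallDriver Table Manager (IDriverT) - Unknown owner - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe (file missing)
O23 - Service: VNC Server (winvnc) - Constantin Kaplinsky - C:\Program Files\TightVNC\WinVNC.exe
"""


@dataclass
class Finding:
    section: str   # HijackThis section code, e.g. "O4" or "O23"
    reason: str    # why the line deserves a closer look
    line: str      # the original log line, unchanged


ENTRY_RE = re.compile(r"^([ORFN]\d+) - (.*)$")
O4_RE = re.compile(r"^(.*?)\\\.\.\\Run: \[([^\]]+)\] (.*)$")
O16_RE = re.compile(r"^DPF: (\{[0-9A-Fa-f-]+\})(?: \(([^)]+)\))? - (.*)$")
O23_RE = re.compile(r"^Service: (.*?) - (.*?) - (.*)$")

# Heuristic: legitimate startup items almost always live under Program Files or
# the Windows directory; anything launched from a per-user or temp folder is
# worth asking about. This is a prompt for review, not proof of malware.
USER_WRITABLE_HINTS = (
    "\\documents and settings\\", "\\application data\\",
    "\\local settings\\", "\\temp\\",
)


def _o4_finding(body, line):
    m = O4_RE.match(body)
    if not m:
        return Finding("O4", "startup entry in an unexpected layout", line)
    _hive, name, command = m.groups()
    if any(hint in command.lower() for hint in USER_WRITABLE_HINTS):
        return Finding("O4", f"startup item '{name}' runs from a user-writable location", line)
    return None


def _o16_finding(body, line):
    m = O16_RE.match(body)
    if not m:
        return Finding("O16", "ActiveX (DPF) entry in an unexpected layout", line)
    _clsid, class_name, source = m.groups()
    host = urlparse(source).netloc if source.lower().startswith("http") else "local file"
    suffix = "" if class_name else " (no class name)"
    return Finding("O16", f"ActiveX control fetched from {host}{suffix}", line)


def _o23_finding(body, line):
    m = O23_RE.match(body)
    if not m:
        return Finding("O23", "service entry in an unexpected layout", line)
    name, owner, path = m.groups()
    reasons = []
    if owner == "Unknown owner":
        reasons.append(f"service '{name}' has no recognised publisher (Unknown owner)")
    if path.endswith("(file missing)"):
        reasons.append(f"service '{name}' points to a binary that is not on disk (file missing)")
    return Finding("O23", "; ".join(reasons), line) if reasons else None


def triage(log_text):
    """Return the log lines a reviewer should look at, with a one-line reason each."""
    findings = []
    for raw in log_text.splitlines():
        line = raw.strip()
        m = ENTRY_RE.match(line)
        if not m:
            continue  # header lines, process lists and blank lines are skipped
        section, body = m.groups()
        if section == "O4":
            finding = _o4_finding(body, line)
        elif section == "O10":
            finding = Finding("O10", "Winsock LSP entry that HijackThis could not identify", line)
        elif section == "O16":
            finding = _o16_finding(body, line)
        elif section == "O23":
            finding = _o23_finding(body, line)
        else:
            finding = None
        if finding:
            findings.append(finding)
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"[{f.section}] {f.reason}\n    {f.line}")
```

Run against the constructed sample it reports four lines: the per-user `updater` startup item, the unidentified LSP, the ActiveX download from `example.invalid`, and the `IDriverT` service with both an unknown owner and a missing binary; the Synaptics, ctfmon and TightVNC entries pass quietly. On a real log the O4 rule in particular needs human judgement, since legitimate per-user installers also drop binaries under Application Data.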


----------



## bison8125

*Extra.txt*

Deckard's System Scanner v20071014.68
Extra logfile - please post this as an attachment with your post.
--------------------------------------------------------------------------------

-- System Information ----------------------------------------------------------

Microsoft Windows XP Professional (build 2600) SP 2.0
Architecture: X86; Language: English

CPU 0: Mobile AMD Athlon(tm) 64 Processor 4000+
Percentage of Memory in Use: 57%
Physical Memory (total/avail): 1022.11 MiB / 432.02 MiB
Pagefile Memory (total/avail): 2460.23 MiB / 2059.77 MiB
Virtual Memory (total/avail): 2047.88 MiB / 1930.01 MiB

C: is Fixed (NTFS) - 93.15 GiB total, 22.05 GiB free. 
D: is CDROM (CDFS)
Z: is CDROM (No Media)

\\.\PHYSICALDRIVE0 - FUJITSU MHV2100AT PL - 93.16 GiB - 1 partition
  \PARTITION0 (bootable) - Installable File System - 93.15 GiB - C:



-- Security Center -------------------------------------------------------------

AUOptions is set to notify before download.
Windows Internal Firewall is disabled.

FirstRunDisabled is set.
AntivirusOverride is set.
FirewallOverride is set.

AV: AVG 7.5.486 v7.5.486 (GRISOFT) Disabled Outdated

[HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List]

[HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]


-- Environment Variables -------------------------------------------------------

ALLUSERSPROFILE=C:\Documents and Settings\All Users
APPDATA=C:\Documents and Settings\Dylan\Application Data
CLASSPATH=.;C:\Program Files\Java\jre1.5.0_06\lib\ext\QTJava.zip
CLIENTNAME=Console
CommonProgramFiles=C:\Program Files\Common Files
COMPUTERNAME=NDSU-BAEC1AE553
ComSpec=C:\WINDOWS\system32\cmd.exe
FP_NO_HOST_CHECK=NO
HOMEDRIVE=C:
HOMEPATH=\Documents and Settings\Dylan
LOGONSERVER=\\NDSU-BAEC1AE553
NUMBER_OF_PROCESSORS=1
OS=Windows_NT
Path=C:\WINDOWS\system32;C:\WINDOWS;C:\WINDOWS\system32\wbem;C:\Program Files\QuickTime\QTSystem;C:\Program Files\ATI Technologies\ATI Control Panel
PATHEXT=.COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH
PROCESSOR_ARCHITECTURE=x86
PROCESSOR_IDENTIFIER=x86 Family 15 Model 36 Stepping 2, AuthenticAMD
PROCESSOR_LEVEL=15
PROCESSOR_REVISION=2402
ProgramFiles=C:\Program Files
PROMPT=$P$G
QTJAVA=C:\Program Files\Java\jre1.5.0_06\lib\ext\QTJava.zip
SESSIONNAME=Console
SystemDrive=C:
SystemRoot=C:\WINDOWS
TEMP=C:\DOCUME~1\Dylan\LOCALS~1\Temp
TMP=C:\DOCUME~1\Dylan\LOCALS~1\Temp
USERDOMAIN=NDSU-BAEC1AE553
USERNAME=Dylan
USERPROFILE=C:\Documents and Settings\Dylan
windir=C:\WINDOWS


-- User Profiles ---------------------------------------------------------------

Dylan _(admin)_
Administrator _(admin)_


-- Add/Remove Programs ---------------------------------------------------------

BitTorrent 6.0 --> C:\Program Files\BitTorrent\uninst.exe
HijackThis 2.0.2 --> "C:\Program Files\Trend Micro\HijackThis\HijackThis.exe" /uninstall


-- Application Event Log -------------------------------------------------------

Event Record #/Type18547 / Success
Event Submitted/Written: 02/20/2008 02:23:57 AM
Event ID/Source: 12001 / usnjsvc
Event Description:
The Messenger Sharing USN Journal Reader service started successfully.

Event Record #/Type18530 / Success
Event Submitted/Written: 02/20/2008 02:05:39 AM
Event ID/Source: 12001 / usnjsvc
Event Description:
The Messenger Sharing USN Journal Reader service started successfully.

Event Record #/Type18523 / Success
Event Submitted/Written: 02/20/2008 00:52:09 AM
Event ID/Source: 12001 / usnjsvc
Event Description:
The Messenger Sharing USN Journal Reader service started successfully.

Event Record #/Type18509 / Success
Event Submitted/Written: 02/19/2008 00:07:54 PM
Event ID/Source: 12001 / usnjsvc
Event Description:
The Messenger Sharing USN Journal Reader service started successfully.

Event Record #/Type18508 / Success
Event Submitted/Written: 02/19/2008 00:07:45 PM
Event ID/Source: 12001 / usnjsvc
Event Description:
The Messenger Sharing USN Journal Reader service started successfully.



-- Security Event Log ----------------------------------------------------------

No Errors/Warnings found.


-- System Event Log ------------------------------------------------------------

Event Record #/Type54961 / Warning
Event Submitted/Written: 02/21/2008 05:55:24 AM
Event ID/Source: 36 / W32Time
Event Description:
The time service has not been able to synchronize the system time
for 49152 seconds because none of the time providers has been able to
provide a usable time stamp. The system clock is unsynchronized.

Event Record #/Type54957 / Error
Event Submitted/Written: 02/20/2008 06:45:29 PM
Event ID/Source: 7 / Cdrom
Event Description:
The device, \Device\CdRom0, has a bad block.

Event Record #/Type54949 / Warning
Event Submitted/Written: 02/20/2008 04:10:14 PM
Event ID/Source: 2504 / Server
Event Description:
The server could not bind to the transport \Device\NetBT_Tcpip_{6F80AA49-7202-4FE8-99AA-07F3A8F133C7}.

Event Record #/Type54948 / Warning
Event Submitted/Written: 02/20/2008 04:10:05 PM
Event ID/Source: 1007 / Dhcp
Event Description:
Your computer has automatically configured the IP address for the Network
Card with network address 0014A5423B40.  The IP address being used is 169.254.10.189.

Event Record #/Type54943 / Warning
Event Submitted/Written: 02/20/2008 04:10:02 PM
Event ID/Source: 1003 / Dhcp
Event Description:
Your computer was not able to renew its address from the network (from the
DHCP Server) for the Network Card with network address 0014A5423B40.  The following
error occurred: 
%%121.
Your computer will continue to try and obtain an address on its own from
the network address (DHCP) server.



-- End of Deckard's System Scanner: finished at 2008-02-21 10:53:42 ------------


----------



## bison8125

*Update*

Ok, I'm not sure if you need to know this information, but let me tell you a little more about my computer.  I live on a college campus (meaning I have to go through an existing network from the ITS department).  I do not have any virus scanner/adware scanner that constantly runs (I run them about every week).  There is no real-time scanner etc...  If you want to know anything else about my computer, just ask (I'm assuming those reports told you my hardware etc...).


----------



## ceewi1

I notice you have AVG installed on your computer, is it possible to enable the real-time scanning feature of it?  Real-time antivirus protection is an important element of PC security.

With regards to the uninstall problem, it looks like that registry key has been damaged.  I suspect the damage predates the removal steps we've taken here, but I would like to confirm that.  Please download MiTeC Windows Registry File Viewer and extract *RFV.exe* to your Desktop.

Please run RFV.exe and choose *File* -> *Open*.  Open up *C:\Windows\erdnt\Hiv-backup\software*.

Click on *File* -> *Export to REGEDIT4 format*.  You will be asked to "Enter the key prefix or root key for export".  Enter the contents of the codebox below:


```
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall
```


Tick the *Only selected key* box and click OK.  Save the file to your Desktop and attach or post the contents here.


----------



## bison8125

*Registry Error*

I run the program and open up the software file, but when I try to export, it gives me the error "No key selected".  Do I need to select one of those files in the left column (I won't get an error if I select one)?


----------



## ceewi1

My apologies, yes.  Before clicking on the Export button, please do the following:

Click on the + next to *Microsoft* to expand that key
Click on the + next to *Windows* to expand that key
Click on the + next to *CurrentVersion* to expand that key
Click on *Uninstall* to select that key.

Then proceed with *File -> Export* as before.


----------



## bison8125

*software_Unistall File*

This should be what you're looking for.  (I had to zip it in order to attach it on here, let me know if it doesn't work).


----------



## ceewi1

That's it, but unfortunately it just confirms what I suspected.  The key was corrupted before we started working on these fixes, which means that the backups that have been made through the repair process are no help.  The only other possibility is to recover the missing registry entries from an old System Restore point.  Do you remember when the list was last displaying correctly?


----------



## bison8125

*System Restore Point*

Not specifically (I would guess around a month), but I have System Restore automatically create restore points every week I think, so I can just keep going back until I find one that works. Should I do that?


----------



## bison8125

*System Restore Point*

Ok, so I found a system restore point last week (before I started posting on this site), that I know was a time the Add/Remove Software was working (because I uninstalled a video game that day).  So I did a System Restore, and it worked, I can see the entire list of programs (in Add/Remove Software).  Since you mentioned that doing a system restore will wipe the stuff we did, I'm going to run ComboFix and HijackThis, and post the logs for you.


----------



## bison8125

*ComboFix Log*

ComboFix 08-02-25.3 - Dylan 2008-02-25 10:21:31.2 - NTFSx86
Microsoft Windows XP Professional  5.1.2600.2.1252.1.1033.18.595 [GMT -6:00]
Running from: C:\Documents and Settings\Dylan\Desktop\ComboFix.exe

*WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!*
.

(((((((((((((((((((((((((   Files Created from 2008-01-25 to 2008-02-25  )))))))))))))))))))))))))))))))
.

2008-02-21 10:51 . 2008-02-21 10:51	<DIR>	d--------	C:\Deckard
2008-02-19 10:44 . 2008-02-19 10:45	<DIR>	d--------	C:\WINDOWS\ERUNT
2008-02-19 10:37 . 2008-02-25 09:22	<DIR>	d--------	C:\SDFix
2008-02-19 01:10 . 2008-02-19 01:10	<DIR>	d--------	C:\Program Files\Trend Micro
2008-02-18 22:53 . 2008-02-25 09:22	<DIR>	d--------	C:\WINDOWS\system32\ActiveScan
2008-02-16 10:01 . 2008-02-18 02:11	<DIR>	d--------	C:\Westwood
2008-02-14 14:44 . 2008-02-21 15:15	10,691	--a------	C:\AirlineHistory.zip
2008-02-13 22:27 . 2008-02-13 22:27	<DIR>	d--------	C:\Documents and Settings\All Users\Application Data\NCH Swift Sound
2008-02-13 22:25 . 2008-02-13 22:25	<DIR>	d--------	C:\Documents and Settings\Dylan\Application Data\NCH Software
2008-02-13 22:25 . 2008-02-13 22:25	<DIR>	d--------	C:\Documents and Settings\All Users\Application Data\NCH Software
2008-01-26 18:24 . 2008-01-26 18:24	<DIR>	d--------	C:\Program Files\CCleaner

.
((((((((((((((((((((((((((((((((((((((((   Find3M Report   ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-02-25 16:19	---------	d-----w	C:\Program Files\Viewpoint
2008-02-25 16:19	---------	d-----w	C:\Documents and Settings\Dylan\Application Data\Viewpoint
2008-02-25 16:19	---------	d-----w	C:\Documents and Settings\All Users\Application Data\Viewpoint
2008-02-25 15:21	---------	d-----w	C:\Program Files\Outspark
2008-02-22 16:33	---------	d-----w	C:\Documents and Settings\All Users\Application Data\Outspark
2008-02-19 05:52	---------	d-----w	C:\Program Files\MSN Messenger
2008-02-19 05:40	---------	d-----w	C:\Program Files\AIM6
2008-02-19 01:30	---------	d-----w	C:\Documents and Settings\Dylan\Application Data\AVG7
2008-02-19 01:17	---------	d--h--w	C:\Program Files\InstallShield Installation Information
2008-02-19 00:58	---------	d-----w	C:\Program Files\Maxis
2008-02-17 18:12	---------	d-----w	C:\Documents and Settings\All Users\Application Data\AOL
2008-02-16 15:09	---------	d-----w	C:\Documents and Settings\All Users\Application Data\AOL Downloads
2008-02-15 07:25	---------	d-----w	C:\Documents and Settings\Dylan\Application Data\U3
2008-02-15 04:29	---------	d-----w	C:\Documents and Settings\Dylan\Application Data\BitTorrent
2008-02-14 04:25	---------	d-----w	C:\Program Files\NCH Software
2008-02-12 19:58	43,520	----a-w	C:\WINDOWS\system32\CmdLineExt03.dll
2008-02-12 19:00	---------	d-----w	C:\Program Files\Diablo II
2008-01-31 05:54	---------	d-----w	C:\Documents and Settings\Dylan\Application Data\WeatherBug
2008-01-22 06:03	---------	d-----w	C:\Program Files\Hero Editor
2008-01-22 06:02	73,216	----a-w	C:\WINDOWS\ST6UNST.EXE
2008-01-22 06:02	249,856	------w	C:\WINDOWS\Setup1.exe
2008-01-19 14:52	---------	d-----w	C:\Program Files\EA GAMES
2008-01-19 14:48	---------	d-----w	C:\Program Files\Common Files\InstallShield
2007-12-21 18:53	94,208	----a-w	C:\WINDOWS\ScUnin.exe
2007-12-07 00:44	666,112	----a-w	C:\WINDOWS\system32\wininet.dll
2007-12-04 18:38	550,912	----a-w	C:\WINDOWS\system32\oleaut32.dll
2006-11-11 12:16	1,740	----a-w	C:\Documents and Settings\Dylan\HISCORES.DAT
1997-05-13 23:26	3,206,344	----a-w	C:\Documents and Settings\Dylan\HOSPPAT.EXE
1994-06-01 03:00	265,396	----a-w	C:\Documents and Settings\Dylan\DOS4GW.EXE
.

(((((((((((((((((((((((((((((((((((((   Reg Loading Points   ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown 
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Yahoo! Pager"="C:\PROGRA~1\Yahoo!\MESSEN~1\YAHOOM~1.exe" [2006-11-30 21:49 4662776]
"MsnMsgr"="C:\Program Files\MSN Messenger\MsnMsgr.exe" [2007-01-19 12:54 5674352]
"Aim6"="C:\Program Files\AIM6\aim6.exe" [2008-01-03 10:15 50528]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 06:00 15360]
"Freebie Notes"="C:\Program Files\Power Soft\Freebie Notes\FreebieNotes.exe" [2006-05-23 22:05 982016]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SynTPEnh"="C:\Program Files\Synaptics\SynTP\SynTPEnh.exe" [2006-05-19 13:51 774233]
"TkBellExe"="C:\Program Files\Common Files\Real\Update_OB\realsched.exe" [2006-09-17 21:21 185784]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"AVG7_Run"="C:\PROGRA~1\Grisoft\AVG7\avgw.exe" [2007-06-23 21:39 145920]

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Adobe Reader Speed Launch.lnk
backup=C:\WINDOWS\pss\Adobe Reader Speed Launch.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Cisco Systems VPN Client.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Cisco Systems VPN Client.lnk
backup=C:\WINDOWS\pss\Cisco Systems VPN Client.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^Dylan^Start Menu^Programs^Startup^Qwest QuickNetworking.lnk]
path=C:\Documents and Settings\Dylan\Start Menu\Programs\Startup\Qwest QuickNetworking.lnk
backup=C:\WINDOWS\pss\Qwest QuickNetworking.lnkStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Photo Downloader]
--a------ 2005-06-06 23:46 57344 C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Aim6]
C:\Program Files\Common Files\AOL\Launch\AOLLaunch.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ATIPTA]
--a------ 2005-06-28 20:05 344064 C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AVG7_CC]
--a------ 2007-06-23 21:39 416256 C:\PROGRA~1\Grisoft\AVG7\avgcc.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BitTorrent]
--a------ 2007-11-15 18:14 588080 C:\Program Files\BitTorrent\bittorrent.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Broadcom Wireless Manager UI]
C:\WINDOWS\system32\WLTRAY

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\CircleVirtualCD]
--a------ 2003-07-14 11:15 61440 C:\Program Files\Circle\VirtualCD\HvcdUI.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IndxStoreSvr_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}]
C:\Program Files\Common Files\Nero\Lib\NMIndexStoreSvr.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IPHSend]
C:\Program Files\Common Files\AOL\IPHSend\IPHSend.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ISUSPM Startup]
C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ISUSScheduler]
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\KernelFaultCheck]
C:\WINDOWS\system32\dumprep 0 -k

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NBKeyScan]
C:\Program Files\Nero\Nero8\Nero BackItUp\NBKeyScan.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PD0630 STISvc]
-ra------ 2005-06-05 11:01 36864 C:\WINDOWS\system32\P0630Pin.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PRISMSVR.EXE]
C:\WINDOWS\system32\PRISMSVR.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\StartUp]
C:\WINDOWS\trayicons.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunKist]
C:\Program Files\Digital Media Reader\shwicon2k.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SynTPLpr]
--a------ 2006-05-19 13:52 86105 C:\Program Files\Synaptics\SynTP\SynTPLpr.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ViewMgr]
C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Weather]
--a------ 2006-04-07 14:02 1343488 C:\Program Files\AWS\WeatherBug\Weather.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WinVNC]
--a------ 2003-08-01 18:28 474624 C:\Program Files\TightVNC\WinVNC.exe

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"C:\\WINDOWS\\system32\\sessmgr.exe"=
"C:\\Program Files\\Yahoo!\\Messenger\\YServer.exe"=
"C:\\Program Files\\Internet Explorer\\IEXPLORE.EXE"=
"C:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"=
"C:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=
"C:\\Program Files\\Microsoft Games\\Rise of Nations\\thrones.exe"=
"C:\\Program Files\\MSN Messenger\\msnmsgr.exe"=
"C:\\Program Files\\MSN Messenger\\livecall.exe"=
"C:\\Program Files\\BitTorrent\\bittorrent.exe"=
"C:\\Program Files\\Grisoft\\AVG7\\avginet.exe"=
"C:\\Program Files\\Grisoft\\AVG7\\avgamsvr.exe"=
"C:\\Program Files\\Grisoft\\AVG7\\avgcc.exe"=
"C:\\Program Files\\LimeWire\\LimeWire.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3389:TCP"= 3389:TCP:*isabledxpsp2res.dll,-22009

R1 HekkoVirtualCD;Hekko Virtual CD Driver;C:\WINDOWS\system32\Drivers\hvcd.sys [2003-07-14 10:46]
R2 X4HSX32;X4HSX32;C:\Program Files\EXEtender\X4HSX32.Sys [2005-05-31 18:26]
S3 cisaspi0;Cistone ASPI Driver;C:\WINDOWS\system32\Drivers\cisaspi0.sys []
S3 P0630VID;Creative WebCam Live!;C:\WINDOWS\system32\DRIVERS\P0630Vid.sys [2005-06-05 19:44]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{8da80ab2-afd1-11db-a9b4-000ae4f3f14f}]
\Shell\AutoRun\command - E:\LaunchU3.exe -a

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{f1f21ac5-9354-11da-a8f4-00032532c61c}]
\Shell\AutoRun\command - E:\JDSecure\Windows\JDSecure31.exe


[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{A5CDF7EC-751B-46aa-AD69-4005FE080DE8}]
C:\WINDOWS\system32\sinmax.exe s
.
**************************************************************************

catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-02-25 10:22:21
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ... 

scanning hidden autostart entries ...

scanning hidden files ... 

scan completed successfully 
hidden files: 0 

**************************************************************************
.
Completion time: 2008-02-25 10:23:01
ComboFix-quarantined-files.txt  2008-02-25 16:22:39
ComboFix2.txt  2008-02-25 16:18:17
ComboFix3.txt  2008-02-20 08:15:32
ComboFix4.txt  2008-02-19 07:03:59
.
2008-02-14 21:54:11	--- E O F ---


----------



## bison8125

*Hijack This Log*

Logfile of HijackThis v1.99.1
Scan saved at 10:24:11 AM, on 2/25/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\MSN Messenger\usnsvc.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Hijackthis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoomail.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://us.rd.yahoo.com/customize/ie/defaults/su/msgr8/*http://www.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.com/customize/ie/defaults/sb/msgr8/*http://www.yahoo.com/ext/search/search.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://us.rd.yahoo.com/customize/ie/defaults/sp/msgr8/*http://www.yahoo.com
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://us.rd.yahoo.com/customize/ie/defaults/su/msgr8/*http://www.yahoo.com
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe"  -osboot
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\PROGRA~1\Yahoo!\MESSEN~1\YAHOOM~1.EXE" -quiet
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [Aim6] "C:\Program Files\AIM6\aim6.exe" /d locale=en-US ee://aol/imApp
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Freebie Notes] "C:\Program Files\Power Soft\Freebie Notes\FreebieNotes.exe"
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\npjpi160_01.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\npjpi160_01.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {2B96D5CC-C5B5-49A5-A69D-CC0A30F9028C} - http://wdownload.weatherbug.com/minibug/tricklers/AWS/MiniBugTransporter.cab?
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
O16 - DPF: {3BFFE033-BF43-11D5-A271-00A024A51325} (iNotes6 Class) - http://hcmail1.co.hennepin.mn.us/iNotes6W.cab
O16 - DPF: {5F8469B4-B055-49DD-83F7-62B522420ECC} (Facebook Photo Uploader Control) - http://upload.facebook.com/controls/FacebookPhotoUploader.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1181780980500
O16 - DPF: {85D1F3B2-2A21-11D7-97B9-0010DC2A6243} (SecureLogin class) - http://secure2.comned.com/signuptemplates/securelogin-devel.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/MsnMessengerSetupDownloader.cab
O16 - DPF: {C4925E65-7A1E-11D2-8BB4-00A0C9CC72C3} - http://a532.g.akamai.net/f/532/6712/4h/player.virtools.com/downloads/player/Install3.0/Installer.exe
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: Cisco Systems, Inc. VPN Service (CVPND) - Cisco Systems, Inc. - C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Unknown owner - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe (file missing)
O23 - Service: VNC Server (winvnc) - Unknown owner - C:\Program Files\TightVNC\WinVNC.exe" -service (file missing)
O23 - Service: Broadcom Wireless LAN Tray Service (wltrysvc) - Unknown owner - C:\WINDOWS\System32\wltrysvc.exe


----------



## ceewi1

OK, I was going to suggest we just get the valid entries from the known good restore point, but this will work as well.  A few final malware removal steps then:

Please run Notepad and paste the contents of the codebox into a new file.  Please do not include the word Code:


Code:

REGEDIT4

[-HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{A5CDF7EC-751B-46aa-AD69-4005FE080DE8}]
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\StartUp]
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ViewMgr]


Save the file to the desktop as *fix.reg* and make sure the *Save as Type* field says *All Files*.  Then please go to the desktop and double-click on *fix.reg*, and click *Yes* to merge it with the registry.

Please run HijackThis and choose *Do a system scan only*.

Place a check next to the following entries:
*R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)*
*O16 - DPF: {85D1F3B2-2A21-11D7-97B9-0010DC2A6243} (SecureLogin class) - http://secure2.comned.com/signuptemp...ogin-devel.cab*

Please close all open windows except for HijackThis and choose *Fix checked*

Please reboot and post a new HijackThis log.
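The fix above hand-picks autostart keys out of the ComboFix "Reg Loading Points" section and deletes them with a REGEDIT4 file. As an added example that is not part of this thread, the Python below parses that section, applies two triage rules I chose for illustration (an executable sitting directly in the Windows directory, or a non-default Active Setup component launching an executable) and drafts the corresponding removal file; the sample log is constructed from entries quoted in this thread.

```python
"""Parse ComboFix 'Reg Loading Points' output and draft a REGEDIT4 removal file.

Added example for this thread; the triage rules are illustrative assumptions,
not a ComboFix or HijackThis feature. Flagged keys are for analyst review.
"""
import re
from dataclasses import dataclass
from pathlib import PureWindowsPath
from typing import List, Optional

# Constructed sample built from entries quoted in the thread above.
SAMPLE_LOG = r"""REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 06:00 15360]
"Freebie Notes"="C:\Program Files\Power Soft\Freebie Notes\FreebieNotes.exe" [2006-05-23 22:05 982016]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\StartUp]
C:\WINDOWS\trayicons.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SynTPLpr]
--a------ 2006-05-19 13:52 86105 C:\Program Files\Synaptics\SynTP\SynTPLpr.exe

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{A5CDF7EC-751B-46aa-AD69-4005FE080DE8}]
C:\WINDOWS\system32\sinmax.exe s
"""

@dataclass
class Entry:
    key: str                 # registry key the launch point lives under
    name: Optional[str]      # value name for Run-key entries, None for bare-path keys
    command: str             # command line as ComboFix printed it
    reason: str = ""         # triage reason, empty when not flagged

HEADER_RE = re.compile(r"^\[(.+)\]$")
VALUE_RE = re.compile(r'^"([^"]+)"="([^"]*)"')          # "Name"="C:\path\x.exe" [date size]
ATTR_RE = re.compile(r"^[-a-zA-Z]{9}\s+\d{4}-\d{2}-\d{2}\s+\d{2}:\d{2}\s+\d+\s+(.+)$")
PATH_RE = re.compile(r"^[A-Za-z]:\\")                    # bare command line
EXE_RE = re.compile(r'^"?([A-Za-z]:\\.+?\.exe)', re.IGNORECASE)

def parse_loading_points(text: str) -> List[Entry]:
    """Turn the section into one Entry per launch point, keyed by its registry key."""
    entries: List[Entry] = []
    key = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line == "REGEDIT4":
            continue
        m = HEADER_RE.match(line)
        if m:
            key = m.group(1)
            continue
        if key is None:
            continue
        m = VALUE_RE.match(line)
        if m:
            entries.append(Entry(key, m.group(1), m.group(2)))
        elif (m := ATTR_RE.match(line)):
            entries.append(Entry(key, None, m.group(1)))   # strip attr/date/size prefix
        elif PATH_RE.match(line):
            entries.append(Entry(key, None, line))
    return entries

def triage(entries: List[Entry]) -> List[Entry]:
    """Apply the two illustrative rules and return the flagged entries, in log order."""
    flagged = []
    for e in entries:
        m = EXE_RE.match(e.command)
        if not m:
            continue
        parent = str(PureWindowsPath(m.group(1)).parent).lower()
        if parent == r"c:\windows":
            e.reason = "executable sits directly in the Windows directory"
        elif r"\active setup\installed components" in e.key.lower():
            e.reason = "non-default Active Setup component launching an executable"
        if e.reason:
            flagged.append(e)
    return flagged

def build_fix_reg(flagged: List[Entry]) -> str:
    """Draft a REGEDIT4 file: [-Key] removes a whole key, "Name"=- removes one value."""
    lines = ["REGEDIT4", ""]
    for e in flagged:
        if e.name is None:
            lines.append(f"[-{e.key}]")
        else:
            lines.append(f"[{e.key}]")
            lines.append(f'"{e.name}"=-')
        lines.append("")
    return "\n".join(lines)

if __name__ == "__main__":
    hits = triage(parse_loading_points(SAMPLE_LOG))
    for e in hits:
        print(f"REVIEW: {e.command}  ({e.reason})")
    print(build_fix_reg(hits))
```

Export the affected keys with `reg export` before merging the drafted file, so a wrongly flagged entry can be restored.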


----------



## bison8125

*Hijack This Log*

Logfile of HijackThis v1.99.1
Scan saved at 10:17:20 AM, on 2/27/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe
C:\Program Files\Windows Live\Messenger\MsnMsgr.Exe
C:\Program Files\AIM6\aim6.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\AIM6\aolsoftware.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Windows Live\Messenger\usnsvc.exe
C:\Program Files\Hijackthis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoomail.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://us.rd.yahoo.com/customize/ie/defaults/su/msgr8/*http://www.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.com/customize/ie/defaults/sb/msgr8/*http://www.yahoo.com/ext/search/search.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://us.rd.yahoo.com/customize/ie/defaults/sp/msgr8/*http://www.yahoo.com
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://us.rd.yahoo.com/customize/ie/defaults/su/msgr8/*http://www.yahoo.com
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe"  -osboot
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" -quiet
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\Windows Live\Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [Aim6] "C:\Program Files\AIM6\aim6.exe" /d locale=en-US ee://aol/imApp
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Freebie Notes] "C:\Program Files\Power Soft\Freebie Notes\FreebieNotes.exe"
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\npjpi160_01.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\npjpi160_01.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {2B96D5CC-C5B5-49A5-A69D-CC0A30F9028C} - http://wdownload.weatherbug.com/minibug/tricklers/AWS/MiniBugTransporter.cab?
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
O16 - DPF: {3BFFE033-BF43-11D5-A271-00A024A51325} (iNotes6 Class) - http://hcmail1.co.hennepin.mn.us/iNotes6W.cab
O16 - DPF: {5F8469B4-B055-49DD-83F7-62B522420ECC} (Facebook Photo Uploader Control) - http://upload.facebook.com/controls/FacebookPhotoUploader.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1181780980500
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/MsnMessengerSetupDownloader.cab
O16 - DPF: {C4925E65-7A1E-11D2-8BB4-00A0C9CC72C3} - http://a532.g.akamai.net/f/532/6712/4h/player.virtools.com/downloads/player/Install3.0/Installer.exe
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\WI1F86~1\MESSEN~1\MSGRAP~1.DLL
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\WI1F86~1\MESSEN~1\MSGRAP~1.DLL
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: Cisco Systems, Inc. VPN Service (CVPND) - Cisco Systems, Inc. - C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Unknown owner - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe (file missing)
O23 - Service: VNC Server (winvnc) - Unknown owner - C:\Program Files\TightVNC\WinVNC.exe" -service (file missing)
O23 - Service: Broadcom Wireless LAN Tray Service (wltrysvc) - Unknown owner - C:\WINDOWS\System32\wltrysvc.exe


----------



## ceewi1

That log looks clean, are there any remaining problems?  There's one last entry that can be removed for cleanup purposes even though it's not malicious:

Please run HijackThis and choose *Do a system scan only*.

Place a check next to the following entry:
*O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)*
Please close all open windows except for HijackThis and choose *Fix checked*


----------



## bison8125

Well, looks like the viruses are all gone.  Thank you for your help.  It is most appreciated.  I have a couple of small questions for you.  Do you know of a good firewall (freeware) that I can use?  I'm a high level user, and I don't want to have a firewall that blocks my own stuff.  My other question is: how do you read Hijack This logs?  Does it take experience, or just learning what to recognize?


----------



## ceewi1

You're welcome.

Some good free firewalls are ZoneAlarm, Kerio, or Outpost.  When a program attempts to connect to the Internet, you'll be prompted to permit or deny it access, but you can tell it to remember the setting so that you won't be prompted every time your programs try to access the Internet.

With regards to reading HijackThis logs, it takes a lot of experience and proper training to do so well.  If you're looking to learn more, there are a number of online training sites that can help.  I've listed some of the most popular ones at http://www.computerforum.com/853855-post10.html

Below I have included some ideas on how to prevent future infections.

Please consider using these ideas to help secure your computer.  While there is no way to guarantee safety when you use a computer, these steps will make it much less likely that you will need to endure another infection.  While we really like to help people, we would rather help you protect yourself so that you won't need that help in the future.

Please navigate to http://windowsupdate.microsoft.com and download all the Critical Updates for Windows. These will patch many of the security holes through which attackers can gain access to your computer. 

Please either enable *Automatic Updates* under Start -> Control Panel -> Automatic Updates or get into the habit of checking Windows Update regularly.  They usually have security updates every month.  You can set Windows to notify you of Updates so that you can choose, but only do this if you believe you are able to understand which ones are needed.   *This is a crucial security measure.*

As a minimum, you need at least an antivirus, firewall and some type of anti-spyware program.

Please consider installing and running some of the following programs; they are either free or have free versions of commercial programs:

Spybot-Search & Destroy
A tutorial on using Spybot to remove spyware from your computer may be found here.  Please also remember to enable Spybot's Immunize and TeaTimer features if you don't have the resident part of another anti-spyware program running.

SpywareBlaster
A tutorial on using SpywareBlaster to prevent malware from ever installing on your computer may be found here.

SpywareGuard
A tutorial on using SpywareGuard for real-time protection against spyware and hijackers may be found here.

If you use Internet Explorer, it is a good idea to use IE-Spyad, which provides protection against malicious websites.

Please *keep these programs up-to-date* and run them whenever you suspect a problem to prevent malware problems.  A number of programs have resident protection and it is a good idea to run the resident protection of one of each type of program to maintain protection.  However, it is important to run only one resident program of each type since they can conflict and become less effective.  That means only one antivirus, firewall and scanning anti-spyware program at a time.  Passive protectors, like SpywareBlaster and IE-Spyad, can be run with any of them.

Note that there are a lot of rogue programs out there that want to scare you into giving them your money, and some malware actually claims to be security programs.  If you get a popup for a security program that you did not install yourself, do NOT click on it and ask for help immediately.  It is very important to run an antivirus and firewall, but you can't always rely on reviews and ads for information.  Ask in a security forum that you trust if you are not sure.  If you are unsure and are looking for anti-spyware programs, you can find out if it is a rogue here:

http://www.spywarewarrior.com/rogue_anti-spyware.htm

Please consider using an *alternate browser*. Mozilla's Firefox browser is a very good alternative.  In addition to being generally more secure than Internet Explorer, it has a very good built-in popup blocker, and add-ons like NoScript can make it even more secure.  Opera is another good option.
If you are interested, Firefox may be downloaded from here
Opera is available here:  http://www.opera.com/download/

Hopefully these steps will help to keep you error free.  If you run into more difficulty, we will certainly do what we can to help.


----------

