# help I to have a worm.win32.netboost



## squiggs (Jun 23, 2008)

it happend this weekend i ran a program called combofix and it is currently running i have to keep going back and forth it is on my laptop


----------



## squiggs (Jun 23, 2008)

*also*

on my main account on my laptop it has removed all the things from the start menu like 

control panel
my computer
help and support
programs where it pops up all your programs

I still can get to all of it but i have to press the windows key +r and then browse to find any programs or applications


----------



## Akosarz (Jun 23, 2008)

check out this previous thread:

http://www.computerforum.com/119782-i-got-virus-how-do-i-get-rid-worm-win32-netboost.html

someone else had the same problem.


----------



## squiggs (Jun 23, 2008)

i have and im running a hijackthis log at the current momment


----------



## Akosarz (Jun 23, 2008)

K, I guess just wait until the log gets done and then you can post your log


----------



## squiggs (Jun 23, 2008)

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 11:42:47 AM, on 6/23/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\Program Files\Spyware Doctor\pctsAuxs.exe
C:\Program Files\Spyware Doctor\pctsSvc.exe
C:\Program Files\Spyware Doctor\pctsTray.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\system32\notepad.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://qus8l.hpwis.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://yahoo.sbc.com/dsl
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Groove GFS Browser Helper - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\PROGRA~1\MICROS~4\Office12\GRA8E1~1.DLL
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: PeoplePal Toolbar - {A8FB8EB3-183B-4598-924D-86F0E5E37085} - c:\program files\peoplepc\toolbar\ppctoolbar.dll
O2 - BHO: CNavExtBho Class - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: (no name) - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - (no file)
O3 - Toolbar: PeoplePal Toolbar - {A8FB8EB3-183B-4598-924D-86F0E5E37085} - c:\program files\peoplepc\toolbar\ppctoolbar.dll
O3 - Toolbar: vrmdtneg - {266F6829-949E-4645-AAEA-1323B59E826C} - C:\WINDOWS\vrmdtneg.dll (file missing)
O4 - HKLM\..\Run: [MSConfig] C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto
O4 - HKLM\..\Run: [ISTray] "C:\Program Files\Spyware Doctor\pctsTray.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKUS\S-1-5-21-1332000860-4290386537-2851852715-1011\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe (User '?')
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\Office12\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\system32\msjava.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\system32\msjava.dll
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~4\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~4\Office12\ONBttnIE.dll
O9 - Extra button: AOL Toolbar - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - (no file)
O9 - Extra 'Tools' menuitem: AOL Toolbar - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - (no file)
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~4\Office12\REFIEBAR.DLL
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: Run IMVU - {d9288080-1baa-4bc4-9cf8-a92d743db949} - C:\Documents and Settings\Karah\Start Menu\Programs\IMVU\Run IMVU.lnk (file missing)
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O14 - IERESET.INF: START_PAGE_URL=http://qus8l.hpwis.com
O16 - DPF: {48DD0448-9209-4F81-9F6D-D83562940134} (MySpace Uploader Control) - http://lads.myspace.com/upload/MySpaceUploader1005.cab
O16 - DPF: {49232000-16E4-426C-A231-62846947304B} (SysData Class) - http://ipgweb.cce.hp.com/rdqnbk/downloads/sysinfo.cab
O16 - DPF: {88D969C0-F192-11D4-A65F-0040963251E5} (XML DOM Document 4.0) - http://ipgweb.cce.hp.com/rdqnbk/downloads/msxml4.cab
O16 - DPF: {9600F64D-755F-11D4-A47F-0001023E6D5A} (Shutterfly Picture Upload Plugin) - http://web1.shutterfly.com/downloads/Uploader.cab
O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\PROGRA~1\MICROS~4\Office12\GR99D3~1.DLL
O21 - SSODL: xvorfwbd - {3A33E915-BB8D-44CD-9951-059622B33D48} - C:\WINDOWS\xvorfwbd.dll (file missing)
O21 - SSODL: wpvmqosg - {C309CF8C-5771-4F0E-B6A6-2C441F0A3A92} - C:\WINDOWS\wpvmqosg.dll (file missing)
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: PC Tools Auxiliary Service (sdAuxService) - PC Tools - C:\Program Files\Spyware Doctor\pctsAuxs.exe
O23 - Service: PC Tools Security Service (sdCoreService) - PC Tools - C:\Program Files\Spyware Doctor\pctsSvc.exe

--
End of file - 5924 bytes


----------



## Punk (Jun 23, 2008)

Can you please post the Combofix log?


----------



## squiggs (Jun 23, 2008)

yes i can i was actually waiting for you punk


----------



## squiggs (Jun 23, 2008)

ComboFix 08-06-20.4 - blah 2008-06-23 11:10:09.1 - NTFSx86

Running from: C:\Documents and Settings\blah\Desktop\ComboFix.exe

*WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!*
.

(((((((((((((((((((((((((((((((((((((((   Other Deletions   )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Program Files\BurstWriting
C:\Program Files\BurstWriting\BurstWriting.dll
C:\WINDOWS\Downloaded Program Files\setup.inf
C:\WINDOWS\egra.exe
C:\WINDOWS\ksendlbtqrs.dll
C:\WINDOWS\satmat.exe
C:\WINDOWS\vrmdtneg.dll
C:\WINDOWS\xvorfwbd.dll

.
(((((((((((((((((((((((((   Files Created from 2008-05-23 to 2008-06-23  )))))))))))))))))))))))))))))))
.

2008-06-23 10:44 . 2008-06-23 10:45	<DIR>	d--------	C:\Program Files\Spyware Doctor
2008-06-23 10:44 . 2008-06-23 10:44	<DIR>	d--------	C:\Documents and Settings\blah\Application Data\PC Tools
2008-06-23 10:44 . 2008-06-10 21:22	81,288	--a------	C:\WINDOWS\system32\drivers\iksyssec.sys
2008-06-23 10:44 . 2008-06-02 15:19	66,952	--a------	C:\WINDOWS\system32\drivers\iksysflt.sys
2008-06-23 10:44 . 2008-06-02 15:19	42,376	--a------	C:\WINDOWS\system32\drivers\ikfilesec.sys
2008-06-23 10:44 . 2008-06-02 15:19	29,576	--a------	C:\WINDOWS\system32\drivers\kcom.sys
2008-06-23 10:42 . 2008-06-23 10:53	<DIR>	d--------	C:\Documents and Settings\blah\Application Data\U3
2008-06-23 10:24 . 2003-11-12 20:03	<DIR>	d--------	C:\Documents and Settings\blah\Application Data\Symantec
2008-06-23 10:24 . 2008-06-23 10:24	<DIR>	d--------	C:\Documents and Settings\blah
2008-06-22 21:24 . 2008-06-22 21:24	86	--a------	C:\WINDOWS\wininit.ini
2008-06-22 19:18 . 2008-06-22 19:18	<DIR>	d--------	C:\WINDOWS\privacy_danger
2008-06-22 19:08 . 2008-06-22 19:07	691,545	--a------	C:\WINDOWS\unins002.exe
2008-06-22 19:08 . 2008-06-22 19:08	2,541	--a------	C:\WINDOWS\unins002.dat
2008-06-22 03:07 . 2008-06-22 03:07	<DIR>	d--------	C:\Program Files\MSXML 4.0
2008-06-21 21:56 . 2008-06-21 21:56	<DIR>	d--------	C:\Documents and Settings\All Users\Application Data\ADSL Software Ltd
2008-06-21 21:56 . 2008-06-21 16:49	81,920	--a------	C:\WINDOWS\neltabxw.exe
2008-06-21 00:47 . 2008-06-21 00:47	<DIR>	d--------	C:\bios
2008-06-20 22:24 . 2008-06-20 22:24	94,208	--a------	C:\WINDOWS\DIIUnin.exe
2008-06-20 22:24 . 2008-06-20 22:33	18,340	--a------	C:\WINDOWS\DIIUnin.dat
2008-06-20 22:24 . 2008-06-20 22:24	2,829	--a------	C:\WINDOWS\DIIUnin.pif
2008-06-20 19:08 . 2008-06-20 22:26	21,840	--a----t-	C:\WINDOWS\system32\SIntfNT.dll
2008-06-20 19:08 . 2008-06-20 22:26	17,212	--a----t-	C:\WINDOWS\system32\SIntf32.dll
2008-06-20 19:08 . 2008-06-20 22:26	12,067	--a----t-	C:\WINDOWS\system32\SIntf16.dll
2008-06-20 18:47 . 2008-06-22 19:10	<DIR>	d--------	C:\Program Files\Diablo II
2008-06-11 18:55 . 2008-06-11 18:55	41,296	--a------	C:\WINDOWS\system32\xfcodec.dll

.
((((((((((((((((((((((((((((((((((((((((   Find3M Report   ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-06-23 16:21	---------	d---a-w	C:\Documents and Settings\All Users\Application Data\TEMP
2008-06-23 00:27	---------	d-----w	C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-06-23 00:17	---------	d-----w	C:\Program Files\Spybot - Search & Destroy
2008-06-21 05:10	---------	d--h--w	C:\Program Files\InstallShield Installation Information
2008-06-21 01:00	---------	d-----w	C:\Program Files\CallWave
2008-06-13 13:10	272,128	------w	C:\WINDOWS\system32\drivers\bthport.sys
2008-06-13 09:12	---------	d-----w	C:\Documents and Settings\All Users\Application Data\Microsoft Help
2008-05-08 12:28	202,752	----a-w	C:\WINDOWS\system32\drivers\rmcast.sys
2005-01-21 16:45	56	-csh--r	C:\WINDOWS\system32\E7D092101B.sys
2005-01-21 16:45	1,682	-csha-w	C:\WINDOWS\system32\KGyGaAvL.sys
.

(((((((((((((((((((((((((((((((((((((   Reg Loading Points   ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown 
REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{A8FB8EB3-183B-4598-924D-86F0E5E37085}]
2008-06-12 18:29	237056	--a------	c:\program files\peoplepc\toolbar\ppctoolbar.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
"{A8FB8EB3-183B-4598-924D-86F0E5E37085}"= "c:\program files\peoplepc\toolbar\ppctoolbar.dll" [2008-06-12 18:29 237056]
"{266F6829-949E-4645-AAEA-1323B59E826C}"= "C:\WINDOWS\vrmdtneg.dll" [ ]

[HKEY_CLASSES_ROOT\clsid\{a8fb8eb3-183b-4598-924d-86f0e5e37085}]
[HKEY_CLASSES_ROOT\PeoplePC.Toolbar.1]
[HKEY_CLASSES_ROOT\TypeLib\{994D628D-4D22-4DB9-B6DB-F7D9F1635817}]
[HKEY_CLASSES_ROOT\PeoplePC.Toolbar]

[HKEY_CLASSES_ROOT\clsid\{266f6829-949e-4645-aaea-1323b59e826c}]
[HKEY_CLASSES_ROOT\vrmdtneg.1]
[HKEY_CLASSES_ROOT\TypeLib\{76339EAC-B2F2-4B5C-BC18-47901DCCFD8F}]
[HKEY_CLASSES_ROOT\vrmdtneg]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 02:56 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MSConfig"="C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe" [2004-08-04 02:56 158208]
"ISTray"="C:\Program Files\Spyware Doctor\pctsTray.exe" [2008-06-10 21:22 1163656]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad]
"xvorfwbd"= {3A33E915-BB8D-44CD-9951-059622B33D48} - C:\WINDOWS\xvorfwbd.dll [ ]
"wpvmqosg"= {C309CF8C-5771-4F0E-B6A6-2C441F0A3A92} - C:\WINDOWS\wpvmqosg.dll [ ]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"VIDC.XFR1"= xfcodec.dll

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Gamma Loader.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Adobe Gamma Loader.lnk
backup=C:\WINDOWS\pss\Adobe Gamma Loader.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^CallWave.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\CallWave.lnk
backup=C:\WINDOWS\pss\CallWave.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Quicken Scheduled Updates.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Quicken Scheduled Updates.lnk
backup=C:\WINDOWS\pss\Quicken Scheduled Updates.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^SBC Self Support Tool.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\SBC Self Support Tool.lnk
backup=C:\WINDOWS\pss\SBC Self Support Tool.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^Karah^Start Menu^Programs^Startup^Microsoft Office Groove.lnk]
path=C:\Documents and Settings\Karah\Start Menu\Programs\Startup\Microsoft Office Groove.lnk
backup=C:\WINDOWS\pss\Microsoft Office Groove.lnkStartup

[HKLM\~\startupfolder\C:^Documents and Settings^Karah^Start Menu^Programs^Startup^PowerReg Scheduler.exe]
path=C:\Documents and Settings\Karah\Start Menu\Programs\Startup\PowerReg Scheduler.exe
backup=C:\WINDOWS\pss\PowerReg Scheduler.exeStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AGRSMMSG]
--a------ 2003-09-30 13:31 88363 C:\WINDOWS\AGRSMMSG.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Apoint]
--a------ 2003-10-07 22:40 159744 C:\Program Files\Apoint2K\Apoint.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ATIModeChange]
--a------ 2001-09-04 14:24 28672 C:\WINDOWS\system32\Ati2mdxx.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ATIPTA]
--a------ 2004-03-25 22:00 335872 C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Bart Station]
--------- 2005-07-25 14:14 20480 C:\Program Files\PeoplePC\ISP6200\BIN\PPCOLink.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BJCFD]
--a--c--- 2002-09-10 21:26 368706 C:\Program Files\BroadJump\Client Foundation\CFD.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\CamMonitor]
--a------ 2002-10-07 03:23 90112 C:\Program Files\Hewlett-Packard\Digital Imaging\Unload\hpqcmon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ccApp]
--a------ 2005-07-01 13:11 71280 C:\Program Files\Common Files\Symantec Shared\ccApp.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Cpqset]
--a------ 2003-07-17 13:50 184412 C:\Program Files\HPQ\Default Settings\cpqset.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ctfmon.exe]
--a------ 2004-08-04 02:56 15360 C:\WINDOWS\system32\ctfmon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\eabconfg.cpl]
--a------ 2003-09-26 12:04 237568 C:\Program Files\HPQ\Quick Launch Buttons\EabServr.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\EbatesMoeMoneyMaker0]
C:\Program Files\Ebates_MoeMoneyMaker\EbatesMoeMoneyMaker0.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\GrooveMonitor]
--a------ 2006-10-27 01:47 31016 C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HostManager]
C:\Program Files\Common Files\AOL\1128531912\EE\AOLHostManager.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IntelliPoint]
--a------ 2006-11-21 20:09 842584 C:\Program Files\Microsoft IntelliPoint\ipoint.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
--a------ 2006-10-30 10:36 256576 C:\Program Files\iTunes\iTunesHelper.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\lxdcamon]
--a------ 2007-03-05 15:40 20480 C:\Program Files\Lexmark 1300 Series\lxdcamon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\lxdcmon.exe]
C:\Program Files\Lexmark 1300 Series\lxdcmon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Motive SmartBridge]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\msnmsgr]
--a------ 2007-01-19 12:54 5674352 C:\Program Files\MSN Messenger\msnmsgr.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NCLaunch]
--a------ 2007-03-17 14:25 40960 C:\WINDOWS\NCLAUNCH.EXe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ooqauywssv]
--a--c--- 2004-12-23 18:57 38400 C:\WINDOWS\System32\lqaadj.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
--a------ 2006-10-25 19:58 282624 C:\Program Files\QuickTime\qttask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RealTray]
--a------ 2005-10-05 12:07 26112 C:\Program Files\Real\RealPlayer\RealPlay.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RoxioDragToDisc]
--a--c--- 2003-07-18 20:23 868352 C:\Program Files\Roxio\Easy CD Creator 6\DragToDisc\DrgToDsc.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RoxioEngineUtility]
--a--c--- 2003-05-01 21:44 65536 C:\Program Files\Common Files\Roxio Shared\System\EngUtil.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RunDLL]
C:\WINDOWS\Downloaded Program Files\bridge.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SpybotSD TeaTimer]
-rahs---- 2008-01-28 11:43 2097488 C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Symantec NetDriver Monitor]
--a------ 2007-02-07 01:24 100056 C:\PROGRA~1\SYMNET~1\SNDMon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WebRebates0]
C:\Program Files\Web_Rebates\WebRebates0.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\YBrowser]
C:\Program Files\Yahoo!\browser\ybrwicon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"usnjsvc"=3 (0x3)
"Spooler"=2 (0x2)
"PlugPlay"=2 (0x2)
"Microsoft Office Groove Audit Service"=3 (0x3)
"lxdc_device"=2 (0x2)
"lxdcCATSCustConnectService"=2 (0x2)
"iPod Service"=3 (0x3)
"YPCService"=3 (0x3)
"xmlprov"=3 (0x3)
"WZCSVC"=2 (0x2)
"wuauserv"=2 (0x2)
"wscsvc"=2 (0x2)
"WmiApSrv"=3 (0x3)
"WmdmPmSN"=3 (0x3)
"WMDM PMSP Service"=2 (0x2)
"winmgmt"=2 (0x2)
"WebClient"=2 (0x2)
"W32Time"=2 (0x2)
"VSS"=3 (0x3)
"UPS"=3 (0x3)
"upnphost"=3 (0x3)
"UMWdf"=2 (0x2)
"TrkWks"=2 (0x2)
"Themes"=2 (0x2)
"TermService"=3 (0x3)
"TapiSrv"=3 (0x3)
"SysmonLog"=3 (0x3)
"SymWSC"=2 (0x2)
"SwPrv"=3 (0x3)
"stisvc"=2 (0x2)
"SSDPSRV"=3 (0x3)
"srservice"=2 (0x2)
"SNDSrvc"=3 (0x3)
"ShellHWDetection"=2 (0x2)
"SharedAccess"=2 (0x2)
"SENS"=2 (0x2)
"seclogon"=2 (0x2)
"Schedule"=2 (0x2)
"SCardSvr"=3 (0x3)
"SBService"=2 (0x2)
"SAVScan"=2 (0x2)
"SamSs"=2 (0x2)
"RSVP"=3 (0x3)
"RDSessMgr"=3 (0x3)
"RasMan"=3 (0x3)
"RasAuto"=3 (0x3)
"ProtectedStorage"=2 (0x2)
"PolicyAgent"=2 (0x2)
"ose"=3 (0x3)
"odserv"=3 (0x3)
"NtmsSvc"=3 (0x3)
"NtLmSsp"=3 (0x3)
"Nla"=3 (0x3)
"Netman"=3 (0x3)
"Netlogon"=3 (0x3)
"navapsvc"=2 (0x2)
"MSIServer"=3 (0x3)
"MSDTC"=3 (0x3)
"mnmsrvc"=3 (0x3)
"LmHosts"=2 (0x2)
"lanmanworkstation"=2 (0x2)
"lanmanserver"=2 (0x2)
"ImapiService"=3 (0x3)
"HTTPFilter"=3 (0x3)
"HidServ"=2 (0x2)
"helpsvc"=2 (0x2)
"FastUserSwitchingCompatibility"=3 (0x3)
"EventSystem"=3 (0x3)
"Eventlog"=2 (0x2)
"ERSvc"=2 (0x2)
"Dnscache"=2 (0x2)
"dmserver"=3 (0x3)
"dmadmin"=3 (0x3)
"Dhcp"=2 (0x2)
"CryptSvc"=3 (0x3)
"COMSysApp"=3 (0x3)
"clr_optimization_v2.0.50727_32"=3 (0x3)
"CiSvc"=3 (0x3)
"ccSetMgr"=2 (0x2)
"ccPwdSvc"=3 (0x3)
"ccEvtMgr"=2 (0x2)
"Browser"=2 (0x2)
"BITS"=2 (0x2)
"AudioSrv"=2 (0x2)
"Ati HotKey Poller"=2 (0x2)
"aspnet_state"=3 (0x3)
"AppMgmt"=3 (0x3)
"ALG"=3 (0x3)

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\Yahoo!\\Messenger\\YPager.exe"= C:\\Program Files\\Yahoo!\\Messenger\\YPAGER.EXE
"C:\\Program Files\\Yahoo!\\Messenger\\YServer.exe"= C:\\Program Files\\Yahoo!\\Messenger\\yserver.exe
"C:\\WINDOWS\\system32\\mshta.exe"=
"C:\\Program Files\\Messenger\\msmsgs.exe"=
"C:\\WINDOWS\\system32\\dpvsetup.exe"=
"C:\\Program Files\\iTunes\\iTunes.exe"=
"C:\\Program Files\\MSN Messenger\\msnmsgr.exe"=
"C:\\Program Files\\MSN Messenger\\livecall.exe"=
"C:\\Program Files\\Internet Explorer\\iexplore.exe"=
"C:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
"C:\\Program Files\\Microsoft Office\\Office12\\GROOVE.EXE"=
"C:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"=
"C:\\WINDOWS\\system32\\lxdccoms.exe"=
"C:\\Program Files\\Lexmark 1300 Series\\lxdcamon.exe"=
"C:\\Program Files\\Lexmark 1300 Series\\App4R.exe"=
"C:\\WINDOWS\\system32\\spool\\drivers\\w32x86\\3\\lxdcpswx.exe"=
"C:\\WINDOWS\\system32\\spool\\drivers\\w32x86\\3\\lxdcjswx.exe"=
"C:\\WINDOWS\\system32\\spool\\drivers\\w32x86\\3\\lxdctime.exe"=
"C:\\WINDOWS\\system32\\spool\\drivers\\w32x86\\3\\lxdcwbgw.exe"=
"C:\\Program Files\\CallWave\\IAM.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3389:TCP"= 3389:TCPxpsp2res.dll,-22009
"1863:TCP"= 1863:TCP:MSN Messenger
"6891:TCP"= 6891:TCP:Open Port 1
"6892:TCP"= 6892:TCP:Open Port 2
"6893:TCP"= 6893:TCP:Open Port 3
"6894:TCP"= 6894:TCP:Open Port 4
"6895:TCP"= 6895:TCP:Open Port 5


[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\D]
\Shell\AutoRun\command - D:\SWSETUP\APPINSTL\setup.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\F]
\Shell\AutoRun\command - F:\LaunchU3.exe -a

.
Contents of the 'Scheduled Tasks' folder
"2008-02-05 19:32:18 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job"
- C:\Program Files\Apple Software Update\SoftwareUpdate.exe
"2008-06-23 00:42:06 C:\WINDOWS\Tasks\Symantec NetDetect.job"
- C:\Program Files\Symantec\LiveUpdate\NDETECT.EXE
.
**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-06-23 11:21:38
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ... 

scanning hidden autostart entries ...

scanning hidden files ... 

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

PROCESS: C:\WINDOWS\system32\winlogon.exe
-> C:\WINDOWS\system32\Ati2evxx.dll
.
------------------------ Other Running Processes ------------------------
.
C:\Program Files\Norton AntiVirus\NAVAPSVC.EXE
C:\Program Files\Spyware Doctor\pctsAuxs.exe
C:\Program Files\Spyware Doctor\pctsSvc.exe
.
**************************************************************************
.
Completion time: 2008-06-23 11:28:18 - machine was rebooted [blah]
ComboFix-quarantined-files.txt  2008-06-23 16:28:11

Pre-Run: 14,211,854,336 bytes free
Post-Run: 14,330,761,216 bytes free

324	--- E O F ---	2008-06-22 08:07:48


----------



## Punk (Jun 23, 2008)

Are you experiencing any symptoms?

I found a few files, I want to see if their bad.


----------



## squiggs (Jun 23, 2008)

when i log into the main adminstrator user it doesnt have
control panel
my computer
help and support
programs where it pops up all your programs

I still can get to all of it but i have to press the windows key +r and then browse to find any programs or applications

and it changed by background to an imagelink to a website


----------



## Punk (Jun 23, 2008)

*Download Avenger, and unzip it to your desktop or somewhere you can find it.Â  (Do not run it yet).*

Note: This program is for use on Windows XP *32 bit* systems only, and must be run from an Administrator account.


Open a *Notepad* file by clicking *Start > Run*Â  and typing *Notepad.exe* in the box, click *OK*.
Click *Format*, and ensure *Word Wrap* is unchecked.
Copy and Paste the text in the box below into *Notepad*.
Now save the file as *RemoveFiles.txt* in a location where you can find it.



> Folders to delete:
> C:\WINDOWS\privacy_danger



Note: the above code was created specifically for this user. If you are not this user, do *NOT* follow these directions as they could damage the workings of your system.

Start *Avenger* by double clicking on *Avenger.exe*.

Check *Load script from file:*
Click on the *folder symbol* below and to the right, and browse to *RemoveFiles.txt*.
Double click it to enter it into Avenger.
Click the *green traffic light symbol*.
You will be asked if you want to execute the script, answer *Yes*.
At this point you may get prompts from your protection systems, allow them please.
Avenger will set itself up to run the next time you re-boot, and will prompt you to re-start immediately.
Answer *Yes*, and allow your computer to re-boot.
Upon re-boot a command window will briefly appear on screen (this is normal).
A Notepad text file will be created *C:\avenger.txt*.
*Copy and Paste it into your next post please.*


I'm still searching for info on those four drivers;
C:\WINDOWS\system32\drivers\iksyssec.sys
C:\WINDOWS\system32\drivers\iksysflt.sys
C:\WINDOWS\system32\drivers\ikfilesec.sys
C:\WINDOWS\system32\drivers\kcom.sys

Download *SDFix* and save it to your Desktop.

Double click *SDFix.exe* and it will extract the files to %systemdrive%
(Drive that contains the Windows Directory, typically C:\SDFix)

Please then reboot your computer in *Safe Mode* by doing the following :
Restart your computer
After hearing your computer beep once during startup, but before the Windows icon appears, tap the F8 key continually;
Instead of Windows loading as normal, the Advanced Options Menu should appear;
Select the first option, to run Windows in Safe Mode, then press *Enter*.
Choose your usual account.
 Open the extracted SDFix folder and double click *RunThis.bat* to start the script.
 Type *Y* to begin the cleanup process.
 It will remove any Trojan Services and Registry Entries that it finds then prompt you to press any key to Reboot.
 Press any Key and it will restart the PC.
 When the PC restarts the Fixtool will run again and complete the removal process then display *Finished*, press any key to end the script and load your desktop icons.
 Once the desktop icons load the SDFix report will open on screen and also save into the SDFix folder as *Report.txt*
(Report.txt will also be copied to Clipboard ready for posting back on the forum).
 Finally paste the contents of the Report.txt back on the forum with a new HijackThis log


----------



## squiggs (Jun 23, 2008)

when will be the next time your on and what time difference is it between central usa time with france time

or you could tell me what time you have and i can compare it to my time


----------



## squiggs (Jun 23, 2008)

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 12:23: VIRUS ALERT!, on 6/23/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\Program Files\Spyware Doctor\pctsAuxs.exe
C:\Program Files\Spyware Doctor\pctsSvc.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Spyware Doctor\pctsTray.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://home.peoplepc.com/search
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.earthlink.net/partner/more/msie/button/search.html
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://softwarereferral.com/jump.php?wmid=6010&mid=MjI6Ojg5&lid=2
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://yahoo.sbc.com/dsl
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = websearch.drsnsrch.com/q.cgi?q=
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = 
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Groove GFS Browser Helper - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\PROGRA~1\MICROS~4\Office12\GRA8E1~1.DLL
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: PeoplePal Toolbar - {A8FB8EB3-183B-4598-924D-86F0E5E37085} - c:\program files\peoplepc\toolbar\ppctoolbar.dll
O2 - BHO: CNavExtBho Class - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: (no name) - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - (no file)
O3 - Toolbar: PeoplePal Toolbar - {A8FB8EB3-183B-4598-924D-86F0E5E37085} - c:\program files\peoplepc\toolbar\ppctoolbar.dll
O3 - Toolbar: vrmdtneg - {266F6829-949E-4645-AAEA-1323B59E826C} - C:\WINDOWS\vrmdtneg.dll (file missing)
O4 - HKLM\..\Run: [MSConfig] C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto
O4 - HKLM\..\Run: [ISTray] "C:\Program Files\Spyware Doctor\pctsTray.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKUS\S-1-5-21-1332000860-4290386537-2851852715-1007\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe (User '?')
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System, DisableRegedit=1
O8 - Extra context menu item: &AOL Toolbar search - res://C:\Program Files\AOL Toolbar\toolbar.dll/SEARCH.HTML
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\Office12\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\system32\msjava.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\system32\msjava.dll
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~4\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~4\Office12\ONBttnIE.dll
O9 - Extra button: AOL Toolbar - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - (no file)
O9 - Extra 'Tools' menuitem: AOL Toolbar - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - (no file)
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~4\Office12\REFIEBAR.DLL
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: Run IMVU - {d9288080-1baa-4bc4-9cf8-a92d743db949} - C:\Documents and Settings\Karah\Start Menu\Programs\IMVU\Run IMVU.lnk
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra button: (no name) - {6685509E-B47B-4f47-8E16-9A5F3A62F683} - file://C:\Program Files\Ebates_MoeMoneyMaker\Sy350\Tp350\scri350a.htm (file missing) (HKCU)
O14 - IERESET.INF: START_PAGE_URL=http://qus8l.hpwis.com
O16 - DPF: {48DD0448-9209-4F81-9F6D-D83562940134} (MySpace Uploader Control) - http://lads.myspace.com/upload/MySpaceUploader1005.cab
O16 - DPF: {49232000-16E4-426C-A231-62846947304B} (SysData Class) - http://ipgweb.cce.hp.com/rdqnbk/downloads/sysinfo.cab
O16 - DPF: {88D969C0-F192-11D4-A65F-0040963251E5} (XML DOM Document 4.0) - http://ipgweb.cce.hp.com/rdqnbk/downloads/msxml4.cab
O16 - DPF: {9600F64D-755F-11D4-A47F-0001023E6D5A} (Shutterfly Picture Upload Plugin) - http://web1.shutterfly.com/downloads/Uploader.cab
O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\PROGRA~1\MICROS~4\Office12\GR99D3~1.DLL
O21 - SSODL: xvorfwbd - {3A33E915-BB8D-44CD-9951-059622B33D48} - C:\WINDOWS\xvorfwbd.dll (file missing)
O21 - SSODL: wpvmqosg - {C309CF8C-5771-4F0E-B6A6-2C441F0A3A92} - C:\WINDOWS\wpvmqosg.dll (file missing)
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: PC Tools Auxiliary Service (sdAuxService) - PC Tools - C:\Program Files\Spyware Doctor\pctsAuxs.exe
O23 - Service: PC Tools Security Service (sdCoreService) - PC Tools - C:\Program Files\Spyware Doctor\pctsSvc.exe
O24 - Desktop Component 0: Privacy Protection - file:///C:\WINDOWS\privacy_danger\index.htm

--
End of file - 6937 bytes




this is for the main account that is used and first noticed the problem


----------



## squiggs (Jun 23, 2008)

ComboFix 08-06-20.4 - Karah 2008-06-23 12:27:40.3 - NTFSx86

Running from: C:\Documents and Settings\All Users\Desktop\ComboFix.exe

*WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!*
.

(((((((((((((((((((((((((((((((((((((((   Other Deletions   )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\WINDOWS\privacy_danger
C:\WINDOWS\privacy_danger\images\capt.gif
C:\WINDOWS\privacy_danger\images\danger.jpg
C:\WINDOWS\privacy_danger\images\down.gif
C:\WINDOWS\privacy_danger\images\spacer.gif
C:\WINDOWS\privacy_danger\index.htm

.
(((((((((((((((((((((((((   Files Created from 2008-05-23 to 2008-06-23  )))))))))))))))))))))))))))))))
.

2008-06-23 11:42 . 2008-06-23 11:42	<DIR>	d--------	C:\Program Files\Trend Micro
2008-06-23 10:44 . 2008-06-23 10:45	<DIR>	d--------	C:\Program Files\Spyware Doctor
2008-06-23 10:44 . 2008-06-23 10:44	<DIR>	d--------	C:\Documents and Settings\blah\Application Data\PC Tools
2008-06-23 10:44 . 2008-06-10 21:22	81,288	--a------	C:\WINDOWS\system32\drivers\iksyssec.sys
2008-06-23 10:44 . 2008-06-02 15:19	66,952	--a------	C:\WINDOWS\system32\drivers\iksysflt.sys
2008-06-23 10:44 . 2008-06-02 15:19	42,376	--a------	C:\WINDOWS\system32\drivers\ikfilesec.sys
2008-06-23 10:44 . 2008-06-02 15:19	29,576	--a------	C:\WINDOWS\system32\drivers\kcom.sys
2008-06-23 10:42 . 2008-06-23 11:34	<DIR>	d--------	C:\Documents and Settings\blah\Application Data\U3
2008-06-23 10:24 . 2003-11-12 20:03	<DIR>	d--------	C:\Documents and Settings\blah\Application Data\Symantec
2008-06-23 10:24 . 2008-06-23 10:24	<DIR>	d--------	C:\Documents and Settings\blah
2008-06-22 21:24 . 2008-06-22 21:24	86	--a------	C:\WINDOWS\wininit.ini
2008-06-22 19:08 . 2008-06-22 19:07	691,545	--a------	C:\WINDOWS\unins002.exe
2008-06-22 19:08 . 2008-06-22 19:08	2,541	--a------	C:\WINDOWS\unins002.dat
2008-06-22 03:07 . 2008-06-22 03:07	<DIR>	d--------	C:\Program Files\MSXML 4.0
2008-06-21 21:56 . 2008-06-21 21:56	<DIR>	d--------	C:\Documents and Settings\All Users\Application Data\ADSL Software Ltd
2008-06-21 21:56 . 2008-06-21 16:49	81,920	--a------	C:\WINDOWS\neltabxw.exe
2008-06-21 00:47 . 2008-06-21 00:47	<DIR>	d--------	C:\bios
2008-06-20 22:24 . 2008-06-20 22:24	94,208	--a------	C:\WINDOWS\DIIUnin.exe
2008-06-20 22:24 . 2008-06-20 22:33	18,340	--a------	C:\WINDOWS\DIIUnin.dat
2008-06-20 22:24 . 2008-06-20 22:24	2,829	--a------	C:\WINDOWS\DIIUnin.pif
2008-06-20 19:08 . 2008-06-20 22:26	21,840	--a----t-	C:\WINDOWS\system32\SIntfNT.dll
2008-06-20 19:08 . 2008-06-20 22:26	17,212	--a----t-	C:\WINDOWS\system32\SIntf32.dll
2008-06-20 19:08 . 2008-06-20 22:26	12,067	--a----t-	C:\WINDOWS\system32\SIntf16.dll
2008-06-20 18:47 . 2008-06-22 19:10	<DIR>	d--------	C:\Program Files\Diablo II
2008-06-11 18:55 . 2008-06-11 18:55	41,296	--a------	C:\WINDOWS\system32\xfcodec.dll

.
((((((((((((((((((((((((((((((((((((((((   Find3M Report   ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-06-23 17:18	---------	d---a-w	C:\Documents and Settings\All Users\Application Data\TEMP
2008-06-23 00:27	---------	d-----w	C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-06-23 00:17	---------	d-----w	C:\Program Files\Spybot - Search & Destroy
2008-06-21 05:10	---------	d--h--w	C:\Program Files\InstallShield Installation Information
2008-06-21 01:00	---------	d-----w	C:\Program Files\CallWave
2008-06-13 13:10	272,128	----a-w	C:\WINDOWS\system32\dllcache\bthport.sys
2008-06-13 13:10	272,128	------w	C:\WINDOWS\system32\drivers\bthport.sys
2008-06-13 09:12	---------	d-----w	C:\Documents and Settings\All Users\Application Data\Microsoft Help
2008-05-08 12:28	202,752	----a-w	C:\WINDOWS\system32\drivers\rmcast.sys
2008-05-08 12:28	202,752	----a-w	C:\WINDOWS\system32\dllcache\rmcast.sys
2008-05-07 05:18	1,287,680	----a-w	C:\WINDOWS\system32\quartz.dll
2008-05-07 05:18	1,287,680	------w	C:\WINDOWS\system32\dllcache\quartz.dll
2008-04-21 07:04	659,456	----a-w	C:\WINDOWS\system32\wininet.dll
2008-04-21 07:04	659,456	------w	C:\WINDOWS\system32\dllcache\wininet.dll
2008-04-21 07:04	615,936	------w	C:\WINDOWS\system32\dllcache\urlmon.dll
2008-04-21 07:04	474,112	------w	C:\WINDOWS\system32\dllcache\shlwapi.dll
2008-04-21 07:04	1,494,528	------w	C:\WINDOWS\system32\dllcache\shdocvw.dll
2008-04-17 10:52	18,432	----a-w	C:\WINDOWS\system32\dllcache\iedw.exe
2008-03-27 08:12	151,583	----a-w	C:\WINDOWS\system32\msjint40.dll
2008-03-27 08:12	151,583	----a-w	C:\WINDOWS\system32\dllcache\msjint40.dll
2005-01-21 16:45	56	-csh--r	C:\WINDOWS\system32\E7D092101B.sys
2005-01-21 16:45	1,682	-csha-w	C:\WINDOWS\system32\KGyGaAvL.sys
.

(((((((((((((((((((((((((((((((((((((   Reg Loading Points   ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown 
REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{A8FB8EB3-183B-4598-924D-86F0E5E37085}]
2008-06-12 18:29	237056	--a------	c:\program files\peoplepc\toolbar\ppctoolbar.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
"{A8FB8EB3-183B-4598-924D-86F0E5E37085}"= "c:\program files\peoplepc\toolbar\ppctoolbar.dll" [2008-06-12 18:29 237056]
"{266F6829-949E-4645-AAEA-1323B59E826C}"= "C:\WINDOWS\vrmdtneg.dll" [ ]

[HKEY_CLASSES_ROOT\clsid\{a8fb8eb3-183b-4598-924d-86f0e5e37085}]
[HKEY_CLASSES_ROOT\PeoplePC.Toolbar.1]
[HKEY_CLASSES_ROOT\TypeLib\{994D628D-4D22-4DB9-B6DB-F7D9F1635817}]
[HKEY_CLASSES_ROOT\PeoplePC.Toolbar]

[HKEY_CLASSES_ROOT\clsid\{266f6829-949e-4645-aaea-1323b59e826c}]
[HKEY_CLASSES_ROOT\vrmdtneg.1]
[HKEY_CLASSES_ROOT\TypeLib\{76339EAC-B2F2-4B5C-BC18-47901DCCFD8F}]
[HKEY_CLASSES_ROOT\vrmdtneg]

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser]
"{A8FB8EB3-183B-4598-924D-86F0E5E37085}"= c:\program files\peoplepc\toolbar\ppctoolbar.dll [2008-06-12 18:29 237056]

[HKEY_CLASSES_ROOT\clsid\{a8fb8eb3-183b-4598-924d-86f0e5e37085}]
[HKEY_CLASSES_ROOT\PeoplePC.Toolbar.1]
[HKEY_CLASSES_ROOT\TypeLib\{994D628D-4D22-4DB9-B6DB-F7D9F1635817}]
[HKEY_CLASSES_ROOT\PeoplePC.Toolbar]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 02:56 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MSConfig"="C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe" [2004-08-04 02:56 158208]
"ISTray"="C:\Program Files\Spyware Doctor\pctsTray.exe" [2008-06-10 21:22 1163656]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad]
"xvorfwbd"= {3A33E915-BB8D-44CD-9951-059622B33D48} - C:\WINDOWS\xvorfwbd.dll [ ]
"wpvmqosg"= {C309CF8C-5771-4F0E-B6A6-2C441F0A3A92} - C:\WINDOWS\wpvmqosg.dll [ ]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"VIDC.XFR1"= xfcodec.dll

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Gamma Loader.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Adobe Gamma Loader.lnk
backup=C:\WINDOWS\pss\Adobe Gamma Loader.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^CallWave.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\CallWave.lnk
backup=C:\WINDOWS\pss\CallWave.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Quicken Scheduled Updates.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Quicken Scheduled Updates.lnk
backup=C:\WINDOWS\pss\Quicken Scheduled Updates.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^SBC Self Support Tool.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\SBC Self Support Tool.lnk
backup=C:\WINDOWS\pss\SBC Self Support Tool.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^Karah^Start Menu^Programs^Startup^Microsoft Office Groove.lnk]
path=C:\Documents and Settings\Karah\Start Menu\Programs\Startup\Microsoft Office Groove.lnk
backup=C:\WINDOWS\pss\Microsoft Office Groove.lnkStartup

[HKLM\~\startupfolder\C:^Documents and Settings^Karah^Start Menu^Programs^Startup^PowerReg Scheduler.exe]
path=C:\Documents and Settings\Karah\Start Menu\Programs\Startup\PowerReg Scheduler.exe
backup=C:\WINDOWS\pss\PowerReg Scheduler.exeStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AGRSMMSG]
--a------ 2003-09-30 13:31 88363 C:\WINDOWS\AGRSMMSG.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Apoint]
--a------ 2003-10-07 22:40 159744 C:\Program Files\Apoint2K\Apoint.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ATIModeChange]
--a------ 2001-09-04 14:24 28672 C:\WINDOWS\system32\Ati2mdxx.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ATIPTA]
--a------ 2004-03-25 22:00 335872 C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Bart Station]
--------- 2005-07-25 14:14 20480 C:\Program Files\PeoplePC\ISP6200\BIN\PPCOLink.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BJCFD]
--a--c--- 2002-09-10 21:26 368706 C:\Program Files\BroadJump\Client Foundation\CFD.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\CamMonitor]
--a------ 2002-10-07 03:23 90112 C:\Program Files\Hewlett-Packard\Digital Imaging\Unload\hpqcmon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ccApp]
--a------ 2005-07-01 13:11 71280 C:\Program Files\Common Files\Symantec Shared\ccApp.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Cpqset]
--a------ 2003-07-17 13:50 184412 C:\Program Files\HPQ\Default Settings\cpqset.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ctfmon.exe]
--a------ 2004-08-04 02:56 15360 C:\WINDOWS\system32\ctfmon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\eabconfg.cpl]
--a------ 2003-09-26 12:04 237568 C:\Program Files\HPQ\Quick Launch Buttons\EabServr.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\EbatesMoeMoneyMaker0]
C:\Program Files\Ebates_MoeMoneyMaker\EbatesMoeMoneyMaker0.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\GrooveMonitor]
--a------ 2006-10-27 01:47 31016 C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HostManager]
C:\Program Files\Common Files\AOL\1128531912\EE\AOLHostManager.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IntelliPoint]
--a------ 2006-11-21 20:09 842584 C:\Program Files\Microsoft IntelliPoint\ipoint.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
--a------ 2006-10-30 10:36 256576 C:\Program Files\iTunes\iTunesHelper.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\lxdcamon]
--a------ 2007-03-05 15:40 20480 C:\Program Files\Lexmark 1300 Series\lxdcamon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\lxdcmon.exe]
C:\Program Files\Lexmark 1300 Series\lxdcmon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Motive SmartBridge]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\msnmsgr]
--a------ 2007-01-19 12:54 5674352 C:\Program Files\MSN Messenger\msnmsgr.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NCLaunch]
--a------ 2007-03-17 14:25 40960 C:\WINDOWS\NCLAUNCH.EXe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ooqauywssv]
--a--c--- 2004-12-23 18:57 38400 C:\WINDOWS\System32\lqaadj.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
--a------ 2006-10-25 19:58 282624 C:\Program Files\QuickTime\qttask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RealTray]
--a------ 2005-10-05 12:07 26112 C:\Program Files\Real\RealPlayer\RealPlay.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RoxioDragToDisc]
--a--c--- 2003-07-18 20:23 868352 C:\Program Files\Roxio\Easy CD Creator 6\DragToDisc\DrgToDsc.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RoxioEngineUtility]
--a--c--- 2003-05-01 21:44 65536 C:\Program Files\Common Files\Roxio Shared\System\EngUtil.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RunDLL]
C:\WINDOWS\Downloaded Program Files\bridge.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SpybotSD TeaTimer]
-rahs---- 2008-01-28 11:43 2097488 C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Symantec NetDriver Monitor]
--a------ 2007-02-07 01:24 100056 C:\PROGRA~1\SYMNET~1\SNDMon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WebRebates0]
C:\Program Files\Web_Rebates\WebRebates0.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\YBrowser]
C:\Program Files\Yahoo!\browser\ybrwicon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"usnjsvc"=3 (0x3)
"Spooler"=2 (0x2)
"PlugPlay"=2 (0x2)
"Microsoft Office Groove Audit Service"=3 (0x3)
"lxdc_device"=2 (0x2)
"lxdcCATSCustConnectService"=2 (0x2)
"iPod Service"=3 (0x3)
"YPCService"=3 (0x3)
"xmlprov"=3 (0x3)
"WZCSVC"=2 (0x2)
"wuauserv"=2 (0x2)
"wscsvc"=2 (0x2)
"WmiApSrv"=3 (0x3)
"WmdmPmSN"=3 (0x3)
"WMDM PMSP Service"=2 (0x2)
"winmgmt"=2 (0x2)
"WebClient"=2 (0x2)
"W32Time"=2 (0x2)
"VSS"=3 (0x3)
"UPS"=3 (0x3)
"upnphost"=3 (0x3)
"UMWdf"=2 (0x2)
"TrkWks"=2 (0x2)
"Themes"=2 (0x2)
"TermService"=3 (0x3)
"TapiSrv"=3 (0x3)
"SysmonLog"=3 (0x3)
"SymWSC"=2 (0x2)
"SwPrv"=3 (0x3)
"stisvc"=2 (0x2)
"SSDPSRV"=3 (0x3)
"srservice"=2 (0x2)
"SNDSrvc"=3 (0x3)
"ShellHWDetection"=2 (0x2)
"SharedAccess"=2 (0x2)
"SENS"=2 (0x2)
"seclogon"=2 (0x2)
"Schedule"=2 (0x2)
"SCardSvr"=3 (0x3)
"SBService"=2 (0x2)
"SAVScan"=2 (0x2)
"SamSs"=2 (0x2)
"RSVP"=3 (0x3)
"RDSessMgr"=3 (0x3)
"RasMan"=3 (0x3)
"RasAuto"=3 (0x3)
"ProtectedStorage"=2 (0x2)
"PolicyAgent"=2 (0x2)
"ose"=3 (0x3)
"odserv"=3 (0x3)
"NtmsSvc"=3 (0x3)
"NtLmSsp"=3 (0x3)
"Nla"=3 (0x3)
"Netman"=3 (0x3)
"Netlogon"=3 (0x3)
"navapsvc"=2 (0x2)
"MSIServer"=3 (0x3)
"MSDTC"=3 (0x3)
"mnmsrvc"=3 (0x3)
"LmHosts"=2 (0x2)
"lanmanworkstation"=2 (0x2)
"lanmanserver"=2 (0x2)
"ImapiService"=3 (0x3)
"HTTPFilter"=3 (0x3)
"HidServ"=2 (0x2)
"helpsvc"=2 (0x2)
"FastUserSwitchingCompatibility"=3 (0x3)
"EventSystem"=3 (0x3)
"Eventlog"=2 (0x2)
"ERSvc"=2 (0x2)
"Dnscache"=2 (0x2)
"dmserver"=3 (0x3)
"dmadmin"=3 (0x3)
"Dhcp"=2 (0x2)
"CryptSvc"=3 (0x3)
"COMSysApp"=3 (0x3)
"clr_optimization_v2.0.50727_32"=3 (0x3)
"CiSvc"=3 (0x3)
"ccSetMgr"=2 (0x2)
"ccPwdSvc"=3 (0x3)
"ccEvtMgr"=2 (0x2)
"Browser"=2 (0x2)
"BITS"=2 (0x2)
"AudioSrv"=2 (0x2)
"Ati HotKey Poller"=2 (0x2)
"aspnet_state"=3 (0x3)
"AppMgmt"=3 (0x3)
"ALG"=3 (0x3)

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\Yahoo!\\Messenger\\YPager.exe"= C:\\Program Files\\Yahoo!\\Messenger\\YPAGER.EXE
"C:\\Program Files\\Yahoo!\\Messenger\\YServer.exe"= C:\\Program Files\\Yahoo!\\Messenger\\yserver.exe
"C:\\WINDOWS\\system32\\mshta.exe"=
"C:\\Program Files\\Messenger\\msmsgs.exe"=
"C:\\WINDOWS\\system32\\dpvsetup.exe"=
"C:\\Program Files\\iTunes\\iTunes.exe"=
"C:\\Program Files\\MSN Messenger\\msnmsgr.exe"=
"C:\\Program Files\\MSN Messenger\\livecall.exe"=
"C:\\Program Files\\Internet Explorer\\iexplore.exe"=
"C:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
"C:\\Program Files\\Microsoft Office\\Office12\\GROOVE.EXE"=
"C:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"=
"C:\\WINDOWS\\system32\\lxdccoms.exe"=
"C:\\Program Files\\Lexmark 1300 Series\\lxdcamon.exe"=
"C:\\Program Files\\Lexmark 1300 Series\\App4R.exe"=
"C:\\WINDOWS\\system32\\spool\\drivers\\w32x86\\3\\lxdcpswx.exe"=
"C:\\WINDOWS\\system32\\spool\\drivers\\w32x86\\3\\lxdcjswx.exe"=
"C:\\WINDOWS\\system32\\spool\\drivers\\w32x86\\3\\lxdctime.exe"=
"C:\\WINDOWS\\system32\\spool\\drivers\\w32x86\\3\\lxdcwbgw.exe"=
"C:\\Program Files\\CallWave\\IAM.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3389:TCP"= 3389:TCPxpsp2res.dll,-22009
"1863:TCP"= 1863:TCP:MSN Messenger
"6891:TCP"= 6891:TCP:Open Port 1
"6892:TCP"= 6892:TCP:Open Port 2
"6893:TCP"= 6893:TCP:Open Port 3
"6894:TCP"= 6894:TCP:Open Port 4
"6895:TCP"= 6895:TCP:Open Port 5


[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\F]
\Shell\AutoRun\command - F:\LaunchU3.exe -a

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{a841e248-9851-11dc-aed3-c724e8a54708}]
\Shell\AutoRun\command - F:\LaunchU3.exe -a

.
Contents of the 'Scheduled Tasks' folder
"2008-02-05 19:32:18 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job"
- C:\Program Files\Apple Software Update\SoftwareUpdate.exe
"2008-06-23 00:42:06 C:\WINDOWS\Tasks\Symantec NetDetect.job"
- C:\Program Files\Symantec\LiveUpdate\NDETECT.EXE
.
**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-06-23 12:33:34
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ... 

scanning hidden autostart entries ...

scanning hidden files ... 

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

PROCESS: C:\WINDOWS\system32\winlogon.exe
-> C:\WINDOWS\system32\Ati2evxx.dll
.
Completion time: 2008-06-23 12:37:21
ComboFix-quarantined-files.txt  2008-06-23 17:37:16
ComboFix2.txt  2008-06-23 16:28:19

Pre-Run: 14,337,216,512 bytes free
Post-Run: 14,494,019,584 bytes free

333	--- E O F ---	2008-06-22 08:07:48


and the same for this it is also from the main account


----------



## squiggs (Jun 23, 2008)

well i have to go it is 12:45 pm central usa time and i will be back on about 7 central i hope i can get this resolved asap thank you for your help with yet another 
worm.win32.netboost


----------



## Punk (Jun 23, 2008)

No problem, I'm sure we can work during our time span.

The last Combofix log has deleted some files I wanted deleted, which is good.

When you get back please post a DSS log:



*: Download and Run DSS :*

Download *Deckard's System Scanner (DSS)* to your *Desktop*. You must be logged onto an account with administrator privileges.

*Close* all applications and windows.
*Double-click* on *dss.exe* to run it, and follow the prompts.
When the scan is complete, two text files will open - *main.txt* <- this one will be maximized and *extra.txt*<- this one will be minimized.
Copy *(Ctrl+A then Ctrl+C)* and paste *(Ctrl+V)* the contents of *main.txt* and the *extra.txt* in your reply.


----------



## squiggs (Jun 24, 2008)

Deckard's System Scanner v20071014.68
Run by Karah on 2008-06-23 20:05:47
Computer is in Normal Mode.
--------------------------------------------------------------------------------

-- System Restore --------------------------------------------------------------

Unable to create WMI object; The operation completed successfully.


Backed up registry hives.
Performed disk cleanup.

Total Physical Memory: 383 MiB (512 MiB recommended).


-- HijackThis (run as Karah.exe) -----------------------------------------------

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 20:07, on 6/23/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\Program Files\Spyware Doctor\pctsAuxs.exe
C:\Program Files\Spyware Doctor\pctsSvc.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Spyware Doctor\pctsTray.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\mmc.exe
C:\WINDOWS\system32\svchost.exe
E:\Documents\Downloads\dss.exe
C:\PROGRA~1\TRENDM~1\HIJACK~1\Karah.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = https://axiaecampus.phoenix.edu/secure/courseList.asp
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://yahoo.sbc.com/dsl
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = websearch.drsnsrch.com/q.cgi?q=
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = 
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Groove GFS Browser Helper - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\PROGRA~1\MICROS~4\Office12\GRA8E1~1.DLL
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: PeoplePal Toolbar - {A8FB8EB3-183B-4598-924D-86F0E5E37085} - c:\program files\peoplepc\toolbar\ppctoolbar.dll
O2 - BHO: CNavExtBho Class - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: (no name) - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - (no file)
O3 - Toolbar: PeoplePal Toolbar - {A8FB8EB3-183B-4598-924D-86F0E5E37085} - c:\program files\peoplepc\toolbar\ppctoolbar.dll
O3 - Toolbar: vrmdtneg - {266F6829-949E-4645-AAEA-1323B59E826C} - C:\WINDOWS\vrmdtneg.dll (file missing)
O4 - HKLM\..\Run: [MSConfig] C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto
O4 - HKLM\..\Run: [ISTray] "C:\Program Files\Spyware Doctor\pctsTray.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKUS\S-1-5-21-1332000860-4290386537-2851852715-1007\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe (User '?')
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: &AOL Toolbar search - res://C:\Program Files\AOL Toolbar\toolbar.dll/SEARCH.HTML
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\Office12\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\system32\msjava.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\system32\msjava.dll
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~4\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~4\Office12\ONBttnIE.dll
O9 - Extra button: AOL Toolbar - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - (no file)
O9 - Extra 'Tools' menuitem: AOL Toolbar - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - (no file)
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~4\Office12\REFIEBAR.DLL
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: Run IMVU - {d9288080-1baa-4bc4-9cf8-a92d743db949} - C:\Documents and Settings\Karah\Start Menu\Programs\IMVU\Run IMVU.lnk
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra button: (no name) - {6685509E-B47B-4f47-8E16-9A5F3A62F683} - file://C:\Program Files\Ebates_MoeMoneyMaker\Sy350\Tp350\scri350a.htm (file missing) (HKCU)
O14 - IERESET.INF: START_PAGE_URL=http://qus8l.hpwis.com
O16 - DPF: {48DD0448-9209-4F81-9F6D-D83562940134} (MySpace Uploader Control) - http://lads.myspace.com/upload/MySpaceUploader1005.cab
O16 - DPF: {49232000-16E4-426C-A231-62846947304B} (SysData Class) - http://ipgweb.cce.hp.com/rdqnbk/downloads/sysinfo.cab
O16 - DPF: {88D969C0-F192-11D4-A65F-0040963251E5} (XML DOM Document 4.0) - http://ipgweb.cce.hp.com/rdqnbk/downloads/msxml4.cab
O16 - DPF: {9600F64D-755F-11D4-A47F-0001023E6D5A} (Shutterfly Picture Upload Plugin) - http://web1.shutterfly.com/downloads/Uploader.cab
O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\PROGRA~1\MICROS~4\Office12\GR99D3~1.DLL
O21 - SSODL: xvorfwbd - {3A33E915-BB8D-44CD-9951-059622B33D48} - C:\WINDOWS\xvorfwbd.dll (file missing)
O21 - SSODL: wpvmqosg - {C309CF8C-5771-4F0E-B6A6-2C441F0A3A92} - C:\WINDOWS\wpvmqosg.dll (file missing)
O23 - Service: PC Tools Auxiliary Service (sdAuxService) - PC Tools - C:\Program Files\Spyware Doctor\pctsAuxs.exe
O23 - Service: PC Tools Security Service (sdCoreService) - PC Tools - C:\Program Files\Spyware Doctor\pctsSvc.exe

--
End of file - 6368 bytes

-- File Associations -----------------------------------------------------------

All associations okay.


-- Drivers: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled ---------------------

3 catchme - c:\combofix\catchme.sys (file missing)
3 DCamUSBSQTECH (Dual-Mode DSC(2770)) - c:\windows\system32\drivers\sqcaptur.sys <Not Verified; Service & Quality Technology.; SQ913>
3 naecd - c:\docume~1\karah\locals~1\temp\naecd.sys (file missing)
3 PhDebug32 - c:\bios\hr60\debug32.sys (file missing)

-- Services: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled --------------------

4 lxdc_device - c:\windows\system32\lxdccoms.exe
4 Microsoft Office Groove Audit Service - c:\program files\microsoft office\office12\grooveauditservice.exe
4 YPCService - c:\windows\system32\ypcservice.exe <Not Verified; Yahoo! Inc.; YPCService Module>


-- Device Manager: Disabled ----------------------------------------------------

Unable to create WMI object.

-- Scheduled Tasks -------------------------------------------------------------

2008-06-22 19:42:06       364 --a------ C:\WINDOWS\Tasks\Symantec NetDetect.job
2008-02-05 14:32:18       282 --a------ C:\WINDOWS\Tasks\AppleSoftwareUpdate.job


-- Files created between 2008-05-23 and 2008-06-23 -----------------------------

2008-06-23 11:42:24         0 d-------- C:\Program Files\Trend Micro
2008-06-23 10:55:01     68096 --a------ C:\WINDOWS\zip.exe
2008-06-23 10:55:01    161792 --a------ C:\WINDOWS\swreg.exe <Not Verified; SteelWerX; SteelWerX Registry Editor>
2008-06-23 10:55:01     98816 --a------ C:\WINDOWS\sed.exe
2008-06-23 10:55:01     80412 --a------ C:\WINDOWS\grep.exe
2008-06-23 10:55:01     89504 --a------ C:\WINDOWS\fdsv.exe <Not Verified; Smallfrogs Studio; >
2008-06-23 10:55:00     49152 --a------ C:\WINDOWS\VFind.exe
2008-06-23 10:55:00    212480 --a------ C:\WINDOWS\swxcacls.exe <Not Verified; SteelWerX; SteelWerX Extended Configurator ACLists>
2008-06-23 10:55:00    136704 --a------ C:\WINDOWS\swsc.exe <Not Verified; SteelWerX; SteelWerX Service Controller>
2008-06-23 10:44:21         0 d-------- C:\Program Files\Spyware Doctor
2008-06-23 10:44:21         0 d-------- C:\Documents and Settings\blah\Application Data\PC Tools
2008-06-23 10:42:20         0 d-------- C:\Documents and Settings\blah\Application Data\U3
2008-06-23 10:24:44         0 d--h----- C:\Documents and Settings\blah\Templates
2008-06-23 10:24:44         0 dr------- C:\Documents and Settings\blah\Start Menu
2008-06-23 10:24:44         0 dr-h----- C:\Documents and Settings\blah\SendTo
2008-06-23 10:24:44         0 dr-h----- C:\Documents and Settings\blah\Recent
2008-06-23 10:24:44         0 d--h----- C:\Documents and Settings\blah\PrintHood
2008-06-23 10:24:44   1048576 --ah----- C:\Documents and Settings\blah\NTUSER.DAT
2008-06-23 10:24:44         0 d--h----- C:\Documents and Settings\blah\NetHood
2008-06-23 10:24:44         0 dr------- C:\Documents and Settings\blah\My Documents
2008-06-23 10:24:44         0 d--h----- C:\Documents and Settings\blah\Local Settings
2008-06-23 10:24:44         0 dr------- C:\Documents and Settings\blah\Favorites
2008-06-23 10:24:44         0 d-------- C:\Documents and Settings\blah\Desktop
2008-06-23 10:24:44         0 d---s---- C:\Documents and Settings\blah\Cookies
2008-06-23 10:24:44         0 dr-h----- C:\Documents and Settings\blah\Application Data
2008-06-23 10:24:44         0 d-------- C:\Documents and Settings\blah\Application Data\Symantec
2008-06-23 10:24:44         0 d-------- C:\Documents and Settings\blah\Application Data\Sun
2008-06-23 10:24:44         0 d---s---- C:\Documents and Settings\blah\Application Data\Microsoft
2008-06-23 10:24:44         0 d-------- C:\Documents and Settings\blah\Application Data\Identities
2008-06-22 19:08:57    691545 --a------ C:\WINDOWS\unins002.exe
2008-06-22 19:08:57      2541 --a------ C:\WINDOWS\unins002.dat
2008-06-22 03:07:44         0 d-------- C:\Program Files\MSXML 4.0
2008-06-21 21:56:28     81920 --a------ C:\WINDOWS\neltabxw.exe
2008-06-21 21:56:23         0 d-------- C:\Documents and Settings\All Users\Application Data\ADSL Software Ltd
2008-06-21 00:47:24         0 d-------- C:\bios
2008-06-20 22:24:22     18340 --a------ C:\WINDOWS\DIIUnin.dat
2008-06-20 22:24:11      2829 --a------ C:\WINDOWS\DIIUnin.pif
2008-06-20 22:24:11     94208 --a------ C:\WINDOWS\DIIUnin.exe <Not Verified; Blizzard Entertainment; Diablo II Uninstaller>
2008-06-20 19:08:46     21840 --a-----t C:\WINDOWS\system32\SIntfNT.dll
2008-06-20 19:08:46     17212 --a-----t C:\WINDOWS\system32\SIntf32.dll
2008-06-20 19:08:45     12067 --a-----t C:\WINDOWS\system32\SIntf16.dll
2008-06-20 18:47:46         0 d-------- C:\Program Files\Diablo II
2008-06-13 21:37:57         0 d-------- C:\Documents and Settings\Karah\Application Data\Xfire


-- Find3M Report ---------------------------------------------------------------

2008-06-21 00:10:19         0 d--h----- C:\Program Files\InstallShield Installation Information
2008-06-20 20:00:06         0 d-------- C:\Program Files\CallWave
2008-06-20 19:58:43         0 d-------- C:\Program Files\Common Files
2008-06-13 21:37:56      3472 --a------ C:\WINDOWS\system32\d3d9caps.dat
2008-06-13 21:33:52         0 d-------- C:\Documents and Settings\Karah\Application Data\U3
2008-06-13 19:27:17         0 d-------- C:\Documents and Settings\Karah\Application Data\Adobe


-- Registry Dump ---------------------------------------------------------------

*Note* empty entries & legit default entries are not shown


[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{A8FB8EB3-183B-4598-924D-86F0E5E37085}]
06/12/2008 18:29	237056	--a------	c:\program files\peoplepc\toolbar\ppctoolbar.dll

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser]
"{A8FB8EB3-183B-4598-924D-86F0E5E37085}"= c:\program files\peoplepc\toolbar\ppctoolbar.dll [06/12/2008 18:29 237056]

[-HKEY_CLASSES_ROOT\CLSID\{A8FB8EB3-183B-4598-924D-86F0E5E37085}]
[HKEY_CLASSES_ROOT\PeoplePC.Toolbar.1]
[HKEY_CLASSES_ROOT\TypeLib\{994D628D-4D22-4DB9-B6DB-F7D9F1635817}]
[HKEY_CLASSES_ROOT\PeoplePC.Toolbar]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MSConfig"="C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe" [08/04/2004 02:56]
"ISTray"="C:\Program Files\Spyware Doctor\pctsTray.exe" [06/10/2008 21:22]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [08/04/2004 02:56]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"DisableRegistryTools"=0 (0x0)
"HideLegacyLogonScripts"=0 (0x0)
"HideLogoffScripts"=0 (0x0)
"RunLogonScriptSync"=1 (0x1)
"RunStartupScriptSync"=0 (0x0)
"HideStartupScripts"=0 (0x0)

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]
"HideLegacyLogonScripts"=0 (0x0)
"HideLogoffScripts"=0 (0x0)
"RunLogonScriptSync"=1 (0x1)
"RunStartupScriptSync"=0 (0x0)
"HideStartupScripts"=0 (0x0)

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad]
"xvorfwbd"= {3A33E915-BB8D-44CD-9951-059622B33D48} - C:\WINDOWS\xvorfwbd.dll [ ]
"wpvmqosg"= {C309CF8C-5771-4F0E-B6A6-2C441F0A3A92} - C:\WINDOWS\wpvmqosg.dll [ ]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\sdauxservice"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\sdcoreservice"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\vds]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{533C5B84-EC70-11D2-9505-00C04F79DEAF}]
@="Volume shadow copy"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Gamma Loader.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Adobe Gamma Loader.lnk
backup=C:\WINDOWS\pss\Adobe Gamma Loader.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^CallWave.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\CallWave.lnk
backup=C:\WINDOWS\pss\CallWave.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Quicken Scheduled Updates.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Quicken Scheduled Updates.lnk
backup=C:\WINDOWS\pss\Quicken Scheduled Updates.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^SBC Self Support Tool.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\SBC Self Support Tool.lnk
backup=C:\WINDOWS\pss\SBC Self Support Tool.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^Karah^Start Menu^Programs^Startup^Microsoft Office Groove.lnk]
path=C:\Documents and Settings\Karah\Start Menu\Programs\Startup\Microsoft Office Groove.lnk
backup=C:\WINDOWS\pss\Microsoft Office Groove.lnkStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^Karah^Start Menu^Programs^Startup^PowerReg Scheduler.exe]
path=C:\Documents and Settings\Karah\Start Menu\Programs\Startup\PowerReg Scheduler.exe
backup=C:\WINDOWS\pss\PowerReg Scheduler.exeStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AGRSMMSG]
AGRSMMSG.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Apoint]
C:\Program Files\Apoint2K\Apoint.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ATIModeChange]
Ati2mdxx.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ATIPTA]
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Bart Station]
C:\Program Files\PeoplePC\ISP6200\BIN\PPCOLink.exe -STATION

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BJCFD]
C:\Program Files\BroadJump\Client Foundation\CFD.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\CamMonitor]
C:\Program Files\Hewlett-Packard\Digital Imaging\Unload\hpqcmon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ccApp]
"C:\Program Files\Common Files\Symantec Shared\ccApp.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Cpqset]
C:\Program Files\HPQ\Default Settings\cpqset.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ctfmon.exe]
C:\WINDOWS\system32\ctfmon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\eabconfg.cpl]
C:\Program Files\HPQ\Quick Launch Buttons\EabServr.exe /Start

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\EbatesMoeMoneyMaker0]
"C:\Program Files\Ebates_MoeMoneyMaker\EbatesMoeMoneyMaker0.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\GrooveMonitor]
"C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HostManager]
C:\Program Files\Common Files\AOL\1128531912\EE\AOLHostManager.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IntelliPoint]
"C:\Program Files\Microsoft IntelliPoint\ipoint.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
"C:\Program Files\iTunes\iTunesHelper.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\lxdcamon]
"C:\Program Files\Lexmark 1300 Series\lxdcamon.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\lxdcmon.exe]
"C:\Program Files\Lexmark 1300 Series\lxdcmon.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Motive SmartBridge]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\msnmsgr]
"C:\Program Files\MSN Messenger\msnmsgr.exe" /background

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NCLaunch]
C:\WINDOWS\NCLAUNCH.EXe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ooqauywssv]
C:\WINDOWS\System32\lqaadj.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
"C:\Program Files\QuickTime\qttask.exe" -atboottime

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RealTray]
C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RoxioDragToDisc]
"C:\Program Files\Roxio\Easy CD Creator 6\DragToDisc\DrgToDsc.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RoxioEngineUtility]
"C:\Program Files\Common Files\Roxio Shared\System\EngUtil.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RunDLL]
rundll32.exe "C:\WINDOWS\Downloaded Program Files\bridge.dll",Load

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SpybotSD TeaTimer]
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Symantec NetDriver Monitor]
C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WebRebates0]
C:\Program Files\Web_Rebates\WebRebates0.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\YBrowser]
C:\Program Files\Yahoo!\browser\ybrwicon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"usnjsvc"=3 (0x3)
"Spooler"=2 (0x2)
"PlugPlay"=2 (0x2)
"Microsoft Office Groove Audit Service"=3 (0x3)
"lxdc_device"=2 (0x2)
"lxdcCATSCustConnectService"=2 (0x2)
"iPod Service"=3 (0x3)
"YPCService"=3 (0x3)
"xmlprov"=3 (0x3)
"WZCSVC"=2 (0x2)
"wuauserv"=2 (0x2)
"wscsvc"=2 (0x2)
"WmiApSrv"=3 (0x3)
"WmdmPmSN"=3 (0x3)
"WMDM PMSP Service"=2 (0x2)
"winmgmt"=2 (0x2)
"WebClient"=2 (0x2)
"W32Time"=2 (0x2)
"VSS"=3 (0x3)
"UPS"=3 (0x3)
"upnphost"=3 (0x3)
"UMWdf"=2 (0x2)
"TrkWks"=2 (0x2)
"Themes"=2 (0x2)
"TermService"=3 (0x3)
"TapiSrv"=3 (0x3)
"SysmonLog"=3 (0x3)
"SymWSC"=2 (0x2)
"SwPrv"=3 (0x3)
"stisvc"=2 (0x2)
"SSDPSRV"=3 (0x3)
"srservice"=2 (0x2)
"SNDSrvc"=3 (0x3)
"ShellHWDetection"=2 (0x2)
"SharedAccess"=2 (0x2)
"SENS"=2 (0x2)
"seclogon"=2 (0x2)
"Schedule"=2 (0x2)
"SCardSvr"=3 (0x3)
"SBService"=2 (0x2)
"SAVScan"=2 (0x2)
"SamSs"=2 (0x2)
"RSVP"=3 (0x3)
"RDSessMgr"=3 (0x3)
"RasMan"=3 (0x3)
"RasAuto"=3 (0x3)
"ProtectedStorage"=2 (0x2)
"PolicyAgent"=2 (0x2)
"ose"=3 (0x3)
"odserv"=3 (0x3)
"NtmsSvc"=3 (0x3)
"NtLmSsp"=3 (0x3)
"Nla"=3 (0x3)
"Netman"=3 (0x3)
"Netlogon"=3 (0x3)
"navapsvc"=2 (0x2)
"MSIServer"=3 (0x3)
"MSDTC"=3 (0x3)
"mnmsrvc"=3 (0x3)
"LmHosts"=2 (0x2)
"lanmanworkstation"=2 (0x2)
"lanmanserver"=2 (0x2)
"ImapiService"=3 (0x3)
"HTTPFilter"=3 (0x3)
"HidServ"=2 (0x2)
"helpsvc"=2 (0x2)
"FastUserSwitchingCompatibility"=3 (0x3)
"EventSystem"=3 (0x3)
"Eventlog"=2 (0x2)
"ERSvc"=2 (0x2)
"Dnscache"=2 (0x2)
"dmserver"=3 (0x3)
"dmadmin"=3 (0x3)
"Dhcp"=2 (0x2)
"CryptSvc"=3 (0x3)
"COMSysApp"=3 (0x3)
"clr_optimization_v2.0.50727_32"=3 (0x3)
"CiSvc"=3 (0x3)
"ccSetMgr"=2 (0x2)
"ccPwdSvc"=3 (0x3)
"ccEvtMgr"=2 (0x2)
"Browser"=2 (0x2)
"BITS"=2 (0x2)
"AudioSrv"=2 (0x2)
"Ati HotKey Poller"=2 (0x2)
"aspnet_state"=3 (0x3)
"AppMgmt"=3 (0x3)
"ALG"=3 (0x3)


[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\F]
AutoRun\command- F:\LaunchU3.exe -a

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{a841e248-9851-11dc-aed3-c724e8a54708}]
AutoRun\command- F:\LaunchU3.exe -a

*Newly Created Service* - SCARDSVR



-- End of Deckard's System Scanner: finished at 2008-06-23 20:10:19 ------------


----------



## squiggs (Jun 24, 2008)

Deckard's System Scanner v20071014.68
Extra logfile - please post this as an attachment with your post.
--------------------------------------------------------------------------------

-- System Information ----------------------------------------------------------

Unable to create WMI object.

Architecture: X86; Language: English

Percentage of Memory in Use: 66%
Physical Memory (total/avail): 382.98 MiB / 127.83 MiB
Pagefile Memory (total/avail): 919.25 MiB / 693.36 MiB
Virtual Memory (total/avail): 2047.88 MiB / 1952.81 MiB

C: is Fixed (NTFS) - 37.25 GiB total, 13.48 GiB free. 
D: is CDROM (No Media)
E: is Removable (FAT32)
F: is CDROM (CDFS)


-- Security Center -------------------------------------------------------------

AUOptions is scheduled to auto-install.
Windows Internal Firewall is enabled.

AntiVirusDisableNotify is set.

Unable to create WMI object.

-- Environment Variables -------------------------------------------------------

ALLUSERSPROFILE=C:\Documents and Settings\All Users
APPDATA=C:\Documents and Settings\Karah\Application Data
CLASSPATH=.;C:\Program Files\Java\j2re1.4.2\lib\ext\QTJava.zip
CLIENTNAME=Console
COLLECTIONID=COL8143
CommonProgramFiles=C:\Program Files\Common Files
COMPUTERNAME=PONCHO
ComSpec=C:\WINDOWS\system32\cmd.exe
FP_NO_HOST_CHECK=NO
HMSERVER=https://h30083.www3.hp.com/wuss/servlet/WUSSServlet
HOMEDRIVE=C:
HOMEPATH=\Documents and Settings\Karah
ITEMID=dj-22741-6
LANG=1033
LOGONSERVER=\\PONCHO
NUMBER_OF_PROCESSORS=1
OS=Windows_NT
OSVER=winXPH
Path=C:\WINDOWS\system32;C:\WINDOWS;C:\WINDOWS\system32\wbem;C:\Program Files\ATI Technologies\ATI Control Panel;C:\Program Files\Common Files\Roxio Shared\DLLShared;C:\Program Files\Common Files\Ulead Systems\MPEG;C:\Program Files\Ulead Systems\Ulead DVD MovieFactory 3 Disc Creator Trial;C:\Program Files\QuickTime\QTSystem
PATHEXT=.COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH
PROCESSOR_ARCHITECTURE=x86
PROCESSOR_IDENTIFIER=x86 Family 15 Model 2 Stepping 9, GenuineIntel
PROCESSOR_LEVEL=15
PROCESSOR_REVISION=0209
ProgramFiles=C:\Program Files
PROMPT=$P$G
QTJAVA=C:\Program Files\Java\j2re1.4.2\lib\ext\QTJava.zip
SESSIONID=1096274927663wuws05-ld55986:ff6f7fa468:-7a77
SESSIONNAME=Console
SWUTVER=1.0.3.1
SystemDrive=C:
SystemRoot=C:\WINDOWS
TEMP=C:\DOCUME~1\Karah\LOCALS~1\Temp
TIMEOUT=0
TMP=C:\DOCUME~1\Karah\LOCALS~1\Temp
TOOLPATH=/C:\Program%20Files\Hewlett-Packard\HP%20Software%20Update\install.htm
USERDOMAIN=PONCHO
USERNAME=Karah
USERPROFILE=C:\Documents and Settings\Karah
VERSION=3.0.2.97
windir=C:\WINDOWS


-- User Profiles ---------------------------------------------------------------

Karah _(admin)_
tony _(admin)_
blah _(admin)_
Administrator _(admin)_
Guest _(new local, guest)_


-- Add/Remove Programs ---------------------------------------------------------

 --> C:\PROGRA~1\SBCSEL~1\CustomUninstall.exe  SBC
 --> C:\PROGRA~1\Yahoo!\Common\unybase.exe
 --> C:\PROGRA~1\Yahoo!\MESSEN~1\UNWISE.EXE C:\PROGRA~1\Yahoo!\MESSEN~1\INSTALL.LOG
 --> C:\PROGRA~1\Yahoo!\PARENT~1\unypc.exe /S
 --> C:\WINDOWS\IsUninst.exe -fC:\WINDOWS\orun32.isu
 --> C:\WINDOWS\System32\regsvr32 /u /s C:\PROGRA~1\Yahoo!\Common\ymmapi.dll
 --> msiexec /package {90120000-0030-0000-0000-0000000FF1CE} /uninstall {926CC8AE-8414-43DF-8EB4-CF26D9C3C663}
 --> rundll32.exe setupapi.dll,InstallHinfSection DefaultUninstall 132 C:\WINDOWS\INF\PCHealth.inf
2 for 2 --> C:\PROGRA~1\eGames\2FOR2~1\UNWISE.EXE C:\PROGRA~1\eGames\2FOR2~1\INSTALL.LOG
3 castles --> C:\PROGRA~1\eGames\3CASTL~1\UNWISE.EXE C:\PROGRA~1\eGames\3CASTL~1\INSTALL.LOG
Ad-aware 6 Personal --> C:\PROGRA~1\Lavasoft\AD-AWA~1\UNWISE.EXE C:\PROGRA~1\Lavasoft\AD-AWA~1\INSTALL.LOG
Adobe Atmosphere Player for Acrobat and Adobe Reader --> C:\WINDOWS\atmoUn.exe
Adobe Flash Player 9 ActiveX --> C:\WINDOWS\system32\Macromed\Flash\FlashUtil9b.exe -uninstallDelete
Adobe Flash Player ActiveX --> C:\WINDOWS\system32\Macromed\Flash\uninstall_activeX.exe
Adobe Photoshop Album 2.0 Starter Edition --> MsiExec.exe /I{11B569C2-4BF6-4ED0-9D17-A4273943CB24}
Adobe Photoshop Elements 2.0 --> C:\WINDOWS\ISUNINST.EXE -f"C:\Program Files\Adobe\Photoshop Elements 2\Uninst.isu" -c"C:\Program Files\Adobe\Photoshop Elements 2\Uninst.dll"
Adobe Reader 6.0 --> MsiExec.exe /I{AC76BA86-7AD7-1033-7B44-000000000001}
Adobe Shockwave Player --> C:\WINDOWS\system32\Macromed\SHOCKW~1\UNWISE.EXE C:\WINDOWS\system32\Macromed\SHOCKW~1\Install.log
Agere Systems AC'97 Modem --> agrsmdel
Amazing Windows XP Screen Saver 1.2 --> C:\WINDOWS\unins001.exe
Ambush Pack 1.00 for Pocket Tanks Deluxe --> "C:\Program Files\Pocket Tanks\Pocket Tanks Deluxe\unins001.exe"
America Online (Choose which version to remove) --> C:\Program Files\Common Files\aolshare\aolunins_us.exe
Anark Client 1.0 --> C:\Program Files\Anark\Client\AMInstal.exe -uninstall
AOL Toolbar --> "C:\Program Files\AOL Toolbar\UNWISE.EXE" /u "C:\Program Files\AOL Toolbar\INSTALL.LOG"
Apple Software Update --> MsiExec.exe /I{A50C25D7-62E9-4511-AD70-8E2DA5E79B7D}
ArcSoft Software Suite --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{F57D8342-E2E4-46F4-915A-F50817CBCB45}\setup.exe" -l0x9 
ATI - Software Uninstall Utility --> C:\Program Files\ATI Technologies\UninstallAll\AtiCimUn.exe
ATI Control Panel --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{0BEDBD4E-2D34-47B5-9973-57E62B29307C}\setup.exe" 
ATI Display Driver --> rundll32 C:\WINDOWS\system32\atiiiexx.dll,_InfEngUnInstallINFFile_RunDLL@16 -force_restart -flags:0x2010001 -inf_classISPLAY -clean
Backyardigans Screen Saver --> C:\WINDOWS\NCUNINST.EXe REMOVE Backyardigans
BroadJump Client Foundation --> C:\WINDOWS\IsUninst.exe -f"C:\Program Files\BroadJump\Client Foundation\Uninst.isu" -c"C:\Program Files\BroadJump\Client Foundation\RmvBJCFD.dll" -b"CFD" -h"CFD" -a
CallWave --> C:\Program Files\CallWave\IAM.exe -remove
CC_ccStart --> MsiExec.exe /I{D6414CC7-F215-467F-88B1-546ED863F35B}
ccCommon --> MsiExec.exe /I{DC367608-64A7-4BF7-92F4-8BAA25BA02DB}
CEP - Color Enable Package --> "C:\PROGRA~1\EAGAME~1\zCEP_Uninstaller\unins000.exe"
Chaos Pack 1.00 for Pocket Tanks Deluxe --> "C:\Program Files\Pocket Tanks\Pocket Tanks Deluxe\unins002.exe"
Charmed --> C:\PROGRA~1\eGames\Charmed\UNWISE.EXE C:\PROGRA~1\eGames\Charmed\INSTALL.LOG
Checkers --> C:\PROGRA~1\eGames\Checkers\UNWISE.EXE C:\PROGRA~1\eGames\Checkers\INSTALL.LOG
Diablo II --> C:\WINDOWS\DIIUnin.exe C:\WINDOWS\DIIUnin.dat
Diablo II --> C:\WINDOWS\DIIUnin.exe C:\WINDOWS\DIIUnin.dat
DivX Player --> C:\Program Files\DivX\DivXPlayerUninstall.exe /PLAYER
DivX Pro Trial --> C:\Program Files\DivX\DivXCodecUninstall.exe /CODEC
Driver Detective --> C:\Program Files\InstallShield Installation Information\{621C02EA-AAFF-4026-A903-165D59529A16}\setup.exe -runfromtemp -l0x0409
Easy CD & DVD Creator 6 --> MsiExec.exe /I{46DDF76F-ACD4-42BC-B48F-B89C4EE2E1A9}
easy Internet sign-up --> C:\PROGRA~1\COMMON~1\INSTAL~1\Driver\7\INTEL3~1\IDriver.exe /M{0613467F-A45E-4CB1-9ECE-1F3DD79FB927} /l1033 
EAX Unified --> C:\WINDOWS\IsUninst.exe -f"C:\Program Files\Creative\EAX Unified\Uninst.isu"
eGames Master's Edition 151 --> C:\PROGRA~1\eGames\EGAMES~1\UNWISE.EXE C:\PROGRA~1\eGames\EGAMES~1\INSTALL.LOG
Eleven --> C:\PROGRA~1\eGames\Eleven\UNWISE.EXE C:\PROGRA~1\eGames\Eleven\INSTALL.LOG
Final Fantasy XI Theme Installer --> MsiExec.exe /X{6A6E8061-E1E6-4556-9780-29C85C794E02}
Fireworks Pack v1.0 for Pocket Tanks Deluxe --> "C:\Program Files\Pocket Tanks\Pocket Tanks Deluxe\unins003.exe"
Flamethrower Pack 1.00 for Pocket Tanks Deluxe --> "C:\Program Files\Pocket Tanks Deluxe\unins000.exe"
Gems 3D --> C:\PROGRA~1\eGames\GEMS3D~1\UNWISE.EXE C:\PROGRA~1\eGames\GEMS3D~1\INSTALL.LOG
Gold Pack v1.0 for Pocket Tanks Deluxe --> "C:\Program Files\Pocket Tanks\Pocket Tanks Deluxe\Pocket Tanks Deluxe\unins000.exe"
Gravity Pack v1.0 for Pocket Tanks Deluxe --> "C:\Program Files\Pocket Tanks\Pocket Tanks Deluxe\unins004.exe"
HijackThis 2.0.2 --> "C:\Program Files\Trend Micro\HijackThis\HijackThis.exe" /uninstall
Holiday Snowflakes Screen Saver 1.2 --> C:\WINDOWS\unins000.exe
HP Deskjet Preloaded Printer Drivers --> MsiExec.exe /X{F419D20A-7719-4639-8E30-C073A040D878}
HP Memories Disc --> MsiExec.exe /X{B376402D-58EA-45EA-BD50-DD924EB67A70}
HP Photo and Imaging 2.0 - Photosmart Cameras --> MsiExec.exe /X{5D7F0A0E-369E-46C0-9F99-FAB21A064781}
InterActual Player --> C:\Program Files\InterActual\InterActual Player\inuninst.exe
InterVideo WinDVD --> "C:\Program Files\InstallShield Installation Information\{98E8A2EF-4EAE-43B8-A172-74842B764777}\setup.exe" REMOVEALL
iPod for Windows 2005-01-11 --> C:\Program Files\Common Files\InstallShield\Driver\8\Intel 32\IDriver.exe /M{3476E8FA-00F1-48AF-8771-236C84FC7CB8} /l1033 
iTunes --> MsiExec.exe /I{446DBFFA-4088-48E3-8932-74316BA4CAE4}
Java 2 Runtime Environment Standard Edition v1.3.1_02 --> C:\WINDOWS\IsUninst.exe -f"C:\Program Files\JavaSoft\JRE\1.3.1_02\Uninst.isu"
Java 2 Runtime Environment, SE v1.4.2 --> MsiExec.exe /I{7148F0A8-6813-11D6-A77B-00B0D0142000}
Lexmark 1300 Series --> C:\Program Files\Lexmark 1300 Series\Install\x86\Uninst.exe
LiveReg (Symantec Corporation) --> C:\Program Files\Common Files\Symantec Shared\LiveReg\VcSetup.exe /REMOVE
LiveUpdate 2.6 (Symantec Corporation) --> C:\Program Files\Symantec\LiveUpdate\LSETUP.EXE /U
Living Frisky Screen Saver --> C:\WINDOWS\Living Frisky.scr /u
Mahjongg Master 3 Special Edition --> C:\PROGRA~1\eGames\MAHJON~1\UNWISE.EXE C:\PROGRA~1\eGames\MAHJON~1\INSTALL.LOG
Max Solitaire --> C:\PROGRA~1\eGames\MAXSOL~1\UNWISE.EXE C:\PROGRA~1\eGames\MAXSOL~1\INSTALL.LOG
Meteor Pack 1.00 for Pocket Tanks Deluxe --> "C:\Program Files\Pocket Tanks Deluxe\unins001.exe"
Microsoft Data Access Components KB870669 --> C:\WINDOWS\muninst.exe C:\WINDOWS\INF\KB870669.inf
Microsoft Money 2004 --> MsiExec.exe /I{1D643CD7-4DD6-11D7-A4E0-000874180BB3}
Microsoft Money 2004 System Pack --> MsiExec.exe /I{8C64E145-54BA-11D6-91B1-00500462BE80}
Microsoft Office Access MUI (English) 2007 --> MsiExec.exe /X{90120000-0015-0409-0000-0000000FF1CE}
Microsoft Office Access Setup Metadata MUI (English) 2007 --> MsiExec.exe /X{90120000-0117-0409-0000-0000000FF1CE}
Microsoft Office Enterprise 2007 --> "C:\Program Files\Common Files\Microsoft Shared\OFFICE12\Office Setup Controller\setup.exe" /uninstall ENTERPRISE /dll OSETUP.DLL
Microsoft Office Enterprise 2007 --> MsiExec.exe /X{90120000-0030-0000-0000-0000000FF1CE}
Microsoft Office Excel MUI (English) 2007 --> MsiExec.exe /X{90120000-0016-0409-0000-0000000FF1CE}
Microsoft Office Groove MUI (English) 2007 --> MsiExec.exe /X{90120000-00BA-0409-0000-0000000FF1CE}
Microsoft Office Groove Setup Metadata MUI (English) 2007 --> MsiExec.exe /X{90120000-0114-0409-0000-0000000FF1CE}
Microsoft Office InfoPath MUI (English) 2007 --> MsiExec.exe /X{90120000-0044-0409-0000-0000000FF1CE}
Microsoft Office OneNote MUI (English) 2007 --> MsiExec.exe /X{90120000-00A1-0409-0000-0000000FF1CE}
Microsoft Office Outlook MUI (English) 2007 --> MsiExec.exe /X{90120000-001A-0409-0000-0000000FF1CE}
Microsoft Office PowerPoint MUI (English) 2007 --> MsiExec.exe /X{90120000-0018-0409-0000-0000000FF1CE}
Microsoft Office Proof (English) 2007 --> MsiExec.exe /X{90120000-001F-0409-0000-0000000FF1CE}
Microsoft Office Proof (French) 2007 --> MsiExec.exe /X{90120000-001F-040C-0000-0000000FF1CE}
Microsoft Office Proof (Spanish) 2007 --> MsiExec.exe /X{90120000-001F-0C0A-0000-0000000FF1CE}
Microsoft Office Proofing (English) 2007 --> MsiExec.exe /X{90120000-002C-0409-0000-0000000FF1CE}
Microsoft Office Publisher MUI (English) 2007 --> MsiExec.exe /X{90120000-0019-0409-0000-0000000FF1CE}
Microsoft Office Shared MUI (English) 2007 --> MsiExec.exe /X{90120000-006E-0409-0000-0000000FF1CE}
Microsoft Office Shared Setup Metadata MUI (English) 2007 --> MsiExec.exe /X{90120000-0115-0409-0000-0000000FF1CE}
Microsoft Office Word MUI (English) 2007 --> MsiExec.exe /X{90120000-001B-0409-0000-0000000FF1CE}
Microsoft Visual C++ 2005 Redistributable --> MsiExec.exe /X{7299052b-02a4-4627-81f2-1818da5d550d}
Microsoft Works 7.0 --> MsiExec.exe /I{764D06D8-D8DE-411E-A1C8-D9E9380F8A84}
MSRedist --> MsiExec.exe /I{FC37ABD0-2108-4beb-B010-1254E0662B5A}
MUSICMATCH® Jukebox --> C:\PROGRA~1\MUSICM~1\MUSICM~1\unmatch.exe
Network Play System (Patching) --> C:\WINDOWS\IsUninst.exe -f"C:\Program Files\Electronic Arts\Network Play System\NPSPatch.isu"
Norton AntiVirus 2004 --> MsiExec.exe /X{C6F5B6CF-609C-428E-876F-CA83176C021B}
Norton AntiVirus 2004 (Symantec Corporation) --> C:\Program Files\Common Files\Symantec Shared\SymSetup\{C6F5B6CF-609C-428E-876F-CA83176C021B}.exe /X
Norton AntiVirus Parent MSI --> MsiExec.exe /I{E5EE9939-259F-4DE2-8023-5C49E16A4F43}
Norton WMI Update --> MsiExec.exe /X{1526D87C-A955-4FAB-BF18-697BA457E352}
Nuke Pack 1.00 for Pocket Tanks Deluxe --> "C:\Program Files\Pocket Tanks Deluxe\unins002.exe"
PCI 1620 Cardbus Controller and Software --> C:\PROGRA~1\COMMON~1\INSTAL~1\Driver\7\INTEL3~1\IDriver.exe /M{97355297-21C8-40CD-96D3-48E58037A9B8} /l1033 
PeoplePC Online --> C:\WINDOWS\system32\PPCOUNIN.EXE
PeoplePC: PeoplePal Toolbar 6.2 --> C:\WINDOWS\system32\ppaluninst.exe
Pocket Tanks Deluxe 1.00a --> "C:\Program Files\Pocket Tanks\Pocket Tanks Deluxe\unins000.exe"
Pocket Tanks v1.1 --> "C:\Program Files\Pocket Tanks\unins000.exe"
Puzzle Master 2 Special Edition --> C:\PROGRA~1\eGames\PUZZLE~1\UNWISE.EXE C:\PROGRA~1\eGames\PUZZLE~1\INSTALL.LOG
Quick Launch Buttons 4.20 A5 --> C:\WINDOWS\IsUninst.exe -f"C:\Program Files\HPQ\Quick Launch Buttons\Uninst.isu" -c"C:\Program Files\HPQ\Quick Launch Buttons\EABINST.DLL"
Quicken 2004 --> C:\PROGRA~1\COMMON~1\INSTAL~1\Driver\7\INTEL3~1\IDriver.exe /M{54DE0B75-6CD9-44C4-B10A-1F25DA9899D8} anything
QuickTime --> MsiExec.exe /I{50D8FFDD-90CD-4859-841F-AA1961C7767A}
RealPlayer Basic --> C:\Program Files\Common Files\Real\Update\\rnuninst.exe RealNetworks|RealPlayer|6.0
Security Update for CAPICOM (KB931906) --> MsiExec.exe /I{0EFDF2F9-836D-4EB7-A32D-038BD3F1FB2A}
Security Update for CAPICOM (KB931906) --> MsiExec.exe /X{0EFDF2F9-836D-4EB7-A32D-038BD3F1FB2A}
Security Update for Excel 2007 (KB946974) --> msiexec /package {90120000-0030-0000-0000-0000000FF1CE} /uninstall {85E83E2E-AF9B-439B-B4F9-EB9B7EF6A00E}
Security Update for Microsoft Office Publisher 2007 (KB950114) --> msiexec /package {90120000-0030-0000-0000-0000000FF1CE} /uninstall {F9C3CDBA-1F00-4D4D-959D-75C9D3ACDD85}
Security Update for Microsoft Office system 2007 (KB951808) --> msiexec /package {90120000-0030-0000-0000-0000000FF1CE} /uninstall {8F375E11-4FD6-4B89-9E2B-A76D48B51E00}
Security Update for Microsoft Office Word 2007 (KB950113) --> msiexec /package {90120000-0030-0000-0000-0000000FF1CE} /uninstall {AD72BABE-C733-4FCF-9674-4314466191B9}
Security Update for Office 2007 (KB934062) --> msiexec /package {90120000-0030-0000-0000-0000000FF1CE} /uninstall {305D509B-F194-4638-9F0F-D9E4C05F9D33}
Security Update for Office 2007 (KB947801) --> msiexec /package {90120000-0030-0000-0000-0000000FF1CE} /uninstall {02B5A17B-01BE-4BA6-95F1-1CBB46EBC76E}
Security Update for Outlook 2007 (KB946983) --> msiexec /package {90120000-0030-0000-0000-0000000FF1CE} /uninstall {66B9496E-C0C3-4065-9868-85CCA92126C3}
Security Update for Step By Step Interactive Training (KB898458) --> "C:\WINDOWS\$NtUninstallKB898458$\spuninst\spuninst.exe"
Security Update for Step By Step Interactive Training (KB923723) --> "C:\WINDOWS\$NtUninstallKB923723$\spuninst\spuninst.exe"
Security Update for the 2007 Microsoft Office System (KB936960) --> msiexec /package {90120000-0030-0000-0000-0000000FF1CE} /uninstall {5E5BD655-7AA9-47F9-BB6D-A1D8CE29AC86}
SHOUTcast Source DSP 1.8.2 (remove only) --> C:\Program Files\Winamp\uninst-dsp.exe
Snowball Pack v1.0 for Pocket Tanks Deluxe --> "C:\Program Files\Pocket Tanks\unins001.exe"
SoundMAX --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{F0A37341-D692-11D4-A984-009027EC0A9C}\Setup.exe" 
Spybot - Search & Destroy --> "C:\Program Files\Spybot - Search & Destroy\unins001.exe"
Spybot - Search & Destroy 1.5.2.20 --> "C:\WINDOWS\unins002.exe"
Spyware Doctor 6.0 --> C:\Program Files\Spyware Doctor\unins000.exe /LOG
Super Pack v1.1 for Pocket Tanks Deluxe --> "C:\Program Files\Pocket Tanks\unins002.exe"
Symantec Script Blocking Installer --> MsiExec.exe /I{D327AFC9-7BAA-473A-8319-6EB7A0D40138}
SymNet --> MsiExec.exe /I{E47EE8FB-ACC0-4608-859C-4E2851B18A6A}
The Sims 2 --> C:\Program Files\EA GAMES\The Sims 2\EAUninstall.exe
The Sims 2 Nightlife --> C:\Program Files\EA GAMES\The Sims 2 Nightlife\EAUninstall.exe
The Sims 2 Pets --> C:\Program Files\EA GAMES\The Sims 2 Pets\EAUninstall.exe
Themexp.org File --> C:\PROGRA~1\themexp\THEMEX~1.ORG\UNWISE.EXE C:\PROGRA~1\themexp\THEMEX~1.ORG\INSTALL.LOG
Update for Office 2007 (KB932080) --> msiexec /package {90120000-0030-0000-0000-0000000FF1CE} /uninstall {EDC9CA29-6BC1-471C-828C-7A36109005D7}
Update for Office 2007 (KB934391) --> msiexec /package {90120000-0030-0000-0000-0000000FF1CE} /uninstall {B3091818-7C56-4C45-BE7D-CA23027A5EA5}
Update for Office 2007 (KB946691) --> msiexec /package {90120000-0030-0000-0000-0000000FF1CE} /uninstall {A420F522-7395-4872-9882-C591B4B92278}
Update for Outlook 2007 Junk Email Filter (kb950378) --> msiexec /package {90120000-0030-0000-0000-0000000FF1CE} /uninstall {F6296086-AED5-4EC0-938B-08EA0254F20E}
Winamp (remove only) --> "C:\Program Files\Winamp\UninstWA.exe"
Windows Live Messenger --> MsiExec.exe /I{571700F0-DB9D-4B3A-B03D-35A14BB5939F}
Windows Live Sign-in Assistant --> MsiExec.exe /I{49672EC2-171B-47B4-8CE7-50D7806360D7}
Windows XP Winter Fun Pack Screensavers --> MsiExec.exe /I{27D0C7AB-59F1-4D4D-A0BB-05A31AC919EA}
WinZip --> "C:\Program Files\WinZip\WINZIP32.EXE" /uninstall


-- Application Event Log -------------------------------------------------------

No Errors/Warnings found.


-- Security Event Log ----------------------------------------------------------

No Errors/Warnings found.


-- System Event Log ------------------------------------------------------------

No Errors/Warnings found.


-- End of Deckard's System Scanner: finished at 2008-06-23 20:10:19 ------------


----------



## Punk (Jun 24, 2008)

*Download Avenger, and unzip it to your desktop or somewhere you can find it.Â  (Do not run it yet).*

Note: This program is for use on Windows XP *32 bit* systems only, and must be run from an Administrator account.


Open a *Notepad* file by clicking *Start > Run*Â  and typing *Notepad.exe* in the box, click *OK*.
Click *Format*, and ensure *Word Wrap* is unchecked.
Copy and Paste the text in the box below into *Notepad*.
Now save the file as *RemoveFiles.txt* in a location where you can find it.



> Files to delete:
> C:\WINDOWS\fdsv.exe



Note: the above code was created specifically for this user. If you are not this user, do *NOT* follow these directions as they could damage the workings of your system.

Start *Avenger* by double clicking on *Avenger.exe*.

Check *Load script from file:*
Click on the *folder symbol* below and to the right, and browse to *RemoveFiles.txt*.
Double click it to enter it into Avenger.
Click the *green traffic light symbol*.
You will be asked if you want to execute the script, answer *Yes*.
At this point you may get prompts from your protection systems, allow them please.
Avenger will set itself up to run the next time you re-boot, and will prompt you to re-start immediately.
Answer *Yes*, and allow your computer to re-boot.
Upon re-boot a command window will briefly appear on screen (this is normal).
A Notepad text file will be created *C:\avenger.txt*.
*Copy and Paste it into your next post please.*


Download *SDFix* and save it to your Desktop.

Double click *SDFix.exe* and it will extract the files to %systemdrive%
(Drive that contains the Windows Directory, typically C:\SDFix)

Please then reboot your computer in *Safe Mode* by doing the following :
Restart your computer
After hearing your computer beep once during startup, but before the Windows icon appears, tap the F8 key continually;
Instead of Windows loading as normal, the Advanced Options Menu should appear;
Select the first option, to run Windows in Safe Mode, then press *Enter*.
Choose your usual account.
 Open the extracted SDFix folder and double click *RunThis.bat* to start the script.
 Type *Y* to begin the cleanup process.
 It will remove any Trojan Services and Registry Entries that it finds then prompt you to press any key to Reboot.
 Press any Key and it will restart the PC.
 When the PC restarts the Fixtool will run again and complete the removal process then display *Finished*, press any key to end the script and load your desktop icons.
 Once the desktop icons load the SDFix report will open on screen and also save into the SDFix folder as *Report.txt*
(Report.txt will also be copied to Clipboard ready for posting back on the forum).
 Finally paste the contents of the Report.txt back on the forum with a new HijackThis log

*Download and Run ComboFix*
*If you already have Combofix, please delete this copy and download it again as it's being updated regularly.*

*Download this file* from one of the three below listed places :

http://download.bleepingcomputer.com/sUBs/ComboFix.exe
http://www.forospyware.com/sUBs/ComboFix.exe
http://subs.geekstogo.com/ComboFix.exe

Then double click *combofix.exe* & follow the prompts.
When finished, it shall produce *a log* for you. *Post that log* in your next reply
*Note: Do not mouseclick combofix's window whilst it's running. That may cause it to stall*

Combofix should never take more that 20 minutes including the reboot if malware is detected.
If it does, open *Task Manager* then *Processes* tab (press ctrl, alt and del at the same time) and end any processes of *findstr, find, sed or swreg*, then combofix should continue.
If that happened we want to know, and also what process you had to end.


----------



## squiggs (Jun 26, 2008)

well it wasnt till today and it keeps saying that the pages i go to have malicious possablilys i will post new logs


----------



## squiggs (Jun 26, 2008)

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 23:46, on 2008-06-25
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\lxdcserv.exe
C:\WINDOWS\system32\lxdccoms.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\Program Files\Norton AntiVirus\SAVScan.exe
C:\Program Files\Spyware Doctor\pctsAuxs.exe
C:\Program Files\Spyware Doctor\pctsSvc.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\wdfmgr.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\WINDOWS\System32\wbem\wmiapsrv.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
C:\WINDOWS\System32\alg.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\Program Files\Spyware Doctor\pctsTray.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\NCLAUNCH.EXe
C:\Program Files\CallWave\IAM.exe
C:\WINDOWS\system32\cmd.exe
C:\DOCUME~1\Karah\LOCALS~1\Temp\dssec.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLLoginProxy.exe
C:\WINDOWS\System32\wbem\wmiprvse.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = https://axiaecampus.phoenix.edu/secure/courseList.asp
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://yahoo.sbc.com/dsl
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = websearch.drsnsrch.com/q.cgi?q=
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = 
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: (no name) - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - (no file)
O3 - Toolbar: PeoplePal Toolbar - {A8FB8EB3-183B-4598-924D-86F0E5E37085} - c:\program files\peoplepc\toolbar\ppctoolbar.dll
O3 - Toolbar: (no name) - {266F6829-949E-4645-AAEA-1323B59E826C} - (no file)
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer
O4 - HKLM\..\Run: [MSConfig] C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto
O4 - HKLM\..\Run: [4a8733d9] rundll32.exe "C:\WINDOWS\system32\wsvgasij.dll",b
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKCU\..\Run: [NCLaunch] C:\WINDOWS\NCLAUNCH.EXe
O4 - Startup: Microsoft Office Groove.lnk = C:\Program Files\Microsoft Office\Office12\GROOVE.EXE
O4 - Global Startup: Adobe Gamma Loader.lnk = ?
O4 - Global Startup: CallWave.lnk = C:\Program Files\CallWave\IAM.exe
O4 - Global Startup: Quicken Scheduled Updates.lnk = C:\Program Files\Quicken\bagent.exe
O4 - Global Startup: SBC Self Support Tool.lnk = C:\Program Files\SBC Self Support Tool\bin\matcli.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\Office12\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\system32\msjava.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\system32\msjava.dll
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~4\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~4\Office12\ONBttnIE.dll
O9 - Extra button: AOL Toolbar - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - (no file)
O9 - Extra 'Tools' menuitem: AOL Toolbar - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - (no file)
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~4\Office12\REFIEBAR.DLL
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: Run IMVU - {d9288080-1baa-4bc4-9cf8-a92d743db949} - C:\Documents and Settings\Karah\Start Menu\Programs\IMVU\Run IMVU.lnk
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra button: (no name) - {6685509E-B47B-4f47-8E16-9A5F3A62F683} - file://C:\Program Files\Ebates_MoeMoneyMaker\Sy350\Tp350\scri350a.htm (file missing) (HKCU)
O14 - IERESET.INF: START_PAGE_URL=http://qus8l.hpwis.com
O16 - DPF: {48DD0448-9209-4F81-9F6D-D83562940134} - http://lads.myspace.com/upload/MySpaceUploader1005.cab
O16 - DPF: {49232000-16E4-426C-A231-62846947304B} - http://ipgweb.cce.hp.com/rdqnbk/downloads/sysinfo.cab
O16 - DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} (Windows Live Safety Center Base Module) - http://cdn.scan.onecare.live.com/resource/download/scanner/wlscbase9563.cab
O16 - DPF: {88D969C0-F192-11D4-A65F-0040963251E5} (XML DOM Document 4.0) - http://ipgweb.cce.hp.com/rdqnbk/downloads/msxml4.cab
O16 - DPF: {9600F64D-755F-11D4-A47F-0001023E6D5A} - http://web1.shutterfly.com/downloads/Uploader.cab
O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\PROGRA~1\MICROS~4\Office12\GR99D3~1.DLL
O21 - SSODL: xvorfwbd - {3A33E915-BB8D-44CD-9951-059622B33D48} - (no file)
O21 - SSODL: wpvmqosg - {C309CF8C-5771-4F0E-B6A6-2C441F0A3A92} - (no file)
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: iPod Service - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: lxdcCATSCustConnectService - Lexmark International, Inc. - C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\\lxdcserv.exe
O23 - Service: lxdc_device -   - C:\WINDOWS\system32\lxdccoms.exe
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton AntiVirus\SAVScan.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: PC Tools Auxiliary Service (sdAuxService) - PC Tools - C:\Program Files\Spyware Doctor\pctsAuxs.exe
O23 - Service: PC Tools Security Service (sdCoreService) - PC Tools - C:\Program Files\Spyware Doctor\pctsSvc.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
O23 - Service: YPCService - Yahoo! Inc. - C:\WINDOWS\system32\YPCSER~1.EXE

--
End of file - 8511 bytes


----------



## Briguy (Jun 26, 2008)

squiggs said:


> well it wasnt till today and it keeps saying that the pages i go to have malicious possablilys i will post new logs



This is what I found on that. I would do this:

You have unwittingly launched a very nasty Smitfraud program that is falsely reporting "worm.win32.netbooster" as the infection. Smitfraud applications are programs that are used to download rogue security products and change the user's desktop to display false warnings that the computer is infected with spyware.

If your computer has become infected with one of these "spyware removal programs," you probably downloaded an infected codec program when you tried to watch a video online (usually purporting to be an x-rated celebrity video) or you may have been hit by a "drive-by" installation of Smitfraud.

Smitfraud attacks show fake antispyware programs popups on your screen and/or a balloon popup from the windows system tray displaying a warning message that your computer is infected with spyware (here it is falsely calling it worm.win32.netbooster) and telling you to purchase, download & install their program to remove it. Often, it will hijack your desktop and publish a warning message in big letters (with their weblink) on your desktop wallpaper. The infection will usually alter the settings of your current virus protection software (including Norton and McAfee) and render it powerless to delete the infection. The Smitfraud application will also typically disable your ability to launch the task manager with the alt-ctrl-del keys, too.

DO NOT BUY THE ANTISPYWARE PROGRAM THAT IS BEING ADVERTISED ON YOUR WALLPAPER AND IN THE POPUPS. The creator of the bogus popups is an affiliate of the particular antispyware program they are promoting, so each time an unsuspecting user purchases the advertised program in hopes of removing the trojan the person behind the attack gets paid. Not a very ethical way of selling an antispyware, antivirus, or other computer pest removal product.

Here is the 100% FREE solution I found on http://www.bleepingcomputer.com that worked for me:

1. Download and install the Smitfraudfix tool in the link below.
http://siri.urz.free.fr/Fix/SmitfraudFix...

2. Download and install Super Antispyware. Update definitions.
http://www.superantispyware.com/

3. Run both programs (Smitfraudfix first) after you start your operating system is in safe mode. Follow the instructions carefully for Smitfraudfix. Allow Super Antispyware to quarantine whatever it finds.

To learn how to run your operating system in safe mode:
http://www.bleepingcomputer.com/tutorial...

3. Reboot in normal mode. Run the Bit Defender online scan (no download necessary). Allow it to quarantine whatever it finds.
http://www.bitdefender.com/scan8/ie.html

4. Download and run RogueRemover. Select "Scan" and follow the steps indicated. 
http://www.malwarebytes.org/rogueremover...

You can continue to follow-up with Spybot and AdAware ----I would get these) if you desire. Of course, you should also keep your regular anti-virus software up-to-date and scan regularly; hopefully it will be working well again after the infection is removed. Be sure to restore the settings which the Smitfraud program altered. Smitfraud apps are quite nasty, and it may take a while to remove all traces.


----------



## Punk (Jun 26, 2008)

Lol at above...

Ok still a few files, I want to see if combofix will get rid of them. If so, good, if not I'll do it manually.

*Download and Run ComboFix*
*If you already have Combofix, please delete this copy and download it again as it's being updated regularly.*

*Download this file* from one of the three below listed places :

http://download.bleepingcomputer.com/sUBs/ComboFix.exe
http://www.forospyware.com/sUBs/ComboFix.exe
http://subs.geekstogo.com/ComboFix.exe

Then double click *combofix.exe* & follow the prompts.
When finished, it shall produce *a log* for you. *Post that log* in your next reply
*Note: Do not mouseclick combofix's window whilst it's running. That may cause it to stall*

Combofix should never take more that 20 minutes including the reboot if malware is detected.
If it does, open *Task Manager* then *Processes* tab (press ctrl, alt and del at the same time) and end any processes of *findstr, find, sed or swreg*, then combofix should continue.
If that happened we want to know, and also what process you had to end.


By the way, if you want to get rid of the infection please follow my instructions, that includes the SDFix instruction.


----------



## squiggs (Jun 27, 2008)

ComboFix 08-06-20.4 - Karah 2008-06-27  3:21:49.9 - NTFSx86
Running from: C:\Documents and Settings\All Users\Desktop\ComboFix.exe

*WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!*
.

(((((((((((((((((((((((((((((((((((((((   Other Deletions   )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
---- Previous Run -------
.
C:\Program Files\Antivirus 2008 PRO
C:\Program Files\Antivirus 2008 PRO\antivirus-2008pro.exe
C:\Program Files\Antivirus 2008 PRO\vscan.tsi
C:\Program Files\Antivirus 2008 PRO\zlib.dll
C:\WINDOWS\cookies.ini
C:\WINDOWS\enlx.exe
C:\WINDOWS\system32\awtuuvWm.dll
C:\WINDOWS\system32\baHklUvw.ini
C:\WINDOWS\system32\baHklUvw.ini2
C:\WINDOWS\system32\CIPWFfii.ini
C:\WINDOWS\system32\CIPWFfii.ini2
C:\WINDOWS\system32\iapmehrp.ini
C:\WINDOWS\system32\iifFWPIC.dll
C:\WINDOWS\system32\jisagvsw.ini
C:\WINDOWS\system32\kjjklnmp.ini
C:\WINDOWS\system32\kjjklnmp.ini2
C:\WINDOWS\system32\mWvuutwa.ini
C:\WINDOWS\system32\mWvuutwa.ini2
C:\WINDOWS\system32\ooxpdkrv.ini
C:\WINDOWS\system32\pmnlkjjk.dll
C:\WINDOWS\system32\vpjactsw.ini
C:\WINDOWS\system32\wvUlkHab.dll

.
(((((((((((((((((((((((((   Files Created from 2008-05-27 to 2008-06-27  )))))))))))))))))))))))))))))))
.

2008-06-27 02:52 . 2008-06-27 02:52	294	---hs----	C:\WINDOWS\system32\ooxpdkrv.ini
2008-06-27 02:01 . 2008-06-27 02:01	92,032	--a------	C:\WINDOWS\system32\vrkdpxoo.dll
2008-06-26 01:41 . 2008-06-26 01:41	92,544	--a------	C:\WINDOWS\system32\lxmyjpdt.dll
2008-06-26 01:41 . 2008-06-26 01:40	354	--ahs----	C:\WINDOWS\system32\tdpjymxl.ini
2008-06-26 01:30 . 2008-06-26 01:40	354	--ahs----	C:\WINDOWS\system32\vpjactsw.ini
2008-06-25 23:01 . 2008-06-25 23:01	28,800	--a------	C:\WINDOWS\system32\cbXrOGAS.dll
2008-06-25 22:57 . 2008-06-25 18:00	245,760	--a------	C:\WINDOWS\gfetqaxsqsb.dll
2008-06-25 22:57 . 2008-06-25 18:00	229,376	--a------	C:\WINDOWS\pntqkflv.dll
2008-06-25 22:57 . 2008-06-25 18:00	180,224	--a------	C:\WINDOWS\qegbdmwf.dll
2008-06-25 22:57 . 2008-06-25 18:00	151,552	--a------	C:\WINDOWS\gxvpsafm.dll
2008-06-25 22:57 . 2008-06-25 18:00	81,920	--a------	C:\WINDOWS\tovafrnm.exe
2008-06-23 22:06 . 2008-06-27 01:04	<DIR>	d--------	C:\Program Files\Windows Live Safety Center
2008-06-23 20:05 . 2008-06-23 20:05	<DIR>	d--------	C:\Deckard
2008-06-23 11:42 . 2008-06-23 11:42	<DIR>	d--------	C:\Program Files\Trend Micro
2008-06-23 10:44 . 2008-06-25 10:48	<DIR>	d--------	C:\Program Files\Spyware Doctor
2008-06-23 10:44 . 2008-06-23 10:44	<DIR>	d--------	C:\Documents and Settings\blah\Application Data\PC Tools
2008-06-23 10:44 . 2008-06-10 21:22	81,288	--a------	C:\WINDOWS\system32\drivers\iksyssec.sys
2008-06-23 10:44 . 2008-06-02 15:19	66,952	--a------	C:\WINDOWS\system32\drivers\iksysflt.sys
2008-06-23 10:44 . 2008-06-02 15:19	42,376	--a------	C:\WINDOWS\system32\drivers\ikfilesec.sys
2008-06-23 10:44 . 2008-06-02 15:19	29,576	--a------	C:\WINDOWS\system32\drivers\kcom.sys
2008-06-23 10:42 . 2008-06-23 11:34	<DIR>	d--------	C:\Documents and Settings\blah\Application Data\U3
2008-06-23 10:24 . 2003-11-12 20:03	<DIR>	d--------	C:\Documents and Settings\blah\Application Data\Symantec
2008-06-23 10:24 . 2008-06-23 10:24	<DIR>	d--------	C:\Documents and Settings\blah
2008-06-22 21:24 . 2008-06-22 21:24	86	--a------	C:\WINDOWS\wininit.ini
2008-06-22 19:08 . 2008-06-22 19:07	691,545	--a------	C:\WINDOWS\unins002.exe
2008-06-22 19:08 . 2008-06-22 19:08	2,541	--a------	C:\WINDOWS\unins002.dat
2008-06-22 03:07 . 2008-06-22 03:07	<DIR>	d--------	C:\Program Files\MSXML 4.0
2008-06-21 21:56 . 2008-06-21 21:56	<DIR>	d--------	C:\Documents and Settings\All Users\Application Data\ADSL Software Ltd
2008-06-21 00:47 . 2008-06-21 00:47	<DIR>	d--------	C:\bios
2008-06-20 22:24 . 2008-06-20 22:24	94,208	--a------	C:\WINDOWS\DIIUnin.exe
2008-06-20 22:24 . 2008-06-20 22:33	18,340	--a------	C:\WINDOWS\DIIUnin.dat
2008-06-20 22:24 . 2008-06-20 22:24	2,829	--a------	C:\WINDOWS\DIIUnin.pif
2008-06-20 19:08 . 2008-06-20 22:26	21,840	--a----t-	C:\WINDOWS\system32\SIntfNT.dll
2008-06-20 19:08 . 2008-06-20 22:26	17,212	--a----t-	C:\WINDOWS\system32\SIntf32.dll
2008-06-20 19:08 . 2008-06-20 22:26	12,067	--a----t-	C:\WINDOWS\system32\SIntf16.dll
2008-06-20 18:47 . 2008-06-26 19:39	<DIR>	d--------	C:\Program Files\Diablo II
2008-06-11 18:55 . 2008-06-11 18:55	41,296	--a------	C:\WINDOWS\system32\xfcodec.dll

.
((((((((((((((((((((((((((((((((((((((((   Find3M Report   ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-06-26 06:40	---------	d---a-w	C:\Documents and Settings\All Users\Application Data\TEMP
2008-06-26 06:13	---------	d-----w	C:\Program Files\CallWave
2008-06-24 05:58	---------	d-sh--w	C:\Program Files\WGV
2008-06-23 00:27	---------	d-----w	C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-06-23 00:17	---------	d-----w	C:\Program Files\Spybot - Search & Destroy
2008-06-21 05:10	---------	d--h--w	C:\Program Files\InstallShield Installation Information
2008-06-13 13:10	272,128	----a-w	C:\WINDOWS\system32\drivers\bthport.sys
2008-06-13 13:10	272,128	----a-w	C:\WINDOWS\system32\dllcache\bthport.sys
2008-06-13 09:12	---------	d-----w	C:\Documents and Settings\All Users\Application Data\Microsoft Help
2008-05-08 12:28	202,752	----a-w	C:\WINDOWS\system32\drivers\rmcast.sys
2008-05-08 12:28	202,752	----a-w	C:\WINDOWS\system32\dllcache\rmcast.sys
2008-05-07 05:18	1,287,680	----a-w	C:\WINDOWS\system32\quartz.dll
2008-05-07 05:18	1,287,680	----a-w	C:\WINDOWS\system32\dllcache\quartz.dll
2008-04-21 07:04	659,456	----a-w	C:\WINDOWS\system32\wininet.dll
2008-04-21 07:04	659,456	----a-w	C:\WINDOWS\system32\dllcache\wininet.dll
2008-04-21 07:04	615,936	----a-w	C:\WINDOWS\system32\dllcache\urlmon.dll
2008-04-21 07:04	474,112	----a-w	C:\WINDOWS\system32\dllcache\shlwapi.dll
2008-04-21 07:04	1,494,528	----a-w	C:\WINDOWS\system32\dllcache\shdocvw.dll
2008-04-17 10:52	18,432	----a-w	C:\WINDOWS\system32\dllcache\iedw.exe
2008-03-27 08:12	151,583	----a-w	C:\WINDOWS\system32\msjint40.dll
2008-03-27 08:12	151,583	----a-w	C:\WINDOWS\system32\dllcache\msjint40.dll
2005-01-21 16:45	56	-csh--r	C:\WINDOWS\system32\E7D092101B.sys
2005-01-21 16:45	1,682	-csha-w	C:\WINDOWS\system32\KGyGaAvL.sys
.

(((((((((((((((((((((((((((((   snapshot@2008-06-23_11.27.21.37   )))))))))))))))))))))))))))))))))))))))))
.
- 2008-06-23 16:17:30	2,048	--s-a-w	C:\WINDOWS\bootstat.dat
+ 2008-06-27 08:17:08	2,048	--s-a-w	C:\WINDOWS\bootstat.dat
+ 2008-04-29 13:49:06	456,768	----a-w	C:\WINDOWS\Downloaded Program Files\wlscBase.dll
+ 2005-10-21 01:02:28	163,328	----a-w	C:\WINDOWS\erdnt\subs\ERDNT.EXE
- 2008-06-21 04:42:34	63,386	----a-w	C:\WINDOWS\system32\perfc009.dat
+ 2008-06-24 02:59:09	63,386	----a-w	C:\WINDOWS\system32\perfc009.dat
- 2008-06-21 04:42:34	404,206	----a-w	C:\WINDOWS\system32\perfh009.dat
+ 2008-06-24 02:59:09	404,206	----a-w	C:\WINDOWS\system32\perfh009.dat
.
(((((((((((((((((((((((((((((((((((((   Reg Loading Points   ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown 
REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{39D67F39-6F48-438A-80A2-F86FE363C215}]
2008-06-25 23:01	28800	--a------	C:\WINDOWS\system32\cbXrOGAS.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{63EE8DD1-D0EB-4A34-B133-E38B41307B27}]
2008-06-25 18:00	245760	--a------	C:\WINDOWS\gfetqaxsqsb.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{A8FB8EB3-183B-4598-924D-86F0E5E37085}]
2008-06-12 18:29	237056	--a------	c:\program files\peoplepc\toolbar\ppctoolbar.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
"{A8FB8EB3-183B-4598-924D-86F0E5E37085}"= "c:\program files\peoplepc\toolbar\ppctoolbar.dll" [2008-06-12 18:29 237056]

[HKEY_CLASSES_ROOT\clsid\{a8fb8eb3-183b-4598-924d-86f0e5e37085}]
[HKEY_CLASSES_ROOT\PeoplePC.Toolbar.1]
[HKEY_CLASSES_ROOT\TypeLib\{994D628D-4D22-4DB9-B6DB-F7D9F1635817}]
[HKEY_CLASSES_ROOT\PeoplePC.Toolbar]

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser]
"{A8FB8EB3-183B-4598-924D-86F0E5E37085}"= c:\program files\peoplepc\toolbar\ppctoolbar.dll [2008-06-12 18:29 237056]

[HKEY_CLASSES_ROOT\clsid\{a8fb8eb3-183b-4598-924d-86f0e5e37085}]
[HKEY_CLASSES_ROOT\PeoplePC.Toolbar.1]
[HKEY_CLASSES_ROOT\TypeLib\{994D628D-4D22-4DB9-B6DB-F7D9F1635817}]
[HKEY_CLASSES_ROOT\PeoplePC.Toolbar]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 02:56 15360]
"NCLaunch"="C:\WINDOWS\NCLAUNCH.EXe" [2007-03-17 14:25 40960]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Symantec NetDriver Monitor"="C:\PROGRA~1\SYMNET~1\SNDMon.exe" [2007-02-07 01:24 100056]
"MSConfig"="C:\WINDOWS\pchealth\helpctr\Binaries\MSCONFIG.EXE" [2004-08-04 02:56 158208]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Adobe Gamma Loader.lnk - C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2004-06-01 11:58:00 113664]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{39D67F39-6F48-438A-80A2-F86FE363C215}"= C:\WINDOWS\system32\cbXrOGAS.dll [2008-06-25 23:01 28800]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\cbXrOGAS]
cbXrOGAS.dll 2008-06-25 23:01 28800 C:\WINDOWS\system32\cbXrOGAS.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"VIDC.XFR1"= xfcodec.dll

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^CallWave.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\CallWave.lnk
backup=C:\WINDOWS\pss\CallWave.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Quicken Scheduled Updates.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Quicken Scheduled Updates.lnk
backup=C:\WINDOWS\pss\Quicken Scheduled Updates.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^SBC Self Support Tool.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\SBC Self Support Tool.lnk
backup=C:\WINDOWS\pss\SBC Self Support Tool.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^Karah^Start Menu^Programs^Startup^Microsoft Office Groove.lnk]
path=C:\Documents and Settings\Karah\Start Menu\Programs\Startup\Microsoft Office Groove.lnk
backup=C:\WINDOWS\pss\Microsoft Office Groove.lnkStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\4a8733d9]
--a------ 2008-06-27 02:01 92032 C:\WINDOWS\system32\vrkdpxoo.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ISTray]
--a------ 2008-06-10 21:22 1163656 C:\Program Files\Spyware Doctor\pctsTray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Motive SmartBridge]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SpybotSD TeaTimer]
-rahs---- 2008-01-28 11:43 2097488 C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"iPod Service"=3 (0x3)
"sdCoreService"=2 (0x2)
"sdAuxService"=2 (0x2)
"Microsoft Office Groove Audit Service"=3 (0x3)
"SBService"=2 (0x2)

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\Yahoo!\\Messenger\\YPager.exe"= C:\\Program Files\\Yahoo!\\Messenger\\YPAGER.EXE
"C:\\Program Files\\Yahoo!\\Messenger\\YServer.exe"= C:\\Program Files\\Yahoo!\\Messenger\\yserver.exe
"C:\\WINDOWS\\system32\\mshta.exe"=
"C:\\Program Files\\Messenger\\msmsgs.exe"=
"C:\\WINDOWS\\system32\\dpvsetup.exe"=
"C:\\Program Files\\iTunes\\iTunes.exe"=
"C:\\Program Files\\MSN Messenger\\msnmsgr.exe"=
"C:\\Program Files\\MSN Messenger\\livecall.exe"=
"C:\\Program Files\\Internet Explorer\\iexplore.exe"=
"C:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
"C:\\Program Files\\Microsoft Office\\Office12\\GROOVE.EXE"=
"C:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"=
"C:\\WINDOWS\\system32\\lxdccoms.exe"=
"C:\\Program Files\\Lexmark 1300 Series\\lxdcamon.exe"=
"C:\\Program Files\\Lexmark 1300 Series\\App4R.exe"=
"C:\\WINDOWS\\system32\\spool\\drivers\\w32x86\\3\\lxdcpswx.exe"=
"C:\\WINDOWS\\system32\\spool\\drivers\\w32x86\\3\\lxdcjswx.exe"=
"C:\\WINDOWS\\system32\\spool\\drivers\\w32x86\\3\\lxdctime.exe"=
"C:\\WINDOWS\\system32\\spool\\drivers\\w32x86\\3\\lxdcwbgw.exe"=
"C:\\Program Files\\CallWave\\IAM.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3389:TCP"= 3389:TCPxpsp2res.dll,-22009
"1863:TCP"= 1863:TCP:MSN Messenger
"6891:TCP"= 6891:TCP:Open Port 1
"6892:TCP"= 6892:TCP:Open Port 2
"6893:TCP"= 6893:TCP:Open Port 3
"6894:TCP"= 6894:TCP:Open Port 4
"6895:TCP"= 6895:TCP:Open Port 5

R2 lxdc_device;lxdc_device;C:\WINDOWS\system32\lxdccoms.exe [2007-04-30 15:03]
R2 lxdcCATSCustConnectService;lxdcCATSCustConnectService;C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\\lxdcserv.exe [2007-04-30 15:04]
S3 naecd;naecd;C:\DOCUME~1\Karah\LOCALS~1\Temp\naecd.sys []
S3 PhDebug32;PhDebug32;c:\bios\hr60\debug32.sys []

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\F]
\Shell\AutoRun\command - F:\LaunchU3.exe -a

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{a841e248-9851-11dc-aed3-c724e8a54708}]
\Shell\AutoRun\command - F:\LaunchU3.exe -a

.
Contents of the 'Scheduled Tasks' folder
"2008-02-05 19:32:18 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job"
- C:\Program Files\Apple Software Update\SoftwareUpdate.exe
"2008-06-27 05:09:46 C:\WINDOWS\Tasks\Symantec NetDetect.job"
- C:\Program Files\Symantec\LiveUpdate\NDETECT.EXE
.
**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-06-27 03:32:28
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ... 

C:\WINDOWS\explorer.exe [132] 0x82DE8020

scanning hidden autostart entries ...

scanning hidden files ... 

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

PROCESS: C:\WINDOWS\system32\winlogon.exe
-> C:\WINDOWS\system32\Ati2evxx.dll
-> C:\WINDOWS\system32\cbXrOGAS.dll
.
Completion time: 2008-06-27  4:02:53
ComboFix-quarantined-files.txt  2008-06-27 09:02:35
ComboFix2.txt  2008-06-23 17:37:22
ComboFix3.txt  2008-06-23 16:28:19

Pre-Run: 14,287,036,416 bytes free
Post-Run: 14,270,816,256 bytes free

243	--- E O F ---	2008-06-22 08:07:48


----------



## squiggs (Jun 27, 2008)

just to let you know it took three hours to finally get the log my computer was bogging down and a nortan script blocker came up and my computer was just flat out acting dumb


----------



## Punk (Jun 27, 2008)

*Download Avenger, and unzip it to your desktop or somewhere you can find it.Â  (Do not run it yet).*

Note: This program is for use on Windows XP *32 bit* systems only, and must be run from an Administrator account.


Open a *Notepad* file by clicking *Start > Run*Â  and typing *Notepad.exe* in the box, click *OK*.
Click *Format*, and ensure *Word Wrap* is unchecked.
Copy and Paste the text in the box below into *Notepad*.
Now save the file as *RemoveFiles.txt* in a location where you can find it.



> Files to delete:
> C:\WINDOWS\system32\ooxpdkrv.ini
> C:\WINDOWS\system32\vrkdpxoo.dll
> C:\WINDOWS\system32\lxmyjpdt.dll
> ...



Note: the above code was created specifically for this user. If you are not this user, do *NOT* follow these directions as they could damage the workings of your system.

Start *Avenger* by double clicking on *Avenger.exe*.

Check *Load script from file:*
Click on the *folder symbol* below and to the right, and browse to *RemoveFiles.txt*.
Double click it to enter it into Avenger.
Click the *green traffic light symbol*.
You will be asked if you want to execute the script, answer *Yes*.
At this point you may get prompts from your protection systems, allow them please.
Avenger will set itself up to run the next time you re-boot, and will prompt you to re-start immediately.
Answer *Yes*, and allow your computer to re-boot.
Upon re-boot a command window will briefly appear on screen (this is normal).
A Notepad text file will be created *C:\avenger.txt*.
*Copy and Paste it into your next post please.*


Download *SDFix* and save it to your Desktop.

Double click *SDFix.exe* and it will extract the files to %systemdrive%
(Drive that contains the Windows Directory, typically C:\SDFix)

Please then reboot your computer in *Safe Mode* by doing the following :
Restart your computer
After hearing your computer beep once during startup, but before the Windows icon appears, tap the F8 key continually;
Instead of Windows loading as normal, the Advanced Options Menu should appear;
Select the first option, to run Windows in Safe Mode, then press *Enter*.
Choose your usual account.
 Open the extracted SDFix folder and double click *RunThis.bat* to start the script.
 Type *Y* to begin the cleanup process.
 It will remove any Trojan Services and Registry Entries that it finds then prompt you to press any key to Reboot.
 Press any Key and it will restart the PC.
 When the PC restarts the Fixtool will run again and complete the removal process then display *Finished*, press any key to end the script and load your desktop icons.
 Once the desktop icons load the SDFix report will open on screen and also save into the SDFix folder as *Report.txt*
(Report.txt will also be copied to Clipboard ready for posting back on the forum).
 Finally paste the contents of the Report.txt back on the forum with a new HijackThis log



*Please do both, it is important that I see the two logs*


----------



## squiggs (Jun 28, 2008)

//////////////////////////////////////////
  Avenger Pre-Processor log
//////////////////////////////////////////

Platform: Windows XP (build 2600, Service Pack 2)
Fri Jun 27 19:39:07 2008

19:39:07: Error: Invalid script.  A valid script must begin with a command directive.
Aborting execution!


//////////////////////////////////////////


Logfile of The Avenger Version 2.0, (c) by Swandog46
http://swandog46.geekstogo.com

Platform:  Windows XP

*******************

Script file opened successfully.
Script file read successfully.

Backups directory opened successfully at C:\Avenger

*******************

Beginning to process script file:

Rootkit scan active.
No rootkits found!

File "C:\WINDOWS\system32\ooxpdkrv.ini" deleted successfully.
File "C:\WINDOWS\system32\vrkdpxoo.dll" deleted successfully.
File "C:\WINDOWS\system32\lxmyjpdt.dll" deleted successfully.
File "C:\WINDOWS\system32\tdpjymxl.ini" deleted successfully.
File "C:\WINDOWS\system32\vpjactsw.ini" deleted successfully.
File "C:\WINDOWS\system32\cbXrOGAS.dll" deleted successfully.

Error:  could not open file "2C:\WINDOWS\gfetqaxsqsb.dll"
Deletion of file "2C:\WINDOWS\gfetqaxsqsb.dll" failed!
Status: 0xc000003a (STATUS_OBJECT_PATH_NOT_FOUND)
  --> bad path / the parent directory does not exist

File "C:\WINDOWS\pntqkflv.dll" deleted successfully.
File "C:\WINDOWS\qegbdmwf.dll" deleted successfully.
File "C:\WINDOWS\gxvpsafm.dll" deleted successfully.

Error:  file "C:\WINDOWS\tovafrnm.exe e" not found!
Deletion of file "C:\WINDOWS\tovafrnm.exe e" failed!
Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)
  --> the object does not exist


Completed script processing.

*******************

Finished!  Terminate.


----------



## squiggs (Jun 28, 2008)

*SDFix: Version 1.197 *
Run by Karah on Fri 06/27/2008 at 20:04

Microsoft Windows XP [Version 5.1.2600]
Running From: C:\SDFix

*Checking Services *:


Restoring Default Security Values
Restoring Default Hosts File
Restoring Default HomePage Value
Restoring Default Desktop Components Value

Rebooting


*Checking Files *: 

Trojan Files Found:

C:\Documents and Settings\Karah\Favorites\Error Cleaner.url - Deleted
C:\Documents and Settings\Karah\Favorites\Privacy Protector.url - Deleted
C:\Documents and Settings\Karah\Favorites\Spyware&Malware Protection.url - Deleted
C:\WINDOWS\gfetqaxsqsb.dll - Deleted
C:\WINDOWS\tovafrnm.exe  - Deleted





Removing Temp Files

*ADS Check *:



*Final Check *:

catchme 0.3.1361.2 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-06-27 20:25:26
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden services & system hive ...

scanning hidden registry entries ...

scanning hidden files ...

scan completed successfully
hidden processes: 0
hidden services: 0
hidden files: 0


*Remaining Services *:




Authorized Application Key Export:

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabledxpsp2res.dll,-22019"
"C:\\Program Files\\Yahoo!\\Messenger\\YPager.exe"="C:\\Program Files\\Yahoo!\\Messenger\\YPAGER.EXE:*:Enabled:Yahoo! Messenger"
"C:\\Program Files\\Yahoo!\\Messenger\\YServer.exe"="C:\\Program Files\\Yahoo!\\Messenger\\yserver.exe:*:Enabled:Yahoo! FT Server"
"C:\\WINDOWS\\system32\\mshta.exe"="C:\\WINDOWS\\system32\\mshta.exe:*:Enabled:Microsoft (R) HTML Application host"
"C:\\Program Files\\Messenger\\msmsgs.exe"="C:\\Program Files\\Messenger\\msmsgs.exe:*:Enabled:Windows Messenger"
"C:\\WINDOWS\\system32\\dpvsetup.exe"="C:\\WINDOWS\\system32\\dpvsetup.exe:*:Enabled:Microsoft DirectPlay Voice Test"
"C:\\Program Files\\iTunes\\iTunes.exe"="C:\\Program Files\\iTunes\\iTunes.exe:*:Enabled:iTunes"
"C:\\Program Files\\MSN Messenger\\msnmsgr.exe"="C:\\Program Files\\MSN Messenger\\msnmsgr.exe:*:Enabled:Windows Live Messenger 8.1"
"C:\\Program Files\\MSN Messenger\\livecall.exe"="C:\\Program Files\\MSN Messenger\\livecall.exe:*:Enabled:Windows Live Messenger 8.1 (Phone)"
"C:\\Program Files\\Internet Explorer\\iexplore.exe"="C:\\Program Files\\Internet Explorer\\iexplore.exe:*:Enabled:Internet Explorer"
"C:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"="C:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE:*:Enabled:Microsoft Office Outlook"
"C:\\Program Files\\Microsoft Office\\Office12\\GROOVE.EXE"="C:\\Program Files\\Microsoft Office\\Office12\\GROOVE.EXE:*:Enabled:Microsoft Office Groove"
"C:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"="C:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE:*:Enabled:Microsoft Office OneNote"
"C:\\WINDOWS\\system32\\lxdccoms.exe"="C:\\WINDOWS\\system32\\lxdccoms.exe:*:Enabled:Lexmark Communications System"
"C:\\Program Files\\Lexmark 1300 Series\\lxdcamon.exe"="C:\\Program Files\\Lexmark 1300 Series\\lxdcamon.exe:*:Enabled:Lexmark Device Monitor"
"C:\\Program Files\\Lexmark 1300 Series\\App4R.exe"="C:\\Program Files\\Lexmark 1300 Series\\App4R.exe:*:Enabled:Lexmark Imaging Studio"
"C:\\WINDOWS\\system32\\spool\\drivers\\w32x86\\3\\lxdcpswx.exe"="C:\\WINDOWS\\system32\\spool\\drivers\\w32x86\\3\\lxdcpswx.exe:*:Enabled: "
"C:\\WINDOWS\\system32\\spool\\drivers\\w32x86\\3\\lxdcjswx.exe"="C:\\WINDOWS\\system32\\spool\\drivers\\w32x86\\3\\lxdcjswx.exe:*:Enabled: "
"C:\\WINDOWS\\system32\\spool\\drivers\\w32x86\\3\\lxdctime.exe"="C:\\WINDOWS\\system32\\spool\\drivers\\w32x86\\3\\lxdctime.exe:*:Enabled: "
"C:\\WINDOWS\\system32\\spool\\drivers\\w32x86\\3\\lxdcwbgw.exe"="C:\\WINDOWS\\system32\\spool\\drivers\\w32x86\\3\\lxdcwbgw.exe:*:Enabled: "
"C:\\Program Files\\CallWave\\IAM.exe"="C:\\Program Files\\CallWave\\IAM.exe:*:Enabled:CallWave"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\domainprofile\authorizedapplications\list]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabledxpsp2res.dll,-22019"
"C:\\Program Files\\Common Files\\AOL\\ACS\\AOLDial.exe"="C:\\Program Files\\Common Files\\AOL\\ACS\\AOLDial.exe:*:Enabled:AOL"
"C:\\Program Files\\Common Files\\AOL\\ACS\\AOLacsd.exe"="C:\\Program Files\\Common Files\\AOL\\ACS\\AOLacsd.exe:*:Enabled:AOL"
"C:\\Program Files\\MSN Messenger\\msnmsgr.exe"="C:\\Program Files\\MSN Messenger\\msnmsgr.exe:*:Enabled:Windows Live Messenger 8.1"
"C:\\Program Files\\MSN Messenger\\livecall.exe"="C:\\Program Files\\MSN Messenger\\livecall.exe:*:Enabled:Windows Live Messenger 8.1 (Phone)"
"C:\\Program Files\\Lexmark 1300 Series\\app4r.exe"="C:\\Program Files\\Lexmark 1300 Series\\app4r.exe:*:Enabled:Lexmark Imaging Studio"

*Remaining Files *:


File Backups: - C:\SDFix\backups\backups.zip

*Files with Hidden Attributes *:

Mon 28 Jan 2008     1,404,240 A.SHR --- "C:\Program Files\Spybot - Search & Destroy\SDUpdate.exe"
Mon 28 Jan 2008     5,146,448 A.SHR --- "C:\Program Files\Spybot - Search & Destroy\SpybotSD.exe"
Mon 28 Jan 2008     2,097,488 A.SHR --- "C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe"
Fri 21 Jan 2005            56 ..SHR --- "C:\WINDOWS\system32\E7D092101B.sys"
Fri 21 Jan 2005         1,682 A.SH. --- "C:\WINDOWS\system32\KGyGaAvL.sys"
Sat 20 Nov 2004         4,348 A.SH. --- "C:\Documents and Settings\All Users\DRM\DRMv1.bak"
Sat 20 Nov 2004           401 A.SH. --- "C:\Documents and Settings\All Users\DRM\DRMv13.bak"
Thu 13 Dec 2007             0 A..H. --- "C:\WINDOWS\SoftwareDistribution\Download\0a67b6c406b1d7e0f5c1e6f6d44a3f6e\BIT7.tmp"
Thu 13 Dec 2007             0 A..H. --- "C:\WINDOWS\SoftwareDistribution\Download\26924cbc8132a10b438ce6e2b49d4652\BIT5.tmp"
Thu 13 Dec 2007             0 A..H. --- "C:\WINDOWS\SoftwareDistribution\Download\2769b111678c52099a3b3123b12f2325\BIT9.tmp"
Wed 30 Jan 2008             0 A..H. --- "C:\WINDOWS\SoftwareDistribution\Download\585dc2612ebcefc90e7dee4c276ee95e\BIT7.tmp"
Thu 13 Dec 2007             0 A..H. --- "C:\WINDOWS\SoftwareDistribution\Download\b69c46c5109d0f8b0dee9fab84906813\BIT8.tmp"
Thu 13 Dec 2007             0 A..H. --- "C:\WINDOWS\SoftwareDistribution\Download\d77b9b5b8fed23dd91f50d167cce60d3\BITA.tmp"
Thu 13 Dec 2007             0 A..H. --- "C:\WINDOWS\SoftwareDistribution\Download\fa6c916bb150f8a929e7a4ffdfbc120f\BIT6.tmp"
Thu  7 Dec 2006     3,096,576 A..H. --- "C:\Documents and Settings\blah\Application Data\U3\temp\Launchpad Removal.exe"
Thu  7 Dec 2006     3,096,576 A..H. --- "C:\Documents and Settings\Karah\Application Data\U3\temp\Launchpad Removal.exe"

*Finished!*


----------



## squiggs (Jun 28, 2008)

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 20:37, on 6/27/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\lxdcserv.exe
C:\WINDOWS\system32\lxdccoms.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\Program Files\Norton AntiVirus\SAVScan.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\WINDOWS\System32\wbem\wmiapsrv.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\NCLAUNCH.EXe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLLoginProxy.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://yahoo.sbc.com/dsl
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = websearch.drsnsrch.com/q.cgi?q=
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = 
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: (no name) - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - (no file)
O3 - Toolbar: PeoplePal Toolbar - {A8FB8EB3-183B-4598-924D-86F0E5E37085} - c:\program files\peoplepc\toolbar\ppctoolbar.dll
O3 - Toolbar: (no name) - {266F6829-949E-4645-AAEA-1323B59E826C} - (no file)
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer
O4 - HKLM\..\Run: [4a8733d9] rundll32.exe "C:\WINDOWS\system32\ahejxcbc.dll",b
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [NCLaunch] C:\WINDOWS\NCLAUNCH.EXe
O4 - Global Startup: Adobe Gamma Loader.lnk = ?
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\Office12\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\system32\msjava.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\system32\msjava.dll
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~4\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~4\Office12\ONBttnIE.dll
O9 - Extra button: AOL Toolbar - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - (no file)
O9 - Extra 'Tools' menuitem: AOL Toolbar - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - (no file)
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~4\Office12\REFIEBAR.DLL
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: Run IMVU - {d9288080-1baa-4bc4-9cf8-a92d743db949} - C:\Documents and Settings\Karah\Start Menu\Programs\IMVU\Run IMVU.lnk
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra button: (no name) - {6685509E-B47B-4f47-8E16-9A5F3A62F683} - file://C:\Program Files\Ebates_MoeMoneyMaker\Sy350\Tp350\scri350a.htm (file missing) (HKCU)
O14 - IERESET.INF: START_PAGE_URL=http://qus8l.hpwis.com
O16 - DPF: {48DD0448-9209-4F81-9F6D-D83562940134} - http://lads.myspace.com/upload/MySpaceUploader1005.cab
O16 - DPF: {49232000-16E4-426C-A231-62846947304B} - http://ipgweb.cce.hp.com/rdqnbk/downloads/sysinfo.cab
O16 - DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} (Windows Live Safety Center Base Module) - http://cdn.scan.onecare.live.com/resource/download/scanner/wlscbase9563.cab
O16 - DPF: {88D969C0-F192-11D4-A65F-0040963251E5} (XML DOM Document 4.0) - http://ipgweb.cce.hp.com/rdqnbk/downloads/msxml4.cab
O16 - DPF: {9600F64D-755F-11D4-A47F-0001023E6D5A} - http://web1.shutterfly.com/downloads/Uploader.cab
O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\PROGRA~1\MICROS~4\Office12\GR99D3~1.DLL
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: lxdcCATSCustConnectService - Lexmark International, Inc. - C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\\lxdcserv.exe
O23 - Service: lxdc_device -   - C:\WINDOWS\system32\lxdccoms.exe
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton AntiVirus\SAVScan.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
O23 - Service: YPCService - Yahoo! Inc. - C:\WINDOWS\system32\YPCSER~1.EXE

--
End of file - 6765 bytes


----------



## Buzz1927 (Jun 28, 2008)

Punk said:


> Lol at above...


How strange, I Lol at your reply!


----------

