Jump to content


Photo

cheater checker/limewire help?(Resolved)


  • This topic is locked This topic is locked
22 replies to this topic

#1 leftydrummrr

leftydrummrr

    Member

  • Members
  • 117 posts

Posted 13 February 2008 - 01:41 PM

Juliet suggested I post this HijackThis log if "Cheater Checker" showed up on my PC after opening LimeWire. This is the third time it has happened. I've been able to use System Restore to make Cheater checker go away each time,but I'm curious where it really comes from. thanks for your help,

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 12:34:38 PM, on 2/13/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16608)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\WINDOWS\system32\ctfmon.exe
C:\PROGRA~1\Yahoo!\MESSEN~1\YAHOOM~1.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINDOWS\system32\cisvc.exe
C:\WINDOWS\System32\CTsvcCDA.exe
C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\r_server.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Viewpoint\Common\ViewpointService.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\PROGRA~1\Yahoo!\browser\ycommon.exe
C:\Program Files\Yahoo!\browser\ybrwicon.exe
C:\WINDOWS\system32\cidaemon.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Yahoo!\browser\ybrowser.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://red.clientapp.../search/ie.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://red.clientapp...//www.yahoo.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://att.my.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://att.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://red.clientapp...//www.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://red.clientapp.../search/ie.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://red.clientapp...//www.yahoo.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://att.yahoo.com
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://red.clientapp...//www.yahoo.com
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: UberButton Class - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\PROGRA~1\Yahoo!\Common\yiesrvc.dll
O2 - BHO: YahooTaggedBM Class - {65D886A2-7CA7-479B-BB95-14D1EFB7946A} - C:\PROGRA~1\Yahoo!\Common\YIeTagBm.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O2 - BHO: SidebarAutoLaunch Class - {F2AA9440-6328-4933-B7C9-A6CCDF9CBF6D} - C:\Program Files\Yahoo!\browser\YSidebarIEBHO.dll
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\PROGRA~1\Yahoo!\MESSEN~1\YAHOOM~1.EXE" -quiet
O8 - Extra context menu item: &Search - ?p=ZRxdm185YYUS
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: AT&T Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\PROGRA~1\Yahoo!\Common\yiesrvc.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {01A88BB1-1174-41EC-ACCB-963509EAE56B} (SysProWmi Class) - http://support.dell....iler/SysPro.CAB
O16 - DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} (PCPitstop Utility) - http://www.pcpitstop...p/PCPitStop.CAB
O16 - DPF: {1239CC52-59EF-4DFA-8C61-90FFA846DF7E} (Musicnotes Viewer) - http://www.musicnote...ad/mnviewer.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft....204&clcid=0x409
O16 - DPF: {193C772A-87BE-4B19-A7BB-445B226FE9A1} (ewidoOnlineScan Control) - http://download.ewid...oOnlineScan.cab
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (Installation Support) - C:\Program Files\Yahoo!\Common\Yinsthelper20073151.dll
O16 - DPF: {31E68DE2-5548-4B23-88F0-C51E6A0F695E} (Microsoft PID Sniffer) - https://support.micr...ActiveX/odc.cab
O16 - DPF: {406B5949-7190-4245-91A9-30A17DE16AD0} (Snapfish Activia) - http://photo.walgree...eensActivia.cab
O16 - DPF: {48DD0448-9209-4F81-9F6D-D83562940134} (MySpace Uploader Control) - http://lads.myspace....ploader1005.cab
O16 - DPF: {4C39376E-FA9D-4349-BACC-D305C1750EF3} (EPUImageControl Class) - http://tools.ebayimg...l_v1-0-3-48.cab
O16 - DPF: {4CCA4E80-9259-11D9-AC6E-444553544200} (FixController Control) - http://h30155.www3.h...llMgr_v01_5.cab
O16 - DPF: {9732FB42-C321-11D1-836F-00A0C993F125} (mhLabel Class) - http://www.pcpitstop.com/mhLbl.cab
O16 - DPF: {A8F2B9BD-A6A0-486A-9744-18920D898429} - http://www.sibelius....tiveXPlugin.cab
O16 - DPF: {EF791A6B-FC12-4C68-99EF-FB9E207A39E6} (McFreeScan Class) - http://download.mcaf...881/mcfscan.cab
O20 - Winlogon Notify: modget32 - C:\WINDOWS\SYSTEM32\modget32.dll
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\System32\CTsvcCDA.exe
O23 - Service: Cisco Systems, Inc. VPN Service (CVPND) - Cisco Systems, Inc. - C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: MSCSPTISRV - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\MSCSPTISRV.exe
O23 - Service: Intel NCS NetService (NetSvc) - Intel® Corporation - C:\Program Files\Intel\NCS\Sync\NetSvc.exe
O23 - Service: PACSPTISVR - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\PACSPTISVR.exe
O23 - Service: Remote Administrator Service (r_server) - Unknown owner - C:\WINDOWS\system32\r_server.exe
O23 - Service: Sony SPTI Service (SPTISRV) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\SPTISRV.exe
O23 - Service: SonicStage SCSI Service (SSScsiSV) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\SSScsiSV.exe
O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exe
O23 - Service: YPCService - Yahoo! Inc. - C:\WINDOWS\SYSTEM32\YPCSER~1.EXE

--
End of file - 8940 bytes

#2 Juliet

Juliet

    Advanced Member

  • Trusted Malware Techs
  • 22,153 posts
  • Gender:Female


Posted 13 February 2008 - 01:58 PM

Hi and welcome

Open HijackThis, Click Do a system scan only, checkmark these. Then close all other windows and browsers except HijackThis and press fix checked.

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://red.clientapp.../search/ie.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://red.clientapp...//www.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://red.clientapp...//www.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://red.clientapp.../search/ie.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://red.clientapp...//www.yahoo.com
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://red.clientapp...//www.yahoo.com



NEXT

Please go to: VirusTotal
  • Posted Image

  • Click the Browse button and search for the following file: C:\WINDOWS\SYSTEM32\modget32.dll
  • Click Open
  • Then click Send File
  • Please be patient while the file is scanned.
  • Once the scan results appear, please provide them in your next reply.



NEXT

Download Deckard's System Scanner (DSS) to your Desktop. Note: You must be logged onto an account with administrator privileges.
[*]Close all applications and windows.
[*]Double-click on dss.exe to run it, and follow the prompts.
[*]When the scan is complete, two text files will open - main.txt <- this one will be maximized and extra.txt <-this one will be minimized
Use Save As to save both Notepad files to your Desktop and post them in your next reply.
Note:A copy of these files can be found in you root drive, usually C:\Deckard\System Scanner\

Note: some firewalls may warn that sigcheck.exe is trying to access the internet - please ensure that you allow sigcheck.exe permission to do so.


In your next reply post:
File requested scanned
DSS log
New HJT log taken after the above scans have run

Please do not PM me for HJT help, we all benefit from posting on the open board.

MS - MVP Consumer Security 2009 - 2014

#3 leftydrummrr

leftydrummrr

    Member

  • Members
  • 117 posts

Posted 13 February 2008 - 03:49 PM

I hope I followed your instructions correctly. Here are the scans. thanks for your help,

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 2:39:10 PM, on 2/13/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16574)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINDOWS\system32\cisvc.exe
C:\WINDOWS\System32\CTsvcCDA.exe
C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\r_server.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Viewpoint\Common\ViewpointService.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\WINDOWS\system32\ctfmon.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\PROGRA~1\Yahoo!\MESSEN~1\YAHOOM~1.EXE
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\cidaemon.exe
C:\PROGRA~1\Yahoo!\browser\ycommon.exe
C:\Program Files\Yahoo!\browser\ybrwicon.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://att.my.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://att.yahoo.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://att.yahoo.com
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: UberButton Class - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\PROGRA~1\Yahoo!\Common\yiesrvc.dll
O2 - BHO: YahooTaggedBM Class - {65D886A2-7CA7-479B-BB95-14D1EFB7946A} - C:\PROGRA~1\Yahoo!\Common\YIeTagBm.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O2 - BHO: SidebarAutoLaunch Class - {F2AA9440-6328-4933-B7C9-A6CCDF9CBF6D} - C:\Program Files\Yahoo!\browser\YSidebarIEBHO.dll
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\PROGRA~1\Yahoo!\MESSEN~1\YAHOOM~1.EXE" -quiet
O8 - Extra context menu item: &Search - ?p=ZRxdm185YYUS
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: AT&T Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\PROGRA~1\Yahoo!\Common\yiesrvc.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {01A88BB1-1174-41EC-ACCB-963509EAE56B} (SysProWmi Class) - http://support.dell....iler/SysPro.CAB
O16 - DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} (PCPitstop Utility) - http://www.pcpitstop...p/PCPitStop.CAB
O16 - DPF: {1239CC52-59EF-4DFA-8C61-90FFA846DF7E} (Musicnotes Viewer) - http://www.musicnote...ad/mnviewer.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft....204&clcid=0x409
O16 - DPF: {193C772A-87BE-4B19-A7BB-445B226FE9A1} (ewidoOnlineScan Control) - http://download.ewid...oOnlineScan.cab
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (Installation Support) - C:\Program Files\Yahoo!\Common\Yinsthelper20073151.dll
O16 - DPF: {31E68DE2-5548-4B23-88F0-C51E6A0F695E} (Microsoft PID Sniffer) - https://support.micr...ActiveX/odc.cab
O16 - DPF: {406B5949-7190-4245-91A9-30A17DE16AD0} (Snapfish Activia) - http://photo.walgree...eensActivia.cab
O16 - DPF: {48DD0448-9209-4F81-9F6D-D83562940134} (MySpace Uploader Control) - http://lads.myspace....ploader1005.cab
O16 - DPF: {4C39376E-FA9D-4349-BACC-D305C1750EF3} (EPUImageControl Class) - http://tools.ebayimg...l_v1-0-3-48.cab
O16 - DPF: {4CCA4E80-9259-11D9-AC6E-444553544200} (FixController Control) - http://h30155.www3.h...llMgr_v01_5.cab
O16 - DPF: {9732FB42-C321-11D1-836F-00A0C993F125} (mhLabel Class) - http://www.pcpitstop.com/mhLbl.cab
O16 - DPF: {A8F2B9BD-A6A0-486A-9744-18920D898429} - http://www.sibelius....tiveXPlugin.cab
O16 - DPF: {EF791A6B-FC12-4C68-99EF-FB9E207A39E6} (McFreeScan Class) - http://download.mcaf...881/mcfscan.cab
O20 - Winlogon Notify: modget32 - C:\WINDOWS\SYSTEM32\modget32.dll
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\System32\CTsvcCDA.exe
O23 - Service: Cisco Systems, Inc. VPN Service (CVPND) - Cisco Systems, Inc. - C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: MSCSPTISRV - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\MSCSPTISRV.exe
O23 - Service: Intel NCS NetService (NetSvc) - Intel® Corporation - C:\Program Files\Intel\NCS\Sync\NetSvc.exe
O23 - Service: PACSPTISVR - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\PACSPTISVR.exe
O23 - Service: Remote Administrator Service (r_server) - Unknown owner - C:\WINDOWS\system32\r_server.exe
O23 - Service: Sony SPTI Service (SPTISRV) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\SPTISRV.exe
O23 - Service: SonicStage SCSI Service (SSScsiSV) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\SSScsiSV.exe
O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exe
O23 - Service: YPCService - Yahoo! Inc. - C:\WINDOWS\SYSTEM32\YPCSER~1.EXE

--
End of file - 7766 bytes
Deckard's System Scanner v20071014.68
Run by Mark Gisi on 2008-02-13 14:20:11
Computer is in Normal Mode.
--------------------------------------------------------------------------------

-- System Restore --------------------------------------------------------------

Successfully created a Deckard's System Scanner Restore Point.


-- Last 5 Restore Point(s) --
44: 2008-02-13 20:20:26 UTC - RP868 - Deckard's System Scanner Restore Point
43: 2008-02-13 18:50:14 UTC - RP867 - Software Distribution Service 3.0
42: 2008-02-13 18:42:50 UTC - RP866 - Restore Operation
41: 2008-02-13 18:00:27 UTC - RP865 - Software Distribution Service 3.0
40: 2008-02-13 17:51:22 UTC - RP864 - Ad-Aware Restore Point 2008-02-13 11:51:06


-- First Restore Point --
1: 2008-01-28 19:57:27 UTC - RP825 - System Checkpoint


Backed up registry hives.
Performed disk cleanup.

Total Physical Memory: 510 MiB (512 MiB recommended).
System Drive C: has 0.78 GiB (less than 15%) free.


-- HijackThis (run as Mark Gisi.exe) ------------------------------------------

logfile has no content; running clone.
-- HijackThis Clone ------------------------------------------------------------


Emulating logfile of Trend Micro HijackThis v2.0.2
Scan saved at 2008-02-13 14:23:20
Platform: Windows XP Service Pack 2 (5.01.2600)
MSIE: Internet Explorer (7.00.6000.16574)
Boot mode: Normal

Running processes:
C:\WINDOWS\SYSTEM32\smss.exe
C:\WINDOWS\SYSTEM32\winlogon.exe
C:\WINDOWS\SYSTEM32\services.exe
C:\WINDOWS\SYSTEM32\lsass.exe
C:\WINDOWS\SYSTEM32\svchost.exe
C:\WINDOWS\SYSTEM32\svchost.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\SYSTEM32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINDOWS\SYSTEM32\cisvc.exe
C:\WINDOWS\SYSTEM32\CTsvcCDA.EXE
C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
C:\WINDOWS\SYSTEM32\svchost.exe
C:\WINDOWS\SYSTEM32\svchost.exe
C:\WINDOWS\SYSTEM32\svchost.exe
C:\WINDOWS\SYSTEM32\r_server.exe
C:\WINDOWS\SYSTEM32\svchost.exe
C:\Program Files\Viewpoint\Common\ViewpointService.exe
C:\WINDOWS\SYSTEM32\MsPMSPSv.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\WINDOWS\SYSTEM32\ctfmon.exe
C:\Program Files\Alwil Software\Avast4\ashDisp.exe
C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe
C:\WINDOWS\SYSTEM32\wuauclt.exe
C:\WINDOWS\SYSTEM32\CIDAEMON.EXE
C:\Program Files\Yahoo!\browser\ycommon.exe
C:\Program Files\Yahoo!\browser\ybrwicon.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Documents and Settings\Mark Gisi\Local Settings\Temporary Internet Files\Content.IE5\RLDF9YP3\dss[1].exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://att.my.yahoo.com/
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = iexplore
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://att.yahoo.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://att.yahoo.com
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: UberButton Class - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O2 - BHO: YahooTaggedBM Class - {65D886A2-7CA7-479B-BB95-14D1EFB7946A} - C:\Program Files\Yahoo!\Common\YIeTagBm.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O2 - BHO: SidebarAutoLaunch Class - {F2AA9440-6328-4933-B7C9-A6CCDF9CBF6D} - C:\Program Files\Yahoo!\browser\YSidebarIEBHO.dll
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\PROGRA~1\Yahoo!\MESSEN~1\YAHOOM~1.EXE" -quiet
O8 - Extra context menu item: &Search - ?p=ZRxdm185YYUS
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: AT&T Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\network diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\network diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {01A88BB1-1174-41EC-ACCB-963509EAE56B} (SysProWmi Class) - http://support.dell....iler/SysPro.CAB
O16 - DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} (PCPitstop Utility) - http://www.pcpitstop...p/PCPitStop.CAB
O16 - DPF: {1239CC52-59EF-4DFA-8C61-90FFA846DF7E} (Musicnotes Viewer) - http://www.musicnote...ad/mnviewer.cab
O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://fpdownload.ma...director/sw.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft....204&clcid=0x409
O16 - DPF: {193C772A-87BE-4B19-A7BB-445B226FE9A1} (ewidoOnlineScan Control) - http://download.ewid...oOnlineScan.cab
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (Installation Support) - C:\Program Files\Yahoo!\Common\Yinsthelper20073151.dll
O16 - DPF: {31E68DE2-5548-4B23-88F0-C51E6A0F695E} (Microsoft PID Sniffer) - https://support.micr...ActiveX/odc.cab
O16 - DPF: {406B5949-7190-4245-91A9-30A17DE16AD0} (Snapfish Activia) - http://photo.walgree...eensActivia.cab
O16 - DPF: {48DD0448-9209-4F81-9F6D-D83562940134} (MySpace Uploader Control) - http://lads.myspace....ploader1005.cab
O16 - DPF: {4C39376E-FA9D-4349-BACC-D305C1750EF3} (EPUImageControl Class) - http://tools.ebayimg...l_v1-0-3-48.cab
O16 - DPF: {4CCA4E80-9259-11D9-AC6E-444553544200} (FixController Control) - http://h30155.www3.h...llMgr_v01_5.cab
O16 - DPF: {9732FB42-C321-11D1-836F-00A0C993F125} (mhLabel Class) - http://www.pcpitstop.com/mhLbl.cab
O16 - DPF: {9CF28A69-7659-4C51-BFD5-9ADE19E19EC3} (RegConfig Class) - http://download.yaho...rod/yregcfg.cab
O16 - DPF: {A8F2B9BD-A6A0-486A-9744-18920D898429} () - http://www.sibelius....tiveXPlugin.cab
O16 - DPF: {B9191F79-5613-4C76-AA2A-398534BB8999} (YAddBook Class) - http://download.yaho...alls/yab_af.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macr...ash/swflash.cab
O16 - DPF: {EF791A6B-FC12-4C68-99EF-FB9E207A39E6} (McFreeScan Class) - http://download.mcaf...881/mcfscan.cab
O18 - Protocol: cdo - {CD00020A-8B95-11D1-82DB-00C04FB1625D} - C:\Program Files\Common Files\Microsoft Shared\Web Folders\PKMCDO.DLL
O18 - Protocol: ms-itss - {0A9007C0-4076-11D3-8789-0000F8105754} - C:\Program Files\Common Files\Microsoft Shared\Information Retrieval\msitss.dll
O20 - Winlogon Notify: modget32 - C:\WINDOWS\system32\modget32.dll
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\SYSTEM32\CTsvcCDA.EXE
O23 - Service: Cisco Systems, Inc. VPN Service (CVPND) - Cisco Systems, Inc. - C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: MSCSPTISRV - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\MSCSPTISRV.exe
O23 - Service: Intel NCS NetService (NetSvc) - Intel® Corporation - C:\Program Files\Intel\NCS\Sync\NetSvc.exe
O23 - Service: PACSPTISVR - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\PACSPTISVR.exe
O23 - Service: Remote Administrator Service (r_server) - Unknown owner - C:\WINDOWS\SYSTEM32\r_server.exe
O23 - Service: Sony SPTI Service (SPTISRV) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\SPTISRV.exe
O23 - Service: SonicStage SCSI Service (SSScsiSV) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\SSScsiSV.exe
O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exe
O23 - Service: YPCService - Yahoo! Inc. - C:\WINDOWS\SYSTEM32\YPcservice.exe


--
End of file - 8758 bytes

-- HijackThis Fixed Entries (C:\PROGRA~1\TRENDM~1\HIJACK~1\backups\) -----------

backup-20080213-140305-198 R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://red.clientapp...//www.yahoo.com
backup-20080213-140305-209 R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://red.clientapp...//www.yahoo.com
backup-20080213-140305-288 R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://red.clientapp...//www.yahoo.com
backup-20080213-140305-292 R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://red.clientapp.../search/ie.html
backup-20080213-140305-384 R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://red.clientapp.../search/ie.html
backup-20080213-140305-989 R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://red.clientapp...//www.yahoo.com

-- File Associations -----------------------------------------------------------

All associations okay.


-- Drivers: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled ---------------------

R0 agp440 (Intel AGP Bus Filter) - c:\windows\\systemroot\system32\drivers\agp440.sys (file missing)
R0 IFP800 (iriver Internet Audio Player IFP-800) - c:\windows\system32\drivers\ifp800.sys <Not Verified; iRiver, Inc.; IFP-100>
R1 omci (OMCI WDM Device Driver) - c:\windows\system32\drivers\omci.sys <Not Verified; Dell Computer Corporation; OMCI Driver>
R1 SbcpHid - c:\windows\system32\drivers\sbcphid.sys
R2 MDC8021X (AEGIS Protocol (IEEE 802.1x) v2.3.1.9) - c:\windows\system32\drivers\mdc8021x.sys <Not Verified; Meetinghouse Data Communications; AEGIS Client 2.3.1.9>

S3 DrvFltIp - c:\program files\bulletproofsoft.com\advancedpersonalfirewall\drvfltip.sys (file missing)
S3 iAimTV2 - c:\windows\system32\drivers\watv03nt.sys (file missing)


-- Services: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled --------------------

R2 Apple Mobile Device - "c:\program files\common files\apple\mobile device support\bin\applemobiledeviceservice.exe" <Not Verified; Apple, Inc.; Apple Mobile Device Service>
R2 Bonjour Service - "c:\program files\bonjour\mdnsresponder.exe" <Not Verified; Apple Inc.; Bonjour>
R2 r_server (Remote Administrator Service) - "c:\windows\system32\r_server.exe" /service <Not Verified; ; Remote Administrator>
R2 Viewpoint Manager Service - "c:\program files\viewpoint\common\viewpointservice.exe" <Not Verified; Viewpoint Corporation; Viewpoint Manager>

S3 YPCService - c:\windows\system32\ypcser~1.exe <Not Verified; Yahoo! Inc.; YPCService Module>


-- Device Manager: Disabled ----------------------------------------------------

Class GUID: {4D36E972-E325-11CE-BFC1-08002BE10318}
Description: Cisco Systems VPN Adapter
Device ID: ROOT\NET\0000
Manufacturer: Cisco Systems
Name: Cisco Systems VPN Adapter
PNP Device ID: ROOT\NET\0000
Service: CVirtA


-- Scheduled Tasks -------------------------------------------------------------

2004-12-06 15:50:07 294 --a------ C:\WINDOWS\Tasks\XoftSpy.job


-- Files created between 2008-01-13 and 2008-02-13 -----------------------------

2008-02-13 12:55:34 0 d-------- C:\WINDOWS\LastGood
2008-02-13 12:43:00 1093632 --a------ C:\WINDOWS\system32\{C4263C4A-B015-3BD9-B5C3-D93BC0C6D33B}.dat
2008-02-13 12:40:33 1093632 --a------ C:\WINDOWS\system32\{5E1CD7C0-3FC4-A1E3-3F28-E3A14F2DE9A1}.dat
2008-02-13 12:33:52 0 d-------- C:\Program Files\Trend Micro
2008-02-13 11:35:21 0 d-------- C:\Documents and Settings\All Users\Application Data\Lavasoft
2008-02-10 20:43:34 2177024 --a------ C:\WINDOWS\system32\{78499390-6C64-87B6-6F6C-B6871B3CBC87}.dat
2008-02-10 20:43:33 1093632 --a------ C:\WINDOWS\system32\{E59EAB29-54DD-1A61-D654-611AA5046B1A}.dat
2008-02-10 20:43:33 8693760 --a------ C:\WINDOWS\system32\{DA3A1CD2-E326-25C5-2DE3-C52544B3CF25}.dat
2008-02-08 21:32:22 1093632 --a------ C:\WINDOWS\system32\{380CD53C-2AC3-C7F3-C32A-F3C7B44EF9C7}.dat
2008-02-07 21:58:30 9699328 --a------ C:\Documents and Settings\Mark Gisi\ntuser.dat
2008-01-28 11:30:08 106 ---hs---- C:\WINDOWS\WSYS049.SYS
2008-01-21 18:50:50 0 d-------- C:\Program Files\iTunes
2008-01-21 18:41:40 0 d-------- C:\Program Files\Bonjour


-- Find3M Report ---------------------------------------------------------------

2008-02-13 12:52:22 0 d-------- C:\Program Files\LimeWire
2008-02-13 11:35:23 0 d-------- C:\Program Files\Lavasoft
2008-02-13 11:34:29 0 d-------- C:\Program Files\Common Files
2008-02-13 11:07:01 0 d-------- C:\Documents and Settings\Mark Gisi\Application Data\Lavasoft
2008-02-12 18:33:26 43746 --a------ C:\Documents and Settings\Mark Gisi\Application Data\wklnhst.dat
2008-02-12 13:21:40 0 d-------- C:\Program Files\SpywareBlaster
2008-02-08 20:54:38 0 d-------- C:\Documents and Settings\Mark Gisi\Application Data\Move Networks
2008-01-28 18:18:44 0 d-------- C:\Documents and Settings\Mark Gisi\Application Data\Image Zone Express
2008-01-23 11:19:22 0 d-------- C:\Program Files\RegistryFix
2008-01-21 18:51:16 0 d-------- C:\Program Files\iPod
2008-01-21 18:41:18 0 d-------- C:\Program Files\QuickTime
2007-12-30 17:56:54 0 d-------- C:\Documents and Settings\Mark Gisi\Application Data\Adobe
2007-12-30 14:51:59 0 d-------- C:\Program Files\Apple Software Update
2007-12-30 14:51:09 0 d-------- C:\Program Files\Common Files\Apple
2007-12-30 12:58:55 0 d--h----- C:\Program Files\InstallShield Installation Information
2007-12-06 20:21:46 267776 --a------ C:\WINDOWS\system32\iertutil(2).dll <Not Verified; Microsoft Corporation; Windows® Internet Explorer>


-- Registry Dump ---------------------------------------------------------------

*Note* empty entries & legit default entries are not shown


[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"avast!"="C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe" [12/04/2007 07:00 AM]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [08/04/2004 01:56 AM]
"Yahoo! Pager"="C:\PROGRA~1\Yahoo!\MESSEN~1\YAHOOM~1.exe" [10/26/2006 09:21 PM]

C:\Documents and Settings\Mark Gisi\Start Menu\Programs\Startup\
DESKTOP.INI [9/3/2002 8:00:00 AM]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
DESKTOP.INI [9/3/2002 8:00:00 AM]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]
@=

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\modget32]
modget32.dll 04/16/2007 09:52 AM 519430 C:\WINDOWS\SYSTEM32\modget32.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\vds]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{533C5B84-EC70-11D2-9505-00C04F79DEAF}]
@="Volume shadow copy"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Adobe Reader Speed Launch.lnk
backup=C:\WINDOWS\pss\Adobe Reader Speed Launch.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Cisco Systems VPN Client.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Cisco Systems VPN Client.lnk
backup=C:\WINDOWS\pss\Cisco Systems VPN Client.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^HP Digital Imaging Monitor.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\HP Digital Imaging Monitor.lnk
backup=C:\WINDOWS\pss\HP Digital Imaging Monitor.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Microsoft Office.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Microsoft Office.lnk
backup=C:\WINDOWS\pss\Microsoft Office.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^ymetray.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\ymetray.lnk
backup=C:\WINDOWS\pss\ymetray.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^Mark Gisi^Start Menu^Programs^Startup^PowerReg Scheduler V3.exe]
path=C:\Documents and Settings\Mark Gisi\Start Menu\Programs\Startup\PowerReg Scheduler V3.exe
backup=C:\WINDOWS\pss\PowerReg Scheduler V3.exeStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AIM]
C:\PROGRA~1\AIM\aim.exe -cnetwait.odl

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Aim6]
"C:\Program Files\AIM6\aim6.exe" /d locale=en-US ee://aol/imApp

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AVG7_CC]
C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BPS Security Console]
C:\Program Files\BulletProofSoft.com\BPS Security Console\SecCon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BPS Spyware Remover]
C:\Program Files\BulletProofSoft.com\BPS Spyware Remover\SpyRem.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BPSF]
C:\Program Files\BulletProofSoft.com\AdvancedPersonalFirewall\BPS Firewall.lnk

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ClamWin]
"C:\Program Files\ClamWin\bin\ClamTray.exe" --logon

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ctfmon.exe]
C:\WINDOWS\system32\ctfmon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HotKeysCmds]
C:\WINDOWS\system32\hkcmd.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HP Software Update]
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\igfxhkcmd]
C:\WINDOWS\system32\hkcmd.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\igfxpers]
C:\WINDOWS\system32\igfxpers.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IgfxTray]
C:\WINDOWS\system32\igfxtray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IntelMeM]
C:\Program Files\Intel\Modem Event Monitor\IntelMEM.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IPInSightMonitor 01]
"C:\Program Files\SBC Yahoo!\Connection Manager\IP InSight\IPMon32.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iRiver Updater]
\Updater.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
"C:\Program Files\iTunes\iTunesHelper.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Logitech Utility]
Logi_MwX.Exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Microsoft Works Update Detection]
C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MimBoot]
C:\PROGRA~1\MUSICM~1\MUSICM~2\mimboot.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MMTray]
"C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MoneyAgent]
"C:\Program Files\Microsoft Money\System\mnyexpr.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Mozilla Quick Launch]
"C:\Program Files\mozilla.org\Mozilla\Mozilla.exe" -turbo

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
"C:\Program Files\Messenger\msmsgs.exe" /background

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MySpaceIM]
C:\Program Files\MySpace\IM\MySpaceIM.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MyWebSearch Email Plugin]
C:\PROGRA~1\MYWEBS~1\bar\1.bin\mwsoemon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\New.net Startup]
rundll32 C:\PROGRA~1\NEWDOT~1\NEWDOT~2.DLL,ClientStartup -s

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PCMService]
"C:\Program Files\Dell\Media Experience\PCMService.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PCPitstop Optimize Registration Reminder]
C:\Program Files\PCPitstop\Optimize\Reminder.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
"C:\Program Files\QuickTime\qttask.exe" -atboottime

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RegistryMechanic]


[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SsAAD.exe]
C:\PROGRA~1\Sony\SONICS~1\SsAAD.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\UpdateManager]
"C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\updateMgr]
"C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" AcRdB7_0_7 -reboot 1

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\URLLSTCK.exe]
C:\Program Files\Norton Internet Security\UrlLstCk.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Yahoo! Pager]
"C:\PROGRA~1\Yahoo!\MESSEN~1\YAHOOM~1.EXE" -quiet

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\YBrowser]
C:\PROGRA~1\Yahoo!\browser\ybrwicon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\YOP]
C:\PROGRA~1\Yahoo!\YOP\yop.exe /autostart

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
HPZ12 Pml Driver HPZ12 Net Driver HPZ12
hpdevmgmt hpqcxs08 hpqddsvc




-- End of Deckard's System Scanner: finished at 2008-02-13 14:24:23 ------------

| Slovenšcina | Dansk | ??????? | Româna | Türkçe | Nederlands | ???????? | Français | Svenska | Português | Italiano | | | Magyar | Deutsch | Cesky | Polski | Español
Virustotal is a service that analyzes suspicious files and facilitates the quick detection of viruses, worms, trojans, and all kinds of malware detected by antivirus engines. More information...
File modget32.dll received on 02.13.2008 21:08:38 (CET)
Current status: finished

Result: 3/31 (9.68%)
Compact Print results
Antivirus Version Last Update Result
AhnLab-V3 2008.2.14.10 2008.02.13 -
AntiVir 7.6.0.65 2008.02.13 -
Authentium 4.93.8 2008.02.13 -
Avast 4.7.1098.0 2008.02.13 -
AVG 7.5.0.516 2008.02.13 -
BitDefender 7.2 2008.02.13 -
CAT-QuickHeal None 2008.02.13 -
ClamAV 0.92 2008.02.13 -
DrWeb 4.44.0.09170 2008.02.13 -
eSafe 7.0.15.0 2008.02.13 -
eTrust-Vet 31.3.5533 2008.02.13 -
Ewido 4.0 2008.02.13 -
FileAdvisor 1 2008.02.13 -
Fortinet 3.14.0.0 2008.02.13 -
F-Prot 4.4.2.54 2008.02.12 W32/Heuristic-KPP!Eldorado
F-Secure 6.70.13260.0 2008.02.13 -
Ikarus T3.1.1.20 2008.02.13 -
Kaspersky 7.0.0.125 2008.02.13 -
McAfee 5229 2008.02.13 -
Microsoft 1.3204 2008.02.13 -
NOD32v2 2872 2008.02.13 -
Norman 5.80.02 2008.02.13 -
Panda 9.0.0.4 2008.02.13 Suspicious file
Prevx1 V2 2008.02.13 -
Rising 20.31.10.00 2008.02.13 -
Sophos 4.26.0 2008.02.13 Sus/Dropper-A
Sunbelt 2.2.907.0 2008.02.13 -
TheHacker 6.2.9.219 2008.02.13 -
VBA32 3.12.6.1 2008.02.13 -
VirusBuster 4.3.26:9 2008.02.13 -
Webwasher-Gateway 6.6.2 2008.02.13 -
Additional information
File size: 519430 bytes
MD5: 7f3d2d63f3965215bba75da07da605b7
SHA1: 7cae51e4b5104a42168bb6254621b888d566ef71
PEiD: -


ATTENTION: VirusTotal is a free service offered by Hispasec Sistemas. There are no guarantees about the availability and continuity of this service. Although the detection rate afforded by the use of multiple antivirus engines is far superior to that offered by just one product, these results DO NOT guarantee the harmlessness of a file. Currently, there is not any solution that offers a 100% effectiveness rate for detecting viruses and malware.

VirusTotal © Hispasec Sistemas - Blog - Contact: info@virustotal.com

#4 Juliet

Juliet

    Advanced Member

  • Trusted Malware Techs
  • 22,153 posts
  • Gender:Female


Posted 13 February 2008 - 04:49 PM

Welcome back

Open HijackThis, Click Do a system scan only, checkmark these. Then close all other windows and browsers except HijackThis and press fix checked.

O8 - Extra context menu item: &Search - ?p=ZRxdm185YYUS
O20 - Winlogon Notify: modget32 - C:\WINDOWS\SYSTEM32\modget32.dll

Reboot





Go to My Computer->Tools->Folder Options->View tab:
[*]Under the Hidden files and folders heading:
[*]Select - Show hidden files and folders.
[*]Uncheck- Hide protected operating system files (recommended) option.
[*]Also, make sure there is no checkmark beside Hide file extensions for known file types.
[*] Click OK. (Remember to Hide files and folders once done)

Using Windows Explorer (right-click your "Start" button and select "Explore"), please navigate to

Locate the below files, right click and and open with Notepad, tell me what these files are?


C:\WINDOWS\system32\{C4263C4A-B015-3BD9-B5C3-D93BC0C6D33B}.dat
C:\WINDOWS\system32\{5E1CD7C0-3FC4-A1E3-3F28-E3A14F2DE9A1}.dat
C:\WINDOWS\system32\{78499390-6C64-87B6-6F6C-B6871B3CBC87}.dat
C:\WINDOWS\system32\{E59EAB29-54DD-1A61-D654-611AA5046B1A}.dat
C:\WINDOWS\system32\{DA3A1CD2-E326-25C5-2DE3-C52544B3CF25}.dat
C:\WINDOWS\system32\{380CD53C-2AC3-C7F3-C32A-F3C7B44EF9C7}.dat


Also see if any of these files are present

C:\Program Files\Common Files\Cheater Checker
C:\WINDOWS\system32\Cheater Checker
C:\Documents and Settings\All Users\Application Data\Cheater Checker
C:\Documents and Settings\Owner\Application Data\Cheater Checker
C:\Program Files\Common Files\Cheater Checker



NEXT

Download Combofix from any of the links below, and save it to your desktop.<--Important

Link 1
Link 2
Link 3


Click on this link Here to see a list of programs that should be disabled.
The list is not all inclusive. If yours is not listed and you don't know how to disable it, please ask.



Next: Disconnect from the internet. If you are on Cable or DSL unplug your computer from the modem.
Next: Please disable all onboard security programs (all running with back ground protection) as it may hinder the scanner from working.
This includes Antivirus, Firewall, and any Spyware scanners that run in the background.
Click on this link Here to see a list of programs that should be disabled.
The list is not all inclusive. If yours is not listed and you don't know how to disable it, please ask.




Please open Notepad *Do Not Use Wordpad!* (Start -> Run -> type notepad in the Open field -> OK) and copy and paste the text present inside the quote box below:
Save this as "CFScript.txt" including the quotes, and change the "Save as type" to "All Files" and place it on your desktop.

KILLALL::

File::
C:\WINDOWS\SYSTEM32\modget32.dll
C:\PROGRA~1\MYWEBS~1\bar\1.bin\mwsoemon.exe
C:\PROGRA~1\NEWDOT~1\NEWDOT~2.DLL

Registry::
[-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\modget32]
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MyWebSearch Email Plugin]
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\New.net Startup]

Posted Image

Referring to the screenshot above, drag CFScript.txt into ComboFix.exe.
ComboFix will now run a scan on your system. It may reboot your system when it finishes. This is normal.
When finished, it shall produce a log for you, C:\ComboFix.txt. Post that log in your next reply.


Note: the above code was created specifically for this user. If you are not this user, do NOT follow these directions as they could damage the workings of your system.


Note: Do not mouseclick combofix's window while its running. That may cause it to stall

Please be patient while the scan runs, at times it may appear to stall.

When finished and after reboot (in case it asks to reboot), it should open a log, combofix.txt.
Post this log in your next reply together with a new hijackthislog.
Do NOT post the ComboFix-quarantined-files.txt - unless I ask you to.
After rebooting ensure your Security applications have been re-enabled.





We need to close the security issue with your older version of Java


Your Java is out of date. Older versions have vulnerabilities that malware can use to infect your system.
Please follow these steps to remove older version Java components and update.
  • Download the latest version of Java Runtime Environment (JRE) 6 Update 4
  • Scroll to Java Runtime Environment (JRE) 6 Update 4 and click on the download button
  • Click the "Download" button to the right.
  • In the Window that opens, select Windows, your Language, check the "agree" box and click Continue.
  • Click on the link to download Windows Offline Installation and save to your desktop.

    Go to Start > Control Panel double-click on the Software icon > add/remove programs.
    Search in the list for all previous installed versions of Java. (J2SE Runtime Environment.... )
    It should have this icon next to it: Posted Image
    Select it and click Remove.
  • Close any programs you may have running - especially your web browser.
  • Repeat as many times as necessary to remove each Java versions.
  • Reboot your computer once all Java components are removed.
  • Then from your desktop double-click on jre-6u4-windows-i586-p.exe to install the newest version.




NEXT

*Note
It is recommended to disable onboard antivirus program and antispyware programs while performing scans so no conflicts and to speed up scan time.
Please don't go surfing while your resident protection is disabled!
Once scan is finished remember to re-enable resident antivirus protection along with whatever antispyware app you use.

Please use the Internet Explorer browser, and do an online scan with Kaspersky Online Scanner
Note: If you have used this particular scanner before, you MAY HAVE YO UNINSTALL the program through Add/Remove Programs before downloading the new ActiveX component

Click Yes, when prompted to install its ActiveX component.
(Note.. for Internet Explorer 7 users: If at any time you have trouble with the "Accept" button of the license, click on the "Zoom" tool located at the bottom right of the IE window and set the zoom to 75 %. Once the license has been accepted, reset to 100%.)
Or use Firefox with IE-Tab plugin
https://addons.mozil...efox/addon/1419
The program launches and downloads the latest definition files.
  • Once the files are downloaded click on Next
  • Click on Scan Settings and configure as follows:
    • Scan using the following Anti-Virus database:
      • Extended
    • Scan Options:Scan Archives
      Scan Mail Bases
  • Click OK and, under select a target to scan, select My Computer
When the scan is done, in the Scan is completed window (below), any infection is displayed.
There is no option to clean/disinfect, however, we need to analyze the information on the report.
Posted Image

Posted Image


To obtain the report:
Click on: Save Report As (above - red blinking arrow)
Next, in the Save as prompt, Save in area, select: Desktop
In the File name area, use KScan, or something similar
In Save as type, click the drop arrow and select: Text file [*.txt]
Then, click: Save
Please post the Kaspersky Online Scanner Report in your reply.
======================================================


In your next reply post:

Any inforamtion on the requested files
ComboFix.txt
Kaspersky log
New HJT log

Tell me how your computer is running now
Please do not PM me for HJT help, we all benefit from posting on the open board.

MS - MVP Consumer Security 2009 - 2014

#5 leftydrummrr

leftydrummrr

    Member

  • Members
  • 117 posts

Posted 13 February 2008 - 10:37 PM

Here are the scans from ComboFix,Kaspersky,and the new HTL. Hope this helps,thanks.

ComboFix 08-02-14.1 - Mark Gisi 2008-02-13 18:02:42.1 - NTFSx86

Running from: C:\Documents and Settings\Mark Gisi\My Documents\ComboFix.exe
Command switches used :: C:\Documents and Settings\Mark Gisi\Desktop\CFScript.txt
* Created a new restore point

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!

FILE
C:\PROGRA~1\MYWEBS~1\bar\1.bin\mwsoemon.exe
C:\PROGRA~1\NEWDOT~1\NEWDOT~2.DLL
C:\WINDOWS\SYSTEM32\modget32.dll
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\WINDOWS\Downloaded Program Files\Quarantine
C:\WINDOWS\SYSTEM32\modget32.dll

.
((((((((((((((((((((((((( Files Created from 2008-01-14 to 2008-02-14 )))))))))))))))))))))))))))))))
.

2008-02-13 17:42 . 2004-08-04 01:56 388,608 --a------ C:\kmd.exe
2008-02-13 14:19 . 2008-02-13 14:19 <DIR> d-------- C:\Deckard
2008-02-13 13:27 . 2008-02-13 13:27 54,156 --ah----- C:\WINDOWS\QTFont.qfn
2008-02-13 13:27 . 2008-02-13 13:27 1,409 --a------ C:\WINDOWS\QTFont.for
2008-02-13 12:43 . 2008-02-13 12:43 1,093,632 --a------ C:\WINDOWS\SYSTEM32\{C4263C4A-B015-3BD9-B5C3-D93BC0C6D33B}.dat
2008-02-13 12:40 . 2008-02-13 12:40 1,093,632 --a------ C:\WINDOWS\SYSTEM32\{5E1CD7C0-3FC4-A1E3-3F28-E3A14F2DE9A1}.dat
2008-02-13 12:33 . 2008-02-13 12:33 <DIR> d-------- C:\Program Files\Trend Micro
2008-02-13 11:35 . 2008-02-13 11:36 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Lavasoft
2008-02-10 20:43 . 2008-02-13 12:38 8,693,760 --a------ C:\WINDOWS\SYSTEM32\{DA3A1CD2-E326-25C5-2DE3-C52544B3CF25}.dat
2008-02-10 20:43 . 2008-02-13 12:38 2,177,024 --a------ C:\WINDOWS\SYSTEM32\{78499390-6C64-87B6-6F6C-B6871B3CBC87}.dat
2008-02-10 20:43 . 2008-02-13 12:38 1,093,632 --a------ C:\WINDOWS\SYSTEM32\{E59EAB29-54DD-1A61-D654-611AA5046B1A}.dat
2008-02-08 21:32 . 2008-02-13 12:38 1,093,632 --a------ C:\WINDOWS\SYSTEM32\{380CD53C-2AC3-C7F3-C32A-F3C7B44EF9C7}.dat
2008-01-28 11:30 . 2002-07-31 19:55 106 ---hs---- C:\WINDOWS\WSYS049.SYS
2008-01-28 11:30 . 2001-09-05 12:28 41 ---h----- C:\WINDOWS\trfntw32.cfg
2008-01-21 18:50 . 2008-01-21 18:51 <DIR> d-------- C:\Program Files\iTunes
2008-01-21 18:41 . 2008-01-21 18:41 <DIR> d-------- C:\Program Files\Bonjour

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-02-13 21:14 43,746 ----a-w C:\Documents and Settings\Mark Gisi\Application Data\wklnhst.dat
2008-02-13 18:52 --------- d-----w C:\Program Files\LimeWire
2008-02-13 17:35 --------- d-----w C:\Program Files\Lavasoft
2008-02-13 17:07 --------- d-----w C:\Documents and Settings\Mark Gisi\Application Data\Lavasoft
2008-02-12 19:21 --------- d-----w C:\Program Files\SpywareBlaster
2008-02-09 02:54 --------- d-----w C:\Documents and Settings\Mark Gisi\Application Data\Move Networks
2008-01-29 00:18 --------- d-----w C:\Documents and Settings\Mark Gisi\Application Data\Image Zone Express
2008-01-23 17:19 --------- d-----w C:\Program Files\RegistryFix
2008-01-22 00:51 --------- d-----w C:\Program Files\iPod
2008-01-22 00:41 --------- d-----w C:\Program Files\QuickTime
2007-12-30 20:51 --------- d-----w C:\Program Files\Common Files\Apple
2007-12-30 20:51 --------- d-----w C:\Program Files\Apple Software Update
2007-12-30 18:58 --------- d--h--w C:\Program Files\InstallShield Installation Information
2004-12-12 22:50 251,040 ----a-w C:\Documents and Settings\Mark Gisi\Application Data\GDIPFONTCACHEV1.DAT
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\Fatdll]
@={2574C284-194B-43B3-A057-E188849BA5CC}

[HKEY_CLASSES_ROOT\CLSID\{2574C284-194B-43B3-A057-E188849BA5CC}]
2007-04-16 09:52 1290347 --a------ C:\WINDOWS\system32\micwiz.dll

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 01:56 15360]
"Yahoo! Pager"="C:\PROGRA~1\Yahoo!\MESSEN~1\YAHOOM~1.exe" [2006-10-26 21:21 4662776]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"avast!"="C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe" [2007-12-04 07:00 79224]

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Adobe Reader Speed Launch.lnk
backup=C:\WINDOWS\pss\Adobe Reader Speed Launch.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Cisco Systems VPN Client.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Cisco Systems VPN Client.lnk
backup=C:\WINDOWS\pss\Cisco Systems VPN Client.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^HP Digital Imaging Monitor.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\HP Digital Imaging Monitor.lnk
backup=C:\WINDOWS\pss\HP Digital Imaging Monitor.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Microsoft Office.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Microsoft Office.lnk
backup=C:\WINDOWS\pss\Microsoft Office.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^ymetray.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\ymetray.lnk
backup=C:\WINDOWS\pss\ymetray.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^Mark Gisi^Start Menu^Programs^Startup^PowerReg Scheduler V3.exe]
path=C:\Documents and Settings\Mark Gisi\Start Menu\Programs\Startup\PowerReg Scheduler V3.exe
backup=C:\WINDOWS\pss\PowerReg Scheduler V3.exeStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AIM]
C:\PROGRA~1\AIM\aim.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Aim6]
C:\Program Files\AIM6\aim6.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AVG7_CC]
C:\PROGRA~1\Grisoft\AVG7\avgcc.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BPS Security Console]
C:\Program Files\BulletProofSoft.com\BPS Security Console\SecCon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BPS Spyware Remover]
C:\Program Files\BulletProofSoft.com\BPS Spyware Remover\SpyRem.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BPSF]
C:\Program Files\BulletProofSoft.com\AdvancedPersonalFirewall\BPS Firewall.lnk

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ClamWin]
C:\Program Files\ClamWin\bin\ClamTray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ctfmon.exe]
--a------ 2004-08-04 01:56 15360 C:\WINDOWS\system32\ctfmon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HotKeysCmds]
--a------ 2005-09-20 08:32 77824 C:\WINDOWS\system32\hkcmd.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HP Software Update]
--a------ 2006-12-10 20:52 49152 C:\Program Files\HP\HP Software Update\HPWuSchd2.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\igfxhkcmd]
--a------ 2005-09-20 08:32 77824 C:\WINDOWS\system32\hkcmd.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\igfxpers]
--a------ 2005-09-20 08:36 114688 C:\WINDOWS\system32\igfxpers.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IgfxTray]
--a------ 2005-09-20 08:35 94208 C:\WINDOWS\system32\igfxtray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IntelMeM]
--a------ 2003-09-03 19:12 221184 C:\Program Files\Intel\Modem Event Monitor\IntelMEM.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IPInSightMonitor 01]
--a------ 2003-07-14 13:30 98304 C:\Program Files\SBC Yahoo!\Connection Manager\IP InSight\IPMon32.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iRiver Updater]
--a------ 2004-07-01 15:20 212992 C:\Updater.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
--a------ 2008-01-15 03:22 267048 C:\Program Files\iTunes\iTunesHelper.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Logitech Utility]
--------- 2003-03-04 03:50 19968 C:\WINDOWS\LOGI_MWX.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Microsoft Works Update Detection]
--------- 2003-12-05 21:08 50688 C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MimBoot]
C:\PROGRA~1\MUSICM~1\MUSICM~2\mimboot.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MMTray]
C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MoneyAgent]
--a------ 2003-06-18 11:00 200704 C:\Program Files\Microsoft Money\System\mnyexpr.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Mozilla Quick Launch]
C:\Program Files\mozilla.org\Mozilla\Mozilla.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
--a------ 2004-10-13 10:24 1694208 C:\Program Files\Messenger\msmsgs.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MySpaceIM]
C:\Program Files\MySpace\IM\MySpaceIM.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\New.net Startup]
C:\PROGRA~1\NEWDOT~1\NEWDOT~2.DLL

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PCMService]
--------- 2003-08-26 18:47 204800 C:\Program Files\Dell\Media Experience\PCMService.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PCPitstop Optimize Registration Reminder]
C:\Program Files\PCPitstop\Optimize\Reminder.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
--a------ 2008-01-10 15:27 385024 C:\Program Files\QuickTime\qttask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RegistryMechanic]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SsAAD.exe]
--a------ 2005-06-03 07:16 81920 C:\PROGRA~1\Sony\SONICS~1\SsAAD.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
--a------ 2005-11-10 13:03 36975 C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\UpdateManager]
--a------ 2003-08-19 00:01 110592 C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\updateMgr]
-ra------ 2006-03-30 16:45 313472 C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\URLLSTCK.exe]
C:\Program Files\Norton Internet Security\UrlLstCk.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Yahoo! Pager]
--a------ 2006-10-26 21:21 4662776 C:\PROGRA~1\Yahoo!\MESSEN~1\YAHOOM~1.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\YBrowser]
--a------ 2006-07-21 16:19 129536 C:\PROGRA~1\Yahoo!\browser\ybrwicon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\YOP]
--a------ 2005-04-22 19:49 397312 C:\PROGRA~1\Yahoo!\YOP\yop.exe

R2 r_server;Remote Administrator Service;"C:\WINDOWS\system32\r_server.exe" [2005-06-21 14:16]
R2 Viewpoint Manager Service;Viewpoint Manager Service;"C:\Program Files\Viewpoint\Common\ViewpointService.exe" [2007-01-04 15:38]
S3 DrvFltIp;DrvFltIp;C:\Program Files\BulletProofSoft.com\AdvancedPersonalFirewall\DrvFltIp.sys []
S3 MR97310_VGA_DUAL_CAMERA;VGA Dual-Mode Camera;C:\WINDOWS\system32\DRIVERS\mr97310v.sys [2004-03-30 10:29]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12
hpdevmgmt REG_MULTI_SZ hpqcxs08 hpqddsvc

.
Contents of the 'Scheduled Tasks' folder
"2004-12-06 21:50:07 C:\WINDOWS\Tasks\XoftSpy.job"
- C:\Program Files\XoftSpy\XoftSpy.exe
.
**************************************************************************

catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-02-13 18:09:54
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

PROCESS: C:\WINDOWS\explorer.exe [6.00.2900.3156]
-> C:\WINDOWS\system32\micwiz.dll
.
------------------------ Other Running Processes ------------------------
.
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINDOWS\System32\CTsvcCDA.exe
C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
.
**************************************************************************
.
Completion time: 2008-02-13 18:15:31 - machine was rebooted [Mark Gisi]
ComboFix-quarantined-files.txt 2008-02-14 00:15:27
.
2008-02-13 18:53:00 --- E O F ---
-------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER REPORT
Wednesday, February 13, 2008 9:29:21 PM
Operating System: Microsoft Windows XP Home Edition, Service Pack 2 (Build 2600)
Kaspersky Online Scanner version: 5.0.98.0
Kaspersky Anti-Virus database last update: 13/02/2008
Kaspersky Anti-Virus database records: 564373
-------------------------------------------------------------------------------

Scan Settings:
Scan using the following antivirus database: extended
Scan Archives: true
Scan Mail Bases: true

Scan Target - My Computer:
A:\
C:\
D:\
E:\
F:\

Scan Statistics:
Total number of scanned objects: 112088
Number of viruses found: 4
Number of infected objects: 25
Number of suspicious objects: 0
Duration of the scan process: 01:37:24

Infected Object Name / Virus Name / Last Action
C:\Documents and Settings\LocalService\Cookies\INDEX.DAT Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\History\History.IE5\INDEX.DAT Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\INDEX.DAT Object is locked skipped
C:\Documents and Settings\LocalService\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\LocalService\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\Mark Gisi\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\jvmimpro.jar-3ad601a5-549a9cbf.zip/vmain.class Infected: Exploit.Java.Gimsh.b skipped
C:\Documents and Settings\Mark Gisi\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\jvmimpro.jar-3ad601a5-549a9cbf.zip ZIP: infected - 1 skipped
C:\Documents and Settings\Mark Gisi\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\Mark Gisi\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\Mark Gisi\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\Mark Gisi\Local Settings\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\Mark Gisi\Local Settings\History\History.IE5\MSHist012008021320080214\index.dat Object is locked skipped
C:\Documents and Settings\Mark Gisi\Local Settings\Temp\Perflib_Perfdata_e40.dat Object is locked skipped
C:\Documents and Settings\Mark Gisi\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\Mark Gisi\My Documents\radmin22\RADMIN22.EXE/radmin.exe Infected: not-a-virus:RemoteAdmin.Win32.RAdmin.22 skipped
C:\Documents and Settings\Mark Gisi\My Documents\radmin22\RADMIN22.EXE/r_server.exe Infected: not-a-virus:RemoteAdmin.Win32.RAdmin.22 skipped
C:\Documents and Settings\Mark Gisi\My Documents\radmin22\RADMIN22.EXE/raddrv.dll Infected: not-a-virus:RemoteAdmin.Win32.RAdmin.22 skipped
C:\Documents and Settings\Mark Gisi\My Documents\radmin22\RADMIN22.EXE Gentee: infected - 3 skipped
C:\Documents and Settings\Mark Gisi\My Documents\radmin22.zip/RADMIN22.EXE/radmin.exe Infected: not-a-virus:RemoteAdmin.Win32.RAdmin.22 skipped
C:\Documents and Settings\Mark Gisi\My Documents\radmin22.zip/RADMIN22.EXE/r_server.exe Infected: not-a-virus:RemoteAdmin.Win32.RAdmin.22 skipped
C:\Documents and Settings\Mark Gisi\My Documents\radmin22.zip/RADMIN22.EXE/raddrv.dll Infected: not-a-virus:RemoteAdmin.Win32.RAdmin.22 skipped
C:\Documents and Settings\Mark Gisi\My Documents\radmin22.zip/RADMIN22.EXE Infected: not-a-virus:RemoteAdmin.Win32.RAdmin.22 skipped
C:\Documents and Settings\Mark Gisi\My Documents\radmin22.zip ZIP: infected - 4 skipped
C:\Documents and Settings\Mark Gisi\ntuser.dat Object is locked skipped
C:\Documents and Settings\Mark Gisi\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\NetworkService\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\NetworkService\ntuser.dat.LOG Object is locked skipped
C:\Program Files\Alwil Software\Avast4\DATA\aswResp.dat Object is locked skipped
C:\Program Files\Alwil Software\Avast4\DATA\Avast4.db Object is locked skipped
C:\Program Files\Alwil Software\Avast4\DATA\integ\avast.int Object is locked skipped
C:\Program Files\Alwil Software\Avast4\DATA\log\AshWebSv.ws Object is locked skipped
C:\Program Files\Alwil Software\Avast4\DATA\log\aswMaiSv.log Object is locked skipped
C:\Program Files\Alwil Software\Avast4\DATA\log\nshield.log Object is locked skipped
C:\Program Files\Alwil Software\Avast4\DATA\report\Resident protection.txt Object is locked skipped
C:\Program Files\filesubmit\calhobbes.exe\atoolbar400134.exe/WISE0001.BIN Infected: not-a-virus:AdWare.Win32.Accoona.b skipped
C:\Program Files\filesubmit\calhobbes.exe\atoolbar400134.exe WiseSFX: infected - 1 skipped
C:\Program Files\filesubmit\calhobbes.exe\atoolbar400134.exe WiseSFXDropper: infected - 1 skipped
C:\Program Files\Radmin\radmin.exe Infected: not-a-virus:RemoteAdmin.Win32.RAdmin.22 skipped
C:\Program Files\Radmin\r_server.exe Infected: not-a-virus:RemoteAdmin.Win32.RAdmin.22 skipped
C:\Program Files\Remote Administrator Viewer\RADMIN22.EXE/radmin.exe Infected: not-a-virus:RemoteAdmin.Win32.RAdmin.22 skipped
C:\Program Files\Remote Administrator Viewer\RADMIN22.EXE/r_server.exe Infected: not-a-virus:RemoteAdmin.Win32.RAdmin.22 skipped
C:\Program Files\Remote Administrator Viewer\RADMIN22.EXE/raddrv.dll Infected: not-a-virus:RemoteAdmin.Win32.RAdmin.22 skipped
C:\Program Files\Remote Administrator Viewer\RADMIN22.EXE Gentee: infected - 3 skipped
C:\Program Files\SELFHEAL\VPN-RA Combo 3.0\VPN-RA Combo 3.0.msi/Data1.cab/radmin.exe Infected: not-a-virus:RemoteAdmin.Win32.RAdmin.22 skipped
C:\Program Files\SELFHEAL\VPN-RA Combo 3.0\VPN-RA Combo 3.0.msi/Data1.cab/admdll.dll Infected: not-a-virus:RemoteAdmin.Win32.RAdmin.20 skipped
C:\Program Files\SELFHEAL\VPN-RA Combo 3.0\VPN-RA Combo 3.0.msi/Data1.cab Infected: not-a-virus:RemoteAdmin.Win32.RAdmin.20 skipped
C:\Program Files\SELFHEAL\VPN-RA Combo 3.0\VPN-RA Combo 3.0.msi Embedded: infected - 3 skipped
C:\Program Files\Yahoo!\Messenger\logs\billing_Mark Gisi.log Object is locked skipped
C:\Program Files\Yahoo!\Messenger\logs\client_Mark Gisi.log Object is locked skipped
C:\Program Files\Yahoo!\Messenger\logs\network_Mark Gisi.log Object is locked skipped
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP872\change.log Object is locked skipped
C:\WINDOWS\Debug\PASSWD.LOG Object is locked skipped
C:\WINDOWS\Internet Logs\tvDebug.log Object is locked skipped
C:\WINDOWS\SchedLgU.Txt Object is locked skipped
C:\WINDOWS\SoftwareDistribution\ReportingEvents.log Object is locked skipped
C:\WINDOWS\Sti_Trace.log Object is locked skipped
C:\WINDOWS\SYSTEM32\CatRoot2\edb.log Object is locked skipped
C:\WINDOWS\SYSTEM32\CatRoot2\tmp.edb Object is locked skipped
C:\WINDOWS\SYSTEM32\CONFIG\Antivirus.Evt Object is locked skipped
C:\WINDOWS\SYSTEM32\CONFIG\AppEvent.Evt Object is locked skipped
C:\WINDOWS\SYSTEM32\CONFIG\DEFAULT Object is locked skipped
C:\WINDOWS\SYSTEM32\CONFIG\DEFAULT.LOG Object is locked skipped
C:\WINDOWS\SYSTEM32\CONFIG\Internet.evt Object is locked skipped
C:\WINDOWS\SYSTEM32\CONFIG\SAM Object is locked skipped
C:\WINDOWS\SYSTEM32\CONFIG\SAM.LOG Object is locked skipped
C:\WINDOWS\SYSTEM32\CONFIG\SecEvent.Evt Object is locked skipped
C:\WINDOWS\SYSTEM32\CONFIG\SECURITY Object is locked skipped
C:\WINDOWS\SYSTEM32\CONFIG\SECURITY.LOG Object is locked skipped
C:\WINDOWS\SYSTEM32\CONFIG\SOFTWARE Object is locked skipped
C:\WINDOWS\SYSTEM32\CONFIG\SOFTWARE.LOG Object is locked skipped
C:\WINDOWS\SYSTEM32\CONFIG\SysEvent.Evt Object is locked skipped
C:\WINDOWS\SYSTEM32\CONFIG\SYSTEM Object is locked skipped
C:\WINDOWS\SYSTEM32\CONFIG\SYSTEM.LOG Object is locked skipped
C:\WINDOWS\SYSTEM32\H323LOG.TXT Object is locked skipped
C:\WINDOWS\SYSTEM32\r_server.exe Infected: not-a-virus:RemoteAdmin.Win32.RAdmin.22 skipped
C:\WINDOWS\SYSTEM32\WBEM\Repository\FS\INDEX.BTR Object is locked skipped
C:\WINDOWS\SYSTEM32\WBEM\Repository\FS\INDEX.MAP Object is locked skipped
C:\WINDOWS\SYSTEM32\WBEM\Repository\FS\MAPPING.VER Object is locked skipped
C:\WINDOWS\SYSTEM32\WBEM\Repository\FS\MAPPING1.MAP Object is locked skipped
C:\WINDOWS\SYSTEM32\WBEM\Repository\FS\MAPPING2.MAP Object is locked skipped
C:\WINDOWS\SYSTEM32\WBEM\Repository\FS\OBJECTS.DATA Object is locked skipped
C:\WINDOWS\SYSTEM32\WBEM\Repository\FS\OBJECTS.MAP Object is locked skipped
C:\WINDOWS\Temp\Perflib_Perfdata_5ec.dat Object is locked skipped
C:\WINDOWS\Temp\_avast4_\Webshlock.txt Object is locked skipped
C:\WINDOWS\WIADEBUG.LOG Object is locked skipped
C:\WINDOWS\WIASERVC.LOG Object is locked skipped
C:\WINDOWS\WindowsUpdate.log Object is locked skipped

Scan process completed.
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 6:22:25 PM, on 2/13/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16574)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINDOWS\System32\CTsvcCDA.exe
C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\r_server.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Viewpoint\Common\ViewpointService.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\WINDOWS\system32\ctfmon.exe
C:\PROGRA~1\Yahoo!\MESSEN~1\YAHOOM~1.EXE
C:\WINDOWS\explorer.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\notepad.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://att.my.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://att.yahoo.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://att.yahoo.com
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: UberButton Class - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\PROGRA~1\Yahoo!\Common\yiesrvc.dll
O2 - BHO: YahooTaggedBM Class - {65D886A2-7CA7-479B-BB95-14D1EFB7946A} - C:\PROGRA~1\Yahoo!\Common\YIeTagBm.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O2 - BHO: SidebarAutoLaunch Class - {F2AA9440-6328-4933-B7C9-A6CCDF9CBF6D} - C:\Program Files\Yahoo!\browser\YSidebarIEBHO.dll
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\PROGRA~1\Yahoo!\MESSEN~1\YAHOOM~1.EXE" -quiet
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: AT&T Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\PROGRA~1\Yahoo!\Common\yiesrvc.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {01A88BB1-1174-41EC-ACCB-963509EAE56B} (SysProWmi Class) - http://support.dell....iler/SysPro.CAB
O16 - DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} (PCPitstop Utility) - http://www.pcpitstop...p/PCPitStop.CAB
O16 - DPF: {1239CC52-59EF-4DFA-8C61-90FFA846DF7E} (Musicnotes Viewer) - http://www.musicnote...ad/mnviewer.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft....204&clcid=0x409
O16 - DPF: {193C772A-87BE-4B19-A7BB-445B226FE9A1} (ewidoOnlineScan Control) - http://download.ewid...oOnlineScan.cab
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (Installation Support) - C:\Program Files\Yahoo!\Common\Yinsthelper20073151.dll
O16 - DPF: {31E68DE2-5548-4B23-88F0-C51E6A0F695E} (Microsoft PID Sniffer) - https://support.micr...ActiveX/odc.cab
O16 - DPF: {406B5949-7190-4245-91A9-30A17DE16AD0} (Snapfish Activia) - http://photo.walgree...eensActivia.cab
O16 - DPF: {48DD0448-9209-4F81-9F6D-D83562940134} (MySpace Uploader Control) - http://lads.myspace....ploader1005.cab
O16 - DPF: {4C39376E-FA9D-4349-BACC-D305C1750EF3} (EPUImageControl Class) - http://tools.ebayimg...l_v1-0-3-48.cab
O16 - DPF: {4CCA4E80-9259-11D9-AC6E-444553544200} (FixController Control) - http://h30155.www3.h...llMgr_v01_5.cab
O16 - DPF: {9732FB42-C321-11D1-836F-00A0C993F125} (mhLabel Class) - http://www.pcpitstop.com/mhLbl.cab
O16 - DPF: {A8F2B9BD-A6A0-486A-9744-18920D898429} - http://www.sibelius....tiveXPlugin.cab
O16 - DPF: {EF791A6B-FC12-4C68-99EF-FB9E207A39E6} (McFreeScan Class) - http://download.mcaf...881/mcfscan.cab
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\System32\CTsvcCDA.exe
O23 - Service: Cisco Systems, Inc. VPN Service (CVPND) - Cisco Systems, Inc. - C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: MSCSPTISRV - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\MSCSPTISRV.exe
O23 - Service: Intel NCS NetService (NetSvc) - Intel® Corporation - C:\Program Files\Intel\NCS\Sync\NetSvc.exe
O23 - Service: PACSPTISVR - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\PACSPTISVR.exe
O23 - Service: Remote Administrator Service (r_server) - Unknown owner - C:\WINDOWS\system32\r_server.exe
O23 - Service: Sony SPTI Service (SPTISRV) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\SPTISRV.exe
O23 - Service: SonicStage SCSI Service (SSScsiSV) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\SSScsiSV.exe
O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exe
O23 - Service: YPCService - Yahoo! Inc. - C:\WINDOWS\SYSTEM32\YPCSER~1.EXE

--
End of file - 7480 bytes

#6 leftydrummrr

leftydrummrr

    Member

  • Members
  • 117 posts

Posted 14 February 2008 - 08:34 AM

Juliet,you also asked about six files,C426 etc. All six were titled... Solfs for Windows© Eldos Corporation,whatever that is. thanks,

Edited by leftydrummrr, 14 February 2008 - 08:38 AM.


#7 Juliet

Juliet

    Advanced Member

  • Trusted Malware Techs
  • 22,153 posts
  • Gender:Female


Posted 14 February 2008 - 11:42 AM

Welcome back

Did you find or see any of these files

Also see if any of these files are present

C:\Program Files\Common Files\Cheater Checker
C:\WINDOWS\system32\Cheater Checker
C:\Documents and Settings\All Users\Application Data\Cheater Checker
C:\Documents and Settings\Owner\Application Data\Cheater Checker
C:\Program Files\Common Files\Cheater Checker




Look in Add/Remove programs NewdotNet uninstall it if found.

If there is no entry to remove NewDotNet in the control panel there is also an uninstaller located in the folder C:\Program Files\NewDotNet called NDUninstall which can be used in case there is no uninstaller located in Add or Remove Programs.
If nothing is found, no problem.



Go to My Computer->Tools->Folder Options->View tab:
[*]Under the Hidden files and folders heading:
[*]Select - Show hidden files and folders.
[*]Uncheck- Hide protected operating system files (recommended) option.
[*]Also, make sure there is no checkmark beside Hide file extensions for known file types.
[*] Click OK. (Remember to Hide files and folders once done)


Using Windows Explorer (right-click your "Start" button and select "Explore"), please navigate to and delete the following files/folders in bold


C:\Documents and Settings\Mark Gisi\My Documents\radmin22.zip
C:\Program Files\filesubmit\calhobbes.exe\atoolbar400134.exe


NEXT

Next, launch Notepad, (Start > Run, type in: notepad)
copy and paste next present in the quotebox below in it:
(don't forget to copy and paste REGEDIT4)

REGEDIT4

[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\New.net Startup]

Save this as fix.reg and change the "Save as type" to "All Files" and place it on your desktop. It should look like this: Posted Image
Double-click on it and when it asks you if you want to merge the contents to the registry, click "Yes" or "OK". You should receive a message that it was successful. You may delete the file afterwards


Reboot your machine


While files/folders are still unhidden, do this next

Please go to: VirusTotal
  • Posted Image
  • Click the Browse button and search for the following file: C:\WINDOWS\system32\micwiz.dll
  • Click Open
  • Then click Send File
  • Please be patient while the file is scanned.
  • Once the scan results appear, please provide them in your next reply.



We need to to close a security issue with your older version of Java

Please follow these steps to remove older version Java components and update.
  • Download the latest version of Java Runtime Environment (JRE) 6 Update 4
  • Scroll to Java Runtime Environment (JRE) 6 Update 4 and click on the download button
  • Click the "Download" button to the right.
  • In the Window that opens, select Windows, your Language, check the "agree" box and click Continue.
  • Click on the link to download Windows Offline Installation and save to your desktop.

    Go to Start > Control Panel double-click on the Software icon > add/remove programs.
    Search in the list for all previous installed versions of Java. (J2SE Runtime Environment.... )
    It should have this icon next to it: Posted Image
    Select it and click Remove.
  • Close any programs you may have running - especially your web browser.
  • Repeat as many times as necessary to remove each Java versions.
  • Reboot your computer once all Java components are removed.
  • Then from your desktop double-click on jre-6u4-windows-i586-p.exe to install the newest version.
================================================================
Clearing Java Cache
Go into the Control Panel and double-click the Java Icon. (looks like a coffee cup)Posted Image
  • On the General tab, under Temporary Internet Files, click the Settings button.
  • Next, click on the Delete Files button
  • There are three options in the window to clear the cache - Leave all Checked
    • Applications
      Applets
      Trace and Log Files
  • Click OK on Delete Temporary Files Window
    Note: This deletes ALL the Downloaded Applications and Applets from the CACHE.
  • Click OK to leave the Temporary Files Window
  • Click OK to leave the Java Control Panel.




Is Cheater Checker still popping up at boot up?

Download & extract this file to it's own folder - http://www.xs4all.nl...s/regsearch.zip

Launch Registry Search
In the search box, enter Cheater Checker & click "Ok".
Notepad will open with some text in it (the file will also be saved in the program's folder as well).
Post this text in your next reply


In your next reply post
File requested scanned
Registry Search log
New HJT log


Tell me whats happening on the computer at the moment
Please do not PM me for HJT help, we all benefit from posting on the open board.

MS - MVP Consumer Security 2009 - 2014

#8 leftydrummrr

leftydrummrr

    Member

  • Members
  • 117 posts

Posted 14 February 2008 - 12:33 PM

Juliet, I didnt find any "Cheater Checker" files anywhere. The computer is faster after working through the tests.I have upgraded Java.Cheater Checker has not shown up,but I have deleted LimeWire. Reinstalling Limewire and using it might be a good way to test the changes that have been made so far. I'll work through these tests and report back,thanks.

Edited by leftydrummrr, 14 February 2008 - 12:35 PM.


#9 Juliet

Juliet

    Advanced Member

  • Trusted Malware Techs
  • 22,153 posts
  • Gender:Female


Posted 14 February 2008 - 12:45 PM

I didnt find any "Cheater Checker" files anywhere. The computer is faster after working through the tests.I have upgraded Java.Cheater Checker has not shown up,but I have deleted LimeWire. Reinstalling Limewire and using it might be a good way to test the changes that have been made so far. I'll work through these tests and report back,thanks.

Good to hear the computer runs better!


I've not heard of a program like that being installed with Limewire but I'm sure there could always be that first....
From what little info I could find stated it was a program that had to be manually installed, I didn't read anything that suggested it was installed in a bundle of others from one specific.

If it should show up again after reinstalling limewire.....I'd say let's stay away from Limewire.

Post back with the test you haven't completed.


Happy Valentines Day
Please do not PM me for HJT help, we all benefit from posting on the open board.

MS - MVP Consumer Security 2009 - 2014

#10 leftydrummrr

leftydrummrr

    Member

  • Members
  • 117 posts

Posted 14 February 2008 - 06:00 PM

Juliet,Here are the scans. The computer is quicker,but we seem to get more junk email now. I'll watch the email over the next few days to see if it continues. I also have desktop.ini on the desktop.I dont know how that got there,can I delete it? After you look at these scan results,let me know if I could try the limewire test.
Hope you had a Happy Valentines Day!
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 4:39:20 PM, on 2/14/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16608)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Program Files\Java\jre1.6.0_04\bin\jusched.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINDOWS\System32\CTsvcCDA.exe
C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\r_server.exe
C:\WINDOWS\system32\ctfmon.exe
C:\PROGRA~1\Yahoo!\MESSEN~1\YAHOOM~1.EXE
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Viewpoint\Common\ViewpointService.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\PROGRA~1\Yahoo!\browser\ycommon.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Yahoo!\browser\ybrwicon.exe
C:\Program Files\Yahoo!\browser\ybrowser.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://att.my.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://att.yahoo.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://att.yahoo.com
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: UberButton Class - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\PROGRA~1\Yahoo!\Common\yiesrvc.dll
O2 - BHO: YahooTaggedBM Class - {65D886A2-7CA7-479B-BB95-14D1EFB7946A} - C:\PROGRA~1\Yahoo!\Common\YIeTagBm.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_04\bin\ssv.dll
O2 - BHO: SidebarAutoLaunch Class - {F2AA9440-6328-4933-B7C9-A6CCDF9CBF6D} - C:\Program Files\Yahoo!\browser\YSidebarIEBHO.dll
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_04\bin\jusched.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\PROGRA~1\Yahoo!\MESSEN~1\YAHOOM~1.EXE" -quiet
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_04\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_04\bin\ssv.dll
O9 - Extra button: AT&T Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\PROGRA~1\Yahoo!\Common\yiesrvc.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {01A88BB1-1174-41EC-ACCB-963509EAE56B} (SysProWmi Class) - http://support.dell....iler/SysPro.CAB
O16 - DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} (PCPitstop Utility) - http://www.pcpitstop...p/PCPitStop.CAB
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky...can_unicode.cab
O16 - DPF: {1239CC52-59EF-4DFA-8C61-90FFA846DF7E} (Musicnotes Viewer) - http://www.musicnote...ad/mnviewer.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft....204&clcid=0x409
O16 - DPF: {193C772A-87BE-4B19-A7BB-445B226FE9A1} (ewidoOnlineScan Control) - http://download.ewid...oOnlineScan.cab
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (Installation Support) - C:\Program Files\Yahoo!\Common\Yinsthelper20073151.dll
O16 - DPF: {31E68DE2-5548-4B23-88F0-C51E6A0F695E} (Microsoft PID Sniffer) - https://support.micr...ActiveX/odc.cab
O16 - DPF: {406B5949-7190-4245-91A9-30A17DE16AD0} (Snapfish Activia) - http://photo.walgree...eensActivia.cab
O16 - DPF: {48DD0448-9209-4F81-9F6D-D83562940134} (MySpace Uploader Control) - http://lads.myspace....ploader1005.cab
O16 - DPF: {4C39376E-FA9D-4349-BACC-D305C1750EF3} (EPUImageControl Class) - http://tools.ebayimg...l_v1-0-3-48.cab
O16 - DPF: {4CCA4E80-9259-11D9-AC6E-444553544200} (FixController Control) - http://h30155.www3.h...llMgr_v01_5.cab
O16 - DPF: {9732FB42-C321-11D1-836F-00A0C993F125} (mhLabel Class) - http://www.pcpitstop.com/mhLbl.cab
O16 - DPF: {A8F2B9BD-A6A0-486A-9744-18920D898429} - http://www.sibelius....tiveXPlugin.cab
O16 - DPF: {EF791A6B-FC12-4C68-99EF-FB9E207A39E6} (McFreeScan Class) - http://download.mcaf...881/mcfscan.cab
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\System32\CTsvcCDA.exe
O23 - Service: Cisco Systems, Inc. VPN Service (CVPND) - Cisco Systems, Inc. - C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: MSCSPTISRV - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\MSCSPTISRV.exe
O23 - Service: Intel NCS NetService (NetSvc) - Intel® Corporation - C:\Program Files\Intel\NCS\Sync\NetSvc.exe
O23 - Service: PACSPTISVR - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\PACSPTISVR.exe
O23 - Service: Remote Administrator Service (r_server) - Unknown owner - C:\WINDOWS\system32\r_server.exe
O23 - Service: Sony SPTI Service (SPTISRV) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\SPTISRV.exe
O23 - Service: SonicStage SCSI Service (SSScsiSV) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\SSScsiSV.exe
O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exe
O23 - Service: YPCService - Yahoo! Inc. - C:\WINDOWS\SYSTEM32\YPCSER~1.EXE

--
End of file - 7863 bytes
Windows Registry Editor Version 5.00

; Registry Search 2.0 by Bobbi Flekman © 2005
; Version: 2.0.5.0

; Results at 2/14/2008 4:36:20 PM for strings:
; 'cheater checker'
; Strings excluded from search:
; (None)
; Search in:
; Registry Keys Registry Values Registry Data
; HKEY_LOCAL_MACHINE HKEY_USERS


[HKEY_CURRENT_USER\Software\Microsoft\Search Assistant\ACMru\5603]
"000"="cheater checker"

; End Of The Log... | Slovenščina | Dansk | Русский | Română | Türkçe | Nederlands | Ελληνικά | Français | Svenska | Português | Italiano | | | Magyar | Deutsch | Česky | Polski | Español


Virustotal is a service that analyzes suspicious files and facilitates the quick detection of viruses, worms, trojans, and all kinds of malware detected by antivirus engines. More information...

File micwiz.dll received on 02.14.2008 21:51:02 (CET)
Current status: finished
Result: 3/32 (9.38%)
Compact
Print results
Antivirus Version Last Update Result
AhnLab-V3 2008.2.15.10 2008.02.14 -
AntiVir 7.6.0.65 2008.02.14 -
Authentium 4.93.8 2008.02.14 -
Avast 4.7.1098.0 2008.02.14 -
AVG 7.5.0.516 2008.02.14 -
BitDefender 7.2 2008.02.14 -
CAT-QuickHeal None 2008.02.14 -
ClamAV 0.92.1 2008.02.14 -
DrWeb 4.44.0.09170 2008.02.14 -
eSafe 7.0.15.0 2008.02.14 -
eTrust-Vet 31.3.5536 2008.02.14 -
Ewido 4.0 2008.02.14 -
FileAdvisor 1 2008.02.14 -
Fortinet 3.14.0.0 2008.02.14 -
F-Prot 4.4.2.54 2008.02.14 -
F-Secure 6.70.13260.0 2008.02.14 -
Ikarus T3.1.1.20 2008.02.14 -
Kaspersky 7.0.0.125 2008.02.14 -
McAfee 5230 2008.02.14 -
Microsoft 1.3204 2008.02.14 -
NOD32v2 2876 2008.02.14 -
Norman 5.80.02 2008.02.14 -
Panda 9.0.0.4 2008.02.14 -
Prevx1 V2 2008.02.14 Heuristic: Suspicious File With Mass Email Capabilities
Rising 20.31.30.00 2008.02.14 -
Sophos 4.26.0 2008.02.14 Sus/Dropper-A
Sunbelt 2.2.907.0 2008.02.14 -
Symantec 10 2008.02.14 Spyware.CheaterChecker
TheHacker 6.2.9.220 2008.02.14 -
VBA32 3.12.6.1 2008.02.14 -
VirusBuster 4.3.26:9 2008.02.14 -
Webwasher-Gateway 6.6.2 2008.02.14 -
Additional information
File size: 1290347 bytes
MD5: 33a3e77be71ddcc7dd232724f4d32a53
SHA1: 095aaccc53f4c50bccd6a5e140b4e017add8c6c7
PEiD: -
Prevx info: http://info.prevx.co...BA58E004623CC05
ATTENTION: VirusTotal is a free service offered by Hispasec Sistemas. There are no guarantees about the availability and continuity of this service. Although the detection rate afforded by the use of multiple antivirus engines is far superior to that offered by just one product, these results DO NOT guarantee the harmlessness of a file. Currently, there is not any solution that offers a 100% effectiveness rate for detecting viruses and malware.

VirusTotal © Hispasec Sistemas - Blog - Contact: info@virustotal.com

#11 Juliet

Juliet

    Advanced Member

  • Trusted Malware Techs
  • 22,153 posts
  • Gender:Female


Posted 14 February 2008 - 08:38 PM

Welcome back

Juliet,Here are the scans. The computer is quicker,but we seem to get more junk email now. I'll watch the email over the next few days to see if it continues. I also have desktop.ini on the desktop.I dont know how that got there,can I delete it? After you look at these scan results,let me know if I could try the limewire test.
Hope you had a Happy Valentines Day!



Locate the desktop.ini file you have on your desktop>right click and open with notepad
Check what the info inside says and let me know.

Happy Valentines Day to you to!!


Virustotal is a service that analyzes suspicious files

File micwiz.dll received on 02.14.2008 21:51:02 (CET)
Current status: finished
Result: 3/32 (9.38%)
Compact
Print results
Antivirus Version Last Update Result
AhnLab-V3 2008.2.15.10 2008.02.14 -
AntiVir 7.6.0.65 2008.02.14 -
Authentium 4.93.8 2008.02.14 -
Avast 4.7.1098.0 2008.02.14 -
AVG 7.5.0.516 2008.02.14 -
BitDefender 7.2 2008.02.14 -
CAT-QuickHeal None 2008.02.14 -
ClamAV 0.92.1 2008.02.14 -
DrWeb 4.44.0.09170 2008.02.14 -
eSafe 7.0.15.0 2008.02.14 -
eTrust-Vet 31.3.5536 2008.02.14 -
Ewido 4.0 2008.02.14 -
FileAdvisor 1 2008.02.14 -
Fortinet 3.14.0.0 2008.02.14 -
F-Prot 4.4.2.54 2008.02.14 -
F-Secure 6.70.13260.0 2008.02.14 -
Ikarus T3.1.1.20 2008.02.14 -
Kaspersky 7.0.0.125 2008.02.14 -
McAfee 5230 2008.02.14 -
Microsoft 1.3204 2008.02.14 -
NOD32v2 2876 2008.02.14 -
Norman 5.80.02 2008.02.14 -
Panda 9.0.0.4 2008.02.14 -
Prevx1 V2 2008.02.14 Heuristic: Suspicious File With Mass Email Capabilities
Rising 20.31.30.00 2008.02.14 -
Sophos 4.26.0 2008.02.14 Sus/Dropper-A
Sunbelt 2.2.907.0 2008.02.14 -
Symantec 10 2008.02.14 Spyware.CheaterChecker <--looky looky here
TheHacker 6.2.9.220 2008.02.14 -
VBA32 3.12.6.1 2008.02.14 -
VirusBuster 4.3.26:9 2008.02.14 -
Webwasher-Gateway 6.6.2 2008.02.14 -





Go to My Computer->Tools->Folder Options->View tab:
[*]Under the Hidden files and folders heading:
[*]Select - Show hidden files and folders.
[*]Uncheck- Hide protected operating system files (recommended) option.
[*]Also, make sure there is no checkmark beside Hide file extensions for known file types.
[*] Click OK. (Remember to Hide files and folders once done)


Using Windows Explorer (right-click your "Start" button and select "Explore"), please navigate to and delete the following files/folders in bold

C:\WINDOWS\system32\micwiz.dll


If this file resists deletion drop into safe....

Then reboot your computer.

Post back and let me know whats inside the Desktop.ini file

If we disabled any security programs while running scans and tools you can re-enable those now.
Please do not PM me for HJT help, we all benefit from posting on the open board.

MS - MVP Consumer Security 2009 - 2014

#12 leftydrummrr

leftydrummrr

    Member

  • Members
  • 117 posts

Posted 15 February 2008 - 08:33 AM

Juliet, Here is the content of Desktop.ini There is also a copy in my documents,ok to delete? I couldnt delete micwiz.dll,a screen popped up with... Access Denied make sure disc not in use...etc. How do I drop this file into safe? Havent done that before. It appears that might be where Cheater Checker is? I didnt delete the radmin file yet.Is radmin a component of the Remote Administrator to use my wife's computer at work? ok to delete with out causing any other problems? thanks, [.ShellClassInfo] LocalizedResourceName=@shell32.dll,-21786

#13 Juliet

Juliet

    Advanced Member

  • Trusted Malware Techs
  • 22,153 posts
  • Gender:Female


Posted 15 February 2008 - 10:05 AM

Welcome back

Here is the content of Desktop.ini There is also a copy in my documents,ok to delete?

That file is OK..Nothing odd. .........re-name it to something like "desktop.old"
leave it for a while to see if any programs need it and if not you can delete it. If something has a problem go back and name it back.

I didnt delete the radmin file yet.Is radmin a component of the Remote Administrator to use my wife's computer at work? ok to delete with out causing any other problems? thanks,

It's the zip that help all the executables <sp that held the .exe's for the service, actually you can leave it.

I couldnt delete micwiz.dll,a screen popped up with... Access Denied make sure disc not in use...etc. How do I drop this file into safe? Havent done that before. It appears that might be where Cheater Checker is?

The Virus Total scan revealed to us that was were the exe for the program is held.

What we can try next


Reboot your computer into SafeMode
You can do this by restarting your computer and continually tapping the F8 key until a menu appears.
Use your up arrow key to highlight SafeMode then hit enter.
http://www.bleepingc...tutorial61.html
How to start Windows in Safe Mode




Go to My Computer->Tools->Folder Options->View tab:
[*]Under the Hidden files and folders heading:
[*]Select - Show hidden files and folders.
[*]Uncheck- Hide protected operating system files (recommended) option.
[*]Also, make sure there is no checkmark beside Hide file extensions for known file types.
[*] Click OK. (Remember to Hide files and folders once done)

Using Windows Explorer (right-click your "Start" button and select "Explore"), please navigate to and delete the following files/folders in bold


C:\WINDOWS\system32\micwiz.dll


Then reboot

Post back and let me know what happens.
Please do not PM me for HJT help, we all benefit from posting on the open board.

MS - MVP Consumer Security 2009 - 2014

#14 leftydrummrr

leftydrummrr

    Member

  • Members
  • 117 posts

Posted 15 February 2008 - 10:38 AM

Juliet, Restarted successfully in safe mode,tried to delete micwiz.dll,but got the same Access Denied screen.Wouldn't let me delete it. What can we try next?

#15 Juliet

Juliet

    Advanced Member

  • Trusted Malware Techs
  • 22,153 posts
  • Gender:Female


Posted 15 February 2008 - 11:00 AM

Let's see if ComboFix can take it out


Download Combofix from any of the links below, and save it to your desktop.

Link 1
Link 2
Link 3

Next: Disconnect from the internet. If you are on Cable or DSL unplug your computer from the modem.
Next: Please disable all onboard security programs (all running with back ground protection) as it may hinder the scanner from working.

Please open Notepad *Do Not Use Wordpad!* (Start -> Run -> type notepad in the Open field -> OK) and copy and paste the text present inside the quote box below:
Save this as "CFScript.txt" including the quotes, and change the "Save as type" to "All Files" and place it on your desktop.


KILLALL::

File::C:\WINDOWS\system32\micwiz.dll
Posted Image
Referring to the screenshot above, drag CFScript.txt into ComboFix.exe.
ComboFix will now run a scan on your system. It may reboot your system when it finishes. This is normal.
When finished, it shall produce a log for you, C:\ComboFix.txt. Post that log in your next reply.
CAUTION: Do not mouse-click ComboFix's window while it is running. That may cause it to stall.

Note: the above code was created specifically for this user. If you are not this user, do NOT follow these directions as they could damage the workings of your system.



Post back with the ComboFix.txt
Please do not PM me for HJT help, we all benefit from posting on the open board.

MS - MVP Consumer Security 2009 - 2014

#16 leftydrummrr

leftydrummrr

    Member

  • Members
  • 117 posts

Posted 15 February 2008 - 11:28 AM

Juliet,
Here is the Combofix scan.
thanks,

ComboFix 08-02-14.1 - Mark Gisi 2008-02-15 10:09:28.2 - NTFSx86

Running from: C:\Documents and Settings\Mark Gisi\My Documents\ComboFix.exe
Command switches used :: C:\Documents and Settings\Mark Gisi\Desktop\CFScript.txt
* Created a new restore point

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!

FILE
File::C:\WINDOWS\system32\micwiz.dll
.

((((((((((((((((((((((((( Files Created from 2008-01-15 to 2008-02-15 )))))))))))))))))))))))))))))))
.

2008-02-13 18:49 . 2008-02-13 18:49 <DIR> d-------- C:\WINDOWS\SYSTEM32\Kaspersky Lab
2008-02-13 18:49 . 2008-02-13 18:49 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Kaspersky Lab
2008-02-13 18:43 . 2007-12-14 01:59 69,632 --a------ C:\WINDOWS\SYSTEM32\javacpl.cpl
2008-02-13 18:42 . 2008-02-13 18:42 <DIR> d-------- C:\Program Files\Common Files\Java
2008-02-13 17:42 . 2004-08-04 01:56 388,608 --a------ C:\kmd.exe
2008-02-13 14:19 . 2008-02-13 14:19 <DIR> d-------- C:\Deckard
2008-02-13 12:43 . 2008-02-13 12:43 1,093,632 --a------ C:\WINDOWS\SYSTEM32\{C4263C4A-B015-3BD9-B5C3-D93BC0C6D33B}.dat
2008-02-13 12:40 . 2008-02-13 12:40 1,093,632 --a------ C:\WINDOWS\SYSTEM32\{5E1CD7C0-3FC4-A1E3-3F28-E3A14F2DE9A1}.dat
2008-02-13 12:33 . 2008-02-13 12:33 <DIR> d-------- C:\Program Files\Trend Micro
2008-02-13 11:35 . 2008-02-13 11:36 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Lavasoft
2008-02-10 20:43 . 2008-02-13 12:38 8,693,760 --a------ C:\WINDOWS\SYSTEM32\{DA3A1CD2-E326-25C5-2DE3-C52544B3CF25}.dat
2008-02-10 20:43 . 2008-02-13 12:38 2,177,024 --a------ C:\WINDOWS\SYSTEM32\{78499390-6C64-87B6-6F6C-B6871B3CBC87}.dat
2008-02-10 20:43 . 2008-02-13 12:38 1,093,632 --a------ C:\WINDOWS\SYSTEM32\{E59EAB29-54DD-1A61-D654-611AA5046B1A}.dat
2008-02-08 21:32 . 2008-02-13 12:38 1,093,632 --a------ C:\WINDOWS\SYSTEM32\{380CD53C-2AC3-C7F3-C32A-F3C7B44EF9C7}.dat
2008-01-28 11:30 . 2002-07-31 19:55 106 ---hs---- C:\WINDOWS\WSYS049.SYS
2008-01-28 11:30 . 2001-09-05 12:28 41 ---h----- C:\WINDOWS\trfntw32.cfg
2008-01-21 18:50 . 2008-01-21 18:51 <DIR> d-------- C:\Program Files\iTunes
2008-01-21 18:41 . 2008-01-21 18:41 <DIR> d-------- C:\Program Files\Bonjour

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-02-15 00:21 --------- d-----w C:\Program Files\LimeWire
2008-02-14 22:58 43,742 ----a-w C:\Documents and Settings\Mark Gisi\Application Data\wklnhst.dat
2008-02-14 20:40 --------- d-----w C:\Program Files\filesubmit
2008-02-14 00:43 --------- d-----w C:\Program Files\Java
2008-02-13 17:35 --------- d-----w C:\Program Files\Lavasoft
2008-02-13 17:07 --------- d-----w C:\Documents and Settings\Mark Gisi\Application Data\Lavasoft
2008-02-12 19:21 --------- d-----w C:\Program Files\SpywareBlaster
2008-02-09 02:54 --------- d-----w C:\Documents and Settings\Mark Gisi\Application Data\Move Networks
2008-01-29 00:18 --------- d-----w C:\Documents and Settings\Mark Gisi\Application Data\Image Zone Express
2008-01-23 17:19 --------- d-----w C:\Program Files\RegistryFix
2008-01-22 00:51 --------- d-----w C:\Program Files\iPod
2008-01-22 00:41 --------- d-----w C:\Program Files\QuickTime
2007-12-30 20:51 --------- d-----w C:\Program Files\Common Files\Apple
2007-12-30 20:51 --------- d-----w C:\Program Files\Apple Software Update
2007-12-30 18:58 --------- d--h--w C:\Program Files\InstallShield Installation Information
2007-12-18 09:51 179,584 ----a-w C:\WINDOWS\system32\drivers\mrxdav.sys
2004-12-12 22:50 251,040 ----a-w C:\Documents and Settings\Mark Gisi\Application Data\GDIPFONTCACHEV1.DAT
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\Fatdll]
@={2574C284-194B-43B3-A057-E188849BA5CC}

[HKEY_CLASSES_ROOT\CLSID\{2574C284-194B-43B3-A057-E188849BA5CC}]
2007-04-16 09:52 1290347 --a------ C:\WINDOWS\system32\micwiz.dll

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 01:56 15360]
"Yahoo! Pager"="C:\PROGRA~1\Yahoo!\MESSEN~1\YAHOOM~1.exe" [2006-10-26 21:21 4662776]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"avast!"="C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe" [2007-12-04 07:00 79224]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_04\bin\jusched.exe" [2007-12-14 03:42 144784]

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Adobe Reader Speed Launch.lnk
backup=C:\WINDOWS\pss\Adobe Reader Speed Launch.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Cisco Systems VPN Client.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Cisco Systems VPN Client.lnk
backup=C:\WINDOWS\pss\Cisco Systems VPN Client.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^HP Digital Imaging Monitor.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\HP Digital Imaging Monitor.lnk
backup=C:\WINDOWS\pss\HP Digital Imaging Monitor.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Microsoft Office.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Microsoft Office.lnk
backup=C:\WINDOWS\pss\Microsoft Office.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^ymetray.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\ymetray.lnk
backup=C:\WINDOWS\pss\ymetray.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^Mark Gisi^Start Menu^Programs^Startup^PowerReg Scheduler V3.exe]
path=C:\Documents and Settings\Mark Gisi\Start Menu\Programs\Startup\PowerReg Scheduler V3.exe
backup=C:\WINDOWS\pss\PowerReg Scheduler V3.exeStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AIM]
C:\PROGRA~1\AIM\aim.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Aim6]
C:\Program Files\AIM6\aim6.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AVG7_CC]
C:\PROGRA~1\Grisoft\AVG7\avgcc.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BPS Security Console]
C:\Program Files\BulletProofSoft.com\BPS Security Console\SecCon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BPS Spyware Remover]
C:\Program Files\BulletProofSoft.com\BPS Spyware Remover\SpyRem.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BPSF]
C:\Program Files\BulletProofSoft.com\AdvancedPersonalFirewall\BPS Firewall.lnk

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ClamWin]
C:\Program Files\ClamWin\bin\ClamTray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ctfmon.exe]
--a------ 2004-08-04 01:56 15360 C:\WINDOWS\system32\ctfmon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HotKeysCmds]
--a------ 2005-09-20 08:32 77824 C:\WINDOWS\system32\hkcmd.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HP Software Update]
--a------ 2006-12-10 20:52 49152 C:\Program Files\HP\HP Software Update\HPWuSchd2.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\igfxhkcmd]
--a------ 2005-09-20 08:32 77824 C:\WINDOWS\system32\hkcmd.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\igfxpers]
--a------ 2005-09-20 08:36 114688 C:\WINDOWS\system32\igfxpers.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IgfxTray]
--a------ 2005-09-20 08:35 94208 C:\WINDOWS\system32\igfxtray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IntelMeM]
--a------ 2003-09-03 19:12 221184 C:\Program Files\Intel\Modem Event Monitor\IntelMEM.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IPInSightMonitor 01]
--a------ 2003-07-14 13:30 98304 C:\Program Files\SBC Yahoo!\Connection Manager\IP InSight\IPMon32.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iRiver Updater]
--a------ 2004-07-01 15:20 212992 C:\Updater.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
--a------ 2008-01-15 03:22 267048 C:\Program Files\iTunes\iTunesHelper.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Logitech Utility]
--------- 2003-03-04 03:50 19968 C:\WINDOWS\LOGI_MWX.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Microsoft Works Update Detection]
--------- 2003-12-05 21:08 50688 C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MimBoot]
C:\PROGRA~1\MUSICM~1\MUSICM~2\mimboot.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MMTray]
C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MoneyAgent]
--a------ 2003-06-18 11:00 200704 C:\Program Files\Microsoft Money\System\mnyexpr.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Mozilla Quick Launch]
C:\Program Files\mozilla.org\Mozilla\Mozilla.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
--a------ 2004-10-13 10:24 1694208 C:\Program Files\Messenger\msmsgs.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MySpaceIM]
C:\Program Files\MySpace\IM\MySpaceIM.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PCMService]
--------- 2003-08-26 18:47 204800 C:\Program Files\Dell\Media Experience\PCMService.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PCPitstop Optimize Registration Reminder]
C:\Program Files\PCPitstop\Optimize\Reminder.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
--a------ 2008-01-10 15:27 385024 C:\Program Files\QuickTime\qttask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RegistryMechanic]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SsAAD.exe]
--a------ 2005-06-03 07:16 81920 C:\PROGRA~1\Sony\SONICS~1\SsAAD.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\UpdateManager]
--a------ 2003-08-19 00:01 110592 C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\updateMgr]
-ra------ 2006-03-30 16:45 313472 C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\URLLSTCK.exe]
C:\Program Files\Norton Internet Security\UrlLstCk.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Yahoo! Pager]
--a------ 2006-10-26 21:21 4662776 C:\PROGRA~1\Yahoo!\MESSEN~1\YAHOOM~1.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\YBrowser]
--a------ 2006-07-21 16:19 129536 C:\PROGRA~1\Yahoo!\browser\ybrwicon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\YOP]
--a------ 2005-04-22 19:49 397312 C:\PROGRA~1\Yahoo!\YOP\yop.exe

R2 r_server;Remote Administrator Service;"C:\WINDOWS\system32\r_server.exe" [2005-06-21 14:16]
R2 Viewpoint Manager Service;Viewpoint Manager Service;"C:\Program Files\Viewpoint\Common\ViewpointService.exe" [2007-01-04 15:38]
S3 DrvFltIp;DrvFltIp;C:\Program Files\BulletProofSoft.com\AdvancedPersonalFirewall\DrvFltIp.sys []
S3 MR97310_VGA_DUAL_CAMERA;VGA Dual-Mode Camera;C:\WINDOWS\system32\DRIVERS\mr97310v.sys [2004-03-30 10:29]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12
hpdevmgmt REG_MULTI_SZ hpqcxs08 hpqddsvc

.
Contents of the 'Scheduled Tasks' folder
"2004-12-06 21:50:07 C:\WINDOWS\Tasks\XoftSpy.job"
- C:\Program Files\XoftSpy\XoftSpy.exe
.
**************************************************************************

catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-02-15 10:16:22
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

PROCESS: C:\WINDOWS\explorer.exe [6.00.2900.3156]
-> C:\WINDOWS\system32\micwiz.dll
.
------------------------ Other Running Processes ------------------------
.
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINDOWS\System32\CTsvcCDA.exe
C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
.
**************************************************************************
.
Completion time: 2008-02-15 10:22:07 - machine was rebooted
ComboFix-quarantined-files.txt 2008-02-15 16:22:03
ComboFix2.txt 2008-02-14 00:15:31
.
2008-02-14 18:01:50 --- E O F ---

#17 Juliet

Juliet

    Advanced Member

  • Trusted Malware Techs
  • 22,153 posts
  • Gender:Female


Posted 15 February 2008 - 12:24 PM

Right click on your task bar
Look for this entry and end task
C:\WINDOWS\system32\micwiz.dll <--it maybe listed as just micwiz.dll

Next, launch Notepad, (Start > Run, type in: notepad)
copy and paste next present in the quotebox below in it:
(don't forget to copy and paste REGEDIT4)

REGEDIT4

[-HKEY_CLASSES_ROOT\CLSID\{2574C284-194B-43B3-A057-E188849BA5CC}]

[-HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\Fatdll]

Save this as fix.reg and change the "Save as type" to "All Files" and place it on your desktop. It should look like this: Posted Image
Double-click on it and when it asks you if you want to merge the contents to the registry, click "Yes" or "OK". You should receive a message that it was successful. You may delete the file afterwards

Reboot your computer



Next: Disconnect from the internet. If you are on Cable or DSL unplug your computer from the modem.
Next: Please disable all onboard security programs (all running with back ground protection) as it may hinder the scanner from working.

Please open Notepad *Do Not Use Wordpad!* (Start -> Run -> type notepad in the Open field -> OK) and copy and paste the text present inside the quote box below:
Save this as "CFScript.txt" including the quotes, and change the "Save as type" to "All Files" and place it on your desktop.

KILLALL::
File::
C:\WINDOWS\system32\micwiz.dll

drag CFScript.txt into ComboFix.exe.
ComboFix will now run a scan on your system. It may reboot your system when it finishes. This is normal.
When finished, it shall produce a log for you, C:\ComboFix.txt. Post that log in your next reply.
CAUTION: Do not mouse-click ComboFix's window while it is running. That may cause it to stall.


Post back with the ComboFix.txt
Please do not PM me for HJT help, we all benefit from posting on the open board.

MS - MVP Consumer Security 2009 - 2014

#18 leftydrummrr

leftydrummrr

    Member

  • Members
  • 117 posts

Posted 15 February 2008 - 03:06 PM

Juliet,
Here is the latest scan. I didnt know how to look for that file in the taskbar,I've never done that before.
thanks,

ComboFix 08-02-14.1 - Mark Gisi 2008-02-15 13:41:52.3 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.282 [GMT -6:00]
Running from: C:\Documents and Settings\Mark Gisi\My Documents\ComboFix.exe
Command switches used :: C:\Documents and Settings\Mark Gisi\Desktop\CFScript.txt
* Created a new restore point

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!

FILE
C:\WINDOWS\system32\micwiz.dll
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\WINDOWS\system32\micwiz.dll

.
((((((((((((((((((((((((( Files Created from 2008-01-15 to 2008-02-15 )))))))))))))))))))))))))))))))
.

2008-02-13 18:49 . 2008-02-13 18:49 <DIR> d-------- C:\WINDOWS\SYSTEM32\Kaspersky Lab
2008-02-13 18:49 . 2008-02-13 18:49 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Kaspersky Lab
2008-02-13 18:43 . 2007-12-14 01:59 69,632 --a------ C:\WINDOWS\SYSTEM32\javacpl.cpl
2008-02-13 18:42 . 2008-02-13 18:42 <DIR> d-------- C:\Program Files\Common Files\Java
2008-02-13 17:42 . 2004-08-04 01:56 388,608 --a------ C:\kmd.exe
2008-02-13 14:19 . 2008-02-13 14:19 <DIR> d-------- C:\Deckard
2008-02-13 12:43 . 2008-02-13 12:43 1,093,632 --a------ C:\WINDOWS\SYSTEM32\{C4263C4A-B015-3BD9-B5C3-D93BC0C6D33B}.dat
2008-02-13 12:40 . 2008-02-13 12:40 1,093,632 --a------ C:\WINDOWS\SYSTEM32\{5E1CD7C0-3FC4-A1E3-3F28-E3A14F2DE9A1}.dat
2008-02-13 12:33 . 2008-02-13 12:33 <DIR> d-------- C:\Program Files\Trend Micro
2008-02-13 11:35 . 2008-02-13 11:36 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Lavasoft
2008-02-10 20:43 . 2008-02-13 12:38 8,693,760 --a------ C:\WINDOWS\SYSTEM32\{DA3A1CD2-E326-25C5-2DE3-C52544B3CF25}.dat
2008-02-10 20:43 . 2008-02-13 12:38 2,177,024 --a------ C:\WINDOWS\SYSTEM32\{78499390-6C64-87B6-6F6C-B6871B3CBC87}.dat
2008-02-10 20:43 . 2008-02-13 12:38 1,093,632 --a------ C:\WINDOWS\SYSTEM32\{E59EAB29-54DD-1A61-D654-611AA5046B1A}.dat
2008-02-08 21:32 . 2008-02-13 12:38 1,093,632 --a------ C:\WINDOWS\SYSTEM32\{380CD53C-2AC3-C7F3-C32A-F3C7B44EF9C7}.dat
2008-01-28 11:30 . 2002-07-31 19:55 106 ---hs---- C:\WINDOWS\WSYS049.SYS
2008-01-28 11:30 . 2001-09-05 12:28 41 ---h----- C:\WINDOWS\trfntw32.cfg
2008-01-21 18:50 . 2008-01-21 18:51 <DIR> d-------- C:\Program Files\iTunes
2008-01-21 18:41 . 2008-01-21 18:41 <DIR> d-------- C:\Program Files\Bonjour

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-02-15 00:21 --------- d-----w C:\Program Files\LimeWire
2008-02-14 22:58 43,742 ----a-w C:\Documents and Settings\Mark Gisi\Application Data\wklnhst.dat
2008-02-14 20:40 --------- d-----w C:\Program Files\filesubmit
2008-02-14 00:43 --------- d-----w C:\Program Files\Java
2008-02-13 17:35 --------- d-----w C:\Program Files\Lavasoft
2008-02-13 17:07 --------- d-----w C:\Documents and Settings\Mark Gisi\Application Data\Lavasoft
2008-02-12 19:21 --------- d-----w C:\Program Files\SpywareBlaster
2008-02-09 02:54 --------- d-----w C:\Documents and Settings\Mark Gisi\Application Data\Move Networks
2008-01-29 00:18 --------- d-----w C:\Documents and Settings\Mark Gisi\Application Data\Image Zone Express
2008-01-23 17:19 --------- d-----w C:\Program Files\RegistryFix
2008-01-22 00:51 --------- d-----w C:\Program Files\iPod
2008-01-22 00:41 --------- d-----w C:\Program Files\QuickTime
2007-12-30 20:51 --------- d-----w C:\Program Files\Common Files\Apple
2007-12-30 20:51 --------- d-----w C:\Program Files\Apple Software Update
2007-12-30 18:58 --------- d--h--w C:\Program Files\InstallShield Installation Information
2007-12-18 09:51 179,584 ----a-w C:\WINDOWS\system32\drivers\mrxdav.sys
2004-12-12 22:50 251,040 ----a-w C:\Documents and Settings\Mark Gisi\Application Data\GDIPFONTCACHEV1.DAT
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 01:56 15360]
"Yahoo! Pager"="C:\PROGRA~1\Yahoo!\MESSEN~1\YAHOOM~1.exe" [2006-10-26 21:21 4662776]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"avast!"="C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe" [2007-12-04 07:00 79224]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_04\bin\jusched.exe" [2007-12-14 03:42 144784]

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Adobe Reader Speed Launch.lnk
backup=C:\WINDOWS\pss\Adobe Reader Speed Launch.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Cisco Systems VPN Client.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Cisco Systems VPN Client.lnk
backup=C:\WINDOWS\pss\Cisco Systems VPN Client.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^HP Digital Imaging Monitor.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\HP Digital Imaging Monitor.lnk
backup=C:\WINDOWS\pss\HP Digital Imaging Monitor.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Microsoft Office.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Microsoft Office.lnk
backup=C:\WINDOWS\pss\Microsoft Office.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^ymetray.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\ymetray.lnk
backup=C:\WINDOWS\pss\ymetray.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^Mark Gisi^Start Menu^Programs^Startup^PowerReg Scheduler V3.exe]
path=C:\Documents and Settings\Mark Gisi\Start Menu\Programs\Startup\PowerReg Scheduler V3.exe
backup=C:\WINDOWS\pss\PowerReg Scheduler V3.exeStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AIM]
C:\PROGRA~1\AIM\aim.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Aim6]
C:\Program Files\AIM6\aim6.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AVG7_CC]
C:\PROGRA~1\Grisoft\AVG7\avgcc.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BPS Security Console]
C:\Program Files\BulletProofSoft.com\BPS Security Console\SecCon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BPS Spyware Remover]
C:\Program Files\BulletProofSoft.com\BPS Spyware Remover\SpyRem.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BPSF]
C:\Program Files\BulletProofSoft.com\AdvancedPersonalFirewall\BPS Firewall.lnk

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ClamWin]
C:\Program Files\ClamWin\bin\ClamTray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ctfmon.exe]
--a------ 2004-08-04 01:56 15360 C:\WINDOWS\system32\ctfmon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HotKeysCmds]
--a------ 2005-09-20 08:32 77824 C:\WINDOWS\system32\hkcmd.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HP Software Update]
--a------ 2006-12-10 20:52 49152 C:\Program Files\HP\HP Software Update\HPWuSchd2.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\igfxhkcmd]
--a------ 2005-09-20 08:32 77824 C:\WINDOWS\system32\hkcmd.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\igfxpers]
--a------ 2005-09-20 08:36 114688 C:\WINDOWS\system32\igfxpers.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IgfxTray]
--a------ 2005-09-20 08:35 94208 C:\WINDOWS\system32\igfxtray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IntelMeM]
--a------ 2003-09-03 19:12 221184 C:\Program Files\Intel\Modem Event Monitor\IntelMEM.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IPInSightMonitor 01]
--a------ 2003-07-14 13:30 98304 C:\Program Files\SBC Yahoo!\Connection Manager\IP InSight\IPMon32.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iRiver Updater]
--a------ 2004-07-01 15:20 212992 C:\Updater.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
--a------ 2008-01-15 03:22 267048 C:\Program Files\iTunes\iTunesHelper.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Logitech Utility]
--------- 2003-03-04 03:50 19968 C:\WINDOWS\LOGI_MWX.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Microsoft Works Update Detection]
--------- 2003-12-05 21:08 50688 C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MimBoot]
C:\PROGRA~1\MUSICM~1\MUSICM~2\mimboot.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MMTray]
C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MoneyAgent]
--a------ 2003-06-18 11:00 200704 C:\Program Files\Microsoft Money\System\mnyexpr.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Mozilla Quick Launch]
C:\Program Files\mozilla.org\Mozilla\Mozilla.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
--a------ 2004-10-13 10:24 1694208 C:\Program Files\Messenger\msmsgs.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MySpaceIM]
C:\Program Files\MySpace\IM\MySpaceIM.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PCMService]
--------- 2003-08-26 18:47 204800 C:\Program Files\Dell\Media Experience\PCMService.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PCPitstop Optimize Registration Reminder]
C:\Program Files\PCPitstop\Optimize\Reminder.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
--a------ 2008-01-10 15:27 385024 C:\Program Files\QuickTime\qttask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RegistryMechanic]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SsAAD.exe]
--a------ 2005-06-03 07:16 81920 C:\PROGRA~1\Sony\SONICS~1\SsAAD.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\UpdateManager]
--a------ 2003-08-19 00:01 110592 C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\updateMgr]
-ra------ 2006-03-30 16:45 313472 C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\URLLSTCK.exe]
C:\Program Files\Norton Internet Security\UrlLstCk.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Yahoo! Pager]
--a------ 2006-10-26 21:21 4662776 C:\PROGRA~1\Yahoo!\MESSEN~1\YAHOOM~1.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\YBrowser]
--a------ 2006-07-21 16:19 129536 C:\PROGRA~1\Yahoo!\browser\ybrwicon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\YOP]
--a------ 2005-04-22 19:49 397312 C:\PROGRA~1\Yahoo!\YOP\yop.exe

R2 r_server;Remote Administrator Service;"C:\WINDOWS\system32\r_server.exe" [2005-06-21 14:16]
R2 Viewpoint Manager Service;Viewpoint Manager Service;"C:\Program Files\Viewpoint\Common\ViewpointService.exe" [2007-01-04 15:38]
S3 DrvFltIp;DrvFltIp;C:\Program Files\BulletProofSoft.com\AdvancedPersonalFirewall\DrvFltIp.sys []
S3 MR97310_VGA_DUAL_CAMERA;VGA Dual-Mode Camera;C:\WINDOWS\system32\DRIVERS\mr97310v.sys [2004-03-30 10:29]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12
hpdevmgmt REG_MULTI_SZ hpqcxs08 hpqddsvc

.
Contents of the 'Scheduled Tasks' folder
"2004-12-06 21:50:07 C:\WINDOWS\Tasks\XoftSpy.job"
- C:\Program Files\XoftSpy\XoftSpy.exe
.
**************************************************************************

catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-02-15 13:48:44
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
------------------------ Other Running Processes ------------------------
.
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINDOWS\System32\CTsvcCDA.exe
C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
.
**************************************************************************
.
Completion time: 2008-02-15 13:54:24 - machine was rebooted
ComboFix-quarantined-files.txt 2008-02-15 19:54:20
ComboFix2.txt 2008-02-15 16:22:07
ComboFix3.txt 2008-02-14 00:15:31
.
2008-02-15 18:01:32 --- E O F ---

#19 Juliet

Juliet

    Advanced Member

  • Trusted Malware Techs
  • 22,153 posts
  • Gender:Female


Posted 15 February 2008 - 04:26 PM

IT'S GONE! LOL All I can think of now and if you haven't done so is reboot your computer if ComboFix didn't. Post back and let me know what issues remain.
Please do not PM me for HJT help, we all benefit from posting on the open board.

MS - MVP Consumer Security 2009 - 2014

#20 leftydrummrr

leftydrummrr

    Member

  • Members
  • 117 posts

Posted 15 February 2008 - 04:40 PM

Juliet, I guess now is the time for the LimeWire test? Thanks for all your help,I have made a donation to P.C.Pitstop.




0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users