# Solved: Downloading and then Crash



## linkinfigure9 (Jul 20, 2007)

Ok. I was on the networking forum and they told me to post this here before I deal with my internet problem. Every time I try to download something to my computer, my computer crashes. I have to save the downloader itself to my desktop and then turn it on to download anything. Also when I try to start any virus scanner except for SUPERAntiSpyware, the computer crashes. I finally got the HijackThis on my computer and here is what I got in the log:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 2:44:51 PM, on 7/20/2007
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\savedump.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\SYSTEM32\USRmlnkA.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\WINDOWS\SYSTEM32\USRshutA.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\SYSTEM32\USRmlnkA.exe
C:\Program Files\Common Files\Microsoft Shared\Works Shared\wkcalrem.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\WINDOWS\system32\LxrJD31s.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\wuauclt.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.cp-tel.net/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=localhost:8080;https=localhost:8080
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [USRpdA] C:\WINDOWS\SYSTEM32\USRmlnkA.exe RunServices \Device\3cpipe-USRpdA
O4 - HKLM\..\Run: [MMTray] C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe
O4 - HKLM\..\Run: [Lexmark_X79-55] C:\WINDOWS\System32\lsasss.exe
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKCU\..\Run: [Microsoft Works Update Detection] C:\Program Files\Microsoft Works\WkDetect.exe
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVGFRE~1\avgw.exe /RUNONCE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVGFRE~1\avgw.exe /RUNONCE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVGFRE~1\avgw.exe /RUNONCE (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\RunOnce: [FlashPlayerUpdate] C:\WINDOWS\System32\Macromed\Flash\GetFlash.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVGFRE~1\avgw.exe /RUNONCE (User 'Default user')
O4 - HKUS\.DEFAULT\..\RunOnce: [FlashPlayerUpdate] C:\WINDOWS\System32\Macromed\Flash\GetFlash.exe (User 'Default user')
O4 - Global Startup: Microsoft Works Calendar Reminders.lnk = ?
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_05\bin\npjpi142_05.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_05\bin\npjpi142_05.dll
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O10 - Unknown file in Winsock LSP: c:\windows\system32\gcjiremeo.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\gcjiremeo.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\gcjiremeo.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\gcjiremeo.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\gcjiremeo.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\gcjiremeo.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\gcjiremeo.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\gcjiremeo.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\gcjiremeo.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\gcjiremeo.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\gcjiremeo.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\gcjiremeo.dll
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - http://us.dl1.yimg.com/download.yahoo.com/dl/yinst/yinst_current.cab
O16 - DPF: {5D6F45B3-9043-443D-A792-115447494D24} (UnoCtrl Class) - http://messenger.zone.msn.com/EN-US/a-UNO1/GAME_UNO1.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1168115992875
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1169300917031
O16 - DPF: {90C9629E-CD32-11D3-BBFB-00105A1F0D68} (InstallShield International Setup Player) - http://www.installengine.com/engine/isetup.cab
O16 - DPF: {B1E2B96C-12FE-45E2-BEF1-44A219113CDD} (SABScanProcesses Class) - http://www.superadblocker.com/activex/sabspx.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://cdn2.zone.msn.com/binFramework/v10/ZIntro.cab53083.cab
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://zone.msn.com/bingame/dim2/default/popcaploader_v6.cab
O16 - DPF: {F58E1CEF-A068-4C15-BA5E-587CAF3EE8C6} (MSN Chat Control 4.5) - http://chat.msn.com/bin/msnchat45.cab
O20 - AppInit_DLLs: 
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O23 - Service: COM+ Messages - Unknown owner - C:\WINDOWS\System32\svchosts.exe (file missing)
O23 - Service: DomainService - Unknown owner - C:\WINDOWS\System32\qwerty12.exe (file missing)
O23 - Service: Lexar JD31 (LxrJD31s) - Unknown owner - C:\WINDOWS\SYSTEM32\LxrJD31s.exe
O23 - Service: Card Adapter (NETDown) - Unknown owner - C:\WINDOWS\smss.exe (file missing)
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe

--
End of file - 6827 bytes

If anybody could help I'd be very grateful..


----------



## linkinfigure9 (Jul 20, 2007)

Oh and btw, I used VundoFix and SUPERAntiSpyware to get rid of nearly 700 threats yesterday. And I don't know whether it's my computer or the viruses that make the problems keep coming back...


----------



## JSntgRvr (Jul 1, 2003)

Hi, *linkinfigure9*

Welcome!

*Jotti File Submission:*

Please go to Jotti's malware scan

Copy and paste the following file path into the *"File to upload & scan"* box on the top of the page:

*c:\windows\system32\gcjiremeo.dll*

Click on the submit button.

Please post the results in your next reply.


----------



## linkinfigure9 (Jul 20, 2007)

I am going to work with my brother-in-law for a few days but I shall be back Sunday. I'll work on this then. See ya later!!!


----------



## linkinfigure9 (Jul 20, 2007)

Scanner results
Scan taken on 23 Jul 2007 19:37:17 (GMT)

| Scanner | Result |
| --- | --- |
| A-Squared | Found Trojan.Win32.Agent.afg |
| AntiVir | Found TR/Agent.AOJ.17 |
| ArcaVir | Found Trojan.Agent.Afg |
| Avast | Found Win32:Agent-HKH |
| AVG Antivirus | Found Generic5.ANU |
| BitDefender | Found Trojan.Agent.AAEZ |
| ClamAV | Found Trojan.Agent-4509 |
| CPsecure | Found nothing |
| Dr.Web | Found Trojan.Netqv |
| F-Prot Antivirus | Found W32/Trojan.AKFB |
| F-Secure Anti-Virus | Found Trojan.Win32.Agent.afg |
| Fortinet | Found W32/NetVQ.QTZ!tr |
| Kaspersky Anti-Virus | Found Trojan.Win32.Agent.afg |
| NOD32 | Found Win32/Agent.NJJ |
| Norman Virus Control | Found nothing |
| Panda Antivirus | Found Trj/Spamer.BP |
| Rising Antivirus | Found Trojan.Win32.Agent.afg |
| Sophos Antivirus | Found Troj/NetVQ-Gen |
| VirusBuster | Found Trojan.Agent.IKK |
| VBA32 | Found Trojan.Win32.Agent.afg |


I hope this was the right way to do it..


----------



## JSntgRvr (Jul 1, 2003)

Hi, *linkinfigure9*. 

A malicious .DLL file is disrupting the LSP chain on your computer. We need to get rid of it. First I need to have a sample of this file:

Set Explorer to view Hidden Files and Folders:

Right-click your Start button and go to "Explore".
Select Tools from the menu
Select Folder Options
Select the View tab
Click on Show all Files and Folders
Select *Apply to All Folders* | *Yes* | *Apply* | *OK*.
Please go here:
*The Spy Killer Forum*
Click on "New Topic"
Put your name, e-mail address, and this as the title: "*gcjiremeo.dll*"
Put a link to this thread in the description box.
Then next to the file box, at the bottom, click the *browse* button, then navigate to this file:

*c:\windows\system32\gcjiremeo.dll*

Click *Open*.
Click *Post*.
Set Explorer to Defaults:

Right-click your Start button and go to "Explore".
Select Tools from the menu
Select Folder Options
Select the View tab
Click on Restore Defaults
Select *Apply to All Folders* | *Yes* | *Apply* | *OK*.


Please download LSPFix from *here*.
Run the LSPFix.exe that you have just finished downloading.
Check the *I know what I'm doing* box.
In the *Keep* box you should see one or more instances of gcjiremeo.dll.
Select every instance of gcjiremeo.dll and move each one to the *Remove* box by clicking the *>>* button.
When you are done click *Finish>>*.

Your *Java* seems to be out of date. Older versions have vulnerabilities that malware can use to infect your system. Please follow these steps to remove older versions of *Java* components and upgrade the application. *Beware it is NOT supported for use in 9x or ME and probably will not install in those systems*

*Upgrading Java*:

Download the latest version of *Java Runtime Environment (JRE) 6u2*.
Scroll down to where it says "*The J2SE Runtime Environment (JRE) allows end-users to run Java applications*".
Click the "*Download*" button to the right.
Check the box that says: "*Accept License Agreement*".
The page will refresh.
Click on the link to download Windows Offline Installation with or without Multi-language and save to your desktop.
Close any programs you may have running - especially your web browser.
Go to *Start* > *Control Panel*, double-click on *Add/Remove* programs and remove all older versions of Java.
Check any item with Java Runtime Environment *(JRE or J2SE)* in the name.
Click the Remove or Change/Remove button.
Repeat as many times as necessary to remove each Java version.
Reboot your computer once all Java components are removed.
Then from your desktop double-click on the download to install the newest version.
Please download *VundoFix.exe* to your desktop.

*Note: In the event you already have VundoFix, this is a new version that I need you to download.*
Double-click *VundoFix.exe* to run it.
You will receive a message saying vundofix will close and re-open in a minute or less. Click *OK*
When VundoFix re-opens, click the *Scan for Vundo* button.
Once it's done scanning, click the *Remove Vundo* button.
You will receive a prompt asking if you want to remove the files, click *YES*
Once you click yes, your desktop will go blank as it starts removing Vundo.
When completed, it will prompt that it will shutdown your computer, click *OK*.
Turn your computer back on.
Please post the contents of C:\*vundofix.txt* in your next reply.
*Note:* It is possible that *VundoFix* encountered a file it could not remove. In this case, *VundoFix* will run on reboot, simply follow the above instructions starting from "Click the *Scan for Vundo* button" when VundoFix appears at reboot.

Download ComboFix from *Here* or *Here* to your Desktop.

*Note: In the event you already have ComboFix, this is a new version that I need you to download.*

Double click *combofix.exe* and follow the prompts.
When finished, it shall produce a log for you. Post that log in your next reply along with a HijackThis log.
*Note: Do not mouse-click ComboFix's window while it's running. That may cause it to stall.*


----------



## linkinfigure9 (Jul 20, 2007)

Ok. VundoFix log first:

VundoFix V6.5.6

Checking Java version...

Java version is 1.4.2.5
Old versions of java are exploitable and should be removed.

Scan started at 12:44:59 PM 7/19/2007

Listing files found while scanning....

C:\DOCUME~1\Kenny\LOCALS~1\Temp\tmp2.tmp.dll
C:\WINDOWS\nqqttv.ini
C:\WINDOWS\System32\tmp6.tmp.dll
C:\WINDOWS\vttqqn.dll

Beginning removal...

Attempting to delete C:\DOCUME~1\Kenny\LOCALS~1\Temp\tmp2.tmp.dll
C:\DOCUME~1\Kenny\LOCALS~1\Temp\tmp2.tmp.dll Has been deleted!

Attempting to delete C:\WINDOWS\nqqttv.ini
C:\WINDOWS\nqqttv.ini Has been deleted!

Attempting to delete C:\WINDOWS\vttqqn.dll
C:\WINDOWS\vttqqn.dll Has been deleted!

Performing Repairs to the registry.
Done!

VundoFix V6.5.6

Checking Java version...

Java version is 1.4.2.5
Old versions of java are exploitable and should be removed.

Scan started at 12:59:29 PM 7/19/2007

Listing files found while scanning....

No infected files were found.

VundoFix V6.5.6

Checking Java version...

Java version is 1.4.2.5
Old versions of java are exploitable and should be removed.

Scan started at 2:35:46 PM 7/19/2007

Listing files found while scanning....

No infected files were found.

VundoFix V6.5.6

Checking Java version...

Java version is 1.4.2.5
Old versions of java are exploitable and should be removed.

Scan started at 12:20:41 AM 7/20/2007

Listing files found while scanning....

No infected files were found.

VundoFix V6.5.6

Checking Java version...

Java version is 1.4.2.5
Old versions of java are exploitable and should be removed.

Scan started at 3:05:51 PM 7/20/2007

Listing files found while scanning....

No infected files were found.

Beginning removal...

VundoFix V6.5.6

Checking Java version...

Java version is 1.4.2.5
Old versions of java are exploitable and should be removed.

Scan started at 2:27:43 PM 7/23/2007

Listing files found while scanning....

No infected files were found.

Next is ComboFix log:
"Kenny" - 2007-07-23 16:29:27 - ComboFix 07-07-23.6 - Service Pack 1 NTFS

(((((((((((((((((((((((((((((((((((((((((((( V Log )))))))))))))))))))))))))))))))))))))))))))))))))))))))

C:\WINDOWS\hggecc.dll 
C:\WINDOWS\ljkjge.dll 
C:\WINDOWS\nnkkjh.dll 
C:\WINDOWS\opqpno.dll 
C:\WINDOWS\qomkii.dll 
C:\WINDOWS\wvwwxu.dll 
C:\WINDOWS\cceggh.ini 
C:\WINDOWS\egjkjl.ini

* * * POST RUN FILES/FOLDERS * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * *

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))

C:\DOCUME~1\Kenny\APPLIC~1.\macromedia\Flash Player\#SharedObjects\EBZB3T7D\www.broadcaster.com
C:\DOCUME~1\Kenny\APPLIC~1.\macromedia\Flash Player\macromedia.com\support\flashplayer\sys\#www.broadcaster.com
C:\DOCUME~1\Kenny\APPLIC~1.\macromedia\Flash Player\macromedia.com\support\flashplayer\sys\#www.broadcaster.com\settings.sol
C:\DOCUME~1\Kenny\APPLIC~1.\ppatch~1
C:\DOCUME~1\Kenny\APPLIC~1\Install.dat
C:\DOCUME~1\Kenny\Desktop.\internet explorer.lnk
C:\Program Files\Common Files\{3034E~2
C:\Program Files\Common Files\{5034E~1
C:\Program Files\Common Files\{5034E~1\system.dll
C:\Program Files\Common Files\{5034E~2
C:\Program Files\Common Files\{5034E~2\system.dll
C:\WINDOWS\system32\beiuipoam.dll
C:\WINDOWS\system32\cvolhnyaurm.dll
C:\WINDOWS\system32\elarf.dll
C:\WINDOWS\system32\elwtwsd.dll
C:\WINDOWS\system32\gcjiremeo.dll
C:\WINDOWS\system32\sgwpo.dll
C:\WINDOWS\system32\smbols~1
C:\WINDOWS\system32\unkeava.dll
C:\WINDOWS\ystem3~1

((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))

-------\LEGACY_COM+_MESSAGES
-------\LEGACY_DOMAINSERVICE
-------\LEGACY_NETDOWN
-------\LEGACY_NTLDR.SYS
-------\LEGACY_POOF
-------\COM+ Messages
-------\DomainService
-------\kprof
-------\NETDown
-------\ntldr.sys
-------\poof

((((((((((((((((((((((((( Files Created from 2007-06-23 to 2007-07-23 )))))))))))))))))))))))))))))))

2007-07-23 15:55	51,200	--a------	C:\WINDOWS\nircmd.exe
2007-07-21 08:24 d--------	C:\Program Files\Common Files\Cadsoft
2007-07-21 08:24 d--------	C:\Program Files\Cadsoft
2007-07-21 08:24 d--------	C:\DOCUME~1\ALLUSE~1\APPLIC~1\Cadsoft
2007-07-20 14:44 d--------	C:\Program Files\Trend Micro
2007-07-19 13:11 d--------	C:\DOCUME~1\ALLUSE~1\APPLIC~1\SUPERAntiSpyware.com
2007-07-19 13:10 d--------	C:\Program Files\SUPERAntiSpyware
2007-07-19 13:10 d--------	C:\DOCUME~1\Kenny\APPLIC~1\SUPERAntiSpyware.com
2007-07-19 12:44 d--------	C:\VundoFix Backups
2007-07-13 19:00 d--------	C:\Program Files\Common Files\Wise Installation Wizard
2007-06-24 12:41 d--------	C:\Program Files\Firefly Studios
2007-06-24 12:14	106,752	--a------	C:\WINDOWS\nnoolk.dll
2007-06-24 11:48 d--------	C:\WINDOWS\LastGood.Tmp

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

2007-07-20 19:35:59	28,256	----a-w	C:\WINDOWS\system32\drivers\MxlW2k.sys
2007-07-14 00:02:31	--------	d-----w	C:\Program Files\Lavasoft
2007-07-03 21:42:16	--------	d-----w	C:\Program Files\Microsoft Games
2007-06-30 20:40:23	74	----a-w	C:\WINDOWS\popcinfo.dat
2007-06-24 17:41:46	--------	d--h--w	C:\Program Files\InstallShield Installation Information
2007-06-24 17:40:56	--------	d-----w	C:\Program Files\Common Files\InstallShield
2007-06-24 16:52:46	--------	d-----w	C:\Program Files\Common Files\Symantec Shared
2007-06-24 16:52:34	--------	d-----w	C:\Program Files\Norton SystemWorks
2007-06-24 16:43:31	--------	d-----w	C:\Program Files\Symantec
2007-06-11 22:51:30	466	----a-w	C:\WINDOWS\EReg072.dat
2007-05-28 03:31:05	--------	d-----w	C:\Program Files\ALCATech
2007-05-28 03:31:04	--------	d-----w	C:\Program Files\Sony Setup
2007-05-25 01:57:15	--------	d-----w	C:\Program Files\Texas Holdem
2007-04-29 18:04:37	260,096	----a-w	C:\WINDOWS\system32\mstask.dll
2007-04-29 18:04:37	172,544	----a-w	C:\WINDOWS\system32\schedsvc.dll
2007-04-29 18:04:36	10,752	----a-w	C:\WINDOWS\system32\mstinit.exe
2006-08-11 16:24:47	80	--sh--r	C:\WINDOWS\system32\D8BE079C99.dll

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))

*Note* empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MMTray"="C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe" []
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe" [2007-07-12 04:00]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Microsoft Works Update Detection"="C:\Program Files\Microsoft Works\WkDetect.exe" []
"SUPERAntiSpyware"="C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2007-06-21 14:06]

[HKEY_USERS\.default\software\microsoft\windows\currentversion\runonce]
"FlashPlayerUpdate"=C:\WINDOWS\System32\Macromed\Flash\GetFlash.exe

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Microsoft Works Calendar Reminders.lnk - C:\Program Files\Common Files\Microsoft Shared\Works Shared\wkcalrem.exe [2001-08-07 18:06:54]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= C:\Program Files\SUPERAntiSpyware\SASSEH.DLL [2006-12-20 13:55 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon] 
C:\Program Files\SUPERAntiSpyware\SASWINLO.dll 2007-04-19 13:41 294912 C:\Program Files\SUPERAntiSpyware\SASWINLO.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"appinit_dlls"=

R1 Cdr4_xp;Cdr4_xp;C:\WINDOWS\System32\drivers\Cdr4_xp.sys
R1 Cdralw2k;Cdralw2k;C:\WINDOWS\System32\drivers\Cdralw2k.sys
R1 cdudf_xp;cdudf_xp;C:\WINDOWS\System32\drivers\cdudf_xp.sys
R1 pwd_2k;pwd_2k;C:\WINDOWS\System32\drivers\pwd_2k.sys
R1 SASDIFSV;SASDIFSV;\??\C:\Program Files\SUPERAntiSpyware\SASDIFSV.SYS
R1 SASKUTIL;SASKUTIL;\??\C:\Program Files\SUPERAntiSpyware\SASKUTIL.sys
R1 UdfReadr_xp;UdfReadr_xp;C:\WINDOWS\System32\drivers\UdfReadr_xp.sys
R2 LxrJD31d;LxrJD31d;\??\C:\WINDOWS\System32\Drivers\LxrJD31d.sys
R3 i81x;i81x;C:\WINDOWS\System32\DRIVERS\i81xnt5.sys
R3 mmc_2K;mmc_2K;C:\WINDOWS\System32\drivers\mmc_2K.sys
R3 ms_mpu401;Microsoft MPU-401 MIDI UART Driver;C:\WINDOWS\System32\drivers\msmpu401.sys
R3 MxlW2k;MxlW2k;C:\WINDOWS\System32\drivers\MxlW2k.sys
R3 Point32;Microsoft IntelliPoint Filter Driver;C:\WINDOWS\System32\DRIVERS\point32.sys
R3 SASENUM;SASENUM;\??\C:\Program Files\SUPERAntiSpyware\SASENUM.SYS
R3 USRpdA;U.S. Robotics 56K PCI Faxmodem Driver;C:\WINDOWS\System32\DRIVERS\USRpdA.sys
S3 Ad-Watch Connect Filter;Ad-Watch Connect Kernel Filter;\??\C:\WINDOWS\System32\drivers\NSDriver.sys
S3 CA561;ICatch (VI) PC Camera;C:\WINDOWS\System32\Drivers\SPCA561.SYS
S3 DCamUSBSQTECH;Dual-Mode DSC(2770);C:\WINDOWS\System32\Drivers\SQcaptur.sys
S3 dvd_2K;dvd_2K;C:\WINDOWS\System32\drivers\dvd_2K.sys
S3 iAimFP0;iAimFP0;C:\WINDOWS\System32\DRIVERS\wADV01nt.sys
S3 iAimFP1;iAimFP1;C:\WINDOWS\System32\DRIVERS\wADV02NT.sys
S3 iAimFP2;iAimFP2;C:\WINDOWS\System32\DRIVERS\wADV05NT.sys
S3 iAimFP3;iAimFP3;C:\WINDOWS\System32\DRIVERS\wSiINTxx.sys
S3 iAimFP4;iAimFP4;C:\WINDOWS\System32\DRIVERS\wVchNTxx.sys
S3 iAimFP5;iAimFP5;C:\WINDOWS\System32\DRIVERS\wADV07nt.sys
S3 iAimFP6;iAimFP6;C:\WINDOWS\System32\DRIVERS\wADV08nt.sys
S3 iAimFP7;iAimFP7;C:\WINDOWS\System32\DRIVERS\wADV09nt.sys
S3 iAimFP8;iAimFP8;C:\WINDOWS\System32\DRIVERS\wADV11nt.sys
S3 iAimTV0;iAimTV0;C:\WINDOWS\System32\DRIVERS\wATV01nt.sys
S3 iAimTV1;iAimTV1;C:\WINDOWS\System32\DRIVERS\wATV02NT.sys
S3 iAimTV2;iAimTV2;C:\WINDOWS\System32\DRIVERS\wATV03nt.sys
S3 iAimTV3;iAimTV3;C:\WINDOWS\System32\DRIVERS\wATV04nt.sys
S3 iAimTV4;iAimTV4;C:\WINDOWS\System32\DRIVERS\wCh7xxNT.sys
S3 iAimTV5;iAimTV5;C:\WINDOWS\System32\DRIVERS\wATV10nt.sys
S3 iAimTV6;iAimTV6;C:\WINDOWS\System32\DRIVERS\wATV06nt.sys
S3 Ip6FwHlp;IPv6 Internet Connection Firewall;C:\WINDOWS\System32\svchost.exe -k netsvcs
S3 qqd.sys;qqd.sys;\??\C:\qqd.sys
S3 SABProcEnum;SABProcEnum;\??\C:\Program Files\Internet Explorer\SABProcEnum.sys

**************************************************************************

catchme 0.3.1061 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-07-23 16:39:14
Windows 5.1.2600 Service Pack 1 NTFS

scanning hidden processes ...

scanning hidden registry entries ...

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Prefetcher]
"TracesProcessed"=dword:0000001f
"TracesSuccessful"=dword:00000016

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

Completion time: 2007-07-23 16:42:25 - machine was rebooted
C:\ComboFix-quarantined-files.txt ... 2007-07-23 16:41

--- E O F ---
And last but probably least:
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 5:14:45 PM, on 7/23/2007
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\Program Files\Common Files\Microsoft Shared\Works Shared\wkcalrem.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\WINDOWS\system32\LxrJD31s.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\internet explorer\iexplore.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\Program Files\MSN Messenger\usnsvc.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.cp-tel.net/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=localhost:8080;https=localhost:8080
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [MMTray] C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe"
O4 - HKCU\..\Run: [Microsoft Works Update Detection] C:\Program Files\Microsoft Works\WkDetect.exe
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVGFRE~1\avgw.exe /RUNONCE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVGFRE~1\avgw.exe /RUNONCE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVGFRE~1\avgw.exe /RUNONCE (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\RunOnce: [FlashPlayerUpdate] C:\WINDOWS\System32\Macromed\Flash\GetFlash.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVGFRE~1\avgw.exe /RUNONCE (User 'Default user')
O4 - HKUS\.DEFAULT\..\RunOnce: [FlashPlayerUpdate] C:\WINDOWS\System32\Macromed\Flash\GetFlash.exe (User 'Default user')
O4 - Global Startup: Microsoft Works Calendar Reminders.lnk = ?
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O10 - Unknown file in Winsock LSP: c:\windows\system32\ipbubhlhkufnf.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\ipbubhlhkufnf.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\ipbubhlhkufnf.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\ipbubhlhkufnf.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\ipbubhlhkufnf.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\ipbubhlhkufnf.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\ipbubhlhkufnf.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\ipbubhlhkufnf.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\ipbubhlhkufnf.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\ipbubhlhkufnf.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\ipbubhlhkufnf.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\ipbubhlhkufnf.dll
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {5D6F45B3-9043-443D-A792-115447494D24} (UnoCtrl Class) - http://messenger.zone.msn.com/EN-US/a-UNO1/GAME_UNO1.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1168115992875
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1169300917031
O16 - DPF: {90C9629E-CD32-11D3-BBFB-00105A1F0D68} (InstallShield International Setup Player) - http://www.installengine.com/engine/isetup.cab
O16 - DPF: {B1E2B96C-12FE-45E2-BEF1-44A219113CDD} (SABScanProcesses Class) - http://www.superadblocker.com/activex/sabspx.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://cdn2.zone.msn.com/binFramework/v10/ZIntro.cab53083.cab
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://zone.msn.com/bingame/dim2/default/popcaploader_v6.cab
O16 - DPF: {F58E1CEF-A068-4C15-BA5E-587CAF3EE8C6} (MSN Chat Control 4.5) - http://chat.msn.com/bin/msnchat45.cab
O20 - AppInit_DLLs: 
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: Lexar JD31 (LxrJD31s) - Unknown owner - C:\WINDOWS\SYSTEM32\LxrJD31s.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe

--
End of file - 6391 bytes

That should do it, huh? I did everything you said to do... I hope...


----------



## JSntgRvr (Jul 1, 2003)

Hi, *linkinfigure9*. 

Another malicious .DLL file is disrupting the LSP chain on your computer. We need to get rid of it. First I need to have a sample of this file:

Set Explorer to view Hidden Files and Folders:

Right-click your Start button and go to "Explore".
Select Tools from the menu
Select Folder Options
Select the View tab
Click on Show all Files and Folders
Select *Apply to All Folders* | *Yes* | *Apply* | *OK*.
Please go here:
*The Spy Killer Forum*
Click on "New Topic"
Put your name, e-mail address, and this as the title: "*ipbubhlhkufnf.dll*"
Put a link to this thread in the description box.
Then next to the file box, at the bottom, click the *browse* button, then navigate to this file:

*c:\windows\system32\ipbubhlhkufnf.dll*

Click *Open*.
Click *Post*.
Set Explorer to Defaults:

Right-click your Start button and go to "Explore".
Select Tools from the menu
Select Folder Options
Select the View tab
Click on Restore Defaults
Select *Apply to All Folders* | *Yes* | *Apply* | *OK*.


Run the LSPFix.exe that you downloaded earlier.
Check the *I know what I'm doing* box.
In the *Keep* box you should see one or more instances of *ipbubhlhkufnf.dll*.
Select every instance of *ipbubhlhkufnf.dll* and move each one to the *Remove* box by clicking the *>>* button.
When you are done click *Finish>>*.

Please re-open HiJackThis and scan. Check the boxes next to all the entries listed below.

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.cp-tel.net/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O20 - AppInit_DLLs:

*Now* close all windows and browsers, other than HiJackThis, then click *Fix Checked*.

Close Hijackthis.


Copy the entire contents of the *Quote Box* below to *Notepad*.
Name the file *ComboFix-Do.txt*.
Change the *Save as Type* to *All Files*
and *Save* it on the *desktop*.



> File::
> C:\WINDOWS\nnoolk.dll
> C:\qqd.sys
> c:\windows\system32\ipbubhlhkufnf.dll
> ...
Once saved, referring to the picture above, drag *ComboFix-Do.txt* into *ComboFix.exe*, and post back the resulting report along with a fresh *Hijackthis* log.

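The check a practitioner would want before and after running LSPFix is a dump of the Winsock catalog itself, because HijackThis prints one O10 line per catalog entry that references the DLL: a layered provider is registered once on its own and then chained over every base protocol, which is why the same path repeats a dozen times. The script below is an added example written for this page; it is not part of the thread and not code from LSPFix or HijackThis. It parses the text that `netsh winsock show catalog` prints, groups catalog entries by provider DLL, and reports any DLL whose file name is outside a small allowlist of Microsoft provider DLLs. The sample catalog text is constructed to approximate that layout (the entry IDs, descriptions and the `geapb.dll` entries are made up for the example), and the allowlist is illustrative rather than authoritative. One caveat: the `netsh winsock` context is not present on XP SP1; it arrived with SP2, which the helpers in this thread also tell the poster to install.

```python
"""Flag non-Microsoft Winsock providers (LSPs) in `netsh winsock show catalog` output."""
import re
from collections import defaultdict

# Constructed sample that mimics the "Label:   value" blocks netsh prints; it is not
# a capture from the thread's machine. Two Microsoft base providers, plus a
# hypothetical LSP geapb.dll and one chain entry layering it over each base provider.
SAMPLE_CATALOG = r"""
Winsock Catalog Provider Entry
------------------------------------------------------
Entry Type:                         Base Service Provider
Description:                        MSAFD Tcpip [TCP/IP]
Provider Path:                      %SystemRoot%\system32\mswsock.dll
Catalog Entry ID:                   1001

Winsock Catalog Provider Entry
------------------------------------------------------
Entry Type:                         Base Service Provider
Description:                        MSAFD Tcpip [UDP/IP]
Provider Path:                      %SystemRoot%\system32\mswsock.dll
Catalog Entry ID:                   1002

Winsock Catalog Provider Entry
------------------------------------------------------
Entry Type:                         Layered Service Provider
Description:                        geapb
Provider Path:                      C:\WINDOWS\system32\geapb.dll
Catalog Entry ID:                   1009

Winsock Catalog Provider Entry
------------------------------------------------------
Entry Type:                         Layered Chain Entry
Description:                        MSAFD Tcpip [TCP/IP] over geapb
Provider Path:                      C:\WINDOWS\system32\geapb.dll
Catalog Entry ID:                   1010
Protocol Chain:                     1009 : 1001

Winsock Catalog Provider Entry
------------------------------------------------------
Entry Type:                         Layered Chain Entry
Description:                        MSAFD Tcpip [UDP/IP] over geapb
Provider Path:                      C:\WINDOWS\system32\geapb.dll
Catalog Entry ID:                   1011
Protocol Chain:                     1009 : 1002
"""

# Illustrative allowlist of DLL names Microsoft ships as Winsock providers on XP;
# extend it from a known-clean machine rather than treating it as authoritative.
MICROSOFT_PROVIDER_DLLS = {"mswsock.dll", "rsvpsp.dll", "winrnr.dll", "wshtcpip.dll"}

ENTRY_HEADER = "Winsock Catalog Provider Entry"
FIELD_RE = re.compile(r"^\s*([A-Za-z ]+?):\s+(.*?)\s*$")


def parse_catalog(text):
    """Return one dict of label -> value per catalog entry in the netsh dump."""
    entries = []
    for chunk in text.split(ENTRY_HEADER)[1:]:
        fields = {}
        for line in chunk.splitlines():
            m = FIELD_RE.match(line)
            if m:
                fields[m.group(1).strip()] = m.group(2)
        if "Provider Path" in fields and "Catalog Entry ID" in fields:
            entries.append(fields)
    return entries


def provider_dll(entry):
    """Lower-cased file name of the entry's provider DLL, ignoring any directory prefix."""
    return entry["Provider Path"].replace("/", "\\").rsplit("\\", 1)[-1].lower()


def find_unknown_providers(entries, allowlist=MICROSOFT_PROVIDER_DLLS):
    """Map each provider path outside the allowlist to the catalog entry IDs that use it.

    A layered provider shows up once as its own entry and once more for every
    protocol it is chained over, which is why HijackThis repeats the same O10 path.
    """
    hits = defaultdict(list)
    for entry in entries:
        if provider_dll(entry) not in allowlist:
            hits[entry["Provider Path"].lower()].append(int(entry["Catalog Entry ID"]))
    return dict(hits)


if __name__ == "__main__":
    # On a real machine: netsh winsock show catalog > catalog.txt, then read that file.
    for path, ids in find_unknown_providers(parse_catalog(SAMPLE_CATALOG)).items():
        print(f"{path}: used by {len(ids)} catalog entries {ids}")
```

Run it against a saved `netsh winsock show catalog` dump both before removing the DLL and after the reboot; a clean result is an empty dict, while a DLL that comes back under a new random name (as happens repeatedly in this thread) shows up immediately even though its file name has changed.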

----------



## linkinfigure9 (Jul 20, 2007)

The Spy Killer forum would not come up when I clicked it and wouldn't do anything when I tried to open it other ways, so I could not do that part. And I couldn't find the file in the LSPFix thingy. But I did everything else as well as I could.

"Kenny" - 2007-07-23 20:44:58 - ComboFix 07-07-23.6 - Service Pack 1 NTFS 
Command switches used :: C:\Documents and Settings\Kenny\Desktop\ComboFix-Do.txt

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))

C:\cp1041.nls
C:\WINDOWS\nnoolk.dll
C:\WINDOWS\system32\lht.dll

((((((((((((((((((((((((( Files Created from 2007-06-24 to 2007-07-24 )))))))))))))))))))))))))))))))

2007-07-23 15:55	51,200	--a------	C:\WINDOWS\nircmd.exe
2007-07-21 08:24 d--------	C:\Program Files\Common Files\Cadsoft
2007-07-21 08:24 d--------	C:\Program Files\Cadsoft
2007-07-21 08:24 d--------	C:\DOCUME~1\ALLUSE~1\APPLIC~1\Cadsoft
2007-07-20 14:44 d--------	C:\Program Files\Trend Micro
2007-07-19 13:11 d--------	C:\DOCUME~1\ALLUSE~1\APPLIC~1\SUPERAntiSpyware.com
2007-07-19 13:10 d--------	C:\Program Files\SUPERAntiSpyware
2007-07-19 13:10 d--------	C:\DOCUME~1\Kenny\APPLIC~1\SUPERAntiSpyware.com
2007-07-19 12:44 d--------	C:\VundoFix Backups
2007-07-13 19:00 d--------	C:\Program Files\Common Files\Wise Installation Wizard
2007-06-24 12:41 d--------	C:\Program Files\Firefly Studios
2007-06-24 11:48 d--------	C:\WINDOWS\LastGood.Tmp

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

2007-07-20 19:35:59	28,256	----a-w	C:\WINDOWS\system32\drivers\MxlW2k.sys
2007-07-14 00:02:31	--------	d-----w	C:\Program Files\Lavasoft
2007-07-03 21:42:16	--------	d-----w	C:\Program Files\Microsoft Games
2007-06-30 20:40:23	74	----a-w	C:\WINDOWS\popcinfo.dat
2007-06-24 17:41:46	--------	d--h--w	C:\Program Files\InstallShield Installation Information
2007-06-24 17:40:56	--------	d-----w	C:\Program Files\Common Files\InstallShield
2007-06-24 16:52:46	--------	d-----w	C:\Program Files\Common Files\Symantec Shared
2007-06-24 16:52:34	--------	d-----w	C:\Program Files\Norton SystemWorks
2007-06-24 16:43:31	--------	d-----w	C:\Program Files\Symantec
2007-06-11 22:51:30	466	----a-w	C:\WINDOWS\EReg072.dat
2007-05-28 03:31:05	--------	d-----w	C:\Program Files\ALCATech
2007-05-28 03:31:04	--------	d-----w	C:\Program Files\Sony Setup
2007-05-25 01:57:15	--------	d-----w	C:\Program Files\Texas Holdem
2007-04-29 18:04:37	260,096	----a-w	C:\WINDOWS\system32\mstask.dll
2007-04-29 18:04:37	172,544	----a-w	C:\WINDOWS\system32\schedsvc.dll
2007-04-29 18:04:36	10,752	----a-w	C:\WINDOWS\system32\mstinit.exe
2006-08-11 16:24:47	80	--sh--r	C:\WINDOWS\system32\D8BE079C99.dll

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))

*Note* empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MMTray"="C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe" []
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe" [2007-07-12 04:00]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Microsoft Works Update Detection"="C:\Program Files\Microsoft Works\WkDetect.exe" []
"SUPERAntiSpyware"="C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2007-06-21 14:06]

[HKEY_USERS\.default\software\microsoft\windows\currentversion\runonce]
"FlashPlayerUpdate"=C:\WINDOWS\System32\Macromed\Flash\GetFlash.exe

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Microsoft Works Calendar Reminders.lnk - C:\Program Files\Common Files\Microsoft Shared\Works Shared\wkcalrem.exe [2001-08-07 18:06:54]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= C:\Program Files\SUPERAntiSpyware\SASSEH.DLL [2006-12-20 13:55 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon] 
C:\Program Files\SUPERAntiSpyware\SASWINLO.dll 2007-04-19 13:41 294912 C:\Program Files\SUPERAntiSpyware\SASWINLO.dll

R1 Cdr4_xp;Cdr4_xp;C:\WINDOWS\System32\drivers\Cdr4_xp.sys
R1 Cdralw2k;Cdralw2k;C:\WINDOWS\System32\drivers\Cdralw2k.sys
R1 cdudf_xp;cdudf_xp;C:\WINDOWS\System32\drivers\cdudf_xp.sys
R1 pwd_2k;pwd_2k;C:\WINDOWS\System32\drivers\pwd_2k.sys
R1 SASDIFSV;SASDIFSV;\??\C:\Program Files\SUPERAntiSpyware\SASDIFSV.SYS
R1 SASKUTIL;SASKUTIL;\??\C:\Program Files\SUPERAntiSpyware\SASKUTIL.sys
R1 UdfReadr_xp;UdfReadr_xp;C:\WINDOWS\System32\drivers\UdfReadr_xp.sys
R2 LxrJD31d;LxrJD31d;\??\C:\WINDOWS\System32\Drivers\LxrJD31d.sys
R3 i81x;i81x;C:\WINDOWS\System32\DRIVERS\i81xnt5.sys
R3 mmc_2K;mmc_2K;C:\WINDOWS\System32\drivers\mmc_2K.sys
R3 ms_mpu401;Microsoft MPU-401 MIDI UART Driver;C:\WINDOWS\System32\drivers\msmpu401.sys
R3 MxlW2k;MxlW2k;C:\WINDOWS\System32\drivers\MxlW2k.sys
R3 Point32;Microsoft IntelliPoint Filter Driver;C:\WINDOWS\System32\DRIVERS\point32.sys
R3 SASENUM;SASENUM;\??\C:\Program Files\SUPERAntiSpyware\SASENUM.SYS
R3 USRpdA;U.S. Robotics 56K PCI Faxmodem Driver;C:\WINDOWS\System32\DRIVERS\USRpdA.sys
S3 Ad-Watch Connect Filter;Ad-Watch Connect Kernel Filter;\??\C:\WINDOWS\System32\drivers\NSDriver.sys
S3 CA561;ICatch (VI) PC Camera;C:\WINDOWS\System32\Drivers\SPCA561.SYS
S3 DCamUSBSQTECH;Dual-Mode DSC(2770);C:\WINDOWS\System32\Drivers\SQcaptur.sys
S3 dvd_2K;dvd_2K;C:\WINDOWS\System32\drivers\dvd_2K.sys
S3 iAimFP0;iAimFP0;C:\WINDOWS\System32\DRIVERS\wADV01nt.sys
S3 iAimFP1;iAimFP1;C:\WINDOWS\System32\DRIVERS\wADV02NT.sys
S3 iAimFP2;iAimFP2;C:\WINDOWS\System32\DRIVERS\wADV05NT.sys
S3 iAimFP3;iAimFP3;C:\WINDOWS\System32\DRIVERS\wSiINTxx.sys
S3 iAimFP4;iAimFP4;C:\WINDOWS\System32\DRIVERS\wVchNTxx.sys
S3 iAimFP5;iAimFP5;C:\WINDOWS\System32\DRIVERS\wADV07nt.sys
S3 iAimFP6;iAimFP6;C:\WINDOWS\System32\DRIVERS\wADV08nt.sys
S3 iAimFP7;iAimFP7;C:\WINDOWS\System32\DRIVERS\wADV09nt.sys
S3 iAimFP8;iAimFP8;C:\WINDOWS\System32\DRIVERS\wADV11nt.sys
S3 iAimTV0;iAimTV0;C:\WINDOWS\System32\DRIVERS\wATV01nt.sys
S3 iAimTV1;iAimTV1;C:\WINDOWS\System32\DRIVERS\wATV02NT.sys
S3 iAimTV2;iAimTV2;C:\WINDOWS\System32\DRIVERS\wATV03nt.sys
S3 iAimTV3;iAimTV3;C:\WINDOWS\System32\DRIVERS\wATV04nt.sys
S3 iAimTV4;iAimTV4;C:\WINDOWS\System32\DRIVERS\wCh7xxNT.sys
S3 iAimTV5;iAimTV5;C:\WINDOWS\System32\DRIVERS\wATV10nt.sys
S3 iAimTV6;iAimTV6;C:\WINDOWS\System32\DRIVERS\wATV06nt.sys
S3 Ip6FwHlp;IPv6 Internet Connection Firewall;C:\WINDOWS\System32\svchost.exe -k netsvcs
S3 qqd.sys;qqd.sys;\??\C:\qqd.sys
S3 SABProcEnum;SABProcEnum;\??\C:\Program Files\Internet Explorer\SABProcEnum.sys

**************************************************************************

catchme 0.3.1061 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-07-23 20:54:10
Windows 5.1.2600 Service Pack 1 NTFS

scanning hidden processes ...

scanning hidden registry entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

Completion time: 2007-07-23 20:57:29 - machine was rebooted
C:\ComboFix-quarantined-files.txt ... 2007-07-23 20:56
C:\ComboFix2.txt ... 2007-07-23 16:42

--- E O F ---

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 9:01:40 PM, on 7/23/2007
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\WINDOWS\system32\LxrJD31s.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\Program Files\Common Files\Microsoft Shared\Works Shared\wkcalrem.exe
C:\Program Files\internet explorer\iexplore.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=localhost:8080;https=localhost:8080
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [MMTray] C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe"
O4 - HKCU\..\Run: [Microsoft Works Update Detection] C:\Program Files\Microsoft Works\WkDetect.exe
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVGFRE~1\avgw.exe /RUNONCE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVGFRE~1\avgw.exe /RUNONCE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVGFRE~1\avgw.exe /RUNONCE (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\RunOnce: [FlashPlayerUpdate] C:\WINDOWS\System32\Macromed\Flash\GetFlash.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVGFRE~1\avgw.exe /RUNONCE (User 'Default user')
O4 - HKUS\.DEFAULT\..\RunOnce: [FlashPlayerUpdate] C:\WINDOWS\System32\Macromed\Flash\GetFlash.exe (User 'Default user')
O4 - Global Startup: Microsoft Works Calendar Reminders.lnk = ?
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O10 - Unknown file in Winsock LSP: c:\windows\system32\qsrcalrpbriop.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\qsrcalrpbriop.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\qsrcalrpbriop.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\qsrcalrpbriop.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\qsrcalrpbriop.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\qsrcalrpbriop.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\qsrcalrpbriop.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\qsrcalrpbriop.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\qsrcalrpbriop.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\qsrcalrpbriop.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\qsrcalrpbriop.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\qsrcalrpbriop.dll
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {5D6F45B3-9043-443D-A792-115447494D24} (UnoCtrl Class) - http://messenger.zone.msn.com/EN-US/a-UNO1/GAME_UNO1.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1168115992875
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1169300917031
O16 - DPF: {90C9629E-CD32-11D3-BBFB-00105A1F0D68} (InstallShield International Setup Player) - http://www.installengine.com/engine/isetup.cab
O16 - DPF: {B1E2B96C-12FE-45E2-BEF1-44A219113CDD} (SABScanProcesses Class) - http://www.superadblocker.com/activex/sabspx.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://cdn2.zone.msn.com/binFramework/v10/ZIntro.cab53083.cab
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://zone.msn.com/bingame/dim2/default/popcaploader_v6.cab
O16 - DPF: {F58E1CEF-A068-4C15-BA5E-587CAF3EE8C6} (MSN Chat Control 4.5) - http://chat.msn.com/bin/msnchat45.cab
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: Lexar JD31 (LxrJD31s) - Unknown owner - C:\WINDOWS\SYSTEM32\LxrJD31s.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe

--
End of file - 6118 bytes


----------



## JSntgRvr (Jul 1, 2003)

Hi, *linkinfigure9* 

Lets take a deeper look:

Download *WinPFind3U.exe* to your Desktop and double-click on it to extract the files. It will create a folder named *WinPFind3u* on your desktop.

Open the *WinPFind3u* folder and double-click on WinPFind3U.exe to start the program.
In the *Processes* group click *Non Microsoft*
In the *Win32 Services* group click *Non Microsoft*
In the *Driver Services* group click *Non Microsoft*
In the *Registry* group click *Non Microsoft*
In the *Files Created Within* group click *60 days*. Make sure *Non-Microsoft only* is UNCHECKED
In the *Files Modified Within* group select *30 days*. Make sure *Non-Microsoft only* is UNCHECKED
In the *File String Search* group select *Non Microsoft*
In the *Additional scans* section select *All* and *uncheck* Non-Microsoft only

Now click the *Run Scan *button on the toolbar.
The program will be scanning huge amounts of data so depending on your system it could take a long time to complete. Let it run unhindered until it finishes.
When the scan is complete Notepad will open with the report file loaded in it.
Save that notepad file
Use the *Reply* button and attach the notepad file here *(Do not copy and paste in a reply, rather attach it to it).*


----------



## linkinfigure9 (Jul 20, 2007)

Ok. I did that as best I could....


----------



## JSntgRvr (Jul 1, 2003)

Hi, *linkinfigure9* 

Start *WinPFind3U*. Copy/Paste the information in the Quotebox below into the pane where it says *"Paste fix here"* and then click the Run Fix button.


```
[Kill Explorer]
[Unregister Dlls]
[Registry - Non-Microsoft Only]
< Run [HKLM] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
YN -> MMTray -> %ProgramFiles%\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe
< Run [HKCU] > -> HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
YN -> Microsoft Works Update Detection -> %ProgramFiles%\Microsoft Works\WkDetect.exe
[Files/Folders - Created Within 60 days]
NY -> cp1041.nls -> %SystemDrive%\cp1041.nls
NY -> iihkmp.ini -> %SystemRoot%\iihkmp.ini
NY -> lkkkjl.ini -> %SystemRoot%\lkkkjl.ini
NY -> mmlnmp.ini -> %SystemRoot%\mmlnmp.ini
NY -> ooqsut.ini -> %SystemRoot%\ooqsut.ini
NY -> qpsvxx.ini -> %SystemRoot%\qpsvxx.ini
NY -> qsrqss.ini -> %SystemRoot%\qsrqss.ini
NY -> qsttvw.ini -> %SystemRoot%\qsttvw.ini
NY -> uxxybc.ini -> %SystemRoot%\uxxybc.ini
NY -> xaadeg.ini -> %SystemRoot%\xaadeg.ini
NY -> xaybbc.ini -> %SystemRoot%\xaybbc.ini
NY -> xwxwwa.ini -> %SystemRoot%\xwxwwa.ini
NY -> qsrcalrpbriop.dll -> %System32%\qsrcalrpbriop.dll
NY -> _r_a_p_.tmp -> %UserDesktop%\_r_a_p_.tmp
[Files/Folders - Modified Within 30 days]
NY -> cp1041.nls -> %SystemDrive%\cp1041.nls
NY -> iihkmp.ini -> %SystemRoot%\iihkmp.ini
NY -> lkkkjl.ini -> %SystemRoot%\lkkkjl.ini
NY -> mmlnmp.ini -> %SystemRoot%\mmlnmp.ini
NY -> ooqsut.ini -> %SystemRoot%\ooqsut.ini
NY -> qpsvxx.ini -> %SystemRoot%\qpsvxx.ini
NY -> qsrqss.ini -> %SystemRoot%\qsrqss.ini
NY -> qsttvw.ini -> %SystemRoot%\qsttvw.ini
NY -> uxxybc.ini -> %SystemRoot%\uxxybc.ini
NY -> xaadeg.ini -> %SystemRoot%\xaadeg.ini
NY -> xaybbc.ini -> %SystemRoot%\xaybbc.ini
NY -> xwxwwa.ini -> %SystemRoot%\xwxwwa.ini
NY -> _r_a_p_.tmp -> %UserDesktop%\_r_a_p_.tmp
[File String Scan - Non-Microsoft Only]
NY -> UPX! , UPX0 , -> %SystemDrive%\cp1041.nls
[Empty Temp Folders]
[Start Explorer]
[Reboot]
```
The fix should only take a very short time. When the fix is completed a message box will pop up telling you that it is finished. Click the Ok button and Notepad will open with a log of actions taken during the fix. *Post that information back here along with a new Hijackthis log.*

I will review the information when it comes back in.

Also let me know of any problems you encountered performing the steps above or any continuing problems you are still having with the computer.


----------



## linkinfigure9 (Jul 20, 2007)

Explorer killed successfully
[Registry - Non-Microsoft Only]
Registry value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\\MMTray deleted successfully.
Registry value HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\\Microsoft Works Update Detection deleted successfully.
[Files/Folders - Created Within 60 days]
C:\cp1041.nls moved successfully.
C:\WINDOWS\iihkmp.ini moved successfully.
C:\WINDOWS\lkkkjl.ini moved successfully.
C:\WINDOWS\mmlnmp.ini moved successfully.
C:\WINDOWS\ooqsut.ini moved successfully.
C:\WINDOWS\qpsvxx.ini moved successfully.
C:\WINDOWS\qsrqss.ini moved successfully.
C:\WINDOWS\qsttvw.ini moved successfully.
C:\WINDOWS\uxxybc.ini moved successfully.
C:\WINDOWS\xaadeg.ini moved successfully.
C:\WINDOWS\xaybbc.ini moved successfully.
C:\WINDOWS\xwxwwa.ini moved successfully.
DllUnregisterServer procedure not found in C:\WINDOWS\SYSTEM32\qsrcalrpbriop.dll
C:\WINDOWS\SYSTEM32\qsrcalrpbriop.dll NOT unregistered.
C:\WINDOWS\SYSTEM32\qsrcalrpbriop.dll moved successfully.
C:\Documents and Settings\Kenny\Desktop\_r_a_p_.tmp moved successfully.
[Files/Folders - Modified Within 30 days]
File C:\cp1041.nls not found!
File C:\WINDOWS\iihkmp.ini not found!
File C:\WINDOWS\lkkkjl.ini not found!
File C:\WINDOWS\mmlnmp.ini not found!
File C:\WINDOWS\ooqsut.ini not found!
File C:\WINDOWS\qpsvxx.ini not found!
File C:\WINDOWS\qsrqss.ini not found!
File C:\WINDOWS\qsttvw.ini not found!
File C:\WINDOWS\uxxybc.ini not found!
File C:\WINDOWS\xaadeg.ini not found!
File C:\WINDOWS\xaybbc.ini not found!
File C:\WINDOWS\xwxwwa.ini not found!
File C:\Documents and Settings\Kenny\Desktop\_r_a_p_.tmp not found!
[File String Scan - Non-Microsoft Only]
File C:\cp1041.nls not found!
[Empty Temp Folders]
C:\DOCUME~1\Kenny\LOCALS~1\Temp\ -> emptied.
C:\Documents and Settings\Kenny\Local Settings\Temporary Internet Files\Content.IE5\ -> emptied
RecycleBin -> emptied.
Explorer started successfully
< End of log >
Created on 07/24/2007 13:10:26

After I finished this, the internet would not connect, so I ran LSPFix and then restarted my computer, and the internet worked.

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 1:19:42 PM, on 7/24/2007
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe
C:\Program Files\Common Files\Microsoft Shared\Works Shared\wkcalrem.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\WINDOWS\system32\LxrJD31s.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\internet explorer\iexplore.exe
C:\WINDOWS\System32\wuauclt.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=localhost:8080;https=localhost:8080
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe"
O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVGFRE~1\avgw.exe /RUNONCE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVGFRE~1\avgw.exe /RUNONCE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVGFRE~1\avgw.exe /RUNONCE (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\RunOnce: [FlashPlayerUpdate] C:\WINDOWS\System32\Macromed\Flash\GetFlash.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVGFRE~1\avgw.exe /RUNONCE (User 'Default user')
O4 - HKUS\.DEFAULT\..\RunOnce: [FlashPlayerUpdate] C:\WINDOWS\System32\Macromed\Flash\GetFlash.exe (User 'Default user')
O4 - Global Startup: Microsoft Works Calendar Reminders.lnk = ?
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O10 - Unknown file in Winsock LSP: c:\windows\system32\geapb.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\geapb.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\geapb.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\geapb.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\geapb.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\geapb.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\geapb.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\geapb.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\geapb.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\geapb.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\geapb.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\geapb.dll
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {5D6F45B3-9043-443D-A792-115447494D24} (UnoCtrl Class) - http://messenger.zone.msn.com/EN-US/a-UNO1/GAME_UNO1.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1168115992875
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1169300917031
O16 - DPF: {90C9629E-CD32-11D3-BBFB-00105A1F0D68} (InstallShield International Setup Player) - http://www.installengine.com/engine/isetup.cab
O16 - DPF: {B1E2B96C-12FE-45E2-BEF1-44A219113CDD} (SABScanProcesses Class) - http://www.superadblocker.com/activex/sabspx.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://cdn2.zone.msn.com/binFramework/v10/ZIntro.cab53083.cab
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://zone.msn.com/bingame/dim2/default/popcaploader_v6.cab
O16 - DPF: {F58E1CEF-A068-4C15-BA5E-587CAF3EE8C6} (MSN Chat Control 4.5) - http://chat.msn.com/bin/msnchat45.cab
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: Lexar JD31 (LxrJD31s) - Unknown owner - C:\WINDOWS\SYSTEM32\LxrJD31s.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe

--
End of file - 5719 bytes


----------



## JohnWill (Oct 19, 2002)

Try this Automated WINSOCK Fix for XP to see if it fixes the TCP/IP stack.

You REALLY need to get SP2 installed as soon as *JSntgRvr* finishes helping you get rid of all the malware.


----------



## linkinfigure9 (Jul 20, 2007)

I tried the thingy you suggested. The internet seems like it's moving slower now. Well, slower than usual. If I may ask, what is SP2?


----------



## linkinfigure9 (Jul 20, 2007)

Well, that thing didn't fully fix it; I still have to restart my computer. But it lasted a small bit longer than it usually does.


----------



## JSntgRvr (Jul 1, 2003)

Hi, *linkinfigure9* 

Somehow that trojan is being reproduced. Let's try another scanner:

Download *Deckard's System Scanner (DSS)* from *here* or *here* to your Desktop. Note: You must be logged onto an account with administrator privileges.

Close all applications and windows.
Double-click on *dss.exe* to run it, and follow the prompts.
When the scan is complete, two text files will open: *main.txt* <- this one will be maximized, and *extra.txt* <- this one will be minimized.
Copy (Ctrl+A then Ctrl+C) and paste (Ctrl+V) the contents of both *main.txt* and *extra.txt* in your next reply.
If the files are too long, attach them to a reply:

Scroll down and click the [*Manage Attachments*] button
Browse to the following folder:
*C:\Deckard\System Scanner*

Click *Upload* to upload these files one by one
*Submit* your reply


----------



## linkinfigure9 (Jul 20, 2007)

Deckard's System Scanner v20070711.54
Run by Kenny on 2007-07-24 at 18:08:46
Computer is in Normal Mode.
--------------------------------------------------------------------------------

-- System Restore --------------------------------------------------------------

Successfully created a Deckard's System Scanner Restore Point.

-- Last 5 Restore Point(s) --
55: 2007-07-24 23:08:52 UTC - RP1227 - Deckard's System Scanner Restore Point
54: 2007-07-23 20:46:15 UTC - RP1226 - Installed Java(TM) 6 Update 2
53: 2007-07-23 20:38:29 UTC - RP1225 - Removed Java 2 Runtime Environment, SE v1.4.2_05
52: 2007-07-22 20:51:56 UTC - RP1224 - System Checkpoint
51: 2007-07-21 13:21:05 UTC - RP1223 - Installed Envisioneer Express 3.0

-- First Restore Point -- 
1: 2007-04-30 15:05:33 UTC - RP1173 - Installed Windows XP KB899587.

Backed up registry hives.

Performed disk cleanup.

-- HijackThis (run as Kenny.exe) -----------------------------------------------

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 1:19:42 PM, on 7/24/2007
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe
C:\Program Files\Common Files\Microsoft Shared\Works Shared\wkcalrem.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\WINDOWS\system32\LxrJD31s.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\internet explorer\iexplore.exe
C:\WINDOWS\System32\wuauclt.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=localhost:8080;https=localhost:8080
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe"
O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVGFRE~1\avgw.exe /RUNONCE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVGFRE~1\avgw.exe /RUNONCE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVGFRE~1\avgw.exe /RUNONCE (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\RunOnce: [FlashPlayerUpdate] C:\WINDOWS\System32\Macromed\Flash\GetFlash.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVGFRE~1\avgw.exe /RUNONCE (User 'Default user')
O4 - HKUS\.DEFAULT\..\RunOnce: [FlashPlayerUpdate] C:\WINDOWS\System32\Macromed\Flash\GetFlash.exe (User 'Default user')
O4 - Global Startup: Microsoft Works Calendar Reminders.lnk = ?
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O10 - Unknown file in Winsock LSP: c:\windows\system32\geapb.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\geapb.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\geapb.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\geapb.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\geapb.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\geapb.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\geapb.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\geapb.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\geapb.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\geapb.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\geapb.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\geapb.dll
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {5D6F45B3-9043-443D-A792-115447494D24} (UnoCtrl Class) - http://messenger.zone.msn.com/EN-US/a-UNO1/GAME_UNO1.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1168115992875
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1169300917031
O16 - DPF: {90C9629E-CD32-11D3-BBFB-00105A1F0D68} (InstallShield International Setup Player) - http://www.installengine.com/engine/isetup.cab
O16 - DPF: {B1E2B96C-12FE-45E2-BEF1-44A219113CDD} (SABScanProcesses Class) - http://www.superadblocker.com/activex/sabspx.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://cdn2.zone.msn.com/binFramework/v10/ZIntro.cab53083.cab
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://zone.msn.com/bingame/dim2/default/popcaploader_v6.cab
O16 - DPF: {F58E1CEF-A068-4C15-BA5E-587CAF3EE8C6} (MSN Chat Control 4.5) - http://chat.msn.com/bin/msnchat45.cab
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: Lexar JD31 (LxrJD31s) - Unknown owner - C:\WINDOWS\SYSTEM32\LxrJD31s.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe

--
End of file - 5719 bytes

-- HijackThis Fixed Entries (C:\PROGRA~1\TRENDM~1\HIJACK~1\backups\) -----------

backup-20070723-204309-231 O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
backup-20070723-204309-608 R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.cp-tel.net/
backup-20070723-204309-836 R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
backup-20070723-204309-868 O20 - AppInit_DLLs:

-- File Associations -----------------------------------------------------------

.cpl - cplfile - shell\cplopen\command - rundll32.exe shell32.dll,Control_RunDLL "%1",%*

-- Drivers: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled ---------------------

R1 SASDIFSV - c:\program files\superantispyware\sasdifsv.sys
R1 SASKUTIL - c:\program files\superantispyware\saskutil.sys
R2 LxrJD31d - c:\windows\system32\drivers\lxrjd31d.sys
R3 pfc (Padus ASPI Shell) - c:\windows\system32\drivers\pfc.sys <Not Verified; Padus, Inc.; Padus(R) ASPI Shell>

S3 Ad-Watch Connect Filter (Ad-Watch Connect Kernel Filter) - c:\windows\system32\drivers\nsdriver.sys (file missing)
S3 CA561 (ICatch (VI) PC Camera) - c:\windows\system32\drivers\spca561.sys (file missing)
S3 catchme - c:\docume~1\kenny\locals~1\temp\catchme.sys (file missing)
S3 DCamUSBSQTECH (Dual-Mode DSC(2770)) - c:\windows\system32\drivers\sqcaptur.sys <Not Verified; Service & Quality Technology.; SQ913>
S3 qqd.sys - c:\qqd.sys (file missing)
S3 SABProcEnum - c:\program files\internet explorer\sabprocenum.sys (file missing)
S3 SASENUM - c:\program files\superantispyware\sasenum.sys <Not Verified; SuperAdBlocker, Inc.; SuperAntiSpyware>

-- Services: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled --------------------

R2 LxrJD31s (Lexar JD31) - lxrjd31s.exe

-- Files created between 2007-06-24 and 2007-07-24 -----------------------------

2007-07-24 17:18:54 24064 --a------ C:\WINDOWS\System32\gowjrpr.dll
2007-07-24 15:23:59 24064 --a------ C:\WINDOWS\System32\x.dll
2007-07-24 14:33:27 24064 --a------ C:\WINDOWS\System32\m.dll
2007-07-24 14:02:33 0 d-------- C:\Documents and Settings\Kenny\Application Data\Yahoo!
2007-07-24 14:02:33 0 d-------- C:\Documents and Settings\All Users\Application Data\Yahoo! Companion
2007-07-24 13:52:27 0 d-------- C:\Documents and Settings\All Users\Application Data\Yahoo!
2007-07-24 13:49:17 0 d-------- C:\Program Files\Yahoo!
2007-07-24 13:18:17 24064 --a------ C:\WINDOWS\System32\geapb.dll
2007-07-23 15:46:21 0 d-------- C:\Program Files\Common Files\Java
2007-07-21 08:24:58 0 d-------- C:\Documents and Settings\All Users\Application Data\Cadsoft
2007-07-21 08:24:07 0 d-------- C:\Program Files\Common Files\Cadsoft
2007-07-21 08:24:03 0 d-------- C:\Program Files\Cadsoft
2007-07-20 14:44:20 0 d-------- C:\Program Files\Trend Micro
2007-07-19 13:11:26 0 d-------- C:\Documents and Settings\All Users\Application Data\SUPERAntiSpyware.com
2007-07-19 13:10:59 0 d-------- C:\Program Files\SUPERAntiSpyware
2007-07-19 13:10:58 0 d-------- C:\Documents and Settings\Kenny\Application Data\SUPERAntiSpyware.com
2007-07-19 12:44:59 0 d-------- C:\VundoFix Backups
2007-07-13 19:00:57 0 d-------- C:\Program Files\Common Files\Wise Installation Wizard
2007-06-24 12:41:57 0 d-------- C:\Program Files\Firefly Studios
2007-06-24 11:48:10 0 d-------- C:\WINDOWS\LastGood.Tmp

-- Find3M Report ---------------------------------------------------------------

2007-07-23 15:47:59 0 d-------- C:\Program Files\Java
2007-07-13 19:02:31 0 d-------- C:\Program Files\Lavasoft
2007-07-03 16:42:16 0 d-------- C:\Program Files\Microsoft Games
2007-06-30 15:40:23 74 --a------ C:\WINDOWS\popcinfo.dat
2007-06-24 12:41:46 0 d--h----- C:\Program Files\InstallShield Installation Information
2007-06-24 12:40:56 0 d-------- C:\Program Files\Common Files\InstallShield
2007-06-24 12:12:02 0 d-------- C:\Documents and Settings\Kenny\Application Data\AVG7
2007-06-24 11:52:46 0 d-------- C:\Program Files\Common Files\Symantec Shared
2007-06-24 11:52:34 0 d-------- C:\Program Files\Norton SystemWorks
2007-06-24 11:43:31 0 d-------- C:\Program Files\Symantec
2007-06-11 17:51:30 466 --a------ C:\WINDOWS\EReg072.dat
2007-05-27 22:31:05 0 d-------- C:\Program Files\ALCATech
2007-05-27 22:31:04 0 d-------- C:\Program Files\Sony Setup
2007-05-24 20:57:15 0 d-------- C:\Program Files\Texas Holdem

-- Registry Dump ---------------------------------------------------------------

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects]
{02478D38-C3F9-4efb-9B51-7695ECA05670}	C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
{5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897}	C:\Program Files\Yahoo!\Common\yiesrvc.dll
{761497BB-D6F0-462C-B6EB-D4DAF1D92D43}	C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
{9030D464-4C02-4ABF-8ECC-5164760863C6}	C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run]
"SunJavaUpdateSched"="\"C:\\Program Files\\Java\\jre1.6.0_02\\bin\\jusched.exe\""

[HKEY_USERS\.default\software\microsoft\windows\currentversion\runonce]
"FlashPlayerUpdate"="C:\\WINDOWS\\System32\\Macromed\\Flash\\GetFlash.exe"

[HKEY_USERS\.default\software\microsoft\windows\currentversion\run]
"AVG7_Run"="C:\\PROGRA~1\\Grisoft\\AVGFRE~1\\avgw.exe /RUNONCE"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"=""

HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders]
"SecurityProviders"="msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll, zwebauth.dll"

HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa
Authentication Packages	REG_MULTI_SZ msv1_0\0\0
Security Packages	REG_MULTI_SZ kerberos\0msv1_0\0schannel\0wdigest\0\0
Notification Packages	REG_MULTI_SZ scecli\0\0

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Svchost]
LocalService	REG_MULTI_SZ Alerter\0WebClient\0LmHosts\0RemoteRegistry\0upnphost\0SSDPSRV\0\0
NetworkService	REG_MULTI_SZ DnsCache\0\0
rpcss	REG_MULTI_SZ RpcSs\0\0
imgsvc	REG_MULTI_SZ StiSvc\0\0
termsvcs	REG_MULTI_SZ TermService\0\0

-- End of Deckard's System Scanner: finished at 2007-07-24 at 18:10:39 ---------

Deckard's System Scanner v20070711.54
Extra logfile - please post this as an attachment with your post.
--------------------------------------------------------------------------------

-- System Information ----------------------------------------------------------

Microsoft Windows XP Professional (build 2600) SP 1.0
Architecture: X86; Language: English

CPU 0: Intel(R) Celeron(TM) CPU 1200MHz
Percentage of Memory in Use: 72%
Physical Memory (total/avail): 253.98 MiB / 69.12 MiB
Pagefile Memory (total/avail): 625.27 MiB / 470.37 MiB
Virtual Memory (total/avail): 2047.88 MiB / 1976.81 MiB

A: is Removable (No Media)
C: is Fixed (NTFS) - 37.3 GiB total, 10.31 GiB free. 
D: is CDROM (No Media)
E: is CDROM (No Media)

-- Security Center -------------------------------------------------------------

AUOptions is disabled.

-- Environment Variables -------------------------------------------------------

ALLUSERSPROFILE=C:\Documents and Settings\All Users
APPDATA=C:\Documents and Settings\Kenny\Application Data
CLASSPATH=C:\Program Files\PhotoDeluxe HE 3.1\AdobeConnectables;
CLIENTNAME=Console
CommonProgramFiles=C:\Program Files\Common Files
COMPUTERNAME=KENNYBABY
ComSpec=C:\WINDOWS\system32\cmd.exe
HOMEDRIVE=C:
HOMEPATH=\Documents and Settings\Kenny
LOGONSERVER=\\KENNYBABY
NUMBER_OF_PROCESSORS=1
OS=Windows_NT
Path=C:\Program Files\Internet Explorer;;C:\WINDOWS\system32;C:\WINDOWS;C:\WINDOWS\system32\wbem;C:\WINDOWS\system32;C:\WINDOWS;C:\WINDOWS\System32\Wbem;C:\Program Files\Common Files\Roxio Shared\DLLShared
PATHEXT=.COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH
PROCESSOR_ARCHITECTURE=x86
PROCESSOR_IDENTIFIER=x86 Family 6 Model 11 Stepping 1, GenuineIntel
PROCESSOR_LEVEL=6
PROCESSOR_REVISION=0b01
ProgramFiles=C:\Program Files
PROMPT=$P$G
PS5ROOT=C:\Program Files\Roxio\Easy CD Creator 6\PhotoSuite\
SESSIONNAME=Console
SystemDrive=C:
SystemRoot=C:\WINDOWS
TEMP=C:\DOCUME~1\Kenny\LOCALS~1\Temp
TMP=C:\DOCUME~1\Kenny\LOCALS~1\Temp
USERDOMAIN=KENNYBABY
USERNAME=Kenny
USERPROFILE=C:\Documents and Settings\Kenny
windir=C:\WINDOWS

-- User Profiles ---------------------------------------------------------------

Kenny _(admin)_

-- Add/Remove Programs ---------------------------------------------------------

--> C:\WINDOWS\UNINST.EXE -f"C:\Program Files\PhotoDeluxe HE 3.1\DeIsL1.isu" -c"C:\Program Files\PhotoDeluxe HE 3.1\Uninst.dll"
--> C:\WINDOWS\uninst.exe -fC:\Maxis\SimFarm\DeIsL1.isu
--> rundll32.exe setupapi.dll,InstallHinfSection DefaultUninstall 132 C:\WINDOWS\INF\PCHealth.inf
Acoustica Effects Pack --> C:\PROGRA~1\ACOUST~1\FX\UNWISE.EXE C:\PROGRA~1\ACOUST~1\FX\INSTALL.LOG
Acoustica Mixcraft --> C:\PROGRA~1\ACOUST~1\UNWISE.EXE C:\PROGRA~1\ACOUST~1\INSTALL.LOG
Adobe Acrobat 4.0 --> C:\WINDOWS\ISUNINST.EXE -f"C:\Program Files\Common Files\Adobe\Acrobat 4.0\NT\Uninst.isu" -c"C:\Program Files\Common Files\Adobe\Acrobat 4.0\NT\Uninst.dll"
Adobe Acrobat Reader 3.01 --> C:\WINDOWS\uninst.exe -fC:\Acrobat3\Reader\DeIsL1.isu
Adobe Flash Player ActiveX --> C:\WINDOWS\System32\Macromed\Flash\uninstall_activeX.exe
Advanced Networking Pack for Windows XP --> C:\WINDOWS\$NtUninstallKB817778$\spuninst\spuninst.exe
ArcSoft Software Suite --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{F57D8342-E2E4-46F4-915A-F50817CBCB45}\setup.exe" -l0x9 
AVG Free Edition --> C:\Program Files\Grisoft\AVG Free\setup.exe /UNINSTALL
Bookworm Deluxe 1.03 --> C:\Program Files\PopCap Games\BookWorm Deluxe\PopUninstall.exe "C:\Program Files\PopCap Games\BookWorm Deluxe\Install.log"
BPM-Studio 4 Profi --> C:\WINDOWS\uninst.exe -f"C:\Program Files\ALCATech\BPM-Studio Profi\DeIsL1.isu" -c"C:\Program Files\ALCATech\BPM-Studio Profi\_ISREG32.DLL"
Casino Island To Go --> C:\PROGRA~1\POGOGA~1\CASINO~1\UNWISE.EXE C:\PROGRA~1\POGOGA~1\CASINO~1\INSTALL.LOG
Chicken Hunter --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\09\00\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{1535DCC2-6EB2-4FAC-9ABB-C3DC939BB87A}\Setup.exe" -l0x9 
Chuzzle Deluxe 1.0 --> C:\Program Files\PopCap Games\Chuzzle Deluxe\PopUninstall.exe "C:\Program Files\PopCap Games\Chuzzle Deluxe\Install.log"
Command & Conquer Red Alert 2 --> C:\Westwood\RA2\Uninstll.EXE
Command && Conquer Red Alert 2 - Yuri's Revenge --> C:\Westwood\RA2\Uninstll.EXE
Commandos, Beyond the Call of Duty --> C:\WINDOWS\uninst.exe -f"C:\Program Files\Eidos Interactive\Pyro\Commandos, Beyond the Call of Duty\DeIsL1.isu"
EA Network Play System --> C:\WINDOWS\IsUninst.exe -f"C:\Program Files\Electronic Arts\Network Play System\uninst.isu"
Easy CD & DVD Creator 6 --> MsiExec.exe /I{644F9DBE-CEDB-45AF-ACB8-E26692B74F62}
eGames GameButler --> C:\PROGRA~1\eGames\GAMEBU~1\UNWISE.EXE C:\PROGRA~1\eGames\GAMEBU~1\INSTALL.LOG
Envisioneer Express 3.0 --> C:\PROGRA~1\COMMON~1\INSTAL~1\Driver\11\INTEL3~1\IDriver.exe /M{1EBD2C18-069A-4582-BF40-2B506AF6CFAD} 
exPressit S.E. 2.1 --> "C:\Program Files\exPressit S.E. 2.1\UninstallerData\Uninstall exPressit S.E. 2.1.exe"
FL Studio 6 --> C:\Program Files\Image-Line\FL Studio 6\uninstall.exe
Gearhead Garage --> MsiExec.exe /I{47A0AF01-FB86-11D5-888A-005004D128A9}
HighMAT Extension to Microsoft Windows XP CD Writing Wizard --> MsiExec.exe /X{FCE65C4E-B0E8-4FBD-AD16-EDCBE6CD591F}
HijackThis 2.0.2 --> "C:\Program Files\Trend Micro\HijackThis\HijackThis.exe" /uninstall
Hoyle Board Games 5 --> C:\WINDOWS\IsUninst.exe -f"C:\SIERRA\Hoyle Board Games 5\Uninst.isu"
Intel(R) 810/810E/815/815E/815EM Chipset Graphics Driver Software --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{8A708DD8-A5E6-11D4-A706-000629E95E20}\Setup.exe" -inteluninstall
Java(TM) 6 Update 2 --> MsiExec.exe /I{3248F0A8-6813-11D6-A77B-00B0D0160020}
JD Secure 3.1 --> C:\WINDOWS\System32\JDSecure31.exe /u
Macromedia Shockwave Player --> C:\WINDOWS\system32\Macromed\SHOCKW~2\UNWISE.EXE C:\WINDOWS\system32\Macromed\SHOCKW~2\Install.log
Microsoft Age of Empires II --> "C:\Program Files\Microsoft Games\Age of Empires II\UNINSTAL.EXE" /runtemp /uninstall
Microsoft Web Publishing Wizard 1.52 --> RunDll32 ADVPACK.DLL,LaunchINFSection C:\WINDOWS\INF\wpie4x86.inf,WebPostUninstall
Microsoft Works 6.0 --> MsiExec.exe /I{A1B7B9B3-E1D2-41CA-9B4A-F18DC2710704}
Microsoft Works and Money 2002 Setup Launcher --> C:\Program Files\Microsoft Works and Money 2002\Setup\Launcher.exe D:\
MUSICMATCH® Jukebox --> C:\PROGRA~1\MUSICM~1\MUSICM~1\unmatch.exe
My DSC --> C:\Program Files\InstallShield Installation Information\{225af9a1-b556-88d5-94aa-0010b5426419}\setup.exe
Network Play System (Patching) --> C:\WINDOWS\IsUninst.exe -f"C:\Program Files\Electronic Arts\Network Play System\NPSPatch.isu"
Pharaoh and Cleopatra --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{821DABD6-26F2-49E5-AE55-40A589ADBE6D}\Setup.exe" 
Photo Explosion --> MsiExec.exe /X{B8F19DA6-0BCD-48FC-9998-C6ACEAEEDEFE}
PowerDVD --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{6811CAA0-BF12-11D4-9EA1-0050BAE317E1}\Setup.exe" -uninstall
PrintMaster 12 --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{2A304FDE-F4E3-446D-AA0D-31425C897B71}\setup.exe" -l0x9 anything
QuickTime --> C:\WINDOWS\unvise32qt.exe C:\WINDOWS\System32\QuickTime\Uninstall.log
Railroad Tycoon II - The 3 Continents --> C:\WINDOWS\uninst.exe -f"C:\Program Files\Railroad Tycoon II - The 3 Continents\DeIsL1.isu" -c"C:\Program Files\Railroad Tycoon II - The 3 Continents\_ISREG32.DLL"
SereneScreen Aquarium --> C:\WINDOWS\IsUninst.exe -f"C:\Program Files\SereneScreen\Aquarium\Uninst.isu"
Sierra On-Line Games (Remove only) --> C:\BPM Studio Pro 4.2\Archive\SETUP.EXE /U
SimCity 3000 --> C:\WINDOWS\IsUninst.exe -f"C:\Program Files\Maxis\SimCity 3000\Uninst.isu"
Solitaire --> C:\PROGRA~1\GALAXY~1\SOLITA~1\UNWISE.EXE C:\PROGRA~1\GALAXY~1\SOLITA~1\INSTALL.LOG
Star Wars Galactic Battlegrounds: Saga --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{10133CDD-50B9-4783-B336-8B48F3653715}\Setup.exe" -l0x9 
Stronghold Crusader --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{8C3727F2-8E37-49E4-820C-03B1677F53B6}\setup.exe" -l0x9 
Su Doku Master --> C:\PROGRA~1\eGames\SUDOKU~1\UNWISE.EXE C:\PROGRA~1\eGames\SUDOKU~1\INSTALL.LOG
SUPERAntiSpyware Free Edition --> MsiExec.exe /X{CDDCBBF1-2703-46BC-938B-BCC81A1EEAAA}
Tetris (remove only) --> "C:\Program Files\Tetris\Tetris\uninstall.exe"
Texas Hold 'Em: High Stakes Poker --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\10\01\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{C3B95659-26C3-4448-8891-5E713F978F74}\Setup.exe" -l0x9 -removeonly
The Sims Makin' Magic --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{9A00D1BA-D03A-44E5-AF28-86A1F377DF61}\setup.exe" -l0009
Warcraft II BNE --> C:\WINDOWS\W2BNEUnin.exe C:\WINDOWS\W2BNEUnin.dat
Windows Live Messenger --> MsiExec.exe /I{571700F0-DB9D-4B3A-B03D-35A14BB5939F}
Windows Live Sign-in Assistant --> MsiExec.exe /I{22B3CC30-77B8-419C-AA4B-F571FDF5D66D}
WinRAR archiver --> C:\Program Files\WinRAR\uninstall.exe
WWII: Normandy --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{456C1C87-0D3D-4CC2-B411-98A43D249C12}\normandy.exe" 
Yahoo! Browser Services --> C:\PROGRA~1\Yahoo!\Common\UNIN_Y~1.EXE /S
Yahoo! Install Manager --> C:\WINDOWS\System32\regsvr32 /u C:\PROGRA~1\Yahoo!\Common\YINSTH~1.DLL
Yahoo! Internet Mail --> C:\WINDOWS\System32\regsvr32 /u /s C:\PROGRA~1\Yahoo!\Common\YMMAPI.dll
Yahoo! Messenger --> C:\PROGRA~1\Yahoo!\MESSEN~1\UNWISE.EXE /U C:\PROGRA~1\Yahoo!\MESSEN~1\INSTALL.LOG
Yahoo! Toolbar --> C:\PROGRA~1\Yahoo!\Common\unyt.exe
Zuma Deluxe 1.0 --> C:\Program Files\Zone.Com Deluxe Games\Zuma Deluxe\ZumaDeluxeUninstaller.exe "C:\Program Files\Zone.Com Deluxe Games\Zuma Deluxe\Install.log"

-- End of Deckard's System Scanner: finished at 2007-07-24 at 18:10:39 ---------

Hope that wasn't too long...


----------



## JSntgRvr (Jul 1, 2003)

Hi, *linkinfigure9* 


*Copy the entire contents of the Quote Box* below to *Notepad*.
Name the file *ComboFix-Do.txt*,
change the *Save as Type* to *All Files*,
and *Save* it on the *desktop*.



> File::
> C:\WINDOWS\System32\gowjrpr.dll
> C:\WINDOWS\System32\x.dll
> C:\WINDOWS\System32\m.dll
> ...

Once saved, referring to the picture above, drag *ComboFix-Do.txt* into *ComboFix.exe*, and post back the resulting report along with a fresh HijackThis log.

If you lose your Internet Connection, use LSPFix again to get back online. The geapb.dll file is disrupting your LSP chain.
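As an added example (not part of this thread and not code from HijackThis, ComboFix or Deckard's System Scanner): a small Python triage script that reads log lines in the shape posted above and surfaces the two indicators the helper is acting on here, namely a DLL that HijackThis cannot identify sitting in every Winsock LSP catalog entry, and a run of freshly created System32 DLLs of identical byte size under meaningless names. The sample lines are constructed from the shape of the logs in this thread (the `helper.dll` line and its size are made up); the function names and the `C:\Program Files\Example` path are assumptions.

```python
import re
from collections import Counter, defaultdict

# Constructed sample in the shape of the logs posted in this thread: a few
# HijackThis lines (one O2 BHO, repeated O10 LSP entries) and a few
# "Files created" lines in the Deckard's System Scanner layout
# (timestamp, size in bytes, attribute flags, path). The helper.dll line
# and its size are made up for the demonstration.
SAMPLE_LOG = """\
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\\Program Files\\Common Files\\Microsoft Shared\\Windows Live\\WindowsLiveLogin.dll
O10 - Unknown file in Winsock LSP: c:\\windows\\system32\\geapb.dll
O10 - Unknown file in Winsock LSP: c:\\windows\\system32\\geapb.dll
O10 - Unknown file in Winsock LSP: c:\\windows\\system32\\geapb.dll
2007-07-24 17:18:54 24064 --a------ C:\\WINDOWS\\System32\\gowjrpr.dll
2007-07-24 15:23:59 24064 --a------ C:\\WINDOWS\\System32\\x.dll
2007-07-24 14:33:27 24064 --a------ C:\\WINDOWS\\System32\\m.dll
2007-07-24 13:18:17 24064 --a------ C:\\WINDOWS\\System32\\geapb.dll
2007-07-23 15:55:00 51200 --a------ C:\\WINDOWS\\nircmd.exe
2007-07-22 09:00:00 40960 --a------ C:\\Program Files\\Example\\helper.dll
2007-07-20 14:44:20 0 d-------- C:\\Program Files\\Trend Micro
"""

LSP_RE = re.compile(r"^O10 - Unknown file in Winsock LSP: (.+?)\s*$")
FILE_RE = re.compile(r"^(\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2})\s+(\d+)\s+(\S+)\s+(.+?)\s*$")


def parse_lsp_entries(log):
    """Count how many Winsock catalog entries point at each unidentified DLL.

    HijackThis prints one O10 line per catalog entry, so one DLL repeated
    across every entry means the whole LSP chain routes through it. Deleting
    the file without repairing the chain breaks networking, which is why the
    thread recommends LSPFix afterwards.
    """
    counts = Counter()
    for line in log.splitlines():
        m = LSP_RE.match(line)
        if m:
            counts[m.group(1).strip().lower()] += 1
    return counts


def parse_created_files(log):
    """Return the file (not directory) entries of a 'Files created' listing."""
    entries = []
    for line in log.splitlines():
        m = FILE_RE.match(line)
        if not m:
            continue
        when, size, attrs, path = m.groups()
        if attrs.startswith("d"):  # directory entry, no byte size to compare
            continue
        entries.append({"when": when, "size": int(size), "attrs": attrs, "path": path})
    return entries


def find_size_clusters(entries, min_count=2):
    """Group newly created DLLs by identical byte size.

    Several fresh DLLs of exactly the same size under different, meaningless
    names is the pattern visible in this thread: one component re-dropped
    under a new name each time the previous copy is removed.
    """
    by_size = defaultdict(list)
    for e in entries:
        if e["path"].lower().endswith(".dll"):
            by_size[e["size"]].append(e["path"])
    return {size: sorted(paths) for size, paths in by_size.items() if len(paths) >= min_count}


def triage(log):
    """Run both checks over a log and return the findings as plain data."""
    lsp = parse_lsp_entries(log)
    return {
        "lsp_unknown": dict(lsp),
        "lsp_entry_count": sum(lsp.values()),
        "size_clusters": find_size_clusters(parse_created_files(log)),
    }


if __name__ == "__main__":
    result = triage(SAMPLE_LOG)
    for dll, n in result["lsp_unknown"].items():
        print(f"unidentified LSP DLL {dll} in {n} of {result['lsp_entry_count']} catalog entries")
    for size, paths in result["size_clusters"].items():
        print(f"{len(paths)} new DLLs of {size} bytes:")
        for p in paths:
            print("   ", p)
```

Feed it the text of a saved HijackThis or Deckard report instead of `SAMPLE_LOG` and it prints the same two findings; the size clustering is deliberately name-agnostic, so it still fires when the dropped file is renamed again between scans.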


----------



## linkinfigure9 (Jul 20, 2007)

"Kenny" - 2007-07-24 23:38:04 - ComboFix 07-07-23.6 - Service Pack 1 NTFS 
Command switches used :: C:\Documents and Settings\Kenny\Desktop\ComboFix-Do.txt

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))

C:\cp1041.nls
C:\WINDOWS\EReg072.dat
C:\WINDOWS\System32\geapb.dll
C:\WINDOWS\System32\gowjrpr.dll
C:\WINDOWS\System32\m.dll
C:\WINDOWS\system32\pyknfxxvg.dll
C:\WINDOWS\System32\x.dll

((((((((((((((((((((((((( Files Created from 2007-06-25 to 2007-07-25 )))))))))))))))))))))))))))))))

2007-07-24 18:08 d--------	C:\Deckard
2007-07-24 14:02 d--------	C:\DOCUME~1\Kenny\APPLIC~1\Yahoo!
2007-07-24 14:02 d--------	C:\DOCUME~1\ALLUSE~1\APPLIC~1\Yahoo! Companion
2007-07-24 13:52 d--------	C:\DOCUME~1\ALLUSE~1\APPLIC~1\Yahoo!
2007-07-24 13:49 d--------	C:\Program Files\Yahoo!
2007-07-23 15:55	51,200	--a------	C:\WINDOWS\nircmd.exe
2007-07-21 08:24 d--------	C:\Program Files\Common Files\Cadsoft
2007-07-21 08:24 d--------	C:\Program Files\Cadsoft
2007-07-21 08:24 d--------	C:\DOCUME~1\ALLUSE~1\APPLIC~1\Cadsoft
2007-07-20 14:44 d--------	C:\Program Files\Trend Micro
2007-07-19 13:11 d--------	C:\DOCUME~1\ALLUSE~1\APPLIC~1\SUPERAntiSpyware.com
2007-07-19 13:10 d--------	C:\Program Files\SUPERAntiSpyware
2007-07-19 13:10 d--------	C:\DOCUME~1\Kenny\APPLIC~1\SUPERAntiSpyware.com
2007-07-19 12:44 d--------	C:\VundoFix Backups
2007-07-13 19:00 d--------	C:\Program Files\Common Files\Wise Installation Wizard
2007-06-24 12:41 d--------	C:\Program Files\Firefly Studios
2007-06-24 11:48 d--------	C:\WINDOWS\LastGood.Tmp

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

2007-07-20 19:35:59	28,256	----a-w	C:\WINDOWS\system32\drivers\MxlW2k.sys
2007-07-14 00:02:31	--------	d-----w	C:\Program Files\Lavasoft
2007-07-03 21:42:16	--------	d-----w	C:\Program Files\Microsoft Games
2007-06-30 20:40:23	74	----a-w	C:\WINDOWS\popcinfo.dat
2007-06-24 17:41:46	--------	d--h--w	C:\Program Files\InstallShield Installation Information
2007-06-24 17:40:56	--------	d-----w	C:\Program Files\Common Files\InstallShield
2007-06-24 16:52:46	--------	d-----w	C:\Program Files\Common Files\Symantec Shared
2007-06-24 16:52:34	--------	d-----w	C:\Program Files\Norton SystemWorks
2007-06-24 16:43:31	--------	d-----w	C:\Program Files\Symantec
2007-05-28 03:31:05	--------	d-----w	C:\Program Files\ALCATech
2007-05-28 03:31:04	--------	d-----w	C:\Program Files\Sony Setup
2007-05-25 01:57:15	--------	d-----w	C:\Program Files\Texas Holdem
2007-04-29 18:04:37	260,096	----a-w	C:\WINDOWS\system32\mstask.dll
2007-04-29 18:04:37	172,544	----a-w	C:\WINDOWS\system32\schedsvc.dll
2007-04-29 18:04:36	10,752	----a-w	C:\WINDOWS\system32\mstinit.exe
2006-08-11 16:24:47	80	--sh--r	C:\WINDOWS\system32\D8BE079C99.dll

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))

*Note* empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe" [2007-07-12 04:00]

[HKEY_USERS\.default\software\microsoft\windows\currentversion\runonce]
"FlashPlayerUpdate"=C:\WINDOWS\System32\Macromed\Flash\GetFlash.exe

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Microsoft Works Calendar Reminders.lnk - C:\Program Files\Common Files\Microsoft Shared\Works Shared\wkcalrem.exe [2001-08-07 18:06:54]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= C:\Program Files\SUPERAntiSpyware\SASSEH.DLL [2006-12-20 13:55 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon] 
C:\Program Files\SUPERAntiSpyware\SASWINLO.dll 2007-04-19 13:41 294912 C:\Program Files\SUPERAntiSpyware\SASWINLO.dll

R1 Cdr4_xp;Cdr4_xp;C:\WINDOWS\System32\drivers\Cdr4_xp.sys
R1 Cdralw2k;Cdralw2k;C:\WINDOWS\System32\drivers\Cdralw2k.sys
R1 cdudf_xp;cdudf_xp;C:\WINDOWS\System32\drivers\cdudf_xp.sys
R1 pwd_2k;pwd_2k;C:\WINDOWS\System32\drivers\pwd_2k.sys
R1 SASDIFSV;SASDIFSV;\??\C:\Program Files\SUPERAntiSpyware\SASDIFSV.SYS
R1 SASKUTIL;SASKUTIL;\??\C:\Program Files\SUPERAntiSpyware\SASKUTIL.sys
R1 UdfReadr_xp;UdfReadr_xp;C:\WINDOWS\System32\drivers\UdfReadr_xp.sys
R2 LxrJD31d;LxrJD31d;\??\C:\WINDOWS\System32\Drivers\LxrJD31d.sys
R3 i81x;i81x;C:\WINDOWS\System32\DRIVERS\i81xnt5.sys
R3 mmc_2K;mmc_2K;C:\WINDOWS\System32\drivers\mmc_2K.sys
R3 ms_mpu401;Microsoft MPU-401 MIDI UART Driver;C:\WINDOWS\System32\drivers\msmpu401.sys
R3 MxlW2k;MxlW2k;C:\WINDOWS\System32\drivers\MxlW2k.sys
R3 Point32;Microsoft IntelliPoint Filter Driver;C:\WINDOWS\System32\DRIVERS\point32.sys
R3 USRpdA;U.S. Robotics 56K PCI Faxmodem Driver;C:\WINDOWS\System32\DRIVERS\USRpdA.sys
S3 Ad-Watch Connect Filter;Ad-Watch Connect Kernel Filter;\??\C:\WINDOWS\System32\drivers\NSDriver.sys
S3 CA561;ICatch (VI) PC Camera;C:\WINDOWS\System32\Drivers\SPCA561.SYS
S3 DCamUSBSQTECH;Dual-Mode DSC(2770);C:\WINDOWS\System32\Drivers\SQcaptur.sys
S3 dvd_2K;dvd_2K;C:\WINDOWS\System32\drivers\dvd_2K.sys
S3 iAimFP0;iAimFP0;C:\WINDOWS\System32\DRIVERS\wADV01nt.sys
S3 iAimFP1;iAimFP1;C:\WINDOWS\System32\DRIVERS\wADV02NT.sys
S3 iAimFP2;iAimFP2;C:\WINDOWS\System32\DRIVERS\wADV05NT.sys
S3 iAimFP3;iAimFP3;C:\WINDOWS\System32\DRIVERS\wSiINTxx.sys
S3 iAimFP4;iAimFP4;C:\WINDOWS\System32\DRIVERS\wVchNTxx.sys
S3 iAimFP5;iAimFP5;C:\WINDOWS\System32\DRIVERS\wADV07nt.sys
S3 iAimFP6;iAimFP6;C:\WINDOWS\System32\DRIVERS\wADV08nt.sys
S3 iAimFP7;iAimFP7;C:\WINDOWS\System32\DRIVERS\wADV09nt.sys
S3 iAimFP8;iAimFP8;C:\WINDOWS\System32\DRIVERS\wADV11nt.sys
S3 iAimTV0;iAimTV0;C:\WINDOWS\System32\DRIVERS\wATV01nt.sys
S3 iAimTV1;iAimTV1;C:\WINDOWS\System32\DRIVERS\wATV02NT.sys
S3 iAimTV2;iAimTV2;C:\WINDOWS\System32\DRIVERS\wATV03nt.sys
S3 iAimTV3;iAimTV3;C:\WINDOWS\System32\DRIVERS\wATV04nt.sys
S3 iAimTV4;iAimTV4;C:\WINDOWS\System32\DRIVERS\wCh7xxNT.sys
S3 iAimTV5;iAimTV5;C:\WINDOWS\System32\DRIVERS\wATV10nt.sys
S3 iAimTV6;iAimTV6;C:\WINDOWS\System32\DRIVERS\wATV06nt.sys
S3 Ip6FwHlp;IPv6 Internet Connection Firewall;C:\WINDOWS\System32\svchost.exe -k netsvcs
S3 qqd.sys;qqd.sys;\??\C:\qqd.sys
S3 SABProcEnum;SABProcEnum;\??\C:\Program Files\Internet Explorer\SABProcEnum.sys
S3 SASENUM;SASENUM;\??\C:\Program Files\SUPERAntiSpyware\SASENUM.SYS

**************************************************************************

catchme 0.3.1061 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-07-24 23:46:35
Windows 5.1.2600 Service Pack 1 NTFS

scanning hidden processes ...

scanning hidden registry entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

Completion time: 2007-07-24 23:49:24 - machine was rebooted
C:\ComboFix-quarantined-files.txt ... 2007-07-24 23:48
C:\ComboFix2.txt ... 2007-07-23 20:57
C:\ComboFix3.txt ... 2007-07-23 16:42

--- E O F ---


----------



## JSntgRvr (Jul 1, 2003)

Hi, linkinfigure9 

Need to see a fresh Hijackthis log.


----------



## linkinfigure9 (Jul 20, 2007)

OH! That would be good, huh?

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 10:07:12 AM, on 7/25/2007
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe
C:\Program Files\Common Files\Microsoft Shared\Works Shared\wkcalrem.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\WINDOWS\system32\LxrJD31s.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\wuauclt.exe
C:\Program Files\internet explorer\iexplore.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.cp-tel.net/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=localhost:8080;https=localhost:8080
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: &Yahoo! Toolbar Helper - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: Yahoo! IE Services Button - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe"
O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVGFRE~1\avgw.exe /RUNONCE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVGFRE~1\avgw.exe /RUNONCE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVGFRE~1\avgw.exe /RUNONCE (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\RunOnce: [FlashPlayerUpdate] C:\WINDOWS\System32\Macromed\Flash\GetFlash.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVGFRE~1\avgw.exe /RUNONCE (User 'Default user')
O4 - HKUS\.DEFAULT\..\RunOnce: [FlashPlayerUpdate] C:\WINDOWS\System32\Macromed\Flash\GetFlash.exe (User 'Default user')
O4 - Global Startup: Microsoft Works Calendar Reminders.lnk = ?
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (Installation Support) - C:\Program Files\Yahoo!\Common\Yinsthelper.dll
O16 - DPF: {5D6F45B3-9043-443D-A792-115447494D24} (UnoCtrl Class) - http://messenger.zone.msn.com/EN-US/a-UNO1/GAME_UNO1.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1168115992875
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1169300917031
O16 - DPF: {90C9629E-CD32-11D3-BBFB-00105A1F0D68} (InstallShield International Setup Player) - http://www.installengine.com/engine/isetup.cab
O16 - DPF: {B1E2B96C-12FE-45E2-BEF1-44A219113CDD} (SABScanProcesses Class) - http://www.superadblocker.com/activex/sabspx.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://cdn2.zone.msn.com/binFramework/v10/ZIntro.cab53083.cab
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://zone.msn.com/bingame/dim2/default/popcaploader_v6.cab
O16 - DPF: {F58E1CEF-A068-4C15-BA5E-587CAF3EE8C6} (MSN Chat Control 4.5) - http://chat.msn.com/bin/msnchat45.cab
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: Lexar JD31 (LxrJD31s) - Unknown owner - C:\WINDOWS\SYSTEM32\LxrJD31s.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe

--
End of file - 5776 bytes


----------



## JSntgRvr (Jul 1, 2003)

Hi, *linkinfigure9*

I believe we got the sucker!

Open this file in Notepad and post its contents:

*C:\ComboFix-quarantined-files.txt*


----------



## linkinfigure9 (Jul 20, 2007)

```
2004-07-04 09:00      767    --a------    C:\Qoobox\Quarantine\C\DOCUME~1\Kenny\Desktop\Internet Explorer.lnk.vir
2006-12-30 10:55      6656    --a------    C:\Qoobox\Quarantine\C\Program Files\Common Files\{5034E~1\system.dll.vir
2006-12-31 23:30      6656    --a------    C:\Qoobox\Quarantine\C\Program Files\Common Files\{5034E~2\system.dll.vir
2007-01-04 14:52      0    --a------    C:\Qoobox\Quarantine\C\DOCUME~1\Kenny\APPLIC~1\Install.dat.vir
2007-04-28 06:29      89    --a------    C:\Qoobox\Quarantine\C\DOCUME~1\Kenny\APPLIC~1\Macromedia\Flash Player\macromedia.com\support\flashplayer\sys\#www.broadcaster.com\settings.sol.vir
2007-06-11 17:51      466    --a------    C:\Qoobox\Quarantine\C\WINDOWS\EReg072.dat.vir
2007-06-24 12:14      106752    --a------    C:\Qoobox\Quarantine\C\WINDOWS\nnoolk.dll.vir
2007-07-13 21:49      134930    --a------    C:\Qoobox\Quarantine\C\WINDOWS\qomkii.dll.vir
2007-07-14 15:36      134955    --a------    C:\Qoobox\Quarantine\C\WINDOWS\ljkjge.dll.vir
2007-07-14 16:45      1194210    --a------    C:\Qoobox\Quarantine\C\WINDOWS\egjkjl.ini.vir
2007-07-16 17:21      1191788    --a------    C:\Qoobox\Quarantine\C\WINDOWS\cceggh.ini.vir
2007-07-16 17:21      134976    --a------    C:\Qoobox\Quarantine\C\WINDOWS\hggecc.dll.vir
2007-07-17 15:20      134976    --a------    C:\Qoobox\Quarantine\C\WINDOWS\wvwwxu.dll.vir
2007-07-18 08:09      134976    --a------    C:\Qoobox\Quarantine\C\WINDOWS\nnkkjh.dll.vir
2007-07-18 11:34      134976    --a------    C:\Qoobox\Quarantine\C\WINDOWS\opqpno.dll.vir
2007-07-20 03:39      24064    --a------    C:\Qoobox\Quarantine\C\WINDOWS\system32\cvolhnyaurm.dll.vir
2007-07-20 13:44      24064    --a------    C:\Qoobox\Quarantine\C\WINDOWS\system32\unkeava.dll.vir
2007-07-20 14:31      24064    --a------    C:\Qoobox\Quarantine\C\WINDOWS\system32\gcjiremeo.dll.vir
2007-07-20 17:55      24064    --a------    C:\Qoobox\Quarantine\C\WINDOWS\system32\elwtwsd.dll.vir
2007-07-20 19:50      24064    --a------    C:\Qoobox\Quarantine\C\WINDOWS\system32\beiuipoam.dll.vir
2007-07-23 13:30      24064    --a------    C:\Qoobox\Quarantine\C\WINDOWS\system32\sgwpo.dll.vir
2007-07-23 14:37      24064    --a------    C:\Qoobox\Quarantine\C\WINDOWS\system32\elarf.dll.vir
2007-07-23 16:35      1004    --a------    C:\Qoobox\Quarantine\Registry_backups\LEGACY_POOF.reg.cf
2007-07-23 16:35      1122    --a------    C:\Qoobox\Quarantine\Registry_backups\services_ntldr.reg.cf
2007-07-23 16:35      1232    --a------    C:\Qoobox\Quarantine\Registry_backups\LEGACY_NTLDR.SYS.reg.cf
2007-07-23 16:35      2056    --a------    C:\Qoobox\Quarantine\Registry_backups\services_kprof.reg.cf
2007-07-23 16:35      2338    --a------    C:\Qoobox\Quarantine\Registry_backups\services_NETDown.reg.cf
2007-07-23 16:35      2416    --a------    C:\Qoobox\Quarantine\Registry_backups\services_poof.reg.cf
2007-07-23 16:35      2850    --a------    C:\Qoobox\Quarantine\Registry_backups\services_COM+ Messages.reg.cf
2007-07-23 16:35      2956    --a------    C:\Qoobox\Quarantine\Registry_backups\services_DomainService.reg.cf
2007-07-23 16:35      808    --a------    C:\Qoobox\Quarantine\Registry_backups\LEGACY_NETDOWN.reg.cf
2007-07-23 16:35      846    --a------    C:\Qoobox\Quarantine\Registry_backups\LEGACY_COM+_MESSAGES.reg.cf
2007-07-23 16:35      846    --a------    C:\Qoobox\Quarantine\Registry_backups\LEGACY_DOMAINSERVICE.reg.cf
2007-07-23 18:31      24064    --a------    C:\Qoobox\Quarantine\C\WINDOWS\system32\lht.dll.vir
2007-07-24 13:18      24064    --a------    C:\Qoobox\Quarantine\C\WINDOWS\system32\geapb.dll.vir
2007-07-24 14:33      24064    --a------    C:\Qoobox\Quarantine\C\WINDOWS\system32\m.dll.vir
2007-07-24 15:24      24064    --a------    C:\Qoobox\Quarantine\C\WINDOWS\system32\x.dll.vir
2007-07-24 17:18      24064    --a------    C:\Qoobox\Quarantine\C\WINDOWS\system32\gowjrpr.dll.vir
2007-07-24 19:49      24064    --a------    C:\Qoobox\Quarantine\C\WINDOWS\system32\pyknfxxvg.dll.vir


Folder PATH listing
Volume serial number is 71FAE346 5034:EA4B
C:\QOOBOX
\---Quarantine
    +---C
    |   +---DOCUME~1
    |   |   \---Kenny
    |   |       +---APPLIC~1
    |   |       |   |   Install.dat.vir
    |   |       |   |   
    |   |       |   \---Macromedia
    |   |       |       \---Flash Player
    |   |       |           \---macromedia.com
    |   |       |               \---support
    |   |       |                   \---flashplayer
    |   |       |                       \---sys
    |   |       |                           \---#www.broadcaster.com
    |   |       |                                   settings.sol.vir
    |   |       |                                   
    |   |       \---Desktop
    |   |               Internet Explorer.lnk.vir
    |   |               
    |   +---Program Files
    |   |   \---Common Files
    |   |       +---{5034E~1
    |   |       |       system.dll.vir
    |   |       |       
    |   |       \---{5034E~2
    |   |               system.dll.vir
    |   |               
    |   \---WINDOWS
    |       |   cceggh.ini.vir
    |       |   egjkjl.ini.vir
    |       |   EReg072.dat.vir
    |       |   hggecc.dll.vir
    |       |   ljkjge.dll.vir
    |       |   nnkkjh.dll.vir
    |       |   nnoolk.dll.vir
    |       |   opqpno.dll.vir
    |       |   qomkii.dll.vir
    |       |   wvwwxu.dll.vir
    |       |   
    |       \---system32
    |               beiuipoam.dll.vir
    |               cvolhnyaurm.dll.vir
    |               elarf.dll.vir
    |               elwtwsd.dll.vir
    |               gcjiremeo.dll.vir
    |               geapb.dll.vir
    |               gowjrpr.dll.vir
    |               lht.dll.vir
    |               m.dll.vir
    |               pyknfxxvg.dll.vir
    |               sgwpo.dll.vir
    |               unkeava.dll.vir
    |               x.dll.vir
    |               
    \---Registry_backups
            LEGACY_COM+_MESSAGES.reg.cf
            LEGACY_DOMAINSERVICE.reg.cf
            LEGACY_NETDOWN.reg.cf
            LEGACY_NTLDR.SYS.reg.cf
            LEGACY_POOF.reg.cf
            services_COM+ Messages.reg.cf
            services_DomainService.reg.cf
            services_kprof.reg.cf
            services_NETDown.reg.cf
            services_ntldr.reg.cf
            services_poof.reg.cf
```


----------



## linkinfigure9 (Jul 20, 2007)

Also, I don't know if it has anything to do with this, but a little window has been popping up that says there was a problem with Windows Explorer. I click Don't Send and the desktop disappears and then reappears a second or two later. I just wanted to see if this was because of the problem... Is it?


----------



## linkinfigure9 (Jul 20, 2007)

Also, a different window popped up and said something about an error, and it showed little checks and words, but I forgot what it was. And then when I clicked Cancel, it did like the other one did and made the desktop disappear and then reappear.


----------



## JSntgRvr (Jul 1, 2003)

Hi, *linkinfigure9* 

First, let me get some samples of these files:

First, download the attached *catchme.txt* to your desktop.

Next,

Download *catchme.exe* from the *thespykiller* forum *here* and save it to your desktop.

Double-click catchme.exe to run it and click on Add. A window will open with a list of files; select the catchme.txt on your desktop and press Open. The files listed in it will appear in the catchme window. Now click on *Zip* to make a copy of this file, which will be backed up to catchme.zip on your desktop.

Next, please go to the *TheSpykiller* forum and upload this file so we can examine it. In order to do so, click on *New Topic*, fill in the needed details and give a link to your post here. Click on *Browse* and navigate to the *Catchme.zip* on your desktop, select the .zip folder and, once it is on the window, click on *Post*. (Do not post HJT logs there, as they will not get dealt with.)

Run Deckard's System Scanner once again and post the report. This time follow these steps:

Go to Start->Run, type the following command and click OK:

*"%userprofile%\desktop\dss.exe" /config*

The Deckard System Scanner Config display will appear. Remove the check mark from System Restore, then click on *Scan*.

Post the resulting report.


----------



## linkinfigure9 (Jul 20, 2007)

Deckard's System Scanner v20070711.54
Run by Kenny on 2007-07-25 at 20:24:53
Computer is in Normal Mode.
--------------------------------------------------------------------------------

-- HijackThis (run as Kenny.exe) -----------------------------------------------

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 10:07:12 AM, on 7/25/2007
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe
C:\Program Files\Common Files\Microsoft Shared\Works Shared\wkcalrem.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\WINDOWS\system32\LxrJD31s.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\wuauclt.exe
C:\Program Files\internet explorer\iexplore.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.cp-tel.net/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=localhost:8080;https=localhost:8080
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: &Yahoo! Toolbar Helper - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: Yahoo! IE Services Button - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe"
O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVGFRE~1\avgw.exe /RUNONCE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVGFRE~1\avgw.exe /RUNONCE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVGFRE~1\avgw.exe /RUNONCE (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\RunOnce: [FlashPlayerUpdate] C:\WINDOWS\System32\Macromed\Flash\GetFlash.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVGFRE~1\avgw.exe /RUNONCE (User 'Default user')
O4 - HKUS\.DEFAULT\..\RunOnce: [FlashPlayerUpdate] C:\WINDOWS\System32\Macromed\Flash\GetFlash.exe (User 'Default user')
O4 - Global Startup: Microsoft Works Calendar Reminders.lnk = ?
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (Installation Support) - C:\Program Files\Yahoo!\Common\Yinsthelper.dll
O16 - DPF: {5D6F45B3-9043-443D-A792-115447494D24} (UnoCtrl Class) - http://messenger.zone.msn.com/EN-US/a-UNO1/GAME_UNO1.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1168115992875
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1169300917031
O16 - DPF: {90C9629E-CD32-11D3-BBFB-00105A1F0D68} (InstallShield International Setup Player) - http://www.installengine.com/engine/isetup.cab
O16 - DPF: {B1E2B96C-12FE-45E2-BEF1-44A219113CDD} (SABScanProcesses Class) - http://www.superadblocker.com/activex/sabspx.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://cdn2.zone.msn.com/binFramework/v10/ZIntro.cab53083.cab
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://zone.msn.com/bingame/dim2/default/popcaploader_v6.cab
O16 - DPF: {F58E1CEF-A068-4C15-BA5E-587CAF3EE8C6} (MSN Chat Control 4.5) - http://chat.msn.com/bin/msnchat45.cab
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: Lexar JD31 (LxrJD31s) - Unknown owner - C:\WINDOWS\SYSTEM32\LxrJD31s.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe

--
End of file - 5776 bytes

-- Files created between 2007-06-25 and 2007-07-25 -----------------------------

2007-07-25 19:30:51 0 d-------- C:\Program Files\CCleaner
2007-07-25 19:26:47 1156 --a------ C:\WINDOWS\mozver.dat
2007-07-25 19:14:23 0 --a------ C:\WINDOWS\nsreg.dat
2007-07-25 19:14:14 0 d-------- C:\Documents and Settings\Kenny\Application Data\Mozilla
2007-07-25 18:15:09 24064 --a------ C:\WINDOWS\System32\xsntnacxygxci.dll
2007-07-25 16:24:52 24064 --a------ C:\WINDOWS\System32\tjz.dll
2007-07-25 09:16:00 24064 --a------ C:\WINDOWS\System32\n.dll
2007-07-24 23:57:02 21376 --a------ C:\qqd.sys
2007-07-24 14:02:33 0 d-------- C:\Documents and Settings\Kenny\Application Data\Yahoo!
2007-07-24 14:02:33 0 d-------- C:\Documents and Settings\All Users\Application Data\Yahoo! Companion
2007-07-24 13:52:27 0 d-------- C:\Documents and Settings\All Users\Application Data\Yahoo!
2007-07-24 13:49:17 0 d-------- C:\Program Files\Yahoo!
2007-07-23 15:46:21 0 d-------- C:\Program Files\Common Files\Java
2007-07-21 08:24:58 0 d-------- C:\Documents and Settings\All Users\Application Data\Cadsoft
2007-07-21 08:24:07 0 d-------- C:\Program Files\Common Files\Cadsoft
2007-07-21 08:24:03 0 d-------- C:\Program Files\Cadsoft
2007-07-20 14:44:20 0 d-------- C:\Program Files\Trend Micro
2007-07-19 13:11:26 0 d-------- C:\Documents and Settings\All Users\Application Data\SUPERAntiSpyware.com
2007-07-19 13:10:59 0 d-------- C:\Program Files\SUPERAntiSpyware
2007-07-19 13:10:58 0 d-------- C:\Documents and Settings\Kenny\Application Data\SUPERAntiSpyware.com
2007-07-19 12:44:59 0 d-------- C:\VundoFix Backups
2007-07-13 19:00:57 0 d-------- C:\Program Files\Common Files\Wise Installation Wizard

-- Find3M Report ---------------------------------------------------------------

2007-07-23 15:47:59 0 d-------- C:\Program Files\Java
2007-07-13 19:02:31 0 d-------- C:\Program Files\Lavasoft
2007-07-03 16:42:16 0 d-------- C:\Program Files\Microsoft Games
2007-06-30 15:40:23 74 --a------ C:\WINDOWS\popcinfo.dat
2007-06-24 12:41:57 0 d-------- C:\Program Files\Firefly Studios
2007-06-24 12:41:46 0 d--h----- C:\Program Files\InstallShield Installation Information
2007-06-24 12:40:56 0 d-------- C:\Program Files\Common Files\InstallShield
2007-06-24 12:12:02 0 d-------- C:\Documents and Settings\Kenny\Application Data\AVG7
2007-06-24 11:52:46 0 d-------- C:\Program Files\Common Files\Symantec Shared
2007-06-24 11:52:34 0 d-------- C:\Program Files\Norton SystemWorks
2007-06-24 11:43:31 0 d-------- C:\Program Files\Symantec
2007-05-27 22:31:05 0 d-------- C:\Program Files\ALCATech
2007-05-27 22:31:04 0 d-------- C:\Program Files\Sony Setup

-- Registry Dump ---------------------------------------------------------------

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects]
{02478D38-C3F9-4efb-9B51-7695ECA05670}	C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
{5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897}	C:\Program Files\Yahoo!\Common\yiesrvc.dll
{761497BB-D6F0-462C-B6EB-D4DAF1D92D43}	C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
{9030D464-4C02-4ABF-8ECC-5164760863C6}	C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run]
"SunJavaUpdateSched"="\"C:\\Program Files\\Java\\jre1.6.0_02\\bin\\jusched.exe\""
"MMTray"="C:\\Program Files\\MUSICMATCH\\MUSICMATCH Jukebox\\mm_tray.exe"

[HKEY_USERS\.default\software\microsoft\windows\currentversion\runonce]
"FlashPlayerUpdate"="C:\\WINDOWS\\System32\\Macromed\\Flash\\GetFlash.exe"

[HKEY_USERS\.default\software\microsoft\windows\currentversion\run]
"AVG7_Run"="C:\\PROGRA~1\\Grisoft\\AVGFRE~1\\avgw.exe /RUNONCE"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"=""

HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders]
"SecurityProviders"="msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll, zwebauth.dll"

HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa
Authentication Packages	REG_MULTI_SZ msv1_0\0\0
Security Packages	REG_MULTI_SZ kerberos\0msv1_0\0schannel\0wdigest\0\0
Notification Packages	REG_MULTI_SZ scecli\0\0

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Svchost]
LocalService	REG_MULTI_SZ Alerter\0WebClient\0LmHosts\0RemoteRegistry\0upnphost\0SSDPSRV\0\0
NetworkService	REG_MULTI_SZ DnsCache\0\0
rpcss	REG_MULTI_SZ RpcSs\0\0
imgsvc	REG_MULTI_SZ StiSvc\0\0
termsvcs	REG_MULTI_SZ TermService\0\0

-- End of Deckard's System Scanner: finished at 2007-07-25 at 20:25:42 ---------

I hope I did it right... I'm kinda sick right now, so I'm doing the best I can. I've downloaded a few things since I last scanned, including Firefox, which is staying on the net, unlike IE. So I think it helped some. All the stuff I have downloaded came from places I saw on posts here, so I figured it would be safe..


----------



## linkinfigure9 (Jul 20, 2007)

The little popup thingy wouldn't stop coming up, so I clicked on a few of the little blue links and it showed a file that it said was being sent with the report. The file is C:\DOCUME~1\Kenny\LOCALS~1\Temp\WER24.tmp.dir00\appcompat.txt


----------



## JSntgRvr (Jul 1, 2003)

*Copy the entire contents of the Quote Box* below to *Notepad*. 
Name the file as *ComboFix-Do.txt* 
Change the *Save as Type* to *All Files* 
and *Save* it on the *desktop* 



> File::
> C:\WINDOWS\System32\xsntnacxygxci.dll
> C:\WINDOWS\System32\tjz.dll
> C:\WINDOWS\System32\n.dll
> ...

Once saved, referring to the picture above, drag *ComboFix-Do.txt* into *ComboFix.exe*, and post back the resulting report.


----------



## JSntgRvr (Jul 1, 2003)

If these files are deleted successfully, please go *here* and download *Windows XP Service Pack 2*. You are being reinfected due to lack of security.

*Windows XP Service Pack 2* must be installed on a clean computer. If you feel you are still infected, post another *Deckard's System Scanner* report following the earlier instructions.


----------



## JSntgRvr (Jul 1, 2003)

The Catchme.zip was empty.


*Copy the entire contents of the Quote Box* below to *Notepad*. 
Name the file as *CFScript.txt* 
Change the *Save as Type* to *All Files* 
and *Save* it on the *desktop* 



> Collect::
> 
> Suspect::
> C:\Qoobox\Quarantine\C\WINDOWS\system32\lht.dll.vir
> ...

Once saved, referring to the picture above, drag *CFScript.txt* into *ComboFix.exe*. ComboFix will generate a zipped file on your desktop called Submit [Date Time].zip

Please submit this file to:

http://www.thespykiller.co.uk/index.php?board=1.0

Please include a link to this topic in the message.


----------



## linkinfigure9 (Jul 20, 2007)

Hmmm. I tried the last one. I don't know if the post worked, but I got the rest done. I shall start the other ComboFix thingy now..


----------



## linkinfigure9 (Jul 20, 2007)

And about the ComboFix-Do.txt, it would not work. I tried twice to do it and I left it alone for more than 30 minutes, and it did nothing at all. I had to restart my computer and now the clock is weird. I don't know how to fix it, and I don't know whether the program will work again...


----------



## JSntgRvr (Jul 1, 2003)

Let me see another *Deckard's System Scanner* report.


----------



## linkinfigure9 (Jul 20, 2007)

Deckard's System Scanner v20070711.54
Run by Kenny on 2007-07-26 at 10:37:37
Computer is in Normal Mode.
--------------------------------------------------------------------------------

-- HijackThis (run as Kenny.exe) -----------------------------------------------

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 10:37, on 2007-07-26
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\WINDOWS\system32\LxrJD31s.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\wuauclt.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\Program Files\MSN Messenger\usnsvc.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Documents and Settings\Kenny\Desktop\dss.exe
C:\PROGRA~1\TRENDM~1\HIJACK~1\Kenny.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.cp-tel.net/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=localhost:8080;https=localhost:8080
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: &Yahoo! Toolbar Helper - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: Yahoo! IE Services Button - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe"
O4 - HKLM\..\Run: [MMTray] C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe
O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVGFRE~1\avgw.exe /RUNONCE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVGFRE~1\avgw.exe /RUNONCE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVGFRE~1\avgw.exe /RUNONCE (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\RunOnce: [FlashPlayerUpdate] C:\WINDOWS\System32\Macromed\Flash\GetFlash.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVGFRE~1\avgw.exe /RUNONCE (User 'Default user')
O4 - HKUS\.DEFAULT\..\RunOnce: [FlashPlayerUpdate] C:\WINDOWS\System32\Macromed\Flash\GetFlash.exe (User 'Default user')
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O10 - Unknown file in Winsock LSP: c:\windows\system32\idvhtkncblz.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\idvhtkncblz.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\idvhtkncblz.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\idvhtkncblz.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\idvhtkncblz.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\idvhtkncblz.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\idvhtkncblz.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\idvhtkncblz.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\idvhtkncblz.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\idvhtkncblz.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\idvhtkncblz.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\idvhtkncblz.dll
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (Installation Support) - C:\Program Files\Yahoo!\Common\Yinsthelper.dll
O16 - DPF: {5D6F45B3-9043-443D-A792-115447494D24} - http://messenger.zone.msn.com/EN-US/a-UNO1/GAME_UNO1.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1168115992875
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1169300917031
O16 - DPF: {90C9629E-CD32-11D3-BBFB-00105A1F0D68} - http://www.installengine.com/engine/isetup.cab
O16 - DPF: {B1E2B96C-12FE-45E2-BEF1-44A219113CDD} - http://www.superadblocker.com/activex/sabspx.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} - http://cdn2.zone.msn.com/binFramework/v10/ZIntro.cab53083.cab
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} - http://zone.msn.com/bingame/dim2/default/popcaploader_v6.cab
O16 - DPF: {F58E1CEF-A068-4C15-BA5E-587CAF3EE8C6} - http://chat.msn.com/bin/msnchat45.cab
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: Lexar JD31 (LxrJD31s) - Unknown owner - C:\WINDOWS\SYSTEM32\LxrJD31s.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe

--
End of file - 6554 bytes

-- Files created between 2007-06-26 and 2007-07-26 -----------------------------

2007-07-26 10:36:48 24064 --a------ C:\WINDOWS\System32\idvhtkncblz.dll
2007-07-25 23:17:42 24064 --a------ C:\WINDOWS\System32\riypncr.dll
2007-07-25 22:01:10 0 d-------- C:\Documents and Settings\Kenny\Application Data\MySpace
2007-07-25 22:01:04 0 d-------- C:\Program Files\MySpace
2007-07-25 21:20:11 0 dr-h----- C:\Documents and Settings\Kenny\Recent
2007-07-25 20:26:05 0 d-------- C:\Documents and Settings\Kenny\Application Data\Talkback
2007-07-25 19:30:51 0 d-------- C:\Program Files\CCleaner
2007-07-25 19:26:47 1156 --a------ C:\WINDOWS\mozver.dat
2007-07-25 19:14:23 0 --a------ C:\WINDOWS\nsreg.dat
2007-07-25 19:14:14 0 d-------- C:\Documents and Settings\Kenny\Application Data\Mozilla
2007-07-24 14:02:33 0 d-------- C:\Documents and Settings\Kenny\Application Data\Yahoo!
2007-07-24 14:02:33 0 d-------- C:\Documents and Settings\All Users\Application Data\Yahoo! Companion
2007-07-24 13:52:27 0 d-------- C:\Documents and Settings\All Users\Application Data\Yahoo!
2007-07-24 13:49:17 0 d-------- C:\Program Files\Yahoo!
2007-07-23 15:46:21 0 d-------- C:\Program Files\Common Files\Java
2007-07-21 08:24:58 0 d-------- C:\Documents and Settings\All Users\Application Data\Cadsoft
2007-07-21 08:24:07 0 d-------- C:\Program Files\Common Files\Cadsoft
2007-07-21 08:24:03 0 d-------- C:\Program Files\Cadsoft
2007-07-20 14:44:20 0 d-------- C:\Program Files\Trend Micro
2007-07-19 13:11:26 0 d-------- C:\Documents and Settings\All Users\Application Data\SUPERAntiSpyware.com
2007-07-19 13:10:59 0 d-------- C:\Program Files\SUPERAntiSpyware
2007-07-19 13:10:58 0 d-------- C:\Documents and Settings\Kenny\Application Data\SUPERAntiSpyware.com
2007-07-19 12:44:59 0 d-------- C:\VundoFix Backups
2007-07-13 19:00:57 0 d-------- C:\Program Files\Common Files\Wise Installation Wizard

-- Find3M Report ---------------------------------------------------------------

2007-07-23 15:47:59 0 d-------- C:\Program Files\Java
2007-07-13 19:02:31 0 d-------- C:\Program Files\Lavasoft
2007-07-03 16:42:16 0 d-------- C:\Program Files\Microsoft Games
2007-06-30 15:40:23 74 --a------ C:\WINDOWS\popcinfo.dat
2007-06-24 12:41:57 0 d-------- C:\Program Files\Firefly Studios
2007-06-24 12:41:46 0 d--h----- C:\Program Files\InstallShield Installation Information
2007-06-24 12:40:56 0 d-------- C:\Program Files\Common Files\InstallShield
2007-06-24 12:12:02 0 d-------- C:\Documents and Settings\Kenny\Application Data\AVG7
2007-06-24 11:52:46 0 d-------- C:\Program Files\Common Files\Symantec Shared
2007-06-24 11:52:34 0 d-------- C:\Program Files\Norton SystemWorks
2007-06-24 11:43:31 0 d-------- C:\Program Files\Symantec
2007-05-27 22:31:05 0 d-------- C:\Program Files\ALCATech
2007-05-27 22:31:04 0 d-------- C:\Program Files\Sony Setup

-- Registry Dump ---------------------------------------------------------------

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects]
{02478D38-C3F9-4efb-9B51-7695ECA05670}	C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
{5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897}	C:\Program Files\Yahoo!\Common\yiesrvc.dll
{761497BB-D6F0-462C-B6EB-D4DAF1D92D43}	C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
{9030D464-4C02-4ABF-8ECC-5164760863C6}	C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run]
"SunJavaUpdateSched"="\"C:\\Program Files\\Java\\jre1.6.0_02\\bin\\jusched.exe\""
"MMTray"="C:\\Program Files\\MUSICMATCH\\MUSICMATCH Jukebox\\mm_tray.exe"

[HKEY_USERS\.default\software\microsoft\windows\currentversion\runonce]
"FlashPlayerUpdate"="C:\\WINDOWS\\System32\\Macromed\\Flash\\GetFlash.exe"

[HKEY_USERS\.default\software\microsoft\windows\currentversion\run]
"AVG7_Run"="C:\\PROGRA~1\\Grisoft\\AVGFRE~1\\avgw.exe /RUNONCE"
"MySpaceIM"="C:\\Program Files\\MySpace\\IM\\MySpaceIM.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"=""

HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders]
"SecurityProviders"="msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll, zwebauth.dll"

HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa
Authentication Packages	REG_MULTI_SZ msv1_0\0\0
Security Packages	REG_MULTI_SZ kerberos\0msv1_0\0schannel\0wdigest\0\0
Notification Packages	REG_MULTI_SZ scecli\0\0

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Svchost]
LocalService	REG_MULTI_SZ Alerter\0WebClient\0LmHosts\0RemoteRegistry\0upnphost\0SSDPSRV\0\0
NetworkService	REG_MULTI_SZ DnsCache\0\0
rpcss	REG_MULTI_SZ RpcSs\0\0
imgsvc	REG_MULTI_SZ StiSvc\0\0
termsvcs	REG_MULTI_SZ TermService\0\0

-- End of Deckard's System Scanner: finished at 2007-07-26 at 10:38:12 ---------


----------



## JSntgRvr (Jul 1, 2003)

*Copy the entire contents of the Quote Box* below to *Notepad*.
Name the file as *ComboFix-Do.txt*
Change the *Save as Type* to *All Files*
and *Save* it on the *desktop*



> File::
> C:\WINDOWS\System32\idvhtkncblz.dll
> C:\WINDOWS\System32\riypncr.dll
> 
> ...
Once saved, referring to the picture above, drag *ComboFix-Do.txt* into *ComboFix.exe*, and post back the resulting report.

If you lose Internet connection, use LSPFix. Download SP2. Don't leave it for later.


----------



## linkinfigure9 (Jul 20, 2007)

"Kenny" - 2007-07-26 13:23:28 - ComboFix 07-07-23.6 - Service Pack 1 NTFS 
Command switches used :: C:\Documents and Settings\Kenny\Desktop\ComboFix-Do.txt

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))

C:\cp2961.nls
C:\WINDOWS\System32\idvhtkncblz.dll
C:\WINDOWS\System32\riypncr.dll

((((((((((((((((((((((((( Files Created from 2007-06-26 to 2007-07-26 )))))))))))))))))))))))))))))))

2007-07-26 12:23 d--------	C:\DOCUME~1\Kenny\APPLIC~1\aignes
2007-07-26 11:46 d--------	C:\Program Files\TClockEx
2007-07-25 22:01 d--------	C:\Program Files\MySpace
2007-07-25 22:01 d--------	C:\DOCUME~1\Kenny\APPLIC~1\MySpace
2007-07-25 20:26 d--------	C:\DOCUME~1\Kenny\APPLIC~1\Talkback
2007-07-25 19:30 d--------	C:\Program Files\CCleaner
2007-07-25 19:26	1,156	--a------	C:\WINDOWS\mozver.dat
2007-07-25 19:14	0	--a------	C:\WINDOWS\nsreg.dat
2007-07-24 18:08 d--------	C:\Deckard
2007-07-24 14:02 d--------	C:\DOCUME~1\Kenny\APPLIC~1\Yahoo!
2007-07-24 14:02 d--------	C:\DOCUME~1\ALLUSE~1\APPLIC~1\Yahoo! Companion
2007-07-24 13:52 d--------	C:\DOCUME~1\ALLUSE~1\APPLIC~1\Yahoo!
2007-07-24 13:49 d--------	C:\Program Files\Yahoo!
2007-07-23 15:55	51,200	--a------	C:\WINDOWS\nircmd.exe
2007-07-21 08:24 d--------	C:\Program Files\Common Files\Cadsoft
2007-07-21 08:24 d--------	C:\Program Files\Cadsoft
2007-07-21 08:24 d--------	C:\DOCUME~1\ALLUSE~1\APPLIC~1\Cadsoft
2007-07-20 14:44 d--------	C:\Program Files\Trend Micro
2007-07-19 13:11 d--------	C:\DOCUME~1\ALLUSE~1\APPLIC~1\SUPERAntiSpyware.com
2007-07-19 13:10 d--------	C:\Program Files\SUPERAntiSpyware
2007-07-19 13:10 d--------	C:\DOCUME~1\Kenny\APPLIC~1\SUPERAntiSpyware.com
2007-07-19 12:44 d--------	C:\VundoFix Backups
2007-07-13 19:00 d--------	C:\Program Files\Common Files\Wise Installation Wizard

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

2007-07-26 15:00:58	28,256	----a-w	C:\WINDOWS\system32\drivers\MxlW2k.sys
2007-07-14 00:02:31	--------	d-----w	C:\Program Files\Lavasoft
2007-07-03 21:42:16	--------	d-----w	C:\Program Files\Microsoft Games
2007-06-30 20:40:23	74	----a-w	C:\WINDOWS\popcinfo.dat
2007-06-24 17:41:57	--------	d-----w	C:\Program Files\Firefly Studios
2007-06-24 17:41:46	--------	d--h--w	C:\Program Files\InstallShield Installation Information
2007-06-24 17:40:56	--------	d-----w	C:\Program Files\Common Files\InstallShield
2007-06-24 16:52:46	--------	d-----w	C:\Program Files\Common Files\Symantec Shared
2007-06-24 16:52:34	--------	d-----w	C:\Program Files\Norton SystemWorks
2007-06-24 16:43:31	--------	d-----w	C:\Program Files\Symantec
2007-05-28 03:31:05	--------	d-----w	C:\Program Files\ALCATech
2007-05-28 03:31:04	--------	d-----w	C:\Program Files\Sony Setup
2007-04-29 18:04:37	260,096	----a-w	C:\WINDOWS\system32\mstask.dll
2007-04-29 18:04:37	172,544	----a-w	C:\WINDOWS\system32\schedsvc.dll
2007-04-29 18:04:36	10,752	----a-w	C:\WINDOWS\system32\mstinit.exe
2006-08-11 16:24:47	80	--sh--r	C:\WINDOWS\system32\D8BE079C99.dll

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))

*Note* empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe" [2007-07-12 04:00]
"MMTray"="C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe" []

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"TClockEx"="C:\Program Files\TClockEx\TCLOCKEX.EXE" [2000-03-09 01:15]

[HKEY_USERS\.default\software\microsoft\windows\currentversion\runonce]
"FlashPlayerUpdate"=C:\WINDOWS\System32\Macromed\Flash\GetFlash.exe

[HKEY_USERS\.default\software\microsoft\windows\currentversion\run]
"MySpaceIM"=C:\Program Files\MySpace\IM\MySpaceIM.exe

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= C:\Program Files\SUPERAntiSpyware\SASSEH.DLL [2006-12-20 13:55 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon] 
C:\Program Files\SUPERAntiSpyware\SASWINLO.dll 2007-04-19 13:41 294912 C:\Program Files\SUPERAntiSpyware\SASWINLO.dll

R1 Cdr4_xp;Cdr4_xp;C:\WINDOWS\System32\drivers\Cdr4_xp.sys
R1 Cdralw2k;Cdralw2k;C:\WINDOWS\System32\drivers\Cdralw2k.sys
R1 cdudf_xp;cdudf_xp;C:\WINDOWS\System32\drivers\cdudf_xp.sys
R1 pwd_2k;pwd_2k;C:\WINDOWS\System32\drivers\pwd_2k.sys
R1 SASDIFSV;SASDIFSV;\??\C:\Program Files\SUPERAntiSpyware\SASDIFSV.SYS
R1 SASKUTIL;SASKUTIL;\??\C:\Program Files\SUPERAntiSpyware\SASKUTIL.sys
R1 UdfReadr_xp;UdfReadr_xp;C:\WINDOWS\System32\drivers\UdfReadr_xp.sys
R2 LxrJD31d;LxrJD31d;\??\C:\WINDOWS\System32\Drivers\LxrJD31d.sys
R3 i81x;i81x;C:\WINDOWS\System32\DRIVERS\i81xnt5.sys
R3 mmc_2K;mmc_2K;C:\WINDOWS\System32\drivers\mmc_2K.sys
R3 ms_mpu401;Microsoft MPU-401 MIDI UART Driver;C:\WINDOWS\System32\drivers\msmpu401.sys
R3 MxlW2k;MxlW2k;C:\WINDOWS\System32\drivers\MxlW2k.sys
R3 Point32;Microsoft IntelliPoint Filter Driver;C:\WINDOWS\System32\DRIVERS\point32.sys
R3 USRpdA;U.S. Robotics 56K PCI Faxmodem Driver;C:\WINDOWS\System32\DRIVERS\USRpdA.sys
S3 Ad-Watch Connect Filter;Ad-Watch Connect Kernel Filter;\??\C:\WINDOWS\System32\drivers\NSDriver.sys
S3 CA561;ICatch (VI) PC Camera;C:\WINDOWS\System32\Drivers\SPCA561.SYS
S3 DCamUSBSQTECH;Dual-Mode DSC(2770);C:\WINDOWS\System32\Drivers\SQcaptur.sys
S3 dvd_2K;dvd_2K;C:\WINDOWS\System32\drivers\dvd_2K.sys
S3 iAimFP0;iAimFP0;C:\WINDOWS\System32\DRIVERS\wADV01nt.sys
S3 iAimFP1;iAimFP1;C:\WINDOWS\System32\DRIVERS\wADV02NT.sys
S3 iAimFP2;iAimFP2;C:\WINDOWS\System32\DRIVERS\wADV05NT.sys
S3 iAimFP3;iAimFP3;C:\WINDOWS\System32\DRIVERS\wSiINTxx.sys
S3 iAimFP4;iAimFP4;C:\WINDOWS\System32\DRIVERS\wVchNTxx.sys
S3 iAimFP5;iAimFP5;C:\WINDOWS\System32\DRIVERS\wADV07nt.sys
S3 iAimFP6;iAimFP6;C:\WINDOWS\System32\DRIVERS\wADV08nt.sys
S3 iAimFP7;iAimFP7;C:\WINDOWS\System32\DRIVERS\wADV09nt.sys
S3 iAimFP8;iAimFP8;C:\WINDOWS\System32\DRIVERS\wADV11nt.sys
S3 iAimTV0;iAimTV0;C:\WINDOWS\System32\DRIVERS\wATV01nt.sys
S3 iAimTV1;iAimTV1;C:\WINDOWS\System32\DRIVERS\wATV02NT.sys
S3 iAimTV2;iAimTV2;C:\WINDOWS\System32\DRIVERS\wATV03nt.sys
S3 iAimTV3;iAimTV3;C:\WINDOWS\System32\DRIVERS\wATV04nt.sys
S3 iAimTV4;iAimTV4;C:\WINDOWS\System32\DRIVERS\wCh7xxNT.sys
S3 iAimTV5;iAimTV5;C:\WINDOWS\System32\DRIVERS\wATV10nt.sys
S3 iAimTV6;iAimTV6;C:\WINDOWS\System32\DRIVERS\wATV06nt.sys
S3 Ip6FwHlp;IPv6 Internet Connection Firewall;C:\WINDOWS\System32\svchost.exe -k netsvcs
S3 qqd.sys;qqd.sys;\??\C:\qqd.sys
S3 SABProcEnum;SABProcEnum;\??\C:\Program Files\Internet Explorer\SABProcEnum.sys
S3 SASENUM;SASENUM;\??\C:\Program Files\SUPERAntiSpyware\SASENUM.SYS

**************************************************************************

catchme 0.3.1061 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-07-26 13:31:28
Windows 5.1.2600 Service Pack 1 NTFS

scanning hidden processes ...

scanning hidden registry entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

Completion time: 2007-07-26 13:34:09 - machine was rebooted
C:\ComboFix-quarantined-files.txt ... 2007-07-26 13:33
C:\ComboFix2.txt ... 2007-07-25 23:17
C:\ComboFix3.txt ... 2007-07-24 23:49

--- E O F ---


----------



## linkinfigure9 (Jul 20, 2007)

I went to that site and tried to download SP2. I think it only gave me updates. Couldn't get the actual SP2...


----------



## JSntgRvr (Jul 1, 2003)

*Copy the entire contents of the Quote Box* below to *Notepad*.
Name the file as *ComboFix-Do.txt*
Change the *Save as Type* to *All Files*
and *Save* it on the *desktop*



> File::
> C:\qqd.sys
> 
> Folder::
> ...
Once saved, referring to the picture above, drag *ComboFix-Do.txt* into *ComboFix.exe*, and post back the resulting report.

If you lose Internet connection, use LSPFix. *Try this link to download SP2. Don't leave it for later.*


----------



## linkinfigure9 (Jul 20, 2007)

I tried both of those and unfortunately, both didn't work. First, I tried downloading SP2 and I got the downloader on my computer to where I can click on it and it starts to download. I started it, but about 15 minutes in, something popped up and said that some file was being used and to exit all other programs. All other programs were exited out of, and the popup wouldn't go away when I clicked OK. I forgot at that time to write down the name of the file though... and the second thing, the ComboFix-Do.txt, wouldn't finish. I had it going for about an hour and nothing happened. I don't know what happened.....


----------



## JSntgRvr (Jul 1, 2003)

That sounds kind of dodgy.

Please *download* the *OTMoveIt by OldTimer*.

*Save* it to your *desktop*.
Please double-click *OTMoveIt.exe* to run it.
*Copy the file paths below to the clipboard* by highlighting *ALL* of them and *pressing CTRL + C* (or, after highlighting, right-click and choose copy):

*C:\qqd.sys
C:\Qoobox*

Return to OTMoveIt, right-click on the *"Paste List of Files/Folders to be moved"* window and choose *Paste*.
Click the red *Moveit!* button.
*Copy everything on the Results window to the clipboard* by highlighting *ALL* of it and *pressing CTRL + C* (or, after highlighting, right-click and choose copy), and paste it in your next reply.
Close *OTMoveIt*.
If a file or folder cannot be moved immediately you may be asked to reboot the machine to finish the move process. If you are asked to reboot the machine choose *Yes*.

Go to *Start*->*All Programs*->*Accessories*->*System Tools*->*Activate Windows*. Describe what happens when you do that.


----------



## linkinfigure9 (Jul 20, 2007)

File/Folder C:\qqd.sys not found.
C:\Qoobox\Quarantine\Registry_backups moved successfully.
C:\Qoobox\Quarantine\C\WINDOWS\system32 moved successfully.
C:\Qoobox\Quarantine\C\WINDOWS moved successfully.
C:\Qoobox\Quarantine\C\Program Files\Common Files\{5034E~2 moved successfully.
C:\Qoobox\Quarantine\C\Program Files\Common Files\{5034E~1 moved successfully.
C:\Qoobox\Quarantine\C\Program Files\Common Files moved successfully.
C:\Qoobox\Quarantine\C\Program Files moved successfully.
C:\Qoobox\Quarantine\C\DOCUME~1\Kenny\Desktop moved successfully.
C:\Qoobox\Quarantine\C\DOCUME~1\Kenny\APPLIC~1\Macromedia\Flash Player moved successfully.
C:\Qoobox\Quarantine\C\DOCUME~1\Kenny\APPLIC~1\Macromedia moved successfully.
C:\Qoobox\Quarantine\C\DOCUME~1\Kenny\APPLIC~1 moved successfully.
C:\Qoobox\Quarantine\C\DOCUME~1\Kenny moved successfully.
C:\Qoobox\Quarantine\C\DOCUME~1 moved successfully.
C:\Qoobox\Quarantine\C moved successfully.
C:\Qoobox\Quarantine moved successfully.
C:\Qoobox moved successfully.

Created on 07-26-2007 20:37:10

I looked in that place but I couldn't find an Activate Windows..


----------



## JSntgRvr (Jul 1, 2003)

Delete the C:\OTMoveit! folder.

Copy and paste the following on the Run command line and click OK:

*oobe/msoobe /a *

Tell me what you see.


----------



## linkinfigure9 (Jul 20, 2007)

When the window came up it said "Windows has already been activated." or something like that. So I clicked exit..


----------



## JSntgRvr (Jul 1, 2003)

linkinfigure9 said:


> When the window came up it said "Windows has already been activated." or something like that. So I clicked exit..


If this is the case, when visiting *Windows Updates* you should be offered *Service Pack 2* (SP2) as a Security Update. Please visit *Windows Updates* and download all Security Updates available for your computer. To use Windows Updates you must browse to it with Internet Explorer.

Without all security updates in place your computer will be open to infection. That's the reason I believe you are being re-infected.

Keep me posted!


----------



## linkinfigure9 (Jul 20, 2007)

Windows Genuine Advantage Validation Tool (KB892130)
Security Update for Windows XP (KB922819)

I had all updates except for those two.. And I don't know how to make the second one install. And the first one, I kept trying to install but it wouldn't..


----------



## JSntgRvr (Jul 1, 2003)

Open the following document in Notepad:

*C:\WINDOWS\WindowsUpdates.log*

This is a huge file. Copy and Paste only the last 30 lines or so in your next reply.


----------



## linkinfigure9 (Jul 20, 2007)

2007-07-27	17:59:24:390 648	718	Service	** END ** Service: Service exit [Exit code = 0x240001]
2007-07-27	17:59:24:390 648	718	Service	*************
2007-07-27	18:02:11:468 648	6f8	Misc	=========== Logging initialized (build: 7.0.6000.374, tz: -0500) ===========
2007-07-27	18:02:12:218 648	6f8	Misc = Process: C:\WINDOWS\System32\svchost.exe
2007-07-27	18:02:12:218 648	6f8	Misc = Module: C:\WINDOWS\System32\wuaueng.dll
2007-07-27	18:02:11:421 648	6f8	Service	*************
2007-07-27	18:02:12:218 648	6f8	Service	** START ** Service: Service startup
2007-07-27	18:02:12:234 648	6f8	Service	*********
2007-07-27	18:02:15:453 648	6f8	Agent * WU client version 7.0.6000.374
2007-07-27	18:02:15:453 648	6f8	Agent * Base directory: C:\WINDOWS\SoftwareDistribution
2007-07-27	18:02:17:734 648	6f8	Agent * Access type: No proxy
2007-07-27	18:02:17:734 648	6f8	Agent * Network state: Connected
2007-07-27	18:03:05:281 648	6f8	Agent	*********** Agent: Initializing Windows Update Agent ***********
2007-07-27	18:03:05:312 648	6f8	Agent	*********** Agent: Initializing global settings cache ***********
2007-07-27	18:03:05:343 648	6f8	Agent * WSUS server: <NULL>
2007-07-27	18:03:05:343 648	6f8	Agent * WSUS status server: <NULL>
2007-07-27	18:03:05:375 648	6f8	Agent * Target group: (Unassigned Computers)
2007-07-27	18:03:05:375 648	6f8	Agent * Windows Update access disabled: No
2007-07-27	18:03:10:453 648	6f8	DnldMgr	Download manager restoring 0 downloads
2007-07-27	18:03:10:609 648	6f8	AU	########### AU: Initializing Automatic Updates ###########
2007-07-27	18:03:10:671 648	6f8	AU # AU disabled through User preference
2007-07-27	18:03:10:671 648	6f8	AU	AU finished delayed initialization
2007-07-27	18:03:21:156 648	6f8	Report	*********** Report: Initializing static reporting data ***********
2007-07-27	18:03:21:156 648	6f8	Report * OS Version = 5.1.2600.1.0.65792
2007-07-27	18:03:24:718 648	6f8	Report * Computer Brand = HP Pavilion 04
2007-07-27	18:03:24:718 648	6f8	Report * Computer Model = P6317A-ABA 510n
2007-07-27	18:03:24:812 648	6f8	Report * Bios Revision = 3.06 
2007-07-27	18:03:24:812 648	6f8	Report * Bios Name = Version 3.06 
2007-07-27	18:03:24:812 648	6f8	Report * Bios Release Date = 2001-12-15T00:00:00
2007-07-27	18:03:24:812 648	6f8	Report * Locale ID = 1033


----------



## JSntgRvr (Jul 1, 2003)

Hi, *linkinfigure9* 

I need to see the information in this log concerning these updates:

Windows Genuine Advantage Validation Tool (KB892130)
Security Update for Windows XP (KB922819)

It should give us a hint on the reasons they have not installed.

Look in this log for information concerning these two updates, and paste the latest information logged therein.


----------



## linkinfigure9 (Jul 20, 2007)

Here is the newest entry for 
Windows Genuine Advantage Validation Tool (KB892130):

2007-07-27	16:04:45:640 660	62c	Agent	*************
2007-07-27	16:04:45:640 660	62c	Agent	** START ** Agent: Installing updates [CallerId = MicrosoftUpdate]
2007-07-27	16:04:45:640 660	62c	Agent	*********
2007-07-27	16:04:45:640 660	62c	Agent * Updates to install = 1
2007-07-27	16:04:45:656 660	62c	Agent * Title = Windows Genuine Advantage Validation Tool (KB892130)
2007-07-27	16:04:45:656 660	62c	Agent * UpdateId = {AC24C13F-5FEF-4A69-A2CF-3B9E3DDE08D9}.100
2007-07-27	16:04:45:656 660	62c	Agent * Bundles 1 updates:
2007-07-27	16:04:45:656 660	62c	Agent * {95354275-8A0C-41F3-A884-B892498D05AF}.100
2007-07-27	16:04:58:171 660	62c	Service	WARNING: GetUserTokenFromSessionId failed with error 800704dd for session 0
2007-07-27	16:05:02:875 660	62c	Agent * WARNING: Exit code = 0x80240020
2007-07-27	16:05:02:875 660	62c	Agent	*********
2007-07-27	16:05:02:875 660	62c	Agent	** END ** Agent: Installing updates [CallerId = MicrosoftUpdate]
2007-07-27	16:05:02:875 660	62c	Agent	*************

And then for the other one:

2007-04-30	10:00:43	10128	3558	Handler	:::::::::::::
2007-04-30	10:00:43	10128	3558	Handler	:: START :: Handler: Windows Patch Install
2007-04-30	10:00:43	10128	3558	Handler	:::::::::
2007-04-30	10:00:43	10128	3558	Handler : Updates to install = 1
2007-04-30	10:00:43	10128	3558	Handler : Installing update {F9CD13B1-3CBE-4FD6-A723-7FD61B2D95ED}.102
2007-04-30	10:00:43	10128	37b0	Handler	Installing with parameters=-q -z -er, sandbox=C:\WINDOWS\SoftwareDistribution\Download\187d2ab765f3595de795d17271e0496c.
2007-04-30	10:00:48 836	650	Report	REPORT EVENT: {41322BD6-FD59-458B-9EA0-9D95997E653B}	2007-04-30 10:00:43-0500	1	191	101	{F12451F5-3F5D-46DC-9718-ECBC7BB6304F}	105	0	AutomaticUpdates	Success	Content Install	Installation successful and restart required for the following update: Security Update for Windows XP (KB922819)
2007-04-30	10:03:39	10128	37b0	Handler	Install completed with 0x80070bc2.
2007-04-30	10:03:39	10128	3558	Handler : Install completed: result type = 0x1, installer error = False, error = 0x80070bc2, disabled until reboot = No, reboot required = Yes
2007-04-30	10:03:39	10128	3558	Handler	:::::::::
2007-04-30	10:03:39	10128	3558	Handler	:: END :: Handler: Windows Patch Install
2007-04-30	10:03:39	10128	3558	Handler	:::::::::::::
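
As an added example (not part of the thread), here is a small Python parser for the WindowsUpdate.log lines pasted above: it finds the START..END block on the thread that names a given update and lists the result codes in it. The sample lines are a subset of the excerpt above with tabs replaced by spaces; the meanings in KNOWN_CODES come from the Windows SDK headers and are my addition, not something the thread states.

```python
import re
from collections import namedtuple

# One WindowsUpdate.log line: date, time, PID, TID (hex), component, message.
LINE_RE = re.compile(
    r"^(?P<date>\d{4}-\d{2}-\d{2})\s+(?P<time>\d{2}:\d{2}:\d{2}(?::\d{3})?)\s+"
    r"(?P<pid>\d+)\s+(?P<tid>[0-9a-fA-F]+)\s+(?P<comp>[A-Za-z]+)\s+(?P<msg>.*)$"
)
# 8-digit HRESULT / Win32 codes, with or without the 0x prefix the log sometimes omits.
CODE_RE = re.compile(r"\b(?:0x[0-9A-Fa-f]{8}|8[0-9A-Fa-f]{7})\b")
START_RE = re.compile(r"\*\* START \*\*|:: START ::")
END_RE = re.compile(r"\*\* END \*\*|:: END ::")

# Meanings taken from the Windows SDK headers (winerror.h, wuerror.h), not from the thread.
KNOWN_CODES = {
    "0x80240020": "WU_E_NO_INTERACTIVE_USER: no interactive user logged on, install skipped",
    "0x800704dd": "ERROR_NOT_LOGGED_ON: the session has no logged-on user",
    "0x80070bc2": "ERROR_SUCCESS_REBOOT_REQUIRED: installed, a reboot is still pending",
}

Entry = namedtuple("Entry", "date time pid tid comp msg")


def parse_log(text):
    """Keep only lines in the log format; wrapped or pasted-in prose is skipped."""
    entries = []
    for raw in text.splitlines():
        m = LINE_RE.match(raw.strip())
        if m:
            entries.append(Entry(**m.groupdict()))
    return entries


def update_blocks(entries, needle):
    """START..END blocks, on the same PID/TID, around every line that mentions `needle`."""
    blocks = []
    for i, e in enumerate(entries):
        if needle not in e.msg:
            continue
        same = [j for j, x in enumerate(entries) if (x.pid, x.tid) == (e.pid, e.tid)]
        lo = hi = same.index(i)
        while lo > 0 and not START_RE.search(entries[same[lo]].msg):
            lo -= 1
        while hi < len(same) - 1 and not END_RE.search(entries[same[hi]].msg):
            hi += 1
        block = [entries[j] for j in same[lo:hi + 1]]
        if block not in blocks:
            blocks.append(block)
    return blocks


def result_codes(block):
    """Result codes in a block, normalised to 0x........ and decoded where the table knows them."""
    codes = {}
    for e in block:
        for raw in CODE_RE.findall(e.msg):
            code = raw.lower()
            code = code if code.startswith("0x") else "0x" + code
            codes[code] = KNOWN_CODES.get(code, "not in the local table")
    return codes


# Sample input: a subset of the lines pasted in the thread, tabs replaced by spaces.
SAMPLE_LOG = r"""
2007-07-27 16:04:45:640 660 62c Agent *************
2007-07-27 16:04:45:640 660 62c Agent ** START ** Agent: Installing updates [CallerId = MicrosoftUpdate]
2007-07-27 16:04:45:640 660 62c Agent * Updates to install = 1
2007-07-27 16:04:45:656 660 62c Agent * Title = Windows Genuine Advantage Validation Tool (KB892130)
2007-07-27 16:04:45:656 660 62c Agent * UpdateId = {AC24C13F-5FEF-4A69-A2CF-3B9E3DDE08D9}.100
2007-07-27 16:04:58:171 660 62c Service WARNING: GetUserTokenFromSessionId failed with error 800704dd for session 0
2007-07-27 16:05:02:875 660 62c Agent * WARNING: Exit code = 0x80240020
2007-07-27 16:05:02:875 660 62c Agent ** END ** Agent: Installing updates [CallerId = MicrosoftUpdate]
2007-07-27 16:05:02:875 660 62c Agent *************
2007-04-30 10:00:43 10128 3558 Handler :: START :: Handler: Windows Patch Install
2007-04-30 10:00:43 10128 3558 Handler : Installing update {F9CD13B1-3CBE-4FD6-A723-7FD61B2D95ED}.102
2007-04-30 10:00:43 10128 37b0 Handler Installing with parameters=-q -z -er, sandbox=C:\WINDOWS\SoftwareDistribution\Download\187d2ab765f3595de795d17271e0496c.
2007-04-30 10:00:48 836 650 Report REPORT EVENT: {41322BD6-FD59-458B-9EA0-9D95997E653B} 2007-04-30 10:00:43-0500 1 191 101 {F12451F5-3F5D-46DC-9718-ECBC7BB6304F} 105 0 AutomaticUpdates Success Content Install Installation successful and restart required for the following update: Security Update for Windows XP (KB922819)
2007-04-30 10:03:39 10128 37b0 Handler Install completed with 0x80070bc2.
2007-04-30 10:03:39 10128 3558 Handler : Install completed: result type = 0x1, installer error = False, error = 0x80070bc2, disabled until reboot = No, reboot required = Yes
2007-04-30 10:03:39 10128 3558 Handler :: END :: Handler: Windows Patch Install
"""

if __name__ == "__main__":
    entries = parse_log(SAMPLE_LOG)
    for needle in ("KB892130", "F9CD13B1-3CBE-4FD6-A723-7FD61B2D95ED", "KB922819"):
        for block in update_blocks(entries, needle):
            first = block[0]
            print(f"{needle}: {len(block)} lines on PID {first.pid}/TID {first.tid} at {first.date} {first.time}")
            for code, meaning in result_codes(block).items():
                print(f"  {code}  {meaning}")
```

Searching by KB number only turns up the Report line for KB922819, because the Handler block names the update by its UpdateId GUID, so search for that GUID to get the install result and its reboot-pending code.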


----------



## JSntgRvr (Jul 1, 2003)

Hi, *linkinfigure9* 

Download the enclosed folder and extract its contents to the desktop. It is a folder containing a batch file. Once extracted open the folder and double click on the batch file. *Post the report it will produce.*


----------



## linkinfigure9 (Jul 20, 2007)

! REG.EXE VERSION 3.0

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon
AutoRestartShell	REG_DWORD	0x1
DefaultDomainName	REG_SZ	KENNYBABY
DefaultUserName	REG_SZ	Kenny
LegalNoticeCaption	REG_SZ	
LegalNoticeText	REG_SZ	
PowerdownAfterShutdown	REG_SZ	0
ReportBootOk	REG_SZ	1
Shell	REG_SZ	Explorer.exe
ShutdownWithoutLogon	REG_SZ	0
System	REG_SZ	
Userinit	REG_SZ	C:\WINDOWS\system32\userinit.exe,
VmApplet	REG_SZ	rundll32 shell32,Control_RunDLL "sysdm.cpl"
SfcQuota	REG_DWORD	0xffffffff
allocatecdroms	REG_SZ	0
allocatedasd	REG_SZ	0
allocatefloppies	REG_SZ	0
cachedlogonscount	REG_SZ	10
forceunlocklogon	REG_DWORD	0x0
passwordexpirywarning	REG_DWORD	0xe
scremoveoption	REG_SZ	0
AllowMultipleTSSessions	REG_DWORD	0x1
UIHost	REG_EXPAND_SZ	logonui.exe
LogonType	REG_DWORD	0x1
Background	REG_SZ	0 0 0
DebugServerCommand	REG_SZ	no
SFCDisable	REG_DWORD	0x0
WinStationsDisabled	REG_SZ	0
HibernationPreviouslyEnabled	REG_DWORD	0x1
ShowLogonOptions	REG_DWORD	0x0
AltDefaultUserName	REG_SZ	Kenny
AltDefaultDomainName	REG_SZ	KENNYBABY

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{0ACDD40C-75AC-47ab-BAA0-BF6DE7E7FE63}
<NO NAME>	REG_SZ	Wireless
ProcessGroupPolicy	REG_SZ	ProcessWIRELESSPolicy
DllName	REG_EXPAND_SZ	gptext.dll
NoUserPolicy	REG_DWORD	0x1
NoGPOListChanges	REG_DWORD	0x1

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{25537BA6-77A8-11D2-9B6C-0000F8080861}
<NO NAME>	REG_SZ	Folder Redirection
ProcessGroupPolicyEx	REG_SZ	ProcessGroupPolicyEx
DllName	REG_EXPAND_SZ	fdeploy.dll
NoMachinePolicy	REG_DWORD	0x1
NoSlowLink	REG_DWORD	0x1
PerUserLocalSettings	REG_DWORD	0x1
NoGPOListChanges	REG_DWORD	0x0
NoBackgroundPolicy	REG_DWORD	0x0
GenerateGroupPolicy	REG_SZ	GenerateGroupPolicy
EventSources	REG_MULTI_SZ	(Folder Redirection,Application)\0\0

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{3610eda5-77ef-11d2-8dc5-00c04fa31a66}
<NO NAME>	REG_SZ	Microsoft Disk Quota
NoMachinePolicy	REG_DWORD	0x0
NoUserPolicy	REG_DWORD	0x1
NoSlowLink	REG_DWORD	0x1
NoBackgroundPolicy	REG_DWORD	0x1
NoGPOListChanges	REG_DWORD	0x1
PerUserLocalSettings	REG_DWORD	0x0
RequiresSuccessfulRegistry	REG_DWORD	0x1
EnableAsynchronousProcessing	REG_DWORD	0x0
DllName	REG_EXPAND_SZ	dskquota.dll
ProcessGroupPolicy	REG_SZ	ProcessGroupPolicy

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{426031c0-0b47-4852-b0ca-ac3d37bfcb39}
<NO NAME>	REG_SZ	QoS Packet Scheduler
ProcessGroupPolicy	REG_SZ	ProcessPSCHEDPolicy
DllName	REG_EXPAND_SZ	gptext.dll
NoUserPolicy	REG_DWORD	0x1
NoGPOListChanges	REG_DWORD	0x1

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{42B5FAAE-6536-11d2-AE5A-0000F87571E3}
<NO NAME>	REG_SZ	Scripts
ProcessGroupPolicy	REG_SZ	ProcessScriptsGroupPolicy
ProcessGroupPolicyEx	REG_SZ	ProcessScriptsGroupPolicyEx
GenerateGroupPolicy	REG_SZ	GenerateScriptsGroupPolicy
DllName	REG_EXPAND_SZ	gptext.dll
NoSlowLink	REG_DWORD	0x1
NoGPOListChanges	REG_DWORD	0x1
NotifyLinkTransition	REG_DWORD	0x1

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{827D319E-6EAC-11D2-A4EA-00C04F79F83A}
ProcessGroupPolicy	REG_SZ	SceProcessSecurityPolicyGPO
GenerateGroupPolicy	REG_SZ	SceGenerateGroupPolicy
ExtensionRsopPlanningDebugLevel	REG_DWORD	0x1
ProcessGroupPolicyEx	REG_SZ	SceProcessSecurityPolicyGPOEx
ExtensionDebugLevel	REG_DWORD	0x1
DllName	REG_EXPAND_SZ	scecli.dll
<NO NAME>	REG_SZ	Security
NoUserPolicy	REG_DWORD	0x1
NoGPOListChanges	REG_DWORD	0x1
EnableAsynchronousProcessing	REG_DWORD	0x1
MaxNoGPOListChangesInterval	REG_DWORD	0x3c0

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{A2E30F80-D7DE-11d2-BBDE-00C04F86AE3B}
ProcessGroupPolicyEx	REG_SZ	ProcessGroupPolicyEx
GenerateGroupPolicy	REG_SZ	GenerateGroupPolicy
ProcessGroupPolicy	REG_SZ	ProcessGroupPolicy
DllName	REG_EXPAND_SZ	iedkcs32.dll
<NO NAME>	REG_SZ	Internet Explorer Branding
NoSlowLink	REG_DWORD	0x1
NoBackgroundPolicy	REG_DWORD	0x0
NoGPOListChanges	REG_DWORD	0x1
NoMachinePolicy	REG_DWORD	0x1

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{B1BE8D72-6EAC-11D2-A4EA-00C04F79F83A}
ProcessGroupPolicy	REG_SZ	SceProcessEFSRecoveryGPO
DllName	REG_EXPAND_SZ	scecli.dll
<NO NAME>	REG_SZ	EFS recovery
NoUserPolicy	REG_DWORD	0x1
NoGPOListChanges	REG_DWORD	0x1
RequiresSuccessfulRegistry	REG_DWORD	0x1

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{c6dc5466-785a-11d2-84d0-00c04fb169f7}
<NO NAME>	REG_SZ	Software Installation
DllName	REG_EXPAND_SZ	appmgmts.dll
ProcessGroupPolicyEx	REG_SZ	ProcessGroupPolicyObjectsEx
GenerateGroupPolicy	REG_SZ	GenerateGroupPolicy
NoBackgroundPolicy	REG_DWORD	0x0
RequiresSucessfulRegistry	REG_DWORD	0x0
NoSlowLink	REG_DWORD	0x1
PerUserLocalSettings	REG_DWORD	0x1
EventSources	REG_MULTI_SZ	(Application Management,Application)\0(MsiInstaller,Application)\0\0

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{e437bc1c-aa7d-11d2-a382-00c04f991e27}
<NO NAME>	REG_SZ	IP Security
ProcessGroupPolicy	REG_SZ	ProcessIPSECPolicy
DllName	REG_EXPAND_SZ	gptext.dll
NoUserPolicy	REG_DWORD	0x1
NoGPOListChanges	REG_DWORD	0x1

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\!SASWinLogon
DllName	REG_SZ	C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
Logon	REG_SZ	SABWINLOLogon
Logoff	REG_SZ	SABWINLOLogoff
Startup	REG_SZ	SABWINLOStartup
Shutdown	REG_SZ	SABWINLOShutdown
Asynchronous	REG_DWORD	0x0
Impersonate	REG_DWORD	0x0

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList
HelpAssistant	REG_DWORD	0x0
TsInternetUser	REG_DWORD	0x0
SQLAgentCmdExec	REG_DWORD	0x0
NetShowServices	REG_DWORD	0x0
IWAM_	REG_DWORD	0x10000
IUSR_	REG_DWORD	0x10000
VUSR_	REG_DWORD	0x10000

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Credentials


----------



## JSntgRvr (Jul 1, 2003)

Hi, *linkinfigure9* 

There are quite a few *Registry* entries missing.

First perform a Full Backup of the Registry:

Go to *Start*->*Run*, type *Regedit.exe* and click Ok.
The Registry Editor will be displayed.
Click on *My Computer* in the Editor to highlight it.
Select *Registry* (File on XP) from the *Menu*, then *Export*.
Name the export *Backup*
Save it on C:\
You now have a backup of your registry on C:\ (*C:\Backup.reg*).

Go to the Add/ Remove Programs option in the Control Panel and remove the following updates if present:

*Windows Genuine Advantage Validation Tool (KB892130)
Security Update for Windows XP (KB922819)*

Also clear the update from the C:\Windows\SoftwareDistribution\Download folder

*[C:\WINDOWS\SoftwareDistribution\Download\187d2ab765f3595de795d17271e0496c.]*

Download the enclosed folder. Save and extract its contents to the desktop. It is a folder containing a Registry Entries file, *Winlogon.reg* . Once extracted, open the folder and double click on the *Winlogon.reg* file and select *Yes* when prompted to merge it into the registry.

Restart the computer.

Go to Windows Updates site and download all available updates.


----------



## linkinfigure9 (Jul 20, 2007)

I couldn't remove the Windows Genuine Advantage Validation Tool (KB892130) and the other one wasn't there. So, I didn't do anything after that but I did do the backup thingy..


----------



## JSntgRvr (Jul 1, 2003)

Complete the rest of the process. Download and run *Winlogon.reg*.

Restart the computer.

Go to Windows Updates site and download all available updates.


----------



## linkinfigure9 (Jul 20, 2007)

Ok. I did all of it. The only thing I ran into was the one update it said I needed, which wouldn't download. It had a similar name to the Windows Genuine Advantage Validation Tool (KB892130) but had a different number.. I didn't run into any problems elsewhere though..


----------



## JSntgRvr (Jul 1, 2003)

linkinfigure9 said:


> Ok. I did all of it. The only thing I ran into was the one update it said I needed, which wouldn't download. It had a similar name to the Windows Genuine Advantage Validation Tool (KB892130) but had a different number.. I didn't run into any problems elsewhere though..


There must be some information about this issue in the *WindowsUpdate.log*. Look for it close to the end of the log and post it here. In fact, there should be a progress report on what you were able to achieve. Post that information in your next reply.


----------



## linkinfigure9 (Jul 20, 2007)

I couldn't find anything like that. I know it's pretty big, but could i just attach the log here and let you find it? lol


----------



## JSntgRvr (Jul 1, 2003)

linkinfigure9 said:


> I couldn't find anything like that. I know it's pretty big, but could i just attach the log here and let you find it? lol


Give it a try!


----------



## linkinfigure9 (Jul 20, 2007)

Give what a try? Sorry, I'm kinda out of it. I'm doped up on meds. I'm sick. X.x


----------



## JSntgRvr (Jul 1, 2003)

JSntgRvr said:


> Give it a try!


Take the *WindowsUpdates.log* and save the last half of it as *Wup.txt*. Attach the *WUP.txt* document to a reply.


----------



## linkinfigure9 (Jul 20, 2007)

Ok. That's nowhere near half of it because it was too big at halfway. But that's nearly a third or so..


----------



## JSntgRvr (Jul 1, 2003)

Hi, *linkinfigure9* 

1. Click Start, click Run, type *regsvr32 qmgr.dll* in the Open box, and then click OK.
2. Click OK.
3. Click Start, click Run, type *regsvr32 qmgrprxy.dll* in the Open box, and then click OK.
4. Click OK.

If successful, go back to Windows Updates and download the *Validation Tool*.

Download and install SP2 From *Here*

Let me know of any problems. Write down any error messages.


----------



## linkinfigure9 (Jul 20, 2007)

Again, I got it saved on my desktop. When I tried to install it by double-clicking it, it unloaded a whole lot of files and then the installation started, but then it popped up that c:\windows\system32\drivers\ndis.sys was in use and to exit all programs. I had Firefox and IE up, so I exited them, but when I clicked retry like it told me to, it kept popping up. It wouldn't stop popping up so I just exited out of the thing totally..


----------



## JSntgRvr (Jul 1, 2003)

linkinfigure9 said:


> Again, I got it saved on my desktop. When I tried to install it by double-clicking it, it unloaded a whole lot of files and then the installation started, but then it popped up that c:\windows\system32\drivers\ndis.sys was in use and to exit all programs. I had Firefox and IE up, so I exited them, but when I clicked retry like it told me to, it kept popping up. It wouldn't stop popping up so I just exited out of the thing totally..


Very strange that the installation does not unhook the ndis.sys file. Let's use catchme to disable the ndis.sys file, then install *SP2*. Make sure you have the *SP2* installation file downloaded on your desktop.

Please create a folder in C:\ and label that folder, *Catchme*. Download catchme.exe ( 25kB ) from *Here* to the recently created C:\Catchme folder.

*Copy the entire contents of the Quote Box* below to *Notepad*.
Name the file as *DisableNdis.bat*
Change the *Save as Type* to *All Files*
and *Save* it in the same folder you saved *Catchme.exe* to, C:\Catchme.
Once saved, double click on the *DisableNdis.bat* file.
Follow the prompts.
The fix will restart the computer.



> @echo off
> catchme -l nul -K %systemroot%\system32\drivers\ndis.sys
> echo.Press any key to reboot the machine
> pause >nul
> ...


After the restart, install SP2.

Perform another restart after installation to restore connectivity.

Keep me posted.


----------



## linkinfigure9 (Jul 20, 2007)

YAY!!!!! Lol. It got installed, finally. So now that that is done, what do I do? Should I wait to see if my internet still messes up?


----------



## JSntgRvr (Jul 1, 2003)

Let me see a fresh Hijackthis log.


----------



## linkinfigure9 (Jul 20, 2007)

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 20:23, on 2007-07-29
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LxrJD31s.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\Program Files\MSN Messenger\usnsvc.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.cp-tel.net/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=localhost:8080;https=localhost:8080
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: &Yahoo! Toolbar Helper - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: Yahoo! IE Services Button - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe"
O4 - HKCU\..\Run: [TClockEx] C:\Program Files\TClockEx\TCLOCKEX.EXE
O4 - HKCU\..\Run: [Microsoft Works Update Detection] C:\Program Files\Microsoft Works\WkDetect.exe
O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVGFRE~1\avgw.exe /RUNONCE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVGFRE~1\avgw.exe /RUNONCE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVGFRE~1\avgw.exe /RUNONCE (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\RunOnce: [FlashPlayerUpdate] C:\WINDOWS\System32\Macromed\Flash\GetFlash.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVGFRE~1\avgw.exe /RUNONCE (User 'Default user')
O4 - HKUS\.DEFAULT\..\RunOnce: [FlashPlayerUpdate] C:\WINDOWS\System32\Macromed\Flash\GetFlash.exe (User 'Default user')
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\tvwbsizthmsqn.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\tvwbsizthmsqn.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\tvwbsizthmsqn.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\tvwbsizthmsqn.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\tvwbsizthmsqn.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\tvwbsizthmsqn.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\tvwbsizthmsqn.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\tvwbsizthmsqn.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\tvwbsizthmsqn.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\tvwbsizthmsqn.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\tvwbsizthmsqn.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\tvwbsizthmsqn.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\tvwbsizthmsqn.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\tvwbsizthmsqn.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\tvwbsizthmsqn.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\tvwbsizthmsqn.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\tvwbsizthmsqn.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\tvwbsizthmsqn.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\tvwbsizthmsqn.dll
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (Installation Support) - C:\Program Files\Yahoo!\Common\Yinsthelper.dll
O16 - DPF: {5D6F45B3-9043-443D-A792-115447494D24} - http://messenger.zone.msn.com/EN-US/a-UNO1/GAME_UNO1.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1185475446828
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1185475391546
O16 - DPF: {90C9629E-CD32-11D3-BBFB-00105A1F0D68} - http://www.installengine.com/engine/isetup.cab
O16 - DPF: {B1E2B96C-12FE-45E2-BEF1-44A219113CDD} - http://www.superadblocker.com/activex/sabspx.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} - http://cdn2.zone.msn.com/binFramework/v10/ZIntro.cab53083.cab
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} - http://zone.msn.com/bingame/dim2/default/popcaploader_v6.cab
O16 - DPF: {F58E1CEF-A068-4C15-BA5E-587CAF3EE8C6} - http://chat.msn.com/bin/msnchat45.cab
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: Lexar JD31 (LxrJD31s) - Unknown owner - C:\WINDOWS\SYSTEM32\LxrJD31s.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe

--
End of file - 6745 bytes


----------



## JSntgRvr (Jul 1, 2003)

Hi, *linkinfigure9* 

There is an offender in the LSP chain. I will need to see a fresh *Deckard's System Scanner* log.


----------



## linkinfigure9 (Jul 20, 2007)

Deckard's System Scanner v20070711.54
Run by Kenny on 2007-07-30 at 15:02:09
Computer is in Normal Mode.
--------------------------------------------------------------------------------

-- HijackThis (run as Kenny.exe) -----------------------------------------------

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 20:23, on 2007-07-29
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LxrJD31s.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\Program Files\MSN Messenger\usnsvc.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.cp-tel.net/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=localhost:8080;https=localhost:8080
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: &Yahoo! Toolbar Helper - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: Yahoo! IE Services Button - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe"
O4 - HKCU\..\Run: [TClockEx] C:\Program Files\TClockEx\TCLOCKEX.EXE
O4 - HKCU\..\Run: [Microsoft Works Update Detection] C:\Program Files\Microsoft Works\WkDetect.exe
O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVGFRE~1\avgw.exe /RUNONCE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVGFRE~1\avgw.exe /RUNONCE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVGFRE~1\avgw.exe /RUNONCE (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\RunOnce: [FlashPlayerUpdate] C:\WINDOWS\System32\Macromed\Flash\GetFlash.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVGFRE~1\avgw.exe /RUNONCE (User 'Default user')
O4 - HKUS\.DEFAULT\..\RunOnce: [FlashPlayerUpdate] C:\WINDOWS\System32\Macromed\Flash\GetFlash.exe (User 'Default user')
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\tvwbsizthmsqn.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\tvwbsizthmsqn.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\tvwbsizthmsqn.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\tvwbsizthmsqn.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\tvwbsizthmsqn.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\tvwbsizthmsqn.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\tvwbsizthmsqn.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\tvwbsizthmsqn.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\tvwbsizthmsqn.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\tvwbsizthmsqn.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\tvwbsizthmsqn.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\tvwbsizthmsqn.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\tvwbsizthmsqn.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\tvwbsizthmsqn.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\tvwbsizthmsqn.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\tvwbsizthmsqn.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\tvwbsizthmsqn.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\tvwbsizthmsqn.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\tvwbsizthmsqn.dll
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (Installation Support) - C:\Program Files\Yahoo!\Common\Yinsthelper.dll
O16 - DPF: {5D6F45B3-9043-443D-A792-115447494D24} - http://messenger.zone.msn.com/EN-US/a-UNO1/GAME_UNO1.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1185475446828
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1185475391546
O16 - DPF: {90C9629E-CD32-11D3-BBFB-00105A1F0D68} - http://www.installengine.com/engine/isetup.cab
O16 - DPF: {B1E2B96C-12FE-45E2-BEF1-44A219113CDD} - http://www.superadblocker.com/activex/sabspx.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} - http://cdn2.zone.msn.com/binFramework/v10/ZIntro.cab53083.cab
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} - http://zone.msn.com/bingame/dim2/default/popcaploader_v6.cab
O16 - DPF: {F58E1CEF-A068-4C15-BA5E-587CAF3EE8C6} - http://chat.msn.com/bin/msnchat45.cab
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: Lexar JD31 (LxrJD31s) - Unknown owner - C:\WINDOWS\SYSTEM32\LxrJD31s.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe

--
End of file - 6745 bytes

-- Files created between 2007-06-30 and 2007-07-30 -----------------------------

2007-07-29 22:26:32 0 d-------- C:\Documents and Settings\Kenny\Application Data\LEGO Company
2007-07-29 21:24:06 0 d-------- C:\Program Files\LEGO Company
2007-07-29 18:53:22 0 d-------- C:\WINDOWS\Prefetch
2007-07-29 18:33:39 0 d-------- C:\WINDOWS\provisioning
2007-07-29 17:20:26 0 d-------- C:\CatchMe
2007-07-28 12:06:20 0 d-------- C:\Documents and Settings\All Users\Application Data\Google
2007-07-27 22:58:05 62727624 --a------ C:\Backup.reg
2007-07-26 18:52:30 0 dr-h----- C:\Documents and Settings\Kenny\Recent
2007-07-26 15:56:01 24064 --a------ C:\WINDOWS\system32\tvwbsizthmsqn.dll
2007-07-26 12:23:33 0 d-------- C:\Documents and Settings\Kenny\Application Data\aignes
2007-07-26 11:46:37 0 d-------- C:\Program Files\TClockEx
2007-07-25 22:01:10 0 d-------- C:\Documents and Settings\Kenny\Application Data\MySpace
2007-07-25 22:01:04 0 d-------- C:\Program Files\MySpace
2007-07-25 20:26:05 0 d-------- C:\Documents and Settings\Kenny\Application Data\Talkback
2007-07-25 19:30:51 0 d-------- C:\Program Files\CCleaner
2007-07-25 19:26:47 1156 --a------ C:\WINDOWS\mozver.dat
2007-07-25 19:14:23 0 --a------ C:\WINDOWS\nsreg.dat
2007-07-25 19:14:14 0 d-------- C:\Documents and Settings\Kenny\Application Data\Mozilla
2007-07-24 14:02:33 0 d-------- C:\Documents and Settings\Kenny\Application Data\Yahoo!
2007-07-24 14:02:33 0 d-------- C:\Documents and Settings\All Users\Application Data\Yahoo! Companion
2007-07-24 13:52:27 0 d-------- C:\Documents and Settings\All Users\Application Data\Yahoo!
2007-07-24 13:49:17 0 d-------- C:\Program Files\Yahoo!
2007-07-23 15:46:21 0 d-------- C:\Program Files\Common Files\Java
2007-07-21 08:24:58 0 d-------- C:\Documents and Settings\All Users\Application Data\Cadsoft
2007-07-21 08:24:07 0 d-------- C:\Program Files\Common Files\Cadsoft
2007-07-21 08:24:03 0 d-------- C:\Program Files\Cadsoft
2007-07-20 14:44:20 0 d-------- C:\Program Files\Trend Micro
2007-07-19 13:11:26 0 d-------- C:\Documents and Settings\All Users\Application Data\SUPERAntiSpyware.com
2007-07-19 13:10:59 0 d-------- C:\Program Files\SUPERAntiSpyware
2007-07-19 13:10:58 0 d-------- C:\Documents and Settings\Kenny\Application Data\SUPERAntiSpyware.com
2007-07-19 12:44:59 0 d-------- C:\VundoFix Backups
2007-07-13 19:00:57 0 d-------- C:\Program Files\Common Files\Wise Installation Wizard

-- Find3M Report ---------------------------------------------------------------

2007-07-29 19:03:29 0 d-------- C:\Program Files\MSN Messenger
2007-07-29 18:35:02 0 d-------- C:\Program Files\Messenger
2007-07-29 18:33:46 0 d-------- C:\Program Files\Movie Maker
2007-07-29 18:24:45 0 d-------- C:\Program Files\Windows NT
2007-07-23 15:47:59 0 d-------- C:\Program Files\Java
2007-07-13 19:02:31 0 d-------- C:\Program Files\Lavasoft
2007-07-03 16:42:16 0 d-------- C:\Program Files\Microsoft Games
2007-06-30 15:40:23 74 --a------ C:\WINDOWS\popcinfo.dat
2007-06-24 12:41:57 0 d-------- C:\Program Files\Firefly Studios
2007-06-24 12:41:46 0 d--h----- C:\Program Files\InstallShield Installation Information
2007-06-24 12:40:56 0 d-------- C:\Program Files\Common Files\InstallShield
2007-06-24 12:12:02 0 d-------- C:\Documents and Settings\Kenny\Application Data\AVG7
2007-06-24 11:52:46 0 d-------- C:\Program Files\Common Files\Symantec Shared
2007-06-24 11:52:34 0 d-------- C:\Program Files\Norton SystemWorks
2007-06-24 11:43:31 0 d-------- C:\Program Files\Symantec

-- Registry Dump ---------------------------------------------------------------

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects]
{02478D38-C3F9-4efb-9B51-7695ECA05670}	C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
{5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897}	C:\Program Files\Yahoo!\Common\yiesrvc.dll
{761497BB-D6F0-462C-B6EB-D4DAF1D92D43}	C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
{9030D464-4C02-4ABF-8ECC-5164760863C6}	C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run]
"SunJavaUpdateSched"="\"C:\\Program Files\\Java\\jre1.6.0_02\\bin\\jusched.exe\""
"MMTray"="C:\\Program Files\\MUSICMATCH\\MUSICMATCH Jukebox\\mm_tray.exe"

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run]
"TClockEx"="C:\\Program Files\\TClockEx\\TCLOCKEX.EXE"
"Microsoft Works Update Detection"="C:\\Program Files\\Microsoft Works\\WkDetect.exe"

[HKEY_USERS\.default\software\microsoft\windows\currentversion\runonce]
"FlashPlayerUpdate"="C:\\WINDOWS\\System32\\Macromed\\Flash\\GetFlash.exe"

[HKEY_USERS\.default\software\microsoft\windows\currentversion\run]
"AVG7_Run"="C:\\PROGRA~1\\Grisoft\\AVGFRE~1\\avgw.exe /RUNONCE"
"MySpaceIM"="C:\\Program Files\\MySpace\\IM\\MySpaceIM.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"=""

HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders]
"SecurityProviders"="msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll, zwebauth.dll"

HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa
Authentication Packages	REG_MULTI_SZ msv1_0\0\0
Security Packages	REG_MULTI_SZ kerberos\0msv1_0\0schannel\0wdigest\0\0
Notification Packages	REG_MULTI_SZ scecli\0\0

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"AVGEMS"=dword:00000002
"Avg7UpdSvc"=dword:00000002
"Avg7Alrt"=dword:00000002
"WmdmPmSN"=dword:00000003
"ImapiService"=dword:00000003

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Svchost]
LocalService	REG_MULTI_SZ Alerter\0WebClient\0LmHosts\0RemoteRegistry\0upnphost\0SSDPSRV\0\0
NetworkService	REG_MULTI_SZ DnsCache\0\0
rpcss	REG_MULTI_SZ RpcSs\0\0
imgsvc	REG_MULTI_SZ StiSvc\0\0
termsvcs	REG_MULTI_SZ TermService\0\0
HTTPFilter	REG_MULTI_SZ HTTPFilter\0\0
DcomLaunch	REG_MULTI_SZ DcomLaunch\0TermService\0\0

-- End of Deckard's System Scanner: finished at 2007-07-30 at 15:04:22 ---------


----------



## JSntgRvr (Jul 1, 2003)

Hi, *linkinfigure9* 

Use *LSPFix* and remove the following entries:

*nwprovau.dll*
*tvwbsizthmsqn.dll*

Then delete the following file in Safe Mode:

*C:\WINDOWS\system32\tvwbsizthmsqn.dll*

Restart and post a fresh *HijackThis* log.


----------
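The LSP triage that the helper did by eye in the two posts above (spotting the odd DLL in the O10 lines, then naming the file to remove) can be written down as detection logic. The script below is an added example and is not part of the thread, of HijackThis, or of LSPFix: it parses the O10 (Winsock LSP) and R1 (ProxyServer) lines of a HijackThis log, separates provider DLLs that ship with Windows from everything else by means of an allowlist, flags long near-vowelless file names, and reports whether the proxy points back at the local machine. The allowlist, the random-name heuristic and the sample log (a constructed, cut-down excerpt of the log posted above) are this example's own assumptions.

```python
"""Triage of HijackThis O10 (Winsock LSP) and R1 (proxy) lines.

Added example for this thread; not code from the thread, HijackThis or LSPFix.
"""
import ntpath
import re
from collections import Counter

# Constructed sample: a cut-down excerpt of the log posted in the thread
# (the real log repeats the tvwbsizthmsqn.dll line nineteen times).
SAMPLE_LOG = """\
R0 - HKCU\\Software\\Microsoft\\Internet Explorer\\Main,Start Page = http://www.cp-tel.net/
R1 - HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Internet Settings,ProxyServer = http=localhost:8080;https=localhost:8080
O10 - Unknown file in Winsock LSP: c:\\windows\\system32\\nwprovau.dll
O10 - Unknown file in Winsock LSP: c:\\windows\\system32\\tvwbsizthmsqn.dll
O10 - Unknown file in Winsock LSP: c:\\windows\\system32\\tvwbsizthmsqn.dll
O10 - Unknown file in Winsock LSP: c:\\windows\\system32\\tvwbsizthmsqn.dll
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
"""

# Assumption: LSP / name-space provider DLLs that ship with Windows XP. HijackThis
# reports every provider it has no signature for as "Unknown", so nwprovau.dll
# (Microsoft's Client Service for NetWare name-space provider) is listed next to
# the genuinely suspicious file; an allowlist separates the two.
KNOWN_LSP_DLLS = {"mswsock.dll", "winrnr.dll", "rsvpsp.dll", "nwprovau.dll"}

O10_RE = re.compile(r"^O10 - .*Winsock LSP:\s*(?P<path>\S+)", re.IGNORECASE)
R1_PROXY_RE = re.compile(r"^R1 - .*ProxyServer = (?P<value>.+)$")
LOCAL_HOSTS = {"localhost", "127.0.0.1", "::1"}
VOWELS = set("aeiou")


def lsp_entries(log_text):
    """Return Counter of full DLL path -> number of O10 lines naming it."""
    counts = Counter()
    for line in log_text.splitlines():
        m = O10_RE.match(line.strip())
        if m:
            counts[m.group("path").lower()] += 1
    return counts


def looks_random(filename):
    """Heuristic (an assumption, not a rule): a stem of 10+ characters with
    fewer than one vowel in five, e.g. tvwbsizthmsqn, reads as machine-generated."""
    stem = filename.rsplit(".", 1)[0]
    if len(stem) < 10:
        return False
    return sum(c in VOWELS for c in stem) / len(stem) < 0.2


def triage_lsp(log_text, known=KNOWN_LSP_DLLS):
    """Split LSP DLLs into known and unknown. Unknown entries carry the repeat
    count and the random-name flag so the analyst sees why each was raised."""
    result = {"known": {}, "unknown": {}}
    for path, count in lsp_entries(log_text).items():
        name = ntpath.basename(path)
        if name in known:
            result["known"][path] = count
        else:
            result["unknown"][path] = {"count": count, "random_name": looks_random(name)}
    return result


def proxy_settings(log_text):
    """Parse the R1 ProxyServer value into {scheme: host:port}; empty dict if none.
    A bare "host:port" (no scheme=) applies to every scheme and is keyed "*"."""
    for line in log_text.splitlines():
        m = R1_PROXY_RE.match(line.strip())
        if m:
            value = m.group("value").strip()
            if "=" not in value:
                return {"*": value}
            return dict(part.split("=", 1) for part in value.split(";") if "=" in part)
    return {}


def proxy_points_at_localhost(log_text):
    """True when any configured proxy target is the machine itself, i.e. browser
    traffic is handed to a local listener that should be identified."""
    return any(target.rsplit(":", 1)[0].lower() in LOCAL_HOSTS
               for target in proxy_settings(log_text).values())


if __name__ == "__main__":
    report = triage_lsp(SAMPLE_LOG)
    for path, info in report["unknown"].items():
        print(f"UNKNOWN LSP {path} x{info['count']} random_name={info['random_name']}")
    print("proxy:", proxy_settings(SAMPLE_LOG), "local:", proxy_points_at_localhost(SAMPLE_LOG))
```

A legitimate LSP is registered once per base protocol, so the repeat count by itself is not an indicator; what singles out tvwbsizthmsqn.dll here is the allowlist miss together with the random-looking name, and the Deckard's log above corroborates it with a creation date (2007-07-26) that postdates the first crashes. The R1 line is raised because a proxy of localhost:8080 hands every browser request to a listener on the machine itself; check what, if anything, is bound to that port (`netstat -ano` on XP) before deciding whether the setting is wanted.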



## linkinfigure9 (Jul 20, 2007)

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 17:04, on 2007-07-30
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\WINDOWS\system32\LxrJD31s.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.cp-tel.net/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=localhost:8080;https=localhost:8080
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: &Yahoo! Toolbar Helper - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: Yahoo! IE Services Button - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe"
O4 - HKLM\..\Run: [MMTray] C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe
O4 - HKCU\..\Run: [TClockEx] C:\Program Files\TClockEx\TCLOCKEX.EXE
O4 - HKCU\..\Run: [Microsoft Works Update Detection] C:\Program Files\Microsoft Works\WkDetect.exe
O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVGFRE~1\avgw.exe /RUNONCE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVGFRE~1\avgw.exe /RUNONCE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVGFRE~1\avgw.exe /RUNONCE (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\RunOnce: [FlashPlayerUpdate] C:\WINDOWS\System32\Macromed\Flash\GetFlash.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVGFRE~1\avgw.exe /RUNONCE (User 'Default user')
O4 - HKUS\.DEFAULT\..\RunOnce: [FlashPlayerUpdate] C:\WINDOWS\System32\Macromed\Flash\GetFlash.exe (User 'Default user')
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (Installation Support) - C:\Program Files\Yahoo!\Common\Yinsthelper.dll
O16 - DPF: {5D6F45B3-9043-443D-A792-115447494D24} - http://messenger.zone.msn.com/EN-US/a-UNO1/GAME_UNO1.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1185475446828
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1185475391546
O16 - DPF: {90C9629E-CD32-11D3-BBFB-00105A1F0D68} - http://www.installengine.com/engine/isetup.cab
O16 - DPF: {B1E2B96C-12FE-45E2-BEF1-44A219113CDD} - http://www.superadblocker.com/activex/sabspx.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} - http://cdn2.zone.msn.com/binFramework/v10/ZIntro.cab53083.cab
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} - http://zone.msn.com/bingame/dim2/default/popcaploader_v6.cab
O16 - DPF: {F58E1CEF-A068-4C15-BA5E-587CAF3EE8C6} - http://chat.msn.com/bin/msnchat45.cab
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: Lexar JD31 (LxrJD31s) - Unknown owner - C:\WINDOWS\SYSTEM32\LxrJD31s.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe

--
End of file - 5760 bytes


----------



## JSntgRvr (Jul 1, 2003)

Hi, *linkinfigure9* 

That log looks mighty clear. Congratulations.

*Since the tools we used to scan the computer, as well as tools to delete files and folders, are no longer needed, they should be removed, as well as the folders created by these tools.*

Reset and Re-enable your System Restore to remove bad files that have been backed up by Windows. The files in System Restore are protected to prevent any programmes changing them. This is the only way to clean these files: (You will lose all previous restore points which are likely to be infected.)

To reset your restore points, please note that you will need to log into your computer with an account which has full administrator access. You will know if the account has administrator access because you will be able to see the System Restore tab. If the tab is missing, you are logged in under a limited account.

(Windows XP)

1. Turn off System Restore.
On the Desktop, right-click My Computer.
Click Properties.
Click the System Restore tab.
Check Turn off System Restore.
Click Apply, and then click OK.

2. Reboot.

3. Turn ON System Restore.

On the Desktop, right-click My Computer.
Click Properties.
Click the System Restore tab.
UN-Check *Turn off System Restore*.
Click Apply, and then click OK.

*Create a Restore point*:

Click *Start*, point to *All Programs*, point to *Accessories*, point to *System Tools*, and then click *System Restore*.
In the System Restore dialog box, click *Create a restore point*, and then click *Next*. 
Type a description for your restore point, such as "After Cleanup", then click *Create*.

The following is a list of tools and utilities that I like to suggest to people. This list is full of great tools and utilities to help you understand how you got infected and how to keep from getting infected again.
*Spybot Search & Destroy* - Uber powerful tool which can search and annihilate nasties that make it onto your system. Now with an Immunize section that will help prevent future infections.

*AdAware* - Another very powerful tool which searches and kills nasties that infect your system. AdAware and Spybot Search & Destroy complement each other very well.

SpywareBlaster - Great prevention tool to keep nasties from installing on your system.

*IE-SpyAd* - puts over 5000 sites in your restricted zone so you'll be protected when you visit innocent-looking sites that aren't actually innocent at all.

*CleanUP*! - Cleans temporary files from IE and Windows, empties the recycle bin and more. Great tool to help speed up your computer and knock out those nasties that like to reside in the temp folders.

Windows Updates - It is *very important* to make sure that both Internet Explorer and Windows are kept current with *the latest critical security patches* from Microsoft. To do this just start *Internet Explorer* and select *Tools > Windows Update*, and follow the online instructions from there.

*Google Toolbar* - Free google toolbar that allows you to use the powerful Google search engine from the bar, but also blocks pop up windows.

*Trillian* or *Miranda-IM* - These are Malware free Instant Messenger programs which allow you to connect to multiple IM services in one program! (AOL, Yahoo, ICQ, IRC, MSN)
To find out more information about how you got infected in the first place and some great guidelines to follow to prevent future infections you can read *this* article by Tony Klein.

Click *Here* for some advice from our security Experts.

Please use the thread's Tools and mark this thread as "*Solved*".

Best wishes!


----------



## linkinfigure9 (Jul 20, 2007)

THANK YOUUUUU!!!!!!! I'm so thankful. I couldn'ta done it without cha. If I have any more problems, I'll come to you. THANK YOU AGAIN!!!!!!!!!!!!!


----------

