# PC is a MESS!



## xintrop (Dec 5, 2007)

My son said he accidentally downloaded something, won't tell me what? I use Zone Alarm as firewall and avast as my virus protection. Microsoft is constantly popping up windows telling me to run their spy scanner: "Critical System Warning .. Infected with a version of Spyware.IEPass.thief", "Firewall Warning"s, "Windows Security Center", "System Defender Security Center", "WinSpywareProtect alert" in the form of a box in right hand left corner sliding from bottom right corner, etc. It wants me to run Vista scan and I never needed to do this before? *concerned*

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 9:36:12 PM, on 6/19/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\WINDOWS\System32\CTsvcCDA.EXE
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\system32\PnkBstrA.exe
C:\GBA\Spyware Doctor\sdhelp.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\WINDOWS\System32\alg.exe
C:\WINDOWS\system32\devldr32.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Creative\ShareDLL\CtNotify.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATIAEA.EXE
C:\Sys3B.exe
C:\Sys3C.exe
C:\Program Files\DNA\btdna.exe
C:\Sys3A.exe
C:\Program Files\CASIO\Photo Loader\Plauto.exe
C:\Program Files\ShortKeys2\shortkey.exe
C:\Program Files\Creative\ShareDLL\MediaDet.Exe
C:\Documents and Settings\All Users.WINDOWS\Application Data\ADSL Software Ltd\WinSpywareProtect\winspywareprotect.exe
C:\WINDOWS\system32\taskmgr.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
C:\WINDOWS\System32\wbem\wmiprvse.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
O1 - Hosts: 92.48.81.32 iHabbixReloaded
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: CCHelper Class - {0CF0B8EE-6596-11D5-A98E-0003470BB48E} - C:\Program Files\Panicware\Pop-Up Stopper\CCHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: PCTools Site Guard - {5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB} - C:\GBA\SPYWAR~1\tools\iesdsg.dll
O3 - Toolbar: Pa&nicware Pop-Up Stopper - {7E82235C-F31E-46CB-AF9F-1ADD94C585FF} - C:\Program Files\Panicware\Pop-Up Stopper\pstopper.dll
O3 - Toolbar: vrmdtneg - {B4B8E731-19DA-43DF-9E91-4B33E8478EF3} - C:\WINDOWS\vrmdtneg.dll
O4 - HKLM\..\Run: [Disc Detector] C:\Program Files\Creative\ShareDLL\CtNotify.exe
O4 - HKLM\..\Run: [ISUSPM Startup] "C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe" -startup
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [NvCplDaemon] "RUNDLL32.EXE" C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [ZoneAlarm Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [EPSON Stylus CX4200 Series] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATIAEA.EXE /P26 "EPSON Stylus CX4200 Series" /O6 "USB001" /M "Stylus CX4200"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [Antivirus] C:\Program Files\VAV\vav.exe
O4 - HKLM\..\Run: [SysF.exe] C:\SysF.exe
O4 - HKLM\..\Run: [Sys10.exe] C:\Sys10.exe
O4 - HKLM\..\Run: [Sys11.exe] C:\Sys11.exe
O4 - HKLM\..\Run: [Sys12.exe] C:\Sys12.exe
O4 - HKLM\..\Run: [Sys13.exe] C:\Sys13.exe
O4 - HKCU\..\Run: [BitTorrent DNA] "C:\Program Files\DNA\btdna.exe"
O4 - HKCU\..\Run: [Antivirus] C:\Program Files\VAV\vav.exe
O4 - HKCU\..\Run: [SysF.exe] C:\SysF.exe
O4 - HKCU\..\Run: [Sys10.exe] C:\Sys10.exe
O4 - HKCU\..\Run: [Sys11.exe] C:\Sys11.exe
O4 - HKCU\..\Run: [Sys12.exe] C:\Sys12.exe
O4 - HKCU\..\Run: [Sys13.exe] C:\Sys13.exe
O4 - HKCU\..\Run: [WinSpywareProtect] "C:\Documents and Settings\All Users.WINDOWS\Application Data\ADSL Software Ltd\WinSpywareProtect\winspywareprotect.exe" /autorun
O4 - HKUS\S-1-5-18\..\Run: [Spyware Doctor] "C:\GBA\Spyware Doctor\swdoctor.exe" /Q (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [Spyware Doctor] "C:\GBA\Spyware Doctor\swdoctor.exe" /Q (User 'Default user')
O4 - Global Startup: Photo Loader supervisory.lnk = C:\Program Files\CASIO\Photo Loader\Plauto.exe
O4 - Global Startup: ShortKeys 2.lnk = C:\Program Files\ShortKeys2\shortkey.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra button: Spyware Doctor - {2D663D1A-8670-49D9-A1A5-4C56B4E14E84} - C:\GBA\SPYWAR~1\tools\iesdpb.dll
O9 - Extra button: ICQ Pro - {6224f700-cba3-4071-b251-47cb894244cd} - C:\PROGRA~1\ICQ\ICQ.exe
O9 - Extra 'Tools' menuitem: ICQ - {6224f700-cba3-4071-b251-47cb894244cd} - C:\PROGRA~1\ICQ\ICQ.exe
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: (no name) - {AFC3FA82-AD07-45cd-8B57-983435B9899E} - (no file)
O9 - Extra button: ICQ Lite - {B863453A-26C3-4e1f-A54D-A2CD196348E9} - C:\Program Files\ICQLite\ICQLite.exe
O9 - Extra 'Tools' menuitem: ICQ Lite - {B863453A-26C3-4e1f-A54D-A2CD196348E9} - C:\Program Files\ICQLite\ICQLite.exe
O9 - Extra button: Run IMVU - {d9288080-1baa-4bc4-9cf8-a92d743db949} - C:\Documents and Settings\Jude.JUDE-5PCD8SABXZ\Start Menu\Programs\IMVU\Run IMVU.lnk (file missing)
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: ActiveGS.cab - http://www.virtualapple.org/activegs.cab
O16 - DPF: {05CA9FB0-3E3E-4B36-BF41-0E3A5CAA8CD8} (Office Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=67633
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/eng/partner/200015205/kavwebscan_unicode.cab
O16 - DPF: {1239CC52-59EF-4DFA-8C61-90FFA846DF7E} (Musicnotes Viewer) - http://www.musicnotes.com/download/mnviewer.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?LinkID=39204
O16 - DPF: {39B0684F-D7BF-4743-B050-FDC3F48F7E3B} (FilePlanet Download Control Class) - http://www.fileplanet.com/fpdlmgr/cabs/FPDC_1_0_0_41.cab
O16 - DPF: {3DCEC959-378A-4922-AD7E-FD5C925D927F} (Disney Online Games ActiveX Control) - http://disney.go.com/pirates/online/testActiveX/built/signed/DisneyOnlineGames.cab
O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akamai.net/7/1540/52...pple.com/mickey/us/win/QuickTimeInstaller.exe
O16 - DPF: {5F5F9FB8-878E-4455-95E0-F64B2314288A} (ijjiPlugin2 Class) - http://gamedownload.ijjimax.com/gamedownload/dist/hgstart/HGPlugin11USA.cab
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab
O16 - DPF: {67DABFBF-D0AB-41FA-9C46-CC0F21721616} (DivXBrowserPlugin Object) - http://download.divx.com/player/DivXBrowserPlugin.cab?s6
O16 - DPF: {69EF49E5-FE46-4B92-B5FA-2193AB7A6B8A} (GameLauncher Control) - http://www.acclaim.com/cabs/acclaim_v4.cab
O16 - DPF: {70BA88C8-DAE8-4CE9-92BB-979C4A75F53B} - http://launch.gamespyarcade.com/software/launch/alaunch.cab
O16 - DPF: {77E32299-629F-43C6-AB77-6A1E6D7663F6} (Groove Control) - http://tv.disney.go.com/global/download/otoy/OTOYAX29b.cab
O16 - DPF: {7B41B7AC-3496-4C13-A70F-DE6B60A6A8A8} (MGAME manager Class) - http://www.legendofares.com/download/mgusamanagerv1001.cab
O16 - DPF: {C02226EB-A5D7-4B1F-BD7E-635E46C2288D} (Toontown Installer ActiveX Control) - http://a.download.toontown.com/sv1.0.33.7/ttinst.cab
O16 - DPF: {CC05BC12-2AA2-4AC7-AC81-0E40F83B1ADF} (Live365Player Class) - http://www.live365.com/players/play365.cab
O16 - DPF: {CD995117-98E5-4169-9920-6C12D4C0B548} (HGPlugin9USA Class) - http://gamedownload.ijjimax.com/gamedownload/dist/hgstart/HGPlugin9USA.cab
O16 - DPF: {CF40ACC5-E1BB-4AFF-AC72-04C2F616BCA7} (get_atlcom Class) - http://www.adobe.com/products/acrobat/nos/gp.cab
O16 - DPF: {D8089245-3211-40F6-819B-9E5E92CD61A2} (FlashXControl Object) - https://jackpotcity.microgaming.com/jackpotcity/FlashAX.cab
O16 - DPF: {DB7BF79A-FC51-4B5A-92BC-A65731174380} (InstantAction Game Launcher) - http://www.instantaction.com/download/iaplayer.cab
O21 - SSODL: wpvmqosg - {7E2A8AC8-6879-43DF-931E-DCE8947C4D29} - C:\WINDOWS\wpvmqosg.dll (file missing)
O21 - SSODL: xvorfwbd - {8415D1F7-848A-4804-B8F2-01B194B7FE62} - C:\WINDOWS\xvorfwbd.dll
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\System32\CTsvcCDA.EXE
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: PHPGeekUtil - Unknown owner - (no file)
O23 - Service: PnkBstrA - Unknown owner - C:\WINDOWS\system32\PnkBstrA.exe
O23 - Service: PC Tools Spyware Doctor (SDhelper) - PC Tools Research Pty Ltd - C:\GBA\Spyware Doctor\sdhelp.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe
O24 - Desktop Component 0: (no name) - http://artimpressive.com/wp-content/uploads/2007/07/379858.jpg
O24 - Desktop Component 1: (no name) - http://charas-project.net/resources/Titles/6579_1171637130_small.png
O24 - Desktop Component 2: (no name) - http://upload.wikimedia.org/wikipedia/en/f/f3/SSBB_Cover.jpg
O24 - Desktop Component 3: Privacy Protection - file:///C:\WINDOWS\privacy_danger\index.htm

--
End of file - 11640 bytes


----------



## ~Candy~ (Jan 27, 2001)

Ouch, that is a mess... While you are waiting for a qualified 'gold or blue shield person', you might go to Add/Remove Programs and uninstall anything like BitTorrent, LimeWire, Kazaa or any other P2P program. Here is a little reading on P2P programs, just in case you aren't aware.

http://stealingisillegal.com/

Another thing I'll point out is this: many internet service providers are now holding the person who signed up for their service responsible for illegal file sharing, sending out email notices to cease and desist, and also going as far as suing individuals.


----------



## Cookiegal (Aug 27, 2003)

Close/disable all anti-virus and anti-malware programs so they do not interfere with the running of SDFix and make sure you are disconnected from the Internet after downloading the program but before extracting the files.


*Very Important!* Temporarily *disable* your *anti-virus*, *script blocking* and any *anti-malware* real-time protection _*before*_ performing a scan. They can interfere with SDFix and remove some of its embedded files which may cause _"unpredictable results"_.
Click on *this link* to see a list of programs that should be disabled. The list is not all inclusive. If yours is not listed and you don't know how to disable it, please ask.
*Remember to re-enable the protection again afterwards before connecting to the Internet.*

Download *SDFix* and save it to your Desktop.

Double click *SDFix.exe* and it will extract the files to %systemdrive% 
(Drive that contains the Windows Directory, typically C:\SDFix)

Please then reboot your computer in *Safe Mode* by doing the following :
Restart your computer
After hearing your computer beep once during startup, but before the Windows icon appears, tap the F8 key continually
Instead of Windows loading as normal, the Advanced Options Menu should appear
Select the first option, to run Windows in Safe Mode, then press *Enter*
Choose your usual account.

Open the extracted SDFix folder and double click *RunThis.bat* to start the script. 
Type *Y* to begin the cleanup process.
It will remove any Trojan Services and Registry Entries that it finds then prompt you to press any key to reboot. 
Press any Key and it will restart the PC. 
When the PC restarts the Fixtool will run again and complete the removal process then display *Finished*, press any key to end the script and load your desktop icons.
Once the desktop icons load the SDFix report will open on screen and also save into the SDFix folder as *Report.txt* 
(Report.txt will also be copied to the clipboard ready for posting back on the forum).
Finally paste the contents of the Report.txt back on the forum with a new HijackThis log.

*Note: During this process, it would help a great deal and be very much appreciated if you would refrain from installing any new software or hardware on this machine, unless absolutely necessary, until the clean up process is finished as it makes our job more tedious, with additional new files that may have to be researched, which is very time consuming.

Also, please do not run any security programs or fixes on your own as doing so may compromise what we will be doing. It is important that you wait for instructions.*


----------



## xintrop (Dec 5, 2007)

*SDFix: Version 1.195 *
Run by Jude on Sun 06/22/2008 at 05:50 PM

Microsoft Windows XP [Version 5.1.2600]
Running From: C:\SDFix\SDFix

*Checking Services *:

Restoring Windows Registry Values
Restoring Windows Default Hosts File

Rebooting

*Checking Files *:

Trojan Files Found:

C:\Sys1.exe - Deleted
C:\Sys3.exe - Deleted
C:\Sys37.exe - Deleted
C:\Sys4.exe - Deleted
C:\Sys1.exe - Deleted
C:\Sys3.exe - Deleted
C:\Sys37.exe - Deleted
C:\Sys4.exe - Deleted
C:\DOCUME~1\JUDE~1.JUD\LOCALS~1\Temp\privacy_danger\index.htm - Deleted
C:\DOCUME~1\JUDE~1.JUD\LOCALS~1\Temp\privacy_danger\images\capt.gif - Deleted
C:\DOCUME~1\JUDE~1.JUD\LOCALS~1\Temp\privacy_danger\images\danger.jpg - Deleted
C:\DOCUME~1\JUDE~1.JUD\LOCALS~1\Temp\privacy_danger\images\down.gif - Deleted
C:\DOCUME~1\JUDE~1.JUD\LOCALS~1\Temp\privacy_danger\images\spacer.gif - Deleted
C:\Documents and Settings\Jude.JUDE-5PCD8SABXZ\Desktop\Quality BDSM galleries.url - Deleted
C:\Documents and Settings\Jude.JUDE-5PCD8SABXZ\Desktop\Uncensored porn.url - Deleted
C:\WINDOWS\system32\sex1.ico - Deleted
C:\WINDOWS\system32\sex2.ico - Deleted
C:\DOCUME~1\JUDE~1.JUD\LOCALS~1\Temp\media.php.bat - Deleted
C:\WINDOWS\neltabxw.exe - Deleted
C:\WINDOWS\system32\[email protected]@@k.dll - Deleted
C:\WINDOWS\vrmdtneg.dll - Deleted
C:\WINDOWS\xvorfwbd.dll - Deleted

Folder C:\DOCUME~1\JUDE~1.JUD\LOCALS~1\Temp\privacy_danger - Removed

Removing Temp Files

*ADS Check *:

*Final Check *:

catchme 0.3.1361.2 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-06-22 20:24:23
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden services & system hive ...

scanning hidden registry entries ...

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
"DeviceNotSelectedTimeout"="15"
"GDIProcessHandleQuota"=dword:00002710
"Spooler"="yes"
"swapdisk"=""
"TransmissionRetryTimeout"="90"
"USERProcessHandleQuota"=dword:00002710
"appinit_dlls"=""

scanning hidden files ...

scan completed successfully
hidden processes: 0
hidden services: 0
hidden files: 0

*Remaining Services *:

Authorized Application Key Export:

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list]
"C:\\Program Files\\LimeWire\\LimeWire.exe"="C:\\Program Files\\LimeWire\\LimeWire.exe:*:Enabled:LimeWire"
"C:\\Program Files\\ICQLite\\ICQLite.exe"="C:\\Program Files\\ICQLite\\ICQLite.exe:*:Enabled:ICQ Lite"
"C:\\Program Files\\DNA\\btdna.exe"="C:\\Program Files\\DNA\\btdna.exe:*:Enabled:DNA"
"C:\\Program Files\\BitTorrent\\bittorrent.exe"="C:\\Program Files\\BitTorrent\\bittorrent.exe:*:Enabled:BitTorrent"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\domainprofile\authorizedapplications\list]

*Remaining Files *:

File Backups: - C:\SDFix\SDFix\backups\backups.zip

*Files with Hidden Attributes *:

Wed 4 Aug 2004 60,416 A.SH. --- "C:\Program Files\Outlook Express\msimn.exe"
Thu 24 Apr 2008 56 ..SHR --- "C:\WINDOWS\system32\00EA860D08.sys"
Fri 13 Jun 2008 1,786 A.SH. --- "C:\WINDOWS\system32\KGyGaAvL.sys"
Sat 1 Nov 2003 4,348 ..SH. --- "C:\Documents and Settings\All Users\DRM\DRMv1.bak"
Fri 13 Jun 2008 88 ..SHR --- "C:\Documents and Settings\All Users.WINDOWS\Application Data\0B328F544C.sys"
Fri 13 Jun 2008 1,682 A.SH. --- "C:\Documents and Settings\All Users.WINDOWS\Application Data\KGyGaAvL.sys"
Fri 28 May 2004 4,348 A.SH. --- "C:\Documents and Settings\All Users.WINDOWS\DRM\DRMv1.bak"
Mon 25 Dec 2006 0 A.SH. --- "C:\Documents and Settings\All Users.WINDOWS\DRM\Cache\Indiv02.tmp"
Tue 17 Feb 2004 1,206 A..HR --- "C:\Program Files\Common Files\Symantec Shared\Registry Backup\ccReg.reg"
Tue 17 Feb 2004 12,368 A..HR --- "C:\Program Files\Common Files\Symantec Shared\Registry Backup\CommonClient.reg"
Tue 17 Feb 2004 10,678 A..H. --- "C:\Program Files\Microsoft Office\Office\Shortcut Bar\Off1.tmp"
Sat 12 Jul 2003 10,678 A..H. --- "C:\Program Files\Microsoft Office\Office\Shortcut Bar\Off2.tmp"
Tue 17 Feb 2004 10,678 A..H. --- "C:\Program Files\Microsoft Office\Office\Shortcut Bar\Off3.tmp"
Tue 17 Feb 2004 10,678 A..H. --- "C:\Program Files\Microsoft Office\Office\Shortcut Bar\Off8D.tmp"
Fri 28 May 2004 4,348 ...H. --- "C:\Documents and Settings\Jude.JUDE-5PCD8SABXZ\My Documents\My Music\License Backup\drmv1key.bak"
Thu 2 Sep 2004 20 A..H. --- "C:\Documents and Settings\Jude.JUDE-5PCD8SABXZ\My Documents\My Music\License Backup\drmv1lic.bak"
Thu 24 Jun 2004 12,431,945 A..H. --- "C:\Program Files\Common Files\Enterbrain\RGSS\Standard\Graphics.exe"
Thu 26 Feb 2004 49,386 A..H. --- "C:\Documents and Settings\All Users.WINDOWS\Application Data\Microsoft\VisualStudio\7.1\vs000223.tmp"

*Finished!*


----------



## xintrop (Dec 5, 2007)

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 8:47:09 PM, on 6/22/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\devldr32.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\WINDOWS\System32\CTsvcCDA.EXE
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\system32\PnkBstrA.exe
C:\GBA\Spyware Doctor\sdhelp.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\WINDOWS\System32\alg.exe
C:\WINDOWS\system32\notepad.exe
C:\Program Files\Creative\ShareDLL\CtNotify.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATIAEA.EXE
C:\Program Files\Creative\ShareDLL\MediaDet.Exe
C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe
C:\Program Files\VAV\vav.exe
C:\Program Files\DNA\btdna.exe
C:\Program Files\CASIO\Photo Loader\Plauto.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
C:\WINDOWS\System32\wbem\wmiprvse.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: CCHelper Class - {0CF0B8EE-6596-11D5-A98E-0003470BB48E} - C:\Program Files\Panicware\Pop-Up Stopper\CCHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: PCTools Site Guard - {5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB} - C:\GBA\SPYWAR~1\tools\iesdsg.dll
O3 - Toolbar: Pa&nicware Pop-Up Stopper - {7E82235C-F31E-46CB-AF9F-1ADD94C585FF} - C:\Program Files\Panicware\Pop-Up Stopper\pstopper.dll
O4 - HKLM\..\Run: [Disc Detector] C:\Program Files\Creative\ShareDLL\CtNotify.exe
O4 - HKLM\..\Run: [ISUSPM Startup] "C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe" -startup
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [NvCplDaemon] "RUNDLL32.EXE" C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [ZoneAlarm Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [EPSON Stylus CX4200 Series] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATIAEA.EXE /P26 "EPSON Stylus CX4200 Series" /O6 "USB001" /M "Stylus CX4200"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [Antivirus] C:\Program Files\VAV\vav.exe
O4 - HKCU\..\Run: [BitTorrent DNA] "C:\Program Files\DNA\btdna.exe"
O4 - HKCU\..\Run: [WinSpywareProtect] "C:\Documents and Settings\All Users.WINDOWS\Application Data\ADSL Software Ltd\WinSpywareProtect\winspywareprotect.exe" /autorun
O4 - HKUS\S-1-5-18\..\Run: [Spyware Doctor] "C:\GBA\Spyware Doctor\swdoctor.exe" /Q (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [Spyware Doctor] "C:\GBA\Spyware Doctor\swdoctor.exe" /Q (User 'Default user')
O4 - Global Startup: Photo Loader supervisory.lnk = C:\Program Files\CASIO\Photo Loader\Plauto.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra button: Spyware Doctor - {2D663D1A-8670-49D9-A1A5-4C56B4E14E84} - C:\GBA\SPYWAR~1\tools\iesdpb.dll
O9 - Extra button: ICQ Pro - {6224f700-cba3-4071-b251-47cb894244cd} - C:\PROGRA~1\ICQ\ICQ.exe
O9 - Extra 'Tools' menuitem: ICQ - {6224f700-cba3-4071-b251-47cb894244cd} - C:\PROGRA~1\ICQ\ICQ.exe
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: (no name) - {AFC3FA82-AD07-45cd-8B57-983435B9899E} - (no file)
O9 - Extra button: ICQ Lite - {B863453A-26C3-4e1f-A54D-A2CD196348E9} - C:\Program Files\ICQLite\ICQLite.exe
O9 - Extra 'Tools' menuitem: ICQ Lite - {B863453A-26C3-4e1f-A54D-A2CD196348E9} - C:\Program Files\ICQLite\ICQLite.exe
O9 - Extra button: Run IMVU - {d9288080-1baa-4bc4-9cf8-a92d743db949} - C:\Documents and Settings\Jude.JUDE-5PCD8SABXZ\Start Menu\Programs\IMVU\Run IMVU.lnk (file missing)
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: ActiveGS.cab - http://www.virtualapple.org/activegs.cab
O16 - DPF: {05CA9FB0-3E3E-4B36-BF41-0E3A5CAA8CD8} (Office Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=67633
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/eng/partner/200015205/kavwebscan_unicode.cab
O16 - DPF: {1239CC52-59EF-4DFA-8C61-90FFA846DF7E} (Musicnotes Viewer) - http://www.musicnotes.com/download/mnviewer.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?LinkID=39204
O16 - DPF: {39B0684F-D7BF-4743-B050-FDC3F48F7E3B} (FilePlanet Download Control Class) - http://www.fileplanet.com/fpdlmgr/cabs/FPDC_1_0_0_41.cab
O16 - DPF: {3DCEC959-378A-4922-AD7E-FD5C925D927F} (Disney Online Games ActiveX Control) - http://disney.go.com/pirates/online/testActiveX/built/signed/DisneyOnlineGames.cab
O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akamai.net/7/1540/52...pple.com/mickey/us/win/QuickTimeInstaller.exe
O16 - DPF: {5F5F9FB8-878E-4455-95E0-F64B2314288A} (ijjiPlugin2 Class) - http://gamedownload.ijjimax.com/gamedownload/dist/hgstart/HGPlugin11USA.cab
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab
O16 - DPF: {67DABFBF-D0AB-41FA-9C46-CC0F21721616} (DivXBrowserPlugin Object) - http://download.divx.com/player/DivXBrowserPlugin.cab?s6
O16 - DPF: {69EF49E5-FE46-4B92-B5FA-2193AB7A6B8A} (GameLauncher Control) - http://www.acclaim.com/cabs/acclaim_v4.cab
O16 - DPF: {70BA88C8-DAE8-4CE9-92BB-979C4A75F53B} - http://launch.gamespyarcade.com/software/launch/alaunch.cab
O16 - DPF: {77E32299-629F-43C6-AB77-6A1E6D7663F6} (Groove Control) - http://tv.disney.go.com/global/download/otoy/OTOYAX29b.cab
O16 - DPF: {7B41B7AC-3496-4C13-A70F-DE6B60A6A8A8} (MGAME manager Class) - http://www.legendofares.com/download/mgusamanagerv1001.cab
O16 - DPF: {C02226EB-A5D7-4B1F-BD7E-635E46C2288D} (Toontown Installer ActiveX Control) - http://a.download.toontown.com/sv1.0.33.7/ttinst.cab
O16 - DPF: {CC05BC12-2AA2-4AC7-AC81-0E40F83B1ADF} (Live365Player Class) - http://www.live365.com/players/play365.cab
O16 - DPF: {CD995117-98E5-4169-9920-6C12D4C0B548} (HGPlugin9USA Class) - http://gamedownload.ijjimax.com/gamedownload/dist/hgstart/HGPlugin9USA.cab
O16 - DPF: {CF40ACC5-E1BB-4AFF-AC72-04C2F616BCA7} (get_atlcom Class) - http://www.adobe.com/products/acrobat/nos/gp.cab
O16 - DPF: {D8089245-3211-40F6-819B-9E5E92CD61A2} (FlashXControl Object) - https://jackpotcity.microgaming.com/jackpotcity/FlashAX.cab
O16 - DPF: {DB7BF79A-FC51-4B5A-92BC-A65731174380} (InstantAction Game Launcher) - http://www.instantaction.com/download/iaplayer.cab
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\System32\CTsvcCDA.EXE
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: PHPGeekUtil - Unknown owner - (no file)
O23 - Service: PnkBstrA - Unknown owner - C:\WINDOWS\system32\PnkBstrA.exe
O23 - Service: PC Tools Spyware Doctor (SDhelper) - PC Tools Research Pty Ltd - C:\GBA\Spyware Doctor\sdhelp.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe
O24 - Desktop Component 0: (no name) - http://artimpressive.com/wp-content/uploads/2007/07/379858.jpg
O24 - Desktop Component 1: (no name) - http://charas-project.net/resources/Titles/6579_1171637130_small.png
O24 - Desktop Component 2: (no name) - http://upload.wikimedia.org/wikipedia/en/f/f3/SSBB_Cover.jpg
O24 - Desktop Component 3: Privacy Protection - file:///C:\WINDOWS\privacy_danger\index.htm

--
End of file - 10441 bytes


----------
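
Reading the two HijackThis logs side by side (the 6/19 one at the top of the thread and the 6/22 one just above) is where the actual triage happens, so here is an added example, not a tool anyone in the thread posted: a small Python script that parses HJT entry lines, flags the patterns a reviewer would pick out of these logs, and reports which flagged entries are present in both logs, i.e. survived SDFix. The rules (executables autorun from the drive root, eight-letter DLL names in C:\WINDOWS, a hosts-file override, the VAV / WinSpywareProtect / privacy_danger names, "(file missing)" components) are an assumption keyed to this thread's logs, not a general signature set, and the sample input is excerpted from the two logs above.

```python
r"""Triage helper for HijackThis (HJT) logs: flag entries worth a closer look
and show which flagged entries survive from one log to the next.

Added example for this thread. The heuristics are keyed to patterns visible
in the two HJT logs in the thread and are an assumption of what a reviewer
would look for, not a general-purpose malware signature set.
"""
import re

# A HijackThis entry line: a type tag (R0-R3, F0-F3, N1-N4, O1-O24), " - ", body.
ENTRY_RE = re.compile(r"^(?P<type>[RFNO]\d{1,2}) - (?P<body>.*)$")

# (reason, pattern) pairs tried in order against the whole entry line.
# The first match wins, so the more specific rules come first.
RULES = [
    ("hosts-file override (O1); legitimate software rarely needs this",
     re.compile(r"^O1 - Hosts:")),
    ("autorun of an executable sitting directly in the drive root",
     re.compile(r'^O4 - .*\]\s+"?[A-Za-z]:\\[^\\"\s]+\.exe(?:"|\s|$)', re.I)),
    ("random-looking eight-letter DLL loaded from the Windows directory root",
     re.compile(r"[A-Za-z]:\\WINDOWS\\[a-z]{8}\.dll\b", re.I)),
    ("rogue/fake security product named in this thread (assumed list)",
     re.compile(r"winspywareprotect|privacy_danger|\\VAV\\vav\.exe|PCHealthCenter", re.I)),
    ("component still registered but its file is missing",
     re.compile(r"\(file missing\)\s*$")),
]


def parse_entries(log_text):
    """Return the HJT entry lines from a pasted log; process lists, headers
    and blank lines are ignored."""
    return [line.strip() for line in log_text.splitlines()
            if ENTRY_RE.match(line.strip())]


def flag(entry):
    """Return the reason an entry is suspicious, or None if no rule fires."""
    for reason, pattern in RULES:
        if pattern.search(entry):
            return reason
    return None


def triage(log_text):
    """Return [(entry, reason)] for every flagged entry in the log."""
    flagged = []
    for entry in parse_entries(log_text):
        reason = flag(entry)
        if reason:
            flagged.append((entry, reason))
    return flagged


def survivors(before_text, after_text):
    """Flagged entries present verbatim in both logs, i.e. not cleaned up."""
    earlier = {entry for entry, _ in triage(before_text)}
    return [(entry, reason) for entry, reason in triage(after_text) if entry in earlier]


# Entry lines excerpted from the two HijackThis logs posted in this thread
# (6/19 before SDFix, 6/22 after), trimmed to the lines the rules care about.
LOG_BEFORE = r"""
O1 - Hosts: 92.48.81.32 iHabbixReloaded
O3 - Toolbar: vrmdtneg - {B4B8E731-19DA-43DF-9E91-4B33E8478EF3} - C:\WINDOWS\vrmdtneg.dll
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [Antivirus] C:\Program Files\VAV\vav.exe
O4 - HKLM\..\Run: [SysF.exe] C:\SysF.exe
O4 - HKLM\..\Run: [Sys10.exe] C:\Sys10.exe
O4 - HKCU\..\Run: [WinSpywareProtect] "C:\Documents and Settings\All Users.WINDOWS\Application Data\ADSL Software Ltd\WinSpywareProtect\winspywareprotect.exe" /autorun
O21 - SSODL: wpvmqosg - {7E2A8AC8-6879-43DF-931E-DCE8947C4D29} - C:\WINDOWS\wpvmqosg.dll (file missing)
O21 - SSODL: xvorfwbd - {8415D1F7-848A-4804-B8F2-01B194B7FE62} - C:\WINDOWS\xvorfwbd.dll
O24 - Desktop Component 3: Privacy Protection - file:///C:\WINDOWS\privacy_danger\index.htm
"""

LOG_AFTER = r"""
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [Antivirus] C:\Program Files\VAV\vav.exe
O4 - HKCU\..\Run: [WinSpywareProtect] "C:\Documents and Settings\All Users.WINDOWS\Application Data\ADSL Software Ltd\WinSpywareProtect\winspywareprotect.exe" /autorun
O24 - Desktop Component 3: Privacy Protection - file:///C:\WINDOWS\privacy_danger\index.htm
"""

if __name__ == "__main__":
    for label, text in (("before SDFix", LOG_BEFORE), ("after SDFix", LOG_AFTER)):
        print(f"== {label}: {len(triage(text))} flagged")
        for entry, reason in triage(text):
            print(f"  {reason}\n    {entry}")
    print("== flagged entries still present after cleanup:")
    for entry, _ in survivors(LOG_BEFORE, LOG_AFTER):
        print("  " + entry)
```

Run it as-is to see the before/after lists; for a real case, paste the full logs in place of the excerpts. Matching survivors on the exact entry line is deliberate: an entry whose path or arguments changed between logs should be re-reviewed rather than treated as the same item, and the rogue "Antivirus" Run key and the WinSpywareProtect autorun are exactly the kind of thing a file-deleting fixtool can leave behind when it only removed the files it knew about.

----------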



## Cookiegal (Aug 27, 2003)

Please visit *Combofix Guide & Instructions * for instructions for installing the recovery console and downloading and running ComboFix:

Post the log from ComboFix when you've accomplished that along with a new HijackThis log.

Important notes regarding ComboFix:

ComboFix may reset a number of Internet Explorer's settings, including making it the default browser. This can easily be changed once we're finished.

ComboFix also prevents autorun of ALL CDs, floppies and USB devices to assist with malware removal & increase security. If this is an issue or makes it difficult for you, please let me know. This can be undone manually when we're finished.


----------



## xintrop (Dec 5, 2007)

During ComboFix's "Preparing for Log Report", a "SpywareProtect alert" constantly slid across my screen informing me of all the Trojans and worms I am infected with. Pop-ups happened: "Win Spy Protect", "Upgrade to full version", etc. I have no idea how I have any version of this on my PC?
Anyway here are my logs. Thanks.


----------



## xintrop (Dec 5, 2007)

ComboFix 08-06-20.4 - Jude 2008-06-24 18:46:19.7 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.613 [GMT -4:00]
Running from: C:\Documents and Settings\Jude.JUDE-5PCD8SABXZ\Desktop\ComboFix.exe
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Documents and Settings\Jude.JUDE-5PCD8SABXZ\Local Settings\Temporary Internet Files\ijjistarter_verinfo.dat
C:\WINDOWS\eaqb.exe

.
((((((((((((((((((((((((( Files Created from 2008-05-24 to 2008-06-24 )))))))))))))))))))))))))))))))
.

2008-06-22 17:25 . 2008-06-22 17:25 d--------	C:\SDFix
2008-06-19 21:04 . 2008-06-16 17:18	30,720	--a------	C:\SysF.exe
2008-06-19 18:57 . 2008-06-19 18:57 d--------	C:\Program Files\VAV
2008-06-19 18:57 . 2008-06-19 18:57 d--------	C:\Program Files\PCHealthCenter
2008-06-19 18:57 . 2008-05-27 16:13	117,248	--a------	C:\WINDOWS\system32\vav.cpl
2008-06-19 18:56 . 2008-06-19 18:56 d--------	C:\Documents and Settings\All Users.WINDOWS\Application Data\ADSL Software Ltd
2008-06-16 22:31 . 2008-04-14 07:01	272,128	-----c---	C:\WINDOWS\system32\dllcache\bthport.sys
2008-06-06 19:57 . 2008-06-20 23:26	54,156	--ah-----	C:\WINDOWS\QTFont.qfn
2008-06-06 19:57 . 2008-06-06 19:57	1,409	--a------	C:\WINDOWS\QTFont.for
2008-05-29 00:55 . 2008-05-29 03:26 d--------	C:\Jared-Moved

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-06-24 22:43	---------	d-----w	C:\Documents and Settings\Jude.JUDE-5PCD8SABXZ\Application Data\DNA
2008-06-24 22:19	---------	d-----w	C:\Documents and Settings\Jude.JUDE-5PCD8SABXZ\Application Data\mIRC
2008-06-24 19:31	1,786	--sha-w	C:\WINDOWS\system32\KGyGaAvL.sys
2008-06-23 22:03	---------	d-----w	C:\Program Files\mIRC
2008-06-23 00:10	28,990,982	----a-w	C:\WINDOWS\Internet Logs\tvDebug.zip
2008-06-20 03:18	---------	d-----w	C:\Program Files\ShortKeys2
2008-06-15 19:16	---------	d-----w	C:\Program Files\iHabbix Ltd
2008-06-13 20:56	88	--sh--r	C:\Documents and Settings\All Users.WINDOWS\Application Data\0B328F544C.sys
2008-06-13 20:56	1,682	--sha-w	C:\Documents and Settings\All Users.WINDOWS\Application Data\KGyGaAvL.sys
2008-06-08 14:59	---------	d--h--w	C:\Documents and Settings\Jude.JUDE-5PCD8SABXZ\Application Data\ijjigame
2008-06-03 22:32	---------	d-----w	C:\Program Files\Common Files\Adobe
2008-06-03 20:38	---------	d-----w	C:\Documents and Settings\Jude.JUDE-5PCD8SABXZ\Application Data\GarageGames
2008-05-28 22:50	---------	d-----w	C:\Documents and Settings\Jude.JUDE-5PCD8SABXZ\Application Data\BitTorrent
2008-05-09 19:56	---------	d-----w	C:\Program Files\BYOND
2008-05-08 12:28	202,752	----a-w	C:\WINDOWS\system32\drivers\rmcast.sys
2008-05-07 05:18	1,287,680	----a-w	C:\WINDOWS\system32\quartz.dll
2008-04-30 21:26	286,720	----a-w	C:\WINDOWS\iun506.exe
2008-04-29 13:40	---------	d---a-w	C:\Documents and Settings\All Users.WINDOWS\Application Data\TEMP
2008-04-29 13:38	---------	d-----w	C:\Program Files\SpywareBlaster
2008-04-26 00:42	---------	d-----w	C:\Program Files\Malwarebytes' Anti-Malware
2008-04-25 01:20	---------	d-----w	C:\Documents and Settings\Jude.JUDE-5PCD8SABXZ\Application Data\Malwarebytes
2008-04-25 01:20	---------	d-----w	C:\Documents and Settings\All Users.WINDOWS\Application Data\Malwarebytes
2008-04-21 06:56	666,624	----a-w	C:\WINDOWS\system32\wininet.dll
2008-03-27 08:12	151,583	----a-w	C:\WINDOWS\system32\msjint40.dll
2008-03-12 19:07	6,605	----a-w	C:\Program Files\INSTALL.LOG
2007-07-18 23:06	9	-c--a-w	C:\Program Files\install_log.dat
2006-01-10 22:25	32	-c--a-r	C:\Documents and Settings\All Users\hash.dat
2005-08-27 01:11	4	----a-w	C:\Program Files\Common Files\Cvtaqlog.dat
2005-02-02 07:30	487,424	----a-w	C:\Documents and Settings\Jude.JUDE-5PCD8SABXZ\chatlnk.exe
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown 
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"BitTorrent DNA"="C:\Program Files\DNA\btdna.exe" [2008-05-08 17:20 289088]
"WinSpywareProtect"="C:\Documents and Settings\All Users.WINDOWS\Application Data\ADSL Software Ltd\WinSpywareProtect\winspywareprotect.exe" [2008-06-19 18:56 1159680]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]
"Shockwave Updater"="C:\WINDOWS\system32\Adobe\SHOCKW~1\SWHELP~1.EXE -Update -1100429 -Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; byond_4.0; Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1) ; .NET CLR 1.1.4322; .NET" [ ]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Disc Detector"="C:\Program Files\Creative\ShareDLL\CtNotify.exe" [2001-08-01 03:00 191488]
"ISUSPM Startup"="C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe" [2004-06-16 06:03 221184]
"avast!"="C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe" [2007-12-04 09:00 79224]
"NvCplDaemon"="C:\WINDOWS\system32\NvCpl.dll" [2003-10-06 15:16 5058560]
"ZoneAlarm Client"="C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe" [2007-03-09 00:02 919280]
"EPSON Stylus CX4200 Series"="C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATIAEA.EXE" [2005-03-08 05:00 98304]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2007-12-11 11:56 286720]
"Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-01-11 22:16 39792]
"Antivirus"="C:\Program Files\VAV\vav.exe" [2008-06-11 12:36 325632]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"Spyware Doctor"="C:\GBA\Spyware Doctor\swdoctor.exe" [2005-12-13 15:13 1976544]

C:\Documents and Settings\All Users.WINDOWS\Start Menu\Programs\Startup\
Photo Loader supervisory.lnk - C:\Program Files\CASIO\Photo Loader\Plauto.exe [2004-03-28 23:02:53 217088]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"msacm.ctmp3"= C:\WINDOWS\System32\ctmp3.acm
"aux"= ctwdm32.dll
"vidc.ir32"= C:\WINDOWS\system32\ir32_32.dll
"vidc.ir31"= C:\WINDOWS\system32\ir32_32.dll

[HKLM\~\startupfolder\C:^Documents and Settings^All Users.WINDOWS^Start Menu^Programs^Startup^Google Updater.lnk]
path=C:\Documents and Settings\All Users.WINDOWS\Start Menu\Programs\Startup\Google Updater.lnk
backup=C:\WINDOWS\pss\Google Updater.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users.WINDOWS^Start Menu^Programs^Startup^Microsoft Find Fast.lnk]
path=C:\Documents and Settings\All Users.WINDOWS\Start Menu\Programs\Startup\Microsoft Find Fast.lnk
backup=C:\WINDOWS\pss\Microsoft Find Fast.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users.WINDOWS^Start Menu^Programs^Startup^Office Startup.lnk]
path=C:\Documents and Settings\All Users.WINDOWS\Start Menu\Programs\Startup\Office Startup.lnk
backup=C:\WINDOWS\pss\Office Startup.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users.WINDOWS^Start Menu^Programs^Startup^Photo Loader supervisory.lnk]
path=C:\Documents and Settings\All Users.WINDOWS\Start Menu\Programs\Startup\Photo Loader supervisory.lnk
backup=C:\WINDOWS\pss\Photo Loader supervisory.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users.WINDOWS^Start Menu^Programs^Startup^ShortKeys 2.lnk]
path=C:\Documents and Settings\All Users.WINDOWS\Start Menu\Programs\Startup\ShortKeys 2.lnk
backup=C:\WINDOWS\pss\ShortKeys 2.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^Jude.JUDE-5PCD8SABXZ^Start Menu^Programs^Startup^GameSpot Download Manager.lnk]
path=C:\Documents and Settings\Jude.JUDE-5PCD8SABXZ\Start Menu\Programs\Startup\GameSpot Download Manager.lnk
backup=C:\WINDOWS\pss\GameSpot Download Manager.lnkStartup

[HKLM\~\startupfolder\C:^Documents and Settings^Jude.JUDE-5PCD8SABXZ^Start Menu^Programs^Startup^hamachi.lnk]
path=C:\Documents and Settings\Jude.JUDE-5PCD8SABXZ\Start Menu\Programs\Startup\hamachi.lnk
backup=C:\WINDOWS\pss\hamachi.lnkStartup

[HKLM\~\startupfolder\C:^Documents and Settings^Jude.JUDE-5PCD8SABXZ^Start Menu^Programs^Startup^IMVU.lnk]
path=C:\Documents and Settings\Jude.JUDE-5PCD8SABXZ\Start Menu\Programs\Startup\IMVU.lnk
backup=C:\WINDOWS\pss\IMVU.lnkStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]
--a------ 2008-01-11 22:16 39792 C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AIM Logger]
C:\PROGRA~1\Nalsoft\AIMLOG~1\AIMLogger.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BitTorrent]
--a------ 2008-03-17 23:31 587568 C:\Program Files\BitTorrent\bittorrent.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ICQ Lite]
--a------ 2006-07-11 06:06 3144800 C:\Program Files\ICQLite\ICQLite.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ISUSScheduler]
--a------ 2004-06-16 06:03 81920 C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
--a------ 2007-11-15 14:11 267048 C:\Program Files\iTunes\iTunesHelper.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroCheck]
--a------ 2001-07-09 05:50 155648 C:\WINDOWS\System32\NeroCheck.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\nwiz]
--a------ 2003-10-06 15:16 741376 C:\WINDOWS\system32\nwiz.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
--a------ 2007-12-11 11:56 286720 C:\Program Files\QuickTime\qttask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\ZoneLabsFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"C:\\Program Files\\LimeWire\\LimeWire.exe"=
"C:\\Program Files\\ICQLite\\ICQLite.exe"=
"C:\\Program Files\\DNA\\btdna.exe"=
"C:\\Program Files\\BitTorrent\\bittorrent.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"90:TCP"= 90:TCP:Kinger's Hotel

S3 dump_wmimmc;dump_wmimmc;C:\AAAAAA\ENGLISH\Gunbound Revolution\GameGuard\dump_wmimmc.sys []

.
Contents of the 'Scheduled Tasks' folder
"2008-06-24 07:30:00 C:\WINDOWS\Tasks\RegSweep Scheduled Scan.job"
- C:\Program Files\RegSweep\RegSweep.exe
- C:\Program Files\RegSweep
.
**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-06-24 18:49:36
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

HKLM\Software\Microsoft\Windows\CurrentVersion\Run
Disc Detector = C:\Program Files\Creative\ShareDLL\CtNotify.exe?X???X???????????? C?????Disc Detector?B???A???????A?? [email protected][email protected]?? [email protected][email protected][email protected][email protected][email protected]?9?????????????????B?????\?????????????????????????????B

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2008-06-24 19:06:34
ComboFix-quarantined-files.txt 2008-06-24 23:06:30

Pre-Run: 25,354,166,272 bytes free
Post-Run: 25,422,249,984 bytes free

160	--- E O F ---	2008-06-19 00:53:23


----------



## xintrop (Dec 5, 2007)

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 7:07:24 PM, on 6/24/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\WINDOWS\System32\CTsvcCDA.EXE
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\system32\PnkBstrA.exe
C:\GBA\Spyware Doctor\sdhelp.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\WINDOWS\system32\devldr32.exe
C:\Program Files\Creative\ShareDLL\CtNotify.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATIAEA.EXE
C:\Program Files\VAV\vav.exe
C:\Program Files\DNA\btdna.exe
C:\Documents and Settings\All Users.WINDOWS\Application Data\ADSL Software Ltd\WinSpywareProtect\winspywareprotect.exe
C:\Program Files\Creative\ShareDLL\MediaDet.Exe
C:\Program Files\CASIO\Photo Loader\Plauto.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\system32\Adobe\SHOCKW~1\SWHELP~1.EXE
C:\WINDOWS\system32\Adobe\SHOCKW~1\SWHELP~1.EXE
C:\WINDOWS\system32\notepad.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: CCHelper Class - {0CF0B8EE-6596-11D5-A98E-0003470BB48E} - C:\Program Files\Panicware\Pop-Up Stopper\CCHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: PCTools Site Guard - {5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB} - C:\GBA\SPYWAR~1\tools\iesdsg.dll
O3 - Toolbar: Pa&nicware Pop-Up Stopper - {7E82235C-F31E-46CB-AF9F-1ADD94C585FF} - C:\Program Files\Panicware\Pop-Up Stopper\pstopper.dll
O4 - HKLM\..\Run: [Disc Detector] C:\Program Files\Creative\ShareDLL\CtNotify.exe
O4 - HKLM\..\Run: [ISUSPM Startup] "C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe" -startup
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [NvCplDaemon] "RUNDLL32.EXE" C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [ZoneAlarm Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [EPSON Stylus CX4200 Series] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATIAEA.EXE /P26 "EPSON Stylus CX4200 Series" /O6 "USB001" /M "Stylus CX4200"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [Antivirus] C:\Program Files\VAV\vav.exe
O4 - HKCU\..\Run: [BitTorrent DNA] "C:\Program Files\DNA\btdna.exe"
O4 - HKCU\..\Run: [WinSpywareProtect] "C:\Documents and Settings\All Users.WINDOWS\Application Data\ADSL Software Ltd\WinSpywareProtect\winspywareprotect.exe" /autorun
O4 - HKUS\S-1-5-18\..\Run: [Spyware Doctor] "C:\GBA\Spyware Doctor\swdoctor.exe" /Q (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [Spyware Doctor] "C:\GBA\Spyware Doctor\swdoctor.exe" /Q (User 'Default user')
O4 - Global Startup: Photo Loader supervisory.lnk = C:\Program Files\CASIO\Photo Loader\Plauto.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra button: Spyware Doctor - {2D663D1A-8670-49D9-A1A5-4C56B4E14E84} - C:\GBA\SPYWAR~1\tools\iesdpb.dll
O9 - Extra button: ICQ Pro - {6224f700-cba3-4071-b251-47cb894244cd} - C:\PROGRA~1\ICQ\ICQ.exe
O9 - Extra 'Tools' menuitem: ICQ - {6224f700-cba3-4071-b251-47cb894244cd} - C:\PROGRA~1\ICQ\ICQ.exe
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: (no name) - {AFC3FA82-AD07-45cd-8B57-983435B9899E} - (no file)
O9 - Extra button: ICQ Lite - {B863453A-26C3-4e1f-A54D-A2CD196348E9} - C:\Program Files\ICQLite\ICQLite.exe
O9 - Extra 'Tools' menuitem: ICQ Lite - {B863453A-26C3-4e1f-A54D-A2CD196348E9} - C:\Program Files\ICQLite\ICQLite.exe
O9 - Extra button: Run IMVU - {d9288080-1baa-4bc4-9cf8-a92d743db949} - C:\Documents and Settings\Jude.JUDE-5PCD8SABXZ\Start Menu\Programs\IMVU\Run IMVU.lnk (file missing)
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: ActiveGS.cab - http://www.virtualapple.org/activegs.cab
O16 - DPF: {05CA9FB0-3E3E-4B36-BF41-0E3A5CAA8CD8} (Office Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=67633
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/eng/partner/200015205/kavwebscan_unicode.cab
O16 - DPF: {1239CC52-59EF-4DFA-8C61-90FFA846DF7E} (Musicnotes Viewer) - http://www.musicnotes.com/download/mnviewer.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?LinkID=39204
O16 - DPF: {39B0684F-D7BF-4743-B050-FDC3F48F7E3B} (FilePlanet Download Control Class) - http://www.fileplanet.com/fpdlmgr/cabs/FPDC_1_0_0_41.cab
O16 - DPF: {3DCEC959-378A-4922-AD7E-FD5C925D927F} (Disney Online Games ActiveX Control) - http://disney.go.com/pirates/online/testActiveX/built/signed/DisneyOnlineGames.cab
O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akamai.net/7/1540/52...pple.com/mickey/us/win/QuickTimeInstaller.exe
O16 - DPF: {5F5F9FB8-878E-4455-95E0-F64B2314288A} (ijjiPlugin2 Class) - http://gamedownload.ijjimax.com/gamedownload/dist/hgstart/HGPlugin11USA.cab
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab
O16 - DPF: {67DABFBF-D0AB-41FA-9C46-CC0F21721616} (DivXBrowserPlugin Object) - http://download.divx.com/player/DivXBrowserPlugin.cab?s6
O16 - DPF: {69EF49E5-FE46-4B92-B5FA-2193AB7A6B8A} (GameLauncher Control) - http://www.acclaim.com/cabs/acclaim_v4.cab
O16 - DPF: {70BA88C8-DAE8-4CE9-92BB-979C4A75F53B} - http://launch.gamespyarcade.com/software/launch/alaunch.cab
O16 - DPF: {77E32299-629F-43C6-AB77-6A1E6D7663F6} (Groove Control) - http://tv.disney.go.com/global/download/otoy/OTOYAX29b.cab
O16 - DPF: {7B41B7AC-3496-4C13-A70F-DE6B60A6A8A8} (MGAME manager Class) - http://www.legendofares.com/download/mgusamanagerv1001.cab
O16 - DPF: {C02226EB-A5D7-4B1F-BD7E-635E46C2288D} (Toontown Installer ActiveX Control) - http://a.download.toontown.com/sv1.0.33.7/ttinst.cab
O16 - DPF: {CC05BC12-2AA2-4AC7-AC81-0E40F83B1ADF} (Live365Player Class) - http://www.live365.com/players/play365.cab
O16 - DPF: {CD995117-98E5-4169-9920-6C12D4C0B548} (HGPlugin9USA Class) - http://gamedownload.ijjimax.com/gamedownload/dist/hgstart/HGPlugin9USA.cab
O16 - DPF: {CF40ACC5-E1BB-4AFF-AC72-04C2F616BCA7} (get_atlcom Class) - http://www.adobe.com/products/acrobat/nos/gp.cab
O16 - DPF: {D8089245-3211-40F6-819B-9E5E92CD61A2} (FlashXControl Object) - https://jackpotcity.microgaming.com/jackpotcity/FlashAX.cab
O16 - DPF: {DB7BF79A-FC51-4B5A-92BC-A65731174380} (InstantAction Game Launcher) - http://www.instantaction.com/download/iaplayer.cab
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\System32\CTsvcCDA.EXE
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: PHPGeekUtil - Unknown owner - (no file)
O23 - Service: PnkBstrA - Unknown owner - C:\WINDOWS\system32\PnkBstrA.exe
O23 - Service: PC Tools Spyware Doctor (SDhelper) - PC Tools Research Pty Ltd - C:\GBA\Spyware Doctor\sdhelp.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe
O24 - Desktop Component 0: (no name) - http://artimpressive.com/wp-content/uploads/2007/07/379858.jpg
O24 - Desktop Component 1: (no name) - http://charas-project.net/resources/Titles/6579_1171637130_small.png
O24 - Desktop Component 2: (no name) - http://upload.wikimedia.org/wikipedia/en/f/f3/SSBB_Cover.jpg

--
End of file - 10312 bytes


----------



## Cookiegal (Aug 27, 2003)

Open Notepad and copy and paste the text in the code box below into it:


```
File::
C:\SysF.exe
C:\WINDOWS\system32\vav.cpl

Folder::
C:\Program Files\VAV
C:\Program Files\PCHealthCenter
C:\Documents and Settings\All Users.WINDOWS\Application Data\ADSL Software Ltd

DirLook::
C:\Jared-Moved

Registry::
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"WinSpywareProtect"=-
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Antivirus"=-
```
Save the file to your desktop and name it CFScript.txt

Then drag the CFScript.txt into the ComboFix.exe as shown in the screenshot below.

This will start ComboFix again. It may ask to reboot. Post the contents of Combofix.txt in your next reply together with a new HijackThis log.
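Once the second ComboFix log comes back, the check a helper actually wants is mechanical: did every registry value the CFScript marked with `=-` disappear from the "Reg Loading Points" section, did every `File::` path show up under "Other Deletions", and did anything vanish that the script never asked for? The Python below is an added example written for this thread, not code from ComboFix or its author; the log and script text are constructed excerpts modelled on the logs posted above, and the function names (`parse_run_entries`, `verify_fix`, and so on) are my own.

```python
import re

# Constructed excerpt modelled on the "Reg Loading Points" section of the
# first ComboFix log in this thread (before CFScript.txt was run).
BEFORE_LOG = r"""
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"BitTorrent DNA"="C:\Program Files\DNA\btdna.exe" [2008-05-08 17:20 289088]
"WinSpywareProtect"="C:\Documents and Settings\All Users.WINDOWS\Application Data\ADSL Software Ltd\WinSpywareProtect\winspywareprotect.exe" [2008-06-19 18:56 1159680]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"avast!"="C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe" [2007-12-04 09:00 79224]
"Antivirus"="C:\Program Files\VAV\vav.exe" [2008-06-11 12:36 325632]
"""

# Constructed excerpt modelled on the second log (after the script ran).
AFTER_LOG = r"""
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
C:\Program Files\VAV\vav.exe
C:\SysF.exe
C:\WINDOWS\system32\vav.cpl

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"BitTorrent DNA"="C:\Program Files\DNA\btdna.exe" [2008-05-08 17:20 289088]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"avast!"="C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe" [2007-12-04 09:00 79224]
"""

# The CFScript from the post above, trimmed to its File:: and Registry:: sections.
CFSCRIPT = r"""
File::
C:\SysF.exe
C:\WINDOWS\system32\vav.cpl

Registry::
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"WinSpywareProtect"=-
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Antivirus"=-
"""

KEY_RE = re.compile(r'^\[(.+)\]\s*$')                       # [HKEY_...\Run]
VALUE_RE = re.compile(r'^"([^"]+)"="(.*)"\s*(?:\[[^\]]*\])?\s*$')  # "name"="cmd" [stamp]
DELETE_RE = re.compile(r'^"([^"]+)"=-\s*$')                  # "name"=-  (regedit delete)


def parse_run_entries(log):
    """Map (key, value name) -> command for every value under a [KEY] header.
    Registry names are case-insensitive, so both parts are lower-cased."""
    entries, key = {}, None
    for line in log.splitlines():
        m = KEY_RE.match(line)
        if m:
            key = m.group(1).lower()
            continue
        m = VALUE_RE.match(line)
        if m and key:
            entries[(key, m.group(1).lower())] = m.group(2)
    return entries


def parse_cfscript(script):
    """Split a CFScript into its 'Section::' blocks, e.g. {'File': [...], 'Registry': [...]}."""
    sections, current = {}, None
    for line in (l.strip() for l in script.splitlines()):
        if not line:
            continue
        if line.endswith('::'):
            current = line[:-2]
            sections[current] = []
        elif current:
            sections[current].append(line)
    return sections


def registry_deletions(script):
    """(key, name) pairs the Registry:: section asks ComboFix to remove."""
    wanted, key = set(), None
    for line in parse_cfscript(script).get('Registry', []):
        m = KEY_RE.match(line)
        if m:
            key = m.group(1).lower()
            continue
        m = DELETE_RE.match(line)
        if m and key:
            wanted.add((key, m.group(1).lower()))
    return wanted


def deleted_files(log):
    """Drive-letter paths listed under the 'Other Deletions' banner."""
    deleted, in_section = set(), False
    for line in log.splitlines():
        if 'Other Deletions' in line:
            in_section = True
            continue
        if in_section and line.startswith('((('):
            break                                   # next ComboFix banner
        if in_section and re.match(r'^[A-Za-z]:\\', line):
            deleted.add(line.strip().lower())
    return deleted


def verify_fix(before_log, after_log, script):
    """Compare what the script asked for with what the second log shows."""
    before, after = parse_run_entries(before_log), parse_run_entries(after_log)
    wanted = registry_deletions(script)
    files_wanted = {p.lower() for p in parse_cfscript(script).get('File', [])}
    return {
        'removed': sorted(k for k in wanted if k in before and k not in after),
        'still_present': sorted(k for k in wanted if k in after),
        'collateral': sorted(k for k in before if k not in after and k not in wanted),
        'files_not_deleted': sorted(files_wanted - deleted_files(after_log)),
    }


if __name__ == '__main__':
    for label, items in verify_fix(BEFORE_LOG, AFTER_LOG, CFSCRIPT).items():
        print(f'{label}: {items}')
```

Run it as-is and `removed` lists the two Run values from the script while `still_present`, `collateral` and `files_not_deleted` come back empty; a non-empty `still_present` is the signal to ask for another log rather than declare the machine clean, and a non-empty `collateral` flags a legitimate autostart that went missing and should be explained before moving on.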


----------



## xintrop (Dec 5, 2007)

ComboFix 08-06-20.4 - Jude 2008-06-25 17:33:18.8 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.655 [GMT -4:00]
Running from: C:\Documents and Settings\Jude.JUDE-5PCD8SABXZ\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\Jude.JUDE-5PCD8SABXZ\Desktop\CFScript.txt
* Created a new restore point

FILE ::
C:\SysF.exe
C:\WINDOWS\system32\vav.cpl
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Documents and Settings\All Users.WINDOWS\Application Data\ADSL Software Ltd
C:\Documents and Settings\All Users.WINDOWS\Application Data\ADSL Software Ltd\WinSpywareProtect\LOG\20080619210602000.log
C:\Documents and Settings\All Users.WINDOWS\Application Data\ADSL Software Ltd\WinSpywareProtect\LOG\20080619231936671.log
C:\Documents and Settings\All Users.WINDOWS\Application Data\ADSL Software Ltd\WinSpywareProtect\LOG\20080620061339796.log
C:\Documents and Settings\All Users.WINDOWS\Application Data\ADSL Software Ltd\WinSpywareProtect\LOG\20080620172902468.log
C:\Documents and Settings\All Users.WINDOWS\Application Data\ADSL Software Ltd\WinSpywareProtect\LOG\20080622095527218.log
C:\Documents and Settings\All Users.WINDOWS\Application Data\ADSL Software Ltd\WinSpywareProtect\LOG\20080622204517937.log
C:\Documents and Settings\All Users.WINDOWS\Application Data\ADSL Software Ltd\WinSpywareProtect\LOG\20080623101048843.log
C:\Documents and Settings\All Users.WINDOWS\Application Data\ADSL Software Ltd\WinSpywareProtect\LOG\20080625005219921.log
C:\Documents and Settings\All Users.WINDOWS\Application Data\ADSL Software Ltd\WinSpywareProtect\LOG\20080625103753515.log
C:\Documents and Settings\All Users.WINDOWS\Application Data\ADSL Software Ltd\WinSpywareProtect\winspywareprotect.exe
C:\Program Files\PCHealthCenter
C:\Program Files\PCHealthCenter\0.exe
C:\Program Files\PCHealthCenter\0.gif
C:\Program Files\PCHealthCenter\1.exe
C:\Program Files\PCHealthCenter\1.gif
C:\Program Files\PCHealthCenter\2.exe
C:\Program Files\PCHealthCenter\2.gif
C:\Program Files\PCHealthCenter\3.exe
C:\Program Files\PCHealthCenter\3.gif
C:\Program Files\PCHealthCenter\4.exe
C:\Program Files\PCHealthCenter\5.exe
C:\Program Files\PCHealthCenter\sex1.ico
C:\Program Files\PCHealthCenter\sex2.ico
C:\Program Files\VAV
C:\Program Files\VAV\vav.cpl
C:\Program Files\VAV\vav.exe
C:\Program Files\VAV\vav0.dat
C:\Program Files\VAV\vav1.dat
C:\SysF.exe
C:\WINDOWS\system32\vav.cpl

.
((((((((((((((((((((((((( Files Created from 2008-05-25 to 2008-06-25 )))))))))))))))))))))))))))))))
.

2008-06-22 17:25 . 2008-06-22 17:25 d--------	C:\SDFix
2008-06-16 22:31 . 2008-04-14 07:01	272,128	-----c---	C:\WINDOWS\system32\dllcache\bthport.sys
2008-05-29 00:55 . 2008-05-29 03:26 d--------	C:\Jared-Moved

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-06-25 21:38	---------	d-----w	C:\Documents and Settings\Jude.JUDE-5PCD8SABXZ\Application Data\DNA
2008-06-25 04:09	---------	d-----w	C:\Documents and Settings\Jude.JUDE-5PCD8SABXZ\Application Data\mIRC
2008-06-24 23:10	---------	d-----w	C:\Program Files\mIRC
2008-06-20 03:18	---------	d-----w	C:\Program Files\ShortKeys2
2008-06-15 19:16	---------	d-----w	C:\Program Files\iHabbix Ltd
2008-06-13 20:56	88	--sh--r	C:\Documents and Settings\All Users.WINDOWS\Application Data\0B328F544C.sys
2008-06-13 20:56	1,682	--sha-w	C:\Documents and Settings\All Users.WINDOWS\Application Data\KGyGaAvL.sys
2008-06-08 14:59	---------	d--h--w	C:\Documents and Settings\Jude.JUDE-5PCD8SABXZ\Application Data\ijjigame
2008-06-03 22:32	---------	d-----w	C:\Program Files\Common Files\Adobe
2008-06-03 20:38	---------	d-----w	C:\Documents and Settings\Jude.JUDE-5PCD8SABXZ\Application Data\GarageGames
2008-05-28 22:50	---------	d-----w	C:\Documents and Settings\Jude.JUDE-5PCD8SABXZ\Application Data\BitTorrent
2008-05-09 19:56	---------	d-----w	C:\Program Files\BYOND
2008-05-08 12:28	202,752	----a-w	C:\WINDOWS\system32\drivers\rmcast.sys
2008-04-30 21:26	286,720	----a-w	C:\WINDOWS\iun506.exe
2008-04-29 13:40	---------	d---a-w	C:\Documents and Settings\All Users.WINDOWS\Application Data\TEMP
2008-04-29 13:38	---------	d-----w	C:\Program Files\SpywareBlaster
2008-04-26 00:42	---------	d-----w	C:\Program Files\Malwarebytes' Anti-Malware
2008-04-25 01:20	---------	d-----w	C:\Documents and Settings\Jude.JUDE-5PCD8SABXZ\Application Data\Malwarebytes
2008-04-25 01:20	---------	d-----w	C:\Documents and Settings\All Users.WINDOWS\Application Data\Malwarebytes
2008-03-12 19:07	6,605	----a-w	C:\Program Files\INSTALL.LOG
2007-07-18 23:06	9	-c--a-w	C:\Program Files\install_log.dat
2006-01-10 22:25	32	-c--a-r	C:\Documents and Settings\All Users\hash.dat
2005-08-27 01:11	4	----a-w	C:\Program Files\Common Files\Cvtaqlog.dat
2005-02-02 07:30	487,424	----a-w	C:\Documents and Settings\Jude.JUDE-5PCD8SABXZ\chatlnk.exe
.

(((((((((((((((((((((((((((((((((((((((((((( Look )))))))))))))))))))))))))))))))))))))))))))))))))))))))))
.

---- Directory of C:\Jared-Moved ----

((((((((((((((((((((((((((((( [email protected]_19.06.12.18 )))))))))))))))))))))))))))))))))))))))))
.
- 2008-06-23 14:10:12	2,048	--s-a-w	C:\WINDOWS\bootstat.dat
+ 2008-06-25 21:40:11	2,048	--s-a-w	C:\WINDOWS\bootstat.dat
+ 2008-06-25 21:40:28	16,384	----atw	C:\WINDOWS\Temp\Perflib_Perfdata_3dc.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown 
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"BitTorrent DNA"="C:\Program Files\DNA\btdna.exe" [2008-05-08 17:20 289088]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Disc Detector"="C:\Program Files\Creative\ShareDLL\CtNotify.exe" [2001-08-01 03:00 191488]
"ISUSPM Startup"="C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe" [2004-06-16 06:03 221184]
"avast!"="C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe" [2007-12-04 09:00 79224]
"NvCplDaemon"="C:\WINDOWS\system32\NvCpl.dll" [2003-10-06 15:16 5058560]
"ZoneAlarm Client"="C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe" [2007-03-09 00:02 919280]
"EPSON Stylus CX4200 Series"="C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATIAEA.EXE" [2005-03-08 05:00 98304]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2007-12-11 11:56 286720]
"Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-01-11 22:16 39792]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"Spyware Doctor"="C:\GBA\Spyware Doctor\swdoctor.exe" [2005-12-13 15:13 1976544]

C:\Documents and Settings\All Users.WINDOWS\Start Menu\Programs\Startup\
Photo Loader supervisory.lnk - C:\Program Files\CASIO\Photo Loader\Plauto.exe [2004-03-28 23:02:53 217088]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"msacm.ctmp3"= C:\WINDOWS\System32\ctmp3.acm
"aux"= ctwdm32.dll
"vidc.ir32"= C:\WINDOWS\system32\ir32_32.dll
"vidc.ir31"= C:\WINDOWS\system32\ir32_32.dll

[HKLM\~\startupfolder\C:^Documents and Settings^All Users.WINDOWS^Start Menu^Programs^Startup^Google Updater.lnk]
path=C:\Documents and Settings\All Users.WINDOWS\Start Menu\Programs\Startup\Google Updater.lnk
backup=C:\WINDOWS\pss\Google Updater.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users.WINDOWS^Start Menu^Programs^Startup^Microsoft Find Fast.lnk]
path=C:\Documents and Settings\All Users.WINDOWS\Start Menu\Programs\Startup\Microsoft Find Fast.lnk
backup=C:\WINDOWS\pss\Microsoft Find Fast.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users.WINDOWS^Start Menu^Programs^Startup^Office Startup.lnk]
path=C:\Documents and Settings\All Users.WINDOWS\Start Menu\Programs\Startup\Office Startup.lnk
backup=C:\WINDOWS\pss\Office Startup.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users.WINDOWS^Start Menu^Programs^Startup^Photo Loader supervisory.lnk]
path=C:\Documents and Settings\All Users.WINDOWS\Start Menu\Programs\Startup\Photo Loader supervisory.lnk
backup=C:\WINDOWS\pss\Photo Loader supervisory.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users.WINDOWS^Start Menu^Programs^Startup^ShortKeys 2.lnk]
path=C:\Documents and Settings\All Users.WINDOWS\Start Menu\Programs\Startup\ShortKeys 2.lnk
backup=C:\WINDOWS\pss\ShortKeys 2.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^Jude.JUDE-5PCD8SABXZ^Start Menu^Programs^Startup^GameSpot Download Manager.lnk]
path=C:\Documents and Settings\Jude.JUDE-5PCD8SABXZ\Start Menu\Programs\Startup\GameSpot Download Manager.lnk
backup=C:\WINDOWS\pss\GameSpot Download Manager.lnkStartup

[HKLM\~\startupfolder\C:^Documents and Settings^Jude.JUDE-5PCD8SABXZ^Start Menu^Programs^Startup^hamachi.lnk]
path=C:\Documents and Settings\Jude.JUDE-5PCD8SABXZ\Start Menu\Programs\Startup\hamachi.lnk
backup=C:\WINDOWS\pss\hamachi.lnkStartup

[HKLM\~\startupfolder\C:^Documents and Settings^Jude.JUDE-5PCD8SABXZ^Start Menu^Programs^Startup^IMVU.lnk]
path=C:\Documents and Settings\Jude.JUDE-5PCD8SABXZ\Start Menu\Programs\Startup\IMVU.lnk
backup=C:\WINDOWS\pss\IMVU.lnkStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]
--a------ 2008-01-11 22:16 39792 C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AIM Logger]
C:\PROGRA~1\Nalsoft\AIMLOG~1\AIMLogger.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BitTorrent]
--a------ 2008-03-17 23:31 587568 C:\Program Files\BitTorrent\bittorrent.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ICQ Lite]
--a------ 2006-07-11 06:06 3144800 C:\Program Files\ICQLite\ICQLite.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ISUSScheduler]
--a------ 2004-06-16 06:03 81920 C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
--a------ 2007-11-15 14:11 267048 C:\Program Files\iTunes\iTunesHelper.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroCheck]
--a------ 2001-07-09 05:50 155648 C:\WINDOWS\System32\NeroCheck.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\nwiz]
--a------ 2003-10-06 15:16 741376 C:\WINDOWS\system32\nwiz.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
--a------ 2007-12-11 11:56 286720 C:\Program Files\QuickTime\qttask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\ZoneLabsFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"C:\\Program Files\\LimeWire\\LimeWire.exe"=
"C:\\Program Files\\ICQLite\\ICQLite.exe"=
"C:\\Program Files\\DNA\\btdna.exe"=
"C:\\Program Files\\BitTorrent\\bittorrent.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"90:TCP"= 90:TCP:Kinger's Hotel

S3 dump_wmimmc;dump_wmimmc;C:\AAAAAA\ENGLISH\Gunbound Revolution\GameGuard\dump_wmimmc.sys []

.
Contents of the 'Scheduled Tasks' folder
"2008-06-24 07:30:00 C:\WINDOWS\Tasks\RegSweep Scheduled Scan.job"
- C:\Program Files\RegSweep\RegSweep.exe
- C:\Program Files\RegSweep
.
**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-06-25 17:41:46
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

HKLM\Software\Microsoft\Windows\CurrentVersion\Run
Disc Detector = C:\Program Files\Creative\ShareDLL\CtNotify.exe?X???????????????? C?????Disc Detector?B???A???????A?? [email protected][email protected]?? [email protected][email protected][email protected][email protected][email protected]?? [email protected]???????????????????B?????L?????????????????????????????B

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
------------------------ Other Running Processes ------------------------
.
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\WINDOWS\system32\CTSVCCDA.EXE
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\PnkBstrA.exe
C:\GBA\Spyware Doctor\sdhelp.exe
C:\WINDOWS\system32\devldr32.exe
C:\WINDOWS\system32\MsPMSPSv.exe
C:\Program Files\Creative\ShareDLL\Mediadet.exe
C:\WINDOWS\system32\wscntfy.exe
.
**************************************************************************
.
Completion time: 2008-06-25 18:01:51 - machine was rebooted
ComboFix-quarantined-files.txt 2008-06-25 22:01:47
ComboFix2.txt 2008-06-24 23:06:39

Pre-Run: 25,408,126,976 bytes free
Post-Run: 25,435,492,352 bytes free

205	--- E O F ---	2008-06-19 00:53:23


----------



## xintrop (Dec 5, 2007)

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 6:02:23 PM, on 6/25/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\WINDOWS\System32\CTsvcCDA.EXE
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\system32\PnkBstrA.exe
C:\GBA\Spyware Doctor\sdhelp.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\devldr32.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\Program Files\Creative\ShareDLL\CtNotify.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATIAEA.EXE
C:\Program Files\Creative\ShareDLL\MediaDet.Exe
C:\Program Files\DNA\btdna.exe
C:\Program Files\CASIO\Photo Loader\Plauto.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\system32\notepad.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: CCHelper Class - {0CF0B8EE-6596-11D5-A98E-0003470BB48E} - C:\Program Files\Panicware\Pop-Up Stopper\CCHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: PCTools Site Guard - {5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB} - C:\GBA\SPYWAR~1\tools\iesdsg.dll
O3 - Toolbar: Pa&nicware Pop-Up Stopper - {7E82235C-F31E-46CB-AF9F-1ADD94C585FF} - C:\Program Files\Panicware\Pop-Up Stopper\pstopper.dll
O4 - HKLM\..\Run: [Disc Detector] C:\Program Files\Creative\ShareDLL\CtNotify.exe
O4 - HKLM\..\Run: [ISUSPM Startup] "C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe" -startup
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [NvCplDaemon] "RUNDLL32.EXE" C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [ZoneAlarm Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [EPSON Stylus CX4200 Series] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATIAEA.EXE /P26 "EPSON Stylus CX4200 Series" /O6 "USB001" /M "Stylus CX4200"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKCU\..\Run: [BitTorrent DNA] "C:\Program Files\DNA\btdna.exe"
O4 - HKUS\S-1-5-18\..\Run: [Spyware Doctor] "C:\GBA\Spyware Doctor\swdoctor.exe" /Q (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [Spyware Doctor] "C:\GBA\Spyware Doctor\swdoctor.exe" /Q (User 'Default user')
O4 - Global Startup: Photo Loader supervisory.lnk = C:\Program Files\CASIO\Photo Loader\Plauto.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra button: Spyware Doctor - {2D663D1A-8670-49D9-A1A5-4C56B4E14E84} - C:\GBA\SPYWAR~1\tools\iesdpb.dll
O9 - Extra button: ICQ Pro - {6224f700-cba3-4071-b251-47cb894244cd} - C:\PROGRA~1\ICQ\ICQ.exe
O9 - Extra 'Tools' menuitem: ICQ - {6224f700-cba3-4071-b251-47cb894244cd} - C:\PROGRA~1\ICQ\ICQ.exe
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: (no name) - {AFC3FA82-AD07-45cd-8B57-983435B9899E} - (no file)
O9 - Extra button: ICQ Lite - {B863453A-26C3-4e1f-A54D-A2CD196348E9} - C:\Program Files\ICQLite\ICQLite.exe
O9 - Extra 'Tools' menuitem: ICQ Lite - {B863453A-26C3-4e1f-A54D-A2CD196348E9} - C:\Program Files\ICQLite\ICQLite.exe
O9 - Extra button: Run IMVU - {d9288080-1baa-4bc4-9cf8-a92d743db949} - C:\Documents and Settings\Jude.JUDE-5PCD8SABXZ\Start Menu\Programs\IMVU\Run IMVU.lnk (file missing)
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: ActiveGS.cab - http://www.virtualapple.org/activegs.cab
O16 - DPF: {05CA9FB0-3E3E-4B36-BF41-0E3A5CAA8CD8} (Office Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=67633
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/eng/partner/200015205/kavwebscan_unicode.cab
O16 - DPF: {1239CC52-59EF-4DFA-8C61-90FFA846DF7E} (Musicnotes Viewer) - http://www.musicnotes.com/download/mnviewer.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?LinkID=39204
O16 - DPF: {39B0684F-D7BF-4743-B050-FDC3F48F7E3B} (FilePlanet Download Control Class) - http://www.fileplanet.com/fpdlmgr/cabs/FPDC_1_0_0_41.cab
O16 - DPF: {3DCEC959-378A-4922-AD7E-FD5C925D927F} (Disney Online Games ActiveX Control) - http://disney.go.com/pirates/online/testActiveX/built/signed/DisneyOnlineGames.cab
O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akamai.net/7/1540/52...pple.com/mickey/us/win/QuickTimeInstaller.exe
O16 - DPF: {5F5F9FB8-878E-4455-95E0-F64B2314288A} (ijjiPlugin2 Class) - http://gamedownload.ijjimax.com/gamedownload/dist/hgstart/HGPlugin11USA.cab
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab
O16 - DPF: {67DABFBF-D0AB-41FA-9C46-CC0F21721616} (DivXBrowserPlugin Object) - http://download.divx.com/player/DivXBrowserPlugin.cab?s6
O16 - DPF: {69EF49E5-FE46-4B92-B5FA-2193AB7A6B8A} (GameLauncher Control) - http://www.acclaim.com/cabs/acclaim_v4.cab
O16 - DPF: {70BA88C8-DAE8-4CE9-92BB-979C4A75F53B} - http://launch.gamespyarcade.com/software/launch/alaunch.cab
O16 - DPF: {77E32299-629F-43C6-AB77-6A1E6D7663F6} (Groove Control) - http://tv.disney.go.com/global/download/otoy/OTOYAX29b.cab
O16 - DPF: {7B41B7AC-3496-4C13-A70F-DE6B60A6A8A8} (MGAME manager Class) - http://www.legendofares.com/download/mgusamanagerv1001.cab
O16 - DPF: {C02226EB-A5D7-4B1F-BD7E-635E46C2288D} (Toontown Installer ActiveX Control) - http://a.download.toontown.com/sv1.0.33.7/ttinst.cab
O16 - DPF: {CC05BC12-2AA2-4AC7-AC81-0E40F83B1ADF} (Live365Player Class) - http://www.live365.com/players/play365.cab
O16 - DPF: {CD995117-98E5-4169-9920-6C12D4C0B548} (HGPlugin9USA Class) - http://gamedownload.ijjimax.com/gamedownload/dist/hgstart/HGPlugin9USA.cab
O16 - DPF: {CF40ACC5-E1BB-4AFF-AC72-04C2F616BCA7} (get_atlcom Class) - http://www.adobe.com/products/acrobat/nos/gp.cab
O16 - DPF: {D8089245-3211-40F6-819B-9E5E92CD61A2} (FlashXControl Object) - https://jackpotcity.microgaming.com/jackpotcity/FlashAX.cab
O16 - DPF: {DB7BF79A-FC51-4B5A-92BC-A65731174380} (InstantAction Game Launcher) - http://www.instantaction.com/download/iaplayer.cab
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\System32\CTsvcCDA.EXE
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: PHPGeekUtil - Unknown owner - (no file)
O23 - Service: PnkBstrA - Unknown owner - C:\WINDOWS\system32\PnkBstrA.exe
O23 - Service: PC Tools Spyware Doctor (SDhelper) - PC Tools Research Pty Ltd - C:\GBA\Spyware Doctor\sdhelp.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe
O24 - Desktop Component 0: (no name) - http://artimpressive.com/wp-content/uploads/2007/07/379858.jpg
O24 - Desktop Component 1: (no name) - http://charas-project.net/resources/Titles/6579_1171637130_small.png
O24 - Desktop Component 2: (no name) - http://upload.wikimedia.org/wikipedia/en/f/f3/SSBB_Cover.jpg

--
End of file - 9835 bytes


----------
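The HijackThis log above is the kind of listing a helper reads line by line: R/O-prefixed entries, each naming a registry location or browser extension point and the file it points at. The script below is an added example (not part of this thread and not HijackThis or ComboFix code) that parses that text format and pulls out the entries a helper normally looks at first: entries whose target file no longer exists ("(no file)", "(file missing)"), O16 ActiveX downloads from hosts outside a small allowlist, and per-user O4 autoruns. The sample input is a constructed subset of lines copied from the log posted above; the `TRUSTED_O16_HOSTS` allowlist is an assumption made for the example, and a flagged entry is something to review, not a verdict.

```python
"""Triage helper for HijackThis-style logs (added example, not HijackThis code)."""
import re
from collections import Counter

# Constructed sample: a subset of entry lines in the format posted above.
SAMPLE_LOG = r"""
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKCU\..\Run: [BitTorrent DNA] "C:\Program Files\DNA\btdna.exe"
O9 - Extra button: Run IMVU - {d9288080-1baa-4bc4-9cf8-a92d743db949} - C:\Documents and Settings\Jude.JUDE-5PCD8SABXZ\Start Menu\Programs\IMVU\Run IMVU.lnk (file missing)
O9 - Extra button: (no name) - {AFC3FA82-AD07-45cd-8B57-983435B9899E} - (no file)
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?LinkID=39204
O16 - DPF: {D8089245-3211-40F6-819B-9E5E92CD61A2} (FlashXControl Object) - https://jackpotcity.microgaming.com/jackpotcity/FlashAX.cab
O16 - DPF: ActiveGS.cab - http://www.virtualapple.org/activegs.cab
O23 - Service: PHPGeekUtil - Unknown owner - (no file)
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
"""

# Every entry line starts with a section code (R1, O2, O16, ...) and " - ".
ENTRY_RE = re.compile(r"^(?P<section>[RFNO]\d+) - (?P<body>.+)$")
HOST_RE = re.compile(r"https?://([^/\s]+)", re.IGNORECASE)

# Assumption for this example: hosts treated as routine sources of O16
# ActiveX downloads. Anything else is listed for manual review.
TRUSTED_O16_HOSTS = {"go.microsoft.com", "download.microsoft.com"}

# Markers HijackThis prints when the registry points at a missing file.
ORPHAN_MARKERS = ("(no file)", "(file missing)")


def parse_hjt(text):
    """Return (section, body) tuples for entry lines; header and
    process-list lines do not match the pattern and are skipped."""
    entries = []
    for line in text.splitlines():
        m = ENTRY_RE.match(line.strip())
        if m:
            entries.append((m.group("section"), m.group("body")))
    return entries


def triage(text):
    """Group entries into the buckets a helper checks first."""
    entries = parse_hjt(text)
    findings = {
        "counts": Counter(sec for sec, _ in entries),
        "orphaned": [],       # registry entry whose target file is gone
        "o16_review": [],     # (host, entry) for non-allowlisted ActiveX downloads
        "per_user_runs": [],  # O4 autoruns under HKCU / HKUS hives
    }
    for sec, body in entries:
        if any(marker in body for marker in ORPHAN_MARKERS):
            findings["orphaned"].append(f"{sec} - {body}")
        if sec == "O16":
            m = HOST_RE.search(body)
            host = m.group(1).lower() if m else "<no url>"
            if host not in TRUSTED_O16_HOSTS:
                findings["o16_review"].append((host, body))
        if sec == "O4" and body.startswith(("HKCU", "HKUS")):
            findings["per_user_runs"].append(body)
    return findings


if __name__ == "__main__":
    report = triage(SAMPLE_LOG)
    print("entries per section:", dict(report["counts"]))
    for key in ("orphaned", "o16_review", "per_user_runs"):
        print(f"== {key} ({len(report[key])}) ==")
        for item in report[key]:
            print("  ", item)
```

On the sample above the script lists three orphaned entries (the IMVU button, the unnamed O9 button and the PHPGeekUtil service), two O16 downloads for review (the microgaming and virtualapple hosts) and one per-user autorun. Orphaned entries are usually harmless leftovers, but on an infected machine they are also what a half-removed program looks like, which is why helpers ask for a fresh log after each cleanup step.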



## Cookiegal (Aug 27, 2003)

*Download and scan with* *SUPERAntiSpyware* Free for Home Users
Double-click *SUPERAntiSpyware.exe* and use the default settings for installation. 
An icon will be created on your desktop. Double-click that icon to launch the program. 
If asked to update the program definitions, click "*Yes*". If not, update the definitions before scanning by selecting "*Check for Updates*". (_If you encounter any problems while downloading the updates, manually download and unzip them from here._) 
Under "*Configuration and Preferences*", click the *Preferences* button. 
Click the *Scanning Control* tab. 
Under *Scanner Options* make sure the following are checked _(leave all others unchecked)_:
_Close browsers before scanning._ 
_Scan for tracking cookies._ 
_Terminate memory threats before quarantining._

Click the "*Close*" button to leave the control center screen. 
Back on the main screen, under "*Scan for Harmful Software*" click *Scan your computer*. 
On the left, make sure you check *C:\Fixed Drive*. 
On the right, under "*Complete Scan*", choose *Perform Complete Scan*. 
Click "*Next*" to start the scan. Please be patient while it scans your computer. 
After the scan is complete, a Scan Summary box will appear with potentially harmful items that were detected. Click "*OK*". 
Make sure everything has a checkmark next to it and click "*Next*". 
A notification will appear that "_Quarantine and Removal is Complete_". Click "*OK*" and then click the "*Finish*" button to return to the main menu. 
If asked if you want to reboot, click "*Yes*". 
To retrieve the removal information after reboot, launch SUPERAntispyware again.
_Click *Preferences*, then click the *Statistics/Logs* tab._ 
_Under Scanner Logs, double-click *SUPERAntiSpyware Scan Log*._ 
_If there are several logs, click the current dated log and press *View log*. A text file will open in your default text editor._ 
*Please copy and paste the Scan Log results in your next reply.*

Click *Close* to exit the program.

Please run Kaspersky online virus scan *Kaspersky Online Scanner*.

After the updates have downloaded, click on the "Scan Settings" button.
Choose the *"Extended database" *for the scan.
Under "Please select a target to scan", click "My Computer".
When the scan is finished, Save the results from the scan!

*Note:* You have to use Internet Explorer to do the online scan.

*Post a new HiJackThis log along with the results from the SuperAntiSpyware and Kaspersky scans.*


----------



## xintrop (Dec 5, 2007)

After over 12 hours of SUPERAntiSpyware scanning, I came to my pc to find it shut down. There was no option under "Scanner Logs" to "double-click SUPERAntiSpyware Scan Log." Apparently something prevented the scan from completing, or the pc was working too hard and just shut down.
The last things I saw in its scan were something like over 600 tracking cookies, 6 Trojans (unknown origin), a couple of other trojans and worms. NOTE: Before running the scan, I forgot to turn off my avast and zonealarm; avast interfered (stopped?) with the scan by showing it had a threat and to "move it to chest". I will need to try to run the scan again with avast and zonealarm turned off. The scan takes a very long time as there are three users and additional people that go online on this pc and many files.


----------



## ~Candy~ (Jan 27, 2001)

Since it shut down, it could have overheated after scanning that long.


----------



## Cookiegal (Aug 27, 2003)

Before running the new scan, delete your temporary files and clear cookies:

Go to *Start* - *Run* and type in *cleanmgr* and click OK. 
Let it scan your system for files to remove. 
Make sure Temporary Files, Temporary Internet Files, and Recycle Bin are the only things checked. 
Press OK to remove them.

*Clean your Cache and Cookies in IE:* 
Close all instances of Outlook Express and Internet Explorer 
Go to Control Panel > Internet Options > General tab 
Click the "Delete Cookies" button 
Next to it, Click the "Delete Files" button 
When prompted, place a check in: "Delete all offline content", click OK

and then reset them as follows:

In IE click on Tools - Internet Options - privacy tab and select "advanced". Set First Party cookies to "prompt" and Third Party cookies to either "block" or "prompt" and check "always allow session cookies". Basically, you should refuse all cookies except those from sites you trust or need to log in to.

You can refuse a cookie each time it asks (if you're not sure and don't want to block it all the time) or you can select the option to "apply my decision to all cookies from this website" and then select "block or allow". If you block a cookie and later find it's needed, you can go back into Internet Options, under the privacy tab and click on "sites" and remove it from the list of blocked cookies there or change its designation to "always allow".

*Clear your Cache and Cookies in Firefox:* 
Click Privacy in the menu on the left side of the Options window. 
Click the Clear button located to the right of each option (History, Cookies, Cache). 
Click OK to close the Options window
Alternatively, you can clear all information stored while browsing by clicking Clear All. 
A confirmation dialog box will be shown before clearing the information.

That should reduce the size of the scan considerably.


----------



## xintrop (Dec 5, 2007)

Hello and thank you for keeping this thread open. I had an auto accident and was unable to follow up until now. A few comments before I post logs. I could not run Kaspersky Online Scanner. My pc met all requirements and used IE, but while "Updating" it showed 
"Downloading and installing the Program (0%)..."
"Update Size: 0KB"
"Transfer size: 0KB" 
I let it hang there for over 1 hr a few times. I went into my control panel and saw I had Kaspersky as a program installed already and read all the fine print on the Kaspersky "help".
It said I needed Sun Java installed (although I don't remember having to do this in the past). I went to Sun's page and downloaded it, same result. I read 
"When you click the Kaspersky Online Scanner 7.0 button to download the program from its page at the Kaspersky Lab website, the Kaspersky Online Scanner 7.0 window opens in a new Web browser window." I thought I may need to download the free 30 day trial for it to work. I went to my control panel, deleted the existing Kaspersky and sent for the free 30 day trial. Upon my attempt to install it, it demanded I delete ZoneAlarm from my system, so I stopped there. 

Besides the logs I am going to post I have a few concerns. 

The first is that after my first visit here with Derek I had approximately 38 free GB out of the total size of 74.5 GB. I was down to 17 free. After I "deleted your temporary files and clear cookies" as you suggested I am back up to 21.2 free GB.

The second is I found out that my children have been turning off avast and ZoneAlarm while they are online. They claim these programs slow down the performance of the pc and have even convinced my wife to close the programs due to the fact the pc shuts down constantly when she is online using a graphically demanding site (Online Slot Machines I believe) and does not when these programs are not running. I do know avast runs and updates in the background and does slow performance to a degree. <-- Do you believe this to be true?

When you have the opportunity to help me with these questions I would greatly appreciate it.  *whew* Without further ado, following are my SUPERAntiSpy and latest hijackthis logs. Thanks again.


----------



## xintrop (Dec 5, 2007)

SUPERAntiSpyware Scan Log
http://www.superantispyware.com

Generated 07/05/2008 at 06:03 PM

Application Version : 4.15.1000

Core Rules Database Version : 3497
Trace Rules Database Version: 1488

Scan type : Complete Scan
Total Scan Time : 04:52:42

Memory items scanned : 315
Memory threats detected : 0
Registry items scanned : 4952
Registry threats detected : 0
File items scanned : 373206
File threats detected : 200

Adware.Tracking Cookie
.atdmt.com [ C:\Documents and Settings\FlameHead\Application Data\Mozilla\Firefox\Profiles\default.aa1\cookies.txt ]
.stat.youku.com [ C:\Documents and Settings\FlameHead\Application Data\Mozilla\Firefox\Profiles\default.aa1\cookies.txt ]
ad.yieldmanager.com [ C:\Documents and Settings\FlameHead\Application Data\Mozilla\Firefox\Profiles\default.aa1\cookies.txt ]
ad.yieldmanager.com [ C:\Documents and Settings\FlameHead\Application Data\Mozilla\Firefox\Profiles\default.aa1\cookies.txt ]
ad.yieldmanager.com [ C:\Documents and Settings\FlameHead\Application Data\Mozilla\Firefox\Profiles\default.aa1\cookies.txt ]
ad.yieldmanager.com [ C:\Documents and Settings\FlameHead\Application Data\Mozilla\Firefox\Profiles\default.aa1\cookies.txt ]
ad.yieldmanager.com [ C:\Documents and Settings\FlameHead\Application Data\Mozilla\Firefox\Profiles\default.aa1\cookies.txt ]
ad.yieldmanager.com [ C:\Documents and Settings\FlameHead\Application Data\Mozilla\Firefox\Profiles\default.aa1\cookies.txt ]
ad.yieldmanager.com [ C:\Documents and Settings\FlameHead\Application Data\Mozilla\Firefox\Profiles\default.aa1\cookies.txt ]
ad.yieldmanager.com [ C:\Documents and Settings\FlameHead\Application Data\Mozilla\Firefox\Profiles\default.aa1\cookies.txt ]
.tribalfusion.com [ C:\Documents and Settings\FlameHead\Application Data\Mozilla\Firefox\Profiles\default.aa1\cookies.txt ]
.doubleclick.net [ C:\Documents and Settings\FlameHead\Application Data\Mozilla\Firefox\Profiles\default.aa1\cookies.txt ]
.insightexpressai.com [ C:\Documents and Settings\FlameHead\Application Data\Mozilla\Firefox\Profiles\default.aa1\cookies.txt ]
.insightexpressai.com [ C:\Documents and Settings\FlameHead\Application Data\Mozilla\Firefox\Profiles\default.aa1\cookies.txt ]
.insightexpressai.com [ C:\Documents and Settings\FlameHead\Application Data\Mozilla\Firefox\Profiles\default.aa1\cookies.txt ]
.insightexpressai.com [ C:\Documents and Settings\FlameHead\Application Data\Mozilla\Firefox\Profiles\default.aa1\cookies.txt ]
.mediaplex.com [ C:\Documents and Settings\FlameHead\Application Data\Mozilla\Firefox\Profiles\default.aa1\cookies.txt ]
.insightexpressai.com [ C:\Documents and Settings\FlameHead\Application Data\Mozilla\Firefox\Profiles\default.aa1\cookies.txt ]
.insightexpressai.com [ C:\Documents and Settings\FlameHead\Application Data\Mozilla\Firefox\Profiles\default.aa1\cookies.txt ]
.insightexpressai.com [ C:\Documents and Settings\FlameHead\Application Data\Mozilla\Firefox\Profiles\default.aa1\cookies.txt ]
.mediaplex.com [ C:\Documents and Settings\FlameHead\Application Data\Mozilla\Firefox\Profiles\default.aa1\cookies.txt ]
.insightexpressai.com [ C:\Documents and Settings\FlameHead\Application Data\Mozilla\Firefox\Profiles\default.aa1\cookies.txt ]
.insightexpressai.com [ C:\Documents and Settings\FlameHead\Application Data\Mozilla\Firefox\Profiles\default.aa1\cookies.txt ]
.statcounter.com [ C:\Documents and Settings\FlameHead\Application Data\Mozilla\Firefox\Profiles\default.aa1\cookies.txt ]
.statcounter.com [ C:\Documents and Settings\FlameHead\Application Data\Mozilla\Firefox\Profiles\default.aa1\cookies.txt ]
.statcounter.com [ C:\Documents and Settings\FlameHead\Application Data\Mozilla\Firefox\Profiles\default.aa1\cookies.txt ]
.advertising.com [ C:\Documents and Settings\FlameHead\Application Data\Mozilla\Firefox\Profiles\default.aa1\cookies.txt ]
.advertising.com [ C:\Documents and Settings\FlameHead\Application Data\Mozilla\Firefox\Profiles\default.aa1\cookies.txt ]
.advertising.com [ C:\Documents and Settings\FlameHead\Application Data\Mozilla\Firefox\Profiles\default.aa1\cookies.txt ]
.advertising.com [ C:\Documents and Settings\FlameHead\Application Data\Mozilla\Firefox\Profiles\default.aa1\cookies.txt ]
.advertising.com [ C:\Documents and Settings\FlameHead\Application Data\Mozilla\Firefox\Profiles\default.aa1\cookies.txt ]
.advertising.com [ C:\Documents and Settings\FlameHead\Application Data\Mozilla\Firefox\Profiles\default.aa1\cookies.txt ]
.fastclick.net [ C:\Documents and Settings\FlameHead\Application Data\Mozilla\Firefox\Profiles\default.aa1\cookies.txt ]
.realmedia.com [ C:\Documents and Settings\FlameHead\Application Data\Mozilla\Firefox\Profiles\default.aa1\cookies.txt ]
.realmedia.com [ C:\Documents and Settings\FlameHead\Application Data\Mozilla\Firefox\Profiles\default.aa1\cookies.txt ]
.adopt.euroclick.com [ C:\Documents and Settings\FlameHead\Application Data\Mozilla\Firefox\Profiles\default.aa1\cookies.txt ]
.e-2dj6wglikpcjchq.stats.esomniture.com [ C:\Documents and Settings\FlameHead\Application Data\Mozilla\Firefox\Profiles\default.aa1\cookies.txt ]
.edge.ru4.com [ C:\Documents and Settings\FlameHead\Application Data\Mozilla\Firefox\Profiles\default.aa1\cookies.txt ]
.onlinerewardcenter.com [ C:\Documents and Settings\FlameHead\Application Data\Mozilla\Firefox\Profiles\default.aa1\cookies.txt ]
.serving-sys.com [ C:\Documents and Settings\FlameHead\Application Data\Mozilla\Firefox\Profiles\default.aa1\cookies.txt ]
.serving-sys.com [ C:\Documents and Settings\FlameHead\Application Data\Mozilla\Firefox\Profiles\default.aa1\cookies.txt ]
.serving-sys.com [ C:\Documents and Settings\FlameHead\Application Data\Mozilla\Firefox\Profiles\default.aa1\cookies.txt ]
.serving-sys.com [ C:\Documents and Settings\FlameHead\Application Data\Mozilla\Firefox\Profiles\default.aa1\cookies.txt ]
.revsci.net [ C:\Documents and Settings\FlameHead\Application Data\Mozilla\Firefox\Profiles\default.aa1\cookies.txt ]
.revsci.net [ C:\Documents and Settings\FlameHead\Application Data\Mozilla\Firefox\Profiles\default.aa1\cookies.txt ]
.valueclick.com [ C:\Documents and Settings\FlameHead\Application Data\Mozilla\Firefox\Profiles\default.aa1\cookies.txt ]
media.adrevolver.com [ C:\Documents and Settings\FlameHead\Application Data\Mozilla\Firefox\Profiles\default.aa1\cookies.txt ]
media.adrevolver.com [ C:\Documents and Settings\FlameHead\Application Data\Mozilla\Firefox\Profiles\default.aa1\cookies.txt ]
.revenue.net [ C:\Documents and Settings\FlameHead\Application Data\Mozilla\Firefox\Profiles\default.aa1\cookies.txt ]
.revenue.net [ C:\Documents and Settings\FlameHead\Application Data\Mozilla\Firefox\Profiles\default.aa1\cookies.txt ]
.revenue.net [ C:\Documents and Settings\FlameHead\Application Data\Mozilla\Firefox\Profiles\default.aa1\cookies.txt ]
.revenue.net [ C:\Documents and Settings\FlameHead\Application Data\Mozilla\Firefox\Profiles\default.aa1\cookies.txt ]
.revenue.net [ C:\Documents and Settings\FlameHead\Application Data\Mozilla\Firefox\Profiles\default.aa1\cookies.txt ]
.revenue.net [ C:\Documents and Settings\FlameHead\Application Data\Mozilla\Firefox\Profiles\default.aa1\cookies.txt ]
.revenue.net [ C:\Documents and Settings\FlameHead\Application Data\Mozilla\Firefox\Profiles\default.aa1\cookies.txt ]
.revenue.net [ C:\Documents and Settings\FlameHead\Application Data\Mozilla\Firefox\Profiles\default.aa1\cookies.txt ]
.zedo.com [ C:\Documents and Settings\FlameHead\Application Data\Mozilla\Firefox\Profiles\default.aa1\cookies.txt ]
.ath.belnk.com [ C:\Documents and Settings\FlameHead\Application Data\Mozilla\Firefox\Profiles\default.aa1\cookies.txt ]
.belnk.com [ C:\Documents and Settings\FlameHead\Application Data\Mozilla\Firefox\Profiles\default.aa1\cookies.txt ]
.belnk.com [ C:\Documents and Settings\FlameHead\Application Data\Mozilla\Firefox\Profiles\default.aa1\cookies.txt ]
.bluestreak.com [ C:\Documents and Settings\FlameHead\Application Data\Mozilla\Firefox\Profiles\default.aa1\cookies.txt ]
.ads.pointroll.com [ C:\Documents and Settings\FlameHead\Application Data\Mozilla\Firefox\Profiles\default.aa1\cookies.txt ]
.ads.pointroll.com [ C:\Documents and Settings\FlameHead\Application Data\Mozilla\Firefox\Profiles\default.aa1\cookies.txt ]
.ads.pointroll.com [ C:\Documents and Settings\FlameHead\Application Data\Mozilla\Firefox\Profiles\default.aa1\cookies.txt ]
.ads.pointroll.com [ C:\Documents and Settings\FlameHead\Application Data\Mozilla\Firefox\Profiles\default.aa1\cookies.txt ]
.nextag.com [ C:\Documents and Settings\FlameHead\Application Data\Mozilla\Firefox\Profiles\default.aa1\cookies.txt ]
.nextag.com [ C:\Documents and Settings\FlameHead\Application Data\Mozilla\Firefox\Profiles\default.aa1\cookies.txt ]
web-stat.webspawner.com [ C:\Documents and Settings\FlameHead\Application Data\Mozilla\Firefox\Profiles\default.aa1\cookies.txt ]
.icc.intellisrv.net [ C:\Documents and Settings\FlameHead\Application Data\Mozilla\Firefox\Profiles\default.aa1\cookies.txt ]
.cnn.122.2o7.net [ C:\Documents and Settings\FlameHead\Application Data\Mozilla\Firefox\Profiles\default.aa1\cookies.txt ]


----------



## xintrop (Dec 5, 2007)


Rogue.Dropper/Gen
C:\QOOBOX\QUARANTINE\C\PROGRAM FILES\PCHEALTHCENTER\1.EXE.VIR
C:\SYSTEM VOLUME INFORMATION\_RESTORE{EA97C120-5AB9-42FF-9A82-AD3DA17429FB}\RP53\A0039634.EXE
C:\SYSTEM VOLUME INFORMATION\_RESTORE{EA97C120-5AB9-42FF-9A82-AD3DA17429FB}\RP53\A0039655.EXE
C:\SYSTEM VOLUME INFORMATION\_RESTORE{EA97C120-5AB9-42FF-9A82-AD3DA17429FB}\RP53\A0039656.EXE
C:\SYSTEM VOLUME INFORMATION\_RESTORE{EA97C120-5AB9-42FF-9A82-AD3DA17429FB}\RP53\A0039657.EXE
C:\SYSTEM VOLUME INFORMATION\_RESTORE{EA97C120-5AB9-42FF-9A82-AD3DA17429FB}\RP53\A0039671.EXE
C:\SYSTEM VOLUME INFORMATION\_RESTORE{EA97C120-5AB9-42FF-9A82-AD3DA17429FB}\RP55\A0040790.EXE
C:\SYSTEM VOLUME INFORMATION\_RESTORE{EA97C120-5AB9-42FF-9A82-AD3DA17429FB}\RP55\A0040791.EXE
C:\SYSTEM VOLUME INFORMATION\_RESTORE{EA97C120-5AB9-42FF-9A82-AD3DA17429FB}\RP55\A0040792.EXE
C:\SYSTEM VOLUME INFORMATION\_RESTORE{EA97C120-5AB9-42FF-9A82-AD3DA17429FB}\RP55\A0040818.EXE
C:\SYSTEM VOLUME INFORMATION\_RESTORE{EA97C120-5AB9-42FF-9A82-AD3DA17429FB}\RP55\A0040819.EXE
C:\SYSTEM VOLUME INFORMATION\_RESTORE{EA97C120-5AB9-42FF-9A82-AD3DA17429FB}\RP55\A0040820.EXE
C:\SYSTEM VOLUME INFORMATION\_RESTORE{EA97C120-5AB9-42FF-9A82-AD3DA17429FB}\RP60\A0041936.EXE
C:\SYSTEM VOLUME INFORMATION\_RESTORE{EA97C120-5AB9-42FF-9A82-AD3DA17429FB}\RP60\A0041937.EXE

Trojan.Unknown Origin
C:\QOOBOX\QUARANTINE\C\PROGRAM FILES\PCHEALTHCENTER\3.EXE.VIR
C:\QOOBOX\QUARANTINE\C\PROGRAM FILES\PCHEALTHCENTER\4.EXE.VIR
C:\QOOBOX\QUARANTINE\C\PROGRAM FILES\PCHEALTHCENTER\SEX1.ICO.VIR
C:\QOOBOX\QUARANTINE\C\PROGRAM FILES\PCHEALTHCENTER\SEX2.ICO.VIR
C:\QOOBOX\QUARANTINE\C\SYSF.EXE.VIR
C:\SYSTEM VOLUME INFORMATION\_RESTORE{EA97C120-5AB9-42FF-9A82-AD3DA17429FB}\RP52\A0039600.ICO
C:\SYSTEM VOLUME INFORMATION\_RESTORE{EA97C120-5AB9-42FF-9A82-AD3DA17429FB}\RP52\A0039601.ICO
C:\SYSTEM VOLUME INFORMATION\_RESTORE{EA97C120-5AB9-42FF-9A82-AD3DA17429FB}\RP53\A0039632.EXE
C:\SYSTEM VOLUME INFORMATION\_RESTORE{EA97C120-5AB9-42FF-9A82-AD3DA17429FB}\RP53\A0039633.EXE
C:\SYSTEM VOLUME INFORMATION\_RESTORE{EA97C120-5AB9-42FF-9A82-AD3DA17429FB}\RP53\A0039643.ICO
C:\SYSTEM VOLUME INFORMATION\_RESTORE{EA97C120-5AB9-42FF-9A82-AD3DA17429FB}\RP53\A0039653.EXE
C:\SYSTEM VOLUME INFORMATION\_RESTORE{EA97C120-5AB9-42FF-9A82-AD3DA17429FB}\RP53\A0039654.EXE
C:\SYSTEM VOLUME INFORMATION\_RESTORE{EA97C120-5AB9-42FF-9A82-AD3DA17429FB}\RP53\A0039672.EXE
C:\SYSTEM VOLUME INFORMATION\_RESTORE{EA97C120-5AB9-42FF-9A82-AD3DA17429FB}\RP54\A0040746.EXE
C:\SYSTEM VOLUME INFORMATION\_RESTORE{EA97C120-5AB9-42FF-9A82-AD3DA17429FB}\RP55\A0040784.EXE
C:\SYSTEM VOLUME INFORMATION\_RESTORE{EA97C120-5AB9-42FF-9A82-AD3DA17429FB}\RP55\A0040789.EXE
C:\SYSTEM VOLUME INFORMATION\_RESTORE{EA97C120-5AB9-42FF-9A82-AD3DA17429FB}\RP55\A0040793.ICO
C:\SYSTEM VOLUME INFORMATION\_RESTORE{EA97C120-5AB9-42FF-9A82-AD3DA17429FB}\RP55\A0040794.ICO
C:\SYSTEM VOLUME INFORMATION\_RESTORE{EA97C120-5AB9-42FF-9A82-AD3DA17429FB}\RP55\A0040815.ICO
C:\SYSTEM VOLUME INFORMATION\_RESTORE{EA97C120-5AB9-42FF-9A82-AD3DA17429FB}\RP55\A0040816.ICO
C:\SYSTEM VOLUME INFORMATION\_RESTORE{EA97C120-5AB9-42FF-9A82-AD3DA17429FB}\RP55\A0040817.EXE
C:\SYSTEM VOLUME INFORMATION\_RESTORE{EA97C120-5AB9-42FF-9A82-AD3DA17429FB}\RP60\A0041938.EXE
C:\SYSTEM VOLUME INFORMATION\_RESTORE{EA97C120-5AB9-42FF-9A82-AD3DA17429FB}\RP60\A0041939.EXE
C:\SYSTEM VOLUME INFORMATION\_RESTORE{EA97C120-5AB9-42FF-9A82-AD3DA17429FB}\RP60\A0041941.ICO
C:\SYSTEM VOLUME INFORMATION\_RESTORE{EA97C120-5AB9-42FF-9A82-AD3DA17429FB}\RP60\A0041942.ICO
C:\SYSTEM VOLUME INFORMATION\_RESTORE{EA97C120-5AB9-42FF-9A82-AD3DA17429FB}\RP60\A0041945.EXE

Trojan.Dropper/Gen
C:\SYSTEM VOLUME INFORMATION\_RESTORE{EA97C120-5AB9-42FF-9A82-AD3DA17429FB}\RP55\A0040795.EXE
C:\SYSTEM VOLUME INFORMATION\_RESTORE{EA97C120-5AB9-42FF-9A82-AD3DA17429FB}\RP55\A0040813.EXE
C:\SYSTEM VOLUME INFORMATION\_RESTORE{EA97C120-5AB9-42FF-9A82-AD3DA17429FB}\RP59\A0041048.EXE

Trojan.Unclassified/GTS
C:\SYSTEM VOLUME INFORMATION\_RESTORE{EA97C120-5AB9-42FF-9A82-AD3DA17429FB}\RP55\A0040797.DLL
C:\SYSTEM VOLUME INFORMATION\_RESTORE{EA97C120-5AB9-42FF-9A82-AD3DA17429FB}\RP55\A0040821.DLL

Rogue.Vista AntiVirus 2008
C:\SYSTEM VOLUME INFORMATION\_RESTORE{EA97C120-5AB9-42FF-9A82-AD3DA17429FB}\RP60\A0041943.CPL
C:\SYSTEM VOLUME INFORMATION\_RESTORE{EA97C120-5AB9-42FF-9A82-AD3DA17429FB}\RP60\A0041944.EXE
C:\SYSTEM VOLUME INFORMATION\_RESTORE{EA97C120-5AB9-42FF-9A82-AD3DA17429FB}\RP60\A0041946.CPL

Adware.Adlogix
C:\WINDOWS\SYSTEM32\PACIFISY.DLL


----------



## xintrop (Dec 5, 2007)

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 8:00:18 PM, on 7/5/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINDOWS\System32\CTsvcCDA.EXE
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\system32\PnkBstrA.exe
C:\GBA\Spyware Doctor\sdhelp.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\WINDOWS\system32\devldr32.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Creative\ShareDLL\CtNotify.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\WINDOWS\System32\alg.exe
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATIAEA.EXE
C:\Program Files\DNA\btdna.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\Program Files\Creative\ShareDLL\MediaDet.Exe
C:\Program Files\CASIO\Photo Loader\Plauto.exe
C:\WINDOWS\system32\taskmgr.exe
C:\WINDOWS\system32\msiexec.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
C:\WINDOWS\System32\wbem\wmiprvse.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O1 - Hosts: 92.48.81.32 iHabbixReloaded
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: CCHelper Class - {0CF0B8EE-6596-11D5-A98E-0003470BB48E} - C:\Program Files\Panicware\Pop-Up Stopper\CCHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: PCTools Site Guard - {5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB} - C:\GBA\SPYWAR~1\tools\iesdsg.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_06\bin\ssv.dll
O3 - Toolbar: Pa&nicware Pop-Up Stopper - {7E82235C-F31E-46CB-AF9F-1ADD94C585FF} - C:\Program Files\Panicware\Pop-Up Stopper\pstopper.dll
O4 - HKLM\..\Run: [Disc Detector] C:\Program Files\Creative\ShareDLL\CtNotify.exe
O4 - HKLM\..\Run: [ISUSPM Startup] "C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe" -startup
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [NvCplDaemon] "RUNDLL32.EXE" C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [ZoneAlarm Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [EPSON Stylus CX4200 Series] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATIAEA.EXE /P26 "EPSON Stylus CX4200 Series" /O6 "USB001" /M "Stylus CX4200"
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_06\bin\jusched.exe"
O4 - HKCU\..\Run: [BitTorrent DNA] "C:\Program Files\DNA\btdna.exe"
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - HKUS\S-1-5-18\..\Run: [Spyware Doctor] "C:\GBA\Spyware Doctor\swdoctor.exe" /Q (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [Spyware Doctor] "C:\GBA\Spyware Doctor\swdoctor.exe" /Q (User 'Default user')
O4 - Global Startup: Photo Loader supervisory.lnk = C:\Program Files\CASIO\Photo Loader\Plauto.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_06\bin\ssv.dll
O9 - Extra button: Spyware Doctor - {2D663D1A-8670-49D9-A1A5-4C56B4E14E84} - C:\GBA\SPYWAR~1\tools\iesdpb.dll
O9 - Extra button: ICQ Pro - {6224f700-cba3-4071-b251-47cb894244cd} - C:\PROGRA~1\ICQ\ICQ.exe
O9 - Extra 'Tools' menuitem: ICQ - {6224f700-cba3-4071-b251-47cb894244cd} - C:\PROGRA~1\ICQ\ICQ.exe
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: (no name) - {AFC3FA82-AD07-45cd-8B57-983435B9899E} - (no file)
O9 - Extra button: ICQ Lite - {B863453A-26C3-4e1f-A54D-A2CD196348E9} - C:\Program Files\ICQLite\ICQLite.exe
O9 - Extra 'Tools' menuitem: ICQ Lite - {B863453A-26C3-4e1f-A54D-A2CD196348E9} - C:\Program Files\ICQLite\ICQLite.exe
O9 - Extra button: Run IMVU - {d9288080-1baa-4bc4-9cf8-a92d743db949} - C:\Documents and Settings\Jude.JUDE-5PCD8SABXZ\Start Menu\Programs\IMVU\Run IMVU.lnk (file missing)
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: ActiveGS.cab - http://www.virtualapple.org/activegs.cab
O16 - DPF: {05CA9FB0-3E3E-4B36-BF41-0E3A5CAA8CD8} (Office Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=67633
O16 - DPF: {1239CC52-59EF-4DFA-8C61-90FFA846DF7E} (Musicnotes Viewer) - http://www.musicnotes.com/download/mnviewer.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?LinkID=39204
O16 - DPF: {39B0684F-D7BF-4743-B050-FDC3F48F7E3B} (FilePlanet Download Control Class) - http://www.fileplanet.com/fpdlmgr/cabs/FPDC_1_0_0_41.cab
O16 - DPF: {3DCEC959-378A-4922-AD7E-FD5C925D927F} (Disney Online Games ActiveX Control) - http://disney.go.com/pirates/online/testActiveX/built/signed/DisneyOnlineGames.cab
O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akamai.net/7/1540/52...pple.com/mickey/us/win/QuickTimeInstaller.exe
O16 - DPF: {5F5F9FB8-878E-4455-95E0-F64B2314288A} (ijjiPlugin2 Class) - http://gamedownload.ijjimax.com/gamedownload/dist/hgstart/HGPlugin11USA.cab
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab
O16 - DPF: {67DABFBF-D0AB-41FA-9C46-CC0F21721616} (DivXBrowserPlugin Object) - http://download.divx.com/player/DivXBrowserPlugin.cab?s6
O16 - DPF: {69EF49E5-FE46-4B92-B5FA-2193AB7A6B8A} (GameLauncher Control) - http://www.acclaim.com/cabs/acclaim_v4.cab
O16 - DPF: {70BA88C8-DAE8-4CE9-92BB-979C4A75F53B} - http://launch.gamespyarcade.com/software/launch/alaunch.cab
O16 - DPF: {77E32299-629F-43C6-AB77-6A1E6D7663F6} (Groove Control) - http://tv.disney.go.com/global/download/otoy/OTOYAX29b.cab
O16 - DPF: {7B41B7AC-3496-4C13-A70F-DE6B60A6A8A8} (MGAME manager Class) - http://www.legendofares.com/download/mgusamanagerv1001.cab
O16 - DPF: {C02226EB-A5D7-4B1F-BD7E-635E46C2288D} (Toontown Installer ActiveX Control) - http://a.download.toontown.com/sv1.0.33.7/ttinst.cab
O16 - DPF: {CC05BC12-2AA2-4AC7-AC81-0E40F83B1ADF} (Live365Player Class) - http://www.live365.com/players/play365.cab
O16 - DPF: {CD995117-98E5-4169-9920-6C12D4C0B548} (HGPlugin9USA Class) - http://gamedownload.ijjimax.com/gamedownload/dist/hgstart/HGPlugin9USA.cab
O16 - DPF: {CF40ACC5-E1BB-4AFF-AC72-04C2F616BCA7} (get_atlcom Class) - http://www.adobe.com/products/acrobat/nos/gp.cab
O16 - DPF: {D8089245-3211-40F6-819B-9E5E92CD61A2} (FlashXControl Object) - https://jackpotcity.microgaming.com/jackpotcity/FlashAX.cab
O16 - DPF: {DB7BF79A-FC51-4B5A-92BC-A65731174380} (InstantAction Game Launcher) - http://www.instantaction.com/download/iaplayer.cab
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\System32\CTsvcCDA.EXE
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: PHPGeekUtil - Unknown owner - (no file)
O23 - Service: PnkBstrA - Unknown owner - C:\WINDOWS\system32\PnkBstrA.exe
O23 - Service: PC Tools Spyware Doctor (SDhelper) - PC Tools Research Pty Ltd - C:\GBA\Spyware Doctor\sdhelp.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe
O24 - Desktop Component 0: (no name) - http://artimpressive.com/wp-content/uploads/2007/07/379858.jpg
O24 - Desktop Component 1: (no name) - http://charas-project.net/resources/Titles/6579_1171637130_small.png
O24 - Desktop Component 2: (no name) - http://upload.wikimedia.org/wikipedia/en/f/f3/SSBB_Cover.jpg

--
End of file - 10706 bytes


----------



## xintrop (Dec 5, 2007)

One more comment. While I was running SUPERAntiSpyware I noticed the "FlameHead\Cookies", so I paused the scan, went into my two sons' "Users" and deleted their temporary files and cleared cookies as I did on mine. Then restarted the scan.
*A very patient Father and Husband*


----------



## ~Candy~ (Jan 27, 2001)

The reason the kids are complaining about it running slow is probably because they are downloading copyrighted materials illegally via the BitTorrent program that I mentioned quite some time ago. You should see that that program is uninstalled, and even blocked if you have the ability to do so.

You should NEVER turn your virus program off, ESPECIALLY when downloading from that site; many of the downloads found there are virus-laden to begin with.

Sorry to hear about your auto accident, hope things turned out ok.


----------



## Cookiegal (Aug 27, 2003)

I'm sorry to hear about the car accident too and hope it wasn't too serious.

Please delete this file manually:

C:\WINDOWS\SYSTEM32\*PACIFISY.DLL*

Are you now or were you at one time running an Apache server?

I think it would be good to see a HijackThis log taken from each of the other user accounts please.


----------



## xintrop (Dec 5, 2007)

No serious injuries thank you both. Totaled cars however.
Please detail how to delete "C:\WINDOWS\SYSTEM32\PACIFISY.DLL".

After Google'n "Apache server" I questioned my youngest and he said "Yes, I needed it to get into a Hotel in a community called "Habbo" which I don't need anymore Dad."
Upon my attempt to run HijackThis on my son's user --> "It looks like you're running HijackThis from a read-only device like a CD or locked floppy disk. If you want to make backups of items you fix, you must copy Hijackthis.exe to your hard disk first, and run it from there." "If you continue, you might get 'Path/File Access' errors." Then it gives me the option "OK" and it looks like I can run a scan (which I did not until you advise). It is located in "C:\Program Files\Trend Micro\HijackThis". <-- Is that not my hard disk?


----------



## Cookiegal (Aug 27, 2003)

Yes that should be fine. You can go ahead and run the scan.

The Apache server still has a service loading so we'll take care of that once I've seen the other HijackThis scans.


----------



## Cookiegal (Aug 27, 2003)

To delete this file:

C:\WINDOWS\SYSTEM32\*PACIFISY.DLL*

Click on "*My Computer*" and then click on your *C (primary) drive*.

Click on the *Windows* folder to open it.

Now click on the *System32* folder to open it.

In the System32 folder, scroll down to the file *PACIFISY.DLL*, right-click on it and select "*Delete*" from the right-click menu.


----------



## ~Candy~ (Jan 27, 2001)

Info on Habbo, just in case you want to know 

http://www.habbo.com/


----------



## xintrop (Dec 5, 2007)

Followed instructions to delete the file "PACIFISY.DLL". As I entered the System32 folder, my avast went off (siren and all) informing me of a trojan. I panicked and sent it to the chest. I could not find "PACIFISY.DLL" there. I then did a complete search for files with "PACIFISY.DLL" in the file name, hard drives and subfolders included. Search results were negative.

Below is my oldest son's HijackThis log. My youngest's is to follow as I need to switch users.


----------



## xintrop (Dec 5, 2007)

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 7:29:46 PM, on 7/6/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINDOWS\System32\CTsvcCDA.EXE
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\system32\PnkBstrA.exe
C:\GBA\Spyware Doctor\sdhelp.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\WINDOWS\system32\devldr32.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Creative\ShareDLL\CtNotify.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\WINDOWS\System32\alg.exe
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATIAEA.EXE
C:\Program Files\DNA\btdna.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\Program Files\Creative\ShareDLL\MediaDet.Exe
C:\Program Files\CASIO\Photo Loader\Plauto.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\mIRC\mirc.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\devldr32.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Creative\ShareDLL\CtNotify.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATIAEA.EXE
C:\Program Files\AIM\aim.exe
C:\Program Files\MSN Messenger\MsnMsgr.Exe
C:\Program Files\Creative\ShareDLL\MediaDet.Exe
C:\Program Files\CASIO\Photo Loader\Plauto.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,SearchAssistant = http://search.bearshare.com/sidebar.html?src=ssb
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R3 - URLSearchHook: (no name) - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
O1 - Hosts: 92.48.81.32 iHabbixReloaded
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: CCHelper Class - {0CF0B8EE-6596-11D5-A98E-0003470BB48E} - C:\Program Files\Panicware\Pop-Up Stopper\CCHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: PCTools Site Guard - {5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB} - C:\GBA\SPYWAR~1\tools\iesdsg.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_06\bin\ssv.dll
O3 - Toolbar: Pa&nicware Pop-Up Stopper - {7E82235C-F31E-46CB-AF9F-1ADD94C585FF} - C:\Program Files\Panicware\Pop-Up Stopper\pstopper.dll
O4 - HKLM\..\Run: [Disc Detector] C:\Program Files\Creative\ShareDLL\CtNotify.exe
O4 - HKLM\..\Run: [ISUSPM Startup] "C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe" -startup
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [NvCplDaemon] "RUNDLL32.EXE" C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [ZoneAlarm Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [EPSON Stylus CX4200 Series] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATIAEA.EXE /P26 "EPSON Stylus CX4200 Series" /O6 "USB001" /M "Stylus CX4200"
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_06\bin\jusched.exe"
O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM\aim.exe -cnetwait.odl
O4 - HKCU\..\Run: [AIM Logger] C:\PROGRA~1\Nalsoft\AIMLOG~1\AIMLogger.exe /start /minimize
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKCU\..\Run: [/0123456789:;<=>[email protected]] ,-./0123456789:;<=>[email protected]
O4 - HKCU\..\Run: [Antivirus] C:\Program Files\VAV\vav.exe
O4 - HKUS\S-1-5-18\..\Run: [Spyware Doctor] "C:\GBA\Spyware Doctor\swdoctor.exe" /Q (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [Spyware Doctor] "C:\GBA\Spyware Doctor\swdoctor.exe" /Q (User 'Default user')
O4 - Startup: Scheduler.lnk = C:\Program Files\SpyCatcher 2006\Scheduler daemon.exe
O4 - Global Startup: Photo Loader supervisory.lnk = C:\Program Files\CASIO\Photo Loader\Plauto.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_06\bin\npjpi160_06.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_06\bin\npjpi160_06.dll
O9 - Extra button: Spyware Doctor - {2D663D1A-8670-49D9-A1A5-4C56B4E14E84} - C:\GBA\SPYWAR~1\tools\iesdpb.dll
O9 - Extra button: ICQ Pro - {6224f700-cba3-4071-b251-47cb894244cd} - C:\PROGRA~1\ICQ\ICQ.exe
O9 - Extra 'Tools' menuitem: ICQ - {6224f700-cba3-4071-b251-47cb894244cd} - C:\PROGRA~1\ICQ\ICQ.exe
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: (no name) - {AFC3FA82-AD07-45cd-8B57-983435B9899E} - (no file)
O9 - Extra button: ICQ Lite - {B863453A-26C3-4e1f-A54D-A2CD196348E9} - C:\Program Files\ICQLite\ICQLite.exe
O9 - Extra 'Tools' menuitem: ICQ Lite - {B863453A-26C3-4e1f-A54D-A2CD196348E9} - C:\Program Files\ICQLite\ICQLite.exe
O9 - Extra button: Run IMVU - {d9288080-1baa-4bc4-9cf8-a92d743db949} - C:\Documents and Settings\Jude.JUDE-5PCD8SABXZ\Start Menu\Programs\IMVU\Run IMVU.lnk (file missing)
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O15 - Trusted Zone: downloads.emugp.com
O15 - Trusted Zone: *.windupdates.com
O16 - DPF: ActiveGS.cab - http://www.virtualapple.org/activegs.cab
O16 - DPF: {05CA9FB0-3E3E-4B36-BF41-0E3A5CAA8CD8} (Office Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=67633
O16 - DPF: {1239CC52-59EF-4DFA-8C61-90FFA846DF7E} (Musicnotes Viewer) - http://www.musicnotes.com/download/mnviewer.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?LinkID=39204
O16 - DPF: {39B0684F-D7BF-4743-B050-FDC3F48F7E3B} (FilePlanet Download Control Class) - http://www.fileplanet.com/fpdlmgr/cabs/FPDC_1_0_0_41.cab
O16 - DPF: {3DCEC959-378A-4922-AD7E-FD5C925D927F} (Disney Online Games ActiveX Control) - http://disney.go.com/pirates/online/testActiveX/built/signed/DisneyOnlineGames.cab
O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akamai.net/7/1540/52...pple.com/mickey/us/win/QuickTimeInstaller.exe
O16 - DPF: {5F5F9FB8-878E-4455-95E0-F64B2314288A} (ijjiPlugin2 Class) - http://gamedownload.ijjimax.com/gamedownload/dist/hgstart/HGPlugin11USA.cab
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab
O16 - DPF: {67DABFBF-D0AB-41FA-9C46-CC0F21721616} (DivXBrowserPlugin Object) - http://download.divx.com/player/DivXBrowserPlugin.cab?s6
O16 - DPF: {69EF49E5-FE46-4B92-B5FA-2193AB7A6B8A} (GameLauncher Control) - http://www.acclaim.com/cabs/acclaim_v4.cab
O16 - DPF: {70BA88C8-DAE8-4CE9-92BB-979C4A75F53B} - http://launch.gamespyarcade.com/software/launch/alaunch.cab
O16 - DPF: {77E32299-629F-43C6-AB77-6A1E6D7663F6} (Groove Control) - http://tv.disney.go.com/global/download/otoy/OTOYAX29b.cab
O16 - DPF: {7B41B7AC-3496-4C13-A70F-DE6B60A6A8A8} (MGAME manager Class) - http://www.legendofares.com/download/mgusamanagerv1001.cab
O16 - DPF: {C02226EB-A5D7-4B1F-BD7E-635E46C2288D} (Toontown Installer ActiveX Control) - http://a.download.toontown.com/sv1.0.33.7/ttinst.cab
O16 - DPF: {CC05BC12-2AA2-4AC7-AC81-0E40F83B1ADF} (Live365Player Class) - http://www.live365.com/players/play365.cab
O16 - DPF: {CD995117-98E5-4169-9920-6C12D4C0B548} (HGPlugin9USA Class) - http://gamedownload.ijjimax.com/gamedownload/dist/hgstart/HGPlugin9USA.cab
O16 - DPF: {CF40ACC5-E1BB-4AFF-AC72-04C2F616BCA7} (get_atlcom Class) - http://www.adobe.com/products/acrobat/nos/gp.cab
O16 - DPF: {D8089245-3211-40F6-819B-9E5E92CD61A2} (FlashXControl Object) - https://jackpotcity.microgaming.com/jackpotcity/FlashAX.cab
O16 - DPF: {DB7BF79A-FC51-4B5A-92BC-A65731174380} (InstantAction Game Launcher) - http://www.instantaction.com/download/iaplayer.cab
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\System32\CTsvcCDA.EXE
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: PHPGeekUtil - Unknown owner - (no file)
O23 - Service: PnkBstrA - Unknown owner - C:\WINDOWS\system32\PnkBstrA.exe
O23 - Service: PC Tools Spyware Doctor (SDhelper) - PC Tools Research Pty Ltd - C:\GBA\Spyware Doctor\sdhelp.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe
O24 - Desktop Component 0: (no name) - http://myspace-944.vo.llnwd.net/01345/44/94/1345094944_l.jpg

--
End of file - 11649 bytes


----------



## xintrop (Dec 5, 2007)

BTW- My youngest son uses my user more often than his.


----------



## xintrop (Dec 5, 2007)

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 7:47:20 PM, on 7/6/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\system32\devldr32.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Creative\ShareDLL\CtNotify.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATIAEA.EXE
C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe
C:\Program Files\Java\jre1.6.0_06\bin\jusched.exe
C:\Program Files\AIM\aim.exe
C:\Program Files\Creative\ShareDLL\MediaDet.Exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\CASIO\Photo Loader\Plauto.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.newsday.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R3 - URLSearchHook: (no name) - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
O1 - Hosts: 92.48.81.32 iHabbixReloaded
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: CCHelper Class - {0CF0B8EE-6596-11D5-A98E-0003470BB48E} - C:\Program Files\Panicware\Pop-Up Stopper\CCHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: PCTools Site Guard - {5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB} - C:\GBA\SPYWAR~1\tools\iesdsg.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_06\bin\ssv.dll
O3 - Toolbar: Pa&nicware Pop-Up Stopper - {7E82235C-F31E-46CB-AF9F-1ADD94C585FF} - C:\Program Files\Panicware\Pop-Up Stopper\pstopper.dll
O4 - HKLM\..\Run: [Disc Detector] C:\Program Files\Creative\ShareDLL\CtNotify.exe
O4 - HKLM\..\Run: [ISUSPM Startup] "C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe" -startup
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [NvCplDaemon] "RUNDLL32.EXE" C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [ZoneAlarm Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [EPSON Stylus CX4200 Series] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATIAEA.EXE /P26 "EPSON Stylus CX4200 Series" /O6 "USB001" /M "Stylus CX4200"
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_06\bin\jusched.exe"
O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM\aim.exe -cnetwait.odl
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [AIM Logger] C:\PROGRA~1\Nalsoft\AIMLOG~1\AIMLogger.exe /start /minimize
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKCU\..\Run: [/0123456789:;<=>[email protected]] ,-./0123456789:;<=>[email protected]
O4 - HKCU\..\Run: [+,-./0123456789:;<=>[email protected]] ()*+,-./0123456789:;<=>[email protected]
O4 - HKCU\..\Run: [+,-./0123456789:;<=>[email protected]] ()*+,-./0123456789:;<=>[email protected]
O4 - HKCU\..\Run: [Antivirus] C:\Program Files\VAV\vav.exe
O4 - HKUS\S-1-5-18\..\Run: [Spyware Doctor] "C:\GBA\Spyware Doctor\swdoctor.exe" /Q (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [Spyware Doctor] "C:\GBA\Spyware Doctor\swdoctor.exe" /Q (User 'Default user')
O4 - Startup: Scheduler.lnk = C:\Program Files\SpyCatcher 2006\Scheduler daemon.exe
O4 - Startup: Xfire.lnk = C:\ALLSTAR\Xfire\xfire.exe
O4 - Global Startup: Photo Loader supervisory.lnk = C:\Program Files\CASIO\Photo Loader\Plauto.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_06\bin\npjpi160_06.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_06\bin\npjpi160_06.dll
O9 - Extra button: Spyware Doctor - {2D663D1A-8670-49D9-A1A5-4C56B4E14E84} - C:\GBA\SPYWAR~1\tools\iesdpb.dll
O9 - Extra button: ICQ Pro - {6224f700-cba3-4071-b251-47cb894244cd} - C:\PROGRA~1\ICQ\ICQ.exe
O9 - Extra 'Tools' menuitem: ICQ - {6224f700-cba3-4071-b251-47cb894244cd} - C:\PROGRA~1\ICQ\ICQ.exe
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: (no name) - {AFC3FA82-AD07-45cd-8B57-983435B9899E} - (no file)
O9 - Extra button: ICQ Lite - {B863453A-26C3-4e1f-A54D-A2CD196348E9} - C:\Program Files\ICQLite\ICQLite.exe
O9 - Extra 'Tools' menuitem: ICQ Lite - {B863453A-26C3-4e1f-A54D-A2CD196348E9} - C:\Program Files\ICQLite\ICQLite.exe
O9 - Extra button: Run IMVU - {d9288080-1baa-4bc4-9cf8-a92d743db949} - C:\Documents and Settings\Jude.JUDE-5PCD8SABXZ\Start Menu\Programs\IMVU\Run IMVU.lnk (file missing)
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: ActiveGS.cab - http://www.virtualapple.org/activegs.cab
O16 - DPF: {05CA9FB0-3E3E-4B36-BF41-0E3A5CAA8CD8} (Office Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=67633
O16 - DPF: {1239CC52-59EF-4DFA-8C61-90FFA846DF7E} (Musicnotes Viewer) - http://www.musicnotes.com/download/mnviewer.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?LinkID=39204
O16 - DPF: {39B0684F-D7BF-4743-B050-FDC3F48F7E3B} (FilePlanet Download Control Class) - http://www.fileplanet.com/fpdlmgr/cabs/FPDC_1_0_0_41.cab
O16 - DPF: {3DCEC959-378A-4922-AD7E-FD5C925D927F} (Disney Online Games ActiveX Control) - http://disney.go.com/pirates/online/testActiveX/built/signed/DisneyOnlineGames.cab
O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akamai.net/7/1540/52...pple.com/mickey/us/win/QuickTimeInstaller.exe
O16 - DPF: {5F5F9FB8-878E-4455-95E0-F64B2314288A} (ijjiPlugin2 Class) - http://gamedownload.ijjimax.com/gamedownload/dist/hgstart/HGPlugin11USA.cab
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab
O16 - DPF: {67DABFBF-D0AB-41FA-9C46-CC0F21721616} (DivXBrowserPlugin Object) - http://download.divx.com/player/DivXBrowserPlugin.cab?s6
O16 - DPF: {69EF49E5-FE46-4B92-B5FA-2193AB7A6B8A} (GameLauncher Control) - http://www.acclaim.com/cabs/acclaim_v4.cab
O16 - DPF: {70BA88C8-DAE8-4CE9-92BB-979C4A75F53B} - http://launch.gamespyarcade.com/software/launch/alaunch.cab
O16 - DPF: {77E32299-629F-43C6-AB77-6A1E6D7663F6} (Groove Control) - http://tv.disney.go.com/global/download/otoy/OTOYAX29b.cab
O16 - DPF: {7B41B7AC-3496-4C13-A70F-DE6B60A6A8A8} (MGAME manager Class) - http://www.legendofares.com/download/mgusamanagerv1001.cab
O16 - DPF: {C02226EB-A5D7-4B1F-BD7E-635E46C2288D} (Toontown Installer ActiveX Control) - http://a.download.toontown.com/sv1.0.33.7/ttinst.cab
O16 - DPF: {CC05BC12-2AA2-4AC7-AC81-0E40F83B1ADF} (Live365Player Class) - http://www.live365.com/players/play365.cab
O16 - DPF: {CD995117-98E5-4169-9920-6C12D4C0B548} (HGPlugin9USA Class) - http://gamedownload.ijjimax.com/gamedownload/dist/hgstart/HGPlugin9USA.cab
O16 - DPF: {CF40ACC5-E1BB-4AFF-AC72-04C2F616BCA7} (get_atlcom Class) - http://www.adobe.com/products/acrobat/nos/gp.cab
O16 - DPF: {D8089245-3211-40F6-819B-9E5E92CD61A2} (FlashXControl Object) - https://jackpotcity.microgaming.com/jackpotcity/FlashAX.cab
O16 - DPF: {DB7BF79A-FC51-4B5A-92BC-A65731174380} (InstantAction Game Launcher) - http://www.instantaction.com/download/iaplayer.cab
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\System32\CTsvcCDA.EXE
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: PHPGeekUtil - Unknown owner - (no file)
O23 - Service: PnkBstrA - Unknown owner - C:\WINDOWS\system32\PnkBstrA.exe
O23 - Service: PC Tools Spyware Doctor (SDhelper) - PC Tools Research Pty Ltd - C:\GBA\Spyware Doctor\sdhelp.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe

--
End of file - 10239 bytes


----------



## ~Candy~ (Jan 27, 2001)

xintrop said:


> BTW- My youngest son uses my user more often than his.


He's a smart one 

Seriously though, there is no reason to have user profiles if you let everyone use your account.


----------



## Cookiegal (Aug 27, 2003)

Please check in Avast's quarantine folder (or vault or whatever it's called as I'm not familiar with it) and see what the name of the file was that Avast picked off and the entire path to its location.

For the first HijackThis log for your son please do this:

Go to *Start* - *Run*, type in *cmd* and then click OK. The MS-DOS window will be displayed. At the prompt type the following:

*SC Delete PHPGeekUtil*

Then press Enter

Type Exit and press Enter.

Rescan with HijackThis, close all browser windows except HijackThis, put a check mark beside these entries and click *fix checked*.

*R3 - URLSearchHook: (no name) - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
O1 - Hosts: 92.48.81.32 iHabbixReloaded
O4 - HKCU\..\Run: [/0123456789:;<=>[email protected]] ,-./0123456789:;<=>[email protected]
O4 - HKCU\..\Run: [Antivirus] C:\Program Files\VAV\vav.exe
O15 - Trusted Zone: downloads.emugp.com
O15 - Trusted Zone: *.windupdates.com*

Reboot and post a new HijackThis log from this account.


----------



## Cookiegal (Aug 27, 2003)

For the second log:

Rescan with HijackThis, close all browser windows except HijackThis, put a check mark beside these entries and click *fix checked*.

*R3 - URLSearchHook: (no name) - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
O1 - Hosts: 92.48.81.32 iHabbixReloaded
O4 - HKCU\..\Run: [/0123456789:;<=>[email protected]] ,-./0123456789:;<=>[email protected]
O4 - HKCU\..\Run: [+,-./0123456789:;<=>[email protected]] ()*+,-./0123456789:;<=>[email protected]
O4 - HKCU\..\Run: [+,-./0123456789:;<=>[email protected]] ()*+,-./0123456789:;<=>[email protected]
O4 - HKCU\..\Run: [Antivirus] C:\Program Files\VAV\vav.exe
O23 - Service: PHPGeekUtil - Unknown owner - (no file)*

Reboot and post a new HijackThis log from this account please.
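The two fix lists above single out the same kinds of entries in both sons' logs: an orphaned URLSearchHook, a Hosts redirect, Run values that are not file paths, a Run value named "Antivirus" that is not the installed avast, Trusted Zone additions and a service with no file behind it. The script below is an added example (not part of HijackThis, nor posted by anyone in this thread) that applies those same checks to HijackThis v2.0.2 log lines; the sample log is constructed from lines in this thread, and the heuristic names (`GENERIC_NAMES`, `PATH_RE`) are the example's own.

```python
"""Triage heuristics for HijackThis v2.0.2 log lines (added example for this thread)."""
import re
from dataclasses import dataclass

# Constructed sample: lines modelled on the logs posted in this thread.
SAMPLE_LOG = r"""
R3 - URLSearchHook: (no name) - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
O1 - Hosts: 92.48.81.32 iHabbixReloaded
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [NvCplDaemon] "RUNDLL32.EXE" C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKCU\..\Run: [/0123456789:;<=>[email protected]] ,-./0123456789:;<=>[email protected]
O4 - HKCU\..\Run: [Antivirus] C:\Program Files\VAV\vav.exe
O4 - Startup: Scheduler.lnk = C:\Program Files\SpyCatcher 2006\Scheduler daemon.exe
O15 - Trusted Zone: downloads.emugp.com
O15 - Trusted Zone: *.windupdates.com
O23 - Service: PHPGeekUtil - Unknown owner - (no file)
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
"""

# "O4 - HKCU\..\Run: [name] command" -> section code and the rest of the line.
LINE_RE = re.compile(r"^(?P<section>[RFO]\d+) - (?P<body>.+)$")
# Registry Run values: hive, value name in [...], then the command.
RUN_RE = re.compile(r"^(?P<hive>\S+)\\\.\.\\Run: \[(?P<name>.*?)\] (?P<cmd>.*)$")
HOSTS_RE = re.compile(r"^Hosts: (?P<ip>\S+)\s+(?P<host>\S+)")
SERVICE_RE = re.compile(r"^Service: (?P<name>.+?) - (?P<owner>.+?) - (?P<path>.+)$")
# A legitimate autostart command starts with a drive path, an env var or RUNDLL32.
PATH_RE = re.compile(r'^"?(?:[A-Za-z]:\\|%\w+%\\|RUNDLL32(?:\.EXE)?\b)', re.I)
# Run-value names that claim to be a security product; the real AV here is avast (heuristic).
GENERIC_NAMES = {"antivirus", "anti-virus", "security", "defender", "firewall", "protection"}
LOOPBACK = {"127.0.0.1", "::1"}


@dataclass(frozen=True)
class Finding:
    section: str
    reason: str
    line: str


def triage_line(line: str):
    """Return a Finding for a suspicious HijackThis line, or None if it looks benign."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    section, body = m.group("section"), m.group("body")
    # R3 / O23 entries whose target file is gone: orphaned hook or service.
    if section in ("R3", "O23") and body.endswith("(no file)"):
        return Finding(section, "points at a file that no longer exists (orphaned entry)", line)
    # O1: any Hosts mapping other than loopback -> localhost is a redirect.
    if section == "O1":
        h = HOSTS_RE.match(body)
        if h and not (h.group("ip") in LOOPBACK and h.group("host").lower() == "localhost"):
            return Finding(section, f"Hosts file redirects {h.group('host')} to {h.group('ip')}", line)
    # O4: autostart whose command is not a path, or whose name poses as a security product.
    if section == "O4":
        r = RUN_RE.match(body)
        if r:
            name, cmd = r.group("name"), r.group("cmd")
            if not PATH_RE.match(cmd):
                return Finding(section, "Run value is not a file path (garbage or obfuscated autostart)", line)
            if name.lower() in GENERIC_NAMES:
                return Finding(section, f"Run value named '{name}' claims to be a security product; verify the publisher", line)
    # O15: every Trusted Zone addition relaxes IE security for that site and merits review.
    if section == "O15":
        return Finding(section, "site added to the IE Trusted Zone", line)
    return None


def triage(log_text: str):
    """Run triage_line over a whole log and keep only the findings."""
    return [f for f in (triage_line(ln) for ln in log_text.splitlines()) if f]


def service_cleanup_commands(findings):
    """For orphaned O23 services, build the `sc delete <name>` command used in the thread."""
    cmds = []
    for f in findings:
        if f.section != "O23":
            continue
        s = SERVICE_RE.match(LINE_RE.match(f.line.strip()).group("body"))
        if s:
            # HijackThis shows "Display Name (ServiceName)" when they differ; sc needs the latter.
            short = re.search(r"\((\S+)\)$", s.group("name"))
            cmds.append(f"sc delete {short.group(1) if short else s.group('name')}")
    return cmds


if __name__ == "__main__":
    found = triage(SAMPLE_LOG)
    for f in found:
        print(f"[{f.section}] {f.reason}\n    {f.line.strip()}")
    print(service_cleanup_commands(found))
```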


----------



## xintrop (Dec 5, 2007)

This is what I put in the avast virus chest and all the info I can find.

Original File Name = msefoi.dll
Original Folder = C:\WINDOWS\system32
Size of file = 44544
Last modification time = 8/23/2001 12:00am
Time of transfer to chest = 7/6/208 6:54:41PM
Category = Infected files
Virus description = Win32:Trojan-gen{Ot...
File ID = 268


----------



## xintrop (Dec 5, 2007)

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 8:59:48 PM, on 7/7/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\system32\devldr32.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Creative\ShareDLL\CtNotify.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATIAEA.EXE
C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe
C:\Program Files\Java\jre1.6.0_06\bin\jusched.exe
C:\Program Files\AIM\aim.exe
C:\Program Files\MSN Messenger\MsnMsgr.Exe
C:\Program Files\Creative\ShareDLL\MediaDet.Exe
C:\Program Files\CASIO\Photo Loader\Plauto.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,SearchAssistant = http://search.bearshare.com/sidebar.html?src=ssb
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
O1 - Hosts: 92.48.81.32 iHabbixReloaded
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: CCHelper Class - {0CF0B8EE-6596-11D5-A98E-0003470BB48E} - C:\Program Files\Panicware\Pop-Up Stopper\CCHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: PCTools Site Guard - {5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB} - C:\GBA\SPYWAR~1\tools\iesdsg.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_06\bin\ssv.dll
O3 - Toolbar: Pa&nicware Pop-Up Stopper - {7E82235C-F31E-46CB-AF9F-1ADD94C585FF} - C:\Program Files\Panicware\Pop-Up Stopper\pstopper.dll
O4 - HKLM\..\Run: [Disc Detector] C:\Program Files\Creative\ShareDLL\CtNotify.exe
O4 - HKLM\..\Run: [ISUSPM Startup] "C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe" -startup
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [NvCplDaemon] "RUNDLL32.EXE" C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [ZoneAlarm Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [EPSON Stylus CX4200 Series] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATIAEA.EXE /P26 "EPSON Stylus CX4200 Series" /O6 "USB001" /M "Stylus CX4200"
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_06\bin\jusched.exe"
O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM\aim.exe -cnetwait.odl
O4 - HKCU\..\Run: [AIM Logger] C:\PROGRA~1\Nalsoft\AIMLOG~1\AIMLogger.exe /start /minimize
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKUS\S-1-5-18\..\Run: [Spyware Doctor] "C:\GBA\Spyware Doctor\swdoctor.exe" /Q (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [Spyware Doctor] "C:\GBA\Spyware Doctor\swdoctor.exe" /Q (User 'Default user')
O4 - Startup: Scheduler.lnk = C:\Program Files\SpyCatcher 2006\Scheduler daemon.exe
O4 - Global Startup: Photo Loader supervisory.lnk = C:\Program Files\CASIO\Photo Loader\Plauto.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_06\bin\npjpi160_06.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_06\bin\npjpi160_06.dll
O9 - Extra button: Spyware Doctor - {2D663D1A-8670-49D9-A1A5-4C56B4E14E84} - C:\GBA\SPYWAR~1\tools\iesdpb.dll
O9 - Extra button: ICQ Pro - {6224f700-cba3-4071-b251-47cb894244cd} - C:\PROGRA~1\ICQ\ICQ.exe
O9 - Extra 'Tools' menuitem: ICQ - {6224f700-cba3-4071-b251-47cb894244cd} - C:\PROGRA~1\ICQ\ICQ.exe
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: (no name) - {AFC3FA82-AD07-45cd-8B57-983435B9899E} - (no file)
O9 - Extra button: ICQ Lite - {B863453A-26C3-4e1f-A54D-A2CD196348E9} - C:\Program Files\ICQLite\ICQLite.exe
O9 - Extra 'Tools' menuitem: ICQ Lite - {B863453A-26C3-4e1f-A54D-A2CD196348E9} - C:\Program Files\ICQLite\ICQLite.exe
O9 - Extra button: Run IMVU - {d9288080-1baa-4bc4-9cf8-a92d743db949} - C:\Documents and Settings\Jude.JUDE-5PCD8SABXZ\Start Menu\Programs\IMVU\Run IMVU.lnk (file missing)
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: ActiveGS.cab - http://www.virtualapple.org/activegs.cab
O16 - DPF: {05CA9FB0-3E3E-4B36-BF41-0E3A5CAA8CD8} (Office Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=67633
O16 - DPF: {1239CC52-59EF-4DFA-8C61-90FFA846DF7E} (Musicnotes Viewer) - http://www.musicnotes.com/download/mnviewer.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?LinkID=39204
O16 - DPF: {39B0684F-D7BF-4743-B050-FDC3F48F7E3B} (FilePlanet Download Control Class) - http://www.fileplanet.com/fpdlmgr/cabs/FPDC_1_0_0_41.cab
O16 - DPF: {3DCEC959-378A-4922-AD7E-FD5C925D927F} (Disney Online Games ActiveX Control) - http://disney.go.com/pirates/online/testActiveX/built/signed/DisneyOnlineGames.cab
O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akamai.net/7/1540/52...pple.com/mickey/us/win/QuickTimeInstaller.exe
O16 - DPF: {5F5F9FB8-878E-4455-95E0-F64B2314288A} (ijjiPlugin2 Class) - http://gamedownload.ijjimax.com/gamedownload/dist/hgstart/HGPlugin11USA.cab
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab
O16 - DPF: {67DABFBF-D0AB-41FA-9C46-CC0F21721616} (DivXBrowserPlugin Object) - http://download.divx.com/player/DivXBrowserPlugin.cab?s6
O16 - DPF: {69EF49E5-FE46-4B92-B5FA-2193AB7A6B8A} (GameLauncher Control) - http://www.acclaim.com/cabs/acclaim_v4.cab
O16 - DPF: {70BA88C8-DAE8-4CE9-92BB-979C4A75F53B} - http://launch.gamespyarcade.com/software/launch/alaunch.cab
O16 - DPF: {77E32299-629F-43C6-AB77-6A1E6D7663F6} (Groove Control) - http://tv.disney.go.com/global/download/otoy/OTOYAX29b.cab
O16 - DPF: {7B41B7AC-3496-4C13-A70F-DE6B60A6A8A8} (MGAME manager Class) - http://www.legendofares.com/download/mgusamanagerv1001.cab
O16 - DPF: {C02226EB-A5D7-4B1F-BD7E-635E46C2288D} (Toontown Installer ActiveX Control) - http://a.download.toontown.com/sv1.0.33.7/ttinst.cab
O16 - DPF: {CC05BC12-2AA2-4AC7-AC81-0E40F83B1ADF} (Live365Player Class) - http://www.live365.com/players/play365.cab
O16 - DPF: {CD995117-98E5-4169-9920-6C12D4C0B548} (HGPlugin9USA Class) - http://gamedownload.ijjimax.com/gamedownload/dist/hgstart/HGPlugin9USA.cab
O16 - DPF: {CF40ACC5-E1BB-4AFF-AC72-04C2F616BCA7} (get_atlcom Class) - http://www.adobe.com/products/acrobat/nos/gp.cab
O16 - DPF: {D8089245-3211-40F6-819B-9E5E92CD61A2} (FlashXControl Object) - https://jackpotcity.microgaming.com/jackpotcity/FlashAX.cab
O16 - DPF: {DB7BF79A-FC51-4B5A-92BC-A65731174380} (InstantAction Game Launcher) - http://www.instantaction.com/download/iaplayer.cab
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\System32\CTsvcCDA.EXE
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: PHPGeekUtil - Unknown owner - (no file)
O23 - Service: PnkBstrA - Unknown owner - C:\WINDOWS\system32\PnkBstrA.exe
O23 - Service: PC Tools Spyware Doctor (SDhelper) - PC Tools Research Pty Ltd - C:\GBA\Spyware Doctor\sdhelp.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe
O24 - Desktop Component 0: (no name) - http://myspace-944.vo.llnwd.net/01345/44/94/1345094944_l.jpg

--
End of file - 9870 bytes


----------



## xintrop (Dec 5, 2007)

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 9:16:07 PM, on 7/7/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\system32\devldr32.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Creative\ShareDLL\CtNotify.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATIAEA.EXE
C:\Program Files\Creative\ShareDLL\MediaDet.Exe
C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe
C:\Program Files\Java\jre1.6.0_06\bin\jusched.exe
C:\Program Files\AIM\aim.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\CASIO\Photo Loader\Plauto.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.newsday.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
O1 - Hosts: 92.48.81.32 iHabbixReloaded
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: CCHelper Class - {0CF0B8EE-6596-11D5-A98E-0003470BB48E} - C:\Program Files\Panicware\Pop-Up Stopper\CCHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: PCTools Site Guard - {5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB} - C:\GBA\SPYWAR~1\tools\iesdsg.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_06\bin\ssv.dll
O3 - Toolbar: Pa&nicware Pop-Up Stopper - {7E82235C-F31E-46CB-AF9F-1ADD94C585FF} - C:\Program Files\Panicware\Pop-Up Stopper\pstopper.dll
O4 - HKLM\..\Run: [Disc Detector] C:\Program Files\Creative\ShareDLL\CtNotify.exe
O4 - HKLM\..\Run: [ISUSPM Startup] "C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe" -startup
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [NvCplDaemon] "RUNDLL32.EXE" C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [ZoneAlarm Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [EPSON Stylus CX4200 Series] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATIAEA.EXE /P26 "EPSON Stylus CX4200 Series" /O6 "USB001" /M "Stylus CX4200"
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_06\bin\jusched.exe"
O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM\aim.exe -cnetwait.odl
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [AIM Logger] C:\PROGRA~1\Nalsoft\AIMLOG~1\AIMLogger.exe /start /minimize
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKCU\..\Run: [+,-./0123456789:;<=>[email protected]] ()*+,-./0123456789:;<=>[email protected]
O4 - HKUS\S-1-5-18\..\Run: [Spyware Doctor] "C:\GBA\Spyware Doctor\swdoctor.exe" /Q (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [Spyware Doctor] "C:\GBA\Spyware Doctor\swdoctor.exe" /Q (User 'Default user')
O4 - Startup: Scheduler.lnk = C:\Program Files\SpyCatcher 2006\Scheduler daemon.exe
O4 - Startup: Xfire.lnk = C:\ALLSTAR\Xfire\xfire.exe
O4 - Global Startup: Photo Loader supervisory.lnk = C:\Program Files\CASIO\Photo Loader\Plauto.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_06\bin\npjpi160_06.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_06\bin\npjpi160_06.dll
O9 - Extra button: Spyware Doctor - {2D663D1A-8670-49D9-A1A5-4C56B4E14E84} - C:\GBA\SPYWAR~1\tools\iesdpb.dll
O9 - Extra button: ICQ Pro - {6224f700-cba3-4071-b251-47cb894244cd} - C:\PROGRA~1\ICQ\ICQ.exe
O9 - Extra 'Tools' menuitem: ICQ - {6224f700-cba3-4071-b251-47cb894244cd} - C:\PROGRA~1\ICQ\ICQ.exe
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: (no name) - {AFC3FA82-AD07-45cd-8B57-983435B9899E} - (no file)
O9 - Extra button: ICQ Lite - {B863453A-26C3-4e1f-A54D-A2CD196348E9} - C:\Program Files\ICQLite\ICQLite.exe
O9 - Extra 'Tools' menuitem: ICQ Lite - {B863453A-26C3-4e1f-A54D-A2CD196348E9} - C:\Program Files\ICQLite\ICQLite.exe
O9 - Extra button: Run IMVU - {d9288080-1baa-4bc4-9cf8-a92d743db949} - C:\Documents and Settings\Jude.JUDE-5PCD8SABXZ\Start Menu\Programs\IMVU\Run IMVU.lnk (file missing)
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: ActiveGS.cab - http://www.virtualapple.org/activegs.cab
O16 - DPF: {05CA9FB0-3E3E-4B36-BF41-0E3A5CAA8CD8} (Office Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=67633
O16 - DPF: {1239CC52-59EF-4DFA-8C61-90FFA846DF7E} (Musicnotes Viewer) - http://www.musicnotes.com/download/mnviewer.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?LinkID=39204
O16 - DPF: {39B0684F-D7BF-4743-B050-FDC3F48F7E3B} (FilePlanet Download Control Class) - http://www.fileplanet.com/fpdlmgr/cabs/FPDC_1_0_0_41.cab
O16 - DPF: {3DCEC959-378A-4922-AD7E-FD5C925D927F} (Disney Online Games ActiveX Control) - http://disney.go.com/pirates/online/testActiveX/built/signed/DisneyOnlineGames.cab
O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akamai.net/7/1540/52...pple.com/mickey/us/win/QuickTimeInstaller.exe
O16 - DPF: {5F5F9FB8-878E-4455-95E0-F64B2314288A} (ijjiPlugin2 Class) - http://gamedownload.ijjimax.com/gamedownload/dist/hgstart/HGPlugin11USA.cab
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab
O16 - DPF: {67DABFBF-D0AB-41FA-9C46-CC0F21721616} (DivXBrowserPlugin Object) - http://download.divx.com/player/DivXBrowserPlugin.cab?s6
O16 - DPF: {69EF49E5-FE46-4B92-B5FA-2193AB7A6B8A} (GameLauncher Control) - http://www.acclaim.com/cabs/acclaim_v4.cab
O16 - DPF: {70BA88C8-DAE8-4CE9-92BB-979C4A75F53B} - http://launch.gamespyarcade.com/software/launch/alaunch.cab
O16 - DPF: {77E32299-629F-43C6-AB77-6A1E6D7663F6} (Groove Control) - http://tv.disney.go.com/global/download/otoy/OTOYAX29b.cab
O16 - DPF: {7B41B7AC-3496-4C13-A70F-DE6B60A6A8A8} (MGAME manager Class) - http://www.legendofares.com/download/mgusamanagerv1001.cab
O16 - DPF: {C02226EB-A5D7-4B1F-BD7E-635E46C2288D} (Toontown Installer ActiveX Control) - http://a.download.toontown.com/sv1.0.33.7/ttinst.cab
O16 - DPF: {CC05BC12-2AA2-4AC7-AC81-0E40F83B1ADF} (Live365Player Class) - http://www.live365.com/players/play365.cab
O16 - DPF: {CD995117-98E5-4169-9920-6C12D4C0B548} (HGPlugin9USA Class) - http://gamedownload.ijjimax.com/gamedownload/dist/hgstart/HGPlugin9USA.cab
O16 - DPF: {CF40ACC5-E1BB-4AFF-AC72-04C2F616BCA7} (get_atlcom Class) - http://www.adobe.com/products/acrobat/nos/gp.cab
O16 - DPF: {D8089245-3211-40F6-819B-9E5E92CD61A2} (FlashXControl Object) - https://jackpotcity.microgaming.com/jackpotcity/FlashAX.cab
O16 - DPF: {DB7BF79A-FC51-4B5A-92BC-A65731174380} (InstantAction Game Launcher) - http://www.instantaction.com/download/iaplayer.cab
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\System32\CTsvcCDA.EXE
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: PHPGeekUtil - Unknown owner - (no file)
O23 - Service: PnkBstrA - Unknown owner - C:\WINDOWS\system32\PnkBstrA.exe
O23 - Service: PC Tools Spyware Doctor (SDhelper) - PC Tools Research Pty Ltd - C:\GBA\Spyware Doctor\sdhelp.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe

--
End of file - 9886 bytes


----------
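The two HijackThis logs above share the same v2.0.2 line layout (`O1 - Hosts:`, `O4 - ...\Run: [name] command`, `O23 - Service: name - vendor - path`), and the entries a helper looks at first are the same in both: the non-default hosts entry, the `Run` value whose name is a run of punctuation, the items that point at a missing file, and the service with no vendor string. The following Python is an added example written for this thread, not code from HijackThis, OTScanIt or any poster. It parses lines of that layout and reports those review cues; the sample log is constructed from a few line shapes seen in these posts plus one made-up autostart in a Temp folder, and the names `triage_line`, `triage_log` and `Finding` are the example's own.

```python
"""
Triage pass over Trend Micro HijackThis v2 log lines.

Added example for this thread; it is not part of HijackThis, OTScanIt or any
post above. It reads log text only and groups the entries a helper normally
looks at first; it changes nothing on the machine.
"""
import re
from dataclasses import dataclass

# Every entry is "<section> - <body>", e.g. "O23 - Service: ..." or "R1 - HKLM\...".
LINE_RE = re.compile(r"^(?P<section>R\d|O\d{1,2}) - (?P<body>.+)$")
# O4 bodies look like "HKCU\..\Run: [ValueName] command line".
RUN_RE = re.compile(r"Run: \[(?P<name>[^\]]*)\]\s*(?P<cmd>.*)$")
# Characters an ordinary Run value name is made of.
SAFE_NAME_RE = re.compile(r"^[A-Za-z0-9 ._+!&()-]*$")
# Autostarts launched from scratch folders deserve a second look.
SCRATCH_DIR_RE = re.compile(
    r"\\(Temp|Local Settings\\Temporary Internet Files)\\", re.IGNORECASE
)


@dataclass(frozen=True)
class Finding:
    section: str
    reasons: tuple
    line: str


def triage_line(line: str):
    """Return a Finding for a line worth reviewing, or None for a routine one."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    section, body = m.group("section"), m.group("body")
    reasons = []
    if section == "O1":
        # HijackThis lists hosts entries beyond the default localhost line;
        # each one silently redirects a name the user did not pick.
        reasons.append("hosts file override")
    if "(no file)" in body or "(file missing)" in body:
        reasons.append("entry points at a missing file")
    if section == "O4":
        run = RUN_RE.search(body)
        if run and not SAFE_NAME_RE.match(run.group("name")):
            reasons.append("Run value name contains unusual characters")
        if run and SCRATCH_DIR_RE.search(run.group("cmd")):
            reasons.append("autostart launched from a temp folder")
    if section == "O23" and "Unknown owner" in body:
        # A service with no vendor string is a review cue, not a verdict:
        # some legitimate game anti-cheat services show up this way too.
        reasons.append("service with no vendor information")
    return Finding(section, tuple(reasons), line.strip()) if reasons else None


def triage_log(text: str):
    """Run triage_line over a whole log; findings come back in log order."""
    return [f for f in map(triage_line, text.splitlines()) if f is not None]


# Constructed sample: a few line shapes from this thread plus one made-up
# Temp-folder autostart (the "updater" line) to exercise the folder check.
SAMPLE_LOG = r"""
O1 - Hosts: 92.48.81.32 iHabbixReloaded
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKCU\..\Run: [+,-./0123:;<=>] ()*+,-./0123:;<=>
O4 - HKCU\..\Run: [updater] C:\Documents and Settings\User\Local Settings\Temp\upd.exe
O9 - Extra button: (no name) - {AFC3FA82-AD07-45cd-8B57-983435B9899E} - (no file)
O23 - Service: PHPGeekUtil - Unknown owner - (no file)
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
"""

if __name__ == "__main__":
    for f in triage_log(SAMPLE_LOG):
        print(f"{f.section:>4}  {'; '.join(f.reasons)}\n      {f.line}")
```

Run it against a saved HijackThis log with `triage_log(open("hijackthis.log").read())`. The output is a shortlist to read, not a removal list: the `PnkBstrA` service in the logs above also carries "Unknown owner" and is a legitimate anti-cheat component, which is why each finding keeps the original line for a human to judge.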



## xintrop (Dec 5, 2007)

BTW - upon typing "SC Delete PHPGeekUtill" in the MSDOS window before the first HijackThis scan:

"Access is denied."
C:\Documents and Settings\Flamehead


----------



## Cookiegal (Aug 27, 2003)

That's not the correct command. Are you sure you ran the command properly? It should only have one letter "l" at the end (not two).


----------



## xintrop (Dec 5, 2007)

I most likely ran the right command and typo'd here. I tried 3 more times just now with the same results.

Go to Start - Run type in cmd then click OK. The MSDOS window will be displayed. At the prompt type the following:

SC Delete PHPGeekUtil <---

Then press Enter


----------



## ~Candy~ (Jan 27, 2001)

Try to copy and paste from her post above, just in case.


----------



## xintrop (Dec 5, 2007)

I did try AcaCandy. DOS does not allow it ;-) Thanks


----------



## ~Candy~ (Jan 27, 2001)

Actually, it does........are you right clicking in the black box and then selecting paste?


----------



## Cookiegal (Aug 27, 2003)

Are you logged in as Flamehead when running the command?


----------



## xintrop (Dec 5, 2007)

Yes I am sure of it. What should I do now?


----------



## xintrop (Dec 5, 2007)

"Actually, it does........are you right clicking in the black box and then selecting paste?" 

Sorry, didn't read that. No, I used Ctrl+V and two fonts came up. I will try the paste again, but I am sure I typed in the right command.


----------



## Cookiegal (Aug 27, 2003)

OK, let us know please.


----------



## xintrop (Dec 5, 2007)

Copied and pasted as advised. Same results. :-(


----------



## Cookiegal (Aug 27, 2003)

What do you see when you get to the command prompt?

Does it look like this?

C:\Documents and Settings\Flamehead>


----------



## xintrop (Dec 5, 2007)

Yes.


----------



## Cookiegal (Aug 27, 2003)

Download *OTScanIt.exe* to your Desktop and double-click on it to extract the files. It will create a folder named *OTScanIt* on your desktop.

Close any open browsers.
Disconnect from the Internet.
Close/disable all anti-virus and anti-malware programs so they do not interfere with the running of OTScanIt.
Open the *OTScanIt* folder and double-click on OTScanIt.exe to start the program.
Check the box that says *Scan All User Accounts*
Under Drivers select the radio button for *All*
Check the Radio buttons for Files/Folders Created Within *90 Days* and Files/Folders Modified Within *90 Days* 
Under Additional Scans check the following:
Reg - BotCheck
Reg - Disabled MS Config Items
Reg - File Associations
Reg - Security Settings
Reg - Software Policy Settings
Reg - Uninstall List
File - Additional Folder Scans
Evnt - EventViewer Errors/Warnings (last 7 days)

Now click the *Run Scan* button on the toolbar.
The program will be scanning huge amounts of data so depending on your system it could take a long time to complete. Let it run unhindered until it finishes.
When the scan is complete Notepad will open with the report file loaded in it automatically.
Save that Notepad file. Click the *Format* menu and make sure that *Word wrap* is not checked. If it is then click on it to uncheck it.
Use the *Reply* button and upload Notepad file here as an attachment please.


----------



## xintrop (Dec 5, 2007)

"The program will be scanning huge amounts of data so depending on your system it could take a long time to complete. Let it run unhindered until it finishes"

This scan only took about 30 seconds?


----------



## xintrop (Dec 5, 2007)

"Upload Errors"
"OTScanIt.Txt:
Your file of 524.5 KB bytes exceeds the forum's limit of 500.0 KB for this filetype"


"and make sure that Word wrap is not checked. If it is then click on it to uncheck it."
I neglected to see if that was the case, will re-do scan and look. :-(


----------



## xintrop (Dec 5, 2007)

"wrap" was not checked. The file is too big to attach.


----------



## Cookiegal (Aug 27, 2003)

You can either zip it first or split it into two attachments.


----------



## xintrop (Dec 5, 2007)

I was having problems zipping the file and splitting attachments. Lost the original, so I re-ran the scan and it came out fewer KB and fits now. ?? *shrugs*

Current Attachments (492.0 KB): OTScanIt.Txt (492.0 KB)


----------



## Cookiegal (Aug 27, 2003)

Start *OTScanIt*. Copy/Paste the information in the code box below into the pane where it says *"Paste fix here"* and then click the "Run Fix" button.

The fix should only take a very short time. When the fix is completed a message box will pop up telling you that it is finished. Click the OK button and Notepad will open with a log of actions taken during the fix. Post that information back here along with a new HijackThis log please.


```
[Kill Explorer]
[Unregister Dlls]
[Win32 Services - Non-Microsoft Only]
NY -> (PHPGeekUtil) PHPGeekUtil [Win32_Own | Auto | Stopped] -> 
[Registry - Non-Microsoft Only]
< Guest Startup Folder > -> C:\Documents and Settings\Guest\Start Menu\Programs\Startup
YN -> %SystemDrive%\Documents and Settings\Guest\Start Menu\Programs\Startup\Delta AutoLoad.lnk -> %UserProfile%\My Documents\PSX\Delta\delta.exe
YN -> %SystemDrive%\Documents and Settings\Guest\Start Menu\Programs\Startup\Scheduler.lnk -> %ProgramFiles%\SpyCatcher 2006\Scheduler daemon.exe
[Registry - Additional Scans - Non-Microsoft Only]
< Uninstall List [HKEY_LOCAL_MACHINE\] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\
YN -> {3248F0A8-6813-11D6-A77B-00B0D0150060} -> J2SE Runtime Environment 5.0 Update 6
[Files/Folders - Created Within 90 days]
NY -> 7 C:\WINDOWS\*.tmp files -> C:\WINDOWS\*.tmp
[Files/Folders - Modified Within 90 days]
NY -> 33 C:\WINDOWS\System32\*.tmp files -> C:\WINDOWS\System32\*.tmp
NY -> 7 C:\WINDOWS\*.tmp files -> C:\WINDOWS\*.tmp
NY -> 37 C:\WINDOWS\Temp\*.tmp files -> C:\WINDOWS\Temp\*.tmp
[Files Modified - Additional Folder Scans - Non-Microsoft Only]
NY -> @Alternate Data Stream - 140 bytes -> %AllUsersProfile%\Application Data\TEMP:20240A47
NY -> @Alternate Data Stream - 115 bytes -> %AllUsersProfile%\Application Data\TEMP:5C321E34
NY -> @Alternate Data Stream - 135 bytes -> %AllUsersProfile%\Application Data\TEMP:7C017FB1
[Empty Temp Folders]
[Start Explorer]
[Reboot]
```


----------



## xintrop (Dec 5, 2007)

Explorer killed successfully
[Win32 Services - Non-Microsoft Only]
Service PHPGeekUtil stopped successfully.
Service PHPGeekUtil deleted successfully.
File not found.
[Registry - Non-Microsoft Only]
C:\Documents and Settings\Guest\Start Menu\Programs\Startup\Delta AutoLoad.lnk moved successfully.
File C:\Documents and Settings\Guest\Start Menu\Programs\Startup\Delta AutoLoad.lnk not found.
C:\Documents and Settings\Guest\Start Menu\Programs\Startup\Scheduler.lnk moved successfully.
File C:\Documents and Settings\Guest\Start Menu\Programs\Startup\Scheduler.lnk not found.
[Registry - Additional Scans - Non-Microsoft Only]
[Files/Folders - Created Within 90 days]
C:\WINDOWS\msdownld.tmp folder deleted successfully.
[Files/Folders - Modified Within 90 days]
[Files Modified - Additional Folder Scans - Non-Microsoft Only]
ADS C:\Documents and Settings\All Users.WINDOWS\Application Data\TEMP:20240A47 deleted successfully.
ADS C:\Documents and Settings\All Users.WINDOWS\Application Data\TEMP:5C321E34 deleted successfully.
ADS C:\Documents and Settings\All Users.WINDOWS\Application Data\TEMP:7C017FB1 deleted successfully.
[Empty Temp Folders]
File delete failed. C:\Documents and Settings\Jude.JUDE-5PCD8SABXZ\Local Settings\Temp\Temporary Internet Files\Content.IE5\XP03JDUG\comicsanimation_animemanga;sz=300x250;kl=N;kga=-1;kr=H;kw=naruto+chat+room+episode+1;kgg=-1;kmyd=ad_creative_1;tile=1;dcopt=ist;ord=509212046593431[2].56 scheduled to be deleted on reboot.
File delete failed. C:\Documents and Settings\Jude.JUDE-5PCD8SABXZ\Local Settings\Temp\Temporary Internet Files\Content.IE5\XP03JDUG\Directions;MN=93206400;u=r0a57d5a0f3c05186;wm=o;city=west%20islip;st=ny;dma=new%20york;co=usa;zip=11795;distancebucket=1;distance=12;rm=1;!c=d-jav;sz=728x90;tile=1;dco[1] scheduled to be deleted on reboot.
File delete failed. C:\Documents and Settings\Jude.JUDE-5PCD8SABXZ\Local Settings\Temp\Temporary Internet Files\Content.IE5\OIV42T2S\activity;src=1814306;met=1;v=1;pid=26317462;aid=200017524;ko=0;cid=27288792;rid=27306671;rv=1;&timestamp=1215580934281;eid1=9;ecn1=1;etm1=0;&_dc_ck=try[1].gif scheduled to be deleted on reboot.
File delete failed. C:\Documents and Settings\Jude.JUDE-5PCD8SABXZ\Local Settings\Temp\Temporary Internet Files\Content.IE5\7XKNWPGE\activity;src=1137660;met=1;v=1;pid=27167063;aid=203634151;ko=0;cid=26737561;rid=26755418;rv=1;&timestamp=7926684;eid1=9;ecn1=1;etm1=0;&_dc_ck=try[1].gif scheduled to be deleted on reboot.
File delete failed. C:\Documents and Settings\Jude.JUDE-5PCD8SABXZ\Local Settings\Temp\Temporary Internet Files\Content.IE5\7XKNWPGE\activity;src=1137660;met=1;v=1;pid=27167064;aid=203631837;ko=0;cid=26737329;rid=26755186;rv=1;&timestamp=7926903;eid1=9;ecn1=1;etm1=0;&_dc_ck=try[1].gif scheduled to be deleted on reboot.
File delete failed. C:\Documents and Settings\Jude.JUDE-5PCD8SABXZ\Local Settings\Temp\Temporary Internet Files\Content.IE5\7XKNWPGE\activity;src=1549964;met=1;v=1;pid=18708550;aid=205435170;ko=0;cid=27332028;rid=27349907;rv=1;&timestamp=1215580652156;eid1=2;ecn1=1;etm1=9;&_dc_ck=try[1].gif scheduled to be deleted on reboot.
File delete failed. C:\Documents and Settings\Jude.JUDE-5PCD8SABXZ\Local Settings\Temp\Temporary Internet Files\Content.IE5\7XKNWPGE\comicsanimation_animemanga;sz=300x250;kl=N;kga=-1;kr=H;kw=naruto+chat+room+episode+8;kgg=-1;kmyd=ad_creative_1;tile=1;dcopt=ist;ord=2935643913248042[1].5 scheduled to be deleted on reboot.
File delete failed. C:\Documents and Settings\Jude.JUDE-5PCD8SABXZ\Local Settings\Temp\Temporary Internet Files\Content.IE5\7XKNWPGE\tv_tvprograms;sz=300x250;kl=N;kga=-1;kr=F;kw=family+guy+blue+harvest+full+episode;kgg=-1;kmyd=ad_creative_1;tile=1;dcopt=ist;ord=1768854358424713[1].7 scheduled to be deleted on reboot.
File delete failed. C:\Documents and Settings\Jude.JUDE-5PCD8SABXZ\Local Settings\Temp\Temporary Internet Files\Content.IE5\03PT5325\click,JRhEAPEaBACv1A8AWvcEAAIAAAAAAP8AAAAEAgIABgOOywMAyCABAM1gBwAAAAAAAAAAAAAAAAAAAAAAAAAAAAxLdEgAAAAA,,http%3A%2F%2Fwww.tv-links.cc%2Ftop[2].htm,;ord=1215580940 scheduled to be deleted on reboot.
File delete failed. C:\Documents and Settings\Jude.JUDE-5PCD8SABXZ\Local Settings\Temp\Temporary Internet Files\Content.IE5\03PT5325\comicsanimation_animemanga;sz=300x250;kl=N;kga=-1;kr=H;kw=naruto+chat+room+episode+9;kgg=-1;kmyd=ad_creative_1;tile=1;dcopt=ist;ord=9757885532216872[2] scheduled to be deleted on reboot.
File delete failed. C:\Documents and Settings\Jude.JUDE-5PCD8SABXZ\Local Settings\Temp\Temporary Internet Files\Content.IE5\03PT5325\Maps;MN=93206397;u=r0a57d5a0f3c05186;wm=o;city=west%20islip;st=ny;dma=new%20york;co=usa;zip=11795;rm=1;!c=d-jav;sz=728x90;tile=1;dcove=d;ord=531298499[1] scheduled to be deleted on reboot.
User's Temp folder emptied.
User's Temporary Internet Files folder emptied.
User's Internet Explorer cache folder emptied.
Local Service Temp folder emptied.
Local Service Temporary Internet Files folder emptied.
File delete failed. C:\WINDOWS\temp\Perflib_Perfdata_3e8.dat scheduled to be deleted on reboot.
Windows Temp folder emptied.
Java cache emptied.
FireFox cache emptied.
RecycleBin -> emptied.
Explorer started successfully
< End of fix log >
OTScanIt by OldTimer - Version 1.0.16.2 fix logfile created on 07142008_205338

Files moved on Reboot...
File C:\Documents and Settings\Jude.JUDE-5PCD8SABXZ\Local Settings\Temp\Temporary Internet Files\Content.IE5\XP03JDUG\comicsanimation_animemanga;sz=300x250;kl=N;kga=-1;kr=H;kw=naruto+chat+room+episode+1;kgg=-1;kmyd=ad_creative_1;tile=1;dcopt=ist;ord=509212046593431[2].56 not found!
File C:\Documents and Settings\Jude.JUDE-5PCD8SABXZ\Local Settings\Temp\Temporary Internet Files\Content.IE5\XP03JDUG\Directions;MN=93206400;u=r0a57d5a0f3c05186;wm=o;city=west%20islip;st=ny;dma=new%20york;co=usa;zip=11795;distancebucket=1;distance=12;rm=1;!c=d-jav;sz=728x90;tile=1;dco[1] not found!
File C:\Documents and Settings\Jude.JUDE-5PCD8SABXZ\Local Settings\Temp\Temporary Internet Files\Content.IE5\OIV42T2S\activity;src=1814306;met=1;v=1;pid=26317462;aid=200017524;ko=0;cid=27288792;rid=27306671;rv=1;&timestamp=1215580934281;eid1=9;ecn1=1;etm1=0;&_dc_ck=try[1].gif not found!
File C:\Documents and Settings\Jude.JUDE-5PCD8SABXZ\Local Settings\Temp\Temporary Internet Files\Content.IE5\7XKNWPGE\activity;src=1137660;met=1;v=1;pid=27167063;aid=203634151;ko=0;cid=26737561;rid=26755418;rv=1;&timestamp=7926684;eid1=9;ecn1=1;etm1=0;&_dc_ck=try[1].gif not found!
File C:\Documents and Settings\Jude.JUDE-5PCD8SABXZ\Local Settings\Temp\Temporary Internet Files\Content.IE5\7XKNWPGE\activity;src=1137660;met=1;v=1;pid=27167064;aid=203631837;ko=0;cid=26737329;rid=26755186;rv=1;&timestamp=7926903;eid1=9;ecn1=1;etm1=0;&_dc_ck=try[1].gif not found!
File C:\Documents and Settings\Jude.JUDE-5PCD8SABXZ\Local Settings\Temp\Temporary Internet Files\Content.IE5\7XKNWPGE\activity;src=1549964;met=1;v=1;pid=18708550;aid=205435170;ko=0;cid=27332028;rid=27349907;rv=1;&timestamp=1215580652156;eid1=2;ecn1=1;etm1=9;&_dc_ck=try[1].gif not found!
File C:\Documents and Settings\Jude.JUDE-5PCD8SABXZ\Local Settings\Temp\Temporary Internet Files\Content.IE5\7XKNWPGE\comicsanimation_animemanga;sz=300x250;kl=N;kga=-1;kr=H;kw=naruto+chat+room+episode+8;kgg=-1;kmyd=ad_creative_1;tile=1;dcopt=ist;ord=2935643913248042[1].5 not found!
File C:\Documents and Settings\Jude.JUDE-5PCD8SABXZ\Local Settings\Temp\Temporary Internet Files\Content.IE5\7XKNWPGE\tv_tvprograms;sz=300x250;kl=N;kga=-1;kr=F;kw=family+guy+blue+harvest+full+episode;kgg=-1;kmyd=ad_creative_1;tile=1;dcopt=ist;ord=1768854358424713[1].7 not found!
File C:\Documents and Settings\Jude.JUDE-5PCD8SABXZ\Local Settings\Temp\Temporary Internet Files\Content.IE5\03PT5325\click,JRhEAPEaBACv1A8AWvcEAAIAAAAAAP8AAAAEAgIABgOOywMAyCABAM1gBwAAAAAAAAAAAAAAAAAAAAAAAAAAAAxLdEgAAAAA,,http%3A%2F%2Fwww.tv-links.cc%2Ftop[2].htm,;ord=1215580940 not found!
File C:\Documents and Settings\Jude.JUDE-5PCD8SABXZ\Local Settings\Temp\Temporary Internet Files\Content.IE5\03PT5325\comicsanimation_animemanga;sz=300x250;kl=N;kga=-1;kr=H;kw=naruto+chat+room+episode+9;kgg=-1;kmyd=ad_creative_1;tile=1;dcopt=ist;ord=9757885532216872[2] not found!
File C:\Documents and Settings\Jude.JUDE-5PCD8SABXZ\Local Settings\Temp\Temporary Internet Files\Content.IE5\03PT5325\Maps;MN=93206397;u=r0a57d5a0f3c05186;wm=o;city=west%20islip;st=ny;dma=new%20york;co=usa;zip=11795;rm=1;!c=d-jav;sz=728x90;tile=1;dcove=d;ord=531298499[1] not found!
C:\WINDOWS\temp\Perflib_Perfdata_3e8.dat moved successfully.


----------



## xintrop (Dec 5, 2007)

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 9:00:56 PM, on 7/14/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\devldr32.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINDOWS\System32\CTsvcCDA.EXE
C:\WINDOWS\notepad.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\Program Files\Creative\ShareDLL\CtNotify.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\WINDOWS\system32\PnkBstrA.exe
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATIAEA.EXE
C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe
C:\Program Files\Java\jre1.6.0_06\bin\jusched.exe
C:\Program Files\DNA\btdna.exe
C:\Program Files\Creative\ShareDLL\MediaDet.Exe
C:\GBA\Spyware Doctor\sdhelp.exe
C:\Program Files\CASIO\Photo Loader\Plauto.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\WINDOWS\System32\wbem\wmiprvse.exe
C:\WINDOWS\System32\alg.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O1 - Hosts: 92.48.81.32 iHabbixReloaded
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: CCHelper Class - {0CF0B8EE-6596-11D5-A98E-0003470BB48E} - C:\Program Files\Panicware\Pop-Up Stopper\CCHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: PCTools Site Guard - {5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB} - C:\GBA\SPYWAR~1\tools\iesdsg.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_06\bin\ssv.dll
O3 - Toolbar: Pa&nicware Pop-Up Stopper - {7E82235C-F31E-46CB-AF9F-1ADD94C585FF} - C:\Program Files\Panicware\Pop-Up Stopper\pstopper.dll
O4 - HKLM\..\Run: [Disc Detector] C:\Program Files\Creative\ShareDLL\CtNotify.exe
O4 - HKLM\..\Run: [ISUSPM Startup] "C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe" -startup
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [NvCplDaemon] "RUNDLL32.EXE" C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [ZoneAlarm Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [EPSON Stylus CX4200 Series] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATIAEA.EXE /P26 "EPSON Stylus CX4200 Series" /O6 "USB001" /M "Stylus CX4200"
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_06\bin\jusched.exe"
O4 - HKCU\..\Run: [BitTorrent DNA] "C:\Program Files\DNA\btdna.exe"
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - HKCU\..\Run: [AdobeUpdater] C:\Program Files\Common Files\Adobe\Updater5\AdobeUpdater.exe
O4 - HKCU\..\Run: [ICQ] "C:\Program Files\ICQ6\ICQ.exe" silent
O4 - HKUS\S-1-5-18\..\Run: [Spyware Doctor] "C:\GBA\Spyware Doctor\swdoctor.exe" /Q (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [Spyware Doctor] "C:\GBA\Spyware Doctor\swdoctor.exe" /Q (User 'Default user')
O4 - Global Startup: Photo Loader supervisory.lnk = C:\Program Files\CASIO\Photo Loader\Plauto.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_06\bin\ssv.dll
O9 - Extra button: Spyware Doctor - {2D663D1A-8670-49D9-A1A5-4C56B4E14E84} - C:\GBA\SPYWAR~1\tools\iesdpb.dll
O9 - Extra button: ICQ Pro - {6224f700-cba3-4071-b251-47cb894244cd} - C:\PROGRA~1\ICQ\ICQ.exe
O9 - Extra 'Tools' menuitem: ICQ - {6224f700-cba3-4071-b251-47cb894244cd} - C:\PROGRA~1\ICQ\ICQ.exe
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: (no name) - {AFC3FA82-AD07-45cd-8B57-983435B9899E} - (no file)
O9 - Extra button: ICQ Lite - {B863453A-26C3-4e1f-A54D-A2CD196348E9} - C:\Program Files\ICQLite\ICQLite.exe (file missing)
O9 - Extra 'Tools' menuitem: ICQ Lite - {B863453A-26C3-4e1f-A54D-A2CD196348E9} - C:\Program Files\ICQLite\ICQLite.exe (file missing)
O9 - Extra button: Run IMVU - {d9288080-1baa-4bc4-9cf8-a92d743db949} - C:\Documents and Settings\Jude.JUDE-5PCD8SABXZ\Start Menu\Programs\IMVU\Run IMVU.lnk (file missing)
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: ICQ6 - {E59EB121-F339-4851-A3BA-FE49C35617C2} - C:\Program Files\ICQ6\ICQ.exe
O9 - Extra 'Tools' menuitem: ICQ6 - {E59EB121-F339-4851-A3BA-FE49C35617C2} - C:\Program Files\ICQ6\ICQ.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: ActiveGS.cab - http://www.virtualapple.org/activegs.cab
O16 - DPF: {05CA9FB0-3E3E-4B36-BF41-0E3A5CAA8CD8} (Office Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=67633
O16 - DPF: {1239CC52-59EF-4DFA-8C61-90FFA846DF7E} (Musicnotes Viewer) - http://www.musicnotes.com/download/mnviewer.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?LinkID=39204
O16 - DPF: {39B0684F-D7BF-4743-B050-FDC3F48F7E3B} (FilePlanet Download Control Class) - http://www.fileplanet.com/fpdlmgr/cabs/FPDC_1_0_0_41.cab
O16 - DPF: {3DCEC959-378A-4922-AD7E-FD5C925D927F} (Disney Online Games ActiveX Control) - http://disney.go.com/pirates/online/testActiveX/built/signed/DisneyOnlineGames.cab
O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akamai.net/7/1540/52...pple.com/mickey/us/win/QuickTimeInstaller.exe
O16 - DPF: {5F5F9FB8-878E-4455-95E0-F64B2314288A} (ijjiPlugin2 Class) - http://gamedownload.ijjimax.com/gamedownload/dist/hgstart/HGPlugin11USA.cab
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab
O16 - DPF: {67DABFBF-D0AB-41FA-9C46-CC0F21721616} (DivXBrowserPlugin Object) - http://download.divx.com/player/DivXBrowserPlugin.cab?s6
O16 - DPF: {69EF49E5-FE46-4B92-B5FA-2193AB7A6B8A} (GameLauncher Control) - http://www.acclaim.com/cabs/acclaim_v4.cab
O16 - DPF: {70BA88C8-DAE8-4CE9-92BB-979C4A75F53B} - http://launch.gamespyarcade.com/software/launch/alaunch.cab
O16 - DPF: {77E32299-629F-43C6-AB77-6A1E6D7663F6} (Groove Control) - http://tv.disney.go.com/global/download/otoy/OTOYAX29b.cab
O16 - DPF: {7B41B7AC-3496-4C13-A70F-DE6B60A6A8A8} (MGAME manager Class) - http://www.legendofares.com/download/mgusamanagerv1001.cab
O16 - DPF: {CC05BC12-2AA2-4AC7-AC81-0E40F83B1ADF} (Live365Player Class) - http://www.live365.com/players/play365.cab
O16 - DPF: {CD995117-98E5-4169-9920-6C12D4C0B548} (HGPlugin9USA Class) - http://gamedownload.ijjimax.com/gamedownload/dist/hgstart/HGPlugin9USA.cab
O16 - DPF: {CF40ACC5-E1BB-4AFF-AC72-04C2F616BCA7} (get_atlcom Class) - http://www.adobe.com/products/acrobat/nos/gp.cab
O16 - DPF: {D8089245-3211-40F6-819B-9E5E92CD61A2} (FlashXControl Object) - https://jackpotcity.microgaming.com/jackpotcity/FlashAX.cab
O16 - DPF: {DB7BF79A-FC51-4B5A-92BC-A65731174380} (InstantAction Game Launcher) - http://www.instantaction.com/download/iaplayer.cab
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\System32\CTsvcCDA.EXE
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: PnkBstrA - Unknown owner - C:\WINDOWS\system32\PnkBstrA.exe
O23 - Service: PC Tools Spyware Doctor (SDhelper) - PC Tools Research Pty Ltd - C:\GBA\Spyware Doctor\sdhelp.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe
O24 - Desktop Component 0: (no name) - http://artimpressive.com/wp-content/uploads/2007/07/379858.jpg
O24 - Desktop Component 1: (no name) - http://charas-project.net/resources/Titles/6579_1171637130_small.png
O24 - Desktop Component 2: (no name) - http://upload.wikimedia.org/wikipedia/en/f/f3/SSBB_Cover.jpg

--
End of file - 10973 bytes


----------



## Cookiegal (Aug 27, 2003)

OK, that's good. We deleted the service with OTScanIt.

How are things now?


----------



## xintrop (Dec 5, 2007)

It has seemed to be working fine since the beginning. 
"OK, that's good. We deleted the service with OTScanIt." What service is that?

I have been so busy working that almost all I do is use the PC to come here and try to fix it. Also, all the programs used to fix it, i.e. SUPERAntiSpyware etc. I always keep HijackThis in case I need to come back, but have you a program to delete everything we used besides that? I remember doing so in the past. I also plan on deleting a ton of programs my little guy has downloaded.
Many thanks.


----------



## Cookiegal (Aug 27, 2003)

It was the PHPGeekUtil service that I was trying to get you to delete with the command. It was related to the Apache server, but the file was missing and the service was trying to start up, so it was showing up in the error logs all the time.

Here are some final instructions for you.

The following program will remove some of the tools we've used and their associated files and backups and then it will delete itself.

Please download *OTMoveIt2 by OldTimer*.

*Save* it to your *desktop*.
Make sure you have an Internet Connection.
Double-click *OTMoveIt.exe* to run it. (Vista users, please right-click on *OTMoveIt2.exe* and select "Run as an *Administrator*")
Click on the *CleanUp!* button
A list of tool components used in the cleanup of malware will be downloaded.
If your firewall or real-time protection attempts to block OTMoveIt2 from reaching the Internet, please allow the application to do so.
Click Yes to begin the cleanup process and remove these components, including this application which will delete itself.
You will be asked to reboot the machine to finish the cleanup process. If you are asked to reboot the machine choose *Yes.*

Now you should turn system restore off to flush out all previous system restore points, then turn it back on and create a new restore point:

To turn off system restore, on the Desktop, right click on *My Computer* and click on *Properties.*
Click the *System Restore* tab.
Check *Turn off System Restore.*
Click Apply and then click OK.

Restart your computer, turn System Restore back on and create a restore point.

To create a new restore point, click on *Start* > *All Programs* > *Accessories* > *System Tools* and then select *System Restore*.

In the System Restore wizard, select *Create a restore point* and click the Next button.

Type a name for your new restore point then click on Create.

I also recommend downloading  *SPYWAREBLASTER* for added protection.

*Read here* for info on how to tighten your security.

Delete Temporary Files:

Go to *Start* - *Run* and type in *cleanmgr* and click OK.
Let it scan your system for files to remove.
Make sure Temporary Files, Temporary Internet Files, and Recycle Bin are the only things checked.
Press OK to remove them.

***

You should trim down your start-ups (these show as the O4 entries in your HijackThis log) as there are too many running. You can research them at these sites and if they aren't required at start-up then you can uncheck them in msconfig via Start - Run - type msconfig, click OK and then click on the Startup tab.

http://castlecops.com/StartupList.html
http://www.bleepingcomputer.com/startups/
http://www.windowsstartup.com/wso/index.php
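The sorting of start-up names given later in this thread (avast! and ZoneAlarm stay, ISUSPM and NvCpl are not needed) can be applied mechanically to the O4 lines of a HijackThis log. The following is an added example written for this page, not code from HijackThis or from anyone in the thread; the verdict table holds only the four names judged here, and the "research" default, the O23 unknown-owner check and the sample lines (taken from the logs posted above) are this example's own assumptions.

```python
"""Triage the O4 (start-up) lines of a HijackThis log.

Added example for this thread, not part of HijackThis or of anything the
posters ran.  It parses the O4 lines of a log, extracts the Run-key name
and the program image, and marks each entry with the verdict given in the
thread: ashDisp (avast!) and zlclient (ZoneAlarm) stay, ISUSPM and NvCpl
are not needed at start-up.  Anything else is marked "research" so that it
is looked up in a start-up database before being unchecked in msconfig.
O23 services with no identified vendor are listed separately for review.
"""
import re
from dataclasses import dataclass

# Constructed sample: a subset of the lines from the second log in the thread.
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [Disc Detector] C:\Program Files\Creative\ShareDLL\CtNotify.exe
O4 - HKLM\..\Run: [ISUSPM Startup] "C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe" -startup
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [NvCplDaemon] "RUNDLL32.EXE" C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [ZoneAlarm Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKUS\S-1-5-18\..\Run: [Spyware Doctor] "C:\GBA\Spyware Doctor\swdoctor.exe" /Q (User 'SYSTEM')
O4 - Global Startup: Photo Loader supervisory.lnk = C:\Program Files\CASIO\Photo Loader\Plauto.exe
O23 - Service: PnkBstrA - Unknown owner - C:\WINDOWS\system32\PnkBstrA.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe
"""

# Registry-backed entries: "O4 - HKLM\..\Run: [Name] command line"
RUN_RE = re.compile(r'^O4 - (?P<hive>.+?)\\\.\.\\Run(?:Once)?: \[(?P<name>[^\]]*)\] (?P<cmd>.*)$')
# Start-menu entries: "O4 - Global Startup: Name.lnk = target"
GLOBAL_RE = re.compile(r'^O4 - (?:Global )?Startup: (?P<name>.+?) = (?P<cmd>.*)$')
# First drive-letter path ending in an executable image inside a command line.
IMAGE_RE = re.compile(r'[A-Za-z]:\\[^",]*?\.(?:exe|dll|lnk)', re.IGNORECASE)
# O23 services whose vendor HijackThis could not identify.
UNKNOWN_SVC_RE = re.compile(r'^O23 - Service: (?P<name>.+?) - Unknown owner - (?P<path>.*)$')

# Verdicts as given in the thread for the four names the poster asked about.
# Everything else falls through to "research" (this example's assumption).
VERDICTS = {
    "ashdisp": ("keep", "avast! resident scanner tray"),
    "zlclient": ("keep", "ZoneAlarm firewall client"),
    "isuspm": ("disable", "InstallShield Update Service, not required at start-up"),
    "nvcpl": ("disable", "NVIDIA control panel loader, only needed when overclocking"),
}


@dataclass
class StartupEntry:
    hive: str
    name: str
    image: str
    verdict: str
    reason: str


def image_basename(cmd: str) -> str:
    """Lower-cased file name (no extension) of the program an O4 line runs.

    A quoted RUNDLL32.EXE carries no drive path, so for rundll32 entries the
    first path found is the DLL being loaded, which is the component to judge.
    """
    match = IMAGE_RE.search(cmd)
    image = match.group(0) if match else cmd.split()[0].strip('"')
    base = image.rsplit("\\", 1)[-1]
    return base.rsplit(".", 1)[0].lower()


def triage(log_text: str) -> list:
    """Return one StartupEntry per O4 line, with the verdict for its image."""
    entries = []
    for line in log_text.splitlines():
        m = RUN_RE.match(line)
        if m:
            hive, name, cmd = m.group("hive"), m.group("name"), m.group("cmd")
        else:
            m = GLOBAL_RE.match(line)
            if not m:
                continue
            hive, name, cmd = "Startup folder", m.group("name"), m.group("cmd")
        base = image_basename(cmd)
        verdict, reason = VERDICTS.get(
            base, ("research", "look up in a start-up database before unchecking"))
        entries.append(StartupEntry(hive, name, base, verdict, reason))
    return entries


def unknown_owner_services(log_text: str) -> list:
    """(name, path) for every O23 service HijackThis shows as 'Unknown owner'."""
    return [(m.group("name"), m.group("path"))
            for m in map(UNKNOWN_SVC_RE.match, log_text.splitlines()) if m]


if __name__ == "__main__":
    for e in triage(SAMPLE_LOG):
        print(f"{e.verdict:8} {e.name:22} {e.image:10} [{e.hive}] {e.reason}")
    for name, path in unknown_owner_services(SAMPLE_LOG):
        print(f"check    service {name!r} has no identified vendor: {path}")
```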


----------



## xintrop (Dec 5, 2007)

Hello and thank you again for all your help.
I am having an issue with cleanmgr. I tried three times to run it. As I look at Task Manager, my CPU usage is running at close to 100% when it is running that program.
I do have SPYWAREBLASTER installed already btw. 
I do have ATF-Cleaner and CCleaner installed. Would either of these programs do the same thing as cleanmgr?
I am going to skip to trimming down my start ups, delete some programs that my little guy keeps on downloading until I hear back from you regarding cleanmgr.
Have a great day!


----------



## xintrop (Dec 5, 2007)

Oh, I forgot to let you know: due to the PC working so hard ("CPU Usage is running at close to 100%") when running cleanmgr, my PC keeps shutting down. It just turns off.


----------



## xintrop (Dec 5, 2007)

Ok, I looked for the following in my startup. I have it down to the following 4 programs that start.

ISUSPM
ashDisp
NvCpl
zlclient

I did not see the three you listed. As a matter of fact, upon Google searching startups, one of the sites that talks about startup items is castlecops.com! Am I missing something here?


----------



## Cookiegal (Aug 27, 2003)

xintrop said:


> Oh, I forgot to let you know: due to the PC working so hard ("CPU Usage is running at close to 100%") when running cleanmgr, my PC keeps shutting down. It just turns off.


Sounds like it's overheating. It's normal for the CPU usage to go up high when running CleanMgr but it's possible you don't have the resources to run it.

How much RAM do you have?

What is the size of the paging file? To find that information, do this:

Click Start, and then click Control Panel.
If in Category view, click on Performance and Maintenance and then click System (if in Classic view just click System).
On the Advanced tab, under Performance, click Settings.
On the Advanced tab, under Virtual memory, click Change.
Don't change anything, but let me know what it says the size of the initial file is.


----------



## Cookiegal (Aug 27, 2003)

xintrop said:


> Ok, I looked for the following in my startup. I have it down to the following 4 programs that start.
> 
> ISUSPM
> ashDisp
> ...


I don't understand what you're saying about the "three I listed". One of them was CastleCops.

These are the four you mentioned above:

ISUSPM - InstallShield Update Service. It's not required at startup.
ashDisp - Avast - YES. Leave to run at startup.
NvCpl - Nvidia - Not needed unless you're overclocking your graphics card.
zlclient - Zone Alarm - YES. Leave to run at startup.

Please post a new HijackThis log.


----------



## ~Candy~ (Jan 27, 2001)

You can stop your little guy from being able to install programs. Take away his administrator rights on his user profile.


----------



## xintrop (Dec 5, 2007)

AcaCandy said:


> You can stop your little guy from being able to install programs. Take away his administrator rights on his user profile.


We are both here atm discussing this now, AcaCandy, and have come to an agreement. We have been going over programs; the "bit torrent" programs and Limewire have been deleted, as well as about 15 other programs he downloaded at one time or another and decided he didn't like. Thanks for your input.


----------



## xintrop (Dec 5, 2007)

Cookiegal said:


> Sounds like it's overheating. It's normal for the CPU usage to go up high when running CleanMgr but it's possible you don't have the resources to run it.
> 
> How much RAM do you have?
> 
> Initial size (MB): 1536


----------



## xintrop (Dec 5, 2007)

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 4:09:25 PM, on 7/20/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\devldr32.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINDOWS\System32\CTsvcCDA.EXE
C:\Program Files\Creative\ShareDLL\CtNotify.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\system32\PnkBstrA.exe
C:\Program Files\Creative\ShareDLL\MediaDet.Exe
C:\GBA\Spyware Doctor\sdhelp.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\WINDOWS\System32\alg.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\WINDOWS\system32\taskmgr.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
C:\WINDOWS\System32\wbem\wmiprvse.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O1 - Hosts: 92.48.81.32 iHabbixReloaded
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: CCHelper Class - {0CF0B8EE-6596-11D5-A98E-0003470BB48E} - C:\Program Files\Panicware\Pop-Up Stopper\CCHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: PCTools Site Guard - {5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB} - C:\GBA\SPYWAR~1\tools\iesdsg.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_06\bin\ssv.dll
O3 - Toolbar: Pa&nicware Pop-Up Stopper - {7E82235C-F31E-46CB-AF9F-1ADD94C585FF} - C:\Program Files\Panicware\Pop-Up Stopper\pstopper.dll
O4 - HKLM\..\Run: [Disc Detector] C:\Program Files\Creative\ShareDLL\CtNotify.exe
O4 - HKLM\..\Run: [ISUSPM Startup] "C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe" -startup
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [NvCplDaemon] "RUNDLL32.EXE" C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [ZoneAlarm Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKUS\S-1-5-18\..\Run: [Spyware Doctor] "C:\GBA\Spyware Doctor\swdoctor.exe" /Q (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [Spyware Doctor] "C:\GBA\Spyware Doctor\swdoctor.exe" /Q (User 'Default user')
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_06\bin\ssv.dll
O9 - Extra button: Spyware Doctor - {2D663D1A-8670-49D9-A1A5-4C56B4E14E84} - C:\GBA\SPYWAR~1\tools\iesdpb.dll
O9 - Extra button: ICQ Pro - {6224f700-cba3-4071-b251-47cb894244cd} - C:\PROGRA~1\ICQ\ICQ.exe
O9 - Extra 'Tools' menuitem: ICQ - {6224f700-cba3-4071-b251-47cb894244cd} - C:\PROGRA~1\ICQ\ICQ.exe
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: (no name) - {AFC3FA82-AD07-45cd-8B57-983435B9899E} - (no file)
O9 - Extra button: ICQ Lite - {B863453A-26C3-4e1f-A54D-A2CD196348E9} - C:\Program Files\ICQLite\ICQLite.exe (file missing)
O9 - Extra 'Tools' menuitem: ICQ Lite - {B863453A-26C3-4e1f-A54D-A2CD196348E9} - C:\Program Files\ICQLite\ICQLite.exe (file missing)
O9 - Extra button: Run IMVU - {d9288080-1baa-4bc4-9cf8-a92d743db949} - C:\Documents and Settings\Jude.JUDE-5PCD8SABXZ\Start Menu\Programs\IMVU\Run IMVU.lnk (file missing)
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: ICQ6 - {E59EB121-F339-4851-A3BA-FE49C35617C2} - C:\Program Files\ICQ6\ICQ.exe
O9 - Extra 'Tools' menuitem: ICQ6 - {E59EB121-F339-4851-A3BA-FE49C35617C2} - C:\Program Files\ICQ6\ICQ.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: ActiveGS.cab - http://www.virtualapple.org/activegs.cab
O16 - DPF: {05CA9FB0-3E3E-4B36-BF41-0E3A5CAA8CD8} (Office Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=67633
O16 - DPF: {1239CC52-59EF-4DFA-8C61-90FFA846DF7E} (Musicnotes Viewer) - http://www.musicnotes.com/download/mnviewer.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?LinkID=39204
O16 - DPF: {39B0684F-D7BF-4743-B050-FDC3F48F7E3B} (FilePlanet Download Control Class) - http://www.fileplanet.com/fpdlmgr/cabs/FPDC_1_0_0_41.cab
O16 - DPF: {3DCEC959-378A-4922-AD7E-FD5C925D927F} (Disney Online Games ActiveX Control) - http://disney.go.com/pirates/online/testActiveX/built/signed/DisneyOnlineGames.cab
O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akamai.net/7/1540/52...pple.com/mickey/us/win/QuickTimeInstaller.exe
O16 - DPF: {5F5F9FB8-878E-4455-95E0-F64B2314288A} (ijjiPlugin2 Class) - http://gamedownload.ijjimax.com/gamedownload/dist/hgstart/HGPlugin11USA.cab
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab
O16 - DPF: {67DABFBF-D0AB-41FA-9C46-CC0F21721616} (DivXBrowserPlugin Object) - http://download.divx.com/player/DivXBrowserPlugin.cab?s6
O16 - DPF: {69EF49E5-FE46-4B92-B5FA-2193AB7A6B8A} (GameLauncher Control) - http://www.acclaim.com/cabs/acclaim_v4.cab
O16 - DPF: {70BA88C8-DAE8-4CE9-92BB-979C4A75F53B} - http://launch.gamespyarcade.com/software/launch/alaunch.cab
O16 - DPF: {77E32299-629F-43C6-AB77-6A1E6D7663F6} (Groove Control) - http://tv.disney.go.com/global/download/otoy/OTOYAX29b.cab
O16 - DPF: {7B41B7AC-3496-4C13-A70F-DE6B60A6A8A8} (MGAME manager Class) - http://www.legendofares.com/download/mgusamanagerv1001.cab
O16 - DPF: {CC05BC12-2AA2-4AC7-AC81-0E40F83B1ADF} (Live365Player Class) - http://www.live365.com/players/play365.cab
O16 - DPF: {CD995117-98E5-4169-9920-6C12D4C0B548} (HGPlugin9USA Class) - http://gamedownload.ijjimax.com/gamedownload/dist/hgstart/HGPlugin9USA.cab
O16 - DPF: {D8089245-3211-40F6-819B-9E5E92CD61A2} (FlashXControl Object) - https://jackpotcity.microgaming.com/jackpotcity/FlashAX.cab
O16 - DPF: {DB7BF79A-FC51-4B5A-92BC-A65731174380} (InstantAction Game Launcher) - http://www.instantaction.com/download/iaplayer.cab
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\System32\CTsvcCDA.EXE
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: PnkBstrA - Unknown owner - C:\WINDOWS\system32\PnkBstrA.exe
O23 - Service: PC Tools Spyware Doctor (SDhelper) - PC Tools Research Pty Ltd - C:\GBA\Spyware Doctor\sdhelp.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe
O24 - Desktop Component 0: (no name) - http://artimpressive.com/wp-content/uploads/2007/07/379858.jpg
O24 - Desktop Component 1: (no name) - http://charas-project.net/resources/Titles/6579_1171637130_small.png
O24 - Desktop Component 2: (no name) - http://upload.wikimedia.org/wikipedia/en/f/f3/SSBB_Cover.jpg

--
End of file - 9591 bytes


----------



## ~Candy~ (Jan 27, 2001)

xintrop said:


> We are both here atm discussing this now AcaCandy and have come to an agreement. We have been going over programs "bit torrent" programs and Limewire have been deleted as well as about 15 other programs he downloaded at one time or another and decided he didn't like them. Thanks for your input.


:up:


----------



## Cookiegal (Aug 27, 2003)

I also need this information please.

What is the size of the paging file? To find that information, do this:

Click Start, and then click Control Panel.
If in Category view, click on Performance and Maintenance and then click System (if in Classic view just click System).
On the Advanced tab, under Performance, click Settings.
On the Advanced tab, under Virtual memory, click Change.
Don't change anything, but let me know what it says the size of the initial file is.


----------



## xintrop (Dec 5, 2007)

Paging File Size (MB)
C: 1536-3072

Paging file size for selected drive
Drive C:
Space available 28964 MB
Initial size (MB) 1536
Maximum size (MB) 3072
Total paging file size for all drives
Minimum allowed 2MB
Recommended 1534 MB
Currently Allocated 1534 MB


----------



## Cookiegal (Aug 27, 2003)

OK, it looks like you have 1gb of RAM.

This could be a problem:

*Space available 28964 MB*

Do you defrag the computer regularly and clean out Temporary and Temporary Internet files?


----------



## xintrop (Dec 5, 2007)

I do clean out temporary internet files, but rarely defrag. I believe due to the same issue as when I tried to run cleanmgr. The pc shuts down if I recall.
I just ran CCleaner --> 

Space available 28993, not much of a difference.


----------



## ~Candy~ (Jan 27, 2001)

That's still quite a bit of free space, isn't it?


----------



## Cookiegal (Aug 27, 2003)

I didn't think it looked like much but I wasn't sure. 

Do you have any other ideas why the machine would be shutting down running CleanMgr?


----------



## xintrop (Dec 5, 2007)

Like I said, sometimes when I try to defrag, my son is watching streaming cartoons (he will use Wii online instead now) or using programs or sites that get the CPU usage close to 100%.

I am going to try again as soon as I can. I have been very busy the last week or so and the only time I can sit down here is on weekends, if I am not working overtime.


----------



## Cookiegal (Aug 27, 2003)

Actually I was asking Candy if she had any ideas as she's very knowledgeable about these things. 

But you shouldn't be running other programs when defragging the computer.

Let's take a look in the Event Viewer as well to see if there are any errors logged that may be helpful with troubleshooting.

Please go to *Start* - *Run* - type in *eventvwr.msc* to open the event viewer. Look under both "Application" and "System" for recent (the last 48 hours or so) errors (shown in red) and if found, do this for each one.

Double-click the error to open it up and then click on the icon that looks like two pieces of paper. This will copy the full error. Then "paste" the error into Notepad. Do this for each one until you have them all listed in Notepad and then copy and paste the list in a reply here please.


----------



## ~Candy~ (Jan 27, 2001)

Oops, I didn't see the question in your post, I looked right after you posted, so maybe you added it? 

Usually shutting down while running an intensive process is related to heat build-up, either hard drive, video card, or CPU.

If the BIOS setting has a shutdown temperature, it may reach that point and shut down.


----------



## xintrop (Dec 5, 2007)

There are a total of 12 of these at different times of the day/night (most when I am sleeping), so my son is online then. As a matter of fact, I am at work at 3:24:24 PM, so that's him as well. All the errors are the same, so I won't bother pasting them all.

Event Type:	Error
Event Source:	Application Hang
Event Category:	(101)
Event ID:	1002
Date: 7/24/2008
Time: 3:24:24 PM
User: N/A
Computer:	JUDE-5PCD8SABXZ
Description:
Hanging application iexplore.exe, version 6.0.2900.2180, hang module hungapp, version 0.0.0.0, hang address 0x00000000.

For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.
Data:
0000: 41 70 70 6c 69 63 61 74 Applicat
0008: 69 6f 6e 20 48 61 6e 67 ion Hang
0010: 20 20 69 65 78 70 6c 6f iexplo
0018: 72 65 2e 65 78 65 20 36 re.exe 6
0020: 2e 30 2e 32 39 30 30 2e .0.2900.
0028: 32 31 38 30 20 69 6e 20 2180 in 
0030: 68 75 6e 67 61 70 70 20 hungapp 
0038: 30 2e 30 2e 30 2e 30 20 0.0.0.0 
0040: 61 74 20 6f 66 66 73 65 at offse
0048: 74 20 30 30 30 30 30 30 t 000000
0050: 30 30 00

Event Type:	Error
Event Source:	Application Hang
Event Category:	(101)
Event ID:	1002
Date: 7/22/2008
Time: 1:55:24 AM
User: N/A
Computer:	JUDE-5PCD8SABXZ
Description:
Hanging application iexplore.exe, version 6.0.2900.2180, hang module hungapp, version 0.0.0.0, hang address 0x00000000.

For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.
Data:
0000: 41 70 70 6c 69 63 61 74 Applicat
0008: 69 6f 6e 20 48 61 6e 67 ion Hang
0010: 20 20 69 65 78 70 6c 6f iexplo
0018: 72 65 2e 65 78 65 20 36 re.exe 6
0020: 2e 30 2e 32 39 30 30 2e .0.2900.
0028: 32 31 38 30 20 69 6e 20 2180 in 
0030: 68 75 6e 67 61 70 70 20 hungapp 
0038: 30 2e 30 2e 30 2e 30 20 0.0.0.0 
0040: 61 74 20 6f 66 66 73 65 at offse
0048: 74 20 30 30 30 30 30 30 t 000000
0050: 30 30 00

Event Type:	Error
Event Source:	Application Hang
Event Category:	(101)
Event ID:	1002
Date: 7/22/2008
Time: 1:55:24 AM
User: N/A
Computer:	JUDE-5PCD8SABXZ
Description:
Hanging application iexplore.exe, version 6.0.2900.2180, hang module hungapp, version 0.0.0.0, hang address 0x00000000.

For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.
Data:
0000: 41 70 70 6c 69 63 61 74 Applicat
0008: 69 6f 6e 20 48 61 6e 67 ion Hang
0010: 20 20 69 65 78 70 6c 6f iexplo
0018: 72 65 2e 65 78 65 20 36 re.exe 6
0020: 2e 30 2e 32 39 30 30 2e .0.2900.
0028: 32 31 38 30 20 69 6e 20 2180 in 
0030: 68 75 6e 67 61 70 70 20 hungapp 
0038: 30 2e 30 2e 30 2e 30 20 0.0.0.0 
0040: 61 74 20 6f 66 66 73 65 at offse
0048: 74 20 30 30 30 30 30 30 t 000000
0050: 30 30 00

Event Type:	Error
Event Source:	Application Hang
Event Category:	(101)
Event ID:	1002
Date: 7/22/2008
Time: 1:29:48 AM
User: N/A
Computer:	JUDE-5PCD8SABXZ
Description:
Hanging application ruby186-26[1].exe, version 1.8.6.111, hang module hungapp, version 0.0.0.0, hang address 0x00000000.

For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.
Data:
0000: 41 70 70 6c 69 63 61 74 Applicat
0008: 69 6f 6e 20 48 61 6e 67 ion Hang
0010: 20 20 72 75 62 79 31 38 ruby18
0018: 36 2d 32 36 5b 31 5d 2e 6-26[1].
0020: 65 78 65 20 31 2e 38 2e exe 1.8.
0028: 36 2e 31 31 31 20 69 6e 6.111 in
0030: 20 68 75 6e 67 61 70 70 hungapp
0038: 20 30 2e 30 2e 30 2e 30 0.0.0.0
0040: 20 61 74 20 6f 66 66 73 at offs
0048: 65 74 20 30 30 30 30 30 et 00000
0050: 30 30 30 000

Event Type:	Error
Event Source:	Application Hang
Event Category:	(101)
Event ID:	1002
Date: 7/22/2008
Time: 1:29:48 AM
User: N/A
Computer:	JUDE-5PCD8SABXZ
Description:
Hanging application ruby186-26[1].exe, version 1.8.6.111, hang module hungapp, version 0.0.0.0, hang address 0x00000000.

For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.
Data:
0000: 41 70 70 6c 69 63 61 74 Applicat
0008: 69 6f 6e 20 48 61 6e 67 ion Hang
0010: 20 20 72 75 62 79 31 38 ruby18
0018: 36 2d 32 36 5b 31 5d 2e 6-26[1].
0020: 65 78 65 20 31 2e 38 2e exe 1.8.
0028: 36 2e 31 31 31 20 69 6e 6.111 in
0030: 20 68 75 6e 67 61 70 70 hungapp
0038: 20 30 2e 30 2e 30 2e 30 0.0.0.0
0040: 20 61 74 20 6f 66 66 73 at offs
0048: 65 74 20 30 30 30 30 30 et 00000
0050: 30 30 30 000

Event Type:	Error
Event Source:	Application Hang
Event Category:	(101)
Event ID:	1002
Date: 7/22/2008
Time: 1:29:46 AM
User: N/A
Computer:	JUDE-5PCD8SABXZ
Description:
Hanging application ruby186-26[1].exe, version 1.8.6.111, hang module hungapp, version 0.0.0.0, hang address 0x00000000.

For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.
Data:
0000: 41 70 70 6c 69 63 61 74 Applicat
0008: 69 6f 6e 20 48 61 6e 67 ion Hang
0010: 20 20 72 75 62 79 31 38 ruby18
0018: 36 2d 32 36 5b 31 5d 2e 6-26[1].
0020: 65 78 65 20 31 2e 38 2e exe 1.8.
0028: 36 2e 31 31 31 20 69 6e 6.111 in
0030: 20 68 75 6e 67 61 70 70 hungapp
0038: 20 30 2e 30 2e 30 2e 30 0.0.0.0
0040: 20 61 74 20 6f 66 66 73 at offs
0048: 65 74 20 30 30 30 30 30 et 00000
0050: 30 30 30 000

Event Type:	Error
Event Source:	Application Hang
Event Category:	(101)
Event ID:	1002
Date: 7/22/2008
Time: 12:51:57 AM
User: N/A
Computer:	JUDE-5PCD8SABXZ
Description:
Hanging application dreamdaemon.exe, version 0.0.0.0, hang module hungapp, version 0.0.0.0, hang address 0x00000000.

For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.
Data:
0000: 41 70 70 6c 69 63 61 74 Applicat
0008: 69 6f 6e 20 48 61 6e 67 ion Hang
0010: 20 20 64 72 65 61 6d 64 dreamd
0018: 61 65 6d 6f 6e 2e 65 78 aemon.ex
0020: 65 20 30 2e 30 2e 30 2e e 0.0.0.
0028: 30 20 69 6e 20 68 75 6e 0 in hun
0030: 67 61 70 70 20 30 2e 30 gapp 0.0
0038: 2e 30 2e 30 20 61 74 20 .0.0 at 
0040: 6f 66 66 73 65 74 20 30 offset 0
0048: 30 30 30 30 30 30 30 0000000


----------



## xintrop (Dec 5, 2007)

Event Type:	Error
Event Source:	Service Control Manager
Event Category:	None
Event ID:	7023
Date: 7/24/2008
Time: 5:13:06 AM
User: N/A
Computer:	JUDE-5PCD8SABXZ
Description:
The IPSEC Services service terminated with the following error: 
The authentication service is unknown.

For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.

Event Type:	Error
Event Source:	Service Control Manager
Event Category:	None
Event ID:	7023
Date: 7/23/2008
Time: 3:58:57 PM
User: N/A
Computer:	JUDE-5PCD8SABXZ
Description:
The IPSEC Services service terminated with the following error: 
The authentication service is unknown.

For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.

Event Type:	Error
Event Source:	Service Control Manager
Event Category:	None
Event ID:	7023
Date: 7/23/2008
Time: 3:25:06 PM
User: N/A
Computer:	JUDE-5PCD8SABXZ
Description:
The IPSEC Services service terminated with the following error: 
The authentication service is unknown.

For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.

Event Type:	Error
Event Source:	Service Control Manager
Event Category:	None
Event ID:	7023
Date: 7/22/2008
Time: 10:20:01 PM
User: N/A
Computer:	JUDE-5PCD8SABXZ
Description:
The IPSEC Services service terminated with the following error: 
The authentication service is unknown.

For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.

Event Type:	Error
Event Source:	Service Control Manager
Event Category:	None
Event ID:	7023
Date: 7/22/2008
Time: 3:00:04 PM
User: N/A
Computer:	JUDE-5PCD8SABXZ
Description:
The IPSEC Services service terminated with the following error: 
The authentication service is unknown.

For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.

Event Type:	Error
Event Source:	Service Control Manager
Event Category:	None
Event ID:	7023
Date: 7/22/2008
Time: 2:22:05 AM
User: N/A
Computer:	JUDE-5PCD8SABXZ
Description:
The IPSEC Services service terminated with the following error: 
The authentication service is unknown.

For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.

^^^<---- A few more of the same as above then...

Event Type:	Error
Event Source:	sr
Event Category:	None
Event ID:	1
Date: 7/20/2008
Time: 8:31:34 PM
User: N/A
Computer:	JUDE-5PCD8SABXZ
Description:
The System Restore filter encountered the unexpected error '0xC0000243' while processing the file 'Sweeper.cfg' on the volume 'HarddiskVolume1'. It has stopped monitoring the volume.

For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.
Data:
0000: 00 00 00 00 04 00 4e 00 ......N.
0008: 00 00 00 00 01 00 00 c0 .......À
0010: 00 00 00 00 00 00 00 00 ........
0018: 00 00 00 00 00 00 00 00 ........
0020: 00 00 00 00 00 00 00 00 ........

Event Type:	Error
Event Source:	Service Control Manager
Event Category:	None
Event ID:	7023
Date: 7/20/2008
Time: 7:29:20 PM
User: N/A
Computer:	JUDE-5PCD8SABXZ
Description:
The IPSEC Services service terminated with the following error: 
The authentication service is unknown.

For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.

The "System" goes back to 6/22 with 40+ more of the "Event Type:	Error
Event Source:	Service Control Manager"


----------



## xintrop (Dec 5, 2007)

I am going to attempt "cleanmgr" again now.


----------



## xintrop (Dec 5, 2007)

No dice. The program starts right away, three "bars" come up running and then it stalls there until the PC turns off.


----------



## ~Candy~ (Jan 27, 2001)

Will it run in safe mode?


----------



## xintrop (Dec 5, 2007)

Well, looks like I may need to start over. My avast siren went off today; I haven't been using the PC much at all with all the work I have been putting in. Something popped up saying "Your pc is running much slower than usual, download (whatever it was to fix etc..)". I clicked the top right "x" to close and something was downloaded, "Install.exe". I was on MySpace when this happened. I am going to give a new HijackThis log. The only thing I know that my kids were doing was downloading ring tones for their cellular phones lately.


----------



## xintrop (Dec 5, 2007)

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 12:40:51 PM, on 8/10/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\devldr32.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Creative\ShareDLL\CtNotify.exe
C:\Program Files\Creative\ShareDLL\MediaDet.Exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINDOWS\System32\CTsvcCDA.EXE
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\system32\PnkBstrA.exe
C:\GBA\Spyware Doctor\sdhelp.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\WINDOWS\System32\alg.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
C:\WINDOWS\System32\wbem\wmiprvse.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O1 - Hosts: 92.48.81.32 iHabbixReloaded
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: CCHelper Class - {0CF0B8EE-6596-11D5-A98E-0003470BB48E} - C:\Program Files\Panicware\Pop-Up Stopper\CCHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: PCTools Site Guard - {5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB} - C:\GBA\SPYWAR~1\tools\iesdsg.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_06\bin\ssv.dll
O3 - Toolbar: Pa&nicware Pop-Up Stopper - {7E82235C-F31E-46CB-AF9F-1ADD94C585FF} - C:\Program Files\Panicware\Pop-Up Stopper\pstopper.dll
O4 - HKLM\..\Run: [Disc Detector] C:\Program Files\Creative\ShareDLL\CtNotify.exe
O4 - HKLM\..\Run: [ISUSPM Startup] "C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe" -startup
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [NvCplDaemon] "RUNDLL32.EXE" C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [ZoneAlarm Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKCU\..\Run: [AdobeUpdater] C:\Program Files\Common Files\Adobe\Updater5\AdobeUpdater.exe
O4 - HKUS\S-1-5-18\..\Run: [Spyware Doctor] "C:\GBA\Spyware Doctor\swdoctor.exe" /Q (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [Spyware Doctor] "C:\GBA\Spyware Doctor\swdoctor.exe" /Q (User 'Default user')
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_06\bin\ssv.dll
O9 - Extra button: Spyware Doctor - {2D663D1A-8670-49D9-A1A5-4C56B4E14E84} - C:\GBA\SPYWAR~1\tools\iesdpb.dll
O9 - Extra button: ICQ Pro - {6224f700-cba3-4071-b251-47cb894244cd} - C:\PROGRA~1\ICQ\ICQ.exe
O9 - Extra 'Tools' menuitem: ICQ - {6224f700-cba3-4071-b251-47cb894244cd} - C:\PROGRA~1\ICQ\ICQ.exe
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: (no name) - {AFC3FA82-AD07-45cd-8B57-983435B9899E} - (no file)
O9 - Extra button: ICQ Lite - {B863453A-26C3-4e1f-A54D-A2CD196348E9} - C:\Program Files\ICQLite\ICQLite.exe (file missing)
O9 - Extra 'Tools' menuitem: ICQ Lite - {B863453A-26C3-4e1f-A54D-A2CD196348E9} - C:\Program Files\ICQLite\ICQLite.exe (file missing)
O9 - Extra button: Run IMVU - {d9288080-1baa-4bc4-9cf8-a92d743db949} - C:\Documents and Settings\Jude.JUDE-5PCD8SABXZ\Start Menu\Programs\IMVU\Run IMVU.lnk (file missing)
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: ICQ6 - {E59EB121-F339-4851-A3BA-FE49C35617C2} - C:\Program Files\ICQ6\ICQ.exe
O9 - Extra 'Tools' menuitem: ICQ6 - {E59EB121-F339-4851-A3BA-FE49C35617C2} - C:\Program Files\ICQ6\ICQ.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: ActiveGS.cab - http://www.virtualapple.org/activegs.cab
O16 - DPF: {05CA9FB0-3E3E-4B36-BF41-0E3A5CAA8CD8} (Office Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=67633
O16 - DPF: {1239CC52-59EF-4DFA-8C61-90FFA846DF7E} (Musicnotes Viewer) - http://www.musicnotes.com/download/mnviewer.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?LinkID=39204
O16 - DPF: {39B0684F-D7BF-4743-B050-FDC3F48F7E3B} (FilePlanet Download Control Class) - http://www.fileplanet.com/fpdlmgr/cabs/FPDC_1_0_0_41.cab
O16 - DPF: {3DCEC959-378A-4922-AD7E-FD5C925D927F} (Disney Online Games ActiveX Control) - http://disney.go.com/pirates/online/testActiveX/built/signed/DisneyOnlineGames.cab
O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akamai.net/7/1540/52...pple.com/mickey/us/win/QuickTimeInstaller.exe
O16 - DPF: {5F5F9FB8-878E-4455-95E0-F64B2314288A} (ijjiPlugin2 Class) - http://gamedownload.ijjimax.com/gamedownload/dist/hgstart/HGPlugin11USA.cab
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab
O16 - DPF: {67DABFBF-D0AB-41FA-9C46-CC0F21721616} (DivXBrowserPlugin Object) - http://download.divx.com/player/DivXBrowserPlugin.cab?s6
O16 - DPF: {69EF49E5-FE46-4B92-B5FA-2193AB7A6B8A} (GameLauncher Control) - http://www.acclaim.com/cabs/acclaim_v4.cab
O16 - DPF: {70BA88C8-DAE8-4CE9-92BB-979C4A75F53B} - http://launch.gamespyarcade.com/software/launch/alaunch.cab
O16 - DPF: {77E32299-629F-43C6-AB77-6A1E6D7663F6} (Groove Control) - http://tv.disney.go.com/global/download/otoy/OTOYAX29b.cab
O16 - DPF: {7B41B7AC-3496-4C13-A70F-DE6B60A6A8A8} (MGAME manager Class) - http://www.legendofares.com/download/mgusamanagerv1001.cab
O16 - DPF: {CC05BC12-2AA2-4AC7-AC81-0E40F83B1ADF} (Live365Player Class) - http://www.live365.com/players/play365.cab
O16 - DPF: {CD995117-98E5-4169-9920-6C12D4C0B548} (HGPlugin9USA Class) - http://gamedownload.ijjimax.com/gamedownload/dist/hgstart/HGPlugin9USA.cab
O16 - DPF: {D8089245-3211-40F6-819B-9E5E92CD61A2} (FlashXControl Object) - https://jackpotcity.microgaming.com/jackpotcity/FlashAX.cab
O16 - DPF: {DB7BF79A-FC51-4B5A-92BC-A65731174380} (InstantAction Game Launcher) - http://www.instantaction.com/download/iaplayer.cab
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\System32\CTsvcCDA.EXE
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: PnkBstrA - Unknown owner - C:\WINDOWS\system32\PnkBstrA.exe
O23 - Service: PC Tools Spyware Doctor (SDhelper) - PC Tools Research Pty Ltd - C:\GBA\Spyware Doctor\sdhelp.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe
O24 - Desktop Component 0: (no name) - http://artimpressive.com/wp-content/uploads/2007/07/379858.jpg
O24 - Desktop Component 1: (no name) - http://charas-project.net/resources/Titles/6579_1171637130_small.png
O24 - Desktop Component 2: (no name) - http://upload.wikimedia.org/wikipedia/en/f/f3/SSBB_Cover.jpg

--
End of file - 9798 bytes


----------



## Cookiegal (Aug 27, 2003)

*Follow these steps to uninstall Combofix and all of its files and components.*

 Click *START* then *RUN*
 Now type *Combofix /u* in the runbox and click *OK*. Note the *space* between the *X* and the *U*; it needs to be there.

Now grab the latest version, scan and post the log. Be sure to disable all security programs when running the scan.

Please visit *Combofix Guide & Instructions* for instructions for installing the recovery console and downloading and running ComboFix.


----------



## xintrop (Dec 5, 2007)

"Windows cannot find 'Combofix'. make sure you typed the name correctly, and then try again. To search for a file, click the Start button, and then click Search."

Did I remove Combofix using the instructions you gave me below on page "5"?

"Here are some final instructions for you.

The following program will remove some of the tools we've used and their associated files and backups and then it will delete itself.

Please download *OTMoveIt2 by OldTimer*.

*Save* it to your *desktop*.
Make sure you have an Internet Connection.
Double-click *OTMoveIt.exe* to run it. (Vista users, please right-click on *OTMoveIt2.exe* and select "Run as an *Administrator*")
Click on the *CleanUp!* button
A list of tool components used in the cleanup of malware will be downloaded.
If your firewall or real-time protection attempts to block OTMoveIt2 to reach the Internet, please allow the application to do so.
Click Yes to begin the cleanup process and remove these components, including this application which will delete itself.
You will be asked to reboot the machine to finish the cleanup process. If you are asked to reboot the machine choose *Yes.*

Now you should turn system restore off to flush out all previous system restore points, then turn it back on and create a new restore point:

To turn off system restore, on the Desktop, right click on *My Computer* and click on *Properties.*
Click the *System Restore* tab.
Check *Turn off System Restore.*
Click Apply and then click OK.

Restart your computer, turn System Restore back on and create a restore point.

To create a new restore point, click on *Start* > *All Programs* > *Accessories* > *System Tools* and then select *System Restore*.

In the System Restore wizard, select *Create a restore point* and click the Next button.

Type a name for your new restore point then click on Create."

Delete Temporary Files:

Go to *Start* - *Run* and type in *cleanmgr* and click OK. 
Let it scan your system for files to remove. 
Make sure Temporary Files, Temporary Internet Files, and Recycle Bin are the only things checked. 
Press OK to remove them.



----------



## Cookiegal (Aug 27, 2003)

Yes, then just get the new one please.


----------



## xintrop (Dec 5, 2007)

ComboFix 08-08-15.04 - Jude 2008-08-16 10:41:51.9 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.630 [GMT -4:00]
Running from: C:\Documents and Settings\Jude.JUDE-5PCD8SABXZ\Desktop\ComboFix.exe
* Created a new restore point
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Documents and Settings\Jude.JUDE-5PCD8SABXZ\Application Data\macromedia\Flash Player\#SharedObjects\AY3TRJ42\interclick.com
C:\Documents and Settings\Jude.JUDE-5PCD8SABXZ\Application Data\macromedia\Flash Player\#SharedObjects\AY3TRJ42\interclick.com\ud.sol
C:\Documents and Settings\Jude.JUDE-5PCD8SABXZ\Application Data\macromedia\Flash Player\macromedia.com\support\flashplayer\sys\#interclick.com
C:\Documents and Settings\Jude.JUDE-5PCD8SABXZ\Application Data\macromedia\Flash Player\macromedia.com\support\flashplayer\sys\#interclick.com\settings.sol
C:\Documents and Settings\Jude.JUDE-5PCD8SABXZ\Cookies\[email protected][1].txt
C:\Documents and Settings\Jude.JUDE-5PCD8SABXZ\Cookies\[email protected][2].txt
C:\Documents and Settings\Jude.JUDE-5PCD8SABXZ\Cookies\[email protected][1].txt
C:\Documents and Settings\Jude.JUDE-5PCD8SABXZ\Cookies\[email protected][2].txt
C:\Documents and Settings\Jude.JUDE-5PCD8SABXZ\Cookies\[email protected][1].txt
C:\Documents and Settings\Jude.JUDE-5PCD8SABXZ\Cookies\[email protected][1].txt
C:\Documents and Settings\Jude.JUDE-5PCD8SABXZ\Cookies\[email protected][1].txt
C:\Documents and Settings\Jude.JUDE-5PCD8SABXZ\Cookies\[email protected][1].txt
C:\Documents and Settings\Jude.JUDE-5PCD8SABXZ\Cookies\[email protected][2].txt
C:\Documents and Settings\Jude.JUDE-5PCD8SABXZ\Cookies\[email protected][1].txt
C:\Documents and Settings\Jude.JUDE-5PCD8SABXZ\Cookies\[email protected][3].txt
C:\WINDOWS\system32\actskn43.ocx

.
((((((((((((((((((((((((( Files Created from 2008-07-16 to 2008-08-16 )))))))))))))))))))))))))))))))
.

2008-07-26 04:39 . 2008-07-26 04:39	0	--a------	C:\Documents and Settings\Jude.JUDE-5PCD8SABXZ\jagex_runescape_preferences.dat
2008-07-23 00:22 . 2008-07-23 00:22 d--------	C:\Documents and Settings\Jude.JUDE-5PCD8SABXZ\Application Data\zweitgeist
2008-07-20 12:18 . 2008-07-20 12:18 d--------	C:\Program Files\SpywareBlaster
2008-07-17 13:31 . 2008-07-17 13:36 d--------	C:\Documents and Settings\Jude.JUDE-5PCD8SABXZ\Application Data\BYOND

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-08-16 14:35	---------	d-----w	C:\Documents and Settings\Jude.JUDE-5PCD8SABXZ\Application Data\mIRC
2008-08-16 13:13	---------	d-----w	C:\Program Files\mIRC
2008-08-08 03:39	1,838	--sha-w	C:\WINDOWS\system32\KGyGaAvL.sys
2008-08-03 22:32	---------	d-----w	C:\Program Files\LimeWire
2008-07-21 18:56	88	--sh--r	C:\Documents and Settings\All Users.WINDOWS\Application Data\0B328F544C.sys
2008-07-21 18:56	1,734	--sha-w	C:\Documents and Settings\All Users.WINDOWS\Application Data\KGyGaAvL.sys
2008-07-20 19:36	---------	d-----w	C:\Program Files\YVD
2008-07-20 19:32	---------	d-----w	C:\Program Files\PlaneShift Steel Blue
2008-07-20 19:29	---------	d--h--w	C:\Program Files\InstallShield Installation Information
2008-07-20 19:18	---------	d-----w	C:\Program Files\HaCKeR
2008-07-20 16:23	---------	d---a-w	C:\Documents and Settings\All Users.WINDOWS\Application Data\TEMP
2008-07-20 15:49	---------	d-----w	C:\Program Files\NCH Swift Sound
2008-07-20 15:13	---------	d-----w	C:\Program Files\BitTorrent
2008-07-20 13:25	---------	d-----w	C:\Program Files\SUPERAntiSpyware
2008-07-20 13:25	---------	d-----w	C:\Documents and Settings\Jude.JUDE-5PCD8SABXZ\Application Data\SUPERAntiSpyware.com
2008-07-16 06:38	---------	d-----w	C:\Program Files\iHabbix Ltd
2008-07-15 19:49	---------	d-----w	C:\Documents and Settings\Jude.JUDE-5PCD8SABXZ\Application Data\PowerChallenge
2008-07-14 12:06	---------	d-----w	C:\Documents and Settings\Jude.JUDE-5PCD8SABXZ\Application Data\Character Creator
2008-07-12 21:18	---------	d-----w	C:\Program Files\ICQ6
2008-07-12 21:18	---------	d-----w	C:\Documents and Settings\Jude.JUDE-5PCD8SABXZ\Application Data\ICQ
2008-07-10 03:47	---------	d-----w	C:\Program Files\Microsoft Games
2008-07-09 06:58	72,192	----a-w	C:\WINDOWS\cadkasdeinst01e.exe
2008-07-07 07:45	73,216	----a-w	C:\WINDOWS\ST6UNST.EXE
2008-07-07 07:45	286,720	------w	C:\WINDOWS\Setup1.exe
2008-07-05 23:21	---------	d-----w	C:\Program Files\Java
2008-07-04 15:26	30,814,311	----a-w	C:\WINDOWS\Internet Logs\tvDebug.zip
2008-06-29 23:48	---------	d-----w	C:\Program Files\QuickTime
2008-06-29 23:48	---------	d-----w	C:\Program Files\Bonjour
2008-06-28 00:24	---------	d-----w	C:\Documents and Settings\All Users.WINDOWS\Application Data\SUPERAntiSpyware.com
2008-06-28 00:21	---------	d-----w	C:\Program Files\Common Files\Wise Installation Wizard
2008-06-27 16:59	434,688	----a-w	C:\WINDOWS\system32\ss2uinst.exe
2008-06-20 17:41	245,248	----a-w	C:\WINDOWS\system32\mswsock.dll
2008-06-20 10:45	360,320	----a-w	C:\WINDOWS\system32\drivers\tcpip.sys
2008-06-20 10:44	138,368	----a-w	C:\WINDOWS\system32\drivers\afd.sys
2008-06-20 09:52	225,920	----a-w	C:\WINDOWS\system32\drivers\tcpip6.sys
2008-06-20 03:18	---------	d-----w	C:\Program Files\ShortKeys2
2008-03-12 19:07	6,605	----a-w	C:\Program Files\INSTALL.LOG
2007-07-18 23:06	9	-c--a-w	C:\Program Files\install_log.dat
2006-01-10 22:25	32	-c--a-r	C:\Documents and Settings\All Users\hash.dat
2005-08-27 01:11	4	----a-w	C:\Program Files\Common Files\Cvtaqlog.dat
2005-02-02 07:30	487,424	----a-w	C:\Documents and Settings\Jude.JUDE-5PCD8SABXZ\chatlnk.exe
2008-04-24 18:31	56	--sh--r	C:\WINDOWS\system32\00EA860D08.sys
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown 
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"AdobeUpdater"="C:\Program Files\Common Files\Adobe\Updater5\AdobeUpdater.exe" [2007-03-01 10:37 2321600]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Disc Detector"="C:\Program Files\Creative\ShareDLL\CtNotify.exe" [2001-08-01 03:00 191488]
"ISUSPM Startup"="C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe" [2004-06-16 06:03 221184]
"avast!"="C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe" [2007-12-04 09:00 79224]
"NvCplDaemon"="C:\WINDOWS\system32\NvCpl.dll" [2003-10-06 15:16 5058560]
"ZoneAlarm Client"="C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe" [2007-03-09 00:02 919280]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2008-05-27 10:50 413696]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"Spyware Doctor"="C:\GBA\Spyware Doctor\swdoctor.exe" [2005-12-13 15:13 1976544]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"msacm.ctmp3"= C:\WINDOWS\System32\ctmp3.acm
"aux"= ctwdm32.dll
"vidc.ir32"= C:\WINDOWS\system32\ir32_32.dll
"vidc.ir31"= C:\WINDOWS\system32\ir32_32.dll

[HKLM\~\startupfolder\C:^Documents and Settings^All Users.WINDOWS^Start Menu^Programs^Startup^Google Updater.lnk]
path=C:\Documents and Settings\All Users.WINDOWS\Start Menu\Programs\Startup\Google Updater.lnk
backup=C:\WINDOWS\pss\Google Updater.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users.WINDOWS^Start Menu^Programs^Startup^Microsoft Find Fast.lnk]
path=C:\Documents and Settings\All Users.WINDOWS\Start Menu\Programs\Startup\Microsoft Find Fast.lnk
backup=C:\WINDOWS\pss\Microsoft Find Fast.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users.WINDOWS^Start Menu^Programs^Startup^Office Startup.lnk]
path=C:\Documents and Settings\All Users.WINDOWS\Start Menu\Programs\Startup\Office Startup.lnk
backup=C:\WINDOWS\pss\Office Startup.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users.WINDOWS^Start Menu^Programs^Startup^Photo Loader supervisory.lnk]
path=C:\Documents and Settings\All Users.WINDOWS\Start Menu\Programs\Startup\Photo Loader supervisory.lnk
backup=C:\WINDOWS\pss\Photo Loader supervisory.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users.WINDOWS^Start Menu^Programs^Startup^ShortKeys 2.lnk]
path=C:\Documents and Settings\All Users.WINDOWS\Start Menu\Programs\Startup\ShortKeys 2.lnk
backup=C:\WINDOWS\pss\ShortKeys 2.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^Jude.JUDE-5PCD8SABXZ^Start Menu^Programs^Startup^GameSpot Download Manager.lnk]
path=C:\Documents and Settings\Jude.JUDE-5PCD8SABXZ\Start Menu\Programs\Startup\GameSpot Download Manager.lnk
backup=C:\WINDOWS\pss\GameSpot Download Manager.lnkStartup

[HKLM\~\startupfolder\C:^Documents and Settings^Jude.JUDE-5PCD8SABXZ^Start Menu^Programs^Startup^hamachi.lnk]
path=C:\Documents and Settings\Jude.JUDE-5PCD8SABXZ\Start Menu\Programs\Startup\hamachi.lnk
backup=C:\WINDOWS\pss\hamachi.lnkStartup

[HKLM\~\startupfolder\C:^Documents and Settings^Jude.JUDE-5PCD8SABXZ^Start Menu^Programs^Startup^IMVU.lnk]
path=C:\Documents and Settings\Jude.JUDE-5PCD8SABXZ\Start Menu\Programs\Startup\IMVU.lnk
backup=C:\WINDOWS\pss\IMVU.lnkStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]
--a------ 2008-01-11 22:16 39792 C:\Program Files\Adobe\Reader 8.0\Reader\reader_sl.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AdobeUpdater]
-ra------ 2007-03-01 10:37 2321600 C:\Program Files\Common Files\Adobe\Updater5\AdobeUpdater.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ICQ]
--a------ 2008-05-18 12:30 172280 C:\Program Files\ICQ6\ICQ.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ISUSScheduler]
--a------ 2004-06-16 06:03 81920 C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
--a------ 2007-11-15 14:11 267048 C:\Program Files\iTunes\iTunesHelper.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroCheck]
--a------ 2001-07-09 05:50 155648 C:\WINDOWS\system32\NeroCheck.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
--a------ 2008-05-27 10:50 413696 C:\Program Files\QuickTime\QTTask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
--a------ 2008-03-25 04:28 144784 C:\Program Files\Java\jre1.6.0_06\bin\jusched.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\nwiz]
--a------ 2003-10-06 15:16 741376 C:\WINDOWS\system32\nwiz.exe

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\ZoneLabsFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"C:\\Program Files\\LimeWire\\LimeWire.exe"=
"C:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"C:\\Program Files\\ICQ6\\ICQ.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"90:TCP"= 90:TCP:Kinger's Hotel

S3 dump_wmimmc;dump_wmimmc;C:\AAAAAA\ENGLISH\Gunbound Revolution\GameGuard\dump_wmimmc.sys []

*Newly Created Service* - CATCHME
.
Contents of the 'Scheduled Tasks' folder
.
- - - - ORPHANS REMOVED - - - -

WebBrowser-{6A048BB7-E017-4326-B207-AA996C77BBCB} - (no file)
MSConfigStartUp-AIM Logger - C:\PROGRA~1\Nalsoft\AIMLOG~1\AIMLogger.exe
MSConfigStartUp-BitTorrent - C:\Program Files\BitTorrent\bittorrent.exe
MSConfigStartUp-BitTorrent DNA - C:\Program Files\DNA\btdna.exe
MSConfigStartUp-EPSON Stylus CX4200 Series - C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATIAEA.EXE
MSConfigStartUp-ICQ Lite - C:\Program Files\ICQLite\ICQLite.exe

.
------- Supplementary Scan -------
.
FireFox -: Profile - C:\Documents and Settings\Jude.JUDE-5PCD8SABXZ\Application Data\Mozilla\Firefox\Profiles\Dad\
FireFox -: prefs.js - STARTUP.HOMEPAGE - hxxp://www.aesoponline.com/login.asp

**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-08-16 10:48:27
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

HKLM\Software\Microsoft\Windows\CurrentVersion\Run
Disc Detector = C:\Program Files\Creative\ShareDLL\CtNotify.exe?X???????????????? C?????Disc Detector?B???A???????A?? [email protected][email protected]?? [email protected][email protected][email protected][email protected][email protected]?? [email protected]???????????????????B?????L?????????????????????????????B

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2008-08-16 11:06:33
ComboFix-quarantined-files.txt 2008-08-16 15:06:30

Pre-Run: 27,199,062,016 bytes free
Post-Run: 27,257,864,192 bytes free

183	--- E O F ---	2008-07-10 00:59:25


----------



## Cookiegal (Aug 27, 2003)

Please download Malwarebytes Anti-Malware from *Here* or *Here*

Double Click mbam-setup.exe to install the application.
Make sure a checkmark is placed next to *Update Malwarebytes' Anti-Malware* and *Launch Malwarebytes' Anti-Malware*, then click Finish.
If an update is found, it will download and install the latest version.
Once the program has loaded, select "*Perform Quick Scan*", then click *Scan*.
The scan may take some time to finish, so please be patient.
When the scan is complete, click OK, then Show Results to view the results.
Make sure that *everything is checked*, and click *Remove Selected*.
When disinfection is completed, a log will open in Notepad and you may be prompted to Restart. (See Extra Note)
The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
Copy and paste the entire report in your next reply along with a new HijackThis log please.

Extra Note:
*If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts, click OK to either and let MBAM proceed with the disinfection process, if asked to restart the computer, please do so immediately.*


----------



## xintrop (Dec 5, 2007)

Malwarebytes' Anti-Malware 1.25
Database version: 1064
Windows 5.1.2600 Service Pack 2

8:19:44 PM 8/17/2008
mbam-log-08-17-2008 (20-19-44).txt

Scan type: Quick Scan
Objects scanned: 65866
Time elapsed: 15 minute(s), 40 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 2
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_CURRENT_USER\SOFTWARE\VAV (Rogue.VistaAntivirus2008) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Adsl Software Ltd (Trojan.FakeAlert) -> Quarantined and deleted successfully.

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)


----------



## xintrop (Dec 5, 2007)

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 8:20:16 PM, on 8/17/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINDOWS\System32\CTsvcCDA.EXE
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\system32\PnkBstrA.exe
C:\GBA\Spyware Doctor\sdhelp.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\WINDOWS\System32\alg.exe
C:\WINDOWS\system32\devldr32.exe
C:\Program Files\Creative\ShareDLL\CtNotify.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Program Files\Creative\ShareDLL\MediaDet.Exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
C:\WINDOWS\System32\wbem\wmiprvse.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O1 - Hosts: 92.48.81.32 iHabbixReloaded
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: CCHelper Class - {0CF0B8EE-6596-11D5-A98E-0003470BB48E} - C:\Program Files\Panicware\Pop-Up Stopper\CCHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: PCTools Site Guard - {5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB} - C:\GBA\SPYWAR~1\tools\iesdsg.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_06\bin\ssv.dll
O3 - Toolbar: Pa&nicware Pop-Up Stopper - {7E82235C-F31E-46CB-AF9F-1ADD94C585FF} - C:\Program Files\Panicware\Pop-Up Stopper\pstopper.dll
O4 - HKLM\..\Run: [Disc Detector] C:\Program Files\Creative\ShareDLL\CtNotify.exe
O4 - HKLM\..\Run: [ISUSPM Startup] "C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe" -startup
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [NvCplDaemon] "RUNDLL32.EXE" C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [ZoneAlarm Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKCU\..\Run: [AdobeUpdater] C:\Program Files\Common Files\Adobe\Updater5\AdobeUpdater.exe
O4 - HKUS\S-1-5-18\..\Run: [Spyware Doctor] "C:\GBA\Spyware Doctor\swdoctor.exe" /Q (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [Spyware Doctor] "C:\GBA\Spyware Doctor\swdoctor.exe" /Q (User 'Default user')
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_06\bin\ssv.dll
O9 - Extra button: Spyware Doctor - {2D663D1A-8670-49D9-A1A5-4C56B4E14E84} - C:\GBA\SPYWAR~1\tools\iesdpb.dll
O9 - Extra button: ICQ Pro - {6224f700-cba3-4071-b251-47cb894244cd} - C:\PROGRA~1\ICQ\ICQ.exe
O9 - Extra 'Tools' menuitem: ICQ - {6224f700-cba3-4071-b251-47cb894244cd} - C:\PROGRA~1\ICQ\ICQ.exe
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: (no name) - {AFC3FA82-AD07-45cd-8B57-983435B9899E} - (no file)
O9 - Extra button: ICQ Lite - {B863453A-26C3-4e1f-A54D-A2CD196348E9} - C:\Program Files\ICQLite\ICQLite.exe (file missing)
O9 - Extra 'Tools' menuitem: ICQ Lite - {B863453A-26C3-4e1f-A54D-A2CD196348E9} - C:\Program Files\ICQLite\ICQLite.exe (file missing)
O9 - Extra button: Run IMVU - {d9288080-1baa-4bc4-9cf8-a92d743db949} - C:\Documents and Settings\Jude.JUDE-5PCD8SABXZ\Start Menu\Programs\IMVU\Run IMVU.lnk (file missing)
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: ICQ6 - {E59EB121-F339-4851-A3BA-FE49C35617C2} - C:\Program Files\ICQ6\ICQ.exe
O9 - Extra 'Tools' menuitem: ICQ6 - {E59EB121-F339-4851-A3BA-FE49C35617C2} - C:\Program Files\ICQ6\ICQ.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: ActiveGS.cab - http://www.virtualapple.org/activegs.cab
O16 - DPF: {05CA9FB0-3E3E-4B36-BF41-0E3A5CAA8CD8} (Office Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=67633
O16 - DPF: {1239CC52-59EF-4DFA-8C61-90FFA846DF7E} (Musicnotes Viewer) - http://www.musicnotes.com/download/mnviewer.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?LinkID=39204
O16 - DPF: {39B0684F-D7BF-4743-B050-FDC3F48F7E3B} (FilePlanet Download Control Class) - http://www.fileplanet.com/fpdlmgr/cabs/FPDC_1_0_0_41.cab
O16 - DPF: {3DCEC959-378A-4922-AD7E-FD5C925D927F} (Disney Online Games ActiveX Control) - http://disney.go.com/pirates/online/testActiveX/built/signed/DisneyOnlineGames.cab
O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akamai.net/7/1540/52...pple.com/mickey/us/win/QuickTimeInstaller.exe
O16 - DPF: {5F5F9FB8-878E-4455-95E0-F64B2314288A} (ijjiPlugin2 Class) - http://gamedownload.ijjimax.com/gamedownload/dist/hgstart/HGPlugin11USA.cab
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab
O16 - DPF: {67DABFBF-D0AB-41FA-9C46-CC0F21721616} (DivXBrowserPlugin Object) - http://download.divx.com/player/DivXBrowserPlugin.cab?s6
O16 - DPF: {69EF49E5-FE46-4B92-B5FA-2193AB7A6B8A} (GameLauncher Control) - http://www.acclaim.com/cabs/acclaim_v4.cab
O16 - DPF: {70BA88C8-DAE8-4CE9-92BB-979C4A75F53B} - http://launch.gamespyarcade.com/software/launch/alaunch.cab
O16 - DPF: {77E32299-629F-43C6-AB77-6A1E6D7663F6} (Groove Control) - http://tv.disney.go.com/global/download/otoy/OTOYAX29b.cab
O16 - DPF: {7B41B7AC-3496-4C13-A70F-DE6B60A6A8A8} (MGAME manager Class) - http://www.legendofares.com/download/mgusamanagerv1001.cab
O16 - DPF: {CC05BC12-2AA2-4AC7-AC81-0E40F83B1ADF} (Live365Player Class) - http://www.live365.com/players/play365.cab
O16 - DPF: {CD995117-98E5-4169-9920-6C12D4C0B548} (HGPlugin9USA Class) - http://gamedownload.ijjimax.com/gamedownload/dist/hgstart/HGPlugin9USA.cab
O16 - DPF: {D8089245-3211-40F6-819B-9E5E92CD61A2} (FlashXControl Object) - https://jackpotcity.microgaming.com/jackpotcity/FlashAX.cab
O16 - DPF: {DB7BF79A-FC51-4B5A-92BC-A65731174380} (InstantAction Game Launcher) - http://www.instantaction.com/download/iaplayer.cab
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\System32\CTsvcCDA.EXE
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: PnkBstrA - Unknown owner - C:\WINDOWS\system32\PnkBstrA.exe
O23 - Service: PC Tools Spyware Doctor (SDhelper) - PC Tools Research Pty Ltd - C:\GBA\Spyware Doctor\sdhelp.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe
O24 - Desktop Component 0: (no name) - http://artimpressive.com/wp-content/uploads/2007/07/379858.jpg
O24 - Desktop Component 1: (no name) - http://charas-project.net/resources/Titles/6579_1171637130_small.png
O24 - Desktop Component 2: (no name) - http://upload.wikimedia.org/wikipedia/en/f/f3/SSBB_Cover.jpg

--
End of file - 9896 bytes


----------



## Cookiegal (Aug 27, 2003)

Please do an online scan with Kaspersky WebScanner

Kaspersky online scanner uses Java technology to perform the scan. If you do not have Java then you will need to go to the following link and download the latest version (it's the fifth one down the list):

*Java Runtime Environment (JRE) 6 Update 7*

Instructions for Kaspersky scan:


Read through the requirements and privacy statement and click on *Accept* button.
It will start downloading and installing the scanner and virus definitions. You will be prompted to install an application from Kaspersky. Click *Run*.
When the downloads have finished, click on *Settings*.
Make sure the following is checked. 
*Spyware, Adware, Dialers, and other potentially dangerous programs 
Archives
Mail databases*

Click on *My Computer* under *Scan*.
Once the scan is complete, it will display the results. Click on *View Scan Report*.
You will see a list of infected items there. Click on *Save Report As...*.
Save this report to a convenient place. Change the *Files of type* to *Text file (.txt)* before clicking on the *Save* button.
Please post this log in your next reply.


----------



## xintrop (Dec 5, 2007)

--------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER 7 REPORT
Wednesday, August 20, 2008
Operating System: Microsoft Windows XP Home Edition Service Pack 2 (build 2600)
Kaspersky Online Scanner 7 version: 7.0.25.0
Program database last update: Wednesday, August 20, 2008 14:03:41
Records in database: 1113861
--------------------------------------------------------------------------------

Scan settings:
Scan using the following database: extended
Scan archives: yes
Scan mail databases: yes

Scan area - My Computer:
A:\
C:\
D:\
E:\

Scan statistics:
Files scanned: 382329
Threat name: 4
Infected objects: 5
Suspicious objects: 0
Duration of the scan: 08:43:21


File name / Threat name / Threats count
C:\GBA\Spyware Doctor\tools\eg.dat	Infected: Backdoor.Win32.Hupigon.dccn	1
C:\Jared Folder\Setup(2).exe	Infected: not-a-virus:AdTool.Win32.Zango.ag	1
C:\Jared Folder\Setup.exe	Infected: not-a-virus:AdTool.Win32.Zango.ag	1
C:\Program Files\mIRC\backups\mirc.exe	Infected: not-a-virus:Client-IRC.Win32.mIRC.612	1
C:\Program Files\mIRC\mirc.exe	Infected: not-a-virus:Client-IRC.Win32.mIRC.631	1

The selected area was scanned.


----------



## Cookiegal (Aug 27, 2003)

Delete these two files and post a new HijackThis log please.

C:\Jared Folder\*Setup(2).exe*
C:\Jared Folder\*Setup.exe*


----------



## xintrop (Dec 5, 2007)

Ok, they are deleted in the recycle bin.


----------



## xintrop (Dec 5, 2007)

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 7:10:44 AM, on 8/23/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\devldr32.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Creative\ShareDLL\CtNotify.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Program Files\Creative\ShareDLL\MediaDet.Exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINDOWS\System32\CTsvcCDA.EXE
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\system32\PnkBstrA.exe
C:\GBA\Spyware Doctor\sdhelp.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\WINDOWS\System32\alg.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
C:\WINDOWS\System32\wbem\wmiprvse.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O1 - Hosts: 92.48.81.32 iHabbixReloaded
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: CCHelper Class - {0CF0B8EE-6596-11D5-A98E-0003470BB48E} - C:\Program Files\Panicware\Pop-Up Stopper\CCHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: PCTools Site Guard - {5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB} - C:\GBA\SPYWAR~1\tools\iesdsg.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_06\bin\ssv.dll
O3 - Toolbar: Pa&nicware Pop-Up Stopper - {7E82235C-F31E-46CB-AF9F-1ADD94C585FF} - C:\Program Files\Panicware\Pop-Up Stopper\pstopper.dll
O4 - HKLM\..\Run: [Disc Detector] C:\Program Files\Creative\ShareDLL\CtNotify.exe
O4 - HKLM\..\Run: [ISUSPM Startup] "C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe" -startup
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [NvCplDaemon] "RUNDLL32.EXE" C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [ZoneAlarm Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKCU\..\Run: [AdobeUpdater] C:\Program Files\Common Files\Adobe\Updater5\AdobeUpdater.exe
O4 - HKUS\S-1-5-18\..\Run: [Spyware Doctor] "C:\GBA\Spyware Doctor\swdoctor.exe" /Q (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [Spyware Doctor] "C:\GBA\Spyware Doctor\swdoctor.exe" /Q (User 'Default user')
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_06\bin\ssv.dll
O9 - Extra button: Spyware Doctor - {2D663D1A-8670-49D9-A1A5-4C56B4E14E84} - C:\GBA\SPYWAR~1\tools\iesdpb.dll
O9 - Extra button: ICQ Pro - {6224f700-cba3-4071-b251-47cb894244cd} - C:\PROGRA~1\ICQ\ICQ.exe
O9 - Extra 'Tools' menuitem: ICQ - {6224f700-cba3-4071-b251-47cb894244cd} - C:\PROGRA~1\ICQ\ICQ.exe
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: (no name) - {AFC3FA82-AD07-45cd-8B57-983435B9899E} - (no file)
O9 - Extra button: ICQ Lite - {B863453A-26C3-4e1f-A54D-A2CD196348E9} - C:\Program Files\ICQLite\ICQLite.exe (file missing)
O9 - Extra 'Tools' menuitem: ICQ Lite - {B863453A-26C3-4e1f-A54D-A2CD196348E9} - C:\Program Files\ICQLite\ICQLite.exe (file missing)
O9 - Extra button: Run IMVU - {d9288080-1baa-4bc4-9cf8-a92d743db949} - C:\Documents and Settings\Jude.JUDE-5PCD8SABXZ\Start Menu\Programs\IMVU\Run IMVU.lnk (file missing)
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: ICQ6 - {E59EB121-F339-4851-A3BA-FE49C35617C2} - C:\Program Files\ICQ6\ICQ.exe
O9 - Extra 'Tools' menuitem: ICQ6 - {E59EB121-F339-4851-A3BA-FE49C35617C2} - C:\Program Files\ICQ6\ICQ.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: ActiveGS.cab - http://www.virtualapple.org/activegs.cab
O16 - DPF: {05CA9FB0-3E3E-4B36-BF41-0E3A5CAA8CD8} (Office Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=67633
O16 - DPF: {1239CC52-59EF-4DFA-8C61-90FFA846DF7E} (Musicnotes Viewer) - http://www.musicnotes.com/download/mnviewer.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?LinkID=39204
O16 - DPF: {39B0684F-D7BF-4743-B050-FDC3F48F7E3B} (FilePlanet Download Control Class) - http://www.fileplanet.com/fpdlmgr/cabs/FPDC_1_0_0_41.cab
O16 - DPF: {3DCEC959-378A-4922-AD7E-FD5C925D927F} (Disney Online Games ActiveX Control) - http://disney.go.com/pirates/online/testActiveX/built/signed/DisneyOnlineGames.cab
O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akamai.net/7/1540/52...pple.com/mickey/us/win/QuickTimeInstaller.exe
O16 - DPF: {5F5F9FB8-878E-4455-95E0-F64B2314288A} (ijjiPlugin2 Class) - http://gamedownload.ijjimax.com/gamedownload/dist/hgstart/HGPlugin11USA.cab
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab
O16 - DPF: {67DABFBF-D0AB-41FA-9C46-CC0F21721616} (DivXBrowserPlugin Object) - http://download.divx.com/player/DivXBrowserPlugin.cab?s6
O16 - DPF: {69EF49E5-FE46-4B92-B5FA-2193AB7A6B8A} (GameLauncher Control) - http://www.acclaim.com/cabs/acclaim_v4.cab
O16 - DPF: {70BA88C8-DAE8-4CE9-92BB-979C4A75F53B} - http://launch.gamespyarcade.com/software/launch/alaunch.cab
O16 - DPF: {77E32299-629F-43C6-AB77-6A1E6D7663F6} (Groove Control) - http://tv.disney.go.com/global/download/otoy/OTOYAX29b.cab
O16 - DPF: {7B41B7AC-3496-4C13-A70F-DE6B60A6A8A8} (MGAME manager Class) - http://www.legendofares.com/download/mgusamanagerv1001.cab
O16 - DPF: {CC05BC12-2AA2-4AC7-AC81-0E40F83B1ADF} (Live365Player Class) - http://www.live365.com/players/play365.cab
O16 - DPF: {CD995117-98E5-4169-9920-6C12D4C0B548} (HGPlugin9USA Class) - http://gamedownload.ijjimax.com/gamedownload/dist/hgstart/HGPlugin9USA.cab
O16 - DPF: {D8089245-3211-40F6-819B-9E5E92CD61A2} (FlashXControl Object) - https://jackpotcity.microgaming.com/jackpotcity/FlashAX.cab
O16 - DPF: {DB7BF79A-FC51-4B5A-92BC-A65731174380} (InstantAction Game Launcher) - http://www.instantaction.com/download/iaplayer.cab
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\System32\CTsvcCDA.EXE
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: PnkBstrA - Unknown owner - C:\WINDOWS\system32\PnkBstrA.exe
O23 - Service: PC Tools Spyware Doctor (SDhelper) - PC Tools Research Pty Ltd - C:\GBA\Spyware Doctor\sdhelp.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe
O24 - Desktop Component 0: (no name) - http://tn3-1.deviantart.com/fs5/300W/i/2004/276/6/c/Naruto_vs_Sasuke_by_martegodpopo.jpg
O24 - Desktop Component 1: (no name) - http://artimpressive.com/wp-content/uploads/2007/07/379858.jpg
O24 - Desktop Component 2: (no name) - http://charas-project.net/resources/Titles/6579_1171637130_small.png
O24 - Desktop Component 3: (no name) - http://upload.wikimedia.org/wikipedia/en/f/f3/SSBB_Cover.jpg
O24 - Desktop Component 4: (no name) - http://i177.photobucket.com/albums/w222/ss021447/kirby_bg.jpg
O24 - Desktop Component 5: (no name) - http://i185.photobucket.com/albums/x275/kakairu14/naruto/narutoshippuudenepisodewallpaper.jpg
O24 - Desktop Component 6: (no name) - http://images.elfwood.com/fanq/s/p/spitaelsd2/redeyesblackdragon.jpg

--
End of file - 10304 bytes


----------



## Cookiegal (Aug 27, 2003)

How are things now?


----------



## xintrop (Dec 5, 2007)

It's been running fine except for that one incident and this. I still don't understand why I cannot run certain things that I should be able to.



xintrop said:


> Hello and thank you again for all your help.
> I am having an issue with cleanmgr. I tried three times to run it. As I look at taskmanager, my CPU Usage is running at close to 100% when it is running that program.
> I do have SPYWAREBLASTER installed already btw.
> I do have ATF-Cleaner and CCleaner installed. Would either of these programs do the same thing as cleanmgr?


If you like we can close this thread and mark it as solved after any other clean-up tasks you suggest. If anything happens again, I will start a new thread. 
Thank you


----------



## Cookiegal (Aug 27, 2003)

What happens when you run Cleanmgr? Does it still shut down your computer?

Try running it this way:

Click Start - All Programs - Accessories - System Tools and then click Disk Cleanup. 


Have you tried to run a defrag? I remember you said you had a problem with that before too.


----------



## xintrop (Dec 5, 2007)

Yes it does. The first way you showed me and using System Tools Disk Cleanup. It starts up and goes to three lines quickly then just kind of stalls there using 100% of my CPU. It never gets past that and eventually shuts down my computer. 

I am able to defrag however. It does not use that much of my CPU upon testing. I see it is going to take a very long time. I should have done it when I went fishing!


----------



## Cookiegal (Aug 27, 2003)

*Click here* to download ATF Cleaner by Atribune and save it to your desktop.
Double-click *ATF-Cleaner.exe* to run the program. (Vista users right-click and select "Run As Administrator").
Under *Main* choose: *Select All*
Click the *Empty Selected* button.
*If you use Firefox:*
Click *Firefox* at the top and choose: *Select All*
Click the *Empty Selected* button.
*NOTE:* If you would like to keep your saved passwords, please click *No* at the prompt.


*If you use Opera:*
Click *Opera* at the top and choose: *Select All*
Click the *Empty Selected* button.
*NOTE:* If you would like to keep your saved passwords, please click *No* at the prompt.


Click *Exit* on the Main menu to close the program.

Then see if Cleanmgr will run please.


----------



## xintrop (Dec 5, 2007)

hehe, I just did that before I came here. I have ATF Cleaner.


----------



## Cookiegal (Aug 27, 2003)

How many other user accounts are there on this computer?


----------



## xintrop (Dec 5, 2007)

I was able to defrag. I saved the results if needed.

There are two other accounts. One account is only active in the summer or holidays when home from college. Another account is rarely used, so the main account is the one myself, my wife and my son use.


----------



## Cookiegal (Aug 27, 2003)

Can you post a HijackThis log from the other account please?


----------



## xintrop (Dec 5, 2007)

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 2:51:57 PM, on 8/27/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINDOWS\System32\CTsvcCDA.EXE
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\system32\PnkBstrA.exe
C:\GBA\Spyware Doctor\sdhelp.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\WINDOWS\system32\devldr32.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Creative\ShareDLL\CtNotify.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Program Files\Creative\ShareDLL\MediaDet.Exe
C:\Program Files\AIM\aim.exe
C:\Program Files\MSN Messenger\MsnMsgr.Exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,SearchAssistant = http://search.bearshare.com/sidebar.html?src=ssb
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
O1 - Hosts: 92.48.81.32 iHabbixReloaded
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: CCHelper Class - {0CF0B8EE-6596-11D5-A98E-0003470BB48E} - C:\Program Files\Panicware\Pop-Up Stopper\CCHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: PCTools Site Guard - {5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB} - C:\GBA\SPYWAR~1\tools\iesdsg.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_06\bin\ssv.dll
O3 - Toolbar: Pa&nicware Pop-Up Stopper - {7E82235C-F31E-46CB-AF9F-1ADD94C585FF} - C:\Program Files\Panicware\Pop-Up Stopper\pstopper.dll
O4 - HKLM\..\Run: [Disc Detector] C:\Program Files\Creative\ShareDLL\CtNotify.exe
O4 - HKLM\..\Run: [ISUSPM Startup] "C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe" -startup
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [NvCplDaemon] "RUNDLL32.EXE" C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [ZoneAlarm Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM\aim.exe -cnetwait.odl
O4 - HKCU\..\Run: [AIM Logger] C:\PROGRA~1\Nalsoft\AIMLOG~1\AIMLogger.exe /start /minimize
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKUS\S-1-5-18\..\Run: [Spyware Doctor] "C:\GBA\Spyware Doctor\swdoctor.exe" /Q (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [Spyware Doctor] "C:\GBA\Spyware Doctor\swdoctor.exe" /Q (User 'Default user')
O4 - Startup: Scheduler.lnk = C:\Program Files\SpyCatcher 2006\Scheduler daemon.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_06\bin\ssv.dll
O9 - Extra button: Spyware Doctor - {2D663D1A-8670-49D9-A1A5-4C56B4E14E84} - C:\GBA\SPYWAR~1\tools\iesdpb.dll
O9 - Extra button: ICQ Pro - {6224f700-cba3-4071-b251-47cb894244cd} - C:\PROGRA~1\ICQ\ICQ.exe
O9 - Extra 'Tools' menuitem: ICQ - {6224f700-cba3-4071-b251-47cb894244cd} - C:\PROGRA~1\ICQ\ICQ.exe
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: (no name) - {AFC3FA82-AD07-45cd-8B57-983435B9899E} - (no file)
O9 - Extra button: ICQ Lite - {B863453A-26C3-4e1f-A54D-A2CD196348E9} - C:\Program Files\ICQLite\ICQLite.exe (file missing)
O9 - Extra 'Tools' menuitem: ICQ Lite - {B863453A-26C3-4e1f-A54D-A2CD196348E9} - C:\Program Files\ICQLite\ICQLite.exe (file missing)
O9 - Extra button: Run IMVU - {d9288080-1baa-4bc4-9cf8-a92d743db949} - C:\Documents and Settings\Jude.JUDE-5PCD8SABXZ\Start Menu\Programs\IMVU\Run IMVU.lnk (file missing)
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: ICQ6 - {E59EB121-F339-4851-A3BA-FE49C35617C2} - C:\Program Files\ICQ6\ICQ.exe
O9 - Extra 'Tools' menuitem: ICQ6 - {E59EB121-F339-4851-A3BA-FE49C35617C2} - C:\Program Files\ICQ6\ICQ.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: ActiveGS.cab - http://www.virtualapple.org/activegs.cab
O16 - DPF: {05CA9FB0-3E3E-4B36-BF41-0E3A5CAA8CD8} (Office Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=67633
O16 - DPF: {1239CC52-59EF-4DFA-8C61-90FFA846DF7E} (Musicnotes Viewer) - http://www.musicnotes.com/download/mnviewer.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?LinkID=39204
O16 - DPF: {39B0684F-D7BF-4743-B050-FDC3F48F7E3B} (FilePlanet Download Control Class) - http://www.fileplanet.com/fpdlmgr/cabs/FPDC_1_0_0_41.cab
O16 - DPF: {3DCEC959-378A-4922-AD7E-FD5C925D927F} (Disney Online Games ActiveX Control) - http://disney.go.com/pirates/online/testActiveX/built/signed/DisneyOnlineGames.cab
O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akamai.net/7/1540/52...pple.com/mickey/us/win/QuickTimeInstaller.exe
O16 - DPF: {5F5F9FB8-878E-4455-95E0-F64B2314288A} (ijjiPlugin2 Class) - http://gamedownload.ijjimax.com/gamedownload/dist/hgstart/HGPlugin11USA.cab
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab
O16 - DPF: {67DABFBF-D0AB-41FA-9C46-CC0F21721616} (DivXBrowserPlugin Object) - http://download.divx.com/player/DivXBrowserPlugin.cab?s6
O16 - DPF: {69EF49E5-FE46-4B92-B5FA-2193AB7A6B8A} (GameLauncher Control) - http://www.acclaim.com/cabs/acclaim_v4.cab
O16 - DPF: {70BA88C8-DAE8-4CE9-92BB-979C4A75F53B} - http://launch.gamespyarcade.com/software/launch/alaunch.cab
O16 - DPF: {77E32299-629F-43C6-AB77-6A1E6D7663F6} (Groove Control) - http://tv.disney.go.com/global/download/otoy/OTOYAX29b.cab
O16 - DPF: {7B41B7AC-3496-4C13-A70F-DE6B60A6A8A8} (MGAME manager Class) - http://www.legendofares.com/download/mgusamanagerv1001.cab
O16 - DPF: {CC05BC12-2AA2-4AC7-AC81-0E40F83B1ADF} (Live365Player Class) - http://www.live365.com/players/play365.cab
O16 - DPF: {CD995117-98E5-4169-9920-6C12D4C0B548} (HGPlugin9USA Class) - http://gamedownload.ijjimax.com/gamedownload/dist/hgstart/HGPlugin9USA.cab
O16 - DPF: {D8089245-3211-40F6-819B-9E5E92CD61A2} (FlashXControl Object) - https://jackpotcity.microgaming.com/jackpotcity/FlashAX.cab
O16 - DPF: {DB7BF79A-FC51-4B5A-92BC-A65731174380} (InstantAction Game Launcher) - http://www.instantaction.com/download/iaplayer.cab
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\System32\CTsvcCDA.EXE
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: PnkBstrA - Unknown owner - C:\WINDOWS\system32\PnkBstrA.exe
O23 - Service: PC Tools Spyware Doctor (SDhelper) - PC Tools Research Pty Ltd - C:\GBA\Spyware Doctor\sdhelp.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe
O24 - Desktop Component 0: (no name) - http://myspace-944.vo.llnwd.net/01345/44/94/1345094944_l.jpg

--
End of file - 9805 bytes


----------



## xintrop (Dec 5, 2007)

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 3:01:04 PM, on 8/27/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\system32\devldr32.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Creative\ShareDLL\CtNotify.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Program Files\AIM\aim.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Creative\ShareDLL\MediaDet.Exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.newsday.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
O1 - Hosts: 92.48.81.32 iHabbixReloaded
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: CCHelper Class - {0CF0B8EE-6596-11D5-A98E-0003470BB48E} - C:\Program Files\Panicware\Pop-Up Stopper\CCHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: PCTools Site Guard - {5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB} - C:\GBA\SPYWAR~1\tools\iesdsg.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_06\bin\ssv.dll
O3 - Toolbar: Pa&nicware Pop-Up Stopper - {7E82235C-F31E-46CB-AF9F-1ADD94C585FF} - C:\Program Files\Panicware\Pop-Up Stopper\pstopper.dll
O4 - HKLM\..\Run: [Disc Detector] C:\Program Files\Creative\ShareDLL\CtNotify.exe
O4 - HKLM\..\Run: [ISUSPM Startup] "C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe" -startup
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [NvCplDaemon] "RUNDLL32.EXE" C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [ZoneAlarm Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM\aim.exe -cnetwait.odl
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [AIM Logger] C:\PROGRA~1\Nalsoft\AIMLOG~1\AIMLogger.exe /start /minimize
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKCU\..\Run: [+,-./0123456789:;<=>[email protected]] ()*+,-./0123456789:;<=>[email protected]
O4 - HKUS\S-1-5-18\..\Run: [Spyware Doctor] "C:\GBA\Spyware Doctor\swdoctor.exe" /Q (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [Spyware Doctor] "C:\GBA\Spyware Doctor\swdoctor.exe" /Q (User 'Default user')
O4 - Startup: Scheduler.lnk = C:\Program Files\SpyCatcher 2006\Scheduler daemon.exe
O4 - Startup: Xfire.lnk = C:\ALLSTAR\Xfire\xfire.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_06\bin\ssv.dll
O9 - Extra button: Spyware Doctor - {2D663D1A-8670-49D9-A1A5-4C56B4E14E84} - C:\GBA\SPYWAR~1\tools\iesdpb.dll
O9 - Extra button: ICQ Pro - {6224f700-cba3-4071-b251-47cb894244cd} - C:\PROGRA~1\ICQ\ICQ.exe
O9 - Extra 'Tools' menuitem: ICQ - {6224f700-cba3-4071-b251-47cb894244cd} - C:\PROGRA~1\ICQ\ICQ.exe
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: (no name) - {AFC3FA82-AD07-45cd-8B57-983435B9899E} - (no file)
O9 - Extra button: ICQ Lite - {B863453A-26C3-4e1f-A54D-A2CD196348E9} - C:\Program Files\ICQLite\ICQLite.exe (file missing)
O9 - Extra 'Tools' menuitem: ICQ Lite - {B863453A-26C3-4e1f-A54D-A2CD196348E9} - C:\Program Files\ICQLite\ICQLite.exe (file missing)
O9 - Extra button: Run IMVU - {d9288080-1baa-4bc4-9cf8-a92d743db949} - C:\Documents and Settings\Jude.JUDE-5PCD8SABXZ\Start Menu\Programs\IMVU\Run IMVU.lnk (file missing)
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: ICQ6 - {E59EB121-F339-4851-A3BA-FE49C35617C2} - C:\Program Files\ICQ6\ICQ.exe
O9 - Extra 'Tools' menuitem: ICQ6 - {E59EB121-F339-4851-A3BA-FE49C35617C2} - C:\Program Files\ICQ6\ICQ.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: ActiveGS.cab - http://www.virtualapple.org/activegs.cab
O16 - DPF: {05CA9FB0-3E3E-4B36-BF41-0E3A5CAA8CD8} (Office Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=67633
O16 - DPF: {1239CC52-59EF-4DFA-8C61-90FFA846DF7E} (Musicnotes Viewer) - http://www.musicnotes.com/download/mnviewer.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?LinkID=39204
O16 - DPF: {39B0684F-D7BF-4743-B050-FDC3F48F7E3B} (FilePlanet Download Control Class) - http://www.fileplanet.com/fpdlmgr/cabs/FPDC_1_0_0_41.cab
O16 - DPF: {3DCEC959-378A-4922-AD7E-FD5C925D927F} (Disney Online Games ActiveX Control) - http://disney.go.com/pirates/online/testActiveX/built/signed/DisneyOnlineGames.cab
O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akamai.net/7/1540/52...pple.com/mickey/us/win/QuickTimeInstaller.exe
O16 - DPF: {5F5F9FB8-878E-4455-95E0-F64B2314288A} (ijjiPlugin2 Class) - http://gamedownload.ijjimax.com/gamedownload/dist/hgstart/HGPlugin11USA.cab
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab
O16 - DPF: {67DABFBF-D0AB-41FA-9C46-CC0F21721616} (DivXBrowserPlugin Object) - http://download.divx.com/player/DivXBrowserPlugin.cab?s6
O16 - DPF: {69EF49E5-FE46-4B92-B5FA-2193AB7A6B8A} (GameLauncher Control) - http://www.acclaim.com/cabs/acclaim_v4.cab
O16 - DPF: {70BA88C8-DAE8-4CE9-92BB-979C4A75F53B} - http://launch.gamespyarcade.com/software/launch/alaunch.cab
O16 - DPF: {77E32299-629F-43C6-AB77-6A1E6D7663F6} (Groove Control) - http://tv.disney.go.com/global/download/otoy/OTOYAX29b.cab
O16 - DPF: {7B41B7AC-3496-4C13-A70F-DE6B60A6A8A8} (MGAME manager Class) - http://www.legendofares.com/download/mgusamanagerv1001.cab
O16 - DPF: {CC05BC12-2AA2-4AC7-AC81-0E40F83B1ADF} (Live365Player Class) - http://www.live365.com/players/play365.cab
O16 - DPF: {CD995117-98E5-4169-9920-6C12D4C0B548} (HGPlugin9USA Class) - http://gamedownload.ijjimax.com/gamedownload/dist/hgstart/HGPlugin9USA.cab
O16 - DPF: {D8089245-3211-40F6-819B-9E5E92CD61A2} (FlashXControl Object) - https://jackpotcity.microgaming.com/jackpotcity/FlashAX.cab
O16 - DPF: {DB7BF79A-FC51-4B5A-92BC-A65731174380} (InstantAction Game Launcher) - http://www.instantaction.com/download/iaplayer.cab
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\System32\CTsvcCDA.EXE
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: PnkBstrA - Unknown owner - C:\WINDOWS\system32\PnkBstrA.exe
O23 - Service: PC Tools Spyware Doctor (SDhelper) - PC Tools Research Pty Ltd - C:\GBA\Spyware Doctor\sdhelp.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe

--
End of file - 9052 bytes


----------



## Cookiegal (Aug 27, 2003)

In the second log, rescan with HijackThis, close all browser windows except HijackThis, put a check mark beside these entries and click *fix checked*.

*O4 - HKCU\..\Run: [+,-./0123456789:;<=>[email protected]] ()*+,-./0123456789:;<=>[email protected]*

Reboot and see if that makes any difference please.
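What Cookiegal is doing by hand here is comparing the new log with the previous one and picking out entries that look wrong. The helper below, an added example that is not part of the original post or of HijackThis, automates the two parts of that: it diffs two HijackThis logs from the same machine (new processes, new O/R entries) and flags entries by simple heuristics (a garbage Run value name like the one above, a hosts-file redirect to a non-loopback address, a random-looking module in system32). The embedded log excerpts are copied from the second and third logs in this thread; the heuristics are triage hints, not verdicts.

```python
"""Hypothetical triage helper for HijackThis logs (not a HijackThis feature):
diff two logs of one machine and flag entries by simple heuristics."""
import re

# Excerpt of the Aug 27 log posted above, including the entry Cookiegal flagged.
LOG_BEFORE = r"""
Running processes:
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.newsday.com/
O1 - Hosts: 92.48.81.32 iHabbixReloaded
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [NvCplDaemon] "RUNDLL32.EXE" C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKCU\..\Run: [+,-./0123456789:;<=>[email protected]] ()*+,-./0123456789:;<=>[email protected]
"""

# Excerpt of the Sep 4 log posted above.
LOG_AFTER = r"""
Running processes:
C:\WINDOWS\explorer.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\WINDOWS\system32\xspaoash.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O1 - Hosts: 92.48.81.32 iHabbixReloaded
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [NvCplDaemon] "RUNDLL32.EXE" C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [BM03f3123f] Rundll32.exe "C:\WINDOWS\system32\pugdhoij.dll",s
O4 - HKLM\..\Run: [lphcrggj0e1c1] C:\WINDOWS\system32\lphcrggj0e1c1.exe
O4 - Startup: hamachi.lnk = C:\Program Files\Hamachi\hamachi.exe
"""

ENTRY_RE = re.compile(r"^([ORF]\d+) - (.*)$")                     # "O4 - <body>"
RUN_RE = re.compile(r"^HK\S*\\\.\.\\Run: \[(?P<name>.*)\] (?P<cmd>.*)$")
SYS32_RE = re.compile(r"\\system32\\([A-Za-z0-9_]+)\.(?:exe|dll)", re.I)
LOOPBACK = {"127.0.0.1", "::1", "0.0.0.0"}   # hosts targets that are not redirects
BAD_NAME_CHARS = set("<>:;=*")               # never seen in a sane Run value name

def parse_log(text):
    """Split a log into (running process paths, [(section, body), ...])."""
    processes, entries, in_procs = [], [], False
    for line in (l.strip() for l in text.splitlines()):
        if not line:
            continue
        if line.startswith("Running processes:"):
            in_procs = True
            continue
        m = ENTRY_RE.match(line)
        if m:
            in_procs = False                 # first O/R/F line ends the process list
            entries.append((m.group(1), m.group(2)))
        elif in_procs:
            processes.append(line)
    return processes, entries

def garbled(name):
    """Value names like the one Cookiegal told the poster to fix: punctuation soup."""
    alnum = sum(c.isalnum() for c in name)
    return bool(BAD_NAME_CHARS & set(name)) or alnum < len(name) / 2

def looks_random(base):
    """Letters with digits mixed in, or a long consonant run: machine-generated name.
    Triage hint only; legitimate names occasionally match."""
    return bool(re.search(r"[a-z]\d[a-z]|\d[a-z]+\d", base, re.I)
                or re.search(r"[b-df-hj-np-tv-z]{6,}", base, re.I))

def flag_entry(section, body):
    """Return the heuristic reasons (possibly none) an entry deserves a closer look."""
    reasons = []
    if section == "O1" and body.startswith("Hosts: "):
        target = body[len("Hosts: "):].split()[0]
        if target not in LOOPBACK:
            reasons.append("hosts file maps a name to non-loopback address " + target)
    m = RUN_RE.match(body)
    if m:
        if garbled(m.group("name")):
            reasons.append("Run value name is punctuation/garbage")
        s = SYS32_RE.search(m.group("cmd"))
        if s and looks_random(s.group(1)):
            reasons.append("random-looking module in system32: " + s.group(0))
    return reasons

def review(before_text, after_text):
    """Diff two logs of the same machine and flag entries in the newer one."""
    procs_b, ents_b = parse_log(before_text)
    procs_a, ents_a = parse_log(after_text)
    known = {p.lower() for p in procs_b}     # Explorer.EXE vs explorer.exe
    seen = set(ents_b)
    return {
        "new_processes": [p for p in procs_a if p.lower() not in known],
        "new_entries": [e for e in ents_a if e not in seen],
        "flagged": [(sec, body, r) for sec, body in ents_a for r in flag_entry(sec, body)],
    }

if __name__ == "__main__":
    for key, rows in review(LOG_BEFORE, LOG_AFTER).items():
        print(key, *rows, sep="\n  ")
```

On these excerpts the diff surfaces xspaoash.exe, the ProxyOverride change, the BM03f3123f and lphcrggj0e1c1 Run values and the hamachi startup item as new, while the heuristics flag the hosts redirect and lphcrggj0e1c1.exe; the garbage-named value from the earlier log is caught by the name check alone.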


----------



## xintrop (Dec 5, 2007)

Done, and the computer still shuts down when I attempt Disk Cleanup or cleanmgr. Doing some research on my own I found others who have the same or a close problem to mine. I read one from "Tech Support forums". It read "Right-click my computer => properties => hardware => device manager. In the view menu check "show hidden devices" and tell us whether there's any device with a yellow warning sign."
The person that posted their problem had NO yellow warning sign; mine has two.

In Device Manager
"Imaging devices" "Unknown Device"
"Other devices" "Multimedia Audio Controller" 
I hesitate to paste the URL here, I am unsure of policy regarding it.


----------



## xintrop (Dec 5, 2007)

I also found this. It's exactly the issue I am having.
http://support.microsoft.com/default.aspx?scid=kb;en-us;812248


----------



## Cookiegal (Aug 27, 2003)

Are you having a problem with the sound on your computer? What make is your sound card?


----------



## xintrop (Dec 5, 2007)

No problems with sound on this computer. 
I don't know the make of my sound card, I did find this. 

Sounds and Audio Devices 
Audio
SB Live! Wave Device
-------------------------------------------------------------------------------------------------------------
Under "Hardware"
Everything says "This device is working properly"


----------



## Cookiegal (Aug 27, 2003)

The Imaging devices entry is likely a camera or something like that which is not always connected.

I'm going to have to refer you to the Hardware forum regarding the errors in the Device Manager. So please start a new thread there and mention the problem running CleanMgr as well.


----------



## ~Candy~ (Jan 27, 2001)

Remove the items with the exclamation marks, then reboot the computer.


----------



## Cookiegal (Aug 27, 2003)

Thanks Candy. :up:


----------



## ~Candy~ (Jan 27, 2001)

Anytime


----------



## xintrop (Dec 5, 2007)

Thank you Candy, is there a certain method I would use, i.e. are there options to delete, etc.?


----------



## ~Candy~ (Jan 27, 2001)

Just right click on each one, and choose delete/uninstall, whichever is your choice there.


----------



## xintrop (Dec 5, 2007)

Oh, they are both from my monitor. My last one blew out and every time I reboot, the monitor works fine but it says:
"Windows could not load the installer for Monitor. Contact your hardware vendor for assistance." Then a balloon pops up in the bottom right hand corner "Found New Hardware 84779A6YJYB8DELL D10L8L" then another "Found New Hardware...etc.."
So yes, this is not the monitor it came with, but I hesitate to delete or uninstall, for obvious reasons.


----------



## ~Candy~ (Jan 27, 2001)

If the monitor is gone, you don't need the device there. If you're concerned about any ill effects, create a restore point so you can revert back to where you are now.


----------



## xintrop (Dec 5, 2007)

I will start by explaining that my Windows Security Automatic Updates is off and I cannot get it back on no matter how I try using Microsoft's suggestions. My avast went off a few times and I moved viruses to the chest. A new screen saver took over saying spyware detected on your computer. My browser is slow and there is a red shield in my taskbar with an x in it. I am going to post a new HijackThis log. OH, and do you advertise porn on this site? Because I am looking at it right now in between where I am posting and your "Tech Support Guy"TM stating "_ _ _ _ Singles in my area" "MYSPACE of SEX(18+)", " _ _ _ _ A LOCAL GIRL", etc.. I doubt it, and my computer is again a mess.

:-(


----------



## xintrop (Dec 5, 2007)

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 8:24:43 PM, on 9/4/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\devldr32.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Creative\ShareDLL\CtNotify.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Creative\ShareDLL\MediaDet.Exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINDOWS\System32\CTsvcCDA.EXE
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\system32\PnkBstrA.exe
C:\GBA\Spyware Doctor\sdhelp.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\System32\alg.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\xspaoash.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
C:\WINDOWS\System32\wbem\wmiprvse.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O1 - Hosts: 92.48.81.32 iHabbixReloaded
O3 - Toolbar: Pa&nicware Pop-Up Stopper - {7E82235C-F31E-46CB-AF9F-1ADD94C585FF} - C:\Program Files\Panicware\Pop-Up Stopper\pstopper.dll
O4 - HKLM\..\Run: [Disc Detector] C:\Program Files\Creative\ShareDLL\CtNotify.exe
O4 - HKLM\..\Run: [ISUSPM Startup] "C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe" -startup
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [NvCplDaemon] "RUNDLL32.EXE" C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [ZoneAlarm Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [BM03f3123f] Rundll32.exe "C:\WINDOWS\system32\pugdhoij.dll",s
O4 - HKLM\..\Run: [lphcrggj0e1c1] C:\WINDOWS\system32\lphcrggj0e1c1.exe
O4 - HKCU\..\Run: [AdobeUpdater] C:\Program Files\Common Files\Adobe\Updater5\AdobeUpdater.exe
O4 - HKUS\S-1-5-18\..\Run: [Spyware Doctor] "C:\GBA\Spyware Doctor\swdoctor.exe" /Q (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [Spyware Doctor] "C:\GBA\Spyware Doctor\swdoctor.exe" /Q (User 'Default user')
O4 - Startup: hamachi.lnk = C:\Program Files\Hamachi\hamachi.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_06\bin\ssv.dll
O9 - Extra button: Spyware Doctor - {2D663D1A-8670-49D9-A1A5-4C56B4E14E84} - C:\GBA\SPYWAR~1\tools\iesdpb.dll
O9 - Extra button: ICQ Pro - {6224f700-cba3-4071-b251-47cb894244cd} - C:\PROGRA~1\ICQ\ICQ.exe
O9 - Extra 'Tools' menuitem: ICQ - {6224f700-cba3-4071-b251-47cb894244cd} - C:\PROGRA~1\ICQ\ICQ.exe
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: (no name) - {AFC3FA82-AD07-45cd-8B57-983435B9899E} - (no file)
O9 - Extra button: ICQ Lite - {B863453A-26C3-4e1f-A54D-A2CD196348E9} - C:\Program Files\ICQLite\ICQLite.exe (file missing)
O9 - Extra 'Tools' menuitem: ICQ Lite - {B863453A-26C3-4e1f-A54D-A2CD196348E9} - C:\Program Files\ICQLite\ICQLite.exe (file missing)
O9 - Extra button: Run IMVU - {d9288080-1baa-4bc4-9cf8-a92d743db949} - C:\Documents and Settings\Jude.JUDE-5PCD8SABXZ\Start Menu\Programs\IMVU\Run IMVU.lnk (file missing)
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: ICQ6 - {E59EB121-F339-4851-A3BA-FE49C35617C2} - C:\Program Files\ICQ6\ICQ.exe
O9 - Extra 'Tools' menuitem: ICQ6 - {E59EB121-F339-4851-A3BA-FE49C35617C2} - C:\Program Files\ICQ6\ICQ.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: ActiveGS.cab - http://www.virtualapple.org/activegs.cab
O16 - DPF: {05CA9FB0-3E3E-4B36-BF41-0E3A5CAA8CD8} (Office Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=67633
O16 - DPF: {1239CC52-59EF-4DFA-8C61-90FFA846DF7E} (Musicnotes Viewer) - http://www.musicnotes.com/download/mnviewer.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?LinkID=39204
O16 - DPF: {39B0684F-D7BF-4743-B050-FDC3F48F7E3B} (FilePlanet Download Control Class) - http://www.fileplanet.com/fpdlmgr/cabs/FPDC_1_0_0_41.cab
O16 - DPF: {3DCEC959-378A-4922-AD7E-FD5C925D927F} (Disney Online Games ActiveX Control) - http://disney.go.com/pirates/online/testActiveX/built/signed/DisneyOnlineGames.cab
O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akamai.net/7/1540/52...pple.com/mickey/us/win/QuickTimeInstaller.exe
O16 - DPF: {5F5F9FB8-878E-4455-95E0-F64B2314288A} (ijjiPlugin2 Class) - http://gamedownload.ijjimax.com/gamedownload/dist/hgstart/HGPlugin11USA.cab
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab
O16 - DPF: {67DABFBF-D0AB-41FA-9C46-CC0F21721616} (DivXBrowserPlugin Object) - http://download.divx.com/player/DivXBrowserPlugin.cab?s6
O16 - DPF: {69EF49E5-FE46-4B92-B5FA-2193AB7A6B8A} (GameLauncher Control) - http://www.acclaim.com/cabs/acclaim_v4.cab
O16 - DPF: {70BA88C8-DAE8-4CE9-92BB-979C4A75F53B} - http://launch.gamespyarcade.com/software/launch/alaunch.cab
O16 - DPF: {77E32299-629F-43C6-AB77-6A1E6D7663F6} (Groove Control) - http://tv.disney.go.com/global/download/otoy/OTOYAX29b.cab
O16 - DPF: {7B41B7AC-3496-4C13-A70F-DE6B60A6A8A8} (MGAME manager Class) - http://www.legendofares.com/download/mgusamanagerv1001.cab
O16 - DPF: {CC05BC12-2AA2-4AC7-AC81-0E40F83B1ADF} (Live365Player Class) - http://www.live365.com/players/play365.cab
O16 - DPF: {CD995117-98E5-4169-9920-6C12D4C0B548} (HGPlugin9USA Class) - http://gamedownload.ijjimax.com/gamedownload/dist/hgstart/HGPlugin9USA.cab
O16 - DPF: {D8089245-3211-40F6-819B-9E5E92CD61A2} (FlashXControl Object) - https://jackpotcity.microgaming.com/jackpotcity/FlashAX.cab
O16 - DPF: {DB7BF79A-FC51-4B5A-92BC-A65731174380} (InstantAction Game Launcher) - http://www.instantaction.com/download/iaplayer.cab
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\System32\CTsvcCDA.EXE
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: PnkBstrA - Unknown owner - C:\WINDOWS\system32\PnkBstrA.exe
O23 - Service: PC Tools Spyware Doctor (SDhelper) - PC Tools Research Pty Ltd - C:\GBA\Spyware Doctor\sdhelp.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe
O24 - Desktop Component 0: (no name) - http://tn3-1.deviantart.com/fs5/300W/i/2004/276/6/c/Naruto_vs_Sasuke_by_martegodpopo.jpg
O24 - Desktop Component 1: (no name) - http://artimpressive.com/wp-content/uploads/2007/07/379858.jpg
O24 - Desktop Component 2: (no name) - http://charas-project.net/resources/Titles/6579_1171637130_small.png
O24 - Desktop Component 3: (no name) - http://upload.wikimedia.org/wikipedia/en/f/f3/SSBB_Cover.jpg
O24 - Desktop Component 4: (no name) - http://i177.photobucket.com/albums/w222/ss021447/kirby_bg.jpg
O24 - Desktop Component 5: (no name) - http://i185.photobucket.com/albums/x275/kakairu14/naruto/narutoshippuudenepisodewallpaper.jpg
O24 - Desktop Component 6: (no name) - http://images.elfwood.com/fanq/s/p/spitaelsd2/redeyesblackdragon.jpg

--
End of file - 9944 bytes


----------



## Cookiegal (Aug 27, 2003)

*Follow these steps to uninstall Combofix and all of its files and components.*

 Click *START* then *RUN*
 Now type *Combofix /u* in the runbox and click *OK*. Note the *space* between the *X* and the *U*, it needs to be there.

Now get the latest version:

Please visit *Combofix Guide & Instructions* for instructions for installing the recovery console and downloading and running ComboFix.

The only thing different from the instructions there is that when downloading and saving the ComboFix.exe I would like you to rename it to ComboFox.exe please.

Post the log from ComboFix when you've accomplished that along with a new HijackThis log.

Important notes regarding ComboFix:

ComboFix may reset a number of Internet Explorer's settings, including making it the default browser. This can easily be changed once we're finished.

ComboFix also prevents autorun of ALL CDs, floppies and USB devices to assist with malware removal & increase security. If this is an issue or makes it difficult for you, please let me know. This can be undone manually when we're finished.


----------



## xintrop (Dec 5, 2007)

After running Combofix /u it uninstalled the current one. I cannot get to the link you posted I see it as "http://www.bleepingcomputer.com/combofix/how-to-use-combofix" in the URL, while using firefox. It does not even "time out", it changes to "about:blank". I tried IE and virus scanners and pop-ups start if I use IE. When I try Opera, the screen just stays white, then changes to "about:blank" as well. 

I cannot get into my e-mail or certain sites.


----------



## Cookiegal (Aug 27, 2003)

Try doing a system restore to just before this happened.


----------



## xintrop (Dec 5, 2007)

I was able to get to the link, download ComboFix and run it tonight. Having run ComboFix in the past, it seemed to delete many files/folders it had not in the past.
The log follows.


----------



## xintrop (Dec 5, 2007)

ComboFix 08-09-04.09 - Jude 2008-09-05 19:34:25.10 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.657 [GMT -4:00]
Running from: C:\Documents and Settings\Jude.JUDE-5PCD8SABXZ\Desktop\ComboFix.exe
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\DOCUME~1\JUDE~1.JUD\LOCALS~1\Temp\tmp1.tmp
C:\Documents and Settings\All Users.WINDOWS\Desktop\Antivirus XP 2008.lnk
C:\Documents and Settings\All Users.WINDOWS\Start Menu\Programs\Antivirus XP 2008
C:\Documents and Settings\All Users.WINDOWS\Start Menu\Programs\Antivirus XP 2008.lnk
C:\Documents and Settings\All Users.WINDOWS\Start Menu\Programs\Antivirus XP 2008\Antivirus XP 2008.lnk
C:\Documents and Settings\All Users.WINDOWS\Start Menu\Programs\Antivirus XP 2008\How to Register Antivirus XP 2008.lnk
C:\Documents and Settings\All Users.WINDOWS\Start Menu\Programs\Antivirus XP 2008\License Agreement.lnk
C:\Documents and Settings\All Users.WINDOWS\Start Menu\Programs\Antivirus XP 2008\Register Antivirus XP 2008.lnk
C:\Documents and Settings\All Users.WINDOWS\Start Menu\Programs\Antivirus XP 2008\Uninstall.lnk
C:\Documents and Settings\Jude.JUDE-5PCD8SABXZ\Application Data\Microsoft\Internet Explorer\Quick Launch\Antivirus XP 2008.lnk
C:\Documents and Settings\Jude.JUDE-5PCD8SABXZ\Application Data\rhcvggj0e1c1
C:\WINDOWS\BM03f3123f.txt
C:\WINDOWS\BM03f3123f.xml
C:\WINDOWS\pskt.ini
C:\WINDOWS\system32\A.tmp
C:\WINDOWS\system32\byXRiGWN.dll
C:\WINDOWS\system32\efcYsSMC.dll
C:\WINDOWS\system32\fstfdlde.dll
C:\WINDOWS\system32\lphcrggj0e1c1.exe
C:\WINDOWS\system32\lSCKkkkj.ini
C:\WINDOWS\system32\lSCKkkkj.ini2
C:\WINDOWS\system32\mcrh.tmp
C:\WINDOWS\system32\phcrggj0e1c1.bmp
C:\WINDOWS\system32\pldnhlxd.ini
C:\WINDOWS\system32\pphcrggj0e1c1.exe
C:\WINDOWS\system32\pugdhoij.dll
C:\WINDOWS\system32\pyotugvu.dll
C:\WINDOWS\system32\ranypllo.ini
C:\WINDOWS\system32\rumimw.dll
C:\WINDOWS\system32\uodysm.dll
C:\WINDOWS\system32\xqvzqv.dll
C:\WINDOWS\system32\ywtvbhma.dll

.
((((((((((((((((((((((((( Files Created from 2008-08-05 to 2008-09-05 )))))))))))))))))))))))))))))))
.

2008-09-04 22:26 . 2008-09-04 22:26 d--------	C:\Program Files\rhcvggj0e1c1
2008-09-03 19:27 . 2008-09-03 19:40 d--------	C:\Program Files\One Piece Online
2008-09-03 14:47 . 2008-09-03 14:47	311,296	--a------	C:\WINDOWS\system32\jkkkKCSl.dll
2008-08-29 04:26 . 2008-08-29 04:26 d--------	C:\Program Files\Apprentice
2008-08-28 02:01 . 2005-05-26 15:34	2,297,552	--a------	C:\WINDOWS\system32\d3dx9_26.dll
2008-08-28 02:00 . 2008-08-28 02:00 d--------	C:\temp\MTGOInstall
2008-08-28 01:52 . 2008-08-28 02:02 d--------	C:\Documents and Settings\Jude.JUDE-5PCD8SABXZ\Application Data\Wizards of the Coast
2008-08-28 01:50 . 2008-08-28 01:50 d--------	C:\Documents and Settings\Jude.JUDE-5PCD8SABXZ\Application Data\InstallShield
2008-08-25 17:18 . 2008-08-25 17:18 d--------	C:\Documents and Settings\Jude.JUDE-5PCD8SABXZ\.frugoo_file_store_32
2008-08-23 14:08 . 2008-08-23 14:09 d--------	C:\Program Files\Kaiba Corp VDS
2008-08-20 11:36 . 2008-08-20 11:44 d--------	C:\Documents and Settings\Jude.JUDE-5PCD8SABXZ\.SunDownloadManager
2008-08-19 18:40 . 2008-08-19 18:40 d--------	C:\Program Files\American Systems
2008-08-19 18:40 . 2008-07-01 13:24	302,184	--a------	C:\WINDOWS\amuninst.exe
2008-08-19 18:40 . 2008-08-19 18:40	555	--a------	C:\WINDOWS\unezmac.ini
2008-08-19 18:40 . 2008-08-19 18:40	36	--a------	C:\WINDOWS\ezmacros.INI
2008-08-17 20:00 . 2008-08-17 15:01	38,472	--a------	C:\WINDOWS\system32\drivers\mbamswissarmy.sys
2008-08-17 20:00 . 2008-08-17 15:01	17,144	--a------	C:\WINDOWS\system32\drivers\mbam.sys
2008-08-13 21:39 . 2008-05-01 10:30	331,776	-----c---	C:\WINDOWS\system32\dllcache\msadce.dll

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-09-05 23:45	---------	d-----w	C:\Documents and Settings\Jude.JUDE-5PCD8SABXZ\Application Data\Hamachi
2008-09-05 02:07	---------	d-----w	C:\Documents and Settings\Jude.JUDE-5PCD8SABXZ\Application Data\mIRC
2008-09-05 01:43	---------	d-----w	C:\Program Files\mIRC
2008-08-28 05:50	---------	d--h--w	C:\Program Files\InstallShield Installation Information
2008-08-28 05:50	---------	d-----w	C:\Program Files\Wizards of the Coast
2008-08-28 00:12	---------	d-----w	C:\Program Files\iHabbix Ltd
2008-08-23 19:20	25,280	----a-w	C:\WINDOWS\system32\drivers\hamachi.sys
2008-08-23 19:20	---------	d-----w	C:\Program Files\Hamachi
2008-08-20 05:57	---------	d-----w	C:\Program Files\Cartoon Network
2008-08-18 00:00	---------	d-----w	C:\Program Files\Malwarebytes' Anti-Malware
2008-08-03 22:32	---------	d-----w	C:\Program Files\LimeWire
2008-07-26 08:39	0	----a-w	C:\Documents and Settings\Jude.JUDE-5PCD8SABXZ\jagex_runescape_preferences.dat
2008-07-23 04:22	---------	d-----w	C:\Documents and Settings\Jude.JUDE-5PCD8SABXZ\Application Data\zweitgeist
2008-07-21 18:56	88	--sh--r	C:\Documents and Settings\All Users.WINDOWS\Application Data\0B328F544C.sys
2008-07-21 18:56	1,734	--sha-w	C:\Documents and Settings\All Users.WINDOWS\Application Data\KGyGaAvL.sys
2008-07-20 19:36	---------	d-----w	C:\Program Files\YVD
2008-07-20 19:32	---------	d-----w	C:\Program Files\PlaneShift Steel Blue
2008-07-20 19:18	---------	d-----w	C:\Program Files\HaCKeR
2008-07-20 16:23	---------	d---a-w	C:\Documents and Settings\All Users.WINDOWS\Application Data\TEMP
2008-07-20 16:18	---------	d-----w	C:\Program Files\SpywareBlaster
2008-07-20 15:49	---------	d-----w	C:\Program Files\NCH Swift Sound
2008-07-20 15:13	---------	d-----w	C:\Program Files\BitTorrent
2008-07-20 13:25	---------	d-----w	C:\Program Files\SUPERAntiSpyware
2008-07-20 13:25	---------	d-----w	C:\Documents and Settings\Jude.JUDE-5PCD8SABXZ\Application Data\SUPERAntiSpyware.com
2008-07-17 17:36	---------	d-----w	C:\Documents and Settings\Jude.JUDE-5PCD8SABXZ\Application Data\BYOND
2008-07-15 19:49	---------	d-----w	C:\Documents and Settings\Jude.JUDE-5PCD8SABXZ\Application Data\PowerChallenge
2008-07-14 12:06	---------	d-----w	C:\Documents and Settings\Jude.JUDE-5PCD8SABXZ\Application Data\Character Creator
2008-07-12 21:18	---------	d-----w	C:\Program Files\ICQ6
2008-07-12 21:18	---------	d-----w	C:\Documents and Settings\Jude.JUDE-5PCD8SABXZ\Application Data\ICQ
2008-07-10 03:47	---------	d-----w	C:\Program Files\Microsoft Games
2008-07-09 06:58	72,192	----a-w	C:\WINDOWS\cadkasdeinst01e.exe
2008-07-07 07:45	73,216	----a-w	C:\WINDOWS\ST6UNST.EXE
2008-07-07 07:45	286,720	------w	C:\WINDOWS\Setup1.exe
2008-07-05 23:21	---------	d-----w	C:\Program Files\Java
2008-03-12 19:07	6,605	----a-w	C:\Program Files\INSTALL.LOG
2007-07-18 23:06	9	-c--a-w	C:\Program Files\install_log.dat
2006-01-10 22:25	32	-c--a-r	C:\Documents and Settings\All Users\hash.dat
2005-08-27 01:11	4	----a-w	C:\Program Files\Common Files\Cvtaqlog.dat
2005-02-02 07:30	487,424	----a-w	C:\Documents and Settings\Jude.JUDE-5PCD8SABXZ\chatlnk.exe
2008-04-24 18:31	56	--sh--r	C:\WINDOWS\system32\00EA860D08.sys
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown 
REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{02F36F75-D1E2-46E0-A227-853FA33AFD4C}]
2008-09-03 14:47	311296	--a------	C:\WINDOWS\system32\jkkkKCSl.dll

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"AdobeUpdater"="C:\Program Files\Common Files\Adobe\Updater5\AdobeUpdater.exe" [2007-03-01 2321600]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Disc Detector"="C:\Program Files\Creative\ShareDLL\CtNotify.exe" [2001-08-01 191488]
"ISUSPM Startup"="C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe" [2004-06-16 221184]
"avast!"="C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe" [2007-12-04 79224]
"NvCplDaemon"="C:\WINDOWS\system32\NvCpl.dll" [2003-10-06 5058560]
"ZoneAlarm Client"="C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe" [2007-03-09 919280]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2008-05-27 413696]
"SMrhcvggj0e1c1"="C:\Program Files\rhcvggj0e1c1\rhcvggj0e1c1.exe" [2008-09-04 831488]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"Spyware Doctor"="C:\GBA\Spyware Doctor\swdoctor.exe" [2005-12-13 1976544]

C:\Documents and Settings\Jude.JUDE-5PCD8SABXZ\Start Menu\Programs\Startup\
hamachi.lnk - C:\Program Files\Hamachi\hamachi.exe [2008-08-23 625952]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"msacm.ctmp3"= C:\WINDOWS\System32\ctmp3.acm
"aux"= ctwdm32.dll
"vidc.ir32"= C:\WINDOWS\system32\ir32_32.dll
"vidc.ir31"= C:\WINDOWS\system32\ir32_32.dll

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders]
SecurityProviders	msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll

[HKLM\~\startupfolder\C:^Documents and Settings^All Users.WINDOWS^Start Menu^Programs^Startup^Google Updater.lnk]
path=C:\Documents and Settings\All Users.WINDOWS\Start Menu\Programs\Startup\Google Updater.lnk
backup=C:\WINDOWS\pss\Google Updater.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users.WINDOWS^Start Menu^Programs^Startup^Microsoft Find Fast.lnk]
path=C:\Documents and Settings\All Users.WINDOWS\Start Menu\Programs\Startup\Microsoft Find Fast.lnk
backup=C:\WINDOWS\pss\Microsoft Find Fast.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users.WINDOWS^Start Menu^Programs^Startup^Office Startup.lnk]
path=C:\Documents and Settings\All Users.WINDOWS\Start Menu\Programs\Startup\Office Startup.lnk
backup=C:\WINDOWS\pss\Office Startup.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users.WINDOWS^Start Menu^Programs^Startup^Photo Loader supervisory.lnk]
path=C:\Documents and Settings\All Users.WINDOWS\Start Menu\Programs\Startup\Photo Loader supervisory.lnk
backup=C:\WINDOWS\pss\Photo Loader supervisory.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users.WINDOWS^Start Menu^Programs^Startup^ShortKeys 2.lnk]
path=C:\Documents and Settings\All Users.WINDOWS\Start Menu\Programs\Startup\ShortKeys 2.lnk
backup=C:\WINDOWS\pss\ShortKeys 2.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^Jude.JUDE-5PCD8SABXZ^Start Menu^Programs^Startup^GameSpot Download Manager.lnk]
path=C:\Documents and Settings\Jude.JUDE-5PCD8SABXZ\Start Menu\Programs\Startup\GameSpot Download Manager.lnk
backup=C:\WINDOWS\pss\GameSpot Download Manager.lnkStartup

[HKLM\~\startupfolder\C:^Documents and Settings^Jude.JUDE-5PCD8SABXZ^Start Menu^Programs^Startup^hamachi.lnk]
path=C:\Documents and Settings\Jude.JUDE-5PCD8SABXZ\Start Menu\Programs\Startup\hamachi.lnk
backup=C:\WINDOWS\pss\hamachi.lnkStartup

[HKLM\~\startupfolder\C:^Documents and Settings^Jude.JUDE-5PCD8SABXZ^Start Menu^Programs^Startup^IMVU.lnk]
path=C:\Documents and Settings\Jude.JUDE-5PCD8SABXZ\Start Menu\Programs\Startup\IMVU.lnk
backup=C:\WINDOWS\pss\IMVU.lnkStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]
--a------ 2008-01-11 22:16 39792 C:\Program Files\Adobe\Reader 8.0\Reader\reader_sl.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AdobeUpdater]
-ra------ 2007-03-01 10:37 2321600 C:\Program Files\Common Files\Adobe\Updater5\AdobeUpdater.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ICQ]
--a------ 2008-05-18 12:30 172280 C:\Program Files\ICQ6\ICQ.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ISUSScheduler]
--a------ 2004-06-16 06:03 81920 C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
--a------ 2007-11-15 14:11 267048 C:\Program Files\iTunes\iTunesHelper.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroCheck]
--a------ 2001-07-09 05:50 155648 C:\WINDOWS\system32\NeroCheck.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
--a------ 2008-05-27 10:50 413696 C:\Program Files\QuickTime\QTTask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
--a------ 2008-03-25 04:28 144784 C:\Program Files\Java\jre1.6.0_06\bin\jusched.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\nwiz]
--a------ 2003-10-06 15:16 741376 C:\WINDOWS\system32\nwiz.exe

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\ZoneLabsFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"C:\\Program Files\\LimeWire\\LimeWire.exe"=
"C:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"C:\\Program Files\\ICQ6\\ICQ.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"90:TCP"= 90:TCP:Kinger's Hotel

S3 dump_wmimmc;dump_wmimmc;C:\AAAAAA\ENGLISH\Gunbound Revolution\GameGuard\dump_wmimmc.sys [ ]
.
Contents of the 'Scheduled Tasks' folder
.
- - - - ORPHANS REMOVED - - - -

BHO-{58A900D9-77AA-435B-9E3A-EA6EE6A549C9} - C:\WINDOWS\system32\byXRiGWN.dll
BHO-{819b25f3-e929-4da4-804e-df0813efa5b0} - C:\WINDOWS\system32\xqvzqv.dll
HKLM-Run-lphcrggj0e1c1 - C:\WINDOWS\system32\lphcrggj0e1c1.exe
HKLM-Run-BM03f3123f - C:\WINDOWS\system32\pugdhoij.dll
ShellExecuteHooks-{58A900D9-77AA-435B-9E3A-EA6EE6A549C9} - C:\WINDOWS\system32\byXRiGWN.dll

.
------- Supplementary Scan -------
.
FireFox -: Profile - C:\Documents and Settings\Jude.JUDE-5PCD8SABXZ\Application Data\Mozilla\Firefox\Profiles\Dad\
FireFox -: prefs.js - STARTUP.HOMEPAGE - hxxp://www.aesoponline.com/login.asp
.

**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-09-05 19:46:02
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

HKLM\Software\Microsoft\Windows\CurrentVersion\Run
Disc Detector = C:\Program Files\Creative\ShareDLL\CtNotify.exe?X???????????????? C?????Disc Detector?B???A???????A?? [email protected][email protected]?? [email protected][email protected][email protected][email protected][email protected]?? [email protected]???????????????????B?????L?????????????????????????????B

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
------------------------ Other Running Processes ------------------------
.
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINDOWS\system32\CTSVCCDA.EXE
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\PnkBstrA.exe
C:\GBA\Spyware Doctor\sdhelp.exe
C:\WINDOWS\system32\devldr32.exe
C:\WINDOWS\system32\MsPMSPSv.exe
C:\Program Files\Creative\ShareDLL\Mediadet.exe
C:\WINDOWS\system32\wscntfy.exe
.
**************************************************************************
.
Completion time: 2008-09-05 20:07:28 - machine was rebooted [Jude]
ComboFix-quarantined-files.txt 2008-09-06 00:07:21
ComboFix2.txt 2008-08-16 15:06:35

Pre-Run: 24,602,996,736 bytes free
Post-Run: 25,662,267,392 bytes free

235	--- E O F ---	2008-08-19 02:36:57

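As an added example that is not part of this thread or of ComboFix itself, the Python script below reads the two log sections shown above (the "Files Created" window and "Reg Loading Points") and flags every autostart, BHO or Run value, whose target was created inside the scan window. That is the pairing visible in this log: jkkkKCSl.dll registered as a BHO two days after it appeared in system32, and the SMrhcvggj0e1c1 Run value pointing into the Program Files folder created the day before. The sample log is a constructed excerpt built from entries in the log above; the regexes follow the tab-separated layout shown there and the flagging heuristic is the example's own.

```python
"""Triage helper for a ComboFix-style log (added example, not part of the thread).

Cross-references two sections of the log:
  * "Files Created from ... to ..."  -> files and folders that appeared in the window
  * "Reg Loading Points"             -> BHOs and Run values loaded at boot or logon
and flags every autostart whose target lives in a path created inside the window.
"""
import re
from dataclasses import dataclass

# Constructed excerpt in the tab-separated layout of the thread's log; the
# entries are copied from it, but this is not a complete ComboFix report.
SAMPLE_LOG = (
    "((((((((((((((((((((((((( Files Created from 2008-08-05 to 2008-09-05 )))))))))))))))))))))))))))))))\n"
    ".\n\n"
    "2008-09-04 22:26 . 2008-09-04 22:26 d--------\tC:\\Program Files\\rhcvggj0e1c1\n"
    "2008-09-03 14:47 . 2008-09-03 14:47\t311,296\t--a------\tC:\\WINDOWS\\system32\\jkkkKCSl.dll\n"
    "2008-08-17 20:00 . 2008-08-17 15:01\t17,144\t--a------\tC:\\WINDOWS\\system32\\drivers\\mbam.sys\n"
    "\n.\n"
    "((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))\n"
    ".\nREGEDIT4\n\n"
    "[HKEY_LOCAL_MACHINE\\~\\Browser Helper Objects\\{02F36F75-D1E2-46E0-A227-853FA33AFD4C}]\n"
    "2008-09-03 14:47\t311296\t--a------\tC:\\WINDOWS\\system32\\jkkkKCSl.dll\n\n"
    "[HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run]\n"
    "\"Disc Detector\"=\"C:\\Program Files\\Creative\\ShareDLL\\CtNotify.exe\" [2001-08-01 191488]\n"
    "\"SMrhcvggj0e1c1\"=\"C:\\Program Files\\rhcvggj0e1c1\\rhcvggj0e1c1.exe\" [2008-09-04 831488]\n"
)

SECTION_RE = re.compile(r"^\(+\s*(?P<title>.+?)\s*\)+$")            # ((( Title )))
CREATED_RE = re.compile(                                            # "Files Created" rows
    r"^(?P<when>\d{4}-\d{2}-\d{2} \d{2}:\d{2}) \. \d{4}-\d{2}-\d{2} \d{2}:\d{2}"
    r"\s+(?:[\d,]+\s+)?(?P<attrs>[-a-z]{9})\s+(?P<path>.+)$"
)
KEY_RE = re.compile(r"^\[(?P<key>[^\]]+)\]$")                        # [HKEY_...]
RUN_VALUE_RE = re.compile(r'^"(?P<name>[^"]+)"="(?P<path>[^"]+)"')   # "name"="path" [...]
BHO_TARGET_RE = re.compile(r"^\d{4}-\d{2}-\d{2} \d{2}:\d{2}\s+\d+\s+[-a-z]{9}\s+(?P<path>.+)$")


@dataclass
class Autostart:
    kind: str    # "BHO" or "Run"
    name: str    # CLSID for a BHO, value name for a Run entry
    target: str  # path that gets loaded


def parse_log(text):
    """Return ({lower-cased path: (created, is_dir)}, [Autostart, ...])."""
    created, autostarts = {}, []
    section = key = None
    for raw in text.splitlines():
        line = raw.strip()
        m = SECTION_RE.match(line)
        if m:
            section, key = m.group("title"), None
            continue
        if not line or line == "." or section is None:
            continue
        if section.startswith("Files Created"):
            m = CREATED_RE.match(line)
            if m:
                created[m.group("path").lower()] = (m.group("when"), m.group("attrs")[0] == "d")
        elif section == "Reg Loading Points":
            m = KEY_RE.match(line)
            if m:
                key = m.group("key")
            elif key and "browser helper objects" in key.lower():
                m = BHO_TARGET_RE.match(line)
                if m:
                    autostarts.append(Autostart("BHO", key.rsplit("\\", 1)[-1], m.group("path")))
            elif key and key.lower().endswith("\\run"):
                m = RUN_VALUE_RE.match(line)
                if m:
                    autostarts.append(Autostart("Run", m.group("name"), m.group("path")))
    return created, autostarts


def flag_new_autostarts(created, autostarts):
    """Autostarts whose target is a file, or sits under a folder, created in the window."""
    findings = []
    for entry in autostarts:
        target = entry.target.lower()
        for path, (when, is_dir) in created.items():
            if target == path or (is_dir and target.startswith(path + "\\")):
                findings.append({"kind": entry.kind, "name": entry.name,
                                 "target": entry.target, "created": when, "via": path})
                break  # one matching creation record is enough to flag it
    return findings


if __name__ == "__main__":
    for f in flag_new_autostarts(*parse_log(SAMPLE_LOG)):
        print(f"{f['kind']:3} {f['name']:40} -> {f['target']}  (created {f['created']})")
```

A hit here is only a triage lead: a legitimately installed program also shows up as a fresh folder plus a new Run value, so each flagged path still needs to be looked at.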

----------



## Cookiegal (Aug 27, 2003)

Have you done LimeWire or Torrents downloads over the past couple of days?


----------



## xintrop (Dec 5, 2007)

No, and no one in the household has, according to them. I thought I deleted LimeWire a while ago and didn't know anything about what a "Torrent" was until Candy explained it to me in a private message when I asked. I want to get all that out of this computer if it is there. I do know that before he left (about 3 weeks ago?) my oldest downloaded ring tones from a site prior to leaving for college for his mom and brother. I left a voice mail for him and will ask him where he downloaded those ring tones from.

After running ComboFix the computer was running fine. All signs of problems were gone. My wife went into her e-mail and my youngest son watched things on YouTube. Now today a red shield with the "x" is back in my taskbar and the browser seems sluggish. I believe this is how my second "Emergency" post started out. When I hold the cursor over the red shield it says "Windows Security Alert". Last time I believe I clicked it and that's when all hell broke loose. I do have Automatic Updates checked in "Settings", Control Panel, "Automatic Updates". However, when I click on Windows Updates it states "The site cannot continue because one or more of these services is not running". Also a window is now popping up occasionally; it is a blank page stating "cannot connect to server". Below is what Automatic Updates says.


----------



## xintrop (Dec 5, 2007)

I have done all of this in the last few days prior to the last "Emergency" post. I believe this is the issue besides anything else it started?

Automatic Updates (allows the site to find, download and install high-priority updates for your computer) 
Background Intelligent Transfer Service (BITS) (helps updates download more quickly and without problems if the download process is interrupted) 
Event Log (keeps a record of updating activities to help with troubleshooting, if needed) 
To make sure these services are running:
1. Click Start, and then click Run.
2. Type services.msc and then click OK.
3. In the list of services, double-click on Automatic Updates and then click Properties.
4. In the Startup type list, select Automatic and click Apply.
5. Verify that the Service status is Started; if the Service status is Stopped, click on the Start button.
6. In the list of services, double-click on Background Intelligent Transfer Service (BITS) and then click Properties.
7. In the Startup type list, select Manual and click Apply.
8. Verify that the Service status is Started; if the Service status is Stopped, click on the Start button.
9. In the list of services, double-click on Event Log and then click Properties.
10. In the Startup type list, select Automatic and click Apply.
11. Verify that the Service status is Started; if the Service status is Stopped, click on the Start button.


----------



## xintrop (Dec 5, 2007)

Many of the symptoms are back again as they were prior to running ComboFix last night. The browser is slow or will not work. I cannot get to certain sites or e-mails. Avast is NOT informing me of any issues, and besides the RED SHIELD on my taskbar, that screen saver is NOT there and there are NO pop-ups telling me I have any problems with the computer atm.


----------



## xintrop (Dec 5, 2007)

Sorry, I am not trying to "bump this thread", only to show you what I am finding as I find it. LimeWire WAS installed again on the computer; I just deleted it again. "Last used 8/20". That would have to be my youngest, as my oldest was away at that time. I am setting a password on my user as he obviously is unable to abide by the rules set.


----------



## ~Candy~ (Jan 27, 2001)

You also need to secure his user as well: if he has admin rights, he can download it again and still create havoc on the entire system. Those need to be changed, and his user level "downgraded."

I think I mentioned that before.


----------



## xintrop (Dec 5, 2007)

Yes, and thank you Candy. I took away admin perms from both users a while ago, but that's useless if he has access to my user .. DOH! (which he does not from now on).
BTW, upon going into his user, avast and ZoneAlarm did not load, the screen froze when I went into programs and I was forced to turn off the computer using the power button in the back. I have been in both users before to run scans and avast and ZoneAlarm always loaded properly. Now I am afraid even to go into their user accounts to remedy this! I am looking at the situation from mine to see the settings on them. Now that he has no access to my user, when he goes to another, there will be no firewall or real-time protection at all!


----------



## ~Candy~ (Jan 27, 2001)

I assume they are both too old for a good old fashioned spanking


----------



## xintrop (Dec 5, 2007)

Just a bit 
Am I to run SDfix now?


----------



## Cookiegal (Aug 27, 2003)

Please download Malwarebytes Anti-Malware from *Here* or *Here*

If you still have it from before, it's important that you update it and allow it to install version 1.26, as previous versions had a bug. Let me know if you can't do this, and don't run the program if it won't install the new version.

Double Click mbam-setup.exe to install the application.
Make sure a checkmark is placed next to *Update Malwarebytes' Anti-Malware* and *Launch Malwarebytes' Anti-Malware*, then click Finish.
If an update is found, it will download and install the latest version.
Once the program has loaded, select "*Perform Quick Scan*", then click *Scan*.
The scan may take some time to finish, so please be patient.
When the scan is complete, click OK, then Show Results to view the results.
Make sure that *everything is checked*, and click *Remove Selected*.
When disinfection is completed, a log will open in Notepad and you may be prompted to Restart. (See Extra Note)
The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
Copy and paste the entire report in your next reply along with a new HijackThis log please.

Extra Note:
*If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts. Click OK to either and let MBAM proceed with the disinfection process; if asked to restart the computer, please do so immediately.*


----------



## xintrop (Dec 5, 2007)

Malwarebytes' Anti-Malware 1.26
Database version: 1120
Windows 5.1.2600 Service Pack 2

9/6/2008 6:39:34 PM
mbam-log-2008-09-06 (18-39-34).txt

Scan type: Quick Scan
Objects scanned: 78817
Time elapsed: 32 minute(s), 8 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 3
Registry Keys Infected: 13
Registry Values Infected: 6
Registry Data Items Infected: 2
Folders Infected: 24
Files Infected: 35

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
C:\WINDOWS\system32\cumoqtsf.dll (Trojan.Vundo.H) -> Delete on reboot.
C:\WINDOWS\system32\jkkkKCSl.dll (Trojan.Vundo.H) -> Delete on reboot.
C:\WINDOWS\system32\xeptcs.dll (Trojan.Vundo.H) -> Delete on reboot.

Registry Keys Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{a71a286a-79a0-43f7-9391-c5b3bd5ad49a} (Trojan.Vundo.H) -> Delete on reboot.
HKEY_CLASSES_ROOT\CLSID\{a71a286a-79a0-43f7-9391-c5b3bd5ad49a} (Trojan.Vundo.H) -> Delete on reboot.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{b5aad995-e9c4-4802-a678-9e4c04aec8f7} (Trojan.Vundo.H) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{b5aad995-e9c4-4802-a678-9e4c04aec8f7} (Trojan.Vundo.H) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\rdfa (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MS Juan (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\contim (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\dslcnnct (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\IProxyProvider (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MS Track System (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\FCOVM (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\RemoveRP (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\aoprndtws (Trojan.Vundo) -> Quarantined and deleted successfully.

Registry Values Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\00c021a3 (Trojan.Vundo.H) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\smrhcvggj0e1c1 (Rogue.Multiple) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\bm03f3123f (Trojan.Agent) -> Delete on reboot.
HKEY_CURRENT_USER\Control Panel\Desktop\wallpaper (Hijack.Wallpaper) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\Control Panel\Desktop\originalwallpaper (Hijack.Wallpaper) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\Control Panel\Desktop\convertedwallpaper (Hijack.Wallpaper) -> Quarantined and deleted successfully.

Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\LSA\Notification Packages (Trojan.Vundo.H) -> Data: c:\windows\system32\jkkkkcsl -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\LSA\Authentication Packages (Trojan.Vundo.H) -> Data: c:\windows\system32\jkkkkcsl -> Delete on reboot.

Folders Infected:
C:\Program Files\rhcvggj0e1c1 (Rogue.Multiple) -> Quarantined and deleted successfully.
C:\Documents and Settings\Jared\Application Data\ShoppingReport (Adware.Shopping.Report) -> Quarantined and deleted successfully.
C:\Documents and Settings\Jared\Application Data\ShoppingReport\cs (Adware.Shopping.Report) -> Quarantined and deleted successfully.
C:\Documents and Settings\Jared\Application Data\ShoppingReport\cs\db (Adware.Shopping.Report) -> Quarantined and deleted successfully.
C:\Documents and Settings\Jared\Application Data\ShoppingReport\cs\dwld (Adware.Shopping.Report) -> Quarantined and deleted successfully.
C:\Documents and Settings\Jared\Application Data\ShoppingReport\cs\report (Adware.Shopping.Report) -> Quarantined and deleted successfully.
C:\Documents and Settings\Jared\Application Data\ShoppingReport\cs\res1 (Adware.Shopping.Report) -> Quarantined and deleted successfully.
C:\Documents and Settings\FlameHead\Application Data\ShoppingReport (Adware.Shopping.Report) -> Quarantined and deleted successfully.
C:\Documents and Settings\FlameHead\Application Data\ShoppingReport\cs (Adware.Shopping.Report) -> Quarantined and deleted successfully.
C:\Documents and Settings\FlameHead\Application Data\ShoppingReport\cs\db (Adware.Shopping.Report) -> Quarantined and deleted successfully.
C:\Documents and Settings\FlameHead\Application Data\ShoppingReport\cs\dwld (Adware.Shopping.Report) -> Quarantined and deleted successfully.
C:\Documents and Settings\FlameHead\Application Data\ShoppingReport\cs\report (Adware.Shopping.Report) -> Quarantined and deleted successfully.
C:\Documents and Settings\FlameHead\Application Data\ShoppingReport\cs\res2 (Adware.Shopping.Report) -> Quarantined and deleted successfully.
C:\Documents and Settings\Jared\Application Data\rhcvggj0e1c1 (Rogue.Multiple) -> Quarantined and deleted successfully.
C:\Documents and Settings\Jared\Application Data\rhcvggj0e1c1\Quarantine (Rogue.Multiple) -> Quarantined and deleted successfully.
C:\Documents and Settings\Jared\Application Data\rhcvggj0e1c1\Quarantine\Autorun (Rogue.Multiple) -> Quarantined and deleted successfully.
C:\Documents and Settings\Jared\Application Data\rhcvggj0e1c1\Quarantine\Autorun\HKCU (Rogue.Multiple) -> Quarantined and deleted successfully.
C:\Documents and Settings\Jared\Application Data\rhcvggj0e1c1\Quarantine\Autorun\HKCU\RunOnce (Rogue.Multiple) -> Quarantined and deleted successfully.
C:\Documents and Settings\Jared\Application Data\rhcvggj0e1c1\Quarantine\Autorun\HKLM (Rogue.Multiple) -> Quarantined and deleted successfully.
C:\Documents and Settings\Jared\Application Data\rhcvggj0e1c1\Quarantine\Autorun\HKLM\RunOnce (Rogue.Multiple) -> Quarantined and deleted successfully.
C:\Documents and Settings\Jared\Application Data\rhcvggj0e1c1\Quarantine\Autorun\StartMenuAllUsers (Rogue.Multiple) -> Quarantined and deleted successfully.
C:\Documents and Settings\Jared\Application Data\rhcvggj0e1c1\Quarantine\Autorun\StartMenuCurrentUser (Rogue.Multiple) -> Quarantined and deleted successfully.
C:\Documents and Settings\Jared\Application Data\rhcvggj0e1c1\Quarantine\BrowserObjects (Rogue.Multiple) -> Quarantined and deleted successfully.
C:\Documents and Settings\Jared\Application Data\rhcvggj0e1c1\Quarantine\Packages (Rogue.Multiple) -> Quarantined and deleted successfully.

Files Infected:
C:\WINDOWS\system32\jkkkKCSl.dll (Trojan.Vundo.H) -> Delete on reboot.
C:\WINDOWS\system32\lSCKkkkj.ini (Trojan.Vundo.H) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\lSCKkkkj.ini2 (Trojan.Vundo.H) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\xeptcs.dll (Trojan.Vundo.H) -> Delete on reboot.
C:\WINDOWS\system32\cumoqtsf.dll (Trojan.Vundo.H) -> Delete on reboot.
C:\WINDOWS\system32\fstqomuc.ini (Trojan.Vundo.H) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\estixnkh.dll (Trojan.Vundo.H) -> Quarantined and deleted successfully.
C:\Program Files\rhcvggj0e1c1\database.dat (Rogue.Multiple) -> Quarantined and deleted successfully.
C:\Program Files\rhcvggj0e1c1\license.txt (Rogue.Multiple) -> Quarantined and deleted successfully.
C:\Program Files\rhcvggj0e1c1\MFC71.dll (Rogue.Multiple) -> Quarantined and deleted successfully.
C:\Program Files\rhcvggj0e1c1\MFC71ENU.DLL (Rogue.Multiple) -> Quarantined and deleted successfully.
C:\Program Files\rhcvggj0e1c1\msvcp71.dll (Rogue.Multiple) -> Quarantined and deleted successfully.
C:\Program Files\rhcvggj0e1c1\msvcr71.dll (Rogue.Multiple) -> Quarantined and deleted successfully.
C:\Program Files\rhcvggj0e1c1\rhcvggj0e1c1.exe (Rogue.Multiple) -> Quarantined and deleted successfully.
C:\Program Files\rhcvggj0e1c1\rhcvggj0e1c1.exe.local (Rogue.Multiple) -> Quarantined and deleted successfully.
C:\Program Files\rhcvggj0e1c1\Uninstall.exe (Rogue.Multiple) -> Quarantined and deleted successfully.
C:\Documents and Settings\Jared\Application Data\ShoppingReport\cs\Config.xml (Adware.Shopping.Report) -> Quarantined and deleted successfully.
C:\Documents and Settings\Jared\Application Data\ShoppingReport\cs\db\Aliases.dbs (Adware.Shopping.Report) -> Quarantined and deleted successfully.
C:\Documents and Settings\Jared\Application Data\ShoppingReport\cs\db\Sites.dbs (Adware.Shopping.Report) -> Quarantined and deleted successfully.
C:\Documents and Settings\Jared\Application Data\ShoppingReport\cs\dwld\WhiteList.xip (Adware.Shopping.Report) -> Quarantined and deleted successfully.
C:\Documents and Settings\Jared\Application Data\ShoppingReport\cs\report\aggr_storage.xml (Adware.Shopping.Report) -> Quarantined and deleted successfully.
C:\Documents and Settings\Jared\Application Data\ShoppingReport\cs\report\send_storage.xml (Adware.Shopping.Report) -> Quarantined and deleted successfully.
C:\Documents and Settings\Jared\Application Data\ShoppingReport\cs\res1\WhiteList.dbs (Adware.Shopping.Report) -> Quarantined and deleted successfully.
C:\Documents and Settings\FlameHead\Application Data\ShoppingReport\cs\Config.xml (Adware.Shopping.Report) -> Quarantined and deleted successfully.
C:\Documents and Settings\FlameHead\Application Data\ShoppingReport\cs\db\Aliases.dbs (Adware.Shopping.Report) -> Quarantined and deleted successfully.
C:\Documents and Settings\FlameHead\Application Data\ShoppingReport\cs\db\Sites.dbs (Adware.Shopping.Report) -> Quarantined and deleted successfully.
C:\Documents and Settings\FlameHead\Application Data\ShoppingReport\cs\dwld\WhiteList.xip (Adware.Shopping.Report) -> Quarantined and deleted successfully.
C:\Documents and Settings\FlameHead\Application Data\ShoppingReport\cs\report\aggr_storage.xml (Adware.Shopping.Report) -> Quarantined and deleted successfully.
C:\Documents and Settings\FlameHead\Application Data\ShoppingReport\cs\report\send_storage.xml (Adware.Shopping.Report) -> Quarantined and deleted successfully.
C:\Documents and Settings\FlameHead\Application Data\ShoppingReport\cs\res2\WhiteList.dbs (Adware.Shopping.Report) -> Quarantined and deleted successfully.
C:\WINDOWS\cookies.ini (Malware.Trace) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\ankkavqx.dll (Trojan.Agent) -> Delete on reboot.
C:\WINDOWS\pskt.ini (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\BM03f3123f.xml (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\BM03f3123f.txt (Trojan.Vundo) -> Quarantined and deleted successfully.


----------



## xintrop (Dec 5, 2007)

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 6:45:51 PM, on 9/6/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINDOWS\System32\CTsvcCDA.EXE
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\system32\PnkBstrA.exe
C:\GBA\Spyware Doctor\sdhelp.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\devldr32.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Creative\ShareDLL\CtNotify.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Program Files\Creative\ShareDLL\MediaDet.Exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\System32\alg.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
C:\WINDOWS\System32\wbem\wmiprvse.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O2 - BHO: CCHelper Class - {0CF0B8EE-6596-11D5-A98E-0003470BB48E} - C:\Program Files\Panicware\Pop-Up Stopper\CCHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: PCTools Site Guard - {5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB} - C:\GBA\SPYWAR~1\tools\iesdsg.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_06\bin\ssv.dll
O3 - Toolbar: Pa&nicware Pop-Up Stopper - {7E82235C-F31E-46CB-AF9F-1ADD94C585FF} - C:\Program Files\Panicware\Pop-Up Stopper\pstopper.dll
O4 - HKLM\..\Run: [Disc Detector] C:\Program Files\Creative\ShareDLL\CtNotify.exe
O4 - HKLM\..\Run: [ISUSPM Startup] "C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe" -startup
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [NvCplDaemon] "RUNDLL32.EXE" C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [ZoneAlarm Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKCU\..\Run: [AdobeUpdater] C:\Program Files\Common Files\Adobe\Updater5\AdobeUpdater.exe
O4 - HKUS\S-1-5-18\..\Run: [Spyware Doctor] "C:\GBA\Spyware Doctor\swdoctor.exe" /Q (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [Spyware Doctor] "C:\GBA\Spyware Doctor\swdoctor.exe" /Q (User 'Default user')
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_06\bin\ssv.dll
O9 - Extra button: Spyware Doctor - {2D663D1A-8670-49D9-A1A5-4C56B4E14E84} - C:\GBA\SPYWAR~1\tools\iesdpb.dll
O9 - Extra button: ICQ Pro - {6224f700-cba3-4071-b251-47cb894244cd} - C:\PROGRA~1\ICQ\ICQ.exe
O9 - Extra 'Tools' menuitem: ICQ - {6224f700-cba3-4071-b251-47cb894244cd} - C:\PROGRA~1\ICQ\ICQ.exe
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: (no name) - {AFC3FA82-AD07-45cd-8B57-983435B9899E} - (no file)
O9 - Extra button: ICQ Lite - {B863453A-26C3-4e1f-A54D-A2CD196348E9} - C:\Program Files\ICQLite\ICQLite.exe (file missing)
O9 - Extra 'Tools' menuitem: ICQ Lite - {B863453A-26C3-4e1f-A54D-A2CD196348E9} - C:\Program Files\ICQLite\ICQLite.exe (file missing)
O9 - Extra button: Run IMVU - {d9288080-1baa-4bc4-9cf8-a92d743db949} - C:\Documents and Settings\Jude.JUDE-5PCD8SABXZ\Start Menu\Programs\IMVU\Run IMVU.lnk (file missing)
O9 - Extra button: ICQ6 - {E59EB121-F339-4851-A3BA-FE49C35617C2} - C:\Program Files\ICQ6\ICQ.exe
O9 - Extra 'Tools' menuitem: ICQ6 - {E59EB121-F339-4851-A3BA-FE49C35617C2} - C:\Program Files\ICQ6\ICQ.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: ActiveGS.cab - http://www.virtualapple.org/activegs.cab
O16 - DPF: {05CA9FB0-3E3E-4B36-BF41-0E3A5CAA8CD8} (Office Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=67633
O16 - DPF: {1239CC52-59EF-4DFA-8C61-90FFA846DF7E} (Musicnotes Viewer) - http://www.musicnotes.com/download/mnviewer.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?LinkID=39204
O16 - DPF: {39B0684F-D7BF-4743-B050-FDC3F48F7E3B} (FilePlanet Download Control Class) - http://www.fileplanet.com/fpdlmgr/cabs/FPDC_1_0_0_41.cab
O16 - DPF: {3DCEC959-378A-4922-AD7E-FD5C925D927F} (Disney Online Games ActiveX Control) - http://disney.go.com/pirates/online/testActiveX/built/signed/DisneyOnlineGames.cab
O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akamai.net/7/1540/52...pple.com/mickey/us/win/QuickTimeInstaller.exe
O16 - DPF: {5F5F9FB8-878E-4455-95E0-F64B2314288A} (ijjiPlugin2 Class) - http://gamedownload.ijjimax.com/gamedownload/dist/hgstart/HGPlugin11USA.cab
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab
O16 - DPF: {67DABFBF-D0AB-41FA-9C46-CC0F21721616} (DivXBrowserPlugin Object) - http://download.divx.com/player/DivXBrowserPlugin.cab?s6
O16 - DPF: {69EF49E5-FE46-4B92-B5FA-2193AB7A6B8A} (GameLauncher Control) - http://www.acclaim.com/cabs/acclaim_v4.cab
O16 - DPF: {70BA88C8-DAE8-4CE9-92BB-979C4A75F53B} - http://launch.gamespyarcade.com/software/launch/alaunch.cab
O16 - DPF: {77E32299-629F-43C6-AB77-6A1E6D7663F6} (Groove Control) - http://tv.disney.go.com/global/download/otoy/OTOYAX29b.cab
O16 - DPF: {7B41B7AC-3496-4C13-A70F-DE6B60A6A8A8} (MGAME manager Class) - http://www.legendofares.com/download/mgusamanagerv1001.cab
O16 - DPF: {CC05BC12-2AA2-4AC7-AC81-0E40F83B1ADF} (Live365Player Class) - http://www.live365.com/players/play365.cab
O16 - DPF: {CD995117-98E5-4169-9920-6C12D4C0B548} (HGPlugin9USA Class) - http://gamedownload.ijjimax.com/gamedownload/dist/hgstart/HGPlugin9USA.cab
O16 - DPF: {D8089245-3211-40F6-819B-9E5E92CD61A2} (FlashXControl Object) - https://jackpotcity.microgaming.com/jackpotcity/FlashAX.cab
O16 - DPF: {DB7BF79A-FC51-4B5A-92BC-A65731174380} (InstantAction Game Launcher) - http://www.instantaction.com/download/iaplayer.cab
O20 - AppInit_DLLs: xeptcs.dll
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\System32\CTsvcCDA.EXE
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: PnkBstrA - Unknown owner - C:\WINDOWS\system32\PnkBstrA.exe
O23 - Service: PC Tools Spyware Doctor (SDhelper) - PC Tools Research Pty Ltd - C:\GBA\Spyware Doctor\sdhelp.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe
O24 - Desktop Component 0: (no name) - http://tn3-1.deviantart.com/fs5/300W/i/2004/276/6/c/Naruto_vs_Sasuke_by_martegodpopo.jpg
O24 - Desktop Component 1: (no name) - http://artimpressive.com/wp-content/uploads/2007/07/379858.jpg
O24 - Desktop Component 2: (no name) - http://charas-project.net/resources/Titles/6579_1171637130_small.png
O24 - Desktop Component 3: (no name) - http://upload.wikimedia.org/wikipedia/en/f/f3/SSBB_Cover.jpg
O24 - Desktop Component 4: (no name) - http://i177.photobucket.com/albums/w222/ss021447/kirby_bg.jpg
O24 - Desktop Component 5: (no name) - http://i185.photobucket.com/albums/x275/kakairu14/naruto/narutoshippuudenepisodewallpaper.jpg
O24 - Desktop Component 6: (no name) - http://images.elfwood.com/fanq/s/p/spitaelsd2/redeyesblackdragon.jpg

--
End of file - 9947 bytes


----------



## xintrop (Dec 5, 2007)

The "Red Shield" was for Automatic Updates, which I finally got to work using Microsoft help. Now that I have it running again it is gone from my taskbar. All those copy-cat "RED SHIELDS" had me paranoid from past experience.


----------



## Cookiegal (Aug 27, 2003)

Now please run ComboFix again and post the new log.


----------



## xintrop (Dec 5, 2007)

ComboFix 08-09-04.09 - Jude 2008-09-06 21:05:32.11 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.604 [GMT -4:00]
Running from: C:\Documents and Settings\Jude.JUDE-5PCD8SABXZ\Desktop\ComboFix.exe
.

((((((((((((((((((((((((( Files Created from 2008-08-07 to 2008-09-07 )))))))))))))))))))))))))))))))
.

2008-09-06 20:00 . 2008-09-06 20:00 d--------	C:\WINDOWS\LastGood
2008-09-06 16:14 . 2008-09-06 16:14 d--------	C:\New Folder (2)
2008-09-03 19:27 . 2008-09-03 19:40 d--------	C:\Program Files\One Piece Online
2008-08-29 04:26 . 2008-08-29 04:26 d--------	C:\Program Files\Apprentice
2008-08-28 02:01 . 2005-05-26 15:34	2,297,552	--a------	C:\WINDOWS\system32\d3dx9_26.dll
2008-08-28 02:00 . 2008-08-28 02:00 d--------	C:\temp\MTGOInstall
2008-08-28 01:52 . 2008-08-28 02:02 d--------	C:\Documents and Settings\Jude.JUDE-5PCD8SABXZ\Application Data\Wizards of the Coast
2008-08-28 01:50 . 2008-08-28 01:50 d--------	C:\Documents and Settings\Jude.JUDE-5PCD8SABXZ\Application Data\InstallShield
2008-08-25 17:18 . 2008-08-25 17:18 d--------	C:\Documents and Settings\Jude.JUDE-5PCD8SABXZ\.frugoo_file_store_32
2008-08-23 14:08 . 2008-08-23 14:09 d--------	C:\Program Files\Kaiba Corp VDS
2008-08-20 11:36 . 2008-08-20 11:44 d--------	C:\Documents and Settings\Jude.JUDE-5PCD8SABXZ\.SunDownloadManager
2008-08-19 18:40 . 2008-08-19 18:40 d--------	C:\Program Files\American Systems
2008-08-19 18:40 . 2008-07-01 13:24	302,184	--a------	C:\WINDOWS\amuninst.exe
2008-08-19 18:40 . 2008-08-19 18:40	555	--a------	C:\WINDOWS\unezmac.ini
2008-08-19 18:40 . 2008-08-19 18:40	36	--a------	C:\WINDOWS\ezmacros.INI
2008-08-17 20:00 . 2008-09-02 00:16	38,528	--a------	C:\WINDOWS\system32\drivers\mbamswissarmy.sys
2008-08-17 20:00 . 2008-09-02 00:16	17,200	--a------	C:\WINDOWS\system32\drivers\mbam.sys
2008-08-13 21:39 . 2008-05-01 10:30	331,776	-----c---	C:\WINDOWS\system32\dllcache\msadce.dll

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-09-07 01:00	---------	d-----w	C:\Documents and Settings\Jude.JUDE-5PCD8SABXZ\Application Data\mIRC
2008-09-07 00:05	---------	d-----w	C:\Program Files\mIRC
2008-09-06 21:52	---------	d-----w	C:\Program Files\Malwarebytes' Anti-Malware
2008-09-06 16:44	---------	d-----w	C:\Program Files\LimeWire
2008-09-06 16:44	---------	d-----w	C:\Program Files\Hamachi
2008-09-06 07:19	1,838	--sha-w	C:\WINDOWS\system32\KGyGaAvL.sys
2008-09-06 06:04	---------	d-----w	C:\Documents and Settings\Jude.JUDE-5PCD8SABXZ\Application Data\Hamachi
2008-08-28 05:50	---------	d--h--w	C:\Program Files\InstallShield Installation Information
2008-08-28 05:50	---------	d-----w	C:\Program Files\Wizards of the Coast
2008-08-28 00:12	---------	d-----w	C:\Program Files\iHabbix Ltd
2008-08-23 19:20	25,280	----a-w	C:\WINDOWS\system32\drivers\hamachi.sys
2008-08-20 05:57	---------	d-----w	C:\Program Files\Cartoon Network
2008-07-26 08:39	0	----a-w	C:\Documents and Settings\Jude.JUDE-5PCD8SABXZ\jagex_runescape_preferences.dat
2008-07-23 04:22	---------	d-----w	C:\Documents and Settings\Jude.JUDE-5PCD8SABXZ\Application Data\zweitgeist
2008-07-21 18:56	88	--sh--r	C:\Documents and Settings\All Users.WINDOWS\Application Data\0B328F544C.sys
2008-07-21 18:56	1,734	--sha-w	C:\Documents and Settings\All Users.WINDOWS\Application Data\KGyGaAvL.sys
2008-07-20 19:36	---------	d-----w	C:\Program Files\YVD
2008-07-20 19:32	---------	d-----w	C:\Program Files\PlaneShift Steel Blue
2008-07-20 19:18	---------	d-----w	C:\Program Files\HaCKeR
2008-07-20 16:23	---------	d---a-w	C:\Documents and Settings\All Users.WINDOWS\Application Data\TEMP
2008-07-20 16:18	---------	d-----w	C:\Program Files\SpywareBlaster
2008-07-20 15:49	---------	d-----w	C:\Program Files\NCH Swift Sound
2008-07-20 15:13	---------	d-----w	C:\Program Files\BitTorrent
2008-07-20 13:25	---------	d-----w	C:\Program Files\SUPERAntiSpyware
2008-07-20 13:25	---------	d-----w	C:\Documents and Settings\Jude.JUDE-5PCD8SABXZ\Application Data\SUPERAntiSpyware.com
2008-07-19 02:10	94,920	----a-w	C:\WINDOWS\system32\cdm.dll
2008-07-19 02:10	53,448	----a-w	C:\WINDOWS\system32\wuauclt.exe
2008-07-19 02:10	45,768	----a-w	C:\WINDOWS\system32\wups2.dll
2008-07-19 02:10	36,552	----a-w	C:\WINDOWS\system32\wups.dll
2008-07-19 02:09	563,912	----a-w	C:\WINDOWS\system32\wuapi.dll
2008-07-19 02:09	325,832	----a-w	C:\WINDOWS\system32\wucltui.dll
2008-07-19 02:09	205,000	----a-w	C:\WINDOWS\system32\wuweb.dll
2008-07-19 02:09	1,811,656	----a-w	C:\WINDOWS\system32\wuaueng.dll
2008-07-17 17:36	---------	d-----w	C:\Documents and Settings\Jude.JUDE-5PCD8SABXZ\Application Data\BYOND
2008-07-15 19:49	---------	d-----w	C:\Documents and Settings\Jude.JUDE-5PCD8SABXZ\Application Data\PowerChallenge
2008-07-14 12:06	---------	d-----w	C:\Documents and Settings\Jude.JUDE-5PCD8SABXZ\Application Data\Character Creator
2008-07-12 21:18	---------	d-----w	C:\Program Files\ICQ6
2008-07-12 21:18	---------	d-----w	C:\Documents and Settings\Jude.JUDE-5PCD8SABXZ\Application Data\ICQ
2008-07-10 03:47	---------	d-----w	C:\Program Files\Microsoft Games
2008-07-09 06:58	72,192	----a-w	C:\WINDOWS\cadkasdeinst01e.exe
2008-07-07 20:32	253,952	----a-w	C:\WINDOWS\system32\es.dll
2008-07-07 07:45	73,216	----a-w	C:\WINDOWS\ST6UNST.EXE
2008-07-07 07:45	286,720	------w	C:\WINDOWS\Setup1.exe
2008-07-04 15:26	30,814,311	----a-w	C:\WINDOWS\Internet Logs\tvDebug.zip
2008-06-27 16:59	434,688	----a-w	C:\WINDOWS\system32\ss2uinst.exe
2008-06-24 16:23	74,240	----a-w	C:\WINDOWS\system32\mscms.dll
2008-06-23 16:12	667,136	----a-w	C:\WINDOWS\system32\wininet.dll
2008-06-20 17:41	245,248	----a-w	C:\WINDOWS\system32\mswsock.dll
2008-03-12 19:07	6,605	----a-w	C:\Program Files\INSTALL.LOG
2007-07-18 23:06	9	-c--a-w	C:\Program Files\install_log.dat
2006-01-10 22:25	32	-c--a-r	C:\Documents and Settings\All Users\hash.dat
2005-08-27 01:11	4	----a-w	C:\Program Files\Common Files\Cvtaqlog.dat
2005-02-02 07:30	487,424	----a-w	C:\Documents and Settings\Jude.JUDE-5PCD8SABXZ\chatlnk.exe
2008-04-24 18:31	56	--sh--r	C:\WINDOWS\system32\00EA860D08.sys
.

((((((((((((((((((((((((((((( [email protected]_20.06.35.98 )))))))))))))))))))))))))))))))))))))))))
.
- 2007-10-11 19:12:48	1,468,968	----a-w	C:\WINDOWS\system32\LegitCheckControl.dll
+ 2008-03-20 22:06:36	1,480,232	----a-w	C:\WINDOWS\system32\LegitCheckControl.dll
+ 2008-09-06 22:42:25	16,384	----atw	C:\WINDOWS\Temp\Perflib_Perfdata_3d4.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown 
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"AdobeUpdater"="C:\Program Files\Common Files\Adobe\Updater5\AdobeUpdater.exe" [2007-03-01 2321600]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Disc Detector"="C:\Program Files\Creative\ShareDLL\CtNotify.exe" [2001-08-01 191488]
"ISUSPM Startup"="C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe" [2004-06-16 221184]
"avast!"="C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe" [2007-12-04 79224]
"NvCplDaemon"="C:\WINDOWS\system32\NvCpl.dll" [2003-10-06 5058560]
"ZoneAlarm Client"="C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe" [2007-03-09 919280]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2008-05-27 413696]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"Spyware Doctor"="C:\GBA\Spyware Doctor\swdoctor.exe" [2005-12-13 1976544]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"appinit_dlls"=xeptcs.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"msacm.ctmp3"= C:\WINDOWS\System32\ctmp3.acm
"aux"= ctwdm32.dll
"vidc.ir32"= C:\WINDOWS\system32\ir32_32.dll
"vidc.ir31"= C:\WINDOWS\system32\ir32_32.dll

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders]
SecurityProviders	msapsspc.dllschannel.dlldigest.dllmsnsspc.dll

[HKLM\~\startupfolder\C:^Documents and Settings^All Users.WINDOWS^Start Menu^Programs^Startup^Google Updater.lnk]
path=C:\Documents and Settings\All Users.WINDOWS\Start Menu\Programs\Startup\Google Updater.lnk
backup=C:\WINDOWS\pss\Google Updater.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users.WINDOWS^Start Menu^Programs^Startup^Microsoft Find Fast.lnk]
path=C:\Documents and Settings\All Users.WINDOWS\Start Menu\Programs\Startup\Microsoft Find Fast.lnk
backup=C:\WINDOWS\pss\Microsoft Find Fast.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users.WINDOWS^Start Menu^Programs^Startup^Office Startup.lnk]
path=C:\Documents and Settings\All Users.WINDOWS\Start Menu\Programs\Startup\Office Startup.lnk
backup=C:\WINDOWS\pss\Office Startup.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users.WINDOWS^Start Menu^Programs^Startup^Photo Loader supervisory.lnk]
path=C:\Documents and Settings\All Users.WINDOWS\Start Menu\Programs\Startup\Photo Loader supervisory.lnk
backup=C:\WINDOWS\pss\Photo Loader supervisory.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users.WINDOWS^Start Menu^Programs^Startup^ShortKeys 2.lnk]
path=C:\Documents and Settings\All Users.WINDOWS\Start Menu\Programs\Startup\ShortKeys 2.lnk
backup=C:\WINDOWS\pss\ShortKeys 2.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^Jude.JUDE-5PCD8SABXZ^Start Menu^Programs^Startup^GameSpot Download Manager.lnk]
path=C:\Documents and Settings\Jude.JUDE-5PCD8SABXZ\Start Menu\Programs\Startup\GameSpot Download Manager.lnk
backup=C:\WINDOWS\pss\GameSpot Download Manager.lnkStartup

[HKLM\~\startupfolder\C:^Documents and Settings^Jude.JUDE-5PCD8SABXZ^Start Menu^Programs^Startup^hamachi.lnk]
path=C:\Documents and Settings\Jude.JUDE-5PCD8SABXZ\Start Menu\Programs\Startup\hamachi.lnk
backup=C:\WINDOWS\pss\hamachi.lnkStartup

[HKLM\~\startupfolder\C:^Documents and Settings^Jude.JUDE-5PCD8SABXZ^Start Menu^Programs^Startup^IMVU.lnk]
path=C:\Documents and Settings\Jude.JUDE-5PCD8SABXZ\Start Menu\Programs\Startup\IMVU.lnk
backup=C:\WINDOWS\pss\IMVU.lnkStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]
--a------ 2008-01-11 22:16 39792 C:\Program Files\Adobe\Reader 8.0\Reader\reader_sl.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AdobeUpdater]
-ra------ 2007-03-01 10:37 2321600 C:\Program Files\Common Files\Adobe\Updater5\AdobeUpdater.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ICQ]
--a------ 2008-05-18 12:30 172280 C:\Program Files\ICQ6\ICQ.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ISUSScheduler]
--a------ 2004-06-16 06:03 81920 C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
--a------ 2007-11-15 14:11 267048 C:\Program Files\iTunes\iTunesHelper.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroCheck]
--a------ 2001-07-09 05:50 155648 C:\WINDOWS\system32\NeroCheck.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
--a------ 2008-05-27 10:50 413696 C:\Program Files\QuickTime\QTTask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
--a------ 2008-03-25 04:28 144784 C:\Program Files\Java\jre1.6.0_06\bin\jusched.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\nwiz]
--a------ 2003-10-06 15:16 741376 C:\WINDOWS\system32\nwiz.exe

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\ZoneLabsFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"C:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"C:\\Program Files\\ICQ6\\ICQ.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"90:TCP"= 90:TCP:Kinger's Hotel

S3 dump_wmimmc;dump_wmimmc;C:\AAAAAA\ENGLISH\Gunbound Revolution\GameGuard\dump_wmimmc.sys [ ]
.
Contents of the 'Scheduled Tasks' folder
.
.
------- Supplementary Scan -------
.
FireFox -: Profile - C:\Documents and Settings\Jude.JUDE-5PCD8SABXZ\Application Data\Mozilla\Firefox\Profiles\Dad\
FireFox -: prefs.js - STARTUP.HOMEPAGE - hxxp://www.aesoponline.com/login.asp
.

**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-09-06 21:11:33
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

HKLM\Software\Microsoft\Windows\CurrentVersion\Run
Disc Detector = C:\Program Files\Creative\ShareDLL\CtNotify.exe?X???????????????? C?????Disc Detector?B???A???????A?? [email protected][email protected]?? [email protected][email protected][email protected][email protected][email protected]?? [email protected]???????????????????B?????L????????????????????`????????B

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2008-09-06 21:29:44
ComboFix-quarantined-files.txt 2008-09-07 01:29:38
ComboFix2.txt 2008-09-06 00:07:31
ComboFix3.txt 2008-08-16 15:06:35

Pre-Run: 25,824,251,904 bytes free
Post-Run: 25,963,237,376 bytes free

193	--- E O F ---	2008-08-19 02:36:57


----------



## xintrop (Dec 5, 2007)

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 9:30:38 PM, on 9/6/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINDOWS\System32\CTsvcCDA.EXE
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\system32\PnkBstrA.exe
C:\GBA\Spyware Doctor\sdhelp.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\devldr32.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\Program Files\Creative\ShareDLL\CtNotify.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Program Files\Creative\ShareDLL\MediaDet.Exe
C:\WINDOWS\System32\alg.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\system32\notepad.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
C:\WINDOWS\System32\wbem\wmiprvse.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O2 - BHO: CCHelper Class - {0CF0B8EE-6596-11D5-A98E-0003470BB48E} - C:\Program Files\Panicware\Pop-Up Stopper\CCHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: PCTools Site Guard - {5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB} - C:\GBA\SPYWAR~1\tools\iesdsg.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_06\bin\ssv.dll
O3 - Toolbar: Pa&nicware Pop-Up Stopper - {7E82235C-F31E-46CB-AF9F-1ADD94C585FF} - C:\Program Files\Panicware\Pop-Up Stopper\pstopper.dll
O4 - HKLM\..\Run: [Disc Detector] C:\Program Files\Creative\ShareDLL\CtNotify.exe
O4 - HKLM\..\Run: [ISUSPM Startup] "C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe" -startup
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [NvCplDaemon] "RUNDLL32.EXE" C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [ZoneAlarm Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKCU\..\Run: [AdobeUpdater] C:\Program Files\Common Files\Adobe\Updater5\AdobeUpdater.exe
O4 - HKUS\S-1-5-18\..\Run: [Spyware Doctor] "C:\GBA\Spyware Doctor\swdoctor.exe" /Q (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [Spyware Doctor] "C:\GBA\Spyware Doctor\swdoctor.exe" /Q (User 'Default user')
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_06\bin\ssv.dll
O9 - Extra button: Spyware Doctor - {2D663D1A-8670-49D9-A1A5-4C56B4E14E84} - C:\GBA\SPYWAR~1\tools\iesdpb.dll
O9 - Extra button: ICQ Pro - {6224f700-cba3-4071-b251-47cb894244cd} - C:\PROGRA~1\ICQ\ICQ.exe
O9 - Extra 'Tools' menuitem: ICQ - {6224f700-cba3-4071-b251-47cb894244cd} - C:\PROGRA~1\ICQ\ICQ.exe
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: (no name) - {AFC3FA82-AD07-45cd-8B57-983435B9899E} - (no file)
O9 - Extra button: ICQ Lite - {B863453A-26C3-4e1f-A54D-A2CD196348E9} - C:\Program Files\ICQLite\ICQLite.exe (file missing)
O9 - Extra 'Tools' menuitem: ICQ Lite - {B863453A-26C3-4e1f-A54D-A2CD196348E9} - C:\Program Files\ICQLite\ICQLite.exe (file missing)
O9 - Extra button: Run IMVU - {d9288080-1baa-4bc4-9cf8-a92d743db949} - C:\Documents and Settings\Jude.JUDE-5PCD8SABXZ\Start Menu\Programs\IMVU\Run IMVU.lnk (file missing)
O9 - Extra button: ICQ6 - {E59EB121-F339-4851-A3BA-FE49C35617C2} - C:\Program Files\ICQ6\ICQ.exe
O9 - Extra 'Tools' menuitem: ICQ6 - {E59EB121-F339-4851-A3BA-FE49C35617C2} - C:\Program Files\ICQ6\ICQ.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: ActiveGS.cab - http://www.virtualapple.org/activegs.cab
O16 - DPF: {05CA9FB0-3E3E-4B36-BF41-0E3A5CAA8CD8} (Office Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=67633
O16 - DPF: {1239CC52-59EF-4DFA-8C61-90FFA846DF7E} (Musicnotes Viewer) - http://www.musicnotes.com/download/mnviewer.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?LinkID=39204
O16 - DPF: {39B0684F-D7BF-4743-B050-FDC3F48F7E3B} (FilePlanet Download Control Class) - http://www.fileplanet.com/fpdlmgr/cabs/FPDC_1_0_0_41.cab
O16 - DPF: {3DCEC959-378A-4922-AD7E-FD5C925D927F} (Disney Online Games ActiveX Control) - http://disney.go.com/pirates/online/testActiveX/built/signed/DisneyOnlineGames.cab
O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akamai.net/7/1540/52...pple.com/mickey/us/win/QuickTimeInstaller.exe
O16 - DPF: {5F5F9FB8-878E-4455-95E0-F64B2314288A} (ijjiPlugin2 Class) - http://gamedownload.ijjimax.com/gamedownload/dist/hgstart/HGPlugin11USA.cab
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab
O16 - DPF: {67DABFBF-D0AB-41FA-9C46-CC0F21721616} (DivXBrowserPlugin Object) - http://download.divx.com/player/DivXBrowserPlugin.cab?s6
O16 - DPF: {69EF49E5-FE46-4B92-B5FA-2193AB7A6B8A} (GameLauncher Control) - http://www.acclaim.com/cabs/acclaim_v4.cab
O16 - DPF: {70BA88C8-DAE8-4CE9-92BB-979C4A75F53B} - http://launch.gamespyarcade.com/software/launch/alaunch.cab
O16 - DPF: {77E32299-629F-43C6-AB77-6A1E6D7663F6} (Groove Control) - http://tv.disney.go.com/global/download/otoy/OTOYAX29b.cab
O16 - DPF: {7B41B7AC-3496-4C13-A70F-DE6B60A6A8A8} (MGAME manager Class) - http://www.legendofares.com/download/mgusamanagerv1001.cab
O16 - DPF: {CC05BC12-2AA2-4AC7-AC81-0E40F83B1ADF} (Live365Player Class) - http://www.live365.com/players/play365.cab
O16 - DPF: {CD995117-98E5-4169-9920-6C12D4C0B548} (HGPlugin9USA Class) - http://gamedownload.ijjimax.com/gamedownload/dist/hgstart/HGPlugin9USA.cab
O16 - DPF: {D8089245-3211-40F6-819B-9E5E92CD61A2} (FlashXControl Object) - https://jackpotcity.microgaming.com/jackpotcity/FlashAX.cab
O16 - DPF: {DB7BF79A-FC51-4B5A-92BC-A65731174380} (InstantAction Game Launcher) - http://www.instantaction.com/download/iaplayer.cab
O20 - AppInit_DLLs: xeptcs.dll
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\System32\CTsvcCDA.EXE
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: PnkBstrA - Unknown owner - C:\WINDOWS\system32\PnkBstrA.exe
O23 - Service: PC Tools Spyware Doctor (SDhelper) - PC Tools Research Pty Ltd - C:\GBA\Spyware Doctor\sdhelp.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe
O24 - Desktop Component 0: (no name) - http://tn3-1.deviantart.com/fs5/300W/i/2004/276/6/c/Naruto_vs_Sasuke_by_martegodpopo.jpg
O24 - Desktop Component 1: (no name) - http://artimpressive.com/wp-content/uploads/2007/07/379858.jpg
O24 - Desktop Component 2: (no name) - http://charas-project.net/resources/Titles/6579_1171637130_small.png
O24 - Desktop Component 3: (no name) - http://upload.wikimedia.org/wikipedia/en/f/f3/SSBB_Cover.jpg
O24 - Desktop Component 4: (no name) - http://i177.photobucket.com/albums/w222/ss021447/kirby_bg.jpg
O24 - Desktop Component 5: (no name) - http://i185.photobucket.com/albums/x275/kakairu14/naruto/narutoshippuudenepisodewallpaper.jpg
O24 - Desktop Component 6: (no name) - http://images.elfwood.com/fanq/s/p/spitaelsd2/redeyesblackdragon.jpg

--
End of file - 9917 bytes


----------



## Cookiegal (Aug 27, 2003)

Can you tell me what this is?

*C:\Program Files\HaCKeR*

Open Notepad and copy and paste the text in the code box below into it:


```
Registry::
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
"AppInit_DLLs"=""
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders]
"SecurityProviders"="msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll"
```
Save the file to your desktop and name it CFScript.txt

Then drag the CFScript.txt into the ComboFix.exe as shown in the screenshot below.

This will start ComboFix again. It may ask to reboot. Post the contents of Combofix.txt in your next reply together with a new HijackThis log.

*Note: These instructions and script were created specifically for this user. If you are not this user, do NOT follow these instructions or use this script as it could damage the workings of your system.*


----------



## xintrop (Dec 5, 2007)

"Can you tell me what this is?
C:\Program Files\HaCKeR"

No, I can't. Asking my son: "Probably some stupid thing that didn't work."

I would like to get rid of it, whatever it is.


----------



## xintrop (Dec 5, 2007)

ComboFix 08-09-04.09 - Jude 2008-09-07 15:04:27.12 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.680 [GMT -4:00]
Running from: C:\Documents and Settings\Jude.JUDE-5PCD8SABXZ\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\Jude.JUDE-5PCD8SABXZ\Desktop\CFScript.txt
* Created a new restore point
.

((((((((((((((((((((((((( Files Created from 2008-08-07 to 2008-09-07 )))))))))))))))))))))))))))))))
.

2008-09-06 16:14 . 2008-09-06 16:14 d--------	C:\New Folder (2)
2008-09-03 19:27 . 2008-09-03 19:40 d--------	C:\Program Files\One Piece Online
2008-08-29 04:26 . 2008-08-29 04:26 d--------	C:\Program Files\Apprentice
2008-08-28 02:01 . 2005-05-26 15:34	2,297,552	--a------	C:\WINDOWS\system32\d3dx9_26.dll
2008-08-28 02:00 . 2008-08-28 02:00 d--------	C:\temp\MTGOInstall
2008-08-28 01:52 . 2008-08-28 02:02 d--------	C:\Documents and Settings\Jude.JUDE-5PCD8SABXZ\Application Data\Wizards of the Coast
2008-08-28 01:50 . 2008-08-28 01:50 d--------	C:\Documents and Settings\Jude.JUDE-5PCD8SABXZ\Application Data\InstallShield
2008-08-25 17:18 . 2008-08-25 17:18 d--------	C:\Documents and Settings\Jude.JUDE-5PCD8SABXZ\.frugoo_file_store_32
2008-08-23 14:08 . 2008-08-23 14:09 d--------	C:\Program Files\Kaiba Corp VDS
2008-08-20 11:36 . 2008-08-20 11:44 d--------	C:\Documents and Settings\Jude.JUDE-5PCD8SABXZ\.SunDownloadManager
2008-08-19 18:40 . 2008-08-19 18:40 d--------	C:\Program Files\American Systems
2008-08-19 18:40 . 2008-07-01 13:24	302,184	--a------	C:\WINDOWS\amuninst.exe
2008-08-19 18:40 . 2008-08-19 18:40	555	--a------	C:\WINDOWS\unezmac.ini
2008-08-19 18:40 . 2008-08-19 18:40	36	--a------	C:\WINDOWS\ezmacros.INI
2008-08-17 20:00 . 2008-09-02 00:16	38,528	--a------	C:\WINDOWS\system32\drivers\mbamswissarmy.sys
2008-08-17 20:00 . 2008-09-02 00:16	17,200	--a------	C:\WINDOWS\system32\drivers\mbam.sys
2008-08-13 21:39 . 2008-05-01 10:30	331,776	-----c---	C:\WINDOWS\system32\dllcache\msadce.dll

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-09-07 18:59	---------	d-----w	C:\Documents and Settings\Jude.JUDE-5PCD8SABXZ\Application Data\mIRC
2008-09-07 17:32	---------	d-----w	C:\Program Files\mIRC
2008-09-06 21:52	---------	d-----w	C:\Program Files\Malwarebytes' Anti-Malware
2008-09-06 16:44	---------	d-----w	C:\Program Files\LimeWire
2008-09-06 16:44	---------	d-----w	C:\Program Files\Hamachi
2008-09-06 07:19	1,838	--sha-w	C:\WINDOWS\system32\KGyGaAvL.sys
2008-09-06 06:04	---------	d-----w	C:\Documents and Settings\Jude.JUDE-5PCD8SABXZ\Application Data\Hamachi
2008-08-28 05:50	---------	d--h--w	C:\Program Files\InstallShield Installation Information
2008-08-28 05:50	---------	d-----w	C:\Program Files\Wizards of the Coast
2008-08-28 00:12	---------	d-----w	C:\Program Files\iHabbix Ltd
2008-08-23 19:20	25,280	----a-w	C:\WINDOWS\system32\drivers\hamachi.sys
2008-08-20 05:57	---------	d-----w	C:\Program Files\Cartoon Network
2008-07-26 08:39	0	----a-w	C:\Documents and Settings\Jude.JUDE-5PCD8SABXZ\jagex_runescape_preferences.dat
2008-07-23 04:22	---------	d-----w	C:\Documents and Settings\Jude.JUDE-5PCD8SABXZ\Application Data\zweitgeist
2008-07-21 18:56	88	--sh--r	C:\Documents and Settings\All Users.WINDOWS\Application Data\0B328F544C.sys
2008-07-21 18:56	1,734	--sha-w	C:\Documents and Settings\All Users.WINDOWS\Application Data\KGyGaAvL.sys
2008-07-20 19:36	---------	d-----w	C:\Program Files\YVD
2008-07-20 19:32	---------	d-----w	C:\Program Files\PlaneShift Steel Blue
2008-07-20 19:18	---------	d-----w	C:\Program Files\HaCKeR
2008-07-20 16:23	---------	d---a-w	C:\Documents and Settings\All Users.WINDOWS\Application Data\TEMP
2008-07-20 16:18	---------	d-----w	C:\Program Files\SpywareBlaster
2008-07-20 15:49	---------	d-----w	C:\Program Files\NCH Swift Sound
2008-07-20 15:13	---------	d-----w	C:\Program Files\BitTorrent
2008-07-20 13:25	---------	d-----w	C:\Program Files\SUPERAntiSpyware
2008-07-20 13:25	---------	d-----w	C:\Documents and Settings\Jude.JUDE-5PCD8SABXZ\Application Data\SUPERAntiSpyware.com
2008-07-19 02:10	94,920	----a-w	C:\WINDOWS\system32\cdm.dll
2008-07-19 02:10	53,448	----a-w	C:\WINDOWS\system32\wuauclt.exe
2008-07-19 02:10	45,768	----a-w	C:\WINDOWS\system32\wups2.dll
2008-07-19 02:10	36,552	----a-w	C:\WINDOWS\system32\wups.dll
2008-07-19 02:09	563,912	----a-w	C:\WINDOWS\system32\wuapi.dll
2008-07-19 02:09	325,832	----a-w	C:\WINDOWS\system32\wucltui.dll
2008-07-19 02:09	205,000	----a-w	C:\WINDOWS\system32\wuweb.dll
2008-07-19 02:09	1,811,656	----a-w	C:\WINDOWS\system32\wuaueng.dll
2008-07-17 17:36	---------	d-----w	C:\Documents and Settings\Jude.JUDE-5PCD8SABXZ\Application Data\BYOND
2008-07-15 19:49	---------	d-----w	C:\Documents and Settings\Jude.JUDE-5PCD8SABXZ\Application Data\PowerChallenge
2008-07-14 12:06	---------	d-----w	C:\Documents and Settings\Jude.JUDE-5PCD8SABXZ\Application Data\Character Creator
2008-07-12 21:18	---------	d-----w	C:\Program Files\ICQ6
2008-07-12 21:18	---------	d-----w	C:\Documents and Settings\Jude.JUDE-5PCD8SABXZ\Application Data\ICQ
2008-07-10 03:47	---------	d-----w	C:\Program Files\Microsoft Games
2008-07-09 06:58	72,192	----a-w	C:\WINDOWS\cadkasdeinst01e.exe
2008-07-07 20:32	253,952	----a-w	C:\WINDOWS\system32\es.dll
2008-07-07 07:45	73,216	----a-w	C:\WINDOWS\ST6UNST.EXE
2008-07-07 07:45	286,720	------w	C:\WINDOWS\Setup1.exe
2008-07-04 15:26	30,814,311	----a-w	C:\WINDOWS\Internet Logs\tvDebug.zip
2008-06-27 16:59	434,688	----a-w	C:\WINDOWS\system32\ss2uinst.exe
2008-06-24 16:23	74,240	----a-w	C:\WINDOWS\system32\mscms.dll
2008-06-23 16:12	667,136	----a-w	C:\WINDOWS\system32\wininet.dll
2008-06-20 17:41	245,248	----a-w	C:\WINDOWS\system32\mswsock.dll
2008-03-12 19:07	6,605	----a-w	C:\Program Files\INSTALL.LOG
2007-07-18 23:06	9	-c--a-w	C:\Program Files\install_log.dat
2006-01-10 22:25	32	-c--a-r	C:\Documents and Settings\All Users\hash.dat
2005-08-27 01:11	4	----a-w	C:\Program Files\Common Files\Cvtaqlog.dat
2005-02-02 07:30	487,424	----a-w	C:\Documents and Settings\Jude.JUDE-5PCD8SABXZ\chatlnk.exe
2008-04-24 18:31	56	--sh--r	C:\WINDOWS\system32\00EA860D08.sys
.

((((((((((((((((((((((((((((( [email protected]_20.06.35.98 )))))))))))))))))))))))))))))))))))))))))
.
+ 2004-08-04 07:56:42	1,028,096	-c--a-w	C:\WINDOWS\system32\dllcache\mfc42.dll
- 2007-10-11 19:12:48	1,468,968	----a-w	C:\WINDOWS\system32\LegitCheckControl.dll
+ 2008-03-20 22:06:36	1,480,232	----a-w	C:\WINDOWS\system32\LegitCheckControl.dll
+ 2008-09-06 22:42:25	16,384	----atw	C:\WINDOWS\Temp\Perflib_Perfdata_3d4.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown 
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"AdobeUpdater"="C:\Program Files\Common Files\Adobe\Updater5\AdobeUpdater.exe" [2007-03-01 2321600]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Disc Detector"="C:\Program Files\Creative\ShareDLL\CtNotify.exe" [2001-08-01 191488]
"ISUSPM Startup"="C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe" [2004-06-16 221184]
"avast!"="C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe" [2007-12-04 79224]
"NvCplDaemon"="C:\WINDOWS\system32\NvCpl.dll" [2003-10-06 5058560]
"ZoneAlarm Client"="C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe" [2007-03-09 919280]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2008-05-27 413696]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"Spyware Doctor"="C:\GBA\Spyware Doctor\swdoctor.exe" [2005-12-13 1976544]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"msacm.ctmp3"= C:\WINDOWS\System32\ctmp3.acm
"aux"= ctwdm32.dll
"vidc.ir32"= C:\WINDOWS\system32\ir32_32.dll
"vidc.ir31"= C:\WINDOWS\system32\ir32_32.dll

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders]
SecurityProviders	msapsspc.dllschannel.dlldigest.dllmsnsspc.dll

[HKLM\~\startupfolder\C:^Documents and Settings^All Users.WINDOWS^Start Menu^Programs^Startup^Google Updater.lnk]
path=C:\Documents and Settings\All Users.WINDOWS\Start Menu\Programs\Startup\Google Updater.lnk
backup=C:\WINDOWS\pss\Google Updater.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users.WINDOWS^Start Menu^Programs^Startup^Microsoft Find Fast.lnk]
path=C:\Documents and Settings\All Users.WINDOWS\Start Menu\Programs\Startup\Microsoft Find Fast.lnk
backup=C:\WINDOWS\pss\Microsoft Find Fast.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users.WINDOWS^Start Menu^Programs^Startup^Office Startup.lnk]
path=C:\Documents and Settings\All Users.WINDOWS\Start Menu\Programs\Startup\Office Startup.lnk
backup=C:\WINDOWS\pss\Office Startup.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users.WINDOWS^Start Menu^Programs^Startup^Photo Loader supervisory.lnk]
path=C:\Documents and Settings\All Users.WINDOWS\Start Menu\Programs\Startup\Photo Loader supervisory.lnk
backup=C:\WINDOWS\pss\Photo Loader supervisory.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users.WINDOWS^Start Menu^Programs^Startup^ShortKeys 2.lnk]
path=C:\Documents and Settings\All Users.WINDOWS\Start Menu\Programs\Startup\ShortKeys 2.lnk
backup=C:\WINDOWS\pss\ShortKeys 2.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^Jude.JUDE-5PCD8SABXZ^Start Menu^Programs^Startup^GameSpot Download Manager.lnk]
path=C:\Documents and Settings\Jude.JUDE-5PCD8SABXZ\Start Menu\Programs\Startup\GameSpot Download Manager.lnk
backup=C:\WINDOWS\pss\GameSpot Download Manager.lnkStartup

[HKLM\~\startupfolder\C:^Documents and Settings^Jude.JUDE-5PCD8SABXZ^Start Menu^Programs^Startup^hamachi.lnk]
path=C:\Documents and Settings\Jude.JUDE-5PCD8SABXZ\Start Menu\Programs\Startup\hamachi.lnk
backup=C:\WINDOWS\pss\hamachi.lnkStartup

[HKLM\~\startupfolder\C:^Documents and Settings^Jude.JUDE-5PCD8SABXZ^Start Menu^Programs^Startup^IMVU.lnk]
path=C:\Documents and Settings\Jude.JUDE-5PCD8SABXZ\Start Menu\Programs\Startup\IMVU.lnk
backup=C:\WINDOWS\pss\IMVU.lnkStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]
--a------ 2008-01-11 22:16 39792 C:\Program Files\Adobe\Reader 8.0\Reader\reader_sl.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AdobeUpdater]
-ra------ 2007-03-01 10:37 2321600 C:\Program Files\Common Files\Adobe\Updater5\AdobeUpdater.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ICQ]
--a------ 2008-05-18 12:30 172280 C:\Program Files\ICQ6\ICQ.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ISUSScheduler]
--a------ 2004-06-16 06:03 81920 C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
--a------ 2007-11-15 14:11 267048 C:\Program Files\iTunes\iTunesHelper.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroCheck]
--a------ 2001-07-09 05:50 155648 C:\WINDOWS\system32\NeroCheck.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
--a------ 2008-05-27 10:50 413696 C:\Program Files\QuickTime\QTTask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
--a------ 2008-03-25 04:28 144784 C:\Program Files\Java\jre1.6.0_06\bin\jusched.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\nwiz]
--a------ 2003-10-06 15:16 741376 C:\WINDOWS\system32\nwiz.exe

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\ZoneLabsFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"C:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"C:\\Program Files\\ICQ6\\ICQ.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"90:TCP"= 90:TCP:Kinger's Hotel

S3 dump_wmimmc;dump_wmimmc;C:\AAAAAA\ENGLISH\Gunbound Revolution\GameGuard\dump_wmimmc.sys [ ]
.
Contents of the 'Scheduled Tasks' folder
.

**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-09-07 15:10:00
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

HKLM\Software\Microsoft\Windows\CurrentVersion\Run
Disc Detector = C:\Program Files\Creative\ShareDLL\CtNotify.exe?X???>???????????? C?????Disc Detector?B???A???????A?? [email protected][email protected]?? [email protected][email protected]?B???A???????A? [email protected][email protected]?? [email protected]?U?????????????????B?????,?????????????????????????????B

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2008-09-07 15:31:34
ComboFix-quarantined-files.txt 2008-09-07 19:31:28
ComboFix2.txt 2008-09-07 01:29:47
ComboFix3.txt 2008-09-06 00:07:31
ComboFix4.txt 2008-08-16 15:06:35

Pre-Run: 26,787,184,640 bytes free
Post-Run: 26,778,398,720 bytes free

188	--- E O F ---	2008-08-19 02:36:57


----------
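The two registry values the helper's CFScript resets (AppInit_DLLs and SecurityProviders) are the first things a triager reads in the "Reg Loading Points" section of a ComboFix log, together with the Windows Firewall policy entries that follow them (in the log above: EnableFirewall=0 and a globally open port 90:TCP). The script below is an added example, not code from this thread or from ComboFix, that parses that section and flags those conditions. SAMPLE_LOG is constructed to mimic the log format above; the names example_hook.dll and example_ssp.dll are placeholders, not anything found on this machine, and the default provider list is the XP SP2 value the CFScript restores.

```python
"""Triage a ComboFix "Reg Loading Points" section for the conditions the
helper's CFScript addresses (AppInit_DLLs, SecurityProviders) plus the
Windows Firewall policy entries printed in the same section.

Added example, not code from the thread. SAMPLE_LOG is constructed; the
file names example_hook.dll and example_ssp.dll are placeholders.
"""
import re

# Windows XP SP2 default value, as restored by the CFScript in the thread.
DEFAULT_SECURITY_PROVIDERS = {"msapsspc.dll", "schannel.dll", "digest.dll", "msnsspc.dll"}

KEY_RE = re.compile(r"^\[(?P<key>[^\]]+)\]\s*$")
# Accepts both the REGEDIT4 style ("Name"=value) and ComboFix's unquoted,
# tab-separated form (Name<TAB>value) that it uses for SecurityProviders.
VALUE_RE = re.compile(r'^"?(?P<name>[^"=\t]+)"?\s*[=\t]\s*(?P<value>.*)$')

# Constructed input modelled on the log format above (placeholder DLL names).
SAMPLE_LOG = """\
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Windows]
"AppInit_DLLs"="C:\\WINDOWS\\system32\\example_hook.dll"

[HKEY_LOCAL_MACHINE\\system\\currentcontrolset\\control\\securityproviders]
SecurityProviders\tmsapsspc.dllschannel.dlldigest.dllmsnsspc.dllexample_ssp.dll

[HKLM\\~\\services\\sharedaccess\\parameters\\firewallpolicy\\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\\~\\services\\sharedaccess\\parameters\\firewallpolicy\\standardprofile\\GloballyOpenPorts\\List]
"90:TCP"= 90:TCP:Kinger's Hotel
"""


def parse_reg_points(text):
    """Return {key_path (lower-cased): {value_name: value}} for the section."""
    reg, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        key = KEY_RE.match(line)
        if key:
            current = key.group("key").lower()
            reg.setdefault(current, {})
            continue
        if current is None or not line:
            continue
        val = VALUE_RE.match(line)
        if val:
            reg[current][val.group("name")] = val.group("value").strip().strip('"')
    return reg


def split_providers(value):
    """Tokenize a SecurityProviders value into lower-case DLL names.

    ComboFix drops the commas when it prints this value
    ("msapsspc.dllschannel.dll..."), so split on the .dll suffix rather
    than on commas; the comma-separated registry form parses the same way.
    """
    parts = value.lower().split(".dll")
    return [p.strip(" ,") + ".dll" for p in parts if p.strip(" ,")]


def triage(text):
    """Return a list of (code, detail) findings; an empty list means clean."""
    reg = parse_reg_points(text)
    findings = []

    windows = reg.get(r"hkey_local_machine\software\microsoft\windows nt\currentversion\windows", {})
    appinit = windows.get("AppInit_DLLs", "")
    if appinit:
        # On XP every process that loads user32.dll also loads these DLLs.
        findings.append(("appinit_dlls", appinit))

    sp = reg.get(r"hkey_local_machine\system\currentcontrolset\control\securityproviders", {})
    extra = sorted(set(split_providers(sp.get("SecurityProviders", ""))) - DEFAULT_SECURITY_PROVIDERS)
    if extra:
        findings.append(("security_providers", ", ".join(extra)))

    # ComboFix prints only non-default entries, so a missing key means the
    # firewall policy is at its default (enabled, no globally open ports).
    profile = r"hklm\~\services\sharedaccess\parameters\firewallpolicy\standardprofile"
    if reg.get(profile, {}).get("EnableFirewall", "").startswith("0"):
        findings.append(("firewall_disabled", "EnableFirewall=0 in standard profile"))
    for port, desc in reg.get(profile + r"\globallyopenports\list", {}).items():
        findings.append(("open_port", f"{port} ({desc})"))

    return findings


if __name__ == "__main__":
    for code, detail in triage(SAMPLE_LOG):
        print(f"{code}: {detail}")
```

Run against the section pasted from a real log, the SecurityProviders check is the one worth keeping even after the CFScript has run: the helper's script writes the comma-separated default, ComboFix then prints it with the commas stripped, and a naive comparison against the quoted default string would flag a clean value as tampered.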



## xintrop (Dec 5, 2007)

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 3:32:32 PM, on 9/7/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINDOWS\System32\CTsvcCDA.EXE
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\system32\PnkBstrA.exe
C:\GBA\Spyware Doctor\sdhelp.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\WINDOWS\System32\alg.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\devldr32.exe
C:\Program Files\Creative\ShareDLL\CtNotify.exe
C:\Program Files\Creative\ShareDLL\MediaDet.Exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\System32\wbem\wmiprvse.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\system32\notepad.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O2 - BHO: CCHelper Class - {0CF0B8EE-6596-11D5-A98E-0003470BB48E} - C:\Program Files\Panicware\Pop-Up Stopper\CCHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: PCTools Site Guard - {5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB} - C:\GBA\SPYWAR~1\tools\iesdsg.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_06\bin\ssv.dll
O3 - Toolbar: Pa&nicware Pop-Up Stopper - {7E82235C-F31E-46CB-AF9F-1ADD94C585FF} - C:\Program Files\Panicware\Pop-Up Stopper\pstopper.dll
O4 - HKLM\..\Run: [Disc Detector] C:\Program Files\Creative\ShareDLL\CtNotify.exe
O4 - HKLM\..\Run: [ISUSPM Startup] "C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe" -startup
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [NvCplDaemon] "RUNDLL32.EXE" C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [ZoneAlarm Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKCU\..\Run: [AdobeUpdater] C:\Program Files\Common Files\Adobe\Updater5\AdobeUpdater.exe
O4 - HKUS\S-1-5-18\..\Run: [Spyware Doctor] "C:\GBA\Spyware Doctor\swdoctor.exe" /Q (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [Spyware Doctor] "C:\GBA\Spyware Doctor\swdoctor.exe" /Q (User 'Default user')
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_06\bin\ssv.dll
O9 - Extra button: Spyware Doctor - {2D663D1A-8670-49D9-A1A5-4C56B4E14E84} - C:\GBA\SPYWAR~1\tools\iesdpb.dll
O9 - Extra button: ICQ Pro - {6224f700-cba3-4071-b251-47cb894244cd} - C:\PROGRA~1\ICQ\ICQ.exe
O9 - Extra 'Tools' menuitem: ICQ - {6224f700-cba3-4071-b251-47cb894244cd} - C:\PROGRA~1\ICQ\ICQ.exe
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: (no name) - {AFC3FA82-AD07-45cd-8B57-983435B9899E} - (no file)
O9 - Extra button: ICQ Lite - {B863453A-26C3-4e1f-A54D-A2CD196348E9} - C:\Program Files\ICQLite\ICQLite.exe (file missing)
O9 - Extra 'Tools' menuitem: ICQ Lite - {B863453A-26C3-4e1f-A54D-A2CD196348E9} - C:\Program Files\ICQLite\ICQLite.exe (file missing)
O9 - Extra button: Run IMVU - {d9288080-1baa-4bc4-9cf8-a92d743db949} - C:\Documents and Settings\Jude.JUDE-5PCD8SABXZ\Start Menu\Programs\IMVU\Run IMVU.lnk (file missing)
O9 - Extra button: ICQ6 - {E59EB121-F339-4851-A3BA-FE49C35617C2} - C:\Program Files\ICQ6\ICQ.exe
O9 - Extra 'Tools' menuitem: ICQ6 - {E59EB121-F339-4851-A3BA-FE49C35617C2} - C:\Program Files\ICQ6\ICQ.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: ActiveGS.cab - http://www.virtualapple.org/activegs.cab
O16 - DPF: {05CA9FB0-3E3E-4B36-BF41-0E3A5CAA8CD8} (Office Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=67633
O16 - DPF: {1239CC52-59EF-4DFA-8C61-90FFA846DF7E} (Musicnotes Viewer) - http://www.musicnotes.com/download/mnviewer.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?LinkID=39204
O16 - DPF: {39B0684F-D7BF-4743-B050-FDC3F48F7E3B} (FilePlanet Download Control Class) - http://www.fileplanet.com/fpdlmgr/cabs/FPDC_1_0_0_41.cab
O16 - DPF: {3DCEC959-378A-4922-AD7E-FD5C925D927F} (Disney Online Games ActiveX Control) - http://disney.go.com/pirates/online/testActiveX/built/signed/DisneyOnlineGames.cab
O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akamai.net/7/1540/52...pple.com/mickey/us/win/QuickTimeInstaller.exe
O16 - DPF: {5F5F9FB8-878E-4455-95E0-F64B2314288A} (ijjiPlugin2 Class) - http://gamedownload.ijjimax.com/gamedownload/dist/hgstart/HGPlugin11USA.cab
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab
O16 - DPF: {67DABFBF-D0AB-41FA-9C46-CC0F21721616} (DivXBrowserPlugin Object) - http://download.divx.com/player/DivXBrowserPlugin.cab?s6
O16 - DPF: {69EF49E5-FE46-4B92-B5FA-2193AB7A6B8A} (GameLauncher Control) - http://www.acclaim.com/cabs/acclaim_v4.cab
O16 - DPF: {70BA88C8-DAE8-4CE9-92BB-979C4A75F53B} - http://launch.gamespyarcade.com/software/launch/alaunch.cab
O16 - DPF: {77E32299-629F-43C6-AB77-6A1E6D7663F6} (Groove Control) - http://tv.disney.go.com/global/download/otoy/OTOYAX29b.cab
O16 - DPF: {7B41B7AC-3496-4C13-A70F-DE6B60A6A8A8} (MGAME manager Class) - http://www.legendofares.com/download/mgusamanagerv1001.cab
O16 - DPF: {CC05BC12-2AA2-4AC7-AC81-0E40F83B1ADF} (Live365Player Class) - http://www.live365.com/players/play365.cab
O16 - DPF: {CD995117-98E5-4169-9920-6C12D4C0B548} (HGPlugin9USA Class) - http://gamedownload.ijjimax.com/gamedownload/dist/hgstart/HGPlugin9USA.cab
O16 - DPF: {D8089245-3211-40F6-819B-9E5E92CD61A2} (FlashXControl Object) - https://jackpotcity.microgaming.com/jackpotcity/FlashAX.cab
O16 - DPF: {DB7BF79A-FC51-4B5A-92BC-A65731174380} (InstantAction Game Launcher) - http://www.instantaction.com/download/iaplayer.cab
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\System32\CTsvcCDA.EXE
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: PnkBstrA - Unknown owner - C:\WINDOWS\system32\PnkBstrA.exe
O23 - Service: PC Tools Spyware Doctor (SDhelper) - PC Tools Research Pty Ltd - C:\GBA\Spyware Doctor\sdhelp.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe
O24 - Desktop Component 0: (no name) - http://tn3-1.deviantart.com/fs5/300W/i/2004/276/6/c/Naruto_vs_Sasuke_by_martegodpopo.jpg
O24 - Desktop Component 1: (no name) - http://artimpressive.com/wp-content/uploads/2007/07/379858.jpg
O24 - Desktop Component 2: (no name) - http://charas-project.net/resources/Titles/6579_1171637130_small.png
O24 - Desktop Component 3: (no name) - http://upload.wikimedia.org/wikipedia/en/f/f3/SSBB_Cover.jpg
O24 - Desktop Component 4: (no name) - http://i177.photobucket.com/albums/w222/ss021447/kirby_bg.jpg
O24 - Desktop Component 5: (no name) - http://i185.photobucket.com/albums/x275/kakairu14/naruto/narutoshippuudenepisodewallpaper.jpg
O24 - Desktop Component 6: (no name) - http://images.elfwood.com/fanq/s/p/spitaelsd2/redeyesblackdragon.jpg

--
End of file - 9842 bytes


----------



## Cookiegal (Aug 27, 2003)

Open HijackThis and click on "Config" and then on the "Misc Tools" button. If you're viewing HijackThis from the Main Menu then click on "Open the Misc Tools Section". Click on the "Open Uninstall Manager" button. Click the "Save List" button. Copy and paste that list here, please.


----------



## xintrop (Dec 5, 2007)

ABC Amber Audio Converter
Ad-Aware SE Personal
Adobe Acrobat 4.0, 5.0
Adobe Flash Player ActiveX
Adobe Reader 8.1.2
Adobe Shockwave Player
Adobe SVG Viewer 3.0
AOL Instant Messenger
Apple Mobile Device Support
Apple Software Update
ArcSoft Media Card Companion
ArcSoft MediaConverter
ArcSoft PhotoImpression 5
ArtMoney SE v7.28
AssaultCube v0.93
Audio Flash 1.2
avast! Antivirus
Banner Maker Pro for Flash Version 1
Ben 10 Alien Force Bounty Hunters
bingohall
Bonjour
Build Your Own Net Dream (remove only)
CCleaner (remove only)
Cheat Engine 5.3
ConsumerUpdate
Creative Jukebox Driver
Creative NOMAD II Driver
Data Lifeguard Tools
DirectX Media Runtime 5.1
DivX Codec
DivX Content Uploader
DivX Player
DivX Web Player
EPSON Printer Software
EZ Macros
Flash2X Screensaver Builder version 2.1.0
Flash-Creator 1
Freelancer
HighMAT Extension to Microsoft Windows XP CD Writing Wizard
HijackThis 2.0.2
Hotfix for Windows Media Format 11 SDK (KB929399)
Hotfix for Windows Media Player 11 (KB939683)
Hotfix for Windows XP (KB914440)
Hotfix for Windows XP (KB915865)
Hotfix for Windows XP (KB926239)
Hotfix for Windows XP (KB952287)
ICQ
ICQ6
iDraw3.32 Chara Maker
IGN Download Manager 2.2.2
iHabbix
ijji Auto Installer
iTunes
Java(TM) 6 Update 6
Kaiba Corp Virtual Duel System 1.4
Lernout & Hauspie TruVoice American English TTS Engine
Macromedia Flash MX
Magic Online III
Malwarebytes' Anti-Malware
MGI PhotoSuite 8.06 (Remove Only)
Microsoft .NET Framework 1.1
Microsoft .NET Framework 1.1
Microsoft .NET Framework 1.1 Hotfix (KB928366)
Microsoft .NET Framework 2.0 Service Pack 1
Microsoft Compression Client Pack 1.0 for Windows XP
Microsoft Data Access Components KB870669
Microsoft Internationalized Domain Names Mitigation APIs
Microsoft National Language Support Downlevel APIs
Microsoft Office 97, Professional Edition
Microsoft Text-to-Speech Engine 4.0 (English)
Microsoft User-Mode Driver Framework Feature Pack 1.0
Microsoft Windows Journal Viewer
Midi Maker
mIRC
Mozilla Firefox (2.0.0.16)
Nero
NVIDIA Display Driver
One Piece Online
Opera 9.25
OTOY
OZ
Panicware Pop-Up Stopper
Photo Loader 2.1E
POL Map editor
PowerDVD
Project64 1.6
QuickShot 1.52
QuickTime
Reader Drivers and Utilities
RGSS-RTP Standard
RGSS-RTP Standard
RPG Maker 2000 1.05
RPG Maker 2003
RPG Maker 2003
RPG Maker 2003 v1.08
RPG Maker VX
RPG Maker VX RTP
RPG Maker XP
RPGcN[VX
RPGcN[VX Ì±Å
RPGToolkit, Version 3.1.0
RPGXP
RTP 1.32 Add-On for RM2k
Security Update for Windows Media Player (KB911564)
Security Update for Windows Media Player 10 (KB911565)
Security Update for Windows Media Player 10 (KB917734)
Security Update for Windows Media Player 11 (KB936782)
Security Update for Windows Media Player 6.4 (KB925398)
Security Update for Windows XP (KB883939)
Security Update for Windows XP (KB890046)
Security Update for Windows XP (KB893756)
Security Update for Windows XP (KB896358)
Security Update for Windows XP (KB896422)
Security Update for Windows XP (KB896423)
Security Update for Windows XP (KB896424)
Security Update for Windows XP (KB896428)
Security Update for Windows XP (KB896688)
Security Update for Windows XP (KB899587)
Security Update for Windows XP (KB899588)
Security Update for Windows XP (KB899591)
Security Update for Windows XP (KB900725)
Security Update for Windows XP (KB901017)
Security Update for Windows XP (KB901190)
Security Update for Windows XP (KB901214)
Security Update for Windows XP (KB902400)
Security Update for Windows XP (KB903235)
Security Update for Windows XP (KB904706)
Security Update for Windows XP (KB905414)
Security Update for Windows XP (KB905749)
Security Update for Windows XP (KB905915)
Security Update for Windows XP (KB908519)
Security Update for Windows XP (KB908531)
Security Update for Windows XP (KB911280)
Security Update for Windows XP (KB911562)
Security Update for Windows XP (KB911567)
Security Update for Windows XP (KB911927)
Security Update for Windows XP (KB912812)
Security Update for Windows XP (KB912919)
Security Update for Windows XP (KB913446)
Security Update for Windows XP (KB913580)
Security Update for Windows XP (KB914388)
Security Update for Windows XP (KB914389)
Security Update for Windows XP (KB916281)
Security Update for Windows XP (KB917159)
Security Update for Windows XP (KB917344)
Security Update for Windows XP (KB917422)
Security Update for Windows XP (KB917953)
Security Update for Windows XP (KB918118)
Security Update for Windows XP (KB918439)
Security Update for Windows XP (KB918899)
Security Update for Windows XP (KB919007)
Security Update for Windows XP (KB920213)
Security Update for Windows XP (KB920214)
Security Update for Windows XP (KB920670)
Security Update for Windows XP (KB920683)
Security Update for Windows XP (KB920685)
Security Update for Windows XP (KB921398)
Security Update for Windows XP (KB921503)
Security Update for Windows XP (KB921883)
Security Update for Windows XP (KB922616)
Security Update for Windows XP (KB922760)
Security Update for Windows XP (KB922819)
Security Update for Windows XP (KB923191)
Security Update for Windows XP (KB923414)
Security Update for Windows XP (KB923689)
Security Update for Windows XP (KB923694)
Security Update for Windows XP (KB923980)
Security Update for Windows XP (KB924191)
Security Update for Windows XP (KB924270)
Security Update for Windows XP (KB924496)
Security Update for Windows XP (KB924667)
Security Update for Windows XP (KB925454)
Security Update for Windows XP (KB925486)
Security Update for Windows XP (KB925902)
Security Update for Windows XP (KB926255)
Security Update for Windows XP (KB926436)
Security Update for Windows XP (KB927779)
Security Update for Windows XP (KB927802)
Security Update for Windows XP (KB928090)
Security Update for Windows XP (KB928255)
Security Update for Windows XP (KB928843)
Security Update for Windows XP (KB929123)
Security Update for Windows XP (KB929969)
Security Update for Windows XP (KB930178)
Security Update for Windows XP (KB931261)
Security Update for Windows XP (KB931768)
Security Update for Windows XP (KB931784)
Security Update for Windows XP (KB932168)
Security Update for Windows XP (KB933566)
Security Update for Windows XP (KB933729)
Security Update for Windows XP (KB935839)
Security Update for Windows XP (KB935840)
Security Update for Windows XP (KB936021)
Security Update for Windows XP (KB937143)
Security Update for Windows XP (KB938127)
Security Update for Windows XP (KB938829)
Security Update for Windows XP (KB939653)
Security Update for Windows XP (KB941202)
Security Update for Windows XP (KB941568)
Security Update for Windows XP (KB941569)
Security Update for Windows XP (KB941644)
Security Update for Windows XP (KB941693)
Security Update for Windows XP (KB942615)
Security Update for Windows XP (KB943055)
Security Update for Windows XP (KB943460)
Security Update for Windows XP (KB943485)
Security Update for Windows XP (KB944338)
Security Update for Windows XP (KB944533)
Security Update for Windows XP (KB944653)
Security Update for Windows XP (KB945553)
Security Update for Windows XP (KB946026)
Security Update for Windows XP (KB946648)
Security Update for Windows XP (KB947864)
Security Update for Windows XP (KB948590)
Security Update for Windows XP (KB948881)
Security Update for Windows XP (KB950749)
Security Update for Windows XP (KB950759)
Security Update for Windows XP (KB950760)
Security Update for Windows XP (KB950762)
Security Update for Windows XP (KB950974)
Security Update for Windows XP (KB951066)
Security Update for Windows XP (KB951376)
Security Update for Windows XP (KB951376-v2)
Security Update for Windows XP (KB951698)
Security Update for Windows XP (KB951748)
Security Update for Windows XP (KB952954)
Security Update for Windows XP (KB953838)
Security Update for Windows XP (KB953839)
SeeMePlayMe Client
Shockwave
Shoddy Battle (a FREE GNU licensed Online Pokemon Battle Simula
Sierra Utilities
Sound Blaster Live!
Sprite Builder 1.0
Spybot - Search & Destroy 1.4
SpywareBlaster 4.1
Super Smash Flash EXE Version 1.0
TeamSpeak 2 RC2
The Sims Deluxe Edition
thriXXX WebLaunch
Uninstall ESS Modem
Update for Windows XP (KB894391)
Update for Windows XP (KB896727)
Update for Windows XP (KB898461)
Update for Windows XP (KB900485)
Update for Windows XP (KB904942)
Update for Windows XP (KB910437)
Update for Windows XP (KB916595)
Update for Windows XP (KB920872)
Update for Windows XP (KB922582)
Update for Windows XP (KB927891)
Update for Windows XP (KB929338)
Update for Windows XP (KB930916)
Update for Windows XP (KB931836)
Update for Windows XP (KB933360)
Update for Windows XP (KB936357)
Update for Windows XP (KB938828)
Update for Windows XP (KB942763)
Update for Windows XP (KB942840)
Update for Windows XP (KB946627)
Update for Windows XP (KB951072-v2)
War of Conquest
WavePad Uninstall
WCS Client
Windows Genuine Advantage v1.3.0254.0
Windows Installer 3.1 (KB893803)
Windows Installer 3.1 (KB893803)
Windows Live Messenger
Windows Media Format 11 runtime
Windows Media Format 11 runtime
Windows Media Player 11
Windows Media Player 11
Windows XP Hotfix - KB834707
Windows XP Hotfix - KB867282
Windows XP Hotfix - KB873333
Windows XP Hotfix - KB873339
Windows XP Hotfix - KB885250
Windows XP Hotfix - KB885835
Windows XP Hotfix - KB885836
Windows XP Hotfix - KB885884
Windows XP Hotfix - KB886185
Windows XP Hotfix - KB887472
Windows XP Hotfix - KB887742
Windows XP Hotfix - KB888113
Windows XP Hotfix - KB888302
Windows XP Hotfix - KB890047
Windows XP Hotfix - KB890175
Windows XP Hotfix - KB890859
Windows XP Hotfix - KB890923
Windows XP Hotfix - KB891781
Windows XP Hotfix - KB893066
Windows XP Hotfix - KB893086
Windows XP Service Pack 2
WinPatrol
WinRAR archiver
WinZip
Wuschel's ASIO4ALL
ZoneAlarm


----------



## Cookiegal (Aug 27, 2003)

Your *Java* is out of date. Older versions have vulnerabilities that malware can use to infect your system. Please follow these steps to remove older versions of *Java* components and upgrade the application. Beware that it is NOT supported for use in 9x or ME and probably will not install on those systems.

*Upgrading Java*:


1. Download the latest version of *Java Runtime Environment (JRE) 6 Update 7*.
2. Scroll down to where it says *Java Runtime Environment (JRE) 6 Update 7. The Java SE Runtime Environment (JRE) allows end-users to run Java applications* (the fifth one in the list).
3. Click the "*Download*" button to the right. A new page will open.
4. Select your platform and check the box that says: *I agree to the Java SE Runtime Environment 6 License Agreement*.
5. Click *Continue*.
6. Click on the link under *Windows Offline Installation* (jre-6u7-windows-i586-p.exe) and save it to your desktop. Do NOT use the Sun Download Manager.
7. Go to *Start* - *Control Panel*, double-click on *Add/Remove Programs* and remove all older versions of Java.
8. Check any item with Java Runtime Environment *(JRE or J2SE)* in the name.
9. Click the Remove or Change/Remove button.
10. Repeat as many times as necessary to remove each Java version.
11. Reboot your computer once all Java components are removed.
12. Close any programs you may have running - especially your web browser.
13. Then from your desktop double-click on the download to install the newest version.

How are things now?
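As an added example (not from this thread, and not Sun's own tooling), here is a small Python check that applies the rule above, remove every JRE older than 6 Update 7, to an Add/Remove Programs list of the kind posted in this thread. The sample list and the function names are constructed for illustration, and the name patterns cover only the entry styles that appear in this thread.

```python
import re

# Constructed sample modelled on the Add/Remove Programs list posted in this
# thread (not the poster's actual list); one entry keeps a trailing space,
# which the real list also shows.
SAMPLE_PROGRAMS = [
    "Adobe Reader 8.1.2",
    "J2SE Runtime Environment 5.0 Update 6",
    "Java(TM) 6 Update 6",
    "Java(TM) SE Runtime Environment 6 Update 1",
    "Java(TM) 6 Update 7 ",
    "Mozilla Firefox (2.0.0.16)",
    "ZoneAlarm",
]

# Display names Sun's JRE installers registered in Add/Remove Programs:
#   "J2SE Runtime Environment 5.0 Update 6"       -> Java 5, update 6
#   "Java(TM) SE Runtime Environment 6 Update 1"  -> Java 6, update 1
#   "Java(TM) 6 Update 7"                         -> Java 6, update 7
JRE_PATTERNS = [
    re.compile(r"^J2SE Runtime Environment (\d)\.0(?: Update (\d+))?$"),
    re.compile(r"^Java\(TM\) (?:SE Runtime Environment )?(\d)(?: Update (\d+))?$"),
]


def parse_java(name):
    """Return (major, update) for a JRE entry, or None for anything else."""
    name = name.strip()
    for pattern in JRE_PATTERNS:
        match = pattern.match(name)
        if match:
            return int(match.group(1)), int(match.group(2) or 0)
    return None


def outdated_java(programs, current=(6, 7)):
    """Names of JRE entries older than `current`, in list order; these are
    the ones to uninstall before installing the new build."""
    return [p.strip() for p in programs
            if (v := parse_java(p)) is not None and v < current]


def has_current_java(programs, current=(6, 7)):
    """True if the up-to-date JRE is already present in the list."""
    return any(parse_java(p) == current for p in programs)
```

Entries such as the "Java(TM) Control Panel" icon are not programs and do not match, so they are left alone, as the helper notes later in the thread.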


----------



## xintrop (Dec 5, 2007)

Upon clicking on "J2SE Environment 5.0 Update 6", there is no option to Change or Remove. It only says 
"Size 119.00MB
Used rarely"
Below that is "Java(TM) 6 Update 6" where it does give me option to Change or Remove.

There is also the Java trademark before some games, "Call of Combat and Call of Combat lobby", which has the option to Change or Remove, but says it cannot remove when I try.
There are other games like that there which I haven't tried to delete yet.


----------



## ~Candy~ (Jan 27, 2001)

Right click on each one and see if you have the option to uninstall.


----------



## Cookiegal (Aug 27, 2003)

Try running the Microsoft Cleanup Utility. It should be able to remove those damaged installations.

http://support.microsoft.com/kb/290301

Let me know how it goes please.


----------



## xintrop (Dec 5, 2007)

Worked late tonight, not enough time to do this atm.
"Java(TM) 6 Update 6" <--- Is that the new version that I am going to install or is it the out-of-date version? It does give me the option to uninstall it. Also in my Control Panel, where "Internet Options", "Network Connections", "User Accounts", etc. are, there is a "Java" logo all by itself. Upon holding the cursor over it, it says "Java(TM) Control Panel".


----------



## ~Candy~ (Jan 27, 2001)

The newest version is update 7.


----------



## xintrop (Dec 5, 2007)

Ok, then I can delete "Java(TM) 6 Update 6" and go from there?


----------



## Cookiegal (Aug 27, 2003)

Yes. You need to disregard the Java logo in the Control Panel. That is needed.


----------



## xintrop (Dec 5, 2007)

ABC Amber Audio Converter
Ad-Aware SE Personal
Adobe Acrobat 4.0, 5.0
Adobe Acrobat and Reader 8.1.2 Security Update 1 (KB403742)
Adobe Flash Player ActiveX
Adobe Reader 8.1.2
Adobe Shockwave Player
Adobe SVG Viewer 3.0
AOL Instant Messenger
Apple Mobile Device Support
Apple Software Update
ArcSoft Media Card Companion
ArcSoft MediaConverter
ArcSoft PhotoImpression 5
ArtMoney SE v7.28
AssaultCube v0.93
Audio Flash 1.2
avast! Antivirus
Banner Maker Pro for Flash Version 1
Ben 10 Alien Force Bounty Hunters
bingohall
Bonjour
Build Your Own Net Dream (remove only)
CCleaner (remove only)
Cheat Engine 5.3
ConsumerUpdate
Creative Jukebox Driver
Creative NOMAD II Driver
Data Lifeguard Tools
DirectX Media Runtime 5.1
DivX Codec
DivX Content Uploader
DivX Player
DivX Web Player
EPSON Printer Software
EZ Macros
Flash2X Screensaver Builder version 2.1.0
Flash-Creator 1
Freelancer
HighMAT Extension to Microsoft Windows XP CD Writing Wizard
HijackThis 2.0.2
Hotfix for Windows Media Format 11 SDK (KB929399)
Hotfix for Windows Media Player 11 (KB939683)
Hotfix for Windows XP (KB952287)
ICQ
ICQ6
iDraw3.32 Chara Maker
IGN Download Manager 2.2.2
iHabbix
ijji Auto Installer
iTunes
Java(TM) 6 Update 7 
Kaiba Corp Virtual Duel System 1.4
Lernout & Hauspie TruVoice American English TTS Engine
Macromedia Flash MX
Magic Online III
Malwarebytes' Anti-Malware
MGI PhotoSuite 8.06 (Remove Only)
Microsoft .NET Framework 1.1
Microsoft .NET Framework 1.1
Microsoft .NET Framework 1.1 Hotfix (KB928366)
Microsoft .NET Framework 2.0 Service Pack 1
Microsoft Compression Client Pack 1.0 for Windows XP
Microsoft Data Access Components KB870669
Microsoft Internationalized Domain Names Mitigation APIs
Microsoft National Language Support Downlevel APIs
Microsoft Office 97, Professional Edition
Microsoft Text-to-Speech Engine 4.0 (English)
Microsoft User-Mode Driver Framework Feature Pack 1.0
Microsoft Windows Journal Viewer
Midi Maker
mIRC
Mozilla Firefox (2.0.0.16)
Nero
NVIDIA Display Driver
One Piece Online
Opera 9.25
OTOY
OZ
Panicware Pop-Up Stopper
Photo Loader 2.1E
POL Map editor
PowerDVD
Project64 1.6
QuickShot 1.52
QuickTime
Reader Drivers and Utilities
RGSS-RTP Standard
RGSS-RTP Standard
RPG Maker 2000 1.05
RPG Maker 2003
RPG Maker 2003
RPG Maker 2003 v1.08
RPG Maker VX
RPG Maker VX RTP
RPG Maker XP
RPGcN[VX
RPGcN[VX Ì±Å
RPGToolkit, Version 3.1.0
RPGXP
RTP 1.32 Add-On for RM2k
Security Update for Windows Media Player 10 (KB911565)
Security Update for Windows Media Player 10 (KB917734)
Security Update for Windows Media Player 11 (KB936782)
Security Update for Windows Media Player 11 (KB954154)
Security Update for Windows XP (KB938464)
Security Update for Windows XP (KB941569)
Security Update for Windows XP (KB946648)
Security Update for Windows XP (KB950759)
Security Update for Windows XP (KB950760)
Security Update for Windows XP (KB950762)
Security Update for Windows XP (KB950974)
Security Update for Windows XP (KB951066)
Security Update for Windows XP (KB951376)
Security Update for Windows XP (KB951376-v2)
Security Update for Windows XP (KB951698)
Security Update for Windows XP (KB951748)
Security Update for Windows XP (KB952954)
Security Update for Windows XP (KB953838)
Security Update for Windows XP (KB953839)
SeeMePlayMe Client
Shockwave
Shoddy Battle (a FREE GNU licensed Online Pokemon Battle Simula
Sierra Utilities
Sound Blaster Live!
Sprite Builder 1.0
Spybot - Search & Destroy 1.4
SpywareBlaster 4.1
Super Smash Flash EXE Version 1.0
TeamSpeak 2 RC2
The Sims Deluxe Edition
thriXXX WebLaunch
Uninstall ESS Modem
Update for Windows XP (KB951072-v2)
Update for Windows XP (KB951978)
War of Conquest
WavePad Uninstall
WCS Client
Windows Genuine Advantage v1.3.0254.0
Windows Live Messenger
Windows Media Format 11 runtime
Windows Media Format 11 runtime
Windows Media Player 11
Windows Media Player 11
Windows XP Service Pack 3
WinPatrol
WinRAR archiver
WinZip
Wuschel's ASIO4ALL
ZoneAlarm


----------



## Cookiegal (Aug 27, 2003)

OK, you've got the correct version.

Are there any problems remaining now?


----------



## xintrop (Dec 5, 2007)

Not that I can see, although I haven't been on it much. 
Double trouble in one thread.... Dang.
Thanks so much AGAIN! Dunno what I am going to do about the "Disk Cleanup" problem I am having.


----------



## ~Candy~ (Jan 27, 2001)

The thread is getting rather long. Can you describe the Disk Cleanup problem again?


----------



## Cookiegal (Aug 27, 2003)

I remember that it would start to run but wouldn't complete.

I found this regfix that may work.

Please save it to your desktop, double-click the file to run it and allow it to merge into the registry. Then reboot the computer and try running Disk Cleanup again.

http://www.kellys-korner-xp.com/regs_edits/desktopcleanuprestore.reg


----------

