Virus problem

bison8125

New Member
It looks like this virus may have been posted before, but I'm not sure what fix will work properly for me, so I'm asking for help (seewi1, I'm pretty sure you've dealt with this already).

I've got a virus, here is what's been happening:
I've got a new icon (down by the clock) that I've never had before (yellow triangle with a black exclamation mark). I can't find the process (in windows task manager) that will get rid of it. The icon also pops up with these "error" messages:
"Windows Security System: Zlob.PornAdvertiser.ba
Adaware Zlob.PornAdvertiser.ba detected. This program advertises sites with explicit content. Please be attentive bcause advertised content could be illegal"
Since the icon appeared, I've also gotten these other pop ups:
"Windows Security System has detected spyware infection!
Spyware may compromise your privacy or damage your computer. It is
recommended to use antispyware tool to prevent data loss and privacy
information exposure. Click OK to proceed."
"Windows Alert Critical System Warning! Your system is probably infected with version of Spyware.IEMonster.b. Spyware.IEMonster.b is spyware that attempts to steal paswords from Internet Explorer, Mozilla Firefox, Outlook and other programs, including logins and passwords from online banking sessions, eBay, PayPal. It may also create special tracking files to log your activity and compromise your Internet privacy. Spyware.IEMonster then sends stolen passwords and other sensitive information to a php script at a pre-specified website where the stolen details are logged. Click here to protect your computer (recommended)"
Since the icon appeared, I've also gotten 2 files put on my desktop (which I certainly didn't put there). Both files are internet pages called "BDSM galleries" and "Uncensored porn".

Since I've been reading the other posts, I think you might need some more information, so I've included the log file from HiJackThis (see next post), and a log file from Combofix (see third post).
 
HJT Log File

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 1:11:04 AM, on 2/19/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\wltrysvc.exe
C:\WINDOWS\System32\bcmwltry.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Viewpoint\Common\ViewpointService.exe
C:\Program Files\TightVNC\WinVNC.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\QuickTime\qttask.exe
C:\PROGRA~1\Yahoo!\MESSEN~1\YAHOOM~1.EXE
C:\Program Files\MSN Messenger\MsnMsgr.Exe
C:\Program Files\AIM6\aim6.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
C:\WINDOWS\explorer.exe
C:\Program Files\MSN Messenger\usnsvc.exe
C:\Program Files\MSN Messenger\livecall.exe
C:\Program Files\AIM6\aolsoftware.exe
C:\WINDOWS\system32\notepad.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoomail.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://us.rd.yahoo.com/customize/ie/defaults/su/msgr8/*http://www.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.com/customize/ie/defaults/sb/msgr8/*http://www.yahoo.com/ext/search/search.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://us.rd.yahoo.com/customize/ie/defaults/sp/msgr8/*http://www.yahoo.com
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://us.rd.yahoo.com/customize/ie/defaults/su/msgr8/*http://www.yahoo.com
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\PROGRA~1\Yahoo!\MESSEN~1\YAHOOM~1.EXE" -quiet
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [Aim6] "C:\Program Files\AIM6\aim6.exe" /d locale=en-US ee://aol/imApp
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Freebie Notes] "C:\Program Files\Power Soft\Freebie Notes\FreebieNotes.exe"
O4 - HKCU\..\Run: [SVCHOST.EXE] C:\WINDOWS\system32\drivers\svchost.exe
O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'Default user')
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\npjpi160_01.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\npjpi160_01.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll
O16 - DPF: {2B96D5CC-C5B5-49A5-A69D-CC0A30F9028C} - http://wdownload.weatherbug.com/minibug/tricklers/AWS/MiniBugTransporter.cab?
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
O16 - DPF: {3BFFE033-BF43-11D5-A271-00A024A51325} (iNotes6 Class) - http://hcmail1.co.hennepin.mn.us/iNotes6W.cab
O16 - DPF: {5F8469B4-B055-49DD-83F7-62B522420ECC} (Facebook Photo Uploader Control) - http://upload.facebook.com/controls/FacebookPhotoUploader.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1181780980500
O16 - DPF: {85D1F3B2-2A21-11D7-97B9-0010DC2A6243} (SecureLogin class) - http://secure2.comned.com/signuptemplates/securelogin-devel.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/MsnMessengerSetupDownloader.cab
O16 - DPF: {C4925E65-7A1E-11D2-8BB4-00A0C9CC72C3} - http://a532.g.akamai.net/f/532/6712/4h/player.virtools.com/downloads/player/Install3.0/Installer.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: Cisco Systems, Inc. VPN Service (CVPND) - Cisco Systems, Inc. - C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Unknown owner - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe (file missing)
O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exe
O23 - Service: VNC Server (winvnc) - Constantin Kaplinsky - C:\Program Files\TightVNC\WinVNC.exe
O23 - Service: Broadcom Wireless LAN Tray Service (wltrysvc) - Unknown owner - C:\WINDOWS\System32\wltrysvc.exe

--
End of file - 6602 bytes
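One way a helper triages an O4 list like the one above is to look for autostart entries whose executable borrows a Windows system binary's name but runs from somewhere that binary never lives, which is exactly what the `[SVCHOST.EXE]` entry pointing into `system32\drivers` looks like. The script below is an added example written for this thread, not part of HijackThis or of the original posts; the sample lines are a constructed subset of the log above, and the Windows root `C:\WINDOWS` is an assumption.

```python
import ntpath
import re
from typing import List, NamedTuple, Optional, Tuple

# Assumption for this example: an XP-era layout with the Windows root at C:\WINDOWS.
WINDOWS_ROOT = r"c:\windows"

# Directory (relative to WINDOWS_ROOT) that a genuine copy of each binary loads from.
SYSTEM_BINARIES = {
    "smss.exe": "system32",
    "csrss.exe": "system32",
    "winlogon.exe": "system32",
    "services.exe": "system32",
    "lsass.exe": "system32",
    "svchost.exe": "system32",
    "spoolsv.exe": "system32",
    "ctfmon.exe": "system32",
    "explorer.exe": "",
}

# O4 line shape: "O4 - <hive>\..\Run: [<value name>] <command line>"
O4_LINE = re.compile(r"^O4 - (?P<key>.+?): \[(?P<name>[^\]]*)\] (?P<cmd>.*)$")
# Leading executable of a command line, quoted or not (HJT prints unquoted paths with spaces).
EXE_PATH = re.compile(
    r'^"?(?P<path>[A-Za-z]:\\.*?\.(?:exe|dll|com|scr|bat|cmd))"?(?:\s|$)', re.IGNORECASE
)

# Constructed subset of the O4 lines from the HijackThis log above.
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [SVCHOST.EXE] C:\WINDOWS\system32\drivers\svchost.exe
O4 - HKUS\S-1-5-18\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'SYSTEM')
"""


class Finding(NamedTuple):
    key: str
    name: str
    path: str
    reason: str


def parse_o4(line: str) -> Optional[Tuple[str, str, str]]:
    """Return (registry key, value name, executable path) for an O4 line, else None."""
    m = O4_LINE.match(line.strip())
    if not m:
        return None
    p = EXE_PATH.match(m["cmd"])
    if not p:
        return None
    return m["key"], m["name"], p["path"]


def check_entry(key: str, name: str, path: str) -> Optional[Finding]:
    """Flag an autostart whose file name, or whose value name, borrows a system binary's
    name while the file does not live in that binary's real directory."""
    base = ntpath.basename(path).lower()
    actual_dir = ntpath.normpath(ntpath.dirname(path)).lower()
    if base in SYSTEM_BINARIES:
        expected_dir = ntpath.normpath(ntpath.join(WINDOWS_ROOT, SYSTEM_BINARIES[base]))
        if actual_dir != expected_dir:
            return Finding(key, name, path,
                           f"{base} is expected in {expected_dir} but runs from {actual_dir}")
    if name.lower() in SYSTEM_BINARIES and name.lower() != base:
        return Finding(key, name, path,
                       f"value name {name} mimics a system binary but launches {base}")
    return None


def scan_hjt_log(text: str) -> List[Finding]:
    """Run check_entry over every O4 line of a HijackThis log and collect the hits."""
    findings = []
    for line in text.splitlines():
        parsed = parse_o4(line)
        if parsed is None:
            continue
        finding = check_entry(*parsed)
        if finding is not None:
            findings.append(finding)
    return findings


if __name__ == "__main__":
    for f in scan_hjt_log(SAMPLE_LOG):
        print(f"{f.key} [{f.name}] -> {f.path}: {f.reason}")
```

Run against the sample it reports only the `drivers\svchost.exe` entry; the legitimate `ctfmon.exe` under `system32` passes because both the name and the directory match.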
 
Combofix Log File

ComboFix 08-02-19.2 - Dylan 2008-02-19 0:51:52.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.480 [GMT -6:00]
Running from: C:\Documents and Settings\Dylan\Desktop\ComboFix.exe
* Created a new restore point

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Program Files\winupdates
C:\WINDOWS\system32\drivers\svchost.exe
C:\WINDOWS\system32\lsprst7.dll
C:\WINDOWS\system32\nsprs.dll
C:\WINDOWS\system32\serauth1.dll
C:\WINDOWS\system32\serauth2.dll
C:\WINDOWS\system32\ssprs.dll
C:\WINDOWS\system32\winupdate.exe
C:\WINDOWS\trayicons.exe
C:\WINDOWS\windisk.dll

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))

.
-------\LEGACY_NTLOAD
-------\nm
-------\ntload


((((((((((((((((((((((((( Files Created from 2008-01-19 to 2008-02-19 )))))))))))))))))))))))))))))))
.

2008-02-18 23:04 . 2007-06-05 10:56 44,928 --a------ C:\WINDOWS\system32\drivers\SDTHOOK.SYS
2008-02-18 23:03 . 2007-06-08 09:44 8,576 --a------ C:\WINDOWS\system32\drivers\qbphsfchiqga.sys
2008-02-18 22:53 . 2008-02-19 00:12 <DIR> d-------- C:\WINDOWS\system32\ActiveScan
2008-02-18 22:53 . 2008-02-18 22:53 30,590 --a------ C:\WINDOWS\system32\pavas.ico
2008-02-18 22:53 . 2008-02-18 22:53 2,550 --a------ C:\WINDOWS\system32\Uninstall.ico
2008-02-18 22:53 . 2008-02-18 22:53 1,406 --a------ C:\WINDOWS\system32\Help.ico
2008-02-18 19:20 . 2008-02-18 19:20 0 --a------ C:\WINDOWS\system32\wscmp.dll.tmp
2008-02-18 19:19 . 2008-02-18 19:19 0 --a------ C:\WINDOWS\system32\update32.exe.tmp
2008-02-18 19:16 . 2008-02-18 19:16 0 --a------ C:\WINDOWS\system32\sex2.ico.tmp
2008-02-18 19:15 . 2008-02-18 19:15 0 --a------ C:\WINDOWS\system32\sex1.ico.tmp
2008-02-18 19:11 . 2008-02-18 19:11 87,040 --a------ C:\WINDOWS\e01.exe
2008-02-18 19:11 . 2008-02-18 19:11 23,040 --a------ C:\info.exe
2008-02-16 10:01 . 2008-02-18 02:11 <DIR> d-------- C:\Westwood
2008-02-14 14:44 . 2008-02-14 14:44 15,042 --a------ C:\AirlineHistory.zip
2008-02-13 22:27 . 2008-02-13 22:27 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\NCH Swift Sound
2008-02-13 22:25 . 2008-02-13 22:25 <DIR> d-------- C:\Documents and Settings\Dylan\Application Data\NCH Software
2008-02-13 22:25 . 2008-02-13 22:25 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\NCH Software
2008-01-26 18:24 . 2008-01-26 18:24 <DIR> d-------- C:\Program Files\CCleaner
2008-01-24 15:01 . 2008-02-15 19:42 <DIR> d-------- C:\AirlineStudentHistory
2008-01-24 15:01 . 2008-02-15 19:41 <DIR> d-------- C:\AirlineHistory
2008-01-20 11:20 . 2008-01-20 11:20 552 --a------ C:\WINDOWS\system32\d3d8caps.dat
2008-01-19 08:52 . 2008-01-19 08:52 <DIR> d-------- C:\Program Files\EA GAMES

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-02-19 05:52 --------- d-----w C:\Program Files\MSN Messenger
2008-02-19 05:40 --------- d-----w C:\Program Files\AIM6
2008-02-19 01:30 --------- d-----w C:\Documents and Settings\Dylan\Application Data\AVG7
2008-02-19 01:17 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-02-19 00:58 --------- d-----w C:\Program Files\Maxis
2008-02-17 18:13 --------- d-----w C:\Program Files\Viewpoint
2008-02-17 18:13 --------- d-----w C:\Documents and Settings\All Users\Application Data\Viewpoint
2008-02-17 18:12 --------- d-----w C:\Documents and Settings\All Users\Application Data\AOL
2008-02-16 15:09 --------- d-----w C:\Documents and Settings\All Users\Application Data\AOL Downloads
2008-02-15 07:25 --------- d-----w C:\Documents and Settings\Dylan\Application Data\U3
2008-02-15 04:29 --------- d-----w C:\Documents and Settings\Dylan\Application Data\BitTorrent
2008-02-14 04:25 --------- d-----w C:\Program Files\NCH Software
2008-02-12 19:00 --------- d-----w C:\Program Files\Diablo II
2008-01-31 05:54 --------- d-----w C:\Documents and Settings\Dylan\Application Data\WeatherBug
2008-01-22 06:03 --------- d-----w C:\Program Files\Hero Editor
2008-01-22 06:02 73,216 ----a-w C:\WINDOWS\ST6UNST.EXE
2008-01-22 06:02 249,856 ------w C:\WINDOWS\Setup1.exe
2008-01-19 14:48 --------- d-----w C:\Program Files\Common Files\InstallShield
2007-12-21 19:44 --------- d---a-w C:\Documents and Settings\All Users\Application Data\TEMP
2007-12-21 19:11 --------- d-----w C:\Program Files\WON
2007-12-21 18:53 94,208 ----a-w C:\WINDOWS\ScUnin.exe
2007-12-21 18:53 --------- d-----w C:\Program Files\Starcraft
2007-12-21 06:22 --------- d-----w C:\Program Files\Common Files\Nero
2007-12-21 06:22 --------- d-----w C:\Documents and Settings\All Users\Application Data\Nero
2007-12-21 05:59 --------- d-----w C:\Documents and Settings\Dylan\Application Data\Nero
2006-11-11 12:16 1,740 ----a-w C:\Documents and Settings\Dylan\HISCORES.DAT
1997-05-13 23:26 3,206,344 ----a-w C:\Documents and Settings\Dylan\HOSPPAT.EXE
1994-06-01 03:00 265,396 ----a-w C:\Documents and Settings\Dylan\DOS4GW.EXE
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Yahoo! Pager"="C:\PROGRA~1\Yahoo!\MESSEN~1\YAHOOM~1.exe" [2006-11-30 21:49 4662776]
"MsnMsgr"="C:\Program Files\MSN Messenger\MsnMsgr.exe" [2007-01-19 12:54 5674352]
"Aim6"="C:\Program Files\AIM6\aim6.exe" [2008-01-03 10:15 50528]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 06:00 15360]
"Freebie Notes"="C:\Program Files\Power Soft\Freebie Notes\FreebieNotes.exe" [2006-05-23 22:05 982016]
"SVCHOST.EXE"="C:\WINDOWS\system32\drivers\svchost.exe" [ ]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SynTPEnh"="C:\Program Files\Synaptics\SynTP\SynTPEnh.exe" [2006-05-19 13:51 774233]
"TkBellExe"="C:\Program Files\Common Files\Real\Update_OB\realsched.exe" [2006-09-17 21:21 185784]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2006-08-29 14:31 282624]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"AVG7_Run"="C:\PROGRA~1\Grisoft\AVG7\avgw.exe" [2007-06-23 21:39 145920]

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Adobe Reader Speed Launch.lnk
backup=C:\WINDOWS\pss\Adobe Reader Speed Launch.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Cisco Systems VPN Client.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Cisco Systems VPN Client.lnk
backup=C:\WINDOWS\pss\Cisco Systems VPN Client.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^Dylan^Start Menu^Programs^Startup^Qwest QuickNetworking.lnk]
path=C:\Documents and Settings\Dylan\Start Menu\Programs\Startup\Qwest QuickNetworking.lnk
backup=C:\WINDOWS\pss\Qwest QuickNetworking.lnkStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Photo Downloader]
--a------ 2005-06-06 23:46 57344 C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Aim6]
C:\Program Files\Common Files\AOL\Launch\AOLLaunch.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ATIPTA]
--a------ 2005-06-28 20:05 344064 C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AVG7_CC]
--a------ 2007-06-23 21:39 416256 C:\PROGRA~1\Grisoft\AVG7\avgcc.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BitTorrent]
--a------ 2007-11-15 18:14 588080 C:\Program Files\BitTorrent\bittorrent.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Broadcom Wireless Manager UI]
C:\WINDOWS\system32\WLTRAY

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\CircleVirtualCD]
--a------ 2003-07-14 11:15 61440 C:\Program Files\Circle\VirtualCD\HvcdUI.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IndxStoreSvr_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}]
C:\Program Files\Common Files\Nero\Lib\NMIndexStoreSvr.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IPHSend]
C:\Program Files\Common Files\AOL\IPHSend\IPHSend.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ISUSPM Startup]
C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ISUSScheduler]
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\KernelFaultCheck]
C:\WINDOWS\system32\dumprep 0 -k

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NBKeyScan]
C:\Program Files\Nero\Nero8\Nero BackItUp\NBKeyScan.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PD0630 STISvc]
-ra------ 2005-06-05 11:01 36864 C:\WINDOWS\system32\P0630Pin.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PRISMSVR.EXE]
C:\WINDOWS\system32\PRISMSVR.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\StartUp]
C:\WINDOWS\trayicons.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunKist]
C:\Program Files\Digital Media Reader\shwicon2k.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SynTPLpr]
--a------ 2006-05-19 13:52 86105 C:\Program Files\Synaptics\SynTP\SynTPLpr.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ViewMgr]
--a------ 2007-01-04 15:38 112336 C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Weather]
--a------ 2006-04-07 14:02 1343488 C:\Program Files\AWS\WeatherBug\Weather.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WinVNC]
--a------ 2003-08-01 18:28 474624 C:\Program Files\TightVNC\WinVNC.exe

R1 HekkoVirtualCD;Hekko Virtual CD Driver;C:\WINDOWS\system32\Drivers\hvcd.sys [2003-07-14 10:46]
R2 Viewpoint Manager Service;Viewpoint Manager Service;"C:\Program Files\Viewpoint\Common\ViewpointService.exe" [2007-01-04 15:38]
R2 X4HSX32;X4HSX32;C:\Program Files\EXEtender\X4HSX32.Sys [2005-05-31 18:26]
S3 cisaspi0;Cistone ASPI Driver;C:\WINDOWS\system32\Drivers\cisaspi0.sys []
S3 P0630VID;Creative WebCam Live!;C:\WINDOWS\system32\DRIVERS\P0630Vid.sys [2005-06-05 19:44]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\D]
\Shell\AutoRun\command - D:\Start.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{8da80ab2-afd1-11db-a9b4-000ae4f3f14f}]
\Shell\AutoRun\command - E:\LaunchU3.exe -a

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{f1f21ac5-9354-11da-a8f4-00032532c61c}]
\Shell\AutoRun\command - E:\JDSecure\Windows\JDSecure31.exe


[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{A5CDF7EC-751B-46aa-AD69-4005FE080DE8}]
C:\WINDOWS\system32\sinmax.exe s
.
**************************************************************************

catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-02-19 00:57:49
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
------------------------ Other Running Processes ------------------------
.
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\System32\wltrysvc.exe
C:\WINDOWS\System32\bcmwltry.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Windows Media Player\WMPNetwk.exe
C:\Program Files\MSN Messenger\usnsvc.exe
C:\Program Files\MSN Messenger\livecall.exe
C:\Program Files\AIM6\aolsoftware.exe
.
**************************************************************************
.
Completion time: 2008-02-19 1:03:59 - machine was rebooted
ComboFix-quarantined-files.txt 2008-02-19 07:03:55
.
2008-02-14 21:54:11 --- E O F ---
 
I don't see ComboFix, but even if you did post it, I wouldn't be able to help... ceewi or gamemaster are good at this. For the time being, there ain't any need to look at inappropriate websites... if you are... if you're not... that's good.


EDIT: lol, I just saw the ComboFix right now.
 
Please download SDFix and save it to your Desktop.

Double click SDFix.exe and it will extract the files to C:\SDFix

You may wish to print out these instructions or copy them to a notepad document since you will be unable to access the Internet while in Safe Mode to read from this site.

Please then reboot your computer in Safe Mode (tap F8 just before Windows starts to load and select Safe Mode from the list).
  • Open the extracted SDFix folder and double click RunThis.bat to start the script.
  • Type Y to begin the cleanup process.
  • It will remove any Trojan Services and Registry Entries that it finds then prompt you to press any key to Reboot.
  • Press any Key and it will restart the PC.
  • When the PC restarts, the Fixtool will run again and complete the removal process, then display Finished; press any key to end the script and load your desktop icons.
  • Once the desktop icons load the SDFix report will open on screen and also save into the SDFix folder as Report.txt
    (Report.txt will also be copied to Clipboard ready for posting back on the forum).
  • Finally, paste the contents of the Report.txt back on the forum with a new HijackThis log.
 
SDFix Log

Microsoft Windows XP [Version 5.1.2600]
Running From: C:\SDFix

Checking Services:


Restoring Windows Registry Values
Restoring Windows Default Hosts File

Rebooting...


Checking Files:

Trojan Files Found:

C:\WINDOWS\system32\update32.exe.tmp - Deleted
C:\WINDOWS\system32\wscmp.dll.tmp - Deleted





Removing Temp Files...

ADS Check:



Final Check:

catchme 0.3.1344.2 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-02-19 11:45:15
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden services & system hive ...

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\sptd\Cfg]
"s1"=dword:f38c5b09
"s2"=dword:ed259484
"h0"=dword:00000001

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04]
"h0"=dword:00000000
"ujdew"=hex:30,62,1b,16,eb,c0,79,66,0e,64,74,5d,4c,39,b3,8d,40,4f,45,b1,83,..
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{6F80AA49-7202-4FE8-99AA-07F3A8F133C7}]
"LeaseObtainedTime"=dword:47bb158d
"T1"=dword:47bb1c95
"T2"=dword:47bb21db
"LeaseTerminatesTime"=dword:47bb239d
"DhcpRetryTime"=dword:00000706
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\{6F80AA49-7202-4FE8-99AA-07F3A8F133C7}\Parameters\Tcpip]
"LeaseObtainedTime"=dword:47bb158d
"T1"=dword:47bb1c95
"T2"=dword:47bb21db
"LeaseTerminatesTime"=dword:47bb239d
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services\NetBT\Parameters\Interfaces\Tcpip_{D17E4E7A-E488-48D5-B635-3F329F975E84}]
"DhcpNameServerList"=str(7):"134.129.111.178\0"
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services\SharedAccess\Epoch]
"Epoch"=dword:00002cd5
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04]
"h0"=dword:00000000
"ujdew"=hex:30,62,1b,16,eb,c0,79,66,0e,64,74,5d,4c,39,b3,8d,40,4f,45,b1,83,..
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services\Tcpip\Parameters]
"DhcpDomain"="nodak.edu"

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services\Tcpip\Parameters\Interfaces\{6F80AA49-7202-4FE8-99AA-07F3A8F133C7}]
"NTEContextList"=str(7):""
"DhcpServer"="255.255.255.255"
"LeaseObtainedTime"=dword:47b5f28e
"T1"=dword:47b5f996
"T2"=dword:47b5fedc
"LeaseTerminatesTime"=dword:47b6009e
"DhcpIPAddress"="0.0.0.0"
"DhcpSubnetMask"="255.0.0.0"

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services\Tcpip\Parameters\Interfaces\{D17E4E7A-E488-48D5-B635-3F329F975E84}]
"NTEContextList"=str(7):"0x00000002\0"
"LeaseObtainedTime"=dword:47ba7dc6
"T1"=dword:47ba84ce
"T2"=dword:47ba8a14
"LeaseTerminatesTime"=dword:47ba8bd6
"DhcpRetryTime"=dword:00000705
"DhcpRetryStatus"=dword:00000000
"DhcpNameServer"="134.129.111.111 134.129.201.29"
"DhcpDefaultGateway"=str(7):"134.129.60.100\0"
"DhcpDomain"="nodak.edu"
"DhcpSubnetMaskOpt"=str(7):"255.255.254.0\0"
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services\{6F80AA49-7202-4FE8-99AA-07F3A8F133C7}\Parameters\Tcpip]
"DhcpIPAddress"="0.0.0.0"
"DhcpSubnetMask"="255.0.0.0"
"DhcpServer"="255.255.255.255"
"LeaseObtainedTime"=dword:47b5f28e
"T1"=dword:47b5f996
"T2"=dword:47b5fedc
"LeaseTerminatesTime"=dword:47b6009e
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services\{D17E4E7A-E488-48D5-B635-3F329F975E84}\Parameters\Tcpip]
"LeaseObtainedTime"=dword:47ba7dc6
"T1"=dword:47ba84ce
"T2"=dword:47ba8a14
"LeaseTerminatesTime"=dword:47ba8bd6
"DhcpDefaultGateway"=str(7):"134.129.60.100\0"
"DhcpSubnetMaskOpt"=str(7):"255.255.254.0\0"

scanning hidden registry entries ...

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Reinstall\\24\xe1\21]
"DisplayName"="\xd008\x36c\xd008\x36c\1"
"DeviceDesc"="\xd008\x36c\xd008\x36c\1"
"ProviderName"="\xfed4\21\xee18\x7c90\xff44\21\b"
"MFG"="\x588"
"ReinstallString"="C:\WINDOWS\System32\ReinstallBackups\\xe114\21\x80\xc010\DriverFiles\.INF"
"DeviceInstanceIds"=str(7):"c:\cabs\9533116\smbus\smbusati.inf"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList\S-1-5-19]
"RefCount"=dword:00000001

scanning hidden files ...

scan completed successfully
hidden processes: 0
hidden services: 0
hidden files: 0


Remaining Services:



Authorized Application Key Export:

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list]

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\domainprofile\authorizedapplications\list]

Remaining Files:


File Backups: - C:\SDFix\backups\backups.zip

Files with Hidden Attributes:

Wed 4 Aug 2004 93,184 A.SH. --- "C:\Program Files\Internet Explorer\IEXPLORE.EXE"
Wed 4 Aug 2004 60,416 A.SH. --- "C:\Program Files\Outlook Express\msimn.exe"
Thu 21 Sep 2006 4,348 ..SH. --- "C:\Documents and Settings\All Users\DRM\DRMv1.bak"
Wed 20 Dec 2006 0 A.SH. --- "C:\Documents and Settings\All Users\DRM\Cache\Indiv01.tmp"
Wed 20 Dec 2006 0 A.SH. --- "C:\Documents and Settings\All Users\DRM\Cache\Indiv02.tmp"
Sun 30 Sep 2007 0 A.SH. --- "C:\Documents and Settings\All Users\DRM\Cache\Indiv03.tmp"
Thu 3 Jan 2008 0 A..H. --- "C:\WINDOWS\SoftwareDistribution\Download\12bb35ec2265dce083ec92c86f1e1ffc\BITEC.tmp"
Wed 19 Sep 2007 0 A..H. --- "C:\WINDOWS\SoftwareDistribution\Download\1db9e52f9e862450a2af87f2f5a16dbc\BIT6.tmp"
Thu 3 Jan 2008 0 A..H. --- "C:\WINDOWS\SoftwareDistribution\Download\b04031f0b83ee952189dd8beb4ee929a\BITEE.tmp"
Thu 3 Jan 2008 0 A..H. --- "C:\WINDOWS\SoftwareDistribution\Download\cf7ced0e70c80a1e476f1abf49afecb1\BITED.tmp"

Finished!
 
Hijack This Log

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 12:00:03 PM, on 2/19/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\wltrysvc.exe
C:\WINDOWS\System32\bcmwltry.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Viewpoint\Common\ViewpointService.exe
C:\Program Files\TightVNC\WinVNC.exe
C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
C:\WINDOWS\system32\notepad.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\QuickTime\qttask.exe
C:\PROGRA~1\Yahoo!\MESSEN~1\YAHOOM~1.EXE
C:\Program Files\MSN Messenger\MsnMsgr.Exe
C:\Program Files\AIM6\aim6.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\AIM6\aolsoftware.exe
C:\Program Files\MSN Messenger\usnsvc.exe
C:\Program Files\MSN Messenger\livecall.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoomail.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://us.rd.yahoo.com/customize/ie/defaults/su/msgr8/*http://www.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.com/customize/ie/defaults/sb/msgr8/*http://www.yahoo.com/ext/search/search.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://us.rd.yahoo.com/customize/ie/defaults/sp/msgr8/*http://www.yahoo.com
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://us.rd.yahoo.com/customize/ie/defaults/su/msgr8/*http://www.yahoo.com
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\PROGRA~1\Yahoo!\MESSEN~1\YAHOOM~1.EXE" -quiet
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [Aim6] "C:\Program Files\AIM6\aim6.exe" /d locale=en-US ee://aol/imApp
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Freebie Notes] "C:\Program Files\Power Soft\Freebie Notes\FreebieNotes.exe"
O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'Default user')
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\npjpi160_01.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\npjpi160_01.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll
O16 - DPF: {2B96D5CC-C5B5-49A5-A69D-CC0A30F9028C} - http://wdownload.weatherbug.com/minibug/tricklers/AWS/MiniBugTransporter.cab?
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
O16 - DPF: {3BFFE033-BF43-11D5-A271-00A024A51325} (iNotes6 Class) - http://hcmail1.co.hennepin.mn.us/iNotes6W.cab
O16 - DPF: {5F8469B4-B055-49DD-83F7-62B522420ECC} (Facebook Photo Uploader Control) - http://upload.facebook.com/controls/FacebookPhotoUploader.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1181780980500
O16 - DPF: {85D1F3B2-2A21-11D7-97B9-0010DC2A6243} (SecureLogin class) - http://secure2.comned.com/signuptemplates/securelogin-devel.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/MsnMessengerSetupDownloader.cab
O16 - DPF: {C4925E65-7A1E-11D2-8BB4-00A0C9CC72C3} - http://a532.g.akamai.net/f/532/6712/4h/player.virtools.com/downloads/player/Install3.0/Installer.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: Cisco Systems, Inc. VPN Service (CVPND) - Cisco Systems, Inc. - C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Unknown owner - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe (file missing)
O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exe
O23 - Service: VNC Server (winvnc) - Constantin Kaplinsky - C:\Program Files\TightVNC\WinVNC.exe
O23 - Service: Broadcom Wireless LAN Tray Service (wltrysvc) - Unknown owner - C:\WINDOWS\System32\wltrysvc.exe

--
End of file - 6530 bytes
 
Excellent, we're making progress.

Your logfile shows signs of Viewpoint Manager.
Viewpoint Manager is considered foistware rather than malware, since it is installed without the user's approval but doesn't spy or do anything bad. It is known to be intrusive, but there is some possibility that it is now being used by those companies to give them info about your habits. It is not considered spyware since this is not clear, but I would not tolerate it on my machine if I didn't install it.

Your logfile also shows signs of Weatherbug.
Weatherbug is often installed as a secondary application along with other popular programs. It gives you information about local weather conditions; however, it also displays ads. If you're looking for a free alternative that doesn't display ads, you may want to try WeatherPulse.

I suggest you remove both. To do so, click on Start -> Control Panel -> Add or Remove Programs.
To remove Viewpoint Manager, click on Viewpoint Manager and click Remove.
To remove Weatherbug, click on Weatherbug in the list and click Remove.

  • Open Notepad (Start -> Run -> type notepad in the Open field -> OK) and copy and paste the text present inside the code box below:

    Code:
    File::
    C:\WINDOWS\system32\sex2.ico.tmp
    C:\WINDOWS\system32\sex1.ico.tmp
    C:\WINDOWS\e01.exe
    C:\info.exe
    
    Registry::
    [-HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{A5CDF7EC-751B-46aa-AD69-4005FE080DE8}]
  • Save this as CFScript.txt and change the Save as type to All Files and place it on your desktop.

    [screenshot: CFScript.gif]

  • Referring to the screenshot above, drag CFScript.txt into ComboFix.exe.
  • ComboFix will now run a scan on your system. It may reboot your system when it finishes. This is normal.
  • When finished, it shall produce a log for you. Copy and paste the contents of the log in your next reply.
CAUTION:
Do NOT mouse-click ComboFix's window while it is running. That may cause it to stall.
Also, please do NOT adjust your time format while ComboFix is running.

Please run HijackThis and choose Do a system scan only.

Place a check next to the following entries:
If you chose to remove Viewpoint Manager, place a check next to the following entry (if still present):
  • O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exe

If you chose to remove Weatherbug, place a check next to the following entry:

Please close all open windows except for HijackThis and choose Fix checked.

Please reboot and post a new HijackThis log. How is your system running now?
 
Combofix Log

"DhcpNameServerList"=str(7):"134.129.111.178\0"
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services\SharedAccess\Epoch]
"Epoch"=dword:00002cd5
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04]
"h0"=dword:00000000
"ujdew"=hex:30,62,1b,16,eb,c0,79,66,0e,64,74,5d,4c,39,b3,8d,40,4f,45,b1,83,..
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services\Tcpip\Parameters]
"DhcpDomain"="nodak.edu"

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services\Tcpip\Parameters\Interfaces\{6F80AA49-7202-4FE8-99AA-07F3A8F133C7}]
"NTEContextList"=str(7):""
"DhcpServer"="255.255.255.255"
"LeaseObtainedTime"=dword:47b5f28e
"T1"=dword:47b5f996
"T2"=dword:47b5fedc
"LeaseTerminatesTime"=dword:47b6009e
"DhcpIPAddress"="0.0.0.0"
"DhcpSubnetMask"="255.0.0.0"

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services\Tcpip\Parameters\Interfaces\{D17E4E7A-E488-48D5-B635-3F329F975E84}]
"NTEContextList"=str(7):"0x00000002\0"
"LeaseObtainedTime"=dword:47ba7dc6
"T1"=dword:47ba84ce
"T2"=dword:47ba8a14
"LeaseTerminatesTime"=dword:47ba8bd6
"DhcpRetryTime"=dword:00000705
"DhcpRetryStatus"=dword:00000000
"DhcpNameServer"="134.129.111.111 134.129.201.29"
"DhcpDefaultGateway"=str(7):"134.129.60.100\0"
"DhcpDomain"="nodak.edu"
"DhcpSubnetMaskOpt"=str(7):"255.255.254.0\0"
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services\{6F80AA49-7202-4FE8-99AA-07F3A8F133C7}\Parameters\Tcpip]
"DhcpIPAddress"="0.0.0.0"
"DhcpSubnetMask"="255.0.0.0"
"DhcpServer"="255.255.255.255"
"LeaseObtainedTime"=dword:47b5f28e
"T1"=dword:47b5f996
"T2"=dword:47b5fedc
"LeaseTerminatesTime"=dword:47b6009e
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services\{D17E4E7A-E488-48D5-B635-3F329F975E84}\Parameters\Tcpip]
"LeaseObtainedTime"=dword:47ba7dc6
"T1"=dword:47ba84ce
"T2"=dword:47ba8a14
"LeaseTerminatesTime"=dword:47ba8bd6
"DhcpDefaultGateway"=str(7):"134.129.60.100\0"
"DhcpSubnetMaskOpt"=str(7):"255.255.254.0\0"

scanning hidden registry entries ...

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Reinstall\\24\xe1\21]
"DisplayName"="\xd008\x36c\xd008\x36c\1"
"DeviceDesc"="\xd008\x36c\xd008\x36c\1"
"ProviderName"="\xfed4\21\xee18\x7c90\xff44\21\b"
"MFG"="\x588"
"ReinstallString"="C:\WINDOWS\System32\ReinstallBackups\\xe114\21\x80\xc010\DriverFiles\.INF"
"DeviceInstanceIds"=str(7):"c:\cabs\9533116\smbus\smbusati.inf"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList\S-1-5-19]
"RefCount"=dword:00000001

scanning hidden files ...

scan completed successfully
hidden processes: 0
hidden services: 0
hidden files: 0


Remaining Services:



Authorized Application Key Export:

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list]

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\domainprofile\authorizedapplications\list]

Remaining Files:


File Backups: - C:\SDFix\backups\backups.zip

Files with Hidden Attributes:

Wed 4 Aug 2004 93,184 A.SH. --- "C:\Program Files\Internet Explorer\IEXPLORE.EXE"
Wed 4 Aug 2004 60,416 A.SH. --- "C:\Program Files\Outlook Express\msimn.exe"
Thu 21 Sep 2006 4,348 ..SH. --- "C:\Documents and Settings\All Users\DRM\DRMv1.bak"
Wed 20 Dec 2006 0 A.SH. --- "C:\Documents and Settings\All Users\DRM\Cache\Indiv01.tmp"
Wed 20 Dec 2006 0 A.SH. --- "C:\Documents and Settings\All Users\DRM\Cache\Indiv02.tmp"
Sun 30 Sep 2007 0 A.SH. --- "C:\Documents and Settings\All Users\DRM\Cache\Indiv03.tmp"
Thu 3 Jan 2008 0 A..H. --- "C:\WINDOWS\SoftwareDistribution\Download\12bb35ec2265dce083ec92c86f1e1ffc\BITEC.tmp"
Wed 19 Sep 2007 0 A..H. --- "C:\WINDOWS\SoftwareDistribution\Download\1db9e52f9e862450a2af87f2f5a16dbc\BIT6.tmp"
Thu 3 Jan 2008 0 A..H. --- "C:\WINDOWS\SoftwareDistribution\Download\b04031f0b83ee952189dd8beb4ee929a\BITEE.tmp"
Thu 3 Jan 2008 0 A..H. --- "C:\WINDOWS\SoftwareDistribution\Download\cf7ced0e70c80a1e476f1abf49afecb1\BITED.tmp"

Finished!
 
Hijack This Log

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 2:26:25 AM, on 2/20/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\wltrysvc.exe
C:\WINDOWS\System32\bcmwltry.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\system32\svchost.exe
C:\Program Files\TightVNC\WinVNC.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\PROGRA~1\Yahoo!\MESSEN~1\YAHOOM~1.EXE
C:\Program Files\MSN Messenger\MsnMsgr.Exe
C:\Program Files\AIM6\aim6.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\AIM6\aolsoftware.exe
C:\Program Files\MSN Messenger\usnsvc.exe
C:\Program Files\MSN Messenger\livecall.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoomail.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://us.rd.yahoo.com/customize/ie/defaults/su/msgr8/*http://www.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.com/customize/ie/defaults/sb/msgr8/*http://www.yahoo.com/ext/search/search.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://us.rd.yahoo.com/customize/ie/defaults/sp/msgr8/*http://www.yahoo.com
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://us.rd.yahoo.com/customize/ie/defaults/su/msgr8/*http://www.yahoo.com
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\PROGRA~1\Yahoo!\MESSEN~1\YAHOOM~1.EXE" -quiet
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [Aim6] "C:\Program Files\AIM6\aim6.exe" /d locale=en-US ee://aol/imApp
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'Default user')
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\npjpi160_01.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\npjpi160_01.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll
O16 - DPF: {2B96D5CC-C5B5-49A5-A69D-CC0A30F9028C} - http://wdownload.weatherbug.com/minibug/tricklers/AWS/MiniBugTransporter.cab?
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
O16 - DPF: {3BFFE033-BF43-11D5-A271-00A024A51325} (iNotes6 Class) - http://hcmail1.co.hennepin.mn.us/iNotes6W.cab
O16 - DPF: {5F8469B4-B055-49DD-83F7-62B522420ECC} (Facebook Photo Uploader Control) - http://upload.facebook.com/controls/FacebookPhotoUploader.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1181780980500
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/MsnMessengerSetupDownloader.cab
O16 - DPF: {C4925E65-7A1E-11D2-8BB4-00A0C9CC72C3} - http://a532.g.akamai.net/f/532/6712/4h/player.virtools.com/downloads/player/Install3.0/Installer.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: Cisco Systems, Inc. VPN Service (CVPND) - Cisco Systems, Inc. - C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Unknown owner - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe (file missing)
O23 - Service: VNC Server (winvnc) - Constantin Kaplinsky - C:\Program Files\TightVNC\WinVNC.exe
O23 - Service: Broadcom Wireless LAN Tray Service (wltrysvc) - Unknown owner - C:\WINDOWS\System32\wltrysvc.exe

--
End of file - 5682 bytes
 
Update

OK, well, we have a couple of issues. First off, I went into the control panel, then to add/remove programs to remove Viewpoint Manager. In the add/remove programs window, the list is severely limited, and I have no option to remove any programs listed (the list is about 1/4 as long as it is normally and Viewpoint Manager is not listed at all). I want to remove Viewpoint, but not remove Weatherbug (I know it comes with other ad software, but I've monitored it to keep it in check). Is there another program I can run to scan for general viruses? (I have Ad-Aware, AVG, and McAfee at my disposal, but on another post you told someone not to run another virus scanner because it screws you up.) What should I do?
 
It's not a good idea to run two anti-virus scanners in resident mode. You can have two installed, but the real-time scanning feature of one should be turned off. Alternatively, there are a number of online antivirus scanners available, but I suggest we work through the process of cleaning the system first, and you can run those afterwards to find anything leftover.

The log in your previous post appears to be from SDFix rather than ComboFix. Please ensure that you are dragging CFScript into ComboFix and not SDFix.

With regards to the uninstall problem, I'd like an export of your Uninstall key, to see if there are any problems there that could be causing this.

Please run Notepad and copy the contents of the codebox below into a new Notepad document. Please do not include the word Code:
Code:
regedit.exe /e uninstall.txt HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall
Save the file as C:\uninstall.bat and make sure the Save as type field says All files. Navigate to your C:\ drive and double click on uninstall.bat. This should create a file C:\uninstall.txt (you may need to refresh your screen to see it - press F5 to do so).

Please post the contents of C:\uninstall.txt
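The export the reply above asks for is a plain-text .reg file, so it can be checked mechanically rather than read by eye. The Python script below is an added example (not part of the thread, and not code from any tool mentioned in it): it parses a regedit.exe /e export, pulls out each subkey under Uninstall, and says whether Add or Remove Programs would list it, using the display rules as this example applies them (a subkey needs a DisplayName and an UninstallString, or must be a Windows Installer product, and SystemComponent=1 hides it). The sample export is constructed; the ExampleViewer and ExampleHotfix subkeys are invented to show records that would not appear in the list. On XP, regedit writes the export as UTF-16 with a byte-order mark, which load_reg_export handles when reading a real file.

```python
"""Parse a regedit.exe /e export of the Uninstall key: added example, not from the thread."""
import re

UNINSTALL_KEY = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall"

# CONSTRUCTED sample in the format regedit.exe /e produces. The ExampleViewer and
# ExampleHotfix subkeys are invented to show records Add or Remove Programs would hide.
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\HijackThis]
"DisplayName"="HijackThis 2.0.2"
"UninstallString"="\"C:\\Program Files\\Trend Micro\\HijackThis\\HijackThis.exe\" /uninstall"
"DisplayVersion"="2.0.2"
"Publisher"="TrendMicro"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\ExampleViewer]
"UninstallString"="C:\\Program Files\\ExampleViewer\\uninst.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\ExampleHotfix]
"DisplayName"="Example Hotfix"
"UninstallString"="C:\\WINDOWS\\hotfix\\spuninst.exe"
"SystemComponent"=dword:00000001
'''

KEY_RE = re.compile(r"^\[(?P<key>[^\]]+)\]$")
VAL_RE = re.compile(r'^"(?P<name>(?:[^"\\]|\\.)*)"=(?P<val>.*)$')


def _unescape(s):
    # .reg string escapes: \\ -> \ and \" -> "
    return re.sub(r"\\(.)", r"\1", s)


def parse_reg_export(text):
    """{key path: {value name: str | int}}; only string and dword values are decoded."""
    keys, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith(("Windows Registry Editor", "REGEDIT4", ";")):
            continue
        m = KEY_RE.match(line)
        if m:
            current = m["key"]
            keys[current] = {}
            continue
        m = VAL_RE.match(line)
        if m and current is not None:
            name, val = _unescape(m["name"]), m["val"]
            if val.startswith('"') and val.endswith('"'):
                keys[current][name] = _unescape(val[1:-1])
            elif val.startswith("dword:"):
                keys[current][name] = int(val[6:], 16)
            # hex(...) blobs, which may continue over several lines, are left out
    return keys


def arp_status(keys):
    """For each Uninstall subkey: 'listed', or why Add or Remove Programs would hide it
    (display rules as this example applies them: needs DisplayName and an UninstallString
    unless it is a Windows Installer product, and SystemComponent=1 hides it)."""
    prefix = UNINSTALL_KEY.lower() + "\\"
    status = {}
    for key, values in keys.items():
        if not key.lower().startswith(prefix):
            continue
        sub = key[len(prefix):]
        if values.get("SystemComponent") == 1:
            status[sub] = "hidden: SystemComponent=1"
        elif "DisplayName" not in values:
            status[sub] = "hidden: no DisplayName"
        elif "UninstallString" not in values and values.get("WindowsInstaller") != 1:
            status[sub] = "hidden: no UninstallString"
        else:
            status[sub] = "listed"
    return status


def load_reg_export(path):
    """Read a regedit.exe /e file; XP writes UTF-16LE with a BOM, older exports are ANSI."""
    with open(path, "rb") as f:
        data = f.read()
    if data.startswith(b"\xff\xfe"):
        return data.decode("utf-16")
    return data.decode("latin-1")


if __name__ == "__main__":
    keys = parse_reg_export(SAMPLE_REG)
    for sub, state in arp_status(keys).items():
        name = keys[UNINSTALL_KEY + "\\" + sub].get("DisplayName", "(no DisplayName)")
        print(f"{sub:15} {name:25} {state}")
```

With a real export, `parse_reg_export(load_reg_export(r"C:\uninstall.txt"))` gives the same picture the helper wants from the pasted file: how many subkeys exist at all, and, for the ones that do, whether the missing Add or Remove Programs entries are explained by the values under them or by the subkeys simply being gone.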
 
ComboFix Log

ComboFix 08-02-19.2 - Dylan 2008-02-20 2:11:13.2 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.550 [GMT -6:00]
Running from: C:\Documents and Settings\Dylan\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\Dylan\Desktop\CFScript.txt
* Created a new restore point

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!

FILE ::
C:\info.exe
C:\WINDOWS\e01.exe
C:\WINDOWS\system32\sex1.ico.tmp
C:\WINDOWS\system32\sex2.ico.tmp
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\info.exe
C:\WINDOWS\e01.exe
C:\WINDOWS\system32\sex1.ico.tmp
C:\WINDOWS\system32\sex2.ico.tmp

.
((((((((((((((((((((((((( Files Created from 2008-01-20 to 2008-02-20 )))))))))))))))))))))))))))))))
.

2008-02-19 10:44 . 2008-02-19 10:45 <DIR> d-------- C:\WINDOWS\ERUNT
2008-02-19 10:37 . 2008-02-19 11:57 <DIR> d-------- C:\SDFix
2008-02-19 01:10 . 2008-02-19 01:10 <DIR> d-------- C:\Program Files\Trend Micro
2008-02-18 23:04 . 2007-06-05 10:56 44,928 --a------ C:\WINDOWS\system32\drivers\SDTHOOK.SYS
2008-02-18 23:03 . 2007-06-08 09:44 8,576 --a------ C:\WINDOWS\system32\drivers\qbphsfchiqga.sys
2008-02-18 22:53 . 2008-02-19 00:12 <DIR> d-------- C:\WINDOWS\system32\ActiveScan
2008-02-18 22:53 . 2008-02-18 22:53 30,590 --a------ C:\WINDOWS\system32\pavas.ico
2008-02-18 22:53 . 2008-02-18 22:53 2,550 --a------ C:\WINDOWS\system32\Uninstall.ico
2008-02-18 22:53 . 2008-02-18 22:53 1,406 --a------ C:\WINDOWS\system32\Help.ico
2008-02-16 10:01 . 2008-02-18 02:11 <DIR> d-------- C:\Westwood
2008-02-14 14:44 . 2008-02-14 14:44 15,042 --a------ C:\AirlineHistory.zip
2008-02-13 22:27 . 2008-02-13 22:27 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\NCH Swift Sound
2008-02-13 22:25 . 2008-02-13 22:25 <DIR> d-------- C:\Documents and Settings\Dylan\Application Data\NCH Software
2008-02-13 22:25 . 2008-02-13 22:25 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\NCH Software
2008-01-26 18:24 . 2008-01-26 18:24 <DIR> d-------- C:\Program Files\CCleaner
2008-01-24 15:01 . 2008-02-20 01:59 <DIR> d-------- C:\AirlineStudentHistory
2008-01-24 15:01 . 2008-02-20 01:58 <DIR> d-------- C:\AirlineHistory
2008-01-20 11:20 . 2008-01-20 11:20 552 --a------ C:\WINDOWS\system32\d3d8caps.dat

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-02-19 05:52 --------- d-----w C:\Program Files\MSN Messenger
2008-02-19 05:40 --------- d-----w C:\Program Files\AIM6
2008-02-19 01:30 --------- d-----w C:\Documents and Settings\Dylan\Application Data\AVG7
2008-02-19 01:17 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-02-19 00:58 --------- d-----w C:\Program Files\Maxis
2008-02-17 18:13 --------- d-----w C:\Program Files\Viewpoint
2008-02-17 18:13 --------- d-----w C:\Documents and Settings\All Users\Application Data\Viewpoint
2008-02-17 18:12 --------- d-----w C:\Documents and Settings\All Users\Application Data\AOL
2008-02-16 15:09 --------- d-----w C:\Documents and Settings\All Users\Application Data\AOL Downloads
2008-02-15 07:25 --------- d-----w C:\Documents and Settings\Dylan\Application Data\U3
2008-02-15 04:29 --------- d-----w C:\Documents and Settings\Dylan\Application Data\BitTorrent
2008-02-14 04:25 --------- d-----w C:\Program Files\NCH Software
2008-02-12 19:58 43,520 ----a-w C:\WINDOWS\system32\CmdLineExt03.dll
2008-02-12 19:00 --------- d-----w C:\Program Files\Diablo II
2008-01-31 05:54 --------- d-----w C:\Documents and Settings\Dylan\Application Data\WeatherBug
2008-01-22 06:03 --------- d-----w C:\Program Files\Hero Editor
2008-01-22 06:02 73,216 ----a-w C:\WINDOWS\ST6UNST.EXE
2008-01-22 06:02 249,856 ------w C:\WINDOWS\Setup1.exe
2008-01-19 14:52 --------- d-----w C:\Program Files\EA GAMES
2008-01-19 14:48 --------- d-----w C:\Program Files\Common Files\InstallShield
2007-12-21 19:44 --------- d---a-w C:\Documents and Settings\All Users\Application Data\TEMP
2007-12-21 19:11 --------- d-----w C:\Program Files\WON
2007-12-21 18:53 94,208 ----a-w C:\WINDOWS\ScUnin.exe
2007-12-21 18:53 --------- d-----w C:\Program Files\Starcraft
2007-12-21 06:22 --------- d-----w C:\Program Files\Common Files\Nero
2007-12-21 06:22 --------- d-----w C:\Documents and Settings\All Users\Application Data\Nero
2007-12-21 05:59 --------- d-----w C:\Documents and Settings\Dylan\Application Data\Nero
2007-12-07 00:44 666,112 ----a-w C:\WINDOWS\system32\wininet.dll
2007-12-04 18:38 550,912 ----a-w C:\WINDOWS\system32\oleaut32.dll
2007-12-02 04:57 52,338 ----a-w C:\WINDOWS\system32\RadLightOggUninstall.exe
2007-11-24 05:19 57,344 ----a-w C:\WINDOWS\system32\COMMTB32.DLL
2007-11-24 05:19 28,672 ----a-w C:\WINDOWS\system32\HLP95EN.DLL
2007-11-24 05:19 169,984 ----a-w C:\WINDOWS\system32\P2D.DLL
2007-11-24 05:19 161,552 ----a-w C:\WINDOWS\system32\ASYCPICT.DLL
2006-11-11 12:16 1,740 ----a-w C:\Documents and Settings\Dylan\HISCORES.DAT
1997-05-13 23:26 3,206,344 ----a-w C:\Documents and Settings\Dylan\HOSPPAT.EXE
1994-06-01 03:00 265,396 ----a-w C:\Documents and Settings\Dylan\DOS4GW.EXE
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Yahoo! Pager"="C:\PROGRA~1\Yahoo!\MESSEN~1\YAHOOM~1.exe" [2006-11-30 21:49 4662776]
"MsnMsgr"="C:\Program Files\MSN Messenger\MsnMsgr.exe" [2007-01-19 12:54 5674352]
"Aim6"="C:\Program Files\AIM6\aim6.exe" [2008-01-03 10:15 50528]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 06:00 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SynTPEnh"="C:\Program Files\Synaptics\SynTP\SynTPEnh.exe" [2006-05-19 13:51 774233]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"AVG7_Run"="C:\PROGRA~1\Grisoft\AVG7\avgw.exe" [2007-06-23 21:39 145920]

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Adobe Reader Speed Launch.lnk
backup=C:\WINDOWS\pss\Adobe Reader Speed Launch.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Cisco Systems VPN Client.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Cisco Systems VPN Client.lnk
backup=C:\WINDOWS\pss\Cisco Systems VPN Client.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^Dylan^Start Menu^Programs^Startup^Qwest QuickNetworking.lnk]
path=C:\Documents and Settings\Dylan\Start Menu\Programs\Startup\Qwest QuickNetworking.lnk
backup=C:\WINDOWS\pss\Qwest QuickNetworking.lnkStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Photo Downloader]
--a------ 2005-06-06 23:46 57344 C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Aim6]
C:\Program Files\Common Files\AOL\Launch\AOLLaunch.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ATIPTA]
--a------ 2005-06-28 20:05 344064 C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AVG7_CC]
--a------ 2007-06-23 21:39 416256 C:\PROGRA~1\Grisoft\AVG7\avgcc.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BitTorrent]
--a------ 2007-11-15 18:14 588080 C:\Program Files\BitTorrent\bittorrent.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Broadcom Wireless Manager UI]
C:\WINDOWS\system32\WLTRAY

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\CircleVirtualCD]
--a------ 2003-07-14 11:15 61440 C:\Program Files\Circle\VirtualCD\HvcdUI.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IndxStoreSvr_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}]
C:\Program Files\Common Files\Nero\Lib\NMIndexStoreSvr.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IPHSend]
C:\Program Files\Common Files\AOL\IPHSend\IPHSend.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ISUSPM Startup]
C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ISUSScheduler]
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\KernelFaultCheck]
C:\WINDOWS\system32\dumprep 0 -k

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NBKeyScan]
C:\Program Files\Nero\Nero8\Nero BackItUp\NBKeyScan.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PD0630 STISvc]
-ra------ 2005-06-05 11:01 36864 C:\WINDOWS\system32\P0630Pin.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PRISMSVR.EXE]
C:\WINDOWS\system32\PRISMSVR.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\StartUp]
C:\WINDOWS\trayicons.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunKist]
C:\Program Files\Digital Media Reader\shwicon2k.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SynTPLpr]
--a------ 2006-05-19 13:52 86105 C:\Program Files\Synaptics\SynTP\SynTPLpr.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ViewMgr]
--a------ 2007-01-04 15:38 112336 C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Weather]
--a------ 2006-04-07 14:02 1343488 C:\Program Files\AWS\WeatherBug\Weather.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WinVNC]
--a------ 2003-08-01 18:28 474624 C:\Program Files\TightVNC\WinVNC.exe

R1 HekkoVirtualCD;Hekko Virtual CD Driver;C:\WINDOWS\system32\Drivers\hvcd.sys [2003-07-14 10:46]
R2 Viewpoint Manager Service;Viewpoint Manager Service;"C:\Program Files\Viewpoint\Common\ViewpointService.exe" [2007-01-04 15:38]
R2 X4HSX32;X4HSX32;C:\Program Files\EXEtender\X4HSX32.Sys [2005-05-31 18:26]
S3 cisaspi0;Cistone ASPI Driver;C:\WINDOWS\system32\Drivers\cisaspi0.sys []
S3 P0630VID;Creative WebCam Live!;C:\WINDOWS\system32\DRIVERS\P0630Vid.sys [2005-06-05 19:44]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\D]
\Shell\AutoRun\command - D:\Start.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{8da80ab2-afd1-11db-a9b4-000ae4f3f14f}]
\Shell\AutoRun\command - E:\LaunchU3.exe -a

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{f1f21ac5-9354-11da-a8f4-00032532c61c}]
\Shell\AutoRun\command - E:\JDSecure\Windows\JDSecure31.exe

.
**************************************************************************

catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-02-20 02:14:40
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2008-02-20 2:15:31
ComboFix-quarantined-files.txt 2008-02-20 08:15:11
ComboFix2.txt 2008-02-19 07:03:59
.
2008-02-14 21:54:11 --- E O F ---
 
Uninstall Registry

Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\HijackThis]
"DisplayName"="HijackThis 2.0.2"
"UninstallString"="\"C:\\Program Files\\Trend Micro\\HijackThis\\HijackThis.exe\" /uninstall"
"DisplayIcon"="C:\\Program Files\\Trend Micro\\HijackThis\\HijackThis.exe"
"DisplayVersion"="2.0.2"
"Publisher"="TrendMicro"
 
That's unusual; there should be a lot more than that under that key.

Please download Deckard's System Scanner (DSS) and save it to your Desktop.
  • Close all other windows before proceeding.
  • Double-click on dss.exe and follow the prompts.
  • If your anti-virus or firewall complains, please allow this script to run as it is not malicious.
  • When it has finished, dss will open two Notepads main.txt and extra.txt -- please copy (CTRL+A and then CTRL+C) and paste (CTRL+V) the contents of main.txt and extra.txt in your next reply.
 
Main.txt

Deckard's System Scanner v20071014.68
Run by Dylan on 2008-02-21 10:52:08
Computer is in Normal Mode.
--------------------------------------------------------------------------------

-- System Restore --------------------------------------------------------------

Successfully created a Deckard's System Scanner Restore Point.


-- Last 5 Restore Point(s) --
101: 2008-02-21 16:52:14 UTC - RP573 - Deckard's System Scanner Restore Point
100: 2008-02-21 08:27:26 UTC - RP572 - System Checkpoint
99: 2008-02-20 08:10:46 UTC - RP571 - ComboFix created restore point
98: 2008-02-20 07:16:10 UTC - RP570 - System Checkpoint
97: 2008-02-19 06:51:27 UTC - RP569 - ComboFix created restore point


-- First Restore Point --
1: 2007-11-24 02:32:56 UTC - RP473 - System Checkpoint


Backed up registry hives.
Performed disk cleanup.



-- HijackThis (run as Dylan.exe) -----------------------------------------------

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 10:53:04 AM, on 2/21/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\wltrysvc.exe
C:\WINDOWS\System32\bcmwltry.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\system32\svchost.exe
C:\Program Files\TightVNC\WinVNC.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\PROGRA~1\Yahoo!\MESSEN~1\YAHOOM~1.EXE
C:\Program Files\MSN Messenger\MsnMsgr.Exe
C:\Program Files\AIM6\aim6.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\AIM6\aolsoftware.exe
C:\Program Files\MSN Messenger\usnsvc.exe
C:\WINDOWS\system32\WISPTIS.EXE
C:\Program Files\Cisco Systems\VPN Client\vpngui.exe
C:\Program Files\MSN Messenger\livecall.exe
C:\Documents and Settings\Dylan\Desktop\dss.exe
C:\PROGRA~1\TRENDM~1\HIJACK~1\Dylan.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoomail.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://us.rd.yahoo.com/customize/ie/defaults/su/msgr8/*http://www.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.com/customize/ie/defaults/sb/msgr8/*http://www.yahoo.com/ext/search/search.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://us.rd.yahoo.com/customize/ie/defaults/sp/msgr8/*http://www.yahoo.com
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://us.rd.yahoo.com/customize/ie/defaults/su/msgr8/*http://www.yahoo.com
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\PROGRA~1\Yahoo!\MESSEN~1\YAHOOM~1.EXE" -quiet
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [Aim6] "C:\Program Files\AIM6\aim6.exe" /d locale=en-US ee://aol/imApp
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'Default user')
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\npjpi160_01.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\npjpi160_01.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll
O16 - DPF: {2B96D5CC-C5B5-49A5-A69D-CC0A30F9028C} - http://wdownload.weatherbug.com/minibug/tricklers/AWS/MiniBugTransporter.cab?
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
O16 - DPF: {3BFFE033-BF43-11D5-A271-00A024A51325} (iNotes6 Class) - http://hcmail1.co.hennepin.mn.us/iNotes6W.cab
O16 - DPF: {5F8469B4-B055-49DD-83F7-62B522420ECC} (Facebook Photo Uploader Control) - http://upload.facebook.com/controls/FacebookPhotoUploader.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1181780980500
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/MsnMessengerSetupDownloader.cab
O16 - DPF: {C4925E65-7A1E-11D2-8BB4-00A0C9CC72C3} - http://a532.g.akamai.net/f/532/6712/4h/player.virtools.com/downloads/player/Install3.0/Installer.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: Cisco Systems, Inc. VPN Service (CVPND) - Cisco Systems, Inc. - C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Unknown owner - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe (file missing)
O23 - Service: VNC Server (winvnc) - Constantin Kaplinsky - C:\Program Files\TightVNC\WinVNC.exe
O23 - Service: Broadcom Wireless LAN Tray Service (wltrysvc) - Unknown owner - C:\WINDOWS\System32\wltrysvc.exe

--
End of file - 5722 bytes

-- HijackThis Fixed Entries (C:\PROGRA~1\TRENDM~1\HIJACK~1\backups\) -----------

backup-20080220-022140-115 O16 - DPF: {85D1F3B2-2A21-11D7-97B9-0010DC2A6243} (SecureLogin class) - http://secure2.comned.com/signuptemplates/securelogin-devel.cab
backup-20080220-022140-197 R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
backup-20080220-022140-883 O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exe

-- File Associations -----------------------------------------------------------

All associations okay.


-- Drivers: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled ---------------------

R1 HekkoVirtualCD (Hekko Virtual CD Driver) - c:\windows\system32\drivers\hvcd.sys <Not Verified; Circle of One Software; Hekko Virtual CD>
R2 AegisP (AEGIS Protocol (IEEE 802.1x) v3.2.0.3) - c:\windows\system32\drivers\aegisp.sys <Not Verified; Meetinghouse Data Communications; AEGIS Client 3.2.0.3>
R2 MDC8021X (AEGIS Protocol (IEEE 802.1x) v2.3.1.9) - c:\windows\system32\drivers\mdc8021x.sys <Not Verified; Meetinghouse Data Communications; AEGIS Client 2.3.1.9>
R2 X4HSX32 - c:\program files\exetender\x4hsx32.sys <Not Verified; Exent Technologies Ltd.; Exent EXETender® for Win2K>

S3 catchme - c:\docume~1\dylan\locals~1\temp\catchme.sys (file missing)
S3 cisaspi0 (Cistone ASPI Driver) - c:\windows\system32\drivers\cisaspi0.sys (file missing)
S3 EMCFILT (Alcor Micro Corp for Emachine- 9361) - c:\windows\system32\drivers\emcfilt.sys <Not Verified; Alcor Micro Corp.; emcfilt>
S3 Pcouffin (Low level access layer for CD devices) - c:\windows\system32\drivers\pcouffin.sys (file missing)
S3 SDTHOOK - c:\windows\system32\drivers\sdthook.sys <Not Verified; Panda Software; Panda® Antivirus>


-- Services: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled --------------------

R2 winvnc (VNC Server) - "c:\program files\tightvnc\winvnc.exe" -service <Not Verified; Constantin Kaplinsky; TightVNC Win32 Server>

S3 IDriverT (InstallDriver Table Manager) - "c:\program files\common files\installshield\driver\11\intel 32\idrivert.exe" (file missing)
S4 Viewpoint Manager Service - "c:\program files\viewpoint\common\viewpointservice.exe" <Not Verified; Viewpoint Corporation; Viewpoint Manager>


-- Device Manager: Disabled ----------------------------------------------------

Class GUID: {4D36E972-E325-11CE-BFC1-08002BE10318}
Description: Marvell Yukon 88E8036 PCI-E Fast Ethernet Controller
Device ID: PCI\VEN_11AB&DEV_4351&SUBSYS_0506107B&REV_10\4&2EA2911C&0&0030
Manufacturer: Marvell
Name: Marvell Yukon 88E8036 PCI-E Fast Ethernet Controller
PNP Device ID: PCI\VEN_11AB&DEV_4351&SUBSYS_0506107B&REV_10\4&2EA2911C&0&0030
Service: yukonwxp

Class GUID: {4D36E972-E325-11CE-BFC1-08002BE10318}
Description: 1394 Net Adapter
Device ID: V1394\NIC1394\5000CE5F32521
Manufacturer: Microsoft
Name: 1394 Net Adapter #2
PNP Device ID: V1394\NIC1394\5000CE5F32521
Service: NIC1394

Class GUID: {4D36E97E-E325-11CE-BFC1-08002BE10318}
Description: PCI Modem
Device ID: PCI\VEN_1002&DEV_4378&SUBSYS_0506107B&REV_02\3&13C0B0C5&0&A6
Manufacturer:
Name: PCI Modem
PNP Device ID: PCI\VEN_1002&DEV_4378&SUBSYS_0506107B&REV_02\3&13C0B0C5&0&A6
Service:

Class GUID: {4D36E972-E325-11CE-BFC1-08002BE10318}
Description: Cisco Systems VPN Adapter
Device ID: ROOT\NET\0000
Manufacturer: Cisco Systems
Name: Cisco Systems VPN Adapter
PNP Device ID: ROOT\NET\0000
Service: CVirtA


-- Files created between 2008-01-21 and 2008-02-21 -----------------------------

2008-02-20 10:11:49 99 --a------ C:\uninstall.bat
2008-02-19 10:44:57 0 d-------- C:\WINDOWS\ERUNT
2008-02-19 01:10:44 0 d-------- C:\Program Files\Trend Micro
2008-02-19 00:51:01 68096 --a------ C:\WINDOWS\system32\zip.exe
2008-02-19 00:51:01 98816 --a------ C:\WINDOWS\system32\sed.exe
2008-02-19 00:51:01 80412 --a------ C:\WINDOWS\system32\grep.exe
2008-02-19 00:51:01 73728 --a------ C:\WINDOWS\system32\fdsv.exe <Not Verified; Smallfrogs Studio; >
2008-02-18 23:04:09 44928 --a------ C:\WINDOWS\system32\drivers\SDTHOOK.SYS <Not Verified; Panda Software; Panda® Antivirus>
2008-02-18 23:03:37 8576 --a------ C:\WINDOWS\system32\drivers\qbphsfchiqga.sys <Not Verified; Panda Software International; RKPavProc Driver>
2008-02-18 22:53:01 0 d-------- C:\WINDOWS\system32\ActiveScan
2008-02-18 19:24:02 0 dr-h----- C:\Documents and Settings\Dylan\Recent
2008-02-16 10:01:14 0 d-------- C:\Westwood
2008-02-13 22:27:10 0 d-------- C:\Documents and Settings\All Users\Application Data\NCH Swift Sound
2008-02-13 22:25:49 0 d-------- C:\Documents and Settings\All Users\Application Data\NCH Software
2008-02-13 22:25:32 0 d-------- C:\Documents and Settings\Dylan\Application Data\NCH Software
2008-01-26 18:24:15 0 d-------- C:\Program Files\CCleaner
2008-01-24 15:01:29 0 d-------- C:\AirlineStudentHistory
2008-01-24 15:01:21 0 d-------- C:\AirlineHistory
2008-01-24 15:01:11 0 d-------- C:\Airline


-- Find3M Report ---------------------------------------------------------------

2008-02-18 23:52:59 0 d-------- C:\Program Files\MSN Messenger
2008-02-18 23:40:10 0 d-------- C:\Program Files\AIM6
2008-02-18 19:30:15 0 d-------- C:\Documents and Settings\Dylan\Application Data\AVG7
2008-02-18 19:19:47 984 --a------ C:\WINDOWS\eReg.dat
2008-02-18 19:17:22 0 d--h----- C:\Program Files\InstallShield Installation Information
2008-02-18 18:58:11 0 d-------- C:\Program Files\Maxis
2008-02-17 12:13:31 0 d-------- C:\Program Files\Viewpoint
2008-02-15 01:25:20 0 d-------- C:\Documents and Settings\Dylan\Application Data\U3
2008-02-14 22:29:16 0 d-------- C:\Documents and Settings\Dylan\Application Data\BitTorrent
2008-02-13 22:25:32 0 d-------- C:\Program Files\NCH Software
2008-02-12 13:58:08 43520 --a------ C:\WINDOWS\system32\CmdLineExt03.dll
2008-02-12 13:00:42 0 d-------- C:\Program Files\Diablo II
2008-01-31 13:17:04 0 d-------- C:\Documents and Settings\Dylan\Application Data\Adobe
2008-01-30 23:54:15 0 d-------- C:\Documents and Settings\Dylan\Application Data\WeatherBug
2008-01-22 00:03:00 0 d-------- C:\Program Files\Hero Editor
2008-01-22 00:02:03 73216 --a------ C:\WINDOWS\ST6UNST.EXE <Not Verified; Microsoft Corporation; Microsoft® Visual Basic for Windows>
2008-01-21 23:51:12 37076 --a------ C:\WINDOWS\DIIUnin.dat
2008-01-20 11:20:12 552 --a------ C:\WINDOWS\system32\d3d8caps.dat
2008-01-19 09:28:13 664 --a------ C:\WINDOWS\system32\d3d9caps.dat
2008-01-19 08:52:23 0 d-------- C:\Program Files\EA GAMES
2008-01-19 08:48:21 0 d-------- C:\Program Files\Common Files\InstallShield
2007-12-21 13:11:02 0 d-------- C:\Program Files\WON
2007-12-21 12:53:51 34410 --a------ C:\WINDOWS\scunin.dat
2007-12-21 12:53:51 0 d-------- C:\Program Files\Starcraft
2007-12-21 12:53:45 967 --a------ C:\WINDOWS\ScUnin.pif
2007-12-21 12:53:45 94208 --a------ C:\WINDOWS\ScUnin.exe <Not Verified; Blizzard Entertainment; Starcraft Uninstaller>
2007-12-21 00:22:34 0 d-------- C:\Program Files\Common Files\Nero
2007-12-01 22:57:31 52338 --a------ C:\WINDOWS\system32\RadLightOggUninstall.exe <Not Verified; RadLight, LLC.; RadLight Ogg Media DirectShow filters>
2007-11-27 19:18:03 1025 --a------ C:\WINDOWS\system32\sysprs7.dll
2007-11-27 13:44:49 1024 --a------ C:\WINDOWS\system32\clauth2.dll
2007-11-27 13:44:49 1024 --a------ C:\WINDOWS\system32\clauth1.dll
2007-11-23 23:19:57 169984 --a------ C:\WINDOWS\system32\P2D.DLL <Not Verified; Microsoft Corporation; Microsoft® HTML Layout Support Module>
2007-11-23 23:19:57 28672 --a------ C:\WINDOWS\system32\HLP95EN.DLL <Not Verified; Microsoft Corporation; Microsoft Office>
2007-11-23 23:19:57 57344 --a------ C:\WINDOWS\system32\COMMTB32.DLL <Not Verified; Microsoft Corporation; Microsoft Button Editor>
2007-11-23 23:19:57 161552 --a------ C:\WINDOWS\system32\ASYCPICT.DLL <Not Verified; Microsoft Corporation; Microsoft® Forms>


-- Registry Dump ---------------------------------------------------------------

*Note* empty entries & legit default entries are not shown


[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SynTPEnh"="C:\Program Files\Synaptics\SynTP\SynTPEnh.exe" [05/19/2006 01:51 PM]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Yahoo! Pager"="C:\PROGRA~1\Yahoo!\MESSEN~1\YAHOOM~1.exe" [11/30/2006 09:49 PM]
"MsnMsgr"="C:\Program Files\MSN Messenger\MsnMsgr.exe" [01/19/2007 12:54 PM]
"Aim6"="C:\Program Files\AIM6\aim6.exe" [01/03/2008 10:15 AM]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [08/04/2004 06:00 AM]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Adobe Reader Speed Launch.lnk
backup=C:\WINDOWS\pss\Adobe Reader Speed Launch.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Cisco Systems VPN Client.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Cisco Systems VPN Client.lnk
backup=C:\WINDOWS\pss\Cisco Systems VPN Client.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^Dylan^Start Menu^Programs^Startup^Qwest QuickNetworking.lnk]
path=C:\Documents and Settings\Dylan\Start Menu\Programs\Startup\Qwest QuickNetworking.lnk
backup=C:\WINDOWS\pss\Qwest QuickNetworking.lnkStartup


[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Photo Downloader]
"C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Aim6]
"C:\Program Files\Common Files\AOL\Launch\AOLLaunch.exe" /d locale=en-US ee://aol/imApp

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ATIPTA]
"C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AVG7_CC]
C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BitTorrent]
"C:\Program Files\BitTorrent\bittorrent.exe" --force_start_minimized

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Broadcom Wireless Manager UI]
C:\WINDOWS\system32\WLTRAY

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\CircleVirtualCD]
C:\Program Files\Circle\VirtualCD\HvcdUI.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IndxStoreSvr_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}]
"C:\Program Files\Common Files\Nero\Lib\NMIndexStoreSvr.exe" ASO-616B5711-6DAE-4795-A05F-39A1E5104020

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IPHSend]
C:\Program Files\Common Files\AOL\IPHSend\IPHSend.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ISUSPM Startup]
C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe -startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ISUSScheduler]
"C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\KernelFaultCheck]
%systemroot%\system32\dumprep 0 -k

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NBKeyScan]
"C:\Program Files\Nero\Nero8\Nero BackItUp\NBKeyScan.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PD0630 STISvc]
RunDLL32.exe P0630Pin.dll,RunDLL32EP 513

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PRISMSVR.EXE]
"C:\WINDOWS\system32\PRISMSVR.EXE" /APPLY

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\StartUp]
C:\WINDOWS\trayicons.exe /optimize speed

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunKist]
C:\Program Files\Digital Media Reader\shwicon2k.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SynTPLpr]
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ViewMgr]
C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Weather]
C:\Program Files\AWS\WeatherBug\Weather.exe 1

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WinVNC]
"C:\Program Files\TightVNC\WinVNC.exe" -servicehelper


[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\D]
AutoRun\command- D:\Start.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{09f90cc2-832b-11da-a8db-806d6172696f}]
AutoRun\command- D:\Start.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{8da80ab2-afd1-11db-a9b4-000ae4f3f14f}]
AutoRun\command- E:\LaunchU3.exe -a

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{f1f21ac5-9354-11da-a8f4-00032532c61c}]
AutoRun\command- E:\JDSecure\Windows\JDSecure31.exe

*Newly Created Service* - VSDATANT



-- End of Deckard's System Scanner: finished at 2008-02-21 10:53:42 ------------
 
Extra.txt

Deckard's System Scanner v20071014.68
Extra logfile - please post this as an attachment with your post.
--------------------------------------------------------------------------------

-- System Information ----------------------------------------------------------

Microsoft Windows XP Professional (build 2600) SP 2.0
Architecture: X86; Language: English

CPU 0: Mobile AMD Athlon(tm) 64 Processor 4000+
Percentage of Memory in Use: 57%
Physical Memory (total/avail): 1022.11 MiB / 432.02 MiB
Pagefile Memory (total/avail): 2460.23 MiB / 2059.77 MiB
Virtual Memory (total/avail): 2047.88 MiB / 1930.01 MiB

C: is Fixed (NTFS) - 93.15 GiB total, 22.05 GiB free.
D: is CDROM (CDFS)
Z: is CDROM (No Media)

\\.\PHYSICALDRIVE0 - FUJITSU MHV2100AT PL - 93.16 GiB - 1 partition
\PARTITION0 (bootable) - Installable File System - 93.15 GiB - C:



-- Security Center -------------------------------------------------------------

AUOptions is set to notify before download.
Windows Internal Firewall is disabled.

FirstRunDisabled is set.
AntivirusOverride is set.
FirewallOverride is set.

AV: AVG 7.5.486 v7.5.486 (GRISOFT) Disabled Outdated

[HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List]

[HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]


-- Environment Variables -------------------------------------------------------

ALLUSERSPROFILE=C:\Documents and Settings\All Users
APPDATA=C:\Documents and Settings\Dylan\Application Data
CLASSPATH=.;C:\Program Files\Java\jre1.5.0_06\lib\ext\QTJava.zip
CLIENTNAME=Console
CommonProgramFiles=C:\Program Files\Common Files
COMPUTERNAME=NDSU-BAEC1AE553
ComSpec=C:\WINDOWS\system32\cmd.exe
FP_NO_HOST_CHECK=NO
HOMEDRIVE=C:
HOMEPATH=\Documents and Settings\Dylan
LOGONSERVER=\\NDSU-BAEC1AE553
NUMBER_OF_PROCESSORS=1
OS=Windows_NT
Path=C:\WINDOWS\system32;C:\WINDOWS;C:\WINDOWS\system32\wbem;C:\Program Files\QuickTime\QTSystem;C:\Program Files\ATI Technologies\ATI Control Panel
PATHEXT=.COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH
PROCESSOR_ARCHITECTURE=x86
PROCESSOR_IDENTIFIER=x86 Family 15 Model 36 Stepping 2, AuthenticAMD
PROCESSOR_LEVEL=15
PROCESSOR_REVISION=2402
ProgramFiles=C:\Program Files
PROMPT=$P$G
QTJAVA=C:\Program Files\Java\jre1.5.0_06\lib\ext\QTJava.zip
SESSIONNAME=Console
SystemDrive=C:
SystemRoot=C:\WINDOWS
TEMP=C:\DOCUME~1\Dylan\LOCALS~1\Temp
TMP=C:\DOCUME~1\Dylan\LOCALS~1\Temp
USERDOMAIN=NDSU-BAEC1AE553
USERNAME=Dylan
USERPROFILE=C:\Documents and Settings\Dylan
windir=C:\WINDOWS


-- User Profiles ---------------------------------------------------------------

Dylan (admin)
Administrator (admin)


-- Add/Remove Programs ---------------------------------------------------------

BitTorrent 6.0 --> C:\Program Files\BitTorrent\uninst.exe
HijackThis 2.0.2 --> "C:\Program Files\Trend Micro\HijackThis\HijackThis.exe" /uninstall


-- Application Event Log -------------------------------------------------------

Event Record #/Type18547 / Success
Event Submitted/Written: 02/20/2008 02:23:57 AM
Event ID/Source: 12001 / usnjsvc
Event Description:
The Messenger Sharing USN Journal Reader service started successfully.

Event Record #/Type18530 / Success
Event Submitted/Written: 02/20/2008 02:05:39 AM
Event ID/Source: 12001 / usnjsvc
Event Description:
The Messenger Sharing USN Journal Reader service started successfully.

Event Record #/Type18523 / Success
Event Submitted/Written: 02/20/2008 00:52:09 AM
Event ID/Source: 12001 / usnjsvc
Event Description:
The Messenger Sharing USN Journal Reader service started successfully.

Event Record #/Type18509 / Success
Event Submitted/Written: 02/19/2008 00:07:54 PM
Event ID/Source: 12001 / usnjsvc
Event Description:
The Messenger Sharing USN Journal Reader service started successfully.

Event Record #/Type18508 / Success
Event Submitted/Written: 02/19/2008 00:07:45 PM
Event ID/Source: 12001 / usnjsvc
Event Description:
The Messenger Sharing USN Journal Reader service started successfully.



-- Security Event Log ----------------------------------------------------------

No Errors/Warnings found.


-- System Event Log ------------------------------------------------------------

Event Record #/Type54961 / Warning
Event Submitted/Written: 02/21/2008 05:55:24 AM
Event ID/Source: 36 / W32Time
Event Description:
The time service has not been able to synchronize the system time
for 49152 seconds because none of the time providers has been able to
provide a usable time stamp. The system clock is unsynchronized.

Event Record #/Type54957 / Error
Event Submitted/Written: 02/20/2008 06:45:29 PM
Event ID/Source: 7 / Cdrom
Event Description:
The device, \Device\CdRom0, has a bad block.

Event Record #/Type54949 / Warning
Event Submitted/Written: 02/20/2008 04:10:14 PM
Event ID/Source: 2504 / Server
Event Description:
The server could not bind to the transport \Device\NetBT_Tcpip_{6F80AA49-7202-4FE8-99AA-07F3A8F133C7}.

Event Record #/Type54948 / Warning
Event Submitted/Written: 02/20/2008 04:10:05 PM
Event ID/Source: 1007 / Dhcp
Event Description:
Your computer has automatically configured the IP address for the Network
Card with network address 0014A5423B40. The IP address being used is 169.254.10.189.

Event Record #/Type54943 / Warning
Event Submitted/Written: 02/20/2008 04:10:02 PM
Event ID/Source: 1003 / Dhcp
Event Description:
Your computer was not able to renew its address from the network (from the
DHCP Server) for the Network Card with network address 0014A5423B40. The following
error occurred:
%%121.
Your computer will continue to try and obtain an address on its own from
the network address (DHCP) server.



-- End of Deckard's System Scanner: finished at 2008-02-21 10:53:42 ------------
 
Update

OK, I'm not sure if you need to know this information, but let me tell you a little more about my computer. I live on a college campus (meaning I have to go through the ITS department's existing network). I do not have any virus scanner/Ad-Aware scanner that constantly runs (I run them about every week). There is no real-time scanner, etc. If you want to know anything else about my computer, just ask (I'm assuming those reports told you my hardware, etc.).
 
I notice you have AVG installed on your computer; is it possible to enable its real-time scanning feature? Real-time antivirus protection is an important element of PC security.

With regard to the uninstall problem, it looks like that registry key has been damaged. I suspect the damage predates the removal steps we've taken here, but I would like to confirm that. Please download MiTeC Windows Registry File Viewer and extract RFV.exe to your Desktop.

Please run RFV.exe and choose File -> Open. Open up C:\Windows\erdnt\Hiv-backup\software.

Click on File -> Export to REGEDIT4 format. You will be asked to "Enter the key prefix or root key for export". Enter the contents of the codebox below:
Code:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall

Tick the Only selected key box and click OK. Save the file to your Desktop and attach or post the contents here.
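The same export can be done from the command line instead of the RFV GUI: mount the ERUNT hive backup under a temporary key with reg.exe, export just the Uninstall subkey, then unload it. This is an added example and not part of the reply above; it assumes the backup path quoted in the reply (C:\Windows\erdnt\Hiv-backup\software), that HKLM\ERDNT_SOFTWARE is an unused key name, PowerShell 2.0 or later, and an elevated (administrator) prompt, since reg load requires it.

```powershell
# Added example: export a subkey from an offline ERUNT hive backup.
# Assumed paths/names (not from the original thread): the backup location,
# the temporary mount name ERDNT_SOFTWARE, and the output file name.
$HivePath  = 'C:\Windows\erdnt\Hiv-backup\software'
$MountName = 'HKLM\ERDNT_SOFTWARE'
$SubKey    = 'Microsoft\Windows\CurrentVersion\Uninstall'
$OutFile   = Join-Path ([Environment]::GetFolderPath('Desktop')) 'uninstall-backup.reg'

if (-not (Test-Path -LiteralPath $HivePath)) {
    throw "Hive backup not found: $HivePath"
}
# Older reg.exe has no /y switch, so remove any previous export first.
if (Test-Path -LiteralPath $OutFile) { Remove-Item -LiteralPath $OutFile }

# Mount the offline hive file under a temporary key (needs admin rights).
& reg.exe load $MountName $HivePath | Out-Null
if ($LASTEXITCODE -ne 0) { throw "reg load failed (exit code $LASTEXITCODE)" }

try {
    # Export only the Uninstall subkey from the mounted backup.
    & reg.exe export "$MountName\$SubKey" $OutFile | Out-Null
    if ($LASTEXITCODE -ne 0) { throw "reg export failed (exit code $LASTEXITCODE)" }

    # Sanity check: compare the number of uninstall entries in the backup
    # with the live hive. A damaged live key shows up as a large gap.
    $backupCount = @(Get-ChildItem -Path "HKLM:\ERDNT_SOFTWARE\$SubKey").Count
    $liveCount   = @(Get-ChildItem -Path "HKLM:\SOFTWARE\$SubKey").Count
    "{0} entries in backup, {1} entries in live hive; export written to {2}" -f `
        $backupCount, $liveCount, $OutFile
}
finally {
    # Drop PowerShell's handles on the mounted key, otherwise unload fails
    # with "Access is denied" and the hive file stays locked.
    [GC]::Collect()
    & reg.exe unload $MountName | Out-Null
}
```

The exported .reg file is in the REGEDIT5 (Unicode) format that reg.exe produces rather than the REGEDIT4 format RFV offers; both open in any text editor and can be posted here. Never import the file into the live registry on a machine you are still cleaning; it is for inspection only.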
 
Registry Error

I run the program and open up the software file, but when I try to export, it gives me the error "No key selected". Do I need to select one of those files in the left column? (I don't get an error if I select one.)
 