
long time reader but need some assistance

  • 23-06-2008 3:13pm
    #1
    simonp1 (Registered Users, Posts: 353 ✭✭)


    Hi Actorseeksjob

    I've been reading most of your threads but seem to run into a brick wall with this person's machine. I have followed the "I think I have a virus" sticky, and here are the results of SUPERAntiSpyware and HijackThis. The PC has improved but still cannot connect to the internet.

    Thanks in advance

    Simon

    PS: I know the SUPERAntiSpyware definitions are not up to date, but this machine cannot connect to the internet.

    Logfile of Trend Micro HijackThis v2.0.2
    Scan saved at 15:58:15, on 23/06/2008
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v7.00 (7.00.6000.16674)
    Boot mode: Normal

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
    C:\WINDOWS\Explorer.EXE
    C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
    C:\Program Files\Bonjour\mDNSResponder.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
    C:\Program Files\Sony\CONNECTAutoUpdate\CONNECTScheduler.exe
    C:\Program Files\Sony Ericsson\Mobile2\Application Launcher\Application Launcher.exe
    C:\Program Files\QuickTime\QTTask.exe
    C:\Program Files\iTunes\iTunesHelper.exe
    C:\PROGRA~1\AVG\AVG8\avgtray.exe
    C:\WINDOWS\system32\ctfmon.exe
    C:\Program Files\MSN Messenger\MsnMsgr.Exe
    C:\Program Files\Skype\Phone\Skype.exe
    C:\Program Files\Windows Media Player\WMPNSCFG.exe
    C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
    C:\Program Files\WinZip\WZQKPICK.EXE
    C:\PROGRA~1\AVG\AVG8\avgrsx.exe
    C:\Program Files\Common Files\Teleca Shared\Generic.exe
    C:\Program Files\iPod\bin\iPodService.exe
    C:\Program Files\Sony Ericsson\Mobile2\Mobile Phone Monitor\epmworker.exe
    C:\WINDOWS\system32\wscntfy.exe
    C:\Documents and Settings\Administrator\Desktop\HiJackThis.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.ie/
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
    O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
    O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
    O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG8\avgssie.dll
    O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_02\bin\ssv.dll (file missing)
    O2 - BHO: ST - {9394EDE7-C8B5-483E-8773-474BF36AF6E4} - C:\Program Files\MSN Apps\ST\01.03.0000.1005\en-xu\stmain.dll
    O2 - BHO: AVG Security Toolbar - {A057A204-BACC-4D26-9990-79A187E2698E} - C:\PROGRA~1\AVG\AVG8\AVGTOO~1.DLL
    O2 - BHO: (no name) - {AA58ED58-01DD-4d91-8333-CF10577473F7} - (no file)
    O2 - BHO: MSNToolBandBHO - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Apps\MSN Toolbar\01.02.5000.1021\en-gb\msntb.dll
    O3 - Toolbar: MSN - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Apps\MSN Toolbar\01.02.5000.1021\en-gb\msntb.dll
    O3 - Toolbar: (no name) - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - (no file)
    O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
    O3 - Toolbar: AVG Security Toolbar - {A057A204-BACC-4D26-9990-79A187E2698E} - C:\PROGRA~1\AVG\AVG8\AVGTOO~1.DLL
    O4 - HKLM\..\Run: [srmclean] C:\Cpqs\Scom\srmclean.exe
    O4 - HKLM\..\Run: [SetRefresh] C:\Program Files\Compaq\SetRefresh\SetRefresh.exe
    O4 - HKLM\..\Run: [CONNECTScheduler] "C:\Program Files\Sony\CONNECTAutoUpdate\CONNECTScheduler.exe" /RUN_SCHEDULER
    O4 - HKLM\..\Run: [Sony Ericsson PC Suite] "C:\Program Files\Sony Ericsson\Mobile2\Application Launcher\Application Launcher.exe" /startoptions
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
    O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
    O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe
    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
    O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
    O4 - HKCU\..\Run: [Skype] "C:\Program Files\Skype\Phone\Skype.exe" /nosplash /minimized
    O4 - HKCU\..\Run: [WMPNSCFG] C:\Program Files\Windows Media Player\WMPNSCFG.exe
    O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
    O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
    O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
    O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
    O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
    O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar3.dll/cmsearch.html
    O8 - Extra context menu item: &Search - http://kl.bar.need2find.com/KL/menusearch.html?p=KL
    O8 - Extra context menu item: &Translate English Word - res://c:\program files\google\GoogleToolbar3.dll/cmwordtrans.html
    O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar3.dll/cmbacklinks.html
    O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar3.dll/cmcache.html
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
    O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar3.dll/cmsimilar.html
    O8 - Extra context menu item: Translate Page into English - res://c:\program files\google\GoogleToolbar3.dll/cmtrans.html
    O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll
    O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
    O16 - DPF: {215B8138-A3CF-44C5-803F-8226143CFC0A} (Trend Micro ActiveX Scan Agent 6.6) - http://housecall65.trendmicro.com/housecall/applet/html/native/x86/win32/activex/hcImpl.cab
    O16 - DPF: {5F8469B4-B055-49DD-83F7-62B522420ECC} (Facebook Photo Uploader Control) - http://upload.facebook.com/controls/FacebookPhotoUploader.cab
    O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.com/v5consumer/V5Controls/en/x86/client/wuweb_site.cab?1111094126812
    O16 - DPF: {AF2E62B6-F9E1-4D4F-A10A-9DC8E6DCBCC0} (VideoEgg ActiveX Loader) - http://update.videoegg.com/Install/Windows/Initial/VideoEggPublisher.exe
    O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/MsnMessengerSetupDownloader.cab
    O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll
    O20 - AppInit_DLLs: avgrsstx.dll
    O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
    O20 - Winlogon Notify: GoToAssist Express Customer - C:\Program Files\Citrix\GoToAssist Express Customer\86\g2ax_winlogon.dll
    O20 - Winlogon Notify: regmsvc - C:\WINDOWS\system\regmsvc.dll (file missing)
    O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
    O23 - Service: AVG8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
    O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
    O23 - Service: GoToAssist Express Customer - Unknown owner - C:\Program Files\Citrix\GoToAssist Express Customer\86\g2ax_service.exe
    O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1150\Intel 32\IDriverT.exe
    O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
    O23 - Service: MSCSPTISRV - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\MSCSPTISRV.exe
    O23 - Service: PACSPTISVR - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\PACSPTISVR.exe
    O23 - Service: Sony SCSI Helper Service - Sony Corporation - C:\Program Files\Common Files\Sony Shared\Fsk\SonySCSIHelperService.exe
    O23 - Service: Sony SPTI Service (SPTISRV) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\SPTISRV.exe

    --
    End of file - 9007 bytes



    SUPERAntiSpyware Scan Log
    http://www.superantispyware.com

    Generated 06/23/2008 at 12:50 PM

    Application Version : 4.15.1000

    Core Rules Database Version : 3469
    Trace Rules Database Version: 1460

    Scan type : Complete Scan
    Total Scan Time : 00:58:45

    Memory items scanned : 369
    Memory threats detected : 0
    Registry items scanned : 5382
    Registry threats detected : 93
    File items scanned : 52559
    File threats detected : 66

    Adware.Vundo Variant
    HKLM\Software\Classes\CLSID\{1557B435-8242-4686-9AA3-9265BF7525A4}
    HKCR\CLSID\{1557B435-8242-4686-9AA3-9265BF7525A4}
    HKCR\CLSID\{1557B435-8242-4686-9AA3-9265BF7525A4}\InprocServer32
    HKCR\CLSID\{1557B435-8242-4686-9AA3-9265BF7525A4}\InprocServer32#ThreadingModel
    C:\WINDOWS\SYSTEM32\LLGOXEQB.DLL
    HKLM\Software\Classes\CLSID\{55DB983C-BDBF-426f-86F0-187B02DDA39B}
    HKCR\CLSID\{55DB983C-BDBF-426F-86F0-187B02DDA39B}
    HKCR\CLSID\{55DB983C-BDBF-426F-86F0-187B02DDA39B}\InprocServer32
    HKCR\CLSID\{55DB983C-BDBF-426F-86F0-187B02DDA39B}\InprocServer32#ThreadingModel
    C:\WINDOWS\SYSTEM32\FXUNDLYC.DLL
    HKLM\Software\Classes\CLSID\{67C55A8D-E808-4caa-9EA7-F77102DE0BB6}
    HKCR\CLSID\{67C55A8D-E808-4CAA-9EA7-F77102DE0BB6}
    HKCR\CLSID\{67C55A8D-E808-4CAA-9EA7-F77102DE0BB6}\InprocServer32
    HKCR\CLSID\{67C55A8D-E808-4CAA-9EA7-F77102DE0BB6}\InprocServer32#ThreadingModel
    C:\WINDOWS\SYSTEM32\BPIVTIIM.DLL
    HKLM\Software\Classes\CLSID\{D651AFF4-9590-424d-BD1E-8E33E090DFB3}
    HKCR\CLSID\{D651AFF4-9590-424D-BD1E-8E33E090DFB3}
    HKCR\CLSID\{D651AFF4-9590-424D-BD1E-8E33E090DFB3}\InprocServer32
    HKCR\CLSID\{D651AFF4-9590-424D-BD1E-8E33E090DFB3}\InprocServer32#ThreadingModel
    C:\WINDOWS\SYSTEM32\GFNMUXYS.DLL
    HKLM\Software\Classes\CLSID\{E12BFF69-38A7-406e-A8EF-2738107A7831}
    HKCR\CLSID\{E12BFF69-38A7-406E-A8EF-2738107A7831}
    HKCR\CLSID\{E12BFF69-38A7-406E-A8EF-2738107A7831}\InprocServer32
    HKCR\CLSID\{E12BFF69-38A7-406E-A8EF-2738107A7831}\InprocServer32#ThreadingModel
    C:\WINDOWS\SYSTEM32\EMXFBOHR.DLL
    HKLM\Software\Classes\CLSID\{E2EE5C44-C66D-499d-BEAE-A2A79189A63A}
    HKCR\CLSID\{E2EE5C44-C66D-499D-BEAE-A2A79189A63A}
    HKCR\CLSID\{E2EE5C44-C66D-499D-BEAE-A2A79189A63A}\InprocServer32
    HKCR\CLSID\{E2EE5C44-C66D-499D-BEAE-A2A79189A63A}\InprocServer32#ThreadingModel
    C:\WINDOWS\SYSTEM32\HVQLYUUE.DLL
    HKCR\CLSID\{1557B435-8242-4686-9AA3-9265BF7525A4}
    HKCR\CLSID\{55DB983C-BDBF-426F-86F0-187B02DDA39B}
    HKCR\CLSID\{67C55A8D-E808-4CAA-9EA7-F77102DE0BB6}
    HKCR\CLSID\{D651AFF4-9590-424D-BD1E-8E33E090DFB3}
    HKCR\CLSID\{E12BFF69-38A7-406E-A8EF-2738107A7831}
    HKCR\CLSID\{E2EE5C44-C66D-499D-BEAE-A2A79189A63A}

    Unclassified.Unknown Origin
    HKLM\Software\Classes\CLSID\{5ADF3862-9E2E-4ad3-86F7-4510E6550CD0}
    HKCR\CLSID\{5ADF3862-9E2E-4AD3-86F7-4510E6550CD0}
    HKCR\CLSID\{5ADF3862-9E2E-4AD3-86F7-4510E6550CD0}\InprocServer32
    HKCR\CLSID\{5ADF3862-9E2E-4AD3-86F7-4510E6550CD0}\InprocServer32#ThreadingModel
    C:\WINDOWS\SYSTEM32\IOXOUOMG.DLL
    HKCR\CLSID\{5ADF3862-9E2E-4AD3-86F7-4510E6550CD0}

    Trojan.ConHook
    HKLM\Software\Classes\CLSID\{D38439EC-4A7F-42b4-90C2-D810D7778FDD}
    HKCR\CLSID\{D38439EC-4A7F-42B4-90C2-D810D7778FDD}
    HKCR\CLSID\{D38439EC-4A7F-42B4-90C2-D810D7778FDD}\InprocServer32
    HKCR\CLSID\{D38439EC-4A7F-42B4-90C2-D810D7778FDD}\InprocServer32#ThreadingModel
    C:\WINDOWS\SYSTEM32\DXDGYPQV.DLL
    HKCR\CLSID\{D38439EC-4A7F-42B4-90C2-D810D7778FDD}

    Trojan.Error Safe Free
    C:\Program Files\ErrorSafe Free

    Trojan.WinAntiSpyware/WinAntiVirus 2006/2007
    HKU\S-1-5-21-2443442985-1936569407-477547094-500\Software\WinAntiVirus Pro 2007
    HKCR\UWAP7.PCheck.1
    HKCR\UWAP7.PCheck.1\CurVer
    HKCR\CLSID\{2A5C2E6D-864B-4f2c-9542-8B272741D78B}
    HKCR\CLSID\{2A5C2E6D-864B-4f2c-9542-8B272741D78B}\InprocServer32
    HKCR\CLSID\{2A5C2E6D-864B-4f2c-9542-8B272741D78B}\InprocServer32#ThreadingModel
    HKCR\CLSID\{2A5C2E6D-864B-4f2c-9542-8B272741D78B}\ProgID
    HKCR\CLSID\{2A5C2E6D-864B-4f2c-9542-8B272741D78B}\Programmable
    HKCR\CLSID\{2A5C2E6D-864B-4f2c-9542-8B272741D78B}\VersionIndependentProgID
    HKCR\TypeLib\{6F520BE0-9B54-4558-816F-224E67997DF3}
    HKCR\TypeLib\{6F520BE0-9B54-4558-816F-224E67997DF3}\1.0
    HKCR\TypeLib\{6F520BE0-9B54-4558-816F-224E67997DF3}\1.0\0
    HKCR\TypeLib\{6F520BE0-9B54-4558-816F-224E67997DF3}\1.0\0\win32
    HKCR\TypeLib\{6F520BE0-9B54-4558-816F-224E67997DF3}\1.0\FLAGS
    HKCR\TypeLib\{6F520BE0-9B54-4558-816F-224E67997DF3}\1.0\HELPDIR
    HKCR\Interface\{459F4226-1AAB-43B6-9DC1-B6313EF83749}
    HKCR\Interface\{459F4226-1AAB-43B6-9DC1-B6313EF83749}\ProxyStubClsid
    HKCR\Interface\{459F4226-1AAB-43B6-9DC1-B6313EF83749}\ProxyStubClsid32
    HKCR\Interface\{459F4226-1AAB-43B6-9DC1-B6313EF83749}\TypeLib
    HKCR\Interface\{459F4226-1AAB-43B6-9DC1-B6313EF83749}\TypeLib#Version
    C:\WINDOWS\system32\stera.job
    C:\Program Files\Common Files\WinAntiVirus Pro 2007\err.log
    C:\Program Files\Common Files\WinAntiVirus Pro 2007
    C:\Documents and Settings\Administrator\Application Data\WinAntiVirus Pro 2007\avtasks.dat
    C:\Documents and Settings\Administrator\Application Data\WinAntiVirus Pro 2007\CookieList.dat
    C:\Documents and Settings\Administrator\Application Data\WinAntiVirus Pro 2007\history.db
    C:\Documents and Settings\Administrator\Application Data\WinAntiVirus Pro 2007\Logs\update.log
    C:\Documents and Settings\Administrator\Application Data\WinAntiVirus Pro 2007\Logs\wa7Support.log
    C:\Documents and Settings\Administrator\Application Data\WinAntiVirus Pro 2007\Logs\winav.log
    C:\Documents and Settings\Administrator\Application Data\WinAntiVirus Pro 2007\Logs
    C:\Documents and Settings\Administrator\Application Data\WinAntiVirus Pro 2007\PGE.dat
    C:\Documents and Settings\Administrator\Application Data\WinAntiVirus Pro 2007
    C:\UWA7P\Quar
    C:\WINDOWS\..\UWA7P
    C:\DECKARD\SYSTEM SCANNER\BACKUP\DOCUME~1\ADMINI~1\LOCALS~1\TEMP\NI.UWA7P_0001_N99M3103\SETUP.EXE
    C:\SYSTEM VOLUME INFORMATION\_RESTORE{D0D4C289-1775-4E84-B8F1-E8133151EDAF}\RP1034\A0217850.EXE
    C:\SYSTEM VOLUME INFORMATION\_RESTORE{D0D4C289-1775-4E84-B8F1-E8133151EDAF}\RP1034\A0217862.EXE

    Trojan.Anti-Virus Pro
    HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_SECUREDISK
    HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_SECUREDISK#NextInstance
    HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_SECUREDISK\0000
    HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_SECUREDISK\0000#Service
    HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_SECUREDISK\0000#Legacy
    HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_SECUREDISK\0000#ConfigFlags
    HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_SECUREDISK\0000#Class
    HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_SECUREDISK\0000#ClassGUID
    HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_SECUREDISK\0000#DeviceDesc
    HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_SECUREDISK\0000#Capabilities
    HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_SECUREDISK\0000\LogConf
    C:\Program Files\Anti-Virus-Pro
    C:\Documents and Settings\Administrator\Application Data\Anti-Virus-Pro\logs\1161471442.log
    C:\Documents and Settings\Administrator\Application Data\Anti-Virus-Pro\logs
    C:\Documents and Settings\Administrator\Application Data\Anti-Virus-Pro

    Trojan.ErrorSafe
    HKCR\TypeLib\{8A03D736-A5D7-4AEC-A940-2A54276038C9}
    HKCR\TypeLib\{8A03D736-A5D7-4AEC-A940-2A54276038C9}\1.0
    HKCR\TypeLib\{8A03D736-A5D7-4AEC-A940-2A54276038C9}\1.0\0
    HKCR\TypeLib\{8A03D736-A5D7-4AEC-A940-2A54276038C9}\1.0\0\win32
    HKCR\TypeLib\{8A03D736-A5D7-4AEC-A940-2A54276038C9}\1.0\FLAGS
    HKCR\TypeLib\{8A03D736-A5D7-4AEC-A940-2A54276038C9}\1.0\HELPDIR
    HKCR\TypeLib\{52E36B78-3664-49A9-85E1-AF030D075B8E}
    HKCR\TypeLib\{52E36B78-3664-49A9-85E1-AF030D075B8E}\1.0
    HKCR\TypeLib\{52E36B78-3664-49A9-85E1-AF030D075B8E}\1.0\0
    HKCR\TypeLib\{52E36B78-3664-49A9-85E1-AF030D075B8E}\1.0\0\win32
    HKCR\TypeLib\{52E36B78-3664-49A9-85E1-AF030D075B8E}\1.0\FLAGS
    HKCR\TypeLib\{52E36B78-3664-49A9-85E1-AF030D075B8E}\1.0\HELPDIR
    C:\DECKARD\SYSTEM SCANNER\BACKUP\DOCUME~1\ADMINI~1\LOCALS~1\TEMP\NI.UERS_9999_N91S2507\SETUP.EXE
    C:\SYSTEM VOLUME INFORMATION\_RESTORE{D0D4C289-1775-4E84-B8F1-E8133151EDAF}\RP1034\A0217761.EXE

    Trojan.WinAntiSpyware 2007
    C:\Program Files\Common Files\WinAntiSpyware 2007\err.log
    C:\Program Files\Common Files\WinAntiSpyware 2007
    C:\Documents and Settings\Administrator\Application Data\WinAntiSpyware 2007\Logs\update.log
    C:\Documents and Settings\Administrator\Application Data\WinAntiSpyware 2007\Logs
    C:\Documents and Settings\Administrator\Application Data\WinAntiSpyware 2007
    C:\DECKARD\SYSTEM SCANNER\BACKUP\DOCUME~1\ADMINI~1\LOCALS~1\TEMP\WINANTISPYWARE2007SETUP.EXE

    Malware.Ultimate Cleaner
    HKLM\Software\Ultimate Cleaner
    HKLM\Software\Ultimate Cleaner#info
    HKLM\Software\Ultimate Cleaner#Version
    HKLM\Software\Ultimate Cleaner#pstatus
    HKLM\Software\Ultimate Cleaner#eMail
    HKLM\Software\Ultimate Cleaner#code
    C:\Program Files\Ultimate Cleaner\ucleaner.pkg
    C:\Program Files\Ultimate Cleaner\Uninstall.exe
    C:\Program Files\Ultimate Cleaner
    C:\Documents and Settings\Administrator\Application Data\Ultimate Cleaner\backup
    C:\Documents and Settings\Administrator\Application Data\Ultimate Cleaner\logs
    C:\Documents and Settings\Administrator\Application Data\Ultimate Cleaner

    Rootkit.Unclassified/KR_Done
    C:\WINDOWS\system32\vx.tll

    Rogue.AntiVirus 2008
    HKU\S-1-5-21-2443442985-1936569407-477547094-500\Software\Microsoft\Windows\CurrentVersion\Run#Antivirus [ C:\Program Files\Antivirus2008\Antvrs.exe ]
    C:\Documents and Settings\Administrator\Application Data\Antivirus\antvrs.exe
    C:\Documents and Settings\Administrator\Application Data\Antivirus

    Adware.Vundo Variant/Rel
    HKLM\SOFTWARE\Microsoft\aoprndtws
    HKU\S-1-5-21-2443442985-1936569407-477547094-500\Software\Microsoft\aldd
    HKU\S-1-5-21-2443442985-1936569407-477547094-500\Software\Microsoft\rdfa
    C:\WINDOWS\SYSTEM32\MCRH.TMP

    Adware.Tracking Cookie
    C:\Deckard\System Scanner\backup\DOCUME~1\ADMINI~1\LOCALS~1\Temp\Cookies\administrator@3.adbrite[1].txt
    C:\Deckard\System Scanner\backup\DOCUME~1\ADMINI~1\LOCALS~1\Temp\Cookies\administrator@accounts[2].txt
    C:\Deckard\System Scanner\backup\DOCUME~1\ADMINI~1\LOCALS~1\Temp\Cookies\administrator@ad.accelerator-media[2].txt
    C:\Deckard\System Scanner\backup\DOCUME~1\ADMINI~1\LOCALS~1\Temp\Cookies\administrator@adrevolver[1].txt
    C:\Deckard\System Scanner\backup\DOCUME~1\ADMINI~1\LOCALS~1\Temp\Cookies\administrator@ads.pointroll[2].txt
    C:\Deckard\System Scanner\backup\DOCUME~1\ADMINI~1\LOCALS~1\Temp\Cookies\administrator@adserving.cpxinteractive[2].txt
    C:\Deckard\System Scanner\backup\DOCUME~1\ADMINI~1\LOCALS~1\Temp\Cookies\administrator@aerlingus.122.2o7[1].txt
    C:\Deckard\System Scanner\backup\DOCUME~1\ADMINI~1\LOCALS~1\Temp\Cookies\administrator@counter.hitslink[1].txt
    C:\Deckard\System Scanner\backup\DOCUME~1\ADMINI~1\LOCALS~1\Temp\Cookies\administrator@ehg-twi.hitbox[1].txt
    C:\Deckard\System Scanner\backup\DOCUME~1\ADMINI~1\LOCALS~1\Temp\Cookies\administrator@hotelscom.122.2o7[1].txt
    C:\Deckard\System Scanner\backup\DOCUME~1\ADMINI~1\LOCALS~1\Temp\Cookies\administrator@jamesb007mi6.tripod[2].txt
    C:\Deckard\System Scanner\backup\DOCUME~1\ADMINI~1\LOCALS~1\Temp\Cookies\administrator@media.hotels[1].txt
    C:\Deckard\System Scanner\backup\DOCUME~1\ADMINI~1\LOCALS~1\Temp\Cookies\administrator@metacafe.122.2o7[1].txt
    C:\Deckard\System Scanner\backup\DOCUME~1\ADMINI~1\LOCALS~1\Temp\Cookies\administrator@specificclick[2].txt
    C:\Deckard\System Scanner\backup\DOCUME~1\ADMINI~1\LOCALS~1\Temp\Cookies\administrator@tripod[1].txt
    C:\Deckard\System Scanner\backup\DOCUME~1\ADMINI~1\LOCALS~1\Temp\Cookies\administrator@videoegg.adbureau[2].txt
    C:\Deckard\System Scanner\backup\DOCUME~1\ADMINI~1\LOCALS~1\Temp\Cookies\administrator@xiti[1].txt

    Trojan.WinAntiSpyware/WinAntiVirus 2006
    C:\SYSTEM VOLUME INFORMATION\_RESTORE{D0D4C289-1775-4E84-B8F1-E8133151EDAF}\RP1029\A0216665.EXE


Comments

  • ActorSeeksJob (Closed Accounts, Posts: 1,970 ✭✭✭)


    Hello

    1. Please re-open HijackThis and choose "Do a system scan only". Check the boxes next to ONLY the entries listed below (if present):

    O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_02\bin\ssv.dll (file missing)
    O2 - BHO: (no name) - {AA58ED58-01DD-4d91-8333-CF10577473F7} - (no file)
    O3 - Toolbar: (no name) - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - (no file)
    O20 - Winlogon Notify: regmsvc - C:\WINDOWS\system\regmsvc.dll (file missing)


    2. Now close all windows other than HijackThis, including browsers, so that nothing other than HijackThis is open, then click Fix Checked. A box will pop up asking whether you wish to fix the selected items; please choose YES. Once it has fixed them, please exit/close HijackThis.




    3. Click on Start, then Run, copy and paste the following (in bold) into the Open box, and click OK:
    "%userprofile%\desktop\dss.exe" /config
    This will open the DSS configuration. Click Check All, then click Scan. DSS will now run again; when it has finished, please post back both logs that open in Notepad (main.txt and extra.txt).
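The selection rule behind step 1 above (tick the O2/O3/O20 entries whose target is "(file missing)" or "(no file)", leave everything else alone) can be written down as a small triage script. The following is an added example for this thread, not code from the original posts or from HijackThis itself. It parses HijackThis v2 log lines, marks orphaned references as safe to fix, sends Winsock LSP (O10) lines to a human because fixing them with HijackThis corrupts the Winsock catalog (nwprovau.dll is the Microsoft NetWare client provider; HijackThis reports any provider it does not whitelist as "Unknown"), and flags the eight-random-letter system32 DLL names that the SUPERAntiSpyware log above attributes to Vundo. The sample input is constructed from lines posted in this thread; the one line naming llgoxeqb.dll is assembled from the CLSID and DLL pair in the SUPERAntiSpyware log and did not appear as a HijackThis line on the page. The verdict rules are the helper convention, not an official HijackThis feature.

```python
"""Triage of a HijackThis v2 log (added example, not from the original thread)."""
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample input: lines copied from the logs posted in this thread,
# plus one line (llgoxeqb.dll) assembled from the SUPERAntiSpyware findings.
SAMPLE_LOG = r"""
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_02\bin\ssv.dll (file missing)
O2 - BHO: (no name) - {AA58ED58-01DD-4d91-8333-CF10577473F7} - (no file)
O3 - Toolbar: (no name) - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - (no file)
O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe
O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O20 - Winlogon Notify: regmsvc - C:\WINDOWS\system\regmsvc.dll (file missing)
O2 - BHO: (no name) - {92335157-984B-4692-8405-530335CA9F27} - C:\WINDOWS\system32\vbdaoxdk.dll (file missing)
O2 - BHO: (no name) - {1557B435-8242-4686-9AA3-9265BF7525A4} - C:\WINDOWS\system32\llgoxeqb.dll
"""

ENTRY_RE = re.compile(r"^(?P<section>[RO]\d+) - (?P<body>.+)$")
ORPHAN_MARKERS = ("(file missing)", "(no file)")
# Vundo droppers in the SUPERAntiSpyware log are eight random letters plus
# .dll in %SystemRoot%\system32 (LLGOXEQB.DLL, FXUNDLYC.DLL, ...).
RANDOM_SYSTEM32_DLL_RE = re.compile(r"\\system32\\([a-z]{8})\.dll\b", re.IGNORECASE)


@dataclass(frozen=True)
class Finding:
    section: str
    line: str
    verdict: str  # "fix": tick in HijackThis; "review": human decision; "keep"
    reason: str


def triage_line(raw: str) -> Optional[Finding]:
    """Classify one HijackThis entry; returns None for non-entry lines."""
    line = raw.strip()
    m = ENTRY_RE.match(line)
    if not m:
        return None
    section, body = m.group("section"), m.group("body")
    if section == "O10":
        # Never "fix" an LSP entry with HijackThis: removing a provider by hand
        # breaks the Winsock chain and disables networking. If a provider does
        # have to go, rebuild the catalog with `netsh winsock reset` (XP SP2+).
        return Finding(section, line, "review", "Winsock LSP entry: never fix with HijackThis")
    if any(marker in body for marker in ORPHAN_MARKERS):
        # Registry still references a DLL/file that is gone: harmless leftover.
        return Finding(section, line, "fix", "orphaned reference: target file no longer exists")
    rnd = RANDOM_SYSTEM32_DLL_RE.search(body)
    if rnd:
        return Finding(section, line, "review", f"random-named DLL in system32: {rnd.group(1).lower()}.dll")
    return Finding(section, line, "keep", "no heuristic matched")


def triage_log(text: str) -> List[Finding]:
    """Triage every entry line in a HijackThis log, in log order."""
    findings = [triage_line(line) for line in text.splitlines()]
    return [f for f in findings if f is not None]


def fix_list(text: str) -> List[str]:
    """The entries a helper would tell the poster to tick before 'Fix checked'."""
    return [f.line for f in triage_log(text) if f.verdict == "fix"]


if __name__ == "__main__":
    for f in triage_log(SAMPLE_LOG):
        print(f"{f.verdict:6} {f.section:4} {f.reason}")
```

Run against the sample, the "fix" list is exactly the four entries the reply above tells the poster to tick (plus the vbdaoxdk.dll leftover from the earlier HijackThis backup); the LSP line and the random-named DLL come back as "review" rather than being touched automatically.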


  • simonp1 (Registered Users, Posts: 353 ✭✭)


    Hi

    Thanks for the speedy reply.

    Simon

    main.txt

    Deckard's System Scanner v20071014.68
    Run by Administrator on 2008-06-23 16:56:20
    Computer is in Normal Mode.

    -- System Restore

    Successfully created a Deckard's System Scanner Restore Point.


    -- Last 5 Restore Point(s) --
    81: 2008-06-23 15:56:29 UTC - RP1053 - Deckard's System Scanner Restore Point
    80: 2008-06-23 14:27:41 UTC - RP1052 - ComboFix created restore point
    79: 2008-06-23 13:43:22 UTC - RP1051 - Removed J2SE Runtime Environment 5.0 Update 2
    78: 2008-06-23 13:41:59 UTC - RP1050 - Removed J2SE Runtime Environment 5.0 Update 6
    77: 2008-06-23 13:37:06 UTC - RP1049 - Removed Java 2 Runtime Environment, SE v1.4.2_01


    -- First Restore Point --
    1: 2008-03-22 18:01:45 UTC - RP973 - System Checkpoint


    Performed disk cleanup.



    -- HijackThis (run as Administrator.exe)

    Logfile of Trend Micro HijackThis v2.0.2
    Scan saved at 16:57:03, on 23/06/2008
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v7.00 (7.00.6000.16674)
    Boot mode: Normal

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
    C:\WINDOWS\Explorer.EXE
    C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
    C:\Program Files\Bonjour\mDNSResponder.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
    C:\Program Files\Sony\CONNECTAutoUpdate\CONNECTScheduler.exe
    C:\Program Files\Sony Ericsson\Mobile2\Application Launcher\Application Launcher.exe
    C:\Program Files\QuickTime\QTTask.exe
    C:\Program Files\iTunes\iTunesHelper.exe
    C:\PROGRA~1\AVG\AVG8\avgtray.exe
    C:\WINDOWS\system32\ctfmon.exe
    C:\Program Files\MSN Messenger\MsnMsgr.Exe
    C:\Program Files\Skype\Phone\Skype.exe
    C:\Program Files\Windows Media Player\WMPNSCFG.exe
    C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
    C:\Program Files\WinZip\WZQKPICK.EXE
    C:\PROGRA~1\AVG\AVG8\avgrsx.exe
    C:\WINDOWS\system32\wscntfy.exe
    C:\Program Files\iPod\bin\iPodService.exe
    C:\Program Files\Common Files\Teleca Shared\Generic.exe
    C:\Program Files\Sony Ericsson\Mobile2\Mobile Phone Monitor\epmworker.exe
    C:\Documents and Settings\Administrator\desktop\dss.exe
    C:\DOCUME~1\ADMINI~1\Desktop\ADMINI~1.EXE

    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
    O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
    O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
    O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG8\avgssie.dll
    O2 - BHO: ST - {9394EDE7-C8B5-483E-8773-474BF36AF6E4} - C:\Program Files\MSN Apps\ST\01.03.0000.1005\en-xu\stmain.dll
    O2 - BHO: AVG Security Toolbar - {A057A204-BACC-4D26-9990-79A187E2698E} - C:\PROGRA~1\AVG\AVG8\AVGTOO~1.DLL
    O2 - BHO: MSNToolBandBHO - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Apps\MSN Toolbar\01.02.5000.1021\en-gb\msntb.dll
    O3 - Toolbar: MSN - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Apps\MSN Toolbar\01.02.5000.1021\en-gb\msntb.dll
    O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
    O3 - Toolbar: AVG Security Toolbar - {A057A204-BACC-4D26-9990-79A187E2698E} - C:\PROGRA~1\AVG\AVG8\AVGTOO~1.DLL
    O4 - HKLM\..\Run: [srmclean] C:\Cpqs\Scom\srmclean.exe
    O4 - HKLM\..\Run: [SetRefresh] C:\Program Files\Compaq\SetRefresh\SetRefresh.exe
    O4 - HKLM\..\Run: [CONNECTScheduler] "C:\Program Files\Sony\CONNECTAutoUpdate\CONNECTScheduler.exe" /RUN_SCHEDULER
    O4 - HKLM\..\Run: [Sony Ericsson PC Suite] "C:\Program Files\Sony Ericsson\Mobile2\Application Launcher\Application Launcher.exe" /startoptions
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
    O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
    O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe
    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
    O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
    O4 - HKCU\..\Run: [Skype] "C:\Program Files\Skype\Phone\Skype.exe" /nosplash /minimized
    O4 - HKCU\..\Run: [WMPNSCFG] C:\Program Files\Windows Media Player\WMPNSCFG.exe
    O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
    O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
    O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
    O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
    O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
    O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar3.dll/cmsearch.html
    O8 - Extra context menu item: &Search - http://kl.bar.need2find.com/KL/menusearch.html?p=KL
    O8 - Extra context menu item: &Translate English Word - res://c:\program files\google\GoogleToolbar3.dll/cmwordtrans.html
    O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar3.dll/cmbacklinks.html
    O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar3.dll/cmcache.html
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
    O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar3.dll/cmsimilar.html
    O8 - Extra context menu item: Translate Page into English - res://c:\program files\google\GoogleToolbar3.dll/cmtrans.html
    O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll
    O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
    O16 - DPF: {215B8138-A3CF-44C5-803F-8226143CFC0A} (Trend Micro ActiveX Scan Agent 6.6) - http://housecall65.trendmicro.com/housecall/applet/html/native/x86/win32/activex/hcImpl.cab
    O16 - DPF: {5F8469B4-B055-49DD-83F7-62B522420ECC} (Facebook Photo Uploader Control) - http://upload.facebook.com/controls/FacebookPhotoUploader.cab
    O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.com/v5consumer/V5Controls/en/x86/client/wuweb_site.cab?1111094126812
    O16 - DPF: {AF2E62B6-F9E1-4D4F-A10A-9DC8E6DCBCC0} (VideoEgg ActiveX Loader) - http://update.videoegg.com/Install/Windows/Initial/VideoEggPublisher.exe
    O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/MsnMessengerSetupDownloader.cab
    O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll
    O20 - AppInit_DLLs: avgrsstx.dll
    O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
    O20 - Winlogon Notify: GoToAssist Express Customer - C:\Program Files\Citrix\GoToAssist Express Customer\86\g2ax_winlogon.dll
    O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
    O23 - Service: AVG8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
    O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
    O23 - Service: GoToAssist Express Customer - Unknown owner - C:\Program Files\Citrix\GoToAssist Express Customer\86\g2ax_service.exe
    O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1150\Intel 32\IDriverT.exe
    O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
    O23 - Service: MSCSPTISRV - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\MSCSPTISRV.exe
    O23 - Service: PACSPTISVR - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\PACSPTISVR.exe
    O23 - Service: Sony SCSI Helper Service - Sony Corporation - C:\Program Files\Common Files\Sony Shared\Fsk\SonySCSIHelperService.exe
    O23 - Service: Sony SPTI Service (SPTISRV) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\SPTISRV.exe

    --
    End of file - 8134 bytes

    -- HijackThis Fixed Entries (C:\DOCUME~1\ADMINI~1\Desktop\backups\)

    backup-20080620-170245-188 O2 - BHO: (no name) - {92335157-984B-4692-8405-530335CA9F27} - C:\WINDOWS\system32\vbdaoxdk.dll (file missing)
    backup-20080620-170245-291 O4 - HKLM\..\Run: [Ultimate Cleaner] C:\Program Files\Ultimate Cleaner\App.exe
    backup-20080620-170245-398 O4 - HKCU\..\Run: [WinAntiSpyware 2007] "c:\program files\winantispyware 2007\was7.exe" /min
    backup-20080620-170245-444 O4 - HKCU\..\Run: [Evidence Eliminator] C:\Program Files\Evidence Eliminator\ee.exe /m
    backup-20080620-170245-707 O4 - HKLM\..\Run: [SystemDoctor Free] C:\Program Files\System Doctor Free\systemdoc.exe /min
    backup-20080620-170245-793 O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
    backup-20080620-170245-825 O2 - BHO: (no name) - {938A8A03-A938-4019-B764-03FF8D167D79} - C:\WINDOWS\system32\ahwndtlp.dll (file missing)
    backup-20080620-170245-953 O4 - HKLM\..\Run: [USS] "C:\Program Files\USS\USS.exe"
    backup-20080620-170245-960 O4 - HKLM\..\Run: [SNM] C:\Program Files\SpyNoMore\SNM.exe /startup
    backup-20080620-170245-968 O4 - HKCU\..\Run: [WinAntiSpyware 2007 Free] "c:\program files\winantispyware 2007\was7.exe" /min
    backup-20080623-112056-698 O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
    backup-20080623-112056-918 O2 - BHO: (no name) - {1F3E3626-F5DF-DF5D-8635-042D9551CB54} - C:\WINDOWS\system32\epooxgi.dll (file missing)
    backup-20080623-112057-238 O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
    backup-20080623-164800-628 O3 - Toolbar: (no name) - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - (no file)
    backup-20080623-164800-838 O20 - Winlogon Notify: regmsvc - C:\WINDOWS\system\regmsvc.dll (file missing)
    backup-20080623-164800-849 O2 - BHO: (no name) - {AA58ED58-01DD-4d91-8333-CF10577473F7} - (no file)
    backup-20080623-164800-994 O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_02\bin\ssv.dll (file missing)

    -- File Associations

    All associations okay.


    -- Drivers: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled

    S2 kirjtkkd66ca-5e8 - c:\windows\system32\kirjtkkd66ca-5e8.sys (file missing)


    -- Services: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled

    R2 Apple Mobile Device - "c:\program files\common files\apple\mobile device support\bin\applemobiledeviceservice.exe" <Not Verified; Apple, Inc.; Apple Mobile Device Service>
    R2 Bonjour Service - "c:\program files\bonjour\mdnsresponder.exe" <Not Verified; Apple Inc.; Bonjour>


    -- Device Manager: Disabled

    No disabled devices found.


    -- Process Modules

    C:\WINDOWS\system32\winlogon.exe (pid 648)
    2007-04-19 13:41:36 294912 --a
    C:\Program Files\SUPERAntiSpyware\SASWINLO.dll <Not Verified; SUPERAntiSpyware.com; SUPERAntiSpyware WinLogon Processor>

    C:\WINDOWS\explorer.exe (pid 1744)
    2008-05-13 10:13:36 77824 --a
    C:\Program Files\SUPERAntiSpyware\SASSEH.DLL <Not Verified; SuperAdBlocker.com; SuperAntiSpyware>


    -- Scheduled Tasks

    2008-06-17 17:43:00 284 --a
    C:\WINDOWS\Tasks\AppleSoftwareUpdate.job


    -- Files created between 2008-05-23 and 2008-06-23

    2008-06-23 16:31:23 2192 --a
    C:\WINDOWS\system32\tmp.reg
    2008-06-23 15:27:22 68096 --a
    C:\WINDOWS\zip.exe
    2008-06-23 15:27:22 49152 --a
    C:\WINDOWS\VFind.exe
    2008-06-23 15:27:22 161792 --a
    C:\WINDOWS\swreg.exe <Not Verified; SteelWerX; SteelWerX Registry Editor>
    2008-06-23 15:27:22 98816 --a
    C:\WINDOWS\sed.exe
    2008-06-23 15:27:22 80412 --a
    C:\WINDOWS\grep.exe
    2008-06-23 15:27:22 89504 --a
    C:\WINDOWS\fdsv.exe <Not Verified; Smallfrogs Studio; >
    2008-06-23 15:27:21 212480 --a
    C:\WINDOWS\swxcacls.exe <Not Verified; SteelWerX; SteelWerX Extended Configurator ACLists>
    2008-06-23 15:27:21 136704 --a
    C:\WINDOWS\swsc.exe <Not Verified; SteelWerX; SteelWerX Service Controller>
    2008-06-23 13:25:33 0 d
    C:\WINDOWS\ERUNT
    2008-06-23 11:47:56 0 d
    C:\Documents and Settings\All Users\Application Data\SUPERAntiSpyware.com
    2008-06-23 11:47:36 0 d
    C:\Program Files\SUPERAntiSpyware
    2008-06-23 11:47:36 0 d
    C:\Documents and Settings\Administrator\Application Data\SUPERAntiSpyware.com
    2008-06-23 11:47:24 0 d
    C:\Program Files\Common Files\Wise Installation Wizard
    2008-06-20 15:02:25 0 d--h
    C:\$AVG8.VAULT$
    2008-06-20 14:45:01 0 d
    C:\WINDOWS\system32\drivers\Avg
    2008-06-20 14:41:03 0 d
    C:\Documents and Settings\All Users\Application Data\Avg8
    2008-06-20 14:35:19 0 d
    C:\Documents and Settings\Administrator\Application Data\AVGTOOLBAR
    2008-06-20 14:35:11 0 d
    C:\Program Files\AVG
    2008-06-20 14:26:08 0 d
    C:\WINDOWS\pss
    2008-06-20 13:56:28 0 d--hs---- C:\WINDOWS\CSC
    2008-06-11 21:15:36 0 d
    C:\Program Files\Citrix
    2008-06-05 14:13:26 8704 --a
    C:\WINDOWS\system32\SpOrder.dll <Not Verified; Microsoft Corporation; Microsoft® Windows® Operating System>
    2008-06-03 12:55:59 0 d
    C:\Documents and Settings\Administrator\Application Data\System Doctor Free
    2008-06-03 12:45:51 0 d
    C:\Documents and Settings\All Users\Application Data\System Doctor Free


    -- Find3M Report

    2008-06-23 14:44:43 0 d
    C:\Program Files\Java
    2008-06-23 14:44:43 0 d
    C:\Program Files\Common Files
    2008-06-20 16:57:09 0 d
    C:\Documents and Settings\Administrator\Application Data\Mozilla
    2008-06-20 13:53:02 0 d
    C:\Program Files\Common Files\Download Manager
    2008-06-12 09:00:35 0 d
    C:\Program Files\NoAdware5.0
    2008-06-12 09:00:16 0 d
    C:\Program Files\BitLord
    2008-06-11 20:42:35 0 d
    C:\Program Files\LimeWire
    2008-06-11 20:30:16 0 d
    C:\Documents and Settings\Administrator\Application Data\Lavasoft
    2008-05-16 23:00:58 0 d
    C:\Program Files\USS
    2008-05-16 12:09:12 0 d
    C:\Documents and Settings\Administrator\Application Data\Adobe


    -- Registry Dump

    *Note* empty entries & legit default entries are not shown


    [HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{A057A204-BACC-4D26-9990-79A187E2698E}]
    20/06/2008 14:45 2050816 --a
    C:\PROGRA~1\AVG\AVG8\AVGTOO~1.DLL

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "srmclean"="C:\Cpqs\Scom\srmclean.exe" [24/07/2001 22:34]
    "SetRefresh"="C:\Program Files\Compaq\SetRefresh\SetRefresh.exe" [06/11/2003 14:22]
    "CONNECTScheduler"="C:\Program Files\Sony\CONNECTAutoUpdate\CONNECTScheduler.exe" [15/11/2005 03:54]
    "Sony Ericsson PC Suite"="C:\Program Files\Sony Ericsson\Mobile2\Application Launcher\Application Launcher.exe" [24/11/2006 01:06]
    "QuickTime Task"="C:\Program Files\QuickTime\QTTask.exe" [28/03/2008 23:37]
    "iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [30/03/2008 10:36]
    "AVG8_TRAY"="C:\PROGRA~1\AVG\AVG8\avgtray.exe" [20/06/2008 14:44]

    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [04/08/2004 09:00]
    "MsnMsgr"="C:\Program Files\MSN Messenger\MsnMsgr.exe" [19/01/2007 12:54]
    "Skype"="C:\Program Files\Skype\Phone\Skype.exe" [13/03/2006 11:43]
    "WMPNSCFG"="C:\Program Files\Windows Media Player\WMPNSCFG.exe" [18/10/2006 20:05]
    "SUPERAntiSpyware"="C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [28/05/2008 10:33]

    C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
    Adobe Reader Speed Launch.lnk - C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [23/09/2005 22:05:26]
    WinZip Quick Pick.lnk - C:\Program Files\WinZip\WZQKPICK.EXE [01/03/2006 19:54:24]

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
    "HideLegacyLogonScripts"=0 (0x0)
    "HideLogoffScripts"=0 (0x0)
    "RunLogonScriptSync"=1 (0x1)
    "RunStartupScriptSync"=0 (0x0)
    "HideStartupScripts"=0 (0x0)

    [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]
    "HideLegacyLogonScripts"=0 (0x0)
    "HideLogoffScripts"=0 (0x0)
    "RunLogonScriptSync"=1 (0x1)
    "RunStartupScriptSync"=0 (0x0)
    "HideStartupScripts"=0 (0x0)

    [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
    "NoLowDiskSpaceChecks"=1 (0x1)

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
    "{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= C:\Program Files\SUPERAntiSpyware\SASSEH.DLL [13/05/2008 10:13 77824]

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
    C:\Program Files\SUPERAntiSpyware\SASWINLO.dll 19/04/2007 13:41 294912 C:\Program Files\SUPERAntiSpyware\SASWINLO.dll

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\GoToAssist Express Customer]
    C:\Program Files\Citrix\GoToAssist Express Customer\86\g2ax_winlogon.dll 11/06/2008 21:15 45368 C:\Program Files\Citrix\GoToAssist Express Customer\86\g2ax_winlogon.dll

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
    "appinit_dlls"=avgrsstx.dll




    -- End of Deckard's System Scanner: finished at 2008-06-23 17:02:53




    extra.txt

    Deckard's System Scanner v20071014.68
    Extra logfile - please post this as an attachment with your post.

    -- System Information

    Microsoft Windows XP Professional (build 2600) SP 2.0
    Architecture: X86; Language: English

    CPU 0: Intel(R) Pentium(R) 4 CPU 2.80GHz
    Percentage of Memory in Use: 32%
    Physical Memory (total/avail): 1270.8 MiB / 861.58 MiB
    Pagefile Memory (total/avail): 1498.25 MiB / 1170.84 MiB
    Virtual Memory (total/avail): 2047.88 MiB / 1911.23 MiB

    A: is Removable (No Media)
    C: is Fixed (NTFS) - 74.52 GiB total, 54.53 GiB free.
    D: is CDROM (No Media)

    \\.\PHYSICALDRIVE0 - ST380011A - 74.53 GiB - 1 partition
    \PARTITION0 (bootable) - Installable File System - 74.52 GiB - C:



    -- Security Center

    AUOptions is scheduled to auto-install.
    Windows Internal Firewall is enabled.

    AV: AVG Anti-Virus Free v8.0 (AVG Technologies) Outdated

    [HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List]
    "%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
    "C:\\Program Files\\MSN Messenger\\msnmsgr.exe"="C:\\Program Files\\MSN Messenger\\msnmsgr.exe:*:Enabled:Windows Live Messenger 8.1"
    "C:\\Program Files\\MSN Messenger\\livecall.exe"="C:\\Program Files\\MSN Messenger\\livecall.exe:*:Enabled:Windows Live Messenger 8.1 (Phone)"
    "%windir%\\Network Diagnostic\\xpnetdiag.exe"="%windir%\\Network Diagnostic\\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"

    [HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]
    "%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
    "C:\\Program Files\\Messenger\\msmsgs.exe"="C:\\Program Files\\Messenger\\msmsgs.exe:*:Enabled:Windows Messenger"
    "C:\\Program Files\\MSN Messenger\\msnmsgr.exe"="C:\\Program Files\\MSN Messenger\\msnmsgr.exe:*:Enabled:Windows Live Messenger 8.1"
    "C:\\Program Files\\MSN Messenger\\livecall.exe"="C:\\Program Files\\MSN Messenger\\livecall.exe:*:Enabled:Windows Live Messenger 8.1 (Phone)"
    "%windir%\\Network Diagnostic\\xpnetdiag.exe"="%windir%\\Network Diagnostic\\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"
    "C:\\Program Files\\iTunes\\iTunes.exe"="C:\\Program Files\\iTunes\\iTunes.exe:*:Enabled:iTunes"
    "C:\\Program Files\\Bonjour\\mDNSResponder.exe"="C:\\Program Files\\Bonjour\\mDNSResponder.exe:*:Disabled:Bonjour"
    "C:\\Program Files\\AVG\\AVG8\\avgupd.exe"="C:\\Program Files\\AVG\\AVG8\\avgupd.exe:*:Enabled:avgupd.exe"
    "C:\\Program Files\\Skype\\Phone\\Skype.exe"="C:\\Program Files\\Skype\\Phone\\Skype.exe:*:Enabled:Skype"


    -- Environment Variables

    ALLUSERSPROFILE=C:\Documents and Settings\All Users
    APPDATA=C:\Documents and Settings\Administrator\Application Data
    CLASSPATH=.;C:\Program Files\Java\jre1.5.0_06\lib\ext\QTJava.zip
    CLIENTNAME=Console
    CommonProgramFiles=C:\Program Files\Common Files
    COMPUTERNAME=HP_KAY
    ComSpec=C:\WINDOWS\system32\cmd.exe
    DEFAULT_CA_NR=CA8
    FP_NO_HOST_CHECK=NO
    HOMEDRIVE=C:
    HOMEPATH=\Documents and Settings\Administrator
    LOGONSERVER=\\HP_KAY
    NUMBER_OF_PROCESSORS=1
    OS=Windows_NT
    Path=C:\WINDOWS\system32;C:\WINDOWS;C:\WINDOWS\system32\wbem;C:\Program Files\Common Files\Teleca Shared;C:\Program Files\QuickTime\QTSystem
    PATHEXT=.COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH
    PROCESSOR_ARCHITECTURE=x86
    PROCESSOR_IDENTIFIER=x86 Family 15 Model 4 Stepping 1, GenuineIntel
    PROCESSOR_LEVEL=15
    PROCESSOR_REVISION=0401
    ProgramFiles=C:\Program Files
    PROMPT=$P$G
    QTJAVA=C:\Program Files\Java\jre1.5.0_06\lib\ext\QTJava.zip
    SESSIONNAME=Console
    SystemDrive=C:
    SystemRoot=C:\WINDOWS
    TEMP=C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp
    TMP=C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp
    USERDOMAIN=HP_KAY
    USERNAME=Administrator
    USERPROFILE=C:\Documents and Settings\Administrator
    windir=C:\WINDOWS


    -- User Profiles

    Administrator (admin)


    -- Add/Remove Programs

    --> rundll32.exe setupapi.dll,InstallHinfSection DefaultUninstall 132 C:\WINDOWS\INF\PCHealth.inf
    Adobe Atmosphere Player for Acrobat and Adobe Reader --> C:\WINDOWS\atmoUn.exe
    Adobe Flash Player ActiveX --> C:\WINDOWS\system32\Macromed\Flash\uninstall_activeX.exe
    Adobe Reader 7.0.9 --> MsiExec.exe /I{AC76BA86-7AD7-1033-7B44-A70900000002}
    Apple Mobile Device Support --> MsiExec.exe /I{44734179-8A79-4DEE-BB08-73037F065543}
    Apple Software Update --> MsiExec.exe /I{B74F042E-E1B9-4A5B-8D46-387BB172F0A4}
    AVG Free 8.0 --> C:\Program Files\AVG\AVG8\setup.exe /UNINSTALL
    Bebo - Skype 2.0 --> "C:\Program Files\Skype\Phone\unins000.exe"
    Bonjour --> MsiExec.exe /I{47BF1BD6-DCAC-468F-A0AD-E5DECC2211C3}
    CONNECT Auto Update --> C:\Program Files\Sony\CONNECTAutoUpdate\Uninstall.exe
    CONNECT Player --> MsiExec.exe /X{EC62DAEB-05E7-46FF-8867-FEBE00DBD790}
    CONNECT Player Language Pack --> MsiExec.exe /X{DC986B2B-DAE4-43E1-A00A-74044CFB6EA4}
    Disc2Phone --> MsiExec.exe /I{FFAB5ABB-8AAB-42E2-847F-1743E51E01E9}
    DivX Codec --> C:\Program Files\DivX\DivXCodecUninstall.exe /CODEC
    DivX Content Uploader --> C:\Program Files\DivX\DivXContentUploaderUninstall.exe /CUPLOADER
    DivX Player --> C:\Program Files\DivX\DivXPlayerUninstall.exe /PLAYER
    DivX Web Player --> C:\Program Files\DivX\DivXWebPlayerUninstall.exe /PLUGIN
    ErrorSafe Additional Feature --> rundll32.exe C:\WINDOWS\system\regmsvc.dll,Uninstall
    ERS_Update 1.0.4.2 --> "C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\is-3HL13.tmp\ERS_Update\unins000.exe"
    Google Earth --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\10\01\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{3DE5E7D4-7B88-403C-A3FD-2017A8240C5B}\setup.exe" -l0x9 -removeonly
    Google Toolbar for Internet Explorer --> regsvr32 /u /s "c:\program files\google\googletoolbar3.dll"
    GoToAssist Express Customer 1.0.0.86 --> "C:\Program Files\Citrix\GoToAssist Express Customer\86\g2ax_uninstallercustomer.exe" /uninstall "/ResourceDll g2ax_customer_resource_win32_x86_en-us_86.dll"
    HighMAT Extension to Microsoft Windows XP CD Writing Wizard --> MsiExec.exe /X{FCE65C4E-B0E8-4FBD-AD16-EDCBE6CD591F}
    HijackThis 2.0.2 --> "C:\Documents and Settings\Administrator\Desktop\HijackThis.exe" /uninstall
    Hotfix for Windows Media Format 11 SDK (KB929399) --> "C:\WINDOWS\$NtUninstallKB929399$\spuninst\spuninst.exe"
    Intel(R) Extreme Graphics 2 Driver --> RUNDLL32.EXE C:\WINDOWS\system32\ialmrem.dll,UninstallW2KIGfx PCI\VEN_8086&DEV_2572
    Intel(R) PRO Network Adapters and Drivers --> Prounstl.exe
    iPod for Windows 2005-10-12 --> C:\Program Files\Common Files\InstallShield\Driver\8\Intel 32\IDriver.exe /M{D9F4A9F8-92C5-4289-9D04-F0F8F02D580A} /l1033
    iPod for Windows 2006-01-10 --> C:\Program Files\Common Files\InstallShield\Driver\8\Intel 32\IDriver.exe /M{3D047C15-C859-45F7-81CE-F2681778069B} /l1033
    iTunes --> MsiExec.exe /I{585776BC-4BD6-4BD2-A19A-1D6CB44A403B}
    Macromedia Flash Player 8 --> RunDll32 advpack.dll,LaunchINFSection C:\WINDOWS\INF\swflash.inf,DefaultUninstall,5
    Microsoft Compression Client Pack 1.0 for Windows XP --> "C:\WINDOWS\$NtUninstallMSCompPackV1$\spuninst\spuninst.exe"
    Microsoft Office Professional Edition 2003 --> MsiExec.exe /I{91110409-6000-11D3-8CFE-0150048383C9}
    Microsoft User-Mode Driver Framework Feature Pack 1.0 --> "C:\WINDOWS\$NtUninstallWudf01000$\spuninst\spuninst.exe"
    Microsoft Visual C++ 2005 Redistributable --> MsiExec.exe /X{7299052b-02a4-4627-81f2-1818da5d550d}
    Microsoft Windows Journal Viewer --> MsiExec.exe /X{43DCF766-6838-4F9A-8C91-D92DA586DFA7}
    Mozilla Firefox (3.0) --> C:\Program Files\Mozilla Firefox\uninstall\helper.exe
    MP4 Converter 1.0 --> "C:\Program Files\MP4 Converter\unins000.exe"
    MSN Toolbar --> C:\Program Files\MSN Apps\MSN Toolbar\01.02.5000.1021\en-gb\mtbs.exe c
    OpenMG Secure Module 4.3.00 --> C:\PROGRA~1\COMMON~1\INSTAL~1\Driver\9\INTEL3~1\IDriver.exe /M{F5E4C38C-73BC-4D44-8BFC-969C2B4DABCA} UNINSTALL
    QuickTime --> MsiExec.exe /I{1838C5A2-AB32-4145-85C1-BB9B8DFA24CD}
    Sony Ericsson PC Suite --> MsiExec.exe /I{FC906D5C-91F9-4DA4-A765-6DCBB669F317}
    SoundMAX --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{F0A37341-D692-11D4-A984-009027EC0A9C}\SETUP.EXE"
    SUPERAntiSpyware Free Edition --> MsiExec.exe /X{CDDCBBF1-2703-46BC-938B-BCC81A1EEAAA}
    USS_USSPlugin 2.0.15.1 --> "C:\Program Files\USS\{20CF7FD9-6C26-450b-BC5B-B4AD67438A26}\unins000.exe"
    USS_USSPlugin 2.0.15.1 --> "C:\Program Files\USS\unins000.exe"
    VideoEgg Publisher --> C:\Documents and Settings\Administrator\Application Data\VideoEgg\Uninstall.exe
    Windows Defender Signatures --> MsiExec.exe /I{A5CC2A09-E9D3-49EC-923D-03874BBD4C2C}
    Windows Live Messenger --> MsiExec.exe /I{571700F0-DB9D-4B3A-B03D-35A14BB5939F}
    Windows Media Format 11 runtime --> "C:\WINDOWS\$NtUninstallWMFDist11$\spuninst\spuninst.exe"
    WinZip --> "C:\Program Files\WinZip\WINZIP32.EXE" /uninstall
    Yahoo! Toolbar --> C:\PROGRA~1\Yahoo!\Common\unyt.exe


    -- Application Event Log

    Event Record #/Type2540 / Error
    Event Submitted/Written: 06/23/2008 05:02:39 PM
    Event ID/Source: 8 / crypt32
    Event Description:
    Failed auto update retrieval of third-party root list sequence number from: <http://www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootseq.txt> with error: This operation returned because the timeout period expired.

    Event Record #/Type2539 / Error
    Event Submitted/Written: 06/23/2008 04:58:00 PM
    Event ID/Source: 8 / crypt32
    Event Description:
    Failed auto update retrieval of third-party root list sequence number from: <http://www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootseq.txt> with error: The specified server cannot perform the requested operation.

    Event Record #/Type2538 / Error
    Event Submitted/Written: 06/23/2008 04:58:00 PM
    Event ID/Source: 8 / crypt32
    Event Description:
    Failed auto update retrieval of third-party root list sequence number from: <http://www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootseq.txt> with error: This operation returned because the timeout period expired.

    Event Record #/Type2537 / Error
    Event Submitted/Written: 06/23/2008 04:51:02 PM
    Event ID/Source: 8 / crypt32
    Event Description:
    Failed auto update retrieval of third-party root list sequence number from: <http://www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootseq.txt> with error: This operation returned because the timeout period expired.

    Event Record #/Type2536 / Error
    Event Submitted/Written: 06/23/2008 04:50:30 PM
    Event ID/Source: 8 / crypt32
    Event Description:
    Failed auto update retrieval of third-party root list sequence number from: <http://www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootseq.txt> with error: This operation returned because the timeout period expired.



    -- Security Event Log

    No Errors/Warnings found.


    -- System Event Log

    Event Record #/Type9211 / Error
    Event Submitted/Written: 06/23/2008 04:36:13 PM
    Event ID/Source: 7000 / Service Control Manager
    Event Description:
    The kirjtkkd66ca-5e8 service failed to start due to the following error:
    %%2

    Event Record #/Type9206 / Error
    Event Submitted/Written: 06/23/2008 04:35:12 PM
    Event ID/Source: 10005 / DCOM
    Event Description:
    DCOM got error "%%1084" attempting to start the service EventSystem with arguments ""
    in order to run the server:
    {1BE1F766-5536-11D1-B726-00C04FB926AF}

    Event Record #/Type9202 / Error
    Event Submitted/Written: 06/23/2008 04:29:09 PM
    Event ID/Source: 7026 / Service Control Manager
    Event Description:
    The following boot-start or system-start driver(s) failed to load:
    AvgLdx86
    AvgMfx86
    Fips
    intelppm
    SASDIFSV
    SASKUTIL

    Event Record #/Type9201 / Error
    Event Submitted/Written: 06/23/2008 04:28:19 PM
    Event ID/Source: 10005 / DCOM
    Event Description:
    DCOM got error "%%1084" attempting to start the service EventSystem with arguments ""
    in order to run the server:
    {1BE1F766-5536-11D1-B726-00C04FB926AF}

    Event Record #/Type9175 / Error
    Event Submitted/Written: 06/23/2008 03:49:11 PM
    Event ID/Source: 7000 / Service Control Manager
    Event Description:
    The kirjtkkd66ca-5e8 service failed to start due to the following error:
    %%2



    -- End of Deckard's System Scanner: finished at 2008-06-23 17:02:53



  • Closed Accounts Posts: 1,970 ✭✭✭ActorSeeksJob


    You shouldn't run tools like ComboFix yourself; it is too dangerous.

    Please click on Start > Control Panel > Add/Remove Programs and uninstall the following programs (if present):

    ErrorSafe Additional Feature
    ERS_Update 1.0.4.2
    USS_USSPlugin 2.0.15.1





    Please download the OTMoveIt2 by OldTimer.
    • Save it to your desktop.
    • Please double-click OTMoveIt2.exe to run it.
    • Copy the file paths below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose Copy):
      [kill explorer]
      C:\Program Files\Ultimate Cleaner
      C:\Program Files\System Doctor Free
      C:\Program Files\SpyNoMore
      C:\Program Files\USS
      c:\program files\winantispyware 2007
      C:\Documents and Settings\Administrator\Application Data\System Doctor Free
      C:\Documents and Settings\All Users\Application Data\System Doctor Free
      C:\Program Files\NoAdware5.0
      HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\kirjtkkd66ca-5e8
      purity 
      EmptyTemp
      [start explorer]
      
    • Return to OTMoveIt2, right click in the "Paste List of Files/Folders to Move" window (under the light Yellow bar) and choose Paste.
    • Click the red Moveit! button.
    • A log of files and folders moved will be created in the c:\_OTMoveIt\MovedFiles folder in the form of Date and Time (mmddyyyy_hhmmss.log). Please open this log in Notepad and post its contents in your next reply.
    • Close OTMoveIt2
    If a file or folder cannot be moved immediately you may be asked to reboot the machine to finish the move process. If you are asked to reboot the machine choose Yes.



    Reboot and post a new DSS log
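
The script below is an added illustration of the triage being done by hand in the post above; it is not part of this thread, nor of HijackThis, DSS or OTMoveIt2. The pattern it applies is the one the log shows: an autostart entry or service whose image file is gone (the `(file missing)` BHOs and Winlogon Notify entry already fixed through HijackThis, and the `kirjtkkd66ca-5e8` driver whose .sys no longer exists, which is why its service key is on the OTMoveIt2 list) is a leftover that Windows still tries to load at every boot and whose registry key should be removed. The function names (`parse_line`, `triage`, `otmoveit_script`) are my own; the sample lines are copied from the logs posted in this thread; the `[kill explorer]`, `EmptyTemp` and `[start explorer]` directives are the ones used in the post above (the `purity` directive is deliberately left out). The "Unknown owner" flag is simply HijackThis's own label on O23 lines, surfaced for review rather than removal.

```python
"""Triage HijackThis / DSS log lines for orphaned autostart entries.

Added example for this thread; not part of HijackThis, DSS or OTMoveIt2.
An autostart or service entry whose image file no longer exists is a leftover
that is still loaded (or attempted) at every boot; its registry key should go.
"""
import re

# Sample lines copied from the logs posted in this thread (a small subset).
SAMPLE_LOG = r"""
O2 - BHO: (no name) - {92335157-984B-4692-8405-530335CA9F27} - C:\WINDOWS\system32\vbdaoxdk.dll (file missing)
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: AVG Security Toolbar - {A057A204-BACC-4D26-9990-79A187E2698E} - C:\PROGRA~1\AVG\AVG8\AVGTOO~1.DLL
O20 - Winlogon Notify: regmsvc - C:\WINDOWS\system\regmsvc.dll (file missing)
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: GoToAssist Express Customer - Unknown owner - C:\Program Files\Citrix\GoToAssist Express Customer\86\g2ax_service.exe
S2 kirjtkkd66ca-5e8 - c:\windows\system32\kirjtkkd66ca-5e8.sys (file missing)
R2 Bonjour Service - "c:\program files\bonjour\mdnsresponder.exe" <Not Verified; Apple Inc.; Bonjour>
"""

# HijackThis lines: "O<n> - <entry>".
HJT_RE = re.compile(r"^(O\d+) - (.*)$")
# DSS "Drivers"/"Services" lines: R/S state, start type 0-4, name, " - ", image path,
# optional "<signer info>" at the end. Names may contain spaces but never start with "-".
DSS_RE = re.compile(r"^([RS])([0-4]) ([^\s-].*?) - (.+?)(?: <(.*)>)?$")
MISSING_MARKERS = ("(file missing)", "(no file)")


def _strip_markers(path):
    for marker in MISSING_MARKERS:
        path = path.replace(marker, "")
    return path.strip()


def parse_line(line):
    """Return a dict describing one log line, or None for lines we do not triage."""
    line = line.strip()
    m = HJT_RE.match(line)
    if m:
        section, entry = m.groups()
        head = entry.split(" - ", 1)[0]            # e.g. "Winlogon Notify: regmsvc"
        name = head.split(": ", 1)[1] if ": " in head else head
        path = entry.rsplit(" - ", 1)[-1]          # last field is the on-disk path
        return {
            "source": "hijackthis",
            "section": section,
            "name": name,
            "path": _strip_markers(path),
            "orphaned": any(mk in entry for mk in MISSING_MARKERS),
            # HijackThis prints "Unknown owner" when the O23 service binary has no version info.
            "unknown_owner": section == "O23" and "- Unknown owner -" in entry,
        }
    m = DSS_RE.match(line)
    if m:
        state, start, name, path, signer = m.groups()
        return {
            "source": "dss",
            "section": state + start,
            "name": name,
            "path": _strip_markers(path),
            "orphaned": "(file missing)" in path,
            "unknown_owner": False,
            "signer": signer,
        }
    return None


def triage(log_text):
    """Return the parsed entries worth acting on: orphaned, or a service with unknown owner."""
    findings = []
    for raw in log_text.splitlines():
        if not raw.strip():
            continue
        entry = parse_line(raw)
        if entry and (entry["orphaned"] or entry["unknown_owner"]):
            findings.append(entry)
    return findings


def otmoveit_script(findings):
    """Build an OTMoveIt2-style list: service keys whose driver/service file is gone.

    HijackThis-side orphans (O2/O3/O20) are left to HijackThis itself, as in the
    thread; only DSS driver/service orphans become registry-key lines here.
    """
    lines = ["[kill explorer]"]
    for f in findings:
        if f["source"] == "dss" and f["orphaned"]:
            lines.append(r"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services" + "\\" + f["name"])
    lines += ["EmptyTemp", "[start explorer]"]
    return "\n".join(lines)


if __name__ == "__main__":
    found = triage(SAMPLE_LOG)
    for f in found:
        why = "file missing" if f["orphaned"] else "unknown owner"
        print(f"{f['section']:<4} {f['name']:<30} {why:<13} {f['path']}")
    print()
    print(otmoveit_script(found))
```

Run against the sample it reports the four orphaned entries and the one unknown-owner service, and the generated list contains exactly the `HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\kirjtkkd66ca-5e8` line used in the post. Paths with `(file missing)` are only a signal, not proof of malware: an unsigned service with an existing binary (the GoToAssist one here) still needs a human look before anything is deleted.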


  • Registered Users, Registered Users 2 Posts: 353 ✭✭simonp1


    Hi Actorseeksjob

    I know I shouldn't, but you know yourself, had to try!!

    Anyway, last instructions completed:

    [kill explorer]
    C:\Program Files\Ultimate Cleaner
    C:\Program Files\System Doctor Free
    C:\Program Files\SpyNoMore
    C:\Program Files\USS
    c:\program files\winantispyware 2007
    C:\Documents and Settings\Administrator\Application Data\System Doctor Free
    C:\Documents and Settings\All Users\Application Data\System Doctor Free
    C:\Program Files\NoAdware5.0
    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\kirjtkkd66ca-5e8
    purity
    EmptyTemp
    [start explorer]


    And DSS

    Deckard's System Scanner v20071014.68
    Run by Administrator on 2008-06-24 09:49:41
    Computer is in Normal Mode.



    -- HijackThis (run as Administrator.exe)

    Logfile of Trend Micro HijackThis v2.0.2
    Scan saved at 09:49:43, on 24/06/2008
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v7.00 (7.00.6000.16674)
    Boot mode: Normal

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
    C:\WINDOWS\Explorer.EXE
    C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
    C:\Program Files\Bonjour\mDNSResponder.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
    C:\Program Files\Sony\CONNECTAutoUpdate\CONNECTScheduler.exe
    C:\Program Files\Sony Ericsson\Mobile2\Application Launcher\Application Launcher.exe
    C:\Program Files\QuickTime\QTTask.exe
    C:\Program Files\iTunes\iTunesHelper.exe
    C:\PROGRA~1\AVG\AVG8\avgtray.exe
    C:\WINDOWS\system32\ctfmon.exe
    C:\Program Files\MSN Messenger\MsnMsgr.Exe
    C:\Program Files\Skype\Phone\Skype.exe
    C:\Program Files\Windows Media Player\WMPNSCFG.exe
    C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
    C:\Program Files\WinZip\WZQKPICK.EXE
    C:\PROGRA~1\AVG\AVG8\avgrsx.exe
    C:\Program Files\Common Files\Teleca Shared\Generic.exe
    C:\Program Files\iPod\bin\iPodService.exe
    C:\WINDOWS\system32\wscntfy.exe
    C:\Program Files\Sony Ericsson\Mobile2\Mobile Phone Monitor\epmworker.exe
    C:\Documents and Settings\Administrator\Desktop\dss.exe
    C:\DOCUME~1\ADMINI~1\Desktop\ADMINI~1.EXE

    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
    O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
    O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
    O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG8\avgssie.dll
    O2 - BHO: ST - {9394EDE7-C8B5-483E-8773-474BF36AF6E4} - C:\Program Files\MSN Apps\ST\01.03.0000.1005\en-xu\stmain.dll
    O2 - BHO: AVG Security Toolbar - {A057A204-BACC-4D26-9990-79A187E2698E} - C:\PROGRA~1\AVG\AVG8\AVGTOO~1.DLL
    O2 - BHO: MSNToolBandBHO - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Apps\MSN Toolbar\01.02.5000.1021\en-gb\msntb.dll
    O3 - Toolbar: MSN - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Apps\MSN Toolbar\01.02.5000.1021\en-gb\msntb.dll
    O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
    O3 - Toolbar: AVG Security Toolbar - {A057A204-BACC-4D26-9990-79A187E2698E} - C:\PROGRA~1\AVG\AVG8\AVGTOO~1.DLL
    O4 - HKLM\..\Run: [srmclean] C:\Cpqs\Scom\srmclean.exe
    O4 - HKLM\..\Run: [SetRefresh] C:\Program Files\Compaq\SetRefresh\SetRefresh.exe
    O4 - HKLM\..\Run: [CONNECTScheduler] "C:\Program Files\Sony\CONNECTAutoUpdate\CONNECTScheduler.exe" /RUN_SCHEDULER
    O4 - HKLM\..\Run: [Sony Ericsson PC Suite] "C:\Program Files\Sony Ericsson\Mobile2\Application Launcher\Application Launcher.exe" /startoptions
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
    O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
    O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe
    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
    O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
    O4 - HKCU\..\Run: [Skype] "C:\Program Files\Skype\Phone\Skype.exe" /nosplash /minimized
    O4 - HKCU\..\Run: [WMPNSCFG] C:\Program Files\Windows Media Player\WMPNSCFG.exe
    O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
    O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
    O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
    O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
    O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
    O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar3.dll/cmsearch.html
    O8 - Extra context menu item: &Search - http://kl.bar.need2find.com/KL/menusearch.html?p=KL
    O8 - Extra context menu item: &Translate English Word - res://c:\program files\google\GoogleToolbar3.dll/cmwordtrans.html
    O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar3.dll/cmbacklinks.html
    O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar3.dll/cmcache.html
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
    O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar3.dll/cmsimilar.html
    O8 - Extra context menu item: Translate Page into English - res://c:\program files\google\GoogleToolbar3.dll/cmtrans.html
    O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll
    O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
    O16 - DPF: {215B8138-A3CF-44C5-803F-8226143CFC0A} (Trend Micro ActiveX Scan Agent 6.6) - http://housecall65.trendmicro.com/housecall/applet/html/native/x86/win32/activex/hcImpl.cab
    O16 - DPF: {5F8469B4-B055-49DD-83F7-62B522420ECC} (Facebook Photo Uploader Control) - http://upload.facebook.com/controls/FacebookPhotoUploader.cab
    O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.com/v5consumer/V5Controls/en/x86/client/wuweb_site.cab?1111094126812
    O16 - DPF: {AF2E62B6-F9E1-4D4F-A10A-9DC8E6DCBCC0} (VideoEgg ActiveX Loader) - http://update.videoegg.com/Install/Windows/Initial/VideoEggPublisher.exe
    O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/MsnMessengerSetupDownloader.cab
    O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll
    O20 - AppInit_DLLs: avgrsstx.dll
    O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
    O20 - Winlogon Notify: GoToAssist Express Customer - C:\Program Files\Citrix\GoToAssist Express Customer\86\g2ax_winlogon.dll
    O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
    O23 - Service: AVG8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
    O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
    O23 - Service: GoToAssist Express Customer - Unknown owner - C:\Program Files\Citrix\GoToAssist Express Customer\86\g2ax_service.exe
    O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1150\Intel 32\IDriverT.exe
    O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
    O23 - Service: MSCSPTISRV - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\MSCSPTISRV.exe
    O23 - Service: PACSPTISVR - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\PACSPTISVR.exe
    O23 - Service: Sony SCSI Helper Service - Sony Corporation - C:\Program Files\Common Files\Sony Shared\Fsk\SonySCSIHelperService.exe
    O23 - Service: Sony SPTI Service (SPTISRV) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\SPTISRV.exe

    --
    End of file - 8134 bytes

    -- Files created between 2008-05-24 and 2008-06-24

    2008-06-23 16:31:23 2192 --a------ C:\WINDOWS\system32\tmp.reg
    2008-06-23 15:27:22 68096 --a------ C:\WINDOWS\zip.exe
    2008-06-23 15:27:22 49152 --a------ C:\WINDOWS\VFind.exe
    2008-06-23 15:27:22 161792 --a------ C:\WINDOWS\swreg.exe <Not Verified; SteelWerX; SteelWerX Registry Editor>
    2008-06-23 15:27:22 98816 --a------ C:\WINDOWS\sed.exe
    2008-06-23 15:27:22 80412 --a------ C:\WINDOWS\grep.exe
    2008-06-23 15:27:22 89504 --a------ C:\WINDOWS\fdsv.exe <Not Verified; Smallfrogs Studio; >
    2008-06-23 15:27:21 212480 --a------ C:\WINDOWS\swxcacls.exe <Not Verified; SteelWerX; SteelWerX Extended Configurator ACLists>
    2008-06-23 15:27:21 136704 --a------ C:\WINDOWS\swsc.exe <Not Verified; SteelWerX; SteelWerX Service Controller>
    2008-06-23 13:25:33 0 d-------- C:\WINDOWS\ERUNT
    2008-06-23 11:47:56 0 d-------- C:\Documents and Settings\All Users\Application Data\SUPERAntiSpyware.com
    2008-06-23 11:47:36 0 d-------- C:\Program Files\SUPERAntiSpyware
    2008-06-23 11:47:36 0 d-------- C:\Documents and Settings\Administrator\Application Data\SUPERAntiSpyware.com
    2008-06-23 11:47:24 0 d-------- C:\Program Files\Common Files\Wise Installation Wizard
    2008-06-20 15:02:25 0 d--h----- C:\$AVG8.VAULT$
    2008-06-20 14:45:01 0 d-------- C:\WINDOWS\system32\drivers\Avg
    2008-06-20 14:41:03 0 d-------- C:\Documents and Settings\All Users\Application Data\Avg8
    2008-06-20 14:35:19 0 d-------- C:\Documents and Settings\Administrator\Application Data\AVGTOOLBAR
    2008-06-20 14:35:11 0 d-------- C:\Program Files\AVG
    2008-06-20 14:26:08 0 d-------- C:\WINDOWS\pss
    2008-06-20 13:56:28 0 d--hs---- C:\WINDOWS\CSC
    2008-06-11 21:15:36 0 d-------- C:\Program Files\Citrix
    2008-06-05 14:13:26 8704 --a------ C:\WINDOWS\system32\SpOrder.dll <Not Verified; Microsoft Corporation; Microsoft® Windows® Operating System>


    -- Find3M Report

    2008-06-23 14:44:43 0 d-------- C:\Program Files\Java
    2008-06-23 14:44:43 0 d-------- C:\Program Files\Common Files
    2008-06-20 16:57:09 0 d-------- C:\Documents and Settings\Administrator\Application Data\Mozilla
    2008-06-20 13:53:02 0 d-------- C:\Program Files\Common Files\Download Manager
    2008-06-12 09:00:16 0 d-------- C:\Program Files\BitLord
    2008-06-11 20:42:35 0 d-------- C:\Program Files\LimeWire
    2008-06-11 20:30:16 0 d-------- C:\Documents and Settings\Administrator\Application Data\Lavasoft
    2008-05-16 12:09:12 0 d-------- C:\Documents and Settings\Administrator\Application Data\Adobe


    -- Registry Dump

    *Note* empty entries & legit default entries are not shown


    [HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{A057A204-BACC-4D26-9990-79A187E2698E}]
    20/06/2008 14:45 2050816 --a------ C:\PROGRA~1\AVG\AVG8\AVGTOO~1.DLL

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "srmclean"="C:\Cpqs\Scom\srmclean.exe" [24/07/2001 22:34]
    "SetRefresh"="C:\Program Files\Compaq\SetRefresh\SetRefresh.exe" [06/11/2003 14:22]
    "CONNECTScheduler"="C:\Program Files\Sony\CONNECTAutoUpdate\CONNECTScheduler.exe" [15/11/2005 03:54]
    "Sony Ericsson PC Suite"="C:\Program Files\Sony Ericsson\Mobile2\Application Launcher\Application Launcher.exe" [24/11/2006 01:06]
    "QuickTime Task"="C:\Program Files\QuickTime\QTTask.exe" [28/03/2008 23:37]
    "iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [30/03/2008 10:36]
    "AVG8_TRAY"="C:\PROGRA~1\AVG\AVG8\avgtray.exe" [20/06/2008 14:44]

    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [04/08/2004 09:00]
    "MsnMsgr"="C:\Program Files\MSN Messenger\MsnMsgr.exe" [19/01/2007 12:54]
    "Skype"="C:\Program Files\Skype\Phone\Skype.exe" [13/03/2006 11:43]
    "WMPNSCFG"="C:\Program Files\Windows Media Player\WMPNSCFG.exe" [18/10/2006 20:05]
    "SUPERAntiSpyware"="C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [28/05/2008 10:33]

    C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
    Adobe Reader Speed Launch.lnk - C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [23/09/2005 22:05:26]
    WinZip Quick Pick.lnk - C:\Program Files\WinZip\WZQKPICK.EXE [01/03/2006 19:54:24]

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
    "HideLegacyLogonScripts"=0 (0x0)
    "HideLogoffScripts"=0 (0x0)
    "RunLogonScriptSync"=1 (0x1)
    "RunStartupScriptSync"=0 (0x0)
    "HideStartupScripts"=0 (0x0)

    [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]
    "HideLegacyLogonScripts"=0 (0x0)
    "HideLogoffScripts"=0 (0x0)
    "RunLogonScriptSync"=1 (0x1)
    "RunStartupScriptSync"=0 (0x0)
    "HideStartupScripts"=0 (0x0)

    [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
    "NoLowDiskSpaceChecks"=1 (0x1)

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
    "{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= C:\Program Files\SUPERAntiSpyware\SASSEH.DLL [13/05/2008 10:13 77824]

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
    C:\Program Files\SUPERAntiSpyware\SASWINLO.dll 19/04/2007 13:41 294912 C:\Program Files\SUPERAntiSpyware\SASWINLO.dll

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\GoToAssist Express Customer]
    C:\Program Files\Citrix\GoToAssist Express Customer\86\g2ax_winlogon.dll 11/06/2008 21:15 45368 C:\Program Files\Citrix\GoToAssist Express Customer\86\g2ax_winlogon.dll

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
    "appinit_dlls"=avgrsstx.dll




    -- End of Deckard's System Scanner: finished at 2008-06-24 09:50:05

    Regards

    Simon
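    As an added example, not part of this thread and not a tool any of the posters used: a small Python parser for HijackThis O-lines like the ones in the log above, with a few defender-side triage rules (unidentified O10 Winsock LSP entries, O8 context-menu items that point at a remote URL rather than a local res:// resource, O16 downloaded ActiveX controls, the O20 AppInit_DLLs injection point, and O23 services with no readable publisher). The sample log lines are copied from the log above; the `Entry`/`Finding` names and the choice of rules are assumptions of this example and deliberately conservative, so a flagged line is a prompt for a human to look, not a malware verdict.

```python
import re
from dataclasses import dataclass

# Constructed sample input: eight lines copied in shape from the HijackThis
# log in this thread (paths and CLSIDs are the ones shown above).
SAMPLE_LOG = r"""
O4 - HKCU\..\Run: [Skype] "C:\Program Files\Skype\Phone\Skype.exe" /nosplash /minimized
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar3.dll/cmsearch.html
O8 - Extra context menu item: &Search - http://kl.bar.need2find.com/KL/menusearch.html?p=KL
O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll
O16 - DPF: {AF2E62B6-F9E1-4D4F-A10A-9DC8E6DCBCC0} (VideoEgg ActiveX Loader) - http://update.videoegg.com/Install/Windows/Initial/VideoEggPublisher.exe
O20 - AppInit_DLLs: avgrsstx.dll
O23 - Service: GoToAssist Express Customer - Unknown owner - C:\Program Files\Citrix\GoToAssist Express Customer\86\g2ax_service.exe
O23 - Service: AVG8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
"""

# Every HijackThis finding line is "<section> - <body>", e.g. "O10 - Unknown file ...".
LINE_RE = re.compile(r"^(O\d+) - (.*)$")


@dataclass
class Entry:
    section: str   # "O4", "O8", "O10", ...
    body: str      # everything after "Oxx - "


@dataclass
class Finding:
    section: str
    reason: str
    detail: str


def parse_hjt(text):
    """Parse the O-lines of a HijackThis log; header and process lines are skipped."""
    entries = []
    for raw in text.splitlines():
        m = LINE_RE.match(raw.strip())
        if m:
            entries.append(Entry(m.group(1), m.group(2)))
    return entries


def count_by_section(entries):
    """How many entries of each section type the log contains."""
    counts = {}
    for e in entries:
        counts[e.section] = counts.get(e.section, 0) + 1
    return counts


def triage(entries):
    """Defender-side review prompts. These are heuristics to direct a human's
    attention, not malware verdicts: a flagged entry may well be legitimate."""
    findings = []
    for e in entries:
        if e.section == "O10":
            # HijackThis could not identify this Winsock Layered Service Provider.
            # A broken LSP chain is a common reason a cleaned machine cannot get online.
            findings.append(Finding(e.section, "unidentified Winsock LSP", e.body))
        elif e.section == "O8":
            # Context-menu items normally point at a local res:// resource; a remote
            # URL means a click hands the browser to a third-party site.
            target = e.body.split(" - ", 1)[-1]
            if target.lower().startswith(("http://", "https://")):
                findings.append(Finding(e.section, "context menu item targets remote URL", target))
        elif e.section == "O16":
            # Downloaded Program Files: ActiveX controls fetched from the web.
            findings.append(Finding(e.section, "downloaded ActiveX control", e.body))
        elif e.section == "O20" and e.body.startswith("AppInit_DLLs:"):
            # AppInit_DLLs are loaded into every process that loads user32.dll.
            findings.append(Finding(e.section, "AppInit_DLLs injection point", e.body))
        elif e.section == "O23" and "Unknown owner" in e.body:
            # Service binary whose publisher HijackThis could not read.
            findings.append(Finding(e.section, "service without a known publisher", e.body))
    return findings


if __name__ == "__main__":
    entries = parse_hjt(SAMPLE_LOG)
    print(count_by_section(entries))
    for f in triage(entries):
        print(f"{f.section}: {f.reason} -> {f.detail}")
```

    Running the block prints the per-section counts and the five flagged lines. A full HijackThis log has the same line shape, so the whole file can be passed to parse_hjt unchanged; anything that is not an O-line is ignored.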


  • Closed Accounts Posts: 1,970 ✭✭✭ActorSeeksJob


    Do you have the ComboFix log? Check C:\ComboFix for it.


    ComboFix will disconnect the machine from the internet; this prevents fresh malware from coming in.
    The connection shall be restored once ComboFix gets to the Find3M stage.
    In the event that ComboFix terminates prematurely you can manually restore the connection by ...
    * Going to Control Panel > Network Connections.
    * Right-clicking on the Network icon & selecting "Repair".

    [image: 68604-click-repair.gif]

    Alternately, if the Network icon appears in the notification area in the lower right corner of Desktop, right-click it, and then click Repair from the shortcut menu.

    [image: 68604-click-repair-from-notification-area.gif]



    Tell me if that works


  • Closed Accounts Posts: 163 ✭✭-annex-


    Hey Simon,
    If you still can't connect to the internet after repairing your connection, it's likely you need to reset your TCP/IP stack and Winsock.
    To do this:
    Click Start - Run
    Type cmd and press Enter
    A command prompt will appear. Type in the following commands and press Enter after each:

    netsh int ip reset reset.txt

    netsh winsock reset catalog

    Now reboot your machine and your internet connection should be restored.


  • Registered Users, Registered Users 2 Posts: 353 ✭✭simonp1


    Thanks Actorseeksjob

    I will try it and post back.

    ComboFix 08-06-20.4 - Administrator 2008-06-24 15:14:49.2 - NTFSx86
    Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.878 [GMT 1:00]
    Running from: C:\Documents and Settings\Administrator\Desktop\ComboFix.exe

    WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
    .

    ((((((((((((((((((((((((( Files Created from 2008-05-24 to 2008-06-24 )))))))))))))))))))))))))))))))
    .

    2008-06-24 09:36 . 2008-06-24 09:36 <DIR> d-------- C:\_OTMoveIt
    2008-06-23 16:31 . 2008-06-23 16:31 2,192 --a------ C:\WINDOWS\system32\tmp.reg
    2008-06-23 15:49 . 2008-06-24 12:15 54,156 --ah----- C:\WINDOWS\QTFont.qfn
    2008-06-23 15:49 . 2008-06-23 15:49 1,409 --a------ C:\WINDOWS\QTFont.for
    2008-06-23 14:44 . 2008-06-23 14:44 0 --a------ C:\WINDOWS\system32\REN2F.tmp
    2008-06-23 14:44 . 2008-06-23 14:44 0 --a------ C:\WINDOWS\system32\REN2E.tmp
    2008-06-23 13:25 . 2008-06-23 13:25 <DIR> d-------- C:\WINDOWS\ERUNT
    2008-06-23 13:17 . 2008-06-23 13:41 <DIR> d-------- C:\SDFix
    2008-06-23 11:47 . 2008-06-23 11:47 <DIR> d-------- C:\Program Files\SUPERAntiSpyware
    2008-06-23 11:47 . 2008-06-23 11:47 <DIR> d-------- C:\Program Files\Common Files\Wise Installation Wizard
    2008-06-23 11:47 . 2008-06-23 11:47 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\SUPERAntiSpyware.com
    2008-06-23 11:47 . 2008-06-23 11:47 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\SUPERAntiSpyware.com
    2008-06-23 11:07 . 2008-06-23 11:07 <DIR> d-------- C:\Deckard
    2008-06-20 15:02 . 2008-06-24 09:27 <DIR> d--h----- C:\$AVG8.VAULT$
    2008-06-20 14:45 . 2008-06-20 14:45 <DIR> d-------- C:\WINDOWS\system32\drivers\Avg
    2008-06-20 14:45 . 2008-06-20 14:45 96,520 --a------ C:\WINDOWS\system32\drivers\avgldx86.sys
    2008-06-20 14:45 . 2008-06-20 14:45 10,520 --a------ C:\WINDOWS\system32\avgrsstx.dll
    2008-06-20 14:41 . 2008-06-20 14:44 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Avg8
    2008-06-20 14:35 . 2008-06-20 14:35 <DIR> d-------- C:\Program Files\AVG
    2008-06-20 14:35 . 2008-06-20 14:35 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\AVGTOOLBAR
    2008-06-12 00:17 . 2008-04-14 12:01 272,128 --------- C:\WINDOWS\system32\drivers\bthport.sys
    2008-06-12 00:17 . 2008-04-14 12:01 272,128 --------- C:\WINDOWS\system32\dllcache\bthport.sys
    2008-06-11 21:15 . 2008-06-11 21:15 <DIR> d-------- C:\Program Files\Citrix
    2008-06-11 21:14 . 2008-06-11 21:14 66,360 --------- C:\Documents and Settings\Administrator\g2ax_customer_downloadhelper_win32_x86.exe
    2008-06-05 14:13 . 2001-03-08 19:30 24,064 --a------ C:\WINDOWS\system32\msxml3a.dll
    2008-06-05 14:13 . 2004-10-07 14:39 8,704 --a------ C:\WINDOWS\system32\SpOrder.dll

    .
    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2008-06-23 13:44 --------- d-----w C:\Program Files\Java
    2008-06-20 13:35 --------- d-----w C:\Documents and Settings\All Users\Application Data\Grisoft
    2008-06-20 12:53 --------- d-----w C:\Program Files\Common Files\Download Manager
    2008-06-12 08:00 --------- d-----w C:\Program Files\BitLord
    2008-06-11 19:42 --------- d-----w C:\Program Files\LimeWire
    2008-06-11 19:30 --------- d-----w C:\Documents and Settings\Administrator\Application Data\Lavasoft
    2008-05-08 12:28 202,752 ----a-w C:\WINDOWS\system32\drivers\rmcast.sys
    2008-05-08 12:28 202,752 ------w C:\WINDOWS\system32\dllcache\rmcast.sys
    2008-05-07 05:18 1,287,680 ----a-w C:\WINDOWS\system32\quartz.dll
    2008-05-07 05:18 1,287,680 ------w C:\WINDOWS\system32\dllcache\quartz.dll
    2008-04-23 21:16 3,591,680 ------w C:\WINDOWS\system32\dllcache\mshtml.dll
    2008-04-22 07:40 625,664 ------w C:\WINDOWS\system32\dllcache\iexplore.exe
    2008-04-22 07:39 70,656 ------w C:\WINDOWS\system32\dllcache\ie4uinit.exe
    2008-04-22 07:39 13,824 ------w C:\WINDOWS\system32\dllcache\ieudinit.exe
    2008-04-20 05:07 161,792 ------w C:\WINDOWS\system32\dllcache\ieakui.dll
    2008-03-27 08:12 151,583 ----a-w C:\WINDOWS\system32\msjint40.dll
    2008-03-27 08:12 151,583 ------w C:\WINDOWS\system32\dllcache\msjint40.dll
    .

    ((((((((((((((((((((((((((((( snapshot@2008-06-23_15.36.29.09 )))))))))))))))))))))))))))))))))))))))))
    .
    - 2008-06-23 14:31:36 2,048 --s-a-w C:\WINDOWS\bootstat.dat
    + 2008-06-24 11:15:28 2,048 --s-a-w C:\WINDOWS\bootstat.dat
    .
    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legit default entries are not shown
    REGEDIT4

    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 09:00 15360]
    "MsnMsgr"="C:\Program Files\MSN Messenger\MsnMsgr.Exe" [2007-01-19 12:54 5674352]
    "Skype"="C:\Program Files\Skype\Phone\Skype.exe" [2006-03-13 11:43 19548200]
    "WMPNSCFG"="C:\Program Files\Windows Media Player\WMPNSCFG.exe" [2006-10-18 20:05 204288]
    "SUPERAntiSpyware"="C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2008-05-28 10:33 1506544]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "srmclean"="C:\Cpqs\Scom\srmclean.exe" [2001-07-24 22:34 36864]
    "SetRefresh"="C:\Program Files\Compaq\SetRefresh\SetRefresh.exe" [2003-11-06 14:22 524800]
    "CONNECTScheduler"="C:\Program Files\Sony\CONNECTAutoUpdate\CONNECTScheduler.exe" [2005-11-15 03:54 69632]
    "Sony Ericsson PC Suite"="C:\Program Files\Sony Ericsson\Mobile2\Application Launcher\Application Launcher.exe" [2006-11-24 01:06 487424]
    "QuickTime Task"="C:\Program Files\QuickTime\QTTask.exe" [2008-03-28 23:37 413696]
    "iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2008-03-30 10:36 267048]
    "AVG8_TRAY"="C:\PROGRA~1\AVG\AVG8\avgtray.exe" [2008-06-20 14:44 1177368]

    [HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
    "CTFMON.EXE"="C:\WINDOWS\system32\CTFMON.EXE" [2004-08-04 09:00 15360]

    C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
    Adobe Reader Speed Launch.lnk - C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2005-09-23 22:05:26 29696]
    WinZip Quick Pick.lnk - C:\Program Files\WinZip\WZQKPICK.EXE [2006-03-01 19:54:24 122880]

    [hkey_local_machine\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
    "{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= C:\Program Files\SUPERAntiSpyware\SASSEH.DLL [2008-05-13 10:13 77824]

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
    C:\Program Files\SUPERAntiSpyware\SASWINLO.dll 2007-04-19 13:41 294912 C:\Program Files\SUPERAntiSpyware\SASWINLO.dll

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\GoToAssist Express Customer]
    C:\Program Files\Citrix\GoToAssist Express Customer\86\g2ax_winlogon.dll 2008-06-11 21:15 45368 C:\Program Files\Citrix\GoToAssist Express Customer\86\g2ax_winlogon.dll

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
    "AppInit_DLLs"=avgrsstx.dll

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
    "%windir%\\system32\\sessmgr.exe"=
    "C:\\Program Files\\Messenger\\msmsgs.exe"=
    "C:\\Program Files\\MSN Messenger\\msnmsgr.exe"=
    "C:\\Program Files\\MSN Messenger\\livecall.exe"=
    "%windir%\\Network Diagnostic\\xpnetdiag.exe"=
    "C:\\Program Files\\iTunes\\iTunes.exe"=
    "C:\\Program Files\\Bonjour\\mDNSResponder.exe"=
    "C:\\Program Files\\AVG\\AVG8\\avgupd.exe"=
    "C:\\Program Files\\Skype\\Phone\\Skype.exe"=

    R1 AvgLdx86;AVG AVI Loader Driver x86;C:\WINDOWS\system32\Drivers\avgldx86.sys [2008-06-20 14:45]
    R2 avg8wd;AVG8 WatchDog;C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe [2008-06-20 14:44]
    S3 GoToAssist Express Customer;GoToAssist Express Customer;"C:\Program Files\Citrix\GoToAssist Express Customer\86\g2ax_service.exe" Start=service []
    S3 SE2Ebus;Sony Ericsson Device 046 Driver driver (WDM);C:\WINDOWS\system32\DRIVERS\SE2Ebus.sys [2006-11-10 18:23]
    S3 SE2Emdfl;Sony Ericsson Device 046 USB WMC Modem Filter;C:\WINDOWS\system32\DRIVERS\SE2Emdfl.sys [2006-11-10 18:23]
    S3 SE2Emdm;Sony Ericsson Device 046 USB WMC Modem Driver;C:\WINDOWS\system32\DRIVERS\SE2Emdm.sys [2006-11-10 18:23]
    S3 SE2Emgmt;Sony Ericsson Device 046 USB WMC Device Management Drivers (WDM);C:\WINDOWS\system32\DRIVERS\SE2Emgmt.sys [2006-11-10 18:23]
    S3 se2End5;Sony Ericsson Device 046 USB Ethernet Emulation SEMC46 (NDIS);C:\WINDOWS\system32\DRIVERS\se2End5.sys [2006-11-10 18:23]
    S3 SE2Eobex;Sony Ericsson Device 046 USB WMC OBEX Interface;C:\WINDOWS\system32\DRIVERS\SE2Eobex.sys [2006-11-10 18:23]
    S3 se2Eunic;Sony Ericsson Device 046 USB Ethernet Emulation SEMC46 (WDM);C:\WINDOWS\system32\DRIVERS\se2Eunic.sys [2006-11-10 18:24]

    *Newly Created Service* - CATCHME
    .
    Contents of the 'Scheduled Tasks' folder
    "2008-06-17 16:43:00 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job"
    - C:\Program Files\Apple Software Update\SoftwareUpdate.exe
    .
    **************************************************************************

    catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
    Rootkit scan 2008-06-24 15:16:47
    Windows 5.1.2600 Service Pack 2 NTFS

    scanning hidden processes ...

    scanning hidden autostart entries ...

    scanning hidden files ...

    scan completed successfully
    hidden files: 0

    **************************************************************************
    .
    DLLs Loaded Under Running Processes

    PROCESS: C:\WINDOWS\system32\winlogon.exe
    -> C:\Program Files\Citrix\GoToAssist Express Customer\86\g2ax_winlogon.dll
    .
    Completion time: 2008-06-24 15:18:50
    ComboFix-quarantined-files.txt 2008-06-24 14:18:34
    ComboFix2.txt 2008-06-23 14:36:48

    Pre-Run: 60,764,160,000 bytes free
    Post-Run: 60,752,297,984 bytes free

    137 --- E O F --- 2008-06-12 02:02:51


  • Closed Accounts Posts: 1,970 ✭✭✭ActorSeeksJob


    OK, let me know how it goes.

    I see you ran SDFix; can you post that log as well? It should be in C:\SDFix.


  • Registered Users, Registered Users 2 Posts: 353 ✭✭simonp1


    Hi, here is the SDFix report I just ran; for some reason the internet is still not working.

    Thanks
    Simon


    SDFix: Version 1.196
    Run by Administrator on 25/06/2008 at 12:19

    Microsoft Windows XP [Version 5.1.2600]
    Running From: C:\SDFix

    Checking Services :


    Restoring Windows Registry Values
    Restoring Windows Default Hosts File

    Rebooting


    Checking Files :

    No Trojan Files Found






    Removing Temp Files

    ADS Check :



    Final Check :

    catchme 0.3.1361.2 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
    Rootkit scan 2008-06-25 12:28:43
    Windows 5.1.2600 Service Pack 2 NTFS

    scanning hidden processes ...

    scanning hidden services & system hive ...

    scanning hidden registry entries ...

    scanning hidden files ...

    scan completed successfully
    hidden processes: 0
    hidden services: 0
    hidden files: 0


    Remaining Services :




    Authorized Application Key Export:

    [HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list]
    "%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
    "C:\\Program Files\\Messenger\\msmsgs.exe"="C:\\Program Files\\Messenger\\msmsgs.exe:*:Enabled:Windows Messenger"
    "C:\\Program Files\\MSN Messenger\\msnmsgr.exe"="C:\\Program Files\\MSN Messenger\\msnmsgr.exe:*:Enabled:Windows Live Messenger 8.1"
    "C:\\Program Files\\MSN Messenger\\livecall.exe"="C:\\Program Files\\MSN Messenger\\livecall.exe:*:Enabled:Windows Live Messenger 8.1 (Phone)"
    "%windir%\\Network Diagnostic\\xpnetdiag.exe"="%windir%\\Network Diagnostic\\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"
    "C:\\Program Files\\iTunes\\iTunes.exe"="C:\\Program Files\\iTunes\\iTunes.exe:*:Enabled:iTunes"
    "C:\\Program Files\\Bonjour\\mDNSResponder.exe"="C:\\Program Files\\Bonjour\\mDNSResponder.exe:*:Disabled:Bonjour"
    "C:\\Program Files\\AVG\\AVG8\\avgupd.exe"="C:\\Program Files\\AVG\\AVG8\\avgupd.exe:*:Enabled:avgupd.exe"
    "C:\\Program Files\\Skype\\Phone\\Skype.exe"="C:\\Program Files\\Skype\\Phone\\Skype.exe:*:Enabled:Skype"

    [HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\domainprofile\authorizedapplications\list]
    "%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
    "C:\\Program Files\\MSN Messenger\\msnmsgr.exe"="C:\\Program Files\\MSN Messenger\\msnmsgr.exe:*:Enabled:Windows Live Messenger 8.1"
    "C:\\Program Files\\MSN Messenger\\livecall.exe"="C:\\Program Files\\MSN Messenger\\livecall.exe:*:Enabled:Windows Live Messenger 8.1 (Phone)"
    "%windir%\\Network Diagnostic\\xpnetdiag.exe"="%windir%\\Network Diagnostic\\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"

    Remaining Files :



    Files with Hidden Attributes :

    Wed 23 Mar 2005 4,348 A.SH. --- "C:\Documents and Settings\All Users\DRM\DRMv1.bak"
    Wed 23 Mar 2005 401 A.SH. --- "C:\Documents and Settings\All Users\DRM\DRMv13.bak"
    Wed 4 Jul 2007 0 A.SH. --- "C:\Documents and Settings\All Users\DRM\Cache\Indiv02.tmp"
    Fri 9 May 2008 0 A..H. --- "C:\WINDOWS\SoftwareDistribution\Download\385cb67dda0ffd4dea8c0d990dc65796\BIT107.tmp"
    Wed 23 Mar 2005 4,348 ...H. --- "C:\Documents and Settings\Administrator\My Documents\My Music\License Backup\drmv1key.bak"
    Sat 29 Jul 2006 401 A..H. --- "C:\Documents and Settings\Administrator\My Documents\My Music\License Backup\drmv1lic.bak"
    Thu 17 Mar 2005 312 A.SH. --- "C:\Documents and Settings\Administrator\My Documents\My Music\License Backup\drmv2key.bak"
    Sun 27 May 2007 451 A.SH. --- "C:\Deckard\System Scanner\20080623131114\backup\DOCUME~1\ADMINI~1\LOCALS~1\Temp\ansqssoq.dll"
    Sat 26 May 2007 451 A.SH. --- "C:\Deckard\System Scanner\20080623131114\backup\DOCUME~1\ADMINI~1\LOCALS~1\Temp\pjfqserw.dll"
    Mon 28 May 2007 451 A.SH. --- "C:\Deckard\System Scanner\20080623131114\backup\DOCUME~1\ADMINI~1\LOCALS~1\Temp\psxnplbi.dll"

    Finished!


  • Closed Accounts Posts: 1,970 ✭✭✭ActorSeeksJob


    Did you try the two suggestions for fixing your net?

    1. Please download LSPFix from here.
    2. Run the LSPFix.exe that you have just finished downloading.
    3. Check the I know what I'm doing box.
    4. When you are done click Finish>>.


  • Registered Users, Registered Users 2 Posts: 353 ✭✭simonp1


    Hi Actorseeksjob

    Thanks for everything, internet back online and machine cleaned, and not a reinstall CD in sight. Although I was thinking about it there for a while.

    Thanks again

    Simon:)

