
Help...I know I have a virus...



This is a no-brainer. I have used this forum once and I have highly recommended it to my peers, and to this day I still do. I have 100% faith that you guys can fix this computer.

This is my friend's mom's computer. I tried to fix it, but she has this virus called XP AntiVirus. I googled it and tried to take it down the easy way with FixXPAV.reg, but I know I'm doing something wrong. So please help me. I would have been helpful and already posted a HijackThis log, but I haven't used this forum for myself since last year, so I just posted this so I can use the latest HijackThis edition. THANK YOU :D


We need to obtain the most recent and comprehensive ‘picture’ of the system to conduct a malware analysis.

 

Please download Deckard's System Scanner (DSS)

Save it to the Desktop

Close all other windows before proceeding.

  • Double-click on dss.exe and follow the prompts.
  • If your firewall offers a warning, allow the program to run
  • When finished, DSS opens two Notepad files: main.txt <- this one is maximized, and extra.txt <- this one is minimized

    (A copy of these files is also found in C:\Deckard\System Scanner)

Please post the contents of main.txt and extra.txt in your reply.

 

It may take more than one post to provide these logs. If so, please do consecutive posts (one after the other).


Deckard's System Scanner v20071014.68

Run by mary ellen doty on 2008-05-28 03:28:34

Computer is in Normal Mode.

--------------------------------------------------------------------------------

 

-- System Restore --------------------------------------------------------------

 

Successfully created a Deckard's System Scanner Restore Point.

 

 

-- Last 5 Restore Point(s) --

87: 2008-05-28 11:30:03 UTC - RP698 - Deckard's System Scanner Restore Point

86: 2008-05-27 02:13:14 UTC - RP697 - Removed Windows Live Favorites for Windows Live Toolbar

85: 2008-05-27 02:08:28 UTC - RP696 - Removed Rhapsody Player Engine

84: 2008-05-26 13:16:43 UTC - RP695 - Last known good configuration

83: 2008-05-26 13:16:21 UTC - RP694 - System Checkpoint

 

 

-- First Restore Point --

1: 2008-05-26 13:15:57 UTC - RP612 - System Checkpoint

 

 

Backed up registry hives.

Performed disk cleanup.

 

Total Physical Memory: 254 MiB (512 MiB recommended).

 

 

-- HijackThis Clone ------------------------------------------------------------

 

 

Emulating logfile of Trend Micro HijackThis v2.0.2

Scan saved at 2008-05-28 03:37:09

Platform: Windows XP Service Pack 2 (5.01.2600)

MSIE: Internet Explorer (7.00.6000.16640)

Boot mode: Normal

 

Running processes:

C:\WINDOWS\SYSTEM32\smss.exe

C:\WINDOWS\SYSTEM32\winlogon.exe

C:\WINDOWS\SYSTEM32\services.exe

C:\WINDOWS\SYSTEM32\lsass.exe

C:\WINDOWS\SYSTEM32\svchost.exe

C:\WINDOWS\SYSTEM32\svchost.exe

C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe

C:\Program Files\Alwil Software\Avast4\ashServ.exe

C:\WINDOWS\SYSTEM32\spoolsv.exe

C:\WINDOWS\SYSTEM32\LVCOMSX.EXE

C:\WINDOWS\SYSTEM32\ctfmona.exe

C:\Program Files\Grisoft\AVG7\avgamsvr.exe

C:\Program Files\AXPFixer\AXPFixer.exe

C:\Program Files\Alwil Software\Avast4\ashDisp.exe

C:\WINDOWS\SYSTEM32\ctfmon.exe

C:\Program Files\Grisoft\AVG7\avgupsvc.exe

C:\Program Files\Grisoft\AVG7\avgemc.exe

C:\Program Files\Common Files\AOL\Loader\aolload.exe

C:\WINDOWS\SYSTEM32\svchost.exe

C:\Program Files\Viewpoint\Common\ViewpointService.exe

C:\WINDOWS\SYSTEM32\fxssvc.exe

C:\Program Files\AIM6\aolsoftware.exe

C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe

C:\WINDOWS\SYSTEM32\wscntfy.exe

C:\Program Files\Internet Explorer\iexplore.exe

C:\Program Files\Alwil Software\Avast4\ashWebSv.exe

C:\Program Files\Internet Explorer\iexplore.exe

C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLLoginProxy.exe

C:\WINDOWS\explorer.exe

C:\WINDOWS\SYSTEM32\taskmgr.exe

C:\Documents and Settings\mary ellen doty\Desktop\dss.exe

 

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://home.microsoft.com/search/lobby/search.asp

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.msn.com/?wl=true

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,SearchAssistant = http://www.microsoft.com/isapi/redir.dll?p...amp;ar=iesearch

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,CustomizeSearch = http://www.microsoft.com/isapi/redir.dll?p...amp;ar=iesearch

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://home.microsoft.com/search/lobby/search.asp

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157

R1 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://ie.search.msn.com/{SUB_RFC1766}/srchasst/srchcust.htm

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank

O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll

O2 - BHO: ShoppingReport - {100EB1FD-D03E-47FD-81F3-EE91287F9465} - C:\Program Files\ShoppingReport\Bin\2.5.0\ShoppingReport.dll

O2 - BHO: e404 helper - {2C566C34-7D72-4DC1-9BBE-1121A76698F8} - C:\Program Files\Helper\1203454679.dll (file missing)

O2 - BHO: (no name) - {4C07133D-218E-49F7-9C92-7F5DA8E19FFF} - C:\WINDOWS\SYSTEM32\byXQJYoP.dll

O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\SYSTEM32\dla\tfswshx.dll

O2 - BHO: Canon Easy Web Print Helper - {68F9551E-0411-48E4-9AAF-4BC42A6A46BE} - C:\Program Files\Canon\Easy-WebPrint\EWPBrowseLoader.dll

O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)

O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll

O2 - BHO: QXK Olive - {B33B96B9-E0C2-4648-9819-A38DDCAFA33C} - C:\WINDOWS\boqnrwdmstg.dll (file missing)

O2 - BHO: (no name) - {BCBEB0EB-744A-4F05-99A5-636B721C318E} - C:\WINDOWS\SYSTEM32\yayvsppn.dll

O2 - BHO: Windows Live Toolbar Helper - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll

O3 - Toolbar: (no name) - {BA52B914-B692-46c4-B683-905236F6F655} - (no file)

O3 - Toolbar: Easy-WebPrint - {327C2873-E90D-4c37-AA9D-10AC9BABA46C} - C:\Program Files\Canon\Easy-WebPrint\Toolband.dll

O3 - Toolbar: Windows Live Toolbar - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll

O4 - HKLM\..\Run: [salestart] "C:\Program Files\Common Files\AVSystemCare\bm.exe" dm=http://avsystemcare.com; ad=http://avsystemcare.com

O4 - HKLM\..\Run: [LVCOMSX] C:\WINDOWS\system32\LVCOMSX.EXE

O4 - HKLM\..\Run: [ctfmona] C:\WINDOWS\system32\ctfmona.exe

O4 - HKLM\..\Run: [antiviirus] C:\Program Files\antiviirus.exe

O4 - HKLM\..\Run: [a4421a12] rundll32.exe "C:\WINDOWS\system32\yuoketgo.dll",b

O4 - HKLM\..\Run: [AXPFixer] C:\Program Files\AXPFixer\AXPFixer.exe

O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe

O4 - HKLM\..\RunServices: [ntddetect] C:\WINDOWS\System32\ntddetect.exe

O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\Windows Live\Messenger\msnmsgr.exe" /background

O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe

O4 - HKCU\..\Run: [Aim6] "C:\Program Files\AIM6\aim6.exe" /d locale=en-US ee://aol/imApp

O4 - HKCU\..\Run: [69468080750546892607076787857284] C:\Program Files\XP Antivirus\xpa.exe

O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'LOCAL SERVICE')

O4 - HKUS\S-1-5-20\..\Run: [desktop] C:\WINDOWS\System32\desktop.exe (User 'NETWORK SERVICE')

O4 - HKUS\S-1-5-20\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'NETWORK SERVICE')

O4 - HKUS\S-1-5-18\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'SYSTEM')

O4 - HKUS\.DEFAULT\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'Default user')

O7 - HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System, DisableRegedit=1

O8 - Extra context menu item: &Windows Live Search - res://C:\Program Files\Windows Live Toolbar\msntb.dll/search.htm

O8 - Extra context menu item: Easy-WebPrint Add To Print List - res://C:\Program Files\Canon\Easy-WebPrint\Toolband.dll/RC_AddToList.html

O8 - Extra context menu item: Easy-WebPrint High Speed Print - res://C:\Program Files\Canon\Easy-WebPrint\Toolband.dll/RC_HSPrint.html

O8 - Extra context menu item: Easy-WebPrint Preview - res://C:\Program Files\Canon\Easy-WebPrint\Toolband.dll/RC_Preview.html

O8 - Extra context menu item: Easy-WebPrint Print - res://C:\Program Files\Canon\Easy-WebPrint\Toolband.dll/RC_Print.html

O9 - Extra button: ShopperReports - Compare product prices - {C5428486-50A0-4a02-9D20-520B59A9F9B2} - C:\Program Files\ShoppingReport\Bin\2.5.0\ShoppingReport.dll

O9 - Extra button: ShopperReports - Compare travel rates - {C5428486-50A0-4a02-9D20-520B59A9F9B3} - C:\Program Files\ShoppingReport\Bin\2.5.0\ShoppingReport.dll

O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (file missing)

O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O16 - DPF: {31435657-9980-0010-8000-00AA00389B71} () - http://download.microsoft.com/download/e/2...78f/wvc1dmo.cab

O16 - DPF: {33564D57-0000-0010-8000-00AA00389B71} () - http://download.microsoft.com/download/F/6...922/wmv9VCM.CAB

O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} () - http://bin.mcafee.com/molbin/shared/mcinsc...84/mcinsctl.cab

O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} () - http://bin.mcafee.com/molbin/shared/mcgdmg...,21/mcgdmgr.cab

O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shoc...ash/swflash.cab

O17 - HKLM\SYSTEM\CCS\Services\Tcpip\..\{491C72C4-4D5E-4E81-9511-011791E11B0A}: NameServer = 209.193.4.7,209.193.4.8

O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\Program Files\Windows Live\Messenger\msgrapp.8.5.1302.1018.dll

O18 - Protocol: ms-itss - {0A9007C0-4076-11D3-8789-0000F8105754} - C:\Program Files\Common Files\Microsoft Shared\Information Retrieval\msitss.dll

O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\Program Files\Windows Live\Messenger\msgrapp.8.5.1302.1018.dll

O18 - Protocol: wlmailhtml - {03C514A3-1EFB-4856-9F99-10D7BE1653C0} - C:\Program Files\Windows Live\Mail\mailcomm.dll

O18 - Filter: text/html - {47A961F3-90B4-4AF4-9A6B-CC4A7056F61D} - C:\WINDOWS\System32\fbao.dll (file missing)

O18 - Filter: text/plain - {47A961F3-90B4-4AF4-9A6B-CC4A7056F61D} - C:\WINDOWS\System32\fbao.dll (file missing)

O20 - AppInit_DLLs: murka.dat

O20 - Winlogon Notify: yayvsppn - C:\WINDOWS\system32\yayvsppn.dll

O21 - SSODL: vregfwlx - {BDC0AFF7-BA1C-43A0-81FD-83048F115396} - C:\WINDOWS\vregfwlx.dll (file missing)

O21 - SSODL: vltdfabw - {21BAAA6A-9A9C-46CD-B170-11BF5D9D25B8} - C:\WINDOWS\vltdfabw.dll (file missing)

O21 - SSODL: RomMon - {70bb7e36-a663-4e20-afe3-9592dc190d9a} - C:\WINDOWS\Resources\RomMon.dll

O22 - SharedTaskScheduler: arborize - {d9f6ce57-0718-4bd1-916f-5fb1f86911c2} - C:\WINDOWS\system32\txdkfh.dll (file missing)

O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe

O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe

O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe

O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe

O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\Program Files\Grisoft\AVG7\avgamsvr.exe

O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\Program Files\Grisoft\AVG7\avgupsvc.exe

O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\Program Files\Grisoft\AVG7\avgemc.exe

O23 - Service: DDE helper service (ddesvr) - Unknown owner - C:\:ddesvr

O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe

O23 - Service: iPodService - Apple Computer, Inc. - C:\Documents and Settings\mary ellen doty\My Documents\iPod\bin\iPodService.exe

O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exe

 

 

--

End of file - 10799 bytes

 

-- File Associations -----------------------------------------------------------

 

All associations okay.

 

 

-- Drivers: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled ---------------------

 

R1 omci (OMCI WDM Device Driver) - c:\windows\system32\drivers\omci.sys <Not Verified; Dell Computer Corporation; OMCI Driver>

 

S3 DSproct - c:\program files\dellsupport\gtaction\triggers\dsproct.sys (file missing)

S3 iAimTV2 - c:\windows\system32\drivers\watv03nt.sys (file missing)

S3 LSWLNDS (Instant Wireless Driver) - c:\windows\system32\drivers\lswlnds.sys <Not Verified; The Linksys Group, Inc.; Instant Wireless>

S3 PCANDIS5 (PCANDIS5 Protocol Driver) - c:\windows\system32\pcandis5.sys <Not Verified; Printing Communications Assoc., Inc. (PCAUSA); PCAUSA Rawether for Windows>

S3 SDDMI2 - c:\windows\system32\ddmi2.sys (file missing)

S3 wanatw (WAN Miniport (ATW)) - c:\windows\system32\drivers\wanatw4.sys (file missing)

 

 

-- Services: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled --------------------

 

R2 Viewpoint Manager Service - "c:\program files\viewpoint\common\viewpointservice.exe" <Not Verified; Viewpoint Corporation; Viewpoint Manager>

 

S2 ddesvr (DDE helper service) - c:\:ddesvr (file missing)

 

 

-- Device Manager: Disabled ----------------------------------------------------

 

No disabled devices found.

 

 

-- Scheduled Tasks -------------------------------------------------------------

 

2008-05-28 03:13:01 274 --a------ C:\WINDOWS\Tasks\Check Updates for Windows Live Toolbar.job

2003-11-08 21:22:04 258 --a------ C:\WINDOWS\Tasks\ISP signup reminder 1.job

 

 

-- Files created between 2008-04-28 and 2008-05-28 -----------------------------

 

2008-05-28 03:13:09 0 d-------- C:\Documents and Settings\mary ellen doty\Application Data\cs

2008-05-28 02:54:27 95744 --a------ C:\WINDOWS\system32\xugbvkpl.dll

2008-05-26 19:45:56 0 d-------- C:\Documents and Settings\mary ellen doty\Application Data\Application Data

2008-05-26 19:05:15 0 d-------- C:\Documents and Settings\mary ellen doty\Application Data\Documents and Settings <DOCUME~1>

2008-05-26 19:04:27 0 d-------- C:\Documents and Settings\mary ellen doty\Application Data\mary ellen doty <MARYEL~1>

2008-05-26 17:05:40 0 d-------- C:\Documents and Settings\mary ellen doty\Application Data\report

2008-05-26 16:59:59 0 d-------- C:\Documents and Settings\mary ellen doty\Application Data\AXPFixer

2008-05-26 16:33:56 0 d-------- C:\Documents and Settings\friends\Application Data\friends

2008-05-26 16:33:55 0 d-------- C:\friends

2008-05-26 16:33:55 0 d-------- C:\Documents and Settings\friends\cs

2008-05-26 16:33:54 0 d-------- C:\Documents and Settings\friends\ShoppingReport

2008-05-26 16:32:45 0 d-------- C:\Program Files\AXPFixer

2008-05-26 16:32:16 0 d-------- C:\Documents and Settings\friends\friends

2008-05-26 16:32:16 0 d-------- C:\Documents and Settings\friends\Documents and Settings <DOCUME~1>

2008-05-26 13:39:22 0 d-------- C:\report

2008-05-26 13:39:21 0 d-------- C:\ShoppingReport

2008-05-26 13:39:21 0 d-------- C:\mary ellen doty <MARYEL~1>

2008-05-26 12:49:22 466 --ahs---- C:\WINDOWS\system32\ogtekouy.ini2

2008-05-26 12:12:57 90112 --a------ C:\WINDOWS\system32\yuoketgo.dll

2008-05-26 11:29:45 0 d-------- C:\Documents and Settings\mary ellen doty\mary ellen doty <MARYEL~1>

2008-05-26 11:26:16 0 d-------- C:\cs

2008-05-26 11:21:12 0 d-------- C:\Documents and Settings\mary ellen doty\Documents and Settings <DOCUME~1>

2008-05-26 11:11:09 0 d-------- C:\Documents and Settings\mary ellen doty\ShoppingReport

2008-05-26 11:11:09 0 d-------- C:\Documents and Settings\mary ellen doty\report

2008-05-26 11:11:09 0 d-------- C:\Documents and Settings\mary ellen doty\cs

2008-05-26 11:11:08 0 d-------- C:\Application Data

2008-05-26 11:10:29 9728 --a------ C:\Program Files\tmp2.exe

2008-05-26 11:10:29 9728 --a------ C:\Program Files\tmp1.exe

2008-05-26 11:10:29 9728 --a------ C:\Program Files\tmp0.exe

2008-05-26 11:10:26 18432 --a------ C:\Program Files\bho.exe

2008-05-26 11:10:26 9728 --a------ C:\Program Files\antiviirus.exe

2008-05-26 06:52:00 0 d-------- C:\Documents and Settings\friends\Application Data\TmpRecentIcons

2008-05-26 05:17:29 90112 --a------ C:\WINDOWS\system32\cwibvbsw.dll

2008-05-26 05:15:45 605759 --ahs---- C:\WINDOWS\system32\PoYJQXyb.ini2

2008-05-26 05:15:40 318848 --a------ C:\WINDOWS\system32\byXQJYoP.dll

2008-05-26 05:10:27 29824 --a------ C:\WINDOWS\system32\yayvsppn.dll

2008-05-26 05:10:12 159744 --a------ C:\WINDOWS\edwf.exe

2008-05-26 05:09:52 160256 --a------ C:\WINDOWS\system32\blackster.scr <Not Verified; Peter's Productions; Bugs!>

2008-05-26 05:09:28 96256 --a------ C:\WINDOWS\system32\ctfmona.exe

2008-05-25 16:50:00 0 d-------- C:\Documents and Settings\mary ellen doty\Application Data\ShoppingReport

2008-05-25 16:13:27 0 d-------- C:\Documents and Settings\friends\Application Data\AdobeUM

2008-05-24 14:13:06 0 d-------- C:\Documents and Settings\friends\Application Data\ShoppingReport

2008-05-24 14:12:59 0 d-------- C:\Program Files\ShoppingReport

2008-05-23 11:22:53 0 d-------- C:\Documents and Settings\mary ellen doty\Application Data\Viewpoint

2008-05-22 17:52:48 0 d-------- C:\Documents and Settings\friends\Application Data\acccore

2008-05-08 17:08:45 0 d-------- C:\Documents and Settings\friends\Application Data\Apple Computer

2008-05-06 04:10:29 0 d-------- C:\Documents and Settings\mary ellen doty\Application Data\acccore

2008-05-06 04:07:42 0 d-------- C:\Documents and Settings\All Users\Application Data\AOL OCP

2008-05-06 04:06:55 0 d-------- C:\Program Files\AIM6

2008-05-04 20:33:24 53248 -ra------ C:\WINDOWS\system32\InstMed.exe

2008-05-04 20:32:59 0 d-------- C:\Program Files\Common Files\Logitech

 

 

-- Find3M Report ---------------------------------------------------------------

 

2008-05-26 18:33:34 0 d-------- C:\Program Files\VirusHeat 4.3

2008-05-26 18:07:53 0 d-------- C:\Program Files\Common Files\Real

2008-05-26 18:07:00 0 d-------- C:\Program Files\Common Files

2008-05-26 18:05:26 0 d-------- C:\Documents and Settings\mary ellen doty\Application Data\Real

2008-05-26 18:03:36 0 d-------- C:\Program Files\Google

2008-05-26 15:31:53 0 d-------- C:\Documents and Settings\mary ellen doty\Application Data\AVG7

2008-05-06 04:08:06 0 d-------- C:\Program Files\Viewpoint

2008-05-06 04:07:17 0 d-------- C:\Program Files\Common Files\AOL

2008-04-29 19:49:05 0 d-------- C:\Documents and Settings\mary ellen doty\Application Data\AdobeUM

 

 

-- Registry Dump ---------------------------------------------------------------

 

*Note* empty entries & legit default entries are not shown

 

 

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{100EB1FD-D03E-47FD-81F3-EE91287F9465}]

02/06/2008 04:13 AM 1173024 --a------ C:\Program Files\ShoppingReport\Bin\2.5.0\ShoppingReport.dll

 

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{2C566C34-7D72-4DC1-9BBE-1121A76698F8}]

C:\Program Files\Helper\1203454679.dll

 

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{4C07133D-218E-49F7-9C92-7F5DA8E19FFF}]

05/26/2008 05:15 AM 318848 --a------ C:\WINDOWS\system32\byXQJYoP.dll

 

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{B33B96B9-E0C2-4648-9819-A38DDCAFA33C}]

C:\WINDOWS\boqnrwdmstg.dll

 

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{BCBEB0EB-744A-4F05-99A5-636B721C318E}]

05/26/2008 05:10 AM 29824 --a------ C:\WINDOWS\system32\yayvsppn.dll

 

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"Salestart"="C:\Program Files\Common Files\AVSystemCare\bm.exe" []

"LVCOMSX"="C:\WINDOWS\system32\LVCOMSX.EXE" [10/08/2004 11:52 AM]

"ctfmona"="C:\WINDOWS\system32\ctfmona.exe" [05/26/2008 05:09 AM]

"antiviirus"="C:\Program Files\antiviirus.exe" [05/26/2008 11:10 AM]

"a4421a12"="C:\WINDOWS\system32\yuoketgo.dll" [05/26/2008 12:12 PM]

"AXPFixer"="C:\Program Files\AXPFixer\AXPFixer.exe" [05/19/2008 10:03 AM]

"avast!"="C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe" [05/15/2008 03:19 PM]

 

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"msnmsgr"="C:\Program Files\Windows Live\Messenger\msnmsgr.exe" []

"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [08/03/2004 11:56 PM]

"Aim6"="C:\Program Files\AIM6\aim6.exe" [03/25/2008 12:21 PM]

"69468080750546892607076787857284"="C:\Program Files\XP Antivirus\xpa.exe" []

 

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\runservices]

"ntddetect"=C:\WINDOWS\System32\ntddetect.exe

 

C:\Documents and Settings\mary ellen doty\Start Menu\Programs\Startup\

DESKTOP.INI [9/3/2002 7:00:00 AM]

 

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\

DESKTOP.INI [9/3/2002 7:00:00 AM]

 

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]

"DisableRegistryTools"=1 (0x1)

"DisableTaskMgr"=0 (0x0)

 

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler]

"{d9f6ce57-0718-4bd1-916f-5fb1f86911c2}"= C:\WINDOWS\system32\txdkfh.dll [ ]

 

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]

"{BCBEB0EB-744A-4F05-99A5-636B721C318E}"= C:\WINDOWS\system32\yayvsppn.dll [05/26/2008 05:10 AM 29824]

 

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad]

"vregfwlx"= {BDC0AFF7-BA1C-43A0-81FD-83048F115396} - C:\WINDOWS\vregfwlx.dll [ ]

"vltdfabw"= {21BAAA6A-9A9C-46CD-B170-11BF5D9D25B8} - C:\WINDOWS\vltdfabw.dll [ ]

"RomMon"= {70bb7e36-a663-4e20-afe3-9592dc190d9a} - C:\WINDOWS\Resources\RomMon.dll [05/26/2008 11:10 AM 14886]

 

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\yayvsppn]

yayvsppn.dll 05/26/2008 05:10 AM 29824 C:\WINDOWS\SYSTEM32\yayvsppn.dll

 

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]

"appinit_dlls"=murka.dat

 

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]

"Authentication Packages"= msv1_0 C:\WINDOWS\system32\byXQJYoP

 

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\ddesvr]

@="Service"

 

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\vds]

@="Service"

 

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{533C5B84-EC70-11D2-9505-00C04F79DEAF}]

@="Volume shadow copy"

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Digital Line Detect.lnk]

path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Digital Line Detect.lnk

backup=C:\WINDOWS\pss\Digital Line Detect.lnkCommon Startup

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Wireless PCI Card Config Utility.lnk]

path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Wireless PCI Card Config Utility.lnk

backup=C:\WINDOWS\pss\Wireless PCI Card Config Utility.lnkCommon Startup

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\cmsound]

c:\windows\msmsgnce.exe

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DellSupport]

"C:\Program Files\Dell Support\DSAgnt.exe" /startup

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\desktop]

C:\WINDOWS\System32\desktop.exe

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\lass]

C:\WINDOWS\System32\lass.exe

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MMTray]

C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ntddetect]

C:\WINDOWS\System32\ntddetect.exe

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PCMService]

"C:\Program Files\Dell\Media Experience\PCMService.exe"

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]

"C:\Program Files\QuickTime\qttask.exe" -atboottime

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Service Host]

C:\WINDOWS\System32\Services\{51D07C35-3779-44E5-A620-764660DE6251}\SVCHOST.EXE

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Sonic RecordNow!]

 

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\sp]

rundll32 C:\DOCUME~1\NOAHMC~1.MAR\LOCALS~1\Temp\se.dll,DllInstall

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\sr64]

C:\Documents and Settings\mary ellen doty\Application Data\Microsoft\sr64\jmidbmec.exe

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\StorageGuard]

"C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TBPS]

C:\PROGRA~1\Toolbar\TBPS.exe

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TkBellExe]

"C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WinTools]

C:\PROGRA~1\COMMON~1\WinTools\WToolsA.exe

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]

"TBPSSvc"=2 (0x2)

 

 

 

 

-- Hosts -----------------------------------------------------------------------

 

127.0.0.1 coolwwwsearch.com

127.0.0.1 coolwebsearch.com

127.0.0.1 hi.studioaperto.net

127.0.0.1 www.webbrowser.tv

127.0.0.1 www.wazzupnet.com

127.0.0.1 gueb.com

127.0.0.1 kabex.com

127.0.0.1 www.hityou.com

127.0.0.1 miosearch.com

127.0.0.1 wazzupnet.com

 

1013 more entries in hosts file.

 

 

-- End of Deckard's System Scanner: finished at 2008-05-28 03:47:45 ------------

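The "HijackThis Clone" section of the log above is what a helper reads first, and most of the verdicts come from a handful of mechanical questions: does the registered file still exist, where does it sit, which load point is it using, and does the service path even name a real file. The script below is an added example written for this thread; it is not part of DSS, HijackThis, or the original posts. It parses HijackThis-format lines and applies those questions as rules. The sample input is a constructed subset of lines copied from main.txt above, and the rules and thresholds (the hex-looking Run value names, the "top-level directory" check, the NTFS alternate-data-stream path test that catches C:\:ddesvr) are this example's own assumptions, not a signature database.

```python
"""Rule-based triage of HijackThis-style log lines (DSS emits the same
format in its "HijackThis Clone" section).

Added example for this thread, not part of DSS, HijackThis or the posts.
The rules are this example's own assumptions, not a signature database.
"""
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample: a subset of lines copied from the main.txt log above.
SAMPLE_LOG = r"""
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {4C07133D-218E-49F7-9C92-7F5DA8E19FFF} - C:\WINDOWS\SYSTEM32\byXQJYoP.dll
O2 - BHO: QXK Olive - {B33B96B9-E0C2-4648-9819-A38DDCAFA33C} - C:\WINDOWS\boqnrwdmstg.dll (file missing)
O4 - HKLM\..\Run: [antiviirus] C:\Program Files\antiviirus.exe
O4 - HKLM\..\Run: [a4421a12] rundll32.exe "C:\WINDOWS\system32\yuoketgo.dll",b
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKCU\..\Run: [69468080750546892607076787857284] C:\Program Files\XP Antivirus\xpa.exe
O7 - HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System, DisableRegedit=1
O18 - Filter: text/html - {47A961F3-90B4-4AF4-9A6B-CC4A7056F61D} - C:\WINDOWS\System32\fbao.dll (file missing)
O20 - AppInit_DLLs: murka.dat
O20 - Winlogon Notify: yayvsppn - C:\WINDOWS\system32\yayvsppn.dll
O21 - SSODL: vregfwlx - {BDC0AFF7-BA1C-43A0-81FD-83048F115396} - C:\WINDOWS\vregfwlx.dll (file missing)
O22 - SharedTaskScheduler: arborize - {d9f6ce57-0718-4bd1-916f-5fb1f86911c2} - C:\WINDOWS\system32\txdkfh.dll (file missing)
O23 - Service: DDE helper service (ddesvr) - Unknown owner - C:\:ddesvr
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
"""


@dataclass
class Finding:
    kind: str     # HijackThis section, e.g. "O20"
    reason: str
    line: str


HJT_LINE = re.compile(r"^(O\d+) - (.*)$")
O4_LINE = re.compile(r"^(?P<key>[^:]+): \[(?P<name>[^\]]*)\] (?P<cmd>.*)$")
# First Windows path in a field, cut at a common executable extension.
EXE_PATH = re.compile(r"[A-Za-z]:\\.*?\.(?:exe|dll|scr|sys|com)\b", re.I)
# A second ':' after the drive letter names an NTFS alternate data stream
# attached to a directory; C:\:ddesvr is a stream hung off the root of C:.
ADS_PATH = re.compile(r"^[A-Za-z]:\\(?:[^\\:]+\\)*[^\\:]*:[^\\]+$")
# Load points that run before or alongside the shell (assumption: every
# entry printed here is treated as worth a manual look).
EARLY_LOAD = {
    "AppInit_DLLs": "AppInit_DLLs: injected into every process that loads user32.dll",
    "Winlogon Notify": "Winlogon Notify package: loaded by winlogon.exe before any user shell",
    "SSODL": "ShellServiceObjectDelayLoad: loaded by Explorer when the shell starts",
    "SharedTaskScheduler": "SharedTaskScheduler: loaded by Explorer when the shell starts",
}
TOP_LEVEL_DIRS = {r"c:\program files", r"c:\windows"}


def extract_path(field: str) -> Optional[str]:
    """Return the file path a log field refers to, or None."""
    m = EXE_PATH.search(field)
    if m:
        return m.group(0)
    bare = field.split(" (")[0].strip('" ')   # e.g. C:\:ddesvr has no extension
    return bare if re.match(r"^[A-Za-z]:\\", bare) else None


def rules(kind: str, rest: str) -> List[str]:
    """Apply the triage rules to one parsed line; return every reason it trips."""
    reasons = []
    fields = rest.split(" - ")
    if rest.endswith("(file missing)") or rest.endswith("(no file)"):
        reasons.append("orphaned load point: the registered file is gone")
    if kind == "O2" and fields[0].startswith("BHO: (no name)"):
        reasons.append("BHO registered without a display name")
    if kind == "O4" and (m := O4_LINE.match(rest)):
        name, cmd = m.group("name"), m.group("cmd")
        if re.fullmatch(r"[0-9a-f]{8,}", name):
            reasons.append("Run value name looks machine-generated: " + name)
        if cmd.lower().startswith("rundll32") and "\\system32\\" in cmd.lower():
            reasons.append("rundll32 launching a DLL from system32 at logon")
        path = extract_path(cmd)
        if path:
            parent = path.rsplit("\\", 1)[0]
            if parent.lower() in TOP_LEVEL_DIRS:
                reasons.append("executable dropped directly in " + parent)
    if kind == "O7":
        reasons.append("policy locking the user out of an admin tool: " + rest.split(", ", 1)[-1])
    if kind == "O18" and fields[0].startswith("Filter: text/"):
        reasons.append("MIME filter: every text/html or text/plain page IE renders goes through this DLL")
    if kind in ("O20", "O21", "O22"):
        for key, why in EARLY_LOAD.items():
            if fields[0].startswith(key + ":"):
                reasons.append(why)
    if kind == "O23":
        path = extract_path(fields[-1]) or ""
        if ADS_PATH.match(path):
            reasons.append("service binary is an NTFS alternate data stream, invisible to Explorer and a plain dir")
        if len(fields) >= 3 and fields[-2] == "Unknown owner":
            reasons.append("service binary has no company name in its version info")
    return reasons


def triage(log_text: str) -> List[Finding]:
    """Parse HijackThis-style lines and return every rule hit, in log order."""
    findings = []
    for raw in log_text.splitlines():
        m = HJT_LINE.match(raw.strip())
        if not m:
            continue
        kind, rest = m.groups()
        findings.extend(Finding(kind, why, raw.strip()) for why in rules(kind, rest))
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"{f.kind:<4} {f.reason}\n     {f.line}")
```

Run on the sample, the avast!, Adobe and ashServ lines come out clean and everything else trips at least one rule. Two caveats a practitioner would want: the script only understands HijackThis-format lines, so the DSS registry dump further up needs reading by hand, and that dump holds the more serious findings in this log: the same byXQJYoP module listed under LSA "Authentication Packages" (loaded into lsass.exe at boot), the SafeBoot\Minimal\ddesvr key that lets that stream-backed service start even in Safe Mode, and the disabled msconfig startupreg entries such as lass.exe, desktop.exe and the SVCHOST.EXE under System32\Services\{GUID}. The rules are also only heuristics: an 8-hex-character Run value name or an "Unknown owner" service is a reason to look, not a verdict.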

Deckard's System Scanner v20071014.68

Extra logfile - please post this as an attachment with your post.

--------------------------------------------------------------------------------

 

-- System Information ----------------------------------------------------------

 

Microsoft Windows XP Home Edition (build 2600) SP 2.0

Architecture: X86; Language: English

 

CPU 0: Intel® Pentium® 4 CPU 2.20GHz

Percentage of Memory in Use: 91%

Physical Memory (total/avail): 254 MiB / 22.06 MiB

Pagefile Memory (total/avail): 753.04 MiB / 177.69 MiB

Virtual Memory (total/avail): 2047.88 MiB / 1945.66 MiB

 

A: is Removable (No Media)

C: is Fixed (NTFS) - 37.21 GiB total, 23.12 GiB free.

D: is CDROM (No Media)

E: is CDROM (No Media)

F: is Removable (No Media)

 

\\.\PHYSICALDRIVE0 - WDC WD400BB-75DEA0 - 37.25 GiB - 2 partitions

\PARTITION0 - Unknown - 31.35 MiB

\PARTITION1 (bootable) - Installable File System - 37.21 GiB - C:

 

\\.\PHYSICALDRIVE1 - Canon iP6700DStorage USB Device

 

 

 

-- Security Center -------------------------------------------------------------

 

AUOptions is scheduled to auto-install.

Windows Internal Firewall is enabled.

 

AV: AVG 7.5.524 v7.5.524 (Grisoft)

AV: avast! antivirus 4.8.1201 [VPS 080528-0] v4.8.1201 (ALWIL Software)

 

[HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List]

"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"

"C:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"="C:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe:*:Enabled:Windows Live Messenger"

"C:\\Program Files\\Windows Live\\Messenger\\livecall.exe"="C:\\Program Files\\Windows Live\\Messenger\\livecall.exe:*:Enabled:Windows Live Messenger (Phone)"

 

[HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]

"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"

"C:\\Program Files\\Grisoft\\AVG7\\avginet.exe"="C:\\Program Files\\Grisoft\\AVG7\\avginet.exe:*:Enabled:avginet.exe"

"C:\\Program Files\\Grisoft\\AVG7\\avgamsvr.exe"="C:\\Program Files\\Grisoft\\AVG7\\avgamsvr.exe:*:Enabled:avgamsvr.exe"

"C:\\Program Files\\Grisoft\\AVG7\\avgcc.exe"="C:\\Program Files\\Grisoft\\AVG7\\avgcc.exe:*:Enabled:avgcc.exe"

"C:\\Program Files\\Grisoft\\AVG7\\avgemc.exe"="C:\\Program Files\\Grisoft\\AVG7\\avgemc.exe:*:Enabled:avgemc.exe"

"C:\\Program Files\\EarthLink TotalAccess\\TaskPanl.exe"="C:\\Program Files\\EarthLink TotalAccess\\TaskPanl.exe:*:Disabled:TaskPanl"

"C:\\Program Files\\iTunes\\iTunes.exe"="C:\\Program Files\\iTunes\\iTunes.exe:*:Enabled:iTunes"

"C:\\Documents and Settings\\mary ellen doty\\Desktop\\CPE200 Locator.exe"="C:\\Documents and Settings\\mary ellen doty\\Desktop\\CPE200 Locator.exe:*:Enabled:CPE200 Locator"

"C:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"="C:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe:*:Enabled:Windows Live Messenger"

"C:\\Program Files\\Windows Live\\Messenger\\livecall.exe"="C:\\Program Files\\Windows Live\\Messenger\\livecall.exe:*:Enabled:Windows Live Messenger (Phone)"

"C:\\Program Files\\Yahoo! Games\\Bejeweled 2 Deluxe\\WinBej2.exe"="C:\\Program Files\\Yahoo! Games\\Bejeweled 2 Deluxe\\WinBej2.exe:*:Enabled:Bejeweled2"

"C:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"="C:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe:*:Enabled:AOL Loader"

"C:\\Program Files\\AIM6\\aim6.exe"="C:\\Program Files\\AIM6\\aim6.exe:*:Enabled:AIM"

 

 

-- Environment Variables -------------------------------------------------------

 

ALLUSERSPROFILE=C:\Documents and Settings\All Users

APPDATA=C:\Documents and Settings\mary ellen doty\Application Data

CLASSPATH=.;C:\Program Files\Java\j2re1.4.2\lib\ext\QTJava.zip

CLIENTNAME=Console

CommonProgramFiles=C:\Program Files\Common Files

COMPUTERNAME=MARYELLEN

ComSpec=C:\WINDOWS\system32\cmd.exe

FP_NO_HOST_CHECK=NO

HOMEDRIVE=C:

HOMEPATH=\Documents and Settings\mary ellen doty

LOGONSERVER=\\MARYELLEN

NUMBER_OF_PROCESSORS=1

OS=Windows_NT

Path=C:\WINDOWS\system32;C:\WINDOWS;C:\WINDOWS\System32\Wbem;C:\Program Files\QuickTime\QTSystem\

PATHEXT=.COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH

PROCESSOR_ARCHITECTURE=x86

PROCESSOR_IDENTIFIER=x86 Family 15 Model 2 Stepping 9, GenuineIntel

PROCESSOR_LEVEL=15

PROCESSOR_REVISION=0209

ProgramFiles=C:\Program Files

PROMPT=$P$G

QTJAVA=C:\Program Files\Java\j2re1.4.2\lib\ext\QTJava.zip

SESSIONNAME=Console

SystemDrive=C:

SystemRoot=C:\WINDOWS

TEMP=C:\DOCUME~1\MARYEL~1\LOCALS~1\Temp

TMP=C:\DOCUME~1\MARYEL~1\LOCALS~1\Temp

USERDOMAIN=MARYELLEN

USERNAME=mary ellen doty

USERPROFILE=C:\Documents and Settings\mary ellen doty

windir=C:\WINDOWS

 

 

-- User Profiles ---------------------------------------------------------------

 

mary ellen doty (admin)

friends (admin)

Administrator (admin)

 

 

-- Add/Remove Programs ---------------------------------------------------------

 

--> C:\WINDOWS\IsUninst.exe -fC:\WINDOWS\orun32.isu

--> C:\WINDOWS\System32\\MSIEXEC.EXE /I {09DA4F91-2A09-4232-AB8C-6BC740096DE3} REMOVE=UpdateMgrFeature

--> C:\WINDOWS\System32\\MSIEXEC.EXE /x {1206EF92-2E83-4859-ACCB-2048C3CB7DA6}

--> C:\WINDOWS\System32\\MSIEXEC.EXE /x {9541FED0-327F-4df0-8B96-EF57EF622F19}

--> rundll32.exe setupapi.dll,InstallHinfSection DefaultUninstall 132 C:\WINDOWS\INF\PCHealth.inf

Ad-Aware SE Personal --> C:\PROGRA~1\Lavasoft\AD-AWA~1\UNWISE.EXE C:\PROGRA~1\Lavasoft\AD-AWA~1\INSTALL.LOG

Adobe Download Manager 1.2 (Remove Only) --> "C:\Program Files\Common Files\Adobe\ESD\uninst.exe"

Adobe Flash Player 9 ActiveX --> C:\WINDOWS\system32\Macromed\Flash\UninstFl.exe -q

Adobe Flash Player ActiveX --> C:\WINDOWS\system32\Macromed\Flash\uninstall_activeX.exe

Adobe Reader 6.0.1 --> MsiExec.exe /I{AC76BA86-7AD7-1033-7B44-A00000000001}

AIM 6 --> C:\Program Files\AIM6\uninst.exe

avast! Antivirus --> C:\Program Files\Alwil Software\Avast4\aswRunDll.exe "C:\Program Files\Alwil Software\Avast4\Setup\setiface.dll",RunSetup

AVG 7.5 --> C:\Program Files\Grisoft\AVG7\setup.exe /UNINSTALL

AXPFixer --> "C:\Program Files\AXPFixer\uninstall.exe"

Broadcom Management Programs --> C:\PROGRA~1\COMMON~1\INSTAL~1\Driver\7\INTEL3~1\IDriver.exe /M{89EE857B-8970-4F9F-AB58-A1C873AC72B3} /l1033

Canon iP6700D --> "C:\WINDOWS\system32\CanonIJ Uninstaller Information\{1199FAD5-9546-44f3-81CF-FFDB8040B7BF}_Canon_iP6700D\DelDrv.exe" /U:{1199FAD5-9546-44f3-81CF-FFDB8040B7BF}_Canon_iP6700D /L0x0009

Canon iP6700D Memory Card Utility --> "C:\Program Files\Canon\Memory Card Utility\iP6700D\Maint.exe" /UninstallRemove C:\Program Files\Canon\Memory Card Utility\iP6700D\uninst.ini

Canon iP6700D User Registration --> C:\Program Files\Canon\IJEREG\iP6700D\UNINST.EXE

Canon My Printer --> C:\Program Files\Canon\MyPrinter\uninst.exe uninst.ini

Canon Utilities Easy-PhotoPrint --> C:\Program Files\Canon\Easy-PhotoPrint\uninst.exe uninst.ini

Conexant SmartHSFi V92 56K DF PCI Modem --> C:\Program Files\CONEXANT\CNXT_MODEM_PCI_VEN_14F1&DEV_2702\HXFSETUP.EXE -U -IDel8d8xk.INF

DAO --> MsiExec.exe /I{64116298-93C5-401D-B06C-39D8E3338508}

Dell Media Experience --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{2637C347-9DAD-11D6-9EA2-00055D0CA761}\setup.exe" -uninstall

Dell Picture Studio - Dell Image Expert --> MsiExec.exe /I{151C555A-A9E7-4A2E-B6D7-165D04A3C956}

Dell Solution Center --> MsiExec.exe /X{11F1920A-56A2-4642-B6E0-3B31A12C9288}

Digital Line Detect --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{E646DCF0-5A68-11D5-B229-002078017FBF}\setup.exe" -l0x9 ControlPanelAnyText

DS21Patch --> MsiExec.exe /I{9B79DCB0-AAD7-456B-8D07-433C936FA24B}

Easy-WebPrint --> C:\WINDOWS\IsUninst.exe -f"C:\Program Files\Canon\Easy-WebPrint\Uninst.isu"

Highlight Viewer (Windows Live Toolbar) --> MsiExec.exe /X{A5C4AD72-25FE-4899-B6DF-6D8DF63C93CF}

HijackThis 1.98.2 --> C:\Documents and Settings\mary ellen doty\Desktop\HijackThis.exe /uninstall

Intel® Extreme Graphics Driver --> RUNDLL32.EXE C:\WINDOWS\system32\ialmrem.dll,UninstallW2KIGfx PCI\VEN_8086&DEV_2562

iPod for Windows 2006-06-28 --> C:\Program Files\Common Files\InstallShield\Driver\8\Intel 32\IDriver.exe /M{BD57EA4D-026E-4F08-9B93-080E282B81FE} /l1033

iTunes --> C:\PROGRA~1\COMMON~1\INSTAL~1\Driver\11\INTEL3~1\IDriver.exe /M{54C0D94A-F467-4ABC-9D02-6E58748668D4} /l1033

Java 2 Runtime Environment, SE v1.4.2 --> MsiExec.exe /I{7148F0A8-6813-11D6-A77B-00B0D0142000}

Logitech® Camera Driver --> "C:\Program Files\Common Files\Logitech\QCDRV\BIN\SETUP.EXE" UNINSTALL REMOVEPROMPT

Map Button (Windows Live Toolbar) --> MsiExec.exe /X{7745B7A9-F323-4BB9-9811-01BF57A028DA}

Microsoft Encarta Encyclopedia Standard 2004 --> MsiExec.exe /I{04410044-9149-45C6-A806-F2BF9CFCE762}

Microsoft Money 2004 --> MsiExec.exe /I{1D643CD7-4DD6-11D7-A4E0-000874180BB3}

Microsoft Money 2004 System Pack --> MsiExec.exe /I{8C64E145-54BA-11D6-91B1-00500462BE80}

Microsoft SQL Server 2005 Compact Edition [ENU] --> MsiExec.exe /I{F0B430D1-B6AA-473D-9B06-AA3DD01FD0B8}

Modem Helper --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{7F142D56-3326-11D5-B229-002078017FBF}\setup.exe" -l0x9 ControlPanel

MUSICMATCH Jukebox --> C:\WINDOWS\IsUninst.exe -f"C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\Uninst.isu" -cC:\PROGRA~1\MUSICM~1\MUSICM~1\unmatch.dll

NetWaiting --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{3F92ABBB-6BBF-11D5-B229-002078017FBF}\setup.exe" -l0x9 ControlPanelAnyText

Paint Shop Pro 7 --> MsiExec.exe /I{D6DE02C7-1F47-11D4-9515-00105AE4B89A}

Pegasus 3.0 --> C:\PEGASUS3\UNWISE.EXE C:\PEGASUS3\INSTALL.LOG

QuickTime --> C:\PROGRA~1\COMMON~1\INSTAL~1\Driver\11\INTEL3~1\IDriver.exe /M{C21D5524-A970-42FA-AC8A-59B8C7CDCA31} /l1033

Security Update for Step By Step Interactive Training (KB898458) --> "C:\WINDOWS\$NtUninstallKB898458$\spuninst\spuninst.exe"

Security Update for Step By Step Interactive Training (KB923723) --> "C:\WINDOWS\$NtUninstallKB923723$\spuninst\spuninst.exe"

Shockwave --> C:\WINDOWS\SYSTEM32\Macromed\SHOCKW~1\UNWISE.EXE C:\WINDOWS\SYSTEM32\Macromed\SHOCKW~1\Install.log

ShopperReports --> C:\Program Files\ShoppingReport\Uninst.exe

Smart Menus (Windows Live Toolbar) --> MsiExec.exe /X{F084395C-40FB-4DB3-981C-B51E74E1E83D}

Sonic DLA --> MsiExec.exe /I{1206EF92-2E83-4859-ACCB-2048C3CB7DA6}

Sonic RecordNow! --> MsiExec.exe /I{9541FED0-327F-4DF0-8B96-EF57EF622F19}

Sonic Update Manager --> MsiExec.exe /I{09DA4F91-2A09-4232-AB8C-6BC740096DE3}

Viewpoint Media Player --> C:\Program Files\Viewpoint\Viewpoint Experience Technology\mtsAxInstaller.exe /u

Windows Imaging Component --> "C:\WINDOWS\$NtUninstallWIC$\spuninst\spuninst.exe"

Windows Live installer --> MsiExec.exe /X{A7E4ECCA-4A8E-4258-8EC8-2DCCF5B11320}

Windows Live Mail --> MsiExec.exe /I{184E7118-0295-43C4-B72C-1D54AA75AAF7}

Windows Live Messenger --> MsiExec.exe /X{508CE775-4BA4-4748-82DF-FE28DA9F03B0}

Windows Live Photo Gallery --> MsiExec.exe /X{2D4F6BE3-6FEF-4FE9-9D01-1406B220D08C}

Windows Live Sign-in Assistant --> MsiExec.exe /I{AFA4E5FD-ED70-4D92-99D0-162FD56DC986}

Windows Live Toolbar --> "C:\Program Files\Windows Live Toolbar\UnInstall.exe" {D5A145FC-D00C-4F1A-9119-EB4D9D659750}

Windows Live Toolbar --> MsiExec.exe /X{D5A145FC-D00C-4F1A-9119-EB4D9D659750}

Windows Live Toolbar Extension (Windows Live Toolbar) --> MsiExec.exe /X{341201D4-4F61-4ADB-987E-9CCE4D83A58D}

Windows Safety Alert --> C:\Documents and Settings\friends\Local Settings\Temp\laf2.exe /del

Winds 2.4 --> RunDll32 "C:\WINDOWS\winsx.dll",Uninstall

Wireless PCI Card Configuration Utility --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{1FADC8AB-5575-4D87-8870-EE527D86163F}\Setup.EXE"

WordPerfect Office 11 --> MsiExec.exe /I{54F90B55-BEB3-4F0D-8802-228822FA5921}

 

 

-- Application Event Log -------------------------------------------------------

 

Event Record #/Type3592 / Error

Event Submitted/Written: 05/28/2008 03:39:38 AM

Event ID/Source: 11 / crypt32

Event Description:

Failed extract of third-party root list from auto update cab at: <http://www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab> with error: The data is invalid.

 

Event Record #/Type3581 / Error

Event Submitted/Written: 05/26/2008 07:46:54 PM

Event ID/Source: 100 / AVG7

Event Description:

2008-05-27 03:46:54,843 MARYELLEN [000196:000220] ERROR 000 AVG7.WTS.CAvgAmWts ProcessIdToSessionId(2108) call failed with WIN32 error 87, returning session id is 0

 

Event Record #/Type3580 / Error

Event Submitted/Written: 05/26/2008 07:46:52 PM

Event ID/Source: 100 / AVG7

Event Description:

2008-05-27 03:46:52,687 MARYELLEN [000196:000220] ERROR 000 AVG7.WTS.CAvgAmWts ProcessIdToSessionId(2052) call failed with WIN32 error 87, returning session id is 0

 

Event Record #/Type3579 / Error

Event Submitted/Written: 05/26/2008 07:46:49 PM

Event ID/Source: 100 / AVG7

Event Description:

2008-05-27 03:46:49,328 MARYELLEN [000196:000220] ERROR 000 AVG7.WTS.CAvgAmWts ProcessIdToSessionId(2080) call failed with WIN32 error 87, returning session id is 0

 

Event Record #/Type3578 / Error

Event Submitted/Written: 05/26/2008 07:46:45 PM

Event ID/Source: 100 / AVG7

Event Description:

2008-05-27 03:46:45,593 MARYELLEN [000196:000220] ERROR 000 AVG7.WTS.CAvgAmWts ProcessIdToSessionId(724) call failed with WIN32 error 87, returning session id is 0

 

 

 

-- Security Event Log ----------------------------------------------------------

 

No Errors/Warnings found.

 

 

-- System Event Log ------------------------------------------------------------

 

Event Record #/Type34652 / Error

Event Submitted/Written: 05/28/2008 03:15:25 AM

Event ID/Source: 7000 / Service Control Manager

Event Description:

The IMAPI CD-Burning COM Service service failed to start due to the following error:

%%1053

 

Event Record #/Type34651 / Error

Event Submitted/Written: 05/28/2008 03:15:15 AM

Event ID/Source: 7009 / Service Control Manager

Event Description:

Timeout (30000 milliseconds) waiting for the IMAPI CD-Burning COM Service service to connect.

 

Event Record #/Type34650 / Error

Event Submitted/Written: 05/28/2008 02:51:44 AM

Event ID/Source: 10010 / DCOM

Event Description:

The server {CD79C623-E1B7-47CF-A685-2E8A882BA3F8} did not register with DCOM within the required timeout.

 

Event Record #/Type34648 / Error

Event Submitted/Written: 05/28/2008 02:49:23 AM

Event ID/Source: 7034 / Service Control Manager

Event Description:

The avast! Web Scanner service terminated unexpectedly. It has done this 1 time(s).

 

Event Record #/Type34644 / Error

Event Submitted/Written: 05/28/2008 02:48:33 AM

Event ID/Source: 7000 / Service Control Manager

Event Description:

The avast! Web Scanner service failed to start due to the following error:

%%1053

 

 

 

-- End of Deckard's System Scanner: finished at 2008-05-28 03:47:45 ------------


Thanks for helping me out once again, Aaflac. The first post is the MAIN and then the second one is the EXTRA. I also noticed that the computer has been running slower than usual. I plan to get rid of AVG since it's a terrible program. I installed AVAST, before I made this topic two days ago, and it has been notifying me that there are TROJANS on the computer, which is pretty obvious. Hope to hear from you soon. Thanks again :D


It looks as if AVG and Avast! are both installed. Not a good idea!! Please decide which AntiVirus program you are going to keep, and uninstall the other one. Use Control Panel:

  • Double-click Add or Remove Programs:
  • A list of programs installed is populated.
  • In this list please find the AV program you do not want to keep, and click Change or Change/Remove
~~~~

Next, do the following:

 

Please go to Start > Run, and in the Open area copy/paste the following command contained inside the code box:

 

REG add HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\system /v DisableRegedit /t REG_DWORD /d 0 /f

Click: OK

 

~~~~

Run HijackThis, Scan

Check box for:

 

O2 - BHO: ShoppingReport - {100EB1FD-D03E-47FD-81F3-EE91287F9465} - C:\Program Files\ShoppingReport\Bin\2.5.0\ShoppingReport.dll

O2 - BHO: e404 helper - {2C566C34-7D72-4DC1-9BBE-1121A76698F8} - C:\Program Files\Helper\1203454679.dll (file missing)

O2 - BHO: (no name) - {4C07133D-218E-49F7-9C92-7F5DA8E19FFF} - C:\WINDOWS\SYSTEM32\byXQJYoP.dll

O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)

O2 - BHO: QXK Olive - {B33B96B9-E0C2-4648-9819-A38DDCAFA33C} - C:\WINDOWS\boqnrwdmstg.dll (file missing)

O2 - BHO: (no name) - {BCBEB0EB-744A-4F05-99A5-636B721C318E} - C:\WINDOWS\SYSTEM32\yayvsppn.dll

 

O3 - Toolbar: (no name) - {BA52B914-B692-46c4-B683-905236F6F655} - (no file)

 

O4 - HKLM\..\Run: [salestart] "C:\Program Files\Common Files\AVSystemCare\bm.exe" dm=http://avsystemcare.com; ad=http://avsystemcare.com

O4 - HKLM\..\Run: [ctfmona] C:\WINDOWS\system32\ctfmona.exe

O4 - HKLM\..\Run: [antiviirus] C:\Program Files\antiviirus.exe

O4 - HKLM\..\Run: [a4421a12] rundll32.exe "C:\WINDOWS\system32\yuoketgo.dll",b

O4 - HKLM\..\Run: [AXPFixer] C:\Program Files\AXPFixer\AXPFixer.exe

O4 - HKLM\..\RunServices: [ntddetect] C:\WINDOWS\System32\ntddetect.exe

O4 - HKCU\..\Run: [69468080750546892607076787857284] C:\Program Files\XP Antivirus\xpa.exe

O4 - HKUS\S-1-5-20\..\Run: [desktop] C:\WINDOWS\System32\desktop.exe (User 'NETWORK SERVICE')

 

O7 - HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System, DisableRegedit=1

 

O18 - Filter: text/html - {47A961F3-90B4-4AF4-9A6B-CC4A7056F61D} - C:\WINDOWS\System32\fbao.dll (file missing)

O18 - Filter: text/plain - {47A961F3-90B4-4AF4-9A6B-CC4A7056F61D} - C:\WINDOWS\System32\fbao.dll (file missing)

 

O20 - AppInit_DLLs: murka.dat

 

O20 - Winlogon Notify: yayvsppn - C:\WINDOWS\system32\yayvsppn.dll

 

O21 - SSODL: vregfwlx - {BDC0AFF7-BA1C-43A0-81FD-83048F115396} - C:\WINDOWS\vregfwlx.dll (file missing)

O21 - SSODL: vltdfabw - {21BAAA6A-9A9C-46CD-B170-11BF5D9D25B8} - C:\WINDOWS\vltdfabw.dll (file missing)

 

O22 - SharedTaskScheduler: arborize - {d9f6ce57-0718-4bd1-916f-5fb1f86911c2} - C:\WINDOWS\system32\txdkfh.dll (file missing)

 

O23 - Service: DDE helper service (ddesvr) - Unknown owner - C:\:ddesvr

 

Select: Fix checked

 

~~~~

Download SDFix

Save it to the Desktop

 

Now, reboot to Safe Mode

  • Restart your computer.
  • When the machine reboots, tap the F8 key before Windows starts
  • You are presented with a Windows XP Advanced Options menu.
  • Select the option for Safe Mode using the arrow keys.
  • Press Enter to boot into Safe Mode.
In Safe Mode, double-click SDFix.exe icon on the Desktop
  • Allow the program to extract to its own folder (C:\SDFix)
  • Double click RunThis.bat to start the script.
  • Type Y to begin the cleanup process.
  • The process removes any Trojan Services or Registry Entries found, and then prompts you to press any key to Reboot.
  • Press any key to restart the PC.
  • When the PC restarts, SDFix will run again and complete the removal process
  • It then displays Finished
  • Press any key to end the script and load the Desktop icons.
  • Once the Desktop icons load, the SDFix report opens on screen and saves itself in the SDFix folder as Report.txt.
~~~~

Next, download Malwarebytes' Anti-Malware (MBAM)

Save the program to the Desktop

Close all windows, including this one. (Print the instructions first)

 

On the Desktop, double-click mbam-setup.exe to install the program, and follow the prompts

  • If an update is found, MBAM will download and install the latest.
  • Click OK
At the main program window
  • Make sure the following is checked: Perform Quick Scan
  • Click: Scan (The scan may take some time to finish, so please be patient.)
  • When the scan completes, a message box appears as shown in the image below:

    Posted Image

  • Click OK
At the main Scanner screen:
  • Click on: Show Results
  • A screen displaying the malware found shows as seen in the image below. (Results may be different.)

    Posted Image

  • Make sure everything found is checked, and click: Remove Selected
  • When the disinfection is complete, you may be prompted to Restart. Please do so.
  • When MBAM finishes removing the malware, a log opens in Notepad
  • The log is automatically saved and can be viewed by clicking the Logs tab.
~~~~

Run Deckard’s System Scanner once again.

 

~~~~

Please provide the following in your reply:

The contents of the SDFix Report.txt

The MBAM report

The contents of the new DSS main.txt

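Each entry the helper lists above sits in a different Windows load point (BHOs, Run keys, a registry policy, AppInit_DLLs, Winlogon Notify, SSODL, a service). The following Python is an added triage example, not code from this thread or from HijackThis: it parses lines in that "Oxx - ..." format and flags the traits visible in the post, namely orphaned entries ("(file missing)" / "(no file)"), a DisableRegedit=1 policy (for which it emits the same REG add fix the helper gave, aimed at the hive the line actually reports), a service image path pointing at an NTFS alternate data stream (C:\:ddesvr), a rundll32 autorun calling a one-letter export, a long all-digit Run value name, and a populated AppInit_DLLs. The flag names are my own; the sample lines are copied from the post.

```python
"""Triage of HijackThis-style "Oxx" lines (added example; not from this thread
or from HijackThis).  Sample lines below are copied from the helper's post."""
import re
from dataclasses import dataclass, field
from typing import List, Optional

# Constructed sample: a subset of the entries the helper asked to have fixed.
SAMPLE_LOG = r"""
O2 - BHO: (no name) - {4C07133D-218E-49F7-9C92-7F5DA8E19FFF} - C:\WINDOWS\SYSTEM32\byXQJYoP.dll
O2 - BHO: QXK Olive - {B33B96B9-E0C2-4648-9819-A38DDCAFA33C} - C:\WINDOWS\boqnrwdmstg.dll (file missing)
O3 - Toolbar: (no name) - {BA52B914-B692-46c4-B683-905236F6F655} - (no file)
O4 - HKLM\..\Run: [a4421a12] rundll32.exe "C:\WINDOWS\system32\yuoketgo.dll",b
O4 - HKLM\..\RunServices: [ntddetect] C:\WINDOWS\System32\ntddetect.exe
O4 - HKCU\..\Run: [69468080750546892607076787857284] C:\Program Files\XP Antivirus\xpa.exe
O7 - HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System, DisableRegedit=1
O20 - AppInit_DLLs: murka.dat
O20 - Winlogon Notify: yayvsppn - C:\WINDOWS\system32\yayvsppn.dll
O21 - SSODL: vregfwlx - {BDC0AFF7-BA1C-43A0-81FD-83048F115396} - C:\WINDOWS\vregfwlx.dll (file missing)
O23 - Service: DDE helper service (ddesvr) - Unknown owner - C:\:ddesvr
"""

# Which Windows load point each HijackThis section number refers to.
SECTIONS = {
    "O2": "Browser Helper Object", "O3": "IE toolbar", "O4": "Run-key autostart",
    "O7": "registry policy restriction", "O18": "protocol/MIME filter",
    "O20": "AppInit_DLLs / Winlogon Notify", "O21": "ShellServiceObjectDelayLoad",
    "O22": "SharedTaskScheduler", "O23": "service",
}
ORPHAN_MARKERS = ("(file missing)", "(no file)")
LINE_RE = re.compile(r"^(O\d+)\s+-\s+(.*)$")
# Drive-letter path with a second ':' in its last component -> NTFS alternate data stream.
ADS_RE = re.compile(r'[A-Za-z]:\\[^\s"]*:[^\s"\\]+')
# rundll32 loading a DLL and calling a one- or two-character export name.
RUNDLL_SHORT_EXPORT_RE = re.compile(r'rundll32(?:\.exe)?\s+"?[^",]+\.dll"?,\s*\w{1,2}(?:\s|$)', re.I)
RUN_ENTRY_RE = re.compile(r"^(.*?)\\\.\.\\(\w+): \[([^\]]*)\]\s*(.*)$")
POLICY_RE = re.compile(r"^(HK\w+\\[^,]+),\s*(\w+)=(\S+)$")


@dataclass
class Finding:
    section: str
    mechanism: str
    raw: str
    flags: List[str] = field(default_factory=list)
    remediation: Optional[str] = None


def parse_line(line: str) -> Optional[Finding]:
    """Classify one Oxx line; returns None for lines that are not entries."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    section, body = m.groups()
    f = Finding(section, SECTIONS.get(section, "other"), line.strip())
    if any(marker in body for marker in ORPHAN_MARKERS):
        f.flags.append("orphaned-entry")          # registration outlives its file
    if ADS_RE.search(body):
        f.flags.append("ads-image-path")          # e.g. C:\:ddesvr keeps the binary in a stream
    if section == "O4":
        rm = RUN_ENTRY_RE.match(body)
        if rm:
            name, cmd = rm.group(3), rm.group(4)
            if name.isdigit() and len(name) >= 16:
                f.flags.append("random-numeric-name")
            if RUNDLL_SHORT_EXPORT_RE.search(cmd):
                f.flags.append("rundll32-short-export")
    if section == "O7":
        pm = POLICY_RE.match(body)
        if pm and pm.group(2) == "DisableRegedit" and pm.group(3) == "1":
            f.flags.append("regedit-disabled")
            # Same REG command the helper gave, aimed at the hive the line reports.
            f.remediation = f"REG add {pm.group(1)} /v DisableRegedit /t REG_DWORD /d 0 /f"
    if section == "O20" and body.startswith("AppInit_DLLs:") and body.split(":", 1)[1].strip():
        f.flags.append("appinit-dlls-populated")  # normally empty on a clean XP box
    return f


def triage(log_text: str) -> List[Finding]:
    return [f for f in map(parse_line, log_text.splitlines()) if f is not None]


def suspicious(findings: List[Finding]) -> List[Finding]:
    return [f for f in findings if f.flags]


def report(findings: List[Finding]) -> str:
    out = []
    for f in findings:
        tag = ", ".join(f.flags) if f.flags else "no automatic flag (review by hand)"
        out.append(f"[{f.section}] {f.mechanism}: {tag}")
        if f.remediation:
            out.append(f"    remediation: {f.remediation}")
    return "\n".join(out)


if __name__ == "__main__":
    print(report(triage(SAMPLE_LOG)))
```

Entries with no automatic flag (a BHO or Winlogon Notify DLL that does exist on disk) still need the by-hand look the helper gave them; the flags only surface the traits that can be read off the line itself.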

SDFix: Version 1.187

Run by mary ellen doty on Fri 05/30/2008 at 12:33 PM

 

Microsoft Windows XP [Version 5.1.2600]

Running From: C:\SDFix

 

Checking Services :

 

 

Restoring Windows Registry Values

Restoring Windows Default Hosts File

Restoring Default Desktop Wallpaper

 

Rebooting

 

 

Checking Files :

 

Trojan Files Found:

 

C:\WINDOWS\Resources\RomMon.dll - Deleted

C:\WINDOWS\SYSTEM32\CTFMONB.BMP - Deleted

C:\Program Files\tmp0.exe - Deleted

C:\Program Files\tmp1.exe - Deleted

C:\Program Files\tmp2.exe - Deleted

C:\Documents and Settings\mary ellen doty\Start Menu\XP Antivirus 2008\Uninstall XP Antivirus 2008.lnk - Deleted

C:\Documents and Settings\mary ellen doty\Start Menu\XP Antivirus 2008\XP Antivirus 2008.lnk - Deleted

C:\Documents and Settings\friends\Desktop\Error Cleaner.url - Deleted

C:\Documents and Settings\friends\Favorites\Error Cleaner.url - Deleted

C:\Documents and Settings\friends\Desktop\Privacy Protector.url - Deleted

C:\Documents and Settings\friends\Favorites\Privacy Protector.url - Deleted

C:\Documents and Settings\friends\Desktop\Spyware&Malware Protection.url - Deleted

C:\Documents and Settings\friends\Favorites\Spyware&Malware Protection.url - Deleted

C:\WINDOWS\emdat.tm - Deleted

C:\WINDOWS\emdat.tmp - Deleted

C:\Program Files\antiviirus.exe - Deleted

C:\WINDOWS\system32\ctfmona.exe - Deleted

 

 

 

Folder C:\Documents and Settings\mary ellen doty\Start Menu\XP Antivirus 2008 - Removed

Folder C:\Program Files\Helper - Removed

Folder C:\Program Files\NetProject - Removed

Folder C:\Program Files\Video Add-on - Removed

Folder C:\Program Files\VirusHeat 4.3 - Removed

Folder C:\WINDOWS\system32\services - Removed

 

 

Removing Temp Files

 

ADS Check :

 

 

 

Final Check :

 

catchme 0.3.1361.2 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net

Rootkit scan 2008-05-30 12:42:55

Windows 5.1.2600 Service Pack 2 NTFS

 

scanning hidden processes ...

 

scanning hidden services & system hive ...

 

scanning hidden registry entries ...

 

scanning hidden files ...

 

C:\WINDOWS\KB932823-v3.log 3307 bytes

C:\WINDOWS\LastGood

C:\WINDOWS\LastGood\INF

C:\WINDOWS\LastGood\INF\oem44.inf 0 bytes

C:\WINDOWS\LastGood\INF\oem44.PNF 0 bytes

 

scan completed successfully

hidden processes: 0

hidden services: 0

hidden files: 5

 

 

Remaining Services :

 

 

 

 

Authorized Application Key Export:

 

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list]

"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"

"C:\\Program Files\\EarthLink TotalAccess\\TaskPanl.exe"="C:\\Program Files\\EarthLink TotalAccess\\TaskPanl.exe:*:Disabled:TaskPanl"

"C:\\Program Files\\iTunes\\iTunes.exe"="C:\\Program Files\\iTunes\\iTunes.exe:*:Enabled:iTunes"

"C:\\Documents and Settings\\mary ellen doty\\Desktop\\CPE200 Locator.exe"="C:\\Documents and Settings\\mary ellen doty\\Desktop\\CPE200 Locator.exe:*:Enabled:CPE200 Locator"

"C:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"="C:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe:*:Enabled:Windows Live Messenger"

"C:\\Program Files\\Windows Live\\Messenger\\livecall.exe"="C:\\Program Files\\Windows Live\\Messenger\\livecall.exe:*:Enabled:Windows Live Messenger (Phone)"

"C:\\Program Files\\Yahoo! Games\\Bejeweled 2 Deluxe\\WinBej2.exe"="C:\\Program Files\\Yahoo! Games\\Bejeweled 2 Deluxe\\WinBej2.exe:*:Enabled:Bejeweled2"

"C:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"="C:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe:*:Enabled:AOL Loader"

"C:\\Program Files\\AIM6\\aim6.exe"="C:\\Program Files\\AIM6\\aim6.exe:*:Enabled:AIM"

 

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\domainprofile\authorizedapplications\list]

"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"

"C:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"="C:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe:*:Enabled:Windows Live Messenger"

"C:\\Program Files\\Windows Live\\Messenger\\livecall.exe"="C:\\Program Files\\Windows Live\\Messenger\\livecall.exe:*:Enabled:Windows Live Messenger (Phone)"

 

Remaining Files :

 

 

File Backups: - C:\SDFix\backups\backups.zip

 

Files with Hidden Attributes :

 

Mon 26 May 2008 1,163,193 A.SH. --- "C:\WINDOWS\SYSTEM32\ogtekouy.tmp"

Tue 7 Feb 2006 299,008 A..H. --- "C:\Program Files\Canon\Memory Card Utility\iP6700D\Maint.exe"

Fri 10 Feb 2006 61,440 A..H. --- "C:\Program Files\Canon\Memory Card Utility\iP6700D\uinstrsc.dll"

Wed 14 May 2003 43,008 ...H. --- "C:\Program Files\Common Files\Adobe\ESD\DLMCleanup.exe"

Thu 8 May 2008 0 A..H. --- "C:\WINDOWS\SoftwareDistribution\Download\003bb8bbe9f41a593f54050bf67fed75\BITDC.tmp"

Wed 7 May 2008 0 A..H. --- "C:\WINDOWS\SoftwareDistribution\Download\fd0264849c01086f3c6b505dc02dbd44\BIT6.tmp"

Sun 17 Apr 2005 8 A..H. --- "C:\Documents and Settings\All Users\Application Data\GTek\GTUpdate\AUpdate\Channels\ch1\lock.tmp"

Sun 17 Apr 2005 8 A..H. --- "C:\Documents and Settings\All Users\Application Data\GTek\GTUpdate\AUpdate\Channels\ch2\lock.tmp"

Sun 17 Apr 2005 8 A..H. --- "C:\Documents and Settings\All Users\Application Data\GTek\GTUpdate\AUpdate\Channels\ch3\lock.tmp"

Sun 17 Apr 2005 8 A..H. --- "C:\Documents and Settings\All Users\Application Data\GTek\GTUpdate\AUpdate\Channels\ch4\lock.tmp"

 

Finished!

 

----------------------------------------------------------------------------------------------------------------

 

Malwarebytes' Anti-Malware 1.14

Database version: 805

 

1:03:15 PM 5/30/2008

mbam-log-5-30-2008 (13-03-15).txt

 

Scan type: Quick Scan

Objects scanned: 42595

Time elapsed: 8 minute(s), 35 second(s)

 

Memory Processes Infected: 0

Memory Modules Infected: 1

Registry Keys Infected: 60

Registry Values Infected: 2

Registry Data Items Infected: 0

Folders Infected: 45

Files Infected: 38

 

Memory Processes Infected:

(No malicious items detected)

 

Memory Modules Infected:

C:\WINDOWS\SYSTEM32\yayvsppn.dll (Trojan.Vundo) -> Unloaded module successfully.

 

Registry Keys Infected:

HKEY_CLASSES_ROOT\Interface\{14a9da84-0c80-4520-8452-f5c7c911a003} (Trojan.FakeAlert) -> Quarantined and deleted successfully.

HKEY_CLASSES_ROOT\Interface\{3177b0aa-7c67-46b4-ba02-574d7e368d4f} (Trojan.FakeAlert) -> Quarantined and deleted successfully.

HKEY_CLASSES_ROOT\CLSID\{e94eb13e-d78f-0857-7734-5e67a49ffff1} (Trojan.Zlob) -> Quarantined and deleted successfully.

HKEY_CLASSES_ROOT\shoppingreport.iebutton (Adware.Shopping.Report) -> Quarantined and deleted successfully.

HKEY_CLASSES_ROOT\CLSID\{20ea9658-6bc3-4599-a87d-6371fe9295fc} (Adware.Shopping.Report) -> Quarantined and deleted successfully.

HKEY_CLASSES_ROOT\CLSID\{a16ad1e9-f69a-45af-9462-b1c286708842} (Adware.Shopping.Report) -> Quarantined and deleted successfully.

HKEY_CLASSES_ROOT\CLSID\{a7cddcdc-beeb-4685-a062-978f5e07ceee} (Adware.Shopping.Report) -> Quarantined and deleted successfully.

HKEY_CLASSES_ROOT\CLSID\{c9ccbb35-d123-4a31-affc-9b2933132116} (Adware.Shopping.Report) -> Quarantined and deleted successfully.

HKEY_CLASSES_ROOT\shoppingreport.iebutton.1 (Adware.Shopping.Report) -> Quarantined and deleted successfully.

HKEY_CLASSES_ROOT\shoppingreport.hbinfoband (Adware.Shopping.Report) -> Quarantined and deleted successfully.

HKEY_CLASSES_ROOT\shoppingreport.hbinfoband.1 (Adware.Shopping.Report) -> Quarantined and deleted successfully.

HKEY_CLASSES_ROOT\shoppingreport.iebuttona (Adware.Shopping.Report) -> Quarantined and deleted successfully.

HKEY_CLASSES_ROOT\shoppingreport.iebuttona.1 (Adware.Shopping.Report) -> Quarantined and deleted successfully.

HKEY_CLASSES_ROOT\shoppingreport.hbax (Adware.Shopping.Report) -> Quarantined and deleted successfully.

HKEY_CLASSES_ROOT\shoppingreport.hbax.1 (Adware.Shopping.Report) -> Quarantined and deleted successfully.

HKEY_CLASSES_ROOT\shoppingreport.rprtctrl (Adware.Shopping.Report) -> Quarantined and deleted successfully.

HKEY_CLASSES_ROOT\shoppingreport.rprtctrl.1 (Adware.Shopping.Report) -> Quarantined and deleted successfully.

HKEY_CLASSES_ROOT\Interface\{8ad9ad05-36be-4e40-ba62-5422eb0d02fb} (Adware.Shopping.Report) -> Quarantined and deleted successfully.

HKEY_CLASSES_ROOT\Interface\{aebf09e2-0c15-43c8-99bf-928c645d98a0} (Adware.Shopping.Report) -> Quarantined and deleted successfully.

HKEY_CLASSES_ROOT\Interface\{d8560ac2-21b5-4c1a-bdd4-bd12bc83b082} (Adware.Shopping.Report) -> Quarantined and deleted successfully.

HKEY_CLASSES_ROOT\Typelib\{cdca70d8-c6a6-49ee-9bed-7429d6c477a2} (Adware.Shopping.Report) -> Quarantined and deleted successfully.

HKEY_CLASSES_ROOT\Typelib\{d136987f-e1c4-4ccc-a220-893df03ec5df} (Adware.Shopping.Report) -> Quarantined and deleted successfully.

HKEY_CLASSES_ROOT\Typelib\{e343edfc-1e6c-4cb5-aa29-e9c922641c80} (Adware.Shopping.Report) -> Quarantined and deleted successfully.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extensions\{c5428486-50a0-4a02-9d20-520b59a9f9b2} (Adware.Shopping.Report) -> Quarantined and deleted successfully.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extensions\{c5428486-50a0-4a02-9d20-520b59a9f9b3} (Adware.Shopping.Report) -> Quarantined and deleted successfully.

HKEY_CLASSES_ROOT\Interface\{be2b2900-fc91-4a07-ba4e-1b9f6a769894} (Rogue.Multiple) -> Quarantined and deleted successfully.

HKEY_CLASSES_ROOT\Interface\{fd4cf969-c3b8-4d5a-a892-7d039fe3f2ad} (Rogue.Multiple) -> Quarantined and deleted successfully.

HKEY_CLASSES_ROOT\Typelib\{14383b20-6fbb-47d3-a8cd-0986b9d8ca90} (Rogue.Multiple) -> Quarantined and deleted successfully.

HKEY_CLASSES_ROOT\Interface\{0ec085a8-9818-43b7-b975-ec7555eda4d2} (Rogue.VirusHeat) -> Quarantined and deleted successfully.

HKEY_CLASSES_ROOT\Interface\{1a74c41c-0837-4fbe-ba50-621eb70f01ce} (Rogue.VirusHeat) -> Quarantined and deleted successfully.

HKEY_CLASSES_ROOT\Interface\{25297614-1b76-4c2c-82c6-62738aa0e8f0} (Rogue.VirusHeat) -> Quarantined and deleted successfully.

HKEY_CLASSES_ROOT\Interface\{37f89457-1208-4670-9245-58c62bd6d870} (Rogue.VirusHeat) -> Quarantined and deleted successfully.

HKEY_CLASSES_ROOT\Interface\{45477032-abd0-454d-9ce4-ea34c10322f8} (Rogue.VirusHeat) -> Quarantined and deleted successfully.

HKEY_CLASSES_ROOT\Interface\{69e34747-0b27-4b30-ae20-1023bf29e246} (Rogue.VirusHeat) -> Quarantined and deleted successfully.

HKEY_CLASSES_ROOT\Interface\{79be5b3b-80b2-4b77-a042-efc90f6e0de7} (Rogue.VirusHeat) -> Quarantined and deleted successfully.

HKEY_CLASSES_ROOT\Interface\{7c0ec6bf-81b9-4fe0-9447-4ed29a36bf5d} (Rogue.VirusHeat) -> Quarantined and deleted successfully.

HKEY_CLASSES_ROOT\Interface\{7ebb34cf-1728-4136-a968-48f231dad1b4} (Rogue.VirusHeat) -> Quarantined and deleted successfully.

HKEY_CLASSES_ROOT\Interface\{88daa291-b413-4c46-b378-3be66f65369e} (Rogue.VirusHeat) -> Quarantined and deleted successfully.

HKEY_CLASSES_ROOT\Interface\{936a2f4a-53f8-4d2f-92aa-2f9de889841c} (Rogue.VirusHeat) -> Quarantined and deleted successfully.

HKEY_CLASSES_ROOT\Interface\{afcc3fa7-82a9-42d5-a405-78711e97a5d6} (Rogue.VirusHeat) -> Quarantined and deleted successfully.

HKEY_CLASSES_ROOT\Interface\{cc05a4a3-7b28-488f-ab02-6aaedb86accf} (Rogue.VirusHeat) -> Quarantined and deleted successfully.

HKEY_CLASSES_ROOT\Interface\{e80114aa-6653-4952-9e97-5f1dc63bee0f} (Rogue.VirusHeat) -> Quarantined and deleted successfully.

HKEY_CLASSES_ROOT\Interface\{f9109a2a-432b-4add-a6fa-06ba22dcd2d9} (Rogue.VirusHeat) -> Quarantined and deleted successfully.

HKEY_CLASSES_ROOT\Interface\{fca3958a-8d38-4d14-8b81-ccd7f68a8a01} (Rogue.VirusHeat) -> Quarantined and deleted successfully.

HKEY_CLASSES_ROOT\Typelib\{cbd02e9b-37ef-47d2-96b0-3abbb2eb92bf} (Rogue.VirusHeat) -> Quarantined and deleted successfully.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\shoppingreport (Adware.Shopping.Report) -> Quarantined and deleted successfully.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\AXPFixer (Rogue.AdvancedXPFixer) -> Quarantined and deleted successfully.

HKEY_LOCAL_MACHINE\SOFTWARE\AXPFixer (Rogue.AdvancedXPFixer) -> Quarantined and deleted successfully.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\aoprndtws (Malware.Trace) -> Quarantined and deleted successfully.

HKEY_CURRENT_USER\Software\Microsoft\affri (Malware.Trace) -> Quarantined and deleted successfully.

HKEY_CURRENT_USER\Software\Microsoft\rdfa (Trojan.Vundo) -> Quarantined and deleted successfully.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\affri (Malware.Trace) -> Quarantined and deleted successfully.

HKEY_CLASSES_ROOT\CLSID\{bcbeb0eb-744a-4f05-99a5-636b721c318e} (Trojan.Vundo) -> Quarantined and deleted successfully.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{bcbeb0eb-744a-4f05-99a5-636b721c318e} (Trojan.Vundo) -> Quarantined and deleted successfully.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\FCOVM (Trojan.Vundo) -> Quarantined and deleted successfully.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\RemoveRP (Trojan.Vundo) -> Quarantined and deleted successfully.

HKEY_LOCAL_MACHINE\software\Seekmo (Adware.Seekmo) -> Quarantined and deleted successfully.

HKEY_CURRENT_USER\Software\ShoppingReport (Adware.Shopping.Report) -> Quarantined and deleted successfully.

HKEY_LOCAL_MACHINE\SOFTWARE\ShoppingReport (Adware.Shopping.Report) -> Quarantined and deleted successfully.

HKEY_CURRENT_USER\Software\AVSystemCare (Rogue.AVSystemcare) -> Quarantined and deleted successfully.

 

Registry Values Infected:

HKEY_CURRENT_USER\Control Panel\Desktop\SCRNSAVE.EXE (Trojan.FakeAlert) -> Quarantined and deleted successfully.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks\{bcbeb0eb-744a-4f05-99a5-636b721c318e} (Trojan.Vundo) -> Quarantined and deleted successfully.

 

Registry Data Items Infected:

(No malicious items detected)

 

Folders Infected:

C:\UGA6P (Rogue.Multiple) -> Quarantined and deleted successfully.

C:\UGA6P\Quar (Rogue.Multiple) -> Quarantined and deleted successfully.

C:\Program Files\ShoppingReport (Adware.Shopping.Report) -> Quarantined and deleted successfully.

C:\Program Files\ShoppingReport\Bin (Adware.Shopping.Report) -> Quarantined and deleted successfully.

C:\Program Files\ShoppingReport\Bin\2.5.0 (Adware.Shopping.Report) -> Quarantined and deleted successfully.

C:\Program Files\AXPFixer (Rogue.AdvancedXPFixer) -> Quarantined and deleted successfully.

C:\Documents and Settings\mary ellen doty\Application Data\ShoppingReport (Adware.Shopping.Report) -> Quarantined and deleted successfully.

C:\Documents and Settings\mary ellen doty\Application Data\ShoppingReport\Application Data (Adware.Shopping.Report) -> Quarantined and deleted successfully.

C:\Documents and Settings\mary ellen doty\Application Data\ShoppingReport\cs (Adware.Shopping.Report) -> Quarantined and deleted successfully.

C:\Documents and Settings\mary ellen doty\Application Data\ShoppingReport\Documents and Settings (Adware.Shopping.Report) -> Quarantined and deleted successfully.

C:\Documents and Settings\mary ellen doty\Application Data\ShoppingReport\mary ellen doty (Adware.Shopping.Report) -> Quarantined and deleted successfully.

C:\Documents and Settings\mary ellen doty\Application Data\ShoppingReport\report (Adware.Shopping.Report) -> Quarantined and deleted successfully.

C:\Documents and Settings\mary ellen doty\Application Data\ShoppingReport\ShoppingReport (Adware.Shopping.Report) -> Quarantined and deleted successfully.

C:\Documents and Settings\mary ellen doty\Application Data\ShoppingReport\cs\Application Data (Adware.Shopping.Report) -> Quarantined and deleted successfully.

C:\Documents and Settings\mary ellen doty\Application Data\ShoppingReport\cs\cs (Adware.Shopping.Report) -> Quarantined and deleted successfully.

C:\Documents and Settings\mary ellen doty\Application Data\ShoppingReport\cs\db (Adware.Shopping.Report) -> Quarantined and deleted successfully.

C:\Documents and Settings\mary ellen doty\Application Data\ShoppingReport\cs\Documents and Settings (Adware.Shopping.Report) -> Quarantined and deleted successfully.

C:\Documents and Settings\mary ellen doty\Application Data\ShoppingReport\cs\dwld (Adware.Shopping.Report) -> Quarantined and deleted successfully.

C:\Documents and Settings\mary ellen doty\Application Data\ShoppingReport\cs\mary ellen doty (Adware.Shopping.Report) -> Quarantined and deleted successfully.

C:\Documents and Settings\mary ellen doty\Application Data\ShoppingReport\cs\report (Adware.Shopping.Report) -> Quarantined and deleted successfully.

C:\Documents and Settings\mary ellen doty\Application Data\ShoppingReport\cs\res2 (Adware.Shopping.Report) -> Quarantined and deleted successfully.

C:\Documents and Settings\mary ellen doty\Application Data\ShoppingReport\cs\ShoppingReport (Adware.Shopping.Report) -> Quarantined and deleted successfully.

C:\Documents and Settings\friends\Application Data\ShoppingReport (Adware.Shopping.Report) -> Quarantined and deleted successfully.

C:\Documents and Settings\friends\Application Data\ShoppingReport\cs (Adware.Shopping.Report) -> Quarantined and deleted successfully.

C:\Documents and Settings\friends\Application Data\ShoppingReport\cs\db (Adware.Shopping.Report) -> Quarantined and deleted successfully.

C:\Documents and Settings\friends\Application Data\ShoppingReport\cs\dwld (Adware.Shopping.Report) -> Quarantined and deleted successfully.

C:\Documents and Settings\friends\Application Data\ShoppingReport\cs\report (Adware.Shopping.Report) -> Quarantined and deleted successfully.

C:\Documents and Settings\friends\Application Data\ShoppingReport\cs\res2 (Adware.Shopping.Report) -> Quarantined and deleted successfully.

C:\Documents and Settings\All Users\Application Data\SalesMonitor (Rogue.Multiple) -> Quarantined and deleted successfully.

C:\Documents and Settings\All Users\Application Data\SalesMonitor\Data (Rogue.Multiple) -> Quarantined and deleted successfully.

C:\Documents and Settings\mary ellen doty\Application Data\AVSystemCare (Rogue.AVSystemcare) -> Quarantined and deleted successfully.

C:\Documents and Settings\mary ellen doty\Application Data\AVSystemCare\Logs (Rogue.AVSystemcare) -> Quarantined and deleted successfully.

C:\Documents and Settings\mary ellen doty\Application Data\AXPFixer (Rogue.AdvancedXPFixer) -> Quarantined and deleted successfully.

C:\Documents and Settings\mary ellen doty\Application Data\AXPFixer\AXPFixer (Rogue.AdvancedXPFixer) -> Quarantined and deleted successfully.

C:\Documents and Settings\mary ellen doty\Application Data\AXPFixer\AXPFixer\Quarantine (Rogue.AdvancedXPFixer) -> Quarantined and deleted successfully.

C:\Documents and Settings\mary ellen doty\Application Data\AXPFixer\AXPFixer\Quarantine\Autorun (Rogue.AdvancedXPFixer) -> Quarantined and deleted successfully.

C:\Documents and Settings\mary ellen doty\Application Data\AXPFixer\AXPFixer\Quarantine\BrowserObjects (Rogue.AdvancedXPFixer) -> Quarantined and deleted successfully.

C:\Documents and Settings\mary ellen doty\Application Data\AXPFixer\AXPFixer\Quarantine\Packages (Rogue.AdvancedXPFixer) -> Quarantined and deleted successfully.

C:\Documents and Settings\mary ellen doty\Application Data\AXPFixer\AXPFixer\Quarantine\Autorun\HKCU (Rogue.AdvancedXPFixer) -> Quarantined and deleted successfully.

C:\Documents and Settings\mary ellen doty\Application Data\AXPFixer\AXPFixer\Quarantine\Autorun\HKLM (Rogue.AdvancedXPFixer) -> Quarantined and deleted successfully.

C:\Documents and Settings\mary ellen doty\Application Data\AXPFixer\AXPFixer\Quarantine\Autorun\StartMenuAllUsers (Rogue.AdvancedXPFixer) -> Quarantined and deleted successfully.

C:\Documents and Settings\mary ellen doty\Application Data\AXPFixer\AXPFixer\Quarantine\Autorun\StartMenuCurrentUser (Rogue.AdvancedXPFixer) -> Quarantined and deleted successfully.

C:\Documents and Settings\mary ellen doty\Application Data\AXPFixer\AXPFixer\Quarantine\Autorun\HKCU\RunOnce (Rogue.AdvancedXPFixer) -> Quarantined and deleted successfully.

C:\Documents and Settings\mary ellen doty\Application Data\AXPFixer\AXPFixer\Quarantine\Autorun\HKLM\RunOnce (Rogue.AdvancedXPFixer) -> Quarantined and deleted successfully.

C:\Documents and Settings\mary ellen doty\Application Data\alot (Adware.BHO) -> Quarantined and deleted successfully.

 

Files Infected:

C:\Program Files\ShoppingReport\Bin\2.5.0\ShoppingReport.dll (Adware.Shopping.Report) -> Quarantined and deleted successfully.

C:\WINDOWS\SYSTEM32\96.tmp (Trojan.Agent) -> Quarantined and deleted successfully.

C:\WINDOWS\SYSTEM32\blackster.scr (Trojan.Agent) -> Quarantined and deleted successfully.

C:\WINDOWS\SYSTEM32\nnnmlllK.dll (Trojan.Vundo) -> Quarantined and deleted successfully.

C:\Documents and Settings\friends\Local Settings\Temp\.tt251.tmp (Rogue.AdvancedXPFixer) -> Quarantined and deleted successfully.

C:\Documents and Settings\friends\Local Settings\Temp\.tt6.tmp (Rogue.AdvancedXPFixer) -> Quarantined and deleted successfully.

C:\Documents and Settings\mary ellen doty\Local Settings\Temporary Internet Files\Content.IE5\W4INO9PX\css4[1] (Trojan.Vundo) -> Quarantined and deleted successfully.

C:\Program Files\ShoppingReport\Uninst.exe (Adware.Shopping.Report) -> Quarantined and deleted successfully.

C:\Program Files\AXPFixer\AXPFixer.exe (Rogue.AdvancedXPFixer) -> Quarantined and deleted successfully.

C:\Program Files\AXPFixer\AXPFixer.exe.local (Rogue.AdvancedXPFixer) -> Quarantined and deleted successfully.

C:\Program Files\AXPFixer\AXPFixerSkin.dll (Rogue.AdvancedXPFixer) -> Quarantined and deleted successfully.

C:\Program Files\AXPFixer\database.dat (Rogue.AdvancedXPFixer) -> Quarantined and deleted successfully.

C:\Program Files\AXPFixer\license.txt (Rogue.AdvancedXPFixer) -> Quarantined and deleted successfully.

C:\Program Files\AXPFixer\MFC71.dll (Rogue.AdvancedXPFixer) -> Quarantined and deleted successfully.

C:\Program Files\AXPFixer\MFC71ENU.DLL (Rogue.AdvancedXPFixer) -> Quarantined and deleted successfully.

C:\Program Files\AXPFixer\msvcp71.dll (Rogue.AdvancedXPFixer) -> Quarantined and deleted successfully.

C:\Program Files\AXPFixer\msvcr71.dll (Rogue.AdvancedXPFixer) -> Quarantined and deleted successfully.

C:\Documents and Settings\mary ellen doty\Application Data\ShoppingReport\cs\Config.xml (Adware.Shopping.Report) -> Quarantined and deleted successfully.

C:\Documents and Settings\mary ellen doty\Application Data\ShoppingReport\cs\db\Aliases.dbs (Adware.Shopping.Report) -> Quarantined and deleted successfully.

C:\Documents and Settings\mary ellen doty\Application Data\ShoppingReport\cs\db\Sites.dbs (Adware.Shopping.Report) -> Quarantined and deleted successfully.

C:\Documents and Settings\mary ellen doty\Application Data\ShoppingReport\cs\dwld\WhiteList.xip (Adware.Shopping.Report) -> Quarantined and deleted successfully.

C:\Documents and Settings\mary ellen doty\Application Data\ShoppingReport\cs\report\aggr_storage.xml (Adware.Shopping.Report) -> Quarantined and deleted successfully.

C:\Documents and Settings\mary ellen doty\Application Data\ShoppingReport\cs\report\send_storage.xml (Adware.Shopping.Report) -> Quarantined and deleted successfully.

C:\Documents and Settings\mary ellen doty\Application Data\ShoppingReport\cs\res2\WhiteList.dbs (Adware.Shopping.Report) -> Quarantined and deleted successfully.

C:\Documents and Settings\friends\Application Data\ShoppingReport\cs\Config.xml (Adware.Shopping.Report) -> Quarantined and deleted successfully.

C:\Documents and Settings\friends\Application Data\ShoppingReport\cs\db\Aliases.dbs (Adware.Shopping.Report) -> Quarantined and deleted successfully.

C:\Documents and Settings\friends\Application Data\ShoppingReport\cs\db\Sites.dbs (Adware.Shopping.Report) -> Quarantined and deleted successfully.

C:\Documents and Settings\friends\Application Data\ShoppingReport\cs\dwld\WhiteList.xip (Adware.Shopping.Report) -> Quarantined and deleted successfully.

C:\Documents and Settings\friends\Application Data\ShoppingReport\cs\report\aggr_storage.xml (Adware.Shopping.Report) -> Quarantined and deleted successfully.

C:\Documents and Settings\friends\Application Data\ShoppingReport\cs\report\send_storage.xml (Adware.Shopping.Report) -> Quarantined and deleted successfully.

C:\Documents and Settings\friends\Application Data\ShoppingReport\cs\res2\WhiteList.dbs (Adware.Shopping.Report) -> Quarantined and deleted successfully.

C:\Documents and Settings\mary ellen doty\Application Data\AVSystemCare\avtasks.dat (Rogue.AVSystemcare) -> Quarantined and deleted successfully.

C:\Documents and Settings\mary ellen doty\Application Data\AVSystemCare\Logs\av.log (Rogue.AVSystemcare) -> Quarantined and deleted successfully.

C:\Documents and Settings\mary ellen doty\Application Data\AVSystemCare\Logs\ga6Support.log (Rogue.AVSystemcare) -> Quarantined and deleted successfully.

C:\Documents and Settings\mary ellen doty\Application Data\AVSystemCare\Logs\update.log (Rogue.AVSystemcare) -> Quarantined and deleted successfully.

C:\WINDOWS\SYSTEM32\yayvsppn.dll (Trojan.Vundo) -> Delete on reboot.

C:\Documents and Settings\friends\Application Data\Microsoft\Internet Explorer\Quick Launch\AXPFixer.lnk (Rogue.AdvancedXPFixer) -> Quarantined and deleted successfully.

C:\Documents and Settings\friends\Local Settings\Temp\.tt1.tmp (Trojan.Downloader) -> Quarantined and deleted successfully.

 

----------------------------------------------------------------------------------------------------------------------

 

Deckard's System Scanner v20071014.68

Run by mary ellen doty on 2008-05-30 13:11:28

Computer is in Normal Mode.

--------------------------------------------------------------------------------

 

Total Physical Memory: 254 MiB (512 MiB recommended).

 

 

-- HijackThis (run as mary ellen doty.exe) -------------------------------------

 

Logfile of Trend Micro HijackThis v2.0.2

Scan saved at 1:11:48 PM, on 5/30/2008

Platform: Windows XP SP2 (WinNT 5.01.2600)

MSIE: Internet Explorer v7.00 (7.00.6000.16640)

Boot mode: Normal

 

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe

C:\Program Files\Alwil Software\Avast4\ashServ.exe

C:\WINDOWS\system32\spoolsv.exe

C:\WINDOWS\Explorer.EXE

C:\WINDOWS\System32\svchost.exe

C:\Program Files\Viewpoint\Common\ViewpointService.exe

C:\WINDOWS\system32\LVCOMSX.EXE

C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe

C:\WINDOWS\system32\ctfmon.exe

C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe

C:\Program Files\Alwil Software\Avast4\ashWebSv.exe

C:\Program Files\Internet Explorer\iexplore.exe

C:\WINDOWS\system32\wuauclt.exe

C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLLoginProxy.exe

C:\WINDOWS\system32\wuauclt.exe

C:\Documents and Settings\mary ellen doty\Desktop\dss.exe

C:\DOCUME~1\MARYEL~1\Desktop\mary ellen doty.exe

 

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank

O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll

O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll

O2 - BHO: Canon Easy Web Print Helper - {68F9551E-0411-48E4-9AAF-4BC42A6A46BE} - C:\Program Files\Canon\Easy-WebPrint\EWPBrowseLoader.dll

O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll

O2 - BHO: Windows Live Toolbar Helper - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll

O3 - Toolbar: Easy-WebPrint - {327C2873-E90D-4c37-AA9D-10AC9BABA46C} - C:\Program Files\Canon\Easy-WebPrint\Toolband.dll

O3 - Toolbar: Windows Live Toolbar - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll

O4 - HKLM\..\Run: [LVCOMSX] C:\WINDOWS\system32\LVCOMSX.EXE

O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe

O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\Windows Live\Messenger\msnmsgr.exe" /background

O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe

O8 - Extra context menu item: &Windows Live Search - res://C:\Program Files\Windows Live Toolbar\msntb.dll/search.htm

O8 - Extra context menu item: Easy-WebPrint Add To Print List - res://C:\Program Files\Canon\Easy-WebPrint\Toolband.dll/RC_AddToList.html

O8 - Extra context menu item: Easy-WebPrint High Speed Print - res://C:\Program Files\Canon\Easy-WebPrint\Toolband.dll/RC_HSPrint.html

O8 - Extra context menu item: Easy-WebPrint Preview - res://C:\Program Files\Canon\Easy-WebPrint\Toolband.dll/RC_Preview.html

O8 - Extra context menu item: Easy-WebPrint Print - res://C:\Program Files\Canon\Easy-WebPrint\Toolband.dll/RC_Print.html

O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)

O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} - http://bin.mcafee.com/molbin/shared/mcinsc...84/mcinsctl.cab

O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} - http://bin.mcafee.com/molbin/shared/mcgdmg...,21/mcgdmgr.cab

O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shoc...ash/swflash.cab

O17 - HKLM\System\CCS\Services\Tcpip\..\{491C72C4-4D5E-4E81-9511-011791E11B0A}: NameServer = 209.193.4.7,209.193.4.8

O17 - HKLM\System\CS1\Services\Tcpip\..\{491C72C4-4D5E-4E81-9511-011791E11B0A}: NameServer = 209.193.4.7,209.193.4.8

O17 - HKLM\System\CS2\Services\Tcpip\..\{491C72C4-4D5E-4E81-9511-011791E11B0A}: NameServer = 209.193.4.7,209.193.4.8

O18 - Filter hijack: text/html - {47A961F3-90B4-4AF4-9A6B-CC4A7056F61D} - C:\WINDOWS\System32\fbao.dll

O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe

O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe

O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe

O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe

O23 - Service: DDE helper service (ddesvr) - Unknown owner - C:\:ddesvr (file missing)

O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe

O23 - Service: iPodService - Apple Computer, Inc. - C:\Documents and Settings\mary ellen doty\My Documents\iPod\bin\iPodService.exe

O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exe

 

--

End of file - 5810 bytes

 

-- Files created between 2008-04-30 and 2008-05-30 -----------------------------

 

2008-05-30 12:51:47 0 d-------- C:\Documents and Settings\mary ellen doty\Application Data\Malwarebytes

2008-05-30 12:51:39 0 d-------- C:\Documents and Settings\All Users\Application Data\Malwarebytes

2008-05-30 12:51:37 0 d-------- C:\Program Files\Malwarebytes' Anti-Malware

2008-05-30 12:28:50 0 d-------- C:\WINDOWS\ERUNT

2008-05-30 12:04:44 0 d-------- C:\Documents and Settings\All Users\Application Data\Avg7

2008-05-28 03:13:09 0 d-------- C:\Documents and Settings\mary ellen doty\Application Data\cs

2008-05-28 02:54:27 0 --a------ C:\WINDOWS\system32\xugbvkpl.dll

2008-05-26 19:45:56 0 d-------- C:\Documents and Settings\mary ellen doty\Application Data\Application Data <APPLIC~1>

2008-05-26 19:05:15 0 d-------- C:\Documents and Settings\mary ellen doty\Application Data\Documents and Settings <DOCUME~1>

2008-05-26 19:04:27 0 d-------- C:\Documents and Settings\mary ellen doty\Application Data\mary ellen doty <MARYEL~1>

2008-05-26 17:05:40 0 d-------- C:\Documents and Settings\mary ellen doty\Application Data\report

2008-05-26 16:33:56 0 d-------- C:\Documents and Settings\friends\Application Data\friends

2008-05-26 16:33:55 0 d-------- C:\friends

2008-05-26 16:33:55 0 d-------- C:\Documents and Settings\friends\cs

2008-05-26 16:33:54 0 d-------- C:\Documents and Settings\friends\ShoppingReport

2008-05-26 16:32:16 0 d-------- C:\Documents and Settings\friends\friends

2008-05-26 16:32:16 0 d-------- C:\Documents and Settings\friends\Documents and Settings <DOCUME~1>

2008-05-26 13:39:22 0 d-------- C:\report

2008-05-26 13:39:21 0 d-------- C:\ShoppingReport

2008-05-26 13:39:21 0 d-------- C:\mary ellen doty <MARYEL~1>

2008-05-26 12:49:22 466 --ahs---- C:\WINDOWS\system32\ogtekouy.ini2

2008-05-26 12:12:57 0 --a------ C:\WINDOWS\system32\yuoketgo.dll

2008-05-26 11:29:45 0 d-------- C:\Documents and Settings\mary ellen doty\mary ellen doty <MARYEL~1>

2008-05-26 11:26:16 0 d-------- C:\cs

2008-05-26 11:21:12 0 d-------- C:\Documents and Settings\mary ellen doty\Documents and Settings <DOCUME~1>

2008-05-26 11:11:09 0 d-------- C:\Documents and Settings\mary ellen doty\ShoppingReport

2008-05-26 11:11:09 0 d-------- C:\Documents and Settings\mary ellen doty\report

2008-05-26 11:11:09 0 d-------- C:\Documents and Settings\mary ellen doty\cs

2008-05-26 11:11:08 0 d-------- C:\Application Data <APPLIC~1>

2008-05-26 06:52:00 0 d-------- C:\Documents and Settings\friends\Application Data\TmpRecentIcons

2008-05-26 05:17:29 0 --a------ C:\WINDOWS\system32\cwibvbsw.dll

2008-05-26 05:15:45 605759 --ahs---- C:\WINDOWS\system32\PoYJQXyb.ini2

2008-05-25 16:13:27 0 d-------- C:\Documents and Settings\friends\Application Data\AdobeUM

2008-05-23 11:22:53 0 d-------- C:\Documents and Settings\mary ellen doty\Application Data\Viewpoint

2008-05-22 17:52:48 0 d-------- C:\Documents and Settings\friends\Application Data\acccore

2008-05-08 17:08:45 0 d-------- C:\Documents and Settings\friends\Application Data\Apple Computer

2008-05-06 04:10:29 0 d-------- C:\Documents and Settings\mary ellen doty\Application Data\acccore

2008-05-06 04:07:42 0 d-------- C:\Documents and Settings\All Users\Application Data\AOL OCP

2008-05-06 04:06:55 0 d-------- C:\Program Files\AIM6

2008-05-04 20:33:24 53248 -ra------ C:\WINDOWS\system32\InstMed.exe

2008-05-04 20:32:59 0 d-------- C:\Program Files\Common Files\Logitech

 

 

-- Find3M Report ---------------------------------------------------------------

 

2008-05-26 18:07:53 0 d-------- C:\Program Files\Common Files\Real

2008-05-26 18:07:00 0 d-------- C:\Program Files\Common Files

2008-05-26 18:05:26 0 d-------- C:\Documents and Settings\mary ellen doty\Application Data\Real

2008-05-26 18:03:36 0 d-------- C:\Program Files\Google

2008-05-06 04:08:06 0 d-------- C:\Program Files\Viewpoint

2008-05-06 04:07:17 0 d-------- C:\Program Files\Common Files\AOL

2008-04-29 19:49:05 0 d-------- C:\Documents and Settings\mary ellen doty\Application Data\AdobeUM

 

 

-- Registry Dump ---------------------------------------------------------------

 

*Note* empty entries & legit default entries are not shown

 

 

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"LVCOMSX"="C:\WINDOWS\system32\LVCOMSX.EXE" [10/08/2004 11:52 AM]

"avast!"="C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe" [05/15/2008 03:19 PM]

 

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"msnmsgr"="C:\Program Files\Windows Live\Messenger\msnmsgr.exe" []

"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [08/03/2004 11:56 PM]

"Aim6"="" []

 

C:\Documents and Settings\mary ellen doty\Start Menu\Programs\Startup\

DESKTOP.INI [9/3/2002 7:00:00 AM]

 

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\

DESKTOP.INI [9/3/2002 7:00:00 AM]

 

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]

"DisableRegedit"=0 (0x0)

 

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]

"Authentication Packages"= msv1_0 C:\WINDOWS\system32\byXQJYoP

 

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders]

SecurityProviders msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll,

 

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\ddesvr]

@="Service"

 

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\vds]

@="Service"

 

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{533C5B84-EC70-11D2-9505-00C04F79DEAF}]

@="Volume shadow copy"

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Digital Line Detect.lnk]

path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Digital Line Detect.lnk

backup=C:\WINDOWS\pss\Digital Line Detect.lnkCommon Startup

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Wireless PCI Card Config Utility.lnk]

path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Wireless PCI Card Config Utility.lnk

backup=C:\WINDOWS\pss\Wireless PCI Card Config Utility.lnkCommon Startup

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\cmsound]

c:\windows\msmsgnce.exe

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DellSupport]

"C:\Program Files\Dell Support\DSAgnt.exe" /startup

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\desktop]

C:\WINDOWS\System32\desktop.exe

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\lass]

C:\WINDOWS\System32\lass.exe

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MMTray]

C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ntddetect]

C:\WINDOWS\System32\ntddetect.exe

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PCMService]

"C:\Program Files\Dell\Media Experience\PCMService.exe"

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]

"C:\Program Files\QuickTime\qttask.exe" -atboottime

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Service Host]

C:\WINDOWS\System32\Services\{51D07C35-3779-44E5-A620-764660DE6251}\SVCHOST.EXE

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Sonic RecordNow!]

 

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\sp]

rundll32 C:\DOCUME~1\NOAHMC~1.MAR\LOCALS~1\Temp\se.dll,DllInstall

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\sr64]

C:\Documents and Settings\mary ellen doty\Application Data\Microsoft\sr64\jmidbmec.exe

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\StorageGuard]

"C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TBPS]

C:\PROGRA~1\Toolbar\TBPS.exe

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TkBellExe]

"C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WinTools]

C:\PROGRA~1\COMMON~1\WinTools\WToolsA.exe

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]

"TBPSSvc"=2 (0x2)

 

 

 

 

-- End of Deckard's System Scanner: finished at 2008-05-30 13:12:49 ------------

Please download ComboFix

Save to the Desktop <<< Important!!

 

Information on the program - A Guide on using ComboFix: http://www.bleepingcomputer.com/combofix/how-to-use-combofix

It includes the opportunity to install the Windows Recovery Console.

 

Before running ComboFix, close or disable all AntiVirus and AntiMalware programs so that they do not interfere with the running of ComboFix.

 

Double-click combofix.exe to run the program

Follow the prompts.

(Don't click on the window while the program is running; it may cause your system to stall.)

 

When finished, a log, ComboFix.txt, is produced. Please provide it in your reply.
