drivecleaner/winantivirus popup - help!

Discussion in 'Malware and Virus Removal Archive' started by wiggz, 2006/09/13.

  1. 2006/09/13
    wiggz

    I have been getting pop-ups from DriveCleaner, WinAntiVirus, and WinAntiVirus 2006. I have scanned my computer with McAfee VirusScan 2006 and Ad-Aware SE Personal, the Vundo Removal Tool & many more. None have been able to remove these pop-ups. Also, I see my desktop flash quickly every now and then. One other problem is that sometimes some random audio starts playing, some gossip radio thing. I have run ComboFix and here is my log:

    Earganic - 06-09-13 1:21:02.60
    ComboFix 06.09.11B - Running from: C:\Documents and Settings\Earganic\Desktop

    Microsoft Windows XP [Version 5.1.2600]

    (((((((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))


    C:\Documents and Settings\NetworkService\Application Data\NetMon

    ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ Purity ~ ~ ~ ~ ~ ~ ~ ~~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~

    Folders Quarantined:

    C:\QooBox\Purity\Documents and Settings\Earganic\Application Data\MANTEC~1
    C:\QooBox\Purity\Documents and Settings\Earganic\My Documents\SMANTE~1
    C:\QooBox\Purity\WINDOWS\MANTEC~1
    C:\QooBox\Purity\WINDOWS\SSTEM~1


    ((((((((((((((((((((((((((((((( Files Created from 2006-08-13 to 2006-09-13 ))))))))))))))))))))))))))))))))))


    2006-09-13 00:25 57,384 --a------ C:\WINDOWS\system32\avsda.dll
    2006-08-26 05:58 176,128 --a------ C:\WINDOWS\system32\nvuaudio.exe
    2006-08-26 04:59 36,864 --------- C:\WINDOWS\system32\wbsys.dll
    2006-08-26 04:59 20,480 --a------ C:\WINDOWS\system32\wbload.dll
    2006-08-26 02:21 1,224,704 --a------ C:\WINDOWS\system32\multimedia.dll
    2006-08-21 14:42 299,520 --a------ C:\WINDOWS\uninst.exe
    2006-08-17 01:01 19,456 --a------ C:\WINDOWS\system32\asapi.dll
    2006-08-17 01:00 1,052,672 --a------ C:\WINDOWS\system32\CDDBControl.dll


    (((((((((((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))))


    2006-09-13 01:11 -------- d-------- C:\Program Files\Windows Media Player
    2006-09-13 00:53 -------- d-------- C:\Program Files\Windows Defender
    2006-09-13 00:39 -------- d-------- C:\Program Files\Mozilla Firefox
    2006-09-13 00:25 -------- d-------- C:\Program Files\AntiVir PersonalEdition Classic
    2006-09-12 23:44 -------- d-------- C:\Program Files\Lavasoft
    2006-09-12 23:44 -------- d-------- C:\Documents and Settings\Earganic\Application Data\Lavasoft
    2006-09-12 23:36 -------- d-------- C:\Program Files\eMule
    2006-09-12 01:19 -------- d-------- C:\Program Files\Common Files
    2006-09-11 19:39 -------- d-------- C:\Program Files\GameSpy Arcade
    2006-09-11 14:41 -------- d-------- C:\Program Files\Messenger
    2006-09-11 14:05 -------- d-------- C:\Program Files\Spyware Doctor
    2006-08-30 22:25 -------- d-------- C:\Program Files\mIRC
    2006-08-30 21:53 -------- d-------- C:\Program Files\ewido anti-spyware 4.0
    2006-08-30 21:42 -------- d--h----- C:\Program Files\InstallShield Installation Information
    2006-08-30 21:39 -------- d-------- C:\Program Files\ASUS
    2006-08-30 21:38 -------- d-------- C:\Program Files\Common Files\Symantec Shared
    2006-08-30 21:20 -------- d-------- C:\Documents and Settings\Earganic\Application Data\PC Tools
    2006-08-30 21:16 -------- d-------- C:\Program Files\Garritan Jazz Big Band
    2006-08-30 12:36 -------- d-------- C:\Documents and Settings\Earganic\Application Data\Canon
    2006-08-27 02:10 -------- d-------- C:\Program Files\Common Files\fkrz
    2006-08-26 05:58 -------- d-------- C:\Program Files\NVIDIA Corporation
    2006-08-26 05:58 -------- d-------- C:\Program Files\Common Files\NVIDIA Shared
    2006-08-26 04:59 -------- d-------- C:\Program Files\Stardock
    2006-08-26 04:13 -------- d-------- C:\Program Files\Waves
    2006-08-26 04:13 -------- d-------- C:\Documents and Settings\Earganic\Application Data\Waves Audio
    2006-08-26 02:01 -------- d-------- C:\Program Files\Microsoft ActiveSync
    2006-08-23 21:47 -------- d-------- C:\Program Files\TCWorks
    2006-08-20 18:40 -------- d-------- C:\Program Files\East West
    2006-08-20 17:44 -------- d-------- C:\Program Files\Monkey's Audio
    2006-08-17 01:01 -------- d-------- C:\Program Files\VOB
    2006-08-17 01:00 -------- d-------- C:\Program Files\Steinberg
    2006-08-14 03:00 -------- d-------- C:\Program Files\Internet Explorer
    2006-08-10 16:49 -------- d-------- C:\Program Files\FriendBot
    2006-08-05 23:30 -------- d-------- C:\Program Files\Muon Software Ltd
    2006-07-28 19:43 -------- d---s---- C:\Documents and Settings\Earganic\Application Data\Microsoft
    2006-07-28 19:36 2508 --a------ C:\Documents and Settings\Earganic\Application Data\$_hpcst$.hpc
    2006-07-28 19:31 -------- d-------- C:\Program Files\Common Files\Microsoft Shared
    2006-07-27 06:24 679424 --a------ C:\WINDOWS\system32\inetcomm.dll
    2006-07-25 23:06 -------- d-------- C:\Program Files\àdobe
    2006-07-25 18:43 -------- d-------- C:\Program Files\Adware Away
    2006-07-25 15:45 -------- d-------- C:\Program Files\Enigma Software Group
    2006-07-24 18:18 -------- d-------- C:\Program Files\CCleaner
    2006-07-24 17:49 -------- d-------- C:\Program Files\Tweak-XP Pro 4
    2006-07-24 17:49 -------- d-------- C:\Program Files\PerSono
    2006-07-24 17:49 -------- d-------- C:\Program Files\MicModDX
    2006-07-24 17:49 -------- d-------- C:\Program Files\LimeWire
    2006-07-24 17:15 -------- d-------- C:\Program Files\Windows NT
    2006-07-23 13:55 -------- d-------- C:\Program Files\DAEMON Tools
    2006-07-23 02:52 289 --a------ C:\WINDOWS\xtffr.dll
    2006-07-21 01:24 72704 --a------ C:\WINDOWS\system32\hlink.dll
    2006-07-15 03:39 -------- d-------- C:\Program Files\Logitech
    2006-07-15 03:39 -------- d-------- C:\Program Files\Common Files\Logitech
    2006-06-26 16:13 129832 --a------ C:\WINDOWS\system32\rapi.dll
    2006-06-26 16:12 20264 --a------ C:\WINDOWS\system32\ceutil.dll


    (((((((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))

    *Note* empty entries are not shown

    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "Creative Detector"="\"C:\\Program Files\\Creative\\MediaSource\\Detector\\CTDetect.exe\" /R"
    "ctfmon.exe"="C:\\WINDOWS\\system32\\ctfmon.exe"
    "H/PC Connection Agent"="\"C:\\Program Files\\Microsoft ActiveSync\\wcescomm.exe\""

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "zBrowser Launcher"="C:\\Program Files\\Logitech\\iTouch\\iTouch.exe"
    "ViewMgr"="C:\\Program Files\\Viewpoint\\Viewpoint Manager\\ViewMgr.exe"
    "SunJavaUpdateSched"="C:\\Program Files\\Java\\jre1.5.0_06\\bin\\jusched.exe"
    "SoundMan"="SOUNDMAN.EXE"
    "QuickTime Task"="\"C:\\Program Files\\QuickTime\\qttask.exe\" -atboottime"
    "PHIME2002ASync"="C:\\WINDOWS\\system32\\IME\\TINTLGNT\\TINTSETP.EXE /SYNC"
    "PHIME2002A"="C:\\WINDOWS\\system32\\IME\\TINTLGNT\\TINTSETP.EXE /IMEName"
    "nwiz"="nwiz.exe /install"
    "NvMediaCenter"="RunDLL32.exe NvMCTray.dll,NvTaskbarInit"
    "NvCplDaemon"="RUNDLL32.EXE C:\\WINDOWS\\system32\\NvCpl.dll,NvStartup"
    "NeroFilterCheck"="C:\\WINDOWS\\system32\\NeroCheck.exe"
    "MSPY2002"="C:\\WINDOWS\\system32\\IME\\PINTLGNT\\ImScInst.exe /SYNC"
    "IMJPMIG8.1"="\"C:\\WINDOWS\\IME\\imjp8_1\\IMJPMIG.EXE\" /Spoil /RemAdvDef /Migration32"
    "H2O"="C:\\Program Files\\SyncroSoft\\Pos\\H2O\\cledx.exe"
    "DAEMON Tools"="\"C:\\Program Files\\DAEMON Tools\\daemon.exe\" -lang 1033"
    "CTxfiHlp"="CTXFIHLP.EXE"
    "FirefaceTray"="fireface.exe"
    "FirefaceMixTray"="firefacemix.exe"
    "NVMixerTray"="\"C:\\Program Files\\NVIDIA Corporation\\NvMixer\\NVMixerTray.exe\""
    "avgnt"="\"C:\\Program Files\\AntiVir PersonalEdition Classic\\avgnt.exe\" /min"
    "Windows Defender"="\"C:\\Program Files\\Windows Defender\\MSASCui.exe\" -hide"

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\IMAIL]
    "Installed"="1"

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\MAPI]
    "Installed"="1"
    "NoChange"="1"

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\MSFS]
    "Installed"="1"

    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\Desktop\Components]
    "DeskHtmlVersion"=dword:00000110
    "DeskHtmlMinorVersion"=dword:00000005
    "Settings"=dword:00000001
    "GeneralFlags"=dword:00000000

    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\Desktop\Components\0]
    "Source"="C:\\Program Files\\Windows Media Player\\kyzerejog.html"
    "SubscribedURL"=""
    "FriendlyName"=""
    "Flags"=dword:00002000
    "Position"=hex:2c,00,00,00,64,00,00,00,64,00,00,00,58,02,00,00,c8,00,00,00,e8,\
    03,00,00,00,00,00,00,00,00,00,00,00,00,00,00,14,00,00,00,14,00,00,00
    "CurrentState"=dword:40000001
    "OriginalStateInfo"=hex:18,00,00,00,64,00,00,00,64,00,00,00,58,02,00,00,c8,00,\
    00,00,01,00,00,00
    "RestoredStateInfo"=hex:00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,\
    00,00,00,00,00,00

    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\Desktop\Components\1]
    "Source"="C:\\Program Files\\Messenger\\howyp.html"
    "SubscribedURL"=""
    "FriendlyName"=""
    "Flags"=dword:00002000
    "Position"=hex:2c,00,00,00,64,00,00,00,64,00,00,00,58,02,00,00,c8,00,00,00,ea,\
    03,00,00,00,00,00,00,00,00,00,00,00,00,00,00,14,00,00,00,14,00,00,00
    "CurrentState"=dword:40000001
    "OriginalStateInfo"=hex:18,00,00,00,64,00,00,00,64,00,00,00,58,02,00,00,c8,00,\
    00,00,01,00,00,00
    "RestoredStateInfo"=hex:00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,\
    00,00,00,00,00,00

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\shellexecutehooks]
    "{AEB6717E-7E19-11d0-97EE-00C04FD91972}"=""
    "{091EB208-39DD-417D-A5DD-7E2C2D8FB9CB}"="Microsoft AntiMalware ShellExecuteHook"

    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\explorer]
    "NoDriveTypeAutoRun"=dword:00000091

    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\explorer\Run]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system]
    "dontdisplaylastusername"=dword:00000000
    "legalnoticecaption"=""
    "legalnoticetext"=""
    "shutdownwithoutlogon"=dword:00000001
    "undockwithoutlogon"=dword:00000001

    [HKEY_USERS\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\explorer]
    "NoDriveTypeAutoRun"=dword:00000091

    [HKEY_USERS\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\explorer]
    "NoDriveTypeAutoRun"=dword:00000091

    [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad]
    "PostBootReminder"="{7849596a-48ea-486e-8937-a2a3009f31a9}"
    "CDBurn"="{fbeb8a05-beee-4442-804e-409d6c4515e9}"
    "WebCheck"="{E6FB5E20-DE35-11CF-9C87-00AA005127ED}"
    "SysTray"="{35CEC8A3-2BE6-11D2-8773-92E220524153}"
    "UPnPMonitor"="{e57ce738-33e8-4c51-8354-bb4de9d215d1}"

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSCONFIG\Startupreg]
    "key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
    "item"=""
    "hkey"="HKLM"
    "command"=""
    "inimapping"="0"


    HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders
    securityproviders REG_SZ msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll


    Contents of the 'Scheduled Tasks' folder
    C:\WINDOWS\tasks\MP Scheduled Scan.job

    Completion time: Wed 09/13/2006 1:22:31.68
    ComboFix.txt


    I would greatly appreciate any help. Thanks!
     
  2. 2006/09/13
    TeMerc

    Hello wiggz and welcome to WindowsBBS Forums.

    ComboFix is but one of many tools we use. We also use HijackThis!

    Could you please also download it, install it as instructed below, and we'll get a fix working for you ASAP.

    HijackThis v1.99.1 (zip)
    Download the zip file to your desktop, then create a new folder on your C: drive called 'HJT' or 'HijackThis'. Then unzip the files into the new folder. When you run HijackThis.exe from the C:\HJT folder and are instructed to have it "Fix checked", it will create a backup of the modifications to use if a restore is necessary, which is easily accessible.

    Run the program and press Scan. You will notice the Scan button turns into a "Save Log" button. Save the log and post that log in this topic. DO NOT DELETE or modify anything yet, as some of it is needed to keep your system in proper working order.
     

  4. 2006/09/13
    wiggz

    Here is my HJT log

    Logfile of HijackThis v1.99.1
    Scan saved at 12:29:18 PM, on 9/13/2006
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\Program Files\Logitech\iTouch\iTouch.exe
    C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
    C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
    C:\WINDOWS\SOUNDMAN.EXE
    C:\WINDOWS\system32\RunDLL32.exe
    C:\Program Files\SyncroSoft\Pos\H2O\cledx.exe
    C:\WINDOWS\system32\CTXFIHLP.EXE
    C:\WINDOWS\system32\fireface.exe
    C:\WINDOWS\system32\firefacemix.exe
    C:\Program Files\NVIDIA Corporation\NvMixer\NVMixerTray.exe
    C:\Program Files\Creative\MediaSource\Detector\CTDetect.exe
    C:\WINDOWS\system32\ctfmon.exe
    C:\Program Files\Microsoft ActiveSync\wcescomm.exe
    C:\WINDOWS\SYSTEM32\CTXFISPI.EXE
    C:\PROGRA~1\MICROS~3\rapimgr.exe
    C:\WINDOWS\system32\DRIVERS\CDANTSRV.EXE
    C:\WINDOWS\system32\CTsvcCDA.EXE
    C:\Program Files\Common Files\LightScribe\LSSrvc.exe
    C:\WINDOWS\system32\nvsvc32.exe
    C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindService.exe
    C:\WINDOWS\system32\svchost.exe
    C:\Program Files\Yahoo!\Messenger\YPager.exe
    C:\WINDOWS\explorer.exe
    C:\Program Files\AntiVir PersonalEdition Classic\avguard.exe
    C:\Program Files\AntiVir PersonalEdition Classic\avgnt.exe
    C:\Program Files\AntiVir PersonalEdition Classic\sched.exe
    C:\Program Files\Windows Defender\MsMpEng.exe
    C:\Program Files\Windows Defender\MSASCui.exe
    C:\Program Files\Microsoft Office\OFFICE11\OUTLOOK.EXE
    C:\Program Files\Mozilla Firefox\firefox.exe
    C:\Program Files\Microsoft Office\OFFICE11\WINWORD.EXE
    C:\HJT\HijackThis.exe

    O1 - Hosts: 207.7.142.44 iwalton.com
    O1 - Hosts: 207.7.142.44 www.iwalton.com
    O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
    O2 - BHO: Ipswitch.WsftpBrowserHelper - {601ED020-FB6C-11D3-87D8-0050DA59922B} - C:\Program Files\Ipswitch\WS_FTP Pro\wsbho2k0.dll
    O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
    O2 - BHO: AcroIEToolbarHelper Class - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll
    O4 - HKLM\..\Run: [zBrowser Launcher] C:\Program Files\Logitech\iTouch\iTouch.exe
    O4 - HKLM\..\Run: [ViewMgr] C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
    O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
    O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /SYNC
    O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /IMEName
    O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
    O4 - HKLM\..\Run: [NvMediaCenter] RunDLL32.exe NvMCTray.dll,NvTaskbarInit
    O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
    O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
    O4 - HKLM\..\Run: [MSPY2002] C:\WINDOWS\system32\IME\PINTLGNT\ImScInst.exe /SYNC
    O4 - HKLM\..\Run: [IMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
    O4 - HKLM\..\Run: [H2O] C:\Program Files\SyncroSoft\Pos\H2O\cledx.exe
    O4 - HKLM\..\Run: [DAEMON Tools] "C:\Program Files\DAEMON Tools\daemon.exe" -lang 1033
    O4 - HKLM\..\Run: [CTxfiHlp] CTXFIHLP.EXE
    O4 - HKLM\..\Run: [FirefaceTray] fireface.exe
    O4 - HKLM\..\Run: [FirefaceMixTray] firefacemix.exe
    O4 - HKLM\..\Run: [NVMixerTray] "C:\Program Files\NVIDIA Corporation\NvMixer\NVMixerTray.exe"
    O4 - HKLM\..\Run: [avgnt] "C:\Program Files\AntiVir PersonalEdition Classic\avgnt.exe" /min
    O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
    O4 - HKCU\..\Run: [Creative Detector] "C:\Program Files\Creative\MediaSource\Detector\CTDetect.exe" /R
    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
    O4 - HKCU\..\Run: [H/PC Connection Agent] "C:\Program Files\Microsoft ActiveSync\wcescomm.exe"
    O4 - Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
    O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
    O4 - Global Startup: Loadout Manager.lnk = C:\Program Files\Belkin\Nostromo\nost_LM.exe
    O4 - Global Startup: Perstray.lnk = ?
    O8 - Extra context menu item: Convert link target to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
    O8 - Extra context menu item: Convert link target to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
    O8 - Extra context menu item: Convert selected links to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
    O8 - Extra context menu item: Convert selected links to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
    O8 - Extra context menu item: Convert selection to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
    O8 - Extra context menu item: Convert selection to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
    O8 - Extra context menu item: Convert to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
    O8 - Extra context menu item: Convert to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
    O8 - Extra context menu item: Sothink SWF Catcher - C:\Program Files\Common Files\SourceTec\SWF Catcher\InternetExplorer.htm
    O9 - Extra button: Create Mobile Favorite - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MICROS~3\INetRepl.dll
    O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MICROS~3\INetRepl.dll
    O9 - Extra 'Tools' menuitem: Create Mobile Favorite... - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MICROS~3\INetRepl.dll
    O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
    O9 - Extra button: Sothink SWF Catcher - {E19ADC6E-3909-43E4-9A89-B7B676377EE3} - C:\Program Files\Common Files\SourceTec\SWF Catcher\InternetExplorer.htm
    O9 - Extra 'Tools' menuitem: Sothink SWF Catcher - {E19ADC6E-3909-43E4-9A89-B7B676377EE3} - C:\Program Files\Common Files\SourceTec\SWF Catcher\InternetExplorer.htm
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O15 - Trusted Zone: http://*.windowsupdate.com
    O16 - DPF: {0A5FD7C5-A45C-49FC-ADB5-9952547D5715} (Creative Software AutoUpdate) - http://www.creative.com/su/ocx/15015/CTSUEng.cab
    O16 - DPF: {F6ACF75C-C32C-447B-9BEF-46B766368D29} (Creative Software AutoUpdate Support Package) - http://www.creative.com/su/ocx/15021/CTPID.cab
    O20 - AppInit_DLLs: C:\WINDOWS\system32\msiexec.dll
    O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
    O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
    O23 - Service: AntiVir PersonalEdition Classic Scheduler (AntiVirScheduler) - Avira GmbH - C:\Program Files\AntiVir PersonalEdition Classic\sched.exe
    O23 - Service: AntiVir PersonalEdition Classic Guard (AntiVirService) - AVIRA GmbH - C:\Program Files\AntiVir PersonalEdition Classic\avguard.exe
    O23 - Service: C-DillaSrv - C-Dilla Ltd - C:\WINDOWS\system32\DRIVERS\CDANTSRV.EXE
    O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\system32\CTsvcCDA.EXE
    O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
    O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
    O23 - Service: Macromedia Licensing Service - Unknown owner - C:\Program Files\Common Files\Macromedia Shared\Service\Macromedia Licensing.exe
    O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
    O23 - Service: StarWind iSCSI Service (StarWindService) - Rocket Division Software - C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindService.exe
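
The HijackThis log above is read by hand in this thread. As an added example (not from the thread and not from the HijackThis authors), the Python below parses HJT 1.99.1 entry lines and flags the kinds of entries a helper acts on: O1 hosts-file mappings, an O20 AppInit_DLLs value (a DLL loaded into every process that loads user32.dll, here carrying the name of the Windows Installer executable, msiexec), O4 Run entries that give only a bare file name, and O23 services whose binary carries no company name. The sample lines are copied from the posted log with one benign O2 line as a control; the look-alike name list and the heuristics are this example's own assumptions, and a hit means "review this", not "this is malicious".

```python
"""Triage a HijackThis 1.99.1 log for the entry types acted on in this thread.

Added example, not part of the thread.  Sample lines below are copied from the
posted log (plus one benign O2 line as a control); the heuristics and the
look-alike name list are assumptions of this example.
"""
import re
from dataclasses import dataclass

# Windows executable names that look-alike DLLs borrow (assumed, illustrative list).
SYSTEM_EXE_NAMES = {"msiexec", "svchost", "lsass", "winlogon", "services", "explorer"}

HJT_LINE = re.compile(r"^(O\d+) - (.*)$")
RUN_LINE = re.compile(r"^HK(?:LM|CU)\\\.\.\\Run: \[[^\]]*\] (.+)$")


@dataclass
class Finding:
    section: str
    reason: str
    line: str


def parse_hjt(text):
    """Yield (section, body) for every 'Onn - ...' entry line in an HJT log."""
    for raw in text.splitlines():
        m = HJT_LINE.match(raw.strip())
        if m:
            yield m.group(1), m.group(2)


def run_target(command):
    """Return the program a Run-key command line starts (quoted path or first token)."""
    command = command.strip()
    if command.startswith('"'):
        return command[1:].split('"', 1)[0]
    return command.split(None, 1)[0]


def triage(text):
    """Apply the review criteria to an HJT log; returns Findings in log order."""
    findings = []
    for section, body in parse_hjt(text):
        if section == "O1":
            # HJT lists only non-default hosts entries: each one overrides DNS.
            findings.append(Finding(section, "hosts file overrides DNS for this name", body))
        elif section == "O20" and body.startswith("AppInit_DLLs:"):
            dll = body.split(":", 1)[1].strip()
            base = dll.rsplit("\\", 1)[-1].lower()
            reason = "AppInit_DLLs injects this DLL into every process that loads user32.dll"
            if base.endswith(".dll") and base[:-4] in SYSTEM_EXE_NAMES:
                reason += "; file name mimics a Windows executable"
            findings.append(Finding(section, reason, body))
        elif section == "O4":
            m = RUN_LINE.match(body)
            # A bare name is resolved through the search path, so it can be shadowed.
            if m and "\\" not in run_target(m.group(1)):
                findings.append(Finding(section, "Run entry names a program without a path", body))
        elif section == "O23" and "Unknown owner" in body:
            findings.append(Finding(section, "service binary carries no company name", body))
    return findings


# Constructed sample: lines taken from the log posted above, plus a benign O2 control.
SAMPLE_LOG = r"""
O1 - Hosts: 207.7.142.44 iwalton.com
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O20 - AppInit_DLLs: C:\WINDOWS\system32\msiexec.dll
O23 - Service: Macromedia Licensing Service - Unknown owner - C:\Program Files\Common Files\Macromedia Shared\Service\Macromedia Licensing.exe
"""

if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"{f.section:4} {f.reason}\n     {f.line}")
```

Run against the full posted log it will also flag the legitimate bare-name entries (SOUNDMAN.EXE, fireface.exe, CTXFIHLP.EXE); that is the point of a triage list: it narrows what a person checks against the running-process list and the file's location, it does not decide for them.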
     
  5. 2006/09/13
    TeMerc

    OK, looks like we've got a couple of remnants and registry keys to delete.

    I would recommend that you remove any Enigma Software on your machine. Although the company seems to have cleaned up its act some, I am not one to trust quickly. But the decision is entirely up to you.
    Rogue/suspect Anti-Spyware Applications

    1) Please download the Killbox.
    Save it to the desktop and run it.

    2) Select "Delete on Reboot", and then select "All files".

    3) Copy the file names below to the clipboard by highlighting them and pressing Control-C:
    C:\Program Files\Common Files\fkrz
    C:\WINDOWS\xtffr.dll
    C:\WINDOWS\system32\msiexec.dll


    4) Return to Killbox, go to the File menu, and choose "Paste from Clipboard".

    5) Click the red-and-white "Delete File" button. Click "Yes" at the Delete on Reboot prompt. Click "No" at the Pending Operations prompt.

    Reboot and run ComboFix first, then HJT and post both logs back into this thread.
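
Killbox's "Delete on Reboot" option relies on a Windows mechanism worth knowing whenever a file cannot be deleted while the system is up: MoveFileEx called with MOVEFILE_DELAY_UNTIL_REBOOT queues the operation in the REG_MULTI_SZ value PendingFileRenameOperations under HKLM\SYSTEM\CurrentControlSet\Control\Session Manager, and the Session Manager carries the queue out early in the next boot, before the file's owner can load it. The Python below is an added example, not Killbox's own code: it schedules a delete that way (Windows only, administrator rights required because the queue lives under HKLM) and decodes the pending-operations list so a path can be confirmed as queued before rebooting. The queue shown is constructed: the first two paths are the files from the instructions above, the replace operation is made up to show the "!" form.

```python
"""Delete-on-reboot the way Killbox does it: MoveFileExW(..., MOVEFILE_DELAY_UNTIL_REBOOT).

Added example, not Killbox's code.  The scheduling half is Windows-only; the
decoder of PendingFileRenameOperations is plain Python and runs anywhere.
"""
import ctypes
import sys

MOVEFILE_DELAY_UNTIL_REBOOT = 0x0004
SESSION_MANAGER_KEY = r"SYSTEM\CurrentControlSet\Control\Session Manager"
PENDING_VALUE = "PendingFileRenameOperations"
NT_PREFIX = "\\??\\"  # the queue stores NT object-manager paths, e.g. \??\C:\x


def schedule_delete_on_reboot(path):
    """Queue `path` for deletion at the next boot.  Needs administrator rights
    because the queue lives under HKLM; raises OSError on failure."""
    if sys.platform != "win32":
        raise OSError("MoveFileEx delay-until-reboot exists only on Windows")
    kernel32 = ctypes.WinDLL("kernel32", use_last_error=True)
    kernel32.MoveFileExW.argtypes = [ctypes.c_wchar_p, ctypes.c_wchar_p, ctypes.c_uint32]
    kernel32.MoveFileExW.restype = ctypes.c_int
    # A NULL new name together with the delay flag means "delete", not "rename".
    if not kernel32.MoveFileExW(path, None, MOVEFILE_DELAY_UNTIL_REBOOT):
        raise ctypes.WinError(ctypes.get_last_error())


def strip_nt_prefix(p):
    """Turn an NT path (\\??\\C:\\x) back into a Win32 path (C:\\x)."""
    return p[len(NT_PREFIX):] if p.startswith(NT_PREFIX) else p


def parse_pending_operations(entries):
    """Decode the REG_MULTI_SZ list into (source, destination) pairs.

    Entries come in pairs.  An empty destination means delete; a destination
    starting with '!' means replace an existing file.  Deletes are returned
    with destination None."""
    ops = []
    for src, dst in zip(entries[0::2], entries[1::2]):
        if dst == "":
            ops.append((strip_nt_prefix(src), None))
        else:
            ops.append((strip_nt_prefix(src), strip_nt_prefix(dst.lstrip("!"))))
    return ops


def is_queued_for_deletion(path, entries):
    """True if `path` (compared case-insensitively, as NTFS does) has a pending delete."""
    wanted = path.lower()
    return any(src.lower() == wanted and dst is None
               for src, dst in parse_pending_operations(entries))


def read_pending_operations():
    """Read the live queue (Windows only); empty list if nothing is pending."""
    import winreg
    try:
        with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, SESSION_MANAGER_KEY) as key:
            value, _kind = winreg.QueryValueEx(key, PENDING_VALUE)
    except FileNotFoundError:
        return []
    return parse_pending_operations(value)


# Constructed queue: the two files from the Killbox list above, plus a made-up
# replace operation to show the '!' form.
SAMPLE_QUEUE = [
    NT_PREFIX + r"C:\WINDOWS\xtffr.dll", "",
    NT_PREFIX + r"C:\WINDOWS\system32\msiexec.dll", "",
    NT_PREFIX + r"C:\tmp\clean.dll", "!" + NT_PREFIX + r"C:\WINDOWS\system32\old.dll",
]

if __name__ == "__main__":
    ops = read_pending_operations() if sys.platform == "win32" else parse_pending_operations(SAMPLE_QUEUE)
    for src, dst in ops:
        print(f"DELETE  {src}" if dst is None else f"REPLACE {dst} <- {src}")
```

Two caveats that the "post both logs back" step above is there to catch: the MoveFileEx documentation states that a directory queued this way is only removed at restart if it is empty, so a folder such as C:\Program Files\Common Files\fkrz goes only once its contents are gone; and deleting a file does not touch the registry value that loads it (the AppInit_DLLs entry for msiexec.dll stays until it is fixed separately), so if whatever dropped the file is still active it can simply be re-created. A fresh ComboFix and HJT log after the reboot is the real check, not the absence of an error from Killbox.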
     
  6. 2006/09/13
    wiggz

    Latest scans

    OK, I have removed SpyHunter & also removed ScanSpyware. Then I ran Killbox to delete the three files you listed. Here are my logs:

    ComboFix:

    Earganic - 06-09-13 1:21:02.60
    ComboFix 06.09.11B - Running from: C:\Documents and Settings\Earganic\Desktop

    Microsoft Windows XP [Version 5.1.2600]

    (((((((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))


    C:\Documents and Settings\NetworkService\Application Data\NetMon

    ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ Purity ~ ~ ~ ~ ~ ~ ~ ~~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~

    Folders Quarantined:

    C:\QooBox\Purity\Documents and Settings\Earganic\Application Data\MANTEC~1
    C:\QooBox\Purity\Documents and Settings\Earganic\My Documents\SMANTE~1
    C:\QooBox\Purity\WINDOWS\MANTEC~1
    C:\QooBox\Purity\WINDOWS\SSTEM~1


    ((((((((((((((((((((((((((((((( Files Created from 2006-08-13 to 2006-09-13 ))))))))))))))))))))))))))))))))))


    2006-09-13 00:25 57,384 --a------ C:\WINDOWS\system32\avsda.dll
    2006-08-26 05:58 176,128 --a------ C:\WINDOWS\system32\nvuaudio.exe
    2006-08-26 04:59 36,864 --------- C:\WINDOWS\system32\wbsys.dll
    2006-08-26 04:59 20,480 --a------ C:\WINDOWS\system32\wbload.dll
    2006-08-26 02:21 1,224,704 --a------ C:\WINDOWS\system32\multimedia.dll
    2006-08-21 14:42 299,520 --a------ C:\WINDOWS\uninst.exe
    2006-08-17 01:01 19,456 --a------ C:\WINDOWS\system32\asapi.dll
    2006-08-17 01:00 1,052,672 --a------ C:\WINDOWS\system32\CDDBControl.dll


    (((((((((((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))))


    2006-09-13 01:11 -------- d-------- C:\Program Files\Windows Media Player
    2006-09-13 00:53 -------- d-------- C:\Program Files\Windows Defender
    2006-09-13 00:39 -------- d-------- C:\Program Files\Mozilla Firefox
    2006-09-13 00:25 -------- d-------- C:\Program Files\AntiVir PersonalEdition Classic
    2006-09-12 23:44 -------- d-------- C:\Program Files\Lavasoft
    2006-09-12 23:44 -------- d-------- C:\Documents and Settings\Earganic\Application Data\Lavasoft
    2006-09-12 23:36 -------- d-------- C:\Program Files\eMule
    2006-09-12 01:19 -------- d-------- C:\Program Files\Common Files
    2006-09-11 19:39 -------- d-------- C:\Program Files\GameSpy Arcade
    2006-09-11 14:41 -------- d-------- C:\Program Files\Messenger
    2006-09-11 14:05 -------- d-------- C:\Program Files\Spyware Doctor
    2006-08-30 22:25 -------- d-------- C:\Program Files\mIRC
    2006-08-30 21:53 -------- d-------- C:\Program Files\ewido anti-spyware 4.0
    2006-08-30 21:42 -------- d--h----- C:\Program Files\InstallShield Installation Information
    2006-08-30 21:39 -------- d-------- C:\Program Files\ASUS
    2006-08-30 21:38 -------- d-------- C:\Program Files\Common Files\Symantec Shared
    2006-08-30 21:20 -------- d-------- C:\Documents and Settings\Earganic\Application Data\PC Tools
    2006-08-30 21:16 -------- d-------- C:\Program Files\Garritan Jazz Big Band
    2006-08-30 12:36 -------- d-------- C:\Documents and Settings\Earganic\Application Data\Canon
    2006-08-27 02:10 -------- d-------- C:\Program Files\Common Files\fkrz
    2006-08-26 05:58 -------- d-------- C:\Program Files\NVIDIA Corporation
    2006-08-26 05:58 -------- d-------- C:\Program Files\Common Files\NVIDIA Shared
    2006-08-26 04:59 -------- d-------- C:\Program Files\Stardock
    2006-08-26 04:13 -------- d-------- C:\Program Files\Waves
    2006-08-26 04:13 -------- d-------- C:\Documents and Settings\Earganic\Application Data\Waves Audio
    2006-08-26 02:01 -------- d-------- C:\Program Files\Microsoft ActiveSync
    2006-08-23 21:47 -------- d-------- C:\Program Files\TCWorks
    2006-08-20 18:40 -------- d-------- C:\Program Files\East West
    2006-08-20 17:44 -------- d-------- C:\Program Files\Monkey's Audio
    2006-08-17 01:01 -------- d-------- C:\Program Files\VOB
    2006-08-17 01:00 -------- d-------- C:\Program Files\Steinberg
    2006-08-14 03:00 -------- d-------- C:\Program Files\Internet Explorer
    2006-08-10 16:49 -------- d-------- C:\Program Files\FriendBot
    2006-08-05 23:30 -------- d-------- C:\Program Files\Muon Software Ltd
    2006-07-28 19:43 -------- d---s---- C:\Documents and Settings\Earganic\Application Data\Microsoft
    2006-07-28 19:36 2508 --a------ C:\Documents and Settings\Earganic\Application Data\$_hpcst$.hpc
    2006-07-28 19:31 -------- d-------- C:\Program Files\Common Files\Microsoft Shared
    2006-07-27 06:24 679424 --a------ C:\WINDOWS\system32\inetcomm.dll
    2006-07-25 23:06 -------- d-------- C:\Program Files\àdobe
    2006-07-25 18:43 -------- d-------- C:\Program Files\Adware Away
    2006-07-25 15:45 -------- d-------- C:\Program Files\Enigma Software Group
    2006-07-24 18:18 -------- d-------- C:\Program Files\CCleaner
    2006-07-24 17:49 -------- d-------- C:\Program Files\Tweak-XP Pro 4
    2006-07-24 17:49 -------- d-------- C:\Program Files\PerSono
    2006-07-24 17:49 -------- d-------- C:\Program Files\MicModDX
    2006-07-24 17:49 -------- d-------- C:\Program Files\LimeWire
    2006-07-24 17:15 -------- d-------- C:\Program Files\Windows NT
    2006-07-23 13:55 -------- d-------- C:\Program Files\DAEMON Tools
    2006-07-23 02:52 289 --a------ C:\WINDOWS\xtffr.dll
    2006-07-21 01:24 72704 --a------ C:\WINDOWS\system32\hlink.dll
    2006-07-15 03:39 -------- d-------- C:\Program Files\Logitech
    2006-07-15 03:39 -------- d-------- C:\Program Files\Common Files\Logitech
    2006-06-26 16:13 129832 --a------ C:\WINDOWS\system32\rapi.dll
    2006-06-26 16:12 20264 --a------ C:\WINDOWS\system32\ceutil.dll


    (((((((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))

    *Note* empty entries are not shown

    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "Creative Detector"="\"C:\\Program Files\\Creative\\MediaSource\\Detector\\CTDetect.exe\" /R"
    "ctfmon.exe"="C:\\WINDOWS\\system32\\ctfmon.exe"
    "H/PC Connection Agent"="\"C:\\Program Files\\Microsoft ActiveSync\\wcescomm.exe\""

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "zBrowser Launcher"="C:\\Program Files\\Logitech\\iTouch\\iTouch.exe"
    "ViewMgr"="C:\\Program Files\\Viewpoint\\Viewpoint Manager\\ViewMgr.exe"
    "SunJavaUpdateSched"="C:\\Program Files\\Java\\jre1.5.0_06\\bin\\jusched.exe"
    "SoundMan"="SOUNDMAN.EXE"
    "QuickTime Task"="\"C:\\Program Files\\QuickTime\\qttask.exe\" -atboottime"
    "PHIME2002ASync"="C:\\WINDOWS\\system32\\IME\\TINTLGNT\\TINTSETP.EXE /SYNC"
    "PHIME2002A"="C:\\WINDOWS\\system32\\IME\\TINTLGNT\\TINTSETP.EXE /IMEName"
    "nwiz"="nwiz.exe /install"
    "NvMediaCenter"="RunDLL32.exe NvMCTray.dll,NvTaskbarInit"
    "NvCplDaemon"="RUNDLL32.EXE C:\\WINDOWS\\system32\\NvCpl.dll,NvStartup"
    "NeroFilterCheck"="C:\\WINDOWS\\system32\\NeroCheck.exe"
    "MSPY2002"="C:\\WINDOWS\\system32\\IME\\PINTLGNT\\ImScInst.exe /SYNC"
    "IMJPMIG8.1"="\"C:\\WINDOWS\\IME\\imjp8_1\\IMJPMIG.EXE\" /Spoil /RemAdvDef /Migration32"
    "H2O"="C:\\Program Files\\SyncroSoft\\Pos\\H2O\\cledx.exe"
    "DAEMON Tools"="\"C:\\Program Files\\DAEMON Tools\\daemon.exe\" -lang 1033"
    "CTxfiHlp"="CTXFIHLP.EXE"
    "FirefaceTray"="fireface.exe"
    "FirefaceMixTray"="firefacemix.exe"
    "NVMixerTray"="\"C:\\Program Files\\NVIDIA Corporation\\NvMixer\\NVMixerTray.exe\""
    "avgnt"="\"C:\\Program Files\\AntiVir PersonalEdition Classic\\avgnt.exe\" /min"
    "Windows Defender"="\"C:\\Program Files\\Windows Defender\\MSASCui.exe\" -hide"

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\IMAIL]
    "Installed"="1"

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\MAPI]
    "Installed"="1"
    "NoChange"="1"

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\MSFS]
    "Installed"="1"

    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\Desktop\Components]
    "DeskHtmlVersion"=dword:00000110
    "DeskHtmlMinorVersion"=dword:00000005
    "Settings"=dword:00000001
    "GeneralFlags"=dword:00000000

    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\Desktop\Components\0]
    "Source"="C:\\Program Files\\Windows Media Player\\kyzerejog.html"
    "SubscribedURL"=""
    "FriendlyName"=""
    "Flags"=dword:00002000
    "Position"=hex:2c,00,00,00,64,00,00,00,64,00,00,00,58,02,00,00,c8,00,00,00,e8,\
    03,00,00,00,00,00,00,00,00,00,00,00,00,00,00,14,00,00,00,14,00,00,00
    "CurrentState"=dword:40000001
    "OriginalStateInfo"=hex:18,00,00,00,64,00,00,00,64,00,00,00,58,02,00,00,c8,00,\
    00,00,01,00,00,00
    "RestoredStateInfo"=hex:00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,\
    00,00,00,00,00,00

    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\Desktop\Components\1]
    "Source"="C:\\Program Files\\Messenger\\howyp.html"
    "SubscribedURL"=""
    "FriendlyName"=""
    "Flags"=dword:00002000
    "Position"=hex:2c,00,00,00,64,00,00,00,64,00,00,00,58,02,00,00,c8,00,00,00,ea,\
    03,00,00,00,00,00,00,00,00,00,00,00,00,00,00,14,00,00,00,14,00,00,00
    "CurrentState"=dword:40000001
    "OriginalStateInfo"=hex:18,00,00,00,64,00,00,00,64,00,00,00,58,02,00,00,c8,00,\
    00,00,01,00,00,00
    "RestoredStateInfo"=hex:00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,\
    00,00,00,00,00,00

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\shellexecutehooks]
    "{AEB6717E-7E19-11d0-97EE-00C04FD91972}"=""
    "{091EB208-39DD-417D-A5DD-7E2C2D8FB9CB}"="Microsoft AntiMalware ShellExecuteHook"

    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\explorer]
    "NoDriveTypeAutoRun "=dword:00000091

    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\explorer\Run]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system]
    "dontdisplaylastusername "=dword:00000000
    "legalnoticecaption "=" "
    "legalnoticetext "=" "
    "shutdownwithoutlogon "=dword:00000001
    "undockwithoutlogon "=dword:00000001

    [HKEY_USERS\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\explorer]
    "NoDriveTypeAutoRun "=dword:00000091

    [HKEY_USERS\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\explorer]
    "NoDriveTypeAutoRun "=dword:00000091

    [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad]
    "PostBootReminder "= "{7849596a-48ea-486e-8937-a2a3009f31a9} "
    "CDBurn "= "{fbeb8a05-beee-4442-804e-409d6c4515e9} "
    "WebCheck "= "{E6FB5E20-DE35-11CF-9C87-00AA005127ED} "
    "SysTray "= "{35CEC8A3-2BE6-11D2-8773-92E220524153} "
    "UPnPMonitor "= "{e57ce738-33e8-4c51-8354-bb4de9d215d1} "

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSCONFIG\Startupreg]
    "key "= "SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run "
    "item "=" "
    "hkey "= "HKLM "
    "command "=" "
    "inimapping "= "0 "


    HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders
    securityproviders REG_SZ msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll


    Contents of the 'Scheduled Tasks' folder
    C:\WINDOWS\tasks\MP Scheduled Scan.job

    Completion time: Wed 09/13/2006 1:22:31.68
    ComboFix.txt

    HiJackThis Log:

    Logfile of HijackThis v1.99.1
    Scan saved at 5:03:00 PM, on 9/13/2006
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\Program Files\Windows Defender\MsMpEng.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\Explorer.EXE
    C:\Program Files\Logitech\iTouch\iTouch.exe
    C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
    C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
    C:\WINDOWS\SOUNDMAN.EXE
    C:\WINDOWS\system32\RunDLL32.exe
    C:\Program Files\SyncroSoft\Pos\H2O\cledx.exe
    C:\WINDOWS\system32\CTXFIHLP.EXE
    C:\WINDOWS\system32\fireface.exe
    C:\WINDOWS\system32\firefacemix.exe
    C:\Program Files\NVIDIA Corporation\NvMixer\NVMixerTray.exe
    C:\Program Files\Windows Defender\MSASCui.exe
    C:\Program Files\Creative\MediaSource\Detector\CTDetect.exe
    C:\WINDOWS\system32\ctfmon.exe
    C:\Program Files\Microsoft ActiveSync\wcescomm.exe
    C:\WINDOWS\SYSTEM32\CTXFISPI.EXE
    C:\Program Files\Belkin\Nostromo\nost_LM.exe
    C:\Program Files\PerSono\perstray.exe
    C:\PROGRA~1\MICROS~3\rapimgr.exe
    C:\WINDOWS\system32\DRIVERS\CDANTSRV.EXE
    C:\WINDOWS\system32\CTsvcCDA.EXE
    C:\Program Files\Common Files\LightScribe\LSSrvc.exe
    C:\WINDOWS\system32\nvsvc32.exe
    C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindService.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\system32\wuauclt.exe
    C:\WINDOWS\system32\NOTEPAD.EXE
    C:\HJT\HijackThis.exe

    O1 - Hosts: 207.7.142.44 iwalton.com
    O1 - Hosts: 207.7.142.44 www.iwalton.com
    O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
    O2 - BHO: Ipswitch.WsftpBrowserHelper - {601ED020-FB6C-11D3-87D8-0050DA59922B} - C:\Program Files\Ipswitch\WS_FTP Pro\wsbho2k0.dll
    O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
    O2 - BHO: AcroIEToolbarHelper Class - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll
    O4 - HKLM\..\Run: [zBrowser Launcher] C:\Program Files\Logitech\iTouch\iTouch.exe
    O4 - HKLM\..\Run: [ViewMgr] C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
    O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
    O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /SYNC
    O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /IMEName
    O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
    O4 - HKLM\..\Run: [NvMediaCenter] RunDLL32.exe NvMCTray.dll,NvTaskbarInit
    O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
    O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
    O4 - HKLM\..\Run: [MSPY2002] C:\WINDOWS\system32\IME\PINTLGNT\ImScInst.exe /SYNC
    O4 - HKLM\..\Run: [IMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
    O4 - HKLM\..\Run: [H2O] C:\Program Files\SyncroSoft\Pos\H2O\cledx.exe
    O4 - HKLM\..\Run: [DAEMON Tools] "C:\Program Files\DAEMON Tools\daemon.exe" -lang 1033
    O4 - HKLM\..\Run: [CTxfiHlp] CTXFIHLP.EXE
    O4 - HKLM\..\Run: [FirefaceTray] fireface.exe
    O4 - HKLM\..\Run: [FirefaceMixTray] firefacemix.exe
    O4 - HKLM\..\Run: [NVMixerTray] "C:\Program Files\NVIDIA Corporation\NvMixer\NVMixerTray.exe "
    O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
    O4 - HKCU\..\Run: [Creative Detector] "C:\Program Files\Creative\MediaSource\Detector\CTDetect.exe" /R
    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
    O4 - HKCU\..\Run: [H/PC Connection Agent] "C:\Program Files\Microsoft ActiveSync\wcescomm.exe "
    O4 - Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
    O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
    O4 - Global Startup: Loadout Manager.lnk = C:\Program Files\Belkin\Nostromo\nost_LM.exe
    O4 - Global Startup: Perstray.lnk = ?
    O8 - Extra context menu item: Convert link target to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
    O8 - Extra context menu item: Convert link target to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
    O8 - Extra context menu item: Convert selected links to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
    O8 - Extra context menu item: Convert selected links to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
    O8 - Extra context menu item: Convert selection to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
    O8 - Extra context menu item: Convert selection to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
    O8 - Extra context menu item: Convert to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
    O8 - Extra context menu item: Convert to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
    O8 - Extra context menu item: Sothink SWF Catcher - C:\Program Files\Common Files\SourceTec\SWF Catcher\InternetExplorer.htm
    O9 - Extra button: Create Mobile Favorite - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MICROS~3\INetRepl.dll
    O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MICROS~3\INetRepl.dll
    O9 - Extra 'Tools' menuitem: Create Mobile Favorite... - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MICROS~3\INetRepl.dll
    O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
    O9 - Extra button: Sothink SWF Catcher - {E19ADC6E-3909-43E4-9A89-B7B676377EE3} - C:\Program Files\Common Files\SourceTec\SWF Catcher\InternetExplorer.htm
    O9 - Extra 'Tools' menuitem: Sothink SWF Catcher - {E19ADC6E-3909-43E4-9A89-B7B676377EE3} - C:\Program Files\Common Files\SourceTec\SWF Catcher\InternetExplorer.htm
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O15 - Trusted Zone: http://*.windowsupdate.com
    O16 - DPF: {0A5FD7C5-A45C-49FC-ADB5-9952547D5715} (Creative Software AutoUpdate) - http://www.creative.com/su/ocx/15015/CTSUEng.cab
    O16 - DPF: {F6ACF75C-C32C-447B-9BEF-46B766368D29} (Creative Software AutoUpdate Support Package) - http://www.creative.com/su/ocx/15021/CTPID.cab
    O20 - AppInit_DLLs: C:\WINDOWS\system32\msiexec.dll
    O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
    O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
    O23 - Service: C-DillaSrv - C-Dilla Ltd - C:\WINDOWS\system32\DRIVERS\CDANTSRV.EXE
    O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\system32\CTsvcCDA.EXE
    O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
    O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
    O23 - Service: Macromedia Licensing Service - Unknown owner - C:\Program Files\Common Files\Macromedia Shared\Service\Macromedia Licensing.exe
    O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
    O23 - Service: StarWind iSCSI Service (StarWindService) - Rocket Division Software - C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindService.exe
     
  7. 2006/09/13
    wiggz

    wiggz Inactive Thread Starter

    Joined:
    2006/09/13
    Messages:
    6
    Likes Received:
    0
    couple other things

    I just ran Ad-Aware SE and it found this: Diaremover. When I ran it yesterday it also found this same thing and I removed it... but it's back. Just thought I would note that in case it helps you diagnose my problem.

    Also, not sure if this will make sense, but for a while now when I click and drag on my desktop the little lasso selection box that shows freezes on my screen and doesn't go away unless I drag a window over it. This seemed to start happening when I got that other spyware/virus. It's still happening. Any ideas on that?

    Thanks a million for your help thus far!!!!
     
  8. 2006/09/13
    TeMerc

    TeMerc Inactive Alumni

    Joined:
    2006/05/13
    Messages:
    3,226
    Likes Received:
    4
    OK, Killbox didn't get them in normal mode, please run KB in safe mode using the same files.

    Let's get those two reg keys as well.

    But let's first back up your registry.

    Click the 'Start' button, select 'Run', hit 'Enter'.

    When box appears, type 'regedit', hit 'Enter'.

    Navigate to the following key, by unticking the '+' next to each subkey:
    HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\Desktop\Components\0

    In the right hand side of the window, look for:
    Source

    Right-click it, and select 'Modify'. When the box opens, delete 'kyzerejog.html'.

    Do the same with this key:
    HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\Desktop\Components\1

    And look for:
    howyp.html

    And delete it.
    Reboot, run Combofix, then HJT and place logs here.

    Update Ad-Aware, there have been several false positives and an update was pushed out this morning.
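As an added triage example (not TeMerc's, ComboFix's or HijackThis's own code): the 'Reg Loading Points' section of a ComboFix log can be parsed to confirm that the two Active Desktop 'Source' values really are empty after the registry edit above, instead of eyeballing the dump. The parser is written against the line format exactly as it appears in the logs in this thread (including the stray spaces around quotes), the sample text below is excerpted from those logs, and the function names are my own.

```python
"""Check Active Desktop component 'Source' values in a ComboFix log.

Rogue-antispyware infections of this era drop an HTML file (here
kyzerejog.html and howyp.html) and register it as an Active Desktop
component under HKCU\\...\\Internet Explorer\\Desktop\\Components\\N, which
is why the desktop keeps flashing.  Clearing the 'Source' value is the
cleanup step; this script verifies it from the before/after ComboFix logs.
"""
import re
from typing import Dict, List, Optional

# [HKEY_...] section header lines.
_KEY_RE = re.compile(r'^\[(?P<key>[^\]]+)\]\s*$')
# "Name "= "value " lines, tolerating the stray spaces forum extraction
# added around the quotes (a clean .reg export matches too).
_VALUE_RE = re.compile(r'^"(?P<name>[^"]*?)\s*"\s*=\s*(?P<raw>.*)$')
# Only the per-component keys, capturing the component index N.
_COMPONENT_RE = re.compile(
    r'^HKEY_CURRENT_USER\\SOFTWARE\\Microsoft\\Internet Explorer'
    r'\\Desktop\\Components\\(\d+)$', re.IGNORECASE)


def _unquote(raw: str) -> str:
    """Turn a .reg string value back into a plain Windows path ('' if empty)."""
    raw = raw.strip()
    if raw.startswith(('dword:', 'hex:')):
        return raw                      # binary values are kept verbatim
    raw = raw.strip('"').strip()        # drop the outer quotes and padding
    return raw.replace('\\\\', '\\').replace('\\"', '"')


def desktop_component_sources(log_text: str) -> Dict[int, str]:
    """Return {component index: Source value} for every Desktop\\Components\\N key."""
    sources: Dict[int, str] = {}
    current: Optional[int] = None       # index of the component key being read
    for line in log_text.splitlines():
        line = line.strip()
        key_m = _KEY_RE.match(line)
        if key_m:
            comp = _COMPONENT_RE.match(key_m.group('key'))
            current = int(comp.group(1)) if comp else None
            continue
        if current is None:
            continue                    # value belongs to some other key
        val_m = _VALUE_RE.match(line)
        if val_m and val_m.group('name').strip().lower() == 'source':
            sources[current] = _unquote(val_m.group('raw'))
    return sources


def suspicious_components(sources: Dict[int, str]) -> Dict[int, str]:
    """Flag components whose Source is a local file rather than empty or a URL."""
    return {idx: src for idx, src in sources.items()
            if src and not src.lower().startswith(('http://', 'https://'))}


def cleared_components(before_log: str, after_log: str) -> List[int]:
    """Indices that pointed at a local file before and are empty after cleanup."""
    before = suspicious_components(desktop_component_sources(before_log))
    after = desktop_component_sources(after_log)
    return sorted(idx for idx in before if after.get(idx, '') == '')


# Constructed samples, excerpted from the two ComboFix logs in this thread.
BEFORE_SAMPLE = r"""
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe "= "C:\\WINDOWS\\system32\\ctfmon.exe "

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\Desktop\Components\0]
"Source "= "C:\\Program Files\\Windows Media Player\\kyzerejog.html "
"SubscribedURL "=" "
"Flags "=dword:00002000

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\Desktop\Components\1]
"Source "= "C:\\Program Files\\Messenger\\howyp.html "
"SubscribedURL "=" "
"""

AFTER_SAMPLE = r"""
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\Desktop\Components\0]
"Source "=" "
"SubscribedURL "=" "

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\Desktop\Components\1]
"Source "=" "
"""

if __name__ == '__main__':
    print('before:', suspicious_components(desktop_component_sources(BEFORE_SAMPLE)))
    print('after: ', suspicious_components(desktop_component_sources(AFTER_SAMPLE)))
    print('cleared:', cleared_components(BEFORE_SAMPLE, AFTER_SAMPLE))
```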
     
  9. 2006/09/13
    wiggz

    wiggz Inactive Thread Starter

    Joined:
    2006/09/13
    Messages:
    6
    Likes Received:
    0
    latest

    Ok.. I first backed up my registry then went in and deleted those two registry values. Then I rebooted into safe mode and tried to use Killbox to delete those files. I rebooted again in safe mode and they were still there. Killbox confuses me because when I selected all three of the files you listed and copied them and then went to Killbox, File > Paste from clipboard... only one of the entries showed up. I did have the "All Files" box checked also. I just decided to go in manually and delete them. I believe they are gone. I rebooted back into regular mode and ran ComboFix and HJT. Here are the logs:

    ComboFix

    Earganic - 06-09-13 18:05:59.67
    ComboFix 06.09.11B - Running from: C:\Documents and Settings\Earganic\Desktop

    Microsoft Windows XP [Version 5.1.2600]

    (((((((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))



    ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ Purity ~ ~ ~ ~ ~ ~ ~ ~~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~

    Folders Quarantined:

    C:\QooBox\Purity\Documents and Settings\Earganic\Application Data\MANTEC~1
    C:\QooBox\Purity\Documents and Settings\Earganic\My Documents\SMANTE~1
    C:\QooBox\Purity\WINDOWS\MANTEC~1
    C:\QooBox\Purity\WINDOWS\SSTEM~1


    ((((((((((((((((((((((((((((((( Files Created from 2006-08-13 to 2006-09-13 ))))))))))))))))))))))))))))))))))


    2006-08-26 05:58 176,128 --a------ C:\WINDOWS\system32\nvuaudio.exe
    2006-08-26 04:59 36,864 --------- C:\WINDOWS\system32\wbsys.dll
    2006-08-26 04:59 20,480 --a------ C:\WINDOWS\system32\wbload.dll
    2006-08-26 02:21 1,224,704 --a------ C:\WINDOWS\system32\multimedia.dll
    2006-08-21 14:42 299,520 --a------ C:\WINDOWS\uninst.exe
    2006-08-17 01:01 19,456 --a------ C:\WINDOWS\system32\asapi.dll
    2006-08-17 01:00 1,052,672 --a------ C:\WINDOWS\system32\CDDBControl.dll


    (((((((((((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))))


    2006-09-13 18:03 -------- d-------- C:\Program Files\Mozilla Firefox
    2006-09-13 17:50 -------- d-------- C:\Program Files\Common Files
    2006-09-13 16:54 -------- d-------- C:\Program Files\ScanSpyware v3.8.0.1
    2006-09-13 15:02 -------- d-------- C:\Program Files\eMule
    2006-09-13 14:38 96256 --a------ C:\WINDOWS\system32\drivers\sptd1341.sys
    2006-09-13 01:11 -------- d-------- C:\Program Files\Windows Media Player
    2006-09-13 00:53 -------- d-------- C:\Program Files\Windows Defender
    2006-09-12 23:44 -------- d-------- C:\Program Files\Lavasoft
    2006-09-12 23:44 -------- d-------- C:\Documents and Settings\Earganic\Application Data\Lavasoft
    2006-09-11 19:39 -------- d-------- C:\Program Files\GameSpy Arcade
    2006-09-11 14:41 -------- d-------- C:\Program Files\Messenger
    2006-09-11 14:05 -------- d-------- C:\Program Files\Spyware Doctor
    2006-08-30 22:25 -------- d-------- C:\Program Files\mIRC
    2006-08-30 21:53 -------- d-------- C:\Program Files\ewido anti-spyware 4.0
    2006-08-30 21:42 -------- d--h----- C:\Program Files\InstallShield Installation Information
    2006-08-30 21:39 -------- d-------- C:\Program Files\ASUS
    2006-08-30 21:38 -------- d-------- C:\Program Files\Common Files\Symantec Shared
    2006-08-30 21:20 -------- d-------- C:\Documents and Settings\Earganic\Application Data\PC Tools
    2006-08-30 21:16 -------- d-------- C:\Program Files\Garritan Jazz Big Band
    2006-08-30 12:36 -------- d-------- C:\Documents and Settings\Earganic\Application Data\Canon
    2006-08-26 05:58 -------- d-------- C:\Program Files\NVIDIA Corporation
    2006-08-26 05:58 -------- d-------- C:\Program Files\Common Files\NVIDIA Shared
    2006-08-26 04:59 -------- d-------- C:\Program Files\Stardock
    2006-08-26 04:13 -------- d-------- C:\Program Files\Waves
    2006-08-26 04:13 -------- d-------- C:\Documents and Settings\Earganic\Application Data\Waves Audio
    2006-08-26 02:01 -------- d-------- C:\Program Files\Microsoft ActiveSync
    2006-08-23 21:47 -------- d-------- C:\Program Files\TCWorks
    2006-08-21 05:21 16896 --a------ C:\WINDOWS\system32\fltlib.dll
    2006-08-21 02:14 23040 --a------ C:\WINDOWS\system32\fltmc.exe
    2006-08-21 02:14 128896 --a------ C:\WINDOWS\system32\drivers\fltmgr.sys
    2006-08-20 18:40 -------- d-------- C:\Program Files\East West
    2006-08-17 01:01 -------- d-------- C:\Program Files\VOB
    2006-08-17 01:00 -------- d-------- C:\Program Files\Steinberg
    2006-08-14 03:00 -------- d-------- C:\Program Files\Internet Explorer
    2006-08-10 16:49 -------- d-------- C:\Program Files\FriendBot
    2006-08-05 23:30 -------- d-------- C:\Program Files\Muon Software Ltd
    2006-07-28 19:43 -------- d---s---- C:\Documents and Settings\Earganic\Application Data\Microsoft
    2006-07-28 19:36 2508 --a------ C:\Documents and Settings\Earganic\Application Data\$_hpcst$.hpc
    2006-07-28 19:31 -------- d-------- C:\Program Files\Common Files\Microsoft Shared
    2006-07-27 06:24 679424 --a------ C:\WINDOWS\system32\inetcomm.dll
    2006-07-25 23:06 -------- d-------- C:\Program Files\àdobe
    2006-07-25 15:45 -------- d-------- C:\Program Files\Enigma Software Group
    2006-07-24 18:18 -------- d-------- C:\Program Files\CCleaner
    2006-07-24 17:49 -------- d-------- C:\Program Files\Tweak-XP Pro 4
    2006-07-24 17:49 -------- d-------- C:\Program Files\PerSono
    2006-07-24 17:49 -------- d-------- C:\Program Files\MicModDX
    2006-07-24 17:49 -------- d-------- C:\Program Files\LimeWire
    2006-07-24 17:15 -------- d-------- C:\Program Files\Windows NT
    2006-07-23 13:55 -------- d-------- C:\Program Files\DAEMON Tools
    2006-07-21 01:24 72704 --a------ C:\WINDOWS\system32\hlink.dll
    2006-07-15 03:39 -------- d-------- C:\Program Files\Logitech
    2006-07-15 03:39 -------- d-------- C:\Program Files\Common Files\Logitech
    2006-07-13 01:48 202240 --a------ C:\WINDOWS\system32\drivers\rmcast.sys
    2006-06-26 16:13 129832 --a------ C:\WINDOWS\system32\rapi.dll
    2006-06-26 16:12 20264 --a------ C:\WINDOWS\system32\ceutil.dll
    2006-06-21 22:06 69120 --a------ C:\WINDOWS\system32\ciodm.dll
    2006-06-21 22:06 1435648 --a------ C:\WINDOWS\system32\query.dll


    (((((((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))

    *Note* empty entries are not shown

    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "Creative Detector "= "\ "C:\\Program Files\\Creative\\MediaSource\\Detector\\CTDetect.exe\" /R "
    "ctfmon.exe "= "C:\\WINDOWS\\system32\\ctfmon.exe "
    "H/PC Connection Agent "= "\ "C:\\Program Files\\Microsoft ActiveSync\\wcescomm.exe\" "

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "zBrowser Launcher "= "C:\\Program Files\\Logitech\\iTouch\\iTouch.exe "
    "ViewMgr "= "C:\\Program Files\\Viewpoint\\Viewpoint Manager\\ViewMgr.exe "
    "SunJavaUpdateSched "= "C:\\Program Files\\Java\\jre1.5.0_06\\bin\\jusched.exe "
    "SoundMan "= "SOUNDMAN.EXE "
    "QuickTime Task "= "\ "C:\\Program Files\\QuickTime\\qttask.exe\" -atboottime "
    "PHIME2002ASync "= "C:\\WINDOWS\\system32\\IME\\TINTLGNT\\TINTSETP.EXE /SYNC "
    "PHIME2002A "= "C:\\WINDOWS\\system32\\IME\\TINTLGNT\\TINTSETP.EXE /IMEName "
    "nwiz "= "nwiz.exe /install "
    "NvMediaCenter "= "RunDLL32.exe NvMCTray.dll,NvTaskbarInit "
    "NvCplDaemon "= "RUNDLL32.EXE C:\\WINDOWS\\system32\\NvCpl.dll,NvStartup "
    "NeroFilterCheck "= "C:\\WINDOWS\\system32\\NeroCheck.exe "
    "MSPY2002 "= "C:\\WINDOWS\\system32\\IME\\PINTLGNT\\ImScInst.exe /SYNC "
    "IMJPMIG8.1 "= "\ "C:\\WINDOWS\\IME\\imjp8_1\\IMJPMIG.EXE\" /Spoil /RemAdvDef /Migration32 "
    "H2O "= "C:\\Program Files\\SyncroSoft\\Pos\\H2O\\cledx.exe "
    "DAEMON Tools "= "\ "C:\\Program Files\\DAEMON Tools\\daemon.exe\" -lang 1033 "
    "CTxfiHlp "= "CTXFIHLP.EXE "
    "FirefaceTray "= "fireface.exe "
    "FirefaceMixTray "= "firefacemix.exe "
    "NVMixerTray "= "\ "C:\\Program Files\\NVIDIA Corporation\\NvMixer\\NVMixerTray.exe\" "
    "Windows Defender "= "\ "C:\\Program Files\\Windows Defender\\MSASCui.exe\" -hide "

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\IMAIL]
    "Installed "= "1 "

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\MAPI]
    "Installed "= "1 "
    "NoChange "= "1 "

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\MSFS]
    "Installed "= "1 "

    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\Desktop\Components]
    "DeskHtmlVersion "=dword:00000110
    "DeskHtmlMinorVersion "=dword:00000005
    "Settings "=dword:00000001
    "GeneralFlags "=dword:00000001

    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\Desktop\Components\0]
    "Source "=" "
    "SubscribedURL "=" "
    "FriendlyName "=" "
    "Flags "=dword:00002000
    "Position "=hex:2c,00,00,00,64,00,00,00,64,00,00,00,58,02,00,00,c8,00,00,00,e8,\
    03,00,00,00,00,00,00,00,00,00,00,00,00,00,00,14,00,00,00,14,00,00,00
    "CurrentState "=hex:01,00,00,40
    "OriginalStateInfo "=hex:18,00,00,00,64,00,00,00,64,00,00,00,58,02,00,00,c8,00,\
    00,00,01,00,00,00
    "RestoredStateInfo "=hex:00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,\
    00,00,00,00,00,00

    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\Desktop\Components\1]
    "Source "=" "
    "SubscribedURL "=" "
    "FriendlyName "=" "
    "Flags "=dword:00002000
    "Position "=hex:2c,00,00,00,64,00,00,00,64,00,00,00,58,02,00,00,c8,00,00,00,ea,\
    03,00,00,00,00,00,00,00,00,00,00,00,00,00,00,14,00,00,00,14,00,00,00
    "CurrentState "=hex:01,00,00,40
    "OriginalStateInfo "=hex:18,00,00,00,64,00,00,00,64,00,00,00,58,02,00,00,c8,00,\
    00,00,01,00,00,00
    "RestoredStateInfo "=hex:00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,\
    00,00,00,00,00,00

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\shellexecutehooks]
    "{AEB6717E-7E19-11d0-97EE-00C04FD91972} "=" "
    "{091EB208-39DD-417D-A5DD-7E2C2D8FB9CB} "= "Microsoft AntiMalware ShellExecuteHook "

    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\explorer]
    "NoDriveTypeAutoRun "=dword:00000091

    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\explorer\Run]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system]
    "dontdisplaylastusername "=dword:00000000
    "legalnoticecaption "=" "
    "legalnoticetext "=" "
    "shutdownwithoutlogon "=dword:00000001
    "undockwithoutlogon "=dword:00000001

    [HKEY_USERS\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\explorer]
    "NoDriveTypeAutoRun "=dword:00000091

    [HKEY_USERS\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\explorer]
    "NoDriveTypeAutoRun "=dword:00000091

    [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad]
    "PostBootReminder "= "{7849596a-48ea-486e-8937-a2a3009f31a9} "
    "CDBurn "= "{fbeb8a05-beee-4442-804e-409d6c4515e9} "
    "WebCheck "= "{E6FB5E20-DE35-11CF-9C87-00AA005127ED} "
    "SysTray "= "{35CEC8A3-2BE6-11D2-8773-92E220524153} "
    "UPnPMonitor "= "{e57ce738-33e8-4c51-8354-bb4de9d215d1} "

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSCONFIG\Startupreg]
    "key "= "SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run "
    "item "=" "
    "hkey "= "HKLM "
    "command "=" "
    "inimapping "= "0 "


    HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders
    securityproviders REG_SZ msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll


    Contents of the 'Scheduled Tasks' folder
    C:\WINDOWS\tasks\MP Scheduled Scan.job

    Completion time: 06-09-13 18:06:40.00
    ComboFix.txt
    ComboFix2.txt
    ComboFix3.txt

    HiJackThis:

    Logfile of HijackThis v1.99.1
    Scan saved at 18:07, on 06-09-13
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\Program Files\Windows Defender\MsMpEng.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\Explorer.EXE
    C:\Program Files\Logitech\iTouch\iTouch.exe
    C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
    C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
    C:\WINDOWS\SOUNDMAN.EXE
    C:\WINDOWS\system32\RunDLL32.exe
    C:\Program Files\SyncroSoft\Pos\H2O\cledx.exe
    C:\WINDOWS\system32\CTXFIHLP.EXE
    C:\WINDOWS\system32\fireface.exe
    C:\WINDOWS\system32\firefacemix.exe
    C:\Program Files\NVIDIA Corporation\NvMixer\NVMixerTray.exe
    C:\Program Files\Windows Defender\MSASCui.exe
    C:\Program Files\Creative\MediaSource\Detector\CTDetect.exe
    C:\WINDOWS\system32\ctfmon.exe
    C:\Program Files\Microsoft ActiveSync\wcescomm.exe
    C:\WINDOWS\SYSTEM32\CTXFISPI.EXE
    C:\PROGRA~1\MICROS~3\rapimgr.exe
    C:\WINDOWS\system32\DRIVERS\CDANTSRV.EXE
    C:\WINDOWS\system32\CTsvcCDA.EXE
    C:\Program Files\Common Files\LightScribe\LSSrvc.exe
    C:\WINDOWS\system32\nvsvc32.exe
    C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindService.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\system32\wuauclt.exe
    C:\HJT\HijackThis.exe

    O1 - Hosts: 207.7.142.44 iwalton.com
    O1 - Hosts: 207.7.142.44 www.iwalton.com
    O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
    O2 - BHO: Ipswitch.WsftpBrowserHelper - {601ED020-FB6C-11D3-87D8-0050DA59922B} - C:\Program Files\Ipswitch\WS_FTP Pro\wsbho2k0.dll
    O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
    O2 - BHO: AcroIEToolbarHelper Class - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll
    O4 - HKLM\..\Run: [zBrowser Launcher] C:\Program Files\Logitech\iTouch\iTouch.exe
    O4 - HKLM\..\Run: [ViewMgr] C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
    O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
    O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /SYNC
    O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /IMEName
    O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
    O4 - HKLM\..\Run: [NvMediaCenter] RunDLL32.exe NvMCTray.dll,NvTaskbarInit
    O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
    O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
    O4 - HKLM\..\Run: [MSPY2002] C:\WINDOWS\system32\IME\PINTLGNT\ImScInst.exe /SYNC
    O4 - HKLM\..\Run: [IMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
    O4 - HKLM\..\Run: [H2O] C:\Program Files\SyncroSoft\Pos\H2O\cledx.exe
    O4 - HKLM\..\Run: [DAEMON Tools] "C:\Program Files\DAEMON Tools\daemon.exe" -lang 1033
    O4 - HKLM\..\Run: [CTxfiHlp] CTXFIHLP.EXE
    O4 - HKLM\..\Run: [FirefaceTray] fireface.exe
    O4 - HKLM\..\Run: [FirefaceMixTray] firefacemix.exe
    O4 - HKLM\..\Run: [NVMixerTray] "C:\Program Files\NVIDIA Corporation\NvMixer\NVMixerTray.exe "
    O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
    O4 - HKCU\..\Run: [Creative Detector] "C:\Program Files\Creative\MediaSource\Detector\CTDetect.exe" /R
    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
    O4 - HKCU\..\Run: [H/PC Connection Agent] "C:\Program Files\Microsoft ActiveSync\wcescomm.exe "
    O4 - Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
    O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
    O4 - Global Startup: Loadout Manager.lnk = C:\Program Files\Belkin\Nostromo\nost_LM.exe
    O4 - Global Startup: Perstray.lnk = ?
    O8 - Extra context menu item: Convert link target to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
    O8 - Extra context menu item: Convert link target to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
    O8 - Extra context menu item: Convert selected links to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
    O8 - Extra context menu item: Convert selected links to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
    O8 - Extra context menu item: Convert selection to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
    O8 - Extra context menu item: Convert selection to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
    O8 - Extra context menu item: Convert to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
    O8 - Extra context menu item: Convert to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
    O8 - Extra context menu item: Sothink SWF Catcher - C:\Program Files\Common Files\SourceTec\SWF Catcher\InternetExplorer.htm
    O9 - Extra button: Create Mobile Favorite - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MICROS~3\INetRepl.dll
    O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MICROS~3\INetRepl.dll
    O9 - Extra 'Tools' menuitem: Create Mobile Favorite... - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MICROS~3\INetRepl.dll
    O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
    O9 - Extra button: Sothink SWF Catcher - {E19ADC6E-3909-43E4-9A89-B7B676377EE3} - C:\Program Files\Common Files\SourceTec\SWF Catcher\InternetExplorer.htm
    O9 - Extra 'Tools' menuitem: Sothink SWF Catcher - {E19ADC6E-3909-43E4-9A89-B7B676377EE3} - C:\Program Files\Common Files\SourceTec\SWF Catcher\InternetExplorer.htm
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O15 - Trusted Zone: http://*.windowsupdate.com
    O16 - DPF: {0A5FD7C5-A45C-49FC-ADB5-9952547D5715} (Creative Software AutoUpdate) - http://www.creative.com/su/ocx/15015/CTSUEng.cab
    O16 - DPF: {F6ACF75C-C32C-447B-9BEF-46B766368D29} (Creative Software AutoUpdate Support Package) - http://www.creative.com/su/ocx/15021/CTPID.cab
    O20 - AppInit_DLLs: C:\WINDOWS\system32\msiexec.dll
    O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
    O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
    O23 - Service: C-DillaSrv - C-Dilla Ltd - C:\WINDOWS\system32\DRIVERS\CDANTSRV.EXE
    O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\system32\CTsvcCDA.EXE
    O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
    O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
    O23 - Service: Macromedia Licensing Service - Unknown owner - C:\Program Files\Common Files\Macromedia Shared\Service\Macromedia Licensing.exe
    O23 - Service: Windows Installer (MSIServer) - Unknown owner - C:\WINDOWS\system32\msiexec.exe (file missing)
    O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
    O23 - Service: StarWind iSCSI Service (StarWindService) - Rocket Division Software - C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindService.exe
     
  10. 2006/09/13
    TeMerc

    TeMerc Inactive Alumni

    Joined:
    2006/05/13
    Messages:
    3,226
    Likes Received:
    4
    OK, if you manually deleted them, this one line in HJT should fix it easily enough:
    O20 - AppInit_DLLs: C:\WINDOWS\system32\msiexec.dll

    After fixing, reboot, run HJT, let me know if it is there. If it is, then that means there is something hooking onto it and we'll need to look in other places.
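
A read-only check of the AppInit_DLLs autostart point that HijackThis reports as an O20 line, added here as an example and not part of the thread or of HJT; it assumes a current PowerShell (not the XP-era machine in the thread), resolves bare filenames such as msiexec.dll against the system directory, and only reports, removing nothing.

```powershell
# Added example: enumerate AppInit_DLLs (the HJT "O20" autostart point) and report,
# for every DLL listed, whether the file exists and who signed it. Read-only.
$keys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows',
    'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Windows'  # 32-bit view on x64
)

foreach ($key in $keys) {
    if (-not (Test-Path $key)) { continue }
    $props = Get-ItemProperty -Path $key

    # LoadAppInit_DLLs (Vista and later) gates whether the list is honoured at all;
    # on XP, as in the thread, whatever is listed is loaded into every GUI process.
    $load = if ($null -ne $props.LoadAppInit_DLLs) { $props.LoadAppInit_DLLs } else { 'n/a (always loaded)' }
    Write-Host "`n$key"
    Write-Host "  LoadAppInit_DLLs : $load"

    $raw = [string]$props.AppInit_DLLs
    if ([string]::IsNullOrWhiteSpace($raw)) { Write-Host '  AppInit_DLLs     : <empty>'; continue }

    # The value is one REG_SZ string; entries are separated by spaces or commas.
    foreach ($entry in ($raw -split '[ ,]+' | Where-Object { $_ })) {
        # A bare filename (no drive or folder) is loaded from the system directory.
        $path = if ([IO.Path]::IsPathRooted($entry)) { $entry }
                else { Join-Path ([Environment]::GetFolderPath('System')) $entry }

        if (-not (Test-Path -LiteralPath $path)) {
            Write-Host "  $entry -> MISSING ($path)"   # entry survives but the DLL is gone
            continue
        }
        $sig = Get-AuthenticodeSignature -FilePath $path
        $ver = (Get-Item -LiteralPath $path).VersionInfo
        Write-Host ("  {0} -> {1}; signature={2}; signer={3}; company='{4}'" -f
            $entry, $path, $sig.Status, $sig.SignerCertificate.Subject, $ver.CompanyName)
    }
}
```

An unsigned DLL, or one with no company name, sitting in this list is the kind of entry worth looking up before deciding it is benign; the thread's fix is the removal of exactly such an entry.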
     
  11. 2006/09/13
    wiggz

    wiggz Inactive Thread Starter

    Joined:
    2006/09/13
    Messages:
    6
    Likes Received:
    0
    Deleted it and rebooted. It wasn't there. :)

    Anything else I should do at this point?
     
  12. 2006/09/13
    TeMerc

    TeMerc Inactive Alumni

    Joined:
    2006/05/13
    Messages:
    3,226
    Likes Received:
    4
    Just some finishing clean up is all.

    Firstly you can delete any tools and their respective folders, quarantine ones too. If you're ever to need them again, it's more than likely a newer version will be out.

    We have 3 more things to do, to help ensure you have removed all the little 'leftovers' which may be hiding:

    Empty the TIF (Temporary Internet Files)
    Delete all the files in (and any subfolders of) the C:\Windows\Temp folder
    The app below will help with temp files.
    Index.dat Suite

    Also, delete all your cookies, and empty your recycle bin. But remember, by deleting your cookies, you will have to re-enter any passwords and log-in info for any sites you are usually required to do so with.

    This would also be a good time to set a new system restore point for your machine.
    Set New System Restore Point. Do not do this unless there are no other user accounts to be diagnosed.

    Also, as you are an XP user, if there are any other accounts on this machine, they, too, must be cleaned with AdAware, Spybot S&D, then HJT. Not all infections are global, nor are all the HJT fixes global. You can post each user account here into this thread, but please, do only one at a time to avoid confusion.

    Here is a link which describes how security apps work with WIN XP machines.
    XP User Accts Security Apps Operation

    To further prevent the installation of ad/mal/spyware, DL the apps below, which are just as good in the fight against ad/mal/spyware as AdAware & Spybot S&D:

    SpywareBlaster
    With SpywareBlaster v3.5.1, just DL, install and check for updates, enable Internet Explorer protection, and you're done! I don't recommend using IE restricted sites protection as it's not a very large database. Use IE-SPYADs below.

    To avoid known malware infested sites from loading in IE install IESPY ADS.
    And MVPS Hosts File will accomplish a similar tactic and provide another layer of protection.

    And to prevent unknown applications from being inserted to start up on your machine install WinPatrol v10.0.1.

    Another thing I would suggest is to install SiteAdvisor. It gives sites a few different 'ratings' and, while not foolproof, is a good additional layer of information about many sites.

    Links for tutorials for all the apps I mentioned can be found on my site as well.

    Confused about which apps are good or not? Read about Rogue/Approved Anti Security apps

    And just because you have security apps installed, they are useless unless updated regularly. Keep track of updates for ALL your security needs here:
    Calendar of Updates

    Subscribe to update alerts for all the above security apps here.

    You can also see my own ongoing security testing with all the above apps, proving how secure you can be with them installed.
    TeMerc Test Box Forum

    Happy surfing!!
    Tom :D
     
