
Computer Running Slow

Discussion in 'Malware and Virus Removal Archive' started by JoeB, 2007/10/05.

  1. 2007/10/05
    JoeB

    JoeB Inactive Thread Starter

    Joined:
    2007/05/21
    Messages:
    71
    Likes Received:
    0
    Hello All,

    My computer is running slow and I am not sure why.

    Here is my Log:
    Logfile of HijackThis v1.99.1
    Scan saved at 1:34:18 PM, on 10/5/2007
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

    Running processes:
    C:\WINDOWS\Explorer.EXE
    C:\Program Files\Hewlett-Packard\PhotoSmart\HP Share-to-Web\hpgs2wnd.exe
    C:\Program Files\Hewlett-Packard\PhotoSmart\Photo Imaging\Hpi_Monitor.exe
    C:\WINDOWS\System32\ezSP_Px.exe
    C:\Program Files\iTunes\iTunesHelper.exe
    C:\Program Files\Comodo\Comodo AntiVirus\CMain.exe
    C:\Program Files\Comodo\Comodo AntiVirus\UPSDBMaker.exe
    C:\PROGRA~1\HEWLET~1\PHOTOS~1\HPSHAR~1\hpgs2wnf.exe
    C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hposol08.exe
    C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpoevm08.exe
    C:\Program Files\Comodo\Comodo AntiVirus\CavApp.exe
    C:\Program Files\Comodo\Comodo AntiVirus\Cavaud.exe
    C:\Program Files\Comodo\Comodo AntiVirus\CAVSubmit.exe
    C:\HJT\HijackThis.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.com/customize/ie/defaults/sb/msgr7/*http://www.yahoo.com/ext/search/search.html
    O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
    O2 - BHO: AOL Toolbar Launcher - {7C554162-8CB7-45A4-B8F4-8EA1C75885F9} - C:\Program Files\AOL\AOL Toolbar 3.0\aoltb.dll
    O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
    O2 - BHO: (no name) - {A9DC8D82-161E-3B9F-1937-49C6543F3CC3} - C:\WINDOWS\System32\wzfz.dll
    O2 - BHO: Windows Live Toolbar Helper - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll
    O3 - Toolbar: AOL Toolbar - {DE9C389F-3316-41A7-809B-AA305ED9D922} - C:\Program Files\AOL\AOL Toolbar 3.0\aoltb.dll
    O3 - Toolbar: Windows Live Toolbar - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll
    O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
    O3 - Toolbar: OIN Search - {B9F6E8EB-A4E3-478E-88A4-D3995B5C45C8} - C:\Program Files\OIN Search\OINSearch.dll
    O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\SYSTEM32\hpztsb03.exe
    O4 - HKLM\..\Run: [Share-to-Web Namespace Daemon] C:\Program Files\Hewlett-Packard\PhotoSmart\HP Share-to-Web\hpgs2wnd.exe
    O4 - HKLM\..\Run: [CXMon] "C:\Program Files\Hewlett-Packard\PhotoSmart\Photo Imaging\Hpi_Monitor.exe "
    O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
    O4 - HKLM\..\Run: [ezShieldProtector for Px] C:\WINDOWS\System32\ezSP_Px.exe
    O4 - HKLM\..\Run: [IPHSend] C:\Program Files\Common Files\AOL\IPHSend\IPHSend.exe
    O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe "
    O4 - HKLM\..\Run: [MsmqIntCert] regsvr32 /s mqrt.dll
    O4 - HKLM\..\Run: [cnfgCav] "C:\Program Files\Comodo\Comodo AntiVirus\CMain.exe "
    O4 - HKLM\..\Run: [cavUPSDBMaker] "C:\Program Files\Comodo\Comodo AntiVirus\UPSDBMaker.exe "
    O4 - HKCU\..\Run: [Pvyl] C:\WINDOWS\System32\w?aclt.exe
    O4 - HKCU\..\Run: [Ilru] C:\Program Files\srho\dset.exe
    O4 - Global Startup: Dpcstart.lnk = C:\Program Files\DIRECWAY\BIN\dpcstart.exe
    O4 - Global Startup: hpoddt01.exe.lnk = ?
    O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
    O4 - Global Startup: officejet 6100.lnk = ?
    O8 - Extra context menu item: &Windows Live Search - res://C:\Program Files\Windows Live Toolbar\msntb.dll/search.htm
    O8 - Extra context menu item: Open in new background tab - res://C:\Program Files\Windows Live Toolbar\Components\en-us\msntabres.dll.mui/229?75a5558db7b54cd6a347be3dab0cccd9
    O8 - Extra context menu item: Open in new foreground tab - res://C:\Program Files\Windows Live Toolbar\Components\en-us\msntabres.dll.mui/230?75a5558db7b54cd6a347be3dab0cccd9
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_02\bin\npjpi150_02.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_02\bin\npjpi150_02.dll
    O9 - Extra button: AOL Toolbar - {3369AF0D-62E9-4bda-8103-B4C75499B578} - C:\Program Files\AOL\AOL Toolbar 3.0\aoltb.dll
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O10 - Unknown file in Winsock LSP: c:\windows\system32\cavemlsp.dll
    O10 - Unknown file in Winsock LSP: c:\windows\system32\cavemlsp.dll
    O10 - Unknown file in Winsock LSP: c:\windows\system32\cavemlsp.dll
    O10 - Unknown file in Winsock LSP: c:\windows\system32\cavemlsp.dll
    O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/win...ls/en/x86/client/wuweb_site.cab?1191558620217
    O17 - HKLM\System\CCS\Services\Tcpip\..\{79CACFF6-2FC3-41E7-AD0F-081B9A8DF272}: NameServer = 66.82.4.8
    O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
    O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
    O20 - Winlogon Notify: monln - C:\WINDOWS\SYSTEM32\monln.dll
    O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
    O23 - Service: Comodo Anti-Virus and Anti-Spyware Service - Comodo Inc. - C:\Program Files\Comodo\common\CAVASpy\cavasm.exe
    O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
    O23 - Service: gearsec - GEAR Software - C:\WINDOWS\System32\gearsec.exe
    O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
    O23 - Service: iPod Service - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
    O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
    O23 - Service: PACSPTISVR - Unknown owner - C:\PROGRA~1\COMMON~1\SONYSH~1\AVLib\PACSPT~1.EXE
    O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\HPZipm12.exe
    O23 - Service: Sony SPTI Service (SPTISRV) - Sony Corporation - C:\PROGRA~1\COMMON~1\SONYSH~1\AVLib\Sptisrv.exe
    O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
     
    JoeB,
    #1
  2. 2007/10/05
    noahdfear

    noahdfear Inactive

    Joined:
    2003/04/06
    Messages:
    12,178
    Likes Received:
    15
    Hi JoeB :)

    If you still have Ewido installed, I recommend you uninstall it. It's been acquired by Grisoft and replaced with AVG Anti-Spyware. Download and install AVG Anti-Spyware (AVG-AS)
    • When installation completes, start AVG-AS then click the Update tab at the top. Under Manual Update click Start update.
    • After the update finishes (the status bar at the bottom will display "Update successful "), click on the Scanner tab at the top.
    • Click the "Settings" tab and change the recommended action to Quarantine.
    • Select Do Not Automatically Generate a Report after Every Scan.
    • Go back to the "Scan" tab and click "Complete System Scan ". This scan can take quite a while to run, so sit back and wait.
    • AVG-AS will list any infections found on the left hand side. When the scan has finished, it will automatically set the recommended action.
    • Click the Apply all actions button. AVG-AS will display "All actions have been applied" on the right hand side.
    • Click on "Save Report ", then "Save Report As ". Save the report where you know you can find it again (like on the Desktop) and take note of the name.
    • Close AVG-AS and reboot.

    Upon reboot, please download and install HijackThis version 2.0.2 as recommended in the following link. Download Deckard's System Scanner as well.

    http://www.windowsbbs.com/announcement.php?f=41

    Scan again with HijackThis and place a check next to the following entries, if present.

    O2 - BHO: (no name) - {A9DC8D82-161E-3B9F-1937-49C6543F3CC3} - C:\WINDOWS\System32\wzfz.dll
    O3 - Toolbar: OIN Search - {B9F6E8EB-A4E3-478E-88A4-D3995B5C45C8} - C:\Program Files\OIN Search\OINSearch.dll
    O4 - HKCU\..\Run: [Pvyl] C:\WINDOWS\System32\w?aclt.exe
    O4 - HKCU\..\Run: [Ilru] C:\Program Files\srho\dset.exe

    Close all other windows and click Fix Checked. Close HijackThis.

    Run a scan with Deckard's and post its log, as well as the report from AVG-AS.
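    Added example (not part of this thread, and not code from HijackThis or its authors): a small Python triage script that reads HijackThis O2/O3/O4 lines and flags two of the markers the helper acted on above. A browser add-on registered as "(no name)" is one; an autorun path containing "?" is the other, since HijackThis writes its log in the system code page and shows characters outside it as "?" (the log's own w?aclt.exe is an example). The remaining two entries in the fix list, OIN Search and srho\dset.exe, carry no such pattern and were picked by the helper's knowledge of the names, so the script takes an analyst-supplied watchlist for those. The sample lines are copied from the first log in this thread; the function names, the rule set and the watchlist contents are this example's own.

```python
"""Triage heuristics for HijackThis (HJT) log lines.

Added example for this thread, not part of the original posts and not
part of the HijackThis tool. Parses O2/O3/O4 lines into records and
applies three checks:
  * O2 BHO / O3 toolbar registered as "(no name)";
  * O4 autorun whose command contains "?" (HJT's rendering of a
    character outside the system code page);
  * any entry matching an analyst-supplied watchlist of names or
    path fragments (here seeded from the helper's fix list above).
"""
from __future__ import annotations

import re
from dataclasses import dataclass

# "O2 - BHO: <name> - {CLSID} - <path>"  and the O3 "Toolbar:" variant.
_ADDON_RE = re.compile(
    r"^(?P<section>O[23]) - (?:BHO|Toolbar): (?P<name>.*?) - "
    r"(?P<clsid>\{[0-9A-Fa-f-]+\}) - (?P<command>.+)$"
)
# "O4 - <hive>\..\Run: [<value name>] <command>"
_RUN_RE = re.compile(
    r"^(?P<section>O4) - (?P<hive>[^:]+): \[(?P<name>[^\]]*)\] (?P<command>.+)$"
)


@dataclass
class Entry:
    section: str   # O2, O3 or O4
    name: str      # BHO/toolbar display name or Run value name
    command: str   # DLL path or autorun command line
    clsid: str = ""
    hive: str = ""


def parse_hjt(text: str) -> list[Entry]:
    """Return Entry records for the O2/O3/O4 lines; other sections are skipped."""
    entries: list[Entry] = []
    for raw in text.splitlines():
        line = raw.strip()
        m = _ADDON_RE.match(line)
        if m:
            entries.append(Entry(m["section"], m["name"], m["command"], clsid=m["clsid"]))
            continue
        m = _RUN_RE.match(line)
        if m:
            entries.append(Entry(m["section"], m["name"], m["command"].strip(), hive=m["hive"]))
    return entries


def triage(text: str, watchlist: tuple[str, ...] = ()) -> list[tuple[str, str, str]]:
    """Return (section, name, reason) for every entry a rule fires on, in log order."""
    flagged = []
    for e in parse_hjt(text):
        haystack = f"{e.name} {e.command}".lower()
        if e.section in ("O2", "O3") and e.name == "(no name)":
            flagged.append((e.section, e.name, "browser add-on registered without a name"))
        elif e.section == "O4" and "?" in e.command:
            flagged.append((e.section, e.name, "autorun path contains a character outside the code page"))
        elif any(w.lower() in haystack for w in watchlist):
            flagged.append((e.section, e.name, "matches analyst watchlist"))
    return flagged


# Sample lines copied from the first HijackThis log in this thread.
SAMPLE_LOG = r"""
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: (no name) - {A9DC8D82-161E-3B9F-1937-49C6543F3CC3} - C:\WINDOWS\System32\wzfz.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O3 - Toolbar: OIN Search - {B9F6E8EB-A4E3-478E-88A4-D3995B5C45C8} - C:\Program Files\OIN Search\OINSearch.dll
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe "
O4 - HKCU\..\Run: [Pvyl] C:\WINDOWS\System32\w?aclt.exe
O4 - HKCU\..\Run: [Ilru] C:\Program Files\srho\dset.exe
"""

# Constructed watchlist, seeded from the two fix-list entries the pattern rules miss.
ANALYST_WATCHLIST = ("OIN Search", "srho\\dset.exe")

if __name__ == "__main__":
    for section, name, reason in triage(SAMPLE_LOG, ANALYST_WATCHLIST):
        print(f"{section:3} [{name}] -> {reason}")
```

The pattern rules reproduce only the overt markers in a log; a toolbar or Run entry with a plausible name and a clean path still needs the analyst's knowledge (or a watchlist fed from it), which is why the helper's fix list is four entries and the two pattern rules alone would find two.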
     


  4. 2007/10/06
    JoeB

    JoeB Inactive Thread Starter

    Joined:
    2007/05/21
    Messages:
    71
    Likes Received:
    0
    Computer running slow-AVG & Deckard Logs

    ---------------------------------------------------------
    AVG Anti-Spyware - Scan Report
    ---------------------------------------------------------

    + Created at: 12:36:10 AM 10/6/2007

    + Scan result:



    HKLM\SOFTWARE\Altnet -> Adware.Altnet : Cleaned with backup (quarantined).
    HKLM\SOFTWARE\Altnet\Dashboard -> Adware.Altnet : Cleaned with backup (quarantined).
    HKLM\SOFTWARE\Altnet\Dashboard\Messages -> Adware.Altnet : Cleaned with backup (quarantined).
    HKLM\SYSTEM\CurrentControlSet\Services\SvcProc -> Adware.BetterInternet : Cleaned with backup (quarantined).
    HKLM\SYSTEM\CurrentControlSet\Services\SvcProc\Enum -> Adware.BetterInternet : Cleaned with backup (quarantined).
    HKLM\SYSTEM\CurrentControlSet\Services\SvcProc\Security -> Adware.BetterInternet : Cleaned with backup (quarantined).
    HKU\S-1-5-21-776561741-842925246-1389519059-500\Software\aurora -> Adware.BetterInternet : Cleaned with backup (quarantined).
    C:\Program Files\Screensavers.com -> Adware.Generic : Cleaned with backup (quarantined).
    C:\Program Files\Screensavers.com\Installer -> Adware.Generic : Cleaned with backup (quarantined).
    C:\Program Files\Screensavers.com\Installer\bin -> Adware.Generic : Cleaned with backup (quarantined).
    C:\Program Files\Screensavers.com\Installer\bin\siuninst.exe -> Adware.Generic : Cleaned with backup (quarantined).
    HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Outerinfo -> Adware.Generic : Cleaned with backup (quarantined).
    C:\System Volume Information\_restore{629B1E3A-D430-42B4-9239-3D8E27DEC5EB}\RP3\A0001713.exe -> Adware.MediaTicket : Cleaned with backup (quarantined).
    C:\Documents and Settings\DAVID BRAHLER\My Documents\sуstem32\sеrvices.exe -> Adware.PurityScan : Cleaned with backup (quarantined).
    C:\WINDOWS\SYSTEM32\pnfxnww.dll -> Adware.PurityScan : Cleaned with backup (quarantined).
    C:\WINDOWS\SYSTEM32\wzfz.dll -> Adware.PurityScan : Cleaned with backup (quarantined).
    C:\WINDOWS\SYSTEM32\70tovmto.ini -> Adware.Sahat : Cleaned with backup (quarantined).
    HKLM\SOFTWARE\SurfSideKick3 -> Adware.SurfSide : Cleaned with backup (quarantined).
    HKLM\SOFTWARE\SurfSideKick3\Internet Explorer -> Adware.SurfSide : Cleaned with backup (quarantined).
    C:\Program Files\VirusBursters\vir.dat -> Adware.VirusBursters : Cleaned with backup (quarantined).
    C:\System Volume Information\_restore{629B1E3A-D430-42B4-9239-3D8E27DEC5EB}\RP3\A0001714.dll -> Adware.Winsta : Cleaned with backup (quarantined).
    C:\Documents and Settings\Customer\Local Settings\Temp\laf10.tmp -> Not-A-Virus.Hoax.Win32.Renos.NAC : Cleaned with backup (quarantined).
    C:\Documents and Settings\Chockula\Cookies\chockula@2o7[1].txt -> TrackingCookie.2o7 : Cleaned.
    C:\Documents and Settings\Chockula\Cookies\chockula@usatoday1.112.2o7[1].txt -> TrackingCookie.2o7 : Cleaned.
    C:\Documents and Settings\Customer\Cookies\customer@2o7[2].txt -> TrackingCookie.2o7 : Cleaned.
    C:\Documents and Settings\Customer\Cookies\customer@shopping.112.2o7[1].txt -> TrackingCookie.2o7 : Cleaned.
    C:\Documents and Settings\Customer\Local Settings\Temp\Cookies\customer@2o7[1].txt -> TrackingCookie.2o7 : Cleaned.
    C:\Documents and Settings\Tiki\Cookies\tiki@2o7[1].txt -> TrackingCookie.2o7 : Cleaned.
    C:\Documents and Settings\Customer\Cookies\customer@ads.addynamix[1].txt -> TrackingCookie.Addynamix : Cleaned.
    C:\Documents and Settings\DAVID BRAHLER\Cookies\david brahler@rotator.adjuggler[1].txt -> TrackingCookie.Adjuggler : Cleaned.
    C:\Documents and Settings\Customer\Cookies\customer@www.adobe[1].txt -> TrackingCookie.Adobe : Cleaned.
    C:\Documents and Settings\DAVID BRAHLER\Cookies\david brahler@www.adobe[1].txt -> TrackingCookie.Adobe : Cleaned.
    C:\Documents and Settings\Customer\Cookies\customer@www.adtrak[1].txt -> TrackingCookie.Adtrak : Cleaned.
    C:\Documents and Settings\Customer\Cookies\customer@advertising[1].txt -> TrackingCookie.Advertising : Cleaned.
    C:\Documents and Settings\Customer\Local Settings\Temp\Cookies\customer@advertising[2].txt -> TrackingCookie.Advertising : Cleaned.
    C:\Documents and Settings\Customer\Cookies\customer@bluestreak[1].txt -> TrackingCookie.Bluestreak : Cleaned.
    C:\Documents and Settings\DAVID BRAHLER\Cookies\david brahler@www.burstbeacon[1].txt -> TrackingCookie.Burstbeacon : Cleaned.
    C:\Documents and Settings\Customer\Cookies\customer@burstnet[2].txt -> TrackingCookie.Burstnet : Cleaned.
    C:\Documents and Settings\Customer\Cookies\customer@www.burstnet[1].txt -> TrackingCookie.Burstnet : Cleaned.
    C:\Documents and Settings\DAVID BRAHLER\Cookies\david brahler@burstnet[2].txt -> TrackingCookie.Burstnet : Cleaned.
    C:\Documents and Settings\Jo Jo\Cookies\jo jo@www.burstnet[1].txt -> TrackingCookie.Burstnet : Cleaned.
    C:\Documents and Settings\DAVID BRAHLER\Cookies\david brahler@com[1].txt -> TrackingCookie.Com : Cleaned.
    C:\Documents and Settings\Customer\Cookies\customer@cpvfeed[2].txt -> TrackingCookie.Cpvfeed : Cleaned.
    C:\Documents and Settings\DAVID BRAHLER\Cookies\david brahler@cpvfeed[2].txt -> TrackingCookie.Cpvfeed : Cleaned.
    C:\Documents and Settings\Customer\Cookies\customer@stat.dealtime[2].txt -> TrackingCookie.Dealtime : Cleaned.
    C:\Documents and Settings\DAVID BRAHLER\Cookies\david brahler@stat.dealtime[1].txt -> TrackingCookie.Dealtime : Cleaned.
    C:\Documents and Settings\Customer\Cookies\customer@adopt.euroclick[1].txt -> TrackingCookie.Euroclick : Cleaned.
    C:\Documents and Settings\DAVID BRAHLER\Cookies\david brahler@adopt.euroclick[2].txt -> TrackingCookie.Euroclick : Cleaned.
    C:\Documents and Settings\DAVID BRAHLER\Cookies\david brahler@server.iad.liveperson[1].txt -> TrackingCookie.Liveperson : Cleaned.
    C:\Documents and Settings\Customer\Cookies\customer@mediaplex[2].txt -> TrackingCookie.Mediaplex : Cleaned.
    C:\Documents and Settings\DAVID BRAHLER\Cookies\david brahler@search.msn[2].txt -> TrackingCookie.Msn : Cleaned.
    C:\Documents and Settings\Administrator\Cookies\administrator@ssl-hints.netflame[1].txt -> TrackingCookie.Netflame : Cleaned.
    C:\Documents and Settings\Customer\Cookies\customer@overture[1].txt -> TrackingCookie.Overture : Cleaned.
    C:\Documents and Settings\Customer\Cookies\customer@paycounter[1].txt -> TrackingCookie.Paycounter : Cleaned.
    C:\Documents and Settings\Jo Jo\Cookies\jo jo@www.paypal[1].txt -> TrackingCookie.Paypal : Cleaned.
    C:\Documents and Settings\Customer\Cookies\customer@ads.pointroll[1].txt -> TrackingCookie.Pointroll : Cleaned.
    C:\Documents and Settings\Customer\Cookies\customer@www.popuptraffic[2].txt -> TrackingCookie.Popuptraffic : Cleaned.
    C:\Documents and Settings\Customer\Cookies\customer@questionmarket[1].txt -> TrackingCookie.Questionmarket : Cleaned.
    C:\Documents and Settings\DAVID BRAHLER\Cookies\david brahler@real[1].txt -> TrackingCookie.Real : Cleaned.
    C:\Documents and Settings\Administrator\Cookies\administrator@realmedia[2].txt -> TrackingCookie.Realmedia : Cleaned.
    C:\Documents and Settings\Customer\Cookies\customer@realmedia[1].txt -> TrackingCookie.Realmedia : Cleaned.
    C:\Documents and Settings\Customer\Local Settings\Temp\Cookies\customer@realmedia[1].txt -> TrackingCookie.Realmedia : Cleaned.
    C:\Documents and Settings\DAVID BRAHLER\Cookies\david brahler@realmedia[1].txt -> TrackingCookie.Realmedia : Cleaned.
    C:\Documents and Settings\Jo Jo\Cookies\jo jo@realmedia[1].txt -> TrackingCookie.Realmedia : Cleaned.
    C:\Documents and Settings\Administrator\Cookies\administrator@revsci[2].txt -> TrackingCookie.Revsci : Cleaned.
    C:\Documents and Settings\Chockula\Cookies\chockula@revsci[2].txt -> TrackingCookie.Revsci : Cleaned.
    C:\Documents and Settings\Customer\Cookies\customer@revsci[1].txt -> TrackingCookie.Revsci : Cleaned.
    C:\Documents and Settings\DAVID BRAHLER\Cookies\david brahler@revsci[2].txt -> TrackingCookie.Revsci : Cleaned.
    C:\Documents and Settings\Customer\Cookies\customer@edge.ru4[1].txt -> TrackingCookie.Ru4 : Cleaned.
    C:\Documents and Settings\Customer\Cookies\customer@cs.sexcounter[2].txt -> TrackingCookie.Sexcounter : Cleaned.
    C:\Documents and Settings\Customer\Cookies\customer@counter15.sextracker[1].txt -> TrackingCookie.Sextracker : Cleaned.
    C:\Documents and Settings\Customer\Cookies\customer@counter9.sextracker[1].txt -> TrackingCookie.Sextracker : Cleaned.
    C:\Documents and Settings\Customer\Cookies\customer@sextracker[1].txt -> TrackingCookie.Sextracker : Cleaned.
    C:\Documents and Settings\Customer\Cookies\customer@statcounter[2].txt -> TrackingCookie.Statcounter : Cleaned.
    C:\Documents and Settings\DAVID BRAHLER\Cookies\david brahler@statcounter[1].txt -> TrackingCookie.Statcounter : Cleaned.
    C:\Documents and Settings\Chockula\Cookies\chockula@anad.tacoda[1].txt -> TrackingCookie.Tacoda : Cleaned.
    C:\Documents and Settings\Chockula\Cookies\chockula@tacoda[2].txt -> TrackingCookie.Tacoda : Cleaned.
    C:\Documents and Settings\Customer\Cookies\customer@anad.tacoda[1].txt -> TrackingCookie.Tacoda : Cleaned.
    C:\Documents and Settings\Customer\Cookies\customer@tacoda[2].txt -> TrackingCookie.Tacoda : Cleaned.
    C:\Documents and Settings\DAVID BRAHLER\Cookies\david brahler@anad.tacoda[2].txt -> TrackingCookie.Tacoda : Cleaned.
    C:\Documents and Settings\DAVID BRAHLER\Cookies\david brahler@anat.tacoda[2].txt -> TrackingCookie.Tacoda : Cleaned.
    C:\Documents and Settings\DAVID BRAHLER\Cookies\david brahler@tacoda[2].txt -> TrackingCookie.Tacoda : Cleaned.
    C:\Documents and Settings\Customer\Cookies\customer@tradedoubler[1].txt -> TrackingCookie.Tradedoubler : Cleaned.
    C:\Documents and Settings\Customer\Cookies\customer@trafficmp[2].txt -> TrackingCookie.Trafficmp : Cleaned.
    C:\Documents and Settings\Customer\Cookies\customer@reduxads.valuead[2].txt -> TrackingCookie.Valuead : Cleaned.
    C:\Documents and Settings\Customer\Cookies\customer@m.webtrends[2].txt -> TrackingCookie.Webtrends : Cleaned.
    C:\Documents and Settings\Administrator\Cookies\administrator@ad.yieldmanager[2].txt -> TrackingCookie.Yieldmanager : Cleaned.
    C:\Documents and Settings\Customer\Cookies\customer@ad.yieldmanager[2].txt -> TrackingCookie.Yieldmanager : Cleaned.
    C:\Documents and Settings\Customer\Local Settings\Temp\Cookies\customer@ad.yieldmanager[1].txt -> TrackingCookie.Yieldmanager : Cleaned.
    C:\Documents and Settings\DAVID BRAHLER\Cookies\david brahler@ad.yieldmanager[1].txt -> TrackingCookie.Yieldmanager : Cleaned.
    C:\Documents and Settings\DAVID BRAHLER\Cookies\david brahler@yieldmanager[1].txt -> TrackingCookie.Yieldmanager : Cleaned.
    C:\Documents and Settings\Jo Jo\Cookies\jo jo@ad.yieldmanager[1].txt -> TrackingCookie.Yieldmanager : Cleaned.
    C:\System Volume Information\_restore{629B1E3A-D430-42B4-9239-3D8E27DEC5EB}\RP3\A0001710.exe -> Trojan.Favadd.aj : Cleaned with backup (quarantined).
    C:\!Submit\shnlog.exe -> Trojan.Puper.bh : Cleaned with backup (quarantined).
    C:\WINDOWS\SYSTEM32\wnsapicc.exe -> Trojan.Small : Cleaned with backup (quarantined).
    C:\Documents and Settings\Customer\My Documents\My Music\01 Track 1, black.wma -> Trojan.Wimad.a : Cleaned with backup (quarantined).
    C:\Documents and Settings\DAVID BRAHLER\Shared\Steven Spielberg gets a hilarious prank phone call.wma -> Trojan.Wimad.a : Cleaned with backup (quarantined).


    ::Report end
    Deckard's System Scanner v20070905.67
    Run by Administrator on 2007-10-06 14:09:57
    Computer is in Normal Mode.
    --------------------------------------------------------------------------------

    Total Physical Memory: 320 MiB (512 MiB recommended).


    -- HijackThis (run as Administrator.exe) ---------------------------------------

    Logfile of Trend Micro HijackThis v2.0.2
    Scan saved at 2:10:35 PM, on 10/6/2007
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
    Boot mode: Normal

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
    C:\Program Files\Comodo\common\CAVASpy\cavasm.exe
    C:\WINDOWS\System32\gearsec.exe
    C:\WINDOWS\system32\inetsrv\inetinfo.exe
    C:\WINDOWS\system32\tcpsvcs.exe
    C:\WINDOWS\System32\snmp.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\MsPMSPSv.exe
    C:\WINDOWS\System32\mqsvc.exe
    C:\WINDOWS\System32\mqtgsvc.exe
    C:\Program Files\iPod\bin\iPodService.exe
    C:\WINDOWS\system32\wuauclt.exe
    C:\WINDOWS\Explorer.EXE
    C:\Program Files\Hewlett-Packard\PhotoSmart\HP Share-to-Web\hpgs2wnd.exe
    C:\WINDOWS\System32\ezSP_Px.exe
    C:\Program Files\iTunes\iTunesHelper.exe
    C:\Program Files\Comodo\Comodo AntiVirus\CMain.exe
    C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
    C:\Program Files\QuickTime\qttask.exe
    C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe
    C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hposol08.exe
    C:\PROGRA~1\HEWLET~1\PHOTOS~1\HPSHAR~1\hpgs2wnf.exe
    C:\Program Files\Comodo\Comodo AntiVirus\Cavaud.exe
    C:\Documents and Settings\Administrator\Desktop\dss.exe
    C:\PROGRA~1\TRENDM~1\HIJACK~1\ADMINI~1.EXE
    C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpoevm08.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.com/customize/ie/defaults/sb/msgr7/*http://www.yahoo.com/ext/search/search.html
    O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
    O2 - BHO: AOL Toolbar Launcher - {7C554162-8CB7-45A4-B8F4-8EA1C75885F9} - C:\Program Files\AOL\AOL Toolbar 3.0\aoltb.dll
    O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
    O2 - BHO: Windows Live Toolbar Helper - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll
    O3 - Toolbar: AOL Toolbar - {DE9C389F-3316-41A7-809B-AA305ED9D922} - C:\Program Files\AOL\AOL Toolbar 3.0\aoltb.dll
    O3 - Toolbar: Windows Live Toolbar - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll
    O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
    O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\SYSTEM32\hpztsb03.exe
    O4 - HKLM\..\Run: [Share-to-Web Namespace Daemon] C:\Program Files\Hewlett-Packard\PhotoSmart\HP Share-to-Web\hpgs2wnd.exe
    O4 - HKLM\..\Run: [CXMon] "C:\Program Files\Hewlett-Packard\PhotoSmart\Photo Imaging\Hpi_Monitor.exe "
    O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
    O4 - HKLM\..\Run: [ezShieldProtector for Px] C:\WINDOWS\System32\ezSP_Px.exe
    O4 - HKLM\..\Run: [IPHSend] C:\Program Files\Common Files\AOL\IPHSend\IPHSend.exe
    O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe "
    O4 - HKLM\..\Run: [MsmqIntCert] regsvr32 /s mqrt.dll
    O4 - HKLM\..\Run: [cnfgCav] "C:\Program Files\Comodo\Comodo AntiVirus\CMain.exe "
    O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKUS\S-1-5-18\..\Run: [Pvyl] C:\WINDOWS\System32\w?aclt.exe (User 'SYSTEM')
    O4 - HKUS\S-1-5-18\..\Run: [Ilru] C:\Program Files\srho\dset.exe (User 'SYSTEM')
    O4 - HKUS\.DEFAULT\..\Run: [Pvyl] C:\WINDOWS\System32\w?aclt.exe (User 'Default user')
    O4 - Global Startup: hpoddt01.exe.lnk = ?
    O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
    O4 - Global Startup: officejet 6100.lnk = ?
    O8 - Extra context menu item: &AOL Toolbar Search - c:\program files\aol\aol toolbar 3.0\resources\en-US\local\search.html
    O8 - Extra context menu item: &Windows Live Search - res://C:\Program Files\Windows Live Toolbar\msntb.dll/search.htm
    O8 - Extra context menu item: Open in new background tab - res://C:\Program Files\Windows Live Toolbar\Components\en-us\msntabres.dll.mui/229?1c36bbcacf5e447baeadcd700de32f41
    O8 - Extra context menu item: Open in new foreground tab - res://C:\Program Files\Windows Live Toolbar\Components\en-us\msntabres.dll.mui/230?1c36bbcacf5e447baeadcd700de32f41
    O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/win...ls/en/x86/client/wuweb_site.cab?1191558620217
    O17 - HKLM\System\CCS\Services\Tcpip\..\{79CACFF6-2FC3-41E7-AD0F-081B9A8DF272}: NameServer = 66.82.4.8
    O20 - Winlogon Notify: monln - C:\WINDOWS\SYSTEM32\monln.dll
    O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
    O23 - Service: Comodo Anti-Virus and Anti-Spyware Service - Comodo Inc. - C:\Program Files\Comodo\common\CAVASpy\cavasm.exe
    O23 - Service: gearsec - GEAR Software - C:\WINDOWS\System32\gearsec.exe
    O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
    O23 - Service: iPod Service - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
    O23 - Service: PACSPTISVR - Unknown owner - C:\PROGRA~1\COMMON~1\SONYSH~1\AVLib\PACSPT~1.EXE
    O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\HPZipm12.exe
    O23 - Service: Sony SPTI Service (SPTISRV) - Sony Corporation - C:\PROGRA~1\COMMON~1\SONYSH~1\AVLib\Sptisrv.exe

    --
    End of file - 6010 bytes

    -- Files created between 2007-09-06 and 2007-10-06 -----------------------------

    2007-10-06 13:02:05 0 d-------- C:\Documents and Settings\Joosh\Application Data\Talkback
    2007-10-06 13:01:58 0 d-------- C:\Documents and Settings\Joosh\Application Data\Mozilla
    2007-10-06 12:25:13 0 d-------- C:\Documents and Settings\Joosh\Application Data\Comodo AntiVirus
    2007-10-06 12:12:33 0 d-------- C:\Documents and Settings\Joosh\Application Data\Macromedia
    2007-10-06 12:10:06 0 d-------- C:\Documents and Settings\Joosh\Application Data\Grisoft
    2007-10-06 12:09:46 0 d-------- C:\Documents and Settings\Joosh\Application Data\Share-to-Web Upload Folder
    2007-10-06 12:08:43 0 d-------- C:\Documents and Settings\Joosh\Application Data\Identities
    2007-10-06 12:08:05 0 d--h----- C:\Documents and Settings\Joosh\Templates
    2007-10-06 12:08:05 0 dr------- C:\Documents and Settings\Joosh\Start Menu
    2007-10-06 12:08:05 0 dr-h----- C:\Documents and Settings\Joosh\SendTo
    2007-10-06 12:08:05 0 dr-h----- C:\Documents and Settings\Joosh\Recent
    2007-10-06 12:08:05 0 d--h----- C:\Documents and Settings\Joosh\PrintHood
    2007-10-06 12:08:05 1310720 --ah----- C:\Documents and Settings\Joosh\NTUSER.DAT
    2007-10-06 12:08:05 0 d--h----- C:\Documents and Settings\Joosh\NetHood
    2007-10-06 12:08:05 0 dr------- C:\Documents and Settings\Joosh\My Documents
    2007-10-06 12:08:05 0 d--h----- C:\Documents and Settings\Joosh\Local Settings
    2007-10-06 12:08:05 0 dr------- C:\Documents and Settings\Joosh\Favorites
    2007-10-06 12:08:05 0 d-------- C:\Documents and Settings\Joosh\Desktop
    2007-10-06 12:08:05 0 d---s---- C:\Documents and Settings\Joosh\Cookies
    2007-10-06 12:08:05 0 dr-h----- C:\Documents and Settings\Joosh\Application Data
    2007-10-06 12:08:05 0 d---s---- C:\Documents and Settings\Joosh\Application Data\Microsoft
    2007-10-06 01:23:58 0 d-------- C:\Program Files\Trend Micro
    2007-10-06 01:05:03 57344 --a------ C:\WINDOWS\system32\dpcuninst.exe <Not Verified; Hughes Network Systems; DIRECWAY>
    2007-10-05 21:18:51 0 d-------- C:\Documents and Settings\Administrator\Application Data\Grisoft
    2007-10-05 21:18:27 0 d-------- C:\Documents and Settings\All Users\Application Data\Grisoft
    2007-10-05 20:16:11 139536 --a------ C:\WINDOWS\system32\javaee.dll <Not Verified; Microsoft Corporation; Microsoft(R) Windows (R) Operating System>
    2007-10-05 18:46:07 0 d-------- C:\Documents and Settings\DAVID BRAHLER\Application Data\MySpace
    2007-10-05 18:45:50 0 d-------- C:\WINDOWS\system32\?icrosoft
    2007-10-05 16:47:14 0 d-------- C:\Documents and Settings\Administrator\Application Data\MySpace
    2007-10-05 16:46:54 0 d-------- C:\Program Files\MySpace
    2007-10-05 16:19:20 0 d-------- C:\Documents and Settings\Administrator\Application Data\Apple Computer
    2007-10-05 13:35:11 0 d-------- C:\Documents and Settings\Chockula\Application Data\Comodo AntiVirus
    2007-10-05 13:22:48 0 d-------- C:\Documents and Settings\Chockula\Application Data\Macromedia
    2007-10-05 12:57:15 0 d-------- C:\Documents and Settings\Tiki\Application Data\Share-to-Web Upload Folder
    2007-10-05 07:35:21 0 d-------- C:\Documents and Settings\Tiki\Application Data\Identities
    2007-10-05 07:34:41 0 dr------- C:\Documents and Settings\Tiki\Favorites
    2007-10-05 07:34:41 0 d-------- C:\Documents and Settings\Tiki\Desktop
    2007-10-05 07:34:41 0 d---s---- C:\Documents and Settings\Tiki\Cookies
    2007-10-05 07:34:41 0 dr-h----- C:\Documents and Settings\Tiki\Application Data
    2007-10-05 07:34:41 0 d---s---- C:\Documents and Settings\Tiki\Application Data\Microsoft
    2007-10-05 07:34:40 0 d--h----- C:\Documents and Settings\Tiki\Templates
    2007-10-05 07:34:40 0 dr------- C:\Documents and Settings\Tiki\Start Menu
    2007-10-05 07:34:40 0 dr-h----- C:\Documents and Settings\Tiki\SendTo
    2007-10-05 07:34:40 0 dr-h----- C:\Documents and Settings\Tiki\Recent
    2007-10-05 07:34:40 0 d--h----- C:\Documents and Settings\Tiki\PrintHood
    2007-10-05 07:34:40 1310720 --ah----- C:\Documents and Settings\Tiki\NTUSER.DAT
    2007-10-05 07:34:40 0 d--h----- C:\Documents and Settings\Tiki\NetHood
    2007-10-05 07:34:40 0 dr------- C:\Documents and Settings\Tiki\My Documents
    2007-10-05 07:34:40 0 d--h----- C:\Documents and Settings\Tiki\Local Settings
    2007-10-05 00:19:46 73728 --a------ C:\WINDOWS\system32\CavEmLSP.dll <Not Verified; COMODO; Comodo AntiVirus.>
    2007-10-05 00:19:27 102400 --a------ C:\WINDOWS\system32\drivers\cavasm.sys <Not Verified; Comodo Inc.; Comodo Anti-Viruspyware>
    2007-10-05 00:19:13 0 d-------- C:\Documents and Settings\All Users\Application Data\Comodo
    2007-10-05 00:19:07 216576 --a------ C:\WINDOWS\system32\monln.dll <Not Verified; Comodo Inc.; Comodo Anti-Viruspyware>
    2007-10-05 00:18:55 0 d-------- C:\Program Files\Comodo
    2007-10-04 23:42:33 0 d-------- C:\Documents and Settings\Chockula\Application Data\Share-to-Web Upload Folder
    2007-10-04 23:42:14 0 d-------- C:\Documents and Settings\Chockula\Application Data\Identities
    2007-10-04 23:41:55 0 d--h----- C:\Documents and Settings\Chockula\Templates
    2007-10-04 23:41:55 0 dr------- C:\Documents and Settings\Chockula\Start Menu
    2007-10-04 23:41:55 0 dr-h----- C:\Documents and Settings\Chockula\SendTo
    2007-10-04 23:41:55 0 dr-h----- C:\Documents and Settings\Chockula\Recent
    2007-10-04 23:41:55 0 d--h----- C:\Documents and Settings\Chockula\PrintHood
    2007-10-04 23:41:55 1572864 --ah----- C:\Documents and Settings\Chockula\NTUSER.DAT
    2007-10-04 23:41:55 0 d--h----- C:\Documents and Settings\Chockula\NetHood
    2007-10-04 23:41:55 0 dr------- C:\Documents and Settings\Chockula\My Documents
    2007-10-04 23:41:55 0 d--h----- C:\Documents and Settings\Chockula\Local Settings
    2007-10-04 23:41:55 0 dr------- C:\Documents and Settings\Chockula\Favorites
    2007-10-04 23:41:55 0 d-------- C:\Documents and Settings\Chockula\Desktop
    2007-10-04 23:41:55 0 d---s---- C:\Documents and Settings\Chockula\Cookies
    2007-10-04 23:41:55 0 dr-h----- C:\Documents and Settings\Chockula\Application Data
    2007-10-04 23:41:55 0 d---s---- C:\Documents and Settings\Chockula\Application Data\Microsoft
    2007-10-04 23:35:07 0 d-------- C:\WINDOWS\system32\PreInstall
    2007-10-04 23:24:38 0 d---s---- C:\Documents and Settings\Administrator\UserData
    2007-09-09 18:04:30 0 d-------- C:\WINDOWS\Prefetch
    2007-09-09 17:45:03 0 --a------ C:\AUTOEXEC.BAT
    2007-09-09 17:31:57 0 d-------- C:\WINDOWS\system32\Logfiles
    2007-09-09 11:50:43 0 d-------- C:\WINDOWS\Provisioning
    2007-09-09 11:50:43 0 d-------- C:\WINDOWS\PeerNet
    2007-09-09 11:50:43 0 d-------- C:\WINDOWS\ehome


    -- Find3M Report ---------------------------------------------------------------

    2007-10-06 01:12:58 0 d-------- C:\Program Files\Common Files\Symantec Shared
    2007-10-06 01:11:55 0 d-------- C:\Program Files\Symantec
    2007-10-06 01:09:16 0 dr------- C:\Program Files\Common Files
    2007-10-06 01:08:30 0 d-------- C:\Program Files\Hewlett-Packard
    2007-10-05 17:49:22 0 d-------- C:\Program Files\Cowabanga
    2007-10-05 17:49:21 0 d-------- C:\Program Files\BeTheDealerCasino
    2007-10-05 03:35:26 0 d-------- C:\Program Files\Messenger
    2007-09-09 17:40:20 0 d-------- C:\Program Files\Movie Maker
    2007-09-09 17:36:00 26564 --a------ C:\WINDOWS\system32\emptyregdb.dat
    2007-09-09 17:33:19 0 d-------- C:\Program Files\Windows NT


    -- Registry Dump ---------------------------------------------------------------

    *Note* empty entries & legit default entries are not shown


    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "HPDJ Taskbar Utility "= "C:\WINDOWS\SYSTEM32\hpztsb03.exe" [07/05/2001 03:23 PM]
    "Share-to-Web Namespace Daemon "= "C:\Program Files\Hewlett-Packard\PhotoSmart\HP Share-to-Web\hpgs2wnd.exe" [07/03/2001 11:11 AM]
    "CXMon "= "C:\Program Files\Hewlett-Packard\PhotoSmart\Photo Imaging\Hpi_Monitor.exe" [08/09/2001 07:06 PM]
    "LoadPowerProfile "= "powrprof.dll" [08/04/2004 07:00 AM C:\WINDOWS\SYSTEM32\powrprof.dll]
    "ezShieldProtector for Px "= "C:\WINDOWS\System32\ezSP_Px.exe" [08/20/2002 12:29 PM]
    "IPHSend "= "C:\Program Files\Common Files\AOL\IPHSend\IPHSend.exe" [02/17/2006 11:59 AM]
    "iTunesHelper "= "C:\Program Files\iTunes\iTunesHelper.exe" [10/30/2006 10:36 AM]
    "MsmqIntCert "= "regsvr32 /s mqrt.dll" []
    "cnfgCav "= "C:\Program Files\Comodo\Comodo AntiVirus\CMain.exe" [10/05/2007 12:18 AM]
    "!AVG Anti-Spyware "= "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" [06/11/2007 04:25 AM]
    "QuickTime Task "= "C:\Program Files\QuickTime\qttask.exe" [10/25/2006 07:58 PM]

    [HKEY_USERS\.default\software\microsoft\windows\currentversion\run]
    "Pvyl "=C:\WINDOWS\System32\w?aclt.exe
    "Ilru "=C:\Program Files\srho\dset.exe

    C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
    hpoddt01.exe.lnk - C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe [4/6/2003 3:06:58 AM]
    Microsoft Office.lnk - C:\Program Files\Microsoft Office\Office\Osa9.exe [2/17/1999 10:05:56 PM]
    officejet 6100.lnk - C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hposol08.exe [4/6/2003 2:37:38 AM]

    [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]
    "DisableRegistryTools "=0 (0x0)

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
    "{FA010552-4A27-4cb1-A1BB-3E2D697F1639} "= c:\Program Files\InterMute\SpySubtract\sshook.dll [06/05/2005 02:09 AM 77824]

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\monln]
    monln.dll 10/05/2007 12:18 AM 216576 C:\WINDOWS\SYSTEM32\monln.dll

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^DING!.lnk]
    backup=C:\WINDOWS\pss\DING!.lnkCommon Startup

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^MiniMavis.lnk]
    backup=C:\WINDOWS\pss\MiniMavis.lnkCommon Startup

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^nidk.exe]
    path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\nidk.exe
    backup=C:\WINDOWS\pss\nidk.exeCommon Startup

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^SpySubtract.lnk]
    backup=C:\WINDOWS\pss\SpySubtract.lnkCommon Startup

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Symantec Fax Starter Edition Port.lnk]
    path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Symantec Fax Starter Edition Port.lnk
    backup=C:\WINDOWS\pss\Symantec Fax Starter Edition Port.lnkCommon Startup

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^WinZip Quick Pick.lnk]
    backup=C:\WINDOWS\pss\WinZip Quick Pick.lnkCommon Startup
    path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\WinZip Quick Pick.lnk

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^Customer^Start Menu^Programs^Startup^OpenOffice.org 1.1.4.lnk]
    backup=C:\WINDOWS\pss\OpenOffice.org 1.1.4.lnkStartup

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^Customer^Start Menu^Programs^Startup^Webshots.lnk]
    backup=C:\WINDOWS\pss\Webshots.lnkStartup

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\3Cmlink]
    C:\WINDOWS\SYSTEM32\3CMLNKW.EXE

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AcctMgr]
    C:\Program Files\Norton SystemWorks\Password Manager\AcctMgr.exe /startup

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AIM]
    C:\Program Files\AIM\aim.exe -cnetwait.odl

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Aim6]
    "C:\Program Files\AIM6\aim6.exe" /d locale=en-US ee://aol/imApp

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\B'sCLiP]
    C:\PROGRA~1\B'SCLI~1\Win2K\BSCLIP.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\CursorXP]

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ezShieldProtector for Px]
    C:\WINDOWS\System32\ezSP_Px.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\FreeMem Pro]

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HostManager]
    C:\Program Files\Common Files\AOL\1139090306\ee\AOLSoftware.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
    C:\Program Files\iTunes\iTunesHelper.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\KAZAA]
    C:\Program Files\KaZaA\kazaa.exe /SYSTRAY

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
    "C:\Program Files\Messenger\msmsgs.exe" /background

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MySpaceIM]
    C:\Program Files\MySpace\IM\MySpaceIM.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\P2P Networking]

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PeerGuardian]

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PlaxoUpdate]
    C:\Program Files\Plaxo\2.4.1.5\InstallStub.exe -a

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
    "C:\Program Files\QuickTime\qttask.exe" -atboottime

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
    C:\Program Files\Java\jre1.5.0_02\bin\jusched.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Symantec NetDriver Monitor]
    C:\PROGRA~1\SYMNET~1\SNDMon.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TkBellExe]

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Tracks Eraser Pro]

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ViewMgr]
    C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Weather]

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WinampAgent]
    C:\Program Files\Winamp\winampa.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WMC_AutoUpdate]


    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Yahoo! Pager]
    C:\Program Files\Yahoo!\Messenger\ypager.exe -quiet

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\zwuo]
    C:\PROGRA~1\COMMON~1\zwuo\zwuom.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
    "GhostStartService "=2 (0x2)
    "Messenger "=2 (0x2)




    -- End of Deckard's System Scanner: finished at 2007-10-06 14:12:32 ------------
     
    JoeB,
    #3
  5. 2007/10/06
    JoeB (Thread Starter)
    HJT Log

    Logfile of Trend Micro HijackThis v2.0.2
    Scan saved at 1:27:21 AM, on 10/6/2007
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
    Boot mode: Normal

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
    C:\Program Files\Comodo\common\CAVASpy\cavasm.exe
    C:\WINDOWS\System32\gearsec.exe
    C:\WINDOWS\system32\inetsrv\inetinfo.exe
    C:\WINDOWS\system32\tcpsvcs.exe
    C:\WINDOWS\System32\snmp.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\MsPMSPSv.exe
    C:\WINDOWS\System32\mqsvc.exe
    C:\WINDOWS\System32\mqtgsvc.exe
    C:\WINDOWS\Explorer.EXE
    C:\Program Files\Hewlett-Packard\PhotoSmart\HP Share-to-Web\hpgs2wnd.exe
    C:\WINDOWS\System32\ezSP_Px.exe
    C:\PROGRA~1\HEWLET~1\PHOTOS~1\HPSHAR~1\hpgs2wnf.exe
    C:\Program Files\iTunes\iTunesHelper.exe
    C:\Program Files\Comodo\Comodo AntiVirus\CMain.exe
    C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
    C:\Program Files\Messenger\msmsgs.exe
    C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe
    C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hposol08.exe
    C:\Program Files\iPod\bin\iPodService.exe
    C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpoevm08.exe
    C:\Program Files\Comodo\Comodo AntiVirus\Cavaud.exe
    C:\WINDOWS\system32\msiexec.exe
    C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.com/customize/ie/defaults/sb/msgr7/*http://www.yahoo.com/ext/search/search.html
    O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
    O2 - BHO: AOL Toolbar Launcher - {7C554162-8CB7-45A4-B8F4-8EA1C75885F9} - C:\Program Files\AOL\AOL Toolbar 3.0\aoltb.dll
    O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
    O2 - BHO: Windows Live Toolbar Helper - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll
    O3 - Toolbar: AOL Toolbar - {DE9C389F-3316-41A7-809B-AA305ED9D922} - C:\Program Files\AOL\AOL Toolbar 3.0\aoltb.dll
    O3 - Toolbar: Windows Live Toolbar - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll
    O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
    O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\SYSTEM32\hpztsb03.exe
    O4 - HKLM\..\Run: [Share-to-Web Namespace Daemon] C:\Program Files\Hewlett-Packard\PhotoSmart\HP Share-to-Web\hpgs2wnd.exe
    O4 - HKLM\..\Run: [CXMon] "C:\Program Files\Hewlett-Packard\PhotoSmart\Photo Imaging\Hpi_Monitor.exe "
    O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
    O4 - HKLM\..\Run: [ezShieldProtector for Px] C:\WINDOWS\System32\ezSP_Px.exe
    O4 - HKLM\..\Run: [IPHSend] C:\Program Files\Common Files\AOL\IPHSend\IPHSend.exe
    O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe "
    O4 - HKLM\..\Run: [MsmqIntCert] regsvr32 /s mqrt.dll
    O4 - HKLM\..\Run: [cnfgCav] "C:\Program Files\Comodo\Comodo AntiVirus\CMain.exe "
    O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
    O4 - HKLM\..\Run: [MSConfig] C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto
    O4 - HKLM\..\RunOnce: [AOLRebootNeeded] regsvr32.exe /s
    O4 - HKUS\S-1-5-18\..\Run: [Pvyl] C:\WINDOWS\System32\w?aclt.exe (User 'SYSTEM')
    O4 - HKUS\S-1-5-18\..\Run: [Ilru] C:\Program Files\srho\dset.exe (User 'SYSTEM')
    O4 - HKUS\.DEFAULT\..\Run: [Pvyl] C:\WINDOWS\System32\w?aclt.exe (User 'Default user')
    O4 - Global Startup: hpoddt01.exe.lnk = ?
    O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
    O4 - Global Startup: officejet 6100.lnk = ?
    O8 - Extra context menu item: &AOL Toolbar Search - c:\program files\aol\aol toolbar 3.0\resources\en-US\local\search.html
    O8 - Extra context menu item: &Windows Live Search - res://C:\Program Files\Windows Live Toolbar\msntb.dll/search.htm
    O8 - Extra context menu item: Open in new background tab - res://C:\Program Files\Windows Live Toolbar\Components\en-us\msntabres.dll.mui/229?1c36bbcacf5e447baeadcd700de32f41
    O8 - Extra context menu item: Open in new foreground tab - res://C:\Program Files\Windows Live Toolbar\Components\en-us\msntabres.dll.mui/230?1c36bbcacf5e447baeadcd700de32f41
    O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/win...ls/en/x86/client/wuweb_site.cab?1191558620217
    O17 - HKLM\System\CCS\Services\Tcpip\..\{79CACFF6-2FC3-41E7-AD0F-081B9A8DF272}: NameServer = 66.82.4.8
    O20 - Winlogon Notify: monln - C:\WINDOWS\SYSTEM32\monln.dll
    O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
    O23 - Service: Comodo Anti-Virus and Anti-Spyware Service - Comodo Inc. - C:\Program Files\Comodo\common\CAVASpy\cavasm.exe
    O23 - Service: gearsec - GEAR Software - C:\WINDOWS\System32\gearsec.exe
    O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
    O23 - Service: iPod Service - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
    O23 - Service: PACSPTISVR - Unknown owner - C:\PROGRA~1\COMMON~1\SONYSH~1\AVLib\PACSPT~1.EXE
    O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\HPZipm12.exe
    O23 - Service: Sony SPTI Service (SPTISRV) - Sony Corporation - C:\PROGRA~1\COMMON~1\SONYSH~1\AVLib\Sptisrv.exe

    --
    End of file - 6020 bytes
     
    JoeB,
    #4
  6. 2007/10/06
    noahdfear
    Scan again with HijackThis and place a check next to the following entries, close all other windows and click Fix Checked.

    O4 - HKLM\..\Run: [MSConfig] C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto
    O4 - HKLM\..\RunOnce: [AOLRebootNeeded] regsvr32.exe /s
    O4 - HKUS\S-1-5-18\..\Run: [Pvyl] C:\WINDOWS\System32\w?aclt.exe (User 'SYSTEM')
    O4 - HKUS\S-1-5-18\..\Run: [Ilru] C:\Program Files\srho\dset.exe (User 'SYSTEM')
    O4 - HKUS\.DEFAULT\..\Run: [Pvyl] C:\WINDOWS\System32\w?aclt.exe (User 'Default user')

    Close HijackThis.

    Delete the following folders if present.

    C:\Program Files\srho
    C:\Program Files\Common Files\zwuo

    Locate and delete the following file if present. Probably named wuaclt.exe

    C:\WINDOWS\system32\w?aclt.exe

    Be careful, as there may be a legitimate Microsoft system file with the same name, and also a legitimate one named wuauclt.exe. Right-click the file(s) and check their properties if in doubt.

    You also need to delete the following folder, likely named Microsoft.

    C:\WINDOWS\system32\?icrosoft

    Again, proceed with caution here. There will probably be two folders with the same name. The legitimate Microsoft folder has a subfolder named Protect. If in doubt, check the contents of each and let me know what you find.

    I also see remnants of a zlob infection, so let's run a tool to check for and remove it. Download SmitfraudFix by S!Ri, saving it to the desktop.

    • Restart the computer in Safe Mode by tapping the F8 key upon startup and selecting Safe Mode from the Advanced Startup Menu. Log on to your account.
    • Double-click SmitfraudFix.exe to start the tool and press 2, then hit Enter.
    • When prompted 'Do you want to clean the registry?', answer Y (yes) and hit Enter.
    • If prompted to replace the infected wininet.dll file (if found), answer Y (yes) and hit Enter to restore a clean file.
    • Reboot to normal mode when the tool completes.

    Post the contents of C:\rapport.txt and a fresh dss log.
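A check for the two look-alike names described in the post above, written here as an added example (it is not SmitfraudFix, DSS or any code from the thread): it flags a name that a console log would show with a '?' (a non-ASCII character), a name one edit away from wuauclt.exe, and a folder named Microsoft that lacks the Protect subfolder. The directory listing in the block is constructed for the demo, not the poster's real system.

```python
import unicodedata

# Known-good names referenced in the post, with the kind of entry each is.
# Comparison is case-insensitive, as on NTFS.
LEGIT = {"wuauclt.exe": "file", "microsoft": "dir"}


def console_view(name):
    """How an ANSI console log (like the DSS/HJT output above) shows a name:
    every character outside 7-bit ASCII is printed as '?'."""
    return "".join(c if ord(c) < 0x80 else "?" for c in name)


def fold(name):
    """Lower-case ASCII skeleton: decompose accented letters, then drop
    whatever is left outside ASCII (Cyrillic, Greek, fullwidth forms, ...)."""
    return (unicodedata.normalize("NFKD", name)
            .encode("ascii", "ignore").decode().lower())


def edit_distance(a, b):
    """Levenshtein distance (insert/delete/substitute); inline helper so the
    block runs with the standard library only."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1,
                           prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def suspicious_reasons(entry):
    """entry = {"name": str, "kind": "file" | "dir", "children": set of names}.
    Returns the reasons the entry looks like an impostor (empty list if clean)."""
    name, reasons = entry["name"], []
    odd = [c for c in name if ord(c) > 0x7F]
    if odd:
        reasons.append("non-ASCII characters: " + ", ".join(
            f"U+{ord(c):04X} ({unicodedata.name(c, '?')})" for c in odd))
    skeleton = fold(name)
    for legit, kind in LEGIT.items():
        if entry["kind"] != kind:
            continue
        if name.lower() == legit:
            # Exact legitimate name. The post's tell for the real Microsoft
            # folder is its Protect subfolder; one without it is the impostor.
            if legit == "microsoft" and "protect" not in {
                    c.lower() for c in entry["children"]}:
                reasons.append("named Microsoft but has no Protect subfolder")
        elif edit_distance(skeleton, legit) <= 1:
            reasons.append(f"look-alike of legitimate {kind} {legit!r} "
                           f"(console shows it as {console_view(name)!r})")
    return reasons


def scan(listing):
    """Map each suspicious entry's name to its list of reasons."""
    result = {}
    for entry in listing:
        reasons = suspicious_reasons(entry)
        if reasons:
            result[entry["name"]] = reasons
    return result


# Constructed listing (not the poster's real system32): the real wuauclt.exe
# and Microsoft folder beside a missing-letter file and a folder whose first
# letter is CYRILLIC CAPITAL LETTER EM (U+041C), which a console logs as '?'.
SAMPLE_SYSTEM32 = [
    {"name": "wuauclt.exe", "kind": "file", "children": set()},
    {"name": "wuaclt.exe", "kind": "file", "children": set()},
    {"name": "Microsoft", "kind": "dir", "children": {"Protect", "Crypto"}},
    {"name": "\u041cicrosoft", "kind": "dir", "children": {"svc.exe"}},
    {"name": "svchost.exe", "kind": "file", "children": set()},
]

if __name__ == "__main__":
    for name, reasons in scan(SAMPLE_SYSTEM32).items():
        print(f"{console_view(name)!r} (actual {name!r}):")
        for reason in reasons:
            print("   -", reason)
```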
     
  7. 2007/10/06
    JoeB (Thread Starter)
    Fresh DSS Log, HJT Log, & Smitfraud Log

    Logfile of Trend Micro HijackThis v2.0.2
    Scan saved at 9:11:38 PM, on 10/6/2007
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
    Boot mode: Normal

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
    C:\Program Files\Comodo\common\CAVASpy\cavasm.exe
    C:\WINDOWS\System32\gearsec.exe
    C:\WINDOWS\system32\inetsrv\inetinfo.exe
    C:\WINDOWS\system32\tcpsvcs.exe
    C:\WINDOWS\System32\snmp.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\MsPMSPSv.exe
    C:\WINDOWS\system32\fxssvc.exe
    C:\WINDOWS\System32\mqsvc.exe
    C:\WINDOWS\Explorer.EXE
    C:\Program Files\Hewlett-Packard\PhotoSmart\HP Share-to-Web\hpgs2wnd.exe
    C:\WINDOWS\System32\ezSP_Px.exe
    C:\Program Files\iTunes\iTunesHelper.exe
    C:\Program Files\Comodo\Comodo AntiVirus\CMain.exe
    C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
    C:\Program Files\QuickTime\qttask.exe
    C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe
    C:\WINDOWS\System32\mqtgsvc.exe
    C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hposol08.exe
    C:\PROGRA~1\HEWLET~1\PHOTOS~1\HPSHAR~1\hpgs2wnf.exe
    C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpoevm08.exe
    C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
    C:\WINDOWS\system32\wuauclt.exe

    O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
    O2 - BHO: AOL Toolbar Launcher - {7C554162-8CB7-45A4-B8F4-8EA1C75885F9} - C:\Program Files\AOL\AOL Toolbar 3.0\aoltb.dll
    O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
    O2 - BHO: Windows Live Toolbar Helper - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll
    O3 - Toolbar: AOL Toolbar - {DE9C389F-3316-41A7-809B-AA305ED9D922} - C:\Program Files\AOL\AOL Toolbar 3.0\aoltb.dll
    O3 - Toolbar: Windows Live Toolbar - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll
    O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
    O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\SYSTEM32\hpztsb03.exe
    O4 - HKLM\..\Run: [Share-to-Web Namespace Daemon] C:\Program Files\Hewlett-Packard\PhotoSmart\HP Share-to-Web\hpgs2wnd.exe
    O4 - HKLM\..\Run: [CXMon] "C:\Program Files\Hewlett-Packard\PhotoSmart\Photo Imaging\Hpi_Monitor.exe "
    O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
    O4 - HKLM\..\Run: [ezShieldProtector for Px] C:\WINDOWS\System32\ezSP_Px.exe
    O4 - HKLM\..\Run: [IPHSend] C:\Program Files\Common Files\AOL\IPHSend\IPHSend.exe
    O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe "
    O4 - HKLM\..\Run: [MsmqIntCert] regsvr32 /s mqrt.dll
    O4 - HKLM\..\Run: [cnfgCav] "C:\Program Files\Comodo\Comodo AntiVirus\CMain.exe "
    O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - Global Startup: hpoddt01.exe.lnk = ?
    O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
    O4 - Global Startup: officejet 6100.lnk = ?
    O8 - Extra context menu item: &AOL Toolbar Search - c:\program files\aol\aol toolbar 3.0\resources\en-US\local\search.html
    O8 - Extra context menu item: &Windows Live Search - res://C:\Program Files\Windows Live Toolbar\msntb.dll/search.htm
    O8 - Extra context menu item: Open in new background tab - res://C:\Program Files\Windows Live Toolbar\Components\en-us\msntabres.dll.mui/229?1c36bbcacf5e447baeadcd700de32f41
    O8 - Extra context menu item: Open in new foreground tab - res://C:\Program Files\Windows Live Toolbar\Components\en-us\msntabres.dll.mui/230?1c36bbcacf5e447baeadcd700de32f41
    O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/win...ls/en/x86/client/wuweb_site.cab?1191558620217
    O17 - HKLM\System\CCS\Services\Tcpip\..\{79CACFF6-2FC3-41E7-AD0F-081B9A8DF272}: NameServer = 66.82.4.8
    O20 - Winlogon Notify: monln - C:\WINDOWS\SYSTEM32\monln.dll
    O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
    O23 - Service: Comodo Anti-Virus and Anti-Spyware Service - Comodo Inc. - C:\Program Files\Comodo\common\CAVASpy\cavasm.exe
    O23 - Service: gearsec - GEAR Software - C:\WINDOWS\System32\gearsec.exe
    O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
    O23 - Service: iPod Service - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
    O23 - Service: PACSPTISVR - Unknown owner - C:\PROGRA~1\COMMON~1\SONYSH~1\AVLib\PACSPT~1.EXE
    O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\HPZipm12.exe
    O23 - Service: Sony SPTI Service (SPTISRV) - Sony Corporation - C:\PROGRA~1\COMMON~1\SONYSH~1\AVLib\Sptisrv.exe

    --
    End of file - 5396 bytes

    SmitFraudFix v2.239

    Scan done at 20:53:48.25, Sat 10/06/2007
    Run from C:\Documents and Settings\Administrator\Desktop\SmitfraudFix
    OS: Microsoft Windows XP [Version 5.1.2600] - Windows_NT
    The filesystem type is NTFS
    Fix run in safe mode

    »»»»»»»»»»»»»»»»»»»»»»»» SharedTaskScheduler Before SmitFraudFix
    !!!Attention, following keys are not inevitably infected!!!

    SrchSTS.exe by S!Ri
    Search SharedTaskScheduler's .dll

    »»»»»»»»»»»»»»»»»»»»»»»» Killing process


    »»»»»»»»»»»»»»»»»»»»»»»» hosts

    127.0.0.1 localhost

    »»»»»»»»»»»»»»»»»»»»»»»» Winsock2 Fix

    S!Ri's WS2Fix: LSP not Found.


    »»»»»»»»»»»»»»»»»»»»»»»» Generic Renos Fix

    GenericRenosFix by S!Ri


    »»»»»»»»»»»»»»»»»»»»»»»» Deleting infected files

    C:\WINDOWS\warnhp.html Deleted
    C:\WINDOWS\system32\migicons.exe Deleted
    C:\WINDOWS\system32\ot.ico Deleted
    C:\WINDOWS\system32\ts.ico Deleted
    C:\DOCUME~1\ALLUSE~1\STARTM~1\Online Security Guide.url Deleted
    C:\DOCUME~1\ALLUSE~1\STARTM~1\Security Troubleshooting.url Deleted
    C:\Program Files\VirusBursters\ Deleted

    »»»»»»»»»»»»»»»»»»»»»»»» DNS

    HKLM\SYSTEM\CCS\Services\Tcpip\..\{79CACFF6-2FC3-41E7-AD0F-081B9A8DF272}: NameServer=66.82.4.8
    HKLM\SYSTEM\CCS\Services\Tcpip\..\{AAC04808-C1CF-4455-BA04-ADAACBEFCB81}: DhcpNameServer=66.82.4.8
    HKLM\SYSTEM\CS1\Services\Tcpip\..\{79CACFF6-2FC3-41E7-AD0F-081B9A8DF272}: NameServer=66.82.4.8
    HKLM\SYSTEM\CS1\Services\Tcpip\..\{AAC04808-C1CF-4455-BA04-ADAACBEFCB81}: DhcpNameServer=66.82.4.8
    HKLM\SYSTEM\CCS\Services\Tcpip\Parameters: DhcpNameServer=66.82.4.8
    HKLM\SYSTEM\CS1\Services\Tcpip\Parameters: DhcpNameServer=66.82.4.8


    »»»»»»»»»»»»»»»»»»»»»»»» Deleting Temp Files


    »»»»»»»»»»»»»»»»»»»»»»»» Winlogon.System
    !!!Attention, following keys are not inevitably infected!!!

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
    "System "=" "


    »»»»»»»»»»»»»»»»»»»»»»»» Registry Cleaning

    Registry Cleaning done.

    »»»»»»»»»»»»»»»»»»»»»»»» SharedTaskScheduler After SmitFraudFix
    !!!Attention, following keys are not inevitably infected!!!

    SrchSTS.exe by S!Ri
    Search SharedTaskScheduler's .dll


    »»»»»»»»»»»»»»»»»»»»»»»» End

    Deckard's System Scanner v20070905.67
    Run by Administrator on 2007-10-06 21:13:38
    Computer is in Normal Mode.
    --------------------------------------------------------------------------------

    Total Physical Memory: 320 MiB (512 MiB recommended).


    -- HijackThis (run as Administrator.exe) ---------------------------------------

    Logfile of Trend Micro HijackThis v2.0.2
    Scan saved at 9:15:11 PM, on 10/6/2007
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
    Boot mode: Normal

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
    C:\Program Files\Comodo\common\CAVASpy\cavasm.exe
    C:\WINDOWS\System32\gearsec.exe
    C:\WINDOWS\system32\inetsrv\inetinfo.exe
    C:\WINDOWS\system32\tcpsvcs.exe
    C:\WINDOWS\System32\snmp.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\MsPMSPSv.exe
    C:\WINDOWS\System32\mqsvc.exe
    C:\WINDOWS\Explorer.EXE
    C:\Program Files\Hewlett-Packard\PhotoSmart\HP Share-to-Web\hpgs2wnd.exe
    C:\WINDOWS\System32\ezSP_Px.exe
    C:\Program Files\iTunes\iTunesHelper.exe
    C:\Program Files\Comodo\Comodo AntiVirus\CMain.exe
    C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
    C:\Program Files\QuickTime\qttask.exe
    C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe
    C:\WINDOWS\System32\mqtgsvc.exe
    C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hposol08.exe
    C:\PROGRA~1\HEWLET~1\PHOTOS~1\HPSHAR~1\hpgs2wnf.exe
    C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpoevm08.exe
    C:\WINDOWS\system32\wuauclt.exe
    C:\Program Files\iPod\bin\iPodService.exe
    C:\Program Files\Comodo\Comodo AntiVirus\Cavaud.exe
    C:\Documents and Settings\Administrator\Desktop\dss.exe
    C:\PROGRA~1\TRENDM~1\HIJACK~1\ADMINI~1.EXE
    C:\Program Files\Internet Explorer\iexplore.exe

    O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
    O2 - BHO: AOL Toolbar Launcher - {7C554162-8CB7-45A4-B8F4-8EA1C75885F9} - C:\Program Files\AOL\AOL Toolbar 3.0\aoltb.dll
    O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
    O2 - BHO: Windows Live Toolbar Helper - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll
    O3 - Toolbar: AOL Toolbar - {DE9C389F-3316-41A7-809B-AA305ED9D922} - C:\Program Files\AOL\AOL Toolbar 3.0\aoltb.dll
    O3 - Toolbar: Windows Live Toolbar - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll
    O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
    O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\SYSTEM32\hpztsb03.exe
    O4 - HKLM\..\Run: [Share-to-Web Namespace Daemon] C:\Program Files\Hewlett-Packard\PhotoSmart\HP Share-to-Web\hpgs2wnd.exe
    O4 - HKLM\..\Run: [CXMon] "C:\Program Files\Hewlett-Packard\PhotoSmart\Photo Imaging\Hpi_Monitor.exe "
    O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
    O4 - HKLM\..\Run: [ezShieldProtector for Px] C:\WINDOWS\System32\ezSP_Px.exe
    O4 - HKLM\..\Run: [IPHSend] C:\Program Files\Common Files\AOL\IPHSend\IPHSend.exe
    O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe "
    O4 - HKLM\..\Run: [MsmqIntCert] regsvr32 /s mqrt.dll
    O4 - HKLM\..\Run: [cnfgCav] "C:\Program Files\Comodo\Comodo AntiVirus\CMain.exe "
    O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - Global Startup: hpoddt01.exe.lnk = ?
    O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
    O4 - Global Startup: officejet 6100.lnk = ?
    O8 - Extra context menu item: &AOL Toolbar Search - c:\program files\aol\aol toolbar 3.0\resources\en-US\local\search.html
    O8 - Extra context menu item: &Windows Live Search - res://C:\Program Files\Windows Live Toolbar\msntb.dll/search.htm
    O8 - Extra context menu item: Open in new background tab - res://C:\Program Files\Windows Live Toolbar\Components\en-us\msntabres.dll.mui/229?1c36bbcacf5e447baeadcd700de32f41
    O8 - Extra context menu item: Open in new foreground tab - res://C:\Program Files\Windows Live Toolbar\Components\en-us\msntabres.dll.mui/230?1c36bbcacf5e447baeadcd700de32f41
    O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/win...ls/en/x86/client/wuweb_site.cab?1191558620217
    O17 - HKLM\System\CCS\Services\Tcpip\..\{79CACFF6-2FC3-41E7-AD0F-081B9A8DF272}: NameServer = 66.82.4.8
    O20 - Winlogon Notify: monln - C:\WINDOWS\SYSTEM32\monln.dll
    O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
    O23 - Service: Comodo Anti-Virus and Anti-Spyware Service - Comodo Inc. - C:\Program Files\Comodo\common\CAVASpy\cavasm.exe
    O23 - Service: gearsec - GEAR Software - C:\WINDOWS\System32\gearsec.exe
    O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
    O23 - Service: iPod Service - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
    O23 - Service: PACSPTISVR - Unknown owner - C:\PROGRA~1\COMMON~1\SONYSH~1\AVLib\PACSPT~1.EXE
    O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\HPZipm12.exe
    O23 - Service: Sony SPTI Service (SPTISRV) - Sony Corporation - C:\PROGRA~1\COMMON~1\SONYSH~1\AVLib\Sptisrv.exe

    --
    End of file - 5554 bytes

    -- Files created between 2007-09-06 and 2007-10-06 -----------------------------

    2007-10-06 20:54:10 3968 --a------ C:\WINDOWS\system32\tmp.reg
    2007-10-06 20:53:18 25600 --a------ C:\WINDOWS\system32\WS2Fix.exe
    2007-10-06 20:53:18 289144 --a------ C:\WINDOWS\system32\VCCLSID.exe <Not Verified; S!Ri; >
    2007-10-06 20:53:18 288417 --a------ C:\WINDOWS\system32\SrchSTS.exe <Not Verified; S!Ri; SrchSTS>
    2007-10-06 20:53:18 53248 --a------ C:\WINDOWS\system32\Process.exe <Not Verified; http://www.beyondlogic.org; Command Line Process Utility>
    2007-10-06 20:53:18 51200 --a------ C:\WINDOWS\system32\dumphive.exe
    2007-10-06 13:02:05 0 d-------- C:\Documents and Settings\Joosh\Application Data\Talkback
    2007-10-06 13:01:58 0 d-------- C:\Documents and Settings\Joosh\Application Data\Mozilla
    2007-10-06 12:25:13 0 d-------- C:\Documents and Settings\Joosh\Application Data\Comodo AntiVirus
    2007-10-06 12:12:33 0 d-------- C:\Documents and Settings\Joosh\Application Data\Macromedia
    2007-10-06 12:10:06 0 d-------- C:\Documents and Settings\Joosh\Application Data\Grisoft
    2007-10-06 12:09:46 0 d-------- C:\Documents and Settings\Joosh\Application Data\Share-to-Web Upload Folder
    2007-10-06 12:08:43 0 d-------- C:\Documents and Settings\Joosh\Application Data\Identities
    2007-10-06 12:08:05 0 d--h----- C:\Documents and Settings\Joosh\Templates
    2007-10-06 12:08:05 0 dr------- C:\Documents and Settings\Joosh\Start Menu
    2007-10-06 12:08:05 0 dr-h----- C:\Documents and Settings\Joosh\SendTo
    2007-10-06 12:08:05 0 dr-h----- C:\Documents and Settings\Joosh\Recent
    2007-10-06 12:08:05 0 d--h----- C:\Documents and Settings\Joosh\PrintHood
    2007-10-06 12:08:05 1310720 --ah----- C:\Documents and Settings\Joosh\NTUSER.DAT
    2007-10-06 12:08:05 0 d--h----- C:\Documents and Settings\Joosh\NetHood
    2007-10-06 12:08:05 0 dr------- C:\Documents and Settings\Joosh\My Documents
    2007-10-06 12:08:05 0 d--h----- C:\Documents and Settings\Joosh\Local Settings
    2007-10-06 12:08:05 0 dr------- C:\Documents and Settings\Joosh\Favorites
    2007-10-06 12:08:05 0 d-------- C:\Documents and Settings\Joosh\Desktop
    2007-10-06 12:08:05 0 d---s---- C:\Documents and Settings\Joosh\Cookies
    2007-10-06 12:08:05 0 dr-h----- C:\Documents and Settings\Joosh\Application Data
    2007-10-06 12:08:05 0 d---s---- C:\Documents and Settings\Joosh\Application Data\Microsoft
    2007-10-06 01:23:58 0 d-------- C:\Program Files\Trend Micro
    2007-10-05 21:18:51 0 d-------- C:\Documents and Settings\Administrator\Application Data\Grisoft
    2007-10-05 21:18:27 0 d-------- C:\Documents and Settings\All Users\Application Data\Grisoft
    2007-10-05 20:16:11 139536 --a------ C:\WINDOWS\system32\javaee.dll <Not Verified; Microsoft Corporation; Microsoft(R) Windows (R) Operating System>
    2007-10-05 18:46:07 0 d-------- C:\Documents and Settings\DAVID BRAHLER\Application Data\MySpace
    2007-10-05 18:45:50 0 d-------- C:\WINDOWS\system32\?icrosoft
    2007-10-05 16:47:14 0 d-------- C:\Documents and Settings\Administrator\Application Data\MySpace
    2007-10-05 16:46:54 0 d-------- C:\Program Files\MySpace
    2007-10-05 16:19:20 0 d-------- C:\Documents and Settings\Administrator\Application Data\Apple Computer
    2007-10-05 13:35:11 0 d-------- C:\Documents and Settings\Chockula\Application Data\Comodo AntiVirus
    2007-10-05 13:22:48 0 d-------- C:\Documents and Settings\Chockula\Application Data\Macromedia
    2007-10-05 12:57:15 0 d-------- C:\Documents and Settings\Tiki\Application Data\Share-to-Web Upload Folder
    2007-10-05 07:35:21 0 d-------- C:\Documents and Settings\Tiki\Application Data\Identities
    2007-10-05 07:34:41 0 dr------- C:\Documents and Settings\Tiki\Favorites
    2007-10-05 07:34:41 0 d-------- C:\Documents and Settings\Tiki\Desktop
    2007-10-05 07:34:41 0 d---s---- C:\Documents and Settings\Tiki\Cookies
    2007-10-05 07:34:41 0 dr-h----- C:\Documents and Settings\Tiki\Application Data
    2007-10-05 07:34:41 0 d---s---- C:\Documents and Settings\Tiki\Application Data\Microsoft
    2007-10-05 07:34:40 0 d--h----- C:\Documents and Settings\Tiki\Templates
    2007-10-05 07:34:40 0 dr------- C:\Documents and Settings\Tiki\Start Menu
    2007-10-05 07:34:40 0 dr-h----- C:\Documents and Settings\Tiki\SendTo
    2007-10-05 07:34:40 0 dr-h----- C:\Documents and Settings\Tiki\Recent
    2007-10-05 07:34:40 0 d--h----- C:\Documents and Settings\Tiki\PrintHood
    2007-10-05 07:34:40 1310720 --ah----- C:\Documents and Settings\Tiki\NTUSER.DAT
    2007-10-05 07:34:40 0 d--h----- C:\Documents and Settings\Tiki\NetHood
    2007-10-05 07:34:40 0 dr------- C:\Documents and Settings\Tiki\My Documents
    2007-10-05 07:34:40 0 d--h----- C:\Documents and Settings\Tiki\Local Settings
    2007-10-05 00:19:46 73728 --a------ C:\WINDOWS\system32\CavEmLSP.dll <Not Verified; COMODO; Comodo AntiVirus.>
    2007-10-05 00:19:27 102400 --a------ C:\WINDOWS\system32\drivers\cavasm.sys <Not Verified; Comodo Inc.; Comodo Anti-Viruspyware>
    2007-10-05 00:19:13 0 d-------- C:\Documents and Settings\All Users\Application Data\Comodo
    2007-10-05 00:19:07 216576 --a------ C:\WINDOWS\system32\monln.dll <Not Verified; Comodo Inc.; Comodo Anti-Viruspyware>
    2007-10-05 00:18:55 0 d-------- C:\Program Files\Comodo
    2007-10-04 23:42:33 0 d-------- C:\Documents and Settings\Chockula\Application Data\Share-to-Web Upload Folder
    2007-10-04 23:42:14 0 d-------- C:\Documents and Settings\Chockula\Application Data\Identities
    2007-10-04 23:41:55 0 d--h----- C:\Documents and Settings\Chockula\Templates
    2007-10-04 23:41:55 0 dr------- C:\Documents and Settings\Chockula\Start Menu
    2007-10-04 23:41:55 0 dr-h----- C:\Documents and Settings\Chockula\SendTo
    2007-10-04 23:41:55 0 dr-h----- C:\Documents and Settings\Chockula\Recent
    2007-10-04 23:41:55 0 d--h----- C:\Documents and Settings\Chockula\PrintHood
    2007-10-04 23:41:55 1572864 --ah----- C:\Documents and Settings\Chockula\NTUSER.DAT
    2007-10-04 23:41:55 0 d--h----- C:\Documents and Settings\Chockula\NetHood
    2007-10-04 23:41:55 0 dr------- C:\Documents and Settings\Chockula\My Documents
    2007-10-04 23:41:55 0 d--h----- C:\Documents and Settings\Chockula\Local Settings
    2007-10-04 23:41:55 0 dr------- C:\Documents and Settings\Chockula\Favorites
    2007-10-04 23:41:55 0 d-------- C:\Documents and Settings\Chockula\Desktop
    2007-10-04 23:41:55 0 d---s---- C:\Documents and Settings\Chockula\Cookies
    2007-10-04 23:41:55 0 dr-h----- C:\Documents and Settings\Chockula\Application Data
    2007-10-04 23:41:55 0 d---s---- C:\Documents and Settings\Chockula\Application Data\Microsoft
    2007-10-04 23:35:07 0 d-------- C:\WINDOWS\system32\PreInstall
    2007-10-04 23:24:38 0 d---s---- C:\Documents and Settings\Administrator\UserData
    2007-09-09 18:04:30 0 d-------- C:\WINDOWS\Prefetch
    2007-09-09 17:45:03 0 --a------ C:\AUTOEXEC.BAT
    2007-09-09 17:31:57 0 d-------- C:\WINDOWS\system32\Logfiles
    2007-09-09 11:50:43 0 d-------- C:\WINDOWS\Provisioning
    2007-09-09 11:50:43 0 d-------- C:\WINDOWS\PeerNet
    2007-09-09 11:50:43 0 d-------- C:\WINDOWS\ehome


    -- Find3M Report ---------------------------------------------------------------

    2007-10-06 20:41:59 0 dr------- C:\Program Files\Common Files
    2007-10-06 01:12:58 0 d-------- C:\Program Files\Common Files\Symantec Shared
    2007-10-06 01:11:55 0 d-------- C:\Program Files\Symantec
    2007-10-06 01:08:30 0 d-------- C:\Program Files\Hewlett-Packard
    2007-10-05 17:49:22 0 d-------- C:\Program Files\Cowabanga
    2007-10-05 17:49:21 0 d-------- C:\Program Files\BeTheDealerCasino
    2007-10-05 03:35:26 0 d-------- C:\Program Files\Messenger
    2007-09-09 17:40:20 0 d-------- C:\Program Files\Movie Maker
    2007-09-09 17:36:00 26564 --a------ C:\WINDOWS\system32\emptyregdb.dat
    2007-09-09 17:33:19 0 d-------- C:\Program Files\Windows NT


    -- Registry Dump ---------------------------------------------------------------

    *Note* empty entries & legit default entries are not shown


    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "HPDJ Taskbar Utility "= "C:\WINDOWS\SYSTEM32\hpztsb03.exe" [07/05/2001 03:23 PM]
    "Share-to-Web Namespace Daemon "= "C:\Program Files\Hewlett-Packard\PhotoSmart\HP Share-to-Web\hpgs2wnd.exe" [07/03/2001 11:11 AM]
    "CXMon "= "C:\Program Files\Hewlett-Packard\PhotoSmart\Photo Imaging\Hpi_Monitor.exe" [08/09/2001 07:06 PM]
    "LoadPowerProfile "= "powrprof.dll" [08/04/2004 07:00 AM C:\WINDOWS\SYSTEM32\powrprof.dll]
    "ezShieldProtector for Px "= "C:\WINDOWS\System32\ezSP_Px.exe" [08/20/2002 12:29 PM]
    "IPHSend "= "C:\Program Files\Common Files\AOL\IPHSend\IPHSend.exe" [02/17/2006 11:59 AM]
    "iTunesHelper "= "C:\Program Files\iTunes\iTunesHelper.exe" [10/30/2006 10:36 AM]
    "MsmqIntCert "= "regsvr32 /s mqrt.dll" []
    "cnfgCav "= "C:\Program Files\Comodo\Comodo AntiVirus\CMain.exe" [10/05/2007 12:18 AM]
    "!AVG Anti-Spyware "= "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" [06/11/2007 04:25 AM]
    "QuickTime Task "= "C:\Program Files\QuickTime\qttask.exe" [10/25/2006 07:58 PM]

    C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
    hpoddt01.exe.lnk - C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe [4/6/2003 3:06:58 AM]
    Microsoft Office.lnk - C:\Program Files\Microsoft Office\Office\Osa9.exe [2/17/1999 10:05:56 PM]
    officejet 6100.lnk - C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hposol08.exe [4/6/2003 2:37:38 AM]

    [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]
    "DisableRegistryTools "=0 (0x0)

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
    "{FA010552-4A27-4cb1-A1BB-3E2D697F1639} "= c:\Program Files\InterMute\SpySubtract\sshook.dll [06/05/2005 02:09 AM 77824]

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\monln]
    monln.dll 10/05/2007 12:18 AM 216576 C:\WINDOWS\SYSTEM32\monln.dll

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^DING!.lnk]
    backup=C:\WINDOWS\pss\DING!.lnkCommon Startup

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^MiniMavis.lnk]
    backup=C:\WINDOWS\pss\MiniMavis.lnkCommon Startup

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^nidk.exe]
    path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\nidk.exe
    backup=C:\WINDOWS\pss\nidk.exeCommon Startup

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^SpySubtract.lnk]
    backup=C:\WINDOWS\pss\SpySubtract.lnkCommon Startup

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Symantec Fax Starter Edition Port.lnk]
    path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Symantec Fax Starter Edition Port.lnk
    backup=C:\WINDOWS\pss\Symantec Fax Starter Edition Port.lnkCommon Startup

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^WinZip Quick Pick.lnk]
    backup=C:\WINDOWS\pss\WinZip Quick Pick.lnkCommon Startup
    path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\WinZip Quick Pick.lnk

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^Customer^Start Menu^Programs^Startup^OpenOffice.org 1.1.4.lnk]
    backup=C:\WINDOWS\pss\OpenOffice.org 1.1.4.lnkStartup

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^Customer^Start Menu^Programs^Startup^Webshots.lnk]
    backup=C:\WINDOWS\pss\Webshots.lnkStartup

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\3Cmlink]
    C:\WINDOWS\SYSTEM32\3CMLNKW.EXE

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AcctMgr]
    C:\Program Files\Norton SystemWorks\Password Manager\AcctMgr.exe /startup

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AIM]
    C:\Program Files\AIM\aim.exe -cnetwait.odl

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Aim6]
    "C:\Program Files\AIM6\aim6.exe" /d locale=en-US ee://aol/imApp

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\B'sCLiP]
    C:\PROGRA~1\B'SCLI~1\Win2K\BSCLIP.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\CursorXP]

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ezShieldProtector for Px]
    C:\WINDOWS\System32\ezSP_Px.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\FreeMem Pro]

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HostManager]
    C:\Program Files\Common Files\AOL\1139090306\ee\AOLSoftware.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
    C:\Program Files\iTunes\iTunesHelper.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\KAZAA]
    C:\Program Files\KaZaA\kazaa.exe /SYSTRAY

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
    "C:\Program Files\Messenger\msmsgs.exe" /background

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MySpaceIM]
    C:\Program Files\MySpace\IM\MySpaceIM.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\P2P Networking]

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PeerGuardian]

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PlaxoUpdate]
    C:\Program Files\Plaxo\2.4.1.5\InstallStub.exe -a

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
    "C:\Program Files\QuickTime\qttask.exe" -atboottime

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
    C:\Program Files\Java\jre1.5.0_02\bin\jusched.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Symantec NetDriver Monitor]
    C:\PROGRA~1\SYMNET~1\SNDMon.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TkBellExe]

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Tracks Eraser Pro]

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ViewMgr]
    C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Weather]

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WinampAgent]
    C:\Program Files\Winamp\winampa.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WMC_AutoUpdate]


    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Yahoo! Pager]
    C:\Program Files\Yahoo!\Messenger\ypager.exe -quiet

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\zwuo]
    C:\PROGRA~1\COMMON~1\zwuo\zwuom.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
    "GhostStartService "=2 (0x2)
    "Messenger "=2 (0x2)




    -- End of Deckard's System Scanner: finished at 2007-10-06 21:17:39 ------------
     
    JoeB,
    #6
  8. 2007/10/06
    noahdfear

    noahdfear Inactive

    Joined:
    2003/04/06
    Messages:
    12,178
    Likes Received:
    15
    Looks good ..... mostly. Were you not able to find or identify the following folder?

    C:\WINDOWS\system32\?icrosoft

    How's your computer performing now?
     
  9. 2007/10/06
    JoeB

    JoeB Inactive Thread Starter

    Joined:
    2007/05/21
    Messages:
    71
    Likes Received:
    0
    Dave,

    I was not able to identify the following folder: C:\WINDOWS\system32\?icrosoft. Where do I go to look for it? Also, I noticed that the computer takes a long time to start up on boot. I get a message about Windows Firewall being turned off, but it's turned on. I have about 320 MB of RAM and was wondering if I need to bump it up to 512. It's an older computer with a 400 MHz processor and I realize that it has its limitations.

    Thanks for any additional advice
    Joe
     
    JoeB,
    #8
  10. 2007/10/07
    noahdfear

    noahdfear Inactive

    Joined:
    2003/04/06
    Messages:
    12,178
    Likes Received:
    15
    Open My Computer>Local Disk C:>Windows>system32
    The folder you're looking for is probably named Microsoft, and there are likely 2 of them. One is a rogue, the other legitimate. If not, look for any other folder with icrosoft in its name, and that should be the rogue.

    If you find 2 Microsoft folders, open them to check their contents. The legitimate one has a folder in it named Protect.
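As an added example (not noahdfear's or JoeB's code), a small Python triage script that applies the check above to a folder listing: it flags every subfolder whose name resolves to "Microsoft" only after dropping non-ASCII, invisible or look-alike characters, or that differs from it by one substituted character, and reports whether each candidate contains the "Protect" marker subfolder. The sample directory tree, the confusable-character table and the folder-name variants are constructed for the demonstration.

```python
"""Look-alike folder triage for the "?icrosoft" check in the thread (added
example): list subfolders of a directory whose name resolves to "Microsoft"
once odd characters are folded away, and see which one holds "Protect"."""
import os
import tempfile
import unicodedata
from dataclasses import dataclass

CANONICAL = "Microsoft"
MARKER_SUBFOLDER = "Protect"  # per the thread: only the legitimate folder has it
# Cyrillic letters often swapped for Latin look-alikes (assumed, partial table).
CONFUSABLES = str.maketrans({"\u041c": "M", "\u043e": "o", "\u0441": "c",
                             "\u0455": "s", "\u0456": "i", "\u0430": "a"})

@dataclass
class Finding:
    name: str
    lookalike: bool   # False only for the exact canonical spelling
    reason: str
    has_marker: bool  # marker subfolder present inside this candidate

def skeleton(name: str) -> str:
    """Comparison key: NFKC-normalise, map confusables, drop characters a
    listing would render as '?' or not at all (non-printable, whitespace)."""
    folded = unicodedata.normalize("NFKC", name).translate(CONFUSABLES)
    return "".join(c for c in folded if c.isprintable() and not c.isspace())

def classify(name: str, canonical: str = CANONICAL):
    """Return 'exact', a reason why `name` mimics `canonical`, or None."""
    if name == canonical:
        return "exact"
    if skeleton(name).casefold() == canonical.casefold():
        odd = [f"U+{ord(c):04X}" for c in name if ord(c) > 0x7E or not c.isprintable()]
        return ("non-ASCII/invisible characters " + ",".join(odd)) if odd \
            else "case or spacing variant"
    if len(name) == len(canonical) and sum(a != b for a, b in zip(name, canonical)) == 1:
        return "one character substituted"
    return None  # unrelated sibling such as 'Macromedia' or 'Microsoft.NET'

def find_lookalikes(root: str, canonical: str = CANONICAL,
                    marker: str = MARKER_SUBFOLDER) -> list:
    """Scan `root` and report every folder that resembles `canonical`."""
    findings = []
    for name in sorted(os.listdir(root)):
        path = os.path.join(root, name)
        reason = classify(name, canonical) if os.path.isdir(path) else None
        if reason is not None:
            has_marker = os.path.isdir(os.path.join(path, marker))
            findings.append(Finding(name, reason != "exact", reason, has_marker))
    return findings

def build_demo_tree() -> str:
    """Constructed stand-in for system32; the folder names are invented."""
    root = tempfile.mkdtemp(prefix="sys32_demo_")
    os.makedirs(os.path.join(root, "Microsoft", "Protect"))  # legitimate one
    os.mkdir(os.path.join(root, "\u041cicrosoft"))           # Cyrillic 'M'
    os.mkdir(os.path.join(root, "Microsoft\u00a0"))          # trailing NBSP
    os.mkdir(os.path.join(root, "Nicrosoft"))                # one letter off
    os.mkdir(os.path.join(root, "Macromedia"))               # benign sibling
    return root

if __name__ == "__main__":
    for f in find_lookalikes(build_demo_tree()):
        verdict = "legit" if (not f.lookalike and f.has_marker) else "SUSPECT"
        print(f"{verdict:8}{f.name!r:24}marker={f.has_marker}  {f.reason}")
```

Only the exact spelling that also contains the marker subfolder comes out as "legit"; a second folder that a listing shows as Microsoft but that fails either test is the one to investigate.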
     
  11. 2007/10/07
    JoeB

    JoeB Inactive Thread Starter

    Joined:
    2007/05/21
    Messages:
    71
    Likes Received:
    0
    Are these files Legit?

    ctad-566.0000
    ctxad-566.0001
     
  12. 2007/10/07
    noahdfear

    noahdfear Inactive

    Joined:
    2003/04/06
    Messages:
    12,178
    Likes Received:
    15
    I can't say for sure, but they don't look like anything legit to me. Upload them to my submission channel and I'll check them out. Leave a link back to this topic.
     
