Options
iesettingsupdate
Got a question, every time i start my computer, or re-start it, it opens up internet explorer and looks for iesettingsupdate, then upon not finding it it goes to some explorer page called foxy.net, which usually has links to pornographic material, my avg doesn't find it and i can't find it in my hard drive to erase it, so what can i do to get rid of it?
0
Comments
Let's take a look and see what all is loaded there.
Please download HijackThis from Here. Then click on the downloaded file to install HijackThis. After it is installed open HijackThis and select Do a system scan and save logfile. Use copy/paste and post that log back here for review.
Also Go Here and download Silent Runners to your desktop. Run it, and post back here the log it creates. If your protective software queries the script, allow it to run. It's not malicious. It will create a file named Startup Programs, and will notify when the scan is complete. Copy the log from the Startup Programs file back here. Here are guidelines for using Silent Runners. You can use separate posts here when replying and posting the log files if needed.
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 1:00:46 PM, on 3/15/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16574)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
C:\Program Files\Intel\Wireless\Bin\WLKeeper.exe
C:\Program Files\Intel\Wireless\Bin\ZcfgSvc.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Intel\Wireless\Bin\1XConfig.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\Program Files\Dell\NICCONFIGSVC\NICCONFIGSVC.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
C:\Program Files\Dell Support Center\bin\sprtsvc.exe
C:\WINDOWS\system32\CAPM2RSK.EXE
C:\Program Files\Real\RealPlayer\RealPlay.exe
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe
C:\WINDOWS\ehome\ehtray.exe
C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe
C:\Program Files\Dell\QuickSet\quickset.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Program Files\Apoint\Apoint.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\WINDOWS\system32\dllhost.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\Program Files\Adobe\Photoshop Album Starter Edition\3.2\Apps\apdproxy.exe
C:\WINDOWS\eHome\ehmsas.exe
C:\Program Files\Apoint\Apntex.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\DellSupport\DSAgnt.exe
C:\Program Files\Dell Support Center\bin\sprtcmd.exe
C:\WINDOWS\system32\spool\drivers\w32x86\3\CAPM2LAK.EXE
C:\WINDOWS\system32\spool\drivers\w32x86\3\CAPM2SWK.EXE
C:\WINDOWS\system32\spool\drivers\w32x86\3\CAPM2SWK.EXE
C:\Program Files\Digital Line Detect\DLG.exe
C:\WINDOWS\system32\svchost.exe
C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
C:\SLWIN\slw.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Outlook Express\msimn.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: SSL encrypt - {0B6899B6-1564-43e0-BD93-F7CF930A5E5C} - C:\WINDOWS\system32\nsu15B2.dll (file missing)
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
O2 - BHO: SSL encrypt - {746455FE-D059-47e7-AF0E-140E03F5A447} - C:\WINDOWS\system32\nszD.dll (file missing)
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\2.0.301.7164\swg.dll
O2 - BHO: GoogleAFE - {CA6319C0-31B7-401E-A518-A07C3DB8F777} - c:\Program Files\GoogleAFE\GoogleAE.dll
O2 - BHO: ComCap - {E1B2E864-8BFC-4072-AE11-924E0F8BBA96} - C:\WINDOWS\system32\comcap16.dll (file missing)
O2 - BHO: AD Rotator - {EEC590D8-0A3C-4464-BB20-25A4747992F9} - C:\WINDOWS\system32\adrotate.dll (file missing)
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [IntelWireless] C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe /tf Intel PROSet/Wireless
O4 - HKLM\..\Run: [ehTray] C:\WINDOWS\ehome\ehtray.exe
O4 - HKLM\..\Run: [DVDLauncher] "C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe"
O4 - HKLM\..\Run: [Dell QuickSet] C:\Program Files\Dell\QuickSet\quickset.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [ATIPTA] "C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe"
O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint\Apoint.exe
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [adstart] "iexplore.exe" "http://iesettingsupdate"
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKLM\..\Run: [dscactivate] "C:\Program Files\Dell Support Center\gs_agent\custom\dsca.exe"
O4 - HKLM\..\Run: [Adobe Photo Downloader] "C:\Program Files\Adobe\Photoshop Album Starter Edition\3.2\Apps\apdproxy.exe"
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [PC Adware-Spware Removal] C:\Program Files\PC Adware-Spyware Removal\PCAdwareSpywareRemoval.exe /quick
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe"
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [DellSupport] "C:\Program Files\DellSupport\DSAgnt.exe" /startup
O4 - HKCU\..\Run: [DellSupportCenter] "C:\Program Files\Dell Support Center\bin\sprtcmd.exe" /P DellSupportCenter
O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'Default user')
O4 - Global Startup: Canon iR1200-1300 Status Window.LNK = C:\WINDOWS\system32\spool\drivers\w32x86\3\CAPM2LAK.EXE
O4 - Global Startup: Digital Line Detect.lnk = ?
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: QuickBooks Update Agent.lnk = C:\Program Files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra button: (no name) - {B205A35E-1FC4-4CE3-818B-899DBBB3388C} - C:\Program Files\Common Files\Microsoft Shared\Encarta Search Bar\ENCSBAR.DLL
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O15 - Trusted Zone: *.media-motor.net
O15 - Trusted Zone: *.mmohsix.com
O15 - Trusted Zone: http://click.getmirar.com (HKLM)
O15 - Trusted Zone: http://click.mirarsearch.com (HKLM)
O15 - Trusted Zone: http://redirect.mirarsearch.com (HKLM)
O15 - Trusted Zone: http://awbeta.net-nucleus.com (HKLM)
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://by128fd.bay128.hotmail.msn.com/resources/MsnPUpld.cab
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} (Java Runtime Environment 1.6.0) - http://javadl-esd.sun.com/update/1.6.0/jinstall-6u5-windows-i586-jc.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{39856535-A635-44A5-8751-448B707D7CC0}: NameServer = 85.255.116.142,85.255.112.25
O17 - HKLM\System\CCS\Services\Tcpip\..\{7B7A1A39-5F02-4F4D-AF38-AF65107D9D21}: NameServer = 85.255.116.142,85.255.112.25
O17 - HKLM\System\CCS\Services\Tcpip\..\{D1A7E67D-074A-4CFC-828F-200EFF4185E2}: NameServer = 85.255.116.142,85.255.112.25
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: NameServer = 85.255.116.142 85.255.112.25
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: NameServer = 85.255.116.142 85.255.112.25
O20 - Winlogon Notify: intel3 - intel3.dll (file missing)
O22 - SharedTaskScheduler: curdler - {bd0fc212-0a36-4232-83cc-2063fb9282e0} - C:\WINDOWS\system32\qzviz.dll (file missing)
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
O23 - Service: DSBrokerService - Unknown owner - C:\Program Files\DellSupport\brkrsvc.exe
O23 - Service: EvtEng - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
O23 - Service: NICCONFIGSVC - Dell Inc. - C:\Program Files\Dell\NICCONFIGSVC\NICCONFIGSVC.exe
O23 - Service: RegSrvc - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
O23 - Service: Spectrum24 Event Monitor (S24EventMonitor) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
O23 - Service: SupportSoft Sprocket Service (dellsupportcenter) (sprtsvc_dellsupportcenter) - SupportSoft, Inc. - C:\Program Files\Dell Support Center\bin\sprtsvc.exe
O23 - Service: WLANKEEPER - Intel® Corporation - C:\Program Files\Intel\Wireless\Bin\WLKeeper.exe
--
End of file - 10749 bytes
"Silent Runners.vbs", revision 56, http://www.silentrunners.org/
Operating System: Windows XP SP2
Output limited to non-default values, except where indicated by "{++}"
Startup items buried in registry:
HKCU\Software\Microsoft\Windows\CurrentVersion\Run\ {++}
"MSMSGS" = ""C:\Program Files\Messenger\msmsgs.exe" /background" [MS]
"swg" = "C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" ["Google Inc."]
"ctfmon.exe" = "C:\WINDOWS\system32\ctfmon.exe" [MS]
"DellSupport" = ""C:\Program Files\DellSupport\DSAgnt.exe" /startup" ["Gteko Ltd."]
"DellSupportCenter" = ""C:\Program Files\Dell Support Center\bin\sprtcmd.exe" /P DellSupportCenter" ["SupportSoft, Inc."]
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ {++}
"RealTray" = "C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER" ["RealNetworks, Inc."]
"QuickTime Task" = ""C:\Program Files\QuickTime\qttask.exe" -atboottime" ["Apple Computer, Inc."]
"ISUSScheduler" = ""C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start" ["InstallShield Software Corporation"]
"IntelWireless" = "C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe /tf Intel PROSet/Wireless" ["Intel Corporation"]
"ehTray" = "C:\WINDOWS\ehome\ehtray.exe" [MS]
"DVDLauncher" = ""C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe"" ["CyberLink Corp."]
"Dell QuickSet" = "C:\Program Files\Dell\QuickSet\quickset.exe" [empty string]
"AVG7_CC" = "C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP" ["GRISOFT, s.r.o."]
"ATIPTA" = ""C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe"" ["ATI Technologies, Inc."]
"Apoint" = "C:\Program Files\Apoint\Apoint.exe" ["Alps Electric Co., Ltd."]
"dla" = "C:\WINDOWS\system32\dla\tfswctrl.exe" ["Sonic Solutions"]
"adstart" = ""iexplore.exe" "http://iesettingsupdate"" [MS]
"Windows Defender" = ""C:\Program Files\Windows Defender\MSASCui.exe" -hide" [MS]
"dscactivate" = ""C:\Program Files\Dell Support Center\gs_agent\custom\dsca.exe"" [null data]
"Adobe Photo Downloader" = ""C:\Program Files\Adobe\Photoshop Album Starter Edition\3.2\Apps\apdproxy.exe"" ["Adobe Systems Incorporated"]
"Adobe Reader Speed Launcher" = ""C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"" ["Adobe Systems Incorporated"]
"PC Adware-Spware Removal" = "C:\Program Files\PC Adware-Spyware Removal\PCAdwareSpywareRemoval.exe /quick" [file not found]
"SunJavaUpdateSched" = ""C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe"" ["Sun Microsystems, Inc."]
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\
{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}\(Default) = (no title provided)
-> {HKLM...CLSID} = "Adobe PDF Reader Link Helper"
\InProcServer32\(Default) = "C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll" ["Adobe Systems Incorporated"]
{0B6899B6-1564-43e0-BD93-F7CF930A5E5C}\(Default) = (no title provided)
-> {HKLM...CLSID} = "SSL encrypt"
\InProcServer32\(Default) = "C:\WINDOWS\system32\nsu15B2.dll" [file not found]
{5CA3D70E-1895-11CF-8E15-001234567890}\(Default) = "*Z" (unwritable string)
-> {HKLM...CLSID} = "DriveLetterAccess"
\InProcServer32\(Default) = "C:\WINDOWS\system32\dla\tfswshx.dll" ["Sonic Solutions"]
{746455FE-D059-47e7-AF0E-140E03F5A447}\(Default) = (no title provided)
-> {HKLM...CLSID} = "SSL encrypt"
\InProcServer32\(Default) = "C:\WINDOWS\system32\nszD.dll" [file not found]
{761497BB-D6F0-462C-B6EB-D4DAF1D92D43}\(Default) = (no title provided)
-> {HKLM...CLSID} = "SSVHelper Class"
\InProcServer32\(Default) = "C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll" ["Sun Microsystems, Inc."]
{AA58ED58-01DD-4d91-8333-CF10577473F7}\(Default) = (no title provided)
-> {HKLM...CLSID} = "Google Toolbar Helper"
\InProcServer32\(Default) = "c:\program files\google\googletoolbar1.dll" ["Google Inc."]
{AF69DE43-7D58-4638-B6FA-CE66B5AD205D}\(Default) = (no title provided)
-> {HKLM...CLSID} = "Google Toolbar Notifier BHO"
\InProcServer32\(Default) = "C:\Program Files\Google\GoogleToolbarNotifier\2.0.301.7164\swg.dll" ["Google Inc."]
{CA6319C0-31B7-401E-A518-A07C3DB8F777}\(Default) = "GoogleAFE"
-> {HKLM...CLSID} = "CBrowserHelperObject Object"
\InProcServer32\(Default) = "c:\Program Files\GoogleAFE\GoogleAE.dll" ["Google"]
{E1B2E864-8BFC-4072-AE11-924E0F8BBA96}\(Default) = (no title provided)
-> {HKLM...CLSID} = "ComCap"
\InProcServer32\(Default) = "C:\WINDOWS\system32\comcap16.dll" [file not found]
{EEC590D8-0A3C-4464-BB20-25A4747992F9}\(Default) = (no title provided)
-> {HKLM...CLSID} = "AD Rotator"
\InProcServer32\(Default) = "C:\WINDOWS\system32\adrotate.dll" [file not found]
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\
"{42071714-76d4-11d1-8b24-00a0c9068ff3}" = "Display Panning CPL Extension"
-> {HKLM...CLSID} = "Display Panning CPL Extension"
\InProcServer32\(Default) = "deskpan.dll" [file not found]
"{88895560-9AA2-1069-930E-00AA0030EBC8}" = "HyperTerminal Icon Ext"
-> {HKLM...CLSID} = "HyperTerminal Icon Ext"
\InProcServer32\(Default) = "C:\WINDOWS\system32\hticons.dll" ["Hilgraeve, Inc."]
"{7D5C4BDD-B015-4401-8731-1507B87DE297}" = "QBVersionTool"
-> {HKLM...CLSID} = "VersionShellExt Class"
\InProcServer32\(Default) = "C:\Program Files\Common Files\Intuit\QuickBooks\QBVersionTool.dll" ["Intuit, Inc."]
"{42042206-2D85-11D3-8CFF-005004838597}" = "Microsoft Office HTML Icon Handler"
-> {HKLM...CLSID} = (no title provided)
\InProcServer32\(Default) = "C:\Program Files\Microsoft Office\Office10\msohev.dll" [MS]
"{9F97547E-4609-42C5-AE0C-81C61FFAEBC3}" = "AVG7 Shell Extension"
-> {HKLM...CLSID} = "AVG7 Shell Extension Class"
\InProcServer32\(Default) = "C:\Program Files\Grisoft\AVG7\avgse.dll" ["GRISOFT, s.r.o."]
"{9F97547E-460A-42C5-AE0C-81C61FFAEBC3}" = "AVG7 Find Extension"
-> {HKLM...CLSID} = "AVG7 Find Extension Class"
\InProcServer32\(Default) = "C:\Program Files\Grisoft\AVG7\avgse.dll" ["GRISOFT, s.r.o."]
"{5CA3D70E-1895-11CF-8E15-001234567890}" = "DriveLetterAccess"
-> {HKLM...CLSID} = "DriveLetterAccess"
\InProcServer32\(Default) = "C:\WINDOWS\system32\dla\tfswshx.dll" ["Sonic Solutions"]
"{B41DB860-8EE4-11D2-9906-E49FADC173CA}" = "WinRAR shell extension"
-> {HKLM...CLSID} = "WinRAR"
\InProcServer32\(Default) = "C:\Program Files\WinRAR\rarext.dll" [null data]
"{e57ce731-33e8-4c51-8354-bb4de9d215d1}" = "Universal Plug and Play Devices"
-> {HKLM...CLSID} = "Universal Plug and Play Devices"
\InProcServer32\(Default) = "C:\WINDOWS\system32\upnpui.dll" [MS]
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler\
<<!>> "{bd0fc212-0a36-4232-83cc-2063fb9282e0}" = "curdler"
-> {HKLM...CLSID} = (no title provided)
\InProcServer32\(Default) = "C:\WINDOWS\system32\qzviz.dll" [file not found]
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks\
<<!>> "{091EB208-39DD-417D-A5DD-7E2C2D8FB9CB}" = "Microsoft AntiMalware ShellExecuteHook"
-> {HKLM...CLSID} = "Microsoft AntiMalware ShellExecuteHook"
\InProcServer32\(Default) = "C:\PROGRA~1\WIFD1F~1\MpShHook.dll" [MS]
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\
"WPDShServiceObj" = "{AAA288BA-9A4C-45B0-95D7-94D524869DB5}"
-> {HKLM...CLSID} = "WPDShServiceObj Class"
\InProcServer32\(Default) = "C:\WINDOWS\system32\WPDShServiceObj.dll" [MS]
HKLM\SOFTWA RE\Microsoft\Windows NT\CurrentVersion\Winlogon\
<<!>> "System" = "kdfpj.exe" [file not found]
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\
<<!>> AtiExtEvent\DLLName = "Ati2evxx.dll" ["ATI Technologies Inc."]
<<!>> intel3\DLLName = "intel3.dll" [file not found]
<<!>> IntelWireless\DLLName = "C:\Program Files\Intel\Wireless\Bin\LgNotify.dll" ["Intel Corporation"]
HKLM\SOFTWARE\Classes\Folder\shellex\ColumnHandlers\
{F9DB5320-233E-11D1-9F84-707F02C10627}\(Default) = "PDF Column Info"
-> {HKLM...CLSID} = "PDF Shell Extension"
\InProcServer32\(Default) = "C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\PDFShell.dll" ["Adobe Systems, Inc."]
HKLM\SOFTWARE\Classes\*\shellex\ContextMenuHandlers\
AVG7 Shell Extension\(Default) = "{9F97547E-4609-42C5-AE0C-81C61FFAEBC3}"
-> {HKLM...CLSID} = "AVG7 Shell Extension Class"
\InProcServer32\(Default) = "C:\Program Files\Grisoft\AVG7\avgse.dll" ["GRISOFT, s.r.o."]
WinRAR\(Default) = "{B41DB860-8EE4-11D2-9906-E49FADC173CA}"
-> {HKLM...CLSID} = "WinRAR"
\InProcServer32\(Default) = "C:\Program Files\WinRAR\rarext.dll" [null data]
HKLM\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers\
WinRAR\(Default) = "{B41DB860-8EE4-11D2-9906-E49FADC173CA}"
-> {HKLM...CLSID} = "WinRAR"
\InProcServer32\(Default) = "C:\Program Files\WinRAR\rarext.dll" [null data]
HKLM\SOFTWARE\Classes\Folder\shellex\ContextMenuHandlers\
AVG7 Shell Extension\(Default) = "{9F97547E-4609-42C5-AE0C-81C61FFAEBC3}"
-> {HKLM...CLSID} = "AVG7 Shell Extension Class"
\InProcServer32\(Default) = "C:\Program Files\Grisoft\AVG7\avgse.dll" ["GRISOFT, s.r.o."]
WinRAR\(Default) = "{B41DB860-8EE4-11D2-9906-E49FADC173CA}"
-> {HKLM...CLSID} = "WinRAR"
\InProcServer32\(Default) = "C:\Program Files\WinRAR\rarext.dll" [null data]
Group Policies {GPedit.msc branch and setting}:
Note: detected settings may not have any effect.
HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System\
"DisableTaskMgr" = (REG_SZ) 1
{User Configuration|Administrative Templates|System|Ctrl+Alt+Del Options|
Remove Task Manager}
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\
"shutdownwithoutlogon" = (REG_DWORD) dword:0x00000001
{Computer Configuration|Windows Settings|Security Settings|Local Policies|Security Options|
Shutdown: Allow system to be shut down without having to log on}
"undockwithoutlogon" = (REG_DWORD) dword:0x00000001
{Computer Configuration|Windows Settings|Security Settings|Local Policies|Security Options|
Devices: Allow undock without having to log on}
"InstallVisualStyle" = (REG_EXPAND_SZ) C:\WINDOWS\Resources\Themes\Royale\Royale.msstyles
{unrecognized setting}
"InstallTheme" = (REG_EXPAND_SZ) C:\WINDOWS\Resources\Themes\Royale.theme
{unrecognized setting}
Active Desktop and Wallpaper:
Active Desktop may be disabled at this entry:
HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellState
Displayed if Active Desktop enabled and wallpaper not set by Group Policy:
HKCU\Software\Microsoft\Internet Explorer\Desktop\General\
"Wallpaper" = "C:\WINDOWS\Web\Wallpaper\Halo 2 - Desert Brigade.bmp"
Displayed if Active Desktop disabled and wallpaper not set by Group Policy:
HKCU\Control Panel\Desktop\
"Wallpaper" = "C:\WINDOWS\Web\Wallpaper\Halo 2 - Desert Brigade.bmp"
Enabled Screen Saver:
HKCU\Control Panel\Desktop\
"SCRNSAVE.EXE" = "C:\WINDOWS\system32\nature.scr" [MS]
Startup items in "Community Motors" & "All Users" startup folders:
C:\Documents and Settings\All Users\Start Menu\Programs\Startup
"Canon iR1200-1300 Status Window" -> shortcut to: "C:\WINDOWS\system32\spool\drivers\w32x86\3\CAPM2LAK.EXE !N" ["CANON INC."]
"Digital Line Detect" -> shortcut to: "C:\Program Files\Digital Line Detect\DLG.exe" ["BVRP Software"]
"Microsoft Office" -> shortcut to: "C:\Program Files\Microsoft Office\Office10\OSA.EXE -b -l" [MS]
"QuickBooks Update Agent" -> shortcut to: "C:\Program Files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe" ["Intuit, Inc."]
Enabled Scheduled Tasks:
"MP Scheduled Scan" -> launches: "C:\Program Files\Windows Defender\MpCmdRun.exe Scan -RestrictPrivileges" [MS]
Winsock2 Service Provider DLLs:
Namespace Service Providers
HKLM\SYSTEM\CurrentControlSet\Services\Winsock2\Parameters\NameSpace_Catalog5\Catalog_Entries\ {++}
000000000001\LibraryPath = "%SystemRoot%\System32\mswsock.dll" [MS]
000000000002\LibraryPath = "%SystemRoot%\System32\winrnr.dll" [MS]
000000000003\LibraryPath = "%SystemRoot%\System32\mswsock.dll" [MS]
Transport Service Providers
HKLM\SYSTEM\CurrentControlSet\Services\Winsock2\Parameters\Protocol_Catalog9\Catalog_Entries\ {++}
0000000000##\PackedCatalogItem (contains) DLL [Company Name], (at) ## range:
%SystemRoot%\system32\mswsock.dll [MS], 01 - 03, 06 - 15
%SystemRoot%\system32\rsvpsp.dll [MS], 04 - 05
Toolbars, Explorer Bars, Extensions:
Toolbars
HKCU\Software\Microsoft\Internet Explorer\Toolbar\ShellBrowser\
"{2318C2B1-4965-11D4-9B18-009027A5CD4F}"
-> {HKLM...CLSID} = "&Google"
\InProcServer32\(Default) = "c:\program files\google\googletoolbar1.dll" ["Google Inc."]
HKCU\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser\
"{2318C2B1-4965-11D4-9B18-009027A5CD4F}"
-> {HKLM...CLSID} = "&Google"
\InProcServer32\(Default) = "c:\program files\google\googletoolbar1.dll" ["Google Inc."]
HKLM\SOFTWARE\Microsoft\Internet Explorer\Toolbar\
"{2318C2B1-4965-11D4-9B18-009027A5CD4F}" = (no title provided)
-> {HKLM...CLSID} = "&Google"
\InProcServer32\(Default) = "c:\program files\google\googletoolbar1.dll" ["Google Inc."]
Explorer Bars
HKLM\SOFTWARE\Microsoft\Internet Explorer\Explorer Bars\
{FE54FA40-D68C-11D2-98FA-00C0F0318AFE}\(Default) = (no title provided)
-> {HKLM...CLSID} = "Real.com"
\InProcServer32\(Default) = "C:\WINDOWS\system32\Shdocvw.dll" [MS]
Extensions (Tools menu items, main toolbar menu buttons)
HKLM\SOFTWARE\Microsoft\Internet Explorer\Extensions\
{08B0E5C0-4FCB-11CF-AAA5-00401C608501}\
"MenuText" = "Sun Java Console"
"CLSIDExtension" = "{CAFEEFAC-0016-0000-0005-ABCDEFFEDCBC}"
-> {HKCU...CLSID} = "Java Plug-in 1.6.0_05"
\InProcServer32\(Default) = "C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll" ["Sun Microsystems, Inc."]
-> {HKLM...CLSID} = "Java Plug-in 1.6.0_05"
\InProcServer32\(Default) = "C:\Program Files\Java\jre1.6.0_05\bin\npjpi160_05.dll" ["Sun Microsystems, Inc."]
{B205A35E-1FC4-4CE3-818B-899DBBB3388C}\
{CD67F990-D8E9-11D2-98FE-00C0F0318AFE}\
"ButtonText" = "Real.com"
{E2E2DD38-D088-4134-82B7-F2BA38496583}\
"MenuText" = "@xpsp3res.dll,-20001"
"Exec" = "%windir%\Network Diagnostic\xpnetdiag.exe" [MS]
{FB5F1910-F110-11D2-BB9E-00C04F795683}\
"ButtonText" = "Messenger"
"MenuText" = "Windows Messenger"
"Exec" = "C:\Program Files\Messenger\msmsgs.exe" [MS]
Running Services (Display Name, Service Name, Path {Service DLL}):
Ati HotKey Poller, Ati HotKey Poller, "C:\WINDOWS\system32\Ati2evxx.exe" ["ATI Technologies Inc."]
AVG E-mail Scanner, AVGEMS, "C:\PROGRA~1\Grisoft\AVG7\avgemc.exe" ["GRISOFT, s.r.o."]
AVG7 Alert Manager Server, Avg7Alrt, "C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe" ["GRISOFT, s.r.o."]
AVG7 Update Service, Avg7UpdSvc, "C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe" ["GRISOFT, s.r.o."]
EvtEng, EvtEng, "C:\Program Files\Intel\Wireless\Bin\EvtEng.exe" ["Intel Corporation"]
Media Center Extender Service, McrdSvc, "C:\WINDOWS\ehome\mcrdsvc.exe" [MS]
Media Center Receiver Service, ehRecvr, "C:\WINDOWS\eHome\ehRecvr.exe" [MS]
Media Center Scheduler Service, ehSched, "C:\WINDOWS\eHome\ehSched.exe" [MS]
NICCONFIGSVC, NICCONFIGSVC, "C:\Program Files\Dell\NICCONFIGSVC\NICCONFIGSVC.exe" ["Dell Inc."]
RegSrvc, RegSrvc, "C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe" ["Intel Corporation"]
Spectrum24 Event Monitor, S24EventMonitor, "C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe" ["Intel Corporation "]
SupportSoft Sprocket Service (dellsupportcenter), sprtsvc_dellsupportcenter, "C:\Program Files\Dell Support Center\bin\sprtsvc.exe /service /p dellsupportcenter" ["SupportSoft, Inc."]
Windows Defender, WinDefend, ""C:\Program Files\Windows Defender\MsMpEng.exe"" [MS]
WLANKEEPER, WLANKEEPER, "C:\Program Files\Intel\Wireless\Bin\WLKeeper.exe" ["Intel® Corporation"]
Print Monitors:
HKLM\SYSTEM\CurrentControlSet\Control\Print\Monitors\
CAPM2 Monitor\Driver = "CAPM2LMK.DLL" ["CANON INC."]
Microsoft Shared Fax Monitor\Driver = "FXSMON.DLL" [MS]
PostScript Port\Driver = "postscriptmon.dll" [null data]
(launch time: 2008-03-15 13:02:31)
<<!>>: Suspicious data at a malware launch point.
+ This report excludes default entries except where indicated.
+ To see *everywhere* the script checks and *everything* it finds,
launch it from a command prompt or a shortcut with the -all parameter.
+ To search all directories of local fixed drives for DESKTOP.INI
DLL launch points, use the -supp parameter or answer "No" at the
first message box and "Yes" at the second message box.
(total run time: 64 seconds, including 11 seconds for message boxes)
A fairly serious bit of infection there, and possibly an info stealer as well. You should change any security\login information, using a different computer, and either contact or closely monitor any banking/credit accounts ever accessed on this system. A good precaution at this point.
Open Notepad (Start, Run type notepad and select Enter) and copy/paste the following text.
Save this as correct2.inf
Where it says "Files of Type", select All Files and click on Save and save it to your desktop. Exit Notepad, Then right-click on correct2.inf and select Install. This will allow Task Manager access and undo some other known infection tricks.
Then download FixWareout from here
Save it to your desktop and run it. Click Next, then Install, make sure "Run fixit" is checked and click Finish. The fix will begin, just follow the prompts. If your firewall sends an alert, please don't let your firewall block it, allow it (this tool will download an additional file from the internet). Note: You must must be online to run this utility
Then you will be asked to reboot your computer; please do so. Your system may take longer than usual to load, this is normal.
Once your desktop loads, notepad will open a report.txt file. Close this, and allow the reboot to complete. On reboot you will also get notified about possible difficulties making a connection after the fix is run. If you do have net access difficulties double click the registry file dnsbak.reg located in the Fixwareout folder on the root of the drive windows is installed (normally c:\ as suggested).
Once your desktop loads, please post the contents of the logfile C:\fixwareout\report.txt along with a new HijackThis log. Also a new Silent Runners log. We will address the popups likely still occurring there in the next steps, after a review of your progress.
Username "Community Motors" - 03/17/2008 12:52:16 [Fixwareout edited 9/01/2007]
~~~~~ Prerun check
HKLM\SOFTWARE\~\Winlogon\ "System"="kdfpj.exe"
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters
"nameserver"="85.255.116.142 85.255.112.25" <Value cleared.
HKEY_LOCAL_MACHINE\system\currentcontrolset\services\tcpip\parameters\interfaces\{39856535-A635-44A5-8751-448B707D7CC0}
"nameserver"="85.255.116.142,85.255.112.25" <Value cleared.
HKEY_LOCAL_MACHINE\system\currentcontrolset\services\tcpip\parameters\interfaces\{7B7A1A39-5F02-4F4D-AF38-AF65107D9D21}
"nameserver"="85.255.116.142,85.255.112.25" <Value cleared.
HKEY_LOCAL_MACHINE\system\currentcontrolset\services\tcpip\parameters\interfaces\{D1A7E67D-074A-4CFC-828F-200EFF4185E2}
"nameserver"="85.255.116.142,85.255.112.25" <Value cleared.
HKEY_LOCAL_MACHINE\system\currentcontrolset\services\tcpip\parameters\interfaces\{29B39846-0902-49E5-B96A-2F1FC54E9A72}
"DhcpNameServer"="85.255.116.142,85.255.112.25" <Value cleared.
HKEY_LOCAL_MACHINE\system\currentcontrolset\services\tcpip\parameters\interfaces\{D1A7E67D-074A-4CFC-828F-200EFF4185E2}
"DhcpNameServer"="85.255.116.142,85.255.112.25" <Value cleared.
Successfully flushed the DNS Resolver Cache.
System was rebooted successfully.
~~~~~ Postrun check
HKLM\SOFTWARE\~\Winlogon\ "system"=""
....
....
~~~~~ Misc files.
....
~~~~~ Checking for older varients.
....
C:\Program Files\SpywareLocked 3.3 < Found
C:\Program Files\Video ActiveX Object < Found
Additional tools are recommended.
~~~~~ Current runs (hklm hkcu "run" Keys Only)
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"RealTray"="C:\\Program Files\\Real\\RealPlayer\\RealPlay.exe SYSTEMBOOTHIDEPLAYER"
"QuickTime Task"="\"C:\\Program Files\\QuickTime\\qttask.exe\" -atboottime"
"ISUSScheduler"="\"C:\\Program Files\\Common Files\\InstallShield\\UpdateService\\issch.exe\" -start"
"IntelWireless"="C:\\Program Files\\Intel\\Wireless\\Bin\\ifrmewrk.exe /tf Intel PROSet/Wireless"
"ehTray"="C:\\WINDOWS\\ehome\\ehtray.exe"
"DVDLauncher"="\"C:\\Program Files\\CyberLink\\PowerDVD\\DVDLauncher.exe\""
"Dell QuickSet"="C:\\Program Files\\Dell\\QuickSet\\quickset.exe"
"AVG7_CC"="C:\\PROGRA~1\\Grisoft\\AVG7\\avgcc.exe /STARTUP"
"ATIPTA"="\"C:\\Program Files\\ATI Technologies\\ATI Control Panel\\atiptaxx.exe\""
"Apoint"="C:\\Program Files\\Apoint\\Apoint.exe"
"dla"="C:\\WINDOWS\\system32\\dla\\tfswctrl.exe"
"adstart"="\"iexplore.exe\" \"http://iesettingsupdate\""
"Windows Defender"="\"C:\\Program Files\\Windows Defender\\MSASCui.exe\" -hide"
"dscactivate"="\"C:\\Program Files\\Dell Support Center\\gs_agent\\custom\\dsca.exe\""
"Adobe Photo Downloader"="\"C:\\Program Files\\Adobe\\Photoshop Album Starter Edition\\3.2\\Apps\\apdproxy.exe\""
"Adobe Reader Speed Launcher"="\"C:\\Program Files\\Adobe\\Reader 8.0\\Reader\\Reader_sl.exe\""
"PC Adware-Spware Removal"="C:\\Program Files\\PC Adware-Spyware Removal\\PCAdwareSpywareRemoval.exe /quick"
"SunJavaUpdateSched"="\"C:\\Program Files\\Java\\jre1.6.0_05\\bin\\jusched.exe\""
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MSMSGS"="\"C:\\Program Files\\Messenger\\msmsgs.exe\" /background"
"swg"="C:\\Program Files\\Google\\GoogleToolbarNotifier\\GoogleToolbarNotifier.exe"
"ctfmon.exe"="C:\\WINDOWS\\system32\\ctfmon.exe"
"DellSupport"="\"C:\\Program Files\\DellSupport\\DSAgnt.exe\" /startup"
"DellSupportCenter"="\"C:\\Program Files\\Dell Support Center\\bin\\sprtcmd.exe\" /P DellSupportCenter"
....
Hosts file was reset, If you use a custom hosts file please replace it...
~~~~~ End report ~~~~~
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 12:59:31 PM, on 3/17/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16574)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
C:\Program Files\Intel\Wireless\Bin\ZcfgSvc.exe
C:\Program Files\Intel\Wireless\Bin\WLKeeper.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Intel\Wireless\Bin\1XConfig.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\Program Files\Dell\NICCONFIGSVC\NICCONFIGSVC.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
C:\Program Files\Dell Support Center\bin\sprtsvc.exe
C:\WINDOWS\system32\CAPM2RSK.EXE
C:\WINDOWS\system32\dllhost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\notepad.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Real\RealPlayer\RealPlay.exe
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe
C:\WINDOWS\ehome\ehtray.exe
C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe
C:\Program Files\Dell\QuickSet\quickset.exe
C:\WINDOWS\eHome\ehmsas.exe
C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Program Files\Apoint\Apoint.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\Program Files\Adobe\Photoshop Album Starter Edition\3.2\Apps\apdproxy.exe
C:\Program Files\Apoint\Apntex.exe
C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe
C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\DellSupport\DSAgnt.exe
C:\Program Files\Dell Support Center\bin\sprtcmd.exe
C:\WINDOWS\system32\spool\drivers\w32x86\3\CAPM2LAK.EXE
C:\WINDOWS\system32\spool\drivers\w32x86\3\CAPM2SWK.EXE
C:\WINDOWS\system32\spool\drivers\w32x86\3\CAPM2SWK.EXE
C:\Program Files\Digital Line Detect\DLG.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
C:\Program Files\Dell Support Center\gs_agent\dsc.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\SoftwareDistribution\Download\30afadc4c35db2f5d8b4c076a49edc7b\update\update.exe
--
End of file - 10441 bytes
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: SSL encrypt - {0B6899B6-1564-43e0-BD93-F7CF930A5E5C} - C:\WINDOWS\system32\nsu15B2.dll (file missing)
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
O2 - BHO: SSL encrypt - {746455FE-D059-47e7-AF0E-140E03F5A447} - C:\WINDOWS\system32\nszD.dll (file missing)
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\2.0.1121.2472\swg.dll
O2 - BHO: GoogleAFE - {CA6319C0-31B7-401E-A518-A07C3DB8F777} - c:\Program Files\GoogleAFE\GoogleAE.dll
O2 - BHO: ComCap - {E1B2E864-8BFC-4072-AE11-924E0F8BBA96} - C:\WINDOWS\system32\comcap16.dll (file missing)
O2 - BHO: AD Rotator - {EEC590D8-0A3C-4464-BB20-25A4747992F9} - C:\WINDOWS\system32\adrotate.dll (file missing)
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [IntelWireless] C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe /tf Intel PROSet/Wireless
O4 - HKLM\..\Run: [ehTray] C:\WINDOWS\ehome\ehtray.exe
O4 - HKLM\..\Run: [DVDLauncher] "C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe"
O4 - HKLM\..\Run: [Dell QuickSet] C:\Program Files\Dell\QuickSet\quickset.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [ATIPTA] "C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe"
O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint\Apoint.exe
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [adstart] "iexplore.exe" "http://iesettingsupdate"
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKLM\..\Run: [dscactivate] "C:\Program Files\Dell Support Center\gs_agent\custom\dsca.exe"
O4 - HKLM\..\Run: [Adobe Photo Downloader] "C:\Program Files\Adobe\Photoshop Album Starter Edition\3.2\Apps\apdproxy.exe"
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [PC Adware-Spware Removal] C:\Program Files\PC Adware-Spyware Removal\PCAdwareSpywareRemoval.exe /quick
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe"
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [DellSupport] "C:\Program Files\DellSupport\DSAgnt.exe" /startup
O4 - HKCU\..\Run: [DellSupportCenter] "C:\Program Files\Dell Support Center\bin\sprtcmd.exe" /P DellSupportCenter
O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'Default user')
O4 - Global Startup: Canon iR1200-1300 Status Window.LNK = C:\WINDOWS\system32\spool\drivers\w32x86\3\CAPM2LAK.EXE
O4 - Global Startup: Digital Line Detect.lnk = ?
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: QuickBooks Update Agent.lnk = C:\Program Files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra button: (no name) - {B205A35E-1FC4-4CE3-818B-899DBBB3388C} - C:\Program Files\Common Files\Microsoft Shared\Encarta Search Bar\ENCSBAR.DLL
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O15 - Trusted Zone: *.media-motor.net
O15 - Trusted Zone: *.mmohsix.com
O15 - Trusted Zone: http://click.getmirar.com (HKLM)
O15 - Trusted Zone: http://click.mirarsearch.com (HKLM)
O15 - Trusted Zone: http://redirect.mirarsearch.com (HKLM)
O15 - Trusted Zone: http://awbeta.net-nucleus.com (HKLM)
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://by128fd.bay128.hotmail.msn.com/resources/MsnPUpld.cab
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} (Java Runtime Environment 1.6.0) - http://javadl-esd.sun.com/update/1.6.0/jinstall-6u5-windows-i586-jc.cab
O20 - Winlogon Notify: intel3 - intel3.dll (file missing)
O22 - SharedTaskScheduler: curdler - {bd0fc212-0a36-4232-83cc-2063fb9282e0} - C:\WINDOWS\system32\qzviz.dll (file missing)
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
O23 - Service: DSBrokerService - Unknown owner - C:\Program Files\DellSupport\brkrsvc.exe
O23 - Service: EvtEng - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
O23 - Service: NICCONFIGSVC - Dell Inc. - C:\Program Files\Dell\NICCONFIGSVC\NICCONFIGSVC.exe
O23 - Service: RegSrvc - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
O23 - Service: Spectrum24 Event Monitor (S24EventMonitor) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
O23 - Service: SupportSoft Sprocket Service (dellsupportcenter) (sprtsvc_dellsupportcenter) - SupportSoft, Inc. - C:\Program Files\Dell Support Center\bin\sprtsvc.exe
O23 - Service: WLANKEEPER - Intel® Corporation - C:\Program Files\Intel\Wireless\Bin\WLKeeper.exe
"Silent Runners.vbs", revision 56, http://www.silentrunners.org/
Operating System: Windows XP SP2
Output limited to non-default values, except where indicated by "{++}"
Startup items buried in registry:
HKCU\Software\Microsoft\Windows\CurrentVersion\Run\ {++}
"MSMSGS" = ""C:\Program Files\Messenger\msmsgs.exe" /background" [MS]
"swg" = "C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" ["Google Inc."]
"ctfmon.exe" = "C:\WINDOWS\system32\ctfmon.exe" [MS]
"DellSupport" = ""C:\Program Files\DellSupport\DSAgnt.exe" /startup" ["Gteko Ltd."]
"DellSupportCenter" = ""C:\Program Files\Dell Support Center\bin\sprtcmd.exe" /P DellSupportCenter" ["SupportSoft, Inc."]
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ {++}
"RealTray" = "C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER" ["RealNetworks, Inc."]
"QuickTime Task" = ""C:\Program Files\QuickTime\qttask.exe" -atboottime" ["Apple Computer, Inc."]
"ISUSScheduler" = ""C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start" ["InstallShield Software Corporation"]
"IntelWireless" = "C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe /tf Intel PROSet/Wireless" ["Intel Corporation"]
"ehTray" = "C:\WINDOWS\ehome\ehtray.exe" [MS]
"DVDLauncher" = ""C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe"" ["CyberLink Corp."]
"Dell QuickSet" = "C:\Program Files\Dell\QuickSet\quickset.exe" [empty string]
"AVG7_CC" = "C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP" ["GRISOFT, s.r.o."]
"ATIPTA" = ""C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe"" ["ATI Technologies, Inc."]
"Apoint" = "C:\Program Files\Apoint\Apoint.exe" ["Alps Electric Co., Ltd."]
"dla" = "C:\WINDOWS\system32\dla\tfswctrl.exe" ["Sonic Solutions"]
"adstart" = ""iexplore.exe" "http://iesettingsupdate"" [MS]
"Windows Defender" = ""C:\Program Files\Windows Defender\MSASCui.exe" -hide" [MS]
"dscactivate" = ""C:\Program Files\Dell Support Center\gs_agent\custom\dsca.exe"" [null data]
"Adobe Photo Downloader" = ""C:\Program Files\Adobe\Photoshop Album Starter Edition\3.2\Apps\apdproxy.exe"" ["Adobe Systems Incorporated"]
"Adobe Reader Speed Launcher" = ""C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"" ["Adobe Systems Incorporated"]
"PC Adware-Spware Removal" = "C:\Program Files\PC Adware-Spyware Removal\PCAdwareSpywareRemoval.exe /quick" [file not found]
"SunJavaUpdateSched" = ""C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe"" ["Sun Microsystems, Inc."]
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\
{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}\(Default) = (no title provided)
-> {HKLM...CLSID} = "Adobe PDF Reader Link Helper"
\InProcServer32\(Default) = "C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll" ["Adobe Systems Incorporated"]
{0B6899B6-1564-43e0-BD93-F7CF930A5E5C}\(Default) = (no title provided)
-> {HKLM...CLSID} = "SSL encrypt"
\InProcServer32\(Default) = "C:\WINDOWS\system32\nsu15B2.dll" [file not found]
{5CA3D70E-1895-11CF-8E15-001234567890}\(Default) = "*Z" (unwritable string)
-> {HKLM...CLSID} = "DriveLetterAccess"
\InProcServer32\(Default) = "C:\WINDOWS\system32\dla\tfswshx.dll" ["Sonic Solutions"]
{746455FE-D059-47e7-AF0E-140E03F5A447}\(Default) = (no title provided)
-> {HKLM...CLSID} = "SSL encrypt"
\InProcServer32\(Default) = "C:\WINDOWS\system32\nszD.dll" [file not found]
{761497BB-D6F0-462C-B6EB-D4DAF1D92D43}\(Default) = (no title provided)
-> {HKLM...CLSID} = "SSVHelper Class"
\InProcServer32\(Default) = "C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll" ["Sun Microsystems, Inc."]
{AA58ED58-01DD-4d91-8333-CF10577473F7}\(Default) = (no title provided)
-> {HKLM...CLSID} = "Google Toolbar Helper"
\InProcServer32\(Default) = "c:\program files\google\googletoolbar1.dll" ["Google Inc."]
{AF69DE43-7D58-4638-B6FA-CE66B5AD205D}\(Default) = (no title provided)
-> {HKLM...CLSID} = "Google Toolbar Notifier BHO"
\InProcServer32\(Default) = "C:\Program Files\Google\GoogleToolbarNotifier\2.0.1121.2472\swg.dll" ["Google Inc."]
{CA6319C0-31B7-401E-A518-A07C3DB8F777}\(Default) = "GoogleAFE"
-> {HKLM...CLSID} = "CBrowserHelperObject Object"
\InProcServer32\(Default) = "c:\Program Files\GoogleAFE\GoogleAE.dll" ["Google"]
{E1B2E864-8BFC-4072-AE11-924E0F8BBA96}\(Default) = (no title provided)
-> {HKLM...CLSID} = "ComCap"
\InProcServer32\(Default) = "C:\WINDOWS\system32\comcap16.dll" [file not found]
{EEC590D8-0A3C-4464-BB20-25A4747992F9}\(Default) = (no title provided)
-> {HKLM...CLSID} = "AD Rotator"
\InProcServer32\(Default) = "C:\WINDOWS\system32\adrotate.dll" [file not found]
"{42071714-76d4-11d1-8b24-00a0c9068ff3}" = "Display Panning CPL Extension"
-> {HKLM...CLSID} = "Display Panning CPL Extension"
\InProcServer32\(Default) = "deskpan.dll" [file not found]
"{88895560-9AA2-1069-930E-00AA0030EBC8}" = "HyperTerminal Icon Ext"
-> {HKLM...CLSID} = "HyperTerminal Icon Ext"
\InProcServer32\(Default) = "C:\WINDOWS\system32\hticons.dll" ["Hilgraeve, Inc."]
"{7D5C4BDD-B015-4401-8731-1507B87DE297}" = "QBVersionTool"
-> {HKLM...CLSID} = "VersionShellExt Class"
\InProcServer32\(Default) = "C:\Program Files\Common Files\Intuit\QuickBooks\QBVersionTool.dll" ["Intuit, Inc."]
"{42042206-2D85-11D3-8CFF-005004838597}" = "Microsoft Office HTML Icon Handler"
-> {HKLM...CLSID} = (no title provided)
\InProcServer32\(Default) = "C:\Program Files\Microsoft Office\Office10\msohev.dll" [MS]
"{9F97547E-4609-42C5-AE0C-81C61FFAEBC3}" = "AVG7 Shell Extension"
-> {HKLM...CLSID} = "AVG7 Shell Extension Class"
\InProcServer32\(Default) = "C:\Program Files\Grisoft\AVG7\avgse.dll" ["GRISOFT, s.r.o."]
"{9F97547E-460A-42C5-AE0C-81C61FFAEBC3}" = "AVG7 Find Extension"
-> {HKLM...CLSID} = "AVG7 Find Extension Class"
\InProcServer32\(Default) = "C:\Program Files\Grisoft\AVG7\avgse.dll" ["GRISOFT, s.r.o."]
"{5CA3D70E-1895-11CF-8E15-001234567890}" = "DriveLetterAccess"
-> {HKLM...CLSID} = "DriveLetterAccess"
\InProcServer32\(Default) = "C:\WINDOWS\system32\dla\tfswshx.dll" ["Sonic Solutions"]
"{B41DB860-8EE4-11D2-9906-E49FADC173CA}" = "WinRAR shell extension"
-> {HKLM...CLSID} = "WinRAR"
\InProcServer32\(Default) = "C:\Program Files\WinRAR\rarext.dll" [null data]
"{e57ce731-33e8-4c51-8354-bb4de9d215d1}" = "Universal Plug and Play Devices"
-> {HKLM...CLSID} = "Universal Plug and Play Devices"
\InProcServer32\(Default) = "C:\WINDOWS\system32\upnpui.dll" [MS]
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler\
<<!>> "{bd0fc212-0a36-4232-83cc-2063fb9282e0}" = "curdler"
-> {HKLM...CLSID} = (no title provided)
\InProcServer32\(Default) = "C:\WINDOWS\system32\qzviz.dll" [file not found]
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks\
<<!>> "{091EB208-39DD-417D-A5DD-7E2C2D8FB9CB}" = "Microsoft AntiMalware ShellExecuteHook"
-> {HKLM...CLSID} = "Microsoft AntiMalware ShellExecuteHook"
\InProcServer32\(Default) = "C:\PROGRA~1\WIFD1F~1\MpShHook.dll" [MS]
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\
"WPDShServiceObj" = "{AAA288BA-9A4C-45B0-95D7-94D524869DB5}"
-> {HKLM...CLSID} = "WPDShServiceObj Class"
\InProcServer32\(Default) = "C:\WINDOWS\system32\WPDShServiceObj.dll" [MS]
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\
<<!>> AtiExtEvent\DLLName = "Ati2evxx.dll" ["ATI Technologies Inc."]
<<!>> intel3\DLLName = "intel3.dll" [file not found]
<<!>> IntelWireless\DLLName = "C:\Program Files\Intel\Wireless\Bin\LgNotify.dll" ["Intel Corporation"]
HKLM\SOFTWARE\Classes\Folder\shellex\ColumnHandlers\
{F9DB5320-233E-11D1-9F84-707F02C10627}\(Default) = "PDF Column Info"
-> {HKLM...CLSID} = "PDF Shell Extension"
\InProcServer32\(Default) = "C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\PDFShell.dll" ["Adobe Systems, Inc."]
HKLM\SOFTWARE\Classes\*\shellex\ContextMenuHandlers\
AVG7 Shell Extension\(Default) = "{9F97547E-4609-42C5-AE0C-81C61FFAEBC3}"
-> {HKLM...CLSID} = "AVG7 Shell Extension Class"
\InProcServer32\(Default) = "C:\Program Files\Grisoft\AVG7\avgse.dll" ["GRISOFT, s.r.o."]
WinRAR\(Default) = "{B41DB860-8EE4-11D2-9906-E49FADC173CA}"
-> {HKLM...CLSID} = "WinRAR"
\InProcServer32\(Default) = "C:\Program Files\WinRAR\rarext.dll" [null data]
HKLM\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers\
WinRAR\(Default) = "{B41DB860-8EE4-11D2-9906-E49FADC173CA}"
-> {HKLM...CLSID} = "WinRAR"
\InProcServer32\(Default) = "C:\Program Files\WinRAR\rarext.dll" [null data]
HKLM\SOFTWARE\Classes\Folder\shellex\ContextMenuHandlers\
AVG7 Shell Extension\(Default) = "{9F97547E-4609-42C5-AE0C-81C61FFAEBC3}"
-> {HKLM...CLSID} = "AVG7 Shell Extension Class"
\InProcServer32\(Default) = "C:\Program Files\Grisoft\AVG7\avgse.dll" ["GRISOFT, s.r.o."]
WinRAR\(Default) = "{B41DB860-8EE4-11D2-9906-E49FADC173CA}"
-> {HKLM...CLSID} = "WinRAR"
\InProcServer32\(Default) = "C:\Program Files\WinRAR\rarext.dll" [null data]
Note: detected settings may not have any effect.
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\
"shutdownwithoutlogon" = (REG_DWORD) dword:0x00000001
{Computer Configuration|Windows Settings|Security Settings|Local Policies|Security Options|
Shutdown: Allow system to be shut down without having to log on}
"undockwithoutlogon" = (REG_DWORD) dword:0x00000001
{Computer Configuration|Windows Settings|Security Settings|Local Policies|Security Options|
Devices: Allow undock without having to log on}
"InstallVisualStyle" = (REG_EXPAND_SZ) C:\WINDOWS\Resources\Themes\Royale\Royale.msstyles
{unrecognized setting}
"InstallTheme" = (REG_EXPAND_SZ) C:\WINDOWS\Resources\Themes\Royale.theme
{unrecognized setting}
Active Desktop and Wallpaper:
Active Desktop may be disabled at this entry:
HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellState
Displayed if Active Desktop enabled and wallpaper not set by Group Policy:
HKCU\Software\Microsoft\Internet Explorer\Desktop\General\
"Wallpaper" = "C:\WINDOWS\Web\Wallpaper\Halo 2 - Desert Brigade.bmp"
Displayed if Active Desktop disabled and wallpaper not set by Group Policy:
HKCU\Control Panel\Desktop\
"Wallpaper" = "C:\WINDOWS\Web\Wallpaper\Halo 2 - Desert Brigade.bmp"
Enabled Screen Saver:
HKCU\Control Panel\Desktop\
"SCRNSAVE.EXE" = "C:\WINDOWS\system32\nature.scr" [MS]
Startup items in "Community Motors" & "All Users" startup folders:
C:\Documents and Settings\All Users\Start Menu\Programs\Startup
"Canon iR1200-1300 Status Window" -> shortcut to: "C:\WINDOWS\system32\spool\drivers\w32x86\3\CAPM2LAK.EXE !N" ["CANON INC."]
"Digital Line Detect" -> shortcut to: "C:\Program Files\Digital Line Detect\DLG.exe" ["BVRP Software"]
"Microsoft Office" -> shortcut to: "C:\Program Files\Microsoft Office\Office10\OSA.EXE -b -l" [MS]
"QuickBooks Update Agent" -> shortcut to: "C:\Program Files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe" ["Intuit, Inc."]
Enabled Scheduled Tasks:
"MP Scheduled Scan" -> launches: "C:\Program Files\Windows Defender\MpCmdRun.exe Scan -RestrictPrivileges" [MS]
Winsock2 Service Provider DLLs:
Namespace Service Providers
HKLM\SYSTEM\CurrentControlSet\Services\Winsock2\Parameters\NameSpace_Catalog5\Catalog_Entries\ {++}
000000000001\LibraryPath = "%SystemRoot%\System32\mswsock.dll" [MS]
000000000002\LibraryPath = "%SystemRoot%\System32\winrnr.dll" [MS]
000000000003\LibraryPath = "%SystemRoot%\System32\mswsock.dll" [MS]
Transport Service Providers
HKLM\SYSTEM\CurrentControlSet\Services\Winsock2\Parameters\Protocol_Catalog9\Catalog_Entries\ {++}
0000000000##\PackedCatalogItem (contains) DLL [Company Name], (at) ## range:
%SystemRoot%\system32\mswsock.dll [MS], 01 - 03, 06 - 15
%SystemRoot%\system32\rsvpsp.dll [MS], 04 - 05
Toolbars, Explorer Bars, Extensions:
Toolbars
HKCU\Software\Microsoft\Internet Explorer\Toolbar\ShellBrowser\
"{2318C2B1-4965-11D4-9B18-009027A5CD4F}"
-> {HKLM...CLSID} = "&Google"
\InProcServer32\(Default) = "c:\program files\google\googletoolbar1.dll" ["Google Inc."]
HKCU\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser\
"{2318C2B1-4965-11D4-9B18-009027A5CD4F}"
-> {HKLM...CLSID} = "&Google"
\InProcServer32\(Default) = "c:\program files\google\googletoolbar1.dll" ["Google Inc."]
HKLM\SOFTWARE\Microsoft\Internet Explorer\Toolbar\
"{2318C2B1-4965-11D4-9B18-009027A5CD4F}" = (no title provided)
-> {HKLM...CLSID} = "&Google"
\InProcServer32\(Default) = "c:\program files\google\googletoolbar1.dll" ["Google Inc."]
Explorer Bars
HKLM\SOFTWARE\Microsoft\Internet Explorer\Explorer Bars\
{FE54FA40-D68C-11D2-98FA-00C0F0318AFE}\(Default) = (no title provided)
-> {HKLM...CLSID} = "Real.com"
\InProcServer32\(Default) = "C:\WINDOWS\system32\Shdocvw.dll" [MS]
Extensions (Tools menu items, main toolbar menu buttons)
HKLM\SOFTWARE\Microsoft\Internet Explorer\Extensions\
{08B0E5C0-4FCB-11CF-AAA5-00401C608501}\
"MenuText" = "Sun Java Console"
"CLSIDExtension" = "{CAFEEFAC-0016-0000-0005-ABCDEFFEDCBC}"
-> {HKCU...CLSID} = "Java Plug-in 1.6.0_05"
\InProcServer32\(Default) = "C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll" ["Sun Microsystems, Inc."]
-> {HKLM...CLSID} = "Java Plug-in 1.6.0_05"
\InProcServer32\(Default) = "C:\Program Files\Java\jre1.6.0_05\bin\npjpi160_05.dll" ["Sun Microsystems, Inc."]
{B205A35E-1FC4-4CE3-818B-899DBBB3388C}\
{CD67F990-D8E9-11D2-98FE-00C0F0318AFE}\
"ButtonText" = "Real.com"
{E2E2DD38-D088-4134-82B7-F2BA38496583}\
"MenuText" = "@xpsp3res.dll,-20001"
"Exec" = "%windir%\Network Diagnostic\xpnetdiag.exe" [MS]
{FB5F1910-F110-11D2-BB9E-00C04F795683}\
"ButtonText" = "Messenger"
"MenuText" = "Windows Messenger"
"Exec" = "C:\Program Files\Messenger\msmsgs.exe" [MS]
Running Services (Display Name, Service Name, Path {Service DLL}):
Ati HotKey Poller, Ati HotKey Poller, "C:\WINDOWS\system32\Ati2evxx.exe" ["ATI Technologies Inc."]
AVG E-mail Scanner, AVGEMS, "C:\PROGRA~1\Grisoft\AVG7\avgemc.exe" ["GRISOFT, s.r.o."]
AVG7 Alert Manager Server, Avg7Alrt, "C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe" ["GRISOFT, s.r.o."]
AVG7 Update Service, Avg7UpdSvc, "C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe" ["GRISOFT, s.r.o."]
EvtEng, EvtEng, "C:\Program Files\Intel\Wireless\Bin\EvtEng.exe" ["Intel Corporation"]
Media Center Extender Service, McrdSvc, "C:\WINDOWS\ehome\mcrdsvc.exe" [MS]
Media Center Receiver Service, ehRecvr, "C:\WINDOWS\eHome\ehRecvr.exe" [MS]
Media Center Scheduler Service, ehSched, "C:\WINDOWS\eHome\ehSched.exe" [MS]
NICCONFIGSVC, NICCONFIGSVC, "C:\Program Files\Dell\NICCONFIGSVC\NICCONFIGSVC.exe" ["Dell Inc."]
RegSrvc, RegSrvc, "C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe" ["Intel Corporation"]
Spectrum24 Event Monitor, S24EventMonitor, "C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe" ["Intel Corporation "]
SupportSoft Sprocket Service (dellsupportcenter), sprtsvc_dellsupportcenter, "C:\Program Files\Dell Support Center\bin\sprtsvc.exe /service /p dellsupportcenter" ["SupportSoft, Inc."]
Windows Defender, WinDefend, ""C:\Program Files\Windows Defender\MsMpEng.exe"" [MS]
WLANKEEPER, WLANKEEPER, "C:\Program Files\Intel\Wireless\Bin\WLKeeper.exe" ["Intel® Corporation"]
Print Monitors:
HKLM\SYSTEM\CurrentControlSet\Control\Print\Monitors\
CAPM2 Monitor\Driver = "CAPM2LMK.DLL" ["CANON INC."]
Microsoft Shared Fax Monitor\Driver = "FXSMON.DLL" [MS]
PostScript Port\Driver = "postscriptmon.dll" [null data]
(launch time: 2008-03-17 13:00:17)
<<!>>: Suspicious data at a malware launch point.
+ This report excludes default entries except where indicated.
+ To see *everywhere* the script checks and *everything* it finds,
launch it from a command prompt or a shortcut with the -all parameter.
+ To search all directories of local fixed drives for DESKTOP.INI
DLL launch points, use the -supp parameter or answer "No" at the
first message box and "Yes" at the second message box.
(total run time: 44 seconds, including 13 seconds for message boxes)
To keep them from interfering with the repairs, be sure to temporarily disable all antivirus/anti-spyware softwares while these steps are being completed. This can usually be done through right clicking the software's Taskbar icons, or accessing each software through Start - Programs.
Download ComboFix.exe from here to your desktop.
Then disable your net access, and click the downloaded file to run the repair.
When starting ComboFix will cause your computer's internal speakers to produce two beeps, and during the start process display two warnings. These are intended to discourage people who are not getting help in the forum from just experimenting with tools they do not understand. Just to inform you so you will understand that the procedures are expected, and okay.
ComboFix will also change the drive autoplay settings there as it's own added security measure. When we have completed all repairs here we will return the default Windows settings.
A caution - do not touch your mouse/keyboard until the scan has completed. The scan will temporarily disable your desktop, and if interrupted may leave your desktop disabled. If this occurs, please reboot to restore the desktop, however given the infection there ComboFix will likely cause a reboot in order to complete it's repairs.
(ComboFix will also disable any screensaver settings made, so know that at some point when we complete repairs you will need to reset your screensaver)
Re-enable net access, and post back the C:\ComboFix.txt log as well as a new HijackThis log please.
ComboFix 08-03-17.1 - Community Motors 2008-03-18 9:01:42.1 - NTFSx86
Running from: C:\Documents and Settings\Community Motors\Desktop\ComboFix.exe
* Created a new restore point
WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
C:\Documents and Settings\Community Motors\Application Data\macromedia\Flash Player\#SharedObjects\FJH3ZYNE\www.broadcaster.com
C:\Documents and Settings\Community Motors\Application Data\macromedia\Flash Player\#SharedObjects\FJH3ZYNE\www.broadcaster.com\played_list.sol
C:\Documents and Settings\Community Motors\Application Data\macromedia\Flash Player\#SharedObjects\FJH3ZYNE\www.broadcaster.com\video_queue.sol
C:\Documents and Settings\Community Motors\Application Data\macromedia\Flash Player\macromedia.com\support\flashplayer\sys\#www.broadcaster.com
C:\Documents and Settings\Community Motors\Application Data\macromedia\Flash Player\macromedia.com\support\flashplayer\sys\#www.broadcaster.com\settings.sol
C:\Program Files\Common Files\{18C34~1
C:\Program Files\inetget2
C:\Program Files\video activex object
C:\Program Files\video activex object\ot.ico
C:\Program Files\video activex object\ts.ico
C:\WINDOWS\setup.exe
C:\WINDOWS\system32\adrot-uninst.exe
C:\WINDOWS\system32\bszip.dll
C:\WINDOWS\system32\uninsticn.exe
C:\WINDOWS\wr.txt
.
((((((((((((((((((((((((( Files Created from 2008-02-18 to 2008-03-18 )))))))))))))))))))))))))))))))
.
2008-03-18 08:14 . 2004-08-04 01:56 146,432 --a
C:\WINDOWS\system32\dllcache\regedit.exe
2008-03-18 08:14 . 2004-08-04 01:56 146,432 --a
C:\WINDOWS\regedit.exe
2008-03-18 08:09 . 2008-03-18 08:09 <DIR> d
C:\ComboFix(2)
2008-03-17 12:51 . 2008-03-17 12:57 <DIR> d
C:\fixwareout
2008-03-15 13:18 . 2008-03-15 13:18 1,158 --a
C:\WINDOWS\mozver.dat
2008-03-15 13:16 . 2008-03-15 13:16 <DIR> d
C:\Documents and Settings\Community Motors\Application Data\Talkback
2008-03-15 13:16 . 2008-03-15 13:16 0 --a
C:\WINDOWS\nsreg.dat
2008-03-12 12:21 . 2008-02-22 02:33 69,632 --a
C:\WINDOWS\system32\javacpl.cpl
2008-03-12 11:36 . 2008-03-15 14:04 <DIR> d
C:\Documents and Settings\Community Motors\.SunDownloadManager
2008-03-07 15:30 . 2002-08-16 13:43 299,008 --a
C:\WINDOWS\system32\PSPrinter.exe
2008-03-07 15:30 . 2002-08-16 13:43 204,800 --a
C:\WINDOWS\Uninstall.exe
2008-03-07 15:30 . 2002-08-16 13:39 196,608 --a
C:\WINDOWS\InstallPostScriptPort.exe
2008-03-07 15:30 . 2002-06-05 15:12 22,528 --a
C:\WINDOWS\system32\postscriptmon.dll
2008-03-07 15:30 . 2002-05-15 13:42 9,216 --a
C:\WINDOWS\system32\ddklocalui.dll
2008-03-07 15:30 . 2008-03-07 15:30 38 --a
C:\WINDOWS\system32\EDRPDriver.ini
2008-03-07 15:21 . 2008-03-07 15:28 20,761 --a
C:\WINDOWS\system32\PSPORT
2008-03-07 09:19 . 2008-03-07 09:19 <DIR> d
C:\Documents and Settings\Community Motors\Application Data\CyberLink
2008-03-04 11:06 . 2008-03-15 14:09 <DIR> d
C:\PrintImages
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-03-18 00:05
d
w C:\Documents and Settings\All Users\Application Data\avg7
2008-03-15 18:59
d
w C:\Program Files\Trend Micro
2008-03-12 18:21
d
w C:\Program Files\Java
2008-03-11 21:41
d
w C:\Documents and Settings\Community Motors\Application Data\AVG7
2008-03-07 21:30
d--h--w C:\Program Files\InstallShield Installation Information
2008-02-28 13:49
d
w C:\Documents and Settings\All Users\Application Data\Dell
2008-02-22 18:02 6,360 ----a-w C:\Documents and Settings\Community Motors\Application Data\wklnhst.dat
2008-02-14 16:06
d
w C:\Program Files\RGB
2008-01-11 05:53 44,544 ----a-w C:\WINDOWS\system32\dllcache\pngfilt.dll
2007-12-19 23:01 347,136 ----a-w C:\WINDOWS\system32\dllcache\dxtmsft.dll
2007-12-18 09:51 179,584
w C:\WINDOWS\system32\dllcache\mrxdav.sys
2006-06-05 02:44 65,408 ----a-w C:\Documents and Settings\Community Motors\Application Data\GDIPFONTCACHEV1.DAT
2007-02-21 16:59 56 --sh--r C:\WINDOWS\system32\0816B84B95.sys
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{0B6899B6-1564-43e0-BD93-F7CF930A5E5C}]
C:\WINDOWS\system32\nsu15B2.dll
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{746455FE-D059-47e7-AF0E-140E03F5A447}]
C:\WINDOWS\system32\nszD.dll
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{E1B2E864-8BFC-4072-AE11-924E0F8BBA96}]
C:\WINDOWS\system32\comcap16.dll
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{EEC590D8-0A3C-4464-BB20-25A4747992F9}]
C:\WINDOWS\system32\adrotate.dll
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" [2004-10-13 10:24 1694208]
"swg"="C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-07-02 07:51 68856]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-10 05:00 15360]
"DellSupport"="C:\Program Files\DellSupport\DSAgnt.exe" [2007-03-15 11:09 460784]
"DellSupportCenter"="C:\Program Files\Dell Support Center\bin\sprtcmd.exe" [2007-11-15 10:23 202544]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"RealTray"="C:\Program Files\Real\RealPlayer\RealPlay.exe" [2006-01-18 22:34 26112]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2006-01-18 22:34 98304]
"ISUSScheduler"="C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" [2005-06-10 10:44 81920]
"IntelWireless"="C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe" [2004-10-30 14:59 385024]
"ehTray"="C:\WINDOWS\ehome\ehtray.exe" [2005-09-29 14:01 67584]
"DVDLauncher"="C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe" [2005-02-23 16:19 53248]
"Dell QuickSet"="C:\Program Files\Dell\QuickSet\quickset.exe" [2005-09-01 17:24 684032]
"AVG7_CC"="C:\PROGRA~1\Grisoft\AVG7\avgcc.exe" [2007-12-26 09:19 579072]
"ATIPTA"="C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [2005-08-05 21:05 344064]
"Apoint"="C:\Program Files\Apoint\Apoint.exe" [2004-09-13 16:33 155648]
"dla"="C:\WINDOWS\system32\dla\tfswctrl.exe" [2005-05-31 05:33 122941]
"Windows Defender"="C:\Program Files\Windows Defender\MSASCui.exe" [2006-11-03 18:20 866584]
"dscactivate"="C:\Program Files\Dell Support Center\gs_agent\custom\dsca.exe" [2007-11-15 10:24 16384]
"Adobe Photo Downloader"="C:\Program Files\Adobe\Photoshop Album Starter Edition\3.2\Apps\apdproxy.exe" [2007-03-09 12:09 63712]
"Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2007-10-10 20:51 39792]
"PC Adware-Spware Removal"="C:\Program Files\PC Adware-Spyware Removal\PCAdwareSpywareRemoval.exe" [ ]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe" [2008-02-22 04:25 144784]
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"AVG7_Run"="C:\PROGRA~1\Grisoft\AVG7\avgw.exe" [2007-10-22 09:03 219136]
C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Canon iR1200-1300 Status Window.LNK - C:\WINDOWS\system32\spool\drivers\w32x86\3\CAPM2LAK.EXE [2002-07-11 11:00:00 30720]
Digital Line Detect.lnk - C:\Program Files\Digital Line Detect\DLG.exe [2006-01-18 22:31:01 24576]
Microsoft Office.lnk - C:\Program Files\Microsoft Office\Office10\OSA.EXE [2001-02-13 01:01:04 83360]
QuickBooks Update Agent.lnk - C:\Program Files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe [2004-11-11 11:59:36 806912]
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"InstallVisualStyle"= C:\WINDOWS\Resources\Themes\Royale\Royale.msstyles
"InstallTheme"= C:\WINDOWS\Resources\Themes\Royale.theme
[hkey_local_machine\software\microsoft\windows\currentversion\explorer\sharedtaskscheduler]
"{bd0fc212-0a36-4232-83cc-2063fb9282e0}"= C:\WINDOWS\system32\qzviz.dll [ ]
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\intel3]
intel3.dll
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\IntelWireless]
C:\Program Files\Intel\Wireless\Bin\LgNotify.dll 2004-09-07 16:08 110592 C:\Program Files\Intel\Wireless\Bin\LgNotify.dll
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\SLWIN\\Slw.exe"=
"C:\\Program Files\\Messenger\\msmsgs.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"C:\\Documents and Settings\\Community Motors\\My Documents\\Downloaded Program Updates\\Update Manager\\utorrent.exe"=
"C:\\Program Files\\Grisoft\\AVG7\\avginet.exe"=
"C:\\Program Files\\Grisoft\\AVG7\\avgamsvr.exe"=
"C:\\Program Files\\Grisoft\\AVG7\\avgcc.exe"=
"C:\\Program Files\\Grisoft\\AVG7\\avgemc.exe"=
"3389:TCP"= 3389:TCP:@xpsp2res.dll,-22009
R2 sprtsvc_dellsupportcenter;SupportSoft Sprocket Service (dellsupportcenter);C:\Program Files\Dell Support Center\bin\sprtsvc.exe [2007-11-15 10:23]
S1 intel5;INTEL processor extention;C:\WINDOWS\system32\intel5.sys []
S2 RapidPortM2;RapidPortM2;C:\WINDOWS\system32\Drivers\CAPM2LP.SYS [2002-07-11 11:00]
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{361ac05d-0e0d-11da-9aa9-806d6172696f}]
\Shell\AutoRun\command - E:\setup.exe
.
Contents of the 'Scheduled Tasks' folder
"2008-03-18 14:01:47 C:\WINDOWS\Tasks\MP Scheduled Scan.job"
- C:\Program Files\Windows Defender\MpCmdRun.exe
.
**************************************************************************
catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-03-18 09:05:27
Windows 5.1.2600 Service Pack 2 NTFS
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
scan completed successfully
hidden files: 0
**************************************************************************
.
Completion time: 2008-03-18 9:06:20
ComboFix-quarantined-files.txt 2008-03-18 15:06:05
.
2008-03-17 22:05:38 --- E O F ---
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 10:13:47 AM, on 3/18/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16608)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
C:\Program Files\Intel\Wireless\Bin\WLKeeper.exe
C:\Program Files\Intel\Wireless\Bin\ZcfgSvc.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Intel\Wireless\Bin\1XConfig.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\Program Files\Dell\NICCONFIGSVC\NICCONFIGSVC.exe
C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
C:\Program Files\Dell Support Center\bin\sprtsvc.exe
C:\WINDOWS\system32\CAPM2RSK.EXE
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\dllhost.exe
C:\Program Files\Real\RealPlayer\RealPlay.exe
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe
C:\WINDOWS\ehome\ehtray.exe
C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe
C:\Program Files\Dell\QuickSet\quickset.exe
C:\WINDOWS\eHome\ehmsas.exe
C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Program Files\Apoint\Apoint.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\Program Files\Adobe\Photoshop Album Starter Edition\3.2\Apps\apdproxy.exe
C:\Program Files\Apoint\Apntex.exe
C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\DellSupport\DSAgnt.exe
C:\Program Files\Dell Support Center\bin\sprtcmd.exe
C:\WINDOWS\system32\spool\drivers\w32x86\3\CAPM2LAK.EXE
C:\WINDOWS\system32\spool\drivers\w32x86\3\CAPM2SWK.EXE
C:\WINDOWS\system32\spool\drivers\w32x86\3\CAPM2SWK.EXE
C:\Program Files\Digital Line Detect\DLG.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\PROGRA~1\Mozilla Firefox\firefox.exe
C:\SLWIN\slw.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: SSL encrypt - {0B6899B6-1564-43e0-BD93-F7CF930A5E5C} - C:\WINDOWS\system32\nsu15B2.dll (file missing)
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
O2 - BHO: SSL encrypt - {746455FE-D059-47e7-AF0E-140E03F5A447} - C:\WINDOWS\system32\nszD.dll (file missing)
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\2.0.1121.2472\swg.dll
O2 - BHO: GoogleAFE - {CA6319C0-31B7-401E-A518-A07C3DB8F777} - c:\Program Files\GoogleAFE\GoogleAE.dll
O2 - BHO: ComCap - {E1B2E864-8BFC-4072-AE11-924E0F8BBA96} - C:\WINDOWS\system32\comcap16.dll (file missing)
O2 - BHO: AD Rotator - {EEC590D8-0A3C-4464-BB20-25A4747992F9} - C:\WINDOWS\system32\adrotate.dll (file missing)
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [IntelWireless] C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe /tf Intel PROSet/Wireless
O4 - HKLM\..\Run: [ehTray] C:\WINDOWS\ehome\ehtray.exe
O4 - HKLM\..\Run: [DVDLauncher] "C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe"
O4 - HKLM\..\Run: [Dell QuickSet] C:\Program Files\Dell\QuickSet\quickset.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [ATIPTA] "C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe"
O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint\Apoint.exe
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKLM\..\Run: [dscactivate] "C:\Program Files\Dell Support Center\gs_agent\custom\dsca.exe"
O4 - HKLM\..\Run: [Adobe Photo Downloader] "C:\Program Files\Adobe\Photoshop Album Starter Edition\3.2\Apps\apdproxy.exe"
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [PC Adware-Spware Removal] C:\Program Files\PC Adware-Spyware Removal\PCAdwareSpywareRemoval.exe /quick
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe"
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [DellSupport] "C:\Program Files\DellSupport\DSAgnt.exe" /startup
O4 - HKCU\..\Run: [DellSupportCenter] "C:\Program Files\Dell Support Center\bin\sprtcmd.exe" /P DellSupportCenter
O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'Default user')
O4 - Global Startup: Canon iR1200-1300 Status Window.LNK = C:\WINDOWS\system32\spool\drivers\w32x86\3\CAPM2LAK.EXE
O4 - Global Startup: Digital Line Detect.lnk = ?
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: QuickBooks Update Agent.lnk = C:\Program Files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra button: (no name) - {B205A35E-1FC4-4CE3-818B-899DBBB3388C} - C:\Program Files\Common Files\Microsoft Shared\Encarta Search Bar\ENCSBAR.DLL
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O15 - Trusted Zone: *.media-motor.net
O15 - Trusted Zone: *.mmohsix.com
O15 - Trusted Zone: http://click.getmirar.com (HKLM)
O15 - Trusted Zone: http://click.mirarsearch.com (HKLM)
O15 - Trusted Zone: http://redirect.mirarsearch.com (HKLM)
O15 - Trusted Zone: http://awbeta.net-nucleus.com (HKLM)
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://by128fd.bay128.hotmail.msn.com/resources/MsnPUpld.cab
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} (Java Runtime Environment 1.6.0) - http://javadl-esd.sun.com/update/1.6.0/jinstall-6u5-windows-i586-jc.cab
O20 - Winlogon Notify: intel3 - intel3.dll (file missing)
O22 - SharedTaskScheduler: curdler - {bd0fc212-0a36-4232-83cc-2063fb9282e0} - C:\WINDOWS\system32\qzviz.dll (file missing)
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
O23 - Service: DSBrokerService - Unknown owner - C:\Program Files\DellSupport\brkrsvc.exe
O23 - Service: EvtEng - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
O23 - Service: NICCONFIGSVC - Dell Inc. - C:\Program Files\Dell\NICCONFIGSVC\NICCONFIGSVC.exe
O23 - Service: RegSrvc - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
O23 - Service: Spectrum24 Event Monitor (S24EventMonitor) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
O23 - Service: SupportSoft Sprocket Service (dellsupportcenter) (sprtsvc_dellsupportcenter) - SupportSoft, Inc. - C:\Program Files\Dell Support Center\bin\sprtsvc.exe
O23 - Service: WLANKEEPER - Intel® Corporation - C:\Program Files\Intel\Wireless\Bin\WLKeeper.exe
--
End of file - 10193 bytes
Be sure to continue to temporarily disable any protective software when running the scan tools we use here.
Open notepad (go to Start, Run, type notepad and press Enter) and copy/paste the text in the codebox below into it:
Save this to your desktop as "CFScript"
(include the "quotation marks" with the name)
You should now have both ComboFix and that CFScript on the desktop. Just left click/hold on the CFScript file, and drag it into ComboFix to start the scan.
ComboFix will now run as it did before. Allow the scan to run. When completed a text window will appear - please copy/paste the contents back here. This log can also be found at C:\ComboFix.txt.
A caution - do not touch your mouse/keyboard until the scan has completed. The scan will temporarily disable your desktop, and if interrupted may leave your desktop disabled. If this occurs, please reboot to restore the desktop.
Also Go here and run the Kaspersky online scan, and post back the log it creates (it requires IE).
To use the scan, once the download has completed click Scan Settings, then make sure the "extended option" is checked (leave all others as they are) and click OK. Then click My Computer to begin the scan. Save the Report as a text file and post that back here.
To save it as a text file, still with the page in Internet Explorer, go to the top of the page and select File - Save As... Then make sure in the "Save as type" drop down you change it to "Text File(*.txt)".
Post back that log along with the ComboFix.txt and a new HijackThis log please.
ComboFix 08-03-17.1 - Community Motors 2008-03-18 14:52:18.2 - NTFSx86
Running from: C:\Documents and Settings\Community Motors\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\Community Motors\Desktop\CFScript
* Created a new restore point
WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
FILE ::
C:\WINDOWS\system32\adrotate.dll
C:\WINDOWS\system32\comcap16.dll
C:\WINDOWS\system32\intel3.dll
C:\WINDOWS\system32\nsu15B2.dll
C:\WINDOWS\system32\nszD.dll
.
((((((((((((((((((((((((( Files Created from 2008-02-18 to 2008-03-18 )))))))))))))))))))))))))))))))
.
2008-03-18 08:14 . 2004-08-04 01:56 146,432 --a
C:\WINDOWS\system32\dllcache\regedit.exe
2008-03-18 08:14 . 2004-08-04 01:56 146,432 --a
C:\WINDOWS\regedit.exe
2008-03-18 08:09 . 2008-03-18 08:09 <DIR> d
C:\ComboFix(2)
2008-03-17 12:51 . 2008-03-17 12:57 <DIR> d
C:\fixwareout
2008-03-15 13:18 . 2008-03-15 13:18 1,158 --a
C:\WINDOWS\mozver.dat
2008-03-15 13:16 . 2008-03-15 13:16 <DIR> d
C:\Documents and Settings\Community Motors\Application Data\Talkback
2008-03-15 13:16 . 2008-03-15 13:16 0 --a
C:\WINDOWS\nsreg.dat
2008-03-12 12:21 . 2008-02-22 02:33 69,632 --a
C:\WINDOWS\system32\javacpl.cpl
2008-03-12 11:36 . 2008-03-15 14:04 <DIR> d
C:\Documents and Settings\Community Motors\.SunDownloadManager
2008-03-07 15:30 . 2002-08-16 13:43 299,008 --a
C:\WINDOWS\system32\PSPrinter.exe
2008-03-07 15:30 . 2002-08-16 13:43 204,800 --a
C:\WINDOWS\Uninstall.exe
2008-03-07 15:30 . 2002-08-16 13:39 196,608 --a
C:\WINDOWS\InstallPostScriptPort.exe
2008-03-07 15:30 . 2002-06-05 15:12 22,528 --a
C:\WINDOWS\system32\postscriptmon.dll
2008-03-07 15:30 . 2002-05-15 13:42 9,216 --a
C:\WINDOWS\system32\ddklocalui.dll
2008-03-07 15:30 . 2008-03-07 15:30 38 --a
C:\WINDOWS\system32\EDRPDriver.ini
2008-03-07 15:21 . 2008-03-07 15:28 20,761 --a
C:\WINDOWS\system32\PSPORT
2008-03-07 09:19 . 2008-03-07 09:19 <DIR> d
C:\Documents and Settings\Community Motors\Application Data\CyberLink
2008-03-04 11:06 . 2008-03-15 14:09 <DIR> d
C:\PrintImages
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-03-18 00:05
d
w C:\Documents and Settings\All Users\Application Data\avg7
2008-03-15 18:59
d
w C:\Program Files\Trend Micro
2008-03-12 18:21
d
w C:\Program Files\Java
2008-03-11 21:41
d
w C:\Documents and Settings\Community Motors\Application Data\AVG7
2008-03-07 21:30
d--h--w C:\Program Files\InstallShield Installation Information
2008-02-28 13:49
d
w C:\Documents and Settings\All Users\Application Data\Dell
2008-02-22 18:02 6,360 ----a-w C:\Documents and Settings\Community Motors\Application Data\wklnhst.dat
2008-02-14 16:06
d
w C:\Program Files\RGB
2008-01-11 05:53 44,544 ----a-w C:\WINDOWS\system32\dllcache\pngfilt.dll
2007-12-19 23:01 347,136 ----a-w C:\WINDOWS\system32\dllcache\dxtmsft.dll
2007-12-18 09:51 179,584
w C:\WINDOWS\system32\dllcache\mrxdav.sys
2006-06-05 02:44 65,408 ----a-w C:\Documents and Settings\Community Motors\Application Data\GDIPFONTCACHEV1.DAT
2007-02-21 16:59 56 --sh--r C:\WINDOWS\system32\0816B84B95.sys
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" [2004-10-13 10:24 1694208]
"swg"="C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-07-02 07:51 68856]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-10 05:00 15360]
"DellSupport"="C:\Program Files\DellSupport\DSAgnt.exe" [2007-03-15 11:09 460784]
"DellSupportCenter"="C:\Program Files\Dell Support Center\bin\sprtcmd.exe" [2007-11-15 10:23 202544]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"RealTray"="C:\Program Files\Real\RealPlayer\RealPlay.exe" [2006-01-18 22:34 26112]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2006-01-18 22:34 98304]
"ISUSScheduler"="C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" [2005-06-10 10:44 81920]
"IntelWireless"="C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe" [2004-10-30 14:59 385024]
"ehTray"="C:\WINDOWS\ehome\ehtray.exe" [2005-09-29 14:01 67584]
"DVDLauncher"="C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe" [2005-02-23 16:19 53248]
"Dell QuickSet"="C:\Program Files\Dell\QuickSet\quickset.exe" [2005-09-01 17:24 684032]
"AVG7_CC"="C:\PROGRA~1\Grisoft\AVG7\avgcc.exe" [2007-12-26 09:19 579072]
"ATIPTA"="C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [2005-08-05 21:05 344064]
"Apoint"="C:\Program Files\Apoint\Apoint.exe" [2004-09-13 16:33 155648]
"dla"="C:\WINDOWS\system32\dla\tfswctrl.exe" [2005-05-31 05:33 122941]
"Windows Defender"="C:\Program Files\Windows Defender\MSASCui.exe" [2006-11-03 18:20 866584]
"dscactivate"="C:\Program Files\Dell Support Center\gs_agent\custom\dsca.exe" [2007-11-15 10:24 16384]
"Adobe Photo Downloader"="C:\Program Files\Adobe\Photoshop Album Starter Edition\3.2\Apps\apdproxy.exe" [2007-03-09 12:09 63712]
"Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2007-10-10 20:51 39792]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe" [2008-02-22 04:25 144784]
"AVG7_Run"="C:\PROGRA~1\Grisoft\AVG7\avgw.exe" [2007-10-22 09:03 219136]
C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Canon iR1200-1300 Status Window.LNK - C:\WINDOWS\system32\spool\drivers\w32x86\3\CAPM2LAK.EXE [2002-07-11 11:00:00 30720]
Digital Line Detect.lnk - C:\Program Files\Digital Line Detect\DLG.exe [2006-01-18 22:31:01 24576]
Microsoft Office.lnk - C:\Program Files\Microsoft Office\Office10\OSA.EXE [2001-02-13 01:01:04 83360]
QuickBooks Update Agent.lnk - C:\Program Files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe [2004-11-11 11:59:36 806912]
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"InstallVisualStyle"= C:\WINDOWS\Resources\Themes\Royale\Royale.msstyles
"InstallTheme"= C:\WINDOWS\Resources\Themes\Royale.theme
[hkey_local_machine\software\microsoft\windows\currentversion\explorer\sharedtaskscheduler]
"{bd0fc212-0a36-4232-83cc-2063fb9282e0}"= C:\WINDOWS\system32\qzviz.dll [ ]
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\IntelWireless]
C:\Program Files\Intel\Wireless\Bin\LgNotify.dll 2004-09-07 16:08 110592 C:\Program Files\Intel\Wireless\Bin\LgNotify.dll
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\SLWIN\\Slw.exe"=
"C:\\Program Files\\Messenger\\msmsgs.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"C:\\Documents and Settings\\Community Motors\\My Documents\\Downloaded Program Updates\\Update Manager\\utorrent.exe"=
"C:\\Program Files\\Grisoft\\AVG7\\avginet.exe"=
"C:\\Program Files\\Grisoft\\AVG7\\avgamsvr.exe"=
"C:\\Program Files\\Grisoft\\AVG7\\avgcc.exe"=
"C:\\Program Files\\Grisoft\\AVG7\\avgemc.exe"=
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3389:TCP"= 3389:TCP:@xpsp2res.dll,-22009
R2 sprtsvc_dellsupportcenter;SupportSoft Sprocket Service (dellsupportcenter);C:\Program Files\Dell Support Center\bin\sprtsvc.exe [2007-11-15 10:23]
S1 intel5;INTEL processor extention;C:\WINDOWS\system32\intel5.sys []
S2 RapidPortM2;RapidPortM2;C:\WINDOWS\system32\Drivers\CAPM2LP.SYS [2002-07-11 11:00]
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{361ac05d-0e0d-11da-9aa9-806d6172696f}]
\Shell\AutoRun\command - E:\setup.exe
.
Contents of the 'Scheduled Tasks' folder
"2008-03-18 15:13:32 C:\WINDOWS\Tasks\MP Scheduled Scan.job"
- C:\Program Files\Windows Defender\MpCmdRun.exe
.
**************************************************************************
catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-03-18 14:56:19
Windows 5.1.2600 Service Pack 2 NTFS
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
scan completed successfully
hidden files: 0
**************************************************************************
.
Completion time: 2008-03-18 14:57:21
ComboFix-quarantined-files.txt 2008-03-18 20:57:04
ComboFix2.txt 2008-03-18 15:06:21
.
2008-03-17 22:05:38 --- E O F ---
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 3:38:08 PM, on 3/18/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16608)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
C:\Program Files\Intel\Wireless\Bin\WLKeeper.exe
C:\Program Files\Intel\Wireless\Bin\ZcfgSvc.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Intel\Wireless\Bin\1XConfig.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\Program Files\Dell\NICCONFIGSVC\NICCONFIGSVC.exe
C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
C:\Program Files\Dell Support Center\bin\sprtsvc.exe
C:\WINDOWS\system32\CAPM2RSK.EXE
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\dllhost.exe
C:\Program Files\Real\RealPlayer\RealPlay.exe
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe
C:\WINDOWS\ehome\ehtray.exe
C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe
C:\Program Files\Dell\QuickSet\quickset.exe
C:\WINDOWS\eHome\ehmsas.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Program Files\Apoint\Apoint.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\Program Files\Adobe\Photoshop Album Starter Edition\3.2\Apps\apdproxy.exe
C:\Program Files\Apoint\Apntex.exe
C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\DellSupport\DSAgnt.exe
C:\Program Files\Dell Support Center\bin\sprtcmd.exe
C:\WINDOWS\system32\spool\drivers\w32x86\3\CAPM2LAK.EXE
C:\WINDOWS\system32\spool\drivers\w32x86\3\CAPM2SWK.EXE
C:\WINDOWS\system32\spool\drivers\w32x86\3\CAPM2SWK.EXE
C:\Program Files\Digital Line Detect\DLG.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\SLWIN\slw.exe
C:\PROGRA~1\Mozilla Firefox\firefox.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\system32\notepad.exe
C:\Program Files\internet explorer\iexplore.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\2.0.1121.2472\swg.dll
O2 - BHO: GoogleAFE - {CA6319C0-31B7-401E-A518-A07C3DB8F777} - c:\Program Files\GoogleAFE\GoogleAE.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [IntelWireless] C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe /tf Intel PROSet/Wireless
O4 - HKLM\..\Run: [ehTray] C:\WINDOWS\ehome\ehtray.exe
O4 - HKLM\..\Run: [DVDLauncher] "C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe"
O4 - HKLM\..\Run: [Dell QuickSet] C:\Program Files\Dell\QuickSet\quickset.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [ATIPTA] "C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe"
O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint\Apoint.exe
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKLM\..\Run: [dscactivate] "C:\Program Files\Dell Support Center\gs_agent\custom\dsca.exe"
O4 - HKLM\..\Run: [Adobe Photo Downloader] "C:\Program Files\Adobe\Photoshop Album Starter Edition\3.2\Apps\apdproxy.exe"
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe"
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [DellSupport] "C:\Program Files\DellSupport\DSAgnt.exe" /startup
O4 - HKCU\..\Run: [DellSupportCenter] "C:\Program Files\Dell Support Center\bin\sprtcmd.exe" /P DellSupportCenter
O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'Default user')
O4 - Global Startup: Canon iR1200-1300 Status Window.LNK = C:\WINDOWS\system32\spool\drivers\w32x86\3\CAPM2LAK.EXE
O4 - Global Startup: Digital Line Detect.lnk = ?
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: QuickBooks Update Agent.lnk = C:\Program Files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra button: (no name) - {B205A35E-1FC4-4CE3-818B-899DBBB3388C} - C:\Program Files\Common Files\Microsoft Shared\Encarta Search Bar\ENCSBAR.DLL
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O15 - Trusted Zone: *.media-motor.net
O15 - Trusted Zone: *.mmohsix.com
O15 - Trusted Zone: http://click.getmirar.com (HKLM)
O15 - Trusted Zone: http://click.mirarsearch.com (HKLM)
O15 - Trusted Zone: http://redirect.mirarsearch.com (HKLM)
O15 - Trusted Zone: http://awbeta.net-nucleus.com (HKLM)
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/english/kavwebscan_unicode.cab
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://by128fd.bay128.hotmail.msn.com/resources/MsnPUpld.cab
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} (Java Runtime Environment 1.6.0) - http://javadl-esd.sun.com/update/1.6.0/jinstall-6u5-windows-i586-jc.cab
O22 - SharedTaskScheduler: curdler - {bd0fc212-0a36-4232-83cc-2063fb9282e0} - C:\WINDOWS\system32\qzviz.dll (file missing)
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
O23 - Service: DSBrokerService - Unknown owner - C:\Program Files\DellSupport\brkrsvc.exe
O23 - Service: EvtEng - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
O23 - Service: NICCONFIGSVC - Dell Inc. - C:\Program Files\Dell\NICCONFIGSVC\NICCONFIGSVC.exe
O23 - Service: RegSrvc - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
O23 - Service: Spectrum24 Event Monitor (S24EventMonitor) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
O23 - Service: SupportSoft Sprocket Service (dellsupportcenter) (sprtsvc_dellsupportcenter) - SupportSoft, Inc. - C:\Program Files\Dell Support Center\bin\sprtsvc.exe
O23 - Service: WLANKEEPER - Intel® Corporation - C:\Program Files\Intel\Wireless\Bin\WLKeeper.exe
--
End of file - 9679 bytes
It'll be a few minutes befor the Kaspersky log will be done then i'll post it.
KASPERSKY ONLINE SCANNER REPORT
Tuesday, March 18, 2008 4:37:11 PM
Operating System: Microsoft Windows XP Professional, Service Pack 2 (Build 2600)
Kaspersky Online Scanner version: 5.0.98.0
Kaspersky Anti-Virus database last update: 18/03/2008
Kaspersky Anti-Virus database records: 638211
Scan Settings:
Scan using the following antivirus database: extended
Scan Archives: true
Scan Mail Bases: true
Scan Target - My Computer:
C:\
D:\
E:\
Scan Statistics:
Total number of scanned objects: 66500
Number of viruses found: 2
Number of infected objects: 4
Number of suspicious objects: 0
Duration of the scan process: 01:15:00
Infected Object Name / Virus Name / Last Action
C:\46.tmp/data0002 Infected: Trojan-Downloader.Win32.PurityScan.eg skipped
C:\46.tmp NSIS: infected - 1 skipped
C:\Documents and Settings\All Users\Application Data\avg7\Log\emc.log Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Grisoft\Avg7Data\avg7log.log Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Grisoft\Avg7Data\avg7log.log.lck Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Crypto\RSA\MachineKeys\3ad391678a806ec4d691e83aaa393b6f_24adf822-76f7-4481-b30b-ff1b40f8687f Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\eHome\logs\ehRecvr.log Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr0.dat Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr1.dat Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Windows Defender\Support\MPLog-04122007-074417.log Object is locked skipped
C:\Documents and Settings\All Users\Application Data\QSLLPSVCShare Object is locked skipped
C:\Documents and Settings\All Users\Application Data\SupportSoft\DellSupportCenter\SYSTEM\state\logs\sprtcmd.log Object is locked skipped
C:\Documents and Settings\Community Motors\Application Data\Gtek\GTUpdate\AUpdate\DellSupport\DSAgnt.log Object is locked skipped
C:\Documents and Settings\Community Motors\Application Data\Gtek\GTUpdate\AUpdate\DellSupport\DSAgnt_GTActions.log Object is locked skipped
C:\Documents and Settings\Community Motors\Application Data\Gtek\GTUpdate\AUpdate\DellSupport\gdql_d_DSAgnt.log Object is locked skipped
C:\Documents and Settings\Community Motors\Application Data\Gtek\GTUpdate\AUpdate\DellSupport\glog.log Object is locked skipped
C:\Documents and Settings\Community Motors\Application Data\Mozilla\Firefox\Profiles\obtzljnm.default\cert8.db Object is locked skipped
C:\Documents and Settings\Community Motors\Application Data\Mozilla\Firefox\Profiles\obtzljnm.default\history.dat Object is locked skipped
C:\Documents and Settings\Community Motors\Application Data\Mozilla\Firefox\Profiles\obtzljnm.default\key3.db Object is locked skipped
C:\Documents and Settings\Community Motors\Application Data\Mozilla\Firefox\Profiles\obtzljnm.default\parent.lock Object is locked skipped
C:\Documents and Settings\Community Motors\Application Data\Mozilla\Firefox\Profiles\obtzljnm.default\search.sqlite Object is locked skipped
C:\Documents and Settings\Community Motors\Application Data\Mozilla\Firefox\Profiles\obtzljnm.default\urlclassifier2.sqlite Object is locked skipped
C:\Documents and Settings\Community Motors\Application Data\Sun\Java\Deployment\cache\6.0\53\33cb4475-5c57a95c Infected: Exploit.Java.Gimsh.a skipped
C:\Documents and Settings\Community Motors\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\file\java.class-2275b795-15252dad.class Infected: Exploit.Java.Gimsh.a skipped
C:\Documents and Settings\Community Motors\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\Community Motors\Local Settings\Application Data\ApplicationHistory\sprtcmd.exe.63e7480d.ini.inuse Object is locked skipped
C:\Documents and Settings\Community Motors\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\Community Motors\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\Community Motors\Local Settings\Application Data\Microsoft\Windows Defender\FileTracker\{9DFCB30C-8B46-41BC-956A-6D994CA30092} Object is locked skipped
C:\Documents and Settings\Community Motors\Local Settings\Application Data\Mozilla\Firefox\Profiles\obtzljnm.default\Cache\_CACHE_001_ Object is locked skipped
C:\Documents and Settings\Community Motors\Local Settings\Application Data\Mozilla\Firefox\Profiles\obtzljnm.default\Cache\_CACHE_002_ Object is locked skipped
C:\Documents and Settings\Community Motors\Local Settings\Application Data\Mozilla\Firefox\Profiles\obtzljnm.default\Cache\_CACHE_003_ Object is locked skipped
C:\Documents and Settings\Community Motors\Local Settings\Application Data\Mozilla\Firefox\Profiles\obtzljnm.default\Cache\_CACHE_MAP_ Object is locked skipped
C:\Documents and Settings\Community Motors\Local Settings\Application Data\SupportSoft\DellSupportCenter\Community Motors\state\logs\sprtcmd.log Object is locked skipped
C:\Documents and Settings\Community Motors\Local Settings\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\Community Motors\Local Settings\Temp\CTT15AF.tmp Object is locked skipped
C:\Documents and Settings\Community Motors\Local Settings\Temp\CTT15B0.tmp Object is locked skipped
C:\Documents and Settings\Community Motors\Local Settings\Temp\CTT15B3.tmp Object is locked skipped
C:\Documents and Settings\Community Motors\Local Settings\Temp\CTT15BE.tmp Object is locked skipped
C:\Documents and Settings\Community Motors\Local Settings\Temp\CTT79C.tmp Object is locked skipped
C:\Documents and Settings\Community Motors\Local Settings\Temp\~DF2953.tmp Object is locked skipped
C:\Documents and Settings\Community Motors\Local Settings\Temp\~DFE4BC.tmp Object is locked skipped
C:\Documents and Settings\Community Motors\Local Settings\Temp\~DFE4C8.tmp Object is locked skipped
C:\Documents and Settings\Community Motors\Local Settings\Temporary Internet Files\AntiPhishing\B3BB5BBA-E7D5-40AB-A041-A5B1C0B26C8F.dat Object is locked skipped
C:\Documents and Settings\Community Motors\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\Community Motors\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\Community Motors\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\LocalService\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\LocalService\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\NetworkService\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\NetworkService\ntuser.dat.LOG Object is locked skipped
C:\System Volume Information\MountPointManagerRemoteDatabase Object is locked skipped
C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP503\change.log Object is locked skipped
C:\WINDOWS\CSC\00000001 Object is locked skipped
C:\WINDOWS\Debug\PASSWD.LOG Object is locked skipped
C:\WINDOWS\ModemLog_Conexant D110 MDC V.9x Modem.txt Object is locked skipped
C:\WINDOWS\Registration\{02D4B3F1-FD88-11D1-960D-00805FC79235}.{B31D31D9-1965-4463-9E0F-975B281148A4}.crmlog Object is locked skipped
C:\WINDOWS\SchedLgU.Txt Object is locked skipped
C:\WINDOWS\SoftwareDistribution\ReportingEvents.log Object is locked skipped
C:\WINDOWS\Sti_Trace.log Object is locked skipped
C:\WINDOWS\system32\CatRoot2\edb.log Object is locked skipped
C:\WINDOWS\system32\CatRoot2\tmp.edb Object is locked skipped
C:\WINDOWS\system32\config\AppEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\DEFAULT Object is locked skipped
C:\WINDOWS\system32\config\default.LOG Object is locked skipped
C:\WINDOWS\system32\config\Internet.evt Object is locked skipped
C:\WINDOWS\system32\config\Media Ce.evt Object is locked skipped
C:\WINDOWS\system32\config\SAM Object is locked skipped
C:\WINDOWS\system32\config\SAM.LOG Object is locked skipped
C:\WINDOWS\system32\config\SecEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\SECURITY Object is locked skipped
C:\WINDOWS\system32\config\SECURITY.LOG Object is locked skipped
C:\WINDOWS\system32\config\SOFTWARE Object is locked skipped
C:\WINDOWS\system32\config\software.LOG Object is locked skipped
C:\WINDOWS\system32\config\SysEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\SYSTEM Object is locked skipped
C:\WINDOWS\system32\config\system.LOG Object is locked skipped
C:\WINDOWS\system32\h323log.txt Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\INDEX.BTR Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\INDEX.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING.VER Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING1.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING2.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.DATA Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.MAP Object is locked skipped
C:\WINDOWS\wiadebug.log Object is locked skipped
C:\WINDOWS\wiaservc.log Object is locked skipped
C:\WINDOWS\WindowsUpdate.log Object is locked skipped
Scan process completed.
Make sure you can View Hidden Files. Also uncheck "Hide Extensions for Known File Types"
Do a search ( Start - Search/Find - Files or Folders) for the following hilighted files/folders (shown in Bold), and if found, delete them.
C:\46.tmp
Then Go to Start > Settings > Control Panel > Java and Under the General tab, click Delete Files. That will empty it's cached items.
Close Internet Explorer and all running programs and run a scan in HijackThis. Place a check next to all of the following lines, then select “Fix Checked” and close HijackThis.
O22 - SharedTaskScheduler: curdler - {bd0fc212-0a36-4232-83cc-2063fb9282e0} - C:\WINDOWS\system32\qzviz.dll (file missing)
Then Go here and download the free version of SUPERAntiSpyware and install it.
After installation accept any prompts to allow SUPERAntiSpyware to install the latest infection definition files. Next follow the prompts to complete the installation. For now, uncheck the option to have SUPERAntiSpyware "Automatically check for program and definition updates". Providing an email address and allowing the software to send diagnostic reports to it's research center are up to you. Do NOT allow SUPERAntiSpyware to Protect your Home Page settings.
Once the installation is complete open SUPERAntiSpyware and press the Preferences button. Under the General and Startup tab, uncheck the following (leaving all other settings as is).
Start-up Options:
*Start SUPERAntiSpyware when Windows starts
Automatic Updates:
*Check for program updates when the application starts.
Start-up Scanning:
*Check for updates before scanning on startup.
Then select Close. Don't scan just yet though.
Also Go Here and download ATF cleaner. Click on the downloaded file to run it, and select "Select All", then click Empty Selected (and close ATF).
If you have them, also click on Firefox/Opera at the top and repeat the steps (and close ATF). Firefox/Opera will need to be closed first for the cleaning to be effective.
===============================================
Reboot into Safe Mode (at startup tap the F8 key and select Safe Mode).
Open SUPERAntiSpyware and click the Scan your Computer button. You may need to start SUPERAntiSpyware, then right click the Taskbar icon (the little bug shaped icon) and select "Scan for Spyware, Adware, Malware..." to access the scan panel. Making sure that Fixed Drive (NTFS) is checked (typically the C Drive), check "Perform Complete Scan", then click Next. SUPERAntiSpyware will now complete a system scan.
SUPERAntiSpyware will now scan your computer and when its finished it will list all the infections it has found. Make sure that they all have a check next to them and click next. If prompted allow the reboot (or manually reboot at this time), and after the reboot open SUPERAntiSpyware again (double click the bug-shaped Taskbar icon).
Click Preferences, then under the Statistics/Logs tab, click to select the most recent Scan Log, then click View Log. Save the log to your desktop, and copy/paste the text from the log back here.
Run a new HijackThis scan, and post that back here along with the SUPERAntiSpyware log please.
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 10:10:13 AM, on 3/19/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16608)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
C:\Program Files\Intel\Wireless\Bin\WLKeeper.exe
C:\Program Files\Intel\Wireless\Bin\ZcfgSvc.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Intel\Wireless\Bin\1XConfig.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\Program Files\Dell\NICCONFIGSVC\NICCONFIGSVC.exe
C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
C:\Program Files\Dell Support Center\bin\sprtsvc.exe
C:\WINDOWS\system32\CAPM2RSK.EXE
C:\Program Files\Real\RealPlayer\RealPlay.exe
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe
C:\WINDOWS\ehome\ehtray.exe
C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe
C:\Program Files\Dell\QuickSet\quickset.exe
C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Program Files\Apoint\Apoint.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe
C:\Program Files\Apoint\Apntex.exe
C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\DellSupport\DSAgnt.exe
C:\Program Files\Dell Support Center\bin\sprtcmd.exe
C:\WINDOWS\system32\dllhost.exe
C:\WINDOWS\eHome\ehmsas.exe
C:\WINDOWS\system32\spool\drivers\w32x86\3\CAPM2LAK.EXE
C:\WINDOWS\system32\spool\drivers\w32x86\3\CAPM2SWK.EXE
C:\WINDOWS\system32\spool\drivers\w32x86\3\CAPM2SWK.EXE
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Digital Line Detect\DLG.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\WINDOWS\system32\notepad.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\2.0.1121.2472\swg.dll
O2 - BHO: GoogleAFE - {CA6319C0-31B7-401E-A518-A07C3DB8F777} - c:\Program Files\GoogleAFE\GoogleAE.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [IntelWireless] C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe /tf Intel PROSet/Wireless
O4 - HKLM\..\Run: [ehTray] C:\WINDOWS\ehome\ehtray.exe
O4 - HKLM\..\Run: [DVDLauncher] "C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe"
O4 - HKLM\..\Run: [Dell QuickSet] C:\Program Files\Dell\QuickSet\quickset.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [ATIPTA] "C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe"
O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint\Apoint.exe
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKLM\..\Run: [dscactivate] "C:\Program Files\Dell Support Center\gs_agent\custom\dsca.exe"
O4 - HKLM\..\Run: [Adobe Photo Downloader] "C:\Program Files\Adobe\Photoshop Album Starter Edition\3.2\Apps\apdproxy.exe"
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe"
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [DellSupport] "C:\Program Files\DellSupport\DSAgnt.exe" /startup
O4 - HKCU\..\Run: [DellSupportCenter] "C:\Program Files\Dell Support Center\bin\sprtcmd.exe" /P DellSupportCenter
O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'Default user')
O4 - Global Startup: Canon iR1200-1300 Status Window.LNK = C:\WINDOWS\system32\spool\drivers\w32x86\3\CAPM2LAK.EXE
O4 - Global Startup: Digital Line Detect.lnk = ?
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: QuickBooks Update Agent.lnk = C:\Program Files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra button: (no name) - {B205A35E-1FC4-4CE3-818B-899DBBB3388C} - C:\Program Files\Common Files\Microsoft Shared\Encarta Search Bar\ENCSBAR.DLL
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O15 - Trusted Zone: *.mmohsix.com
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/english/kavwebscan_unicode.cab
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://by128fd.bay128.hotmail.msn.com/resources/MsnPUpld.cab
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} (Java Runtime Environment 1.6.0) - http://javadl-esd.sun.com/update/1.6.0/jinstall-6u5-windows-i586-jc.cab
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
O23 - Service: DSBrokerService - Unknown owner - C:\Program Files\DellSupport\brkrsvc.exe
O23 - Service: EvtEng - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
O23 - Service: NICCONFIGSVC - Dell Inc. - C:\Program Files\Dell\NICCONFIGSVC\NICCONFIGSVC.exe
O23 - Service: RegSrvc - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
O23 - Service: Spectrum24 Event Monitor (S24EventMonitor) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
O23 - Service: SupportSoft Sprocket Service (dellsupportcenter) (sprtsvc_dellsupportcenter) - SupportSoft, Inc. - C:\Program Files\Dell Support Center\bin\sprtsvc.exe
O23 - Service: WLANKEEPER - Intel® Corporation - C:\Program Files\Intel\Wireless\Bin\WLKeeper.exe
--
End of file - 9369 bytes
SUPERAntiSpyware Scan Log
http://www.superantispyware.com
Generated 03/19/2008 at 09:58 AM
Application Version : 4.0.1154
Core Rules Database Version : 3421
Trace Rules Database Version: 1413
Scan type : Complete Scan
Total Scan Time : 00:51:32
Memory items scanned : 194
Memory threats detected : 0
Registry items scanned : 5577
Registry threats detected : 235
File items scanned : 14500
File threats detected : 20
Browser Hijacker.Internet Explorer Zone Hijack
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\getmirar.com
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\getmirar.com\click
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\getmirar.com\click#http
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\getmirar.com\click#https
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\mirarsearch.com
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\mirarsearch.com\click
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\mirarsearch.com\click#http
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\mirarsearch.com\click#https
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\mirarsearch.com\redirect
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\mirarsearch.com\redirect#http
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\mirarsearch.com\redirect#https
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\net-nucleus.com
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\net-nucleus.com\awbeta
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\net-nucleus.com\awbeta#http
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\net-nucleus.com\awbeta#https
HKU\S-1-5-21-4006730587-1961919399-1188117590-1005\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\media-motor.net
HKU\S-1-5-21-4006730587-1961919399-1188117590-1005\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\media-motor.net#*
Trojan.RieMon
C:\WINDOWS\SYSTEM32\IRSSYNCD.EXE
HKLM\Software\Microsoft\Windows\CurrentVersion\App Paths\irssyncd
HKLM\Software\Microsoft\Windows\CurrentVersion\App Paths\irssyncd#Path
HKCR\Iman.RieMon
HKCR\Iman.RieMon\CLSID
HKCR\Iman.RieMon\CurVer
HKCR\Iman.RieMon.1
HKCR\Iman.RieMon.1\CLSID
HKU\S-1-5-21-4006730587-1961919399-1188117590-1005\SOFTWARE\Irismon
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\App Paths\IRISm
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\App Paths\IRISm#Path
HKLM\SYSTEM\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\irssyncd.exe
Trojan.Downloader-Gen
C:\WINDOWS\SYSTEM32\ITALFDS.EXE
HKLM\Software\Microsoft\Windows\CurrentVersion\App Paths\ItalU
HKLM\Software\Microsoft\Windows\CurrentVersion\App Paths\ItalU#Path
Unclassified.Unknown Origin/System
C:\WINDOWS\SYSTEM32\TDOPUENB.EXE
HKLM\Software\Microsoft\Windows\CurrentVersion\App Paths\TDPer.exe
HKLM\Software\Microsoft\Windows\CurrentVersion\App Paths\TDPer.exe#Path
Adware.MovieLand/MediaPipe
HKCR\AppId\AMNotifier.EXE
HKCR\AppId\AMNotifier.EXE#AppID
HKCR\TypeLib\{AFDBB222-DEA9-4C12-B3A3-A13C2985E3EE}
HKCR\TypeLib\{AFDBB222-DEA9-4C12-B3A3-A13C2985E3EE}\1.0
HKCR\TypeLib\{AFDBB222-DEA9-4C12-B3A3-A13C2985E3EE}\1.0\0
HKCR\TypeLib\{AFDBB222-DEA9-4C12-B3A3-A13C2985E3EE}\1.0\0\win32
HKCR\TypeLib\{AFDBB222-DEA9-4C12-B3A3-A13C2985E3EE}\1.0\FLAGS
HKCR\TypeLib\{AFDBB222-DEA9-4C12-B3A3-A13C2985E3EE}\1.0\HELPDIR
Adware.Ezula
HKLM\SOFTWARE\Microsoft\Direct2D
HKLM\SOFTWARE\Microsoft\Direct2D#affilate_id
HKLM\SOFTWARE\Microsoft\Direct2D#request_queue
HKLM\SOFTWARE\Microsoft\Direct2D#version
HKLM\SOFTWARE\Microsoft\Direct2D#installation_id
HKLM\SOFTWARE\Microsoft\Direct2D#user_id
HKLM\SOFTWARE\Microsoft\Direct2D#db_number
HKLM\SOFTWARE\Microsoft\Direct2D#date
HKLM\SOFTWARE\Microsoft\Direct2D#popup_delay
HKLM\SOFTWARE\Microsoft\Direct2D#refresh_time
HKLM\SOFTWARE\Microsoft\Direct2D#related_pop_type
HKLM\SOFTWARE\Microsoft\Direct2D#ezula_maxdup
HKLM\SOFTWARE\Microsoft\Direct2D#rand_context_distortion
HKLM\SOFTWARE\Microsoft\Direct2D#navigation_error
HKLM\SOFTWARE\Microsoft\Direct2D#popup_time_distortion
HKLM\SOFTWARE\Microsoft\Direct2D#ezula_maxhilight
HKLM\SOFTWARE\Microsoft\Direct2D#rand_contextual_pop_type
HKLM\SOFTWARE\Microsoft\Direct2D#popup_ctx_delay
HKLM\SOFTWARE\Microsoft\Direct2D#fixed_ctx_pop_delay
HKLM\SOFTWARE\Microsoft\Direct2D#fixed_ctx_pop_distortion
HKLM\SOFTWARE\Microsoft\Direct2D#ezula_enabled
HKLM\SOFTWARE\Microsoft\Direct2D#random_contextual_enabled
HKLM\SOFTWARE\Microsoft\Direct2D#program_push_enabled
HKLM\SOFTWARE\Microsoft\Direct2D#icon_drop_enabled
HKLM\SOFTWARE\Microsoft\Direct2D#related_popups_enabled
HKLM\SOFTWARE\Microsoft\Direct2D#fixed_ctx_pop_enabled
HKLM\SOFTWARE\Microsoft\Direct2D#update_url
HKLM\SOFTWARE\Microsoft\Direct2D#internal_affiliate_id
HKLM\SOFTWARE\Microsoft\Direct2D#country_id
HKLM\SOFTWARE\Microsoft\Direct2D#install_timestamp
HKLM\SOFTWARE\Microsoft\Direct2D#last_refresh_time
HKLM\SOFTWARE\Microsoft\Direct2D#ezula_deniedsites
HKLM\SOFTWARE\Microsoft\Direct2D#nav_error_content
HKLM\SOFTWARE\Microsoft\Direct2D#ezula_dictionary
HKLM\SOFTWARE\Microsoft\Direct2D#last_ezulasync
HKLM\SOFTWARE\Microsoft\Direct2D#ctx_popup_db
HKLM\SOFTWARE\Microsoft\Direct2D#related_sites
HKLM\SOFTWARE\Microsoft\Direct2D#ctx_popup_shown
HKLM\SOFTWARE\Microsoft\Direct2D#next_ctx_popup_time
HKLM\SOFTWARE\Microsoft\Direct2D#related_popup_appendix
HKLM\SOFTWARE\Microsoft\Direct2D#next_related_time
HKLM\SOFTWARE\Microsoft\Direct2D#random_context_blacklist
HKLM\SOFTWARE\Microsoft\Direct2D#last_push_time
HKLM\SOFTWARE\Microsoft\Direct2D#pushed_already
HKLM\SOFTWARE\Microsoft\Direct2D#fixed_ctx_pop_db
HKLM\SOFTWARE\Microsoft\Direct2D#next_fixed_ctx_popup_time
Adware.MediaMotor
HKCR\TypeLib\{D13DECBB-52F8-4BF4-BA6C-B0CC603963C9}
HKCR\TypeLib\{D13DECBB-52F8-4BF4-BA6C-B0CC603963C9}\2.1
HKCR\TypeLib\{D13DECBB-52F8-4BF4-BA6C-B0CC603963C9}\2.1\0
HKCR\TypeLib\{D13DECBB-52F8-4BF4-BA6C-B0CC603963C9}\2.1\0\win32
HKCR\TypeLib\{D13DECBB-52F8-4BF4-BA6C-B0CC603963C9}\2.1\FLAGS
HKCR\TypeLib\{D13DECBB-52F8-4BF4-BA6C-B0CC603963C9}\2.1\HELPDIR
HKCR\Interface\{41E1565D-B7A8-4251-BD79-E6C5FACB2B5F}
HKCR\Interface\{41E1565D-B7A8-4251-BD79-E6C5FACB2B5F}\Forward
HKCR\Interface\{41E1565D-B7A8-4251-BD79-E6C5FACB2B5F}\ProxyStubClsid
HKCR\Interface\{41E1565D-B7A8-4251-BD79-E6C5FACB2B5F}\ProxyStubClsid32
HKCR\Interface\{DB312456-E762-4369-844A-AED9006B1B2F}
HKCR\Interface\{DB312456-E762-4369-844A-AED9006B1B2F}\Forward
HKCR\Interface\{DB312456-E762-4369-844A-AED9006B1B2F}\ProxyStubClsid
HKCR\Interface\{DB312456-E762-4369-844A-AED9006B1B2F}\ProxyStubClsid32
HKCR\Interface\{96866CAD-7F56-4047-9D41-08322B6B79F3}
HKCR\Interface\{96866CAD-7F56-4047-9D41-08322B6B79F3}\ProxyStubClsid
HKCR\Interface\{96866CAD-7F56-4047-9D41-08322B6B79F3}\ProxyStubClsid32
HKCR\Interface\{96866CAD-7F56-4047-9D41-08322B6B79F3}\TypeLib
HKCR\Interface\{96866CAD-7F56-4047-9D41-08322B6B79F3}\TypeLib#Version
Adware.Toolbar888
HKU\S-1-5-21-4006730587-1961919399-1188117590-1005\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{CBCC61FA-0221-4CCC-B409-CEE865CACA3A}
Trojan.Security Toolbar
C:\Documents and Settings\All Users\Start Menu\Online Security Guide.url
C:\Documents and Settings\All Users\Start Menu\Security Troubleshooting.url
Trojan.Malware
HKCR\Interface\{ED3672D8-19B9-400F-8BED-734E6CC2355F}
HKCR\Interface\{ED3672D8-19B9-400F-8BED-734E6CC2355F}\ProxyStubClsid
HKCR\Interface\{ED3672D8-19B9-400F-8BED-734E6CC2355F}\ProxyStubClsid32
HKCR\Interface\{ED3672D8-19B9-400F-8BED-734E6CC2355F}\TypeLib
HKCR\Interface\{ED3672D8-19B9-400F-8BED-734E6CC2355F}\TypeLib#Version
HKCR\Da.Bomb
HKCR\Da.Bomb\CLSID
HKCR\Da.Bomb\CurVer
HKCR\Da.Bomb.1
HKCR\Da.Bomb.1\CLSID
HKCR\ONONE.Theimp
HKCR\ONONE.Theimp\CLSID
HKCR\ONONE.Theimp\CurVer
HKCR\ONONE.Theimp.1
HKCR\ONONE.Theimp.1\CLSID
HKCR\CLSID\{ABE46B90-C143-44ee-BC04-3313A048B9AC}
HKCR\CLSID\{ABE46B90-C143-44ee-BC04-3313A048B9AC}\InprocServer32
HKCR\CLSID\{ABE46B90-C143-44ee-BC04-3313A048B9AC}\InprocServer32#ThreadingModel
HKCR\CLSID\{ABE46B90-C143-44ee-BC04-3313A048B9AC}\ProgID
HKCR\CLSID\{ABE46B90-C143-44ee-BC04-3313A048B9AC}\Programmable
HKCR\CLSID\{ABE46B90-C143-44ee-BC04-3313A048B9AC}\TypeLib
HKCR\CLSID\{ABE46B90-C143-44ee-BC04-3313A048B9AC}\VersionIndependentProgID
HKCR\TypeLib\{68C93759-CAD1-465F-A320-4C2728003E08}
HKCR\TypeLib\{68C93759-CAD1-465F-A320-4C2728003E08}\1.0
HKCR\TypeLib\{68C93759-CAD1-465F-A320-4C2728003E08}\1.0\0
HKCR\TypeLib\{68C93759-CAD1-465F-A320-4C2728003E08}\1.0\0\win32
HKCR\TypeLib\{68C93759-CAD1-465F-A320-4C2728003E08}\1.0\FLAGS
HKCR\TypeLib\{68C93759-CAD1-465F-A320-4C2728003E08}\1.0\HELPDIR
HKCR\Interface\{3C7D55D7-AD86-4B05-A7A6-F19C2B3D5758}
HKCR\Interface\{3C7D55D7-AD86-4B05-A7A6-F19C2B3D5758}\ProxyStubClsid
HKCR\Interface\{3C7D55D7-AD86-4B05-A7A6-F19C2B3D5758}\ProxyStubClsid32
HKCR\Interface\{3C7D55D7-AD86-4B05-A7A6-F19C2B3D5758}\TypeLib
HKCR\Interface\{3C7D55D7-AD86-4B05-A7A6-F19C2B3D5758}\TypeLib#Version
HKCR\Interface\{DDA9619F-F00E-4B40-AA4D-94A218773C61}
HKCR\Interface\{DDA9619F-F00E-4B40-AA4D-94A218773C61}\ProxyStubClsid
HKCR\Interface\{DDA9619F-F00E-4B40-AA4D-94A218773C61}\ProxyStubClsid32
HKCR\Interface\{DDA9619F-F00E-4B40-AA4D-94A218773C61}\TypeLib
HKCR\Interface\{DDA9619F-F00E-4B40-AA4D-94A218773C61}\TypeLib#Version
Adware.AdRotator
HKCR\OddBot.AdClicker
HKCR\OddBot.AdClicker\CLSID
HKCR\OddBot.AdClicker\CurVer
HKCR\OddBot.AdClicker.1
HKCR\OddBot.AdClicker.1\CLSID
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\AdRotator
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\AdRotator#DisplayName
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\AdRotator#UninstallString
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\AdRotator#NoModify
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\AdRotator#NoRepair
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\AdRotator#DisplayVersion
HKLM\SOFTWARE\NodeIpProc
HKLM\SOFTWARE\NodeIpProc#Vendor
Trojan.Media-Codec
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Internet Explorer Security Plugin 2006
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Internet Explorer Security Plugin 2006#DisplayName
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Internet Explorer Security Plugin 2006#UninstallString
Adware.eZula/BannerRotator
HKCR\Interface\{BA2A20E0-2476-43BB-BCC8-BFEE2419B293}
HKCR\Interface\{BA2A20E0-2476-43BB-BCC8-BFEE2419B293}\ProxyStubClsid
HKCR\Interface\{BA2A20E0-2476-43BB-BCC8-BFEE2419B293}\ProxyStubClsid32
HKCR\Interface\{BA2A20E0-2476-43BB-BCC8-BFEE2419B293}\TypeLib
HKCR\Interface\{BA2A20E0-2476-43BB-BCC8-BFEE2419B293}\TypeLib#Version
HKCR\Interface\{D0C1545E-61E1-40D5-8F8C-37D4E7758275}
HKCR\Interface\{D0C1545E-61E1-40D5-8F8C-37D4E7758275}\ProxyStubClsid
HKCR\Interface\{D0C1545E-61E1-40D5-8F8C-37D4E7758275}\ProxyStubClsid32
HKCR\Interface\{D0C1545E-61E1-40D5-8F8C-37D4E7758275}\TypeLib
HKCR\Interface\{D0C1545E-61E1-40D5-8F8C-37D4E7758275}\TypeLib#Version
Adware.AdRotate/System
HKCR\Crypt.Core
HKCR\Crypt.Core\CLSID
HKCR\Crypt.Core\CurVer
HKCR\Crypt.Core.1
HKCR\Crypt.Core.1\CLSID
HKCR\ADRotator.Rotator
HKCR\ADRotator.Rotator\CLSID
HKCR\ADRotator.Rotator\CurVer
HKCR\ADRotator.Rotator.1
HKCR\ADRotator.Rotator.1\CLSID
HKCR\CLSID\{2CAB0356-88E3-4902-A85D-379689C625E1}
HKCR\CLSID\{2CAB0356-88E3-4902-A85D-379689C625E1}\InprocServer32
HKCR\CLSID\{2CAB0356-88E3-4902-A85D-379689C625E1}\InprocServer32#ThreadingModel
HKCR\CLSID\{2CAB0356-88E3-4902-A85D-379689C625E1}\ProgID
HKCR\CLSID\{2CAB0356-88E3-4902-A85D-379689C625E1}\Programmable
HKCR\CLSID\{2CAB0356-88E3-4902-A85D-379689C625E1}\TypeLib
HKCR\CLSID\{2CAB0356-88E3-4902-A85D-379689C625E1}\VersionIndependentProgID
HKCR\TypeLib\{7AC21A02-5B24-47AE-9B0E-B05AE3A50FC4}
HKCR\TypeLib\{7AC21A02-5B24-47AE-9B0E-B05AE3A50FC4}\1.0
HKCR\TypeLib\{7AC21A02-5B24-47AE-9B0E-B05AE3A50FC4}\1.0\0
HKCR\TypeLib\{7AC21A02-5B24-47AE-9B0E-B05AE3A50FC4}\1.0\0\win32
HKCR\TypeLib\{7AC21A02-5B24-47AE-9B0E-B05AE3A50FC4}\1.0\FLAGS
HKCR\TypeLib\{7AC21A02-5B24-47AE-9B0E-B05AE3A50FC4}\1.0\HELPDIR
HKCR\TypeLib\{DEFDEADA-C390-4EB9-97FA-59D56B21E5D5}
HKCR\TypeLib\{DEFDEADA-C390-4EB9-97FA-59D56B21E5D5}\1.0
HKCR\TypeLib\{DEFDEADA-C390-4EB9-97FA-59D56B21E5D5}\1.0\0
HKCR\TypeLib\{DEFDEADA-C390-4EB9-97FA-59D56B21E5D5}\1.0\0\win32
HKCR\TypeLib\{DEFDEADA-C390-4EB9-97FA-59D56B21E5D5}\1.0\FLAGS
HKCR\TypeLib\{DEFDEADA-C390-4EB9-97FA-59D56B21E5D5}\1.0\HELPDIR
HKCR\TypeLib\{FDB10602-AA12-4E76-AAE2-2B328A3E950A}
HKCR\TypeLib\{FDB10602-AA12-4E76-AAE2-2B328A3E950A}\1.0
HKCR\TypeLib\{FDB10602-AA12-4E76-AAE2-2B328A3E950A}\1.0\0
HKCR\TypeLib\{FDB10602-AA12-4E76-AAE2-2B328A3E950A}\1.0\0\win32
HKCR\TypeLib\{FDB10602-AA12-4E76-AAE2-2B328A3E950A}\1.0\FLAGS
HKCR\TypeLib\{FDB10602-AA12-4E76-AAE2-2B328A3E950A}\1.0\HELPDIR
Malware.SpyLocked
HKCR\CLSID\{0B847A1A-A872-95FC-8E22-F8B4AE044657}
HKCR\CLSID\{0B847A1A-A872-95FC-8E22-F8B4AE044657}#lWgeAqicd
HKCR\CLSID\{0B847A1A-A872-95FC-8E22-F8B4AE044657}#tnmXjmmra
HKCR\CLSID\{0B847A1A-A872-95FC-8E22-F8B4AE044657}#ryliGoisKwipd
HKCR\CLSID\{0B847A1A-A872-95FC-8E22-F8B4AE044657}#yfsxndmii
HKCR\CLSID\{0B847A1A-A872-95FC-8E22-F8B4AE044657}#imSxqOMzserj
HKCR\CLSID\{0B847A1A-A872-95FC-8E22-F8B4AE044657}#oxzehf
HKCR\CLSID\{0B847A1A-A872-95FC-8E22-F8B4AE044657}#oqknhsq
HKCR\CLSID\{0B847A1A-A872-95FC-8E22-F8B4AE044657}#QvxJecFRdi
HKCR\CLSID\{0B847A1A-A872-95FC-8E22-F8B4AE044657}#qyqxzdtrtylIt
HKCR\CLSID\{0B847A1A-A872-95FC-8E22-F8B4AE044657}#MeYmaznb
HKCR\CLSID\{0B847A1A-A872-95FC-8E22-F8B4AE044657}#jJpDkwNw
HKCR\CLSID\{0B847A1A-A872-95FC-8E22-F8B4AE044657}#klynHsjrCagi
HKCR\CLSID\{0B847A1A-A872-95FC-8E22-F8B4AE044657}#xECVlJLd
HKCR\CLSID\{0B847A1A-A872-95FC-8E22-F8B4AE044657}#NusvphrvWeh
HKCR\CLSID\{0B847A1A-A872-95FC-8E22-F8B4AE044657}#BizOlmRm
HKCR\CLSID\{0B847A1A-A872-95FC-8E22-F8B4AE044657}\Control
HKCR\CLSID\{0B847A1A-A872-95FC-8E22-F8B4AE044657}\Implemented Categories
HKCR\CLSID\{0B847A1A-A872-95FC-8E22-F8B4AE044657}\Implemented Categories\{7DD95801-9882-11CF-9FA9-00AA006C42C4}
HKCR\CLSID\{0B847A1A-A872-95FC-8E22-F8B4AE044657}\Implemented Categories\{7DD95802-9882-11CF-9FA9-00AA006C42C4}
HKCR\CLSID\{0B847A1A-A872-95FC-8E22-F8B4AE044657}\InprocServer32
HKCR\CLSID\{0B847A1A-A872-95FC-8E22-F8B4AE044657}\InprocServer32#ThreadingModel
HKCR\CLSID\{0B847A1A-A872-95FC-8E22-F8B4AE044657}\Insertable
HKCR\CLSID\{0B847A1A-A872-95FC-8E22-F8B4AE044657}\MiscStatus
HKCR\CLSID\{0B847A1A-A872-95FC-8E22-F8B4AE044657}\MiscStatus\1
HKCR\CLSID\{0B847A1A-A872-95FC-8E22-F8B4AE044657}\ProgID
HKCR\CLSID\{0B847A1A-A872-95FC-8E22-F8B4AE044657}\Programmable
HKCR\CLSID\{0B847A1A-A872-95FC-8E22-F8B4AE044657}\TypeLib
HKCR\CLSID\{0B847A1A-A872-95FC-8E22-F8B4AE044657}\Version
HKCR\CLSID\{0B847A1A-A872-95FC-8E22-F8B4AE044657}\VersionIndependentProgID
C:\Program Files\SpywareLocked 3.3\ignored.lst
C:\Program Files\SpywareLocked 3.3\sd.ini
C:\Program Files\SpywareLocked 3.3
Malware.Installer-Pkg/Gen
C:\DOCUMENTS AND SETTINGS\ALL USERS\APPLICATION DATA\WILDTANGENT\DELL GAME CONSOLE\DOWNLOADS\INSTALLERS\{651956B7-1969-42AA-9453-E0B813019D54}.EXE
C:\DOCUMENTS AND SETTINGS\ALL USERS\APPLICATION DATA\WILDTANGENT\DELL GAME CONSOLE\DOWNLOADS\INSTALLERS\{26D2C2C3-CF14-4ED7-B1FC-0BE64AFBA3B3}.EXE
C:\DOCUMENTS AND SETTINGS\ALL USERS\APPLICATION DATA\WILDTANGENT\DELL GAME CONSOLE\DOWNLOADS\INSTALLERS\{3C48F877-A164-45E9-B9DA-26A049FFC207}.EXE
C:\DOCUMENTS AND SETTINGS\ALL USERS\APPLICATION DATA\WILDTANGENT\DELL GAME CONSOLE\DOWNLOADS\INSTALLERS\{6293BC00-4EB8-4C65-8548-53E2FC3BF937}.EXE
C:\DOCUMENTS AND SETTINGS\ALL USERS\APPLICATION DATA\WILDTANGENT\DELL GAME CONSOLE\DOWNLOADS\INSTALLERS\{6B6A7665-DB48-4762-AB5D-BEEB9E1CD7FA}.EXE
C:\DOCUMENTS AND SETTINGS\ALL USERS\APPLICATION DATA\WILDTANGENT\DELL GAME CONSOLE\DOWNLOADS\INSTALLERS\{C0A0AA4D-C79B-48CA-8843-2B02B626C9E6}.EXE
C:\DOCUMENTS AND SETTINGS\ALL USERS\APPLICATION DATA\WILDTANGENT\DELL GAME CONSOLE\DOWNLOADS\INSTALLERS\{C2D8F0E2-6978-4409-8351-BA8785DA11EE}.EXE
C:\DOCUMENTS AND SETTINGS\ALL USERS\APPLICATION DATA\WILDTANGENT\DELL GAME CONSOLE\DOWNLOADS\INSTALLERS\{D1A6F3FD-7B40-443F-8767-BADB25A0D222}.EXE
C:\DOCUMENTS AND SETTINGS\ALL USERS\APPLICATION DATA\WILDTANGENT\DELL GAME CONSOLE\DOWNLOADS\INSTALLERS\{E0814F95-5380-4892-B8C8-7FA4B349EF46}.EXE
Browser Hijacker.Favorites
C:\DOCUMENTS AND SETTINGS\COMMUNITY MOTORS\DESKTOP\UNUSED DESKTOP ICONS\REALLY UNUSED ICONS\ONLINE SECURITY GUIDE.URL
C:\DOCUMENTS AND SETTINGS\COMMUNITY MOTORS\DESKTOP\UNUSED DESKTOP ICONS\REALLY UNUSED ICONS\SECURITY TROUBLESHOOTING.URL
Adware.AdRotate-Uninstaller
C:\SYSTEM VOLUME INFORMATION\_RESTORE{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP502\A0035282.EXE
The autoplay functions there were blocked as part of the procedures we did here. You can return those to the Windows default settings at this time by doing the following step, if you wish. This will allow autoplay for all drives such as CD-ROM and external drives.
Open Notepad and copy and paste the above text (inside the box) into the text file. Now go to File > Save As and call it autofix.reg. Where it says "Files of Type", select All Files and click on Save. Exit Notepad, double-click on the file and ok the prompt asking if you wish to merge the file with your registry.
You can also at this time delete the files/folders of the tools we used. To assist with some of that download OTMoveIt2 and save the file to your desktop. This will help by automatically removing some of the tools we used.
Please double-click OTMoveIt.exe to run it and click on Cleanup (Vista users, please right click on OTMoveit2.exe and select "Run as an Administrator"). When you do this list of malware removal programs will be downloaded from the internet. If you get a warning from your firewall or other security programs regarding OTMoveIt attempting to contact the internet you should allow it to do so. After the list has downloaded, you'll be asked if you want to begin cleanup process? Select Yes.
OTMoveIt will search for and delete/uninstall all the tools that we have used to fix your problems and all their backup folders and then delete itself when you next reboot. At the end of the run you will receive a prompt to reboot, but save that for the next step.
Then reset the System Restore. To do this, right-click My Computer and select Properties. Click the System Restore tab in the window that appears, and check the box that says "Turn off System Restore on all drives" and click Apply.
You will be asked if you are sure, click Yes. This will delete the restore points. Then click OK in the Properties window and reboot your computer.
When your desktop appears, right-click My Computer and select Properties once more. Uncheck the "Turn off System Restore..." box and click Apply. OK.
In addition, I like to recommend reviewing the information Here to make sure you stay malware free.
=David.:)