
I'm helping an uncle clean out his laptop. We got it a few days ago unable to start up, and well, we got there obviously :). So then we took a whole load of viruses, spyware, malware, etc. off it. The Task Manager and Control Panel were disabled, most likely by the viruses. I wasn't able to even get into regedit to enable them until I got something to re-enable the registry automatically, so I got all the admin controls back. No internet at all is on that laptop; we're connected to our wireless router and we've also tried to wire it. Some other problems we're having, but I'll get to that later on. Here's the log. Help would be GREAT :) I'm not all that good with HijackThis, first time, so please go slow :)

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 11:09:26 AM, on 12/30/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\S24EvMon.exe
C:\WINDOWS\system32\ZCfgSvc.exe
C:\WINDOWS\system32\1XConfig.exe
C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
C:\WINDOWS\system32\RegSrvc.exe
C:\Program Files\Spyware Terminator\SpywareTerminatorShield.exe
C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
C:\Program Files\YourWare Solutions\FreeRAM XP Pro\FreeRAM XP Pro.exe
C:\Program Files\Spyware Terminator\sp_rsser.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\wanmpsvc.exe
C:\Program Files\Intel\NCS\Sync\NetSvc.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\Ad-Aware2007.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O3 - Toolbar: (no name) - {F8AD5AA5-D966-4667-9DAF-2561D68B2012} - (no file)
O4 - HKLM\..\Run: [SpywareTerminator] "C:\Program Files\Spyware Terminator\SpywareTerminatorShield.exe"
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKCU\..\Run: [FreeRAM XP] "C:\Program Files\YourWare Solutions\FreeRAM XP Pro\FreeRAM XP Pro.exe" -win
O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'Default user')
O8 - Extra context menu item: &AIM Search - res://C:\Program Files\AIM Toolbar\AIMBar.dll/aimsearch.htm
O8 - Extra context menu item: &Viewpoint Search - res://C:\Program Files\Viewpoint\Viewpoint Toolbar\ViewBar.dll/CXTSEARCH.HTML
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra button: Microsoft AntiSpyware helper - {03CBA32B-A8D1-47B2-8C23-683AEAC7D6A3} - (no file) (HKCU)
O9 - Extra 'Tools' menuitem: Microsoft AntiSpyware helper - {03CBA32B-A8D1-47B2-8C23-683AEAC7D6A3} - (no file) (HKCU)
O9 - Extra button: Microsoft AntiSpyware helper - {254B281D-743D-403B-9A15-BFD736E45AD6} - (no file) (HKCU)
O9 - Extra 'Tools' menuitem: Microsoft AntiSpyware helper - {254B281D-743D-403B-9A15-BFD736E45AD6} - (no file) (HKCU)
O9 - Extra button: Microsoft AntiSpyware helper - {4343580D-A149-4C3F-8D99-8DB1CB8E896B} - (no file) (HKCU)
O9 - Extra 'Tools' menuitem: Microsoft AntiSpyware helper - {4343580D-A149-4C3F-8D99-8DB1CB8E896B} - (no file) (HKCU)
O9 - Extra button: Microsoft AntiSpyware helper - {56D0B23C-7C93-47E8-BAC9-1810C6F0FF50} - (no file) (HKCU)
O9 - Extra 'Tools' menuitem: Microsoft AntiSpyware helper - {56D0B23C-7C93-47E8-BAC9-1810C6F0FF50} - (no file) (HKCU)
O9 - Extra button: Microsoft AntiSpyware helper - {90CC3EF6-D6ED-4534-A338-4C4296824DCC} - (no file) (HKCU)
O9 - Extra 'Tools' menuitem: Microsoft AntiSpyware helper - {90CC3EF6-D6ED-4534-A338-4C4296824DCC} - (no file) (HKCU)
O9 - Extra button: Microsoft AntiSpyware helper - {B4A70ABC-DE25-447E-B18D-F58AD9A32CCF} - (no file) (HKCU)
O9 - Extra 'Tools' menuitem: Microsoft AntiSpyware helper - {B4A70ABC-DE25-447E-B18D-F58AD9A32CCF} - (no file) (HKCU)
O9 - Extra button: Microsoft AntiSpyware helper - {DD7E33A6-5385-443F-8E7B-0B96F472EFCD} - (no file) (HKCU)
O9 - Extra 'Tools' menuitem: Microsoft AntiSpyware helper - {DD7E33A6-5385-443F-8E7B-0B96F472EFCD} - (no file) (HKCU)
O9 - Extra button: Microsoft AntiSpyware helper - {DEEE085F-4080-4195-B99F-C83C2BBC8CED} - (no file) (HKCU)
O9 - Extra 'Tools' menuitem: Microsoft AntiSpyware helper - {DEEE085F-4080-4195-B99F-C83C2BBC8CED} - (no file) (HKCU)
O9 - Extra button: Microsoft AntiSpyware helper - {E6EB790C-5B9E-4AD1-89F7-12EEBC1AA8BB} - (no file) (HKCU)
O9 - Extra 'Tools' menuitem: Microsoft AntiSpyware helper - {E6EB790C-5B9E-4AD1-89F7-12EEBC1AA8BB} - (no file) (HKCU)
O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll
O15 - Trusted Zone: *.musicmatch.com (HKLM)
O16 - DPF: {5F8469B4-B055-49DD-83F7-62B522420ECC} (Facebook Photo Uploader Control) - http://upload.facebook.com/controls/FacebookPhotoUploader.cab
O16 - DPF: {E008A543-CEFB-4559-912F-C27C2B89F13B} (Domino Web Access 7 Control) - http://body1.spfldcol.edu/dwa7W.cab
O20 - AppInit_DLLs: murka.dat
O23 - Service: a2free - Unknown owner - C:\WINDOWS\TEMP\147662.exe (file missing)
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: Application Layer Gateway Service (ALG) - Unknown owner - C:\WINDOWS\System32\alg.exe (file missing)
O23 - Service: ASP.NET State Service (aspnet_state) - Unknown owner - C:\WINDOWS\Microsoft.NET\Framework\v1.1.4322\aspnet_state.exe (file missing)
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\System32\Ati2evxx.exe (file missing)
O23 - Service: Avg7Alrt - Unknown owner - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe (file missing)
O23 - Service: Avg7UpdSvc - Unknown owner - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe (file missing)
O23 - Service: AVGEMS - Unknown owner - C:\PROGRA~1\Grisoft\AVG7\avgemc.exe (file missing)
O23 - Service: CCALib8 - Unknown owner - C:\WINDOWS\TEMP\426172.exe (file missing)
O23 - Service: ccEvtMgr - Unknown owner - C:\WINDOWS\TEMP\355511.exe (file missing)
O23 - Service: ccSetMgr - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: CiSvc - Unknown owner - C:\WINDOWS\system32\cisvc.exe (file missing)
O23 - Service: CLTNetCnService - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: comHost - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\VAScanner\comHost.exe
O23 - Service: IDriverT - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: ImapiService - Unknown owner - C:\WINDOWS\system32\imapi.exe (file missing)
O23 - Service: iPodService - Unknown owner - C:\Program Files\iPod\bin\iPodService.exe (file missing)
O23 - Service: LiveUpdate - Unknown owner - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE (file missing)
O23 - Service: LiveUpdate Notice Ex - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: LiveUpdate Notice Service - Unknown owner - C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe (file missing)
O23 - Service: Distributed Transaction Coordinator (MSDTC) - Unknown owner - C:\WINDOWS\System32\msdtc.exe (file missing)
O23 - Service: Intel NCS NetService (NetSvc) - Intel(R) Corporation - C:\Program Files\Intel\NCS\Sync\NetSvc.exe
O23 - Service: RasMan - Unknown owner - C:\WINDOWS\TEMP\128024.exe (file missing)
O23 - Service: RDSessMgr - Unknown owner - C:\WINDOWS\system32\sessmgr.exe (file missing)
O23 - Service: RegSrvc - Intel Corporation - C:\WINDOWS\system32\RegSrvc.exe
O23 - Service: Remote Procedure Call (RPC) Locator (RpcLocator) - Unknown owner - C:\WINDOWS\system32\locator.exe (file missing)
O23 - Service: RSVP - Unknown owner - C:\WINDOWS\system32\rsvp.exe (file missing)
O23 - Service: Spectrum24 Event Monitor (S24EventMonitor) - Intel Corporation - C:\WINDOWS\system32\S24EvMon.exe
O23 - Service: Smart Card Helper (SCardDrv) - Unknown owner - C:\WINDOWS\System32\SCardSvr.exe (file missing)
O23 - Service: Smart Card (SCardSvr) - Unknown owner - C:\WINDOWS\System32\SCardSvr.exe (file missing)
O23 - Service: Spooler - Unknown owner - C:\WINDOWS\system32\spoolsv.exe (file missing)
O23 - Service: sp_rssrv - Crawler.com - C:\Program Files\Spyware Terminator\sp_rsser.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: Uninterruptible Power Supply (UPS) - Unknown owner - C:\WINDOWS\System32\ups.exe (file missing)
O23 - Service: VSS - Unknown owner - C:\WINDOWS\System32\vssvc.exe (file missing)
O23 - Service: WANMiniportService - America Online, Inc. - C:\WINDOWS\wanmpsvc.exe
O23 - Service: WmiApSrv - Unknown owner - C:\WINDOWS\system32\wbem\wmiapsrv.exe (file missing)
O23 - Service: WZCSVC - Unknown owner - C:\WINDOWS\TEMP\147662.exe (file missing)

--
End of file - 9988 bytes



Download and run Winsockfix from here http://www.softpedia.com/get/Tweak/Network-Tweak/WinSockFix.shtml

==

Can you please do the following.

===============

Scan with HijackThis and then place a check next to all the following, if present:


O3 - Toolbar: (no name) - {F8AD5AA5-D966-4667-9DAF-2561D68B2012} - (no file)

O9 - Extra button: Microsoft AntiSpyware helper - {03CBA32B-A8D1-47B2-8C23-683AEAC7D6A3} - (no file) (HKCU)
O9 - Extra 'Tools' menuitem: Microsoft AntiSpyware helper - {03CBA32B-A8D1-47B2-8C23-683AEAC7D6A3} - (no file) (HKCU)
O9 - Extra button: Microsoft AntiSpyware helper - {254B281D-743D-403B-9A15-BFD736E45AD6} - (no file) (HKCU)
O9 - Extra 'Tools' menuitem: Microsoft AntiSpyware helper - {254B281D-743D-403B-9A15-BFD736E45AD6} - (no file) (HKCU)
O9 - Extra button: Microsoft AntiSpyware helper - {4343580D-A149-4C3F-8D99-8DB1CB8E896B} - (no file) (HKCU)
O9 - Extra 'Tools' menuitem: Microsoft AntiSpyware helper - {4343580D-A149-4C3F-8D99-8DB1CB8E896B} - (no file) (HKCU)
O9 - Extra button: Microsoft AntiSpyware helper - {56D0B23C-7C93-47E8-BAC9-1810C6F0FF50} - (no file) (HKCU)
O9 - Extra 'Tools' menuitem: Microsoft AntiSpyware helper - {56D0B23C-7C93-47E8-BAC9-1810C6F0FF50} - (no file) (HKCU)
O9 - Extra button: Microsoft AntiSpyware helper - {90CC3EF6-D6ED-4534-A338-4C4296824DCC} - (no file) (HKCU)
O9 - Extra 'Tools' menuitem: Microsoft AntiSpyware helper - {90CC3EF6-D6ED-4534-A338-4C4296824DCC} - (no file) (HKCU)
O9 - Extra button: Microsoft AntiSpyware helper - {B4A70ABC-DE25-447E-B18D-F58AD9A32CCF} - (no file) (HKCU)
O9 - Extra 'Tools' menuitem: Microsoft AntiSpyware helper - {B4A70ABC-DE25-447E-B18D-F58AD9A32CCF} - (no file) (HKCU)
O9 - Extra button: Microsoft AntiSpyware helper - {DD7E33A6-5385-443F-8E7B-0B96F472EFCD} - (no file) (HKCU)
O9 - Extra 'Tools' menuitem: Microsoft AntiSpyware helper - {DD7E33A6-5385-443F-8E7B-0B96F472EFCD} - (no file) (HKCU)
O9 - Extra button: Microsoft AntiSpyware helper - {DEEE085F-4080-4195-B99F-C83C2BBC8CED} - (no file) (HKCU)
O9 - Extra 'Tools' menuitem: Microsoft AntiSpyware helper - {DEEE085F-4080-4195-B99F-C83C2BBC8CED} - (no file) (HKCU)
O9 - Extra button: Microsoft AntiSpyware helper - {E6EB790C-5B9E-4AD1-89F7-12EEBC1AA8BB} - (no file) (HKCU)
O9 - Extra 'Tools' menuitem: Microsoft AntiSpyware helper - {E6EB790C-5B9E-4AD1-89F7-12EEBC1AA8BB} - (no file) (HKCU)

O15 - Trusted Zone: *.musicmatch.com (HKLM)

O20 - AppInit_DLLs: murka.dat

O23 - Service: a2free - Unknown owner - C:\WINDOWS\TEMP\147662.exe (file missing)
O23 - Service: CCALib8 - Unknown owner - C:\WINDOWS\TEMP\426172.exe (file missing)
O23 - Service: ccEvtMgr - Unknown owner - C:\WINDOWS\TEMP\355511.exe (file missing)
O23 - Service: WZCSVC - Unknown owner - C:\WINDOWS\TEMP\147662.exe (file missing)


Now, close all instances of Internet Explorer and any other windows you have open except HiJackThis, click "Fix checked".

===============

Reboot.

===============

After rebooting, rescan with hijackthis and post back a new log. Please let me know how your pc is now.
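The selection made in the reply above can be written down as rules and run over a whole HijackThis log. This is an added example, not code from the thread or from HijackThis; the sample lines are taken from the logs posted in this thread, and the rules also cover the F2 Userinit entry that appears in the later log (the normal value there is only userinit.exe), which is one step beyond what this reply checks.

```python
"""Triage rules for HijackThis 2.x log lines (added example)."""
import re

# Service names from the logs in this thread that are genuine Windows XP
# service names; when such a name points into TEMP, the service was replaced.
WELL_KNOWN_SERVICE_NAMES = {"wzcsvc", "rasman", "appmgmt", "dmserver", "httpfilter"}

ENTRY_RE = re.compile(r"^(?P<code>[OF]\d+) - (?P<body>.*)$")

# Constructed sample: a subset of lines from the logs posted in this thread.
SAMPLE_LOG = r"""
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O3 - Toolbar: (no name) - {F8AD5AA5-D966-4667-9DAF-2561D68B2012} - (no file)
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O9 - Extra button: Microsoft AntiSpyware helper - {03CBA32B-A8D1-47B2-8C23-683AEAC7D6A3} - (no file) (HKCU)
O15 - Trusted Zone: *.musicmatch.com (HKLM)
O20 - AppInit_DLLs: murka.dat
O23 - Service: a2free - Unknown owner - C:\WINDOWS\TEMP\147662.exe (file missing)
O23 - Service: ccSetMgr - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Spooler - Unknown owner - C:\WINDOWS\system32\spoolsv.exe (file missing)
O23 - Service: WZCSVC - Unknown owner - C:\WINDOWS\TEMP\147662.exe (file missing)
F2 - REG:system.ini: UserInit=userinit.exe,C:\WINDOWS\system32\ntos.exe,
"""


def parse_entry(line):
    """Split 'O23 - Service: ...' into ('O23', 'Service: ...'); None for non-entry lines."""
    m = ENTRY_RE.match(line.strip())
    return (m.group("code"), m.group("body")) if m else None


def service_fields(body):
    """For an O23 body return (short_name, path, file_missing), or None if malformed."""
    # Shape: 'Service: <display name> (<short name>) - <owner> - <path> [(file missing)]'
    parts = body.rsplit(" - ", 2)
    if len(parts) != 3 or not parts[0].startswith("Service: "):
        return None
    name = parts[0][len("Service: "):]
    short = re.search(r"\(([^()]+)\)$", name)
    if short:
        name = short.group(1)
    tail = parts[2].strip()
    missing = tail.endswith("(file missing)")
    if missing:
        tail = tail[: -len("(file missing)")].strip()
    return name, tail, missing


def triage_entry(line):
    """Return the reasons one log line deserves attention ([] if none)."""
    parsed = parse_entry(line)
    if parsed is None:
        return []
    code, body = parsed
    reasons = []
    if code in ("O3", "O9") and "(no file)" in body:
        reasons.append("orphaned IE toolbar/button entry: registered, but its file is gone")
    elif code == "O15":
        reasons.append("site added to the IE Trusted Zone, which relaxes security for it")
    elif code == "O20" and body.startswith("AppInit_DLLs:"):
        value = body.partition(":")[2].strip()
        if value:
            reasons.append(f"AppInit_DLLs is set to {value!r}; it is normally empty")
    elif code == "O23":
        fields = service_fields(body)
        if fields:
            name, path, _missing = fields
            # '(file missing)' alone is not evidence: the reply above leaves
            # Spooler, ALG and other system32 services with that tag untouched.
            if re.search(r"\\temp\\", path, re.IGNORECASE):
                reasons.append(f"service {name!r} runs from a TEMP directory: {path}")
                if name.lower() in WELL_KNOWN_SERVICE_NAMES:
                    reasons.append(f"{name!r} is a built-in Windows service name, so its binary was replaced")
    elif code == "F2" and "UserInit=" in body:
        # Normally only userinit.exe (with or without its full path) is listed;
        # every extra comma-separated entry is a program started at logon.
        value = body.partition("UserInit=")[2]
        entries = [e.strip() for e in value.split(",") if e.strip()]
        extras = [e for e in entries if e.split("\\")[-1].lower() != "userinit.exe"]
        if extras:
            reasons.append("extra program(s) launched by Userinit at logon: " + ", ".join(extras))
    return reasons


def triage_log(text):
    """Map each flagged line to its reasons, in log order."""
    findings = {}
    for line in text.splitlines():
        reasons = triage_entry(line)
        if reasons:
            findings[line.strip()] = reasons
    return findings


if __name__ == "__main__":
    for flagged, why in triage_log(SAMPLE_LOG).items():
        print(flagged)
        for reason in why:
            print("   ->", reason)
```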


Well, I was on the phone with Dell for like an hour and they helped me get the internet back up, except what I see now is that it randomly releases its IP, just like if I went into the command prompt and typed in ipconfig /release. Also, I can't just type in ipconfig /renew to fix it; I tried :P. So then I ran the WinSock program because of these internet problems, and once I reset it, it did it again, but restarting the computer once it happens gives me the internet back for a bit. So with this I have internet for 3, 5, 10 minutes, something like that, and then it stops working. But now here's my HijackThis log.


Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 3:43:58 PM, on 1/2/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\ZCfgSvc.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\Program Files\Spyware Terminator\sp_rsser.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Spyware Terminator\SpywareTerminatorShield.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\YourWare Solutions\FreeRAM XP Pro\FreeRAM XP Pro.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\TEMP\134503.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

F2 - REG:system.ini: UserInit=userinit.exe,C:\WINDOWS\system32\ntos.exe,
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O4 - HKLM\..\Run: [SpywareTerminator] "C:\Program Files\Spyware Terminator\SpywareTerminatorShield.exe"
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKLM\..\Run: [ccApp] C:\Program Files\Common Files\Symantec Shared\ccApp.exe
O4 - HKCU\..\Run: [FreeRAM XP] "C:\Program Files\YourWare Solutions\FreeRAM XP Pro\FreeRAM XP Pro.exe" -win
O4 - HKUS\S-1-5-18\..\RunOnce: [tscuninstall] %systemroot%\system32\tscupgrd.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\RunOnce: [tscuninstall] %systemroot%\system32\tscupgrd.exe (User 'Default user')
O8 - Extra context menu item: &AIM Search - res://C:\Program Files\AIM Toolbar\AIMBar.dll/aimsearch.htm
O8 - Extra context menu item: &Viewpoint Search - res://C:\Program Files\Viewpoint\Viewpoint Toolbar\ViewBar.dll/CXTSEARCH.HTML
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll
O16 - DPF: {5F8469B4-B055-49DD-83F7-62B522420ECC} (Facebook Photo Uploader Control) - http://upload.facebook.com/controls/FacebookPhotoUploader.cab
O16 - DPF: {E008A543-CEFB-4559-912F-C27C2B89F13B} (Domino Web Access 7 Control) - http://body1.spfldcol.edu/dwa7W.cab
O20 - Winlogon Notify: GoToAssist - C:\Program Files\Citrix\GoToAssist\480\G2AWinLogon.dll
O23 - Service: Application Layer Gateway Service (ALG) - Unknown owner - C:\WINDOWS\System32\alg.exe (file missing)
O23 - Service: AppMgmt - Unknown owner - C:\WINDOWS\TEMP\134503.exe
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: CiSvc - Unknown owner - C:\WINDOWS\system32\cisvc.exe (file missing)
O23 - Service: dmserver - Unknown owner - C:\WINDOWS\TEMP\144177.exe (file missing)
O23 - Service: GoToAssist - Citrix Online, a division of Citrix Systems, Inc. - C:\Program Files\Citrix\GoToAssist\480\g2aservice.exe
O23 - Service: HTTPFilter - Unknown owner - C:\WINDOWS\TEMP\183173.exe (file missing)
O23 - Service: Distributed Transaction Coordinator (MSDTC) - Unknown owner - C:\WINDOWS\System32\msdtc.exe (file missing)
O23 - Service: NetSvc - Unknown owner - C:\Program Files\Intel\NCS\Sync\NetSvc.exe (file missing)
O23 - Service: RDSessMgr - Unknown owner - C:\WINDOWS\system32\sessmgr.exe (file missing)
O23 - Service: RegSrvc - Unknown owner - C:\WINDOWS\system32\RegSrvc.exe (file missing)
O23 - Service: Remote Procedure Call (RPC) Locator (RpcLocator) - Unknown owner - C:\WINDOWS\system32\locator.exe (file missing)
O23 - Service: RSVP - Unknown owner - C:\WINDOWS\system32\rsvp.exe (file missing)
O23 - Service: S24EventMonitor - Unknown owner - C:\WINDOWS\system32\S24EvMon.exe (file missing)
O23 - Service: Smart Card Helper (SCardDrv) - Unknown owner - C:\WINDOWS\System32\SCardSvr.exe (file missing)
O23 - Service: Smart Card (SCardSvr) - Unknown owner - C:\WINDOWS\System32\SCardSvr.exe (file missing)
O23 - Service: Spooler - Unknown owner - C:\WINDOWS\system32\spoolsv.exe (file missing)
O23 - Service: sp_rssrv - Crawler.com - C:\Program Files\Spyware Terminator\sp_rsser.exe
O23 - Service: VSS - Unknown owner - C:\WINDOWS\System32\vssvc.exe (file missing)
O23 - Service: WmiApSrv - Unknown owner - C:\WINDOWS\system32\wbem\wmiapsrv.exe (file missing)

--
End of file - 5794 bytes


This line in HijackThis:

F2 - REG:system.ini: UserInit=userinit.exe,C:\WINDOWS\system32\ntos.exe,

Spybot is telling me the ntos.exe is a part of the virus, and I looked it up and someone says remove the entry, but I don't want to go without approval from you. Oh, and also I've heard of bad things happening once they deleted it, so I don't think that will help us out :/ Also, just me skimming through this log, could the line

O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll

be doing something with the internet?

Sorry for typos, no time to fix them, the internet will die on me :/

(So I edited it, and once again it died on me before I could post it, so time to restart :/ )


That LSP is legit.

Download SDFix and save it to your desktop.

Please then reboot your computer in Safe Mode by doing the following:

  • Restart your computer.
  • After hearing your computer beep once during startup, but before the Windows icon appears, tap the F8 key continually.
  • Instead of Windows loading as normal, a menu with options should appear.
  • Select the first option, to run Windows in Safe Mode, then press "Enter".
  • Choose your usual account.
  • In Safe Mode, right click the SDFix.zip folder and choose Extract All.
  • Open the extracted folder and double click RunThis.bat to start the script.
  • Type Y to begin the script.
  • It will remove the Trojan Services then make some repairs to the registry and prompt you to press any key to Reboot.
  • Press any Key and it will restart the PC.
  • Your system will take longer than normal to restart as the fixtool will be running and removing files.
  • When the desktop loads the Fixtool will complete the removal and display Finished, then press any key to end the script and load your desktop icons.
  • Finally open the SDFix folder on your desktop and copy and paste the contents of the results file Report.txt back onto the forum with a new HijackThis log.

Hehe, thanks for specifically telling me how to boot in Safe Mode :) But I already know how to do that (not trying to be rude). You never know, it might be aiding someone, and they might need it, so I guess it's kind of necessary to put it up as well :P OK, I ran SDFix earlier last week; it did a lot more last time than this time, so here's the SDFix log.

SDFix: Version 1.122


Run by Ed on Thu 01/03/2008 at 05:18 PM


Microsoft Windows XP [Version 5.1.2600]


Running From: C:\SDFix


Safe Mode:
Checking Services:


Name:
smtpdrv


Path:
System32\DRIVERS\smtpdrv.sys


smtpdrv - Deleted


Restoring Windows Registry Values
Restoring Windows Default Hosts File


Rebooting...



Normal Mode:
Checking Files:


Trojan Files Found:


C:\2.TMP - Deleted
C:\3.TMP - Deleted
C:\5.TMP - Deleted
C:\6.TMP - Deleted
C:\7.TMP - Deleted
C:\WINDOWS\system32\7_exception.nls  - Deleted
C:\WINDOWS\system32\drivers\smtpdrv.sys  - Deleted
C:\WINDOWS\system32\ntos.exe  - Deleted
C:\WINDOWS\system32\wsnpoem\audio.dll  - Deleted
C:\WINDOWS\system32\wsnpoem\video.dll  - Deleted



Removing Temp Files...


ADS Check:


C:\WINDOWS
No streams found.


C:\WINDOWS\system32
No streams found.


C:\WINDOWS\system32\svchost.exe
No streams found.


C:\WINDOWS\system32\ntoskrnl.exe
No streams found.


Final Check:


catchme 0.3.1333.2 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-01-03 17:22:38
Windows 5.1.2600 Service Pack 2 NTFS


scanning hidden processes ...


scanning hidden services & system hive ...


[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Wqd29]
"Type"=dword:00000001
"Tag"=dword:00000006
"Group"="System Reserved\0Boot Bus Extender\0System Bus Extender\0SCSI miniport\0Port\0Primary Disk\0SCSI Class\0SCSI CDROM Class\0FSFilter Infrastructure\0FSFilter System\0FSFilter Bottom\0FSFilter Copy Protection\0FSFilter Security Enhancer\0FSFilter Open File\0FSFilter Physical Quota Management\0FSFilter Encryption\0FSFilter Compression\0FSFilter HSM\0FSFilter Cluster File System\0FSFilter System Recovery\0FSFilter Quota Management\0FSFilter Content Screener\0FSFilter Continuous Backup\0FSFilter Replication\0FSFilter Anti-Virus\0FSFilter Undelete\0FSFilter Activity Monitor\0FSFilter Top\0Filter\0Boot File System\0Base\0Pointer Port\0Keyboard Port\0Pointer Class\0Keyboard Class\0Video Init\0Video\0Video Save\0File System\0Event Log\0Streams Drivers\0NDIS Wrapper\0COM Infrastructure\0UIGroup\0LocalValidation\0PlugPlay\0PNP_TDI\0NDIS\0TDI\0Symantec Core Services\0Symantec Services\0NetBIOSGroup\0ShellSvcGroup\0SchedulerGroup\0SpoolerGroup\0AudioGroup\0NetworkProvider\0RemoteValidation\0NetDDEGroup\0Parallel arbitrator\0Extended Base\0PCI Configuration\0MS Transactions\0"
"ErrorControl"=dword:00000001
"Start"=dword:00000000
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\Wqd29]
"Type"=dword:00000001
"Tag"=dword:00000006
"Group"="System Reserved\0Boot Bus Extender\0System Bus Extender\0SCSI miniport\0Port\0Primary Disk\0SCSI Class\0SCSI CDROM Class\0FSFilter Infrastructure\0FSFilter System\0FSFilter Bottom\0FSFilter Copy Protection\0FSFilter Security Enhancer\0FSFilter Open File\0FSFilter Physical Quota Management\0FSFilter Encryption\0FSFilter Compression\0FSFilter HSM\0FSFilter Cluster File System\0FSFilter System Recovery\0FSFilter Quota Management\0FSFilter Content Screener\0FSFilter Continuous Backup\0FSFilter Replication\0FSFilter Anti-Virus\0FSFilter Undelete\0FSFilter Activity Monitor\0FSFilter Top\0Filter\0Boot File System\0Base\0Pointer Port\0Keyboard Port\0Pointer Class\0Keyboard Class\0Video Init\0Video\0Video Save\0File System\0Event Log\0Streams Drivers\0NDIS Wrapper\0COM Infrastructure\0UIGroup\0LocalValidation\0PlugPlay\0PNP_TDI\0NDIS\0TDI\0Symantec Core Services\0Symantec Services\0NetBIOSGroup\0ShellSvcGroup\0SchedulerGroup\0SpoolerGroup\0AudioGroup\0NetworkProvider\0RemoteValidation\0NetDDEGroup\0Parallel arbitrator\0Extended Base\0PCI Configuration\0MS Transactions\0"
"ErrorControl"=dword:00000001
"Start"=dword:00000000
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services\Wqd29]
"Type"=dword:00000001
"Tag"=dword:00000006
"Group"="System Reserved\0Boot Bus Extender\0System Bus Extender\0SCSI miniport\0Port\0Primary Disk\0SCSI Class\0SCSI CDROM Class\0FSFilter Infrastructure\0FSFilter System\0FSFilter Bottom\0FSFilter Copy Protection\0FSFilter Security Enhancer\0FSFilter Open File\0FSFilter Physical Quota Management\0FSFilter Encryption\0FSFilter Compression\0FSFilter HSM\0FSFilter Cluster File System\0FSFilter System Recovery\0FSFilter Quota Management\0FSFilter Content Screener\0FSFilter Continuous Backup\0FSFilter Replication\0FSFilter Anti-Virus\0FSFilter Undelete\0FSFilter Activity Monitor\0FSFilter Top\0Filter\0Boot File System\0Base\0Pointer Port\0Keyboard Port\0Pointer Class\0Keyboard Class\0Video Init\0Video\0Video Save\0File System\0Event Log\0Streams Drivers\0NDIS Wrapper\0COM Infrastructure\0UIGroup\0LocalValidation\0PlugPlay\0PNP_TDI\0NDIS\0TDI\0Symantec Core Services\0Symantec Services\0NetBIOSGroup\0ShellSvcGroup\0SchedulerGroup\0SpoolerGroup\0AudioGroup\0NetworkProvider\0RemoteValidation\0NetDDEGroup\0Parallel arbitrator\0Extended Base\0PCI Configuration\0MS Transactions\0"
"ErrorControl"=dword:00000001
"Start"=dword:00000000
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet004\Services\Wqd29]
"Type"=dword:00000001
"Tag"=dword:00000006
"Group"="System Reserved\0Boot Bus Extender\0System Bus Extender\0SCSI miniport\0Port\0Primary Disk\0SCSI Class\0SCSI CDROM Class\0FSFilter Infrastructure\0FSFilter System\0FSFilter Bottom\0FSFilter Copy Protection\0FSFilter Security Enhancer\0FSFilter Open File\0FSFilter Physical Quota Management\0FSFilter Encryption\0FSFilter Compression\0FSFilter HSM\0FSFilter Cluster File System\0FSFilter System Recovery\0FSFilter Quota Management\0FSFilter Content Screener\0FSFilter Continuous Backup\0FSFilter Replication\0FSFilter Anti-Virus\0FSFilter Undelete\0FSFilter Activity Monitor\0FSFilter Top\0Filter\0Boot File System\0Base\0Pointer Port\0Keyboard Port\0Pointer Class\0Keyboard Class\0Video Init\0Video\0Video Save\0File System\0Event Log\0Streams Drivers\0NDIS Wrapper\0COM Infrastructure\0UIGroup\0LocalValidation\0PlugPlay\0PNP_TDI\0NDIS\0TDI\0Symantec Core Services\0Symantec Services\0NetBIOSGroup\0ShellSvcGroup\0SchedulerGroup\0SpoolerGroup\0AudioGroup\0NetworkProvider\0RemoteValidation\0NetDDEGroup\0Parallel arbitrator\0Extended Base\0PCI Configuration\0MS Transactions\0"
"ErrorControl"=dword:00000001
"Start"=dword:00000000
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet005\Services\Wqd29]
"Type"=dword:00000001
"Tag"=dword:00000006
"Group"="System Reserved\0Boot Bus Extender\0System Bus Extender\0SCSI miniport\0Port\0Primary Disk\0SCSI Class\0SCSI CDROM Class\0FSFilter Infrastructure\0FSFilter System\0FSFilter Bottom\0FSFilter Copy Protection\0FSFilter Security Enhancer\0FSFilter Open File\0FSFilter Physical Quota Management\0FSFilter Encryption\0FSFilter Compression\0FSFilter HSM\0FSFilter Cluster File System\0FSFilter System Recovery\0FSFilter Quota Management\0FSFilter Content Screener\0FSFilter Continuous Backup\0FSFilter Replication\0FSFilter Anti-Virus\0FSFilter Undelete\0FSFilter Activity Monitor\0FSFilter Top\0Filter\0Boot File System\0Base\0Pointer Port\0Keyboard Port\0Pointer Class\0Keyboard Class\0Video Init\0Video\0Video Save\0File System\0Event Log\0Streams Drivers\0NDIS Wrapper\0COM Infrastructure\0UIGroup\0LocalValidation\0PlugPlay\0PNP_TDI\0NDIS\0TDI\0Symantec Core Services\0Symantec Services\0NetBIOSGroup\0ShellSvcGroup\0SchedulerGroup\0SpoolerGroup\0AudioGroup\0NetworkProvider\0RemoteValidation\0NetDDEGroup\0Parallel arbitrator\0Extended Base\0PCI Configuration\0MS Transactions\0"
"ErrorControl"=dword:00000001
"Start"=dword:00000000
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet006\Services\Wqd29]
"Type"=dword:00000001
"Tag"=dword:00000006
"Group"="System Reserved\0Boot Bus Extender\0System Bus Extender\0SCSI miniport\0Port\0Primary Disk\0SCSI Class\0SCSI CDROM Class\0FSFilter Infrastructure\0FSFilter System\0FSFilter Bottom\0FSFilter Copy Protection\0FSFilter Security Enhancer\0FSFilter Open File\0FSFilter Physical Quota Management\0FSFilter Encryption\0FSFilter Compression\0FSFilter HSM\0FSFilter Cluster File System\0FSFilter System Recovery\0FSFilter Quota Management\0FSFilter Content Screener\0FSFilter Continuous Backup\0FSFilter Replication\0FSFilter Anti-Virus\0FSFilter Undelete\0FSFilter Activity Monitor\0FSFilter Top\0Filter\0Boot File System\0Base\0Pointer Port\0Keyboard Port\0Pointer Class\0Keyboard Class\0Video Init\0Video\0Video Save\0File System\0Event Log\0Streams Drivers\0NDIS Wrapper\0COM Infrastructure\0UIGroup\0LocalValidation\0PlugPlay\0PNP_TDI\0NDIS\0TDI\0Symantec Core Services\0Symantec Services\0NetBIOSGroup\0ShellSvcGroup\0SchedulerGroup\0SpoolerGroup\0AudioGroup\0NetworkProvider\0RemoteValidation\0NetDDEGroup\0Parallel arbitrator\0Extended Base\0PCI Configuration\0MS Transactions\0"
"ErrorControl"=dword:00000001
"Start"=dword:00000000


scanning hidden registry entries ...


scanning hidden files ...


C:\WINDOWS\SYSTEM32\DRIVERS\Wqd29.sys 142848 bytes executable
C:\WINDOWS\LastGood
C:\WINDOWS\LastGood\INF
C:\WINDOWS\LastGood\INF\oem24.inf 0 bytes
C:\WINDOWS\LastGood\INF\oem24.PNF 0 bytes


scan completed successfully
hidden processes: 0
hidden services: 1
hidden files: 5



Remaining Services:
------------------


smtpdrv



Authorized Application Key Export:


[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"C:\\Program Files\\AIM\\aim.exe"="C:\\Program Files\\AIM\\aim.exe:*:Enabled:AOL Instant Messenger"
"C:\\Program Files\\EMCO Malware Destroyer\\MalwareDestroyer.exe"="C:\\Program Files\\EMCO Malware Destroyer\\MalwareDestroyer.exe:*:Enabled:Malware Scanner for Home User's"
"C:\\Program Files\\Internet Explorer\\iexplore.exe"="C:\\Program Files\\Internet Explorer\\iexplore.exe:*:Enabled:Internet Explorer"


[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\domainprofile\authorizedapplications\list]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"


Remaining Files:
---------------
C:\3.TMP Found
C:\5.TMP Found
C:\6.TMP Found
C:\7.TMP Found
C:\WINDOWS\system32\7_exception.nls  Found
C:\WINDOWS\system32\drivers\smtpdrv.sys  Found


File Backups: - C:\SDFix\backups\backups.zip


Files with Hidden Attributes:


Tue 21 Dec 2004             0 ..SHR --- "C:\mssys.com"
Tue 21 Dec 2004             0 A.SHR --- "C:\Program Files\q330994.exe"
Tue 21 Dec 2004             0 A.SHR --- "C:\WINDOWS\cvchost.exe"
Tue 21 Dec 2004             0 A.SHR --- "C:\WINDOWS\dl.exe"
Tue 21 Dec 2004             0 A.SHR --- "C:\WINDOWS\dlm.exe"
Tue 21 Dec 2004             0 A.SHR --- "C:\WINDOWS\msstasks.exe"
Tue 21 Dec 2004             0 A.SHR --- "C:\WINDOWS\mssys.com"
Tue 21 Dec 2004             0 A.SHR --- "C:\WINDOWS\mstasks1.exe"
Tue 21 Dec 2004             0 A.SHR --- "C:\WINDOWS\mstaskss.exe"
Tue 21 Dec 2004             0 A.SHR --- "C:\WINDOWS\msxmidi.exe"
Tue 21 Dec 2004             0 A.SHR --- "C:\WINDOWS\ntldr.exe"
Tue 21 Dec 2004             0 A.SHR --- "C:\WINDOWS\rocky.exe"
Tue 21 Dec 2004             0 A.SHR --- "C:\WINDOWS\seksdialer.exe"
Tue 28 Feb 2006        60,416 A.SH. --- "C:\Program Files\Outlook Express\msimn.exe"
Tue 28 Feb 2006         4,639 A.SH. --- "C:\Program Files\Windows Media Player\mplayer2.exe"
Tue 28 Feb 2006        73,728 A.SH. --- "C:\Program Files\Windows Media Player\wmplayer.exe"
Tue 21 Dec 2004             0 A.SHR --- "C:\WINDOWS\SYSTEM\wmscrop.exe"
Sun 23 Sep 2007        29,184 ...H. --- "C:\Documents and Settings\Ed\Desktop\~WRL0711.tmp"
Fri 21 Sep 2007        29,184 ...H. --- "C:\Documents and Settings\Ed\Desktop\~WRL0841.tmp"
Sun 23 Sep 2007        30,208 ...H. --- "C:\Documents and Settings\Ed\Desktop\~WRL0943.tmp"
Sun 23 Sep 2007        30,208 ...H. --- "C:\Documents and Settings\Ed\Desktop\~WRL0948.tmp"
Sun 23 Sep 2007        30,208 ...H. --- "C:\Documents and Settings\Ed\Desktop\~WRL1098.tmp"
Sun 23 Sep 2007        29,184 ...H. --- "C:\Documents and Settings\Ed\Desktop\~WRL2467.tmp"
Sun 23 Sep 2007        30,208 ...H. --- "C:\Documents and Settings\Ed\Desktop\~WRL2494.tmp"
Sun 23 Sep 2007        29,696 ...H. --- "C:\Documents and Settings\Ed\Desktop\~WRL2580.tmp"
Sun 23 Sep 2007        30,208 ...H. --- "C:\Documents and Settings\Ed\Desktop\~WRL3211.tmp"
Sun 23 Sep 2007        30,208 ...H. --- "C:\Documents and Settings\Ed\Desktop\~WRL3979.tmp"
Thu  3 Jan 2008       597,232 A..H. --- "C:\WINDOWS\SoftwareDistribution\Download\021bbe9f2a0e31da1414f03ea6d62389\BIT4.tmp"
Wed  2 Jan 2008             0 A..H. --- "C:\WINDOWS\SoftwareDistribution\Download\0c114cf5b19927cfea8b29c83de1ed86\BITD.tmp"
Wed  2 Jan 2008             0 A..H. --- "C:\WINDOWS\SoftwareDistribution\Download\2abaeb659824de5967ddf7181c6befdb\BITC.tmp"
Wed  2 Jan 2008             0 A..H. --- "C:\WINDOWS\SoftwareDistribution\Download\33831624a2e810dc854ea2f820d0dd53\BIT9.tmp"
Wed  2 Jan 2008       797,088 A..H. --- "C:\WINDOWS\SoftwareDistribution\Download\379c3e87f4016899bd06cdf1184d31ce\BITE.tmp"
Thu  3 Jan 2008             0 A..H. --- "C:\WINDOWS\SoftwareDistribution\Download\393673217fc83f2b990ca70aa98f1df8\BIT8.tmp"
Wed  2 Jan 2008             0 A..H. --- "C:\WINDOWS\SoftwareDistribution\Download\40a830826de015286a7a5523023b1e09\BIT13.tmp"
Wed  2 Jan 2008             0 A..H. --- "C:\WINDOWS\SoftwareDistribution\Download\458b0ddf827cd2ca02539e5a3b1a3d3c\BITF.tmp"
Thu  3 Jan 2008             0 A..H. --- "C:\WINDOWS\SoftwareDistribution\Download\526e15b6e1b5300357490c8089b5f84e\BIT12.tmp"
Wed  2 Jan 2008             0 A..H. --- "C:\WINDOWS\SoftwareDistribution\Download\6c0455d67216e75859cc27e7120ab0d1\BITA.tmp"
Sun  5 Aug 2007     4,073,736 A..H. --- "C:\WINDOWS\SoftwareDistribution\Download\9e8f057b37182e58e794b70ef39a992c\BIT50E.tmp"
Wed  2 Jan 2008             0 A..H. --- "C:\WINDOWS\SoftwareDistribution\Download\a0d1667f129d439fad31a81898b17830\BITB.tmp"
Wed  2 Jan 2008             0 A..H. --- "C:\WINDOWS\SoftwareDistribution\Download\ac396c0c2d53942a12157d0ad3c4135a\BIT14.tmp"
Mon 31 Dec 2007             0 A..H. --- "C:\WINDOWS\SoftwareDistribution\Download\d378d94379aa314a2f8a03df7faef1bc\BIT4.tmp"
Wed  2 Jan 2008             0 A..H. --- "C:\WINDOWS\SoftwareDistribution\Download\d8816d09f86abbe0c321ddc90d5c0948\BIT7.tmp"
Wed  2 Jan 2008             0 A..H. --- "C:\WINDOWS\SoftwareDistribution\Download\dcfb65ff18fcfdf3d0086d241818e7bc\BIT11.tmp"
Tue 14 Aug 2007     7,649,240 A..H. --- "C:\WINDOWS\SoftwareDistribution\Download\deb995e7b7d2953ec6904bd5047bd45f\BIT8.tmp"
Wed 28 Mar 2007        55,296 ...H. --- "C:\Documents and Settings\Ed\Application Data\Microsoft\Word\~WRL1465.tmp"
Tue  8 Oct 2002       106,496 A..H. --- "C:\Program Files\Common Files\aolshare\shell\us\shellext.dll"
Sun  5 Aug 2007       308,618 A..H. --- "C:\WINDOWS\SoftwareDistribution\Download\8ae7c447040239d7d5b8bbc96b906af0\download\BIT51B.tmp"
Sun  5 Aug 2007       246,738 A..H. --- "C:\WINDOWS\SoftwareDistribution\Download\90c5d2ebf41ce8d405eb458cc79a1965\download\BIT521.tmp"
Tue 21 Dec 2004             0 A.SHR --- "C:\Program Files\EMCO Malware Destroyer\Quarantine\EDWARD\NMC.DOWNLOADER.V\Files\Y.exe"
Tue 21 Dec 2004             0 A.SHR --- "C:\Program Files\EMCO Malware Destroyer\Quarantine\EDWARD\NMC.DUCKY\Files\y.exe"
Tue 21 Dec 2004             0 A.SHR --- "C:\Program Files\EMCO Malware Destroyer\Quarantine\EDWARD\NMC.SSDX\Files\MSDOS.exe"
Tue 21 Dec 2004             0 A.SHR --- "C:\Program Files\EMCO Malware Destroyer\Quarantine\EDWARD\NMC.BACKDOOR.BIFROSE\Files\WINDOWS\System.exe"
Tue 21 Dec 2004             0 A.SHR --- "C:\Program Files\EMCO Malware Destroyer\Quarantine\EDWARD\NMC.BACKDOOR.REDKOD\Files\WINDOWS\System.exe"
Tue 21 Dec 2004             0 A.SHR --- "C:\Program Files\EMCO Malware Destroyer\Quarantine\EDWARD\NMC.DOWNLOADER.HARNIG\Files\WINDOWS\mstasks1.exe"
Tue 21 Dec 2004             0 A.SHR --- "C:\Program Files\EMCO Malware Destroyer\Quarantine\EDWARD\NMC.DOWNLOADER.HARNIG\Files\WINDOWS\seksdialer.exe"
Tue 21 Dec 2004             0 A.SHR --- "C:\Program Files\EMCO Malware Destroyer\Quarantine\EDWARD\NMC.DOWNLOADER.HARNIG\Files\WINDOWS\system.exe"
Tue 21 Dec 2004             0 A.SHR --- "C:\Program Files\EMCO Malware Destroyer\Quarantine\EDWARD\NMC.DOWNLOADER.LUNII\Files\WINDOWS\mstasks1.exe"
Tue 21 Dec 2004             0 A.SHR --- "C:\Program Files\EMCO Malware Destroyer\Quarantine\EDWARD\NMC.EASYSEARCH\Files\WINDOWS\wininet32.exe"
Tue 21 Dec 2004             0 A.SHR --- "C:\Program Files\EMCO Malware Destroyer\Quarantine\EDWARD\NMC.HARNIG\Files\WINDOWS\dl.exe"
Tue 21 Dec 2004             0 A.SHR --- "C:\Program Files\EMCO Malware Destroyer\Quarantine\EDWARD\NMC.HARNIG\Files\WINDOWS\dlm.exe"
Tue 21 Dec 2004             0 A.SHR --- "C:\Program Files\EMCO Malware Destroyer\Quarantine\EDWARD\NMC.RUNWIN32\Files\WINDOWS\wininet32.exe"
Tue 21 Dec 2004             0 A.SHR --- "C:\Program Files\EMCO Malware Destroyer\Quarantine\EDWARD\NMC.STARTPA.CQ\Files\WINDOWS\System32\msxslab.dll"


Finished!



Ntos and that wsnpoem are part of a virus/trojan that Spybot picks up and that I can't get rid of. OK, HijackThis log.



Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 5:37:01 PM, on 1/3/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal


Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\ZCfgSvc.exe
C:\Program Files\Spyware Terminator\sp_rsser.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Spyware Terminator\SpywareTerminatorShield.exe
C:\Program Files\YourWare Solutions\FreeRAM XP Pro\FreeRAM XP Pro.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe


O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O4 - HKLM\..\Run: [SpywareTerminator] "C:\Program Files\Spyware Terminator\SpywareTerminatorShield.exe"
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKLM\..\Run: [ccApp] C:\Program Files\Common Files\Symantec Shared\ccApp.exe
O4 - HKCU\..\Run: [FreeRAM XP] "C:\Program Files\YourWare Solutions\FreeRAM XP Pro\FreeRAM XP Pro.exe" -win
O4 - HKUS\S-1-5-18\..\RunOnce: [tscuninstall] %systemroot%\system32\tscupgrd.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\RunOnce: [tscuninstall] %systemroot%\system32\tscupgrd.exe (User 'Default user')
O8 - Extra context menu item: &AIM Search - res://C:\Program Files\AIM Toolbar\AIMBar.dll/aimsearch.htm
O8 - Extra context menu item: &Viewpoint Search - res://C:\Program Files\Viewpoint\Viewpoint Toolbar\ViewBar.dll/CXTSEARCH.HTML
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll
O16 - DPF: {5F8469B4-B055-49DD-83F7-62B522420ECC} (Facebook Photo Uploader Control) - http://upload.facebook.com/controls/FacebookPhotoUploader.cab
O16 - DPF: {E008A543-CEFB-4559-912F-C27C2B89F13B} (Domino Web Access 7 Control) - http://body1.spfldcol.edu/dwa7W.cab
O20 - Winlogon Notify: GoToAssist - C:\Program Files\Citrix\GoToAssist\480\G2AWinLogon.dll
O23 - Service: Application Layer Gateway Service (ALG) - Unknown owner - C:\WINDOWS\System32\alg.exe (file missing)
O23 - Service: AVG Anti-Spyware Guard - Unknown owner - C:\WINDOWS\TEMP\157967.exe (file missing)
O23 - Service: CiSvc - Unknown owner - C:\WINDOWS\TEMP\149675.exe (file missing)
O23 - Service: COMSysApp - Unknown owner - C:\WINDOWS\TEMP\158557.exe (file missing)
O23 - Service: dmserver - Unknown owner - C:\WINDOWS\TEMP\137738.exe
O23 - Service: GoToAssist - Citrix Online, a division of Citrix Systems, Inc. - C:\Program Files\Citrix\GoToAssist\480\g2aservice.exe
O23 - Service: HTTPFilter - Unknown owner - C:\WINDOWS\TEMP\183173.exe (file missing)
O23 - Service: lanmanserver - Unknown owner - C:\WINDOWS\TEMP\130377.exe (file missing)
O23 - Service: Distributed Transaction Coordinator (MSDTC) - Unknown owner - C:\WINDOWS\System32\msdtc.exe (file missing)
O23 - Service: NetSvc - Unknown owner - C:\WINDOWS\TEMP\134503.exe (file missing)
O23 - Service: RDSessMgr - Unknown owner - C:\WINDOWS\system32\sessmgr.exe (file missing)
O23 - Service: RegSrvc - Unknown owner - C:\WINDOWS\system32\RegSrvc.exe (file missing)
O23 - Service: Remote Procedure Call (RPC) Locator (RpcLocator) - Unknown owner - C:\WINDOWS\system32\locator.exe (file missing)
O23 - Service: RSVP - Unknown owner - C:\WINDOWS\system32\rsvp.exe (file missing)
O23 - Service: S24EventMonitor - Unknown owner - C:\WINDOWS\system32\S24EvMon.exe (file missing)
O23 - Service: Smart Card Helper (SCardDrv) - Unknown owner - C:\WINDOWS\System32\SCardSvr.exe (file missing)
O23 - Service: Smart Card (SCardSvr) - Unknown owner - C:\WINDOWS\System32\SCardSvr.exe (file missing)
O23 - Service: Spooler - Unknown owner - C:\WINDOWS\system32\spoolsv.exe (file missing)
O23 - Service: sp_rssrv - Crawler.com - C:\Program Files\Spyware Terminator\sp_rsser.exe
O23 - Service: VSS - Unknown owner - C:\WINDOWS\System32\vssvc.exe (file missing)
O23 - Service: WmiApSrv - Unknown owner - C:\WINDOWS\system32\wbem\wmiapsrv.exe (file missing)


--
End of file - 5578 bytes

Again, sorry for typos; I don't want to get into fixing them just to be kicked off the internet. I'll tell you what's happening with that, because it hasn't kicked the IP off.

Edited by happygeek: fixed formatting


Please go to Jotti's or to virustotal and have these files scanned. Post the results back here.

C:\WINDOWS\SYSTEM32\DRIVERS\Wqd29.sys
C:\mssys.com
C:\Program Files\q330994.exe
C:\WINDOWS\cvchost.exe
C:\WINDOWS\dl.exe
C:\WINDOWS\dlm.exe
C:\WINDOWS\msstasks.exe
C:\WINDOWS\mssys.com
C:\WINDOWS\mstasks1.exe
C:\WINDOWS\mstaskss.exe
C:\WINDOWS\msxmidi.exe
C:\WINDOWS\ntldr.exe
C:\WINDOWS\rocky.exe
C:\WINDOWS\seksdialer.exe

========

  • Save it to your Desktop
  • Physically disconnect from the internet.
  • Now STOP all your monitoring programs (Antivirus/Antispyware, Guards and Shields)
  • Click on your START button and choose Run. Then copy/paste the entire content of the following quotebox (including the "" marks and the symbols) into the Run box.

    "%userprofile%\desktop\ComboFix.exe" /KillAll

    [IMG]http://i5.photobucket.com/albums/y153/crunchie1/RunBox_KillAll.jpg[/IMG]

  • Click OK and this will start ComboFix.
  • When finished, it will produce a log. Please save that log to a Notepad File and include it in your next reply along with a fresh HJT log.

Note:
Do not mouse-click ComboFix's window while it is running. That may cause it to stall.

* Re-enable all the programs that were disabled prior to the running of ComboFix.

* Post the following logs/Reports:


  • ComboFix.txt
  • Fresh HijackThis log run after all the other tools have performed their cleanup.

CF disconnects your machine from the internet. The connection is automatically restored before CF completes its run. If CF runs into difficulty and terminates prematurely, the connection can be manually restored by restarting your machine.


OK, first part of what you asked for.

C:\WINDOWS\SYSTEM32\DRIVERS\Wqd29.sys
Scan taken on 04 Jan 2008 20:32:59 (GMT)
A-Squared Found nothing
AntiVir Found RKIT/Agent.SC.1
ArcaVir Found Trojan.Rootkit.Agent.Sc
Avast Found nothing
AVG Antivirus Found BackDoor.Generic9.JSS
BitDefender Found nothing
ClamAV Found nothing
CPsecure Found Rootkit.W32.Agent.sc
Dr.Web Found nothing
F-Prot Antivirus Found nothing
F-Secure Anti-Virus Found Rootkit.Win32.Agent.sc
Fortinet Found W32/Agent.SC!tr.rkit
Ikarus Found Rootkit.Win32.Agent.ea
Kaspersky Anti-Virus Found Rootkit.Win32.Agent.sc
NOD32 Found nothing
Norman Virus Control Found nothing
Panda Antivirus Found Rootkit/Agent.HOT
Rising Antivirus Found nothing
Sophos Antivirus Found nothing
VirusBuster Found nothing
VBA32 Found Rootkit.Win32.Agent.sc

The rest said this, so I presume that the files do not exist:

The file you uploaded is 0 bytes. It is very likely a firewall or a piece of malware is prohibiting you from uploading this file

OK, now I'll do that next part. I just thought it might be more organised in 2 posts.


OK, next part: here is the ComboFix log. It seems pretty long :) Have fun with that.

ComboFix 08-01-04.1 - Ed 2008-01-04 16:04:08.1 - NTFSx86
Microsoft Windows XP Home Edition  5.1.2600.2.1252.1.1033.18.151 [GMT -5:00]
Running from: C:\Documents and Settings\Ed\desktop\ComboFix.exe
Command switches used :: /KillAll
* Created a new restore point
.


(((((((((((((((((((((((((((((((((((((((   Other Deletions   )))))))))))))))))))))))))))))))))))))))))))))))))
.


C:\Documents and Settings\Ed\Local Settings\Application Data.\n.ini
C:\Documents and Settings\Ed\Local Settings\Application Data\n.ini
C:\WINDOWS\bundles
C:\WINDOWS\bundles\AdSmartMedia_bundle.exe
C:\WINDOWS\bundles\adv0ltc0m.exe
C:\WINDOWS\bundles\ast_5_adsav.exe
C:\WINDOWS\bundles\Beryllium.exe
C:\WINDOWS\bundles\bruzmoh.exe
C:\WINDOWS\bundles\bs5-goodyr1.exe
C:\WINDOWS\bundles\bs5-tsrkqn.exe
C:\WINDOWS\bundles\Century.exe
C:\WINDOWS\bundles\cxt_big.exe
C:\WINDOWS\bundles\Decade.exe
C:\WINDOWS\bundles\desktrf-162813.exe
C:\WINDOWS\bundles\icmedia2_56.exe
C:\WINDOWS\bundles\ICMMedia_1cmm3d1a.exe
C:\WINDOWS\bundles\iehost.exe
C:\WINDOWS\bundles\InvestorIntelligenceInstallWeb.exe
C:\WINDOWS\bundles\optimizejames.exe
C:\WINDOWS\bundles\runsearch.exe
C:\WINDOWS\bundles\sahagent-dectest1001.exe
C:\WINDOWS\bundles\sahagent-seedcorn1002.exe
C:\WINDOWS\bundles\setup_silent_26221.exe
C:\WINDOWS\bundles\stlb2_seed.exe
C:\WINDOWS\bundles\TrafficSpec8.exe
C:\WINDOWS\bundles\Verti1.exe
C:\WINDOWS\bundles\winversion.exe
C:\WINDOWS\PerfInfo
C:\WINDOWS\system32\7_exception.nls
C:\WINDOWS\system32\Cache
C:\WINDOWS\system32\drivers\smtpdrv.sys
C:\WINDOWS\system32\drivers\symavc32.sys
C:\WINDOWS\system32\drivers\Uae48.sys
C:\WINDOWS\system32\drivers\WQD29.sys
C:\WINDOWS\system32\wsnpoem
C:\WINDOWS\system32\wsnpoem\audio.dl_
C:\WINDOWS\system32\wsnpoem\video.dl_


.
(((((((((((((((((((((((((((((((((((((((   Drivers/Services   )))))))))))))))))))))))))))))))))))))))))))))))))


.
-------\LEGACY_RUNTIME
-------\LEGACY_SMTPDRV
-------\LEGACY_UAE48
-------\LEGACY_WQD29
-------\smtpdrv
-------\Uae48



(((((((((((((((((((((((((   Files Created from 2007-12-04 to 2008-01-04  )))))))))))))))))))))))))))))))
.


2008-01-04 16:02 . 2000-08-31 08:00 51,200  --a------   C:\WINDOWS\NirCmd.exe
2008-01-04 15:28 . 2008-01-04 15:28 2   --a------   C:\B.tmp
2008-01-04 15:28 . 2008-01-04 15:28 0   --a------   C:\C.tmp
2008-01-04 15:28 . 2008-01-04 15:28 0   --a------   C:\A.tmp
2008-01-04 15:28 . 2008-01-04 15:28 0   --a------   C:\9.tmp
2008-01-04 15:28 . 2008-01-04 15:28 0   --a------   C:\2.tmp
2008-01-03 17:23 . 2008-01-03 17:23 2   --a------   C:\5.tmp
2008-01-03 17:23 . 2008-01-03 17:23 0   --a------   C:\8.tmp
2008-01-03 17:23 . 2008-01-03 17:23 0   --a------   C:\7.tmp
2008-01-03 17:23 . 2008-01-03 17:23 0   --a------   C:\6.tmp
2008-01-03 17:23 . 2008-01-03 17:23 0   --a------   C:\3.tmp
2008-01-02 16:43 . 2008-01-02 16:43 42,496  --a------   C:\4.tmp
2008-01-02 16:32 . 2008-01-02 16:32 42,496  --a------   C:\1.tmp
2008-01-02 16:03 . 2008-01-02 16:04 <DIR>    d--------   C:\ERDNT
2007-12-31 16:31 . 2007-12-31 16:31 45,056  --a------   C:\WINDOWS\NCUNINST.EXE
2007-12-31 14:53 . 2007-12-31 14:53 <DIR>    d--------   C:\Documents and Settings\Administrator\Application Data\Grisoft
2007-12-31 14:43 . 2007-12-31 14:44 <DIR>    d--------   C:\Documents and Settings\Administrator\Application Data\Spyware Terminator
2007-12-31 12:20 . 2007-12-31 14:37 <DIR>    d--------   C:\Program Files\Norton AntiVirus
2007-12-31 12:17 . 2007-12-31 15:05 <DIR>    d--------   C:\Program Files\Symantec
2007-12-31 11:56 . 2007-12-31 11:56 <DIR>    d--------   C:\Documents and Settings\All Users\Application Data\Avg7
2007-12-31 10:32 . 2007-12-31 10:32 <DIR>    d--------   C:\Documents and Settings\Ed\Application Data\Grisoft
2007-12-31 10:32 . 2007-05-30 07:10 10,872  --a------   C:\WINDOWS\SYSTEM32\DRIVERS\AvgAsCln.sys
2007-12-31 10:31 . 2007-01-18 07:00 3,968   --a------   C:\WINDOWS\SYSTEM32\DRIVERS\AvgArCln.sys
2007-12-30 22:24 . 2007-12-30 17:55 102,664 --a------   C:\WINDOWS\SYSTEM32\DRIVERS\tmcomm.sys
2007-12-30 18:49 . 2007-12-30 19:47 <DIR>    d--------   C:\Program Files\EsetOnlineScanner
2007-12-30 17:54 . 2007-12-30 22:37 <DIR>    d--------   C:\Documents and Settings\Ed\.housecall6.6
2007-12-30 17:08 . 2007-12-30 17:08 <DIR>    d--------   C:\Program Files\WinClamAVShield
2007-12-30 15:05 . 2007-12-30 15:05 60,968  --a------   C:\Documents and Settings\Ed\GoToAssistDownloadHelper.exe
2007-12-30 14:53 . 2007-12-30 14:53 <DIR>    d--------   C:\Documents and Settings\All Users\Application Data\Citrix
2007-12-30 14:52 . 2007-12-30 14:52 <DIR>    d--------   C:\Program Files\Citrix
2007-12-30 14:52 . 2007-12-30 14:52 60,968  --a------   C:\Documents and Settings\Administrator\GoToAssistDownloadHelper.exe
2007-12-30 13:32 . 2007-12-30 13:32 76,576  --a------   C:\WINDOWS\SYSTEM32\GDIPFONTCACHEV1.DAT
2007-12-30 13:12 . 2006-02-28 07:00 214,528 --a--c---   C:\WINDOWS\SYSTEM32\DLLCACHE\wordpad.exe
2007-12-30 13:12 . 2006-02-28 07:00 113,222 --a--c---   C:\WINDOWS\SYSTEM32\DLLCACHE\zoneclim.dll
2007-12-30 13:12 . 2006-02-28 07:00 41,029  --a--c---   C:\WINDOWS\SYSTEM32\DLLCACHE\zcorem.dll
2007-12-30 13:12 . 2006-02-28 07:00 36,937  --a--c---   C:\WINDOWS\SYSTEM32\DLLCACHE\zclientm.exe
2007-12-30 13:12 . 2006-02-28 07:00 29,760  --a--c---   C:\WINDOWS\SYSTEM32\DLLCACHE\znetm.dll
2007-12-30 13:12 . 2006-02-28 07:00 28,288  --a--c---   C:\WINDOWS\SYSTEM32\DLLCACHE\xjis.nls
2007-12-30 13:12 . 2006-02-28 07:00 13,894  --a--c---   C:\WINDOWS\SYSTEM32\DLLCACHE\zonelibm.dll
2007-12-30 13:12 . 2006-02-28 07:00 5,632   --a--c---   C:\WINDOWS\SYSTEM32\DLLCACHE\write.exe
2007-12-30 13:12 . 2006-02-28 07:00 4,677   --a--c---   C:\WINDOWS\SYSTEM32\DLLCACHE\zeeverm.dll
2007-12-30 13:10 . 2006-02-28 07:00 1,875,968   --a--c---   C:\WINDOWS\SYSTEM32\DLLCACHE\msir3jp.lex
2007-12-30 13:09 . 2006-02-28 07:00 10,129,408  --a--c---   C:\WINDOWS\SYSTEM32\DLLCACHE\hwxkor.dll
2007-12-30 13:08 . 2006-02-28 07:00 13,463,552  --a--c---   C:\WINDOWS\SYSTEM32\DLLCACHE\hwxjpn.dll
2007-12-30 13:07 . 2006-02-28 07:00 1,817,687   --a--c---   C:\WINDOWS\SYSTEM32\DLLCACHE\bckgres.dll
2007-12-30 13:06 . 2004-05-13 00:39 876,653 --a--c---   C:\WINDOWS\SYSTEM32\DLLCACHE\fp4awel.dll
2007-12-30 13:03 . 2007-12-30 13:03 749 -rah-----   C:\WINDOWS\WindowsShell.Manifest
2007-12-30 13:03 . 2007-12-30 13:03 749 -rah-----   C:\WINDOWS\SYSTEM32\wuaucpl.cpl.manifest
2007-12-30 13:03 . 2007-12-30 13:03 749 -rah-----   C:\WINDOWS\SYSTEM32\sapi.cpl.manifest
2007-12-30 13:03 . 2007-12-30 13:03 749 -rah-----   C:\WINDOWS\SYSTEM32\ncpa.cpl.manifest
2007-12-30 13:03 . 2007-12-30 13:03 488 -rah-----   C:\WINDOWS\SYSTEM32\logonui.exe.manifest
2007-12-30 13:02 . 2006-02-28 07:00 32,768  --a--c---   C:\WINDOWS\SYSTEM32\DLLCACHE\mnmsrvc.exe
2007-12-30 13:00 . 2006-02-28 07:00 140,800 --a--c---   C:\WINDOWS\SYSTEM32\DLLCACHE\sessmgr.exe
2007-12-30 13:00 . 2006-02-28 07:00 126,464 --a--c---   C:\WINDOWS\SYSTEM32\DLLCACHE\wmiapsrv.exe
2007-12-30 13:00 . 2006-02-28 07:00 6,144   --a--c---   C:\WINDOWS\SYSTEM32\DLLCACHE\msdtc.exe
2007-12-30 12:54 . 2006-02-28 07:00 168,806 --a--c---   C:\WINDOWS\SYSTEM32\DLLCACHE\startoc.cat
2007-12-30 12:54 . 2006-02-28 07:00 24,661  --a------   C:\WINDOWS\SYSTEM32\spxcoins.dll
2007-12-30 12:54 . 2006-02-28 07:00 24,661  --a--c---   C:\WINDOWS\SYSTEM32\DLLCACHE\spxcoins.dll
2007-12-30 12:54 . 2006-02-28 07:00 24,209  --a--c---   C:\WINDOWS\SYSTEM32\DLLCACHE\msn7.cat
2007-12-30 12:54 . 2006-02-28 07:00 14,573  -ra------   C:\WINDOWS\SET89.tmp
2007-12-30 12:54 . 2006-02-28 07:00 13,312  --a------   C:\WINDOWS\SYSTEM32\irclass.dll
2007-12-30 12:54 . 2006-02-28 07:00 13,312  --a--c---   C:\WINDOWS\SYSTEM32\DLLCACHE\irclass.dll
2007-12-30 12:54 . 2006-02-28 07:00 11,651  --a--c---   C:\WINDOWS\SYSTEM32\DLLCACHE\msn9.cat
2007-12-30 12:54 . 2006-02-28 07:00 7,382   --a--c---   C:\WINDOWS\SYSTEM32\DLLCACHE\OEMBIOS.CAT
2007-12-30 11:07 . 2007-12-30 11:07 <DIR>    d--------   C:\Program Files\Trend Micro
2007-12-30 10:38 . 2007-12-30 10:38 <DIR>    d--------   C:\Program Files\Lavasoft
2007-12-30 10:38 . 2007-12-30 10:38 <DIR>    d--------   C:\Documents and Settings\All Users\Application Data\Lavasoft
2007-12-30 10:37 . 2007-12-30 10:37 <DIR>    d--------   C:\Program Files\Common Files\Wise Installation Wizard
2007-12-30 00:15 . 2007-12-30 00:15 <DIR>    d--------   C:\WINDOWS\ERUNT
2007-12-29 23:23 . 2007-12-29 23:59 <DIR>    d--------   C:\Documents and Settings\Ed\Application Data\SUPERAntiSpyware.com
2007-12-29 23:23 . 2007-12-29 23:23 <DIR>    d--------   C:\Documents and Settings\All Users\Application Data\SUPERAntiSpyware.com
2007-12-29 19:12 . 2007-12-31 11:55 <DIR>    d--------   C:\Documents and Settings\All Users\Application Data\Grisoft
2007-12-29 18:59 . 2007-12-29 18:59 230 --a------   C:\WINDOWS\SYSTEM32\spupdsvc.inf
2007-12-29 17:04 . 2006-09-06 17:43 22,752  --a------   C:\WINDOWS\SYSTEM32\spupdsvc.exe
2007-12-29 17:00 . 2007-12-29 17:00 0   --a------   C:\WINDOWS\nsreg.dat
2007-12-29 16:14 . 2007-12-29 16:14 <DIR>    d--------   C:\Program Files\Broadcom
2007-12-29 16:12 . 2003-03-17 21:03 966,656 --a------   C:\WINDOWS\SYSTEM32\W70MLRES.DLL
2007-12-29 16:10 . 1999-05-07 13:24 645,616 --a------   C:\WINDOWS\SYSTEM32\MSCOMCT2.OCX
2007-12-29 16:10 . 2000-03-23 12:50 446,464 -ra------   C:\WINDOWS\SYSTEM32\hhactivex.dll
2007-12-29 16:10 . 1999-05-07 13:24 414,944 --a------   C:\WINDOWS\SYSTEM32\COMCT332.OCX
2007-12-29 16:10 . 1998-11-10 10:46 328,480 --a------   C:\WINDOWS\SYSTEM32\ssa3d30.ocx
2007-12-29 16:10 . 2002-01-08 17:00 176,128 --a------   C:\WINDOWS\SYSTEM32\RcdScan.dll
2007-12-29 16:10 . 1998-06-17 23:00 89,360  --a------   C:\WINDOWS\SYSTEM32\VB5DB.DLL
2007-12-29 15:26 . 2007-12-29 15:26 <DIR>    d--------   C:\Program Files\Uniblue
2007-12-29 15:26 . 2007-12-29 15:26 <DIR>    d--------   C:\Documents and Settings\Ed\Application Data\Uniblue
2007-12-29 15:26 . 2007-12-29 15:26 <DIR>    d--------   C:\Documents and Settings\All Users\Application Data\Uniblue
2007-12-29 13:24 . 2007-09-05 23:22 289,144 --a------   C:\WINDOWS\SYSTEM32\VCCLSID.exe
2007-12-29 13:24 . 2006-04-27 16:49 288,417 --a------   C:\WINDOWS\SYSTEM32\SrchSTS.exe
2007-12-29 13:24 . 2007-12-20 23:11 81,920  --a------   C:\WINDOWS\SYSTEM32\IEDFix.exe
2007-12-29 13:24 . 2004-07-31 17:50 51,200  --a------   C:\WINDOWS\SYSTEM32\dumphive.exe
2007-12-29 13:24 . 2007-10-03 23:36 25,600  --a------   C:\WINDOWS\SYSTEM32\WS2Fix.exe
2007-12-29 13:24 . 2007-12-29 20:24 1,450   --a------   C:\WINDOWS\SYSTEM32\tmp.reg
2007-12-29 11:04 . 2006-02-28 07:00 221,184 --a------   C:\WINDOWS\SYSTEM32\wmpns.dll
2007-12-29 10:49 . 2006-02-28 07:00 1,086,058   -ra------   C:\WINDOWS\SET47.tmp
2007-12-29 10:49 . 2006-02-28 07:00 14,573  -ra------   C:\WINDOWS\SET80.tmp
2007-12-29 10:49 . 2006-02-28 07:00 13,753  -ra------   C:\WINDOWS\SET53.tmp
2007-12-29 10:49 . 2006-02-28 07:00 7,334   --a--c---   C:\WINDOWS\SYSTEM32\DLLCACHE\wmerrenu.cat
2007-12-29 10:48 . 2006-02-28 07:00 1,042,903   -ra------   C:\WINDOWS\SET46.tmp
2007-12-29 07:59 . 2007-12-31 08:40 1,596   --a------   C:\WINDOWS\SYSTEM32\wpa.bak
2007-12-29 07:46 . 2007-07-30 19:19 216,408 --a--c---   C:\WINDOWS\SYSTEM32\wuaucpl.cpl


.
((((((((((((((((((((((((((((((((((((((((   Find3M Report   ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2007-12-31 18:01    ---------   d-----w C:\Program Files\Common Files\Symantec Shared
2007-12-31 18:01    ---------   d-----w C:\Documents and Settings\All Users\Application Data\Symantec
2007-12-31 17:20    805 ----a-w C:\WINDOWS\system32\drivers\SYMEVENT.INF
2007-12-31 17:20    123,952 ----a-w C:\WINDOWS\system32\drivers\SYMEVENT.SYS
2007-12-31 17:20    10,740  ----a-w C:\WINDOWS\system32\drivers\SYMEVENT.CAT
2007-12-31 03:53    ---------   d-----w C:\Program Files\Common Files\aolshare
2007-12-31 03:50    ---------   d-----w C:\Program Files\Common Files\InstallShield
2007-12-31 00:22    ---------   d-----w C:\Program Files\AIM
2007-12-30 05:40    14,037  ----a-w C:\WINDOWS\system32\drivers\mdc8021x.sys
2007-12-29 21:14    ---------   d--h--w C:\Program Files\InstallShield Installation Information
2007-12-29 21:12    ---------   d-----w C:\Program Files\Intel
2007-12-29 12:20    ---------   d-----w C:\Program Files\Apoint
2007-12-29 06:16    ---------   d-----w C:\Program Files\AWS
2007-12-29 06:16    ---------   d-----w C:\Documents and Settings\Ed\Application Data\Rex-Services
2007-12-27 20:05    ---------   d-----w C:\Documents and Settings\Ed\Application Data\Symantec
2007-12-27 16:38    ---------   d-----w C:\Program Files\QuickTime
2007-12-25 19:10    ---------   d-----w C:\Documents and Settings\Ed\Application Data\U3
2007-12-10 16:23    ---------   d-----w C:\Documents and Settings\Ed\Application Data\MSN6
2007-12-01 04:57    43,696  ----a-w C:\WINDOWS\system32\drivers\srtspx.sys
2007-12-01 04:57    317,616 ----a-w C:\WINDOWS\system32\drivers\srtspl.sys
2007-12-01 04:57    279,088 ----a-w C:\WINDOWS\system32\drivers\srtsp.sys
2007-11-25 03:37    ---------   d-----w C:\Program Files\Tribeca Labs
2007-11-12 23:50    ---------   d-----w C:\Documents and Settings\Ed\Application Data\Move Networks
2007-11-10 22:39    76,576  ----a-w C:\Documents and Settings\Ed\Application Data\GDIPFONTCACHEV1.DAT
2005-03-10 17:28    0   ----a-w C:\Documents and Settings\Ed\Upgrade.exe
2004-12-22 00:10    0   -csha-r C:\Program Files\q330994.exe
2004-12-22 00:10    0   -csha-r C:\WINDOWS\cvchost.exe
2004-12-22 00:10    0   -csha-r C:\WINDOWS\dl.exe
2004-12-22 00:10    0   -csha-r C:\WINDOWS\dlm.exe
2004-12-22 00:10    0   -csha-r C:\WINDOWS\msstasks.exe
2004-12-22 00:10    0   -csha-r C:\WINDOWS\mssys.com
2004-12-22 00:10    0   -csha-r C:\WINDOWS\mstasks1.exe
2004-12-22 00:10    0   -csha-r C:\WINDOWS\mstaskss.exe
2004-12-22 00:10    0   -csha-r C:\WINDOWS\msxmidi.exe
2004-12-22 00:10    0   -csha-r C:\WINDOWS\ntldr.exe
2004-12-22 00:10    0   -csha-r C:\WINDOWS\rocky.exe
2004-12-22 00:10    0   -csha-r C:\WINDOWS\seksdialer.exe
2004-12-22 00:10    0   -csha-r C:\WINDOWS\SYSTEM\wmscrop.exe
.


(((((((((((((((((((((((((((((((((((((   Reg Loading Points   ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4


[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"FreeRAM XP"="C:\Program Files\YourWare Solutions\FreeRAM XP Pro\FreeRAM XP Pro.exe" [2007-12-28 23:07 1591808]


[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SpywareTerminator"="C:\Program Files\Spyware Terminator\SpywareTerminatorShield.exe" [2007-12-28 21:58 2778112]
"!AVG Anti-Spyware"="C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" [2007-06-11 04:25 6731312]
"ccApp"="C:\Program Files\Common Files\Symantec Shared\ccApp.exe" [2007-12-27 11:35 115816]


[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"tscuninstall"="C:\WINDOWS\system32\tscupgrd.exe" [2006-02-28 07:00 44544]


[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]
"NoResolveSearch"= 1 (0x1)


[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\GoToAssist]
C:\Program Files\Citrix\GoToAssist\480\G2AWinLogon.dll 2007-12-30 14:52 10792 C:\Program Files\Citrix\GoToAssist\480\g2awinlogon.dll


[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\Sebring]
C:\WINDOWS\System32\LgNotify.dll 2003-06-20 07:03 110592 C:\WINDOWS\SYSTEM32\LgNotify.dll


[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Uae48.sys]
@="Driver"


[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^Administrator^Start Menu^Programs^Startup^.protected]
path=C:\Documents and Settings\Administrator\Start Menu\Programs\Startup\.protected
backup=C:\WINDOWS\pss\.protectedStartup


[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^.protected]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\.protected
backup=C:\WINDOWS\pss\.protectedCommon Startup


[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^America Online 8.0 Tray Icon.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\America Online 8.0 Tray Icon.lnk
backup=C:\WINDOWS\pss\America Online 8.0 Tray Icon.lnkCommon Startup


[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Microsoft Office.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Microsoft Office.lnk
backup=C:\WINDOWS\pss\Microsoft Office.lnkCommon Startup


[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^winlogin.exe]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\winlogin.exe
backup=C:\WINDOWS\pss\winlogin.exeCommon Startup


[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^Ed^Start Menu^Programs^Startup^.protected]
path=C:\Documents and Settings\Ed\Start Menu\Programs\Startup\.protected
backup=C:\WINDOWS\pss\.protectedStartup


[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^Ed^Start Menu^Programs^Startup^HotSync Manager.lnk]
path=C:\Documents and Settings\Ed\Start Menu\Programs\Startup\HotSync Manager.lnk
backup=C:\WINDOWS\pss\HotSync Manager.lnkStartup


[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^Ed^Start Menu^Programs^Startup^Photobot.lnk]
path=C:\Documents and Settings\Ed\Start Menu\Programs\Startup\Photobot.lnk
backup=C:\WINDOWS\pss\Photobot.lnkStartup


[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\2sni3mX]
cnvc3260.exe


[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]
2007-10-10 19:51    39792   --a------   C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe


[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AIM]
C:\Program Files\AIM\aim.exe -cnetwait.odl


[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Apoint]
2003-06-11 00:07    147456  --a--c---   C:\Program Files\Apoint\Apoint.exe


[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\aqlwihou]
C:\Program Files\Tmlsfdce\aqlwihou.exe


[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ATIModeChange]
Ati2mdxx.exe


[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ATIPTA]
2007-12-27 11:35    335872  --a------   C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe


[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AutoUpdater]
C:\Program Files\AutoUpdate\AutoUpdate.exe


[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Awola]
C:\Documents and Settings\Ed\Application Data\Awola\Awola.exe /MIN


[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\conscorr]


[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Control handler]
C:\WINDOWS\System32\c6hen9sezmzo2mthd.exe


[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\CSV7P70]
C:\Program Files\CSBB\CSV7P070.exe


[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Dell QuickSet]
2002-12-17 21:16    360448  --a------   C:\Program Files\Dell\QuickSet\quickset.exe


[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\dkbepahk]
rundll32.exe C:\Program Files\dkbepahk\dmtkrqfa.dll,Init


[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DR_S]
C:\Program Files\DR_S\DR_S.exe


[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DVDSentry]
2002-07-17 11:18    28672   --a------   C:\WINDOWS\System32\DSentry.exe


[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\eZmmod]


[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\FreeRAM XP]
C:\Program Files\YourWare Solutions\FreeRAM XP Pro\FreeRAM XP Pro.exe -win


[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
C:\Program Files\iTunes\iTunesHelper.exe


[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\JB4sRgb3Q]
cmurecst.exe


[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\KernelFaultCheck]
C:\WINDOWS\system32\dumprep 0 -k


[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MCAgentExe]
c:\PROGRA~1\mcafee.com\agent\mcagent.exe


[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MCUpdateExe]
C:\PROGRA~1\mcafee.com\agent\mcupdate.exe


[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Microsoft Works Update Detection]
2002-07-16 20:21    28672   --a------   C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe


[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\mmtask]
C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mmtask.exe


[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MMTray]
C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe


[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\mnlyss]


[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\mpyvwwbts]


[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
C:\Program Files\Messenger\msmsgs.exe /background


[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\nfxpzc]


[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PCTVOICE]
pctspk.exe


[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PopUpStopperProfessional]
C:\PROGRA~1\PANICW~1\POP-UP~1\POPUPS~1.EXE


[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QdrPack11]
C:\Program Files\QdrPack\QdrPack11.exe


[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Service Pack 1]
C:\WINDOWS\System32\vedxg6ame4.exe


[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SfKg6w]
2007-12-27 11:34    35840   --a------   C:\Documents and Settings\Ed\Application Data\Microsoft\Windows\lxcfi.exe


[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SpybotSD TeaTimer]
2007-08-31 16:46    1460560 --a------   C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe


[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SpywareTerminator]
2007-12-28 21:58    2778112 --a------   C:\Program Files\Spyware Terminator\SpywareTerminatorShield.exe


[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\stcloader]


[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SYSfit]
C:\WINDOWS\SYSfit.exe


[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\System Mechanic Registry Compact Handler]
C:\Program Files\iolo\System Mechanic 5 Professional\SysMech5.exe /PERSISTREGCOMPACT


[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Win Server Updt]


[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WinAble]
C:\Program Files\WinAble\winable.exe


[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Windows update loader]
C:\Windows\xpupdate.exe


[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WinTouch]
C:\Documents and Settings\Ed\Application Data\WinTouch\WinTouch.exe


[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\winupdtl]


[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"UPS"=3 (0x3)
"Symantec Core LC"=3 (0x3)
"sp_rssrv"=2 (0x2)
"LiveUpdate Notice Service"=2 (0x2)
"LiveUpdate Notice Ex"=2 (0x2)
"LiveUpdate"=3 (0x3)
"iPodService"=3 (0x3)
"IDriverT"=3 (0x3)
"comHost"=3 (0x3)
"CLTNetCnService"=2 (0x2)
"ccSetMgr"=2 (0x2)
"ccEvtMgr"=2 (0x2)
"CCALib8"=2 (0x2)
"Ati HotKey Poller"=2 (0x2)
"aspnet_state"=3 (0x3)
"aawservice"=2 (0x2)
"a2free"=2 (0x2)
"WANMiniportService"=2 (0x2)
"RasMan"=3 (0x3)
"ImapiService"=3 (0x3)
"Automatic LiveUpdate Scheduler"=2 (0x2)


R1 sp_rsdrv2;Spyware Terminator Driver 2;C:\WINDOWS\System32\drivers\sp_rsdrv2.sys [2007-12-29 01:55]
R3 O2SCBUS;O2Micro SmartCardBus Reader;C:\WINDOWS\system32\DRIVERS\ozscr.sys [2002-11-08 14:13]
S2 init_3b0c-6b44;init_3b0c-6b44;C:\WINDOWS\System32\init_3b0c-6b44.sys []
S3 EraserUtilDrv10621;EraserUtilDrv10621;C:\Program Files\Common Files\Symantec Shared\EENGINE\EraserUtilDrv10621.sys []
S3 GoToAssist;GoToAssist;"C:\Program Files\Citrix\GoToAssist\480\g2aservice.exe" Start=service []
S3 NAL;Nal Service ;C:\WINDOWS\system32\Drivers\iqvw32.sys [2002-11-22 20:01]


.
Contents of the 'Scheduled Tasks' folder
"2007-12-30 00:06:26 C:\WINDOWS\Tasks\Uniblue SpyEraser Nag.job"
- C:\Program Files\Uniblue\SpyEraser\SpyEraser.exe
"2007-12-29 20:49:02 C:\WINDOWS\Tasks\Uniblue SpyEraser.job"
- C:\Program Files\Uniblue\SpyEraser\SpyEraser.exe
.
**************************************************************************


catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-01-04 16:12:23
Windows 5.1.2600 Service Pack 2 NTFS


scanning hidden processes ...


scanning hidden autostart entries ...


scanning hidden files ...


scan completed successfully
hidden files: 0


**************************************************************************
.
Completion time: 2008-01-04 16:17:35 - machine was rebooted
ComboFix-quarantined-files.txt  2008-01-04 21:17:01
.
2008-01-04 20:29:30 --- E O F ---



Now here is the new HijackThis log.



Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 4:27:46 PM, on 1/4/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal


Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\ZCfgSvc.exe
C:\Program Files\Spyware Terminator\sp_rsser.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Spyware Terminator\SpywareTerminatorShield.exe
C:\Program Files\YourWare Solutions\FreeRAM XP Pro\FreeRAM XP Pro.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\internet explorer\iexplore.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe


O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O4 - HKLM\..\Run: [SpywareTerminator] "C:\Program Files\Spyware Terminator\SpywareTerminatorShield.exe"
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKLM\..\Run: [ccApp] C:\Program Files\Common Files\Symantec Shared\ccApp.exe
O4 - HKCU\..\Run: [FreeRAM XP] "C:\Program Files\YourWare Solutions\FreeRAM XP Pro\FreeRAM XP Pro.exe" -win
O4 - HKUS\S-1-5-18\..\RunOnce: [tscuninstall] %systemroot%\system32\tscupgrd.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\RunOnce: [tscuninstall] %systemroot%\system32\tscupgrd.exe (User 'Default user')
O8 - Extra context menu item: &AIM Search - res://C:\Program Files\AIM Toolbar\AIMBar.dll/aimsearch.htm
O8 - Extra context menu item: &Viewpoint Search - res://C:\Program Files\Viewpoint\Viewpoint Toolbar\ViewBar.dll/CXTSEARCH.HTML
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll
O16 - DPF: {5F8469B4-B055-49DD-83F7-62B522420ECC} (Facebook Photo Uploader Control) - http://upload.facebook.com/controls/FacebookPhotoUploader.cab
O16 - DPF: {E008A543-CEFB-4559-912F-C27C2B89F13B} (Domino Web Access 7 Control) - http://body1.spfldcol.edu/dwa7W.cab
O20 - Winlogon Notify: GoToAssist - C:\Program Files\Citrix\GoToAssist\480\G2AWinLogon.dll
O23 - Service: Application Layer Gateway Service (ALG) - Unknown owner - C:\WINDOWS\System32\alg.exe (file missing)
O23 - Service: AVG Anti-Spyware Guard - Unknown owner - C:\WINDOWS\TEMP\157967.exe (file missing)
O23 - Service: Indexing Service (CiSvc) - Unknown owner - C:\WINDOWS\system32\cisvc.exe (file missing)
O23 - Service: COMSysApp - Unknown owner - C:\WINDOWS\TEMP\158557.exe (file missing)
O23 - Service: dmserver - Unknown owner - C:\WINDOWS\TEMP\137738.exe (file missing)
O23 - Service: GoToAssist - Citrix Online, a division of Citrix Systems, Inc. - C:\Program Files\Citrix\GoToAssist\480\g2aservice.exe
O23 - Service: HTTPFilter - Unknown owner - C:\WINDOWS\TEMP\183173.exe (file missing)
O23 - Service: lanmanserver - Unknown owner - C:\WINDOWS\TEMP\130377.exe (file missing)
O23 - Service: Distributed Transaction Coordinator (MSDTC) - Unknown owner - C:\WINDOWS\System32\msdtc.exe (file missing)
O23 - Service: NetSvc - Unknown owner - C:\WINDOWS\TEMP\134503.exe (file missing)
O23 - Service: RDSessMgr - Unknown owner - C:\WINDOWS\system32\sessmgr.exe (file missing)
O23 - Service: RegSrvc - Unknown owner - C:\WINDOWS\system32\RegSrvc.exe (file missing)
O23 - Service: Remote Procedure Call (RPC) Locator (RpcLocator) - Unknown owner - C:\WINDOWS\system32\locator.exe (file missing)
O23 - Service: RSVP - Unknown owner - C:\WINDOWS\system32\rsvp.exe (file missing)
O23 - Service: S24EventMonitor - Unknown owner - C:\WINDOWS\system32\S24EvMon.exe (file missing)
O23 - Service: Smart Card Helper (SCardDrv) - Unknown owner - C:\WINDOWS\System32\SCardSvr.exe (file missing)
O23 - Service: Smart Card (SCardSvr) - Unknown owner - C:\WINDOWS\System32\SCardSvr.exe (file missing)
O23 - Service: Spooler - Unknown owner - C:\WINDOWS\system32\spoolsv.exe (file missing)
O23 - Service: sp_rssrv - Crawler.com - C:\Program Files\Spyware Terminator\sp_rsser.exe
O23 - Service: Uninterruptible Power Supply (UPS) - Unknown owner - C:\WINDOWS\System32\ups.exe (file missing)
O23 - Service: VSS - Unknown owner - C:\WINDOWS\System32\vssvc.exe (file missing)
O23 - Service: WmiApSrv - Unknown owner - C:\WINDOWS\system32\wbem\wmiapsrv.exe (file missing)


--
End of file - 5711 bytes

Internet seems to have not gone down. I'll leave this computer running to see if it does, though.


0

1. Please open Notepad

  • Click Start , then Run
  • Type notepad.exe in the Run Box.

2. Now copy/paste the entire content of the codebox below into the Notepad window:


File::
C:\mssys.com
C:\Program Files\q330994.exe
C:\WINDOWS\cvchost.exe
C:\WINDOWS\dl.exe
C:\WINDOWS\dlm.exe
C:\WINDOWS\msstasks.exe
C:\WINDOWS\mssys.com
C:\WINDOWS\mstasks1.exe
C:\WINDOWS\mstaskss.exe
C:\WINDOWS\msxmidi.exe
C:\WINDOWS\ntldr.exe
C:\WINDOWS\rocky.exe
C:\WINDOWS\seksdialer.exe

Driver::
C:\WINDOWS\SYSTEM32\DRIVERS\Wqd29.sys

Registry::
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg]
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg]

Note: the above code was created specifically for this user. If you are not this user, do NOT follow these directions as they could damage the workings of your system.

3. Save the above as CFScript.txt

4. Physically disconnect from the internet.

5. Now STOP all your monitoring programs (Antivirus/Antispyware, Guards and Shields) as they could easily interfere with ComboFix.

6. Then drag the CFScript.txt into ComboFix.exe as depicted in the animation below. This will start ComboFix again.


7. After reboot (in case it asks to reboot), please post the following reports/logs into your next reply after you re-enable all the programs that were disabled during the running of ComboFix:

  • Combofix.txt
  • A new HijackThis log.

Please take note:

CF disconnects your machine from the internet. The connection is automatically restored before CF completes its run. If CF runs into difficulty and terminates prematurely, the connection can be manually restored by restarting your machine.

Attachments CFScript.gif 27.09 KB
0
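Deciding which of the O23 service entries in the log above belong in a script like the helper's CFScript is the part of this procedure the thread never spells out. The Python below is an added example, not code from this thread or from the HijackThis or ComboFix projects. It parses HijackThis O23 lines (the embedded sample lines are copied from the log posted above, plus two trailer lines to show non-O23 lines are skipped) and rates each service on its image path alone: an image registered inside a temp directory is the strongest signal, while a `(file missing)` entry under a system directory only rates low, because the same flag appears on stock XP services in that log and needs a manual check of the ImagePath value. The function names, severity labels and directory lists are my own assumptions, not a HijackThis convention.

```python
import re

# Shape of a HijackThis O23 line (example copied from the log posted above):
#   O23 - Service: dmserver - Unknown owner - C:\WINDOWS\TEMP\137738.exe (file missing)
O23_RE = re.compile(
    r"^O23 - Service: (?P<name>.+?) - (?P<owner>.+?) - "
    r"(?P<path>.+?)(?P<missing> \(file missing\))?$"
)

# Path fragments used by the rating (assumed heuristics; lower-case, backslash paths).
TEMP_DIRS = ("\\windows\\temp\\", "\\local settings\\temp\\", "\\temp\\")
PROFILE_DIRS = ("\\documents and settings\\",)
SYSTEM_DIRS = ("\\windows\\system32\\", "\\windows\\system\\", "\\program files\\")

SEVERITY_ORDER = {"high": 0, "medium": 1, "low": 2, "info": 3}


def parse_o23(line):
    """Split one O23 line into its fields, or return None for any other line."""
    m = O23_RE.match(line.strip())
    if not m:
        return None
    return {
        "name": m.group("name"),
        "owner": m.group("owner"),
        # Strip quotes so '"C:\Program Files\x.exe"' compares like an unquoted path.
        "path": m.group("path").strip().strip('"'),
        "missing": m.group("missing") is not None,
    }


def rate_service(entry):
    """Return (severity, reason) for a parsed O23 entry based on its image path."""
    path = entry["path"].lower()
    if any(d in path for d in TEMP_DIRS):
        # A service image should never live in a temp directory.
        return "high", "service image registered inside a temp directory"
    if any(d in path for d in PROFILE_DIRS):
        return "medium", "service image inside a user profile"
    if entry["missing"]:
        if any(d in path for d in SYSTEM_DIRS):
            # The same flag shows up on stock services in the log above,
            # so this only asks for a manual look at the ImagePath value.
            return "low", "file missing under a system directory; verify ImagePath by hand"
        return "medium", "file missing outside system directories"
    if entry["owner"] == "Unknown owner":
        return "low", "no vendor information in the image"
    return "info", "known vendor, standard install location"


def classify_service(line):
    """Rate a raw O23 line; returns (severity, reason) or None if it is not an O23 line."""
    entry = parse_o23(line)
    if entry is None:
        return None
    return rate_service(entry)


def triage(lines):
    """Rate every O23 line in a HijackThis log, most suspicious first."""
    findings = []
    for line in lines:
        entry = parse_o23(line)
        if entry is None:
            continue
        severity, reason = rate_service(entry)
        findings.append({**entry, "severity": severity, "reason": reason})
    findings.sort(key=lambda f: (SEVERITY_ORDER[f["severity"]], f["name"].lower()))
    return findings


# Sample input: O23 lines copied from the HijackThis log posted earlier in this
# thread, plus two trailer lines to show that non-O23 lines are skipped.
SAMPLE_LOG = r"""
O23 - Service: Application Layer Gateway Service (ALG) - Unknown owner - C:\WINDOWS\System32\alg.exe (file missing)
O23 - Service: AVG Anti-Spyware Guard - Unknown owner - C:\WINDOWS\TEMP\157967.exe (file missing)
O23 - Service: COMSysApp - Unknown owner - C:\WINDOWS\TEMP\158557.exe (file missing)
O23 - Service: dmserver - Unknown owner - C:\WINDOWS\TEMP\137738.exe (file missing)
O23 - Service: GoToAssist - Citrix Online, a division of Citrix Systems, Inc. - C:\Program Files\Citrix\GoToAssist\480\g2aservice.exe
O23 - Service: HTTPFilter - Unknown owner - C:\WINDOWS\TEMP\183173.exe (file missing)
O23 - Service: Spooler - Unknown owner - C:\WINDOWS\system32\spoolsv.exe (file missing)
O23 - Service: sp_rssrv - Crawler.com - C:\Program Files\Spyware Terminator\sp_rsser.exe
--
End of file - 5711 bytes
"""

if __name__ == "__main__":
    for f in triage(SAMPLE_LOG.splitlines()):
        print(f"{f['severity']:<6} {f['name']:<45} {f['path']}  [{f['reason']}]")
```

Run it as-is to print the rated list for the embedded sample, or pass a whole log with `triage(open(path).read().splitlines())`. The rating is a first pass only: the four services whose images sit under `C:\WINDOWS\TEMP` come out on top, and an entry rated low or info is not cleared, it simply does not stand out on its path alone.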

Not going anywhere. Now, on normal boot-up, just as it is about to go to the desktop, the "blue screen of death" comes up and reboots the computer. Right now I have it in safe mode, so should I still run what you just said in safe mode?

0

Give it a try and see what happens. At worst, I imagine you will have to do a system restore if it's still the same after :).

0

Mkay, well, I should be able to do that tonight; if not, I'll get back at it tomorrow :P

0

Well, nothing better to do at 1:47 AM, so here we go. Once I put this up I'll reboot and see if I can get in normally; if not, then it's a system restore, and I'm guessing go back a day, fix what broke and not undo a lot of work already done. But I'll wait for your go to be 100% sure if we've got to do one :o


OK, here is ComboFix:


ComboFix 08-01-04.1 - Ed 2008-01-05 1:38:00.2 - NTFSx86 NETWORK
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.221 [GMT -5:00]
Running from: C:\Documents and Settings\Ed\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\Ed\Desktop\CFScript.txt

FILE
C:\mssys.com
C:\Program Files\q330994.exe
C:\WINDOWS\cvchost.exe
C:\WINDOWS\dl.exe
C:\WINDOWS\dlm.exe
C:\WINDOWS\msstasks.exe
C:\WINDOWS\mssys.com
C:\WINDOWS\mstasks1.exe
C:\WINDOWS\mstaskss.exe
C:\WINDOWS\msxmidi.exe
C:\WINDOWS\ntldr.exe
C:\WINDOWS\rocky.exe
C:\WINDOWS\seksdialer.exe
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\mssys.com
C:\Program Files\q330994.exe
C:\WINDOWS\cvchost.exe
C:\WINDOWS\dl.exe
C:\WINDOWS\dlm.exe
C:\WINDOWS\Downloaded Program Files\ODCTOOLS
C:\WINDOWS\msstasks.exe
C:\WINDOWS\mssys.com
C:\WINDOWS\mstasks1.exe
C:\WINDOWS\mstaskss.exe
C:\WINDOWS\msxmidi.exe
C:\WINDOWS\ntldr.exe
C:\WINDOWS\rocky.exe
C:\WINDOWS\seksdialer.exe
C:\WINDOWS\SYSTEM32\1691481241.dll

.
((((((((((((((((((((((((( Files Created from 2007-12-05 to 2008-01-05 )))))))))))))))))))))))))))))))
.

2008-01-04 18:13 . 2008-01-04 18:13 <DIR> d--h----- C:\Documents and Settings\All Users\WLANProfiles
2008-01-04 18:12 . 2008-01-04 18:12 17,801 --a------ C:\WINDOWS\SYSTEM32\DRIVERS\AegisP.sys
2008-01-04 17:49 . 2008-01-04 17:49 <DIR> d-------- C:\WINDOWS\LastGood.Tmp
2008-01-04 17:39 . 2008-01-04 18:09 <DIR> d-------- C:\Intel
2008-01-04 16:02 . 2000-08-31 08:00 51,200 --a------ C:\WINDOWS\NirCmd.exe
2008-01-04 15:28 . 2008-01-04 15:28 2 --a------ C:\B.tmp
2008-01-04 15:28 . 2008-01-04 15:28 0 --a------ C:\C.tmp
2008-01-04 15:28 . 2008-01-04 15:28 0 --a------ C:\A.tmp
2008-01-04 15:28 . 2008-01-04 15:28 0 --a------ C:\9.tmp
2008-01-04 15:28 . 2008-01-04 15:28 0 --a------ C:\2.tmp
2008-01-03 17:23 . 2008-01-03 17:23 2 --a------ C:\5.tmp
2008-01-03 17:23 . 2008-01-03 17:23 0 --a------ C:\8.tmp
2008-01-03 17:23 . 2008-01-03 17:23 0 --a------ C:\7.tmp
2008-01-03 17:23 . 2008-01-03 17:23 0 --a------ C:\6.tmp
2008-01-03 17:23 . 2008-01-03 17:23 0 --a------ C:\3.tmp
2008-01-02 16:03 . 2008-01-02 16:04 <DIR> d-------- C:\ERDNT
2007-12-31 14:53 . 2007-12-31 14:53 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\Grisoft
2007-12-31 14:43 . 2007-12-31 14:44 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\Spyware Terminator
2007-12-31 12:20 . 2007-12-31 14:37 <DIR> d-------- C:\Program Files\Norton AntiVirus
2007-12-31 12:17 . 2007-12-31 15:05 <DIR> d-------- C:\Program Files\Symantec
2007-12-31 11:56 . 2007-12-31 11:56 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Avg7
2007-12-31 10:32 . 2007-12-31 10:32 <DIR> d-------- C:\Documents and Settings\Ed\Application Data\Grisoft
2007-12-31 10:32 . 2007-05-30 07:10 10,872 --a------ C:\WINDOWS\SYSTEM32\DRIVERS\AvgAsCln.sys
2007-12-31 10:31 . 2007-01-18 07:00 3,968 --a------ C:\WINDOWS\SYSTEM32\DRIVERS\AvgArCln.sys
2007-12-30 22:24 . 2007-12-30 17:55 102,664 --a------ C:\WINDOWS\SYSTEM32\DRIVERS\tmcomm.sys
2007-12-30 18:49 . 2007-12-30 19:47 <DIR> d-------- C:\Program Files\EsetOnlineScanner
2007-12-30 17:54 . 2007-12-30 22:37 <DIR> d-------- C:\Documents and Settings\Ed\.housecall6.6
2007-12-30 17:08 . 2007-12-30 17:08 <DIR> d-------- C:\Program Files\WinClamAVShield
2007-12-30 15:05 . 2007-12-30 15:05 60,968 --a------ C:\Documents and Settings\Ed\GoToAssistDownloadHelper.exe
2007-12-30 14:53 . 2007-12-30 14:53 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Citrix
2007-12-30 14:52 . 2007-12-30 14:52 <DIR> d-------- C:\Program Files\Citrix
2007-12-30 14:52 . 2007-12-30 14:52 60,968 --a------ C:\Documents and Settings\Administrator\GoToAssistDownloadHelper.exe
2007-12-30 13:32 . 2007-12-30 13:32 76,576 --a------ C:\WINDOWS\SYSTEM32\GDIPFONTCACHEV1.DAT
2007-12-30 13:12 . 2006-02-28 07:00 214,528 --a--c--- C:\WINDOWS\SYSTEM32\DLLCACHE\wordpad.exe
2007-12-30 13:12 . 2006-02-28 07:00 113,222 --a--c--- C:\WINDOWS\SYSTEM32\DLLCACHE\zoneclim.dll
2007-12-30 13:12 . 2006-02-28 07:00 41,029 --a--c--- C:\WINDOWS\SYSTEM32\DLLCACHE\zcorem.dll
2007-12-30 13:12 . 2006-02-28 07:00 36,937 --a--c--- C:\WINDOWS\SYSTEM32\DLLCACHE\zclientm.exe
2007-12-30 13:12 . 2006-02-28 07:00 29,760 --a--c--- C:\WINDOWS\SYSTEM32\DLLCACHE\znetm.dll
2007-12-30 13:12 . 2006-02-28 07:00 28,288 --a--c--- C:\WINDOWS\SYSTEM32\DLLCACHE\xjis.nls
2007-12-30 13:12 . 2006-02-28 07:00 13,894 --a--c--- C:\WINDOWS\SYSTEM32\DLLCACHE\zonelibm.dll
2007-12-30 13:12 . 2006-02-28 07:00 5,632 --a--c--- C:\WINDOWS\SYSTEM32\DLLCACHE\write.exe
2007-12-30 13:12 . 2006-02-28 07:00 4,677 --a--c--- C:\WINDOWS\SYSTEM32\DLLCACHE\zeeverm.dll
2007-12-30 13:10 . 2006-02-28 07:00 1,875,968 --a--c--- C:\WINDOWS\SYSTEM32\DLLCACHE\msir3jp.lex
2007-12-30 13:09 . 2006-02-28 07:00 10,129,408 --a--c--- C:\WINDOWS\SYSTEM32\DLLCACHE\hwxkor.dll
2007-12-30 13:08 . 2006-02-28 07:00 13,463,552 --a--c--- C:\WINDOWS\SYSTEM32\DLLCACHE\hwxjpn.dll
2007-12-30 13:07 . 2006-02-28 07:00 1,817,687 --a--c--- C:\WINDOWS\SYSTEM32\DLLCACHE\bckgres.dll
2007-12-30 13:06 . 2004-05-13 00:39 876,653 --a--c--- C:\WINDOWS\SYSTEM32\DLLCACHE\fp4awel.dll
2007-12-30 13:03 . 2007-12-30 13:03 749 -rah----- C:\WINDOWS\WindowsShell.Manifest
2007-12-30 13:03 . 2007-12-30 13:03 749 -rah----- C:\WINDOWS\SYSTEM32\wuaucpl.cpl.manifest
2007-12-30 13:03 . 2007-12-30 13:03 749 -rah----- C:\WINDOWS\SYSTEM32\sapi.cpl.manifest
2007-12-30 13:03 . 2007-12-30 13:03 749 -rah----- C:\WINDOWS\SYSTEM32\ncpa.cpl.manifest
2007-12-30 13:03 . 2007-12-30 13:03 488 -rah----- C:\WINDOWS\SYSTEM32\logonui.exe.manifest
2007-12-30 13:02 . 2006-02-28 07:00 32,768 --a--c--- C:\WINDOWS\SYSTEM32\DLLCACHE\mnmsrvc.exe
2007-12-30 13:00 . 2006-02-28 07:00 140,800 --a--c--- C:\WINDOWS\SYSTEM32\DLLCACHE\sessmgr.exe
2007-12-30 13:00 . 2006-02-28 07:00 126,464 --a--c--- C:\WINDOWS\SYSTEM32\DLLCACHE\wmiapsrv.exe
2007-12-30 13:00 . 2006-02-28 07:00 6,144 --a--c--- C:\WINDOWS\SYSTEM32\DLLCACHE\msdtc.exe
2007-12-30 12:54 . 2006-02-28 07:00 168,806 --a--c--- C:\WINDOWS\SYSTEM32\DLLCACHE\startoc.cat
2007-12-30 12:54 . 2006-02-28 07:00 24,661 --a------ C:\WINDOWS\SYSTEM32\spxcoins.dll
2007-12-30 12:54 . 2006-02-28 07:00 24,661 --a--c--- C:\WINDOWS\SYSTEM32\DLLCACHE\spxcoins.dll
2007-12-30 12:54 . 2006-02-28 07:00 24,209 --a--c--- C:\WINDOWS\SYSTEM32\DLLCACHE\msn7.cat
2007-12-30 12:54 . 2006-02-28 07:00 14,573 -ra------ C:\WINDOWS\SET89.tmp
2007-12-30 12:54 . 2006-02-28 07:00 13,312 --a------ C:\WINDOWS\SYSTEM32\irclass.dll
2007-12-30 12:54 . 2006-02-28 07:00 13,312 --a--c--- C:\WINDOWS\SYSTEM32\DLLCACHE\irclass.dll
2007-12-30 12:54 . 2006-02-28 07:00 11,651 --a--c--- C:\WINDOWS\SYSTEM32\DLLCACHE\msn9.cat
2007-12-30 12:54 . 2006-02-28 07:00 7,382 --a--c--- C:\WINDOWS\SYSTEM32\DLLCACHE\OEMBIOS.CAT
2007-12-30 11:07 . 2007-12-30 11:07 <DIR> d-------- C:\Program Files\Trend Micro
2007-12-30 10:38 . 2007-12-30 10:38 <DIR> d-------- C:\Program Files\Lavasoft
2007-12-30 10:38 . 2007-12-30 10:38 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Lavasoft
2007-12-30 10:37 . 2007-12-30 10:37 <DIR> d-------- C:\Program Files\Common Files\Wise Installation Wizard
2007-12-30 07:40 . 2008-01-05 01:32 0 --a------ C:\WINDOWS\MEMORY.DMP
2007-12-30 00:15 . 2007-12-30 00:15 <DIR> d-------- C:\WINDOWS\ERUNT
2007-12-29 23:23 . 2007-12-29 23:59 <DIR> d-------- C:\Documents and Settings\Ed\Application Data\SUPERAntiSpyware.com
2007-12-29 23:23 . 2007-12-29 23:23 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\SUPERAntiSpyware.com
2007-12-29 19:12 . 2007-12-31 11:55 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Grisoft
2007-12-29 18:59 . 2007-12-29 18:59 230 --a------ C:\WINDOWS\SYSTEM32\spupdsvc.inf
2007-12-29 17:04 . 2006-09-06 17:43 22,752 --a------ C:\WINDOWS\SYSTEM32\spupdsvc.exe
2007-12-29 17:00 . 2007-12-29 17:00 0 --a------ C:\WINDOWS\nsreg.dat
2007-12-29 16:14 . 2007-12-29 16:14 <DIR> d-------- C:\Program Files\Broadcom
2007-12-29 16:12 . 2003-03-17 22:03 966,656 --a------ C:\WINDOWS\SYSTEM32\W70MLRES.DLL
2007-12-29 16:10 . 1999-05-07 13:24 645,616 --a------ C:\WINDOWS\SYSTEM32\MSCOMCT2.OCX
2007-12-29 16:10 . 2000-03-23 12:50 446,464 -ra------ C:\WINDOWS\SYSTEM32\hhactivex.dll
2007-12-29 16:10 . 1999-05-07 13:24 414,944 --a------ C:\WINDOWS\SYSTEM32\COMCT332.OCX
2007-12-29 16:10 . 1998-11-10 10:46 328,480 --a------ C:\WINDOWS\SYSTEM32\ssa3d30.ocx
2007-12-29 16:10 . 2002-01-08 17:00 176,128 --a------ C:\WINDOWS\SYSTEM32\RcdScan.dll
2007-12-29 16:10 . 1998-06-17 23:00 89,360 --a------ C:\WINDOWS\SYSTEM32\VB5DB.DLL
2007-12-29 15:26 . 2007-12-29 15:26 <DIR> d-------- C:\Program Files\Uniblue
2007-12-29 15:26 . 2007-12-29 15:26 <DIR> d-------- C:\Documents and Settings\Ed\Application Data\Uniblue
2007-12-29 15:26 . 2007-12-29 15:26 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Uniblue
2007-12-29 13:24 . 2007-09-05 23:22 289,144 --a------ C:\WINDOWS\SYSTEM32\VCCLSID.exe
2007-12-29 13:24 . 2006-04-27 16:49 288,417 --a------ C:\WINDOWS\SYSTEM32\SrchSTS.exe
2007-12-29 13:24 . 2007-12-20 23:11 81,920 --a------ C:\WINDOWS\SYSTEM32\IEDFix.exe
2007-12-29 13:24 . 2004-07-31 17:50 51,200 --a------ C:\WINDOWS\SYSTEM32\dumphive.exe
2007-12-29 13:24 . 2007-10-03 23:36 25,600 --a------ C:\WINDOWS\SYSTEM32\WS2Fix.exe
2007-12-29 13:24 . 2007-12-29 20:24 1,450 --a------ C:\WINDOWS\SYSTEM32\tmp.reg
2007-12-29 11:04 . 2006-02-28 07:00 221,184 --a------ C:\WINDOWS\SYSTEM32\wmpns.dll
2007-12-29 10:49 . 2006-02-28 07:00 1,086,058 -ra------ C:\WINDOWS\SET47.tmp
2007-12-29 10:49 . 2006-02-28 07:00 14,573 -ra------ C:\WINDOWS\SET80.tmp
2007-12-29 10:49 . 2006-02-28 07:00 13,753 -ra------ C:\WINDOWS\SET53.tmp
2007-12-29 10:49 . 2006-02-28 07:00 7,334 --a--c--- C:\WINDOWS\SYSTEM32\DLLCACHE\wmerrenu.cat
2007-12-29 10:48 . 2006-02-28 07:00 1,042,903 -ra------ C:\WINDOWS\SET46.tmp

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-01-04 23:12 --------- d-----w C:\Program Files\Intel
2007-12-31 18:01 --------- d-----w C:\Program Files\Common Files\Symantec Shared
2007-12-31 18:01 --------- d-----w C:\Documents and Settings\All Users\Application Data\Symantec
2007-12-31 17:20 805 ----a-w C:\WINDOWS\system32\drivers\SYMEVENT.INF
2007-12-31 17:20 60,800 ----a-w C:\WINDOWS\SYSTEM32\S32EVNT1.DLL
2007-12-31 17:20 123,952 ----a-w C:\WINDOWS\system32\drivers\SYMEVENT.SYS
2007-12-31 17:20 10,740 ----a-w C:\WINDOWS\system32\drivers\SYMEVENT.CAT
2007-12-31 03:53 --------- d-----w C:\Program Files\Common Files\aolshare
2007-12-31 03:50 --------- d-----w C:\Program Files\Common Files\InstallShield
2007-12-31 00:22 --------- d-----w C:\Program Files\AIM
2007-12-29 21:14 --------- d--h--w C:\Program Files\InstallShield Installation Information
2007-12-29 12:20 --------- d-----w C:\Program Files\Apoint
2007-12-29 06:16 --------- d-----w C:\Program Files\AWS
2007-12-29 06:16 --------- d-----w C:\Documents and Settings\Ed\Application Data\Rex-Services
2007-12-27 20:05 --------- d-----w C:\Documents and Settings\Ed\Application Data\Symantec
2007-12-27 16:38 --------- d-----w C:\Program Files\QuickTime
2007-12-25 19:10 --------- d-----w C:\Documents and Settings\Ed\Application Data\U3
2007-12-10 16:23 --------- d-----w C:\Documents and Settings\Ed\Application Data\MSN6
2007-12-01 04:57 43,696 ----a-w C:\WINDOWS\system32\drivers\srtspx.sys
2007-12-01 04:57 317,616 ----a-w C:\WINDOWS\system32\drivers\srtspl.sys
2007-12-01 04:57 279,088 ----a-w C:\WINDOWS\system32\drivers\srtsp.sys
2007-11-25 03:37 --------- d-----w C:\Program Files\Tribeca Labs
2007-11-12 23:50 --------- d-----w C:\Documents and Settings\Ed\Application Data\Move Networks
2007-11-10 22:39 76,576 ----a-w C:\Documents and Settings\Ed\Application Data\GDIPFONTCACHEV1.DAT
2005-03-10 17:28 0 ----a-w C:\Documents and Settings\Ed\Upgrade.exe
2004-12-22 00:10 0 -csha-r C:\WINDOWS\SYSTEM\wmscrop.exe
.

((((((((((((((((((((((((((((( snapshot@2008-01-04_16.16.36.26 )))))))))))))))))))))))))))))))))))))))))
.
+ 2007-01-18 05:27:00 345,512 ----a-w C:\WINDOWS\Downloaded Program Files\MSDcode.dll
+ 2008-01-04 23:13:00 40,960 ----a-r C:\WINDOWS\Installer\{74C9DFA1-338F-4bf3-B317-99A9EC8EF9A6}\PROSet.56285FC4_11A9_11D6_8473_00902745D287.exe
- 2003-06-20 11:56:06 184,320 ----a-w C:\WINDOWS\SYSTEM32\1XConfig.exe
+ 2006-08-03 08:14:14 389,186 ----a-w C:\WINDOWS\SYSTEM32\1XConfig.exe
- 2003-06-20 12:09:04 450,560 ----a-w C:\WINDOWS\SYSTEM32\AdHocWiz.exe
+ 2006-08-03 08:23:12 450,560 ----a-w C:\WINDOWS\SYSTEM32\AdHocWiz.exe
- 2003-06-20 12:00:50 204,800 ----a-w C:\WINDOWS\SYSTEM32\C1XStngs.dll
+ 2006-08-03 08:15:16 528,453 ----a-w C:\WINDOWS\SYSTEM32\C1XStngs.dll
+ 2006-08-03 08:14:18 69,632 ----a-w C:\WINDOWS\SYSTEM32\D8021Xps.dll
- 2003-06-20 11:54:04 10,970 ----a-w C:\WINDOWS\SYSTEM32\DRIVERS\s24trans.sys
+ 2006-08-03 18:11:32 10,970 ----a-w C:\WINDOWS\SYSTEM32\DRIVERS\s24trans.sys
- 2003-06-11 10:06:44 2,477,952 ----a-w C:\WINDOWS\SYSTEM32\DRIVERS\w70n51.sys
+ 2003-06-11 11:06:44 2,477,952 ----a-w C:\WINDOWS\SYSTEM32\DRIVERS\w70n51.sys
- 2003-07-31 14:17:16 417,792 ----a-w C:\WINDOWS\SYSTEM32\IntelAE5.dll
+ 2005-07-05 05:55:26 1,396,841 ----a-w C:\WINDOWS\SYSTEM32\IntelAE5.dll
- 2003-06-20 12:03:28 110,592 ----a-w C:\WINDOWS\SYSTEM32\LgNotify.dll
+ 2006-08-03 08:20:40 188,482 ----a-w C:\WINDOWS\SYSTEM32\LgNotify.dll
- 2002-12-04 15:57:00 651,264 ----a-w C:\WINDOWS\SYSTEM32\libeay32.dll
+ 2005-01-13 08:00:10 651,264 ----a-w C:\WINDOWS\SYSTEM32\libeay32.dll
+ 2006-08-03 08:24:08 45,124 ----a-w C:\WINDOWS\SYSTEM32\LsaWrApi.dll
- 2003-06-20 11:55:00 217,088 ----a-w C:\WINDOWS\SYSTEM32\PfMgrApi.dll
+ 2006-08-03 08:15:50 327,748 ----a-w C:\WINDOWS\SYSTEM32\PfMgrApi.dll
+ 2006-08-03 08:24:58 20,480 ----a-w C:\WINDOWS\SYSTEM32\PfMgrTool.exe
- 2003-06-20 12:03:22 389,120 ----a-w C:\WINDOWS\SYSTEM32\PfWizard.exe
+ 2006-08-03 08:20:36 430,080 ----a-w C:\WINDOWS\SYSTEM32\PfWizard.exe
- 2003-06-20 12:09:38 192,512 ----a-w C:\WINDOWS\SYSTEM32\Pn802_11.dll
+ 2006-08-03 08:23:32 217,152 ----a-w C:\WINDOWS\SYSTEM32\Pn802_11.dll
- 2003-06-20 11:59:58 794,624 ----a-w C:\WINDOWS\SYSTEM32\PsGuiMgr.dll
+ 2006-08-03 08:18:54 942,147 ----a-w C:\WINDOWS\SYSTEM32\PsGuiMgr.dll
- 2003-06-20 11:54:30 167,936 ----a-w C:\WINDOWS\SYSTEM32\PsRegApi.dll
+ 2006-08-03 08:13:38 172,032 ----a-w C:\WINDOWS\SYSTEM32\PsRegApi.dll
+ 2006-08-03 08:13:32 122,880 ----a-w C:\WINDOWS\SYSTEM32\RegSrvc.exe
+ 2003-03-18 03:01:22 966,656 ----a-w C:\WINDOWS\SYSTEM32\ReinstallBackups\0014\DriverFiles\W20MLRes.dll
+ 2008-01-04 22:40:31 409,667 ----a-w C:\WINDOWS\SYSTEM32\ReinstallBackups\0014\DriverFiles\W20NCPA.dll
+ 2008-01-04 22:40:32 674,560 ----a-w C:\WINDOWS\SYSTEM32\ReinstallBackups\0014\DriverFiles\w70n51.sys
+ 2003-11-03 12:55:00 32,768 ----a-r C:\WINDOWS\SYSTEM32\ReinstallBackups\0014\DriverFiles\w70n5msg.dll
+ 2006-08-03 08:16:08 426,051 ----a-w C:\WINDOWS\SYSTEM32\S24EvMon.exe
- 2003-06-20 11:55:28 69,632 ----a-w C:\WINDOWS\SYSTEM32\S24MUDLL.DLL
+ 2006-08-03 08:16:12 81,920 ----a-w C:\WINDOWS\SYSTEM32\S24MUDLL.DLL
- 2002-12-15 06:43:40 30,938 ----a-w C:\WINDOWS\SYSTEM32\s24NCfg.dll
+ 2004-02-22 19:34:00 30,938 ----a-w C:\WINDOWS\SYSTEM32\s24NCfg.dll
- 2003-06-20 12:10:16 192,512 ----a-w C:\WINDOWS\SYSTEM32\SbrngAPI.dll
+ 2006-08-03 08:24:06 262,144 ----a-w C:\WINDOWS\SYSTEM32\SbrngAPI.dll
- 2003-06-20 11:55:06 49,152 ----a-w C:\WINDOWS\SYSTEM32\SbrngSvc.exe
+ 2006-08-03 08:15:56 49,152 ----a-w C:\WINDOWS\SYSTEM32\SbrngSvc.exe
+ 2006-08-03 08:16:54 139,264 ----a-w C:\WINDOWS\SYSTEM32\ShellNav.dll
- 2002-12-15 06:43:40 53,248 ----a-w C:\WINDOWS\SYSTEM32\SMSUnins.dll
+ 2004-02-22 19:35:00 65,536 ----a-w C:\WINDOWS\SYSTEM32\SMSUnins.dll
- 2002-12-04 15:57:00 147,456 ----a-w C:\WINDOWS\SYSTEM32\ssleay32.dll
+ 2005-01-13 08:00:14 147,456 ----a-w C:\WINDOWS\SYSTEM32\ssleay32.dll
- 2003-01-20 21:01:00 78,096 ----a-w C:\WINDOWS\SYSTEM32\TPIDI32.dll
+ 2004-02-22 19:35:00 78,096 ----a-w C:\WINDOWS\SYSTEM32\TPIDI32.dll
- 2003-01-20 21:01:00 142,256 ----a-w C:\WINDOWS\SYSTEM32\TPIDITST.exe
+ 2004-02-22 19:35:00 142,256 ----a-w C:\WINDOWS\SYSTEM32\TPIDITST.exe
- 2003-01-19 21:49:12 32,768 ----a-w C:\WINDOWS\SYSTEM32\w70n5msg.dll
+ 2003-01-19 22:49:12 32,768 ----a-w C:\WINDOWS\SYSTEM32\w70n5msg.dll
- 2003-06-20 11:56:40 475,136 ----a-w C:\WINDOWS\SYSTEM32\WConfig.dll
+ 2006-08-03 08:16:46 532,567 ----a-w C:\WINDOWS\SYSTEM32\WConfig.dll
- 2003-06-20 11:55:40 110,592 ----a-w C:\WINDOWS\SYSTEM32\WiFiAdap.dll
+ 2006-08-03 08:16:20 110,592 ----a-w C:\WINDOWS\SYSTEM32\WiFiAdap.dll
- 2003-06-20 12:01:48 258,048 ----a-w C:\WINDOWS\SYSTEM32\WLANDLL.dll
+ 2006-08-03 08:19:42 253,952 ----a-w C:\WINDOWS\SYSTEM32\WLANDLL.dll
- 2003-06-20 12:01:12 356,352 ----a-w C:\WINDOWS\SYSTEM32\ZCfgSvc.exe
+ 2006-08-03 08:19:18 639,040 ----a-w C:\WINDOWS\SYSTEM32\ZCfgSvc.exe
.
-- Snapshot reset to current date --
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"FreeRAM XP"="C:\Program Files\YourWare Solutions\FreeRAM XP Pro\FreeRAM XP Pro.exe" [2007-12-28 23:07 1591808]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SpywareTerminator"="C:\Program Files\Spyware Terminator\SpywareTerminatorShield.exe" [2007-12-28 21:58 2778112]
"!AVG Anti-Spyware"="C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" [2007-06-11 04:25 6731312]
"ZCfgSvc.exe"="C:\WINDOWS\system32\ZCfgSvc.exe" [2006-08-03 03:19 639040]
"PRONoMgr.exe"="C:\Program Files\Intel\NCS\PROSet\PRONoMgr.exe" [2005-07-07 06:08 135168]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"tscuninstall"="C:\WINDOWS\system32\tscupgrd.exe" [2006-02-28 07:00 44544]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]
"NoResolveSearch"= 1 (0x1)

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\GoToAssist]
C:\Program Files\Citrix\GoToAssist\480\G2AWinLogon.dll 2007-12-30 14:52 10792 C:\Program Files\Citrix\GoToAssist\480\g2awinlogon.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\Sebring]
C:\WINDOWS\system32\LgNotify.dll 2006-08-03 03:20 188482 C:\WINDOWS\SYSTEM32\LgNotify.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Uae48.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^Administrator^Start Menu^Programs^Startup^.protected]
path=C:\Documents and Settings\Administrator\Start Menu\Programs\Startup\.protected
backup=C:\WINDOWS\pss\.protectedStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^.protected]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\.protected
backup=C:\WINDOWS\pss\.protectedCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^America Online 8.0 Tray Icon.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\America Online 8.0 Tray Icon.lnk
backup=C:\WINDOWS\pss\America Online 8.0 Tray Icon.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Microsoft Office.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Microsoft Office.lnk
backup=C:\WINDOWS\pss\Microsoft Office.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^winlogin.exe]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\winlogin.exe
backup=C:\WINDOWS\pss\winlogin.exeCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^Ed^Start Menu^Programs^Startup^.protected]
path=C:\Documents and Settings\Ed\Start Menu\Programs\Startup\.protected
backup=C:\WINDOWS\pss\.protectedStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^Ed^Start Menu^Programs^Startup^HotSync Manager.lnk]
path=C:\Documents and Settings\Ed\Start Menu\Programs\Startup\HotSync Manager.lnk
backup=C:\WINDOWS\pss\HotSync Manager.lnkStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^Ed^Start Menu^Programs^Startup^Photobot.lnk]
path=C:\Documents and Settings\Ed\Start Menu\Programs\Startup\Photobot.lnk
backup=C:\WINDOWS\pss\Photobot.lnkStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"UPS"=3 (0x3)
"Symantec Core LC"=3 (0x3)
"sp_rssrv"=2 (0x2)
"LiveUpdate Notice Service"=2 (0x2)
"LiveUpdate Notice Ex"=2 (0x2)
"LiveUpdate"=3 (0x3)
"iPodService"=3 (0x3)
"IDriverT"=3 (0x3)
"comHost"=3 (0x3)
"CLTNetCnService"=2 (0x2)
"ccSetMgr"=2 (0x2)
"ccEvtMgr"=2 (0x2)
"CCALib8"=2 (0x2)
"Ati HotKey Poller"=2 (0x2)
"aspnet_state"=3 (0x3)
"aawservice"=2 (0x2)
"a2free"=2 (0x2)
"WANMiniportService"=2 (0x2)
"RasMan"=3 (0x3)
"ImapiService"=3 (0x3)
"Automatic LiveUpdate Scheduler"=2 (0x2)

S1 sp_rsdrv2;Spyware Terminator Driver 2;C:\WINDOWS\System32\drivers\sp_rsdrv2.sys [2007-12-29 01:55]
S2 init_3b0c-6b44;init_3b0c-6b44;C:\WINDOWS\System32\init_3b0c-6b44.sys []
S3 EraserUtilDrv10621;EraserUtilDrv10621;C:\Program Files\Common Files\Symantec Shared\EENGINE\EraserUtilDrv10621.sys []
S3 GoToAssist;GoToAssist;"C:\Program Files\Citrix\GoToAssist\480\g2aservice.exe" Start=service []
S3 NAL;Nal Service ;C:\WINDOWS\system32\Drivers\iqvw32.sys []
S3 O2SCBUS;O2Micro SmartCardBus Reader;C:\WINDOWS\system32\DRIVERS\ozscr.sys [2002-11-08 14:13]

.
Contents of the 'Scheduled Tasks' folder
"2007-12-30 00:06:26 C:\WINDOWS\Tasks\Uniblue SpyEraser Nag.job"
- C:\Program Files\Uniblue\SpyEraser\SpyEraser.exe
"2007-12-29 20:49:02 C:\WINDOWS\Tasks\Uniblue SpyEraser.job"
- C:\Program Files\Uniblue\SpyEraser\SpyEraser.exe
.
**************************************************************************

catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-01-05 01:40:23
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2008-01-05 1:41:06
ComboFix-quarantined-files.txt 2008-01-05 06:40:40
ComboFix2.txt 2008-01-04 21:17:35
.
2008-01-05 00:41:53 --- E O F ---

And now a HijackThis log. This one is in Safe Mode; I can get a normal one once we get back into normal Windows.


Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 1:51:13 AM, on 1/5/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Safe mode with network support

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\ZCfgSvc.exe
C:\WINDOWS\explorer.exe
C:\Program Files\internet explorer\iexplore.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O4 - HKLM\..\Run: [SpywareTerminator] "C:\Program Files\Spyware Terminator\SpywareTerminatorShield.exe"
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKLM\..\Run: [ZCfgSvc.exe] C:\WINDOWS\system32\ZCfgSvc.exe
O4 - HKLM\..\Run: [PRONoMgr.exe] C:\Program Files\Intel\NCS\PROSet\PRONoMgr.exe
O4 - HKCU\..\Run: [FreeRAM XP] "C:\Program Files\YourWare Solutions\FreeRAM XP Pro\FreeRAM XP Pro.exe" -win
O4 - HKUS\S-1-5-18\..\RunOnce: [tscuninstall] %systemroot%\system32\tscupgrd.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\RunOnce: [tscuninstall] %systemroot%\system32\tscupgrd.exe (User 'Default user')
O8 - Extra context menu item: &AIM Search - res://C:\Program Files\AIM Toolbar\AIMBar.dll/aimsearch.htm
O8 - Extra context menu item: &Viewpoint Search - res://C:\Program Files\Viewpoint\Viewpoint Toolbar\ViewBar.dll/CXTSEARCH.HTML
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll
O16 - DPF: {0742B9EF-8C83-41CA-BFBA-830A59E23533} (Microsoft Data Collection Control) - https://support.microsoft.com/OAS/ActiveX/MSDcode.cab
O16 - DPF: {5F8469B4-B055-49DD-83F7-62B522420ECC} (Facebook Photo Uploader Control) - http://upload.facebook.com/controls/FacebookPhotoUploader.cab
O16 - DPF: {E008A543-CEFB-4559-912F-C27C2B89F13B} (Domino Web Access 7 Control) - http://body1.spfldcol.edu/dwa7W.cab
O20 - Winlogon Notify: GoToAssist - C:\Program Files\Citrix\GoToAssist\480\G2AWinLogon.dll
O23 - Service: Application Layer Gateway Service (ALG) - Unknown owner - C:\WINDOWS\System32\alg.exe (file missing)
O23 - Service: AVG Anti-Spyware Guard - Unknown owner - C:\WINDOWS\TEMP\157967.exe (file missing)
O23 - Service: Indexing Service (CiSvc) - Unknown owner - C:\WINDOWS\system32\cisvc.exe (file missing)
O23 - Service: COMSysApp - Unknown owner - C:\WINDOWS\TEMP\158557.exe (file missing)
O23 - Service: dmserver - Unknown owner - C:\WINDOWS\TEMP\137738.exe (file missing)
O23 - Service: GoToAssist - Citrix Online, a division of Citrix Systems, Inc. - C:\Program Files\Citrix\GoToAssist\480\g2aservice.exe
O23 - Service: HTTPFilter - Unknown owner - C:\WINDOWS\TEMP\183173.exe (file missing)
O23 - Service: lanmanserver - Unknown owner - C:\WINDOWS\TEMP\130377.exe (file missing)
O23 - Service: Distributed Transaction Coordinator (MSDTC) - Unknown owner - C:\WINDOWS\System32\msdtc.exe (file missing)
O23 - Service: Intel NCS NetService (NetSvc) - Intel(R) Corporation - C:\Program Files\Intel\NCS\Sync\NetSvc.exe
O23 - Service: RDSessMgr - Unknown owner - C:\WINDOWS\system32\sessmgr.exe (file missing)
O23 - Service: RegSrvc - Intel Corporation - C:\WINDOWS\system32\RegSrvc.exe
O23 - Service: Remote Procedure Call (RPC) Locator (RpcLocator) - Unknown owner - C:\WINDOWS\system32\locator.exe (file missing)
O23 - Service: RSVP - Unknown owner - C:\WINDOWS\system32\rsvp.exe (file missing)
O23 - Service: S24EventMonitor - Intel Corporation - C:\WINDOWS\system32\S24EvMon.exe
O23 - Service: Smart Card Helper (SCardDrv) - Unknown owner - C:\WINDOWS\System32\SCardSvr.exe (file missing)
O23 - Service: Smart Card (SCardSvr) - Unknown owner - C:\WINDOWS\System32\SCardSvr.exe (file missing)
O23 - Service: Spooler - Unknown owner - C:\WINDOWS\system32\spoolsv.exe (file missing)
O23 - Service: sp_rssrv - Crawler.com - C:\Program Files\Spyware Terminator\sp_rsser.exe
O23 - Service: Uninterruptible Power Supply (UPS) - Unknown owner - C:\WINDOWS\System32\ups.exe (file missing)
O23 - Service: VSS - Unknown owner - C:\WINDOWS\System32\vssvc.exe (file missing)
O23 - Service: WmiApSrv - Unknown owner - C:\WINDOWS\system32\wbem\wmiapsrv.exe (file missing)

--
End of file - 5633 bytes


OK, well, I tried System Restore; it only let me take it back a day, and that still wouldn't let me boot up in normal mode. So I thought it may have had something to do with updating the wireless card's drivers, so I rolled them back, and now I'm in normal mode, so I'll get you a new HijackThis log.


Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 1:55:57 PM, on 1/5/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\S24EvMon.exe
C:\WINDOWS\system32\ZCfgSvc.exe
C:\WINDOWS\system32\1XConfig.exe
C:\WINDOWS\system32\RegSrvc.exe
C:\Program Files\Spyware Terminator\sp_rsser.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Spyware Terminator\SpywareTerminatorShield.exe
C:\Program Files\Intel\NCS\PROSet\PRONoMgr.exe
C:\Program Files\YourWare Solutions\FreeRAM XP Pro\FreeRAM XP Pro.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\internet explorer\iexplore.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O4 - HKLM\..\Run: [SpywareTerminator] "C:\Program Files\Spyware Terminator\SpywareTerminatorShield.exe"
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKLM\..\Run: [ccApp] C:\Program Files\Common Files\Symantec Shared\ccApp.exe
O4 - HKLM\..\Run: [ZCfgSvc.exe] C:\WINDOWS\system32\ZCfgSvc.exe
O4 - HKLM\..\Run: [PRONoMgr.exe] C:\Program Files\Intel\NCS\PROSet\PRONoMgr.exe
O4 - HKCU\..\Run: [FreeRAM XP] "C:\Program Files\YourWare Solutions\FreeRAM XP Pro\FreeRAM XP Pro.exe" -win
O4 - HKUS\S-1-5-18\..\RunOnce: [tscuninstall] %systemroot%\system32\tscupgrd.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\RunOnce: [tscuninstall] %systemroot%\system32\tscupgrd.exe (User 'Default user')
O8 - Extra context menu item: &AIM Search - res://C:\Program Files\AIM Toolbar\AIMBar.dll/aimsearch.htm
O8 - Extra context menu item: &Viewpoint Search - res://C:\Program Files\Viewpoint\Viewpoint Toolbar\ViewBar.dll/CXTSEARCH.HTML
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll
O16 - DPF: {0742B9EF-8C83-41CA-BFBA-830A59E23533} (Microsoft Data Collection Control) - https://support.microsoft.com/OAS/ActiveX/MSDcode.cab
O16 - DPF: {5F8469B4-B055-49DD-83F7-62B522420ECC} (Facebook Photo Uploader Control) - http://upload.facebook.com/controls/FacebookPhotoUploader.cab
O16 - DPF: {E008A543-CEFB-4559-912F-C27C2B89F13B} (Domino Web Access 7 Control) - http://body1.spfldcol.edu/dwa7W.cab
O20 - Winlogon Notify: GoToAssist - C:\Program Files\Citrix\GoToAssist\480\G2AWinLogon.dll
O23 - Service: Application Layer Gateway Service (ALG) - Unknown owner - C:\WINDOWS\System32\alg.exe (file missing)
O23 - Service: AVG Anti-Spyware Guard - Unknown owner - C:\WINDOWS\TEMP\157967.exe (file missing)
O23 - Service: Indexing Service (CiSvc) - Unknown owner - C:\WINDOWS\system32\cisvc.exe (file missing)
O23 - Service: COMSysApp - Unknown owner - C:\WINDOWS\TEMP\158557.exe (file missing)
O23 - Service: dmserver - Unknown owner - C:\WINDOWS\TEMP\137738.exe (file missing)
O23 - Service: GoToAssist - Citrix Online, a division of Citrix Systems, Inc. - C:\Program Files\Citrix\GoToAssist\480\g2aservice.exe
O23 - Service: HTTPFilter - Unknown owner - C:\WINDOWS\TEMP\183173.exe (file missing)
O23 - Service: lanmanserver - Unknown owner - C:\WINDOWS\TEMP\130377.exe (file missing)
O23 - Service: Distributed Transaction Coordinator (MSDTC) - Unknown owner - C:\WINDOWS\System32\msdtc.exe (file missing)
O23 - Service: Intel NCS NetService (NetSvc) - Intel(R) Corporation - C:\Program Files\Intel\NCS\Sync\NetSvc.exe
O23 - Service: RDSessMgr - Unknown owner - C:\WINDOWS\system32\sessmgr.exe (file missing)
O23 - Service: RegSrvc - Intel Corporation - C:\WINDOWS\system32\RegSrvc.exe
O23 - Service: Remote Procedure Call (RPC) Locator (RpcLocator) - Unknown owner - C:\WINDOWS\system32\locator.exe (file missing)
O23 - Service: RSVP - Unknown owner - C:\WINDOWS\system32\rsvp.exe (file missing)
O23 - Service: S24EventMonitor - Intel Corporation - C:\WINDOWS\system32\S24EvMon.exe
O23 - Service: Smart Card Helper (SCardDrv) - Unknown owner - C:\WINDOWS\System32\SCardSvr.exe (file missing)
O23 - Service: Smart Card (SCardSvr) - Unknown owner - C:\WINDOWS\System32\SCardSvr.exe (file missing)
O23 - Service: Spooler - Unknown owner - C:\WINDOWS\system32\spoolsv.exe (file missing)
O23 - Service: sp_rssrv - Crawler.com - C:\Program Files\Spyware Terminator\sp_rsser.exe
O23 - Service: Uninterruptible Power Supply (UPS) - Unknown owner - C:\WINDOWS\System32\ups.exe (file missing)
O23 - Service: VSS - Unknown owner - C:\WINDOWS\System32\vssvc.exe (file missing)
O23 - Service: WmiApSrv - Unknown owner - C:\WINDOWS\system32\wbem\wmiapsrv.exe (file missing)

--
End of file - 6126 bytes


Viruses, malware, worms... Here is something that EMCO Malware Destroyer is picking up, which, if I remember, we should have had deleted already.

Quarantine EDWARD NMC.DOWNLOADER.HARNIG TROJAN

Quarantine EDWARD NMC.DOWNLOADER.LUNII TROJAN

Quarantine EDWARD NMC.HARNIG WORM


Detailed Info

[EXISTS_REGKEYVALUE_HKLM]=\SOFTWARE\Microsoft\Windows\CurrentVersion\Run[VALUE]=Wintime
[EXISTS_REGKEY_HKCR]=\CLSID\{0A323FA1-38DE-44EC-B2FA-4002183C143E}
[EXISTS_FILE]=%winsys%\wintime.exe
[EXISTS_FILE]=%winsys%\secure32.txt
[EXISTS_FILE]=%win%\seksdialer.exe


Don't know if this helps, but I'll say the files are NOT being deleted.

[HKLM_KEY_VALUE]=\SOFTWARE\Microsoft\Windows\CurrentVersion\Run[VALUE]=Wintime
[HKCR_KEY]=\CLSID\{0A323FA1-38DE-44EC-B2FA-4002183C143E}
[HKLM_KEY_VALUE]=\SOFTWARE\Microsoft\Windows\CurrentVersion[VALUE]=ShellServiceObjectDelayLoadSystem
[FILE_DEL]=%winsys%\secure32.txt
[FILE_DEL]=%win%\system.exe
[FILE_DEL]=%winsys%\system32.dll
[FILE_DEL]=%win%\desktop.exe
[FILE_DEL]=%win%\toolbar.exe
[FILE_DEL]=%win%\mstasks1.exe
[FILE_DEL]=%win%\mstasks2.exe
[FILE_DEL]=%win%\seksdialer.exe
[FILE_DEL]=%winsys%\wintime.exe
[FILE_DEL]=%winsys%\dkdial.exe
[FILE_DEL]=%winsys%\dial32.exe
[FILE_DEL]=%win%\Web\desktop.html


See if you can track down the files and manually delete them. I see some there that were definitely deleted by ComboFix.
I know nothing about the EMCO program you have and, as such, do not know if it is giving any false positives.


EMCO was advertised on download.com when I had nowhere else to turn, so I picked a few up, and EMCO turned out pretty well. Let me put a screenshot up so you can see the files I wish to get rid of before I give his laptop back. Just tell me if it'd be safe to get rid of some of these, and I presume if I'm deleting the files I'd do it in Safe Mode?


Safe Mode removal would be best. Renaming them first might be a good idea, then run the PC for a while, checking that all is well.

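The rename-first advice above, applied to the EMCO list posted earlier, as an added example that is not part of any post in this thread and not EMCO's own code. The script reads lines in the `[FILE_DEL]=%winsys%\...` format EMCO printed, expands `%win%` and `%winsys%` against a Windows directory you supply, renames each file that actually exists to `<name>.quarantined` and writes a JSON manifest so the renames can be reverted if something legitimate stops working. The placeholder expansion, the suffix and the manifest are this example's own conventions; the sample list is constructed from the paths quoted above; registry items are only reported, since they need regedit or reg.exe.

```python
r"""Rename-based quarantine for a list of suspect files, with a manifest for rollback.

Added example for this thread; not part of any post and not EMCO's code.
Input lines follow the format EMCO printed above ([FILE_DEL]=%winsys%\wintime.exe);
the %win% / %winsys% expansion, the ".quarantined" suffix and the JSON manifest
are this example's own conventions.
"""
import json
import os
import re
from pathlib import Path

LINE_RE = re.compile(r"^\[(?P<kind>[A-Z_]+)\]=(?P<target>.+)$")
SUFFIX = ".quarantined"

# Constructed sample in EMCO's format; the targets are the ones posted above.
SAMPLE_LIST = r"""
[HKLM_KEY_VALUE]=\SOFTWARE\Microsoft\Windows\CurrentVersion\Run[VALUE]=Wintime
[FILE_DEL]=%winsys%\secure32.txt
[FILE_DEL]=%win%\system.exe
[FILE_DEL]=%winsys%\wintime.exe
[FILE_DEL]=%win%\toolbar.exe
"""


def parse_detection_list(text):
    """Return (kind, target) pairs for every [KIND]=target line; ignore anything else."""
    entries = []
    for raw in text.splitlines():
        m = LINE_RE.match(raw.strip())
        if m:
            entries.append((m["kind"], m["target"]))
    return entries


def resolve_path(target, win_root):
    """Expand %win% (the Windows directory) and %winsys% (its system32) in a target."""
    win_root = Path(win_root)
    bases = {"%winsys%": win_root / "system32", "%win%": win_root}
    lowered = target.lower()
    for token, base in bases.items():
        if lowered.startswith(token):
            rest = target[len(token):].lstrip("\\/")
            return base.joinpath(*re.split(r"[\\/]", rest)) if rest else base
    return Path(target)


def quarantine_by_rename(text, win_root, manifest_path, dry_run=False):
    """Rename each listed file that exists to <name>.quarantined and record the map.

    Registry entries are returned under 'skipped' (they need regedit or reg.exe).
    Returns {'renamed': [...], 'absent': [...], 'skipped': [...]} as strings.
    """
    result = {"renamed": [], "absent": [], "skipped": []}
    manifest = {}
    for kind, target in parse_detection_list(text):
        if kind not in ("FILE_DEL", "EXISTS_FILE"):
            result["skipped"].append(f"{kind}={target}")
            continue
        path = resolve_path(target, win_root)
        if not path.is_file():
            result["absent"].append(str(path))
            continue
        new_path = path.with_name(path.name + SUFFIX)
        if not dry_run:
            path.rename(new_path)  # nothing destroyed; any autorun now points at a missing file
            manifest[str(path)] = str(new_path)
        result["renamed"].append(str(path))
    if manifest:
        Path(manifest_path).write_text(json.dumps(manifest, indent=2))
    return result


def restore_from_manifest(manifest_path):
    """Undo the renames recorded by quarantine_by_rename; return how many were put back."""
    manifest = json.loads(Path(manifest_path).read_text())
    restored = 0
    for original, renamed in manifest.items():
        if Path(renamed).is_file():
            Path(renamed).rename(original)
            restored += 1
    return restored


if __name__ == "__main__":
    # Dry run against the live Windows directory: shows what would be renamed, touches nothing.
    root = os.environ.get("SystemRoot", r"C:\WINDOWS")
    report = quarantine_by_rename(SAMPLE_LIST, root, "quarantine-manifest.json", dry_run=True)
    for key, items in report.items():
        print(f"{key}: {items}")
```

Run it from Safe Mode, as suggested above, so none of the targets is locked by a running process; the dry run in the `__main__` block only reports, and dropping `dry_run=True` performs the renames. A renamed `.quarantined` file no longer runs from a Run value or Startup shortcut that still references it, which is exactly the signal to watch for while "running the PC for a while": a complaint about a missing file tells you which autorun entry still needs cleaning.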

Looks like my scanners are done picking crap up :) Want a final HijackThis log before I get rid of it and some other things before I give it back?


Sure. Post another HijackThis log and also do the following:

Let's get rid of ComboFix now that we are finished with it.

  • Click START, then RUN.
  • Now type Combofix /u in the Run box and click OK. Note the space between the X and the U; it needs to be there.
  • When shown the disclaimer, select "2".

The above procedure will:

  • Delete the following:
    • ComboFix and its associated files and folders.
    • VundoFix backups, if present.
    • The C:\Deckard folder, if present.
    • The C:\_OtMoveIt folder, if present.
  • Reset the clock settings.
  • Hide file extensions, if required.
  • Hide System/Hidden files, if required.
  • Reset System Restore.

Yes, the main part of what they were picking up is now gone, and here is the HijackThis log. Just quickly go through it so I can get his laptop back today.


Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 7:57:37 AM, on 1/6/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16574)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\S24EvMon.exe
C:\WINDOWS\system32\ZCfgSvc.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\system32\1XConfig.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\Program Files\Spyware Terminator\SpywareTerminatorShield.exe
C:\Program Files\Intel\NCS\PROSet\PRONoMgr.exe
C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
C:\Program Files\YourWare Solutions\FreeRAM XP Pro\FreeRAM XP Pro.exe
C:\WINDOWS\system32\ctfmon.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe
C:\WINDOWS\system32\RegSrvc.exe
C:\Program Files\Spyware Terminator\sp_rsser.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O4 - HKLM\..\Run: [SpywareTerminator] "C:\Program Files\Spyware Terminator\SpywareTerminatorShield.exe"
O4 - HKLM\..\Run: [PRONoMgr.exe] C:\Program Files\Intel\NCS\PROSet\PRONoMgr.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKCU\..\Run: [FreeRAM XP] "C:\Program Files\YourWare Solutions\FreeRAM XP Pro\FreeRAM XP Pro.exe" -win
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\RunOnce: [tscuninstall] %systemroot%\system32\tscupgrd.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'Default user')
O4 - HKUS\.DEFAULT\..\RunOnce: [tscuninstall] %systemroot%\system32\tscupgrd.exe (User 'Default user')
O8 - Extra context menu item: &AIM Search - res://C:\Program Files\AIM Toolbar\AIMBar.dll/aimsearch.htm
O8 - Extra context menu item: &Viewpoint Search - res://C:\Program Files\Viewpoint\Viewpoint Toolbar\ViewBar.dll/CXTSEARCH.HTML
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll
O16 - DPF: {0742B9EF-8C83-41CA-BFBA-830A59E23533} (Microsoft Data Collection Control) - https://support.microsoft.com/OAS/ActiveX/MSDcode.cab
O16 - DPF: {5F8469B4-B055-49DD-83F7-62B522420ECC} (Facebook Photo Uploader Control) - http://upload.facebook.com/controls/FacebookPhotoUploader.cab
O16 - DPF: {E008A543-CEFB-4559-912F-C27C2B89F13B} (Domino Web Access 7 Control) - http://body1.spfldcol.edu/dwa7W.cab
O23 - Service: aawservice - Lavasoft AB - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: Application Layer Gateway Service (ALG) - Unknown owner - C:\WINDOWS\System32\alg.exe (file missing)
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
O23 - Service: Indexing Service (CiSvc) - Unknown owner - C:\WINDOWS\system32\cisvc.exe (file missing)
O23 - Service: COMSysApp - Unknown owner - C:\WINDOWS\TEMP\158557.exe (file missing)
O23 - Service: dmserver - Unknown owner - C:\WINDOWS\TEMP\137738.exe (file missing)
O23 - Service: HTTPFilter - Unknown owner - C:\WINDOWS\TEMP\183173.exe (file missing)
O23 - Service: lanmanserver - Unknown owner - C:\WINDOWS\TEMP\130377.exe (file missing)
O23 - Service: Distributed Transaction Coordinator (MSDTC) - Unknown owner - C:\WINDOWS\System32\msdtc.exe (file missing)
O23 - Service: Intel NCS NetService (NetSvc) - Intel(R) Corporation - C:\Program Files\Intel\NCS\Sync\NetSvc.exe
O23 - Service: RDSessMgr - Unknown owner - C:\WINDOWS\system32\sessmgr.exe (file missing)
O23 - Service: RegSrvc - Intel Corporation - C:\WINDOWS\system32\RegSrvc.exe
O23 - Service: Remote Procedure Call (RPC) Locator (RpcLocator) - Unknown owner - C:\WINDOWS\system32\locator.exe (file missing)
O23 - Service: RSVP - Unknown owner - C:\WINDOWS\system32\rsvp.exe (file missing)
O23 - Service: S24EventMonitor - Intel Corporation - C:\WINDOWS\system32\S24EvMon.exe
O23 - Service: Smart Card Helper (SCardDrv) - Unknown owner - C:\WINDOWS\System32\SCardSvr.exe (file missing)
O23 - Service: Smart Card (SCardSvr) - Unknown owner - C:\WINDOWS\System32\SCardSvr.exe (file missing)
O23 - Service: Spooler - Unknown owner - C:\WINDOWS\system32\spoolsv.exe (file missing)
O23 - Service: sp_rssrv - Crawler.com - C:\Program Files\Spyware Terminator\sp_rsser.exe
O23 - Service: Uninterruptible Power Supply (UPS) - Unknown owner - C:\WINDOWS\System32\ups.exe (file missing)
O23 - Service: VSS - Unknown owner - C:\WINDOWS\System32\vssvc.exe (file missing)
O23 - Service: WmiApSrv - Unknown owner - C:\WINDOWS\system32\wbem\wmiapsrv.exe (file missing)

--
End of file - 7654 bytes
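Four O23 lines in the log above (COMSysApp, dmserver, HTTPFilter, lanmanserver) still point at numbered executables under C:\WINDOWS\TEMP that HijackThis reports as missing: the service registrations outlived the files. The following Python script, an added example that is not part of any post in this thread and not HijackThis code, parses O23 lines and separates those entries from the ordinary "file missing" lines for system32 binaries such as alg.exe, which only need confirming rather than removing. The sample lines are copied from the final log above; the directory markers, the severity labels and the `sc qc` follow-up are this example's own heuristics and assume the Windows XP directory layout.

```python
r"""Triage the O23 (service) lines of a HijackThis log.

Added example for this thread; not part of any post and not HijackThis code.
SAMPLE_LOG is copied from the final log above; the directory markers and the
severity labels are this example's own heuristics (assumption: XP layout).
"""
import re
from collections import Counter, namedtuple

Service = namedtuple("Service", "name display owner path missing")

O23_RE = re.compile(
    r"^O23 - Service: (?P<display>.+?) - (?P<owner>.+?) - "
    r"(?P<path>.+?)(?P<missing> \(file missing\))?$"
)
# HijackThis prints "Display Name (ShortName)" when the two differ.
SHORT_NAME_RE = re.compile(r"^(?P<display>.*) \((?P<short>[^()]+)\)$")

# Compared after normalising backslashes to slashes; no service binary belongs here.
WRITABLE_DIR_MARKERS = ("/windows/temp/", "/temp/", "/tmp/",
                        "/documents and settings/", "/recycler/")

# Copied from the final HijackThis log in the thread.
SAMPLE_LOG = r"""
O23 - Service: aawservice - Lavasoft AB - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: Application Layer Gateway Service (ALG) - Unknown owner - C:\WINDOWS\System32\alg.exe (file missing)
O23 - Service: COMSysApp - Unknown owner - C:\WINDOWS\TEMP\158557.exe (file missing)
O23 - Service: dmserver - Unknown owner - C:\WINDOWS\TEMP\137738.exe (file missing)
O23 - Service: HTTPFilter - Unknown owner - C:\WINDOWS\TEMP\183173.exe (file missing)
O23 - Service: lanmanserver - Unknown owner - C:\WINDOWS\TEMP\130377.exe (file missing)
O23 - Service: Remote Procedure Call (RPC) Locator (RpcLocator) - Unknown owner - C:\WINDOWS\system32\locator.exe (file missing)
O23 - Service: RegSrvc - Intel Corporation - C:\WINDOWS\system32\RegSrvc.exe
"""


def parse_o23(line):
    """Return a Service for an O23 line, or None for any other kind of line."""
    m = O23_RE.match(line.strip())
    if not m:
        return None
    display = m["display"]
    sm = SHORT_NAME_RE.match(display)
    name = sm["short"] if sm else display
    return Service(name, display, m["owner"], m["path"], m["missing"] is not None)


def classify(svc):
    """Return (severity, reason) for one service, or None if nothing stands out."""
    normalised = svc.path.lower().replace("\\", "/")
    basename = normalised.rsplit("/", 1)[-1]
    if any(marker in normalised for marker in WRITABLE_DIR_MARKERS):
        reason = "image path points into a temp or user-writable directory"
        if re.fullmatch(r"\d+\.exe", basename):
            reason += "; file name is digits only"
        return ("high", reason)
    if svc.missing and svc.owner == "Unknown owner":
        return ("check", "image reported missing with no known owner; confirm the file is "
                         "really gone and compare the ImagePath with a known-good XP install")
    return None


def triage(log_text):
    """Scan every O23 line; return findings as (severity, short name, path, reason)."""
    findings = []
    for line in log_text.splitlines():
        svc = parse_o23(line)
        if svc is None:
            continue
        verdict = classify(svc)
        if verdict:
            findings.append((verdict[0], svc.name, svc.path, verdict[1]))
    return findings


def summary(findings):
    """Count findings per severity, e.g. {'high': 4, 'check': 2} for SAMPLE_LOG."""
    return dict(Counter(sev for sev, _n, _p, _r in findings))


def followup_commands(findings):
    """cmd.exe lines that print each flagged service's registered binary on the box itself."""
    return [f'sc qc "{name}"' for _s, name, _p, _r in findings]


if __name__ == "__main__":
    results = triage(SAMPLE_LOG)
    for sev, name, path, reason in results:
        print(f"[{sev}] {name}: {path} ({reason})")
    print("\n".join(followup_commands(results)))
```

The "high" entries carry well-known XP service names (lanmanserver, HTTPFilter, COMSysApp, dmserver) whose registered binary is a digits-only executable in C:\WINDOWS\TEMP, so the interesting question on the box is what `sc qc` shows as BINARY_PATH_NAME for each, not whether the TEMP file is still there. The "check" entries are only a prompt to verify with `dir` that a system32 binary is genuinely absent before doing anything about it.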


He picked his computer up today. I got him to order more RAM, so I'll be putting that in. Thanks to you I made $100, but I gave $20 to my brother, well, my sister, because he owed her. But you know, doing that or reformatting at a shop would have been way more than $100; he was at the point of trashing it when I offered to help.
