
This all started when I tried to install Kaspersky. During the installation, it told me to uninstall Symantec and AVG. A couple of reboots later, Kaspersky was installed. I then downloaded something I wanted that seemed fine (I even scanned it with Kaspersky) and then executed it. This caused winlogon.exe to have an error, which made the blue screen of death appear.

After I restarted my laptop, explorer.exe started closing and opening itself every couple of seconds. Right now, my laptop is extremely laggy and I'm getting this weird "gap lag" where my laptop freezes for a couple of milliseconds and then unfreezes (I've actually had this before, but I found the virus that was causing it and got rid of it). This time, I've run Avast, AVG, Spyware Doctor and VundoFix, but they haven't found anything that's worth mentioning.

HijackThis Logfile:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 01:11, on 2007-11-19
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.5450.0004)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\SYSTEM32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Acer\eManager\anbmServ.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Spyware Doctor\sdhelp.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\alg.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\WINDOWS\AGRSMMSG.exe
C:\Program Files\NETGEAR\WG511v2\wlancfg5.exe
C:\Program Files\FlashGet\FlashGet.exe
C:\WINDOWS\system32\dllhost.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\SYSTEM32\taskmgr.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
C:\WINDOWS\system32\wbem\wmiprvse.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\system32\imapi.exe

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.balwynhs.vic.edu.au;172.*;*.education.vic.gov.au;*.sofweb.vic.edu.au;*.vass.vic.edu.au;*.eduweb.vic.gov.au;*.edudev.vic.gov.au;*.edumail.vic.gov.au;*.otte.vic.gov.au;*.icon.edu.vic.gov.au;*.ultranet.vic.edu.au;*.vcaa.vic.edu.au;*.local
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
O3 - Toolbar: FlashGet - {E0E899AB-F487-11D5-8D29-0050BA6940E3} - C:\Program Files\FlashGet\fgiebar.dll
O3 - Toolbar: ImageShack Toolbar - {6932D140-ABC4-4073-A44C-D4A541665E35} - C:\WINDOWS\ImageShackToolbar\ImageShackToolbar.dll
O3 - Toolbar: Dictionary.com - {11359F4A-B191-42D7-905A-594F8CF0387B} - C:\WINDOWS\Downloaded Program Files\CONFLICT.1\lexbar.dll
O3 - Toolbar: Pop-Up Stopper &Companion - {8F05B1A8-9D77-4B8F-AF54-6B2202066F95} - C:\Program Files\Panicware\Pop-Up Stopper Companion\popupus.dll
O3 - Toolbar: Easy-WebPrint - {327C2873-E90D-4c37-AA9D-10AC9BABA46C} - C:\Program Files\Canon\Easy-WebPrint\Toolband.dll
O4 - HKLM\..\Run: [LaunchApp] Alaunch
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [IMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [MSPY2002] C:\WINDOWS\system32\IME\PINTLGNT\ImScInst.exe /SYNC
O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /SYNC
O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /IMEName
O4 - HKLM\..\Run: [eRecoveryService] C:\Windows\System32\Check.exe
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [EPM-DM] c:\acer\epm\epm-dm.exe
O4 - HKLM\..\Run: [ePowerManagement] C:\Acer\ePM\ePM.exe boot
O4 - HKLM\..\Run: [LManager] C:\Program Files\Launch Manager\QtZgAcer.EXE
O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [CmUsbSound] RunDll32 cmcnfgu.cpl,CMICtrlWnd
O4 - HKLM\..\Run: [ISUSPM Startup] c:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\isuspm.exe -startup
O4 - HKLM\..\Run: [SSBkgdUpdate] "C:\Program Files\Common Files\Scansoft Shared\SSBkgdUpdate\SSBkgdupdate.exe" -Embedding -boot
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\Alwil Software\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [MSConfig] C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O4 - HKCU\..\Run: [AdobeUpdater] C:\Program Files\Common Files\Adobe\Updater5\AdobeUpdater.exe
O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Startup: WordWeb.lnk = C:\Program Files\WordWeb\wweb32.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: NETGEAR Smart Wizard.lnk = ?
O8 - Extra context menu item: &Download All with FlashGet - C:\Program Files\FlashGet\jc_all.htm
O8 - Extra context menu item: &Download with FlashGet - C:\Program Files\FlashGet\jc_link.htm
O8 - Extra context menu item: &WordWeb... - res://C:\WINDOWS\wweb32.dll/lookup.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Easy-WebPrint Add To Print List - res://C:\Program Files\Canon\Easy-WebPrint\Toolband.dll/RC_AddToList.html
O8 - Extra context menu item: Easy-WebPrint High Speed Print - res://C:\Program Files\Canon\Easy-WebPrint\Toolband.dll/RC_HSPrint.html
O8 - Extra context menu item: Easy-WebPrint Preview - res://C:\Program Files\Canon\Easy-WebPrint\Toolband.dll/RC_Preview.html
O8 - Extra context menu item: Easy-WebPrint Print - res://C:\Program Files\Canon\Easy-WebPrint\Toolband.dll/RC_Print.html
O8 - Extra context menu item: Lookup on Merriam Webster - file://C:\Program Files\IESpell\Merriam Webster.HTM
O8 - Extra context menu item: Lookup on Wikipedia - file://C:\Program Files\IESpell\wikipedia.HTM
O8 - Extra context menu item: Post Image to Blog - res://C:\WINDOWS\ImageShackToolbar\ImageShackToolbar.dll/5003
O8 - Extra context menu item: Search &Dictionary - C:\Program files\Lexico\Toolbar\dictionary.htm
O8 - Extra context menu item: Search &Thesaurus - C:\Program files\Lexico\Toolbar\thesaurus.htm
O8 - Extra context menu item: Tag This Image - res://C:\WINDOWS\ImageShackToolbar\ImageShackToolbar.dll/5002
O8 - Extra context menu item: Upload All Images to ImageShack - res://C:\WINDOWS\ImageShackToolbar\ImageShackToolbar.dll/5000
O8 - Extra context menu item: Upload Image to ImageShack - res://C:\WINDOWS\ImageShackToolbar\ImageShackToolbar.dll/5001
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra button: Spyware Doctor - {2D663D1A-8670-49D9-A1A5-4C56B4E14E84} - C:\PROGRA~1\SPYWAR~2\tools\iesdpb.dll
O9 - Extra button: IE Developer Toolbar - {48FFE35F-36D9-44bd-A6CC-1D34414EAC0D} - C:\Program Files\Microsoft\Internet Explorer Developer Toolbar\IEDevToolbar.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Fiddler - {CF819DA3-9882-4944-ADF5-6EF17ECF3C6E} - "C:\Program Files\Fiddler\Fiddler.exe" (file missing)
O9 - Extra 'Tools' menuitem: Fiddler - {CF819DA3-9882-4944-ADF5-6EF17ECF3C6E} - "C:\Program Files\Fiddler\Fiddler.exe" (file missing)
O9 - Extra button: FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - C:\Program Files\FlashGet\FlashGet.exe
O9 - Extra 'Tools' menuitem: FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - C:\Program Files\FlashGet\FlashGet.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O15 - Trusted Zone: http://toolbar.imageshack.us
O16 - DPF: {5C051655-FCD5-4969-9182-770EA5AA5565} (Solitaire Showdown Class) - http://messenger.zone.msn.com/binary/SolitaireShowdown.cab56986.cab
O16 - DPF: {5D6F45B3-9043-443D-A792-115447494D24} (UnoCtrl Class) - http://messenger.zone.msn.com/EN-AU/a-UNO1/GAME_UNO1.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1189310573102
O16 - DPF: {6932D140-ABC4-4073-A44C-D4A541665E35} (ImageShack Toolbar) - http://toolbar.imageshack.us/toolbar/ImageShackToolbar.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1189310549718
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (MSN Games - Installer) - http://messenger.zone.msn.com/binary/ZIntro.cab56649.cab
O16 - DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsPAClient.cab56907.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
O16 - DPF: {F0E2D69A-DC2F-4E9B-A993-684FB1C21DBC} - http://dictionary.reference.com/tools/toolbar/lexico.cab
O16 - DPF: {F5A7706B-B9C0-4C89-A715-7A0C6B05DD48} (Minesweeper Flags Class) - http://messenger.zone.msn.com/binary/MineSweeper.cab56986.cab
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = balwynhs.vic.edu.au
O17 - HKLM\Software\..\Telephony: DomainName = balwynhs.vic.edu.au
O17 - HKLM\System\CCS\Services\Tcpip\..\{64E8F97B-0E16-4880-B1DC-B4BE5415C0CD}: Domain = vic.bigpond.net.au
O17 - HKLM\System\CCS\Services\Tcpip\..\{CE3C0847-A744-439C-AF04-145D3C4775F1}: Domain = vic.bigpond.net.au
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = balwynhs.vic.edu.au
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = balwynhs.vic.edu.au
O20 - AppInit_DLLs: "",wbsys.dll
O22 - SharedTaskScheduler: IE Component Categories cache daemon - {553858A7-4922-4e7e-B1C1-97140C1C16EF} - C:\WINDOWS\system32\ieframe.dll
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Notebook Manager Service (anbmService) - OSA Technologies Inc. - C:\Acer\eManager\anbmServ.exe
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: Macromedia Licensing Service - Unknown owner - C:\Program Files\Common Files\Macromedia Shared\Service\Macromedia Licensing.exe
O23 - Service: MySql - Unknown owner - c:/xampp/mysql/bin/mysqld-nt.exe (file missing)
O23 - Service: PC Tools Spyware Doctor (SDhelper) - PC Tools Research Pty Ltd - C:\Program Files\Spyware Doctor\sdhelp.exe

--
End of file - 12045 bytes



Ok lemme take a crack at this one. Bear with me, it's been a while since my last HJT log.

Ok, first run HJT and place a checkmark in the box next to the following.

O3 - Toolbar: FlashGet - {E0E899AB-F487-11D5-8D29-0050BA6940E3} - C:\Program Files\FlashGet\fgiebar.dll
O8 - Extra context menu item: &Download All with FlashGet - C:\Program Files\FlashGet\jc_all.htm
O8 - Extra context menu item: &Download with FlashGet - C:\Program Files\FlashGet\jc_link.htm
O9 - Extra button: FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - C:\Program Files\FlashGet\FlashGet.exe
O9 - Extra 'Tools' menuitem: FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - C:\Program Files\FlashGet\FlashGet.exe

Now close all other windows and hit fix checked.

Ok now open task manager (hit alt+ctrl+del at the same time) and end the process flashget.exe.

Now go to control panel>add/remove programs and look for flashget or anything similar and uninstall them.

Now open My Computer and navigate to C:\Program Files\ and delete the FlashGet folder.

Now scan with HJT again and post the new log here. Also tell me if you're still having problems.
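An added example, not from this thread or from the HijackThis project: a small Python parser for the HijackThis log format quoted above. It groups entries by their section code (R0, O4, O20 and so on) and flags the kinds of lines a reviewer checks first: dangling references marked "(no file)" or "(file missing)", the sections that load code system-wide or alter name resolution, and autorun targets given without a full path. The sample lines are copied from the logs in this thread; the flagging rules are an assumption of this example, not anything HijackThis itself does.

```python
"""Parse HijackThis v2 log entries and flag the ones a reviewer looks at first."""
import re
from dataclasses import dataclass

# Constructed sample: a handful of entries in the format the thread's logs use.
SAMPLE_LOG = r"""
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O9 - Extra button: Fiddler - {CF819DA3-9882-4944-ADF5-6EF17ECF3C6E} - "C:\Program Files\Fiddler\Fiddler.exe" (file missing)
O15 - Trusted Zone: http://toolbar.imageshack.us
O20 - AppInit_DLLs: "",wbsys.dll
O23 - Service: MySql - Unknown owner - c:/xampp/mysql/bin/mysqld-nt.exe (file missing)
"""

# Every entry is "<section> - <body>", e.g. "O4 - HKLM\..\Run: [Name] target".
ENTRY_RE = re.compile(r"^(?P<section>[RO]\d+) - (?P<body>.+)$")

# What the section codes seen in this thread mean (HijackThis v2 conventions).
SECTION_NAMES = {
    "R0": "IE start/search page (changed value)", "R1": "IE setting (created value)",
    "R3": "IE URLSearchHook", "O3": "IE toolbar", "O4": "autorun (registry Run keys / Startup folders)",
    "O8": "IE context-menu item", "O9": "IE extra button / Tools menu item",
    "O15": "IE Trusted Zone site", "O16": "Downloaded Program Files (ActiveX)",
    "O17": "domain / DNS setting", "O20": "AppInit_DLLs / Winlogon Notify",
    "O22": "SharedTaskScheduler", "O23": "NT service",
}

# Entries ending with one of these markers point at a file that no longer exists.
ORPHAN_MARKERS = ("(no file)", "(file missing)")

# Sections that deserve a look whenever they appear, and the reason (assumed rules).
ALWAYS_REVIEW = {
    "O1": "hosts-file override: bypasses DNS for the listed name",
    "O15": "Trusted Zone entry: the site runs under relaxed IE security settings",
    "O17": "domain/DNS setting: can redirect name resolution for the whole machine",
    "O20": "AppInit_DLLs: the DLL is loaded into every process that loads user32.dll",
}


@dataclass(frozen=True)
class Entry:
    section: str
    body: str
    raw: str


@dataclass(frozen=True)
class Finding:
    severity: str  # "review" (needs a human decision) or "cleanup" (dead reference)
    reason: str
    entry: Entry


def section_name(code):
    return SECTION_NAMES.get(code, "unknown section")


def parse_entries(text):
    """Return the log's entries in order; headers, process lists and blanks are skipped."""
    entries = []
    for line in text.splitlines():
        m = ENTRY_RE.match(line.strip())
        if m:
            entries.append(Entry(m["section"], m["body"], line.rstrip()))
    return entries


def run_target(body):
    """Program started by an O4 Run entry: the token after '[Name]', honouring quotes."""
    m = re.search(r"\]\s*(.*)$", body)
    if not m:
        return None  # Startup-folder entries ("x.lnk = path") have no [Name] label
    target = m.group(1).strip()
    if target.startswith('"'):
        end = target.find('"', 1)
        return target[1:end] if end > 0 else target[1:]
    return target.split(" ", 1)[0]


def is_qualified(path):
    """True for a drive-letter or UNC path; False for a bare name found via the search path."""
    return bool(re.match(r"^([A-Za-z]:[\\/]|\\\\)", path))


def review(entries):
    findings = []
    for e in entries:
        if e.body.endswith(ORPHAN_MARKERS):
            findings.append(Finding("cleanup", "points at a file that no longer exists", e))
            continue
        if e.section in ALWAYS_REVIEW:
            findings.append(Finding("review", ALWAYS_REVIEW[e.section], e))
        elif e.section == "O4":
            target = run_target(e.body)
            if target and not is_qualified(target):
                findings.append(Finding(
                    "review", f"autorun target {target!r} has no full path; confirm which file runs", e))
    return findings


if __name__ == "__main__":
    for f in review(parse_entries(SAMPLE_LOG)):
        print(f"[{f.severity}] {f.entry.section} ({section_name(f.entry.section)}): {f.reason}")
        print(f"    {f.entry.raw}")
```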


After removing the Flashget stuff, it worked for about two minutes. Explorer.exe then started to open and close itself again.


Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 16:03, on 2007-11-19
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.5450.0004)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\SYSTEM32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Acer\eManager\anbmServ.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Spyware Doctor\sdhelp.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\alg.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\WINDOWS\AGRSMMSG.exe
C:\Program Files\NETGEAR\WG511v2\wlancfg5.exe
C:\WINDOWS\system32\dllhost.exe
C:\WINDOWS\SYSTEM32\taskmgr.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLLoginProxy.exe
C:\WINDOWS\system32\wbem\wmiprvse.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://intranet.balwynhs.vic.edu.au/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.balwynhs.vic.edu.au;172.*;*.education.vic.gov.au;*.sofweb.vic.edu.au;*.vass.vic.edu.au;*.eduweb.vic.gov.au;*.edudev.vic.gov.au;*.edumail.vic.gov.au;*.otte.vic.gov.au;*.icon.edu.vic.gov.au;*.ultranet.vic.edu.au;*.vcaa.vic.edu.au;*.local
O3 - Toolbar: ImageShack Toolbar - {6932D140-ABC4-4073-A44C-D4A541665E35} - C:\WINDOWS\ImageShackToolbar\ImageShackToolbar.dll
O3 - Toolbar: Dictionary.com - {11359F4A-B191-42D7-905A-594F8CF0387B} - C:\WINDOWS\Downloaded Program Files\CONFLICT.1\lexbar.dll
O3 - Toolbar: Pop-Up Stopper &Companion - {8F05B1A8-9D77-4B8F-AF54-6B2202066F95} - C:\Program Files\Panicware\Pop-Up Stopper Companion\popupus.dll
O3 - Toolbar: Easy-WebPrint - {327C2873-E90D-4c37-AA9D-10AC9BABA46C} - C:\Program Files\Canon\Easy-WebPrint\Toolband.dll
O4 - HKLM\..\Run: [LaunchApp] Alaunch
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [IMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [MSPY2002] C:\WINDOWS\system32\IME\PINTLGNT\ImScInst.exe /SYNC
O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /SYNC
O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /IMEName
O4 - HKLM\..\Run: [eRecoveryService] C:\Windows\System32\Check.exe
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [EPM-DM] c:\acer\epm\epm-dm.exe
O4 - HKLM\..\Run: [ePowerManagement] C:\Acer\ePM\ePM.exe boot
O4 - HKLM\..\Run: [LManager] C:\Program Files\Launch Manager\QtZgAcer.EXE
O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [CmUsbSound] RunDll32 cmcnfgu.cpl,CMICtrlWnd
O4 - HKLM\..\Run: [ISUSPM Startup] c:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\isuspm.exe -startup
O4 - HKLM\..\Run: [SSBkgdUpdate] "C:\Program Files\Common Files\Scansoft Shared\SSBkgdUpdate\SSBkgdupdate.exe" -Embedding -boot
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\Alwil Software\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [MSConfig] C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O4 - HKCU\..\Run: [AdobeUpdater] C:\Program Files\Common Files\Adobe\Updater5\AdobeUpdater.exe
O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Startup: WordWeb.lnk = C:\Program Files\WordWeb\wweb32.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: NETGEAR Smart Wizard.lnk = ?
O8 - Extra context menu item: &WordWeb... - res://C:\WINDOWS\wweb32.dll/lookup.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Easy-WebPrint Add To Print List - res://C:\Program Files\Canon\Easy-WebPrint\Toolband.dll/RC_AddToList.html
O8 - Extra context menu item: Easy-WebPrint High Speed Print - res://C:\Program Files\Canon\Easy-WebPrint\Toolband.dll/RC_HSPrint.html
O8 - Extra context menu item: Easy-WebPrint Preview - res://C:\Program Files\Canon\Easy-WebPrint\Toolband.dll/RC_Preview.html
O8 - Extra context menu item: Easy-WebPrint Print - res://C:\Program Files\Canon\Easy-WebPrint\Toolband.dll/RC_Print.html
O8 - Extra context menu item: Lookup on Merriam Webster - file://C:\Program Files\IESpell\Merriam Webster.HTM
O8 - Extra context menu item: Lookup on Wikipedia - file://C:\Program Files\IESpell\wikipedia.HTM
O8 - Extra context menu item: Post Image to Blog - res://C:\WINDOWS\ImageShackToolbar\ImageShackToolbar.dll/5003
O8 - Extra context menu item: Search &Dictionary - C:\Program files\Lexico\Toolbar\dictionary.htm
O8 - Extra context menu item: Search &Thesaurus - C:\Program files\Lexico\Toolbar\thesaurus.htm
O8 - Extra context menu item: Tag This Image - res://C:\WINDOWS\ImageShackToolbar\ImageShackToolbar.dll/5002
O8 - Extra context menu item: Upload All Images to ImageShack - res://C:\WINDOWS\ImageShackToolbar\ImageShackToolbar.dll/5000
O8 - Extra context menu item: Upload Image to ImageShack - res://C:\WINDOWS\ImageShackToolbar\ImageShackToolbar.dll/5001
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra button: Spyware Doctor - {2D663D1A-8670-49D9-A1A5-4C56B4E14E84} - C:\PROGRA~1\SPYWAR~2\tools\iesdpb.dll
O9 - Extra button: IE Developer Toolbar - {48FFE35F-36D9-44bd-A6CC-1D34414EAC0D} - C:\Program Files\Microsoft\Internet Explorer Developer Toolbar\IEDevToolbar.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O15 - Trusted Zone: http://toolbar.imageshack.us
O16 - DPF: {5C051655-FCD5-4969-9182-770EA5AA5565} (Solitaire Showdown Class) - http://messenger.zone.msn.com/binary/SolitaireShowdown.cab56986.cab
O16 - DPF: {5D6F45B3-9043-443D-A792-115447494D24} (UnoCtrl Class) - http://messenger.zone.msn.com/EN-AU/a-UNO1/GAME_UNO1.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1189310573102
O16 - DPF: {6932D140-ABC4-4073-A44C-D4A541665E35} (ImageShack Toolbar) - http://toolbar.imageshack.us/toolbar/ImageShackToolbar.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1189310549718
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (MSN Games - Installer) - http://messenger.zone.msn.com/binary/ZIntro.cab56649.cab
O16 - DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsPAClient.cab56907.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
O16 - DPF: {F0E2D69A-DC2F-4E9B-A993-684FB1C21DBC} - http://dictionary.reference.com/tools/toolbar/lexico.cab
O16 - DPF: {F5A7706B-B9C0-4C89-A715-7A0C6B05DD48} (Minesweeper Flags Class) - http://messenger.zone.msn.com/binary/MineSweeper.cab56986.cab
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = balwynhs.vic.edu.au
O17 - HKLM\Software\..\Telephony: DomainName = balwynhs.vic.edu.au
O17 - HKLM\System\CCS\Services\Tcpip\..\{64E8F97B-0E16-4880-B1DC-B4BE5415C0CD}: Domain = vic.bigpond.net.au
O17 - HKLM\System\CCS\Services\Tcpip\..\{CE3C0847-A744-439C-AF04-145D3C4775F1}: Domain = vic.bigpond.net.au
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = balwynhs.vic.edu.au
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = balwynhs.vic.edu.au
O20 - AppInit_DLLs: "",wbsys.dll
O22 - SharedTaskScheduler: IE Component Categories cache daemon - {553858A7-4922-4e7e-B1C1-97140C1C16EF} - C:\WINDOWS\system32\ieframe.dll
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Notebook Manager Service (anbmService) - OSA Technologies Inc. - C:\Acer\eManager\anbmServ.exe
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: Macromedia Licensing Service - Unknown owner - C:\Program Files\Common Files\Macromedia Shared\Service\Macromedia Licensing.exe
O23 - Service: PC Tools Spyware Doctor (SDhelper) - PC Tools Research Pty Ltd - C:\Program Files\Spyware Doctor\sdhelp.exe

--
End of file - 11163 bytes


I would love to have you download ComboFix and use that to give me a more in-depth scan to work with, but unfortunately it's not working right now, so let's do something a little bold and just have you run some programs for what you might have.

First, Please download VundoFix.exe to your desktop.

* Double-click VundoFix.exe to run it.
* Put a check next to Run VundoFix as a task.
* You will receive a message saying vundofix will close and re-open in a minute or less. Click OK
* When VundoFix re-opens, click the Scan for Vundo button.
* Once it's done scanning, click the Remove Vundo button.
* You will receive a prompt asking if you want to remove the files, click YES
* Once you click yes, your desktop will go blank as it starts removing Vundo.
* When completed, it will prompt that it will shutdown your computer, click OK.
* Turn your computer back on.
* Please post the contents of C:\vundofix.txt


And the code if you want it.

Second, Download SmitfraudFix (by S!Ri)
- Extract the content (a folder named SmitfraudFix) to your Desktop.
- Run SmitfraudFix and when prompted select option 1. This should pop up a Notepad document at the end; save that and post it in your next post.

Finally, rename HJT to something random like hippo.exe and run another scan.

Post those three logs in your next post.


Because I'd viewed previous threads, I kinda already used VundoFix (which means the scan was clean). These were the results of the previous Vundo scan:

VundoFix Log.

VundoFix V6.6.2

Checking Java version...

Scan started at 8:38:58 PM 18/11/2007

Listing files found while scanning....

C:\windows\system32\awvuv.dll
C:\windows\system32\ddayx.dll
C:\windows\system32\ddcaw.dll
C:\windows\system32\dgjlm.ini
C:\windows\system32\dgjlm.ini2
C:\windows\system32\fccby.dll
C:\windows\system32\iknmp.ini
C:\windows\system32\mljgd.dll
C:\windows\system32\opppp.dll
C:\windows\system32\pmnki.dll
C:\windows\system32\ppppo.ini
C:\windows\system32\ppppo.ini2
C:\windows\system32\vuvwa.ini
C:\windows\system32\vuvwa.ini2
C:\windows\system32\wacdd.ini
C:\windows\system32\wacdd.ini2
C:\windows\system32\xyadd.ini
C:\windows\system32\xyadd.ini2
C:\windows\system32\ybccf.ini
C:\windows\system32\ybccf.ini2

Beginning removal...

Attempting to delete C:\windows\system32\awvuv.dll
C:\windows\system32\awvuv.dll Has been deleted!

Attempting to delete C:\windows\system32\ddayx.dll
C:\windows\system32\ddayx.dll Has been deleted!

Attempting to delete C:\windows\system32\ddcaw.dll
C:\windows\system32\ddcaw.dll Has been deleted!

Attempting to delete C:\windows\system32\dgjlm.ini
C:\windows\system32\dgjlm.ini Has been deleted!

Attempting to delete C:\windows\system32\dgjlm.ini2
C:\windows\system32\dgjlm.ini2 Has been deleted!

Attempting to delete C:\windows\system32\fccby.dll
C:\windows\system32\fccby.dll Has been deleted!

Attempting to delete C:\windows\system32\iknmp.ini
C:\windows\system32\iknmp.ini Has been deleted!

Attempting to delete C:\windows\system32\mljgd.dll
C:\windows\system32\mljgd.dll Has been deleted!

Attempting to delete C:\windows\system32\opppp.dll
C:\windows\system32\opppp.dll Has been deleted!

Attempting to delete C:\windows\system32\pmnki.dll
C:\windows\system32\pmnki.dll Has been deleted!

Attempting to delete C:\windows\system32\ppppo.ini
C:\windows\system32\ppppo.ini Has been deleted!

Attempting to delete C:\windows\system32\ppppo.ini2
C:\windows\system32\ppppo.ini2 Has been deleted!

Attempting to delete C:\windows\system32\vuvwa.ini
C:\windows\system32\vuvwa.ini Has been deleted!

Attempting to delete C:\windows\system32\vuvwa.ini2
C:\windows\system32\vuvwa.ini2 Has been deleted!

Attempting to delete C:\windows\system32\wacdd.ini
C:\windows\system32\wacdd.ini Has been deleted!

Attempting to delete C:\windows\system32\wacdd.ini2
C:\windows\system32\wacdd.ini2 Has been deleted!

Attempting to delete C:\windows\system32\xyadd.ini
C:\windows\system32\xyadd.ini Has been deleted!

Attempting to delete C:\windows\system32\xyadd.ini2
C:\windows\system32\xyadd.ini2 Has been deleted!

Attempting to delete C:\windows\system32\ybccf.ini
C:\windows\system32\ybccf.ini Has been deleted!

Attempting to delete C:\windows\system32\ybccf.ini2
C:\windows\system32\ybccf.ini2 Has been deleted!

Performing Repairs to the registry.
Done!

VundoFix V6.6.2

Checking Java version...

Scan started at 10:13:41 PM 18/11/2007

Listing files found while scanning....

No infected files were found.


VundoFix V6.6.2

Checking Java version...

Scan started at 3:48:50 PM 2007-11-20

Listing files found while scanning....

SmitFraudFix:

SmitFraudFix v2.253

Scan done at 16:05:26.32, 2007-11-20
Run from C:\Documents and Settings\dis0003\Desktop\SmitfraudFix
OS: Microsoft Windows XP [Version 5.1.2600] - Windows_NT
The filesystem type is NTFS
Fix run in normal mode

»»»»»»»»»»»»»»»»»»»»»»»» Process

C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Acer\eManager\anbmServ.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Spyware Doctor\sdhelp.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\alg.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\WINDOWS\AGRSMMSG.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\NETGEAR\WG511v2\wlancfg5.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\Program Files\MSN Messenger\usnsvc.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLLoginProxy.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\cmd.exe
C:\WINDOWS\system32\wbem\wmiprvse.exe

»»»»»»»»»»»»»»»»»»»»»»»» hosts

hosts file corrupted !

127.0.0.1 legal-at-spybot.info
127.0.0.1 www.legal-at-spybot.info

»»»»»»»»»»»»»»»»»»»»»»»» C:\


»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS


»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\system


»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\Web


»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\system32


»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\system32\LogFiles


»»»»»»»»»»»»»»»»»»»»»»»» C:\Documents and Settings\dis0003


»»»»»»»»»»»»»»»»»»»»»»»» C:\Documents and Settings\dis0003\Application Data


»»»»»»»»»»»»»»»»»»»»»»»» Start Menu


»»»»»»»»»»»»»»»»»»»»»»»» C:\DOCUME~1\dis0003\Favorites


»»»»»»»»»»»»»»»»»»»»»»»» Desktop


»»»»»»»»»»»»»»»»»»»»»»»» C:\Program Files


»»»»»»»»»»»»»»»»»»»»»»»» Corrupted keys


»»»»»»»»»»»»»»»»»»»»»»»» Desktop Components

»»»»»»»»»»»»»»»»»»»»»»»» Sharedtaskscheduler
!!!Attention, following keys are not inevitably infected!!!

SrchSTS.exe by S!Ri
Search SharedTaskScheduler's .dll


»»»»»»»»»»»»»»»»»»»»»»»» AppInit_DLLs
!!!Attention, following keys are not inevitably infected!!!

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
"AppInit_DLLs"="\"\",wbsys.dll"


»»»»»»»»»»»»»»»»»»»»»»»» Winlogon.System
!!!Attention, following keys are not inevitably infected!!!

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"System"=""


»»»»»»»»»»»»»»»»»»»»»»»» Rustock

»»»»»»»»»»»»»»»»»»»»»»»» DNS

Description: NETGEAR WG511v2 54 Mbps Wireless PC Card - Packet Scheduler Miniport
DNS Server Search Order: 10.0.0.138
DNS Server Search Order: 10.0.0.138

HKLM\SYSTEM\CCS\Services\Tcpip\..\{CE3C0847-A744-439C-AF04-145D3C4775F1}: DhcpNameServer=10.0.0.138 10.0.0.138
HKLM\SYSTEM\CS1\Services\Tcpip\..\{CE3C0847-A744-439C-AF04-145D3C4775F1}: DhcpNameServer=10.0.0.138 10.0.0.138


»»»»»»»»»»»»»»»»»»»»»»»» Scanning for wininet.dll infection


»»»»»»»»»»»»»»»»»»»»»»»» End


Hijackthis Report:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 4:07, on 2007-11-20
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.5450.0004)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Acer\eManager\anbmServ.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Spyware Doctor\sdhelp.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\alg.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\WINDOWS\AGRSMMSG.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\NETGEAR\WG511v2\wlancfg5.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\Program Files\MSN Messenger\usnsvc.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLLoginProxy.exe
C:\WINDOWS\system32\wbem\wmiprvse.exe
C:\WINDOWS\system32\wbem\wmiprvse.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://intranet.balwynhs.vic.edu.au/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.balwynhs.vic.edu.au;172.*;*.education.vic.gov.au;*.sofweb.vic.edu.au;*.vass.vic.edu.au;*.eduweb.vic.gov.au;*.edudev.vic.gov.au;*.edumail.vic.gov.au;*.otte.vic.gov.au;*.icon.edu.vic.gov.au;*.ultranet.vic.edu.au;*.vcaa.vic.edu.au;*.local
O3 - Toolbar: ImageShack Toolbar - {6932D140-ABC4-4073-A44C-D4A541665E35} - C:\WINDOWS\ImageShackToolbar\ImageShackToolbar.dll
O3 - Toolbar: Dictionary.com - {11359F4A-B191-42D7-905A-594F8CF0387B} - C:\WINDOWS\Downloaded Program Files\CONFLICT.1\lexbar.dll
O3 - Toolbar: Pop-Up Stopper &Companion - {8F05B1A8-9D77-4B8F-AF54-6B2202066F95} - C:\Program Files\Panicware\Pop-Up Stopper Companion\popupus.dll
O3 - Toolbar: Easy-WebPrint - {327C2873-E90D-4c37-AA9D-10AC9BABA46C} - C:\Program Files\Canon\Easy-WebPrint\Toolband.dll
O4 - HKLM\..\Run: [LaunchApp] Alaunch
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [IMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [MSPY2002] C:\WINDOWS\system32\IME\PINTLGNT\ImScInst.exe /SYNC
O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /SYNC
O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /IMEName
O4 - HKLM\..\Run: [eRecoveryService] C:\Windows\System32\Check.exe
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [EPM-DM] c:\acer\epm\epm-dm.exe
O4 - HKLM\..\Run: [ePowerManagement] C:\Acer\ePM\ePM.exe boot
O4 - HKLM\..\Run: [LManager] C:\Program Files\Launch Manager\QtZgAcer.EXE
O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [CmUsbSound] RunDll32 cmcnfgu.cpl,CMICtrlWnd
O4 - HKLM\..\Run: [ISUSPM Startup] c:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\isuspm.exe -startup
O4 - HKLM\..\Run: [SSBkgdUpdate] "C:\Program Files\Common Files\Scansoft Shared\SSBkgdUpdate\SSBkgdupdate.exe" -Embedding -boot
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\Alwil Software\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [MSConfig] C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto
O4 - HKLM\..\RunOnce: [SpybotDeletingA6803] command /c del "C:\Program Files\SpywareBot\DataBase.ref"
O4 - HKLM\..\RunOnce: [SpybotDeletingC4467] cmd /c del "C:\Program Files\SpywareBot\DataBase.ref"
O4 - HKLM\..\RunOnce: [SpybotDeletingA5110] command /c del "C:\Program Files\Spywarebot\Launcher.exe"
O4 - HKLM\..\RunOnce: [SpybotDeletingC5727] cmd /c del "C:\Program Files\Spywarebot\Launcher.exe"
O4 - HKLM\..\RunOnce: [SpybotDeletingA8890] command /c del "C:\Program Files\SpywareBot\SpywareBot.exe"
O4 - HKLM\..\RunOnce: [SpybotDeletingC4007] cmd /c del "C:\Program Files\SpywareBot\SpywareBot.exe"
O4 - HKLM\..\RunOnce: [SpybotDeletingA8352] command /c del "C:\Documents and Settings\All Users\Start Menu\Programs\SpywareBot\Uninstall SpywareBot.lnk"
O4 - HKLM\..\RunOnce: [SpybotDeletingC4192] cmd /c del "C:\Documents and Settings\All Users\Start Menu\Programs\SpywareBot\Uninstall SpywareBot.lnk"
O4 - HKLM\..\RunOnce: [SpybotDeletingA5612] command /c del "C:\Documents and Settings\All Users\Start Menu\Programs\SpywareBot\SpywareBot on the Web.lnk"
O4 - HKLM\..\RunOnce: [SpybotDeletingC7566] cmd /c del "C:\Documents and Settings\All Users\Start Menu\Programs\SpywareBot\SpywareBot on the Web.lnk"
O4 - HKLM\..\RunOnce: [SpybotSnD] "C:\Program Files\Spybot - Search & Destroy\SpybotSD.exe" /autocheck
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O4 - HKCU\..\Run: [AdobeUpdater] C:\Program Files\Common Files\Adobe\Updater5\AdobeUpdater.exe
O4 - HKCU\..\RunOnce: [SpybotDeletingB8854] command /c del "C:\Program Files\SpywareBot\DataBase.ref"
O4 - HKCU\..\RunOnce: [SpybotDeletingD4786] cmd /c del "C:\Program Files\SpywareBot\DataBase.ref"
O4 - HKCU\..\RunOnce: [SpybotDeletingB3100] command /c del "C:\Program Files\Spywarebot\Launcher.exe"
O4 - HKCU\..\RunOnce: [SpybotDeletingD6116] cmd /c del "C:\Program Files\Spywarebot\Launcher.exe"
O4 - HKCU\..\RunOnce: [SpybotDeletingB4276] command /c del "C:\Program Files\SpywareBot\SpywareBot.exe"
O4 - HKCU\..\RunOnce: [SpybotDeletingD4551] cmd /c del "C:\Program Files\SpywareBot\SpywareBot.exe"
O4 - HKCU\..\RunOnce: [SpybotDeletingB6473] command /c del "C:\Documents and Settings\All Users\Start Menu\Programs\SpywareBot\Uninstall SpywareBot.lnk"
O4 - HKCU\..\RunOnce: [SpybotDeletingD7812] cmd /c del "C:\Documents and Settings\All Users\Start Menu\Programs\SpywareBot\Uninstall SpywareBot.lnk"
O4 - HKCU\..\RunOnce: [SpybotDeletingB6712] command /c del "C:\Documents and Settings\All Users\Start Menu\Programs\SpywareBot\SpywareBot on the Web.lnk"
O4 - HKCU\..\RunOnce: [SpybotDeletingD5577] cmd /c del "C:\Documents and Settings\All Users\Start Menu\Programs\SpywareBot\SpywareBot on the Web.lnk"
O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Startup: WordWeb.lnk = C:\Program Files\WordWeb\wweb32.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: NETGEAR Smart Wizard.lnk = ?
O8 - Extra context menu item: &WordWeb... - res://C:\WINDOWS\wweb32.dll/lookup.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Easy-WebPrint Add To Print List - res://C:\Program Files\Canon\Easy-WebPrint\Toolband.dll/RC_AddToList.html
O8 - Extra context menu item: Easy-WebPrint High Speed Print - res://C:\Program Files\Canon\Easy-WebPrint\Toolband.dll/RC_HSPrint.html
O8 - Extra context menu item: Easy-WebPrint Preview - res://C:\Program Files\Canon\Easy-WebPrint\Toolband.dll/RC_Preview.html
O8 - Extra context menu item: Easy-WebPrint Print - res://C:\Program Files\Canon\Easy-WebPrint\Toolband.dll/RC_Print.html
O8 - Extra context menu item: Lookup on Merriam Webster - file://C:\Program Files\IESpell\Merriam Webster.HTM
O8 - Extra context menu item: Lookup on Wikipedia - file://C:\Program Files\IESpell\wikipedia.HTM
O8 - Extra context menu item: Post Image to Blog - res://C:\WINDOWS\ImageShackToolbar\ImageShackToolbar.dll/5003
O8 - Extra context menu item: Search &Dictionary - C:\Program files\Lexico\Toolbar\dictionary.htm
O8 - Extra context menu item: Search &Thesaurus - C:\Program files\Lexico\Toolbar\thesaurus.htm
O8 - Extra context menu item: Tag This Image - res://C:\WINDOWS\ImageShackToolbar\ImageShackToolbar.dll/5002
O8 - Extra context menu item: Upload All Images to ImageShack - res://C:\WINDOWS\ImageShackToolbar\ImageShackToolbar.dll/5000
O8 - Extra context menu item: Upload Image to ImageShack - res://C:\WINDOWS\ImageShackToolbar\ImageShackToolbar.dll/5001
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O15 - Trusted Zone: http://toolbar.imageshack.us
O16 - DPF: {5C051655-FCD5-4969-9182-770EA5AA5565} (Solitaire Showdown Class) - http://messenger.zone.msn.com/binary/SolitaireShowdown.cab56986.cab
O16 - DPF: {5D6F45B3-9043-443D-A792-115447494D24} (UnoCtrl Class) - http://messenger.zone.msn.com/EN-AU/a-UNO1/GAME_UNO1.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1189310573102
O16 - DPF: {6932D140-ABC4-4073-A44C-D4A541665E35} (ImageShack Toolbar) - http://toolbar.imageshack.us/toolbar/ImageShackToolbar.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1189310549718
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (MSN Games - Installer) - http://messenger.zone.msn.com/binary/ZIntro.cab56649.cab
O16 - DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsPAClient.cab56907.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
O16 - DPF: {F0E2D69A-DC2F-4E9B-A993-684FB1C21DBC} - http://dictionary.reference.com/tools/toolbar/lexico.cab
O16 - DPF: {F5A7706B-B9C0-4C89-A715-7A0C6B05DD48} (Minesweeper Flags Class) - http://messenger.zone.msn.com/binary/MineSweeper.cab56986.cab
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = balwynhs.vic.edu.au
O17 - HKLM\Software\..\Telephony: DomainName = balwynhs.vic.edu.au
O17 - HKLM\System\CCS\Services\Tcpip\..\{64E8F97B-0E16-4880-B1DC-B4BE5415C0CD}: Domain = vic.bigpond.net.au
O17 - HKLM\System\CCS\Services\Tcpip\..\{CE3C0847-A744-439C-AF04-145D3C4775F1}: Domain = vic.bigpond.net.au
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = balwynhs.vic.edu.au
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = balwynhs.vic.edu.au
O20 - AppInit_DLLs: "",wbsys.dll
O22 - SharedTaskScheduler: IE Component Categories cache daemon - {553858A7-4922-4e7e-B1C1-97140C1C16EF} - C:\WINDOWS\system32\ieframe.dll
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Notebook Manager Service (anbmService) - OSA Technologies Inc. - C:\Acer\eManager\anbmServ.exe
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: Macromedia Licensing Service - Unknown owner - C:\Program Files\Common Files\Macromedia Shared\Service\Macromedia Licensing.exe
O23 - Service: PC Tools Spyware Doctor (SDhelper) - PC Tools Research Pty Ltd - C:\Program Files\Spyware Doctor\sdhelp.exe

--
End of file - 13316 bytes


Ok so somehow since your last log you've gotten infected with Adware.Win32.SpywareBot.

So here's what I'm gonna have you do. You might want to write down the following directions as the internet will be unavailable during safe mode.

Boot into safe mode by restarting your computer and tapping F8. Then use the arrow keys to select safe mode and hit enter.

Now, once in safe mode, delete the following folder.

C:\Program Files\SpywareBot

Reboot back to normal mode and run HJT again. Post the new log here. Also is explorer.exe still messed up after doing this?


I installed SpywareBot yesterday. I also uninstalled it yesterday after I found out it was bad. I even ran Spybot S&D afterwards just to make sure it was gone.

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 16:30, on 2007-11-20
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.5450.0004)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Acer\eManager\anbmServ.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Spyware Doctor\sdhelp.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\alg.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\WINDOWS\AGRSMMSG.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\NETGEAR\WG511v2\wlancfg5.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\Program Files\MSN Messenger\usnsvc.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\system32\wbem\wmiprvse.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://intranet.balwynhs.vic.edu.au/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.balwynhs.vic.edu.au;172.*;*.education.vic.gov.au;*.sofweb.vic.edu.au;*.vass.vic.edu.au;*.eduweb.vic.gov.au;*.edudev.vic.gov.au;*.edumail.vic.gov.au;*.otte.vic.gov.au;*.icon.edu.vic.gov.au;*.ultranet.vic.edu.au;*.vcaa.vic.edu.au;*.local
O3 - Toolbar: ImageShack Toolbar - {6932D140-ABC4-4073-A44C-D4A541665E35} - C:\WINDOWS\ImageShackToolbar\ImageShackToolbar.dll
O3 - Toolbar: Dictionary.com - {11359F4A-B191-42D7-905A-594F8CF0387B} - C:\WINDOWS\Downloaded Program Files\CONFLICT.1\lexbar.dll
O3 - Toolbar: Pop-Up Stopper &Companion - {8F05B1A8-9D77-4B8F-AF54-6B2202066F95} - C:\Program Files\Panicware\Pop-Up Stopper Companion\popupus.dll
O3 - Toolbar: Easy-WebPrint - {327C2873-E90D-4c37-AA9D-10AC9BABA46C} - C:\Program Files\Canon\Easy-WebPrint\Toolband.dll
O4 - HKLM\..\Run: [LaunchApp] Alaunch
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [IMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [MSPY2002] C:\WINDOWS\system32\IME\PINTLGNT\ImScInst.exe /SYNC
O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /SYNC
O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /IMEName
O4 - HKLM\..\Run: [eRecoveryService] C:\Windows\System32\Check.exe
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [EPM-DM] c:\acer\epm\epm-dm.exe
O4 - HKLM\..\Run: [ePowerManagement] C:\Acer\ePM\ePM.exe boot
O4 - HKLM\..\Run: [LManager] C:\Program Files\Launch Manager\QtZgAcer.EXE
O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [CmUsbSound] RunDll32 cmcnfgu.cpl,CMICtrlWnd
O4 - HKLM\..\Run: [ISUSPM Startup] c:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\isuspm.exe -startup
O4 - HKLM\..\Run: [SSBkgdUpdate] "C:\Program Files\Common Files\Scansoft Shared\SSBkgdUpdate\SSBkgdupdate.exe" -Embedding -boot
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\Alwil Software\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [MSConfig] C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto
O4 - HKLM\..\RunOnce: [SpybotDeletingA6803] command /c del "C:\Program Files\SpywareBot\DataBase.ref"
O4 - HKLM\..\RunOnce: [SpybotDeletingC4467] cmd /c del "C:\Program Files\SpywareBot\DataBase.ref"
O4 - HKLM\..\RunOnce: [SpybotDeletingA5110] command /c del "C:\Program Files\Spywarebot\Launcher.exe"
O4 - HKLM\..\RunOnce: [SpybotDeletingC5727] cmd /c del "C:\Program Files\Spywarebot\Launcher.exe"
O4 - HKLM\..\RunOnce: [SpybotDeletingA8890] command /c del "C:\Program Files\SpywareBot\SpywareBot.exe"
O4 - HKLM\..\RunOnce: [SpybotDeletingC4007] cmd /c del "C:\Program Files\SpywareBot\SpywareBot.exe"
O4 - HKLM\..\RunOnce: [SpybotDeletingA8352] command /c del "C:\Documents and Settings\All Users\Start Menu\Programs\SpywareBot\Uninstall SpywareBot.lnk"
O4 - HKLM\..\RunOnce: [SpybotDeletingC4192] cmd /c del "C:\Documents and Settings\All Users\Start Menu\Programs\SpywareBot\Uninstall SpywareBot.lnk"
O4 - HKLM\..\RunOnce: [SpybotDeletingA5612] command /c del "C:\Documents and Settings\All Users\Start Menu\Programs\SpywareBot\SpywareBot on the Web.lnk"
O4 - HKLM\..\RunOnce: [SpybotDeletingC7566] cmd /c del "C:\Documents and Settings\All Users\Start Menu\Programs\SpywareBot\SpywareBot on the Web.lnk"
O4 - HKLM\..\RunOnce: [SpybotSnD] "C:\Program Files\Spybot - Search & Destroy\SpybotSD.exe" /autocheck
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O4 - HKCU\..\Run: [AdobeUpdater] C:\Program Files\Common Files\Adobe\Updater5\AdobeUpdater.exe
O4 - HKCU\..\RunOnce: [SpybotDeletingB8854] command /c del "C:\Program Files\SpywareBot\DataBase.ref"
O4 - HKCU\..\RunOnce: [SpybotDeletingD4786] cmd /c del "C:\Program Files\SpywareBot\DataBase.ref"
O4 - HKCU\..\RunOnce: [SpybotDeletingB3100] command /c del "C:\Program Files\Spywarebot\Launcher.exe"
O4 - HKCU\..\RunOnce: [SpybotDeletingD6116] cmd /c del "C:\Program Files\Spywarebot\Launcher.exe"
O4 - HKCU\..\RunOnce: [SpybotDeletingB4276] command /c del "C:\Program Files\SpywareBot\SpywareBot.exe"
O4 - HKCU\..\RunOnce: [SpybotDeletingD4551] cmd /c del "C:\Program Files\SpywareBot\SpywareBot.exe"
O4 - HKCU\..\RunOnce: [SpybotDeletingB6473] command /c del "C:\Documents and Settings\All Users\Start Menu\Programs\SpywareBot\Uninstall SpywareBot.lnk"
O4 - HKCU\..\RunOnce: [SpybotDeletingD7812] cmd /c del "C:\Documents and Settings\All Users\Start Menu\Programs\SpywareBot\Uninstall SpywareBot.lnk"
O4 - HKCU\..\RunOnce: [SpybotDeletingB6712] command /c del "C:\Documents and Settings\All Users\Start Menu\Programs\SpywareBot\SpywareBot on the Web.lnk"
O4 - HKCU\..\RunOnce: [SpybotDeletingD5577] cmd /c del "C:\Documents and Settings\All Users\Start Menu\Programs\SpywareBot\SpywareBot on the Web.lnk"
O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Startup: WordWeb.lnk = C:\Program Files\WordWeb\wweb32.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: NETGEAR Smart Wizard.lnk = ?
O8 - Extra context menu item: &WordWeb... - res://C:\WINDOWS\wweb32.dll/lookup.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Easy-WebPrint Add To Print List - res://C:\Program Files\Canon\Easy-WebPrint\Toolband.dll/RC_AddToList.html
O8 - Extra context menu item: Easy-WebPrint High Speed Print - res://C:\Program Files\Canon\Easy-WebPrint\Toolband.dll/RC_HSPrint.html
O8 - Extra context menu item: Easy-WebPrint Preview - res://C:\Program Files\Canon\Easy-WebPrint\Toolband.dll/RC_Preview.html
O8 - Extra context menu item: Easy-WebPrint Print - res://C:\Program Files\Canon\Easy-WebPrint\Toolband.dll/RC_Print.html
O8 - Extra context menu item: Lookup on Merriam Webster - file://C:\Program Files\IESpell\Merriam Webster.HTM
O8 - Extra context menu item: Lookup on Wikipedia - file://C:\Program Files\IESpell\wikipedia.HTM
O8 - Extra context menu item: Post Image to Blog - res://C:\WINDOWS\ImageShackToolbar\ImageShackToolbar.dll/5003
O8 - Extra context menu item: Search &Dictionary - C:\Program files\Lexico\Toolbar\dictionary.htm
O8 - Extra context menu item: Search &Thesaurus - C:\Program files\Lexico\Toolbar\thesaurus.htm
O8 - Extra context menu item: Tag This Image - res://C:\WINDOWS\ImageShackToolbar\ImageShackToolbar.dll/5002
O8 - Extra context menu item: Upload All Images to ImageShack - res://C:\WINDOWS\ImageShackToolbar\ImageShackToolbar.dll/5000
O8 - Extra context menu item: Upload Image to ImageShack - res://C:\WINDOWS\ImageShackToolbar\ImageShackToolbar.dll/5001
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O15 - Trusted Zone: http://toolbar.imageshack.us
O16 - DPF: {5C051655-FCD5-4969-9182-770EA5AA5565} (Solitaire Showdown Class) - http://messenger.zone.msn.com/binary/SolitaireShowdown.cab56986.cab
O16 - DPF: {5D6F45B3-9043-443D-A792-115447494D24} (UnoCtrl Class) - http://messenger.zone.msn.com/EN-AU/a-UNO1/GAME_UNO1.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1189310573102
O16 - DPF: {6932D140-ABC4-4073-A44C-D4A541665E35} (ImageShack Toolbar) - http://toolbar.imageshack.us/toolbar/ImageShackToolbar.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1189310549718
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (MSN Games - Installer) - http://messenger.zone.msn.com/binary/ZIntro.cab56649.cab
O16 - DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsPAClient.cab56907.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
O16 - DPF: {F0E2D69A-DC2F-4E9B-A993-684FB1C21DBC} - http://dictionary.reference.com/tools/toolbar/lexico.cab
O16 - DPF: {F5A7706B-B9C0-4C89-A715-7A0C6B05DD48} (Minesweeper Flags Class) - http://messenger.zone.msn.com/binary/MineSweeper.cab56986.cab
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = balwynhs.vic.edu.au
O17 - HKLM\Software\..\Telephony: DomainName = balwynhs.vic.edu.au
O17 - HKLM\System\CCS\Services\Tcpip\..\{64E8F97B-0E16-4880-B1DC-B4BE5415C0CD}: Domain = vic.bigpond.net.au
O17 - HKLM\System\CCS\Services\Tcpip\..\{CE3C0847-A744-439C-AF04-145D3C4775F1}: Domain = vic.bigpond.net.au
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = balwynhs.vic.edu.au
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = balwynhs.vic.edu.au
O20 - AppInit_DLLs: "",wbsys.dll
O22 - SharedTaskScheduler: IE Component Categories cache daemon - {553858A7-4922-4e7e-B1C1-97140C1C16EF} - C:\WINDOWS\system32\ieframe.dll
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Notebook Manager Service (anbmService) - OSA Technologies Inc. - C:\Acer\eManager\anbmServ.exe
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: Macromedia Licensing Service - Unknown owner - C:\Program Files\Common Files\Macromedia Shared\Service\Macromedia Licensing.exe
O23 - Service: PC Tools Spyware Doctor (SDhelper) - PC Tools Research Pty Ltd - C:\Program Files\Spyware Doctor\sdhelp.exe

--
End of file - 13200 bytes

Explorer.exe is still restarting. I also still have this weird freezing lag thing.


Ah, now I see what that was. You need to restart your computer for SpywareBot to be removed completely, so do that now.

When you're done with that I would like you to run a scan with PandaActiveScan.

After it's done scanning, which may take a while, save the log and post it here.


I'm running the Panda scan right now, but upon restarting I noticed some weird things.

-Command Prompt boxes kept appearing and disappearing.

-My time had been changed to 24-hour time.

-An Internet Explorer icon had appeared on my desktop.


Panda Scan froze halfway through.


Incident Status Location

Potentially unwanted tool:Application/NirCmd.A Not disinfected C:\ComboFix\nircmd.cfexe
Spyware:Cookie/Serving-sys Not disinfected C:\Documents and Settings\dis0003\Application Data\Mozilla\Firefox\Profiles\4zz6kerz.default\cookies-1.txt[.serving-sys.com/]
Spyware:Cookie/Atlas DMT Not disinfected C:\Documents and Settings\dis0003\Application Data\Mozilla\Firefox\Profiles\4zz6kerz.default\cookies-1.txt[.atdmt.com/]
Spyware:Cookie/Doubleclick Not disinfected C:\Documents and Settings\dis0003\Application Data\Mozilla\Firefox\Profiles\4zz6kerz.default\cookies-1.txt[.doubleclick.net/]
Spyware:Cookie/Maxserving Not disinfected C:\Documents and Settings\dis0003\Application Data\Mozilla\Firefox\Profiles\4zz6kerz.default\cookies-1.txt[.maxserving.com/]
Spyware:Cookie/QuestionMarket Not disinfected C:\Documents and Settings\dis0003\Application Data\Mozilla\Firefox\Profiles\4zz6kerz.default\cookies-1.txt[.questionmarket.com/]
Spyware:Cookie/Belnk Not disinfected C:\Documents and Settings\dis0003\Application Data\Mozilla\Firefox\Profiles\4zz6kerz.default\cookies-1.txt[.belnk.com/]
Spyware:Cookie/Bfast Not disinfected C:\Documents and Settings\dis0003\Application Data\Mozilla\Firefox\Profiles\4zz6kerz.default\cookies-1.txt[.bfast.com/]
Spyware:Cookie/YieldManager Not disinfected C:\Documents and Settings\dis0003\Application Data\Mozilla\Firefox\Profiles\4zz6kerz.default\cookies-1.txt[ad.yieldmanager.com/]
Spyware:Cookie/Lop Not disinfected C:\Documents and Settings\dis0003\Application Data\Mozilla\Firefox\Profiles\4zz6kerz.default\cookies-1.txt[.mp3search.ru/]
Spyware:Cookie/Statcounter Not disinfected C:\Documents and Settings\dis0003\Application Data\Mozilla\Firefox\Profiles\4zz6kerz.default\cookies-1.txt[.statcounter.com/]
Spyware:Cookie/cs.sexcounter Not disinfected C:\Documents and Settings\dis0003\Application Data\Mozilla\Firefox\Profiles\4zz6kerz.default\cookies-1.txt[.cs.sexcounter.com/]
Spyware:Cookie/Bluestreak Not disinfected C:\Documents and Settings\dis0003\Application Data\Mozilla\Firefox\Profiles\4zz6kerz.default\cookies-1.txt[.bluestreak.com/]
Spyware:Cookie/Zedo Not disinfected C:\Documents and Settings\dis0003\Application Data\Mozilla\Firefox\Profiles\4zz6kerz.default\cookies-1.txt[.zedo.com/]
Spyware:Cookie/Falkag Not disinfected C:\Documents and Settings\dis0003\Application Data\Mozilla\Firefox\Profiles\4zz6kerz.default\cookies-1.txt[.as-eu.falkag.net/]
Spyware:Cookie/Yadro Not disinfected C:\Documents and Settings\dis0003\Application Data\Mozilla\Firefox\Profiles\4zz6kerz.default\cookies-1.txt[.yadro.ru/]
Spyware:Cookie/Atwola Not disinfected C:\Documents and Settings\dis0003\Application Data\Mozilla\Firefox\Profiles\4zz6kerz.default\cookies-1.txt[.atwola.com/]
Spyware:Cookie/PointRoll Not disinfected C:\Documents and Settings\dis0003\Application Data\Mozilla\Firefox\Profiles\4zz6kerz.default\cookies-1.txt[.ads.pointroll.com/]
Spyware:Cookie/Mediaplex Not disinfected C:\Documents and Settings\dis0003\Application Data\Mozilla\Firefox\Profiles\4zz6kerz.default\cookies-1.txt[.mediaplex.com/]
Spyware:Cookie/BurstNet Not disinfected C:\Documents and Settings\dis0003\Application Data\Mozilla\Firefox\Profiles\4zz6kerz.default\cookies-1.txt[.burstnet.com/]
Spyware:Cookie/Tribalfusion Not disinfected C:\Documents and Settings\dis0003\Application Data\Mozilla\Firefox\Profiles\4zz6kerz.default\cookies-1.txt[.tribalfusion.com/]
Spyware:Cookie/FastClick Not disinfected C:\Documents and Settings\dis0003\Application Data\Mozilla\Firefox\Profiles\4zz6kerz.default\cookies-1.txt[.fastclick.net/]
Spyware:Cookie/Advertising Not disinfected C:\Documents and Settings\dis0003\Application Data\Mozilla\Firefox\Profiles\4zz6kerz.default\cookies-1.txt[.advertising.com/]
Spyware:Cookie/Falkag Not disinfected C:\Documents and Settings\dis0003\Application Data\Mozilla\Firefox\Profiles\4zz6kerz.default\cookies-1.txt[.as-us.falkag.net/]
Spyware:Cookie/Com.com Not disinfected C:\Documents and Settings\dis0003\Application Data\Mozilla\Firefox\Profiles\4zz6kerz.default\cookies-1.txt[.com.com/]
Spyware:Cookie/Lop Not disinfected C:\Documents and Settings\dis0003\Application Data\Mozilla\Firefox\Profiles\4zz6kerz.default\cookies.txt[.mp3search.ru/]
Spyware:Cookie/Com.com Not disinfected C:\Documents and Settings\dis0003\Cookies\dis0003@ad.sensismediasmart.com[1].txt
Spyware:Cookie/Adserver Not disinfected C:\Documents and Settings\dis0003\Cookies\dis0003@adserver.easyad[1].txt
Spyware:Cookie/Adserver Not disinfected C:\Documents and Settings\dis0003\Cookies\dis0003@adserver.filefront[1].txt
Spyware:Cookie/Adserver Not disinfected C:\Documents and Settings\dis0003\Cookies\dis0003@adserver.filefront[2].txt
Spyware:Cookie/Azjmp Not disinfected C:\Documents and Settings\dis0003\Cookies\dis0003@azjmp[2].txt
Spyware:Cookie/Azjmp Not disinfected C:\Documents and Settings\dis0003\Cookies\dis0003@azjmp[3].txt
Spyware:Cookie/Clickbank Not disinfected C:\Documents and Settings\dis0003\Cookies\dis0003@clickbank[1].txt
Spyware:Cookie/Com.com Not disinfected C:\Documents and Settings\dis0003\Cookies\dis0003@com[2].txt
Spyware:Cookie/Doubleclick Not disinfected C:\Documents and Settings\dis0003\Cookies\dis0003@doubleclick[1].txt
Spyware:Cookie/AspinallsOnlineCasino Not disinfected C:\Documents and Settings\dis0003\Cookies\dis0003@pacificpoker[1].txt
Spyware:Cookie/Searchportal Not disinfected C:\Documents and Settings\dis0003\Cookies\dis0003@searchportal.information[1].txt
Spyware:Cookie/Searchportal Not disinfected C:\Documents and Settings\dis0003\Cookies\dis0003@searchportal.information[2].txt
Spyware:Cookie/Searchportal Not disinfected C:\Documents and Settings\dis0003\Cookies\dis0003@searchportal.information[3].txt
Spyware:Cookie/Server.iad.Liveperson Not disinfected C:\Documents and Settings\dis0003\Cookies\dis0003@server.iad.liveperson[1].txt
Spyware:Cookie/Toplist Not disinfected C:\Documents and Settings\dis0003\Cookies\dis0003@toplist[1].txt
Spyware:Cookie/Toplist Not disinfected C:\Documents and Settings\dis0003\Cookies\dis0003@toplist[2].txt
Spyware:Cookie/Tribalfusion Not disinfected C:\Documents and Settings\dis0003\Cookies\dis0003@tribalfusion[2].txt
Spyware:Cookie/Tucows Not disinfected C:\Documents and Settings\dis0003\Cookies\dis0003@tucows[2].txt
Potentially unwanted tool:Application/Processor Not disinfected C:\Documents and Settings\dis0003\Desktop\SmitfraudFix\Process.exe
Virus:Trj/Rebooter.J Disinfected C:\Documents and Settings\dis0003\Desktop\SmitfraudFix\Reboot.exe
Potentially unwanted tool:Application/SuperFast Not disinfected C:\Documents and Settings\dis0003\Desktop\SmitfraudFix\restart.exe
Potentially unwanted tool:Application/NirCmd.A Not disinfected C:\Documents and Settings\dis0003\Local Settings\Temporary Internet Files\Content.IE5\HHB3YFO7\ComboFix[1].exe[nircmd.exe]
Potentially unwanted tool:Application/NirCmd.A Not disinfected C:\Documents and Settings\dis0003\Local Settings\Temporary Internet Files\Content.IE5\HHB3YFO7\ComboFix[1].exe[nircmd.cfexe]
Potentially unwanted tool:Application/Processor Not disinfected C:\Documents and Settings\dis0003\Local Settings\Temporary Internet Files\Content.IE5\HHB3YFO7\SmitfraudFix[1].zip[SmitfraudFix/Process.exe]
Virus:Trj/Rebooter.J Disinfected C:\Documents and Settings\dis0003\Local Settings\Temporary Internet Files\Content.IE5\HHB3YFO7\SmitfraudFix[1].zip[SmitfraudFix/Reboot.exe]
Potentially unwanted tool:Application/SuperFast Not disinfected C:\Documents and Settings\dis0003\Local Settings\Temporary Internet Files\Content.IE5\HHB3YFO7\SmitfraudFix[1].zip[SmitfraudFix/restart.exe]
Hacktool:HackTool/Aircrack Not disinfected C:\Documents and Settings\dis0003\My Documents\WPA\aircrack-ng-0.6.2-win\bin\airodump-ng.exe

0

Not a good thing. Hmm, I really wish ComboFix was working... oh well. The only thing that the scan found before it was interrupted was what appears to be a crack.

If you didn't download this on purpose then delete it immediately.

Here's the file in question.

C:\Documents and Settings\dis0003\My Documents\WPA\aircrack-ng-0.6.2-win\bin\airodump-ng.exe

If you didn't put that there delete it.

Since ComboFix is down, let's try this.


Download Deckard's System Scanner (DSS) to your Desktop. Note: You must be logged onto an account with administrator privileges.

1. Close all applications and windows.
2. Double-click on dss.exe to run it, and follow the prompts.
3. When the scan is complete, two text files will open: main.txt (this one will be maximized) and extra.txt (this one will be minimized).
4. Copy (Ctrl+A, then Ctrl+C) and paste (Ctrl+V) the contents of main.txt into your next post in this thread.
5. Please attach extra.txt to your next post; do not copy and paste it.
*To attach it, click the icon above this text box that looks like a paperclip. Then click Browse, navigate to extra.txt and select it, then hit Upload. You can then close the pop-up window.

What DSS will do:

* create a new System Restore point in Windows XP and Vista.
* clean your Temporary Files, Downloaded Program Files, and Internet Cache Files, and also empty the Recycle Bin on all drives.
* check some important areas of your system and produce a report for your analyst to review. DSS automatically runs HijackThis for you, but it will also install and place a shortcut to HijackThis on your desktop if you do not already have HijackThis installed.


Hopefully this will let me see a little bit more of what's wrong. And also, thanks for your patience.
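Between these two posts, an added example that is not part of either participant's reply and is not DSS's own code: a small Python triage script for the kind of DSS log the next reply contains. It runs over lines excerpted from that log (trimmed, not invented) and flags the two patterns an analyst would pull out of it: hidden/system .ini2 files in system32 whose names are the reverse of a .dll created seconds earlier in the same directory, and an entry in the LSA "Authentication Packages" value other than the Windows default msv1_0, which makes lsass.exe load that DLL at boot. Function and constant names are this example's own choices.

```python
"""Triage helper for a Deckard's System Scanner (DSS) log.

Added example, not code from this thread or from DSS itself. Two checks:
  * a .ini2 file whose stem, reversed, names a .dll in the same directory
    (fihjl.ini2 <-> ljhif.dll in the log quoted below);
  * an LSA "Authentication Packages" value listing anything besides the
    Windows default msv1_0 (lsass.exe loads every listed DLL at boot).
"""
import re
from dataclasses import dataclass

# Lines excerpted from the DSS log posted in this thread (trimmed, not invented).
SAMPLE_FILES = r"""
2007-11-21 13:48:43 6925 --ahs--c- C:\WINDOWS\system32\fihjl.ini2
2007-11-21 13:48:29 319072 -------c- C:\WINDOWS\system32\ljhif.dll
2007-11-21 00:20:31 317 --ahs--c- C:\WINDOWS\system32\ppsut.ini2
2007-11-21 00:20:19 319072 -------c- C:\WINDOWS\system32\tuspp.dll
2007-11-20 23:19:41 6925 --ahs--c- C:\WINDOWS\system32\ggjlm.ini2
2007-11-20 23:19:30 319072 --a----c- C:\WINDOWS\system32\mljgg.dll
2007-11-20 17:12:15 0 d------c- C:\WINDOWS\system32\ActiveScan
2007-11-19 00:05:50 53248 --a----c- C:\WINDOWS\system32\Process.exe <Not Verified; http://www.beyondlogic.org; Command Line Process Utility>
2007-11-17 20:18:24 37376 --a----c- C:\WINDOWS\system32\wvurqnm.dll
"""
SAMPLE_REGISTRY = r"""
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
"Authentication Packages"= msv1_0 C:\\WINDOWS\\system32\\ljhif
"""

# date time size attrs path [<Not Verified; vendor; description>]
FILE_LINE = re.compile(
    r"^(?P<date>\d{4}-\d{2}-\d{2}) (?P<time>\d{2}:\d{2}:\d{2})\s+(?P<size>\d+)\s+"
    r"(?P<attrs>[-a-z]+)\s+(?P<path>[^<]+?)\s*(?:<[^>]*>)?\s*$"
)
AUTH_PKG_LINE = re.compile(r'^"Authentication Packages"=\s*(?P<pkgs>.+)$')
DEFAULT_AUTH_PACKAGES = {"msv1_0"}  # the only package a stock XP install lists here


@dataclass(frozen=True)
class Entry:
    path: str
    attrs: str
    size: int

    @property
    def directory(self):
        return self.path.rsplit("\\", 1)[0].lower()

    @property
    def name(self):
        return self.path.rsplit("\\", 1)[-1].lower()

    @property
    def stem(self):
        return self.name.rsplit(".", 1)[0]

    @property
    def ext(self):
        return self.name.rsplit(".", 1)[-1] if "." in self.name else ""


def parse_files(text):
    """Parse the 'Files created' / 'Find3M' style lines of a DSS log."""
    return [Entry(m["path"], m["attrs"], int(m["size"]))
            for m in map(FILE_LINE.match, text.splitlines()) if m]


def reversed_name_pairs(entries):
    """(ini, dll) pairs where the ini stem reversed is a .dll stem in the same directory."""
    dlls = {(e.directory, e.stem): e for e in entries if e.ext == "dll"}
    pairs = []
    for e in entries:
        if e.ext in ("ini", "ini2"):
            dll = dlls.get((e.directory, e.stem[::-1]))
            if dll is not None:
                pairs.append((e, dll))
    return pairs


def rogue_auth_packages(reg_text):
    """LSA authentication packages other than the default; DSS doubles backslashes, undo that."""
    found = []
    for line in reg_text.splitlines():
        m = AUTH_PKG_LINE.match(line.strip())
        if m:
            found += [p.replace("\\\\", "\\") for p in m["pkgs"].split()
                      if p.lower() not in DEFAULT_AUTH_PACKAGES]
    return found


def triage(files_text, reg_text):
    """Human-readable findings; an LSA package that matches a paired DLL is called out."""
    pairs = reversed_name_pairs(parse_files(files_text))
    paired_dll_stems = {dll.stem for _, dll in pairs}
    findings = []
    for ini, dll in pairs:
        flag = " (ini is hidden+system)" if {"h", "s"} <= set(ini.attrs) else ""
        findings.append(f"reversed-name pair: {ini.path} <-> {dll.path}{flag}")
    for pkg in rogue_auth_packages(reg_text):
        stem = pkg.rsplit("\\", 1)[-1].lower()
        note = " (matches a paired DLL above)" if stem in paired_dll_stems else ""
        findings.append(f"extra LSA authentication package: {pkg}{note}")
    return findings


if __name__ == "__main__":
    for finding in triage(SAMPLE_FILES, SAMPLE_REGISTRY):
        print(finding)
```

The pair check keys on directory plus reversed stem rather than on timestamps, so it still fires when the DLL and its .ini2 land minutes apart, as some of the pairs in the log below do; the LSA check is the one that matters most for clean-up, because a DLL listed there is reloaded by lsass.exe on every boot regardless of what is removed from the Run keys.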

0

Main.txt:

Deckard's System Scanner v20071014.68
Run by DIS0003 on 2007-11-21 13:57:21
Computer is in Normal Mode.
--------------------------------------------------------------------------------

-- System Restore --------------------------------------------------------------

Successfully created a Deckard's System Scanner Restore Point.


-- Last 4 Restore Point(s) --
4: 2007-11-21 02:57:33 UTC - RP4 - Deckard's System Scanner Restore Point
3: 2007-11-20 06:02:13 UTC - RP3 - Last known good configuration
2: 2007-11-20 06:01:24 UTC - RP2 - Test
1: 2007-11-20 06:01:23 UTC - RP1 - Screwed


Backed up registry hives.
Performed disk cleanup.

-- HijackThis (run as DIS0003.exe) ---------------------------------------------

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 2:00, on 2007-11-21
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.5450.0004)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Acer\eManager\anbmServ.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\alg.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\WINDOWS\AGRSMMSG.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\acer\epm\epm-dm.exe
C:\Program Files\Launch Manager\QtZgAcer.EXE
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
C:\WINDOWS\system32\RunDll32.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\Program Files\NETGEAR\WG511v2\wlancfg5.exe
C:\Program Files\WordWeb\wweb32.exe
C:\Program Files\MSN Messenger\usnsvc.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\taskmgr.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLLoginProxy.exe
C:\Documents and Settings\dis0003\Desktop\dss.exe
C:\PROGRA~1\Trend Micro\HijackThis\DIS0003.exe
C:\WINDOWS\system32\wbem\wmiprvse.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://intranet.balwynhs.vic.edu.au/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.balwynhs.vic.edu.au;172.*;*.education.vic.gov.au;*.sofweb.vic.edu.au;*.vass.vic.edu.au;*.eduweb.vic.gov.au;*.edudev.vic.gov.au;*.edumail.vic.gov.au;*.otte.vic.gov.au;*.icon.edu.vic.gov.au;*.ultranet.vic.edu.au;*.vcaa.vic.edu.au;*.local
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: CCHelper - {0CF0B8EE-6596-11D5-A98E-0003470BB48E} - C:\Program Files\Panicware\Pop-Up Stopper Companion\CCHelper.dll
O2 - BHO: Dictionary.com - {11359F4A-B191-42d7-905A-594F8CF0387B} - C:\WINDOWS\Downloaded Program Files\CONFLICT.1\lexbar.dll
O2 - BHO: PCTools Site Guard - {5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB} - C:\PROGRA~1\SPYWAR~2\tools\iesdsg.dll
O2 - BHO: Canon Easy Web Print Helper - {68F9551E-0411-48E4-9AAF-4BC42A6A46BE} - C:\Program Files\Canon\Easy-WebPrint\EWPBrowseLoader.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: PCTools Browser Monitor - {B56A7D7D-6927-48C8-A975-17DF180C71AC} - C:\PROGRA~1\SPYWAR~2\tools\iesdpb.dll
O2 - BHO: IE Developer Toolbar BHO - {CC7E636D-39AA-49b6-B511-65413DA137A1} - C:\Program Files\Microsoft\Internet Explorer Developer Toolbar\IEDevToolbar.dll
O3 - Toolbar: ImageShack Toolbar - {6932D140-ABC4-4073-A44C-D4A541665E35} - C:\WINDOWS\ImageShackToolbar\ImageShackToolbar.dll
O3 - Toolbar: Dictionary.com - {11359F4A-B191-42D7-905A-594F8CF0387B} - C:\WINDOWS\Downloaded Program Files\CONFLICT.1\lexbar.dll
O3 - Toolbar: Easy-WebPrint - {327C2873-E90D-4c37-AA9D-10AC9BABA46C} - C:\Program Files\Canon\Easy-WebPrint\Toolband.dll
O4 - HKLM\..\Run: [LaunchApp] Alaunch
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [eRecoveryService] C:\Windows\System32\Check.exe
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [EPM-DM] c:\acer\epm\epm-dm.exe
O4 - HKLM\..\Run: [ePowerManagement] C:\Acer\ePM\ePM.exe boot
O4 - HKLM\..\Run: [LManager] C:\Program Files\Launch Manager\QtZgAcer.EXE
O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [CmUsbSound] RunDll32 cmcnfgu.cpl,CMICtrlWnd
O4 - HKLM\..\Run: [ISUSPM Startup] c:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\isuspm.exe -startup
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\Alwil Software\Avast4\ashDisp.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Startup: WordWeb.lnk = C:\Program Files\WordWeb\wweb32.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: NETGEAR Smart Wizard.lnk = ?
O8 - Extra context menu item: &WordWeb... - res://C:\WINDOWS\wweb32.dll/lookup.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Easy-WebPrint Add To Print List - res://C:\Program Files\Canon\Easy-WebPrint\Toolband.dll/RC_AddToList.html
O8 - Extra context menu item: Easy-WebPrint High Speed Print - res://C:\Program Files\Canon\Easy-WebPrint\Toolband.dll/RC_HSPrint.html
O8 - Extra context menu item: Easy-WebPrint Preview - res://C:\Program Files\Canon\Easy-WebPrint\Toolband.dll/RC_Preview.html
O8 - Extra context menu item: Easy-WebPrint Print - res://C:\Program Files\Canon\Easy-WebPrint\Toolband.dll/RC_Print.html
O8 - Extra context menu item: Lookup on Merriam Webster - file://C:\Program Files\IESpell\Merriam Webster.HTM
O8 - Extra context menu item: Lookup on Wikipedia - file://C:\Program Files\IESpell\wikipedia.HTM
O8 - Extra context menu item: Post Image to Blog - res://C:\WINDOWS\ImageShackToolbar\ImageShackToolbar.dll/5003
O8 - Extra context menu item: Search &Dictionary - C:\Program files\Lexico\Toolbar\dictionary.htm
O8 - Extra context menu item: Search &Thesaurus - C:\Program files\Lexico\Toolbar\thesaurus.htm
O8 - Extra context menu item: Tag This Image - res://C:\WINDOWS\ImageShackToolbar\ImageShackToolbar.dll/5002
O8 - Extra context menu item: Upload All Images to ImageShack - res://C:\WINDOWS\ImageShackToolbar\ImageShackToolbar.dll/5000
O8 - Extra context menu item: Upload Image to ImageShack - res://C:\WINDOWS\ImageShackToolbar\ImageShackToolbar.dll/5001
O15 - Trusted Zone: http://toolbar.imageshack.us
O16 - DPF: {5C051655-FCD5-4969-9182-770EA5AA5565} (Solitaire Showdown Class) - http://messenger.zone.msn.com/binary/SolitaireShowdown.cab56986.cab
O16 - DPF: {5D6F45B3-9043-443D-A792-115447494D24} (UnoCtrl Class) - http://messenger.zone.msn.com/EN-AU/a-UNO1/GAME_UNO1.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1189310573102
O16 - DPF: {6932D140-ABC4-4073-A44C-D4A541665E35} (ImageShack Toolbar) - http://toolbar.imageshack.us/toolbar/ImageShackToolbar.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1189310549718
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (MSN Games - Installer) - http://messenger.zone.msn.com/binary/ZIntro.cab56649.cab
O16 - DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsPAClient.cab56907.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
O16 - DPF: {F0E2D69A-DC2F-4E9B-A993-684FB1C21DBC} - http://dictionary.reference.com/tools/toolbar/lexico.cab
O16 - DPF: {F5A7706B-B9C0-4C89-A715-7A0C6B05DD48} (Minesweeper Flags Class) - http://messenger.zone.msn.com/binary/MineSweeper.cab56986.cab
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = balwynhs.vic.edu.au
O17 - HKLM\Software\..\Telephony: DomainName = balwynhs.vic.edu.au
O17 - HKLM\System\CCS\Services\Tcpip\..\{64E8F97B-0E16-4880-B1DC-B4BE5415C0CD}: Domain = vic.bigpond.net.au
O17 - HKLM\System\CCS\Services\Tcpip\..\{CE3C0847-A744-439C-AF04-145D3C4775F1}: Domain = vic.bigpond.net.au
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = balwynhs.vic.edu.au
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = balwynhs.vic.edu.au
O22 - SharedTaskScheduler: IE Component Categories cache daemon - {553858A7-4922-4e7e-B1C1-97140C1C16EF} - C:\WINDOWS\system32\ieframe.dll
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Notebook Manager Service (anbmService) - OSA Technologies Inc. - C:\Acer\eManager\anbmServ.exe
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: Macromedia Licensing Service - Unknown owner - C:\Program Files\Common Files\Macromedia Shared\Service\Macromedia Licensing.exe
O23 - Service: PC Tools Spyware Doctor (SDhelper) - PC Tools Research Pty Ltd - C:\Program Files\Spyware Doctor\sdhelp.exe

--
End of file - 11314 bytes

-- HijackThis Fixed Entries (C:\PROGRA~1\Trend Micro\HijackThis\backups\) ------

backup-20070910-171258-717 O8 - Extra context menu item: Download with Rapget - C:\Documents and Settings\dis0003\Desktop\RAP\rapget.htm
backup-20071117-231700-973 O20 - Winlogon Notify: Setup - C:\WINDOWS\system32\jtpm0771e.dll (file missing)
backup-20071119-012518-517 R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
backup-20071119-012538-137 O9 - Extra button: Fiddler - {CF819DA3-9882-4944-ADF5-6EF17ECF3C6E} - "C:\Program Files\Fiddler\Fiddler.exe" (file missing)
backup-20071119-012538-466 O9 - Extra 'Tools' menuitem: Fiddler - {CF819DA3-9882-4944-ADF5-6EF17ECF3C6E} - "C:\Program Files\Fiddler\Fiddler.exe" (file missing)
backup-20071119-012617-876 O23 - Service: MySql - Unknown owner - c:/xampp/mysql/bin/mysqld-nt.exe (file missing)
backup-20071119-155042-177 O8 - Extra context menu item: &Download with FlashGet - C:\Program Files\FlashGet\jc_link.htm
backup-20071119-155042-349 O9 - Extra 'Tools' menuitem: FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - C:\Program Files\FlashGet\FlashGet.exe
backup-20071119-155042-782 O8 - Extra context menu item: &Download All with FlashGet - C:\Program Files\FlashGet\jc_all.htm
backup-20071119-155042-882 O3 - Toolbar: FlashGet - {E0E899AB-F487-11D5-8D29-0050BA6940E3} - C:\Program Files\FlashGet\fgiebar.dll
backup-20071119-155042-991 O9 - Extra button: FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - C:\Program Files\FlashGet\FlashGet.exe
backup-20071119-200329-288 O23 - Service: PC Tools Spyware Doctor (SDhelper) - PC Tools Research Pty Ltd - C:\Program Files\Spyware Doctor\sdhelp.exe
backup-20071120-202132-415 O4 - HKLM\..\Run: [SSBkgdUpdate] "C:\Program Files\Common Files\Scansoft Shared\SSBkgdUpdate\SSBkgdupdate.exe" -Embedding -boot
backup-20071120-224027-144 O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
backup-20071120-224241-285 O20 - Winlogon Notify: Telephony - C:\WINDOWS\system32\gpn0l35m1.dll (file missing)
backup-20071120-225030-546 O23 - Service: PC Tools Spyware Doctor (SDhelper) - PC Tools Research Pty Ltd - C:\Program Files\Spyware Doctor\sdhelp.exe
backup-20071120-225132-663 O20 - AppInit_DLLs: "",wbsys.dll
backup-20071120-225957-839 O3 - Toolbar: Pop-Up Stopper &Companion - {8F05B1A8-9D77-4B8F-AF54-6B2202066F95} - C:\Program Files\Panicware\Pop-Up Stopper Companion\popupus.dll

-- File Associations -----------------------------------------------------------

All associations okay.


-- Drivers: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled ---------------------

R0 sfdrv01 (StarForce Protection Environment Driver (version 1.x)) - c:\windows\system32\drivers\sfdrv01.sys <Not Verified; Protection Technology; StarForce Protection System>
R0 sfhlp02 (StarForce Protection Helper Driver (version 2.x)) - c:\windows\system32\drivers\sfhlp02.sys <Not Verified; Protection Technology; StarForce Protection System>
R0 sfvfs02 (StarForce Protection VFS Driver (version 2.x)) - c:\windows\system32\drivers\sfvfs02.sys <Not Verified; Protection Technology; StarForce Protection System>
R1 SCDEmu - c:\windows\system32\drivers\scdemu.sys <Not Verified; PowerISO Computing, Inc.; scdemu>
R2 EpmPsd (Acer EPM Power Scheme Driver) - c:\windows\system32\drivers\epm-psd.sys <Not Verified; Acer Value Labs, USA; Acer EPM Power Scheme Driver>
R2 EpmShd (Acer EPM System Hardware Driver) - c:\windows\system32\drivers\epm-shd.sys <Not Verified; Acer Value Labs, USA; Acer EPM System Hardware Driver>
R2 osaio - c:\windows\system32\drivers\osaio.sys <Not Verified; Windows (R) 2000 DDK provider; OSA I/O Port Driver Version 1.0.5>
R2 osanbm - c:\windows\system32\drivers\osanbm.sys <Not Verified; Windows (R) 2000 DDK provider; OSA int15 Driver Version 2.0.2>
R3 cmudau (C-Media USB Sound Interface) - c:\windows\system32\drivers\cmudau.sys <Not Verified; C-Media Inc; C-Media USB Audio Driver (WDM)>
R3 DKbFltr (Dritek HotKey Keyboard Filter Driver) - c:\windows\system32\drivers\dkbfltr.sys <Not Verified; Dritek System Inc.; Dritek MMKey>
R3 int15.sys - c:\program files\acer\erecovery\int15.sys
R3 NTIDrvr (Upper Class Filter Driver) - c:\windows\system32\drivers\ntidrvr.sys <Not Verified; NewTech Infosystems, Inc.; >

S0 VClone - c:\windows\system32\drivers\vclone.sys (file missing)
S2 npkcrypt - d:\game program files\ms\npkcrypt.sys (file missing)
S3 ASPI (Advanced SCSI Programming Interface Driver) - c:\windows\system32\drivers\aspi32.sys <Not Verified; Adaptec; Adaptec's ASPI Layer>
S3 BPIKSp50 (BPIKSp50 NDIS Protocol Driver) - e:\bpiksp50.sys (file missing)
S3 DISK_DRIVE32 - d:\game program files\hizet\newhack\disk drove\ce\disk_1024.sys (file missing)
S3 EagleNT - c:\windows\system32\drivers\eaglent.sys (file missing)
S3 nocashio - c:\windows\system32\drivers\nocashio.sys


-- Services: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled --------------------

R2 anbmService (Notebook Manager Service) - c:\acer\emanager\anbmserv.exe <Not Verified; OSA Technologies Inc.; Acer eManager for Notebook>

S3 FLEXnet Licensing Service - "c:\program files\common files\macrovision shared\flexnet publisher\fnplicensingservice.exe" <Not Verified; Macrovision Europe Ltd.; FLEXnet Publisher (32 bit)>
S4 MySql - c:/xampp/mysql/bin/mysqld-nt.exe (file missing)


-- Device Manager: Disabled ----------------------------------------------------

Class GUID: {4D36E977-E325-11CE-BFC1-08002BE10318}
Description: Intel PCIC compatible PCMCIA controller
Device ID: ROOT\PCMCIA\0000
Manufacturer: Intel
Name: Intel PCIC compatible PCMCIA controller
PNP Device ID: ROOT\PCMCIA\0000
Service: pcmcia

Class GUID: {4D36E977-E325-11CE-BFC1-08002BE10318}
Description: Intel PCIC compatible PCMCIA controller
Device ID: ROOT\PCMCIA\0001
Manufacturer: Intel
Name: Intel PCIC compatible PCMCIA controller
PNP Device ID: ROOT\PCMCIA\0001
Service: pcmcia


-- Scheduled Tasks -------------------------------------------------------------

2007-11-18 01:39:02 330 --ah---c- C:\WINDOWS\Tasks\MP Scheduled Scan.job


-- Files created between 2007-10-21 and 2007-11-21 -----------------------------

2007-11-21 13:48:43 6925 --ahs--c- C:\WINDOWS\system32\fihjl.ini2
2007-11-21 13:48:29 319072 -------c- C:\WINDOWS\system32\ljhif.dll
2007-11-21 00:20:31 317 --ahs--c- C:\WINDOWS\system32\ppsut.ini2
2007-11-21 00:20:19 319072 -------c- C:\WINDOWS\system32\tuspp.dll
2007-11-20 23:50:16 6925 --ahs--c- C:\WINDOWS\system32\nmnpo.ini2
2007-11-20 23:50:00 319072 -------c- C:\WINDOWS\system32\opnmn.dll
2007-11-20 23:19:41 6925 --ahs--c- C:\WINDOWS\system32\ggjlm.ini2
2007-11-20 23:19:30 319072 --a----c- C:\WINDOWS\system32\mljgg.dll
2007-11-20 17:12:15 0 d------c- C:\WINDOWS\system32\ActiveScan
2007-11-20 15:48:50 0 d------c- C:\VundoFix Backups
2007-11-19 21:29:05 0 d------c- C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2007-11-19 20:14:16 0 d------c- C:\Program Files\CCleaner
2007-11-19 00:27:32 317 --ahs--c- C:\WINDOWS\system32\aaycf.ini2
2007-11-19 00:27:17 320608 -------c- C:\WINDOWS\system32\fcyaa.dll
2007-11-19 00:07:21 3552 --a----c- C:\WINDOWS\system32\tmp.reg
2007-11-19 00:05:50 25600 --a----c- C:\WINDOWS\system32\WS2Fix.exe
2007-11-19 00:05:50 289144 --a----c- C:\WINDOWS\system32\VCCLSID.exe <Not Verified; S!Ri; >
2007-11-19 00:05:50 288417 --a----c- C:\WINDOWS\system32\SrchSTS.exe <Not Verified; S!Ri; SrchSTS>
2007-11-19 00:05:50 53248 --a----c- C:\WINDOWS\system32\Process.exe <Not Verified; http://www.beyondlogic.org; Command Line Process Utility>
2007-11-19 00:05:50 51200 --a----c- C:\WINDOWS\system32\dumphive.exe
2007-11-18 18:09:52 7375 --ahs--c- C:\WINDOWS\system32\nnmoq.ini2
2007-11-18 18:09:41 320608 -------c- C:\WINDOWS\system32\qomnn.dll
2007-11-18 13:20:33 0 d------c- C:\Documents and Settings\dis0003\Application Data\Uniblue
2007-11-17 22:28:56 0 d------c- C:\Documents and Settings\All Users\Application Data\Grisoft
2007-11-17 20:18:24 37376 --a----c- C:\WINDOWS\system32\wvurqnm.dll
2007-11-17 19:35:18 0 d------c- C:\Documents and Settings\All Users\Application Data\Kaspersky Lab Setup Files
2007-11-16 19:16:31 0 d------c- C:\Program Files\Pointstone
2007-11-13 23:01:50 0 d------c- C:\Program Files\AimGames
2007-11-04 22:18:22 0 d------c- C:\Documents and Settings\dis0003\Application Data\teamspeak2
2007-11-03 17:28:12 0 d------c- C:\Documents and Settings\NetworkService\Application Data\Xfire


-- Find3M Report ---------------------------------------------------------------

2007-11-20 23:07:22 0 d------c- C:\Documents and Settings\dis0003\Application Data\AVG7
2007-11-20 22:58:43 0 d------c- C:\Program Files\mIRC
2007-11-20 19:13:05 0 d------c- C:\Program Files\Windows Defender
2007-11-20 19:12:45 0 d------c- C:\Program Files\MSN Messenger
2007-11-20 17:52:52 0 d------c- C:\Program Files\NetBattle
2007-11-19 00:44:44 0 d------c- C:\Program Files\Spyware Doctor
2007-11-18 17:05:30 0 d------c- C:\Program Files\PowerISO
2007-11-18 17:05:29 0 d------c- C:\Program Files\7-Zip
2007-11-18 17:05:27 0 d------c- C:\Program Files\Notepad++
2007-11-18 17:04:28 0 d------c- C:\Program Files\Microsoft Silverlight
2007-11-18 00:43:19 0 d------c- C:\Program Files\Alwil Software
2007-11-17 19:45:28 0 d------c- C:\Program Files\Common Files\Symantec Shared
2007-11-15 23:48:43 0 d------c- C:\Program Files\Bonjour
2007-11-09 17:06:19 0 d------c- C:\Documents and Settings\dis0003\Application Data\Xfire
2007-10-23 16:52:35 0 d------c- C:\Documents and Settings\dis0003\Application Data\Hamachi
2007-10-22 18:37:07 0 d------c- C:\Program Files\Cheat Engine
2007-10-20 20:23:15 0 d------c- C:\Program Files\IObit
2007-10-19 00:53:34 0 d------c- C:\Program Files\Common Files
2007-10-19 00:53:34 0 d------c- C:\Program Files\Common Files\ScanSoft Shared
2007-10-19 00:52:36 0 d------c- C:\Program Files\ScanSoft
2007-10-16 18:11:59 0 d------c- C:\Program Files\Google
2007-10-16 17:18:41 0 d------c- C:\Program Files\Softnyx Canada
2007-10-07 02:14:05 0 d------c- C:\Documents and Settings\dis0003\Application Data\Audacity
2007-10-06 19:45:06 0 d------c- C:\Program Files\Any Sound Recorder
2007-10-04 20:37:14 0 d------c- C:\Program Files\Audacity 1.3 Beta (Unicode)
2007-10-02 06:39:39 0 d------c- C:\Program Files\Microsoft Visual Studio 9.0
2007-10-02 02:43:38 0 d------c- C:\Program Files\Common Files\AOL
2007-10-01 22:59:34 0 d------c- C:\Program Files\Microsoft SDKs
2007-10-01 22:53:34 0 d------c- C:\Program Files\MSBuild
2007-10-01 22:53:25 0 d------c- C:\Program Files\Reference Assemblies
2007-10-01 21:44:27 0 d------c- C:\Program Files\Canon
2007-10-01 21:42:58 0 d--h---c- C:\Program Files\InstallShield Installation Information
2007-10-01 06:44:04 0 d------c- C:\Program Files\Microsoft
2007-10-01 06:02:27 0 d------c- C:\Program Files\Fiddler2
2007-10-01 04:52:48 0 d------c- C:\Program Files\Fiddler
2007-10-01 04:48:26 796672 --a----c- C:\WINDOWS\GPInstall.exe <Not Verified; Qsc; GP-Install>
2007-10-01 04:47:27 0 d------c- C:\Program Files\AutoTypist
2007-09-26 22:38:25 0 d------c- C:\Documents and Settings\dis0003\Application Data\Avant Profiles
2007-09-26 22:37:27 0 d------c- C:\Program Files\Avant Browser
2007-09-10 12:55:54 692224 --a----c- C:\WINDOWS\system32\ijjiSetup.exe <Not Verified; NHN USA; ijjiSetup Application>


-- Registry Dump ---------------------------------------------------------------

*Note* empty entries & legit default entries are not shown


[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"LaunchApp"="Alaunch" []
"SoundMan"="SOUNDMAN.EXE" [2004-05-14 03:47 C:\WINDOWS\SOUNDMAN.EXE]
"AGRSMMSG"="AGRSMMSG.exe" [2003-11-19 12:41 C:\WINDOWS\AGRSMMSG.exe]
"eRecoveryService"="C:\Windows\System32\Check.exe" [2004-07-20 01:14]
"ATIPTA"="C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [2004-05-15 09:10]
"EPM-DM"="c:\acer\epm\epm-dm.exe" [2004-07-14 02:19]
"ePowerManagement"="C:\Acer\ePM\ePM.exe" [2004-09-01 05:38]
"LManager"="C:\Program Files\Launch Manager\QtZgAcer.EXE" [2004-06-30 03:41]
"ISUSScheduler"="C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" [2005-02-16 05:15]
"CmUsbSound"="cmcnfgu.cpl" []
"ISUSPM Startup"="c:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\isuspm.exe" [2004-06-16 07:03]
"AVG7_CC"="C:\PROGRA~1\Grisoft\AVG7\avgcc.exe" [2007-11-17 10:28]
"avast!"="C:\PROGRA~1\Alwil Software\Avast4\ashDisp.exe" [2007-09-06 08:06]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 05:00]
"msnmsgr"="C:\Program Files\MSN Messenger\msnmsgr.exe" [2007-01-19 12:54]

[HKEY_USERS\.default\software\microsoft\windows\currentversion\run]
"Oshddndf"=C:\WINDOWS\YSTEM3~1\IXPLOR~1.EXE
"Spyware Doctor"=

C:\Documents and Settings\dis0003\Start Menu\Programs\Startup\
Adobe Gamma.lnk - C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2004-12-21 2:49:31 PM]
WordWeb.lnk - C:\Program Files\WordWeb\wweb32.exe [2006-07-04 5:26:30 PM]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Adobe Gamma Loader.lnk - C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2004-12-21 2:49:31 PM]
Adobe Reader Speed Launch.lnk - C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2005-09-24 5:05:26 PM]
NETGEAR Smart Wizard.lnk - C:\WINDOWS\Installer\{B93D24B3-928D-4805-B379-4AA47CB3794E}\NewShortcut2.exe [2007-02-05 11:17:58 AM]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"disablecad"=0 (0x0)

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]
"LinkResolveIgnoreLinkInfo"=0 (0x0)
"NoResolveSearch"=1 (0x1)

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"LinkResolveIgnoreLinkInfo"=0 (0x0)

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
"{8ED2EE63-44E2-46A6-8BB4-E486F5F22EF4}"= C:\WINDOWS\system32\wvurqnm.dll [2007-11-17 08:18 37376]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\WBSrv]
C:\PROGRA~1\Stardock\Object Desktop\WindowBlinds\wbsrv.dll

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
"Authentication Packages"= msv1_0 C:\\WINDOWS\\system32\\ljhif

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-1292428093-1757981266-682003330-32192\Scripts\Logon\0\0]
"Script"=StudentScripts.vbs

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-1292428093-1757981266-682003330-32192\Scripts\Logon\1\0]
"Script"=LaptopProgram.vbs

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\aawservice]
@="Service"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Last.fm Helper.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Last.fm Helper.lnk
backup=C:\WINDOWS\pss\Last.fm Helper.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^dis0003^Start Menu^Programs^Startup^WinMySQLadmin.lnk]
path=C:\Documents and Settings\dis0003\Start Menu\Programs\Startup\WinMySQLadmin.lnk
backup=C:\WINDOWS\pss\WinMySQLadmin.lnkStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AAWTray]
C:\Program Files\Lavasoft\Ad-Aware 2007\AAWTray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Aim6]
"C:\Program Files\Common Files\AOL\Launch\AOLLaunch.exe" /d locale=en-US ee://aol/imApp

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AVG7_CC]
C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BitTorrent]
"D:\Game Program Files\Bit\bittorrent.exe" --force_start_minimized

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\googletalk]
"C:\Program Files\Google\Google Talk\googletalk.exe" /autostart

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HostManager]
C:\Program Files\Common Files\AOL\1158301443\ee\AOLSoftware.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HP Component Manager]
"C:\Program Files\HP\hpcoretech\hpcmpmgr.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HP Software Update]
"C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd2.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HPDJ Taskbar Utility]
C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb10.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IPHSend]
C:\Program Files\Common Files\AOL\IPHSend\IPHSend.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ISUSPM Startup]
C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe -startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\msnmsgr]
"C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\OpwareSE4]
"C:\Program Files\ScanSoft\OmniPageSE4.0\OpwareSE4.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Orb]
"C:\Program Files\Orb Networks\Orb\bin\OrbTray.exe" /background

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PWRISOVM.EXE]
C:\Program Files\PowerISO\PWRISOVM.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
"C:\Program Files\QuickTime\qttask.exe" -atboottime

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RemoteControl]
"C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Skype]
"C:\Program Files\Skype\Phone\Skype.exe" /nosplash /minimized

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SSBkgdUpdate]
"C:\Program Files\Common Files\Scansoft Shared\SSBkgdUpdate\SSBkgdupdate.exe" -Embedding -boot

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
"C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\swg]
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SynTPEnh]
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SynTPLpr]
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Uniblue RegistryBooster 2]
C:\Documents and Settings\dis0003\Desktop\RegistryBooster 2\RegistryBooster.exe /S

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\vptray]
C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Windows Defender]
"C:\Program Files\Windows Defender\MSASCui.exe" -hide

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"avast! Web Scanner"=3 (0x3)
"avast! Mail Scanner"=3 (0x3)
"avast! Antivirus"=2 (0x2)
"aswUpdSv"=2 (0x2)
"aawservice"=2 (0x2)

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
bthsvcs BthServ


-- Hosts -----------------------------------------------------------------------

127.0.0.1 007guard.com
127.0.0.1 www.007guard.com
127.0.0.1 008i.com
127.0.0.1 008k.com
127.0.0.1 www.008k.com
127.0.0.1 00hq.com
127.0.0.1 www.00hq.com
127.0.0.1 010402.com
127.0.0.1 032439.com
127.0.0.1 www.032439.com

7489 more entries in hosts file.


-- End of Deckard's System Scanner: finished at 2007-11-21 14:08:39 ------------

Attachments
Deckard's System Scanner v20071014.68
Extra logfile - please post this as an attachment with your post.
--------------------------------------------------------------------------------

-- System Information ----------------------------------------------------------

Microsoft Windows XP Professional (build 2600) SP 2.0
Architecture: X86; Language: English

CPU 0: Intel(R) Pentium(R) M processor 1.60GHz
Percentage of Memory in Use: 48%
Physical Memory (total/avail): 1022.42 MiB / 522.45 MiB
Pagefile Memory (total/avail): 2460.8 MiB / 1999.09 MiB
Virtual Memory (total/avail): 2047.88 MiB / 1907.44 MiB

C: is Fixed (NTFS) - 17.53 GiB total, 3.66 GiB free. 
D: is Fixed (FAT32) - 17.7 GiB total, 6.37 GiB free. 
E: is CDROM (No Media)

\\.\PHYSICALDRIVE0 - TOSHIBA MK4025GAS - 37.26 GiB - 3 partitions
  \PARTITION0 - Unknown - 2.01 GiB
  \PARTITION1 (bootable) - Installable File System - 17.53 GiB - C:
  \PARTITION2 - Extended w/Extended Int 13 - 17.71 GiB - D:



-- Security Center -------------------------------------------------------------

AUOptions is scheduled to auto-install.
Windows Internal Firewall is enabled.

AV: AVG 7.5.503 v7.5.503 (Grisoft)
AV: avast! antivirus 4.7.1043 [VPS 071120-0] v4.7.1043 (ALWIL Software) Disabled

[HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"C:\\Documents and Settings\\dis0003\\My Documents\\U Bangi Routine\\Other\\LieroX v0.56b Pack 1.7\\LieroX.exe"="C:\\Documents and Settings\\dis0003\\My Documents\\U Bangi Routine\\Other\\LieroX v0.56b Pack 1.7\\LieroX.exe:*:Enabled:LieroX"
"C:\\Program Files\\BitTorrent\\bittorrent.exe"="C:\\Program Files\\BitTorrent\\bittorrent.exe:*:Enabled:bittorrent"
"C:\\Documents and Settings\\dis0003\\My Documents\\U Bangi Routine\\GBA Games\\FLAMING HOT GAMES\\VBA\\vbaserver.exe"="C:\\Documents and Settings\\dis0003\\My Documents\\U Bangi Routine\\GBA Games\\FLAMING HOT GAMES\\VBA\\vbaserver.exe:*:Enabled:vbaserver"
"C:\\Program Files\\Vektor Space\\VektorSpace.exe"="C:\\Program Files\\Vektor Space\\VektorSpace.exe:*:Enabled:VektorSpace Multiplayer Alpha Executable"
"C:\\Program Files\\MSN Messenger\\msncall.exe"="C:\\Program Files\\MSN Messenger\\msncall.exe:*:Enabled:Windows Live Messenger 8.0 (Phone)"
"\\\\172.18.0.50\\GaiaData$\\gpclient.exe"="\\\\172.18.0.50\\GaiaData$\\gpclient.exe:*:Enabled:gpclient.exe"
"D:\\Game Program Files\\iTunes\\iTunes.exe"="D:\\Game Program Files\\iTunes\\iTunes.exe:*:Enabled:iTunes"
"D:\\Game Program Files\\Bit\\bittorrent.exe"="D:\\Game Program Files\\Bit\\bittorrent.exe:*:Enabled:bittorrent"
"C:\\Program Files\\MSN Messenger\\msnmsgr.exe"="C:\\Program Files\\MSN Messenger\\msnmsgr.exe:*:Enabled:Windows Live Messenger 8.1"
"C:\\Program Files\\MSN Messenger\\livecall.exe"="C:\\Program Files\\MSN Messenger\\livecall.exe:*:Enabled:Windows Live Messenger 8.1 (Phone)"

[HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"D:\\Desktop\\Pong\\pong.exe"="D:\\Desktop\\Pong\\pong.exe:*:Enabled:pong"
"C:\\WINDOWS\\system32\\dplaysvr.exe"="C:\\WINDOWS\\system32\\dplaysvr.exe:*:Enabled:Microsoft DirectPlay Helper"
"C:\\Program Files\\Mozilla Firefox\\firefox.exe"="C:\\Program Files\\Mozilla Firefox\\firefox.exe:*:Enabled:Firefox"
"C:\\Program Files\\Blockland\\Blockland.exe"="C:\\Program Files\\Blockland\\Blockland.exe:*:Enabled:Blockland"
"C:\\Program Files\\blockland0002\\blockLand.exe"="C:\\Program Files\\blockland0002\\blockLand.exe:*:Enabled:blockLand"
"C:\\Program Files\\Vektor Space\\VektorSpace.exe"="C:\\Program Files\\Vektor Space\\VektorSpace.exe:*:Enabled:VektorSpace Multiplayer Alpha Executable"
"C:\\Program Files\\BitTorrent\\bittorrent.exe"="C:\\Program Files\\BitTorrent\\bittorrent.exe:*:Enabled:BitTorrent"
"C:\\StubInstaller.exe"="C:\\StubInstaller.exe:*:Enabled:LimeWire swarmed installer"
"C:\\Program Files\\LimeWire\\LimeWire.exe"="C:\\Program Files\\LimeWire\\LimeWire.exe:*:Enabled:LimeWire"
"C:\\Program Files\\Windows Media Player\\wmplayer.exe"="C:\\Program Files\\Windows Media Player\\wmplayer.exe:*:Enabled:Windows Media Player"
"C:\\Program Files\\Wizet\\MapleStory\\MapleStory.exe"="C:\\Program Files\\Wizet\\MapleStory\\MapleStory.exe:*:Enabled:MapleStory"
"C:\\Program Files\\Tremulous\\tremulous.exe"="C:\\Program Files\\Tremulous\\tremulous.exe:*:Enabled:tremulous"
"C:\\Documents and Settings\\dis0003\\My Documents\\U Bangi Routine\\GBA Games\\FLAMING HOT GAMES\\VBA\\vbaserver.exe"="C:\\Documents and Settings\\dis0003\\My Documents\\U Bangi Routine\\GBA Games\\FLAMING HOT GAMES\\VBA\\vbaserver.exe:*:Enabled:vbaserver"
"C:\\Program Files\\Gate88_Mar19_05\\gate88.exe"="C:\\Program Files\\Gate88_Mar19_05\\gate88.exe:*:Enabled:gate88"
"C:\\Program Files\\PlayNow\\PlayNowClient.exe"="C:\\Program Files\\PlayNow\\PlayNowClient.exe:*:Enabled:PlayNow 1.0.22"
"C:\\Program Files\\Wizet\\MapleStory\\Patcher.exe"="C:\\Program Files\\Wizet\\MapleStory\\Patcher.exe:*:Enabled:Patcher MFC ?? ????"
"C:\\Program Files\\Wizet\\MapleStory\\NewPatcher.exe"="C:\\Program Files\\Wizet\\MapleStory\\NewPatcher.exe:*:Enabled:Patcher MFC ?? ????"
"C:\\WINDOWS\\system32\\dpvsetup.exe"="C:\\WINDOWS\\system32\\dpvsetup.exe:*:Enabled:Microsoft DirectPlay Voice Test"
"C:\\WINDOWS\\system32\\rundll32.exe"="C:\\WINDOWS\\system32\\rundll32.exe:*:Enabled:Run a DLL as an App"
"C:\\Program Files\\Armagetron Advanced\\armagetronad.exe"="C:\\Program Files\\Armagetron Advanced\\armagetronad.exe:*:Enabled:armagetronad"
"C:\\Program Files\\Net Tools\\nettools4.exe"="C:\\Program Files\\Net Tools\\nettools4.exe:*:Enabled:Net Tools by Mohammad Ahmadi Bidakhvidi"
"D:\\SC\\SpaceCowboy.exe"="D:\\SC\\SpaceCowboy.exe:*:Enabled:SpaceCowboy MFC Application"
"D:\\Game Program Files\\Worms Armageddon\\wormsarm\\WA.exe"="D:\\Game Program Files\\Worms Armageddon\\wormsarm\\WA.exe:*:Enabled:Worms Armageddon"
"D:\\Game Program Files\\wormsarm\\WA.exe"="D:\\Game Program Files\\wormsarm\\WA.exe:*:Enabled:Worms Armageddon"
"C:\\Program Files\\MSN Messenger\\msncall.exe"="C:\\Program Files\\MSN Messenger\\msncall.exe:*:Enabled:Windows Live Messenger 8.0 (Phone)"
"C:\\Program Files\\Java\\jre1.5.0_07\\bin\\javaw.exe"="C:\\Program Files\\Java\\jre1.5.0_07\\bin\\javaw.exe:*:Enabled:Java(TM) 2 Platform Standard Edition binary"
"C:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"="C:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe:*:Enabled:AOL Loader"
"C:\\Program Files\\Common Files\\AOL\\1158301443\\ee\\aolsoftware.exe"="C:\\Program Files\\Common Files\\AOL\\1158301443\\ee\\aolsoftware.exe:*:Enabled:AOL Services"
"C:\\Program Files\\Common Files\\AOL\\1158301443\\ee\\aim6.exe"="C:\\Program Files\\Common Files\\AOL\\1158301443\\ee\\aim6.exe:*:Enabled:AIM"
"D:\\Game Program Files\\TrackMania Nations ESWC\\TmNationsESWC.exe"="D:\\Game Program Files\\TrackMania Nations ESWC\\TmNationsESWC.exe:*:Enabled:TmNationsESWC"
"D:\\Game Program Files\\Wizet\\MapleStory\\Patcher.exe"="D:\\Game Program Files\\Wizet\\MapleStory\\Patcher.exe:*:Enabled:Patcher MFC ?? ????"
"C:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"="C:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe:*:Enabled:Yahoo! Messenger"
"C:\\Program Files\\Yahoo!\\Messenger\\YServer.exe"="C:\\Program Files\\Yahoo!\\Messenger\\YServer.exe:*:Enabled:Yahoo! FT Server"
"C:\\Program Files\\Google\\Google Talk\\googletalk.exe"="C:\\Program Files\\Google\\Google Talk\\googletalk.exe:*:Enabled:Google Talk"
"D:\\FlashGet\\UTORRENT.EXE"="D:\\FlashGet\\UTORRENT.EXE:*:Enabled:Torrent"
"D:\\Game Program Files\\Bit\\bittorrent.exe"="D:\\Game Program Files\\Bit\\bittorrent.exe:*:Enabled:BitTorrent"
"C:\\Documents and Settings\\dis0003\\Desktop\\utorrent.exe"="C:\\Documents and Settings\\dis0003\\Desktop\\utorrent.exe:*:Enabled:Torrent"
"D:\\Game Program Files\\BitComet\\BitComet.exe"="D:\\Game Program Files\\BitComet\\BitComet.exe:*:Enabled:BitComet - a BitTorrent Client"
"D:\\Game Program Files\\Vent Server\\ventrilo_srv.exe"="D:\\Game Program Files\\Vent Server\\ventrilo_srv.exe:*:Enabled:ventrilo_srv"
"D:\\Game Program Files\\Soldat\\Soldat.exe"="D:\\Game Program Files\\Soldat\\Soldat.exe:*:Enabled:Soldat"
"D:\\Other\\Other\\LieroX v0.56b Pack 1.7\\LieroX.exe"="D:\\Other\\Other\\LieroX v0.56b Pack 1.7\\LieroX.exe:*:Enabled:LieroX"
"C:\\Program Files\\Softnyx Canada\\GunBound Classic\\GunBound.exe"="C:\\Program Files\\Softnyx Canada\\GunBound Classic\\GunBound.exe:*:Enabled:GunBound Startup Application"
"C:\\Program Files\\Softnyx Canada\\GunBound Classic\\img\\GBC.YIFF"="C:\\Program Files\\Softnyx Canada\\GunBound Classic\\img\\GBC.YIFF:*:Enabled:GunBound"
"D:\\Game Program Files\\GBC\\Softnyx Canada\\GunBound Classic\\GunBound.exe"="D:\\Game Program Files\\GBC\\Softnyx Canada\\GunBound Classic\\GunBound.exe:*:Enabled:GunBound Startup Application"
"C:\\Program Files\\MSN Messenger\\msnmsgr.exe"="C:\\Program Files\\MSN Messenger\\msnmsgr.exe:*:Enabled:Windows Live Messenger 8.1"
"C:\\Program Files\\MSN Messenger\\livecall.exe"="C:\\Program Files\\MSN Messenger\\livecall.exe:*:Enabled:Windows Live Messenger 8.1 (Phone)"
"D:\\The Bad Stuff\\mIRC\\mirc.exe"="D:\\The Bad Stuff\\mIRC\\mirc.exe:*:Enabled:mIRC"
"C:\\Program Files\\Apache Software Foundation\\Apache2.2\\bin\\httpd.exe"="C:\\Program Files\\Apache Software Foundation\\Apache2.2\\bin\\httpd.exe:*:Enabled:Apache HTTP Server"
"D:\\Game Program Files\\CSS\\Counter-Strike Source\\hl2.exe"="D:\\Game Program Files\\CSS\\Counter-Strike Source\\hl2.exe:*:Enabled:hl2"
"C:\\Program Files\\Hamachi\\hamachi.exe"="C:\\Program Files\\Hamachi\\hamachi.exe:*:Enabled:Hamachi"
"D:\\Game Program Files\\CSS\\Counter-Strike Source\\cstrike.exe"="D:\\Game Program Files\\CSS\\Counter-Strike Source\\cstrike.exe:*:Enabled:cstrike.exe"
"C:\\Program Files\\Last.fm\\LastFM.exe"="C:\\Program Files\\Last.fm\\LastFM.exe:*:Enabled:LastFM"
"C:\\Program Files\

Kyle, please read all of this.

Ok, now I think I've made some headway into this.

I examined my own HijackThis log and actually fixed a couple of things that I thought shouldn't have been auto loading themselves into my registry on startup.

They were:

ixplore.exe
ixplore.exe

Google told me that this is actually a trojan. Deleting this seemed to reveal the real problem, as conducting another scan revealed an entry I hadn't seen before, ljhif.dll. A quick Google search told me that this was a bad thing and that it was somehow related to winlogon.exe (I told you how a certain program had caused winlogon.exe to crash right before this whole problem started).

I went into the System 32 folder and used Unlocker to unlock the process. This caused absolute chaos; message boxes were popping up really fast. The first one was an error telling me that "rundll32.exe had crashed", which was then followed by two "Data Execution Prevention" message boxes telling me that "run dll as an app" was stopped to prevent damage to my laptop.

After that, it seemed to be over. No more explorer.exe restarting. The lag was gone. I was even starting to type my post here on how it was fixed...until all of a sudden explorer.exe crashed again, and the occasional freezing lag thing appeared again.

I went back into HijackThis and found that instead of ljhif.dll, there was a new entry, xxwvt.dll. I then went and found it in the System 32 file, unlocked it with Unlocker (Unlocker said that it was being used by explorer.exe), and then used HijackThis to fix it.

Once again, explorer stopped crashing and the lag was gone. So I thought once again that I had won. I had even typed the first couple of lines into the post when explorer.exe disappeared again. HijackThis showed me that xxwvt.dll was back again.

I'm pretty sure that if I can find a way to stop the dlls from respawning, my problem will be fixed. Please help me find the cause of this.
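
The load points this thread turned up (the extra entry in the LSA "Authentication Packages" value, the ShellExecuteHooks DLL, and a Run value pointing into a misspelled system folder) can be pulled out of a DSS-style log mechanically instead of being eyeballed. The script below is an added example written for this thread, not code from Deckard's System Scanner, ComboFix or HijackThis; its sample lines are constructed from the log posted above, and the reference name lists and the 0.8 similarity threshold are assumptions.

```python
"""Flag suspicious auto-start entries in a Deckard's System Scanner style
"Reg Loading Points" dump.  Added example for this thread; the known-name
lists and the similarity threshold are assumptions, not DSS behaviour."""
import difflib
import re
from collections import namedtuple

Finding = namedtuple("Finding", "kind where detail")

# Constructed sample: the shape of the DSS log posted above, trimmed to one
# legitimate entry plus the three odd ones the thread discusses.
SAMPLE_LOG = r"""
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 05:00]

[HKEY_USERS\.default\software\microsoft\windows\currentversion\run]
"Oshddndf"=C:\WINDOWS\YSTEM3~1\IXPLOR~1.EXE
"Spyware Doctor"=

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
"{8ED2EE63-44E2-46A6-8BB4-E486F5F22EF4}"= C:\WINDOWS\system32\wvurqnm.dll [2007-11-17 08:18 37376]

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
"Authentication Packages"= msv1_0 C:\\WINDOWS\\system32\\ljhif
"""

VALUE_RE = re.compile(r'^"([^"]*)"\s*=\s*(.*?)\s*$')
# Assumed reference names; a "lookalike" is a near-miss of one of these.
SYSTEM_DIRS = ("windows", "system32", "system", "program files", "common files")
SYSTEM_EXES = ("iexplore.exe", "explorer.exe", "svchost.exe", "winlogon.exe",
               "lsass.exe", "csrss.exe", "services.exe", "rundll32.exe")
THRESHOLD = 0.8  # assumed cut-off for difflib's similarity ratio


def parse_sections(text):
    """Map each [registry key] header (lower-cased) to the lines under it."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].lower()
            sections.setdefault(current, [])
        elif current is not None:
            sections[current].append(line)
    return sections


def split_value(line):
    """'"name"=value [date size]' -> (name, value with the trailing [..] removed)."""
    m = VALUE_RE.match(line)
    if not m:
        return None, line
    value = re.sub(r"\s*\[[^\]]*\]\s*$", "", m.group(2))
    return m.group(1), value.strip('"')


def similarity(a, b):
    return difflib.SequenceMatcher(None, a, b).ratio()


def lookalike(component, known):
    """Return the known name a path component imitates, or None.
    8.3 short names (YSTEM3~1, IXPLOR~1.EXE) are compared without the ~N tail."""
    comp = re.sub(r"~\d+", "", component.lower())
    if not comp or comp in known:
        return None
    for name in known:
        if similarity(comp, name) >= THRESHOLD:
            return name
    return None


def scan(text):
    findings = []
    for key, lines in parse_sections(text).items():
        for line in lines:
            name, value = split_value(line)
            # 1. LSA authentication packages: Windows XP ships with msv1_0 only,
            #    so any further token is a DLL that lsass.exe will load at boot.
            if key.endswith(r"\control\lsa") and name and name.lower() == "authentication packages":
                for pkg in value.split():
                    if pkg.lower() != "msv1_0":
                        findings.append(Finding("lsa-auth-package", key, pkg))
            # 2. ShellExecuteHooks: anything but the stock shell32.dll hook gets reviewed.
            elif key.endswith("\\shellexecutehooks"):
                if value.lower().rsplit("\\", 1)[-1] != "shell32.dll":
                    findings.append(Finding("shell-execute-hook", name, value))
            # 3. Run values: directory or file names that imitate system names.
            elif key.endswith("\\run") and value:
                parts = value.split("\\")
                for part in parts[:-1]:
                    hit = lookalike(part, SYSTEM_DIRS)
                    if hit:
                        findings.append(Finding("lookalike-dir", name, f"{part} -> {hit}"))
                hit = lookalike(parts[-1], SYSTEM_EXES)
                if hit:
                    findings.append(Finding("lookalike-exe", name, f"{parts[-1]} -> {hit}"))
    return findings


if __name__ == "__main__":
    for f in scan(SAMPLE_LOG):
        print(f"{f.kind:20} {f.where}: {f.detail}")
```

Run against the full DSS log the same way; the lookalike check is deliberately fuzzy, so treat its hits as "look at this" rather than as a verdict.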


After the second time of removing xxwvt.dll, it didn't come back. I even restarted just to make sure.

I guess it's over. Problem solved.


Nice Find! Now Combofix is working again so I'd like you to run it just to make sure everything is gone. Just to let you know it restarts your computer so don't freak out.

Please download Combofix.exe from here to your desktop. Double click it to run, and when prompted type 1 and enter. Now DO NOT touch the mouse or keyboard until the scan is done completely. It should finish shortly after it restarts the computer. After it's done it will open up notepad; copy and paste the contents here in your next post.

Combofix and Deckard's System Scanner are similar, but Combofix deletes problem files automatically and DSS does not. It also has the ability to delete files.

Also, you have entries in your hosts file that were created by this trojan, so you should use HJT to fix that. To do this, run HJT and select "open misc tools section" and then click on "Open hosts file manager".
Now select the bogus entries by clicking on them and then click "delete line". (The ones you should delete will be pretty obvious...if you've never seen the site that's listed, delete the line.)


It seemed that rather than respawning, each .dll was simply being replaced with another one. ComboFix just removed all of these backup replacement dlls.

I checked the hosts file before and after I ran ComboFix. ComboFix deleted all of the bad website URLs that were in there.


And it's apparently not over. Even after using ComboFix another .dll appeared.

Here's the ComboFix.txt:

ComboFix 07-11-19.3 - DIS0003 2007-11-23 17:07:06.1 - NTFSx86
Microsoft Windows XP Professional  5.1.2600.2.1252.1.1033.18.537 [GMT 11:00]
Running from: C:\Documents and Settings\dis0003\Desktop\ComboFix.exe
 * Created a new restore point
.

(((((((((((((((((((((((((((((((((((((((   Other Deletions   )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Program Files\Common Files\misc001
C:\WINDOWS\sks~1
C:\WINDOWS\system32\aaycf.ini
C:\WINDOWS\system32\aaycf.ini2
C:\WINDOWS\system32\dfefe.ini
C:\WINDOWS\system32\dfefe.ini2
C:\WINDOWS\system32\fcyaa.dll
C:\WINDOWS\system32\fihjl.ini
C:\WINDOWS\system32\fihjl.ini2
C:\WINDOWS\system32\ggjlm.ini
C:\WINDOWS\system32\ggjlm.ini2
C:\WINDOWS\system32\mljgg.dll
C:\WINDOWS\system32\nmnpo.ini
C:\WINDOWS\system32\nmnpo.ini2
C:\WINDOWS\system32\nnmoq.ini
C:\WINDOWS\system32\nnmoq.ini2
C:\WINDOWS\system32\opnmn.dll
C:\WINDOWS\system32\ppsut.ini
C:\WINDOWS\system32\ppsut.ini2
C:\WINDOWS\system32\qomnn.dll
C:\WINDOWS\system32\tuspp.dll
C:\WINDOWS\system32\tuwxx.ini
C:\WINDOWS\system32\tuwxx.ini2
C:\WINDOWS\system32\tvwxx.ini
C:\WINDOWS\system32\tvwxx.ini2
C:\WINDOWS\system32\wnstssu.exe
C:\WINDOWS\ystem3~1
C:\WINDOWS\ystem3~1\i?xplore.exe

.
(((((((((((((((((((((((((   Files Created from 2007-10-23 to 2007-11-23  )))))))))))))))))))))))))))))))
.

2007-11-23 17:09    272,820 --a--c---   C:\WINDOWS\system32\wvurs.dll
2007-11-21 14:23    <DIR>    d----c---   C:\Documents and Settings\All Users\Application Data\AOL OCP
2007-11-21 14:22    <DIR>    d----c---   C:\Program Files\AIM6
2007-11-21 13:56    <DIR>    d----c---   C:\Deckard
2007-11-20 17:12    <DIR>    d----c---   C:\WINDOWS\system32\ActiveScan
2007-11-20 17:12    30,590  --a--c---   C:\WINDOWS\system32\pavas.ico
2007-11-20 15:48    <DIR>    d----c---   C:\VundoFix Backups
2007-11-19 21:29    <DIR>    d----c---   C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2007-11-19 20:14    <DIR>    d----c---   C:\Program Files\CCleaner
2007-11-19 17:07    73,472  --a--c---   C:\WINDOWS\system32\dllcache\sr.sys
2007-11-19 16:01    317 --ahsc---   C:\WINDOWS\system32\jknpo.ini
2007-11-19 00:05    51,200  --a--c---   C:\WINDOWS\system32\dumphive.exe
2007-11-18 02:25    0   --a--c---   C:\WINDOWS\system32\asfiles.txt
2007-11-18 02:02    1,406   --a--c---   C:\WINDOWS\system32\Help.ico
2007-11-18 00:43    801,144 --a--c---   C:\WINDOWS\system32\aswBoot.exe
2007-11-18 00:43    95,608  --a--c---   C:\WINDOWS\system32\AvastSS.scr
2007-11-18 00:43    92,848  --a--c---   C:\WINDOWS\system32\drivers\aswmon.sys
2007-11-18 00:43    26,624  --a--c---   C:\WINDOWS\system32\drivers\aavmker4.sys
2007-11-17 22:28    <DIR>    d----c---   C:\Documents and Settings\All Users\Application Data\Grisoft
2007-11-17 20:26    317 --ahsc---   C:\WINDOWS\system32\xwvwa.ini
2007-11-17 20:18    37,376  --a--c---   C:\WINDOWS\system32\wvurqnm.dll
2007-11-17 19:35    <DIR>    d----c---   C:\Documents and Settings\All Users\Application Data\Kaspersky Lab Setup Files
2007-11-16 19:16    <DIR>    d----c---   C:\Program Files\Pointstone
2007-11-13 23:01    <DIR>    d----c---   C:\Program Files\AimGames
2007-11-04 22:18    <DIR>    d----c---   C:\Documents and Settings\dis0003\Application Data\teamspeak2
2007-11-04 22:18    34,064  --a--c---   C:\WINDOWS\system32\lhacm.acm
2007-11-03 17:28    <DIR>    d----c---   C:\Documents and Settings\NetworkService\Application Data\Xfire

.
((((((((((((((((((((((((((((((((((((((((   Find3M Report   ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2007-11-22 14:43    ---------   dc----w C:\Documents and Settings\dis0003\Application Data\AVG7
2007-11-22 13:13    ---------   dc----w C:\Program Files\Common Files\Wise Installation Wizard
2007-11-22 12:54    ---------   dc----w C:\Program Files\Avant Browser
2007-11-22 12:52    ---------   dc----w C:\Program Files\DFX
2007-11-22 10:18    ---------   dc----w C:\Program Files\mIRC
2007-11-21 04:01    ---------   dc----w C:\Documents and Settings\All Users\Application Data\Viewpoint
2007-11-21 03:26    ---------   dc----w C:\Documents and Settings\All Users\Application Data\AOL
2007-11-21 03:23    ---------   dc----w C:\Program Files\Common Files\AOL
2007-11-20 08:13    ---------   dc----w C:\Program Files\Windows Defender
2007-11-20 08:12    ---------   dc----w C:\Program Files\MSN Messenger
2007-11-20 06:52    ---------   dc----w C:\Program Files\NetBattle
2007-11-18 13:44    ---------   dc----w C:\Program Files\Spyware Doctor
2007-11-18 11:25    ---------   dc--a-w C:\Documents and Settings\All Users\Application Data\TEMP
2007-11-18 06:05    ---------   dc----w C:\Program Files\PowerISO
2007-11-18 06:05    ---------   dc----w C:\Program Files\Notepad++
2007-11-18 06:05    ---------   dc----w C:\Program Files\7-Zip
2007-11-18 06:04    ---------   dc----w C:\Program Files\Microsoft Silverlight
2007-11-17 13:43    ---------   dc----w C:\Program Files\Alwil Software
2007-11-17 11:26    ---------   dc----w C:\Documents and Settings\All Users\Application Data\avg7
2007-11-17 08:45    ---------   dc----w C:\Program Files\Common Files\Symantec Shared
2007-11-15 12:48    ---------   dc----w C:\Program Files\Bonjour
2007-11-09 06:06    ---------   dc----w C:\Documents and Settings\dis0003\Application Data\Xfire
2007-10-23 05:52    ---------   dc----w C:\Documents and Settings\dis0003\Application Data\Hamachi
2007-10-22 07:37    ---------   dc----w C:\Program Files\Cheat Engine
2007-10-20 09:23    ---------   dc----w C:\Program Files\IObit
2007-10-18 13:53    ---------   dc----w C:\Program Files\Common Files\ScanSoft Shared
2007-10-18 13:53    ---------   dc----w C:\Documents and Settings\All Users\Application Data\ScanSoft
2007-10-18 13:52    ---------   dc----w C:\Program Files\ScanSoft
2007-10-16 07:11    ---------   dc----w C:\Program Files\Google
2007-10-16 06:18    ---------   dc----w C:\Program Files\Softnyx Canada
2007-10-06 15:14    ---------   dc----w C:\Documents and Settings\dis0003\Application Data\Audacity
2007-10-06 08:45    ---------   dc----w C:\Program Files\Any Sound Recorder
2007-10-04 09:37    ---------   dc----w C:\Program Files\Audacity 1.3 Beta (Unicode)
2007-10-01 19:39    ---------   dc----w C:\Program Files\Microsoft Visual Studio 9.0
2007-10-01 12:06    ---------   dc----w C:\Documents and Settings\All Users\Application Data\Microsoft Help
2007-10-01 11:59    ---------   dc----w C:\Program Files\Microsoft SDKs
2007-10-01 11:53    ---------   dc----w C:\Program Files\Reference Assemblies
2007-10-01 11:53    ---------   dc----w C:\Program Files\MSBuild
2007-10-01 10:44    ---------   dc----w C:\Program Files\Canon
2007-10-01 10:42    ---------   dc-h--w C:\Program Files\InstallShield Installation Information
2007-09-30 19:44    ---------   dc----w C:\Program Files\Microsoft
2007-09-30 19:02    ---------   dc----w C:\Program Files\Fiddler2
2007-09-30 17:52    ---------   dc----w C:\Program Files\Fiddler
2007-09-30 17:48    796,672 -c--a-w C:\WINDOWS\GPInstall.exe
2007-09-26 11:38    ---------   dc----w C:\Documents and Settings\dis0003\Application Data\Avant Profiles
2006-07-07 12:43    0   -c-ha-w C:\Program Files\Common Files\mqmq
.

(((((((((((((((((((((((((((((((((((((   Reg Loading Points   ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown 

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 05:00]
"msnmsgr"="C:\Program Files\MSN Messenger\msnmsgr.exe" [2007-01-19 12:54]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"LaunchApp"="Alaunch" []
"SoundMan"="SOUNDMAN.EXE" [2004-05-14 15:47 C:\WINDOWS\SOUNDMAN.EXE]
"AGRSMMSG"="AGRSMMSG.exe" [2003-11-19 00:41 C:\WINDOWS\AGRSMMSG.exe]
"eRecoveryService"="C:\Windows\System32\Check.exe" [2004-07-20 13:14]
"ATIPTA"="C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [2004-05-15 21:10]
"EPM-DM"="c:\acer\epm\epm-dm.exe" [2004-07-14 14:19]
"ePowerManagement"="C:\Acer\ePM\ePM.exe" [2004-09-01 17:38]
"LManager"="C:\Program Files\Launch Manager\QtZgAcer.EXE" [2004-06-30 15:41]
"ISUSScheduler"="C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" [2005-02-16 17:15]
"CmUsbSound"="RunDll32 cmcnfgu.cpl" []
"ISUSPM Startup"="c:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\isuspm.exe" [2004-06-16 07:03]
"AVG7_CC"="C:\PROGRA~1\Grisoft\AVG7\avgcc.exe" [2007-11-17 22:28]
"avast!"="C:\PROGRA~1\Alwil Software\Avast4\ashDisp.exe" [2007-09-06 20:06]
"MSConfig"="C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe" [2005-09-27 11:34]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"Spyware Doctor"="" []
"AVG7_Run"="C:\PROGRA~1\Grisoft\AVG7\avgw.exe" [2007-11-17 22:29]

C:\Documents and Settings\dis0003\Start Menu\Programs\Startup\
Adobe Gamma.lnk - C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2004-12-21 14:49:31]
WordWeb.lnk - C:\Program Files\WordWeb\wweb32.exe [2006-07-04 17:26:30]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Adobe Gamma Loader.lnk - C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2004-12-21 14:49:31]
Adobe Reader Speed Launch.lnk - C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2005-09-24 17:05:26]
NETGEAR Smart Wizard.lnk - C:\WINDOWS\Installer\{B93D24B3-928D-4805-B379-4AA47CB3794E}\NewShortcut2.exe [2007-02-05 11:17:58]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"disablecad"= 0 (0x0)

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]
"NoResolveSearch"= 1 (0x1)

[hklm\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{8ED2EE63-44E2-46A6-8BB4-E486F5F22EF4}"= C:\WINDOWS\system32\wvurqnm.dll [2007-11-17 20:18 37376]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\WBSrv]
C:\PROGRA~1\Stardock\Object Desktop\WindowBlinds\wbsrv.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-1292428093-1757981266-682003330-32192\Scripts\Logon\0\0]
"Script"=StudentScripts.vbs

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-1292428093-1757981266-682003330-32192\Scripts\Logon\1\0]
"Script"=LaptopProgram.vbs

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Last.fm Helper.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Last.fm Helper.lnk
backup=C:\WINDOWS\pss\Last.fm Helper.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^dis0003^Start Menu^Programs^Startup^WinMySQLadmin.lnk]
path=C:\Documents and Settings\dis0003\Start Menu\Programs\Startup\WinMySQLadmin.lnk
backup=C:\WINDOWS\pss\WinMySQLadmin.lnkStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AAWTray]
            C:\Program Files\Lavasoft\Ad-Aware 2007\AAWTray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Aim6]
            C:\Program Files\AIM6\aim6.exe /d locale=en-US ee://aol/imApp

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AVG7_CC]
            C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BitTorrent]
            D:\Game Program Files\Bit\bittorrent.exe --force_start_minimized

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\googletalk]
            C:\Program Files\Google\Google Talk\googletalk.exe /autostart

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HostManager]
            C:\Program Files\Common Files\AOL\1158301443\ee\AOLSoftware.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HP Component Manager]
            C:\Program Files\HP\hpcoretech\hpcmpmgr.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HP Software Update]
2004-02-19 04:55    49152   --a--c---   C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd2.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HPDJ Taskbar Utility]
            C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb10.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IPHSend]
            C:\Program Files\Common Files\AOL\IPHSend\IPHSend.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ISUSPM Startup]
            C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe -startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\msnmsgr]
            C:\Program Files\MSN Messenger\MsnMsgr.Exe /background

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\OpwareSE4]
2006-03-21 14:19    69632   --a--c---   C:\Program Files\ScanSoft\OmniPageSE4.0\OpwareSE4.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Orb]
            C:\Program Files\Orb Networks\Orb\bin\OrbTray.exe /background

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PWRISOVM.EXE]
2007-01-20 18:09    200704  --a--c---   C:\Program Files\PowerISO\PWRISOVM.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
            C:\Program Files\QuickTime\qttask.exe -atboottime

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RemoteControl]
2003-10-21 11:52    40960   --a--c---   C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Skype]
            C:\Program Files\Skype\Phone\Skype.exe /nosplash /minimized

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SSBkgdUpdate]
            C:\Program Files\Common Files\Scansoft Shared\SSBkgdUpdate\SSBkgdupdate.exe -Embedding -boot

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
2007-07-12 05:00    132496  --a--c---   C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\swg]
            C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SynTPEnh]
2004-05-20 04:57    532480  --a--c---   C:\Program Files\Synaptics\SynTP\SynTPEnh.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SynTPLpr]
2004-05-20 04:57    98304   --a--c---   C:\Program Files\Synaptics\SynTP\SynTPLpr.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Uniblue RegistryBooster 2]
            C:\Documents and Settings\dis0003\Desktop\RegistryBooster 2\RegistryBooster.exe /S

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\vptray]
2002-08-28 14:12    77824   --a--c---   C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Windows Defender]
            C:\Program Files\Windows Defender\MSASCui.exe -hide

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"avast! Web Scanner"=3 (0x3)
"avast! Mail Scanner"=3 (0x3)
"avast! Antivirus"=2 (0x2)
"aswUpdSv"=2 (0x2)
"aawservice"=2 (0x2)

R1 SMBHC;Microsoft SM Bus Host Controller Driver;C:\WINDOWS\system32\DRIVERS\SMBHC.sys
R2 EpmPsd;Acer EPM Power Scheme Driver;\??\C:\WINDOWS\system32\drivers\epm-psd.sys
R2 EpmShd;Acer EPM System Hardware Driver;\??\C:\WINDOWS\system32\drivers\epm-shd.sys
R2 osaio;osaio;C:\WINDOWS\system32\drivers\osaio.sys
R2 osanbm;osanbm;C:\WINDOWS\system32\drivers\osanbm.sys
R3 cmudau;C-Media USB Sound Interface;C:\WINDOWS\system32\drivers\cmudau.sys
R3 DKbFltr;Dritek HotKey Keyboard Filter Driver;C:\WINDOWS\system32\Drivers\DKbFltr.sys
R3 int15.sys;int15.sys;\??\C:\Program Files\acer\erecovery\int15.sys
R3 SMBBATT;Microsoft Smart Battery Driver;C:\WINDOWS\system32\DRIVERS\SMBBATT.sys
R3 W8335XP;NETGEAR WG511v2 54 Mbps Wireless PC Card for Windows XP (8335);C:\WINDOWS\system32\DRIVERS\WG511v2XP.sys
S3 ASPI;Advanced SCSI Programming Interface Driver;\??\C:\WINDOWS\System32\DRIVERS\ASPI32.sys
S3 BPIKSp50;BPIKSp50 NDIS Protocol Driver;\??\E:\BPIKSp50.sys
S3 DISK_DRIVE32;DISK_DRIVE32;\??\D:\Game Program Files\Hizet\newhack\Disk Drove\ce\disk_1024.sys
S3 nocashio;nocashio;C:\WINDOWS\system32\drivers\nocashio.sys

.
Contents of the 'Scheduled Tasks' folder
"2007-11-22 14:39:00 C:\WINDOWS\Tasks\MP Scheduled Scan.job"
- C:\Program Files\Windows Defender\MpCmdRun.exe
.
**************************************************************************

catchme 0.3.1262 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-11-23 17:14:06
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ... 

scanning hidden autostart entries ...

scanning hidden files ... 

scan completed successfully 
hidden files: 0 

**************************************************************************

[HKEY_LOCAL_MACHINE\system\ControlSet001\Services\MySql]
"ImagePath"="c:/xampp/mysql/bin/mysqld-nt.exe"
.
Completion time: 2007-11-23 17:16:16 - machine was rebooted
.
    --- E O F ---

Edited by mike_2000_17: Fixed formatting

0

Another update. As I said earlier, new problematic dlls appear each time. One of which was pmnlk.dll.

Using HijackThis' process manager with the "show dlls" box checked, I scanned each running process for pmnlk.dll. I eventually found it under ctfmon.exe. I got rid of the dll and ended the ctfmon.exe process. Unfortunately, ctfmon.exe keeps reloading itself no matter how many times I end it.

Is ctfmon.exe infected?
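The manual check described above (open each running process, list its loaded DLLs, look for the suspect name) can be scripted. This is an added example, not something from the thread or from HijackThis: it takes a module name (pmnlk.dll is the one named above; the rest is constructed here), reports every process that has it loaded, and records the module's on-disk path, Authenticode status and SHA256 so the file itself, rather than whichever host process happened to load it, is what gets investigated.

```powershell
# Added example (not from the thread): find which running processes have a
# given DLL loaded, then describe the DLL file rather than its host process.
param(
    [string]$ModuleName = 'pmnlk.dll'   # name taken from the thread above
)

$hits = foreach ($p in Get-Process) {
    try {
        # Reading .Modules throws for protected or other-bitness processes;
        # skip those instead of aborting the whole sweep.
        $mods = $p.Modules
    } catch {
        continue
    }

    foreach ($m in $mods) {
        if ($m.ModuleName -ieq $ModuleName) {
            $sig = Get-AuthenticodeSignature -FilePath $m.FileName
            [pscustomobject]@{
                Process   = $p.ProcessName
                PID       = $p.Id
                Module    = $m.FileName
                # 'Valid', 'NotSigned', 'HashMismatch', ... : an unsigned DLL
                # loaded into a signed Windows host is the thing to look at.
                Signature = $sig.Status
                SHA256    = (Get-FileHash -Algorithm SHA256 -Path $m.FileName).Hash
            }
        }
    }
}

if (-not $hits) {
    "No running process currently has $ModuleName loaded."
} else {
    $hits | Format-Table -AutoSize
}
```

Run it from an elevated prompt so that system processes (such as the ctfmon.exe instance mentioned above) can be inspected; a host process that reloads after being ended is usually being restarted by a persistence entry, so the module path and hash are what to quarantine or submit, not the host binary.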

0

Those dlls are Virtumonde again. Run Vundofix.exe again and it should find all of those and delete them. Then rename hijackthis.exe to random.exe and run it again. Post the vundofix log and the new renamed hjt log in your next post.

Also sorry for the delay.
