TheTechGuide Forum
General Category => Tech Clinic => Topic started by: dancingqueen21 on March 09, 2007, 08:55:52 PM
-
PLEASE HELP!
My computer seems to have the viruses Win32:Trojan-gen{UPX!} and also Win32:Trojan-gen{other}. I have tried googling solutions and ways to remove these, and HijackThis seemed to be most popular. I tried downloading HijackThis, but when I try to run it, any windows that are running just disappear or nothing happens.
I am currently using Avast on Windows XP version 2002.
Any help would be greatly appreciated! (I don't want to have to buy a new computer!)
-
Can you try the following for me please
Download ComboScan (http://www.techsupportforum.com/sectools/Deckard/comboscan.exe) to your Desktop.
- Close all applications and windows.
- Double-click on comboscan.exe to run it, and follow the prompts.
- The scan may take a couple of minutes. When the scan is complete, a text file will open - ComboScan.txt
Note: When running ComboScan, some firewalls may warn that sigcheck.exe is trying to access the internet - please ensure that you allow sigcheck.exe permission to do so. Also, it may happen that your Antivirus flags ComboScan as suspicious. Please allow ComboScan to run and don't let your Antivirus delete it. (In this case, it may be better to temporarily disable your Antivirus.)
Post the next logs in your following reply:
- Comboscan.txt
- Supplementary.txt
Note: By default, both logs are saved to the C:\ComboScan folder.
You may need more than one reply to post all the info; please do so if required.
-
Here is my ComboScan.txt:
ComboScan v20070306.20 run by Ace on 2007-03-12 at 01:11:45
Computer is in Normal Mode.
--------------------------------------------------------------------------------
-- System Restore --------------------------------------------------------------
Failed to create restore point; System Restore is disabled (service is not running).
-- Last 2 Restore Point(s) --
2: 2007-03-10 00:49:25 UTC - RP2 - After
1: 2007-03-10 00:27:44 UTC - RP1 - System Checkpoint
Performed disk cleanup.
-- HijackThis (run as Ace.exe) -------------------------------------------------
HijackThis failed to provide a log after three minutes; running clone instead.
-- HijackThis Clone ------------------------------------------------------------
Emulating logfile of HijackThis v1.99.1
Scan saved at 2007-03-12 01:15:35
Platform: Windows XP Service Pack 2 (5.01.2600)
MSIE: Internet Explorer (6.0.2900.2180)
Running processes:
C:\WINDOWS\system32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\svchosts.exe
C:\WINDOWS\QmFudGluZyBGYW1pbHk\command.exe
C:\WINDOWS\system32\CTSVCCDA.EXE
C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\system32\pctspk.exe
C:\WINDOWS\PMJ151LA.BIN
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe
C:\WINDOWS\system32\wdfmgr.exe
C:\WINDOWS\system32\ati2evxx.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\system32\dvwwhgpc\csrss.exe
C:\Program Files\Roxio\Easy Media Creator 7\Drag to Disc\DrgToDsc.exe
C:\WINDOWS\SM1bg.exe
C:\Program Files\Java\jre1.5.0_10\bin\jusched.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Common Files\{3830DA84-0BB6-1033-0217-050312030002}\Update.exe
C:\Program Files\Ipwindows\ipwins.exe
C:\Program Files\Creative\MediaSource\Detector\CTDetect.exe
C:\Documents and Settings\Ace\Application Data\?ppPatch\wuauboot.exe
C:\Program Files\Common Files\??stem32\?xplorer.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\devldr32.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\WINDOWS\system32\dllhost.exe
C:\Program Files\PeDevice\PeDev.exe
C:\Program Files\Java\jre1.5.0_10\bin\jucheck.exe
C:\Documents and Settings\Ace\Desktop\comboscan.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\alg.exe
C:\WINDOWS\system32\wbem\wmiprvse.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.virushelpzone.com/
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = \blank.htm
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://www.google.com/ie
R1 - HKLM\Software\Microsoft\Internet Explorer\Search,Default_Search_URL = http://www.google.com/ie
R1 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.google.com/ie
R3 - Default URLSearchHook is missing
F0 - win.ini: load=C:\WINDOWS\system32\dvwwhgpc\csrss.exe
F0 - win.ini: run=C:\WINDOWS\system32\dvwwhgpc\csrss.exe
F2 - REG:system.ini: UserInit=C:\WINDOWS\System32\Userinit.exe
F3 - REG:win.ini: Load=C:\WINDOWS\System32\Userinit.exe
F3 - REG:win.ini: Run=C:\WINDOWS\System32\Userinit.exe
O1 - Hosts: 127.0.0.1 desktop.kazaa.com
O1 - Hosts: 127.0.0.1 www.altnetp2p.com
O1 - Hosts: 127.0.0.1 alpha.kazaa.com
O1 - Hosts: 127.0.0.1 shop.kazaa.com
O1 - Hosts: 127.0.0.1 www.bonzi.com
O1 - Hosts: 127.0.0.1 www.brilliantdigital.com
O1 - Hosts: 127.0.0.1 www.b3d.com
O1 - Hosts: 127.0.0.1 media.altnet.com
O1 - Hosts: 127.0.0.1 www.altnet.com
O1 - Hosts: 127.0.0.1 dev.bde.com.au
O1 - Hosts: # 821 more entries remain in hosts file.
O2 - BHO: (no name) - {029CA12C-89C1-46a7-A3C7-82F2F98635CB} - (no file)
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_10\bin\ssv.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - C:\Program Files\Google\GoogleToolbar4.dll
O2 - BHO: (no name) - {B36E7466-C9F8-E92E-F5AE-C2DEBBC20AE5} - C:\WINDOWS\system32\mrhlmpie.dll
O2 - BHO: Bar888 - {C1B4DEC2-2623-438e-9CA2-C9043AB28508} - C:\Program Files\Common Files\{3830DA84-0BB6-1033-0217-050312030002}\Bar888.dll
O2 - BHO: PEDEV_IEListener Class - {E1412445-4FF8-410e-8D24-F2CF86B171A4} - C:\Program Files\PeDevice\PeDev.dll
O3 - Toolbar: Bar888 - {C1B4DEC2-2623-438e-9CA2-C9043AB28508} - C:\Program Files\Common Files\{3830DA84-0BB6-1033-0217-050312030002}\Bar888.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Program Files\Google\GoogleToolbar4.dll
O4 - HKLM\..\Run: [Corel Graphics Suite 1117] C:\Program Files\Corel\Corel Graphics 11\Register\registration.exe /title="Corel Graphics Suite 11" /date=092004 serial=DR11CRD-0012082-DGW
O4 - HKLM\..\Run: [RoxioDragToDisc] "C:\Program Files\Roxio\Easy Media Creator 7\Drag to Disc\DrgToDsc.exe"
O4 - HKLM\..\Run: [SM1BG] C:\WINDOWS\SM1BG.EXE
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.5.0_10\bin\jusched.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [{3830DA84-0BB6-1033-0217-050312030002}] "C:\Program Files\Common Files\{3830DA84-0BB6-1033-0217-050312030002}\Update.exe" te-110-12-0000282
O4 - HKLM\..\Run: [IpWins] C:\Program Files\Ipwindows\ipwins.exe
O4 - HKLM\..\Run: [Nfo] C:\WINDOWS\system32\nfomon\nfomon.exe
O4 - HKLM\..\Run: [vidmon] C:\WINDOWS\system32\vidmon\vidmon.exe
O4 - HKCU\..\Run: [ALUAlert] C:\Program Files\Symantec\LiveUpdate\ALUNotify.exe
O4 - HKCU\..\Run: [Creative Detector] C:\Program Files\Creative\MediaSource\Detector\CTDetect.exe /R
O4 - HKCU\..\Run: [Orbt] "C:\DOCUME~1\Ace\APPLIC~1\PPPATC~1\wuauboot.exe" -vt ndrv
O4 - HKCU\..\Run: [Fihhij] C:\Program Files\Common Files\??stem32\?xplorer.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Startup: csrss.lnk =
O4 - Global Startup: Adobe Gamma Loader.exe.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O7 - HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System, DisableRegedit=1
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_10\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_10\bin\ssv.dll
O9 - Extra button: ATI TV - {44226DFF-747E-4edc-B30C-78752E50CD0C} - (file missing)
O9 - Extra 'Tools' menuitem: (no name) - {44226DFF-747E-4edc-B30C-78752E50CD0C} - (file missing)
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - (file missing)
O9 - Extra 'Tools' menuitem: (no name) - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - (file missing)
O9 - Extra button: AOL Instant Messenger (tm) - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM95\aim.exe (file missing)
O9 - Extra 'Tools' menuitem: (no name) - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM95\aim.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O15 - Trusted Zone: *.live.com (HKCU)
O15 - Trusted Zone: *.msn.com (HKCU)
O16 - DPF: RaptisoftGameLoader () - http://www.miniclip.com/hamsterball/raptisoftgameloader.cab
O16 - DPF: {00B71CFB-6864-4346-A978-C0A14556272C} (Checkers Class) - http://messenger.zone.msn.com/binary/msgrchkr.cab31267.cab
O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://www.apple.com/qtactivex/qtplugin.cab
O16 - DPF: {14B87622-7E19-4EA8-93B3-97215F77A6BC} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsPAClient.cab31267.cab
O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
O16 - DPF: {233C1507-6A77-46A4-9443-F871F945D258} (Shockwave ActiveX Control) - http://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
O16 - DPF: {288C5F13-7E52-4ADA-A32E-F5BF9D125F98} (CR64Loader Object) - http://www.miniclip.com/bestfriends/retro64_loader.dll
O16 - DPF: {2917297F-F02B-4B9D-81DF-494B6333150B} (Minesweeper Flags Class) - http://messenger.zone.msn.com/binary/MineSweeper.cab31267.cab
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://by124w.bay124.mail.live.com/mail/resources/MsnPUpld.cab
O16 - DPF: {5F8469B4-B055-49DD-83F7-62B522420ECC} (Facebook Photo Uploader Control) - http://upload.facebook.com/controls/FacebookPhotoUploader.cab
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsClient.cab31267.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://messenger.zone.msn.com/binary/ZIntro.cab47946.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://zone.msn.com/bingame/dim2/default/popcaploader_v6.cab
O16 - DPF: {F127B9BA-89EA-4B04-9C67-2074A9DF61FD} (Photo Upload Plugin Class) - http://costco.pnimedia.com/upload/activex/v2_0_0_9/PCAXSetupv2.0.0.9.cab
O18 - Protocol: cdo - {CD00020A-8B95-11D1-82DB-00C04FB1625D} - C:\Program Files\Common Files\Microsoft Shared\Web Folders\PKMCDO.DLL
O18 - Protocol: lid - {5C135180-9973-46D9-ABF4-148267CBB8BF} - C:\WINDOWS\system32\msvidctl.dll
O18 - Protocol: ms-itss - {0A9007C0-4076-11D3-8789-0000F8105754} - C:\Program Files\Common Files\Microsoft Shared\Information Retrieval\MSITSS.DLL
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O18 - Protocol: mso-offdap - {3D9F03FA-7A94-11D3-BE81-0050048385D1} - C:\Program Files\Common Files\Microsoft Shared\Web Components\10\OWC10.DLL
O18 - Protocol: mso-offdap11 - {32505114-5902-49B2-880A-1F7738E5A384} - C:\Program Files\Common Files\Microsoft Shared\Web Components\11\OWC11.DLL
O18 - Filter: text/xml - {807553E5-5146-11D5-A672-00B0D022E945} - C:\Program Files\Common Files\Microsoft Shared\OFFICE11\MSOXMLMF.DLL
O20 - Winlogon Notify: AtiExtEvent - C:\WINDOWS\system32\Ati2evxx.dll
O23 - Service: Alerter - C:\WINDOWS\system32\svchost.exe -k LocalService
O23 - Service: Application Layer Gateway Service (ALG) - C:\WINDOWS\system32\alg.exe
O23 - Service: Application Management (AppMgmt) - C:\WINDOWS\system32\svchost.exe -k netsvcs
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - "C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe"
O23 - Service: Ati HotKey Poller - C:\WINDOWS\system32\ati2evxx.exe
O23 - Service: ATI Smart - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: Windows Audio (AudioSrv) - C:\WINDOWS\System32\svchost.exe -k netsvcs
O23 - Service: avast! Antivirus - "C:\Program Files\Alwil Software\Avast4\ashServ.exe"
O23 - Service: avast! Mail Scanner - "C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe" /service
O23 - Service: avast! Web Scanner - "C:\Program Files\Alwil Software\Avast4\ashWebSv.exe" /service
O23 - Service: Background Intelligent Transfer Service (BITS) - C:\WINDOWS\system32\svchost.exe -k netsvcs
O23 - Service: Computer Browser (Browser) - C:\WINDOWS\system32\svchost.exe -k netsvcs
O23 - Service: Indexing Service (cisvc) - C:\WINDOWS\system32\cisvc.exe
O23 - Service: Client IP-IPX - "C:\WINDOWS\system32\svchosts.exe" -e te-110-12-0000282
O23 - Service: ClipBook (ClipSrv) - C:\WINDOWS\system32\clipsrv.exe
O23 - Service: Command Service (cmdService) - C:\WINDOWS\QmFudGluZyBGYW1pbHk\command.exe
O23 - Service: COM+ System Application (COMSysApp) - C:\WINDOWS\system32\dllhost.exe /Processid:{02D4B3F1-FD88-11D1-960D-00805FC79235}
O23 - Service: Creative Service for CDROM Access - C:\WINDOWS\system32\CTSVCCDA.EXE
O23 - Service: Cryptographic Services (CryptSvc) - C:\WINDOWS\system32\svchost.exe -k netsvcs
O23 - Service: DCOM Server Process Launcher (DcomLaunch) - C:\WINDOWS\system32\svchost -k DcomLaunch
O23 - Service: DHCP Client (Dhcp) - C:\WINDOWS\system32\svchost.exe -k netsvcs
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - C:\WINDOWS\System32\dmadmin.exe /com
O23 - Service: Logical Disk Manager (dmserver) - C:\WINDOWS\System32\svchost.exe -k netsvcs
O23 - Service: DNS Client (Dnscache) - C:\WINDOWS\system32\svchost.exe -k NetworkService
O23 - Service: EPSON Printer Status Agent2 (EPSONStatusAgent2) - C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
O23 - Service: Error Reporting Service (ERSvc) - C:\WINDOWS\System32\svchost.exe -k netsvcs
O23 - Service: Event Log (Eventlog) - C:\WINDOWS\system32\services.exe
O23 - Service: COM+ Event System (EventSystem) - C:\WINDOWS\system32\svchost.exe -k netsvcs
O23 - Service: Fast User Switching Compatibility (FastUserSwitchingCompatibility) - C:\WINDOWS\System32\svchost.exe -k netsvcs
O23 - Service: Google Updater Service (gusvc) - "C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe"
O23 - Service: Help and Support (helpsvc) - C:\WINDOWS\System32\svchost.exe -k netsvcs
O23 - Service: Human Interface Device Access (HidServ) - C:\WINDOWS\System32\svchost.exe -k netsvcs
O23 - Service: HTTP SSL (HTTPFilter) - C:\WINDOWS\System32\svchost.exe -k HTTPFilter
O23 - Service: InstallDriver Table Manager (IDriverT) - "C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe"
O23 - Service: IMAPI CD-Burning COM Service (ImapiService) - C:\WINDOWS\system32\imapi.exe
O23 - Service: Server (lanmanserver) - C:\WINDOWS\system32\svchost.exe -k netsvcs
O23 - Service: Workstation (lanmanworkstation) - C:\WINDOWS\system32\svchost.exe -k netsvcs
O23 - Service: TCP/IP NetBIOS Helper (LmHosts) - C:\WINDOWS\system32\svchost.exe -k LocalService
O23 - Service: Machine Debug Manager (MDM) - "C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE"
O23 - Service: Messenger - C:\WINDOWS\system32\svchost.exe -k netsvcs
O23 - Service: NetMeeting Remote Desktop Sharing (mnmsrvc) - C:\WINDOWS\system32\mnmsrvc.exe
O23 - Service: Distributed Transaction Coordinator (MSDTC) - C:\WINDOWS\system32\msdtc.exe
O23 - Service: Windows Installer (MSIServer) - C:\WINDOWS\system32\msiexec.exe /V
O23 - Service: Network DDE (NetDDE) - C:\WINDOWS\system32\netdde.exe
O23 - Service: Network DDE DSDM (NetDDEdsdm) - C:\WINDOWS\system32\netdde.exe
O23 - Service: Net Logon (Netlogon) - C:\WINDOWS\system32\lsass.exe
O23 - Service: Network Connections (Netman) - C:\WINDOWS\System32\svchost.exe -k netsvcs
O23 - Service: Network Location Awareness (NLA) (Nla) - C:\WINDOWS\system32\svchost.exe -k netsvcs
O23 - Service: NT LM Security Support Provider (NtLmSsp) - C:\WINDOWS\system32\lsass.exe
O23 - Service: Removable Storage (NtmsSvc) - C:\WINDOWS\system32\svchost.exe -k netsvcs
O23 - Service: Office Source Engine (ose) - "C:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE"
O23 - Service: PCTEL Speaker Phone (Pctspk) - C:\WINDOWS\system32\pctspk.exe
O23 - Service: Plug and Play (PlugPlay) - C:\WINDOWS\system32\services.exe
O23 - Service: PMJ151 AutoLaunch Service (PMJ151LA) - C:\WINDOWS\PMJ151LA.BIN
O23 - Service: IPSEC Services (PolicyAgent) - C:\WINDOWS\system32\lsass.exe
O23 - Service: Protected Storage (ProtectedStorage) - C:\WINDOWS\system32\lsass.exe
O23 - Service: Remote Access Auto Connection Manager (RasAuto) - C:\WINDOWS\system32\svchost.exe -k netsvcs
O23 - Service: Remote Access Connection Manager (RasMan) - C:\WINDOWS\system32\svchost.exe -k netsvcs
O23 - Service: Remote Desktop Help Session Manager (RDSessMgr) - C:\WINDOWS\system32\sessmgr.exe
O23 - Service: Routing and Remote Access (RemoteAccess) - C:\WINDOWS\system32\svchost.exe -k netsvcs
O23 - Service: Remote Registry (RemoteRegistry) - C:\WINDOWS\system32\svchost.exe -k LocalService
O23 - Service: Remote Procedure Call (RPC) Locator (RpcLocator) - C:\WINDOWS\system32\locator.exe
O23 - Service: Remote Procedure Call (RPC) (RpcSs) - C:\WINDOWS\system32\svchost -k rpcss
O23 - Service: QoS RSVP (RSVP) - C:\WINDOWS\system32\rsvp.exe
O23 - Service: Security Accounts Manager (SamSs) - C:\WINDOWS\system32\lsass.exe
O23 - Service: Smart Card Helper (SCardDrv) - C:\WINDOWS\system32\scardsvr.exe
O23 - Service: Smart Card (SCardSvr) - C:\WINDOWS\system32\scardsvr.exe
O23 - Service: Task Scheduler (Schedule) - C:\WINDOWS\System32\svchost.exe -k netsvcs
O23 - Service: Secondary Logon (seclogon) - C:\WINDOWS\System32\svchost.exe -k netsvcs
O23 - Service: System Event Notification (SENS) - C:\WINDOWS\system32\svchost.exe -k netsvcs
O23 - Service: Windows Firewall/Internet Connection Sharing (ICS) (SharedAccess) - C:\WINDOWS\system32\svchost.exe -k netsvcs
O23 - Service: Shell Hardware Detection (ShellHWDetection) - C:\WINDOWS\System32\svchost.exe -k netsvcs
O23 - Service: Print Spooler (Spooler) - C:\WINDOWS\system32\spoolsv.exe
O23 - Service: System Restore Service (srservice) - C:\WINDOWS\system32\svchost.exe -k netsvcs
O23 - Service: SSDP Discovery Service (SSDPSRV) - C:\WINDOWS\system32\svchost.exe -k LocalService
O23 - Service: Windows Image Acquisition (WIA) (stisvc) - C:\WINDOWS\system32\svchost.exe -k imgsvc
O23 - Service: MS Software Shadow Copy Provider (SwPrv) - C:\WINDOWS\system32\dllhost.exe /Processid:{DB4DBE83-33B1-470D-9507-2231E2EB8DD1}
O23 - Service: Performance Logs and Alerts (SysmonLog) - C:\WINDOWS\system32\smlogsvc.exe
O23 - Service: Telephony (TapiSrv) - C:\WINDOWS\System32\svchost.exe -k netsvcs
O23 - Service: Terminal Services (TermService) - C:\WINDOWS\System32\svchost -k DComLaunch
O23 - Service: Themes - C:\WINDOWS\System32\svchost.exe -k netsvcs
O23 - Service: Telnet (TlntSvr) - C:\WINDOWS\system32\tlntsvr.exe
O23 - Service: Distributed Link Tracking Client (TrkWks) - C:\WINDOWS\system32\svchost.exe -k netsvcs
O23 - Service: Ulead Burning Helper (UleadBurningHelper) - C:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe
O23 - Service: Windows User Mode Driver Framework (UMWdf) - C:\WINDOWS\system32\wdfmgr.exe
O23 - Service: Universal Plug and Play Device Host (upnphost) - C:\WINDOWS\system32\svchost.exe -k LocalService
O23 - Service: Uninterruptible Power Supply (UPS) - C:\WINDOWS\system32\ups.exe
O23 - Service: Volume Shadow Copy (VSS) - C:\WINDOWS\system32\vssvc.exe
O23 - Service: Windows Time (W32Time) - C:\WINDOWS\System32\svchost.exe -k netsvcs
O23 - Service: WebClient - C:\WINDOWS\system32\svchost.exe -k LocalService
O23 - Service: Windows Management Instrumentation (winmgmt) - C:\WINDOWS\system32\svchost.exe -k netsvcs
O23 - Service: Portable Media Serial Number Service (WmdmPmSN) - C:\WINDOWS\System32\svchost.exe -k netsvcs
O23 - Service: Windows Management Instrumentation Driver Extensions (Wmi) - C:\WINDOWS\System32\svchost.exe -k netsvcs
O23 - Service: WMI Performance Adapter (WmiApSrv) - C:\WINDOWS\system32\wbem\wmiapsrv.exe
O23 - Service: Security Center (wscsvc) - C:\WINDOWS\System32\svchost.exe -k netsvcs
O23 - Service: Automatic Updates (wuauserv) - C:\WINDOWS\system32\svchost.exe -k netsvcs
O23 - Service: Wireless Zero Configuration (WZCSVC) - C:\WINDOWS\System32\svchost.exe -k netsvcs
O23 - Service: X10 Device Network Service (x10nets) - C:\PROGRA~1\ATIMUL~1\RemCtrl\x10nets.exe
O23 - Service: Network Provisioning Service (xmlprov) - C:\WINDOWS\System32\svchost.exe -k netsvcs
-- File Associations -----------------------------------------------------------
.bat - batfile - "%1" %*
.chm - chm.file - "C:\WINDOWS\hh.exe" %1
.cmd - cmdfile - "%1" %*
.com - comfile - "%1" %*
.exe - exefile - "%1" %*
.hlp - hlpfile - %SystemRoot%\System32\winhlp32.exe %1
.inf - inffile - %SystemRoot%\System32\NOTEPAD.EXE %1
.ini - inifile - %SystemRoot%\System32\NOTEPAD.EXE %1
.js - JSFile - %SystemRoot%\System32\WScript.exe "%1" %*
.lnk - lnkfile - {00021401-0000-0000-C000-000000000046}
.pif - piffile - "%1" %*
.reg - regfile - "%1"
.scr - scrfile - "%1" /S
.txt - txtfile - NOTEPAD.EXE %1
.vbs - VBSFile - %SystemRoot%\System32\WScript.exe "%1" %*
-- Drivers: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled ---------------------
3S 61883 (61883 Unit Device) - C:\WINDOWS\system32\drivers\61883.sys
1R Aavmker4 (avast! Asynchronous Virus Monitor) - C:\WINDOWS\system32\drivers\aavmker4.sys
3S ac97intc (Intel® 82801 Audio Driver Install Service (WDM)) - C:\WINDOWS\system32\drivers\ac97intc.sys
3S AGBFMON - C:\WINDOWS\system32\drivers\AGBFMON.SYS
3R Arp1394 (1394 ARP Client Protocol) - C:\WINDOWS\system32\drivers\arp1394.sys
2R Aspi32 - C:\WINDOWS\system32\drivers\aspi32.sys
2R aswMon2 (avast! Standard Shield Support) - C:\WINDOWS\system32\drivers\aswmon2.sys
3S aswRdr - C:\WINDOWS\system32\drivers\aswRdr.sys
1R aswTdi (avast! Network Shield Support) - C:\WINDOWS\system32\drivers\aswTdi.sys
3R ati2mtag - C:\WINDOWS\system32\drivers\ati2mtag.sys
3R atinrvxx (ATI WDM Rage Theater Video) - C:\WINDOWS\system32\drivers\atinrvxx.sys
2R ATITUNEP (ATI WDM TV Tuner) - C:\WINDOWS\system32\drivers\atintuxx.sys
3R ativraxx (ATI WDM Rage Theater Audio) - C:\WINDOWS\system32\drivers\atinraxx.sys
2R ATIXSAudio (ATI WDM TV Audio Crossbar) - C:\WINDOWS\system32\drivers\atinxsxx.sys
3S Avc (AVC Device) - C:\WINDOWS\system32\drivers\avc.sys
3S CCDECODE (Closed Caption Decoder) - C:\WINDOWS\system32\drivers\ccdecode.sys
1R Cdr4_xp - C:\WINDOWS\system32\drivers\cdr4_xp.sys
1R Cdralw2k - C:\WINDOWS\system32\drivers\cdralw2k.sys
1R cdudf_xp - C:\WINDOWS\system32\drivers\Cdudf_xp.sys
1R Cinemsup - C:\WINDOWS\system32\drivers\cinemsup.sys
3R ctljystk (Creative SBLive! Gameport) - C:\WINDOWS\system32\drivers\ctljystk.sys
0R drvmcdb - C:\WINDOWS\system32\drivers\drvmcdb.sys
1R DVDVRRdr_xp - C:\WINDOWS\system32\drivers\DVDVRRdr_xp.sys
3R dvd_2K - C:\WINDOWS\system32\drivers\dvd_2k.sys
3R emu10k (Creative SB Live! (WDM)) - C:\WINDOWS\system32\drivers\emu10k1m.sys
3R emu10k1 (Creative Interface Manager Driver (WDM)) - C:\WINDOWS\system32\drivers\ctlfacem.sys
3R Eplpdx02 - C:\WINDOWS\system32\drivers\EPLPDX02.SYS
1R FsVga - C:\WINDOWS\system32\drivers\fsvga.sys
3S hidgame (Microsoft Hid to Joystick Port Enabler) - C:\WINDOWS\system32\drivers\hidgame.sys
3R HidUsb (Microsoft HID Class Driver) - C:\WINDOWS\system32\drivers\hidusb.sys
1R intelppm (Intel Processor Driver) - C:\WINDOWS\system32\drivers\intelppm.sys
3S Jukebox3 - C:\WINDOWS\system32\drivers\ctpdusb.sys
3S mmc_2K - C:\WINDOWS\system32\drivers\mmc_2k.sys
3R mouhid (Mouse HID Driver) - C:\WINDOWS\system32\drivers\mouhid.sys
3S MSDV (Microsoft DV Camera and VCR) - C:\WINDOWS\system32\drivers\msdv.sys
3S MSTEE (Microsoft Streaming Tee/Sink-to-Sink Converter) - C:\WINDOWS\system32\drivers\mstee.sys
3S MTDVC (Panasonic DVC USB-SERIAL Driver for NT Technology) - C:\WINDOWS\system32\drivers\mtdv2ku1.sys
3S MTDVC_ENUM (Panasonic DVC COM Driver for NT Technology) - C:\WINDOWS\system32\drivers\mtdv2ks1.sys
2R MVDCODEC (ATI WDM Specialized MVD Codec) - C:\WINDOWS\system32\drivers\atinmdxx.sys
3S NABTSFEC (NABTS/FEC VBI Codec) - C:\WINDOWS\system32\drivers\nabtsfec.sys
3S NdisIP (Microsoft TV/Video Connection) - C:\WINDOWS\system32\drivers\ndisip.sys
3R NIC1394 (1394 Net Driver) - C:\WINDOWS\system32\drivers\nic1394.sys
3S ntgrip (Gravis GamePort device driver) - C:\WINDOWS\system32\drivers\ntgrip.sys
3S nv - C:\WINDOWS\system32\drivers\nv4_mini.sys
0R ohci1394 (NEC FireWarden OHCI Compliant IEEE 1394 Host Controller) - C:\WINDOWS\system32\drivers\ohci1394.sys
3R pfc (PADUS ASPI SHELL) - C:\WINDOWS\system32\drivers\pfc.sys
2R PMJ151NM (Panasonic DVC Web Camera) - C:\WINDOWS\system32\drivers\PMJ151NM.sys
3R Ptserlp (PCTEL Serial Device Driver for PCI) - C:\WINDOWS\system32\drivers\ptserlp.sys
1R pwd_2k - C:\WINDOWS\system32\drivers\Pwd_2k.sys
0R PxHelp20 - C:\WINDOWS\system32\drivers\pxhelp20.sys
3S rtl8139 (Realtek RTL8139(A/B/C)-based PCI Fast Ethernet Adapter NT Driver) - C:\WINDOWS\system32\DRIVERS\RTL8139.SYS (not found)
3R sfman (Creative SoundFont Manager Driver (WDM)) - C:\WINDOWS\system32\drivers\sfmanm.sys
3S SLIP (BDA Slip De-Framer) - C:\WINDOWS\system32\drivers\slip.sys
3S SONYPVU1 (Sony USB Filter Driver (SONYPVU1)) - C:\WINDOWS\system32\drivers\SONYPVU1.SYS
3R StillCam (Still Serial Digital Camera Driver) - C:\WINDOWS\system32\drivers\serscan.sys
3S streamip (BDA IPSink) - C:\WINDOWS\system32\drivers\streamip.sys
1R UDFReadr - C:\WINDOWS\system32\drivers\Udfreadr.sys
3R usbehci (Microsoft USB 2.0 Enhanced Host Controller Miniport Driver) - C:\WINDOWS\system32\drivers\usbehci.sys
3S usbprint (Microsoft USB PRINTER Class) - C:\WINDOWS\system32\drivers\usbprint.sys
3R usbscan (USB Scanner Driver) - C:\WINDOWS\system32\drivers\usbscan.sys
3S USBSTOR (USB Mass Storage Driver) - C:\WINDOWS\system32\drivers\USBSTOR.SYS
0R Vmodem (XP Vmodem) - C:\WINDOWS\system32\drivers\vmodem.sys
0R Vpctcom (XP Vpctcom) - C:\WINDOWS\system32\drivers\vpctcom.sys
0R Vvoice (XP Vvoice) - C:\WINDOWS\system32\drivers\vvoice.sys
1R WS2IFSL (Windows Socket 2.0 Non-IFS Service Provider Support Environment) - C:\WINDOWS\system32\drivers\ws2ifsl.sys
3S WSTCODEC (World Standard Teletext Codec) - C:\WINDOWS\system32\drivers\wstcodec.sys
3R yukonwxp (NDIS5.1 Miniport Driver for Marvell Yukon Ethernet Controller) - C:\WINDOWS\system32\drivers\yk51x86.sys
-- Services: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled --------------------
4S aswUpdSv (avast! iAVS4 Control Service) - "C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe"
2R Ati HotKey Poller - C:\WINDOWS\System32\Ati2evxx.exe
2S ATI Smart - C:\WINDOWS\system32\ati2sgag.exe
4S avast! Antivirus - "C:\Program Files\Alwil Software\Avast4\ashServ.exe"
3S avast! Mail Scanner - "C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe" /service
3S avast! Web Scanner - "C:\Program Files\Alwil Software\Avast4\ashWebSv.exe" /service
2R Client IP-IPX - "C:\WINDOWS\system32\svchosts.exe" -e te-110-12-0000282
2R cmdService (Command Service) - C:\WINDOWS\QmFudGluZyBGYW1pbHk\command.exe
2R Creative Service for CDROM Access - C:\WINDOWS\system32\CTsvcCDA.EXE
2R EPSONStatusAgent2 (EPSON Printer Status Agent2) - C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
3S gusvc (Google Updater Service) - "C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe"
3S IDriverT (InstallDriver Table Manager) - "C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe"
3S ose (Office Source Engine) - "C:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE"
2R Pctspk (PCTEL Speaker Phone) - C:\WINDOWS\system32\pctspk.exe
2R PMJ151LA (PMJ151 AutoLaunch Service) - C:\WINDOWS\PMJ151LA.BIN
3S SCardDrv (Smart Card Helper) - C:\WINDOWS\System32\SCardSvr.exe
2R UleadBurningHelper (Ulead Burning Helper) - C:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe
2R UMWdf (Windows User Mode Driver Framework) - C:\WINDOWS\system32\wdfmgr.exe
3S x10nets (X10 Device Network Service) - C:\PROGRA~1\ATIMUL~1\RemCtrl\x10nets.exe
-- Scheduled Tasks -------------------------------------------------------------
2007-03-06 01:14:00 318 --a------ C:\WINDOWS\Tasks\Ad-Aware SE Personal.job<AD-AWA~1.JOB>
2007-02-28 02:00:00 230 --a------ C:\WINDOWS\Tasks\dfrg.job
2007-01-10 00:20:00 278 --a------ C:\WINDOWS\Tasks\Disk Cleanup.job<DISKCL~1.JOB>
-- Files created between 2007-02-12 and 2007-03-12 -----------------------------
2007-03-09 17:10:55 0 d-------- C:\Program Files\NoAdware5.0<NOADWA~1.0>
2007-03-09 16:26:19 2 ---hs---- C:\WINDOWS\system32\taskkill.com
2007-03-09 16:26:19 2 ---hs---- C:\WINDOWS\system32\netstat.com
2007-03-09 15:46:10 0 d--hs---- C:\WINDOWS\system32\dvwwhgpc
2007-03-04 18:59:12 0 d-------- C:\Documents and Settings\Ace\Application Data\Registry Cleaner<REGIST~1>
2007-02-23 18:14:22 56832 --a------ C:\WINDOWS\system32\mrhlmpie.dll
2007-02-23 18:14:22 0 d-------- C:\Documents and Settings\Ace\Application Data\?ymbols
2007-02-22 19:44:44 0 d-------- C:\Program Files\PeDevice
2007-02-18 14:34:21 0 d-------- C:\Program Files\Common Files\{3830DA84-0BBA-1033-0217-050312030002}<{3830D~2>
-- Find3M Report ---------------------------------------------------------------
2007-03-12 01:14:37 0 d-------- C:\Program Files\Ipwindows<IPWIND~1>
2007-03-12 00:14:00 0 d-------- C:\Program Files\Common Files\{3830DA84-0BB6-1033-0217-050312030002}<{3830D~1>
2007-03-09 17:07:39 0 d-------- C:\Program Files\EPSON
2007-03-04 23:00:33 0 d--h----- C:\Program Files\InstallShield Installation Information<INSTAL~1>
2007-03-04 23:00:19 0 d-------- C:\Documents and Settings\Ace\Application Data\Apple Computer<APPLEC~1>
2007-03-03 23:21:14 0 d-------- C:\Program Files\Network Monitor<NETWOR~1>
2007-02-23 18:14:24 2 --a------ C:\WINDOWS\system32\wnsintsv.exe
2007-02-22 19:44:44 0 d-------- C:\Program Files\InetGet2
2007-02-14 19:29:40 0 d-------- C:\Program Files\Google
2007-02-11 01:38:58 0 d-------- C:\Program Files\DVD Shrink<DVDSHR~1>
2007-02-03 23:29:04 2560 --a------ C:\WINDOWS\system32\unsvchosts.exe<UNSVCH~1.EXE>
2007-02-03 23:29:04 36864 --a------ C:\WINDOWS\system32\svchosts.exe
2007-02-02 23:12:24 1902704 --a------ C:\Program Files\noadware.exe
2007-01-29 00:58:06 60416 -----n--- C:\WINDOWS\system32\tzchange.exe
2007-01-24 23:41:40 0 d-------- C:\Program Files\s?stem
2007-01-24 23:41:40 0 d-------- C:\Program Files\??stem
2007-01-24 23:41:07 0 d-------- C:\Documents and Settings\Ace\Application Data\?ppPatch
2007-01-24 15:10:20 0 d-------- C:\Program Files\Outerinfo<OUTERI~1>
2007-01-24 12:03:18 0 d-------- C:\Documents and Settings\Ace\Application Data\?ystem32
2007-01-17 14:16:37 0 d--h----- C:\Program Files\Common Files\Uninstall Information<UNINST~1>
2007-01-14 19:31:20 0 d-------- C:\Program Files\Common Files\??stem32
2007-01-14 19:30:44 32177 ---hs---- C:\Program Files\Common Files\Yazzle1122OinUninstaller.exe<YAZZLE~2.EXE>
2007-01-14 19:05:38 687592 --a------ C:\WINDOWS\system32\atmtd.dll
2007-01-03 13:19:56 171008 ---hs---- C:\Program Files\Common Files\Yazzle1122OinAdmin.exe<YAZZLE~1.EXE>
2006-12-19 13:52:18 134656 --a------ C:\WINDOWS\system32\shsvcs.dll
2006-12-19 10:16:47 333824 --a------ C:\WINDOWS\system32\wiaservc.dll
-- Registry Dump ---------------------------------------------------------------
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run]
"ALUAlert"="C:\\Program Files\\Symantec\\LiveUpdate\\ALUNotify.exe"
"Creative Detector"="C:\\Program Files\\Creative\\MediaSource\\Detector\\CTDetect.exe /R"
"Orbt"="\"C:\\DOCUME~1\\Ace\\APPLIC~1\\PPPATC~1\\wuauboot.exe\" -vt ndrv"
"Fihhij"="C:\\Program Files\\Common Files\\??stem32\\?xplorer.exe"
"csrss"=""
"ctfmon.exe"="C:\\WINDOWS\\system32\\ctfmon.exe"
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run]
"Corel Graphics Suite 1117"="C:\\Program Files\\Corel\\Corel Graphics 11\\Register\\registration.exe /title=\"Corel Graphics Suite 11\" /date=092004 serial=DR11CRD-0012082-DGW"
"RoxioDragToDisc"="\"C:\\Program Files\\Roxio\\Easy Media Creator 7\\Drag to Disc\\DrgToDsc.exe\""
"SM1BG"="C:\\WINDOWS\\SM1BG.EXE"
"TkBellExe"="\"C:\\Program Files\\Common Files\\Real\\Update_OB\\realsched.exe\" -osboot"
"SunJavaUpdateSched"="\"C:\\Program Files\\Java\\jre1.5.0_10\\bin\\jusched.exe\""
"QuickTime Task"="\"C:\\Program Files\\QuickTime\\qttask.exe\" -atboottime"
"{3830DA84-0BB6-1033-0217-050312030002}"="\"C:\\Program Files\\Common Files\\{3830DA84-0BB6-1033-0217-050312030002}\\Update.exe\" te-110-12-0000282"
"IpWins"="C:\\Program Files\\Ipwindows\\ipwins.exe"
"Nfo"="C:\\WINDOWS\\system32\\nfomon\\nfomon.exe"
"vidmon"="C:\\WINDOWS\\system32\\vidmon\\vidmon.exe"
"csrss"=""
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents]
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\IMAIL]
"Installed"="1"
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\MAPI]
"Installed"="1"
"NoChange"="1"
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\MSFS]
"Installed"="1"
[HKEY_USERS\.default\software\microsoft\windows\currentversion\runonce]
"RunNarrator"="Narrator.exe"
[HKEY_USERS\s-1-5-18\software\microsoft\windows\currentversion\runonce]
"RunNarrator"="Narrator.exe"
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder]
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users.WINDOWS^Start Menu^Programs^Startup^EPSON Status Monitor 3 Environment Check 2.lnk]
"path"="C:\\Documents and Settings\\All Users.WINDOWS\\Start Menu\\Programs\\Startup\\EPSON Status Monitor 3 Environment Check 2.lnk"
"backup"="C:\\WINDOWS\\pss\\EPSON Status Monitor 3 Environment Check 2.lnkCommon Startup"
"location"="Common Startup"
"command"="C:\\WINDOWS\\system32\\spool\\drivers\\w32x86\\3\\E_SRCV02.EXE "
"item"="EPSON Status Monitor 3 Environment Check 2"
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^Banting Family^Start Menu^Programs^Startup^LimeWire On Startup.lnk]
"path"="C:\\Documents and Settings\\Banting Family\\Start Menu\\Programs\\Startup\\LimeWire On Startup.lnk"
"backup"="C:\\WINDOWS\\pss\\LimeWire On Startup.lnkStartup"
"location"="Startup"
"command"="C:\\PROGRA~1\\LimeWire\\LimeWire.exe -startup"
"item"="LimeWire On Startup"
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"=""
"hkey"="HKCU"
"command"=""
"inimapping"="0"
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AT-Watch]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"=""
"hkey"="HKLM"
"command"=""
"inimapping"="0"
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\CXMon]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="Hpi_Monitor"
"hkey"="HKLM"
"command"="\"C:\\Program Files\\Hewlett-Packard\\PhotoSmart\\Photo Imaging\\Hpi_Monitor.exe\""
"inimapping"="0"
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IMEKRMIG6.1]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="IMEKRMIG"
"hkey"="HKLM"
"command"="C:\\WINDOWS\\ime\\imkr6_1\\IMEKRMIG.EXE"
"inimapping"="0"
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IMJPMIG8.1]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="IMJPMIG"
"hkey"="HKLM"
"command"="C:\\WINDOWS\\IME\\imjp8_1\\IMJPMIG.EXE /Spoil /RemAdvDef /Migration32"
"inimapping"="0"
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Ink Monitor]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="InkMonitor"
"hkey"="HKLM"
"command"="C:\\Program Files\\EPSON\\Ink Monitor\\InkMonitor.exe"
"inimapping"="0"
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\key]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="winxp"
"hkey"="HKCU"
"command"="C:\\WINDOWS\\System32\\winxp.exe"
"inimapping"="0"
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Load]
"key"="SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Windows"
"item"="zeh"
"hkey"="HKCU"
"command"="C:\\Program Files\\help\\zeh.exe"
"inimapping"="1"
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSPY2002]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="ImScInst"
"hkey"="HKLM"
"command"="C:\\WINDOWS\\system32\\IME\\PINTLGNT\\ImScInst.exe /SYNC"
"inimapping"="0"
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroCheck]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="NeroCheck"
"hkey"="HKLM"
"command"="C:\\WINDOWS\\System32\\NeroCheck.exe"
"inimapping"="0"
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PHIME2002A]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="TINTSETP"
"hkey"="HKLM"
"command"="C:\\WINDOWS\\system32\\IME\\TINTLGNT\\TINTSETP.EXE /IMEName"
"inimapping"="0"
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PHIME2002ASync]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="TINTSETP"
"hkey"="HKLM"
"command"="C:\\WINDOWS\\system32\\IME\\TINTLGNT\\TINTSETP.EXE /SYNC"
"inimapping"="0"
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="qttask"
"hkey"="HKLM"
"command"="\"C:\\Program Files\\QuickTime\\qttask.exe\" -atboottime"
"inimapping"="0"
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RoxioDragToDisc]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="DrgToDsc"
"hkey"="HKLM"
"command"="\"C:\\Program Files\\Roxio\\Easy Media Creator 7\\Drag to Disc\\DrgToDsc.exe\""
"inimapping"="0"
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Run]
"key"="SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Windows"
"item"="zeh"
"hkey"="HKCU"
"command"="C:\\Program Files\\help\\zeh.exe"
"inimapping"="1"
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Share-to-Web Namespace Daemon]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="hpgs2wnd"
"hkey"="HKLM"
"command"="C:\\Program Files\\Hewlett-Packard\\PhotoSmart\\HP Share-to-Web\\hpgs2wnd.exe"
"inimapping"="0"
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SM1BG]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="SM1BG"
"hkey"="HKLM"
"command"="C:\\WINDOWS\\SM1BG.EXE"
"inimapping"="0"
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Steam]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="Steam"
"hkey"="HKCU"
"command"="C:\\Program Files\\Valve\\Steam\\Steam.exe -silent"
"inimapping"="0"
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="jusched"
"hkey"="HKLM"
"command"="C:\\Program Files\\Java\\jre1.5.0_02\\bin\\jusched.exe"
"inimapping"="0"
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TkBellExe]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="realsched"
"hkey"="HKLM"
"command"="\"C:\\Program Files\\Common Files\\Real\\Update_OB\\realsched.exe\" -osboot"
"inimapping"="0"
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WildTangent CDA]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="cdaEngine0400"
"hkey"="HKLM"
"command"="RUNDLL32.exe \"C:\\Program Files\\WildTangent\\Apps\\CDA\\cdaEngine0400.dll\",cdaEngineMain"
"inimapping"="0"
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ZingSpooler]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="ZingSpooler"
"hkey"="HKLM"
"command"="C:\\Program Files\\Common Files\\Zing\\ZingSpooler.exe"
"inimapping"="0"
[HKEY_USERS\.default\software\microsoft\windows\currentversion\run]
"CTFMON.EXE"="C:\\WINDOWS\\System32\\ctfmon.exe"
"ALUAlert"="C:\\Program Files\\Symantec\\LiveUpdate\\ALUNotify.exe"
"swg"="C:\\Program Files\\Google\\GoogleToolbarNotifier\\1.2.1128.5462\\GoogleToolbarNotifier.exe"
[HKEY_USERS\s-1-5-18\software\microsoft\windows\currentversion\run]
"CTFMON.EXE"="C:\\WINDOWS\\System32\\ctfmon.exe"
"ALUAlert"="C:\\Program Files\\Symantec\\LiveUpdate\\ALUNotify.exe"
"swg"="C:\\Program Files\\Google\\GoogleToolbarNotifier\\1.2.1128.5462\\GoogleToolbarNotifier.exe"
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]
"DisableRegistryTools"="1"
"NoAdminPage"="1"
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders]
"SecurityProviders"="msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll"
[HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Svchost]
LocalService REG_MULTI_SZ Alerter WebClient LmHosts RemoteRegistry upnphost SSDPSRV
NetworkService REG_MULTI_SZ DnsCache
rpcss REG_MULTI_SZ RpcSs
imgsvc REG_MULTI_SZ StiSvc
termsvcs REG_MULTI_SZ TermService
HTTPFilter REG_MULTI_SZ HTTPFilter
DcomLaunch REG_MULTI_SZ DcomLaunch TermService
-- Hosts -----------------------------------------------------------------------
127.0.0.1 desktop.kazaa.com
127.0.0.1 www.altnetp2p.com
127.0.0.1 alpha.kazaa.com
127.0.0.1 shop.kazaa.com
127.0.0.1 www.bonzi.com
127.0.0.1 www.brilliantdigital.com
127.0.0.1 www.b3d.com
127.0.0.1 media.altnet.com
127.0.0.1 www.altnet.com
127.0.0.1 dev.bde.com.au
821 more entries in hosts file.
-- End of ComboScan: finished at 2007-03-12 at 01:16:11 ------------------------
-
And here is my Supplementary.txt:
ComboScan v20070306.20 run by Ace on 2007-03-12 at 01:11:45
Supplementary logfile - please post this as an attachment with your post.
--------------------------------------------------------------------------------
-- System Information ----------------------------------------------------------
Microsoft Windows XP Professional (build 2600) SP 2.0
Architecture: X86; Language: English
CPU 0: Intel® Pentium® 4 CPU 3.00GHz
CPU 1: Intel® Pentium® 4 CPU 3.00GHz
Percentage of Memory in Use: 35%
Physical Memory (total/avail): 1023.23 MiB / 656.77 MiB
Pagefile Memory (total/avail): 2462.8 MiB / 2171.36 MiB
Virtual Memory (total/avail): 2047.88 MiB / 1981.18 MiB
A: is Removable (Unformatted)
C: is Fixed (NTFS) - 55.91 GiB total, 16.43 GiB free.
D: is CDROM (No Media)
E: is CDROM (No Media)
F: is Fixed (NTFS) - 74.53 GiB total, 22.39 GiB free.
-- Security Center -------------------------------------------------------------
AUOptions is scheduled to auto-install.
Windows Internal Firewall is enabled.
FirstRunDisabled is set.
AV: avast! antivirus 4.6.731 [VPS 0607-2] v4.6.731 (ALWIL Software)
-- Environment Variables -------------------------------------------------------
ALLUSERSPROFILE=C:\Documents and Settings\All Users.WINDOWS
APPDATA=C:\Documents and Settings\Ace\Application Data
CLASSPATH=.;C:\Program Files\Java\jre1.5.0_07\lib\ext\QTJava.zip
CLIENTNAME=Console
CommonProgramFiles=C:\Program Files\Common Files
COMPUTERNAME=BANTING
ComSpec=C:\WINDOWS\system32\cmd.exe
FP_NO_HOST_CHECK=NO
HOMEDRIVE=C:
HOMEPATH=\Documents and Settings\Ace
LOGONSERVER=\\BANTING
NUMBER_OF_PROCESSORS=2
OS=Windows_NT
Path=C:\Program Files\Internet Explorer;;C:\WINDOWS\system32;C:\WINDOWS;C:\WINDOWS\system32\WBEM;C:\Program Files\Common Files\Adaptec Shared\System;C:\Program Files\Common Files\Ulead Systems\MPEG;C:\Program Files\Common Files\Roxio Shared\DLLShared;C:\Program Files\Common Files\Roxio Shared\DLLShared\;C:\Program Files\QuickTime\QTSystem\
PATHEXT=.COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH
PROCESSOR_ARCHITECTURE=x86
PROCESSOR_IDENTIFIER=x86 Family 15 Model 4 Stepping 1, GenuineIntel
PROCESSOR_LEVEL=15
PROCESSOR_REVISION=0401
ProgramFiles=C:\Program Files
PROMPT=$P$G
QTJAVA=C:\Program Files\Java\jre1.5.0_07\lib\ext\QTJava.zip
SESSIONNAME=Console
SystemDrive=C:
SystemRoot=C:\WINDOWS
TEMP=C:\DOCUME~1\Ace\LOCALS~1\Temp
TMP=C:\DOCUME~1\Ace\LOCALS~1\Temp
USERDOMAIN=BANTING
USERNAME=Ace
USERPROFILE=C:\Documents and Settings\Ace
windir=C:\WINDOWS
-- User Profiles ---------------------------------------------------------------
Banting Family (admin)
Ate (admin)
Ace (admin)
Migi (admin)
Mama (admin)
Papa (admin)
Lolo (admin)
Administrator (admin)
Guest (guest)
-- Add/Remove Programs ---------------------------------------------------------
--> C:\Program Files\Common Files\Real\Update_OB\r1puninst.exe RealNetworks|RealPlayer|6.0
--> C:\WINDOWS\IsUninst.exe -fC:\Sierra\Contraptions\Uninst.isu
--> C:\WINDOWS\IsUninst.exe -fC:\Sierra\CoolPool8ballNetDemo\Uninst.isu
--> C:\WINDOWS\IsUninst.exe -fC:\Sierra\PBALL6D\Uninst.isu
--> C:\WINDOWS\system32\\MSIEXEC.EXE /x {637099FB-45FD-4BC7-9651-6FB540DBB749}
--> MsiExec.exe /I{21657574-BD54-48A2-9450-EB03B2C7FC29}
--> MsiExec.exe /I{26792CA7-D87A-4DBE-896B-C2F66B344511}
--> MsiExec.exe /I{637099FB-45FD-4BC7-9651-6FB540DBB749}
--> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime91\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{0B095086-7205-4D48-90DF-DCD16613C6D4}\setup.exe" -l0x9
--> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime91\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{0B095086-7205-4D48-90DF-DCD16613C6D4}\setup.exe" -l0x9 /remove
--> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime91\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{103BCDA0-E063-46AC-8028-64E78722ABA7}\setup.exe" -l0x9
--> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime91\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{103BCDA0-E063-46AC-8028-64E78722ABA7}\setup.exe" -l0x9 /remove
--> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime91\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{2616B36E-38CE-4357-8AB5-8B3EE9B1C117}\setup.exe" -l0x9
--> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime91\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{2616B36E-38CE-4357-8AB5-8B3EE9B1C117}\setup.exe" -l0x9 /remove
--> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime91\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{57FA4E0F-82C9-417D-87BC-0186D6CB7A44}\setup.exe" -l0x9
--> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime91\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{63A317D0-60A6-43FC-848A-9FE4A53B29CE}\setup.exe" -l0x9
--> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime91\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{700932B3-A964-4878-82A2-96054622A1F7}\setup.exe" -l0x9
--> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime91\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{700932B3-A964-4878-82A2-96054622A1F7}\setup.exe" -l0x9 /remove
--> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime91\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{836612F0-1571-4C65-A4B7-58A39AA578EE}\setup.exe" -l0x9
--> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime91\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{836612F0-1571-4C65-A4B7-58A39AA578EE}\setup.exe" -l0x9 /remove
--> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime91\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{9104A09A-EC83-11D8-8469-00D0B726B56E}\setup.exe" -l0x9
--> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime91\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{9104A09A-EC83-11D8-8469-00D0B726B56E}\setup.exe" -l0x9 /remove
--> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime91\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{9744AE38-1CC6-414F-96CE-0643AEE30A9B}\setup.exe" -l0x9
--> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime91\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{9744AE38-1CC6-414F-96CE-0643AEE30A9B}\setup.exe" -l0x9 /remove
--> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime91\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{9AB14DF5-3B04-4E3B-9969-695DBA7F2008}\setup.exe" -l0x9
--> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime91\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{9AB14DF5-3B04-4E3B-9969-695DBA7F2008}\setup.exe" -l0x9 /remove
--> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime91\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{9E54F486-CD4A-44A5-B041-16D4E1E56A53}\setup.exe" -l0x9
--> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime91\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{9E54F486-CD4A-44A5-B041-16D4E1E56A53}\setup.exe" -l0x9 /remove
--> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime91\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{A82F10CB-18B5-4EAC-AEF2-FA49CD565626}\setup.exe" -l0x9
--> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime91\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{CB99E420-8071-48F9-9567-4A53BE7569C4}\setup.exe" -l0x9
--> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime91\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{CB99E420-8071-48F9-9567-4A53BE7569C4}\setup.exe" -l0x9 /remove
--> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime91\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{D524239C-FD5C-4183-A49C-7930915A9C0A}\setup.exe" -l0x9
--> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime91\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{D524239C-FD5C-4183-A49C-7930915A9C0A}\setup.exe" -l0x9 /remove
--> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime91\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{DD2D9012-E5A1-4717-8EE9-8DB3F36E2F8C}\setup.exe" -l0x9
--> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime91\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{DD2D9012-E5A1-4717-8EE9-8DB3F36E2F8C}\setup.exe" -l0x9 /remove
--> rundll32.exe setupapi.dll,InstallHinfSection DefaultUninstall 132 C:\WINDOWS\INF\PCHealth.inf
3D Groove Playback Engine --> RunDll32 C:\WINDOWS\DOWNLO~1\GrooveAX.dll,_RemoveGroove@16
Adobe Flash Player 9 ActiveX --> C:\WINDOWS\system32\Macromed\Flash\FlashUtil9b.exe -uninstallDelete
Adobe Photoshop 6.0 --> C:\WINDOWS\ISUNINST.EXE -f"C:\Program Files\Adobe\Photoshop 6.0\Uninst.isu" -c"C:\Program Files\Adobe\Photoshop 6.0\Uninst.dll"
Adobe Reader 6.0 --> MsiExec.exe /I{AC76BA86-7AD7-1033-7B44-000000000001}
Adobe Shockwave Player --> C:\WINDOWS\system32\Macromed\SHOCKW~2\UNWISE.EXE C:\WINDOWS\system32\Macromed\SHOCKW~2\Install.log
ArcSoft PhotoImpression 2000 --> C:\WINDOWS\IsUninst.exe -f"C:\Program Files\ArcSoft\PhotoImpression\Uninst.isu"
ATI - Software Uninstall Utility --> C:\Program Files\ATI Technologies\UninstallAll\AtiCimUn.exe
ATI Display Driver --> rundll32 C:\WINDOWS\System32\atiiiexx.dll,_InfEngUnInstallINFFile_RunDLL@16 -force_restart -flags:0x2010001 -inf_class:DISPLAY -clean
ATI DVD Decoder 2.2.0.0 --> C:\PROGRA~1\COMMON~1\INSTAL~1\Driver\7\INTEL3~1\IDriver.exe /M{45D228AA-4284-467A-9DB6-942B92BFF656} /l1041
ATI Multimedia Center 8.8.0.0 --> C:\PROGRA~1\COMMON~1\INSTAL~1\Driver\7\INTEL3~1\IDriver.exe /M{893306B3-C1B7-4CF0-A3F5-20C7047D6A08} /l1041
ATI Remote Wonder 2.1 --> C:\PROGRA~1\COMMON~1\INSTAL~1\Driver\7\INTEL3~1\IDriver.exe /M{D7F181EC-5E49-44FA-AB5B-8F9D4A93FC38} /l1041
AuthorScript Engine 1.0 --> C:\PROGRA~1\COMMON~1\INSTAL~1\Driver\7\INTEL3~1\IDriver.exe /M{752CA503-E29F-4610-A1A4-B21CDC58EF8D} /l1041
avast! Antivirus --> rundll32 C:\PROGRA~1\ALWILS~1\Avast4\Setup\setiface.dll,RunSetup
Bar888 --> C:\Program Files\Common Files\{3830DA84-0BB6-1033-0217-050312030002}\UnInstall.exe
Command --> wscript "C:\WINDOWS\QmFudGluZyBGYW1pbHk\kAIRx35RtV13sqYDvJ4.vbs"
Creative Jukebox Driver --> C:\Program Files\Creative\Jukebox 3 Drivers\DrvUnins.exe /s
Creative MediaSource --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime91\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{2E0C1913-886B-4C5C-8DAF-D1E649CE5FCC}\setup.exe" -l0x9 /remove
Creative Removable Disk Manager --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime91\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{57FA4E0F-82C9-417D-87BC-0186D6CB7A44}\setup.exe" -l0x9 /remove
Creative System Information --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime91\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{63A317D0-60A6-43FC-848A-9FE4A53B29CE}\setup.exe" -l0x9 /remove
Creative Zen Micro --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime91\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{D944236D-7992-41D6-8257-930B5832F1CC}\SETUP.EXE" -l0x9 /remove
Cypress USB Mass Storage Driver Installation --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{2E0695EE-ED29-4D96-BD77-2A9A17EDF0D6}\Setup.exe" -l0x9 NotFirstInstall
DAO --> C:\PROGRA~1\COMMON~1\INSTAL~1\Driver\7\INTEL3~1\IDriver.exe /M{C88E49AA-41C5-4420-A08D-BE1B6C5A3A74}
Datasets for Data Analysis Plus? for Excel --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{540E7117-510F-11D6-9FDE-0050BA8AEE3E}\setup.exe"
DirectX Media Runtime 5.1 --> RunDll32 advpack.dll,LaunchINFSection C:\WINDOWS\INF\DXM51.INF,Uninstall.NT
DV Studio3 --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{5DF68560-292A-11D5-99D1-00010256D40E}\setup.exe"
EA SPORTS online 2006 --> C:\Program Files\EA SPORTS\EA SPORTS online\EASOUNInstaller.exe
Easy CD Creator 5 Platinum --> MsiExec.exe /I{8851E12C-0EF9-11D4-A788-009027ABA5D0}
EPSON Printer Software --> C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\EPUPDATE.EXE /R
EPSON TWAIN 5 --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{9A3EABC0-CA06-11D4-BF77-00104B130C19}\setup.exe" UNINSTALL
FIFA 06 --> C:\Program Files\EA SPORTS\FIFA 06\EAUninstall.exe
Google Toolbar for Internet Explorer --> regsvr32 /u /s "c:\program files\google\googletoolbar4.dll"
GUIDE PLUS+(tm) for Windows? System - ATI --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{99D34763-7E45-4FE5-8424-28DBC3A5F0BF}\setup.exe"
ImageStation Easy Upload Tools --> C:\Program Files\Easy Upload Tools\UninstallHelper\UninstallHelper.exe
Ink Monitor --> C:\Program Files\EPSON\Ink Monitor\InkMonitor.exe -U
IpWins --> C:\Program Files\Ipwindows\Uninst.exe
J2SE Runtime Environment 5.0 Update 10 --> MsiExec.exe /I{3248F0A8-6813-11D6-A77B-00B0D0150100}
J2SE Runtime Environment 5.0 Update 2 --> MsiExec.exe /I{3248F0A8-6813-11D6-A77B-00B0D0150020}
J2SE Runtime Environment 5.0 Update 7 --> MsiExec.exe /I{3248F0A8-6813-11D6-A77B-00B0D0150070}
JumpStart 3rd Grade v1.1 --> C:\WINDOWS\IsUninst.exe -fC:\KA\3G\DeIsL1.isu
JumpStart Kindergarten 98 v2.5 --> C:\WINDOWS\IsUninst.exe -fC:\KA\KG98\DeIsL3.isu
LimeWire 4.12.6 --> "C:\Program Files\LimeWire\uninstall.exe"
Marvell Miniport Driver --> MsiExec.exe /X{C950420B-4182-49EA-850A-A6A2ABF06C6B}
Microsoft Data Access Components KB870669 --> C:\WINDOWS\muninst.exe C:\WINDOWS\INF\KB870669.inf
Microsoft Office Professional Edition 2003 --> MsiExec.exe /I{90110409-6000-11D3-8CFE-0150048383C9}
Microsoft Office XP Professional with FrontPage --> MsiExec.exe /I{90280409-6000-11D3-8CFE-0050048383C9}
Microsoft XML Parser and SDK --> MsiExec.exe /I{3E908702-AF35-4611-9518-955DA24B7E07}
MSN Messenger 7.5 --> MsiExec.exe /I{CEB3A11A-03EA-11DA-BFBD-00065BBDC0B5}
Need For Speed High Stakes --> C:\WINDOWS\ISUNINST.EXE -f"C:\Program Files\Electronic Arts\Need For Speed High Stakes\Uninst.isu" -c"C:\Program Files\Electronic Arts\Need For Speed High Stakes\uninst.dll" E
Nero - Burning Rom --> MsiExec.exe /X{A4D7B764-4140-11D4-88EB-0050DA3579C0}
Network Monitor --> wscript "C:\WINDOWS\uninstall_nmon.vbs"
NoAdware v5.0 --> "C:\Program Files\NoAdware5.0\unins000.exe"
Outerinfo --> "C:\Program Files\Common Files\Yazzle1122OinUninstaller.exe"
Outerinfo --> C:\Program Files\Outerinfo\OiUninstaller.exe
Pictionary --> C:\WINDOWS\unvise.exe C:\PROGRA~1\PICTIO~1\uninstal.log
QuickTax 2004 --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{53337CA9-E9A4-4C59-9D1C-D980EF9BF0C2}\isetup.ex_" -l0x9 -uninst
QuickTax 2005 --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{B8D0BC3E-67DF-48A3-ACC9-EEAA8DBFBF29}\isetup.ex_" -l0x9 -uninst
QuickTime --> C:\PROGRA~1\COMMON~1\INSTAL~1\Driver\11\INTEL3~1\IDriver.exe /M{C21D5524-A970-42FA-AC8A-59B8C7CDCA31} /l1033
RealPlayer --> C:\Program Files\Common Files\Real\Update_OB\r1puninst.exe RealNetworks|RealPlayer|6.0
Roxio Easy Media Creator 7 --> MsiExec.exe /I{A99C6296-A311-4D6C-9602-53B4241921D5}
Shockwave --> C:\WINDOWS\system32\Macromed\SHOCKW~1\UNWISE.EXE C:\WINDOWS\system32\Macromed\SHOCKW~1\Install.log
SmartSound Quicktracks Plugin --> C:\PROGRA~1\COMMON~1\INSTAL~1\Driver\9\INTEL3~1\IDriver.exe /M{4A7FDA4D-F4D7-4A49-934A-066D59A43C7E}
Snes9x --> C:\WINDOWS\iun3405.exe C:\1995\Super Nintendo
Studio 8 --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{53EF6570-21A4-47ED-A40A-E6470A5677A3}\Setup.exe" -l0x9 UNINSTALL-L0x9 -c
Ulead VideoStudio 8.0 --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime701\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{4F1DA6BF-3614-48A1-9970-9E90F646789E}\setup.exe" -l0x9
USB Driver for Panasonic DVC (with Web Camera) --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{82AF8AF6-6D0B-4EE6-B11F-CF9877877F69}\setup.exe" anythinganythinganythinganythinganythinganythinganything
USB Storage Adapter FX (SM1) --> SM1UN.EXE SM1FX_AT
WebDP 2.07 --> C:\Program Files\Common Files\Uninstall Information\RemoveWebDP.exe
webHancer Customer Companion --> C:\Program Files\webHancer\Programs\whInstaller.exe -uninstall
WildTangent Web Driver --> C:\Program Files\WildTangent\Apps\CDA\CDAUninstall.exe
Windows Media Encoder 9 Series --> msiexec.exe /I {E38C00D0-A68B-4318-A8A6-F7D4B5B1DF0E}
Windows Media Encoder 9 Series --> MsiExec.exe /I{E38C00D0-A68B-4318-A8A6-F7D4B5B1DF0E}
WinRAR archiver --> C:\Program Files\WinRAR\uninstall.exe
-- End of ComboScan: finished at 2007-03-12 at 01:16:11 ------------------------
-
Access your add/remove programs and remove any of the following that you find
Bar888
If the above is not found in add/remove programs
Go to START>>RUN
Copy and paste the next command line below in bold and hit OK
C:\Program Files\Common Files\{3830DA84-0BB6-1033-0217-050312030002}\UnInstall.exe
Carry on removing the next ones:
IpWins
If not found, copy>>Paste the next to START>>RUN
C:\Program Files\Ipwindows\Uninst.exe
Remove old versions of Java:
J2SE Runtime Environment 5.0 Update 2
J2SE Runtime Environment 5.0 Update 7
Remove anything to do with OIN
If not found, run these 2 commands, one at a time in START>>RUN
"C:\Program Files\Common Files\Yazzle1122OinUninstaller.exe"
Then this one
C:\Program Files\Outerinfo\OiUninstaller.exe
Carry on removing
webHancer Customer Companion
If not found, go to START>>RUN
C:\Program Files\webHancer\Programs\whInstaller.exe -uninstall
Then this one:
WildTangent Web Driver
After the above is all removed, or whatever you can remove, be sure to REBOOT the computer
Back in Windows
Download and save Brute Force Uninstaller (http://www.merijn.org/files/bfu.zip) to the desktop
- Right click the BFU folder on your desktop, and choose Extract All
- Click "Next"
- In the box to choose where to extract the files to, click "Browse"
- Click on the + sign next to "My Computer"
- Click on "Local Disk (C:)" or whatever your primary drive is >> In your case it appears to be F:\
- Click "Make New Folder"
- Type in BFU
- Click "Next", and Uncheck the "Show Extracted Files" box and then click "Finish".
RIGHT-CLICK HERE (http://metallica.geekstogo.com/alcanshorty.bfu) and choose "Save As" (in IE it's "Save Target As") in order to download Alcan worm remover.
Save it, then transfer it to the same folder you made earlier (F:\BFU).
Go to Start > My Computer and navigate to the F:\BFU folder.- Start the Brute Force Uninstaller by doubleclicking BFU.exe
- Next to the scriptline to execute field click the folder icon (http://metallica.geekstogo.com/foldericon.png)
and select alcanshorty.bfu
- Press Execute and let it do it's job. (You ought to see a progress bar if you did this correctly.)
- Wait for the complete script execution box to pop up and press OK.
- Press exit to terminate the BFU program.
==Download ATF-Cleaner (http://www.atribune.org/ccount/click.php?id=1) by Atribune.
Save it to your desktop
We'll need this later
==Download AVG Anti-Spyware 7.5 (http://www.ewido.net/en/download/)
- Save the installer to desktop
- Double click the installer, select your language, and then select "OK"
- Click NEXT>>>Select I Agree>>>NEXT>>>INSTALL
- AVG will now install and afterwards click FINISH
- AVG Anti-Spyware 7.5 should now Load
- Click the Update tab at the top. Under Manual Update click Start update.
- After the update finishes (the status bar at the bottom will display "Update successful")
- Click on the Scanner tab at the top
- Click the "Settings" tab and then change the recommended action under "How to Act" to Quarantine and ensure that "Automatically generate report after every scan" IS selected and
"Only if Threats are found" IS NOT selected
CLOSE AVG-Antispyware for now, as we will need it later
An AVG icon will be placed in your system tray next to your clock; can you right-click on it and uncheck
"Resident Shield", "Automatic updates" and "Start with Windows"
Reboot your computer in Safe Mode by doing the following:
- Restart your computer
- After hearing your computer beep once during startup, but before the Windows icon appears, tap the F8 key continually;
- Instead of Windows loading as normal, the Advanced Options Menu should appear;
- Select the first option, to run Windows in Safe Mode, then press Enter.
- Choose your usual account.
============================================
==Double-click ATF-Cleaner.exe to run the program.
Under Main choose: Select All
Click the Empty Selected button.
If you use Firefox browser
Click Firefox at the top and choose: Select All
Click the Empty Selected button.
NOTE: If you would like to keep your saved passwords, please click No at the prompt.
If you use Opera browser
Click Opera at the top and choose: Select All
Click the Empty Selected button.
NOTE: If you would like to keep your saved passwords, please click No at the prompt.
Click Exit on the Main menu to close the program.
==================================================
Load AVG Anti-Spyware 7.5
- Click on the Scanner tab at the top
- Click on Complete System Scan.
This scan can take a while to run, let it run uninterrupted
- When the scan is complete it will list any infections found on the left hand side.
- Click the Apply all actions button. AVG Anti-Spyware will display "All actions have been applied" on the right hand side.
- Click on "Save Report", then "Save Report As". This will create a text file. Make sure you know where to find this file (like on the Desktop).
I will need to see this log later
Restart the computer back to Normal windows
Post back the following
1. Post a fresh hijackthis log
2. Post the Whole report from AVG-Antispyware
-
When I tried to copy and paste the hijackthis logfile, it kept disappearing right away. So I highlighted whatever I could from the logfile before it would instantly vanish. Hopefully this is everything:
Logfile of HijackThis v1.99.1
Scan saved at 12:05:23 PM, on 3/13/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\WINDOWS\system32\svchosts.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\CTsvcCDA.EXE
C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\system32\pctspk.exe
C:\WINDOWS\PMJ151LA.BIN
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe
C:\WINDOWS\system32\dvwwhgpc\csrss.exe
C:\WINDOWS\system32\devldr32.exe
C:\Program Files\Roxio\Easy Media Creator 7\Drag to Disc\DrgToDsc.exe
C:\WINDOWS\SM1BG.EXE
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Java\jre1.5.0_10\bin\jusched.exe
C:\Program Files\Creative\MediaSource\Detector\CTDetect.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\WINDOWS\system32\devldr32.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Microsoft Office\OFFICE11\WINWORD.EXE
C:\WINDOWS\system32\DllHost.exe
C:\Program Files\HijackThis\HijackThis.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.Email Removed.com/
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = \blank.htm
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = proxy.library.ubc.ca:8000
F3 - REG:win.ini: load=C:\WINDOWS\system32\dvwwhgpc\csrss.exe
F3 - REG:win.ini: run=C:\WINDOWS\system32\dvwwhgpc\csrss.exe
F2 - REG:system.ini: UserInit=C:\WINDOWS\System32\Userinit.exe
O1 - Hosts: 1.1.1.1 f-secure.com
O1 - Hosts: 1.1.1.1 www.f-secure.com
O1 - Hosts: 1.1.1.1 ftp.f-secure.com
O1 - Hosts: 1.1.1.1 ftp.sophos.com
O1 - Hosts: 1.1.1.1 liveupdate.symantec.com
O1 - Hosts: 1.1.1.1 customer.symantec.com
O1 - Hosts: 1.1.1.1 dispatch.mcafee.com
O1 - Hosts: 1.1.1.1 download.mcafee.com
O1 - Hosts: 1.1.1.1 rads.mcafee.com
O1 - Hosts: 1.1.1.1 mast.mcafee.com
O1 - Hosts: 1.1.1.1 my-etrust.com
O1 - Hosts: 1.1.1.1 www.my-etrust.com
O1 - Hosts: 1.1.1.1 nai.com
O1 - Hosts: 1.1.1.1 www.nai.com
O1 - Hosts: 1.1.1.1 networkassociates.com
O1 - Hosts: 1.1.1.1 secure.nai.com
O1 - Hosts: 1.1.1.1 securityresponse.symantec.com
O1 - Hosts: 1.1.1.1 service1.symantec.com
O1 - Hosts: 1.1.1.1 sophos.com
O1 - Hosts: 1.1.1.1 www.sophos.com
O1 - Hosts: 1.1.1.1 support.microsoft.com
O1 - Hosts: 1.1.1.1 symantec.com
O1 - Hosts: 1.1.1.1 www.symantec.com
O1 - Hosts: 1.1.1.1 update.symantec.com
O1 - Hosts: 1.1.1.1 updates.symantec.com
O1 - Hosts: 1.1.1.1 us.mcafee.com
O1 - Hosts: 1.1.1.1 vil.nai.com
O1 - Hosts: 1.1.1.1 viruslist.com
O1 - Hosts: 1.1.1.1 www.viruslist.com
O1 - Hosts: 1.1.1.1 grisoft.com
O1 - Hosts: 1.1.1.1 www.grisoft.com
O1 - Hosts: 1.1.1.1 free.grisoft.com
O1 - Hosts: 1.1.1.1 trendmicro.com
O1 - Hosts: 1.1.1.1 housecall.trendmicro.com
O1 - Hosts: 1.1.1.1 www.trendmicro.com
O1 - Hosts: 1.1.1.1 pandasoftware.com
O1 - Hosts: 1.1.1.1 www.pandasoftware.com
O1 - Hosts: 1.1.1.1 usa.kaspersky.com
O1 - Hosts: 1.1.1.1 ewido.net
O1 - Hosts: 1.1.1.1 www.ewido.net
O1 - Hosts: 1.1.1.1 zonelabs.com
O1 - Hosts: 1.1.1.1 www.zonelabs.com
O1 - Hosts: 1.1.1.1 bitdefender.com
O1 - Hosts: 1.1.1.1 www.bitdefender.com
O1 - Hosts: 1.1.1.1 download.bitdefender.com
O1 - Hosts: 1.1.1.1 upgrade.bitdefender.com
O1 - Hosts: 1.1.1.1 spywareinfo.com
O1 - Hosts: 1.1.1.1 www.spywareinfo.com
O1 - Hosts: 1.1.1.1 merijn.org
O1 - Hosts: 1.1.1.1 www.merijn.org
O1 - Hosts: 1.1.1.1 sysinternals.com
O1 - Hosts: 1.1.1.1 www.sysinternals.com
O1 - Hosts: 1.1.1.1 onguardonline.gov
O1 - Hosts: 1.1.1.1 www.onguardonline.gov
O1 - Hosts: 1.1.1.1 avast.com
O1 - Hosts: 1.1.1.1 www.avast.com
O1 - Hosts: 1.1.1.1 safety.live.com
O1 - Hosts: 1.1.1.1 www.paretologic.com
O1 - Hosts: 1.1.1.1 paretologic.com
O1 - Hosts: 1.1.1.1 virusscan.jotti.org
O1 - Hosts: 1.1.1.1 services.google.com
O1 - Hosts: 1.1.1.1 www.webroot.com
O1 - Hosts: 1.1.1.1 webroot.com
O2 - BHO: (no name) - {029CA12C-89C1-46a7-A3C7-82F2F98635CB} - (no file)
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_10\bin\ssv.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar4.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar4.dll
O4 - HKLM\..\Run: [Corel Graphics Suite 1117] C:\Program Files\Corel\Corel Graphics 11\Register\registration.exe /title="Corel Graphics Suite 11" /date=092004 serial=DR11CRD-0012082-DGW
O4 - HKLM\..\Run: [RoxioDragToDisc] "C:\Program Files\Roxio\Easy Media Creator 7\Drag to Disc\DrgToDsc.exe"
O4 - HKLM\..\Run: [SM1BG] C:\WINDOWS\SM1BG.EXE
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Nfo] C:\WINDOWS\system32\nfomon\nfomon.exe
O4 - HKLM\..\Run: [vidmon] C:\WINDOWS\system32\vidmon\vidmon.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_10\bin\jusched.exe
O4 - HKCU\..\Run: [ALUAlert] C:\Program Files\Symantec\LiveUpdate\ALUNotify.exe
O4 - HKCU\..\Run: [Creative Detector] C:\Program Files\Creative\MediaSource\Detector\CTDetect.exe /R
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Startup: csrss.lnk = ?
O4 - Global Startup: Adobe Gamma Loader.exe.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_10\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_10\bin\ssv.dll
O9 - Extra button: ATI TV - {44226DFF-747E-4edc-B30C-78752E50CD0C} - C:\Program Files\ATI Multimedia\tv\EXPLBAR.DLL
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: AOL Instant Messenger (tm) - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM95\aim.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .pdf: C:\Program Files\Internet Explorer\PLUGINS\nppdf32.dll
O15 - Trusted Zone: *.live.com
O15 - Trusted Zone: *.msn.com
O16 - DPF: RaptisoftGameLoader - http://www.miniclip.com/hamsterball/raptisoftgameloader.cab
O16 - DPF: {00B71CFB-6864-4346-A978-C0A14556272C} (Checkers Class) - http://messenger.zone.msn.com/binary/msgrchkr.cab31267.cab
O16 - DPF: {14B87622-7E19-4EA8-93B3-97215F77A6BC} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsPAClient.cab31267.cab
O16 - DPF: {288C5F13-7E52-4ADA-A32E-F5BF9D125F98} (CR64Loader Object) - http://www.miniclip.com/bestfriends/retro64_loader.dll
O16 - DPF: {2917297F-F02B-4B9D-81DF-494B6333150B} (Minesweeper Flags Class) - http://messenger.zone.msn.com/binary/MineSweeper.cab31267.cab
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://by124w.bay124.mail.live.com/mail/resources/MsnPUpld.cab
O16 - DPF: {5F8469B4-B055-49DD-83F7-62B522420ECC} (Facebook Photo Uploader Control) - http://upload.facebook.com/controls/FacebookPhotoUploader.cab
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsClient.cab31267.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://messenger.zone.msn.com/binary/ZIntro.cab47946.cab
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://zone.msn.com/bingame/dim2/default/popcaploader_v6.cab
O16 - DPF: {F127B9BA-89EA-4B04-9C67-2074A9DF61FD} (Photo Upload Plugin Class) - http://costco.pnimedia.com/upload/activex/v2_0_0_9/PCAXSetupv2.0.0.9.cab
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: avast! Mail Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe" /service (file missing)
O23 - Service: avast! Web Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe" /service (file missing)
O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: Client IP-IPX - Unknown owner - C:\WINDOWS\system32\svchosts.exe" -e te-110-12-0000282 (file missing)
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\system32\CTsvcCDA.EXE
O23 - Service: EPSON Printer Status Agent2 (EPSONStatusAgent2) - SEIKO EPSON CORPORATION - C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: PCTEL Speaker Phone (Pctspk) - PCtel, Inc. - C:\WINDOWS\system32\pctspk.exe
O23 - Service: PMJ151 AutoLaunch Service (PMJ151LA) - Matsushita Electric Industrial Co. ,Ltd, - C:\WINDOWS\PMJ151LA.BIN
O23 - Service: Ulead Burning Helper (UleadBurningHelper) - Ulead Systems, Inc. - C:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe
O23 - Service: X10 Device Network Service (x10nets) - Unknown owner - C:\PROGRA~1\ATIMUL~1\RemCtrl\x10nets.exe (file missing)
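The O1 lines in the log above are the most security-relevant part of it: every entry in the hosts file overrides DNS, so mapping anti-virus and anti-spyware vendor domains to 1.1.1.1 stops those products (and the update servers for the tools used in this thread) from being reached by name. The following is an added editor example, not part of the thread, that audits a hosts file for exactly this pattern. The watchlist of vendor domains is constructed from the domains that appear in the log, and the sample hosts text is constructed as well; a clean hosts file has no reason to name any of these domains, so a mapping is reported whatever address it points to (1.1.1.1, 127.0.0.1 or 0.0.0.0 all block the site equally).

```python
"""Audit a Windows hosts file for entries that override name resolution for
security-vendor domains (the pattern in the O1 lines of the log above).
Added editor example, not part of the thread.  The watchlist is constructed
from the registrable domains that appear in the log's O1 lines, and the
sample hosts text is constructed too."""

from typing import Dict, Iterator, List, Tuple

# Constructed watchlist: a clean hosts file has no reason to name any of these,
# so any mapping for them is a finding, regardless of the address used.
WATCHLIST = {
    "f-secure.com", "sophos.com", "symantec.com", "mcafee.com", "nai.com",
    "networkassociates.com", "my-etrust.com", "microsoft.com", "viruslist.com",
    "grisoft.com", "trendmicro.com", "pandasoftware.com", "kaspersky.com",
    "ewido.net", "zonelabs.com", "bitdefender.com", "spywareinfo.com",
    "merijn.org", "sysinternals.com", "onguardonline.gov", "avast.com",
    "live.com", "paretologic.com", "jotti.org", "google.com", "webroot.com",
}


def parent_domains(hostname: str) -> Iterator[str]:
    """Yield every suffix of at least two labels, longest first:
    www.f-secure.com -> www.f-secure.com, f-secure.com."""
    labels = hostname.lower().rstrip(".").split(".")
    for i in range(len(labels) - 1):
        yield ".".join(labels[i:])


def parse_hosts(text: str) -> List[Tuple[int, str, str]]:
    """Return (line_no, address, hostname) for every mapping in a hosts file.
    Blank lines and '#' comments (full-line or trailing) are skipped, and a
    line that lists several hostnames yields one entry per hostname."""
    entries = []
    for line_no, raw in enumerate(text.splitlines(), start=1):
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        address, *names = line.split()
        for name in names:
            entries.append((line_no, address, name))
    return entries


def audit_hosts(text: str) -> List[Dict[str, object]]:
    """Flag every hosts entry whose hostname falls under a watchlisted domain."""
    findings = []
    for line_no, address, name in parse_hosts(text):
        matched = next((d for d in parent_domains(name) if d in WATCHLIST), None)
        if matched is not None:
            findings.append({"line": line_no, "address": address,
                             "host": name, "domain": matched})
    return findings


# Constructed sample, modelled on the O1 lines in the log above; the first
# two mappings are the kind a legitimate hosts file contains.
SAMPLE_HOSTS = """\
# Constructed sample hosts file
127.0.0.1       localhost
192.168.1.20    fileserver.lan     # legitimate local mapping
1.1.1.1 f-secure.com
1.1.1.1 www.f-secure.com
1.1.1.1 liveupdate.symantec.com
1.1.1.1 housecall.trendmicro.com
127.0.0.1 free.grisoft.com
"""

if __name__ == "__main__":
    # On a live XP machine the file is %SystemRoot%\system32\drivers\etc\hosts.
    for f in audit_hosts(SAMPLE_HOSTS):
        print(f"line {f['line']}: {f['host']} -> {f['address']} (overrides {f['domain']})")
```

Run against the sample, the two legitimate lines pass and the five vendor mappings are reported with their line numbers, which is the list you would hand to whoever is cleaning the file; on a real machine, read `%SystemRoot%\system32\drivers\etc\hosts` and pass its contents to `audit_hosts`.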
-
I tried to attach the hijackthis logfile to this reply, but apparently I'm not permitted to upload that type of file.
Anyway, here is the AVG-Anti-Spyware Report:
---------------------------------------------------------
AVG Anti-Spyware - Scan Report
---------------------------------------------------------
+ Created at: 11:44:30 AM 3/13/2007
+ Scan result:
C:\WINDOWS\system32\chktrust.exe -> Adware.BargainBuddy : Cleaned with backup (quarantined).
C:\WINDOWS\system32\bde3d_refp4.dll -> Adware.BDE : Cleaned with backup (quarantined).
C:\WINDOWS\BDE -> Adware.BrilliantDigital : Cleaned with backup (quarantined).
C:\WINDOWS\BDE\Cache -> Adware.BrilliantDigital : Cleaned with backup (quarantined).
C:\WINDOWS\BDE\Cache\infowin1.txt -> Adware.BrilliantDigital : Cleaned with backup (quarantined).
C:\WINDOWS\BDE\Cache\infowin1a.txt -> Adware.BrilliantDigital : Cleaned with backup (quarantined).
C:\WINDOWS\BDE\Cache\infowin2.txt -> Adware.BrilliantDigital : Cleaned with backup (quarantined).
C:\WINDOWS\BDE\Cache\infowin3.txt -> Adware.BrilliantDigital : Cleaned with backup (quarantined).
C:\WINDOWS\BDE\Cache\installb3d3105.cab -> Adware.BrilliantDigital : Cleaned with backup (quarantined).
C:\WINDOWS\BDE\Cache\installb3dplayer3101.cab -> Adware.BrilliantDigital : Cleaned with backup (quarantined).
C:\WINDOWS\BDE\Update -> Adware.BrilliantDigital : Cleaned with backup (quarantined).
C:\WINDOWS\BDE\Update\setup.cab -> Adware.BrilliantDigital : Cleaned with backup (quarantined).
C:\WINDOWS\BDE\Update\zget.cab -> Adware.BrilliantDigital : Cleaned with backup (quarantined).
C:\WINDOWS\BDE\Update\zslot1.cab -> Adware.BrilliantDigital : Cleaned with backup (quarantined).
C:\WINDOWS\BDE\Update\zuninstall.cab -> Adware.BrilliantDigital : Cleaned with backup (quarantined).
C:\WINDOWS\BDE\Update\zupdate.exe -> Adware.BrilliantDigital : Cleaned with backup (quarantined).
C:\WINDOWS\BDE\movies -> Adware.BrilliantDigital : Cleaned with backup (quarantined).
C:\WINDOWS\BDE\movies\bethecasinosky -> Adware.BrilliantDigital : Cleaned with backup (quarantined).
C:\WINDOWS\BDE\movies\bethecasinosky\bethecasinosky.b3d -> Adware.BrilliantDigital : Cleaned with backup (quarantined).
C:\WINDOWS\BDE\movies\casino -> Adware.BrilliantDigital : Cleaned with backup (quarantined).
C:\WINDOWS\BDE\movies\casino2 -> Adware.BrilliantDigital : Cleaned with backup (quarantined).
C:\WINDOWS\BDE\movies\casino2\CASINO_1ST.dat -> Adware.BrilliantDigital : Cleaned with backup (quarantined).
C:\WINDOWS\BDE\movies\casino2\NOCLICK.dat -> Adware.BrilliantDigital : Cleaned with backup (quarantined).
C:\WINDOWS\BDE\movies\casino2\SCENE2.dat -> Adware.BrilliantDigital : Cleaned with backup (quarantined).
C:\WINDOWS\BDE\movies\casino2\SCENE_3.dat -> Adware.BrilliantDigital : Cleaned with backup (quarantined).
C:\WINDOWS\BDE\movies\casino2\SPIN1.dat -> Adware.BrilliantDigital : Cleaned with backup (quarantined).
C:\WINDOWS\BDE\movies\casino2\SPIN2.dat -> Adware.BrilliantDigital : Cleaned with backup (quarantined).
C:\WINDOWS\BDE\movies\casino2\casino2.b3d -> Adware.BrilliantDigital : Cleaned with backup (quarantined).
C:\WINDOWS\BDE\movies\casino3 -> Adware.BrilliantDigital : Cleaned with backup (quarantined).
C:\WINDOWS\BDE\movies\casino3\CASINO_1ST.dat -> Adware.BrilliantDigital : Cleaned with backup (quarantined).
C:\WINDOWS\BDE\movies\casino3\NOCLICK.dat -> Adware.BrilliantDigital : Cleaned with backup (quarantined).
C:\WINDOWS\BDE\movies\casino3\SCENE2.dat -> Adware.BrilliantDigital : Cleaned with backup (quarantined).
C:\WINDOWS\BDE\movies\casino3\SCENE_3.dat -> Adware.BrilliantDigital : Cleaned with backup (quarantined).
C:\WINDOWS\BDE\movies\casino3\SPIN1.dat -> Adware.BrilliantDigital : Cleaned with backup (quarantined).
C:\WINDOWS\BDE\movies\casino3\SPIN2.dat -> Adware.BrilliantDigital : Cleaned with backup (quarantined).
C:\WINDOWS\BDE\movies\casino3\casino3.b3d -> Adware.BrilliantDigital : Cleaned with backup (quarantined).
C:\WINDOWS\BDE\movies\casino\CASINO_1ST.dat -> Adware.BrilliantDigital : Cleaned with backup (quarantined).
C:\WINDOWS\BDE\movies\casino\NOCLICK.dat -> Adware.BrilliantDigital : Cleaned with backup (quarantined).
C:\WINDOWS\BDE\movies\casino\SCENE2.dat -> Adware.BrilliantDigital : Cleaned with backup (quarantined).
C:\WINDOWS\BDE\movies\casino\SCENE_3.dat -> Adware.BrilliantDigital : Cleaned with backup (quarantined).
C:\WINDOWS\BDE\movies\casino\SPIN1.dat -> Adware.BrilliantDigital : Cleaned with backup (quarantined).
C:\WINDOWS\BDE\movies\casino\SPIN2.dat -> Adware.BrilliantDigital : Cleaned with backup (quarantined).
C:\WINDOWS\BDE\movies\casino\casino.b3d -> Adware.BrilliantDigital : Cleaned with backup (quarantined).
C:\WINDOWS\BDE\movies\casinosky -> Adware.BrilliantDigital : Cleaned with backup (quarantined).
C:\WINDOWS\BDE\movies\casinosky2 -> Adware.BrilliantDigital : Cleaned with backup (quarantined).
C:\WINDOWS\BDE\movies\casinosky2\casinosky2.b3d -> Adware.BrilliantDigital : Cleaned with backup (quarantined).
C:\WINDOWS\BDE\movies\casinosky\casinosky.b3d -> Adware.BrilliantDigital : Cleaned with backup (quarantined).
C:\WINDOWS\BDE\movies\driven -> Adware.BrilliantDigital : Cleaned with backup (quarantined).
C:\WINDOWS\BDE\movies\driven\driven.b3d -> Adware.BrilliantDigital : Cleaned with backup (quarantined).
C:\WINDOWS\BDE\movies\fortunesky -> Adware.BrilliantDigital : Cleaned with backup (quarantined).
C:\WINDOWS\BDE\movies\fortunesky2 -> Adware.BrilliantDigital : Cleaned with backup (quarantined).
C:\WINDOWS\BDE\movies\fortunesky2\fortunesky2.b3d -> Adware.BrilliantDigital : Cleaned with backup (quarantined).
C:\WINDOWS\BDE\movies\fortunesky\fortunesky.b3d -> Adware.BrilliantDigital : Cleaned with backup (quarantined).
C:\WINDOWS\BDE\movies\goldenstar -> Adware.BrilliantDigital : Cleaned with backup (quarantined).
C:\WINDOWS\BDE\movies\goldenstar\goldenstar.b3d -> Adware.BrilliantDigital : Cleaned with backup (quarantined).
C:\WINDOWS\BDE\movies\mwbanner -> Adware.BrilliantDigital : Cleaned with backup (quarantined).
C:\WINDOWS\BDE\movies\mwbanner\mwbanner.b3d -> Adware.BrilliantDigital : Cleaned with backup (quarantined).
C:\WINDOWS\BDE\movies\neo -> Adware.BrilliantDigital : Cleaned with backup (quarantined).
C:\WINDOWS\BDE\movies\neo\SCENE01.dat -> Adware.BrilliantDigital : Cleaned with backup (quarantined).
C:\WINDOWS\BDE\movies\neo\neo.b3d -> Adware.BrilliantDigital : Cleaned with backup (quarantined).
C:\WINDOWS\BDE\movies\reefclub -> Adware.BrilliantDigital : Cleaned with backup (quarantined).
C:\WINDOWS\BDE\movies\reefclub\CASINO_SLOTS_MAIN.dat -> Adware.BrilliantDigital : Cleaned with backup (quarantined).
C:\WINDOWS\BDE\movies\reefclub\END_BLACK.dat -> Adware.BrilliantDigital : Cleaned with backup (quarantined).
C:\WINDOWS\BDE\movies\reefclub\END_DEFAULT.dat -> Adware.BrilliantDigital : Cleaned with backup (quarantined).
C:\WINDOWS\BDE\movies\reefclub\reefclub.b3d -> Adware.BrilliantDigital : Cleaned with backup (quarantined).
C:\WINDOWS\BDE\movies\reefclub_sky -> Adware.BrilliantDigital : Cleaned with backup (quarantined).
C:\WINDOWS\BDE\movies\reefclub_sky\reefclub_sky.b3d -> Adware.BrilliantDigital : Cleaned with backup (quarantined).
C:\WINDOWS\BDE\mskin -> Adware.BrilliantDigital : Cleaned with backup (quarantined).
C:\WINDOWS\BDE\mskin\config3.ini -> Adware.BrilliantDigital : Cleaned with backup (quarantined).
C:\WINDOWS\BDE\mskin\mskin.bmp -> Adware.BrilliantDigital : Cleaned with backup (quarantined).
C:\WINDOWS\QmFudGluZyBGYW1pbHk\asappsrv.dll -> Adware.CommAd : Cleaned with backup (quarantined).
C:\WINDOWS\QmFudGluZyBGYW1pbHk\command.exe -> Adware.CommAd : Cleaned with backup (quarantined).
C:\Program Files\PeDevice\PeDev.dll -> Adware.Delfin : Cleaned with backup (quarantined).
C:\RECYCLER\S-1-5-21-329068152-1563985344-1060284298-1005\Dc11\PeDev.dll -> Adware.Delfin : Cleaned with backup (quarantined).
HKLM\SOFTWARE\Classes\VCCPGDATAACCESS.PgDataAccessCtrl.1 -> Adware.Delfin : Cleaned with backup (quarantined).
C:\Program Files\Common Files\Uninstall Information\RemoveWebDP.exe -> Adware.DelphinMediaViewer : Cleaned with backup (quarantined).
C:\WINDOWS\system32\nfomon\nfo.ocx -> Adware.DelphinMediaViewer : Cleaned with backup (quarantined).
HKLM\SOFTWARE\Classes\CLSID\{E1412445-4FF8-410e-8D24-F2CF86B171A4} -> Adware.Generic : Cleaned with backup (quarantined).
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{E1412445-4FF8-410e-8D24-F2CF86B171A4} -> Adware.Generic : Cleaned with backup (quarantined).
HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{E1412445-4FF8-410E-8D24-F2CF86B171A4} -> Adware.Generic : Cleaned with backup (quarantined).
HKU\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{E1412445-4FF8-410E-8D24-F2CF86B171A4} -> Adware.Generic : Cleaned with backup (quarantined).
HKU\S-1-5-21-329068152-1563985344-1060284298-1006\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{E1412445-4FF8-410E-8D24-F2CF86B171A4} -> Adware.Generic : Cleaned with backup (quarantined).
C:\WINDOWS\NDNuninstall4_34.exe -> Adware.NewDotNet : Cleaned with backup (quarantined).
C:\Program Files\Common Files\{3830DA84-0BB6-1033-0217-050312030002}\Update.exe -> Adware.Softomate : Cleaned with backup (quarantined).
C:\Program Files\Common Files\{3830DA84-0BB6-1033-0217-050312030002}\system.dll -> Adware.Softomate : Cleaned with backup (quarantined).
C:\Program Files\Common Files\{3830DA84-0BBA-1033-0217-050312030002}\Update.exe -> Adware.Softomate : Cleaned with backup (quarantined).
C:\Program Files\Common Files\{3830DA84-0BBA-1033-0217-050312030002}\system.dll -> Adware.Softomate : Cleaned with backup (quarantined).
C:\Documents and Settings\Banting Family\My Documents\GoldMinerSetup-dm.exe -> Adware.Trymedia : Cleaned with backup (quarantined).
C:\Downloads\MobEnf_Setup-dm[1].exe -> Adware.Trymedia : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{426BE8FD-3198-4FF3-BD06-23BD2FEA7884}\RP2\A0000046.dll -> Adware.WebHancer : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{426BE8FD-3198-4FF3-BD06-23BD2FEA7884}\RP2\A0000047.exe -> Adware.WebHancer : Cleaned with backup (quarantined).
HKLM\SOFTWARE\Classes\WhIeHelperObj.WhIeHelperObj -> Adware.WebHancer : Cleaned with backup (quarantined).
HKLM\SOFTWARE\Classes\WhIeHelperObj.WhIeHelperObj.1 -> Adware.WebHancer : Cleaned with backup (quarantined).
HKLM\SOFTWARE\Classes\WhIeHelperObj.WhIeHelperObj\CurVer -> Adware.WebHancer : Cleaned with backup (quarantined).
HKLM\SOFTWARE\webhancer -> Adware.WebHancer : Cleaned with backup (quarantined).
HKLM\SOFTWARE\webhancer\CC -> Adware.WebHancer : Cleaned with backup (quarantined).
HKLM\SOFTWARE\webhancer\ESO -> Adware.WebHancer : Cleaned with backup (quarantined).
C:\WINDOWS\system32\EGDHTML_1026.dll -> Dialer.EGroup.1025 : Cleaned with backup (quarantined).
C:\WINDOWS\system32\EGDial.dll -> Dialer.EGroup.1025 : Cleaned with backup (quarantined).
C:\Documents and Settings\Ace\Desktop\install.exe -> Dropper.Agent.bbp : Cleaned with backup (quarantined).
C:\RECYCLER\S-1-5-21-329068152-1563985344-1060284298-1003\Dc90.txt -> TrackingCookie.247realmedia : Cleaned.
C:\RECYCLER\S-1-5-21-329068152-1563985344-1060284298-1003\Dc88.txt -> TrackingCookie.2o7 : Cleaned.
F:\Mama's Documents\Mama\Cookies\mama@2o7[2].txt -> TrackingCookie.2o7 : Cleaned.
C:\RECYCLER\S-1-5-21-329068152-1563985344-1060284298-1003\Dc191.txt -> TrackingCookie.Adbrite : Cleaned.
C:\RECYCLER\S-1-5-21-329068152-1563985344-1060284298-1003\Dc97.txt -> TrackingCookie.Adrevolver : Cleaned.
C:\RECYCLER\S-1-5-21-329068152-1563985344-1060284298-1003\Dc100.txt -> TrackingCookie.Advertising : Cleaned.
C:\RECYCLER\S-1-5-21-329068152-1563985344-1060284298-1003\Dc106.txt -> TrackingCookie.Atdmt : Cleaned.
C:\RECYCLER\S-1-5-21-329068152-1563985344-1060284298-1003\Dc113.txt -> TrackingCookie.Bluestreak : Cleaned.
C:\RECYCLER\S-1-5-21-329068152-1563985344-1060284298-1003\Dc119.txt -> TrackingCookie.Casalemedia : Cleaned.
C:\RECYCLER\S-1-5-21-329068152-1563985344-1060284298-1003\Dc125.txt -> TrackingCookie.Com : Cleaned.
C:\RECYCLER\S-1-5-21-329068152-1563985344-1060284298-1003\Dc132.txt -> TrackingCookie.Doubleclick : Cleaned.
F:\Mama's Documents\Mama\Cookies\mama@doubleclick[1].txt -> TrackingCookie.Doubleclick : Cleaned.
C:\RECYCLER\S-1-5-21-329068152-1563985344-1060284298-1003\Dc136.txt -> TrackingCookie.Estat : Cleaned.
C:\RECYCLER\S-1-5-21-329068152-1563985344-1060284298-1003\Dc138.txt -> TrackingCookie.Fastclick : Cleaned.
F:\Mama's Documents\Mama\Cookies\[email protected][2].txt -> TrackingCookie.Hitbox : Cleaned.
F:\Mama's Documents\Mama\Cookies\mama@hitbox[2].txt -> TrackingCookie.Hitbox : Cleaned.
C:\RECYCLER\S-1-5-21-329068152-1563985344-1060284298-1003\Dc155.txt -> TrackingCookie.Mediaplex : Cleaned.
C:\RECYCLER\S-1-5-21-329068152-1563985344-1060284298-1003\Dc174.txt -> TrackingCookie.Questionmarket : Cleaned.
C:\RECYCLER\S-1-5-21-329068152-1563985344-1060284298-1003\Dc175.txt -> TrackingCookie.Realmedia : Cleaned.
F:\Mama's Documents\Mama\Cookies\[email protected][1].txt -> TrackingCookie.Serving-sys : Cleaned.
F:\Mama's Documents\Mama\Cookies\mama@serving-sys[2].txt -> TrackingCookie.Serving-sys : Cleaned.
C:\RECYCLER\S-1-5-21-329068152-1563985344-1060284298-1003\Dc190.txt -> TrackingCookie.Statcounter : Cleaned.
C:\RECYCLER\S-1-5-21-329068152-1563985344-1060284298-1003\Dc197.txt -> TrackingCookie.Tribalfusion : Cleaned.
C:\RECYCLER\S-1-5-21-329068152-1563985344-1060284298-1003\Dc199.txt -> TrackingCookie.Valueclick : Cleaned.
C:\RECYCLER\S-1-5-21-329068152-1563985344-1060284298-1003\Dc204.txt -> TrackingCookie.Web-stat : Cleaned.
C:\RECYCLER\S-1-5-21-329068152-1563985344-1060284298-1003\Dc93.txt -> TrackingCookie.Yieldmanager : Cleaned.
C:\RECYCLER\S-1-5-21-329068152-1563985344-1060284298-1003\Dc117.txt -> TrackingCookie.Zedo : Cleaned.
C:\RECYCLER\S-1-5-21-329068152-1563985344-1060284298-1003\Dc233.txt -> TrackingCookie.Zedo : Cleaned.
C:\WINDOWS\QmFudGluZyBGYW1pbHk\kAIRx35RtV13sqYDvJ4.vbs -> Trojan.Small : Cleaned with backup (quarantined).
C:\WINDOWS\system32\wnsintsv.exe -> Trojan.Small : Cleaned with backup (quarantined).
::Report end
-
Can you do the following please
Download MsnVirRem.exe to your desktop from one of the following mirrors.
- Mirror 1 (http://downloads.malwareremoval.com/MsnVirRem.exe)
- Mirror 2 (http://www.thespykiller.co.uk/forum/index.php?action=tpmod;dl=item9)
- Mirror 3 (http://www.greyknight17.com/spy/MsnVirRem.exe)
- First close any other programs you have running, as this will require a reboot
- Double click MsnVirRem.exe to run it
- Once open, click the button labelled "Search and Destroy"
<<Your computer will now be scanned for Infected Files>>
- When scanning is finished you will be prompted to reboot only if infected. Click OK
- Now click the "REBOOT" button.
- After the reboot, you WILL receive file not found errors (usually 4); please acknowledge them and continue.
- A message should pop up from MsnVirRem; if not, double click the program again and it will finish
Please post the contents of C:\msnvirrem.log along with a fresh HijackThis log
NOTE: Before copying any of the logs, when you open them, can you ensure that Word Wrap is UNchecked under Format before the copy>>Paste please
-
The same thing keeps happening over and over again! Every time I click on HijackThis or msnvirrem.exe, it disappears from my screen before I can even read what it says! The farthest I got was downloading it and clicking on "Search and Destroy", and that's when it goes away. Nothing happens after that. Do you know what might be causing this? Is it part of the virus?
-
According to your comboscan earlier, some file associations are messed up
Let's see if repairing them will help
Please do the following
Open "MyComputer"
TOOLS>>FOLDER OPTIONS>>FILE TYPES
Let this populate
Under Registered file types:>>Extensions> scroll down to
REG
Highlight Reg and then click the ADVANCED button
On my computer with XP SP2 installed, my settings are the following
Highlight edit,
Select Edit.....
The application used to perform action should read exactly
C:\WINDOWS\system32\NOTEPAD.EXE %1
and nothing else
If not, copy>>Paste that to the line
Use DDE is selected and application: NOTEPAD
OK it
If edit is not available select NEW>>under action type edit
and fill in the info under application use to perform action
Highlight Merge and select edit
Under action, should read
Mer&ge
Under application used to perform action:
regedit.exe "%1"
Use DDE is selected
Application:regedit
Let's move on to another extension type
Scroll down to
TXT
Click the advanced button
Under actions highlight open and then click edit....
Under application used to perform action:
C:\WINDOWS\system32\NOTEPAD.EXE %1
Use DDE is selected
application: NOTEPAD
EDIT>>I thought of another plan also, if the above is too confusing, can you do the following
Go [color=\"#0000FF\"]HERE[/color] (http://\"http://www.kztechs.com/eng/download.html\")
Download System Repair Engineer 2.4.12.805>>save to desktop
UNZIP the contents to it's own folder
Open SREng.exe and click on System repair, under File associtions>>Select all then choose Repair
Hold onto Sreng.exe for now, we may need it in a bit
Try running MsnVirRem.exe again with the instructions I posted earlier
and post back the logs
If still no go, can you run comboscan again and post a fresh log please
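A way to check the three associations walked through in the post above without clicking through the Folder Options dialog, added here as an example; it is not from the thread and not code from any of the tools named in it. It assumes the text format printed by Windows' built-in `reg query` command (the sample output embedded below is constructed, and its txtfile value is a deliberately wrong, made-up entry so the mismatch path is exercised), that the Merge action lives under the `open` verb of `regfile`, and that the registry stores the Notepad command as `%SystemRoot%\system32\NOTEPAD.EXE %1`, which Folder Options displays in expanded form as `C:\WINDOWS\system32\NOTEPAD.EXE %1`.

```python
import re

# Assumed location of the Windows directory when expanding %SystemRoot%.
SYSTEM_ROOT = r"C:\WINDOWS"

# The three associations the post walks through, keyed by the registry
# location Folder Options edits behind the scenes (assumption: XP SP2 layout).
EXPECTED = {
    r"HKEY_CLASSES_ROOT\regfile\shell\edit\command": r"C:\WINDOWS\system32\NOTEPAD.EXE %1",
    r"HKEY_CLASSES_ROOT\regfile\shell\open\command": r'regedit.exe "%1"',  # the Merge action
    r"HKEY_CLASSES_ROOT\txtfile\shell\open\command": r"C:\WINDOWS\system32\NOTEPAD.EXE %1",
}

# Constructed sample of what `reg query <key>` prints on XP. The txtfile
# entry is a made-up wrong value, included only to show a mismatch.
REG_OUTPUT = r"""
HKEY_CLASSES_ROOT\regfile\shell\edit\command
    (Default)    REG_EXPAND_SZ    %SystemRoot%\system32\NOTEPAD.EXE %1

HKEY_CLASSES_ROOT\regfile\shell\open\command
    (Default)    REG_SZ    regedit.exe "%1"

HKEY_CLASSES_ROOT\txtfile\shell\open\command
    (Default)    REG_EXPAND_SZ    C:\WINDOWS\system32\hijacked.exe "%1"
"""

KEY_RE = re.compile(r"^(HKEY_\S.*?)\s*$")
VALUE_RE = re.compile(r"^\s+\(Default\)\s+(REG_[A-Z_]+)\s+(.*?)\s*$")


def parse_reg_query(text):
    """Map each key in `reg query` output to its (type, data) default value."""
    result, current = {}, None
    for line in text.splitlines():
        m = KEY_RE.match(line)
        if m:
            current = m.group(1)
            continue
        m = VALUE_RE.match(line)
        if m and current:
            result[current] = (m.group(1), m.group(2))
    return result


def normalize(cmd):
    """Compare commands the way the shell sees them: expand %SystemRoot% and
    %windir%, ignore case, collapse whitespace. A function is used as the
    replacement so the backslashes in SYSTEM_ROOT are not treated as escapes."""
    cmd = re.sub(r"%systemroot%|%windir%", lambda _m: SYSTEM_ROOT, cmd, flags=re.IGNORECASE)
    return " ".join(cmd.split()).lower()


def check_associations(reg_text, expected=EXPECTED):
    """Return {key: (status, actual)} with status ok / mismatch / missing."""
    values = parse_reg_query(reg_text)
    report = {}
    for key, want in expected.items():
        if key not in values:
            report[key] = ("missing", None)
            continue
        _, actual = values[key]
        status = "ok" if normalize(actual) == normalize(want) else "mismatch"
        report[key] = (status, actual)
    return report


if __name__ == "__main__":
    # On a real machine, feed in the combined output of
    #   reg query HKCR\regfile\shell\edit\command  (and the other two keys)
    for key, (status, actual) in check_associations(REG_OUTPUT).items():
        print(f"{status:8} {key}  ->  {actual}")
```

The tolerant comparison matters: a key that stores `%SystemRoot%\system32\NOTEPAD.EXE %1` as REG_EXPAND_SZ is correct even though it does not literally match the string the dialog shows, so a byte-for-byte check would report a false mismatch.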
-
Phew! That works so much better. Thanks so much!
This is all that was in the C:\msnvirrem.log:
MsnVirRem Log by Skate_Punk_21
Please Note: any existing old logs will have now been renamed to msnvirremOLD.log
Fix running from: C:\Documents and Settings\Ace\Desktop
3/15/2007
9:43:42 PM
------------------------------------
And here is the HijackThis log:
Logfile of HijackThis v1.99.1
Scan saved at 9:46:59 PM, on 3/15/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\WINDOWS\system32\svchosts.exe
C:\WINDOWS\system32\CTsvcCDA.EXE
C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\system32\pctspk.exe
C:\WINDOWS\PMJ151LA.BIN
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\devldr32.exe
C:\Program Files\Roxio\Easy Media Creator 7\Drag to Disc\DrgToDsc.exe
C:\WINDOWS\SM1BG.EXE
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Java\jre1.5.0_10\bin\jusched.exe
C:\Program Files\Creative\MediaSource\Detector\CTDetect.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\system32\DllHost.exe
C:\Program Files\HijackThis\HijackThis.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.ca/firefox (http://\"http://www.google.ca/firefox\")
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = \blank.htm
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = proxy.library.ubc.ca:8000
F2 - REG:system.ini: UserInit=C:\WINDOWS\System32\Userinit.exe
O2 - BHO: (no name) - {029CA12C-89C1-46a7-A3C7-82F2F98635CB} - (no file)
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_10\bin\ssv.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar4.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar4.dll
O4 - HKLM\..\Run: [Corel Graphics Suite 1117] C:\Program Files\Corel\Corel Graphics 11\Register\registration.exe /title="Corel Graphics Suite 11" /date=092004 serial=DR11CRD-0012082-DGW
O4 - HKLM\..\Run: [RoxioDragToDisc] "C:\Program Files\Roxio\Easy Media Creator 7\Drag to Disc\DrgToDsc.exe"
O4 - HKLM\..\Run: [SM1BG] C:\WINDOWS\SM1BG.EXE
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Nfo] C:\WINDOWS\system32\nfomon\nfomon.exe
O4 - HKLM\..\Run: [vidmon] C:\WINDOWS\system32\vidmon\vidmon.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_10\bin\jusched.exe
O4 - HKCU\..\Run: [ALUAlert] C:\Program Files\Symantec\LiveUpdate\ALUNotify.exe
O4 - HKCU\..\Run: [Creative Detector] C:\Program Files\Creative\MediaSource\Detector\CTDetect.exe /R
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Global Startup: Adobe Gamma Loader.exe.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: MsnVirRem.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_10\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_10\bin\ssv.dll
O9 - Extra button: ATI TV - {44226DFF-747E-4edc-B30C-78752E50CD0C} - C:\Program Files\ATI Multimedia\tv\EXPLBAR.DLL
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: AOL Instant Messenger (tm) - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM95\aim.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .pdf: C:\Program Files\Internet Explorer\PLUGINS\nppdf32.dll
O15 - Trusted Zone: *.live.com
O15 - Trusted Zone: *.msn.com
O16 - DPF: RaptisoftGameLoader - http://www.miniclip.com/hamsterball/raptisoftgameloader.cab (http://\"http://www.miniclip.com/hamsterball/raptisoftgameloader.cab\")
O16 - DPF: {00B71CFB-6864-4346-A978-C0A14556272C} (Checkers Class) - http://messenger.zone.msn.com/binary/msgrchkr.cab31267.cab (http://\"http://messenger.zone.msn.com/binary/msgrchkr.cab31267.cab\")
O16 - DPF: {14B87622-7E19-4EA8-93B3-97215F77A6BC} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/Messe...nt.cab31267.cab (http://\"http://messenger.zone.msn.com/binary/MessengerStatsPAClient.cab31267.cab\")
O16 - DPF: {288C5F13-7E52-4ADA-A32E-F5BF9D125F98} (CR64Loader Object) - http://www.miniclip.com/bestfriends/retro64_loader.dll (http://\"http://www.miniclip.com/bestfriends/retro64_loader.dll\")
O16 - DPF: {2917297F-F02B-4B9D-81DF-494B6333150B} (Minesweeper Flags Class) - http://messenger.zone.msn.com/binary/MineS...er.cab31267.cab (http://\"http://messenger.zone.msn.com/binary/MineSweeper.cab31267.cab\")
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://by124w.bay124.mail.live.com/mail/re...es/MsnPUpld.cab (http://\"http://by124w.bay124.mail.live.com/mail/resources/MsnPUpld.cab\")
O16 - DPF: {5F8469B4-B055-49DD-83F7-62B522420ECC} (Facebook Photo Uploader Control) - http://upload.facebook.com/controls/Facebo...otoUploader.cab (http://\"http://upload.facebook.com/controls/FacebookPhotoUploader.cab\")
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/Messe...nt.cab31267.cab (http://\"http://messenger.zone.msn.com/binary/MessengerStatsClient.cab31267.cab\")
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://messenger.zone.msn.com/binary/ZIntro.cab47946.cab (http://\"http://messenger.zone.msn.com/binary/ZIntro.cab47946.cab\")
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://zone.msn.com/bingame/dim2/default/popcaploader_v6.cab (http://\"http://zone.msn.com/bingame/dim2/default/popcaploader_v6.cab\")
O16 - DPF: {F127B9BA-89EA-4B04-9C67-2074A9DF61FD} (Photo Upload Plugin Class) - http://costco.pnimedia.com/upload/activex/...tupv2.0.0.9.cab (http://\"http://costco.pnimedia.com/upload/activex/v2_0_0_9/PCAXSetupv2.0.0.9.cab\")?
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: avast! Mail Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe" /service (file missing)
O23 - Service: avast! Web Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe" /service (file missing)
O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: Client IP-IPX - Unknown owner - C:\WINDOWS\system32\svchosts.exe" -e te-110-12-0000282 (file missing)
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\system32\CTsvcCDA.EXE
O23 - Service: EPSON Printer Status Agent2 (EPSONStatusAgent2) - SEIKO EPSON CORPORATION - C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: PCTEL Speaker Phone (Pctspk) - PCtel, Inc. - C:\WINDOWS\system32\pctspk.exe
O23 - Service: PMJ151 AutoLaunch Service (PMJ151LA) - Matsushita Electric Industrial Co. ,Ltd, - C:\WINDOWS\PMJ151LA.BIN
O23 - Service: Ulead Burning Helper (UleadBurningHelper) - Ulead Systems, Inc. - C:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe
O23 - Service: X10 Device Network Service (x10nets) - Unknown owner - C:\PROGRA~1\ATIMUL~1\RemCtrl\x10nets.exe (file missing)
-
That's looking better, but I want to throw another tool at you
You still have a trojan.
Can you do the following please:
==Download SDFix (http://downloads.andymanchesta.com/RemovalTools/SDFix.exe) and save it to your Desktop.
Double click SDFix.exe and it will extract the files to %systemdrive%
(Drive that contains the Windows Directory, typically C:\SDFix)
We'll need this later
Print the rest of these instructions, or copy>>paste them to a text file saved to desktop for reference please
Do a "System scan only" with Hijackthis and put a check next to these entries:
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = \blank.htm
O2 - BHO: (no name) - {029CA12C-89C1-46a7-A3C7-82F2F98635CB} - (no file)
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [Nfo] C:\WINDOWS\system32\nfomon\nfomon.exe
O4 - HKLM\..\Run: [vidmon] C:\WINDOWS\system32\vidmon\vidmon.exe
After you have ticked the above entries, close all other open windows
Including this one
Leave HijackThis open and click FIX CHECKED
OK the prompt and exit HijackThis
Reboot your computer into Safe Mode. To boot into Safe Mode, please restart your computer. Tap F8 before Windows loads. Select Safe Mode on the top of the screen that appears.
Sign in with your normal user account
SDFix
Go to START>>My Computer>>Double click to open the C:\ folder - Open the extracted SDFix folder and double click RunThis.bat to start the script.
- Type Y to begin the cleanup process.
- It will remove any Trojan Services and Registry Entries that it finds then prompt you to press any key to Reboot.
- Press any Key and it will restart the PC.
- When the PC restarts the Fixtool will run again and complete the removal process then display Finished, press any key to end the script and load your desktop icons.
- Once the desktop icons load the SDFix report will open on screen and also save into the SDFix folder as Report.txt
I want to see a few logs please, just to ensure you're looking good on your side
1. Post the report from SDFix>>Report.txt
2. I would like to see the old log from MsnVirRem.exe>>C:\msnvirremOLD.log
3. Post a fresh HijackThis log
4. Just for a double check, can you run a fresh scan with ComboScan and post a new log
NOTE: It will probably take a couple replies to post all the info, please do so if needed
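Worked example, added here and not part of the thread (it is not code from HijackThis, SDFix or any other tool named above): a small Python triage script that applies the kinds of judgement the helper used on the log above to a constructed sample log copying the entry formats in this thread. The list of protected Windows binary names, the directories they are expected in, and the rule thresholds are my assumptions; the output is a set of prompts for a human reviewer, not a verdict on any line.

```python
import re
from pathlib import PureWindowsPath

# Constructed sample log modelled on HijackThis 1.99.1 output; the suspicious
# lines copy the entries singled out in the thread, the rest are benign ones.
SAMPLE_LOG = r"""
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchosts.exe
C:\Program Files\HijackThis\HijackThis.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = \blank.htm
O2 - BHO: (no name) - {029CA12C-89C1-46a7-A3C7-82F2F98635CB} - (no file)
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_10\bin\ssv.dll
O4 - HKLM\..\Run: [Nfo] C:\WINDOWS\system32\nfomon\nfomon.exe
O4 - HKLM\..\Run: [vidmon] C:\WINDOWS\system32\vidmon\vidmon.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O23 - Service: Client IP-IPX - Unknown owner - C:\WINDOWS\system32\svchosts.exe" -e te-110-12-0000282 (file missing)
O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
"""

# Assumed set of Windows core binaries whose names malware likes to imitate,
# and the only directories (lower-cased) they are expected to run from.
SYSTEM_BINARIES = {"smss.exe", "csrss.exe", "winlogon.exe", "services.exe",
                   "lsass.exe", "svchost.exe", "spoolsv.exe", "explorer.exe",
                   "ctfmon.exe"}
SYSTEM_DIRS = {r"c:\windows", r"c:\windows\system32"}
SYSTEM32_PREFIX = "c:\\windows\\system32\\"

# First drive-letter path ending in a binary extension on the line.
PATH_RE = re.compile(r'[a-z]:\\[^"]*?\.(?:exe|dll|bin|sys)\b', re.IGNORECASE)


def edit_distance_at_most_one(a, b):
    """True when a and b differ by exactly one insertion, deletion or substitution."""
    if a == b or abs(len(a) - len(b)) > 1:
        return False
    i = j = edits = 0
    while i < len(a) and j < len(b):
        if a[i] == b[j]:
            i += 1
            j += 1
            continue
        edits += 1
        if edits > 1:
            return False
        if len(a) > len(b):
            i += 1          # deletion from a
        elif len(b) > len(a):
            j += 1          # insertion into a
        else:
            i += 1          # substitution
            j += 1
    return edits + (len(a) - i) + (len(b) - j) <= 1


def classify(line):
    """Return the reason a HijackThis line deserves a look, or None."""
    m = PATH_RE.search(line)
    path = PureWindowsPath(m.group(0)) if m else None
    name = path.name.lower() if path else ""
    parent = str(path.parent).lower() if path else ""

    if line.startswith("O2 ") and "(no file)" in line:
        return "BHO registered but its DLL is gone (orphaned CLSID)"
    if line.startswith("O23 ") and "(file missing)" in line:
        return "service whose binary is missing or whose command line is malformed"
    if path and name in SYSTEM_BINARIES and parent not in SYSTEM_DIRS:
        return f"{name} running from an unexpected directory ({parent})"
    if path and any(edit_distance_at_most_one(name, real) for real in SYSTEM_BINARIES):
        return f"{name} is one character away from a Windows system binary name"
    if line.startswith("O4 ") and parent.startswith(SYSTEM32_PREFIX):
        return "autorun entry launching from a subdirectory of system32"
    return None


def triage(log_text):
    """Return [(reason, line)] for every line worth a human's attention."""
    findings = []
    for line in log_text.splitlines():
        line = line.strip()
        if line:
            reason = classify(line)
            if reason:
                findings.append((reason, line))
    return findings


if __name__ == "__main__":
    for reason, line in triage(SAMPLE_LOG):
        print(f"[{reason}]\n    {line}")
```

Each flag is a reason to look, not proof of infection: the "file missing" rule would also catch the two avast! service entries in the log above, whose command lines contain a stray quote, and a reviewer has to decide those are benign. The value of the near-miss rule is in catching names like `svchosts.exe` that the eye slides over in a list of forty `svchost.exe` processes.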
-
Here's my SDFix Report:
SDFix: Version 1.73
Run by Ace - Sun 03/18/2007 - 17:09:22.51
Microsoft Windows XP [Version 5.1.2600]
Running From: C:\SDFix\SDFix
Safe Mode:
Checking Services:
Name:
Client IP-IPX
Path:
"C:\WINDOWS\system32\svchosts.exe" -e te-110-12-0000282
Client IP-IPX Deleted
Restoring Windows Registry Entries
Restoring Default Hosts File
Rebooting...
Normal Mode:
Checking Files:
Below files will be copied to Backups folder then removed:
C:\WINDOWS\system32\svchosts.exe - Deleted
C:\WINDOWS\system32\TFTP1940 - Deleted
C:\WINDOWS\system32\unsvchosts.exe - Deleted
C:\WINDOWS\system32\unsvchosts.lzma - Deleted
ADS Check:
C:\WINDOWS\system32
No streams found.
Final Check:
Remaining Services:
------------------
Authorized Application Key Export:
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"C:\\Program Files\\Valve\\Steam\\Steam.exe"="C:\\Program Files\\Valve\\Steam\\Steam.exe:*:Enabled:Steam"
"C:\\Program Files\\Valve\\Steam\\SteamApps\\anton_brosasEmail Removed\\counter-strike\\hl.exe"="C:\\Program Files\\Valve\\Steam\\SteamApps\\anton_brosasEmail Removed\\counter-strike\\hl.exe:*:Disabled:Half-Life Launcher"
"C:\\Program Files\\Google\\Google Talk\\googletalk.exe"="C:\\Program Files\\Google\\Google Talk\\googletalk.exe:*:Enabled:Google Talk"
"C:\\Program Files\\BitTorrent\\bittorrent.exe"="C:\\Program Files\\BitTorrent\\bittorrent.exe:*:Disabled:BitTorrent"
"C:\\Program Files\\Pictionary\\Pictionary.exe"="C:\\Program Files\\Pictionary\\Pictionary.exe:*:Disabled:Pictionary"
"C:\\Program Files\\Messenger\\msmsgs.exe"="C:\\Program Files\\Messenger\\msmsgs.exe:*:Disabled:Windows Messenger"
"C:\\Program Files\\MSN Messenger\\msnmsgr.exe"="C:\\Program Files\\MSN Messenger\\msnmsgr.exe:*:Enabled:MSN Messenger 7.5"
"C:\\Program Files\\LimeWire\\LimeWire.exe"="C:\\Program Files\\LimeWire\\LimeWire.exe:*:Enabled:LimeWire"
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"C:\\Program Files\\MSN Messenger\\msnmsgr.exe"="C:\\Program Files\\MSN Messenger\\msnmsgr.exe:*:Enabled:MSN Messenger 7.5"
Remaining Files:
---------------
Backups Folder: - C:\SDFix\SDFix\backups\backups.zip
Checking For Files with Hidden Attributes :
C:\Program Files\Common Files\MSSoap\Binaries\wisc10.dll
C:\Program Files\Common Files\MSSoap\Binaries\Resources\1033\mssoapr.dll
C:\RECYCLER\NPROTECT1644511.dll
C:\RECYCLER\NPROTECT1644513.DLL
C:\RECYCLER\NPROTECT1644514.dll
C:\RECYCLER\NPROTECT1644515.dll
C:\RECYCLER\NPROTECT1644516.dll
C:\RECYCLER\NPROTECT1644517.dll
C:\RECYCLER\NPROTECT1644518.DLL
C:\RECYCLER\NPROTECT1644519.dll
C:\RECYCLER\NPROTECT1644520.dll
C:\RECYCLER\NPROTECT1644521.dll
C:\RECYCLER\NPROTECT1644522.dll
C:\RECYCLER\NPROTECT1644524.dll
C:\RECYCLER\NPROTECT1644540.dll
C:\RECYCLER\NPROTECT1644541.dll
C:\RECYCLER\S-1-5-21-329068152-1563985344-1060284298-1005\Dc15\arpa.exe
C:\Program Files\ATI Multimedia\RemCtrl\x10prod.sys
C:\Documents and Settings\Ace\Application Data\Roxio\Dragon\DiscInfoCache\HL-DT-ST_DVDRAM_GSA-4082B_A201_310_DICV018_DRGV205002F.TMP
C:\Documents and Settings\Ace\Application Data\Roxio\Dragon\DiscInfoCache\IDE______DVD-ROM_16X______2.0__300_DICV016_DRGV200A2.TMP
C:\Documents and Settings\Banting Family\Local Settings\Temp\DXM2E.tmp
C:\Documents and Settings\Banting Family\My Documents\~WRL0001.tmp
C:\Documents and Settings\Banting Family\My Documents\~WRL2676.tmp
C:\Documents and Settings\Banting Family\My Documents\~WRL3262.tmp
C:\Documents and Settings\Banting Family\My Documents\~WRL3401.tmp
C:\Documents and Settings\Guest\Application Data\Roxio\Dragon\DiscInfoCache\HL-DT-ST_DVDRAM_GSA-4082B_A201_310_DICV018_DRGV205002F.TMP
C:\WINDOWS\system32\config\default.tmp.LOG
C:\WINDOWS\system32\config\software.tmp.LOG
C:\WINDOWS\system32\config\system.tmp.LOG
Finished
-
Here's my old MsnVirRem.exe log:
MsnVirRem Log by Skate_Punk_21
Fix running from: C:\Documents and Settings\Ace\Desktop
3/14/2007
11:23:58 PM
and the fresh HijackThis Log:
Logfile of HijackThis v1.99.1
Scan saved at 5:27:26 PM, on 3/18/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\WINDOWS\system32\CTsvcCDA.EXE
C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\system32\pctspk.exe
C:\WINDOWS\PMJ151LA.BIN
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Roxio\Easy Media Creator 7\Drag to Disc\DrgToDsc.exe
C:\WINDOWS\SM1BG.EXE
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Java\jre1.5.0_10\bin\jusched.exe
C:\Program Files\Creative\MediaSource\Detector\CTDetect.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\devldr32.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\system32\DllHost.exe
C:\Program Files\HijackThis\HijackThis.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.ca/firefox (http://\"http://www.google.ca/firefox\")
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = proxy.library.ubc.ca:8000
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_10\bin\ssv.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar4.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar4.dll
O4 - HKLM\..\Run: [Corel Graphics Suite 1117] C:\Program Files\Corel\Corel Graphics 11\Register\registration.exe /title="Corel Graphics Suite 11" /date=092004 serial=DR11CRD-0012082-DGW
O4 - HKLM\..\Run: [RoxioDragToDisc] "C:\Program Files\Roxio\Easy Media Creator 7\Drag to Disc\DrgToDsc.exe"
O4 - HKLM\..\Run: [SM1BG] C:\WINDOWS\SM1BG.EXE
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_10\bin\jusched.exe
O4 - HKCU\..\Run: [ALUAlert] C:\Program Files\Symantec\LiveUpdate\ALUNotify.exe
O4 - HKCU\..\Run: [Creative Detector] C:\Program Files\Creative\MediaSource\Detector\CTDetect.exe /R
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Global Startup: Adobe Gamma Loader.exe.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_10\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_10\bin\ssv.dll
O9 - Extra button: ATI TV - {44226DFF-747E-4edc-B30C-78752E50CD0C} - C:\Program Files\ATI Multimedia\tv\EXPLBAR.DLL
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: AOL Instant Messenger (tm) - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM95\aim.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .pdf: C:\Program Files\Internet Explorer\PLUGINS\nppdf32.dll
O15 - Trusted Zone: *.live.com
O15 - Trusted Zone: *.msn.com
O16 - DPF: RaptisoftGameLoader - http://www.miniclip.com/hamsterball/raptisoftgameloader.cab (http://\"http://www.miniclip.com/hamsterball/raptisoftgameloader.cab\")
O16 - DPF: {00B71CFB-6864-4346-A978-C0A14556272C} (Checkers Class) - http://messenger.zone.msn.com/binary/msgrchkr.cab31267.cab (http://\"http://messenger.zone.msn.com/binary/msgrchkr.cab31267.cab\")
O16 - DPF: {14B87622-7E19-4EA8-93B3-97215F77A6BC} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/Messe...nt.cab31267.cab (http://\"http://messenger.zone.msn.com/binary/MessengerStatsPAClient.cab31267.cab\")
O16 - DPF: {288C5F13-7E52-4ADA-A32E-F5BF9D125F98} (CR64Loader Object) - http://www.miniclip.com/bestfriends/retro64_loader.dll (http://\"http://www.miniclip.com/bestfriends/retro64_loader.dll\")
O16 - DPF: {2917297F-F02B-4B9D-81DF-494B6333150B} (Minesweeper Flags Class) - http://messenger.zone.msn.com/binary/MineS...er.cab31267.cab (http://\"http://messenger.zone.msn.com/binary/MineSweeper.cab31267.cab\")
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://by124w.bay124.mail.live.com/mail/re...es/MsnPUpld.cab (http://\"http://by124w.bay124.mail.live.com/mail/resources/MsnPUpld.cab\")
O16 - DPF: {5F8469B4-B055-49DD-83F7-62B522420ECC} (Facebook Photo Uploader Control) - http://upload.facebook.com/controls/Facebo...otoUploader.cab (http://\"http://upload.facebook.com/controls/FacebookPhotoUploader.cab\")
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/Messe...nt.cab31267.cab (http://\"http://messenger.zone.msn.com/binary/MessengerStatsClient.cab31267.cab\")
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://messenger.zone.msn.com/binary/ZIntro.cab47946.cab (http://\"http://messenger.zone.msn.com/binary/ZIntro.cab47946.cab\")
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://zone.msn.com/bingame/dim2/default/popcaploader_v6.cab (http://\"http://zone.msn.com/bingame/dim2/default/popcaploader_v6.cab\")
O16 - DPF: {F127B9BA-89EA-4B04-9C67-2074A9DF61FD} (Photo Upload Plugin Class) - http://costco.pnimedia.com/upload/activex/...tupv2.0.0.9.cab (http://\"http://costco.pnimedia.com/upload/activex/v2_0_0_9/PCAXSetupv2.0.0.9.cab\")?
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: avast! Mail Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe" /service (file missing)
O23 - Service: avast! Web Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe" /service (file missing)
O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\system32\CTsvcCDA.EXE
O23 - Service: EPSON Printer Status Agent2 (EPSONStatusAgent2) - SEIKO EPSON CORPORATION - C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: PCTEL Speaker Phone (Pctspk) - PCtel, Inc. - C:\WINDOWS\system32\pctspk.exe
O23 - Service: PMJ151 AutoLaunch Service (PMJ151LA) - Matsushita Electric Industrial Co. ,Ltd, - C:\WINDOWS\PMJ151LA.BIN
O23 - Service: Ulead Burning Helper (UleadBurningHelper) - Ulead Systems, Inc. - C:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe
O23 - Service: X10 Device Network Service (x10nets) - Unknown owner - C:\PROGRA~1\ATIMUL~1\RemCtrl\x10nets.exe (file missing)
-
And finally here's my new ComboScan log:
ComboScan v20070306.20 run by Ace on 2007-03-18 at 17:30:25
Computer is in Normal Mode.
--------------------------------------------------------------------------------
-- HijackThis (run as Ace.exe) -------------------------------------------------
Logfile of HijackThis v1.99.1
Scan saved at 5:30:26 PM, on 3/18/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\WINDOWS\system32\CTsvcCDA.EXE
C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\system32\pctspk.exe
C:\WINDOWS\PMJ151LA.BIN
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Roxio\Easy Media Creator 7\Drag to Disc\DrgToDsc.exe
C:\WINDOWS\SM1BG.EXE
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Java\jre1.5.0_10\bin\jusched.exe
C:\Program Files\Creative\MediaSource\Detector\CTDetect.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\devldr32.exe
C:\Documents and Settings\Ace\Desktop\comboscan.exe
C:\PROGRA~1\HIJACK~1\Ace.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.ca/firefox (http://\"http://www.google.ca/firefox\")
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = proxy.library.ubc.ca:8000
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_10\bin\ssv.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar4.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar4.dll
O4 - HKLM\..\Run: [Corel Graphics Suite 1117] C:\Program Files\Corel\Corel Graphics 11\Register\registration.exe /title="Corel Graphics Suite 11" /date=092004 serial=DR11CRD-0012082-DGW
O4 - HKLM\..\Run: [RoxioDragToDisc] "C:\Program Files\Roxio\Easy Media Creator 7\Drag to Disc\DrgToDsc.exe"
O4 - HKLM\..\Run: [SM1BG] C:\WINDOWS\SM1BG.EXE
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_10\bin\jusched.exe
O4 - HKCU\..\Run: [ALUAlert] C:\Program Files\Symantec\LiveUpdate\ALUNotify.exe
O4 - HKCU\..\Run: [Creative Detector] C:\Program Files\Creative\MediaSource\Detector\CTDetect.exe /R
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Global Startup: Adobe Gamma Loader.exe.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_10\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_10\bin\ssv.dll
O9 - Extra button: ATI TV - {44226DFF-747E-4edc-B30C-78752E50CD0C} - C:\Program Files\ATI Multimedia\tv\EXPLBAR.DLL
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: AOL Instant Messenger (tm) - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM95\aim.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .pdf: C:\Program Files\Internet Explorer\PLUGINS\nppdf32.dll
O15 - Trusted Zone: *.live.com
O15 - Trusted Zone: *.msn.com
O16 - DPF: RaptisoftGameLoader - http://www.miniclip.com/hamsterball/raptisoftgameloader.cab (http://\"http://www.miniclip.com/hamsterball/raptisoftgameloader.cab\")
O16 - DPF: {00B71CFB-6864-4346-A978-C0A14556272C} (Checkers Class) - http://messenger.zone.msn.com/binary/msgrchkr.cab31267.cab (http://\"http://messenger.zone.msn.com/binary/msgrchkr.cab31267.cab\")
O16 - DPF: {14B87622-7E19-4EA8-93B3-97215F77A6BC} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/Messe...nt.cab31267.cab (http://\"http://messenger.zone.msn.com/binary/MessengerStatsPAClient.cab31267.cab\")
O16 - DPF: {288C5F13-7E52-4ADA-A32E-F5BF9D125F98} (CR64Loader Object) - http://www.miniclip.com/bestfriends/retro64_loader.dll (http://\"http://www.miniclip.com/bestfriends/retro64_loader.dll\")
O16 - DPF: {2917297F-F02B-4B9D-81DF-494B6333150B} (Minesweeper Flags Class) - http://messenger.zone.msn.com/binary/MineS...er.cab31267.cab (http://\"http://messenger.zone.msn.com/binary/MineSweeper.cab31267.cab\")
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://by124w.bay124.mail.live.com/mail/re...es/MsnPUpld.cab (http://\"http://by124w.bay124.mail.live.com/mail/resources/MsnPUpld.cab\")
O16 - DPF: {5F8469B4-B055-49DD-83F7-62B522420ECC} (Facebook Photo Uploader Control) - http://upload.facebook.com/controls/Facebo...otoUploader.cab (http://\"http://upload.facebook.com/controls/FacebookPhotoUploader.cab\")
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/Messe...nt.cab31267.cab (http://\"http://messenger.zone.msn.com/binary/MessengerStatsClient.cab31267.cab\")
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://messenger.zone.msn.com/binary/ZIntro.cab47946.cab (http://\"http://messenger.zone.msn.com/binary/ZIntro.cab47946.cab\")
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://zone.msn.com/bingame/dim2/default/popcaploader_v6.cab (http://\"http://zone.msn.com/bingame/dim2/default/popcaploader_v6.cab\")
O16 - DPF: {F127B9BA-89EA-4B04-9C67-2074A9DF61FD} (Photo Upload Plugin Class) - http://costco.pnimedia.com/upload/activex/...tupv2.0.0.9.cab (http://\"http://costco.pnimedia.com/upload/activex/v2_0_0_9/PCAXSetupv2.0.0.9.cab\")?
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: avast! Mail Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe" /service (file missing)
O23 - Service: avast! Web Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe" /service (file missing)
O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\system32\CTsvcCDA.EXE
O23 - Service: EPSON Printer Status Agent2 (EPSONStatusAgent2) - SEIKO EPSON CORPORATION - C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: PCTEL Speaker Phone (Pctspk) - PCtel, Inc. - C:\WINDOWS\system32\pctspk.exe
O23 - Service: PMJ151 AutoLaunch Service (PMJ151LA) - Matsushita Electric Industrial Co. ,Ltd, - C:\WINDOWS\PMJ151LA.BIN
O23 - Service: Ulead Burning Helper (UleadBurningHelper) - Ulead Systems, Inc. - C:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe
O23 - Service: X10 Device Network Service (x10nets) - Unknown owner - C:\PROGRA~1\ATIMUL~1\RemCtrl\x10nets.exe (file missing)
-- Files created between 2007-02-18 and 2007-03-18 -----------------------------
2007-03-18 17:02:15 0 d-------- C:\SDFix
2007-03-18 16:54:27 0 d-------- C:\Program Files\Common Files\{3830DA84-0BB6-1033-0217-050312030002}<{3830D~1>
2007-03-13 00:39:48 3968 --a------ C:\WINDOWS\system32\drivers\AvgAsCln.sys
2007-03-13 00:39:46 0 d-------- C:\Program Files\Grisoft
2007-03-13 00:10:04 0 d-------- C:\bintheredunthat<BINTHE~1>
2007-03-12 23:58:13 0 d-------- C:\Documents and Settings\Ace\Application Data\Help
2007-03-12 23:54:52 0 d-------- C:\BFU
2007-03-09 17:10:55 0 d-------- C:\Program Files\NoAdware5.0<NOADWA~1.0>
2007-03-09 15:46:10 0 d--hs---- C:\WINDOWS\system32\dvwwhgpc
2007-03-04 18:59:12 0 d-------- C:\Documents and Settings\Ace\Application Data\Registry Cleaner<REGIST~1>
2007-02-23 18:14:22 0 d-------- C:\Documents and Settings\Ace\Application Data\?ymbols
2007-02-22 19:44:44 0 d-------- C:\Program Files\PeDevice
2007-02-18 14:34:21 0 d-------- C:\Program Files\Common Files\{3830DA84-0BBA-1033-0217-050312030002}<{3830D~2>
-- Find3M Report ---------------------------------------------------------------
2007-03-13 23:25:19 448 --a------ C:\Program Files\Shortcut (2) to HijackThis.exe.lnk<SHORTC~2.LNK>
2007-03-13 23:25:15 448 --a------ C:\Program Files\Shortcut to HijackThis.exe.lnk<SHORTC~1.LNK>
2007-03-13 11:44:17 0 d--h----- C:\Program Files\Common Files\Uninstall Information<UNINST~1>
2007-03-12 23:50:17 0 d-------- C:\Program Files\Common Files\??stem32
2007-03-12 23:50:17 0 d-------- C:\Documents and Settings\Ace\Application Data\?ppPatch
2007-03-12 23:45:59 0 d-------- C:\Program Files\Outerinfo<OUTERI~1>
2007-03-09 17:07:39 0 d-------- C:\Program Files\EPSON
2007-03-04 23:00:33 0 d--h----- C:\Program Files\InstallShield Installation Information<INSTAL~1>
2007-03-04 23:00:19 0 d-------- C:\Documents and Settings\Ace\Application Data\Apple Computer<APPLEC~1>
2007-02-14 19:29:40 0 d-------- C:\Program Files\Google
2007-02-11 01:38:58 0 d-------- C:\Program Files\DVD Shrink<DVDSHR~1>
2007-02-02 23:12:24 1902704 --a------ C:\Program Files\noadware.exe
2007-01-29 00:58:06 60416 -----n--- C:\WINDOWS\system32\tzchange.exe
2007-01-24 23:41:40 0 d-------- C:\Program Files\s?stem
2007-01-24 23:41:40 0 d-------- C:\Program Files\??stem
2007-01-24 12:03:18 0 d-------- C:\Documents and Settings\Ace\Application Data\?ystem32
2007-01-14 19:05:38 687592 --a------ C:\WINDOWS\system32\atmtd.dll
2006-12-19 13:52:18 134656 --a------ C:\WINDOWS\system32\shsvcs.dll
2006-12-19 10:16:47 333824 --a------ C:\WINDOWS\system32\wiaservc.dll
-- Registry Dump ---------------------------------------------------------------
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run]
"ALUAlert"="C:\\Program Files\\Symantec\\LiveUpdate\\ALUNotify.exe"
"Creative Detector"="C:\\Program Files\\Creative\\MediaSource\\Detector\\CTDetect.exe /R"
"ctfmon.exe"="C:\\WINDOWS\\system32\\ctfmon.exe"
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run]
"Corel Graphics Suite 1117"="C:\\Program Files\\Corel\\Corel Graphics 11\\Register\\registration.exe /title=\"Corel Graphics Suite 11\" /date=092004 serial=DR11CRD-0012082-DGW"
"RoxioDragToDisc"="\"C:\\Program Files\\Roxio\\Easy Media Creator 7\\Drag to Disc\\DrgToDsc.exe\""
"SM1BG"="C:\\WINDOWS\\SM1BG.EXE"
"QuickTime Task"="\"C:\\Program Files\\QuickTime\\qttask.exe\" -atboottime"
"SunJavaUpdateSched"="C:\\Program Files\\Java\\jre1.5.0_10\\bin\\jusched.exe"
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents]
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\IMAIL]
"Installed"="1"
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\MAPI]
"Installed"="1"
"NoChange"="1"
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\MSFS]
"Installed"="1"
[HKEY_USERS\.default\software\microsoft\windows\currentversion\runonce]
"RunNarrator"="Narrator.exe"
[HKEY_USERS\s-1-5-18\software\microsoft\windows\currentversion\runonce]
"RunNarrator"="Narrator.exe"
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder]
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users.WINDOWS^Start Menu^Programs^Startup^EPSON Status Monitor 3 Environment Check 2.lnk]
"path"="C:\\Documents and Settings\\All Users.WINDOWS\\Start Menu\\Programs\\Startup\\EPSON Status Monitor 3 Environment Check 2.lnk"
"backup"="C:\\WINDOWS\\pss\\EPSON Status Monitor 3 Environment Check 2.lnkCommon Startup"
"location"="Common Startup"
"command"="C:\\WINDOWS\\system32\\spool\\drivers\\w32x86\\3\\E_SRCV02.EXE "
"item"="EPSON Status Monitor 3 Environment Check 2"
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^Banting Family^Start Menu^Programs^Startup^LimeWire On Startup.lnk]
"path"="C:\\Documents and Settings\\Banting Family\\Start Menu\\Programs\\Startup\\LimeWire On Startup.lnk"
"backup"="C:\\WINDOWS\\pss\\LimeWire On Startup.lnkStartup"
"location"="Startup"
"command"="C:\\PROGRA~1\\LimeWire\\LimeWire.exe -startup"
"item"="LimeWire On Startup"
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"=""
"hkey"="HKCU"
"command"=""
"inimapping"="0"
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AT-Watch]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"=""
"hkey"="HKLM"
"command"=""
"inimapping"="0"
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\CXMon]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="Hpi_Monitor"
"hkey"="HKLM"
"command"="\"C:\\Program Files\\Hewlett-Packard\\PhotoSmart\\Photo Imaging\\Hpi_Monitor.exe\""
"inimapping"="0"
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IMEKRMIG6.1]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="IMEKRMIG"
"hkey"="HKLM"
"command"="C:\\WINDOWS\\ime\\imkr6_1\\IMEKRMIG.EXE"
"inimapping"="0"
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IMJPMIG8.1]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="IMJPMIG"
"hkey"="HKLM"
"command"="C:\\WINDOWS\\IME\\imjp8_1\\IMJPMIG.EXE /Spoil /RemAdvDef /Migration32"
"inimapping"="0"
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Ink Monitor]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="InkMonitor"
"hkey"="HKLM"
"command"="C:\\Program Files\\EPSON\\Ink Monitor\\InkMonitor.exe"
"inimapping"="0"
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\key]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="winxp"
"hkey"="HKCU"
"command"="C:\\WINDOWS\\System32\\winxp.exe"
"inimapping"="0"
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSPY2002]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="ImScInst"
"hkey"="HKLM"
"command"="C:\\WINDOWS\\system32\\IME\\PINTLGNT\\ImScInst.exe /SYNC"
"inimapping"="0"
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroCheck]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="NeroCheck"
"hkey"="HKLM"
"command"="C:\\WINDOWS\\System32\\NeroCheck.exe"
"inimapping"="0"
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PHIME2002A]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="TINTSETP"
"hkey"="HKLM"
"command"="C:\\WINDOWS\\system32\\IME\\TINTLGNT\\TINTSETP.EXE /IMEName"
"inimapping"="0"
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PHIME2002ASync]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="TINTSETP"
"hkey"="HKLM"
"command"="C:\\WINDOWS\\system32\\IME\\TINTLGNT\\TINTSETP.EXE /SYNC"
"inimapping"="0"
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="qttask"
"hkey"="HKLM"
"command"="\"C:\\Program Files\\QuickTime\\qttask.exe\" -atboottime"
"inimapping"="0"
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RoxioDragToDisc]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="DrgToDsc"
"hkey"="HKLM"
"command"="\"C:\\Program Files\\Roxio\\Easy Media Creator 7\\Drag to Disc\\DrgToDsc.exe\""
"inimapping"="0"
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Share-to-Web Namespace Daemon]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="hpgs2wnd"
"hkey"="HKLM"
"command"="C:\\Program Files\\Hewlett-Packard\\PhotoSmart\\HP Share-to-Web\\hpgs2wnd.exe"
"inimapping"="0"
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SM1BG]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="SM1BG"
"hkey"="HKLM"
"command"="C:\\WINDOWS\\SM1BG.EXE"
"inimapping"="0"
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Steam]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="Steam"
"hkey"="HKCU"
"command"="C:\\Program Files\\Valve\\Steam\\Steam.exe -silent"
"inimapping"="0"
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="jusched"
"hkey"="HKLM"
"command"="C:\\Program Files\\Java\\jre1.5.0_02\\bin\\jusched.exe"
"inimapping"="0"
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TkBellExe]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="realsched"
"hkey"="HKLM"
"command"="\"C:\\Program Files\\Common Files\\Real\\Update_OB\\realsched.exe\" -osboot"
"inimapping"="0"
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WildTangent CDA]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="cdaEngine0400"
"hkey"="HKLM"
"command"="RUNDLL32.exe \"C:\\Program Files\\WildTangent\\Apps\\CDA\\cdaEngine0400.dll\",cdaEngineMain"
"inimapping"="0"
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ZingSpooler]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="ZingSpooler"
"hkey"="HKLM"
"command"="C:\\Program Files\\Common Files\\Zing\\ZingSpooler.exe"
"inimapping"="0"
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{57B86673-276A-48B2-BAE7-C6DBB3020EB8}"="AVG Anti-Spyware 7.5"
[HKEY_USERS\.default\software\microsoft\windows\currentversion\run]
"CTFMON.EXE"="C:\\WINDOWS\\System32\\ctfmon.exe"
"ALUAlert"="C:\\Program Files\\Symantec\\LiveUpdate\\ALUNotify.exe"
"swg"="C:\\Program Files\\Google\\GoogleToolbarNotifier\\1.2.1128.5462\\GoogleToolbarNotifier.exe"
[HKEY_USERS\s-1-5-18\software\microsoft\windows\currentversion\run]
"CTFMON.EXE"="C:\\WINDOWS\\System32\\ctfmon.exe"
"ALUAlert"="C:\\Program Files\\Symantec\\LiveUpdate\\ALUNotify.exe"
"swg"="C:\\Program Files\\Google\\GoogleToolbarNotifier\\1.2.1128.5462\\GoogleToolbarNotifier.exe"
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]
"NoAdminPage"=dword:00000000
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders]
"SecurityProviders"="msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll"
[HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Svchost]
LocalService REG_MULTI_SZ Alerter WebClient LmHosts RemoteRegistry upnphost SSDPSRV
NetworkService REG_MULTI_SZ DnsCache
rpcss REG_MULTI_SZ RpcSs
imgsvc REG_MULTI_SZ StiSvc
termsvcs REG_MULTI_SZ TermService
HTTPFilter REG_MULTI_SZ HTTPFilter
DcomLaunch REG_MULTI_SZ DcomLaunch TermService
-- End of ComboScan: finished at 2007-03-18 at 17:30:45 ------------------------
-
Sorry for the delay Dancingqueen
That's looking good
Let's get rid of some dead weight you don't need hanging around
Set Windows To Show Hidden Files and Folders
* Click Start.
* Open My Computer.
* Select the Tools menu and click Folder Options.
* Select the View Tab.
* Under the Hidden files and folders heading select Show hidden files and folders.
* Uncheck the Hide protected operating system files (recommended) option.
* Uncheck the Hide Extensions for known file types
* Click Yes to confirm.
* Click OK.
Carefully navigate to the following files/folders and delete them if found, please
C:\Program Files\noadware.exe <-this file
C:\WINDOWS\system32\atmtd.dll <-this file, careful, there are others that look similar, only the correct spelling please
C:\Program Files\Common Files\{3830DA84-0BB6-1033-0217-050312030002} <-this folder
C:\bintheredunthat <-this folder
C:\BFU <-this folder
C:\Program Files\NoAdware5.0 <-this folder
C:\Program Files\Outerinfo <-this folder
C:\Program Files\PeDevice <-this folder
C:\WINDOWS\system32\dvwwhgpc <- this folder
C:\Documents and Settings\Ace\Application Data\Registry Cleaner <-this folder
Be very careful when deleting the next folders
They have a question mark in their folder names>>>>?
The ? mark will not actually appear when you look for them; they are not recognized by Windows
And some legit folders look identical; look for the EXACT folder
The folder may even be disguised as a legit folder name, so please look closely
Best to hover your mouse over the folder to get the exact properties, or right-click and select Properties
C:\Documents and Settings\Ace\Application Data\?ymbols <- this folder, 0 byte folder, created 2007-02-23 18:14:22
C:\Program Files\Common Files\??stem32 <-this folder, 0 byte folder, created 2007-03-12 23:50:17
C:\Documents and Settings\Ace\Application Data\?ppPatch <-this folder, 0 byte folder, created 2007-03-12 23:50:17
C:\Program Files\s?stem <- this folder, 0 byte folder, created 2007-01-24 23:41:40
C:\Documents and Settings\Ace\Application Data\?ystem32 <- this folder, 0 byte folder, created 2007-01-24 12:03:18
Post back one last hijackthis log and let me know how things are running please
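Added example, not from the thread and not a tool its helper used: a Python script that does by code what the instructions above ask the user to do by eye. It scans a directory listing for folder names containing characters outside printable ASCII (the ones Explorer shows as "?" or renders as an ordinary-looking letter) and reports which known Windows folder name each one imitates. The listing is constructed; Cyrillic letters stand in for whatever characters the real folders used, since the log only shows "?", and the allow-list of imitated names is an assumption chosen for this example. In practice you would feed it `os.listdir()` results from the directories named in the log and then inspect each hit's properties before deleting anything.

```python
"""Flag folder names that hide non-ASCII characters, including ones that pass
for a legitimate Windows folder. Added example with constructed sample names;
the Cyrillic letters below are stand-ins for the '?' entries in the log."""
import unicodedata

# Legitimate folder names that disguised folders tend to copy (assumption: a
# short allow-list picked for this example, not an exhaustive catalogue).
KNOWN_NAMES = {"system32", "system", "apppatch", "symbols"}


def is_plain_ascii(ch):
    """True for printable 7-bit ASCII (space through tilde)."""
    return " " <= ch <= "~"


def odd_characters(name):
    """List (position, codepoint, Unicode name) for every character in `name`
    that is not printable ASCII."""
    return [
        (i, f"U+{ord(ch):04X}", unicodedata.name(ch, "<unnamed>"))
        for i, ch in enumerate(name)
        if not is_plain_ascii(ch)
    ]


def lookalike_of(name):
    """Return the known folder name that `name` imitates: same length and
    identical at every printable-ASCII position (case-insensitive), else None."""
    folded = "".join(c.lower() if is_plain_ascii(c) else c for c in name)
    for legit in KNOWN_NAMES:
        if len(folded) == len(legit) and all(
            not is_plain_ascii(a) or a == b for a, b in zip(folded, legit)
        ):
            return legit
    return None


def classify(path):
    """Classify one full path by its final component.
    Returns ('ok', None), ('non-ascii', detail) or ('lookalike', detail)."""
    name = path.rstrip("\\").rsplit("\\", 1)[-1]
    odd = odd_characters(name)
    if not odd:
        return "ok", None
    target = lookalike_of(name)
    detail = {"odd": odd, "imitates": target}
    return ("lookalike" if target else "non-ascii"), detail


def audit(paths):
    """Return [(path, verdict)] for every path whose name is not plain ASCII."""
    results = []
    for p in paths:
        verdict, _ = classify(p)
        if verdict != "ok":
            results.append((p, verdict))
    return results


# Constructed listing: Cyrillic letters stand in for the unrenderable
# characters ComboScan printed as '?'. The first two entries are clean controls.
SAMPLE_DIRS = [
    "C:\\WINDOWS\\system32",
    "C:\\Documents and Settings\\Ace\\Application Data\\Apple Computer",
    "C:\\Documents and Settings\\Ace\\Application Data\\\u0405ymbols",   # ?ymbols
    "C:\\Program Files\\Common Files\\\u0405\u0443stem32",              # ??stem32
    "C:\\Documents and Settings\\Ace\\Application Data\\\u0430ppPatch",  # ?ppPatch
    "C:\\Program Files\\s\u0443stem",                                   # s?stem
    "C:\\Documents and Settings\\Ace\\Application Data\\\u0443ystem32",  # ?ystem32
    "C:\\Program Files\\Caf\u00e9 Photos",   # accented but imitates nothing
]

if __name__ == "__main__":
    for path, verdict in audit(SAMPLE_DIRS):
        _, detail = classify(path)
        print(f"{verdict:10} {path}  imitates={detail['imitates']}")
```

The script only reports; the decision to delete stays with the person looking at the folder's properties, exactly as the instructions above require.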
-
here's my latest HijackThis logfile:
Logfile of HijackThis v1.99.1
Scan saved at 9:34:05 PM, on 3/21/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\WINDOWS\system32\CTsvcCDA.EXE
C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\system32\pctspk.exe
C:\WINDOWS\PMJ151LA.BIN
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Roxio\Easy Media Creator 7\Drag to Disc\DrgToDsc.exe
C:\WINDOWS\SM1BG.EXE
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Java\jre1.5.0_10\bin\jusched.exe
C:\Program Files\Creative\MediaSource\Detector\CTDetect.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\devldr32.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\system32\DllHost.exe
C:\Program Files\HijackThis\HijackThis.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.ca/firefox
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = proxy.library.ubc.ca:8000
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_10\bin\ssv.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar4.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar4.dll
O4 - HKLM\..\Run: [Corel Graphics Suite 1117] C:\Program Files\Corel\Corel Graphics 11\Register\registration.exe /title="Corel Graphics Suite 11" /date=092004 serial=DR11CRD-0012082-DGW
O4 - HKLM\..\Run: [RoxioDragToDisc] "C:\Program Files\Roxio\Easy Media Creator 7\Drag to Disc\DrgToDsc.exe"
O4 - HKLM\..\Run: [SM1BG] C:\WINDOWS\SM1BG.EXE
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_10\bin\jusched.exe
O4 - HKCU\..\Run: [ALUAlert] C:\Program Files\Symantec\LiveUpdate\ALUNotify.exe
O4 - HKCU\..\Run: [Creative Detector] C:\Program Files\Creative\MediaSource\Detector\CTDetect.exe /R
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Global Startup: Adobe Gamma Loader.exe.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_10\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_10\bin\ssv.dll
O9 - Extra button: ATI TV - {44226DFF-747E-4edc-B30C-78752E50CD0C} - C:\Program Files\ATI Multimedia\tv\EXPLBAR.DLL
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: AOL Instant Messenger (tm) - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM95\aim.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .pdf: C:\Program Files\Internet Explorer\PLUGINS\nppdf32.dll
O15 - Trusted Zone: *.live.com
O15 - Trusted Zone: *.msn.com
O16 - DPF: RaptisoftGameLoader - http://www.miniclip.com/hamsterball/raptisoftgameloader.cab
O16 - DPF: {00B71CFB-6864-4346-A978-C0A14556272C} (Checkers Class) - http://messenger.zone.msn.com/binary/msgrchkr.cab31267.cab
O16 - DPF: {14B87622-7E19-4EA8-93B3-97215F77A6BC} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsPAClient.cab31267.cab
O16 - DPF: {288C5F13-7E52-4ADA-A32E-F5BF9D125F98} (CR64Loader Object) - http://www.miniclip.com/bestfriends/retro64_loader.dll
O16 - DPF: {2917297F-F02B-4B9D-81DF-494B6333150B} (Minesweeper Flags Class) - http://messenger.zone.msn.com/binary/MineSweeper.cab31267.cab
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://by124w.bay124.mail.live.com/mail/resources/MsnPUpld.cab
O16 - DPF: {5F8469B4-B055-49DD-83F7-62B522420ECC} (Facebook Photo Uploader Control) - http://upload.facebook.com/controls/FacebookPhotoUploader.cab
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsClient.cab31267.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://messenger.zone.msn.com/binary/ZIntro.cab47946.cab
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://zone.msn.com/bingame/dim2/default/popcaploader_v6.cab
O16 - DPF: {F127B9BA-89EA-4B04-9C67-2074A9DF61FD} (Photo Upload Plugin Class) - http://costco.pnimedia.com/upload/activex/v2_0_0_9/PCAXSetupv2.0.0.9.cab
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: avast! Mail Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe" /service (file missing)
O23 - Service: avast! Web Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe" /service (file missing)
O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\system32\CTsvcCDA.EXE
O23 - Service: EPSON Printer Status Agent2 (EPSONStatusAgent2) - SEIKO EPSON CORPORATION - C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: PCTEL Speaker Phone (Pctspk) - PCtel, Inc. - C:\WINDOWS\system32\pctspk.exe
O23 - Service: PMJ151 AutoLaunch Service (PMJ151LA) - Matsushita Electric Industrial Co. ,Ltd, - C:\WINDOWS\PMJ151LA.BIN
O23 - Service: Ulead Burning Helper (UleadBurningHelper) - Ulead Systems, Inc. - C:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe
O23 - Service: X10 Device Network Service (x10nets) - Unknown owner - C:\PROGRA~1\ATIMUL~1\RemCtrl\x10nets.exe (file missing)
-
Looks good, just a leftover from Symantec's
Also, if these files are still around, please delete them
C:\WINDOWS\System32\winxp.exe <- this file
C:\Program Files\help\zeh.exe <-this file
Open Notepad (START>>>RUN>>>type in notepad)
Hit OK
Copy the contents of the CODE box, not including the word "code"
Paste it to the empty Notepad file
In Notepad click FILE>>SAVE AS
IMPORTANT>>>Change the Save as Type to All Files.
Name the file as fix.reg
Save this file on the desktop
Ensure to copy from REGEDIT4 and down in the code box
REGEDIT4
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\key]
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Load]
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AT-Watch]
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run]
"ALUAlert"=-
Double click on fix.reg and allow to add/merge to the registry at the prompt
Reboot the computer
Back in Windows
If everything is running better
Go to START>>All Programs>>Accessories>>System Tools>>System Restore
Create a New restore point
Give it a name and click Create
When that's done
Go to START>>RUN>>type the following
cleanmgr
Hit OK
Let it finish calculating
Select the More Options tab
and click Cleanup.. under 'System Restore'
This will clear all later restore points except for the one you just made
Ok the prompts, it may take a few seconds to remove old restore points
Ok again after it's ready and let it finish cleaning
You should give your computer a bit more protection
Install
SpywareBlaster 3.5.1 by JavaCool (http://www.javacoolsoftware.com/spywareblaster.html) *Will block bad ActiveX Controls
*Block Malevolent cookies in Internet Explorer and Firefox
*Restrict actions of potentially dangerous sites in Internet Explorer
After installation, Check for updates
After updating, select "Protection" on the Left
Then select "Enable all Protection"
"Check for updates every couple of weeks"
after every update just simply click the "enable protection on all unprotected items"
Install and keep an additional spyware scanner on your computer
Spybot 1.4
You can download it from
HERE (http://fileforum.betanews.com/detail/Spybot_Search_and_Destroy/1043809773/1)
Install with default settings that are selected
After installation--Click the UPDATE button on the left
SEARCH FOR UPDATES on the right
Check, and then download all updates
Ensure all updates are successful, a GREEN check will indicate this
If you have an error updating, search for updates again and retry the download until all updates are successfully installed
After update is complete
Click the "Search & Destroy" button on the left
"Check for Problems"---When the Scan is complete
FIX all selected problems in RED
RESTART the computer to finish any cleaning process
In addition, utilize the Immunization feature
After every update
Click the "Immunize" button>>OK the prompt>>Immunize again at the top green cross
If there are other user profiles on the computer, have them login and enable all protections with Spywareblaster
and Immunize with Spybot after every update
Hope that helps
P.S. You can go back and hide hidden files/folders
* Click Start.
* Open My Computer.
* Select the Tools menu and click Folder Options.
* Select the View Tab.
* Under the Hidden files and folders heading select "Do Not Show hidden files and folders."
* Check the Hide protected operating system files (recommended) option.
* Click OK.
EDIT>>>Forgot about this from the Comboscan
Failed to create restore point; System Restore is disabled (service is not running).
I take it that after running SDfix you no longer have this problem with System Restore being disabled?
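Added example, not part of the thread: a small Python dry-run parser for a REGEDIT4 file such as the fix.reg above. It lists every key deletion (`[-KEY]`), key creation (`[KEY]`) and value deletion (`"name"=-`) the file would perform, and flags any `[-...]` line shallow enough to wipe a whole hive section, so the fix can be read and understood before it is merged. The fix.reg content is embedded as given in the post; the depth threshold is an assumption chosen for this example.

```python
"""Dry-run reviewer for a REGEDIT4 fix file: lists what merging it would
delete or set, and flags deletions broad enough to be dangerous.
Added example, not a tool from the thread."""

# The fix.reg from the post above, embedded so the example runs offline.
FIX_REG = """REGEDIT4

[-HKEY_LOCAL_MACHINE\\software\\microsoft\\shared tools\\msconfig\\startupreg\\key]
[-HKEY_LOCAL_MACHINE\\software\\microsoft\\shared tools\\msconfig\\startupreg\\Load]
[-HKEY_LOCAL_MACHINE\\software\\microsoft\\shared tools\\msconfig\\startupreg\\AT-Watch]
[-HKEY_LOCAL_MACHINE\\software\\microsoft\\shared tools\\msconfig\\startupreg\\SunJavaUpdateSched]
[HKEY_CURRENT_USER\\software\\microsoft\\windows\\currentversion\\run]
"ALUAlert"=-
"""

HEADERS = ("REGEDIT4", "Windows Registry Editor Version 5.00")

# A key deletion with fewer path components than this would remove a whole
# hive section, e.g. [-HKEY_LOCAL_MACHINE\software]. Assumption: threshold
# chosen for this example.
MIN_DELETE_DEPTH = 4


def parse_reg(text):
    """Return a list of (action, key, value_name, data) tuples; action is one
    of ensure_key, delete_key, set_value, delete_value."""
    lines = text.splitlines()
    if not lines or lines[0].strip() not in HEADERS:
        raise ValueError("file does not start with a REGEDIT4 / 5.00 header")
    actions = []
    current = None
    for raw in lines[1:]:
        line = raw.strip()
        if not line or line.startswith(";"):
            continue                          # blank lines and comments
        if line.startswith("[") and line.endswith("]"):
            key = line[1:-1]
            if key.startswith("-"):           # [-KEY] deletes the key and all subkeys
                actions.append(("delete_key", key[1:], None, None))
                current = None
            else:                             # [KEY] creates the key if absent
                current = key
                actions.append(("ensure_key", key, None, None))
            continue
        if current is None:
            raise ValueError(f"value line outside a key section: {line!r}")
        name, sep, data = line.partition("=")
        if not sep:
            raise ValueError(f"malformed value line: {line!r}")
        name = name if name == "@" else name.strip('"')   # @ is the default value
        if data == "-":                       # "name"=- deletes that value
            actions.append(("delete_value", current, name, None))
        else:
            actions.append(("set_value", current, name, data))
    return actions


def summarize(actions):
    """Count actions by type."""
    counts = {"ensure_key": 0, "delete_key": 0, "set_value": 0, "delete_value": 0}
    for act, *_ in actions:
        counts[act] += 1
    return counts


def too_broad(actions):
    """Key deletions with fewer than MIN_DELETE_DEPTH path components."""
    return [k for act, k, _, _ in actions
            if act == "delete_key" and len(k.split("\\")) < MIN_DELETE_DEPTH]


if __name__ == "__main__":
    acts = parse_reg(FIX_REG)
    for act, key, name, data in acts:
        print(f"{act:13} {key}" + (f"  {name}={data}" if name else ""))
    print(summarize(acts), "too broad:", too_broad(acts))
```

For the fix.reg above the report is four key deletions under the msconfig startupreg list, one key touched under HKCU\...\Run, and one value (ALUAlert) removed; nothing is broad enough to trip the depth check.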
-
No, I haven't had any problems yet with the system restore (so far).
My computer seems to be running OK now.
Is the trojan completely gone now? That's it?
Thank you so much for all your help!!!
-
Yes that's it, if everything is running good
One Note: These entries in your trusted zones
O15 - Trusted Zone: *.live.com
O15 - Trusted Zone: *.msn.com
If you didn't manually add them, unless you need them there for the sites to work properly
you may want to remove them
In IE select Tools>>Internet Options>>Security>>
Highlight Trusted Sites>>Click Sites
You can remove them in there
-
As problems appear resolved, I'll lock this topic