Ultrad321

My browser has been hijacked by search-daily.com! HELP!

36 posts in this topic

When I try to follow a Google search link it redirects me to this search-daily.net website. I have been reading around, seeing that others have had this problem, and trying to fix it, but I can't. It just doesn't go away. I am hoping you guys can help me with it.

 

I have tried my F-prot antivirus, Spybot - S and D, Ad-Aware 2007, and Hijack This, but nothing seems to work.

 

PLEASE HELP ME! I know some about computers but it is past my knowledge point.

 

I have Microsoft XP Professional x64, so my comp is 64-bit, in case that matters.

 

Here is my HijackThis log; attached is my last Ad-Aware log from earlier in the day, before I began trying to eliminate this with HijackThis.

 

In addition to this there was another BHO with a name like 4vxmpgs or something like that in my SysWOW64 folder that I thought might be it, so I deleted it, but the search daily did not go away. It might still be lingering around on my comp somewhere.

 

Logfile of HijackThis v1.99.1

Scan saved at 1:08:43 AM, on 12/8/2007

Platform: Windows 2003 SP2 (WinNT 5.02.3790)

MSIE: Internet Explorer v7.00 (7.00.6000.16544)

 

Running processes:

C:\Program Files (x86)\Lavasoft\Ad-Aware 2007\aawservice.exe

C:\Program Files (x86)\FSI\F-Prot\fpavupdm.exe

C:\WINDOWS\SysWOW64\PnkBstrA.exe

C:\WINDOWS\SysWOW64\wwSecure.exe

C:\Program Files (x86)\NVIDIA Corporation\NvMixer\NVMixerTray.exe

C:\Program Files (x86)\AIM6\aim6.exe

C:\Program Files (x86)\Webroot\Washer\wwDisp.exe

C:\WINDOWS\SysWOW64\ctfmon.exe

C:\Program Files (x86)\FSI\F-Prot\F-Sched.exe

C:\Program Files (x86)\Common Files\Real\Update_OB\realsched.exe

C:\Program Files (x86)\iTunes\iTunesHelper.exe

C:\Program Files (x86)\iPod\bin\iPodService.exe

C:\Program Files (x86)\AIM6\aolsoftware.exe

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE

C:\Program Files (x86)\hijackthis\HijackThis.exe

C:\WINDOWS\system32\drwtsn32.exe

 

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157

R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank

O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files (x86)\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll

O2 - BHO: (no name) - {293D6DCB-E93F-42F9-BB5B-A11EF759210C} - C:\WINDOWS\SysWow64\dpvacmv.dll

O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~2\SPYBOT~1\SDHelper.dll

O4 - HKLM\..\Run: [FRISK FP-Scheduler] "C:\Program Files (x86)\FSI\F-Prot\F-Sched.exe" STARTUP

O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files (x86)\Common Files\Real\Update_OB\realsched.exe" -osboot

O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files (x86)\iTunes\iTunesHelper.exe"

O4 - HKLM\..\Run: [startCCC] "C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe"

O4 - HKLM\..\Run: [CatalystRegistration] "C:\Program Files (x86)\ATI\CatalystRegistration\dolce.exe"

O4 - HKCU\..\Run: [Aim6] "C:\Program Files (x86)\AIM6\aim6.exe" /d locale=en-US ee://aol/imApp

O4 - HKCU\..\Run: [Window Washer] C:\Program Files (x86)\Webroot\Washer\wwDisp.exe

O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe

O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files (x86)\Adobe\Acrobat 7.0\Reader\reader_sl.exe

O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~2\MICROS~2\OFFICE11\EXCEL.EXE/3000

O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files (x86)\Java\jre1.5.0_04\bin\npjpi150_04.dll

O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files (x86)\Java\jre1.5.0_04\bin\npjpi150_04.dll

O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~2\MICROS~2\OFFICE11\REFIEBAR.DLL

O11 - Options group: [iNTERNATIONAL] International*

O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004061...all/xscan53.cab

O16 - DPF: {CE74A05D-ED12-473A-97F8-85FB0E2F479F} (dlControl.UserControl1) - http://www.livemetallica.com/nugster/dlControl.CAB

O16 - DPF: {E8F628B5-259A-4734-97EE-BA914D7BE941} (Driver Agent ActiveX Control) - http://driveragent.com/files/driveragent.cab

O20 - Winlogon Notify: dimsntfy - C:\WINDOWS\SYSTEM32\dimsntfy.dll

O20 - Winlogon Notify: EFS - C:\WINDOWS\SYSTEM32\sclgntfy.dll

O20 - Winlogon Notify: Themes - C:\WINDOWS\system32\camaddin.dll (file missing)

O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:\Program Files (x86)\Lavasoft\Ad-Aware 2007\aawservice.exe

O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\system32\Ati2evxx.exe (file missing)

O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2saag.exe

O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - Unknown owner - C:\WINDOWS\System32\dmadmin.exe (file missing)

O23 - Service: Event Log (Eventlog) - Unknown owner - C:\WINDOWS\system32\services.exe (file missing)

O23 - Service: F-Prot Antivirus Update Monitor - FRISK Software - C:\Program Files (x86)\FSI\F-Prot\fpavupdm.exe

O23 - Service: HTTP SSL (HTTPFilter) - Unknown owner - C:\WINDOWS\System32\lsass.exe (file missing)

O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files (x86)\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe

O23 - Service: IMAPI CD-Burning COM Service (ImapiService) - Unknown owner - C:\WINDOWS\system32\imapi.exe (file missing)

O23 - Service: iPod Service - Apple Inc. - C:\Program Files (x86)\iPod\bin\iPodService.exe

O23 - Service: Distributed Transaction Coordinator (MSDTC) - Unknown owner - C:\WINDOWS\system32\msdtc.exe (file missing)

O23 - Service: Net Logon (Netlogon) - Unknown owner - C:\WINDOWS\system32\lsass.exe (file missing)

O23 - Service: NT LM Security Support Provider (NtLmSsp) - Unknown owner - C:\WINDOWS\system32\lsass.exe (file missing)

O23 - Service: Plug and Play (PlugPlay) - Unknown owner - C:\WINDOWS\system32\services.exe (file missing)

O23 - Service: PnkBstrA - Unknown owner - C:\WINDOWS\system32\PnkBstrA.exe

O23 - Service: IPSEC Services (PolicyAgent) - Unknown owner - C:\WINDOWS\system32\lsass.exe (file missing)

O23 - Service: Protected Storage (ProtectedStorage) - Unknown owner - C:\WINDOWS\system32\lsass.exe (file missing)

O23 - Service: Remote Desktop Help Session Manager (RDSessMgr) - Unknown owner - C:\WINDOWS\system32\sessmgr.exe (file missing)

O23 - Service: Security Accounts Manager (SamSs) - Unknown owner - C:\WINDOWS\system32\lsass.exe (file missing)

O23 - Service: Virtual Disk Service (vds) - Unknown owner - C:\WINDOWS\System32\vds.exe (file missing)

O23 - Service: Volume Shadow Copy (VSS) - Unknown owner - C:\WINDOWS\System32\vssvc.exe (file missing)

O23 - Service: WMI Performance Adapter (WmiApSrv) - Unknown owner - C:\WINDOWS\system32\wbem\wmiapsrv.exe (file missing)

O23 - Service: Washer AutoComplete (wwSecSvc) - Webroot Software, Inc. - C:\WINDOWS\system32\wwSecure.exe

Ad_Aware_2007.log


Hello Ultrad321 & Welcome

 

First, you're running an outdated version of HijackThis. Remove/uninstall the version you have now and install this version.

 

Download HJTInstall.exe to your Desktop.

 

  • Double-click HJTInstall.exe to install it.
  • By default it will install to C:\Program Files\Trend Micro\HijackThis.
  • Click on Install.
  • It will create a HijackThis icon on the desktop.
  • Once installed, it will launch HijackThis.
  • Click on the Do a system scan and save a logfile button. It will scan, and the log should open in Notepad.
  • Save the log to a convenient location, as you'll need to post it soon.
  • Don't use the Analyse This button; its findings are dangerous if misinterpreted.
  • Don't have HijackThis fix anything yet. Most of what it finds will be harmless or even required.

 

=====================

 

Your version of Java is outdated and needs to be updated to take advantage of fixes that have eliminated security vulnerabilities.

Updating Java:

  • Download the latest version of Java Runtime Environment (JRE) 6 Update 3.
  • Scroll down to where it says "Java Runtime Environment (JRE) 6 Update 3".
  • Click the "Download" button to the right.
  • Check the box that says: "Accept License Agreement".
  • The page will refresh.
  • Click on the link to download Windows Offline Installation, Multi-language and save to your desktop.
  • Close any programs you may have running - especially your web browser.
  • Go to Start > Control Panel, double-click on Add/Remove Programs and remove all older versions of Java.
  • Check any item with Java Runtime Environment (JRE or J2SE) in the name.
    - Examples of older versions in Add or Remove Programs:
    • Java 2 Runtime Environment, SE v1.4.2
    • J2SE Runtime Environment 5.0
    • J2SE Runtime Environment 5.0 Update 6

  • Click the Remove or Change/Remove button.
  • Repeat as many times as necessary to remove each Java version.
  • Reboot your computer once all Java components are removed.
  • Then from your desktop double-click on jre-6u3-windows-i586-p.exe to install the newest version.

Let me know in your next reply how things are now.

 

=========================

 

Then, after doing all of the above, run this online scan and come back here with its scan results and a new HijackThis log.

 

Let's run an F-Secure online scan for Viruses, Spyware and RootKits:

  • Go to http://support.f-secure.com/enu/home/ols.shtml
  • Scroll to the bottom of the page and click the Start scanning button. A window will pop up.
  • Allow the Active X control to be installed on your computer, then click the Accept button
  • Click Full System Scan and allow the components to download and the scan to complete.
  • If malware is found, check Submit samples to F-Secure then select Automatic cleaning
  • When cleaning has finished, click Show report (this will open an Internet Explorer window containing the report)
  • Highlight and Copy (CTRL + C) the complete report, and Paste (CTRL + V) in a new reply to this post

If Automatic cleaning with Submit samples hangs, click Cancel, then New Scan

  • When the cleaning option is presented, Uncheck Submit samples to F-Secure
  • Click Automatic cleaning
  • When cleaning has finished, click Show report (this will open an Internet Explorer window containing the report)
  • Highlight and Copy (CTRL + C) the complete report, and Paste (CTRL + V) in a new reply to this post

Notes:

  • This scan will only work with Internet Explorer
  • You must have administrator rights to run this scan
  • This scan can take several hours, so please be patient

 

Gogo :)


OK, I am running F-Secure right now. Just wanted to let you know that I found a file nljazrum.dat in my SysWOW64 folder that was created and modified, etc. at the precise date and time that I know this worm found its way to my computer. It seems suspicious. Also my PF usage is up; I think this thing is slowing down my computer and/or messing with my processes or something. These things are malicious, because at the same time that file was created (along with the 4vmxdpmgs.exe file I deleted earlier) my system restore was turned off by this thing. Whenever this F-Secure is done I will run a new HijackThis and post it.

OK, here is the F-Secure scan result and my post-scan HijackThis log.

 

F-Secure scan log:

 

Scanning Report

Saturday, December 08, 2007 13:14:36 - 13:51:06

Computer name: DREWS-SGAMER

Scanning type: Scan system for viruses, rootkits, spyware

Target: C:\

 

 

--------------------------------------------------------------------------------

 

Result: 9 malware found

Packed.Win32.NSAnti.r (virus)

C:\DOCUMENTS AND SETTINGS\DEFAULT USER\LOCAL SETTINGS\TEMPORARY INTERNET FILES\CONTENT.IE5X6ZKLYZ\CONTEXTPLUS[1].EXE (Submitted)

Possible Browser Hijack attempt (spyware)

System (Disinfected)

Tracking Cookie (spyware)

System (Disinfected)

Trojan.Win32.Pakes.bpw (virus)

C:\PROGRAM FILES (X86)\HIJACKTHIS\BACKUPS\BACKUP-20071207-233006-457.DLL (Renamed & Submitted)

C:\PROGRAM FILES (X86)\HIJACKTHIS\BACKUPS\BACKUP-20071207-233103-479.DLL (Renamed & Submitted)

C:\PROGRAM FILES (X86)\HIJACKTHIS\BACKUPS\BACKUP-20071207-233123-734.DLL (Renamed & Submitted)

C:\PROGRAM FILES (X86)\HIJACKTHIS\BACKUPS\BACKUP-20071207-233141-958.DLL (Renamed & Submitted)

C:\PROGRAM FILES (X86)\HIJACKTHIS\BACKUPS\BACKUP-20071207-235336-312.DLL (Renamed & Submitted)

C:\PROGRAM FILES (X86)\HIJACKTHIS\BACKUPS\BACKUP-20071208-000717-169.DLL (Renamed & Submitted)

 

--------------------------------------------------------------------------------

 

Statistics

Scanned:

Files: 38314

System: 3458

Not scanned: 2

Actions:

Disinfected: 2

Renamed: 6

Deleted: 0

None: 1

Submitted: 7

Files not scanned:

C:\PAGEFILE.SYS

C:\WINDOWS\SOFTWAREDISTRIBUTION\EVENTCACHE\{4A522605-6BF8-476C-A40C-A6BEF70FFAE6}.BIN

 

--------------------------------------------------------------------------------

 

Options

Scanning engines:

F-Secure Libra: 2.4.2, 2007-11-28

F-Secure AVP: 7.0.171, 2007-12-08

F-Secure Orion: 1.2.37, 2007-12-08

F-Secure Blacklight: 1.0.64

F-Secure Draco: 1.0.35, 1008-150-72

F-Secure Pegasus: 1.19.0, 2007-11-03

Scanning options:

Scan defined files: COM EXE SYS OV? BIN SCR DLL SHS HTM HTML HTT VBS JS INF VXD DO? XL? RTF CPL WIZ HTA PP? PWZ P?T MSO PIF . ACM ASP AX CNV CSC DRV INI MDB MPD MPP MPT OBD OBT OCX PCI TLB TSP WBK WBT WPC WSH VWP WML BOO HLP TD0 TT6 MSG ASD JSE VBE WSC CHM EML PRC SHB BAT LNK ANI AVB CEO CMD LSP MAP MHT MIF PDF PHP POT WMF NWS TAR TGZ WSF ZL? {* ZIP JAR ARJ LZH TAR TGZ GZ CAB RAR BZ2 HQX

Use Advanced heuristics

 

--------------------------------------------------------------------------------

 


 

 

 

HijackThis log from after the F-Secure scan:

 

Logfile of Trend Micro HijackThis v2.0.2

Scan saved at 1:59:39 PM, on 12/8/2007

Platform: Windows 2003 SP2 (WinNT 5.02.3790)

MSIE: Internet Explorer v7.00 (7.00.6000.16544)

Boot mode: Normal

 

Running processes:

C:\Program Files (x86)\Lavasoft\Ad-Aware 2007\aawservice.exe

C:\Program Files (x86)\FSI\F-Prot\fpavupdm.exe

C:\WINDOWS\SysWOW64\PnkBstrA.exe

C:\WINDOWS\SysWOW64\wwSecure.exe

C:\Program Files (x86)\NVIDIA Corporation\NvMixer\NVMixerTray.exe

C:\Program Files (x86)\Webroot\Washer\wwDisp.exe

C:\WINDOWS\SysWOW64\ctfmon.exe

C:\Program Files (x86)\FSI\F-Prot\F-Sched.exe

C:\Program Files (x86)\Common Files\Real\Update_OB\realsched.exe

C:\Program Files (x86)\iTunes\iTunesHelper.exe

C:\Program Files (x86)\iPod\bin\iPodService.exe

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE

C:\Program Files (x86)\Trend Micro\HijackThis\HijackThis.exe

 

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157

R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank

O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files (x86)\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll

O2 - BHO: (no name) - {293D6DCB-E93F-42F9-BB5B-A11EF759210C} - C:\WINDOWS\SysWow64\dpvacmv.dll

O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~2\SPYBOT~1\SDHelper.dll

O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files (x86)\Java\jre1.6.0_03\bin\ssv.dll

O4 - HKLM\..\Run: [FRISK FP-Scheduler] "C:\Program Files (x86)\FSI\F-Prot\F-Sched.exe" STARTUP

O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files (x86)\Common Files\Real\Update_OB\realsched.exe" -osboot

O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files (x86)\iTunes\iTunesHelper.exe"

O4 - HKLM\..\Run: [startCCC] "C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe"

O4 - HKLM\..\Run: [CatalystRegistration] "C:\Program Files (x86)\ATI\CatalystRegistration\dolce.exe"

O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files (x86)\QuickTime\qttask.exe" -atboottime

O4 - HKLM\..\Run: [sunJavaUpdateSched] "C:\Program Files (x86)\Java\jre1.6.0_03\bin\jusched.exe"

O4 - HKCU\..\Run: [Aim6] "C:\Program Files (x86)\AIM6\aim6.exe" /d locale=en-US ee://aol/imApp

O4 - HKCU\..\Run: [Window Washer] C:\Program Files (x86)\Webroot\Washer\wwDisp.exe

O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe

O4 - HKCU\..\Policies\Explorer\Run: [udhrat] C:\WINDOWS\system32\udhrat.exe

O4 - HKUS\S-1-5-19\..\RunOnce: [tscuninstall] %systemroot%\system32\tscupgrd.exe (User 'LOCAL SERVICE')

O4 - HKUS\S-1-5-20\..\RunOnce: [tscuninstall] %systemroot%\system32\tscupgrd.exe (User 'NETWORK SERVICE')

O4 - HKUS\S-1-5-18\..\Run: [kffo] C:\PROGRA~2\COMMON~1\kffo\kffom.exe (User 'SYSTEM')

O4 - HKUS\S-1-5-18\..\RunOnce: [tscuninstall] %systemroot%\system32\tscupgrd.exe (User 'SYSTEM')

O4 - HKUS\.DEFAULT\..\Run: [kffo] C:\PROGRA~2\COMMON~1\kffo\kffom.exe (User 'Default user')

O4 - HKUS\.DEFAULT\..\RunOnce: [tscuninstall] %systemroot%\system32\tscupgrd.exe (User 'Default user')

O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files (x86)\Adobe\Acrobat 7.0\Reader\reader_sl.exe

O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~2\MICROS~2\OFFICE11\EXCEL.EXE/3000

O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files (x86)\Java\jre1.6.0_03\bin\ssv.dll

O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files (x86)\Java\jre1.6.0_03\bin\ssv.dll

O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~2\MICROS~2\OFFICE11\REFIEBAR.DLL

O15 - ESC Trusted Zone: http://runonce.msn.com

O16 - DPF: {0B79F48A-E8D6-11DB-9283-E25056D89593} (F-Secure Online Scanner 3.1) - http://support.f-secure.com/ols/fscax.cab

O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004061...all/xscan53.cab

O16 - DPF: {CE74A05D-ED12-473A-97F8-85FB0E2F479F} (dlControl.UserControl1) - http://www.livemetallica.com/nugster/dlControl.CAB

O16 - DPF: {E8F628B5-259A-4734-97EE-BA914D7BE941} (Driver Agent ActiveX Control) - http://driveragent.com/files/driveragent.cab

O20 - Winlogon Notify: Themes - C:\WINDOWS\system32\camaddin.dll (file missing)

O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:\Program Files (x86)\Lavasoft\Ad-Aware 2007\aawservice.exe

O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\system32\Ati2evxx.exe (file missing)

O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2saag.exe

O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - Unknown owner - C:\WINDOWS\System32\dmadmin.exe (file missing)

O23 - Service: Event Log (Eventlog) - Unknown owner - C:\WINDOWS\system32\services.exe (file missing)

O23 - Service: F-Prot Antivirus Update Monitor - FRISK Software - C:\Program Files (x86)\FSI\F-Prot\fpavupdm.exe

O23 - Service: HTTP SSL (HTTPFilter) - Unknown owner - C:\WINDOWS\System32\lsass.exe (file missing)

O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files (x86)\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe

O23 - Service: IMAPI CD-Burning COM Service (ImapiService) - Unknown owner - C:\WINDOWS\system32\imapi.exe (file missing)

O23 - Service: iPod Service - Apple Inc. - C:\Program Files (x86)\iPod\bin\iPodService.exe

O23 - Service: Distributed Transaction Coordinator (MSDTC) - Unknown owner - C:\WINDOWS\system32\msdtc.exe (file missing)

O23 - Service: Net Logon (Netlogon) - Unknown owner - C:\WINDOWS\system32\lsass.exe (file missing)

O23 - Service: NT LM Security Support Provider (NtLmSsp) - Unknown owner - C:\WINDOWS\system32\lsass.exe (file missing)

O23 - Service: Plug and Play (PlugPlay) - Unknown owner - C:\WINDOWS\system32\services.exe (file missing)

O23 - Service: PnkBstrA - Unknown owner - C:\WINDOWS\system32\PnkBstrA.exe

O23 - Service: IPSEC Services (PolicyAgent) - Unknown owner - C:\WINDOWS\system32\lsass.exe (file missing)

O23 - Service: Protected Storage (ProtectedStorage) - Unknown owner - C:\WINDOWS\system32\lsass.exe (file missing)

O23 - Service: Remote Desktop Help Session Manager (RDSessMgr) - Unknown owner - C:\WINDOWS\system32\sessmgr.exe (file missing)

O23 - Service: Security Accounts Manager (SamSs) - Unknown owner - C:\WINDOWS\system32\lsass.exe (file missing)

O23 - Service: Virtual Disk Service (vds) - Unknown owner - C:\WINDOWS\System32\vds.exe (file missing)

O23 - Service: Volume Shadow Copy (VSS) - Unknown owner - C:\WINDOWS\System32\vssvc.exe (file missing)

O23 - Service: WMI Performance Adapter (WmiApSrv) - Unknown owner - C:\WINDOWS\system32\wbem\wmiapsrv.exe (file missing)

O23 - Service: Washer AutoComplete (wwSecSvc) - Webroot Software, Inc. - C:\WINDOWS\system32\wwSecure.exe

 

--

End of file - 7368 bytes

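A defender-side triage of the logs in this thread, added here as an example (it is not code from HijackThis, Deckard's System Scanner or the helper's instructions). It flags the HijackThis entry types these logs show (an unnamed BHO, a Policies\Explorer\Run autorun, Run entries in the SYSTEM and Default user hives, a Winlogon Notify entry pointing at a missing DLL), skips an allowlisted unnamed BHO, and groups the DSS "Files created" timestamps posted later in the thread into bursts so the file that was dropped in the same few minutes as the others stands out. The allowlist and the 15-minute window are constructed assumptions.

```python
"""Triage of HijackThis (HJT) and Deckard's System Scanner (DSS) output.
Added example for this thread, not code from HijackThis, DSS or the helper.
Sample lines are copied from the logs posted in the thread; the allowlist and
the 15-minute burst window are constructed choices."""
import re
from datetime import datetime, timedelta

# Sample input copied (abridged) from the thread's HijackThis log.
HJT_LINES = r"""
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files (x86)\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {293D6DCB-E93F-42F9-BB5B-A11EF759210C} - C:\WINDOWS\SysWow64\dpvacmv.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~2\SPYBOT~1\SDHelper.dll
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files (x86)\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKCU\..\Policies\Explorer\Run: [udhrat] C:\WINDOWS\system32\udhrat.exe
O4 - HKUS\S-1-5-18\..\Run: [kffo] C:\PROGRA~2\COMMON~1\kffo\kffom.exe (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\RunOnce: [tscuninstall] %systemroot%\system32\tscupgrd.exe (User 'SYSTEM')
O20 - Winlogon Notify: Themes - C:\WINDOWS\system32\camaddin.dll (file missing)
""".strip().splitlines()

# Sample input copied (abridged) from the DSS "Files created" section.
DSS_LINES = r"""
2007-12-08 12:43:31 0 d-------- C:\Program Files (x86)\Trend Micro
2007-12-07 02:43:08 119552 --a------ C:\WINDOWS\system32\nljazrum.dat
2007-12-07 02:35:27 19456 --a------ C:\WINDOWS\system32\drivers\ylcgcuoq.dat
2007-12-07 02:35:24 54784 --a------ C:\WINDOWS\system32\audiosrva.dll
2007-12-07 02:35:00 0 d-------- C:\WINDOWS\system32\AppCert
2007-12-07 02:34:45 84992 --a------ C:\WINDOWS\system32\dpvacmv.dll
2007-11-09 23:45:37 500224 --a------ C:\Program Files (x86)\FS0J.EXE
""".strip().splitlines()

KNOWN_GOOD = {"sdhelper.dll"}  # constructed allowlist: Spybot's unnamed BHO is legitimate
HJT_RE = re.compile(r"^(O\d+|R\d+) - (.*)$")
DSS_RE = re.compile(r"^(\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2})\s+(\d+)\s+(\S+)\s+(.*)$")

def basename(path):
    """Lower-cased file name of a Windows path."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()

def extract_path(body):
    """File path of an HJT entry body: text after the '[name]' for Run entries,
    else the last ' - ' field, minus trailing annotations and arguments."""
    if re.match(r"HK\S*Run(?:Once)?: \[", body):
        tail = body.split("]", 1)[1]
    else:
        tail = body.rsplit(" - ", 1)[-1]
    tail = re.sub(r"\s*\((?:file missing|User '[^']*')\)\s*$", "", tail).strip()
    if tail.startswith('"'):  # quoted path followed by command-line arguments
        tail = tail[1:].split('"', 1)[0]
    return tail

def hjt_suspicious(line):
    """Reason string if the HJT line matches a triage rule, else None. The rules
    mirror what this thread's logs show; a hit is something to review, not a verdict."""
    m = HJT_RE.match(line)
    if not m:
        return None
    section, body = m.groups()
    if basename(extract_path(body)) in KNOWN_GOOD:
        return None
    if section == "O2" and body.startswith("BHO: (no name)"):
        return "unnamed BHO"
    if section == "O4" and r"\Policies\Explorer\Run:" in body:
        return "autorun via Policies\\Explorer\\Run"
    if section == "O4" and re.search(r"HKUS\\(?:S-1-5-18|\.DEFAULT)\\\.\.\\Run:", body):
        return "autorun in SYSTEM or Default user hive"
    if section == "O20" and body.endswith("(file missing)"):
        return "Winlogon Notify pointing at a missing DLL"
    return None

def creation_bursts(dss_lines, window=timedelta(minutes=15), min_size=3):
    """Group DSS creation records into bursts: sorted runs of at least min_size
    files all created within `window` of the first file in the run."""
    records = []
    for line in dss_lines:
        m = DSS_RE.match(line)
        if m:
            records.append((datetime.strptime(m.group(1), "%Y-%m-%d %H:%M:%S"), m.group(4)))
    bursts, current = [], []
    for rec in sorted(records):
        if current and rec[0] - current[0][0] > window:
            if len(current) >= min_size:
                bursts.append(current)
            current = []
        current.append(rec)
    if len(current) >= min_size:
        bursts.append(current)
    return bursts

def triage(hjt_lines, dss_lines):
    """Flag HJT entries, find creation bursts, and report which flagged files
    were dropped during a burst (the correlation the poster noticed by hand)."""
    flagged = []
    for line in hjt_lines:
        reason = hjt_suspicious(line)
        if reason:
            flagged.append((reason, basename(extract_path(HJT_RE.match(line).group(2)))))
    bursts = creation_bursts(dss_lines)
    burst_files = {basename(path) for burst in bursts for _, path in burst}
    linked = {name for _, name in flagged if name in burst_files}
    return {"flagged": flagged, "bursts": bursts, "linked": linked}
```

On the sample lines the Spybot BHO and the RunOnce entries are left alone, four entries are flagged, and dpvacmv.dll is the one flagged file that sits in the 2007-12-07 02:34 to 02:43 creation burst.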

Hi Ultrad321

 

Now, I'm not 100% sure this tool will run on your PC, but give it a try.

 

Download ComboFix from Here or Here to your Desktop.

 

  • Double-click combofix.exe and follow the prompts.
  • When finished, it shall produce a log for you. Post that log and a HijackThis log in your next reply.

 

Note: Do not mouse-click ComboFix's window while it's running. That may cause it to stall.

 

 

Gogo :)


Hi Ultrad321

 

OK, not sure. Run this one.

 

Please download Deckard's System Scanner (DSS) to your Desktop.

 

  • Close all applications and windows.
  • Double-click on DSS.exe to run it, and follow the prompts.
  • The scan may take a minute. When the scan is complete, two text files will open: Main.txt and Extra.txt.

 

Extra Note: When running DSS, some firewalls may warn that sigcheck.exe is trying to access the internet; please ensure that you allow sigcheck.exe permission to do so. Also, it may happen that your Antivirus flags DSS as suspicious. Please allow Deckard's System Scanner to run and don't let your Antivirus delete it. (In this case, it may be better to temporarily disable your Antivirus.)

 

Post the main.txt and extra.txt from the C:\Deckard\System Scanner folder into your next reply.

 

 

Gogo ;)


The first time it ran it used the older version of HijackThis, so I reran it for it to use the new version, but did not get an Extra file the second time. So the Main file is from the second scan with the new HijackThis, and the Extra from the first scan, when it used the older HijackThis.

 

Attached is my latest HJT log if you need it. I will also put it at the bottom of this post.

 

I have noticed a few suspicious files that I think might be related to my problem, but I will wait for your input to take any action.

 

main.txt:

 

Deckard's System Scanner v20071014.68

Run by Administrator on 2007-12-08 17:03:58

Computer is in Normal Mode.

--------------------------------------------------------------------------------

 

 

 

-- HijackThis (run as Administrator.exe) ---------------------------------------

 

Logfile of Trend Micro HijackThis v2.0.2

Scan saved at 05:04 PM, on 2007-12-08

Platform: Windows 2003 SP2 (WinNT 5.02.3790)

MSIE: Internet Explorer v7.00 (7.00.6000.16544)

Boot mode: Normal

 

Running processes:

C:\Program Files (x86)\Lavasoft\Ad-Aware 2007\aawservice.exe

C:\Program Files (x86)\FSI\F-Prot\fpavupdm.exe

C:\WINDOWS\SysWOW64\PnkBstrA.exe

C:\WINDOWS\SysWOW64\wwSecure.exe

C:\Program Files (x86)\NVIDIA Corporation\NvMixer\NVMixerTray.exe

C:\Program Files (x86)\Webroot\Washer\wwDisp.exe

C:\WINDOWS\SysWOW64\ctfmon.exe

C:\Program Files (x86)\FSI\F-Prot\F-Sched.exe

C:\Program Files (x86)\Common Files\Real\Update_OB\realsched.exe

C:\Program Files (x86)\iTunes\iTunesHelper.exe

C:\Program Files (x86)\Java\jre1.6.0_03\bin\jusched.exe

C:\Program Files (x86)\iPod\bin\iPodService.exe

C:\Documents and Settings\Administrator\Desktop\dss.exe

C:\PROGRA~2\TRENDM~1\HIJACK~1\Administrator.exe

 

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157

O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files (x86)\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll

O2 - BHO: (no name) - {10F02D85-BCB8-4AD4-BCA8-CBBA548FC64B} - C:\WINDOWS\SysWow64\dpvacmv.dll

O2 - BHO: (no name) - {293D6DCB-E93F-42F9-BB5B-A11EF759210C} - C:\WINDOWS\SysWow64\dpvacmv.dll

O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~2\SPYBOT~1\SDHelper.dll

O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files (x86)\Java\jre1.6.0_03\bin\ssv.dll

O2 - BHO: (no name) - {7BCD843D-31F6-493D-BDA9-BDC6F721542C} - C:\WINDOWS\SysWow64\dpvacmv.dll

O4 - HKLM\..\Run: [FRISK FP-Scheduler] "C:\Program Files (x86)\FSI\F-Prot\F-Sched.exe" STARTUP

O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files (x86)\Common Files\Real\Update_OB\realsched.exe" -osboot

O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files (x86)\iTunes\iTunesHelper.exe"

O4 - HKLM\..\Run: [startCCC] "C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe"

O4 - HKLM\..\Run: [CatalystRegistration] "C:\Program Files (x86)\ATI\CatalystRegistration\dolce.exe"

O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files (x86)\QuickTime\qttask.exe" -atboottime

O4 - HKLM\..\Run: [sunJavaUpdateSched] "C:\Program Files (x86)\Java\jre1.6.0_03\bin\jusched.exe"

O4 - HKCU\..\Run: [Aim6] "C:\Program Files (x86)\AIM6\aim6.exe" /d locale=en-US ee://aol/imApp

O4 - HKCU\..\Run: [Window Washer] C:\Program Files (x86)\Webroot\Washer\wwDisp.exe

O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe

O4 - HKCU\..\Policies\Explorer\Run: [udhrat] C:\WINDOWS\system32\udhrat.exe

O4 - HKUS\S-1-5-19\..\RunOnce: [tscuninstall] %systemroot%\system32\tscupgrd.exe (User 'LOCAL SERVICE')

O4 - HKUS\S-1-5-20\..\RunOnce: [tscuninstall] %systemroot%\system32\tscupgrd.exe (User 'NETWORK SERVICE')

O4 - HKUS\S-1-5-18\..\Run: [kffo] C:\PROGRA~2\COMMON~1\kffo\kffom.exe (User 'SYSTEM')

O4 - HKUS\S-1-5-18\..\RunOnce: [tscuninstall] %systemroot%\system32\tscupgrd.exe (User 'SYSTEM')

O4 - HKUS\.DEFAULT\..\Run: [kffo] C:\PROGRA~2\COMMON~1\kffo\kffom.exe (User 'Default user')

O4 - HKUS\.DEFAULT\..\RunOnce: [tscuninstall] %systemroot%\system32\tscupgrd.exe (User 'Default user')

O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files (x86)\Adobe\Acrobat 7.0\Reader\reader_sl.exe

O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~2\MICROS~2\OFFICE11\EXCEL.EXE/3000

O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files (x86)\Java\jre1.6.0_03\bin\ssv.dll

O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files (x86)\Java\jre1.6.0_03\bin\ssv.dll

O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~2\MICROS~2\OFFICE11\REFIEBAR.DLL

O15 - ESC Trusted Zone: http://runonce.msn.com

O16 - DPF: {0B79F48A-E8D6-11DB-9283-E25056D89593} (F-Secure Online Scanner 3.1) - http://support.f-secure.com/ols/fscax.cab

O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004061...all/xscan53.cab

O16 - DPF: {CE74A05D-ED12-473A-97F8-85FB0E2F479F} (dlControl.UserControl1) - http://www.livemetallica.com/nugster/dlControl.CAB

O16 - DPF: {E8F628B5-259A-4734-97EE-BA914D7BE941} (Driver Agent ActiveX Control) - http://driveragent.com/files/driveragent.cab

O20 - Winlogon Notify: Themes - C:\WINDOWS\system32\camaddin.dll (file missing)

O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:\Program Files (x86)\Lavasoft\Ad-Aware 2007\aawservice.exe

O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\system32\Ati2evxx.exe (file missing)

O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2saag.exe

O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - Unknown owner - C:\WINDOWS\System32\dmadmin.exe (file missing)

O23 - Service: Event Log (Eventlog) - Unknown owner - C:\WINDOWS\system32\services.exe (file missing)

O23 - Service: F-Prot Antivirus Update Monitor - FRISK Software - C:\Program Files (x86)\FSI\F-Prot\fpavupdm.exe

O23 - Service: HTTP SSL (HTTPFilter) - Unknown owner - C:\WINDOWS\System32\lsass.exe (file missing)

O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files (x86)\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe

O23 - Service: IMAPI CD-Burning COM Service (ImapiService) - Unknown owner - C:\WINDOWS\system32\imapi.exe (file missing)

O23 - Service: iPod Service - Apple Inc. - C:\Program Files (x86)\iPod\bin\iPodService.exe

O23 - Service: Distributed Transaction Coordinator (MSDTC) - Unknown owner - C:\WINDOWS\system32\msdtc.exe (file missing)

O23 - Service: Net Logon (Netlogon) - Unknown owner - C:\WINDOWS\system32\lsass.exe (file missing)

O23 - Service: NT LM Security Support Provider (NtLmSsp) - Unknown owner - C:\WINDOWS\system32\lsass.exe (file missing)

O23 - Service: Plug and Play (PlugPlay) - Unknown owner - C:\WINDOWS\system32\services.exe (file missing)

O23 - Service: PnkBstrA - Unknown owner - C:\WINDOWS\system32\PnkBstrA.exe

O23 - Service: IPSEC Services (PolicyAgent) - Unknown owner - C:\WINDOWS\system32\lsass.exe (file missing)

O23 - Service: Protected Storage (ProtectedStorage) - Unknown owner - C:\WINDOWS\system32\lsass.exe (file missing)

O23 - Service: Remote Desktop Help Session Manager (RDSessMgr) - Unknown owner - C:\WINDOWS\system32\sessmgr.exe (file missing)

O23 - Service: Security Accounts Manager (SamSs) - Unknown owner - C:\WINDOWS\system32\lsass.exe (file missing)

O23 - Service: Virtual Disk Service (vds) - Unknown owner - C:\WINDOWS\System32\vds.exe (file missing)

O23 - Service: Volume Shadow Copy (VSS) - Unknown owner - C:\WINDOWS\System32\vssvc.exe (file missing)

O23 - Service: WMI Performance Adapter (WmiApSrv) - Unknown owner - C:\WINDOWS\system32\wbem\wmiapsrv.exe (file missing)

O23 - Service: Washer AutoComplete (wwSecSvc) - Webroot Software, Inc. - C:\WINDOWS\system32\wwSecure.exe

 

--

End of file - 7520 bytes

 

-- Files created between 2007-11-08 and 2007-12-08 -----------------------------

 

2007-12-08 12:59:49 0 d-------- C:\Program Files (x86)\Common Files\Java

2007-12-08 12:43:31 0 d-------- C:\Program Files (x86)\Trend Micro

2007-12-07 23:06:09 0 d-------- C:\Program Files (x86)\SpywareGuard

2007-12-07 16:23:04 0 d-------- C:\Documents and Settings\Administrator\Application Data\GetRightToGo

2007-12-07 02:43:08 119552 --a------ C:\WINDOWS\system32\nljazrum.dat

2007-12-07 02:35:27 19456 --a------ C:\WINDOWS\system32\drivers\ylcgcuoq.dat

2007-12-07 02:35:24 54784 --a------ C:\WINDOWS\system32\audiosrva.dll

2007-12-07 02:35:00 0 d-------- C:\WINDOWS\system32\AppCert

2007-12-07 02:34:45 84992 --a------ C:\WINDOWS\system32\dpvacmv.dll

2007-11-09 23:45:37 500224 --a------ C:\Program Files (x86)\FS0J.EXE

 

 

-- Find3M Report ---------------------------------------------------------------

 

2007-12-08 13:00:07 0 d-------- C:\Program Files (x86)\Java

2007-12-08 12:59:49 0 d-------- C:\Program Files (x86)\Common Files

2007-12-07 22:33:48 0 d-------- C:\Program Files (x86)\Viewpoint

2007-12-07 16:26:42 0 d--h----- C:\Program Files (x86)\InstallShield Installation Information

2007-11-11 14:46:55 0 d-------- C:\Documents and Settings\Administrator\Application Data\LimeWire

2007-11-09 23:39:07 487354 --a------ C:\Program Files (x86)\P9SFS0J.rar

2007-11-09 22:20:04 0 d-------- C:\Program Files (x86)\Activision

2007-11-09 22:17:29 0 d-------- C:\Program Files (x86)\Diablo II

2007-11-05 19:55:00 2 --ahs---- C:\Documents and Settings\Administrator\Application Data\evf

2007-11-04 17:01:35 0 d-------- C:\Documents and Settings\Administrator\Application Data\Command & Conquer 3 Tiberium Wars

2007-11-04 02:53:20 0 d-------- C:\Program Files (x86)\Electronic Arts

2007-10-30 03:25:20 0 d-------- C:\Program Files (x86)\AIM6

2007-10-27 16:33:40 1980198419 --a------ C:\Program Files (x86)\BioShock_PC_Demo.zip

2007-10-27 16:10:01 45975 --a------ C:\Program Files (x86)\aohv4-lbcp.zip

2007-10-27 14:51:27 0 d-------- C:\Documents and Settings\Administrator\Application Data\Codemasters

2007-10-27 14:39:49 0 d-------- C:\Documents and Settings\Administrator\Application Data\InstallShield

2007-10-27 14:39:19 0 d-------- C:\Program Files (x86)\AGEIA Technologies

2007-10-27 14:39:01 0 d-------- C:\Program Files (x86)\Common Files\Wise Installation Wizard

2007-10-27 14:36:33 0 d-------- C:\Program Files (x86)\Common Files\InstallShield

2007-10-26 18:05:22 0 d-------- C:\Documents and Settings\Administrator\Application Data\Bioshock

2007-10-26 17:48:39 0 d-------- C:\Program Files (x86)\Common Files\ATI Technologies

2007-10-26 16:48:19 0 --a------ C:\WINDOWS\ativpsrm.bin

2007-10-26 16:40:45 0 d-------- C:\Documents and Settings\Administrator\Application Data\ATI

2007-10-26 16:10:13 0 d-------- C:\Program Files (x86)\ATI

2007-10-26 16:02:53 0 d-------- C:\Program Files (x86)\ATI Technologies

2007-10-11 20:45:17 0 d-------- C:\Program Files (x86)\Doom 3

2007-09-28 20:05:00 660992 -----n--- C:\WINDOWS\system32\ati2saag.exe <Not Verified; ; ATI Smart>

 

 

-- Registry Dump ---------------------------------------------------------------

 

 

 

-- End of Deckard's System Scanner: finished at 2007-12-08 17:06:17 ------------

 

 

 

 

 

extra.txt:

 

Deckard's System Scanner v20071014.68

Extra logfile - please post this as an attachment with your post.

--------------------------------------------------------------------------------

 

-- System Information ----------------------------------------------------------

 

Microsoft® Windows® XP Professional x64 Edition (build 3790) SP 2.0

Architecture: X64; Language: English

 

CPU 0: AMD Athlon 64 Processor 3200+

Percentage of Memory in Use: 21%

Physical Memory (total/avail): 1023.38 MiB / 802.37 MiB

Pagefile Memory (total/avail): 3002.97 MiB / 2561.24 MiB

Virtual Memory (total/avail): 4095.88 MiB / 3946.42 MiB

 

C: is Fixed (NTFS) - 152.66 GiB total, 52.08 GiB free.

D: is CDROM (No Media)

E: is CDROM (No Media)

 

\\.\PHYSICALDRIVE0 - Maxtor 6B160M0 - 152.66 GiB - 1 partition

\PARTITION0 (bootable) - Installable File System - 152.66 GiB - C:

 

 

 

-- Security Center -------------------------------------------------------------

 

Windows Internal Firewall is enabled.

 

[HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List]

"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"

 

[HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]

"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"

"C:\\Program Files (x86)\\Valve\\Steam\\Steam.exe"="C:\\Program Files (x86)\\Valve\\Steam\\Steam.exe:*:Enabled:Steam"

"C:\\Program Files (x86)\\Valve\\Steam\\SteamApps\\ultrad321\\half-life 2 deathmatch\\hl2.exe"="C:\\Program Files (x86)\\Valve\\Steam\\SteamApps\\ultrad321\\half-life 2 deathmatch\\hl2.exe:*:Enabled:hl2"

"C:\\Program Files (x86)\\AIM\\aim.exe"="C:\\Program Files (x86)\\AIM\\aim.exe:*:Enabled:AOL Instant Messenger"

"C:\\Program Files (x86)\\Valve\\Steam\\SteamApps\\ultrad321\\counter-strike source\\hl2.exe"="C:\\Program Files (x86)\\Valve\\Steam\\SteamApps\\ultrad321\\counter-strike source\\hl2.exe:*:Enabled:hl2"

"C:\\Program Files (x86)\\Mozilla Firefox\\firefox.exe"="C:\\Program Files (x86)\\Mozilla Firefox\\firefox.exe:*:Enabled:Mozilla Firefox"

"C:\\Program Files\\Internet Explorer\\IEXPLORE.EXE"="C:\\Program Files\\Internet Explorer\\IEXPLORE.EXE:*:Enabled:Internet Explorer (64-bit)"

"C:\\Program Files (x86)\\FSI\\F-Prot\\F-Sched.exe"="C:\\Program Files (x86)\\FSI\\F-Prot\\F-Sched.exe:*:Enabled:Scheduler"

"C:\\Program Files (x86)\\FSI\\F-Prot\\FP-Win.exe"="C:\\Program Files (x86)\\FSI\\F-Prot\\FP-Win.exe:*:Enabled:OnDemand Scanner"

"C:\\Program Files (x86)\\Lavasoft\\Ad-Aware SE Personal\\Ad-Aware.exe"="C:\\Program Files (x86)\\Lavasoft\\Ad-Aware SE Personal\\Ad-Aware.exe:*:Enabled:Ad-Aware SE Personal"

"C:\\Program Files (x86)\\FSI\\F-Prot\\FP-Updater\\Updater.exe"="C:\\Program Files (x86)\\FSI\\F-Prot\\FP-Updater\\Updater.exe:*:Enabled:Updater"

"C:\\Program Files (x86)\\WASTE\\WASTE.exe"="C:\\Program Files (x86)\\WASTE\\WASTE.exe:*:Enabled:WASTE"

"C:\\Program Files (x86)\\Windows Media Player\\wmplayer.exe"="C:\\Program Files (x86)\\Windows Media Player\\wmplayer.exe:*:Enabled:Windows Media Player"

"C:\\Program Files (x86)\\Microsoft Games\\Halo\\halo.exe"="C:\\Program Files (x86)\\Microsoft Games\\Halo\\halo.exe:*:Enabled:Halo"

"C:\\Program Files (x86)\\Valve\\Steam\\SteamApps\\ultrad321\\half-life 2\\hl2.exe"="C:\\Program Files (x86)\\Valve\\Steam\\SteamApps\\ultrad321\\half-life 2\\hl2.exe:*:Enabled:hl2"

"C:\\Program Files (x86)\\Real\\RealPlayer\\realplay.exe"="C:\\Program Files (x86)\\Real\\RealPlayer\\realplay.exe:*:Enabled:RealPlayer"

"C:\\Program Files (x86)\\Activision\\Call of Duty 2\\CoD2MP_s.exe"="C:\\Program Files (x86)\\Activision\\Call of Duty 2\\CoD2MP_s.exe:*:Enabled:CoD2MP_s"

"C:\\Program Files (x86)\\Sierra\\FEAR\\FEAR.exe"="C:\\Program Files (x86)\\Sierra\\FEAR\\FEAR.exe:*:Enabled:FEAR"

"C:\\Program Files (x86)\\GameSpy Arcade\\Aphex.exe"="C:\\Program Files (x86)\\GameSpy Arcade\\Aphex.exe:*:Enabled:GameSpy Arcade"

"C:\\Program Files (x86)\\Ubisoft\\Crytek\\Far Cry\\Bin32\\FarCry.exe"="C:\\Program Files (x86)\\Ubisoft\\Crytek\\Far Cry\\Bin32\\FarCry.exe:*:Enabled:Far Cry"

"C:\\Program Files (x86)\\Sierra\\FEAR\\fpupdate.exe"="C:\\Program Files (x86)\\Sierra\\FEAR\\fpupdate.exe:*:Enabled:fpupdate"

"C:\\Program Files (x86)\\Internet Explorer\\IEXPLORE.EXE"="C:\\Program Files (x86)\\Internet Explorer\\IEXPLORE.EXE:*:Enabled:Internet Explorer"

"C:\\Program Files (x86)\\EA GAMES\\Battlefield 1942\\BF1942.exe"="C:\\Program Files (x86)\\EA GAMES\\Battlefield 1942\\BF1942.exe:*:Enabled:BF1942"

"C:\\Program Files (x86)\\Common Files\\AOL\\Loader\\aolload.exe"="C:\\Program Files (x86)\\Common Files\\AOL\\Loader\\aolload.exe:*:Enabled:AOL Loader"

"C:\\WINDOWS\\system32\\mmc.exe"="C:\\WINDOWS\\system32\\mmc.exe:*:Enabled:Microsoft Management Console"

"C:\\Program Files (x86)\\uTorrent\\uTorrent.exe"="C:\\Program Files (x86)\\uTorrent\\uTorrent.exe:*:Enabled:µTorrent"

"C:\\Program Files (x86)\\AIM6\\aim6.exe"="C:\\Program Files (x86)\\AIM6\\aim6.exe:*:Enabled:AIM"

"C:\\Program Files (x86)\\BitTorrent_DNA\\dna.exe"="C:\\Program Files (x86)\\BitTorrent_DNA\\dna.exe:*:Enabled:BitTorrent DNA"

"C:\\Program Files (x86)\\BitTorrent\\bittorrent.exe"="C:\\Program Files (x86)\\BitTorrent\\bittorrent.exe:*:Enabled:BitTorrent"

"C:\\Program Files (x86)\\iTunes\\iTunes.exe"="C:\\Program Files (x86)\\iTunes\\iTunes.exe:*:Enabled:iTunes"

"C:\\WINDOWS\\SysWOW64\\PnkBstrA.exe"="C:\\WINDOWS\\SysWOW64\\PnkBstrA.exe:*:Enabled:PnkBstrA"

"C:\\WINDOWS\\SysWOW64\\PnkBstrB.exe"="C:\\WINDOWS\\SysWOW64\\PnkBstrB.exe:*:Enabled:PnkBstrB"

"C:\\WINDOWS\\system32\\dpvsetup.exe"="C:\\WINDOWS\\system32\\dpvsetup.exe:*:Enabled:Microsoft DirectPlay Voice Test"

"C:\\WINDOWS\\system32\\rundll32.exe"="C:\\WINDOWS\\system32\\rundll32.exe:*:Enabled:Run a DLL as an App"

"C:\\WINDOWS\\SysWOW64\\4vmxdpmgs.exe"="C:\\WINDOWS\\SysWOW64\\4vmxdpmgs.exe:*:Disabled:4vmxdpmgs"

"C:\\Program Files (x86)\\Activision\\Call of Duty 4 - Modern Warfare\\iw3mp.exe"="C:\\Program Files (x86)\\Activision\\Call of Duty 4 - Modern Warfare\\iw3mp.exe:*:Enabled:Call of Duty® 4 - Modern Warfare "

 

 

-- Environment Variables -------------------------------------------------------

 

ALLUSERSPROFILE=C:\Documents and Settings\All Users

APPDATA=C:\Documents and Settings\Administrator\Application Data

CLASSPATH=.;C:\Program Files (x86)\Java\jre1.5.0_04\lib\ext\QTJava.zip

CLIENTNAME=Console

CommonProgramFiles=C:\Program Files (x86)\Common Files

CommonProgramFiles(x86)=C:\Program Files (x86)\Common Files

CommonProgramW6432=C:\Program Files\Common Files

COMPUTERNAME=DREWS-SGAMER

ComSpec=C:\WINDOWS\system32\cmd.exe

FP_NO_HOST_CHECK=NO

HOMEDRIVE=C:

HOMEPATH=\Documents and Settings\Administrator

LOGONSERVER=\\DREWS-SGAMER

NUMBER_OF_PROCESSORS=1

OS=Windows_NT

Path=C:\WINDOWS\system32;C:\WINDOWS;C:\WINDOWS\system32\wbem;C:\Program Files\ATI Technologies\ATI Control Panel;C:\Program Files (x86)\QuickTime\QTSystem\;C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static

PATHEXT=.COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH

PROCESSOR_ARCHITECTURE=x86

PROCESSOR_ARCHITEW6432=AMD64

PROCESSOR_IDENTIFIER=AMD64 Family 15 Model 47 Stepping 2, AuthenticAMD

PROCESSOR_LEVEL=15

PROCESSOR_REVISION=2f02

ProgramFiles=C:\Program Files (x86)

ProgramFiles(x86)=C:\Program Files (x86)

ProgramW6432=C:\Program Files

PROMPT=$P$G

QTJAVA=C:\Program Files (x86)\Java\jre1.5.0_04\lib\ext\QTJava.zip

SESSIONNAME=Console

SystemDrive=C:

SystemRoot=C:\WINDOWS

TEMP=C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp

TMP=C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp

USERDOMAIN=DREWS-SGAMER

USERNAME=Administrator

USERPROFILE=C:\Documents and Settings\Administrator

windir=C:\WINDOWS

 

 

-- User Profiles ---------------------------------------------------------------

 

Administrator (admin)

 

 

-- Add/Remove Programs ---------------------------------------------------------

 

--> C:\Program Files (x86)\Common Files\Real\Update_OB\r1puninst.exe RealNetworks|RealPlayer|6.0

--> MsiExec /X{85EBB283-65AF-4C53-9EBE-7C0A232762F7}

ABIT uGuru --> RunDll32 C:\PROGRA~2\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files (x86)\InstallShield Installation Information\{FF8500E6-EA0D-11D7-8755-0080C8F92A32}\Setup.exe" -l0x9

Ad-Aware 2007 --> MsiExec.exe /X{DED53B0B-B67C-4244-AE6A-D6FD3C28D1EF}

Adobe Flash Player ActiveX --> C:\WINDOWS\SysWOW64\Macromed\Flash\uninstall_activeX.exe

Adobe Reader 7.0.9 --> MsiExec.exe /I{AC76BA86-7AD7-1033-7B44-A70900000002}

AGEIA PhysX v7.03.21 --> MsiExec.exe /X{85EBB283-65AF-4C53-9EBE-7C0A232762F7}

AIM 6 --> C:\Program Files (x86)\AIM6\uninst.exe

Apple Software Update --> MsiExec.exe /I{B74F042E-E1B9-4A5B-8D46-387BB172F0A4}

Athlon 64 Processor Driver --> RunDll32 C:\PROGRA~2\COMMON~1\INSTAL~1\PROFES~1\RunTime91\Intel32\Ctor.dll,LaunchSetup "C:\Program Files (x86)\InstallShield Installation Information\{C151CE54-E7EA-4804-854B-F515368B0798}\setup.exe" -l0x9

ATI - Software Uninstall Utility --> C:\Program Files (x86)\ATI Technologies\UninstallAll\AtiCimUn.exe

ATI AVIVO Codecs --> MsiExec.exe /I{89DE67AD-08B8-4699-A55D-CA5C0AF82BF3}

ATI Catalyst Control Center --> RunDll32 C:\PROGRA~2\COMMON~1\INSTAL~1\PROFES~1\RunTime91\Intel32\Ctor.dll,LaunchSetup "C:\Program Files (x86)\InstallShield Installation Information\{055EE59D-217B-43A7-ABFF-507B966405D8}\setup.exe" -l0x0

ATI Control Panel --> C:\PROGRA~2\COMMON~1\INSTAL~1\Driver\9\INTEL3~1\IDriver.exe /M{F8A2AF2E-DDE7-429C-A803-89FA9E0F4805} /l1033

Birth of the Federation --> C:\WINDOWS\IsUninst.exe -f"c:\program files (x86)\botf\Uninst.isu"

Call of Duty® 2 --> C:\PROGRA~2\COMMON~1\INSTAL~1\Driver\9\INTEL3~1\IDriver.exe /M{D0A05794-48C2-4424-A15A-9F20FCFDD374} /l1033

Call of Duty® 4 - Modern Warfare --> C:\Program Files (x86)\InstallShield Installation Information\{E48469CC-635E-4FD5-A122-1497C286D217}\setup.exe -runfromtemp -l0x0409

Call of Duty® 4 - Modern Warfare 1.2 Patch --> C:\Program Files (x86)\InstallShield Installation Information\{E5141379-B2D9-4BBC-BB2A-5805541571DD}\setup.exe -runfromtemp -l0x0409

Call of Duty® 4 - Modern Warfare 1.3 Patch --> C:\Program Files (x86)\InstallShield Installation Information\{050C1C8E-4A4D-4C2F-B9AE-67E60EE91B7F}\setup.exe -runfromtemp -l0x0409

Catalyst Registration --> MsiExec.exe /X{5E2691D1-9EDF-43E8-9CF2-E3DF6A17706E}

Command & Conquer 3 --> MsiExec.exe /I{DDEDAF6C-488E-4CDA-8276-1CCF5F3C5C32}

Command & Conquer Red Alert 2 --> C:\Westwood\RA2\Uninstll.EXE

Doom 3 --> C:\PROGRA~2\COMMON~1\INSTAL~1\Driver\9\INTEL3~1\IDriver.exe /M{584267B8-0BB0-4D18-9FFA-726576619E9A} /l1033 /x

Doom II for Windows 95 --> C:\Program Files\Doom II for Windows 95\uninstl.exe /S C:\Program Files\Doom II for Windows 95

F-Prot for Windows --> RunDll32 C:\PROGRA~2\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files (x86)\InstallShield Installation Information\{9FD12630-1991-46F5-8479-92DE1EAE87DA}\setup.exe" -l0x9

Far Cry --> C:\PROGRA~2\COMMON~1\INSTAL~1\Driver\9\INTEL3~1\IDriver.exe /M{D6DBDC2A-E72C-4284-B6AD-6B3B61B4DABC}

FEAR --> RunDll32 C:\PROGRA~2\COMMON~1\INSTAL~1\PROFES~1\RunTime\11\50\Intel32\Ctor.dll,LaunchSetup "C:\Program Files (x86)\InstallShield Installation Information\{2B653229-9854-4989-B780-D978F5F13EAB}\setup.exe" -l0x9 /zU -removeonly

GameSpy Arcade --> C:\PROGRA~2\GAMESP~1\UNWISE.EXE C:\PROGRA~2\GAMESP~1\INSTALL.LOG

Google Earth --> RunDll32 C:\PROGRA~2\COMMON~1\INSTAL~1\PROFES~1\RunTime\11\50\Intel32\Ctor.dll,LaunchSetup "C:\Program Files (x86)\InstallShield Installation Information\{3DE5E7D4-7B88-403C-A3FD-2017A8240C5B}\setup.exe" -l0x9 -removeonly

Half-Life 2: Episode Two --> "C:\Program Files (x86)\Valve\Steam\steam.exe" steam://uninstall/420

Half-Life® 2 --> MsiExec.exe /I{D45EC259-4A19-4656-B588-C2C360DD18EA}

HijackThis 1.99.1 --> C:\Program Files (x86)\hijackthis\HijackThis.exe /uninstall

InterActual Player --> C:\Program Files\InterActual\InterActual Player\inuninst.exe

iTunes --> MsiExec.exe /I{B8A204BC-7177-470E-BBDD-47256D05B325}

Java 6 Update 3 --> MsiExec.exe /I{3248F0A8-6813-11D6-A77B-00B0D0160030}

LimeWire 4.14.8 --> "C:\Program Files (x86)\LimeWire\uninstall.exe"

Macromedia Shockwave Player --> C:\WINDOWS\system32\Macromed\SHOCKW~1\UNWISE.EXE C:\WINDOWS\system32\Macromed\SHOCKW~1\Install.log

Max Payne --> RunDll32 C:\PROGRA~2\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files (x86)\InstallShield Installation Information\{39930321-4C58-4B8B-BCBF-342698C9801D}\Setup.exe" uninstall uninstall

Max Payne 2 --> RunDll32 C:\PROGRA~2\COMMON~1\INSTAL~1\PROFES~1\RunTime701\Intel32\Ctor.dll,LaunchSetup "C:\Program Files (x86)\InstallShield Installation Information\{EFE1AB94-5466-4B6E-BE31-FF4C115FD25D}\Setup.exe" -l0x9

Medieval II Total War --> C:\Program Files (x86)\InstallShield Installation Information\{C0698BDA-0D29-40EE-8570-A31106DF9AB1}\setup.exe -runfromtemp -l0x0009 -removeonly

Medieval II Total War : Kingdoms : Americas --> C:\Program Files (x86)\InstallShield Installation Information\{75983B66-804C-40D1-BA13-64DAF652A6F1}\setup.exe -runfromtemp -l0x0009 -removeonly

Medieval II Total War : Kingdoms : Britannia --> C:\Program Files (x86)\InstallShield Installation Information\{CEDDEE73-3D36-41C2-AA40-29355D9FBD63}\setup.exe -runfromtemp -l0x0009 -removeonly

Medieval II Total War : Kingdoms : Crusades --> C:\Program Files (x86)\InstallShield Installation Information\{02A10468-2F1C-447C-AD8E-4DEDDEA25AE2}\setup.exe -runfromtemp -l0x0009 -removeonly

Medieval II Total War : Kingdoms : Teutonic --> C:\Program Files (x86)\InstallShield Installation Information\{7AEE1963-7001-4C37-BC20-2FAEB74AA41C}\setup.exe -runfromtemp -l0x0009 -removeonly

Microsoft .NET Framework 1.1 --> msiexec.exe /X {CB2F7EDD-9D1F-43C1-90FC-4F52EAE172A1}

Microsoft .NET Framework 1.1 --> MsiExec.exe /X{CB2F7EDD-9D1F-43C1-90FC-4F52EAE172A1}

Microsoft .NET Framework 1.1 Hotfix (KB928366) --> "C:\WINDOWS\Microsoft.NET\Framework\v1.1.4322\Updates\hotfix.exe" "C:\WINDOWS\Microsoft.NET\Framework\v1.1.4322\Updates\M928366\M928366Uninstall.msp"

Microsoft Halo --> "C:\Program Files (x86)\Microsoft Games\Halo\UNINSTAL.EXE" /runtemp /addremove

Microsoft Office Professional Edition 2003 --> MsiExec.exe /I{91110409-6000-11D3-8CFE-0150048383C9}

Microsoft Visual C++ 2005 Redistributable --> MsiExec.exe /X{7299052b-02a4-4627-81f2-1818da5d550d}

Microsoft Visual J# .NET Redistributable Package 1.1 --> MsiExec.exe /X{1A655D51-1423-48A3-B748-8F5A0BE294C8}

Mozilla Firefox (1.0.7) --> C:\WINDOWS\UninstallFirefox.exe /ua "1.0.7 (en-US)"

MSXML 4.0 SP2 (KB927978) --> MsiExec.exe /I{37477865-A3F1-4772-AD43-AAFC6BCFF99F}

MSXML 4.0 SP2 (KB936181) --> MsiExec.exe /I{C04E32E0-0416-434D-AFB9-6969D703A9EF}

MSXML 4.0 SP2 Parser and SDK --> MsiExec.exe /I{716E0306-8318-4364-8B8F-0CC4E9376BAC}

MSXML4 Parser --> MsiExec.exe /I{01501EBA-EC35-4F9F-8889-3BE346E5DA13}

Nero OEM --> C:\Program Files (x86)\Ahead\nero\uninstall\UNNERO.exe /UNINSTALL

NvMixer --> RunDll32 C:\PROGRA~2\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files (x86)\InstallShield Installation Information\{D7A6C517-11F2-419F-B5BB-27772B939698}\Setup.exe" -uninstall

Pocket Tanks 1.00b --> "C:\Program Files (x86)\Pocket Tanks\unins000.exe"

PowerDVD --> RunDll32 C:\PROGRA~2\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files (x86)\InstallShield Installation Information\{6811CAA0-BF12-11D4-9EA1-0050BAE317E1}\Setup.exe" -uninstall

QuickTime --> MsiExec.exe /I{95A890AA-B3B1-44B6-9C18-A8F7AB3EE7FC}

RealPlayer --> C:\Program Files (x86)\Common Files\Real\Update_OB\r1puninst.exe RealNetworks|RealPlayer|6.0

Rome - Total War --> C:\PROGRA~2\COMMON~1\INSTAL~1\Driver\9\INTEL3~1\IDriver.exe /M{4089999C-6CB7-4F9D-A2F6-DB158DBF91FB} /l1033 /x

Rome Total War - patch 1.3 --> RunDll32 C:\PROGRA~2\COMMON~1\INSTAL~1\PROFES~1\RunTime701\Intel32\Ctor.dll,LaunchSetup "C:\Program Files (x86)\InstallShield Installation Information\{A5D65411-8E73-4C85-AD80-9FE8B7391CF9}\Setup.exe" -l0x9

Security Update for Microsoft .NET Framework 2.0 (x64) (KB928365) --> C:\WINDOWS\SysWOW64\msiexec.exe /promptrestart /uninstall {8056AC9E-49C5-4375-9ADE-B2F862C9DF51} /package {B6EC01E7-431D-4D29-B9D4-E1D74CAF0AB0}

Sid Meier's Civilization 4 --> RunDll32 C:\PROGRA~2\COMMON~1\INSTAL~1\PROFES~1\RunTime\11\Intel32\Ctor.dll,LaunchSetup "C:\Program Files (x86)\InstallShield Installation Information\{CFBCE791-2D53-4FCE-B3FB-D6E01F4112E8}\setup.exe" -l0x9 -removeonly

Spybot - Search & Destroy 1.4 --> "C:\Program Files (x86)\Spybot - Search & Destroy\unins000.exe"

Starcraft --> C:\WINDOWS\SCunin.exe C:\WINDOWS\SCunin.dat

Steam --> MsiExec.exe /X{048298C9-A4D3-490B-9FF9-AB023A9238F3}

SWF Opener --> "C:\Program Files (x86)\UnH Solutions\SWF Opener\unins000.exe"

TeamSpeak 2 RC2 --> "C:\Program Files (x86)\Teamspeak2_RC2\unins000.exe"

Total Realism Mod --> C:\Program Files (x86)\Firaxis Games\Sid Meier's Civilization 4\Mods\Total Realism\uninstall.exe

Ultimate Doom for Windows 95 --> C:\Program Files\Ultimate Doom for Windows 95\uninstl.exe /S C:\Program Files\Ultimate Doom for Windows 95

Window Washer --> C:\WINDOWS\Unwash6.exe

WinRAR archiver --> C:\Program Files (x86)\WinRAR\uninstall.exe

 

 

-- Application Event Log -------------------------------------------------------

 

Event Record #/Type3452 / Error

Event Submitted/Written: 12/07/2007 09:58:51 PM

Event ID/Source: 0 / wwSecure.exe

Event Description:

The service process could not connect to the service controller

 

Event Record #/Type3447 / Error

Event Submitted/Written: 12/07/2007 02:02:33 PM

Event ID/Source: 10005 / MsiInstaller

Event Description:

Product: F-PROT Antivirus for Windows -- This setup of F-PROT Antivirus for Windows requires 32-bit Windows 2000, Windows XP or Windows Server 2003. To install F-PROT Antivirus on 64-bit Windows please use 64-bit version of F-PROT Antivirus for Windows

 

Event Record #/Type3445 / Error

Event Submitted/Written: 12/07/2007 02:00:56 PM

Event ID/Source: 10005 / MsiInstaller

Event Description:

Product: F-PROT Antivirus for Windows -- This setup of F-PROT Antivirus for Windows requires 32-bit Windows 2000, Windows XP or Windows Server 2003. To install F-PROT Antivirus on 64-bit Windows please use 64-bit version of F-PROT Antivirus for Windows

 

Event Record #/Type3443 / Error

Event Submitted/Written: 12/07/2007 01:57:35 PM

Event ID/Source: 10005 / MsiInstaller

Event Description:

Product: F-PROT Antivirus for Windows -- This setup of F-PROT Antivirus for Windows requires 32-bit Windows 2000, Windows XP or Windows Server 2003. To install F-PROT Antivirus on 64-bit Windows please use 64-bit version of F-PROT Antivirus for Windows

 

Event Record #/Type3433 / Error

Event Submitted/Written: 11/29/2007 04:48:33 AM

Event ID/Source: 1000 / Application Error

Event Description:

Faulting application iexplore.exe, version 7.0.6000.16544, faulting module flash9d.ocx, version 9.0.47.0, fault address 0x0009a014.

Processing media-specific event for [iexplore.exe!ws!]

 

 

 

-- Security Event Log ----------------------------------------------------------

 

No Errors/Warnings found.

 

 

-- System Event Log ------------------------------------------------------------

 

Event Record #/Type37726 / Error

Event Submitted/Written: 12/08/2007 04:48:04 PM / 12/08/2007 04:48:05 PM

Event ID/Source: 12294 / ati2mtag

Event Description:

 

 

Event Record #/Type37710 / Error

Event Submitted/Written: 12/08/2007 03:35:47 PM

Event ID/Source: 7000 / Service Control Manager

Event Description:

The Keyboard Class Monitor service failed to start due to the following error:

%%1083

 

Event Record #/Type37706 / Error

Event Submitted/Written: 12/08/2007 03:35:16 PM / 12/08/2007 03:35:21 PM

Event ID/Source: 12294 / ati2mtag

Event Description:

 

 

Event Record #/Type37703 / Error

Event Submitted/Written: 12/08/2007 03:34:58 PM / 12/08/2007 03:35:21 PM

Event ID/Source: 1060 / Application Popup

Event Description:

\SystemRoot\SysWow64\Drivers\GEARAspiWDM.sys has been blocked from loading due to incompatibility with this system. Please contact your software

vendor for a compatible version of the driver.

 

Event Record #/Type37702 / Error

Event Submitted/Written: 12/08/2007 03:34:58 PM / 12/08/2007 03:35:21 PM

Event ID/Source: 1060 / Application Popup

Event Description:

\SystemRoot\SysWow64\Drivers\GEARAspiWDM.sys has been blocked from loading due to incompatibility with this system. Please contact your software

vendor for a compatible version of the driver.

 

 

 

-- End of Deckard's System Scanner: finished at 2007-12-08 16:55:54 ------------

 

 

 

 

Latest HijackThis log

 

Logfile of Trend Micro HijackThis v2.0.2

Scan saved at 07:08 PM, on 12/08/2007

Platform: Windows 2003 SP2 (WinNT 5.02.3790)

MSIE: Internet Explorer v7.00 (7.00.6000.16544)

Boot mode: Normal

 

Running processes:

C:\Program Files (x86)\Lavasoft\Ad-Aware 2007\aawservice.exe

C:\Program Files (x86)\FSI\F-Prot\fpavupdm.exe

C:\Program Files (x86)\NVIDIA Corporation\NvMixer\NVMixerTray.exe

C:\Program Files (x86)\Webroot\Washer\wwDisp.exe

C:\Program Files (x86)\Trend Micro\HijackThis\HijackThis.exe

C:\WINDOWS\SysWOW64\ctfmon.exe

C:\WINDOWS\SysWOW64\PnkBstrA.exe

C:\Program Files (x86)\FSI\F-Prot\F-Sched.exe

C:\WINDOWS\SysWOW64\wwSecure.exe

C:\Program Files (x86)\Common Files\Real\Update_OB\realsched.exe

C:\Program Files (x86)\iTunes\iTunesHelper.exe

C:\Program Files (x86)\Java\jre1.6.0_03\bin\jusched.exe

C:\Program Files (x86)\iPod\bin\iPodService.exe

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE

 

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157

O1 - Hosts: be placed in the first column followed by the corresponding host name.

O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files (x86)\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll

O2 - BHO: (no name) - {10F02D85-BCB8-4AD4-BCA8-CBBA548FC64B} - C:\WINDOWS\SysWow64\dpvacmv.dll

O2 - BHO: (no name) - {293D6DCB-E93F-42F9-BB5B-A11EF759210C} - C:\WINDOWS\SysWow64\dpvacmv.dll

O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~2\SPYBOT~1\SDHelper.dll

O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files (x86)\Java\jre1.6.0_03\bin\ssv.dll

O2 - BHO: (no name) - {7BCD843D-31F6-493D-BDA9-BDC6F721542C} - C:\WINDOWS\SysWow64\dpvacmv.dll

O4 - HKLM\..\Run: [FRISK FP-Scheduler] "C:\Program Files (x86)\FSI\F-Prot\F-Sched.exe" STARTUP

O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files (x86)\Common Files\Real\Update_OB\realsched.exe" -osboot

O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files (x86)\iTunes\iTunesHelper.exe"

O4 - HKLM\..\Run: [startCCC] "C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe"

O4 - HKLM\..\Run: [CatalystRegistration] "C:\Program Files (x86)\ATI\CatalystRegistration\dolce.exe"

O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files (x86)\QuickTime\qttask.exe" -atboottime

O4 - HKLM\..\Run: [sunJavaUpdateSched] "C:\Program Files (x86)\Java\jre1.6.0_03\bin\jusched.exe"

O4 - HKCU\..\Run: [Aim6] "C:\Program Files (x86)\AIM6\aim6.exe" /d locale=en-US ee://aol/imApp

O4 - HKCU\..\Run: [Window Washer] C:\Program Files (x86)\Webroot\Washer\wwDisp.exe

O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe

O4 - HKCU\..\Run: [HijackThis startup scan] C:\Program Files (x86)\Trend Micro\HijackThis\HijackThis.exe /startupscan

O4 - HKCU\..\Policies\Explorer\Run: [udhrat] C:\WINDOWS\system32\udhrat.exe

O4 - HKUS\S-1-5-19\..\RunOnce: [tscuninstall] %systemroot%\system32\tscupgrd.exe (User 'LOCAL SERVICE')

O4 - HKUS\S-1-5-20\..\RunOnce: [tscuninstall] %systemroot%\system32\tscupgrd.exe (User 'NETWORK SERVICE')

O4 - HKUS\S-1-5-18\..\Run: [kffo] C:\PROGRA~2\COMMON~1\kffo\kffom.exe (User 'SYSTEM')

O4 - HKUS\S-1-5-18\..\RunOnce: [tscuninstall] %systemroot%\system32\tscupgrd.exe (User 'SYSTEM')

O4 - HKUS\.DEFAULT\..\Run: [kffo] C:\PROGRA~2\COMMON~1\kffo\kffom.exe (User 'Default user')

O4 - HKUS\.DEFAULT\..\RunOnce: [tscuninstall] %systemroot%\system32\tscupgrd.exe (User 'Default user')

O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files (x86)\Adobe\Acrobat 7.0\Reader\reader_sl.exe

O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~2\MICROS~2\OFFICE11\EXCEL.EXE/3000

O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files (x86)\Java\jre1.6.0_03\bin\ssv.dll

O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files (x86)\Java\jre1.6.0_03\bin\ssv.dll

O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~2\MICROS~2\OFFICE11\REFIEBAR.DLL

O15 - ESC Trusted Zone: http://runonce.msn.com

O16 - DPF: {0B79F48A-E8D6-11DB-9283-E25056D89593} (F-Secure Online Scanner 3.1) - http://support.f-secure.com/ols/fscax.cab

O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004061...all/xscan53.cab

O16 - DPF: {CE74A05D-ED12-473A-97F8-85FB0E2F479F} (dlControl.UserControl1) - http://www.livemetallica.com/nugster/dlControl.CAB

O16 - DPF: {E8F628B5-259A-4734-97EE-BA914D7BE941} (Driver Agent ActiveX Control) - http://driveragent.com/files/driveragent.cab

O20 - Winlogon Notify: Themes - C:\WINDOWS\system32\camaddin.dll (file missing)

O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:\Program Files (x86)\Lavasoft\Ad-Aware 2007\aawservice.exe

O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\system32\Ati2evxx.exe (file missing)

O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2saag.exe

O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - Unknown owner - C:\WINDOWS\System32\dmadmin.exe (file missing)

O23 - Service: Event Log (Eventlog) - Unknown owner - C:\WINDOWS\system32\services.exe (file missing)

O23 - Service: F-Prot Antivirus Update Monitor - FRISK Software - C:\Program Files (x86)\FSI\F-Prot\fpavupdm.exe

O23 - Service: HTTP SSL (HTTPFilter) - Unknown owner - C:\WINDOWS\System32\lsass.exe (file missing)

O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files (x86)\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe

O23 - Service: IMAPI CD-Burning COM Service (ImapiService) - Unknown owner - C:\WINDOWS\system32\imapi.exe (file missing)

O23 - Service: iPod Service - Apple Inc. - C:\Program Files (x86)\iPod\bin\iPodService.exe

O23 - Service: Distributed Transaction Coordinator (MSDTC) - Unknown owner - C:\WINDOWS\system32\msdtc.exe (file missing)

O23 - Service: Net Logon (Netlogon) - Unknown owner - C:\WINDOWS\system32\lsass.exe (file missing)

O23 - Service: NT LM Security Support Provider (NtLmSsp) - Unknown owner - C:\WINDOWS\system32\lsass.exe (file missing)

O23 - Service: Plug and Play (PlugPlay) - Unknown owner - C:\WINDOWS\system32\services.exe (file missing)

O23 - Service: PnkBstrA - Unknown owner - C:\WINDOWS\system32\PnkBstrA.exe

O23 - Service: IPSEC Services (PolicyAgent) - Unknown owner - C:\WINDOWS\system32\lsass.exe (file missing)

O23 - Service: Protected Storage (ProtectedStorage) - Unknown owner - C:\WINDOWS\system32\lsass.exe (file missing)

O23 - Service: Remote Desktop Help Session Manager (RDSessMgr) - Unknown owner - C:\WINDOWS\system32\sessmgr.exe (file missing)

O23 - Service: Security Accounts Manager (SamSs) - Unknown owner - C:\WINDOWS\system32\lsass.exe (file missing)

O23 - Service: Virtual Disk Service (vds) - Unknown owner - C:\WINDOWS\System32\vds.exe (file missing)

O23 - Service: Volume Shadow Copy (VSS) - Unknown owner - C:\WINDOWS\System32\vssvc.exe (file missing)

O23 - Service: WMI Performance Adapter (WmiApSrv) - Unknown owner - C:\WINDOWS\system32\wbem\wmiapsrv.exe (file missing)

O23 - Service: Washer AutoComplete (wwSecSvc) - Webroot Software, Inc. - C:\WINDOWS\system32\wwSecure.exe

 

--

End of file - 7734 bytes

hijackthis.log

Edited by Ultrad321


Hi, Ultrad321

 

Sorry for the hold-up here, I ran into a problem of my own. I would like to have a look at some files here.

 

Please submit the following files for analysis.

 

Jotti File Submission:

 

1. Please go to Jotti's malware scan

2. Copy and paste the following file path into the "File to upload & scan" box on the top of the page:

 

C:\WINDOWS\SysWow64\dpvacmv.dll

C:\WINDOWS\system32\udhrat.exe

C:\WINDOWS\system32\nljazrum.dat

C:\WINDOWS\system32\drivers\ylcgcuoq.dat

C:\WINDOWS\system32\audiosrva.dll

C:\WINDOWS\SysWOW64\4vmxdpmgs.exe

 

3. Click on the submit button

4. Please post the results in your next reply.

 

Please note that if you are submitting more than one file they will have to be entered one at a time.

 

Please come back here with the scan results.

 

Gogo ;)


OK, here are my results.

 

File: dpvacmv.dll

Status: INFECTED/MALWARE (Note: this file has been scanned before. Therefore, this file's scan results will not be stored in the database)

MD5: b9c228372922f8901791e9c11274d5c7

Packers detected: PE_PATCH.UPX, UPX

Bit9 reports: File not found

Scan taken on 09 Dec 2007 04:20:54 (GMT)

A-Squared Found nothing

AntiVir Found TR/Spy.BZub.NGP.7

ArcaVir Found nothing

Avast Found nothing

AVG Antivirus Found nothing

BitDefender Found Trojan.Spy.Bzub.NGP

ClamAV Found nothing

CPsecure Found nothing

Dr.Web Found Trojan.DownLoader.origin

F-Prot Antivirus Found nothing

F-Secure Anti-Virus Found nothing

Fortinet Found nothing

Ikarus Found Trojan-PWS.Win32.Lmir

Kaspersky Anti-Virus Found nothing

NOD32 Found nothing

Norman Virus Control Found BZub.ARU

Panda Antivirus Found nothing

Rising Antivirus Found nothing

Sophos Antivirus Found nothing

VirusBuster Found nothing

VBA32 Found nothing

 

 

udhrat.exe (note: this was a problem file that I got rid of last year, or so I thought, so the file itself might not still be on my comp)

 

The file you uploaded is 0 bytes. It is very likely a firewall or a piece of malware is prohibiting you from uploading this file

 

 

File: nljazrum.dat

Status: OK

MD5: 343dcf82198435f175d4bf252c5b2fee

Packers detected: -

Bit9 reports: File not found

 

Scanner results

Scan taken on 09 Dec 2007 04:25:01 (GMT)

A-Squared Found nothing

AntiVir Found nothing

ArcaVir Found nothing

Avast Found nothing

AVG Antivirus Found nothing

BitDefender Found nothing

ClamAV Found nothing

CPsecure Found nothing

Dr.Web Found nothing

F-Prot Antivirus Found nothing

F-Secure Anti-Virus Found nothing

Fortinet Found nothing

Ikarus Found nothing

Kaspersky Anti-Virus Found nothing

NOD32 Found nothing

Norman Virus Control Found nothing

Panda Antivirus Found nothing

Rising Antivirus Found nothing

Sophos Antivirus Found nothing

VirusBuster Found nothing

VBA32 Found nothing

 

ylcgcuoq.dat

 

The file you uploaded is 0 bytes. It is very likely a firewall or a piece of malware is prohibiting you from uploading this file

 

File: audiosrva.dll

Status: INFECTED/MALWARE

MD5: afb9102775751a5a2ad07fb25b971d89

Packers detected: -

Bit9 reports: File not found

 

Scanner results

Scan taken on 09 Dec 2007 04:28:53 (GMT)

A-Squared Found nothing

AntiVir Found TR/Crypt.Morphine.Gen

ArcaVir Found nothing

Avast Found nothing

AVG Antivirus Found Obfustat.ABPN

BitDefender Found nothing

ClamAV Found nothing

CPsecure Found nothing

Dr.Web Found nothing

F-Prot Antivirus Found nothing

F-Secure Anti-Virus Found nothing

Fortinet Found nothing

Ikarus Found nothing

Kaspersky Anti-Virus Found nothing

NOD32 Found nothing

Norman Virus Control Found nothing

Panda Antivirus Found nothing

Rising Antivirus Found nothing

Sophos Antivirus Found nothing

VirusBuster Found nothing

VBA32 Found nothing

 

4vmxdpmgs.exe (note I manually deleted this file earlier)

 

The file you uploaded is 0 bytes. It is very likely a firewall or a piece of malware is prohibiting you from uploading this file


It keeps telling me that Look2Me is not found. I tried actually going to the website and downloading the zip too, but it did not work either.

 

I don't know if that means that the Look2Me virus is not on my computer, or if the program doesn't work right, but here is my HJT log anyway.

 

Logfile of Trend Micro HijackThis v2.0.2

Scan saved at 12:32 AM, on 12/09/2007

Platform: Windows 2003 SP2 (WinNT 5.02.3790)

MSIE: Internet Explorer v7.00 (7.00.6000.16544)

Boot mode: Normal

 

Running processes:

C:\Program Files (x86)\Lavasoft\Ad-Aware 2007\aawservice.exe

C:\Program Files (x86)\FSI\F-Prot\fpavupdm.exe

C:\WINDOWS\SysWOW64\PnkBstrA.exe

C:\WINDOWS\SysWOW64\wwSecure.exe

C:\Program Files (x86)\NVIDIA Corporation\NvMixer\NVMixerTray.exe

C:\Program Files (x86)\AIM6\aim6.exe

C:\Program Files (x86)\Webroot\Washer\wwDisp.exe

C:\Program Files (x86)\Trend Micro\HijackThis\HijackThis.exe

C:\Program Files (x86)\Adobe\Acrobat 7.0\Reader\reader_sl.exe

C:\WINDOWS\SysWOW64\ctfmon.exe

C:\Program Files (x86)\FSI\F-Prot\F-Sched.exe

C:\Program Files (x86)\Common Files\Real\Update_OB\realsched.exe

C:\Program Files (x86)\iTunes\iTunesHelper.exe

C:\Program Files (x86)\ATI\CatalystRegistration\dolce.exe

C:\Program Files (x86)\Java\jre1.6.0_03\bin\jusched.exe

C:\Program Files (x86)\iPod\bin\iPodService.exe

C:\Program Files (x86)\AIM6\aolsoftware.exe

 

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157

O1 - Hosts: be placed in the first column followed by the corresponding host name.

O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files (x86)\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll

O2 - BHO: (no name) - {10F02D85-BCB8-4AD4-BCA8-CBBA548FC64B} - C:\WINDOWS\SysWow64\dpvacmv.dll

O2 - BHO: (no name) - {293D6DCB-E93F-42F9-BB5B-A11EF759210C} - C:\WINDOWS\SysWow64\dpvacmv.dll

O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~2\SPYBOT~1\SDHelper.dll

O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files (x86)\Java\jre1.6.0_03\bin\ssv.dll

O2 - BHO: (no name) - {7BCD843D-31F6-493D-BDA9-BDC6F721542C} - C:\WINDOWS\SysWow64\dpvacmv.dll

O4 - HKLM\..\Run: [FRISK FP-Scheduler] "C:\Program Files (x86)\FSI\F-Prot\F-Sched.exe" STARTUP

O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files (x86)\Common Files\Real\Update_OB\realsched.exe" -osboot

O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files (x86)\iTunes\iTunesHelper.exe"

O4 - HKLM\..\Run: [startCCC] "C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe"

O4 - HKLM\..\Run: [CatalystRegistration] "C:\Program Files (x86)\ATI\CatalystRegistration\dolce.exe"

O4 - HKLM\..\Run: [sunJavaUpdateSched] "C:\Program Files (x86)\Java\jre1.6.0_03\bin\jusched.exe"

O4 - HKCU\..\Run: [Aim6] "C:\Program Files (x86)\AIM6\aim6.exe" /d locale=en-US ee://aol/imApp

O4 - HKCU\..\Run: [Window Washer] C:\Program Files (x86)\Webroot\Washer\wwDisp.exe

O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe

O4 - HKCU\..\Run: [HijackThis startup scan] C:\Program Files (x86)\Trend Micro\HijackThis\HijackThis.exe /startupscan

O4 - HKCU\..\Policies\Explorer\Run: [udhrat] C:\WINDOWS\system32\udhrat.exe

O4 - HKUS\S-1-5-19\..\RunOnce: [tscuninstall] %systemroot%\system32\tscupgrd.exe (User 'LOCAL SERVICE')

O4 - HKUS\S-1-5-20\..\RunOnce: [tscuninstall] %systemroot%\system32\tscupgrd.exe (User 'NETWORK SERVICE')

O4 - HKUS\S-1-5-18\..\Run: [kffo] C:\PROGRA~2\COMMON~1\kffo\kffom.exe (User 'SYSTEM')

O4 - HKUS\S-1-5-18\..\RunOnce: [tscuninstall] %systemroot%\system32\tscupgrd.exe (User 'SYSTEM')

O4 - HKUS\.DEFAULT\..\Run: [kffo] C:\PROGRA~2\COMMON~1\kffo\kffom.exe (User 'Default user')

O4 - HKUS\.DEFAULT\..\RunOnce: [tscuninstall] %systemroot%\system32\tscupgrd.exe (User 'Default user')

O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files (x86)\Adobe\Acrobat 7.0\Reader\reader_sl.exe

O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~2\MICROS~2\OFFICE11\EXCEL.EXE/3000

O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files (x86)\Java\jre1.6.0_03\bin\ssv.dll

O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files (x86)\Java\jre1.6.0_03\bin\ssv.dll

O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~2\MICROS~2\OFFICE11\REFIEBAR.DLL

O15 - ESC Trusted Zone: http://runonce.msn.com

O16 - DPF: {0B79F48A-E8D6-11DB-9283-E25056D89593} (F-Secure Online Scanner 3.1) - http://support.f-secure.com/ols/fscax.cab

O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004061...all/xscan53.cab

O16 - DPF: {CE74A05D-ED12-473A-97F8-85FB0E2F479F} (dlControl.UserControl1) - http://www.livemetallica.com/nugster/dlControl.CAB

O16 - DPF: {E8F628B5-259A-4734-97EE-BA914D7BE941} (Driver Agent ActiveX Control) - http://driveragent.com/files/driveragent.cab

O20 - Winlogon Notify: Themes - C:\WINDOWS\system32\camaddin.dll (file missing)

O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:\Program Files (x86)\Lavasoft\Ad-Aware 2007\aawservice.exe

O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\system32\Ati2evxx.exe (file missing)

O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2saag.exe

O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - Unknown owner - C:\WINDOWS\System32\dmadmin.exe (file missing)

O23 - Service: Event Log (Eventlog) - Unknown owner - C:\WINDOWS\system32\services.exe (file missing)

O23 - Service: F-Prot Antivirus Update Monitor - FRISK Software - C:\Program Files (x86)\FSI\F-Prot\fpavupdm.exe

O23 - Service: HTTP SSL (HTTPFilter) - Unknown owner - C:\WINDOWS\System32\lsass.exe (file missing)

O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files (x86)\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe

O23 - Service: IMAPI CD-Burning COM Service (ImapiService) - Unknown owner - C:\WINDOWS\system32\imapi.exe (file missing)

O23 - Service: iPod Service - Apple Inc. - C:\Program Files (x86)\iPod\bin\iPodService.exe

O23 - Service: Distributed Transaction Coordinator (MSDTC) - Unknown owner - C:\WINDOWS\system32\msdtc.exe (file missing)

O23 - Service: Net Logon (Netlogon) - Unknown owner - C:\WINDOWS\system32\lsass.exe (file missing)

O23 - Service: NT LM Security Support Provider (NtLmSsp) - Unknown owner - C:\WINDOWS\system32\lsass.exe (file missing)

O23 - Service: Plug and Play (PlugPlay) - Unknown owner - C:\WINDOWS\system32\services.exe (file missing)

O23 - Service: PnkBstrA - Unknown owner - C:\WINDOWS\system32\PnkBstrA.exe

O23 - Service: IPSEC Services (PolicyAgent) - Unknown owner - C:\WINDOWS\system32\lsass.exe (file missing)

O23 - Service: Protected Storage (ProtectedStorage) - Unknown owner - C:\WINDOWS\system32\lsass.exe (file missing)

O23 - Service: Remote Desktop Help Session Manager (RDSessMgr) - Unknown owner - C:\WINDOWS\system32\sessmgr.exe (file missing)

O23 - Service: Security Accounts Manager (SamSs) - Unknown owner - C:\WINDOWS\system32\lsass.exe (file missing)

O23 - Service: Virtual Disk Service (vds) - Unknown owner - C:\WINDOWS\System32\vds.exe (file missing)

O23 - Service: Volume Shadow Copy (VSS) - Unknown owner - C:\WINDOWS\System32\vssvc.exe (file missing)

O23 - Service: WMI Performance Adapter (WmiApSrv) - Unknown owner - C:\WINDOWS\system32\wbem\wmiapsrv.exe (file missing)

O23 - Service: Washer AutoComplete (wwSecSvc) - Webroot Software, Inc. - C:\WINDOWS\system32\wwSecure.exe

 

--

End of file - 7790 bytes

Edited by Ultrad321


Hey, Ultrad321

 

Sorry about the delay, my wireless has gone nuts today.

 

Now download The Avenger by Swandog46, and save it to your Desktop.

 

Don't run it just yet!

 

=========================

 

Open Notepad and copy and paste the following quotebox into a new text document. (Don't forget to copy and paste REGEDIT4!)

(Do not copy the word "quote".)

 

REGEDIT4

 

[-HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{10F02D85-BCB8-4AD4-BCA8-CBBA548FC64B}]

[-HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{293D6DCB-E93F-42F9-BB5B-A11EF759210C}]

[-HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{7BCD843D-31F6-493D-BDA9-BDC6F721542C}]

 

Save this as fix.reg. Choose to save as "All Files" and place it on your Desktop.

It should look like this:

Double-click on it and when it asks you if you want to merge the contents to the registry, click Yes/OK.

 

=======================

 

Now run

 

Extract avenger.exe from the Zip file and save it to your desktop

Run avenger.exe by double-clicking on it.

Check the 'Input script manually' box.

Click on the magnifying glass icon.

Copy everything in the Quote box below, and paste it in the box that opens:

 

Files to delete:

C:\WINDOWS\SysWow64\dpvacmv.dll

C:\WINDOWS\system32\udhrat.exe

C:\WINDOWS\system32\nljazrum.dat

C:\WINDOWS\system32\drivers\ylcgcuoq.dat

C:\WINDOWS\system32\audiosrva.dll

C:\WINDOWS\SysWOW64\4vmxdpmgs.exe

C:\WINDOWS\system32\camaddin.dll

 

Now click the 'Done' button.

Click on the traffic light icon and OK the prompt.

You will be prompted to restart, OK the prompt and your PC should reboot, if not, reboot it yourself.

A log file from Avenger will be produced at C:\avenger.txt

 

===========================

 

Please make sure to do a reboot, then come back here with the Avenger.txt and a new HijackThis log.

 

Gogo ;)

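As an added example (not code from this thread, from HijackThis or from The Avenger), here is a small Python triage script for the HijackThis log format shown in the posts above: it parses the O2 (BHO) and O4 (autorun) lines, lists BHO registrations whose DLL is already gone, flags autorun entries a defender would check first, and writes a REGEDIT4 script in the same [-key] format as the fix.reg posted above. The sample lines are constructed from the logs in this thread, and the Wow6432Node option is an assumption about WOW64 registry redirection for 32-bit tools on 64-bit Windows.

```python
"""Triage helper for HijackThis-style log lines, written as an added example
for this thread; it is not part of HijackThis, The Avenger, or the fix.reg
the helper posted.  It pulls O2 (BHO) and O4 (autorun) entries out of a log,
flags the ones a defender checks first, and emits a REGEDIT4 script in the
same [-key] format as the posted fix.reg for orphaned BHO registrations."""
import re

# Constructed sample: lines modelled on the HijackThis logs posted in this thread.
SAMPLE_LOG = r"""
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files (x86)\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {10F02D85-BCB8-4AD4-BCA8-CBBA548FC64B} - C:\WINDOWS\SysWow64\dpvacmv.dll (file missing)
O2 - BHO: (no name) - {293D6DCB-E93F-42F9-BB5B-A11EF759210C} - C:\WINDOWS\SysWow64\dpvacmv.dll (file missing)
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~2\SPYBOT~1\SDHelper.dll
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files (x86)\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [ksrilaxa] C:\ctjekswn.bat
O4 - HKCU\..\Policies\Explorer\Run: [udhrat] C:\WINDOWS\system32\udhrat.exe
O4 - HKUS\S-1-5-18\..\Run: [kffo] C:\PROGRA~2\COMMON~1\kffo\kffom.exe (User 'SYSTEM')
"""

# "O2 - BHO: <name> - {CLSID} - <dll path>[ (file missing)]"
BHO_RE = re.compile(
    r"^O2 - BHO: (?P<name>.*?) - (?P<clsid>\{[0-9A-Fa-f-]{36}\}) - "
    r"(?P<path>.*?)(?P<missing> \(file missing\))?$"
)
# "O4 - <hive\key>: [<value name>] <command>[ (User '...')]"
RUN_RE = re.compile(r"^O4 - (?P<key>HK\S*?): \[(?P<value>[^\]]+)\] (?P<cmd>.*)$")
# First executable path in a command line, quoted or not.
EXE_RE = re.compile(
    r'^"?(?P<exe>(?:[A-Za-z]:|%\w+%)\\.*?\.(?:exe|bat|cmd|com|scr|pif|vbs|dll))',
    re.IGNORECASE,
)

# Registry location of IE BHO registrations (the path used in the posted fix.reg)
# and its WOW64 twin, where 32-bit IE and 32-bit tools actually read/write on x64
# (assumption about WOW64 redirection, not something the thread states).
BHO_KEY = (r"HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion"
           r"\Explorer\Browser Helper Objects")
BHO_KEY_WOW64 = (r"HKEY_LOCAL_MACHINE\Software\Wow6432Node\Microsoft\Windows"
                 r"\CurrentVersion\Explorer\Browser Helper Objects")


def parse_bhos(log_text):
    """Return one dict per O2 line: name, clsid, path and a missing flag."""
    bhos = []
    for line in log_text.splitlines():
        m = BHO_RE.match(line.strip())
        if m:
            bhos.append({
                "name": m.group("name"),
                "clsid": m.group("clsid").upper(),
                "path": m.group("path"),
                "missing": m.group("missing") is not None,
            })
    return bhos


def find_orphaned_bhos(log_text):
    """CLSIDs of BHOs whose DLL is gone: the registration outlived the file,
    which is what a log shows once the DLL has been deleted by hand."""
    return [b["clsid"] for b in parse_bhos(log_text) if b["missing"]]


def build_reg_fix(clsids, include_wow6432node=False):
    """Build a REGEDIT4 script: each [-key] line deletes that key on merge.
    A 32-bit tool on 64-bit Windows sees HKLM\\Software through the WOW64
    redirector, so the keys it reports live under Wow6432Node; 64-bit regedit
    does not redirect, hence the option to emit both paths."""
    lines = ["REGEDIT4", ""]
    for clsid in clsids:
        lines.append(f"[-{BHO_KEY}\\{clsid}]")
        if include_wow6432node:
            lines.append(f"[-{BHO_KEY_WOW64}\\{clsid}]")
    # .reg files use CRLF line endings; save as ANSI for the REGEDIT4 header.
    return "\r\n".join(lines) + "\r\n"


def suspicious_autoruns(log_text):
    """O4 entries worth a second look: a target sitting directly in a drive
    root, or a Policies\\Explorer\\Run value, which ordinary installers
    almost never use.  Returns (value name, target, reason) tuples."""
    hits = []
    for line in log_text.splitlines():
        m = RUN_RE.match(line.strip())
        if not m:
            continue
        key, value, cmd = m.group("key"), m.group("value"), m.group("cmd")
        exe_m = EXE_RE.match(cmd)
        target = exe_m.group("exe") if exe_m else cmd
        reasons = []
        if re.fullmatch(r"[A-Za-z]:\\[^\\]+", target):
            reasons.append("target in drive root")
        if "policies\\explorer\\run" in key.lower():
            reasons.append("Policies\\Explorer\\Run autorun")
        if reasons:
            hits.append((value, target, "; ".join(reasons)))
    return hits


if __name__ == "__main__":
    print(build_reg_fix(find_orphaned_bhos(SAMPLE_LOG), include_wow6432node=True))
    for value, target, why in suspicious_autoruns(SAMPLE_LOG):
        print(f"[{value}] {target}: {why}")
```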

OK, here's what's happening. Because of my 64-bit system I have to run Avenger in compatibility mode in the first place. Even so, everything goes normally until after it boots back up, when in the black DOS program operation box it says a whole bunch of stuff about not having the right files, etc. It goes away after a few seconds and the log file is blank.

 

And the offending items still show up on HJT.

 

Do you know why my Avenger is messing up? Is HJT capable of fixing these?

 

New HJT log just for the hell of it. Something new is on there too, I think: O4 - HKLM\..\Run: [ksrilaxa] C:\ctjekswn.bat. I don't recognize this one; it might be suspicious.

 

 

 

 

Logfile of Trend Micro HijackThis v2.0.2

Scan saved at 04:28 AM, on 12/09/2007

Platform: Windows 2003 SP2 (WinNT 5.02.3790)

MSIE: Internet Explorer v7.00 (7.00.6000.16544)

Boot mode: Normal

 

Running processes:

C:\Program Files (x86)\Lavasoft\Ad-Aware 2007\aawservice.exe

C:\Program Files (x86)\FSI\F-Prot\fpavupdm.exe

C:\WINDOWS\SysWOW64\PnkBstrA.exe

C:\WINDOWS\SysWOW64\wwSecure.exe

C:\Program Files (x86)\NVIDIA Corporation\NvMixer\NVMixerTray.exe

C:\Program Files (x86)\Webroot\Washer\wwDisp.exe

C:\Program Files (x86)\Trend Micro\HijackThis\HijackThis.exe

C:\WINDOWS\SysWOW64\ctfmon.exe

C:\Program Files (x86)\Adobe\Acrobat 7.0\Reader\reader_sl.exe

C:\Program Files (x86)\FSI\F-Prot\F-Sched.exe

C:\Program Files (x86)\Common Files\Real\Update_OB\realsched.exe

C:\Program Files (x86)\iTunes\iTunesHelper.exe

C:\Program Files (x86)\Java\jre1.6.0_03\bin\jusched.exe

C:\Program Files (x86)\iPod\bin\iPodService.exe

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE

 

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157

O1 - Hosts: be placed in the first column followed by the corresponding host name.

O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files (x86)\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll

O2 - BHO: (no name) - {10F02D85-BCB8-4AD4-BCA8-CBBA548FC64B} - C:\WINDOWS\SysWow64\dpvacmv.dll

O2 - BHO: (no name) - {293D6DCB-E93F-42F9-BB5B-A11EF759210C} - C:\WINDOWS\SysWow64\dpvacmv.dll

O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~2\SPYBOT~1\SDHelper.dll

O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files (x86)\Java\jre1.6.0_03\bin\ssv.dll

O2 - BHO: (no name) - {7BCD843D-31F6-493D-BDA9-BDC6F721542C} - C:\WINDOWS\SysWow64\dpvacmv.dll

O4 - HKLM\..\Run: [FRISK FP-Scheduler] "C:\Program Files (x86)\FSI\F-Prot\F-Sched.exe" STARTUP

O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files (x86)\Common Files\Real\Update_OB\realsched.exe" -osboot

O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files (x86)\iTunes\iTunesHelper.exe"

O4 - HKLM\..\Run: [startCCC] "C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe"

O4 - HKLM\..\Run: [CatalystRegistration] "C:\Program Files (x86)\ATI\CatalystRegistration\dolce.exe"

O4 - HKLM\..\Run: [sunJavaUpdateSched] "C:\Program Files (x86)\Java\jre1.6.0_03\bin\jusched.exe"

O4 - HKLM\..\Run: [ksrilaxa] C:\ctjekswn.bat

O4 - HKCU\..\Run: [Window Washer] C:\Program Files (x86)\Webroot\Washer\wwDisp.exe

O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe

O4 - HKCU\..\Run: [HijackThis startup scan] C:\Program Files (x86)\Trend Micro\HijackThis\HijackThis.exe /startupscan

O4 - HKCU\..\Policies\Explorer\Run: [udhrat] C:\WINDOWS\system32\udhrat.exe

O4 - HKUS\S-1-5-19\..\RunOnce: [tscuninstall] %systemroot%\system32\tscupgrd.exe (User 'LOCAL SERVICE')

O4 - HKUS\S-1-5-20\..\RunOnce: [tscuninstall] %systemroot%\system32\tscupgrd.exe (User 'NETWORK SERVICE')

O4 - HKUS\S-1-5-18\..\Run: [kffo] C:\PROGRA~2\COMMON~1\kffo\kffom.exe (User 'SYSTEM')

O4 - HKUS\S-1-5-18\..\RunOnce: [tscuninstall] %systemroot%\system32\tscupgrd.exe (User 'SYSTEM')

O4 - HKUS\.DEFAULT\..\Run: [kffo] C:\PROGRA~2\COMMON~1\kffo\kffom.exe (User 'Default user')

O4 - HKUS\.DEFAULT\..\RunOnce: [tscuninstall] %systemroot%\system32\tscupgrd.exe (User 'Default user')

O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files (x86)\Adobe\Acrobat 7.0\Reader\reader_sl.exe

O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~2\MICROS~2\OFFICE11\EXCEL.EXE/3000

O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files (x86)\Java\jre1.6.0_03\bin\ssv.dll

O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files (x86)\Java\jre1.6.0_03\bin\ssv.dll

O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~2\MICROS~2\OFFICE11\REFIEBAR.DLL

O15 - ESC Trusted Zone: http://runonce.msn.com

O16 - DPF: {0B79F48A-E8D6-11DB-9283-E25056D89593} (F-Secure Online Scanner 3.1) - http://support.f-secure.com/ols/fscax.cab

O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004061...all/xscan53.cab

O16 - DPF: {CE74A05D-ED12-473A-97F8-85FB0E2F479F} (dlControl.UserControl1) - http://www.livemetallica.com/nugster/dlControl.CAB

O16 - DPF: {E8F628B5-259A-4734-97EE-BA914D7BE941} (Driver Agent ActiveX Control) - http://driveragent.com/files/driveragent.cab

O20 - Winlogon Notify: Themes - C:\WINDOWS\system32\camaddin.dll (file missing)

O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:\Program Files (x86)\Lavasoft\Ad-Aware 2007\aawservice.exe

O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\system32\Ati2evxx.exe (file missing)

O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2saag.exe

O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - Unknown owner - C:\WINDOWS\System32\dmadmin.exe (file missing)

O23 - Service: Event Log (Eventlog) - Unknown owner - C:\WINDOWS\system32\services.exe (file missing)

O23 - Service: F-Prot Antivirus Update Monitor - FRISK Software - C:\Program Files (x86)\FSI\F-Prot\fpavupdm.exe

O23 - Service: HTTP SSL (HTTPFilter) - Unknown owner - C:\WINDOWS\System32\lsass.exe (file missing)

O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files (x86)\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe

O23 - Service: IMAPI CD-Burning COM Service (ImapiService) - Unknown owner - C:\WINDOWS\system32\imapi.exe (file missing)

O23 - Service: iPod Service - Apple Inc. - C:\Program Files (x86)\iPod\bin\iPodService.exe

O23 - Service: Distributed Transaction Coordinator (MSDTC) - Unknown owner - C:\WINDOWS\system32\msdtc.exe (file missing)

O23 - Service: Net Logon (Netlogon) - Unknown owner - C:\WINDOWS\system32\lsass.exe (file missing)

O23 - Service: NT LM Security Support Provider (NtLmSsp) - Unknown owner - C:\WINDOWS\system32\lsass.exe (file missing)

O23 - Service: Plug and Play (PlugPlay) - Unknown owner - C:\WINDOWS\system32\services.exe (file missing)

O23 - Service: PnkBstrA - Unknown owner - C:\WINDOWS\system32\PnkBstrA.exe

O23 - Service: IPSEC Services (PolicyAgent) - Unknown owner - C:\WINDOWS\system32\lsass.exe (file missing)

O23 - Service: Protected Storage (ProtectedStorage) - Unknown owner - C:\WINDOWS\system32\lsass.exe (file missing)

O23 - Service: Remote Desktop Help Session Manager (RDSessMgr) - Unknown owner - C:\WINDOWS\system32\sessmgr.exe (file missing)

O23 - Service: Security Accounts Manager (SamSs) - Unknown owner - C:\WINDOWS\system32\lsass.exe (file missing)

O23 - Service: Virtual Disk Service (vds) - Unknown owner - C:\WINDOWS\System32\vds.exe (file missing)

O23 - Service: Volume Shadow Copy (VSS) - Unknown owner - C:\WINDOWS\System32\vssvc.exe (file missing)

O23 - Service: WMI Performance Adapter (WmiApSrv) - Unknown owner - C:\WINDOWS\system32\wbem\wmiapsrv.exe (file missing)

O23 - Service: Washer AutoComplete (wwSecSvc) - Webroot Software, Inc. - C:\WINDOWS\system32\wwSecure.exe

 

--

End of file - 7653 bytes

Edited by Ultrad321


Hey, Ultrad321

 

Sorry, I keep thinking you're on XP! Not sure it may work on 2003; let's see if we can get them this way.

 

1. Close all programs so that you are at your desktop.

2. Double-click on the My Computer icon.

3. Select the Tools menu and click Folder Options.

4. After the new window appears select the View tab.

5. Put a checkmark in the checkbox labeled Display the contents of system folders.

6. Under the Hidden files and folders section select the radio button labeled Show hidden files and folders.

7. Remove the checkmark from the checkbox labeled Hide file extensions for known file types.

8. Remove the checkmark from the checkbox labeled Hide protected operating system files.

9. Press the Apply button and then the OK button and shutdown My Computer.

10. Now your computer is configured to show all hidden files.

 

===================================

 

Reboot into safe mode. To do so, restart your computer and as soon as it starts booting up again continuously tap F8. A menu should come up where you will be given the option to enter Safe Mode.

 

===================================

 

Using Windows Explorer (to get there right-click your Start button and go to "Explore"), please delete these FILES (if present):

C:\WINDOWS\SysWow64\dpvacmv.dll<---This file

C:\WINDOWS\system32\udhrat.exe<---This file

C:\WINDOWS\system32\nljazrum.dat<---This file

C:\WINDOWS\system32\drivers\ylcgcuoq.dat<---This file

C:\WINDOWS\system32\audiosrva.dll<---This file

C:\WINDOWS\SysWOW64\4vmxdpmgs.exe<---This file

C:\WINDOWS\system32\camaddin.dll<---This file

 

===================================

 

NOTE: As for the last file found, let it be for now. Let's find out what it is first.

 

After doing the above, reboot and tell me how it goes. Show me a new HijackThis logfile.

 

Gogo ;)


One thing is that (before the deleting of these files; I haven't had any yet) I have noticed the popups returning: every once in a while the warning triangle would come up with "SCAN YOUR SYSTEM--NOW!", etc., and I would click it to make it go away.

 

Here is how it went:

 

C:\WINDOWS\SysWow64\dpvacmv.dll<---This file* (deleted)

C:\WINDOWS\system32\udhrat.exe<---This file* (not present)

C:\WINDOWS\system32\nljazrum.dat<---This file* (deleted)

C:\WINDOWS\system32\audiosrva.dll<---This file* (deleted)

C:\WINDOWS\SysWOW64\4vmxdpmgs.exe<---This file* (not present)

C:\WINDOWS\system32\camaddin.dll<---This file* (not present)

 

All good, 3 files deleted, 3 not present (two of which I had deleted earlier, udhrat and 4vmx), except that C:\WINDOWS\SysWOW64\Drivers\ylcgcuoq.dat<---Windows said that this file is in use (because it is not checked read only, it is not write protected) and won't let me delete it. I tried using HijackThis' delete on reboot feature but it did not work. Also, now that I have its actual location I tried to scan it at Jotti's, but it is being blocked. I know it is not 0 bytes because it is 19 KB. It is somehow blocking its own scan and deletion.

 

Don't want to count my chickens before they hatch, but after deleting those files I have not been redirected in my searches (knock on wood * * *). The internet still seems sluggish, but that probably is just ylcgcuoq and/or that new file from before.

 

Here is my HJT log:

 

Logfile of Trend Micro HijackThis v2.0.2

Scan saved at 01:43 PM, on 12/09/2007

Platform: Windows 2003 SP2 (WinNT 5.02.3790)

MSIE: Internet Explorer v7.00 (7.00.6000.16544)

Boot mode: Normal

 

Running processes:

C:\Program Files (x86)\Lavasoft\Ad-Aware 2007\aawservice.exe

C:\Program Files (x86)\FSI\F-Prot\fpavupdm.exe

C:\WINDOWS\SysWOW64\PnkBstrA.exe

C:\WINDOWS\SysWOW64\wwSecure.exe

C:\Program Files (x86)\NVIDIA Corporation\NvMixer\NVMixerTray.exe

C:\Program Files (x86)\Webroot\Washer\wwDisp.exe

C:\Program Files (x86)\Trend Micro\HijackThis\HijackThis.exe

C:\Program Files (x86)\Adobe\Acrobat 7.0\Reader\reader_sl.exe

C:\WINDOWS\SysWOW64\ctfmon.exe

C:\Program Files (x86)\FSI\F-Prot\F-Sched.exe

C:\Program Files (x86)\Common Files\Real\Update_OB\realsched.exe

C:\Program Files (x86)\iTunes\iTunesHelper.exe

C:\Program Files (x86)\Java\jre1.6.0_03\bin\jusched.exe

C:\Program Files (x86)\iPod\bin\iPodService.exe

 

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157

O1 - Hosts: be placed in the first column followed by the corresponding host name.

O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files (x86)\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll

O2 - BHO: (no name) - {10F02D85-BCB8-4AD4-BCA8-CBBA548FC64B} - C:\WINDOWS\SysWow64\dpvacmv.dll (file missing)

O2 - BHO: (no name) - {293D6DCB-E93F-42F9-BB5B-A11EF759210C} - C:\WINDOWS\SysWow64\dpvacmv.dll (file missing)

O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~2\SPYBOT~1\SDHelper.dll

O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files (x86)\Java\jre1.6.0_03\bin\ssv.dll

O2 - BHO: (no name) - {7BCD843D-31F6-493D-BDA9-BDC6F721542C} - C:\WINDOWS\SysWow64\dpvacmv.dll (file missing)

O4 - HKLM\..\Run: [FRISK FP-Scheduler] "C:\Program Files (x86)\FSI\F-Prot\F-Sched.exe" STARTUP

O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files (x86)\Common Files\Real\Update_OB\realsched.exe" -osboot

O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files (x86)\iTunes\iTunesHelper.exe"

O4 - HKLM\..\Run: [startCCC] "C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe"

O4 - HKLM\..\Run: [CatalystRegistration] "C:\Program Files (x86)\ATI\CatalystRegistration\dolce.exe"

O4 - HKLM\..\Run: [sunJavaUpdateSched] "C:\Program Files (x86)\Java\jre1.6.0_03\bin\jusched.exe"

O4 - HKCU\..\Run: [Window Washer] C:\Program Files (x86)\Webroot\Washer\wwDisp.exe

O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe

O4 - HKCU\..\Run: [HijackThis startup scan] C:\Program Files (x86)\Trend Micro\HijackThis\HijackThis.exe /startupscan

O4 - HKCU\..\Policies\Explorer\Run: [udhrat] C:\WINDOWS\system32\udhrat.exe

O4 - HKUS\S-1-5-19\..\RunOnce: [tscuninstall] %systemroot%\system32\tscupgrd.exe (User 'LOCAL SERVICE')

O4 - HKUS\S-1-5-20\..\RunOnce: [tscuninstall] %systemroot%\system32\tscupgrd.exe (User 'NETWORK SERVICE')

O4 - HKUS\S-1-5-18\..\Run: [kffo] C:\PROGRA~2\COMMON~1\kffo\kffom.exe (User 'SYSTEM')

O4 - HKUS\S-1-5-18\..\RunOnce: [tscuninstall] %systemroot%\system32\tscupgrd.exe (User 'SYSTEM')

O4 - HKUS\.DEFAULT\..\Run: [kffo] C:\PROGRA~2\COMMON~1\kffo\kffom.exe (User 'Default user')

O4 - HKUS\.DEFAULT\..\RunOnce: [tscuninstall] %systemroot%\system32\tscupgrd.exe (User 'Default user')

O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files (x86)\Adobe\Acrobat 7.0\Reader\reader_sl.exe

O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~2\MICROS~2\OFFICE11\EXCEL.EXE/3000

O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files (x86)\Java\jre1.6.0_03\bin\ssv.dll

O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files (x86)\Java\jre1.6.0_03\bin\ssv.dll

O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~2\MICROS~2\OFFICE11\REFIEBAR.DLL

O15 - ESC Trusted Zone: http://runonce.msn.com

O16 - DPF: {0B79F48A-E8D6-11DB-9283-E25056D89593} (F-Secure Online Scanner 3.1) - http://support.f-secure.com/ols/fscax.cab

O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004061...all/xscan53.cab

O16 - DPF: {CE74A05D-ED12-473A-97F8-85FB0E2F479F} (dlControl.UserControl1) - http://www.livemetallica.com/nugster/dlControl.CAB

O16 - DPF: {E8F628B5-259A-4734-97EE-BA914D7BE941} (Driver Agent ActiveX Control) - http://driveragent.com/files/driveragent.cab

O20 - Winlogon Notify: Themes - C:\WINDOWS\system32\camaddin.dll (file missing)

O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:\Program Files (x86)\Lavasoft\Ad-Aware 2007\aawservice.exe

O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\system32\Ati2evxx.exe (file missing)

O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2saag.exe

O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - Unknown owner - C:\WINDOWS\System32\dmadmin.exe (file missing)

O23 - Service: Event Log (Eventlog) - Unknown owner - C:\WINDOWS\system32\services.exe (file missing)

O23 - Service: F-Prot Antivirus Update Monitor - FRISK Software - C:\Program Files (x86)\FSI\F-Prot\fpavupdm.exe

O23 - Service: HTTP SSL (HTTPFilter) - Unknown owner - C:\WINDOWS\System32\lsass.exe (file missing)

O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files (x86)\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe

O23 - Service: IMAPI CD-Burning COM Service (ImapiService) - Unknown owner - C:\WINDOWS\system32\imapi.exe (file missing)

O23 - Service: iPod Service - Apple Inc. - C:\Program Files (x86)\iPod\bin\iPodService.exe

O23 - Service: Distributed Transaction Coordinator (MSDTC) - Unknown owner - C:\WINDOWS\system32\msdtc.exe (file missing)

O23 - Service: Net Logon (Netlogon) - Unknown owner - C:\WINDOWS\system32\lsass.exe (file missing)

O23 - Service: NT LM Security Support Provider (NtLmSsp) - Unknown owner - C:\WINDOWS\system32\lsass.exe (file missing)

O23 - Service: Plug and Play (PlugPlay) - Unknown owner - C:\WINDOWS\system32\services.exe (file missing)

O23 - Service: PnkBstrA - Unknown owner - C:\WINDOWS\system32\PnkBstrA.exe

O23 - Service: IPSEC Services (PolicyAgent) - Unknown owner - C:\WINDOWS\system32\lsass.exe (file missing)

O23 - Service: Protected Storage (ProtectedStorage) - Unknown owner - C:\WINDOWS\system32\lsass.exe (file missing)

O23 - Service: Remote Desktop Help Session Manager (RDSessMgr) - Unknown owner - C:\WINDOWS\system32\sessmgr.exe (file missing)

O23 - Service: Security Accounts Manager (SamSs) - Unknown owner - C:\WINDOWS\system32\lsass.exe (file missing)

O23 - Service: Virtual Disk Service (vds) - Unknown owner - C:\WINDOWS\System32\vds.exe (file missing)

O23 - Service: Volume Shadow Copy (VSS) - Unknown owner - C:\WINDOWS\System32\vssvc.exe (file missing)

O23 - Service: WMI Performance Adapter (WmiApSrv) - Unknown owner - C:\WINDOWS\system32\wbem\wmiapsrv.exe (file missing)

O23 - Service: Washer AutoComplete (wwSecSvc) - Webroot Software, Inc. - C:\WINDOWS\system32\wwSecure.exe

 

--

End of file - 7597 bytes


Hey, Ultrad321

 

Nice work. Not sure if this tool will work, but give it a try.

 

=======================

Please download OTMoveIt by OldTimer.

 

* Save it to your desktop.

 

Don't run it just yet!

 

=======================

Please re-open HiJackThis and scan. Check the boxes next to all the entries listed below.

 

O2 - BHO: (no name) - {10F02D85-BCB8-4AD4-BCA8-CBBA548FC64B} - C:\WINDOWS\SysWow64\dpvacmv.dll (file missing)

O2 - BHO: (no name) - {293D6DCB-E93F-42F9-BB5B-A11EF759210C} - C:\WINDOWS\SysWow64\dpvacmv.dll (file missing)

O2 - BHO: (no name) - {7BCD843D-31F6-493D-BDA9-BDC6F721542C} - C:\WINDOWS\SysWow64\dpvacmv.dll (file missing)

 

O4 - HKCU\..\Policies\Explorer\Run: [udhrat] C:\WINDOWS\system32\udhrat.exe

 

O20 - Winlogon Notify: Themes - C:\WINDOWS\system32\camaddin.dll (file missing)

 

Now close all windows and browsers, other than HiJackThis, then click Fix Checked.

 

Close Hijackthis.

 

===========================

 

Run the tool.

 

* Save it to your desktop.

* Please double-click OTMoveIt.exe to run it.

* Copy the file paths below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose copy):

 

C:\WINDOWS\system32\udhrat.exe

C:\WINDOWS\SysWOW64\Drivers\ylcgcuoq.dat

 

* Return to OTMoveIt, right-click on the "Paste List of Files/Folders to be moved" window and choose Paste.

* Click the red Moveit! button.

* Close OTMoveIt.

 

If a file or folder cannot be moved immediately, you may be asked to reboot the machine to finish the move process. If you are asked to reboot the machine, choose Yes.

 

Please "Copy" the results from the "Results" window (to the right) and then "Paste" them into your next reply on the forum.

 

=========================

 

Come back here with the results from OTMoveIt and a new HijackThis log.

 

Gogo :o

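The entries Gogo picks out above (a nameless BHO whose DLL is gone, an autorun under Policies\Explorer\Run, a Winlogon Notify package pointing at a missing DLL) are the structural signals a HijackThis reader looks for. As an added example, not code from this thread or from HijackThis itself, here is a small Python triage that encodes those signals and runs them over lines copied from the logs posted above. One caveat it builds in: a 32-bit HijackThis on 64-bit Windows reports core system32 binaries (lsass.exe, services.exe and friends) as "(file missing)" because WoW64 redirects its view of system32 to SysWOW64, which is why those O23 lines look that way in the logs here and must not be "fixed". The list of stock Winlogon Notify packages is assumed from memory and should be checked against a clean machine.

```python
import re

# Constructed sample: lines copied from the HijackThis logs posted in this thread,
# plus benign entries so the filter has something to leave alone.
SAMPLE_LOG = r"""
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files (x86)\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {10F02D85-BCB8-4AD4-BCA8-CBBA548FC64B} - C:\WINDOWS\SysWow64\dpvacmv.dll (file missing)
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files (x86)\iTunes\iTunesHelper.exe"
O4 - HKCU\..\Policies\Explorer\Run: [udhrat] C:\WINDOWS\system32\udhrat.exe
O4 - HKUS\S-1-5-18\..\Run: [kffo] C:\PROGRA~2\COMMON~1\kffo\kffom.exe (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\RunOnce: [tscuninstall] %systemroot%\system32\tscupgrd.exe (User 'SYSTEM')
O20 - Winlogon Notify: Themes - C:\WINDOWS\system32\camaddin.dll (file missing)
O23 - Service: Net Logon (Netlogon) - Unknown owner - C:\WINDOWS\system32\lsass.exe (file missing)
O23 - Service: PnkBstrA - Unknown owner - C:\WINDOWS\system32\PnkBstrA.exe
"""

# Core binaries a 32-bit HijackThis reports as "(file missing)" on 64-bit Windows:
# WoW64 redirects its view of system32 to SysWOW64, where the 64-bit files are not.
# Treat those as redirection noise rather than evidence of tampering.
WOW64_NOISE = {
    "lsass.exe", "services.exe", "svchost.exe", "dmadmin.exe", "imapi.exe",
    "msdtc.exe", "sessmgr.exe", "vds.exe", "vssvc.exe", "wmiapsrv.exe",
}

# Winlogon Notify packages shipped with XP/2003 (assumed from memory; compare
# against a clean machine before relying on it).
KNOWN_NOTIFY = {"crypt32chain", "cryptnet", "cscdll", "sccertprop", "schedule",
                "sclgntfy", "senslogn", "termsrv", "wlballoon"}

# Run keys under the SYSTEM and Default User hives (RunOnce deliberately excluded).
SYSTEM_HIVE_RUN = re.compile(r"HKUS\\(S-1-5-18|\.DEFAULT)\\\.\.\\Run:")


def image_name(line):
    """Lower-cased file name from the last ' - ' field, minus HJT's trailing notes."""
    tail = line.rsplit(" - ", 1)[-1]
    tail = re.sub(r"\s*\((file missing|User '[^']*')\)\s*$", "", tail)
    return tail.strip().strip('"').rsplit("\\", 1)[-1].lower()


def triage_line(line):
    """Return a reason string if the entry deserves attention, else None."""
    line = line.strip()
    if not line:
        return None
    sec = line.split(" - ", 1)[0]
    missing = "(file missing)" in line
    if sec == "O2" and ("(no name)" in line or missing):
        return "BHO with no name and/or missing DLL: orphaned or hidden browser helper"
    if sec == "O4" and "\\Policies\\Explorer\\Run" in line:
        return "autorun via Policies\\Explorer\\Run, a key legitimate installers rarely use"
    if sec == "O4" and SYSTEM_HIVE_RUN.search(line):
        return "autorun keyed to the SYSTEM / Default User profile, not to an interactive user"
    if sec == "O20":
        pkg = line.split("Winlogon Notify:", 1)[1].split(" - ", 1)[0].strip().lower()
        if missing or pkg not in KNOWN_NOTIFY:
            return "non-standard Winlogon Notify package (DLL loaded into winlogon.exe)"
    if sec == "O23" and missing and image_name(line) not in WOW64_NOISE:
        return "service binary missing from its registered path"
    return None


def triage(log_text):
    """Run every line through triage_line; return [(entry, reason), ...]."""
    findings = []
    for raw in log_text.splitlines():
        reason = triage_line(raw)
        if reason:
            findings.append((raw.strip(), reason))
    return findings


if __name__ == "__main__":
    for entry, reason in triage(SAMPLE_LOG):
        print(f"{reason}\n    {entry}")
```

On the sample it flags exactly the four entries Gogo asked to have fixed (dpvacmv.dll, udhrat.exe, kffom.exe and the Themes notify package) and leaves the Adobe, iTunes, tscuninstall, PnkBstrA and Netlogon lines alone. Random-looking file names are deliberately not a rule: ctfmon, lsass and imapi look just as random as kffo, so that heuristic produces more noise than signal.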

The first time I tried it, it restarted, and before loading my desktop I received a blue screen of death talking about the nvata64 driver and something messing up, talking about beginning a dump of physical memory; then I restarted and it loaded up fine, but with our friend ylcgcuoq.dat still infesting my machine. I am wary of trying it again.

 

Should I?

 

The HJT part worked fine, anyway (knock on wood): my searches are no longer being redirected, but I am still very suspicious of ylcgcuoq.dat due to its successful resistance to being deleted. That BSOD scared me; I hope this thing does not tear up my system as we try to remove it.

 

Here is the log:

 

Logfile of Trend Micro HijackThis v2.0.2

Scan saved at 04:37 PM, on 12/09/2007

Platform: Windows 2003 SP2 (WinNT 5.02.3790)

MSIE: Internet Explorer v7.00 (7.00.6000.16544)

Boot mode: Normal

 

Running processes:

C:\Program Files (x86)\Lavasoft\Ad-Aware 2007\aawservice.exe

C:\Program Files (x86)\FSI\F-Prot\fpavupdm.exe

C:\WINDOWS\SysWOW64\PnkBstrA.exe

C:\WINDOWS\SysWOW64\wwSecure.exe

C:\Program Files (x86)\NVIDIA Corporation\NvMixer\NVMixerTray.exe

C:\Program Files (x86)\Webroot\Washer\wwDisp.exe

C:\WINDOWS\SysWOW64\ctfmon.exe

C:\Program Files (x86)\FSI\F-Prot\F-Sched.exe

C:\Program Files (x86)\Common Files\Real\Update_OB\realsched.exe

C:\Program Files (x86)\iTunes\iTunesHelper.exe

C:\Program Files (x86)\Java\jre1.6.0_03\bin\jusched.exe

C:\Program Files (x86)\iPod\bin\iPodService.exe

C:\Documents and Settings\Administrator\Desktop\OTMoveIt.exe

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE

C:\Program Files (x86)\Trend Micro\HijackThis\HijackThis.exe

 

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157

O1 - Hosts: be placed in the first column followed by the corresponding host name.

O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files (x86)\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll

O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~2\SPYBOT~1\SDHelper.dll

O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files (x86)\Java\jre1.6.0_03\bin\ssv.dll

O4 - HKLM\..\Run: [FRISK FP-Scheduler] "C:\Program Files (x86)\FSI\F-Prot\F-Sched.exe" STARTUP

O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files (x86)\Common Files\Real\Update_OB\realsched.exe" -osboot

O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files (x86)\iTunes\iTunesHelper.exe"

O4 - HKLM\..\Run: [startCCC] "C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe"

O4 - HKLM\..\Run: [CatalystRegistration] "C:\Program Files (x86)\ATI\CatalystRegistration\dolce.exe"

O4 - HKLM\..\Run: [sunJavaUpdateSched] "C:\Program Files (x86)\Java\jre1.6.0_03\bin\jusched.exe"

O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files (x86)\QuickTime\qttask.exe" -atboottime

O4 - HKCU\..\Run: [Window Washer] C:\Program Files (x86)\Webroot\Washer\wwDisp.exe

O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe

O4 - HKCU\..\Run: [HijackThis startup scan] C:\Program Files (x86)\Trend Micro\HijackThis\HijackThis.exe /startupscan

O4 - HKUS\S-1-5-19\..\RunOnce: [tscuninstall] %systemroot%\system32\tscupgrd.exe (User 'LOCAL SERVICE')

O4 - HKUS\S-1-5-20\..\RunOnce: [tscuninstall] %systemroot%\system32\tscupgrd.exe (User 'NETWORK SERVICE')

O4 - HKUS\S-1-5-18\..\Run: [kffo] C:\PROGRA~2\COMMON~1\kffo\kffom.exe (User 'SYSTEM')

O4 - HKUS\S-1-5-18\..\RunOnce: [tscuninstall] %systemroot%\system32\tscupgrd.exe (User 'SYSTEM')

O4 - HKUS\.DEFAULT\..\Run: [kffo] C:\PROGRA~2\COMMON~1\kffo\kffom.exe (User 'Default user')

O4 - HKUS\.DEFAULT\..\RunOnce: [tscuninstall] %systemroot%\system32\tscupgrd.exe (User 'Default user')

O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files (x86)\Adobe\Acrobat 7.0\Reader\reader_sl.exe

O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~2\MICROS~2\OFFICE11\EXCEL.EXE/3000

O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files (x86)\Java\jre1.6.0_03\bin\ssv.dll

O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files (x86)\Java\jre1.6.0_03\bin\ssv.dll

O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~2\MICROS~2\OFFICE11\REFIEBAR.DLL

O15 - ESC Trusted Zone: http://runonce.msn.com

O16 - DPF: {0B79F48A-E8D6-11DB-9283-E25056D89593} (F-Secure Online Scanner 3.1) - http://support.f-secure.com/ols/fscax.cab

O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004061...all/xscan53.cab

O16 - DPF: {CE74A05D-ED12-473A-97F8-85FB0E2F479F} (dlControl.UserControl1) - http://www.livemetallica.com/nugster/dlControl.CAB

O16 - DPF: {E8F628B5-259A-4734-97EE-BA914D7BE941} (Driver Agent ActiveX Control) - http://driveragent.com/files/driveragent.cab

O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:\Program Files (x86)\Lavasoft\Ad-Aware 2007\aawservice.exe

O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\system32\Ati2evxx.exe (file missing)

O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2saag.exe

O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - Unknown owner - C:\WINDOWS\System32\dmadmin.exe (file missing)

O23 - Service: Event Log (Eventlog) - Unknown owner - C:\WINDOWS\system32\services.exe (file missing)

O23 - Service: F-Prot Antivirus Update Monitor - FRISK Software - C:\Program Files (x86)\FSI\F-Prot\fpavupdm.exe

O23 - Service: HTTP SSL (HTTPFilter) - Unknown owner - C:\WINDOWS\System32\lsass.exe (file missing)

O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files (x86)\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe

O23 - Service: IMAPI CD-Burning COM Service (ImapiService) - Unknown owner - C:\WINDOWS\system32\imapi.exe (file missing)

O23 - Service: iPod Service - Apple Inc. - C:\Program Files (x86)\iPod\bin\iPodService.exe

O23 - Service: Distributed Transaction Coordinator (MSDTC) - Unknown owner - C:\WINDOWS\system32\msdtc.exe (file missing)

O23 - Service: Net Logon (Netlogon) - Unknown owner - C:\WINDOWS\system32\lsass.exe (file missing)

O23 - Service: NT LM Security Support Provider (NtLmSsp) - Unknown owner - C:\WINDOWS\system32\lsass.exe (file missing)

O23 - Service: Plug and Play (PlugPlay) - Unknown owner - C:\WINDOWS\system32\services.exe (file missing)

O23 - Service: PnkBstrA - Unknown owner - C:\WINDOWS\system32\PnkBstrA.exe

O23 - Service: IPSEC Services (PolicyAgent) - Unknown owner - C:\WINDOWS\system32\lsass.exe (file missing)

O23 - Service: Protected Storage (ProtectedStorage) - Unknown owner - C:\WINDOWS\system32\lsass.exe (file missing)

O23 - Service: Remote Desktop Help Session Manager (RDSessMgr) - Unknown owner - C:\WINDOWS\system32\sessmgr.exe (file missing)

O23 - Service: Security Accounts Manager (SamSs) - Unknown owner - C:\WINDOWS\system32\lsass.exe (file missing)

O23 - Service: Virtual Disk Service (vds) - Unknown owner - C:\WINDOWS\System32\vds.exe (file missing)

O23 - Service: Volume Shadow Copy (VSS) - Unknown owner - C:\WINDOWS\System32\vssvc.exe (file missing)

O23 - Service: WMI Performance Adapter (WmiApSrv) - Unknown owner - C:\WINDOWS\system32\wbem\wmiapsrv.exe (file missing)

O23 - Service: Washer AutoComplete (wwSecSvc) - Webroot Software, Inc. - C:\WINDOWS\system32\wwSecure.exe

 

--

End of file - 7254 bytes


Hi, Ultrad321

 

No, don't go after it again. Let me go find out how we can go for it. Hm, until I find something, did you try right-clicking ylcgcuoq.dat to see if you can rename it to, say, ylcgcuoq.txt? Try it and tell me if you can.

 

Gogo :o


Hi, Ultrad321

 

Now I found this tool here. It looks like it will have no problems running on your OS, but I would not delete it; just use this tool to try and rename it. This way, if we have a problem, we can get it back.

 

http://ccollomb.free.fr/unlocker/

 

Gogo ;)


The program installs fine, but then is unresponsive. Double-clicking on the icon brings up the hourglass for a second or less, but nothing happens. The Unlocker option never shows up on the right-click menu as the website says it will. Trying it in compatibility mode does nothing.

 

Downloaded and tried Emco Unlock IT, which said the file was not being locked by any processes, which is weird because the access denied message continues to come up. I might try a few of the other programs on the Unlocker site's list to check multiple times to see if I can unlock the file.


Hey, Ultrad321

 

If you don't find anything, this tool may work.

 

Next please download the Killbox by Option^Explicit.

 

Note: In the event you already have Killbox, this is a new version that I need you to download.

 

* Save it to your desktop.

* Please double-click Killbox.exe to run it.

* Select:

  o Delete on Reboot

  o then click on the All Files button.

* Please copy the file paths below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose copy):

 

C:\WINDOWS\SysWOW64\Drivers\ylcgcuoq.dat

 

* Return to Killbox, go to the File menu, and choose Paste from Clipboard.

* Click the red-and-white Delete File button. Click Yes at the Delete on Reboot prompt. Click OK at any PendingFileRenameOperations prompt (just please let me know if you receive this message!).

 

If your computer does not restart automatically, please restart it manually.

 

 

P.S. If you receive a message such as: "Component 'MsComCtl.ocx' or one of its dependencies not correctly registered: a file is missing or invalid." when trying to run Killbox, click here to download and run missingfilesetup.exe. Then try Killbox again.

 

 

=====================

 

Let me know

 

Gogo ;)

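"Delete on Reboot" in Killbox, and the PendingFileRenameOperations prompt the instructions mention, both come down to one registry value: HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\PendingFileRenameOperations, a REG_MULTI_SZ of (source, destination) pairs that Session Manager (smss.exe) processes early in boot, before the files can be opened by anything in user mode; an empty destination means delete, a destination prefixed with "!" means replace an existing file. The documented way to queue an entry is MoveFileEx with MOVEFILE_DELAY_UNTIL_REBOOT. As an added example, not Killbox's code or anything from this thread, here is Python that builds and parses that value's raw layout so you can see what a tool has queued, plus the MoveFileEx call that writes it on Windows (administrator rights required). The path used in the sample is the one from this thread. One caveat worth knowing when the technique fails, as it did here: boot-start and system-start drivers are already loaded when smss.exe runs, so a driver loaded that early can still deny the delete or recreate the file.

```python
import sys

VALUE_KEY = r"SYSTEM\CurrentControlSet\Control\Session Manager"
VALUE_NAME = "PendingFileRenameOperations"
MOVEFILE_DELAY_UNTIL_REBOOT = 0x4   # kernel32 MoveFileEx flag


def nt_path(win_path):
    r"""Session Manager expects NT object-manager paths of the form \??\C:\dir\file."""
    return win_path if win_path.startswith("\\??\\") else "\\??\\" + win_path


def encode(ops):
    """ops: iterable of (source, destination, replace_existing); destination None
    queues a delete. Returns the raw REG_MULTI_SZ bytes: UTF-16LE, every string
    NUL-terminated, one extra NUL at the end. An empty string inside the list is
    legal here and is exactly how a delete is recorded."""
    strings = []
    for src, dst, replace in ops:
        strings.append(nt_path(src))
        if dst is None:
            strings.append("")                       # empty target == delete
        else:
            strings.append(("!" if replace else "") + nt_path(dst))
    return ("\0".join(strings) + "\0\0").encode("utf-16-le")


def decode(raw):
    """Inverse of encode(): list of dicts describing the queued operations."""
    text = raw.decode("utf-16-le")
    if not text.endswith("\0\0"):
        raise ValueError("not a terminated REG_MULTI_SZ")
    if text.strip("\0") == "":
        return []
    # Drop the multi-sz terminator, split on NUL, then drop the empty piece that
    # follows the last string's own terminator.
    parts = text[:-1].split("\0")[:-1]
    if len(parts) % 2:
        raise ValueError("odd number of strings: value is corrupt")
    ops = []
    for src, dst in zip(parts[0::2], parts[1::2]):
        if dst == "":
            ops.append({"op": "delete", "src": src})
        else:
            ops.append({"op": "rename", "src": src,
                        "dst": dst.lstrip("!"), "replace": dst.startswith("!")})
    return ops


def queue_delete_on_reboot(win_path):
    """Have the kernel write the entry (needs administrator rights). This is the
    documented API behind any 'delete on reboot' feature; it only runs on Windows."""
    if sys.platform != "win32":
        raise OSError("MoveFileExW is only available on Windows")
    import ctypes
    from ctypes import wintypes
    k32 = ctypes.WinDLL("kernel32", use_last_error=True)
    k32.MoveFileExW.argtypes = (wintypes.LPCWSTR, wintypes.LPCWSTR, wintypes.DWORD)
    k32.MoveFileExW.restype = wintypes.BOOL
    if not k32.MoveFileExW(win_path, None, MOVEFILE_DELAY_UNTIL_REBOOT):
        raise ctypes.WinError(ctypes.get_last_error())


# Constructed sample: the file from this thread queued for deletion, plus a
# hypothetical replace-on-reboot of a DLL to show the "!" form.
SAMPLE_OPS = [
    (r"C:\WINDOWS\SysWOW64\Drivers\ylcgcuoq.dat", None, False),
    (r"C:\tmp\new.dll", r"C:\WINDOWS\system32\old.dll", True),
]

if __name__ == "__main__":
    raw = encode(SAMPLE_OPS)
    print(raw)
    for op in decode(raw):
        print(op)
```

If you export the value with regedit on the affected machine (`reg export` works too), the hex you get is what encode() produces, and decode() turns it back into a readable list. An entry that keeps reappearing in that list after a reboot means the operation was queued but did not take effect, which is exactly the situation to look for when Delete on Reboot reports success but the file survives.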

Well, I tried it and the file is still there. I tried it a second time and I got the pending filename message. I did not receive it the first time, but did the second time. It remains after the second attempt.

 

This is one persistent bug, huh?

 

We'll get it ; )


Hey, Ultrad321

 

Sorry to hear it. Yes, it is a big one. I'm going to have someone have a look for both of us.

 

Gogo ;)
