Tek-Tips is the largest IT community on the Internet today!

Members share and learn making Tek-Tips Forums the best source of peer-reviewed technical information on the Internet!

Register Log in
  • Congratulations Rhinorhino on being selected by the Tek-Tips community for having the most helpful posts in the forums last week. Way to Go!

Control Panel unaccessible and Phantom Administrator account 1

Status
Not open for further replies.
pgsceci

pgsceci

Technical User
Joined
Mar 5, 2008
Messages
1
Well, I got rid of most of the junk on my pc, but one file remains that is preventing me from accessing the control panel. The weird part is that when I boot into safe mode, there are two accounts- 1 Admin and the default one (which is the only option normally) SO when I go into that and try to get into the Account Setup folder I get an Internet Explorer error that doesn't say anything!

I have been using antivir, AVG antispyware, a free registry cleaner, and AVG Antirootkit. Can anyone see a way to get into my account settings again?

I will post a HijackThis report when my antivir scan is completely done.
 
Sort by date Sort by votes
Download hijack this from the link below.Please do this. Click here:


to download HijackThis. Click scan and save a logfile, then post it here so
we can take a look at it for you. Don't click fix on anything in hijack this
as most of the files are legitimate.


Member of ASAP Alliance of Security Analysis Professionals

under the name khazars
 
Upvote 0 Downvote
I am the same person as above, I just forgot to log out of my mom's name :)

ok here is what the log says:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 9:49:11 AM, on 3/8/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16608)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Avira\AntiVir PersonalEdition Classic\avguard.exe
C:\Program Files\Avira\AntiVir PersonalEdition Classic\sched.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\WINDOWS\system32\PnkBstrA.exe
C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Windows Media Player\WMPNSCFG.exe
C:\Program Files\Common Files\New Boundary\PrismXL\PRISMXL.SYS
C:\WINDOWS\system32\PSIService.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Viewpoint\Common\ViewpointService.exe
C:\Program Files\Windows Media Player\WMPNetwk.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\System32\alg.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Avira\AntiVir PersonalEdition Classic\update.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
C:\WINDOWS\system32\wbem\wmiprvse.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = \blank.htm
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_10\bin\ssv.dll
O3 - Toolbar: @msdxmLC.dll,-1@1033,&Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\system32\msdxm.ocx
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [UfSeAgnt.exe] "C:\Program Files\Trend Micro\Internet Security\UfSeAgnt.exe"
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [avgnt] "C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe" /min
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [WMPNSCFG] C:\Program Files\Windows Media Player\WMPNSCFG.exe
O4 - Startup: PowerReg Scheduler V3.exe
O7 - HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System, DisableRegedit=1
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - AutorunsDisabled - (no file)
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_10\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_10\bin\ssv.dll
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - O16 - DPF: {20B845BF-450F-4C1E-AF60-3CC380CDE328} (get_atlcom Class) - O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
O16 - DPF: {39B0684F-D7BF-4743-B050-FDC3F48F7E3B} - O16 - DPF: {406B5949-7190-4245-91A9-30A17DE16AD0} (Snapfish Activia) - O16 - DPF: {459E93B6-150E-45D5-8D4B-45C66FC035FE} (get_atlcom Class) - O16 - DPF: {493ACF15-5CD9-4474-82A6-91670C3DD66E} (LinkedIn ContactFinderControl) - O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - O16 - DPF: {705EC6D4-B138-4079-A307-EF13E40C2416} (InstallerWeb Control) - O16 - DPF: {D18F962A-3722-4B59-B08D-28BB9EB2281E} (PhotosCtrl Class) - O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - O16 - DPF: {D77EF652-9A6B-40C8-A4B9-1C0697C6CF41} (TikGames Online Control) - O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} - O20 - Winlogon Notify: winjvl32 - winjvl32.dll (file missing)
O21 - SSODL: BootCheck - {2549d529-b026-4e89-a8a7-48bfe137b121} - (no file)
O21 - SSODL: zip - {eec79bda-1d3f-4852-8d53-86a49c44a95e} - (no file)
O23 - Service: AntiVir PersonalEdition Classic Scheduler (AntiVirScheduler) - Avira GmbH - C:\Program Files\Avira\AntiVir PersonalEdition Classic\sched.exe
O23 - Service: AntiVir PersonalEdition Classic Guard (AntiVirService) - Avira GmbH - C:\Program Files\Avira\AntiVir PersonalEdition Classic\avguard.exe
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: lxcg_device - - C:\WINDOWS\system32\lxcgcoms.exe
O23 - Service: PnkBstrA - Unknown owner - C:\WINDOWS\system32\PnkBstrA.exe
O23 - Service: PrismXL - New Boundary Technologies, Inc. - C:\Program Files\Common Files\New Boundary\PrismXL\PRISMXL.SYS
O23 - Service: ProtexisLicensing - Unknown owner - C:\WINDOWS\system32\PSIService.exe
O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - CACE Technologies - C:\Program Files\WinPcap\rpcapd.exe
O23 - Service: Trend Micro Central Control Component (SfCtlCom) - Trend Micro Inc. - C:\Program Files\Trend Micro\Internet Security\SfCtlCom.exe
O23 - Service: Trend Micro Unauthorized Change Prevention Service (TMBMServer) - Trend Micro Inc. - C:\Program Files\Trend Micro\BM\TMBMSRV.exe
O23 - Service: Trend Micro Personal Firewall (TmPfw) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~2\TmPfw.exe
O23 - Service: Trend Micro Proxy Service (tmproxy) - Trend Micro Inc. - C:\Program Files\Trend Micro\Internet Security\TmProxy.exe
O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exe

--
End of file - 9225 bytes
 
Upvote 0 Downvote
Please download to your
desktop.
· Double-click VundoFix.exe to run it.
· Click the Scan for Vundo button.
· Once it's done scanning, click the Remove Vundo button.
· You will receive a prompt asking if you want to remove the files, click
YES
· Once you click yes, your desktop will go blank as it starts removing
Vundo.
· When completed, it will prompt that it will shutdown your computer, click
OK.
· Turn your computer back on.


Go here and downlaod the latest version of java, once
downloaded, go to add/remove and uninstall all previous versions of java
from add/remove and then instlall the latest version you just downloaded!






Download SDFix and save it to your Desktop.


Double click SDFix.exe and it will extract the files to %systemdrive%
(Drive that contains the Windows Directory, typically C:\SDFix)

Please then reboot your computer in Safe Mode by doing the following :

* Restart your computer
* After hearing your computer beep once during startup, but before the
Windows icon appears, tap the F8 key continually;
* Instead of Windows loading as normal, the Advanced Options Menu should
appear;
* Select the first option, to run Windows in Safe Mode, then press
Enter.
* Choose your usual account.

* Open the extracted SDFix folder and double click RunThis.bat to start
the script.
* Type Y to begin the cleanup process.
* It will remove any Trojan Services and Registry Entries that it finds
then prompt you to press any key to Reboot.
* Press any Key and it will restart the PC.
* When the PC restarts the Fixtool will run again and complete the
removal process then display Finished, press any key to end the script and
load your desktop icons.
* Once the desktop icons load the SDFix report will open on screen and
also save into the SDFix folder as Report.txt
(Report.txt will also be copied to Clipboard ready for posting back on
the forum).
* Finally paste the contents of the Report.txt back on the forum with a
new HijackThis log

_____________________________________________________________________

NOTE: If you have downloaded ComboFix previously please delete that
version and download it again!



Download ComboFix from
http://www.techsupportforum.com/sectools/sUBs/ComboFix.exe"]Here[/URL]
or
Here
to your Desktop.

Reboot to Safe mode:

Restart your computer and begin tapping the F8 key on your keyboard just
before Windows starts to load. If done right a Windows Advanced Options menu
will appear. Select the Safe Mode option and press Enter.

Perform the following actions in Safe Mode.
  • Double click combofix.exe and follow the prompts.
  • When finished, it shall produce a log for you. Post that log and a
    HiJackthis log in your next reply
Note: Do not mouseclick combofix's window while its
running. That may cause it to stall



post another hijack this log, the vundo, the sdfix and the combo logs!




Member of ASAP Alliance of Security Analysis Professionals

under the name khazars
 
Upvote 0 Downvote
Vundofix found nothing.

After SDfix:

SDFix: Version 1.154

Run by Owner on Sat 03/08/2008 at 02:46 PM

Microsoft Windows XP [Version 5.1.2600]
Running From: C:\SDFix

Checking Services :

Name:
ntload

Path:
\??\C:\WINDOWS\system32\ntload.sys

ntload - Deleted



Restoring Windows Registry Values
Restoring Windows Default Hosts File
Resetting SecurityProviders Value
Resetting AppInit_DLLs value


Rebooting

Service mp32 - Deleted after Reboot

Checking Files :

Trojan Files Found:

C:\Program Files\IE Extensions\cj.v2.dll - Deleted
C:\d.exe - Deleted
C:\WINDOWS\system32\sex1.ico - Deleted
C:\WINDOWS\system32\sex2.ico - Deleted
C:\Documents and Settings\Owner\Application Data\addon.dat - Deleted
C:\Documents and Settings\Owner\smss.bin - Deleted
C:\Documents and Settings\Owner\spoolsv.bin - Deleted
C:\WINDOWS\system32\drivers\ntndis.exe - Deleted
C:\WINDOWS\system32\isys32.exe - Deleted
C:\WINDOWS\system32\winsrc.dll - Deleted
C:\WINDOWS\system32\wscmp.dll - Deleted
C:\WINDOWS\system32\dxdss.sys - Deleted
C:\WINDOWS\system32\wowfx.dll - Deleted



Folder C:\Program Files\Helper - Removed
Folder C:\Program Files\IE Extensions - Removed


Removing Temp Files

ADS Check :



Final Check :

catchme 0.3.1344.2 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, Rootkit scan 2008-03-08 14:55:13
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden services & system hive ...

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\sptd\Cfg]
"s1"=dword:ea9d5416
"s2"=dword:b71552c7
"h0"=dword:00000002

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04]
"h0"=dword:00000001
"ujdew"=hex:7a,60,be,65,47,5e,07,cc,18,9e,99,af,3c,64,f5,72,36,f2,95,6a,ac,..

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4]
"h0"=dword:00000000
"khjeh"=hex:97,34,f1,85,79,01,5a,9f,a4,58,e8,98,02,00,2f,c2,4d,8e,58,02,a3,..
"p0"="C:\Program Files\DAEMON Tools\"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001]
"a0"=hex:20,01,00,00,53,d7,8a,49,f8,f6,a1,60,0f,90,4b,e8,65,fd,e3,65,d5,..
"khjeh"=hex:ef,76,50,d3,ce,1e,c7,a8,c8,5f,93,0c,2f,ba,2e,13,6c,bd,c6,d8,f8,..

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf40]
"khjeh"=hex:1a,50,48,4f,86,2c,c5,3a,94,d2,82,18,ac,32,84,83,b6,60,e2,a9,77,..
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet004\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04]
"h0"=dword:00000001
"ujdew"=hex:7a,60,be,65,47,5e,07,cc,18,9e,99,af,3c,64,f5,72,36,f2,95,6a,ac,..
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet004\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4]
"h0"=dword:00000000
"khjeh"=hex:97,34,f1,85,79,01,5a,9f,a4,58,e8,98,02,00,2f,c2,4d,8e,58,02,a3,..
"p0"="C:\Program Files\DAEMON Tools\"

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet004\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001]
"a0"=hex:20,01,00,00,53,d7,8a,49,f8,f6,a1,60,0f,90,4b,e8,65,fd,e3,65,d5,..
"khjeh"=hex:ef,76,50,d3,ce,1e,c7,a8,c8,5f,93,0c,2f,ba,2e,13,6c,bd,c6,d8,f8,..

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet004\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf40]
"khjeh"=hex:1a,50,48,4f,86,2c,c5,3a,94,d2,82,18,ac,32,84,83,b6,60,e2,a9,77,..

scanning hidden registry entries ...

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Reinstall\\24\xe1\21]
"DisplayName"="\x6e80\x227\x6e80\x227\1"
"DeviceDesc"="\x6e80\x227\x6e80\x227\1"
"ProviderName"="\xfed4\21\xee18\x7c90\xff44\21\b"
"MFG"="\x610"
"ReinstallString"="C:\WINDOWS\System32\ReinstallBackups\\xe114\21\x80\xc010\DriverFiles\.INF"
"DeviceInstanceIds"=str(7):"d:\i386\apps\app00679\sbdrv\smbus\smbusati.inf"
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{07A99747-BEFE-E08A-A8F1-36ECAE30883C}]
"abfpaljfcmmdbocieangegalaglbgknnjp"=hex:61,61,00,00
"bbfpaljfcmmdbocieachnajelnlbmnkcmael"=hex:61,61,00,00

scanning hidden files ...

scan completed successfully
hidden processes: 0
hidden services: 0
hidden files: 0


Remaining Services :



Authorized Application Key Export:

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"c:\\Program Files\\Yahoo!\\Messenger\\YPager.exe"="C:\\Program Files\\Yahoo!\\Messenger\\YPAGER.EXE:*:Enabled:Yahoo! Messenger"
"c:\\Program Files\\Yahoo!\\Messenger\\yserver.exe"="C:\\Program Files\\Yahoo!\\Messenger\\yserver.exe:*:Enabled:Yahoo! FT Server"
"C:\\Program Files\\p2pnetworks\\p2pnetworks.exe"="C:\\Program Files\\p2pnetworks\\p2pnetworks.exe:*:Enabled:P2PNetworks"
"C:\\Program Files\\EA Games\\Command and Conquer Generals\\generals.exe"="C:\\Program Files\\EA Games\\Command and Conquer Generals\\generals.exe:*:Enabled:Command & Conquer Generals"
"C:\\Program Files\\EA Games\\Command & Conquer Generals Zero Hour\\generals.exe"="C:\\Program Files\\EA Games\\Command & Conquer Generals Zero Hour\\generals.exe:*:Enabled:Command and ConquerTM Generals Zero Hour"
"C:\\Program Files\\Yahoo!\\browser\\ybrowser.exe"="C:\\Program Files\\Yahoo!\\browser\\ybrowser.exe:*:Enabled:SBC Yahoo! DSL"
"C:\\Program Files\\Common Files\\AolCoach\\en_en\\player\\AOLNySEV.exe"="C:\\Program Files\\Common Files\\AolCoach\\en_en\\player\\AOLNySEV.exe:*:Disabled:AOL"
"C:\\Program Files\\Common Files\\AOL\\System Information\\sinf.exe"="C:\\Program Files\\Common Files\\AOL\\System Information\\sinf.exe:*:Disabled:AOL"
"C:\\Program Files\\Common Files\\AOL\\AOL Spyware Protection\\asp.exe"="C:\\Program Files\\Common Files\\AOL\\AOL Spyware Protection\\asp.exe:*:Disabled:AOL"
"C:\\Program Files\\Common Files\\AOL\\AOL Spyware Protection\\AOLSP Scheduler.exe"="C:\\Program Files\\Common Files\\AOL\\AOL Spyware Protection\\AOLSP Scheduler.exe:*:Disabled:AOL"
"C:\\Program Files\\Common Files\\AOL\\ACS\\AOLDial.exe"="C:\\Program Files\\Common Files\\AOL\\ACS\\AOLDial.exe:*:Disabled:AOL"
"C:\\Program Files\\Common Files\\AOL\\ACS\\AOLacsd.exe"="C:\\Program Files\\Common Files\\AOL\\ACS\\AOLacsd.exe:*:Disabled:AOL"
"C:\\Program Files\\Common Files\\AOL\\1126291343\\EE\\AOLServiceHost.exe"="C:\\Program Files\\Common Files\\AOL\\1126291343\\EE\\AOLServiceHost.exe:*:Disabled:AOL"
"C:\\Program Files\\America Online 9.0\\waol.exe"="C:\\Program Files\\America Online 9.0\\waol.exe:*:Disabled:AOL"
"C:\\Program Files\\Common Files\\AOL\\1126291343\\EE\\aolsoftware.exe"="C:\\Program Files\\Common Files\\AOL\\1126291343\\EE\\aolsoftware.exe:*:Disabled:AOL Services"
"C:\\Program Files\\Common Files\\AOL\\TopSpeed\\2.0\\aoltpspd.exe"="C:\\Program Files\\Common Files\\AOL\\TopSpeed\\2.0\\aoltpspd.exe:*:Disabled:AOLTopSpeed"
"C:\\Program Files\\Common Files\\AOL\\TopSpeed\\2.0\\aoltsmon.exe"="C:\\Program Files\\Common Files\\AOL\\TopSpeed\\2.0\\aoltsmon.exe:*:Disabled:AOLTsMon"
"C:\\Documents and Settings\\Theo\\My Documents\\AIM\\aim.exe"="C:\\Documents and Settings\\Theo\\My Documents\\AIM\\aim.exe:*:Enabled:AOL Instant Messenger"
"C:\\PROGRA~1\\Yahoo!\\MESSEN~1\\YPager.exe"="C:\\PROGRA~1\\Yahoo!\\MESSEN~1\\YPager.exe:*:Enabled:Yahoo! Messenger"
"C:\\PROGRA~1\\Yahoo!\\MESSEN~1\\yserver.exe"="C:\\PROGRA~1\\Yahoo!\\MESSEN~1\\yserver.exe:*:Enabled:Yahoo! FT Server"
"%windir%\\Network Diagnostic\\xpnetdiag.exe"="%windir%\\Network Diagnostic\\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"
"C:\\Program Files\\AIM\\aim.exe"="C:\\Program Files\\AIM\\aim.exe:*:Enabled:AOL Instant Messenger"
"C:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"="C:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe:*:Enabled:AOL Loader"
"C:\\Documents and Settings\\Owner\\Desktop\\Theo\\blah2\\trial\\halo.exe"="C:\\Documents and Settings\\Owner\\Desktop\\Theo\\blah2\\trial\\halo.exe:*:Enabled:Halo"
"C:\\Documents and Settings\\Owner\\Desktop\\Theo\\blah2\\CE\\haloce.exe"="C:\\Documents and Settings\\Owner\\Desktop\\Theo\\blah2\\CE\\haloce.exe:*:Enabled:Halo"
"C:\\Documents and Settings\\Owner\\Desktop\\Theo\\blah2\\New Folder\\Halo\\halo.exe"="C:\\Documents and Settings\\Owner\\Desktop\\Theo\\blah2\\New Folder\\Halo\\halo.exe:*:Enabled:Halo"
"C:\\Documents and Settings\\Owner\\Desktop\\Theo\\blah2\\New Folder (3)\\halo.exe"="C:\\Documents and Settings\\Owner\\Desktop\\Theo\\blah2\\New Folder (3)\\halo.exe:*:Enabled:Halo"
"C:\\Documents and Settings\\Owner\\Desktop\\Theo\\azureus\\Azureus.exe"="C:\\Documents and Settings\\Owner\\Desktop\\Theo\\azureus\\Azureus.exe:*:Enabled:Azureus"
"C:\\Documents and Settings\\Owner\\Desktop\\Theo\\u90o[\\haloce.exe"="C:\\Documents and Settings\\Owner\\Desktop\\Theo\\u90o[\\haloce.exe:*:Enabled:Halo"
"C:\\Documents and Settings\\Owner\\Desktop\\Theo\\Shtuff\\RiseAndFall\\Bin\\RiseAndFallDemo.exe"="C:\\Documents and Settings\\Owner\\Desktop\\Theo\\Shtuff\\RiseAndFall\\Bin\\RiseAndFallDemo.exe:*:Enabled:RiseAndFallDemo"
"C:\\Documents and Settings\\Owner\\Desktop\\Theo\\Shtuff\\azureus\\Azureus.exe"="C:\\Documents and Settings\\Owner\\Desktop\\Theo\\Shtuff\\azureus\\Azureus.exe:*:Enabled:Azureus"
"C:\\Documents and Settings\\Owner\\Desktop\\Tony!!\\Robot Arena 2.exe"="C:\\Documents and Settings\\Owner\\Desktop\\Tony!!\\Robot Arena 2.exe:*:Enabled:Robot Arena 2"
"C:\\Documents and Settings\\Owner\\Desktop\\Theo\\New Folder\\halo.exe"="C:\\Documents and Settings\\Owner\\Desktop\\Theo\\New Folder\\halo.exe:*:Enabled:Halo"
"C:\\WINDOWS\\system32\\dpnsvr.exe"="C:\\WINDOWS\\system32\\dpnsvr.exe:*:Enabled:Microsoft DirectPlay8 Server"
"C:\\Documents and Settings\\Owner\\Desktop\\Theo\\bfdfbdfbdfb\\Quake2\\quake2.exe"="C:\\Documents and Settings\\Owner\\Desktop\\Theo\\bfdfbdfbdfb\\Quake2\\quake2.exe:*:Enabled:quake2"
"C:\\Documents and Settings\\Owner\\Desktop\\Theo\\bthhdfjklsdh\\halo.exe"="C:\\Documents and Settings\\Owner\\Desktop\\Theo\\bthhdfjklsdh\\halo.exe:*:Enabled:Halo"
"C:\\Documents and Settings\\Owner\\Desktop\\Theo\\bthhdfjklsdh\\halozero.exe"="C:\\Documents and Settings\\Owner\\Desktop\\Theo\\bthhdfjklsdh\\halozero.exe:*:Enabled:Halo Zero "
"C:\\Documents and Settings\\Owner\\My Documents\\Downloads\\Halo\\halo.exe"="C:\\Documents and Settings\\Owner\\My Documents\\Downloads\\Halo\\halo.exe:*:Enabled:halo.exe"
"C:\\Documents and Settings\\Owner\\Desktop\\Theo\\OOmpaLoompa\\Halo Custom Edition\\haloce.exe"="C:\\Documents and Settings\\Owner\\Desktop\\Theo\\OOmpaLoompa\\Halo Custom Edition\\haloce.exe:*:Enabled:Halo"
"C:\\Documents and Settings\\Owner\\Desktop\\Theo\\OOmpaLoompa\\halo.exe"="C:\\Documents and Settings\\Owner\\Desktop\\Theo\\OOmpaLoompa\\halo.exe:*:Enabled:Halo"
"C:\\Documents and Settings\\Owner\\Desktop\\Theo\\Splinter Cell Pandora Tomorrow\\pandora.exe"="C:\\Documents and Settings\\Owner\\Desktop\\Theo\\Splinter Cell Pandora Tomorrow\\pandora.exe:*:Enabled:pandora"
"C:\\Documents and Settings\\Owner\\Application Data\\2K Games\\Firaxis Games\\Sid Meier's Civilization 4 Gold\\Civilization4.exe"="C:\\Documents and Settings\\Owner\\Application Data\\2K Games\\Firaxis Games\\Sid Meier's Civilization 4 Gold\\Civilization4.exe:*:Enabled:Sid Meier's Civilization 4 Gold"
"C:\\Documents and Settings\\Owner\\Application Data\\2K Games\\Firaxis Games\\Sid Meier's Civilization 4 Gold\\Warlords\\Civ4Warlords.exe"="C:\\Documents and Settings\\Owner\\Application Data\\2K Games\\Firaxis Games\\Sid Meier's Civilization 4 Gold\\Warlords\\Civ4Warlords.exe:*:Enabled:Sid Meier's Civilization 4: Warlords"
"C:\\Documents and Settings\\Owner\\Desktop\\Theo\\OOmpaLoompa\\haloce.exe"="C:\\Documents and Settings\\Owner\\Desktop\\Theo\\OOmpaLoompa\\haloce.exe:*:Enabled:Halo"
"C:\\Documents and Settings\\Owner\\Desktop\\Theo\\New Folder\\Halo 2\\halo2.exe"="C:\\Documents and Settings\\Owner\\Desktop\\Theo\\New Folder\\Halo 2\\halo2.exe:*:Enabled:Halo 2 for Windows Vista"
"C:\\Program Files\\Yahoo! Games\\Bejeweled 2 Deluxe\\WinBej2.exe"="C:\\Program Files\\Yahoo! Games\\Bejeweled 2 Deluxe\\WinBej2.exe:*:Enabled:Bejeweled2"
"C:\\Documents and Settings\\Owner\\Desktop\\Theo\\New Folder\\BugReport\\BugReport.exe"="C:\\Documents and Settings\\Owner\\Desktop\\Theo\\New Folder\\BugReport\\BugReport.exe:*:Enabled:BugReport"
"C:\\Program Files\\2Wire\\2PortalMon.exe"="C:\\Program Files\\2Wire\\2PortalMon.exe:*:Enabled:HomePortal Monitor Application by 2Wire Engineering"
"C:\\Program Files\\THQ\\MotoGP URT 3\\motogp.exe"="C:\\Program Files\\THQ\\MotoGP URT 3\\motogp.exe:*:Disabled:motogp"
"C:\\Program Files\\SmartFTP Client\\SmartFTP.exe"="C:\\Program Files\\SmartFTP Client\\SmartFTP.exe:*:Enabled:SmartFTP Client 2.5"
"C:\\Program Files\\Starcraft Shareware(ED)\\Starcraft.exe"="C:\\Program Files\\Starcraft Shareware(ED)\\Starcraft.exe:*:Enabled:Starcraft"
"C:\\Documents and Settings\\Owner\\Desktop\\Theo\\Shtuff\\ACSPMonitor\\ASMonitor.exe"="C:\\Documents and Settings\\Owner\\Desktop\\Theo\\Shtuff\\ACSPMonitor\\ASMonitor.exe:*:Enabled:System"
"C:\\Program Files\\Common Files\\AOL\\1126291343\\EE\\aim6.exe"="C:\\Program Files\\Common Files\\AOL\\1126291343\\EE\\aim6.exe:*:Disabled:AIM"
"C:\\Program Files\\Electronic Arts\\Battlefield 2142\\BF2142.exe"="C:\\Program Files\\Electronic Arts\\Battlefield 2142\\BF2142.exe:*:Enabled:Battlefield 2"
"C:\\Program Files\\TurboTax\\Deluxe 2007\\32bit\\ttax.exe"="C:\\Program Files\\TurboTax\\Deluxe 2007\\32bit\\ttax.exe:LocalSubNet:Enabled:TurboTax"
"C:\\Program Files\\TurboTax\\Deluxe 2007\\32bit\\updatemgr.exe"="C:\\Program Files\\TurboTax\\Deluxe 2007\\32bit\\updatemgr.exe:LocalSubNet:Enabled:TurboTax Update Manager"
"C:\\Program Files\\Bonjour\\mDNSResponder.exe"="C:\\Program Files\\Bonjour\\mDNSResponder.exe:*:Enabled:Bonjour"
"C:\\Documents and Settings\\Owner\\Application Data\\printer.exe"="C:\\DOCUMENTS AND SETTINGS\\OWNER\\APPLICATION DATA\\PRINTER.EXE:*:Enabled:@xpsp2res.dll,-22019"
"C:\\WINDOWS\\system32\\printer.exe"="C:\\WINDOWS\\system32\\printer.exe:*:Enabled:@xpsp2res.dll,-22019"
"C:\\WINDOWS\\system32\\spoolvs.exe"="C:\\WINDOWS\\system32\\spoolvs.exe:*:Enabled:@xpsp2res.dll,-22019"
"C:\\WINDOWS\\shell.exe"="C:\\WINDOWS\\shell.exe:*:Enabled:@xpsp2res.dll,-22019"
"C:\\Documents and Settings\\Owner\\Start Menu\\Programs\\Startup\\findfast.exe"="C:\\Documents and Settings\\Owner\\Start Menu\\Programs\\Startup\\findfast.exe:*:Enabled:@xpsp2res.dll,-22019"
"C:\\Documents and Settings\\All Users\\Start Menu\\Programs\\Startup\\autorun.exe"="C:\\Documents and Settings\\All Users\\Start Menu\\Programs\\Startup\\autorun.exe:*:Enabled:@xpsp2res.dll,-22019"
"%windir%\\system32\\winav.exe"="%windir%\\system32\\winav.exe:*:Enabled:@xpsp2res.dll,-22019"
"C:\\Documents and Settings\\Owner\\Application Data\\mcrupdate.exe"="C:\\Documents and Settings\\Owner\\Application Data\\mcrupdate.exe:*:Enabled:@xpsp2res.dll,-22019"
"C:\\Documents and Settings\\Owner\\Application Data\\sysdefender.exe"="C:\\Documents and Settings\\Owner\\Application Data\\sysdefender.exe:*:Enabled:@xpsp2res.dll,-22019"
"C:\\Program Files\\iTunes\\iTunes.exe"="C:\\Program Files\\iTunes\\iTunes.exe:*:Enabled:iTunes"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\domainprofile\authorizedapplications\list]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"C:\\Documents and Settings\\Theo\\My Documents\\AIM\\aim.exe"="C:\\Documents and Settings\\Theo\\My Documents\\AIM\\aim.exe:*:Enabled:AOL Instant Messenger"
"%windir%\\Network Diagnostic\\xpnetdiag.exe"="%windir%\\Network Diagnostic\\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"
"C:\\Program Files\\AIM\\aim.exe"="C:\\Program Files\\AIM\\aim.exe:*:Enabled:AOL Instant Messenger"
"C:\\Documents and Settings\\Owner\\Application Data\\printer.exe"="C:\\DOCUMENTS AND SETTINGS\\OWNER\\APPLICATION DATA\\PRINTER.EXE:*:Enabled:@xpsp2res.dll,-22019"
"C:\\WINDOWS\\system32\\printer.exe"="C:\\WINDOWS\\system32\\printer.exe:*:Enabled:@xpsp2res.dll,-22019"
"C:\\WINDOWS\\system32\\spoolvs.exe"="C:\\WINDOWS\\system32\\spoolvs.exe:*:Enabled:@xpsp2res.dll,-22019"
"C:\\WINDOWS\\shell.exe"="C:\\WINDOWS\\shell.exe:*:Enabled:@xpsp2res.dll,-22019"
"C:\\Documents and Settings\\Owner\\Start Menu\\Programs\\Startup\\findfast.exe"="C:\\Documents and Settings\\Owner\\Start Menu\\Programs\\Startup\\findfast.exe:*:Enabled:@xpsp2res.dll,-22019"
"C:\\Documents and Settings\\All Users\\Start Menu\\Programs\\Startup\\autorun.exe"="C:\\Documents and Settings\\All Users\\Start Menu\\Programs\\Startup\\autorun.exe:*:Enabled:@xpsp2res.dll,-22019"
"%windir%\\system32\\winav.exe"="%windir%\\system32\\winav.exe:*:Enabled:@xpsp2res.dll,-22019"
"C:\\Documents and Settings\\Owner\\Application Data\\mcrupdate.exe"="C:\\Documents and Settings\\Owner\\Application Data\\mcrupdate.exe:*:Enabled:@xpsp2res.dll,-22019"
"C:\\Documents and Settings\\Owner\\Application Data\\sysdefender.exe"="C:\\Documents and Settings\\Owner\\Application Data\\sysdefender.exe:*:Enabled:@xpsp2res.dll,-22019"

Remaining Files :


File Backups: - C:\SDFix\backups\backups.zip

Files with Hidden Attributes :

Thu 6 Dec 2007 625,664 A.SH. --- "C:\Program Files\Internet Explorer\iexplore.exe"
Wed 4 Aug 2004 60,416 A.SH. --- "C:\Program Files\Outlook Express\msimn.exe"
Wed 4 Aug 2004 4,639 A.SH. --- "C:\Program Files\Windows Media Player\mplayer2.exe"
Wed 18 Oct 2006 64,000 A.SH. --- "C:\Program Files\Windows Media Player\wmplayer.exe"
Sat 14 Oct 2006 56 ..SHR --- "C:\WINDOWS\system32\DFA1B5E320.sys"
Thu 17 May 2007 88 ..SHR --- "C:\WINDOWS\system32\F4CAD6D6F8.sys"
Thu 17 May 2007 5,852 A.SH. --- "C:\WINDOWS\system32\KGyGaAvL.sys"
Thu 31 May 2007 4,348 A.SH. --- "C:\Documents and Settings\All Users\DRM\DRMv1.bak"
Tue 22 May 2007 0 A.SH. --- "C:\Documents and Settings\All Users\DRM\Cache\Indiv01.tmp"
Sun 2 Mar 2008 165,232 A..H. --- "C:\Documents and Settings\Owner\Application Data\Microsoft\Virtual PC\VPCKeyboard.dll"
Sun 28 Oct 2007 25,088 ...H. --- "C:\Documents and Settings\Owner\Application Data\Microsoft\Word\~WRL2062.tmp"
Wed 20 Jun 2007 444 ...HR --- "C:\Documents and Settings\Owner\Application Data\SecuROM\UserData\securom_v7_01.bak"

Finished!

and the hijackthis log:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 3:08:30 PM, on 3/8/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16608)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Avira\AntiVir PersonalEdition Classic\avguard.exe
C:\Program Files\Avira\AntiVir PersonalEdition Classic\sched.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\COMODO\Firewall\cmdagent.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\WINDOWS\system32\PnkBstrA.exe
C:\Program Files\Common Files\New Boundary\PrismXL\PRISMXL.SYS
C:\WINDOWS\system32\PSIService.exe
C:\Program Files\Trend Micro\Internet Security\SfCtlCom.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Viewpoint\Common\ViewpointService.exe
C:\Program Files\Trend Micro\BM\TMBMSRV.exe
C:\Program Files\Trend Micro\Internet Security\UfSeAgnt.exe
C:\PROGRA~1\TRENDM~1\INTERN~2\TmPfw.exe
C:\Program Files\Trend Micro\Internet Security\TmProxy.exe
C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe
C:\Program Files\COMODO\Firewall\cfp.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Windows Media Player\WMPNSCFG.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = \blank.htm
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O3 - Toolbar: @msdxmLC.dll,-1@1033,&Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\system32\msdxm.ocx
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [UfSeAgnt.exe] "C:\Program Files\Trend Micro\Internet Security\UfSeAgnt.exe"
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [avgnt] "C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe" /min
O4 - HKLM\..\Run: [COMODO Firewall Pro] "C:\Program Files\COMODO\Firewall\cfp.exe" -h
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe"
O4 - HKLM\..\Run: [LXCGCATS] rundll32 C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\LXCGtime.dll,_RunDLLEntry@16
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [WMPNSCFG] C:\Program Files\Windows Media Player\WMPNSCFG.exe
O4 - Startup: PowerReg Scheduler V3.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - AutorunsDisabled - (no file)
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - O16 - DPF: {20B845BF-450F-4C1E-AF60-3CC380CDE328} (get_atlcom Class) - O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
O16 - DPF: {39B0684F-D7BF-4743-B050-FDC3F48F7E3B} - O16 - DPF: {406B5949-7190-4245-91A9-30A17DE16AD0} (Snapfish Activia) - O16 - DPF: {459E93B6-150E-45D5-8D4B-45C66FC035FE} (get_atlcom Class) - O16 - DPF: {493ACF15-5CD9-4474-82A6-91670C3DD66E} (LinkedIn ContactFinderControl) - O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - O16 - DPF: {705EC6D4-B138-4079-A307-EF13E40C2416} (InstallerWeb Control) - O16 - DPF: {D18F962A-3722-4B59-B08D-28BB9EB2281E} (PhotosCtrl Class) - O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - O16 - DPF: {D77EF652-9A6B-40C8-A4B9-1C0697C6CF41} (TikGames Online Control) - O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} - O20 - Winlogon Notify: winjvl32 - winjvl32.dll (file missing)
O21 - SSODL: BootCheck - {2549d529-b026-4e89-a8a7-48bfe137b121} - (no file)
O21 - SSODL: zip - {eec79bda-1d3f-4852-8d53-86a49c44a95e} - (no file)
O23 - Service: AntiVir PersonalEdition Classic Scheduler (AntiVirScheduler) - Avira GmbH - C:\Program Files\Avira\AntiVir PersonalEdition Classic\sched.exe
O23 - Service: AntiVir PersonalEdition Classic Guard (AntiVirService) - Avira GmbH - C:\Program Files\Avira\AntiVir PersonalEdition Classic\avguard.exe
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: COMODO Firewall Pro Helper Service (cmdAgent) - COMODO - C:\Program Files\COMODO\Firewall\cmdagent.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: lxcg_device - - C:\WINDOWS\system32\lxcgcoms.exe
O23 - Service: PnkBstrA - Unknown owner - C:\WINDOWS\system32\PnkBstrA.exe
O23 - Service: PrismXL - New Boundary Technologies, Inc. - C:\Program Files\Common Files\New Boundary\PrismXL\PRISMXL.SYS
O23 - Service: ProtexisLicensing - Unknown owner - C:\WINDOWS\system32\PSIService.exe
O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - CACE Technologies - C:\Program Files\WinPcap\rpcapd.exe
O23 - Service: Trend Micro Central Control Component (SfCtlCom) - Trend Micro Inc. - C:\Program Files\Trend Micro\Internet Security\SfCtlCom.exe
O23 - Service: Trend Micro Unauthorized Change Prevention Service (TMBMServer) - Trend Micro Inc. - C:\Program Files\Trend Micro\BM\TMBMSRV.exe
O23 - Service: Trend Micro Personal Firewall (TmPfw) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~2\TmPfw.exe
O23 - Service: Trend Micro Proxy Service (tmproxy) - Trend Micro Inc. - C:\Program Files\Trend Micro\Internet Security\TmProxy.exe
O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exe

--
End of file - 9727 bytes


I still have to do the ComboFix program
 
Upvote 0 Downvote
here is the combofix log:
ComboFix 08-03-07.4 - Owner 2008-03-08 15:34:49.1 - NTFSx86 MINIMAL
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.1239 [GMT -6:00]
Running from: C:\Documents and Settings\Owner\Desktop\ComboFix.exe

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Documents and Settings\Owner\Application Data\inst.exe
C:\Documents and Settings\Owner\Application Data\Seekmo
C:\Documents and Settings\Owner\g2mdlhlpx.exe
C:\Documents and Settings\Owner\ResErrors.log
C:\WINDOWS\system32\system
C:\WINDOWS\system32\system\win.dat
C:\WINDOWS\trustinbar.exe
C:\WINDOWS\tse.exe
D:\Autorun.inf

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\LEGACY_NEW_DRV
-------\LEGACY_NM


((((((((((((((((((((((((( Files Created from 2008-02-08 to 2008-03-08 )))))))))))))))))))))))))))))))
.

2008-03-08 14:40 . 2008-03-08 14:41 <DIR> d-------- C:\WINDOWS\ERUNT
2008-03-08 14:19 . 2008-03-08 14:19 <DIR> d-------- C:\VundoFix Backups
2008-03-08 14:16 . 2008-03-08 14:16 0 --a------ C:\ComboFix.exe
2008-03-08 14:15 . 2008-02-22 02:33 69,632 --a------ C:\WINDOWS\system32\javacpl.cpl
2008-03-08 14:11 . 2008-03-08 15:04 <DIR> d-------- C:\SDFix
2008-03-08 10:08 . 2004-02-05 21:53 389,120 --a------ C:\WINDOWS\system32\actskn43.ocx
2008-03-08 10:08 . 2004-01-08 02:43 253,952 --a------ C:\WINDOWS\system32\histogram.ocx
2008-03-08 10:08 . 2004-01-09 11:54 188,416 --a------ C:\WINDOWS\system32\actsplash.ocx
2008-03-08 10:06 . 2008-03-08 10:06 <DIR> d-------- C:\Documents and Settings\Owner\Application Data\Comodo
2008-03-08 10:05 . 2008-03-08 10:05 <DIR> d-------- C:\Program Files\COMODO
2008-03-08 10:05 . 2008-03-08 10:08 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\comodo
2008-03-08 10:05 . 2008-03-08 10:05 139,008 --a------ C:\WINDOWS\system32\guard32.dll
2008-03-08 10:05 . 2008-03-08 10:05 84,856 --a------ C:\WINDOWS\system32\drivers\cmdguard.sys
2008-03-08 10:05 . 2008-03-08 10:05 23,800 --a------ C:\WINDOWS\system32\drivers\cmdhlp.sys
2008-03-08 00:52 . 2007-01-18 06:00 3,968 --a------ C:\WINDOWS\system32\drivers\AvgArCln.sys
2008-03-08 00:43 . 2008-03-08 00:43 423,736 --a------ C:\Program Files\avgarkt-setup-1.1.0.42.exe
2008-03-07 07:13 . 2008-03-07 07:13 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\AntiVir PersonalEdition Classic
2008-03-06 22:23 . 2008-03-06 22:23 45 --a------ C:\WINDOWS\MBM 5.INI
2008-03-06 21:49 . 2008-03-06 21:49 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\Grisoft
2008-03-06 21:44 . 2004-08-27 03:54 <DIR> d-------- C:\Documents and Settings\Administrator\WINDOWS
2008-03-06 21:44 . 2005-09-09 12:43 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\You've Got Pictures Screensaver
2008-03-06 21:44 . 2005-09-09 12:42 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\SampleView
2008-03-06 21:44 . 2005-11-26 18:17 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\AOL
2008-03-06 20:40 . 2008-03-06 20:58 <DIR> d-------- C:\Program Files\Eusing Free Registry Cleaner
2008-03-06 15:51 . 2008-03-06 15:51 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Yahoo! Companion
2008-03-06 15:27 . 2008-03-06 16:46 262,144 --a------ C:\ntuser.dat
2008-03-05 21:26 . 2008-03-05 21:26 <DIR> d-------- C:\Program Files\CCleaner
2008-03-05 21:09 . 2008-03-05 21:09 <DIR> d-------- C:\Documents and Settings\Owner\Application Data\Grisoft
2008-03-05 21:05 . 2008-03-05 21:05 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Grisoft
2008-03-05 21:05 . 2007-05-30 06:10 10,872 --a------ C:\WINDOWS\system32\drivers\AvgAsCln.sys
2008-03-05 20:52 . 2008-03-05 20:52 <DIR> d-------- C:\Program Files\Avira
2008-03-05 20:52 . 2008-03-05 20:52 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Avira
2008-03-04 20:40 . 2008-03-08 15:47 54,156 --ah----- C:\WINDOWS\QTFont.qfn
2008-03-04 20:40 . 2008-03-04 20:40 1,409 --a------ C:\WINDOWS\QTFont.for
2008-03-04 15:57 . 2007-12-24 17:37 138,384 --a------ C:\WINDOWS\system32\drivers\tmcomm.sys
2008-03-04 15:57 . 2007-12-24 17:37 52,496 --a------ C:\WINDOWS\system32\drivers\tmactmon.sys
2008-03-04 15:57 . 2007-12-24 17:37 52,240 --a------ C:\WINDOWS\system32\drivers\tmevtmgr.sys
2008-03-03 21:42 . 2008-03-03 21:42 <DIR> d-------- C:\Program Files\WinPcap
2008-03-03 21:42 . 2008-03-03 21:42 <DIR> d-------- C:\Program Files\VirusTotalUploader
2008-03-02 21:45 . 2008-03-03 18:28 <DIR> d-------- C:\Documents and Settings\Owner\Application Data\WeGame
2008-03-02 21:44 . 2008-01-15 11:21 488,800 --a------ C:\WINDOWS\system32\Ltkrn15u.dll
2008-03-02 21:44 . 2008-01-15 11:21 390,496 --a------ C:\WINDOWS\system32\Lfcmp15u.dll
2008-03-02 21:44 . 2008-01-15 11:21 185,688 --a------ C:\WINDOWS\system32\Ltfil15u.dll
2008-03-02 17:44 . 2008-03-04 17:12 <DIR> d-------- C:\Program Files\Dr.Hardware 2008 english
2008-03-02 17:11 . 2008-03-02 17:11 552 --a------ C:\WINDOWS\system32\d3d8caps.dat
2008-03-02 16:57 . 2008-03-02 17:32 664 --a------ C:\WINDOWS\system32\d3d9caps.dat
2008-03-02 16:41 . 2008-03-02 16:41 0 --a------ C:\WINDOWS\ativpsrm.bin
2008-03-02 16:36 . 2008-03-02 21:54 4,096 --a------ C:\WINDOWS\system32\crash
2008-03-02 15:32 . 2008-03-03 18:32 <DIR> d-------- C:\Documents and Settings\Owner\Application Data\GetRightToGo
2008-02-24 15:15 . 2008-03-03 21:41 <DIR> d-------- C:\Program Files\BenchemAll
2008-02-24 15:04 . 2008-02-24 15:04 <DIR> d-------- C:\Program Files\Belarc
2008-02-24 15:04 . 2005-04-07 17:18 3,840 --a------ C:\WINDOWS\system32\drivers\BANTExt.sys
2008-02-24 15:03 . 2008-03-03 21:41 <DIR> d-------- C:\Program Files\Motherboard Monitor 5
2008-02-24 15:03 . 2004-04-10 09:42 2,944 --a------ C:\WINDOWS\system32\mbmiodrvr.sys
2008-02-22 22:10 . 2008-02-22 22:10 66,872 --a------ C:\WINDOWS\system32\PnkBstrA.exe
2008-02-20 21:59 . 2008-02-20 21:59 <DIR> d-------- C:\Program Files\Bonjour
2008-02-20 18:26 . 2008-02-20 18:26 60 --a------ C:\WINDOWS\WININIT.INI
2008-02-20 18:19 . 2008-02-20 18:20 <DIR> d-------- C:\Program Files\2Wire
2008-02-18 18:09 . 2008-02-18 18:09 <DIR> d-------- C:\Program Files\GameSpy
2008-02-16 18:05 . 2008-02-17 10:14 <DIR> d-------- C:\Documents and Settings\Owner\VASSAL

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-03-08 20:19 --------- d-----w C:\Program Files\Lx_cats
2008-03-08 20:15 --------- d-----w C:\Program Files\Java
2008-03-08 20:09 516 ----a-w C:\Program Files\Civilization3.Ini
2008-03-08 20:09 --------- d-----w C:\Program Files\Saves
2008-03-08 18:44 0 ----a-w C:\Program Files\logfile.txt
2008-03-06 03:26 --------- d-----w C:\Program Files\Yahoo!
2008-03-06 03:24 --------- d-----w C:\Program Files\Trend Micro
2008-03-05 03:11 --------- d-----w C:\Program Files\Microsoft Silverlight
2008-03-05 02:39 --------- d-----w C:\Program Files\iTunes
2008-03-05 02:39 --------- d-----w C:\Program Files\iPod
2008-03-04 23:12 --------- d---a-w C:\Documents and Settings\All Users\Application Data\TEMP
2008-03-04 22:19 --------- d-----w C:\Documents and Settings\All Users\Application Data\Trend Micro
2008-03-04 03:42 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-03-04 03:41 --------- d-----w C:\Program Files\Common Files\Adobe
2008-03-04 00:34 --------- d-----w C:\Program Files\7-Zip
2008-02-24 23:09 22,328 ----a-w C:\WINDOWS\system32\drivers\PnkBstrK.sys
2008-02-24 21:22 --------- d-----w C:\Program Files\Common Files\Wise Installation Wizard
2008-02-21 03:59 --------- d-----w C:\Program Files\QuickTime
2008-02-21 03:19 --------- d-----w C:\Documents and Settings\All Users\Application Data\Ulead Systems
2008-02-19 21:35 6,736 ----a-w C:\Documents and Settings\All Users\Application Data\ypinfo.bin
2008-02-19 00:05 --------- d-----w C:\Program Files\Electronic Arts
2008-02-17 05:04 --------- d-----w C:\Program Files\Three Rings Design
2008-02-11 04:06 712 ----a-w C:\Program Files\HighScores.cv3
2008-02-08 00:30 --------- d-----w C:\Documents and Settings\Owner\Application Data\Move Networks
2008-02-01 01:34 --------- d-----w C:\Program Files\QuickTime(2)
2008-01-22 21:38 2,845,696 ----a-w C:\WINDOWS\system32\drivers\ati2mtag.sys
2008-01-22 19:58 49,152 ----a-w C:\WINDOWS\system32\drivers\ati2erec.dll
2008-01-16 03:00 57,270 ----a-w C:\WINDOWS\RGI2.tmp
2007-09-15 13:35 1,867,776 ----a-w C:\Program Files\Civilization3.exe
2007-08-18 13:33 472 ----a-w C:\Documents and Settings\Owner\Application Data\wklnhst.dat
2007-08-18 01:15 32 ----a-r C:\Documents and Settings\All Users\hash.dat
2007-07-25 01:56 94,208 ----a-w C:\Documents and Settings\Owner\Application Data\ezplay.sys
2007-07-25 01:56 47,360 ----a-w C:\Documents and Settings\Owner\Application Data\pcouffin.sys
2007-04-25 00:13 476,752 ----a-w C:\Documents and Settings\All Users\Application Data\pswi_preloaded.exe
2007-01-17 03:41 1,409 ----a-w C:\Program Files\LSANS.fot
2001-10-02 17:15 405,504 ----a-w C:\Program Files\jgl.dll
2001-10-02 16:32 59,468 ----a-w C:\Program Files\LSANS.TTF
2001-10-02 16:32 5,893 ----a-w C:\Program Files\jackal.txt
2001-10-02 16:32 454,656 ----a-w C:\Program Files\sound.dll
2001-10-02 16:32 4,341,643 ----a-w C:\Program Files\CIV3EDIT.HLP
2001-10-02 16:32 4,098 ----a-w C:\Program Files\jackal.pcx
2001-10-02 16:32 346,624 ----a-w C:\Program Files\Mss32.dll
2001-10-02 16:32 291,328 ----a-w C:\Program Files\binkw32.dll
2001-10-02 16:32 25,096 ----a-w C:\Program Files\README.txt
2001-10-02 16:32 241 ----a-w C:\Program Files\Civ3Edit.cnt
2001-10-02 16:32 108,200 ----a-w C:\Program Files\civ3mod.bic
2001-10-02 16:32 1,019,904 ----a-w C:\Program Files\Civ3Edit.exe
2001-09-19 01:28 46,080 ----a-w C:\Program Files\CIV 3 O-D I G.DOC
2006-10-15 02:00 56 --sh--r C:\WINDOWS\system32\DFA1B5E320.sys
2007-05-17 20:37 88 --sh--r C:\WINDOWS\system32\F4CAD6D6F8.sys
2007-05-17 20:50 5,852 --sha-w C:\WINDOWS\system32\KGyGaAvL.sys
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 13:00 15360]
"WMPNSCFG"="C:\Program Files\Windows Media Player\WMPNSCFG.exe" [2006-10-18 19:05 204288]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-01-11 22:16 39792]
"UfSeAgnt.exe"="C:\Program Files\Trend Micro\Internet Security\UfSeAgnt.exe" [2008-01-21 12:16 1393928]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2008-02-19 13:10 267048]
"avgnt"="C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe" [2008-03-05 21:21 249896]
"COMODO Firewall Pro"="C:\Program Files\COMODO\Firewall\cfp.exe" [2008-03-08 10:05 1502976]
"!AVG Anti-Spyware"="C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" [2007-06-11 03:25 6731312]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe" [2008-02-22 04:25 144784]
"LXCGCATS"="C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\LXCGtime.dll" [2005-07-20 11:48 73728]

C:\Documents and Settings\Owner\Start Menu\Programs\Startup\
PowerReg Scheduler V3.exe [2007-11-20 17:32:47 225280]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]
"DisableRegistryTools"= 0 (0x0)

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]
"AllowLegacyWebView"= 1 (0x1)
"AllowUnhashedWebView"= 1 (0x1)

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\WB]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\winjvl32]
winjvl32.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroFilterCheck]
--a------ 2001-07-09 12:50 155648 C:\WINDOWS\system32\NeroCheck.exe

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\TrendAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\TrendFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\EA Games\\Command and Conquer Generals\\generals.exe"=
"C:\\Program Files\\EA Games\\Command & Conquer Generals Zero Hour\\generals.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"C:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"=
"C:\\Documents and Settings\\Owner\\Desktop\\Tony!!\\Robot Arena 2.exe"=
"C:\\WINDOWS\\system32\\dpnsvr.exe"=
"C:\\Documents and Settings\\Owner\\Application Data\\2K Games\\Firaxis Games\\Sid Meier's Civilization 4 Gold\\Civilization4.exe"=
"C:\\Documents and Settings\\Owner\\Application Data\\2K Games\\Firaxis Games\\Sid Meier's Civilization 4 Gold\\Warlords\\Civ4Warlords.exe"=
"C:\\Program Files\\Yahoo! Games\\Bejeweled 2 Deluxe\\WinBej2.exe"=
"C:\\Program Files\\2Wire\\2PortalMon.exe"=
"C:\\Program Files\\THQ\\MotoGP URT 3\\motogp.exe"=
"C:\\Program Files\\SmartFTP Client\\SmartFTP.exe"=
"C:\\Program Files\\Electronic Arts\\Battlefield 2142\\BF2142.exe"=
"C:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"%windir%\\system32\\winav.exe"=
"C:\\Program Files\\iTunes\\iTunes.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"49207:TCP"= 49207:TCP:utor

R0 sonyhcb;Sony Digital Imaging Base;C:\WINDOWS\system32\DRIVERS\sonyhcb.sys [2001-11-05 09:23]
R1 cmdGuard;COMODO Firewall Pro Sandbox Driver;C:\WINDOWS\system32\DRIVERS\cmdguard.sys [2008-03-08 10:05]
R1 cmdHlp;COMODO Firewall Pro Helper Driver;C:\WINDOWS\system32\DRIVERS\cmdhlp.sys [2008-03-08 10:05]
R2 Viewpoint Manager Service;Viewpoint Manager Service;"C:\Program Files\Viewpoint\Common\ViewpointService.exe" [2007-01-04 15:38]
R3 2WIREPCP;2Wire USB;C:\WINDOWS\system32\DRIVERS\2WirePCP.sys [2004-09-15 02:42]
S3 501fbfk7;501fbfk7;C:\DOCUME~1\Owner\LOCALS~1\Temp\3JIcD []
S3 moufiltr;Mouse Filter Driver;C:\WINDOWS\system32\DRIVERS\moufiltr.sys [2007-02-12 18:04]
S3 sonyhcs;Sony Digital Imaging Video;C:\WINDOWS\system32\DRIVERS\sonyhcs.sys [2001-11-05 09:23]
S3 st3wolf;st3wolf;C:\WINDOWS\system32\DRIVERS\st3wolf.sys []
S3 TBU11;Turtle Beach USB MIDI 1x1 Driver;C:\WINDOWS\system32\Drivers\tbu11.sys [2003-03-06 10:26]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\D]
\Shell\AutoRun\command - C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL Info.exe folder.htt 480 480

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{51a29504-22b1-11dc-a30a-000d726a5edb}]
\Shell\AutoRun\command - F:\Startup.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{780b614d-2177-11da-9f1e-806d6172696f}]
\Shell\AutoRun\command - C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL Info.exe folder.htt 480 480

.
Contents of the 'Scheduled Tasks' folder
"2008-03-05 02:25:02 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job"
- C:\Program Files\Apple Software Update\SoftwareUpdate.exe
"2008-03-08 21:53:00 C:\WINDOWS\Tasks\Symantec NetDetect.job"
- C:\Program Files\Symantec\LiveUpdate\NDetect.exe
.
**************************************************************************

catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, Rootkit scan 2008-03-08 15:48:15
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

[HKEY_LOCAL_MACHINE\system\ControlSet003\Services\501fbfk7]
"ImagePath"="\??\C:\DOCUME~1\Owner\LOCALS~1\Temp\3JIcD"
.
------------------------ Other Running Processes ------------------------
.
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\Program Files\Avira\AntiVir PersonalEdition Classic\avguard.exe
C:\Program Files\Avira\AntiVir PersonalEdition Classic\sched.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\WINDOWS\system32\PnkBstrA.exe
C:\Program Files\Common Files\New Boundary\PrismXL\PRISMXL.SYS
C:\WINDOWS\system32\PSIService.exe
C:\Program Files\Windows Media Player\WMPNetwk.exe
C:\Program Files\iPod\bin\iPodService.exe
.
**************************************************************************
.
Completion time: 2008-03-08 15:53:46 - machine was rebooted
ComboFix-quarantined-files.txt 2008-03-08 21:53:41
.
2008-02-13 03:23:11 --- E O F ---


and the most updated hijackthis log:
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 3:56:14 PM, on 3/8/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16608)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Avira\AntiVir PersonalEdition Classic\avguard.exe
C:\Program Files\Avira\AntiVir PersonalEdition Classic\sched.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\COMODO\Firewall\cmdagent.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\WINDOWS\system32\PnkBstrA.exe
C:\Program Files\Common Files\New Boundary\PrismXL\PRISMXL.SYS
C:\WINDOWS\system32\PSIService.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Viewpoint\Common\ViewpointService.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Windows Media Player\WMPNSCFG.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = \blank.htm
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O3 - Toolbar: @msdxmLC.dll,-1@1033,&Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\system32\msdxm.ocx
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [UfSeAgnt.exe] "C:\Program Files\Trend Micro\Internet Security\UfSeAgnt.exe"
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [avgnt] "C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe" /min
O4 - HKLM\..\Run: [COMODO Firewall Pro] "C:\Program Files\COMODO\Firewall\cfp.exe" -h
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe"
O4 - HKLM\..\Run: [LXCGCATS] rundll32 C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\LXCGtime.dll,_RunDLLEntry@16
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [WMPNSCFG] C:\Program Files\Windows Media Player\WMPNSCFG.exe
O4 - Startup: PowerReg Scheduler V3.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - AutorunsDisabled - (no file)
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - O16 - DPF: {20B845BF-450F-4C1E-AF60-3CC380CDE328} (get_atlcom Class) - O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
O16 - DPF: {39B0684F-D7BF-4743-B050-FDC3F48F7E3B} - O16 - DPF: {406B5949-7190-4245-91A9-30A17DE16AD0} (Snapfish Activia) - O16 - DPF: {459E93B6-150E-45D5-8D4B-45C66FC035FE} (get_atlcom Class) - O16 - DPF: {493ACF15-5CD9-4474-82A6-91670C3DD66E} (LinkedIn ContactFinderControl) - O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - O16 - DPF: {705EC6D4-B138-4079-A307-EF13E40C2416} (InstallerWeb Control) - O16 - DPF: {D18F962A-3722-4B59-B08D-28BB9EB2281E} (PhotosCtrl Class) - O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - O16 - DPF: {D77EF652-9A6B-40C8-A4B9-1C0697C6CF41} (TikGames Online Control) - O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} - O20 - Winlogon Notify: winjvl32 - winjvl32.dll (file missing)
O21 - SSODL: BootCheck - {2549d529-b026-4e89-a8a7-48bfe137b121} - (no file)
O21 - SSODL: zip - {eec79bda-1d3f-4852-8d53-86a49c44a95e} - (no file)
O23 - Service: AntiVir PersonalEdition Classic Scheduler (AntiVirScheduler) - Avira GmbH - C:\Program Files\Avira\AntiVir PersonalEdition Classic\sched.exe
O23 - Service: AntiVir PersonalEdition Classic Guard (AntiVirService) - Avira GmbH - C:\Program Files\Avira\AntiVir PersonalEdition Classic\avguard.exe
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: COMODO Firewall Pro Helper Service (cmdAgent) - COMODO - C:\Program Files\COMODO\Firewall\cmdagent.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: lxcg_device - - C:\WINDOWS\system32\lxcgcoms.exe
O23 - Service: PnkBstrA - Unknown owner - C:\WINDOWS\system32\PnkBstrA.exe
O23 - Service: PrismXL - New Boundary Technologies, Inc. - C:\Program Files\Common Files\New Boundary\PrismXL\PRISMXL.SYS
O23 - Service: ProtexisLicensing - Unknown owner - C:\WINDOWS\system32\PSIService.exe
O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - CACE Technologies - C:\Program Files\WinPcap\rpcapd.exe
O23 - Service: Trend Micro Central Control Component (SfCtlCom) - Trend Micro Inc. - C:\Program Files\Trend Micro\Internet Security\SfCtlCom.exe
O23 - Service: Trend Micro Unauthorized Change Prevention Service (TMBMServer) - Trend Micro Inc. - C:\Program Files\Trend Micro\BM\TMBMSRV.exe
O23 - Service: Trend Micro Personal Firewall (TmPfw) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~2\TmPfw.exe
O23 - Service: Trend Micro Proxy Service (tmproxy) - Trend Micro Inc. - C:\Program Files\Trend Micro\Internet Security\TmProxy.exe
O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exe

--
End of file - 9263 bytes
 
Upvote 0 Downvote
it worked! I can get back into control panel again! Thanks!!!!
 
Upvote 0 Downvote
there's more to fix!


I see you are runnning Avir and comodo with Trend micro's suite, this is very nad and will cause you problems, either keep Trend micro and uninstall the other two or keep them and unionstall Trend as they will conflict and cause you problems!


Go to add/remove and unistlal all viewpoint programs as they are spyware!


* Copy the entire contents of the Quote Box below to Notepad.
* Name the file as CFScript.txt
* Change the Save as Type to All Files
* and Save it on the desktop


File::
C:\WINDOWS\system32\DFA1B5E320.sys
C:\WINDOWS\system32\F4CAD6D6F8.sys


Registry::
[-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\winjvl32]
winjvl32.dll

Folder::
C:\Program Files\Viewpoint


Driver::
DFA1B5E320
F4CAD6D6F8
Click to expand...

Save this as CFScript.txt, in the same location as ComboFix.exe


CFScript.gif


Refering to the picture above, drag CFScript into ComboFix.exe

When finished, it shall produce a log for you at "C:\ComboFix.txt"

Note:
Do not mouseclick combofix's window whilst it's running. That may cause
it to stall






Download AVG Anti-Spyware



* Once you have downloaded AVG Anti-spyware, locate the icon on the desktop
and double-click it to launch the set up program.
* Once the setup is complete you will need run AVG and update the definition
files.
* On the main screen select the icon "Update" then select the "Update now"
link.
* Next select the "Start Update" button, the update will start and a
progress bar will show the updates being installed.
* Once the update has completed select the "Scanner" icon at the top of the
screen, then select the "Settings" tab.
* Once in the Settings screen click on "Recommended actions" and then select
"Delete"
* Under "Reports"
* Select "Automatically generate report after every scan"
* Un-Select "Only if threats were found"


Close AVG Anti-Spyware. Anti-spyware, Do NOT run a scan yet. We will do that
later in safe mode.





* Click here to download ATF Cleaner by Atribune and save it to your
desktop.



* Double-click ATF-Cleaner.exe to run the program.
* Under Main choose: Select All
* Click the Empty Selected button.
o If you use Firefox:
+ Click Firefox at the top and choose: Select All
+ Click the Empty Selected button.
+ NOTE: If you would like to keep your saved passwords,
please click No at the prompt.
o If you use Opera:
+ Click Opera at the top and choose: Select All
+ Click the Empty Selected button.
+ NOTE: If you would like to keep your saved passwords,
please click No at the prompt.
* Click Exit on the Main menu to close the program.


* Click here for info on how to boot to safe mode if you don't already know
how.




* Now copy these instructions to notepad and save them to your desktop. You
will need them to refer to in safe mode.


* Restart your computer into safe mode now. Perform the following steps in
safe mode:



have hijack this fix these entries. close all browsers and programmes before
clicking FIX.


R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = \blank.htm
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
O4 - Startup: PowerReg Scheduler V3.exe
O9 - Extra button: (no name) - AutorunsDisabled - (no file)
O9 - Extra button: (no name) -
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O16 - DPF: {406B5949-7190-4245-91A9-30A17DE16AD0} (Snapfish Activia) - O20 - Winlogon Notify: winjvl32 - winjvl32.dll (file missing)
O21 - SSODL: BootCheck - {2549d529-b026-4e89-a8a7-48bfe137b121} - (no file)
O21 - SSODL: zip - {eec79bda-1d3f-4852-8d53-86a49c44a95e} - (no file)
O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exe





Run AVG Anti-Spyware!

# IMPORTANT: Do not open any other windows or programs while AVG is scanning
as it may interfere with the scanning process:
# Launch AVG Anti-spyware by double-clicking the icon on your desktop.
# Select the "Scanner" icon at the top and then the "Scan" tab then click on
"Complete System Scan".
# AVG will now begin the scanning process. Be patient this may take a little
time.
Once the scan is complete do the following:
# If you have any infections you will prompted, then select "Apply all
actions"
# Next select the "Reports" icon at the top.
# Select the "Save report as" button in the lower left hand of the screen
and save it to a text file on your system (make sure to remember where you
saved that file, this is important).
# Close AVG and reboot your system back into Normal Mode.






Note: this is a stand alone, it doesn't install to start/programmes.

Download Mwav,



double click on it and it will extract to C:\kaspersky. Click
on the kaspersky folder and click on Kavupd, a black dos window will open
and it will update the programme for you, be patient it will take 5-10
minutes to download the new definitions. Once it's updated, click on
mwavscan
to launch the programme.

Use the defaults of:

Memory
startup folders
Registry
system folders
services

Choose drive , all drives and, click scan all files
and then click scan/clean. After it finishes scanning and cleaning post
the log here with a new hijack this log.

Note: this is a very thorough scanner, it might take anything up to an hour
or more, depending on how many drives you have and how badly infected your
pc is.



Highlight the section of Mwav which says " virus log information "
which lists infected items and hold CTRL + C to Copy then paste it here. The
I just need the infected items list.



Post a new hijack this, the combo, the Mwav scan log and the AVg antispware log!




Member of ASAP Alliance of Security Analysis Professionals

under the name khazars
 
Upvote 0 Downvote
Status
Not open for further replies.

Similar threads

2ffat
  • Locked
  • News News
Police: Do as we say and not as we do!
Replies
4
Views
471
goombawaho
goombawaho
DrB0b
  • Locked
  • Question Question
Crytowall 3.0 and How I dealt with it
Replies
7
Views
762
DrB0b
DrB0b
kjv1611
  • Locked
  • Question Question
POS Malware Infections Detection and Protection
Replies
0
Views
273
kjv1611
kjv1611
Kjonnnn
  • Locked
  • Question Question
Virus and Code 31 connection Has
Replies
4
Views
383
Kjonnnn
Kjonnnn
nconick
  • Locked
  • Question Question
SEP 12.5 and Avaya Aura Contact Center 6.2 exceptions, etc.
Replies
0
Views
236
nconick
nconick

Part and Inventory Search

Sponsor

Back
Top