Jump to content

cpm637

Members
  • Posts

    3
  • Joined

  • Last visited

Reputation

0 Neutral
  1. I ran the cfscript with the ComboFix.exe. Thanks again, --cpm637 ComboFix Log: ComboFix 09-01-21.04 - Owner 2009-01-24 13:41:11.2 - NTFSx86 Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.895.513 [GMT -5:00] Running from: c:\documents and settings\Owner\Desktop\ComboFix.exe Command switches used :: c:\documents and settings\Owner\Desktop\CFScript.txt AV: AVG Anti-Virus Free *On-access scanning disabled* (Updated) * Created a new restore point . ((((((((((((((((((((((((( Files Created from 2008-12-24 to 2009-01-24 ))))))))))))))))))))))))))))))) . 2009-09-25 14:54 . 2008-12-26 01:16 <DIR> d-------- c:\program files\Swypeout Battle Racing 2009-09-25 14:54 . 2007-10-01 10:29 186,592 --a------ c:\windows\system32\drivers\windrvr6.sys 2009-01-24 10:33 . 2009-01-24 10:33 <DIR> d-------- c:\documents and settings\Family\Application Data\OpenOffice.org 2009-01-24 00:23 . 2009-01-24 00:23 <DIR> d-------- c:\program files\Trend Micro 2009-01-21 21:36 . 2006-07-01 00:30 <DIR> d-------- c:\documents and settings\Family\WINDOWS 2009-01-21 21:36 . 2007-11-09 23:13 <DIR> d-------- c:\documents and settings\Family\Application Data\Symantec 2009-01-21 21:36 . 2009-01-22 21:02 <DIR> d-------- c:\documents and settings\Family\Application Data\Spare Backup 2009-01-21 21:36 . 2007-11-09 23:11 <DIR> d-------- c:\documents and settings\Family\Application Data\SampleView 2009-01-21 21:36 . 2009-01-21 21:42 <DIR> d-------- c:\documents and settings\Family 2009-01-21 21:30 . 2006-07-01 00:30 <DIR> d-------- c:\documents and settings\Guest\WINDOWS 2009-01-21 21:30 . 2007-11-09 23:13 <DIR> d-------- c:\documents and settings\Guest\Application Data\Symantec 2009-01-21 21:30 . 2009-01-21 21:45 <DIR> d-------- c:\documents and settings\Guest\Application Data\Spare Backup 2009-01-21 21:30 . 2007-11-09 23:11 <DIR> d-------- c:\documents and settings\Guest\Application Data\SampleView 2009-01-21 21:30 . 2009-01-21 21:45 <DIR> d-------- c:\documents and settings\Guest 2009-01-21 20:47 . 2009-01-21 20:47 <DIR> d-------- c:\documents and settings\Administrator.EMACHINE2\Application Data\SUPERAntiSpyware.com 2009-01-16 23:08 . 2009-01-23 21:39 1,104 --a------ c:\windows\mdknolan 2009-01-16 21:31 . 2009-01-16 21:31 <DIR> d-------- c:\documents and settings\Owner\Application Data\Viewpoint 2009-01-11 21:01 . 2009-01-21 21:49 <DIR> d-------- c:\program files\Quicken 2009-01-11 21:01 . 2009-01-11 21:01 <DIR> d-------- c:\program files\Common Files\Intuit 2009-01-11 21:01 . 2009-01-11 21:01 <DIR> d-------- c:\program files\Common Files\AnswerWorks 5.0 2009-01-11 21:01 . 2009-01-11 21:01 <DIR> d-------- c:\documents and settings\Owner\Application Data\Intuit 2009-01-11 21:01 . 2008-11-11 16:32 3,523,872 --a------ c:\windows\system32\cdintf300.dll 2009-01-11 21:01 . 2008-11-11 16:32 1,848,608 --a------ c:\windows\system32\acXMLParser.dll 2009-01-11 21:01 . 2009-01-21 21:49 165 --a------ c:\windows\QUICKEN.INI 2009-01-11 21:00 . 2009-01-11 21:00 <DIR> d-------- c:\documents and settings\All Users\Application Data\Intuit 2009-01-06 21:32 . 2009-01-06 21:58 <DIR> d-------- c:\documents and settings\Owner\Application Data\FxFotoDB 2009-01-06 21:31 . 2009-01-06 21:31 <DIR> d-------- c:\program files\FxFoto 2009-01-04 20:08 . 2009-01-04 20:10 <DIR> d-------- c:\documents and settings\Owner\Application Data\Windows Live Writer 2009-01-04 01:21 . 2009-01-04 01:31 <DIR> d-------- c:\windows\system32\CatRoot_bak 2008-12-31 21:15 . 2008-11-17 22:49 <DIR> d-------- c:\documents and settings\Owner\Application Data\Move Networks 2008-12-31 13:36 . 2008-12-31 13:36 <DIR> d-------- c:\program files\Malwarebytes' Anti-Malware 2008-12-31 13:36 . 2008-12-31 13:36 <DIR> d-------- c:\documents and settings\Owner\Application Data\Malwarebytes 2008-12-31 13:36 . 2008-12-31 13:36 <DIR> d-------- c:\documents and settings\All Users\Application Data\Malwarebytes 2008-12-31 13:36 . 2008-12-03 19:52 38,496 --a------ c:\windows\system32\drivers\mbamswissarmy.sys 2008-12-31 13:36 . 2008-12-03 19:52 15,504 --a------ c:\windows\system32\drivers\mbam.sys 2008-12-30 11:42 . 2008-12-30 11:42 <DIR> d-------- c:\documents and settings\Owner\Application Data\WildTangent 2008-12-30 11:18 . 2008-12-30 11:18 <DIR> d-------- c:\documents and settings\Owner\Application Data\OpenOffice.org 2008-12-30 00:01 . 2008-12-30 00:01 <DIR> d-------- c:\program files\OpenOffice.org 3 2008-12-30 00:01 . 2008-12-30 00:01 <DIR> d-------- c:\program files\JRE 2008-12-29 13:43 . 2009-01-21 23:01 <DIR> d-------- c:\program files\Moneydance 2008-12-29 13:43 . 2008-12-29 13:50 <DIR> d-------- c:\documents and settings\Owner\.moneydance 2008-12-27 23:30 . 2008-10-16 14:06 268,648 --a------ c:\windows\system32\mucltui.dll 2008-12-27 23:30 . 2008-10-16 14:06 208,744 --a------ c:\windows\system32\muweb.dll 2008-12-27 23:30 . 2008-10-16 14:06 27,496 --a------ c:\windows\system32\mucltui.dll.mui 2008-12-27 19:41 . 2008-12-27 21:20 152,088 --a------ C:\img2-001.raw 2008-12-27 18:56 . 2007-04-10 16:46 1,966,696 --a------ c:\windows\system32\drivers\VX3000.sys 2008-12-27 18:56 . 2007-04-10 16:46 709,992 --a------ c:\windows\vVX3000.exe 2008-12-27 18:56 . 2007-04-10 16:46 476,520 --a------ c:\windows\vVX3000.dll 2008-12-27 18:56 . 2007-04-10 16:46 202,088 --a------ c:\windows\system32\LCCoin14.dll 2008-12-27 18:56 . 2007-04-10 16:46 185,704 --a------ c:\windows\system32\cVX3000.dll 2008-12-27 18:56 . 2007-04-10 16:46 111,976 --a------ c:\windows\VX3000.dll 2008-12-27 18:56 . 2007-04-10 16:46 15,498 --a------ c:\windows\VX3000.ini 2008-12-27 18:56 . 2007-04-10 16:46 13,023 --a------ c:\windows\VX3000.src 2008-12-27 18:54 . 2008-12-27 18:55 <DIR> d-------- c:\program files\Microsoft LifeCam 2008-12-27 18:51 . 2008-12-27 18:51 <DIR> d-------- c:\program files\Microsoft SQL Server Compact Edition 2008-12-27 18:51 . 2008-12-27 20:15 <DIR> d-------- c:\documents and settings\Owner\Contacts 2008-12-27 18:51 . 2006-11-29 13:06 3,426,072 --a------ c:\windows\system32\d3dx9_32.dll 2008-12-27 18:45 . 2008-12-29 15:59 <DIR> d-------- c:\program files\Windows Live 2008-12-27 18:45 . 2008-12-27 18:50 <DIR> d--hsc--- c:\program files\Common Files\WindowsLiveInstaller 2008-12-27 18:45 . 2008-12-27 18:45 <DIR> d-------- c:\documents and settings\All Users\Application Data\WLInstaller 2008-12-26 16:03 . 2008-12-26 16:03 <DIR> d-------- c:\documents and settings\All Users\Application Data\SUPERAntiSpyware.com 2008-12-26 15:55 . 2006-07-01 00:30 <DIR> d-------- c:\documents and settings\Administrator.EMACHINE2\WINDOWS 2008-12-26 15:55 . 2007-11-09 23:13 <DIR> d-------- c:\documents and settings\Administrator.EMACHINE2\Application Data\Symantec 2008-12-26 15:55 . 2008-02-01 17:37 <DIR> d-------- c:\documents and settings\Administrator.EMACHINE2\Application Data\Spare Backup 2008-12-26 15:55 . 2007-11-09 23:11 <DIR> d-------- c:\documents and settings\Administrator.EMACHINE2\Application Data\SampleView 2008-12-26 15:55 . 2008-12-26 15:55 <DIR> d-------- c:\documents and settings\Administrator.EMACHINE2 2008-12-26 15:52 . 2009-01-21 18:15 <DIR> d-------- c:\program files\SUPERAntiSpyware 2008-12-26 15:52 . 2008-12-26 15:52 <DIR> d-------- c:\documents and settings\Owner\Application Data\SUPERAntiSpyware.com 2008-12-26 01:25 . 2008-12-26 15:52 <DIR> d-------- C:\FixIT 2008-12-26 01:08 . 2008-12-26 01:08 <DIR> d-------- c:\program files\CCleaner . (((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))) . 2009-11-05 09:16 --------- d-----w c:\program files\Spybot - Search & Destroy 2009-01-24 05:13 --------- d-----w c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy 2009-01-24 01:05 --------- d-----w c:\documents and settings\Owner\Application Data\Spare Backup 2009-01-12 02:01 --------- d--h--w c:\program files\InstallShield Installation Information 2008-12-30 16:42 --------- d-----w c:\documents and settings\All Users\Application Data\WildTangent 2008-12-30 13:18 97,928 ----a-w c:\windows\system32\drivers\avgldx86.sys 2008-12-28 01:44 --------- d-----w c:\program files\Google 2008-12-26 20:52 --------- d-----w c:\program files\Common Files\Wise Installation Wizard 2008-12-26 09:00 --------- d-----w c:\documents and settings\All Users\Application Data\avg8 2008-12-23 18:23 --------- d-----w c:\documents and settings\All Users\Application Data\PopCap 2008-12-23 15:23 --------- d-----w c:\program files\QuickTime 2008-12-19 13:24 --------- d-----w c:\program files\Common Files\Adobe 2008-11-11 21:32 1,721,712 ----a-w c:\windows\system32\inetclnt.dll 2007-11-10 04:36 32,768 --sha-w c:\windows\system32\config\systemprofile\Local Settings\Application Data\Microsoft\Feeds Cache\index.dat 2008-07-10 04:36 32,768 --sha-w c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\MSHist012008070920080710\index.dat . (((((((((((((((((((((((((((((((((((((((((((( Look ))))))))))))))))))))))))))))))))))))))))))))))))))))))))) . ---- Directory of c:\documents and settings\Owner\.moneydance ---- 2009-01-21 23:01 7147 --a------ c:\documents and settings\Owner\.moneydance\config.dict 2009-01-21 23:01 44 --a------ c:\documents and settings\Owner\.moneydance\errlog.txt 2008-12-29 15:55 39355 --a------ c:\documents and settings\Owner\.moneydance\fmodules\updater.mxt ---- Directory of c:\windows\mdknolan ---- c:\windows\mdknolan\ ((((((((((((((((((((((((((((((((((((( Reg Loading Points )))))))))))))))))))))))))))))))))))))))))))))))))) . . *Note* empty entries & legit default entries are not shown REGEDIT4 [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] "Power2GoExpress"="NA" [X] "ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2004-08-04 15360] "SUPERAntiSpyware"="c:\program files\SUPERAntiSpyware\998a8d7f-f2e0-41dd-a940-ff6025f9a863.exe" [2008-12-04 1809648] "QuickenScheduledUpdates"="c:\program files\Quicken\bagent.exe" [2009-01-09 87328] [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] "NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2006-10-31 7634944] "NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2006-10-31 86016] "Recguard"="c:\windows\SMINST\RECGUARD.EXE" [2002-09-14 212992] "Reminder"="c:\windows\Creator\Remind_XP.exe" [2005-02-25 966656] "RemoteControl"="c:\program files\CyberLink\PowerDVD\PDVDServ.exe" [2006-11-23 56928] "LanguageShortcut"="c:\program files\CyberLink\PowerDVD\Language\Language.exe" [2006-11-29 58928] "AVG8_TRAY"="c:\progra~1\AVG\AVG8\avgtray.exe" [2008-11-28 1261336] "cwcptray"="c:\program files\ContentWatch\Internet Protection\cwtray.exe" [2008-05-05 413968] "Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-01-11 39792] "LifeCam"="c:\program files\Microsoft LifeCam\LifeExp.exe" [2007-05-17 279912] "VX3000"="c:\windows\vVX3000.exe" [2007-04-10 709992] "nwiz"="nwiz.exe" [2006-10-31 c:\windows\system32\nwiz.exe] "RTHDCPL"="RTHDCPL.EXE" [2007-09-27 c:\windows\RTHDCPL.exe] "SkyTel"="SkyTel.EXE" [2007-08-03 c:\windows\SkyTel.exe] c:\documents and settings\Family\Start Menu\Programs\Startup\ OpenOffice.org 3.0.lnk - c:\program files\OpenOffice.org 3\program\quickstart.exe [2008-09-12 384000] [hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks] "{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824] [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon] 2008-12-31 14:03 356352 c:\program files\SUPERAntiSpyware\SASWINLO.DLL [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32] "msacm.clmp3enc"= c:\progra~1\CYBERL~1\Power2Go\CLMP3Enc.ACM [HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring] "DisableMonitoring"=dword:00000001 [HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus] "DisableMonitoring"=dword:00000001 [HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall] "DisableMonitoring"=dword:00000001 [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile] "EnableFirewall"= 0 (0x0) [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List] "%windir%\\system32\\sessmgr.exe"= "c:\\Program Files\\AVG\\AVG8\\avgemc.exe"= "c:\\Program Files\\AVG\\AVG8\\avgupd.exe"= "c:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"= "c:\\Program Files\\AIM6\\aim6.exe"= "c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"= "c:\\Program Files\\Windows Live\\Messenger\\livecall.exe"= "c:\\Program Files\\Microsoft LifeCam\\LifeCam.exe"= "c:\\Program Files\\Microsoft LifeCam\\LifeExp.exe"= "c:\\WINDOWS\\system32\\dpvsetup.exe"= R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [2008-07-09 97928] R1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\sasdifsv.sys [2008-12-04 8944] R1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [2008-12-04 55024] R3 SASENUM;SASENUM;c:\program files\SUPERAntiSpyware\SASENUM.SYS [2008-12-04 7408] R4 avg8emc;AVG Free8 E-mail Scanner;c:\progra~1\AVG\AVG8\avgemc.exe [2008-07-09 875288] R4 avg8wd;AVG Free8 WatchDog;c:\progra~1\AVG\AVG8\avgwdsvc.exe [2008-07-09 231704] R4 AvgTdiX;AVG Free8 Network Redirector;c:\windows\system32\drivers\avgtdix.sys [2008-07-09 76040] R4 CwAltaService20;ContentWatch;c:\program files\ContentWatch\Internet Protection\cwsvc.exe [2008-07-12 1042192] R4 Viewpoint Manager Service;Viewpoint Manager Service;c:\program files\Viewpoint\Common\ViewpointService.exe [2008-11-18 24652] S3 el575nd5;3Com Megahertz 10/100 LAN CardBus PC Card Driver;c:\windows\system32\drivers\el575ND5.sys [2006-06-30 69692] [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\D] \Shell\AutoRun\command - c:\windows\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL Info.exe folder.htt 480 480 [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{510a823f-d0fd-11dc-8372-806d6172696f}] \Shell\AutoRun\command - c:\windows\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL Info.exe folder.htt 480 480 [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{5229887d-8f3f-11dc-8e1c-806d6172696f}] \Shell\AutoRun\command - c:\windows\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL Info.exe folder.htt 480 480 . Contents of the 'Scheduled Tasks' folder 2008-07-12 c:\windows\Tasks\Ad-Aware 2008.job - c:\program files\Lavasoft\Ad-Aware\Ad-Aware.exe [2008-07-12 14:22] 2009-01-24 c:\windows\Tasks\Spybots Search & Destroy.job - c:\program files\Spybot - Search & Destroy\SpybotSD.exe [2008-07-07 08:42] . . ------- Supplementary Scan ------- . uStart Page = hxxp://www.google.com/ mStart Page = hxxp://www.gateway.com/g/startpage.html?Ch=Retail&SubCH=nofound&Br=EM&Loc=ENG_US&Sys=DTP&M=W3644 uInternet Settings,ProxyOverride = <local> IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~3\Office12\EXCEL.EXE/3000 LSP: c:\windows\system32\cwalsp.dll DPF: {44C1E3A2-B594-401C-B27A-D1B4476E4797} - hxxps://m1.oeconn.com/XTSAC.cab . ************************************************************************** catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net Rootkit scan 2009-01-24 13:42:11 Windows 5.1.2600 Service Pack 2 NTFS scanning hidden processes ... scanning hidden autostart entries ... scanning hidden files ... scan completed successfully hidden files: 0 ************************************************************************** . --------------------- LOCKED REGISTRY KEYS --------------------- [HKEY_LOCAL_MACHINE\software\Microsoft\MS Juan\DJZERO] @DACL=(02 0000) "LTM"=hex:00,00,00,00,00,00,00,00 "CDY"=hex:00,00,00,00,00,00,00,00 "CNT"=dword:00000000 [HKEY_LOCAL_MACHINE\software\Microsoft\MS Juan\JKWL] @DACL=(02 0000) [HKEY_LOCAL_MACHINE\software\Microsoft\MS Juan\metajuan] @DACL=(02 0000) "LTM"=hex:00,00,00,00,00,00,00,00 "CDY"=hex:00,00,00,00,00,00,00,00 "CNT"=dword:00000000 "LBL"=hex:05,7a,a9,24,31,7c,c9,01 "MN"=hex:01,00,00,00 [HKEY_LOCAL_MACHINE\software\Microsoft\MS Juan\meta_mg] @DACL=(02 0000) "LTM"=hex:00,00,00,00,00,00,00,00 "CDY"=hex:00,00,00,00,00,00,00,00 "CNT"=dword:00000000 [HKEY_LOCAL_MACHINE\software\Microsoft\MS Juan\profiling4] @DACL=(02 0000) "LTM"=hex:00,00,00,00,00,00,00,00 "CDY"=hex:00,00,00,00,00,00,00,00 "CNT"=dword:00000000 [HKEY_LOCAL_MACHINE\software\Microsoft\MS Juan\superjuan] @DACL=(02 0000) "LTM"=hex:65,b4,43,93,31,7c,c9,01 "CDY"=hex:00,00,00,00,00,00,00,00 "CNT"=dword:00000004 [HKEY_LOCAL_MACHINE\software\Microsoft\MS Juan\TrackDJuan] @DACL=(02 0000) "LTM"=hex:00,00,00,00,00,00,00,00 "CDY"=hex:00,00,00,00,00,00,00,00 "CNT"=dword:00000000 [HKEY_LOCAL_MACHINE\software\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\IMAIL] @DACL=(02 0000) "Installed"="1" @="" [HKEY_LOCAL_MACHINE\software\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\MAPI] @DACL=(02 0000) "NoChange"="1" "Installed"="1" @="" [HKEY_LOCAL_MACHINE\software\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\MSFS] @DACL=(02 0000) "Installed"="1" @="" . --------------------- DLLs Loaded Under Running Processes --------------------- - - - - - - - > 'winlogon.exe'(672) c:\program files\SUPERAntiSpyware\SASWINLO.DLL - - - - - - - > 'lsass.exe'(728) c:\windows\system32\cwalsp.dll c:\windows\system32\wxbase28u_vc_CW.dll . Completion time: 2009-01-24 13:43:22 ComboFix-quarantined-files.txt 2009-01-24 18:43:20 ComboFix2.txt 2009-01-24 16:13:16 Pre-Run: 137,954,512,896 bytes free Post-Run: 137,964,052,480 bytes free 263 --- E O F --- 2008-12-29 21:00:00 HijackThis Log: Logfile of Trend Micro HijackThis v2.0.2 Scan saved at 1:44:02 PM, on 1/24/2009 Platform: Windows XP SP2 (WinNT 5.01.2600) MSIE: Internet Explorer v7.00 (7.00.6000.16762) Boot mode: Normal Running processes: C:\WINDOWS\System32\smss.exe C:\WINDOWS\system32\winlogon.exe C:\WINDOWS\system32\services.exe C:\WINDOWS\system32\lsass.exe C:\WINDOWS\system32\svchost.exe C:\WINDOWS\System32\svchost.exe C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe C:\WINDOWS\system32\spoolsv.exe C:\Program Files\ContentWatch\Internet Protection\cwsvc.exe C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe C:\Program Files\Microsoft LifeCam\MSCamS32.exe C:\WINDOWS\system32\nvsvc32.exe C:\Program Files\Common Files\New Boundary\PrismXL\PRISMXL.SYS C:\Program Files\CyberLink\Shared Files\RichVideo.exe C:\WINDOWS\system32\svchost.exe C:\Program Files\Viewpoint\Common\ViewpointService.exe C:\WINDOWS\system32\RUNDLL32.EXE C:\WINDOWS\RTHDCPL.EXE C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe C:\PROGRA~1\AVG\AVG8\avgtray.exe C:\Program Files\ContentWatch\Internet Protection\cwtray.exe C:\WINDOWS\system32\ctfmon.exe C:\Program Files\SUPERAntiSpyware\998a8d7f-f2e0-41dd-a940-ff6025f9a863.exe C:\Program Files\Quicken\bagent.exe C:\PROGRA~1\AVG\AVG8\avgrsx.exe C:\PROGRA~1\AVG\AVG8\avgemc.exe C:\WINDOWS\system32\wscntfy.exe C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLLoginProxy.exe C:\WINDOWS\system32\wuauclt.exe C:\WINDOWS\system32\imapi.exe C:\WINDOWS\explorer.exe C:\Program Files\Trend Micro\HijackThis\HijackThis.exe R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157 R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896 R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896 R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.gateway.com/g/startpage.html?Ch...DTP&M=W3644 R3 - URLSearchHook: (no name) - - (no file) O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG8\avgssie.dll O2 - BHO: NCO 2.0 IE BHO - {602ADB0E-4AFF-4217-8AA1-95DAC4DFA408} - (no file) O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file) O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll O3 - Toolbar: (no name) - {7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA} - (no file) O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup O4 - HKLM\..\Run: [nwiz] nwiz.exe /install O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE O4 - HKLM\..\Run: [skyTel] SkyTel.EXE O4 - HKLM\..\Run: [Recguard] %WINDIR%\SMINST\RECGUARD.EXE O4 - HKLM\..\Run: [Reminder] %WINDIR%\Creator\Remind_XP.exe O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe" O4 - HKLM\..\Run: [LanguageShortcut] "C:\Program Files\CyberLink\PowerDVD\Language\Language.exe" O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe O4 - HKLM\..\Run: [cwcptray] C:\Program Files\ContentWatch\Internet Protection\cwtray.exe O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" O4 - HKLM\..\Run: [LifeCam] "C:\Program Files\Microsoft LifeCam\LifeExp.exe" O4 - HKLM\..\Run: [VX3000] C:\WINDOWS\vVX3000.exe O4 - HKCU\..\Run: [Power2GoExpress] NA O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe O4 - HKCU\..\Run: [sUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\998a8d7f-f2e0-41dd-a940-ff6025f9a863.exe O4 - HKCU\..\Run: [QuickenScheduledUpdates] C:\Program Files\Quicken\bagent.exe O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\Office12\EXCEL.EXE/3000 O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll O9 - Extra button: Blog This - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - C:\Program Files\Windows Live\Writer\WriterBrowserExtension.dll O9 - Extra 'Tools' menuitem: &Blog This in Windows Live Writer - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - C:\Program Files\Windows Live\Writer\WriterBrowserExtension.dll O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe O10 - Unknown file in Winsock LSP: c:\windows\system32\cwalsp.dll O10 - Unknown file in Winsock LSP: c:\windows\system32\cwalsp.dll O10 - Unknown file in Winsock LSP: c:\windows\system32\cwalsp.dll O16 - DPF: {44C1E3A2-B594-401C-B27A-D1B4476E4797} (XTSAC Control) - https://m1.oeconn.com/XTSAC.cab O16 - DPF: {7584C670-2274-4EFB-B00B-D6AABA6D3850} (Microsoft RDP Client Control (redist)) - https://m1.oeconn.com/msrdp.cab O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.DLL O23 - Service: Lavasoft Ad-Aware Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe O23 - Service: AVG Free8 E-mail Scanner (avg8emc) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgemc.exe O23 - Service: AVG Free8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe O23 - Service: ContentWatch (CwAltaService20) - ContentWatch, Inc. - C:\Program Files\ContentWatch\Internet Protection\cwsvc.exe O23 - Service: GameConsoleService - WildTangent, Inc. - C:\Program Files\eMachines Games\eMachines Game Console\GameConsoleService.exe O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe O23 - Service: PrismXL - New Boundary Technologies, Inc. - C:\Program Files\Common Files\New Boundary\PrismXL\PRISMXL.SYS O23 - Service: Cyberlink RichVideo Service(CRVS) (RichVideo) - Unknown owner - C:\Program Files\CyberLink\Shared Files\RichVideo.exe O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exe -- End of file - 6863 bytes
  2. Thanks for the quick reply, here are the combofix log and the new hijackthis log. --cpm637 ComboFix Log: ComboFix 09-01-21.04 - Owner 2009-01-24 11:08:03.1 - NTFSx86 Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.895.457 [GMT -5:00] Running from: c:\documents and settings\Owner\My Documents\Downloads\combofix\ComboFix.exe AV: AVG Anti-Virus Free *On-access scanning disabled* (Updated) * Created a new restore point . ((((((((((((((((((((((((((((((((((((((( Other Deletions ))))))))))))))))))))))))))))))))))))))))))))))))) . c:\windows\system32\pwdyqosc.ini c:\windows\system32\tttcjuma.ini c:\windows\Tasks\yfjydlsm.job D:\Autorun.inf . ((((((((((((((((((((((((((((((((((((((( Drivers/Services ))))))))))))))))))))))))))))))))))))))))))))))))) . -------\Legacy_TDSSSERV.SYS ((((((((((((((((((((((((( Files Created from 2008-12-24 to 2009-01-24 ))))))))))))))))))))))))))))))) . 2009-09-25 14:54 . 2008-12-26 01:16 <DIR> d-------- c:\program files\Swypeout Battle Racing 2009-09-25 14:54 . 2007-10-01 10:29 186,592 --a------ c:\windows\system32\drivers\windrvr6.sys 2009-01-24 10:33 . 2009-01-24 10:33 <DIR> d-------- c:\documents and settings\Family\Application Data\OpenOffice.org 2009-01-24 00:23 . 2009-01-24 00:23 <DIR> d-------- c:\program files\Trend Micro 2009-01-21 21:36 . 2006-07-01 00:30 <DIR> d-------- c:\documents and settings\Family\WINDOWS 2009-01-21 21:36 . 2007-11-09 23:13 <DIR> d-------- c:\documents and settings\Family\Application Data\Symantec 2009-01-21 21:36 . 2009-01-22 21:02 <DIR> d-------- c:\documents and settings\Family\Application Data\Spare Backup 2009-01-21 21:36 . 2007-11-09 23:11 <DIR> d-------- c:\documents and settings\Family\Application Data\SampleView 2009-01-21 21:36 . 2009-01-21 21:42 <DIR> d-------- c:\documents and settings\Family 2009-01-21 21:30 . 2006-07-01 00:30 <DIR> d-------- c:\documents and settings\Guest\WINDOWS 2009-01-21 21:30 . 2007-11-09 23:13 <DIR> d-------- c:\documents and settings\Guest\Application Data\Symantec 2009-01-21 21:30 . 2009-01-21 21:45 <DIR> d-------- c:\documents and settings\Guest\Application Data\Spare Backup 2009-01-21 21:30 . 2007-11-09 23:11 <DIR> d-------- c:\documents and settings\Guest\Application Data\SampleView 2009-01-21 21:30 . 2009-01-21 21:45 <DIR> d-------- c:\documents and settings\Guest 2009-01-21 20:47 . 2009-01-21 20:47 <DIR> d-------- c:\documents and settings\Administrator.EMACHINE2\Application Data\SUPERAntiSpyware.com 2009-01-16 23:08 . 2009-01-23 21:39 1,104 --a------ c:\windows\mdknolan 2009-01-16 21:31 . 2009-01-16 21:31 <DIR> d-------- c:\documents and settings\Owner\Application Data\Viewpoint 2009-01-11 21:01 . 2009-01-21 21:49 <DIR> d-------- c:\program files\Quicken 2009-01-11 21:01 . 2009-01-11 21:01 <DIR> d-------- c:\program files\Common Files\Intuit 2009-01-11 21:01 . 2009-01-11 21:01 <DIR> d-------- c:\program files\Common Files\AnswerWorks 5.0 2009-01-11 21:01 . 2009-01-11 21:01 <DIR> d-------- c:\documents and settings\Owner\Application Data\Intuit 2009-01-11 21:01 . 2008-11-11 16:32 3,523,872 --a------ c:\windows\system32\cdintf300.dll 2009-01-11 21:01 . 2008-11-11 16:32 1,848,608 --a------ c:\windows\system32\acXMLParser.dll 2009-01-11 21:01 . 2009-01-21 21:49 165 --a------ c:\windows\QUICKEN.INI 2009-01-11 21:00 . 2009-01-11 21:00 <DIR> d-------- c:\documents and settings\All Users\Application Data\Intuit 2009-01-06 21:32 . 2009-01-06 21:58 <DIR> d-------- c:\documents and settings\Owner\Application Data\FxFotoDB 2009-01-06 21:31 . 2009-01-06 21:31 <DIR> d-------- c:\program files\FxFoto 2009-01-04 20:08 . 2009-01-04 20:10 <DIR> d-------- c:\documents and settings\Owner\Application Data\Windows Live Writer 2009-01-04 01:21 . 2009-01-04 01:31 <DIR> d-------- c:\windows\system32\CatRoot_bak 2008-12-31 21:15 . 2008-11-17 22:49 <DIR> d-------- c:\documents and settings\Owner\Application Data\Move Networks 2008-12-31 13:36 . 2008-12-31 13:36 <DIR> d-------- c:\program files\Malwarebytes' Anti-Malware 2008-12-31 13:36 . 2008-12-31 13:36 <DIR> d-------- c:\documents and settings\Owner\Application Data\Malwarebytes 2008-12-31 13:36 . 2008-12-31 13:36 <DIR> d-------- c:\documents and settings\All Users\Application Data\Malwarebytes 2008-12-31 13:36 . 2008-12-03 19:52 38,496 --a------ c:\windows\system32\drivers\mbamswissarmy.sys 2008-12-31 13:36 . 2008-12-03 19:52 15,504 --a------ c:\windows\system32\drivers\mbam.sys 2008-12-30 11:42 . 2008-12-30 11:42 <DIR> d-------- c:\documents and settings\Owner\Application Data\WildTangent 2008-12-30 11:18 . 2008-12-30 11:18 <DIR> d-------- c:\documents and settings\Owner\Application Data\OpenOffice.org 2008-12-30 00:01 . 2008-12-30 00:01 <DIR> d-------- c:\program files\OpenOffice.org 3 2008-12-30 00:01 . 2008-12-30 00:01 <DIR> d-------- c:\program files\JRE 2008-12-29 13:43 . 2009-01-21 23:01 <DIR> d-------- c:\program files\Moneydance 2008-12-29 13:43 . 2008-12-29 13:50 <DIR> d-------- c:\documents and settings\Owner\.moneydance 2008-12-27 23:30 . 2008-10-16 14:06 268,648 --a------ c:\windows\system32\mucltui.dll 2008-12-27 23:30 . 2008-10-16 14:06 208,744 --a------ c:\windows\system32\muweb.dll 2008-12-27 23:30 . 2008-10-16 14:06 27,496 --a------ c:\windows\system32\mucltui.dll.mui 2008-12-27 19:41 . 2008-12-27 21:20 152,088 --a------ C:\img2-001.raw 2008-12-27 18:56 . 2007-04-10 16:46 1,966,696 --a------ c:\windows\system32\drivers\VX3000.sys 2008-12-27 18:56 . 2007-04-10 16:46 709,992 --a------ c:\windows\vVX3000.exe 2008-12-27 18:56 . 2007-04-10 16:46 476,520 --a------ c:\windows\vVX3000.dll 2008-12-27 18:56 . 2007-04-10 16:46 202,088 --a------ c:\windows\system32\LCCoin14.dll 2008-12-27 18:56 . 2007-04-10 16:46 185,704 --a------ c:\windows\system32\cVX3000.dll 2008-12-27 18:56 . 2007-04-10 16:46 111,976 --a------ c:\windows\VX3000.dll 2008-12-27 18:56 . 2007-04-10 16:46 15,498 --a------ c:\windows\VX3000.ini 2008-12-27 18:56 . 2007-04-10 16:46 13,023 --a------ c:\windows\VX3000.src 2008-12-27 18:54 . 2008-12-27 18:55 <DIR> d-------- c:\program files\Microsoft LifeCam 2008-12-27 18:51 . 2008-12-27 18:51 <DIR> d-------- c:\program files\Microsoft SQL Server Compact Edition 2008-12-27 18:51 . 2008-12-27 20:15 <DIR> d-------- c:\documents and settings\Owner\Contacts 2008-12-27 18:51 . 2006-11-29 13:06 3,426,072 --a------ c:\windows\system32\d3dx9_32.dll 2008-12-27 18:45 . 2008-12-29 15:59 <DIR> d-------- c:\program files\Windows Live 2008-12-27 18:45 . 2008-12-27 18:50 <DIR> d--hsc--- c:\program files\Common Files\WindowsLiveInstaller 2008-12-27 18:45 . 2008-12-27 18:45 <DIR> d-------- c:\documents and settings\All Users\Application Data\WLInstaller 2008-12-26 16:03 . 2008-12-26 16:03 <DIR> d-------- c:\documents and settings\All Users\Application Data\SUPERAntiSpyware.com 2008-12-26 15:55 . 2006-07-01 00:30 <DIR> d-------- c:\documents and settings\Administrator.EMACHINE2\WINDOWS 2008-12-26 15:55 . 2007-11-09 23:13 <DIR> d-------- c:\documents and settings\Administrator.EMACHINE2\Application Data\Symantec 2008-12-26 15:55 . 2008-02-01 17:37 <DIR> d-------- c:\documents and settings\Administrator.EMACHINE2\Application Data\Spare Backup 2008-12-26 15:55 . 2007-11-09 23:11 <DIR> d-------- c:\documents and settings\Administrator.EMACHINE2\Application Data\SampleView 2008-12-26 15:55 . 2008-12-26 15:55 <DIR> d-------- c:\documents and settings\Administrator.EMACHINE2 2008-12-26 15:52 . 2009-01-21 18:15 <DIR> d-------- c:\program files\SUPERAntiSpyware 2008-12-26 15:52 . 2008-12-26 15:52 <DIR> d-------- c:\documents and settings\Owner\Application Data\SUPERAntiSpyware.com 2008-12-26 01:25 . 2008-12-26 15:52 <DIR> d-------- C:\FixIT 2008-12-26 01:08 . 2008-12-26 01:08 <DIR> d-------- c:\program files\CCleaner . (((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))) . 2009-11-05 09:16 --------- d-----w c:\program files\Spybot - Search & Destroy 2009-01-24 05:13 --------- d-----w c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy 2009-01-24 01:05 --------- d-----w c:\documents and settings\Owner\Application Data\Spare Backup 2009-01-12 02:01 --------- d--h--w c:\program files\InstallShield Installation Information 2008-12-30 16:42 --------- d-----w c:\documents and settings\All Users\Application Data\WildTangent 2008-12-30 13:18 97,928 ----a-w c:\windows\system32\drivers\avgldx86.sys 2008-12-28 01:44 --------- d-----w c:\program files\Google 2008-12-26 20:52 --------- d-----w c:\program files\Common Files\Wise Installation Wizard 2008-12-26 09:00 --------- d-----w c:\documents and settings\All Users\Application Data\avg8 2008-12-23 18:23 --------- d-----w c:\documents and settings\All Users\Application Data\PopCap 2008-12-23 15:23 --------- d-----w c:\program files\QuickTime 2008-12-19 13:24 --------- d-----w c:\program files\Common Files\Adobe 2007-11-10 04:36 32,768 --sha-w c:\windows\system32\config\systemprofile\Local Settings\Application Data\Microsoft\Feeds Cache\index.dat 2008-07-10 04:36 32,768 --sha-w c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\MSHist012008070920080710\index.dat . ((((((((((((((((((((((((((((((((((((( Reg Loading Points )))))))))))))))))))))))))))))))))))))))))))))))))) . . *Note* empty entries & legit default entries are not shown REGEDIT4 [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] "Power2GoExpress"="NA" [X] "ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2004-08-04 15360] "SUPERAntiSpyware"="c:\program files\SUPERAntiSpyware\998a8d7f-f2e0-41dd-a940-ff6025f9a863.exe" [2008-12-04 1809648] "QuickenScheduledUpdates"="c:\program files\Quicken\bagent.exe" [2009-01-09 87328] [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] "NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2006-10-31 7634944] "NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2006-10-31 86016] "Recguard"="c:\windows\SMINST\RECGUARD.EXE" [2002-09-14 212992] "Reminder"="c:\windows\Creator\Remind_XP.exe" [2005-02-25 966656] "RemoteControl"="c:\program files\CyberLink\PowerDVD\PDVDServ.exe" [2006-11-23 56928] "LanguageShortcut"="c:\program files\CyberLink\PowerDVD\Language\Language.exe" [2006-11-29 58928] "AVG8_TRAY"="c:\progra~1\AVG\AVG8\avgtray.exe" [2008-11-28 1261336] "cwcptray"="c:\program files\ContentWatch\Internet Protection\cwtray.exe" [2008-05-05 413968] "Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-01-11 39792] "LifeCam"="c:\program files\Microsoft LifeCam\LifeExp.exe" [2007-05-17 279912] "VX3000"="c:\windows\vVX3000.exe" [2007-04-10 709992] "nwiz"="nwiz.exe" [2006-10-31 c:\windows\system32\nwiz.exe] "RTHDCPL"="RTHDCPL.EXE" [2007-09-27 c:\windows\RTHDCPL.exe] "SkyTel"="SkyTel.EXE" [2007-08-03 c:\windows\SkyTel.exe] c:\documents and settings\Family\Start Menu\Programs\Startup\ OpenOffice.org 3.0.lnk - c:\program files\OpenOffice.org 3\program\quickstart.exe [2008-09-12 384000] [hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks] "{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824] [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon] 2008-12-31 14:03 356352 c:\program files\SUPERAntiSpyware\SASWINLO.DLL [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32] "msacm.clmp3enc"= c:\progra~1\CYBERL~1\Power2Go\CLMP3Enc.ACM [HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring] "DisableMonitoring"=dword:00000001 [HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus] "DisableMonitoring"=dword:00000001 [HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall] "DisableMonitoring"=dword:00000001 [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile] "EnableFirewall"= 0 (0x0) [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List] "%windir%\\system32\\sessmgr.exe"= "c:\\Program Files\\AVG\\AVG8\\avgemc.exe"= "c:\\Program Files\\AVG\\AVG8\\avgupd.exe"= "c:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"= "c:\\Program Files\\AIM6\\aim6.exe"= "c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"= "c:\\Program Files\\Windows Live\\Messenger\\livecall.exe"= "c:\\Program Files\\Microsoft LifeCam\\LifeCam.exe"= "c:\\Program Files\\Microsoft LifeCam\\LifeExp.exe"= "c:\\WINDOWS\\system32\\dpvsetup.exe"= R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [2008-07-09 97928] R1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\sasdifsv.sys [2008-12-04 8944] R1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [2008-12-04 55024] R3 SASENUM;SASENUM;c:\program files\SUPERAntiSpyware\SASENUM.SYS [2008-12-04 7408] R4 avg8emc;AVG Free8 E-mail Scanner;c:\progra~1\AVG\AVG8\avgemc.exe [2008-07-09 875288] R4 avg8wd;AVG Free8 WatchDog;c:\progra~1\AVG\AVG8\avgwdsvc.exe [2008-07-09 231704] R4 AvgTdiX;AVG Free8 Network Redirector;c:\windows\system32\drivers\avgtdix.sys [2008-07-09 76040] R4 CwAltaService20;ContentWatch;c:\program files\ContentWatch\Internet Protection\cwsvc.exe [2008-07-12 1042192] R4 Viewpoint Manager Service;Viewpoint Manager Service;c:\program files\Viewpoint\Common\ViewpointService.exe [2008-11-18 24652] S3 el575nd5;3Com Megahertz 10/100 LAN CardBus PC Card Driver;c:\windows\system32\drivers\el575ND5.sys [2006-06-30 69692] [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\D] \Shell\AutoRun\command - c:\windows\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL Info.exe folder.htt 480 480 [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{510a823f-d0fd-11dc-8372-806d6172696f}] \Shell\AutoRun\command - c:\windows\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL Info.exe folder.htt 480 480 [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{5229887d-8f3f-11dc-8e1c-806d6172696f}] \Shell\AutoRun\command - c:\windows\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL Info.exe folder.htt 480 480 . Contents of the 'Scheduled Tasks' folder 2008-07-12 c:\windows\Tasks\Ad-Aware 2008.job - c:\program files\Lavasoft\Ad-Aware\Ad-Aware.exe [2008-07-12 14:22] 2009-01-24 c:\windows\Tasks\Spybots Search & Destroy.job - c:\program files\Spybot - Search & Destroy\SpybotSD.exe [2008-07-07 08:42] . - - - - ORPHANS REMOVED - - - - HKCU-Run-Aim6 - (no file) HKLM-Run-BigFix - c:\program files\Bigfix\bigfix.exe . ------- Supplementary Scan ------- . uStart Page = hxxp://www.google.com/ mStart Page = hxxp://www.gateway.com/g/startpage.html?Ch=Retail&SubCH=nofound&Br=EM&Loc=ENG_US&Sys=DTP&M=W3644 uInternet Settings,ProxyOverride = <local> IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~3\Office12\EXCEL.EXE/3000 LSP: c:\windows\system32\cwalsp.dll DPF: {44C1E3A2-B594-401C-B27A-D1B4476E4797} - hxxps://m1.oeconn.com/XTSAC.cab . ************************************************************************** catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net Rootkit scan 2009-01-24 11:10:49 Windows 5.1.2600 Service Pack 2 NTFS scanning hidden processes ... scanning hidden autostart entries ... scanning hidden files ... scan completed successfully hidden files: 0 ************************************************************************** . --------------------- LOCKED REGISTRY KEYS --------------------- [HKEY_LOCAL_MACHINE\software\Microsoft\MS Juan\DJZERO] @DACL=(02 0000) "LTM"=hex:00,00,00,00,00,00,00,00 "CDY"=hex:00,00,00,00,00,00,00,00 "CNT"=dword:00000000 [HKEY_LOCAL_MACHINE\software\Microsoft\MS Juan\JKWL] @DACL=(02 0000) [HKEY_LOCAL_MACHINE\software\Microsoft\MS Juan\metajuan] @DACL=(02 0000) "LTM"=hex:00,00,00,00,00,00,00,00 "CDY"=hex:00,00,00,00,00,00,00,00 "CNT"=dword:00000000 "LBL"=hex:05,7a,a9,24,31,7c,c9,01 "MN"=hex:01,00,00,00 [HKEY_LOCAL_MACHINE\software\Microsoft\MS Juan\meta_mg] @DACL=(02 0000) "LTM"=hex:00,00,00,00,00,00,00,00 "CDY"=hex:00,00,00,00,00,00,00,00 "CNT"=dword:00000000 [HKEY_LOCAL_MACHINE\software\Microsoft\MS Juan\profiling4] @DACL=(02 0000) "LTM"=hex:00,00,00,00,00,00,00,00 "CDY"=hex:00,00,00,00,00,00,00,00 "CNT"=dword:00000000 [HKEY_LOCAL_MACHINE\software\Microsoft\MS Juan\superjuan] @DACL=(02 0000) "LTM"=hex:65,b4,43,93,31,7c,c9,01 "CDY"=hex:00,00,00,00,00,00,00,00 "CNT"=dword:00000004 [HKEY_LOCAL_MACHINE\software\Microsoft\MS Juan\TrackDJuan] @DACL=(02 0000) "LTM"=hex:00,00,00,00,00,00,00,00 "CDY"=hex:00,00,00,00,00,00,00,00 "CNT"=dword:00000000 [HKEY_LOCAL_MACHINE\software\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\IMAIL] @DACL=(02 0000) "Installed"="1" @="" [HKEY_LOCAL_MACHINE\software\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\MAPI] @DACL=(02 0000) "NoChange"="1" "Installed"="1" @="" [HKEY_LOCAL_MACHINE\software\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\MSFS] @DACL=(02 0000) "Installed"="1" @="" . --------------------- DLLs Loaded Under Running Processes --------------------- - - - - - - - > 'winlogon.exe'(672) c:\program files\SUPERAntiSpyware\SASWINLO.DLL - - - - - - - > 'lsass.exe'(728) c:\windows\system32\cwalsp.dll c:\windows\system32\wxbase28u_vc_CW.dll . ------------------------ Other Running Processes ------------------------ . c:\program files\Lavasoft\Ad-Aware\aawservice.exe c:\program files\Microsoft LifeCam\MSCamS32.exe c:\windows\system32\nvsvc32.exe c:\program files\Common Files\New Boundary\PrismXL\PRISMXL.SYS c:\program files\CyberLink\Shared Files\RichVideo.exe c:\windows\system32\rundll32.exe c:\program files\AVG\AVG8\avgrsx.exe c:\windows\system32\wscntfy.exe . ************************************************************************** . Completion time: 2009-01-24 11:13:15 - machine was rebooted ComboFix-quarantined-files.txt 2009-01-24 16:13:13 Pre-Run: 137,932,005,376 bytes free Post-Run: 137,984,159,744 bytes free WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe [boot loader] timeout=2 default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS [operating systems] c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Home Edition" /noexecute=optin /fastdetect 285 --- E O F --- 2008-12-29 21:00:00 HijackThis log: Logfile of Trend Micro HijackThis v2.0.2 Scan saved at 11:15:16 AM, on 1/24/2009 Platform: Windows XP SP2 (WinNT 5.01.2600) MSIE: Internet Explorer v7.00 (7.00.6000.16762) Boot mode: Normal Running processes: C:\WINDOWS\System32\smss.exe C:\WINDOWS\system32\winlogon.exe C:\WINDOWS\system32\services.exe C:\WINDOWS\system32\lsass.exe C:\WINDOWS\system32\svchost.exe C:\WINDOWS\System32\svchost.exe C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe C:\WINDOWS\system32\spoolsv.exe C:\Program Files\ContentWatch\Internet Protection\cwsvc.exe C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe C:\Program Files\Microsoft LifeCam\MSCamS32.exe C:\WINDOWS\system32\nvsvc32.exe C:\Program Files\Common Files\New Boundary\PrismXL\PRISMXL.SYS C:\Program Files\CyberLink\Shared Files\RichVideo.exe C:\WINDOWS\system32\svchost.exe C:\Program Files\Viewpoint\Common\ViewpointService.exe C:\WINDOWS\system32\RUNDLL32.EXE C:\WINDOWS\RTHDCPL.EXE C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe C:\PROGRA~1\AVG\AVG8\avgtray.exe C:\Program Files\ContentWatch\Internet Protection\cwtray.exe C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe C:\WINDOWS\system32\ctfmon.exe C:\Program Files\SUPERAntiSpyware\998a8d7f-f2e0-41dd-a940-ff6025f9a863.exe C:\Program Files\Quicken\bagent.exe C:\PROGRA~1\AVG\AVG8\avgrsx.exe C:\PROGRA~1\AVG\AVG8\avgemc.exe C:\WINDOWS\system32\wscntfy.exe C:\WINDOWS\system32\wuauclt.exe C:\WINDOWS\system32\wuauclt.exe C:\WINDOWS\explorer.exe C:\Program Files\Trend Micro\HijackThis\HijackThis.exe R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157 R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896 R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896 R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.gateway.com/g/startpage.html?Ch...DTP&M=W3644 R3 - URLSearchHook: (no name) - - (no file) O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG8\avgssie.dll O2 - BHO: NCO 2.0 IE BHO - {602ADB0E-4AFF-4217-8AA1-95DAC4DFA408} - (no file) O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file) O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll O3 - Toolbar: (no name) - {7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA} - (no file) O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup O4 - HKLM\..\Run: [nwiz] nwiz.exe /install O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE O4 - HKLM\..\Run: [skyTel] SkyTel.EXE O4 - HKLM\..\Run: [Recguard] %WINDIR%\SMINST\RECGUARD.EXE O4 - HKLM\..\Run: [Reminder] %WINDIR%\Creator\Remind_XP.exe O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe" O4 - HKLM\..\Run: [LanguageShortcut] "C:\Program Files\CyberLink\PowerDVD\Language\Language.exe" O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe O4 - HKLM\..\Run: [cwcptray] C:\Program Files\ContentWatch\Internet Protection\cwtray.exe O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" O4 - HKLM\..\Run: [LifeCam] "C:\Program Files\Microsoft LifeCam\LifeExp.exe" O4 - HKLM\..\Run: [VX3000] C:\WINDOWS\vVX3000.exe O4 - HKCU\..\Run: [Power2GoExpress] NA O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe O4 - HKCU\..\Run: [sUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\998a8d7f-f2e0-41dd-a940-ff6025f9a863.exe O4 - HKCU\..\Run: [QuickenScheduledUpdates] C:\Program Files\Quicken\bagent.exe O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\Office12\EXCEL.EXE/3000 O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll O9 - Extra button: Blog This - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - C:\Program Files\Windows Live\Writer\WriterBrowserExtension.dll O9 - Extra 'Tools' menuitem: &Blog This in Windows Live Writer - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - C:\Program Files\Windows Live\Writer\WriterBrowserExtension.dll O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe O10 - Unknown file in Winsock LSP: c:\windows\system32\cwalsp.dll O10 - Unknown file in Winsock LSP: c:\windows\system32\cwalsp.dll O10 - Unknown file in Winsock LSP: c:\windows\system32\cwalsp.dll O16 - DPF: {44C1E3A2-B594-401C-B27A-D1B4476E4797} (XTSAC Control) - https://m1.oeconn.com/XTSAC.cab O16 - DPF: {7584C670-2274-4EFB-B00B-D6AABA6D3850} (Microsoft RDP Client Control (redist)) - https://m1.oeconn.com/msrdp.cab O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.DLL O23 - Service: Lavasoft Ad-Aware Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe O23 - Service: AVG Free8 E-mail Scanner (avg8emc) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgemc.exe O23 - Service: AVG Free8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe O23 - Service: ContentWatch (CwAltaService20) - ContentWatch, Inc. - C:\Program Files\ContentWatch\Internet Protection\cwsvc.exe O23 - Service: GameConsoleService - WildTangent, Inc. - C:\Program Files\eMachines Games\eMachines Game Console\GameConsoleService.exe O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe O23 - Service: PrismXL - New Boundary Technologies, Inc. - C:\Program Files\Common Files\New Boundary\PrismXL\PRISMXL.SYS O23 - Service: Cyberlink RichVideo Service(CRVS) (RichVideo) - Unknown owner - C:\Program Files\CyberLink\Shared Files\RichVideo.exe O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exe -- End of file - 6844 bytes
  3. I've got the MS Juan Registry Keys that I cannot remove. I've attached the MalwareBytes and HijackThis logs. Thanks in advance for your assistance, --cpm637 MalwareBytes Log: Malwarebytes' Anti-Malware 1.31 Database version: 1585 Windows 5.1.2600 Service Pack 2 1/24/2009 12:33:20 AM mbam-log-2009-01-24 (00-33-20).txt Scan type: Quick Scan Objects scanned: 61813 Time elapsed: 3 minute(s), 14 second(s) Memory Processes Infected: 0 Memory Modules Infected: 0 Registry Keys Infected: 1 Registry Values Infected: 0 Registry Data Items Infected: 0 Folders Infected: 0 Files Infected: 0 Memory Processes Infected: (No malicious items detected) Memory Modules Infected: (No malicious items detected) Registry Keys Infected: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MS Juan (Malware.Trace) -> Delete on reboot. Registry Values Infected: (No malicious items detected) Registry Data Items Infected: (No malicious items detected) Folders Infected: (No malicious items detected) Files Infected: (No malicious items detected) HijackThis Log: Logfile of Trend Micro HijackThis v2.0.2 Scan saved at 12:34:31 AM, on 1/24/2009 Platform: Windows XP SP2 (WinNT 5.01.2600) MSIE: Internet Explorer v7.00 (7.00.6000.16762) Boot mode: Normal Running processes: C:\WINDOWS\System32\smss.exe C:\WINDOWS\system32\winlogon.exe C:\WINDOWS\system32\services.exe C:\WINDOWS\system32\lsass.exe C:\WINDOWS\system32\svchost.exe C:\WINDOWS\System32\svchost.exe C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe C:\WINDOWS\system32\spoolsv.exe C:\Program Files\ContentWatch\Internet Protection\cwsvc.exe C:\WINDOWS\Explorer.EXE C:\WINDOWS\system32\RUNDLL32.EXE C:\WINDOWS\RTHDCPL.EXE C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe C:\PROGRA~1\AVG\AVG8\avgtray.exe C:\Program Files\ContentWatch\Internet Protection\cwtray.exe C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe C:\WINDOWS\vVX3000.exe C:\WINDOWS\system32\ctfmon.exe C:\Program Files\SUPERAntiSpyware\998a8d7f-f2e0-41dd-a940-ff6025f9a863.exe C:\Program Files\Quicken\bagent.exe C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe C:\Program Files\Microsoft LifeCam\MSCamS32.exe C:\WINDOWS\system32\nvsvc32.exe C:\Program Files\Common Files\New Boundary\PrismXL\PRISMXL.SYS C:\Program Files\CyberLink\Shared Files\RichVideo.exe C:\WINDOWS\system32\svchost.exe C:\Program Files\Viewpoint\Common\ViewpointService.exe C:\PROGRA~1\AVG\AVG8\avgrsx.exe C:\PROGRA~1\AVG\AVG8\avgemc.exe C:\WINDOWS\system32\wscntfy.exe C:\Program Files\Internet Explorer\iexplore.exe C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLLoginProxy.exe C:\Program Files\Trend Micro\HijackThis\HijackThis.exe R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.gateway.com/g/startpage.html?Ch...DTP&M=W3644 R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896 R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896 R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.gateway.com/g/startpage.html?Ch...DTP&M=W3644 R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.gateway.com/g/sidepanel.html?Ch...DTP&M=W3644 R3 - URLSearchHook: (no name) - - (no file) O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG8\avgssie.dll O2 - BHO: NCO 2.0 IE BHO - {602ADB0E-4AFF-4217-8AA1-95DAC4DFA408} - (no file) O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file) O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll O3 - Toolbar: (no name) - {7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA} - (no file) O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup O4 - HKLM\..\Run: [nwiz] nwiz.exe /install O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE O4 - HKLM\..\Run: [skyTel] SkyTel.EXE O4 - HKLM\..\Run: [Alcmtr] ALCMTR.EXE O4 - HKLM\..\Run: [Recguard] %WINDIR%\SMINST\RECGUARD.EXE O4 - HKLM\..\Run: [Reminder] %WINDIR%\Creator\Remind_XP.exe O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe" O4 - HKLM\..\Run: [LanguageShortcut] "C:\Program Files\CyberLink\PowerDVD\Language\Language.exe" O4 - HKLM\..\Run: [bigFix] c:\program files\Bigfix\bigfix.exe /atstartup O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe O4 - HKLM\..\Run: [cwcptray] C:\Program Files\ContentWatch\Internet Protection\cwtray.exe O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" O4 - HKLM\..\Run: [LifeCam] "C:\Program Files\Microsoft LifeCam\LifeExp.exe" O4 - HKLM\..\Run: [VX3000] C:\WINDOWS\vVX3000.exe O4 - HKLM\..\RunOnce: [Malwarebytes Anti-Malware (reboot)] "C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe" /runcleanupscript O4 - HKCU\..\Run: [Power2GoExpress] NA O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe O4 - HKCU\..\Run: [sUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\998a8d7f-f2e0-41dd-a940-ff6025f9a863.exe O4 - HKCU\..\Run: [QuickenScheduledUpdates] C:\Program Files\Quicken\bagent.exe O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\Office12\EXCEL.EXE/3000 O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll O9 - Extra button: Blog This - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - C:\Program Files\Windows Live\Writer\WriterBrowserExtension.dll O9 - Extra 'Tools' menuitem: &Blog This in Windows Live Writer - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - C:\Program Files\Windows Live\Writer\WriterBrowserExtension.dll O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe O10 - Unknown file in Winsock LSP: c:\windows\system32\cwalsp.dll O10 - Unknown file in Winsock LSP: c:\windows\system32\cwalsp.dll O10 - Unknown file in Winsock LSP: c:\windows\system32\cwalsp.dll O16 - DPF: {44C1E3A2-B594-401C-B27A-D1B4476E4797} (XTSAC Control) - https://m1.oeconn.com/XTSAC.cab O16 - DPF: {7584C670-2274-4EFB-B00B-D6AABA6D3850} (Microsoft RDP Client Control (redist)) - https://m1.oeconn.com/msrdp.cab O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll O20 - AppInit_DLLs: avgrsstx.dll fzxvhj.dll O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.DLL O23 - Service: Lavasoft Ad-Aware Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe O23 - Service: AVG Free8 E-mail Scanner (avg8emc) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgemc.exe O23 - Service: AVG Free8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe O23 - Service: ContentWatch (CwAltaService20) - ContentWatch, Inc. - C:\Program Files\ContentWatch\Internet Protection\cwsvc.exe O23 - Service: GameConsoleService - WildTangent, Inc. - C:\Program Files\eMachines Games\eMachines Game Console\GameConsoleService.exe O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe O23 - Service: PrismXL - New Boundary Technologies, Inc. - C:\Program Files\Common Files\New Boundary\PrismXL\PRISMXL.SYS O23 - Service: Cyberlink RichVideo Service(CRVS) (RichVideo) - Unknown owner - C:\Program Files\CyberLink\Shared Files\RichVideo.exe O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exe -- End of file - 7442 bytes
Back to top
×
×
  • Create New...

Important Information

This site uses cookies - We have placed cookies on your device to help make this website better. You can adjust your cookie settings, otherwise we'll assume you're okay to continue.