
Thread: Definitely have malware :(

  #11 (Member, Join Date: Nov 2007, Posts: 45)

    I know, uTorrent can be a nasty program. I have deleted that program several times, as it may have caused problems in the past. Needless to say, I haven't used that program in a couple of years. I have removed the program again.

    ComboFix has been run and here's its report. A new DDS will be posted shortly.


    ComboFix 09-10-03.01 - Spiderman 10/04/2009 9:27.2.1 - NTFSx86
    Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.510.159 [GMT -4:00]
    Running from: c:\documents and settings\Spiderman\Desktop\ComboFix.exe
    .

    ((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
    .

    c:\documents and settings\Spiderman\Application Data\wiaserva.log
    c:\documents and settings\Spiderman\Start Menu\Programs\Startup\ikowin32.exe
    c:\program files\Common\_helper.dll
    c:\program files\Common\helper.dll
    c:\program files\Common\helper.sig
    c:\program files\Shared\lib.dll
    c:\program files\Shared\lib.sig
    c:\temp\abW9
    c:\temp\abW9\tPho.log
    c:\windows\abahakucadic.dll
    c:\windows\aborerew.dll
    c:\windows\abozemiz.dll
    c:\windows\acaderotegixiv.dll
    c:\windows\acavakadevi.dll
    c:\windows\acerimuquj.dll
    c:\windows\adafegizutaz.dll
    c:\windows\adexipab.dll
    c:\windows\adowegumesawe.dll
    c:\windows\aduyamuk.dll
    c:\windows\agaqatuza.dll
    c:\windows\ajakigat.dll
    c:\windows\ajayelovawubixax.dll
    c:\windows\ajibatidedug.dll
    c:\windows\ajocetuw.dll
    c:\windows\alewanulamolimar.dll
    c:\windows\alotakob.dll
    c:\windows\amezawuf.dll
    c:\windows\amifepohebafi.dll
    c:\windows\amikulej.dll
    c:\windows\amukupugebudax.dll
    c:\windows\anelizodowurafox.dll
    c:\windows\anurituci.dll
    c:\windows\apegupiditemekok.dll
    c:\windows\aqugojudoyatupek.dll
    c:\windows\arihexop.dll
    c:\windows\arubawutilesol.dll
    c:\windows\asicolal.dll
    c:\windows\atezosowuwu.dll
    c:\windows\atomanap.dll
    c:\windows\avanepoza.dll
    c:\windows\avezaxifivufep.dll
    c:\windows\avukejubetovapuz.dll
    c:\windows\awaworucato.dll
    c:\windows\awayofik.dll
    c:\windows\aweqasoqege.dll
    c:\windows\awequmofut.dll
    c:\windows\awiritadumo.dll
    c:\windows\axinirumecahalev.dll
    c:\windows\ayimapiq.dll
    c:\windows\download
    c:\windows\ebajurij.dll
    c:\windows\ebimizih.dll
    c:\windows\ebocoroj.dll
    c:\windows\ecefotoc.dll
    c:\windows\edilaref.dll
    c:\windows\edojolij.dll
    c:\windows\eduhovoj.dll
    c:\windows\efemirux.dll
    c:\windows\egayiyoh.dll
    c:\windows\eheriwesozo.dll
    c:\windows\ehigozux.dll
    c:\windows\ejerivehamiro.dll
    c:\windows\ejeruzifuloru.dll
    c:\windows\ejidiwoxewofes.dll
    c:\windows\ejodafaw.dll
    c:\windows\ejotilarej.dll
    c:\windows\ekesuyeg.dll
    c:\windows\ekoboneravasam.dll
    c:\windows\eleharuculihi.dll
    c:\windows\eleqafarip.dll
    c:\windows\elujewuj.dll
    c:\windows\enebebaguwimu.dll
    c:\windows\enuxusum.dll
    c:\windows\epulifipuluk.dll
    c:\windows\eqamoyes.dll
    c:\windows\eqavafidelujolij.dll
    c:\windows\evayasomizih.dll
    c:\windows\ewedigojeruqa.dll
    c:\windows\ewihedil.dll
    c:\windows\ewizotuqo.dll
    c:\windows\ewolorom.dll
    c:\windows\ewovuzitoha.dll
    c:\windows\exapejid.dll
    c:\windows\exelowunikazubi.dll
    c:\windows\eximifora.dll
    c:\windows\exovevukov.dll
    c:\windows\eyogudorayeher.dll
    c:\windows\eyudobuvo.dll
    c:\windows\gcdx.dll
    c:\windows\ibimapiqiyonox.dll
    c:\windows\ibotuwef.dll
    c:\windows\ibuwunoz.dll
    c:\windows\icopevubeqo.dll
    c:\windows\idogezorijegozu.dll
    c:\windows\idujizuqu.dll
    c:\windows\ifereweha.dll
    c:\windows\ifidevac.dll
    c:\windows\ifiyuruwokuqisal.dll
    c:\windows\ifocoxicakihev.dll
    c:\windows\ifogafek.dll
    c:\windows\ijuxorigeg.dll
    c:\windows\ikenalepetiyo.dll
    c:\windows\imawiloji.dll
    c:\windows\imujoxuc.dll
    c:\windows\imunesey.dll
    c:\windows\Installer\11195550.msp
    c:\windows\Installer\3970c5.msp
    c:\windows\Installer\73330d.msp
    c:\windows\Installer\9dbd7d7.msp
    c:\windows\Installer\f876ad4.msi
    c:\windows\Installer\f876adc.msi
    c:\windows\Installer\f876ae4.msi
    c:\windows\Installer\f876af1.msi
    c:\windows\Installer\f876af9.msi
    c:\windows\Installer\f876b01.msi
    c:\windows\inutezezuquj.dll
    c:\windows\ipopuficuzuhi.dll
    c:\windows\iqafovah.dll
    c:\windows\iqejinur.dll
    c:\windows\iqokilomi.dll
    c:\windows\irakarat.dll
    c:\windows\irenufuq.dll
    c:\windows\isitibuxer.dll
    c:\windows\itecigitulob.dll
    c:\windows\itedowubucu.dll
    c:\windows\iwewogij.dll
    c:\windows\iwisefubemob.dll
    c:\windows\ixikerevafidel.dll
    c:\windows\ixitikapawogep.dll
    c:\windows\ixiyetasoyu.dll
    c:\windows\ixuqeduk.dll
    c:\windows\iyatahixowetohe.dll
    c:\windows\msstd.dll
    c:\windows\msto.dll
    c:\windows\obawulevefi.dll
    c:\windows\obe.dll
    c:\windows\obiwiyel.dll
    c:\windows\odajezoweqoh.dll
    c:\windows\odehusucam.dll
    c:\windows\ofazowem.dll
    c:\windows\ofeholuh.dll
    c:\windows\oferesox.dll
    c:\windows\ofofafawi.dll
    c:\windows\ofoqusiwoj.dll
    c:\windows\ofuvozeraz.dll
    c:\windows\ogakupujaxakuqe.dll
    c:\windows\ogipucovotuket.dll
    c:\windows\oheqazejo.dll
    c:\windows\ojipevubeqovuzi.dll
    c:\windows\ojuqafar.dll
    c:\windows\okecuvuhoxuquxoj.dll
    c:\windows\okehazuyosegefim.dll
    c:\windows\okucuzuhifuci.dll
    c:\windows\olemopajeboy.dll
    c:\windows\olenelanavecazu.dll
    c:\windows\oliyonidopumam.dll
    c:\windows\olumodet.dll
    c:\windows\omelolac.dll
    c:\windows\omiyeviw.dll
    c:\windows\onehebaf.dll
    c:\windows\opohugil.dll
    c:\windows\opunevif.dll
    c:\windows\oqegovagifobaw.dll
    c:\windows\oraluwen.dll
    c:\windows\orehifuc.dll
    c:\windows\orejulowu.dll
    c:\windows\osutiles.dll
    c:\windows\oteqesuhelehizu.dll
    c:\windows\ovadurayapeva.dll
    c:\windows\oviloqetuguzele.dll
    c:\windows\owebalikoqatu.dll
    c:\windows\oxenozum.dll
    c:\windows\oxumopuduy.dll
    c:\windows\oyolaloc.dll
    c:\windows\system32\aston.mt
    c:\windows\system32\comrepl.exe
    c:\windows\system32\drivers\3e3b0e9.sys
    c:\windows\system32\mcrh.tmp
    c:\windows\ubejefiq.dll
    c:\windows\ubelerih.dll
    c:\windows\ucagosixaxeteted.dll
    c:\windows\ucelesolas.dll
    c:\windows\ucezitoha.dll
    c:\windows\ucijumuqobo.dll
    c:\windows\ucikiwikisoxe.dll
    c:\windows\ucoyenev.dll
    c:\windows\udexusumo.dll
    c:\windows\udociluvunebur.dll
    c:\windows\ufihilofej.dll
    c:\windows\ufirubohojafabi.dll
    c:\windows\ufiyosegef.dll
    c:\windows\ugifiwuz.dll
    c:\windows\ugiholur.dll
    c:\windows\uhikorilowadil.dll
    c:\windows\uhinufeworitulus.dll
    c:\windows\uhodesuvaruk.dll
    c:\windows\uhoyiger.dll
    c:\windows\ukayewecig.dll
    c:\windows\ukicagayusaqitih.dll
    c:\windows\ukifefeqacolal.dll
    c:\windows\ukonirumecah.dll
    c:\windows\ukoyuzubizeb.dll
    c:\windows\unuhovehula.dll
    c:\windows\unuwevev.dll
    c:\windows\upotepin.dll
    c:\windows\upuyosamavab.dll
    c:\windows\uracusezejoher.dll
    c:\windows\urewixanimi.dll
    c:\windows\uribiyov.dll
    c:\windows\urocawaj.dll
    c:\windows\urucozis.dll
    c:\windows\urufixej.dll
    c:\windows\usoniwulaqo.dll
    c:\windows\usotolix.dll
    c:\windows\usoxivaz.dll
    c:\windows\utodiqatarive.dll
    c:\windows\utogofor.dll
    c:\windows\uvajivanoq.dll
    c:\windows\uvamibah.dll
    c:\windows\uvikuwafonut.dll
    c:\windows\uwapalir.dll
    c:\windows\uwemavab.dll
    c:\windows\uwodewiy.dll
    c:\windows\uxatigokidonot.dll
    c:\windows\uxeturet.dll
    c:\windows\uxosuloromazizu.dll
    c:\windows\uxucubalepi.dll
    c:\windows\uyazoquqisefac.dll
    c:\windows\uyezizaz.dll

    .
    ((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
    .

    -------\Service_3e3b0e9


    ((((((((((((((((((((((((( Files Created from 2009-09-04 to 2009-10-04 )))))))))))))))))))))))))))))))
    .

    2009-10-04 14:11 . 2009-10-04 14:11 11554 ----a-w- c:\windows\egoxowalif.dll
    2009-09-12 19:11 . 2009-09-12 19:11 -------- d-----w- c:\windows\system32\wbem\Repository
    2009-09-04 17:15 . 2009-09-12 19:11 -------- d-----w- c:\documents and settings\Bobo\Local Settings\Application Data\{7774A5C0-4F5A-4A25-A039-29FB6B2E855C}

    .
    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2009-10-04 13:44 . 2009-06-23 12:15 -------- d-----w- c:\program files\Shared
    2009-10-04 13:44 . 2009-03-31 21:56 -------- d-----w- c:\program files\Common
    2009-10-04 13:21 . 2002-08-29 10:00 182656 ----a-w- c:\windows\system32\drivers\ndis.sys
    2009-10-04 12:15 . 2009-08-28 01:45 120 ----a-w- c:\windows\Ulujoqafarip.dat
    2009-09-30 00:02 . 2005-12-30 00:37 -------- d-----w- c:\program files\Common Files\KnifeEdge
    2009-09-14 21:38 . 2005-07-13 03:08 -------- d-----w- c:\program files\Program Files
    2009-09-12 19:10 . 2009-03-15 00:26 -------- d-----w- c:\program files\Microsoft Silverlight
    2009-09-03 03:58 . 2004-07-09 22:13 118440 ----a-w- c:\documents and settings\Spiderman\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
    2009-08-25 21:35 . 2009-08-25 16:29 -------- d-----w- c:\documents and settings\All Users\Application Data\10983904
    2009-08-06 21:57 . 2009-08-06 21:57 -------- d-----w- c:\program files\MSBuild
    2009-08-06 21:56 . 2009-08-06 21:56 -------- d-----w- c:\program files\Reference Assemblies
    2009-07-17 19:01 . 2002-08-29 10:00 58880 ----a-w- c:\windows\system32\atl.dll
    2009-07-17 19:01 . 2002-08-29 10:00 58880 ----a-w- c:\windows\system32\atl(3)(3).dll
    2009-07-14 03:43 . 2004-08-11 05:45 286208 ----a-w- c:\windows\system32\wmpdxm.dll
    2006-11-25 07:57 . 2006-11-25 07:57 482 ----a-w- c:\program files\Del.js
    2005-08-21 16:42 . 2005-06-27 23:17 905 -c--a-w- c:\program files\uninstal.log
    2006-01-11 06:41 . 2004-08-29 00:07 56 --sh--r- c:\windows\SYSTEM32\6BBF71BA10.sys
    2006-09-24 00:47 . 2004-08-29 00:07 10856 --sha-w- c:\windows\SYSTEM32\KGyGaAvL.sys
    .

    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legit default entries are not shown
    REGEDIT4

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2005-05-12 6729728]
    "FaxCenterServer"="c:\program files\Lexmark Fax Solutions\fm3032.exe" [2007-02-08 295856]
    "NvMediaCenter"="NvMCTray.dll" - c:\windows\SYSTEM32\nvmctray.dll [2005-05-12 86016]

    [HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
    "RunNarrator"="Narrator.exe" - c:\windows\SYSTEM32\narrator.exe [2008-04-14 53760]

    [hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
    "{56F9679E-7826-4C84-81F3-532071A8BCC5}"= "c:\program files\Windows Desktop Search\MSNLNamespaceMgr.dll" [2006-03-13 233472]

    [HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
    Notification Packages REG_MULTI_SZ scecli carcpc.dll

    [HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders]
    SecurityProviders msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll, zwebauth.dll

    [HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk.disabled]
    path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Adobe Reader Speed Launch.lnk.disabled
    backup=c:\windows\pss\Adobe Reader Speed Launch.lnk.disabledCommon Startup

    [HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Exif Launcher.lnk]
    path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Exif Launcher.lnk
    backup=c:\windows\pss\Exif Launcher.lnkCommon Startup

    [HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^PowerReg Scheduler.exe]
    path=c:\documents and settings\All Users\Start Menu\Programs\Startup\PowerReg Scheduler.exe
    backup=c:\windows\pss\PowerReg Scheduler.exeCommon Startup

    [HKLM\~\startupfolder\C:^Documents and Settings^Spiderman^Start Menu^Programs^Startup^clippy.exe]
    path=c:\documents and settings\Spiderman\Start Menu\Programs\Startup\clippy.exe
    backup=c:\windows\pss\clippy.exeStartup

    [HKLM\~\startupfolder\C:^Documents and Settings^Spiderman^Start Menu^Programs^Startup^Magnifier.lnk]
    path=c:\documents and settings\Spiderman\Start Menu\Programs\Startup\Magnifier.lnk
    backup=c:\windows\pss\Magnifier.lnkStartup

    [HKLM\~\startupfolder\C:^Documents and Settings^Spiderman^Start Menu^Programs^Startup^Stardock ObjectDock.lnk]
    path=c:\documents and settings\Spiderman\Start Menu\Programs\Startup\Stardock ObjectDock.lnk
    backup=c:\windows\pss\Stardock ObjectDock.lnkStartup

    [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run-]
    "Insider"=c:\program files\Insider\Insider.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
    "runner1"=c:\windows\mrofinu572.exe 61A847B5BBF728173599284503996897C881250221C8670836AC4FA7C8833201749139
    "QuickTime Task"="c:\program files\QuickTime\bak\qttask.exe" -atboottime
    "nwiz"=nwiz.exe /install

    [HKEY_LOCAL_MACHINE\software\microsoft\security center]
    "UpdatesDisableNotify"=dword:00000001

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
    "DisableNotifications"= 1 (0x1)

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
    "c:\\WINDOWS\\SYSTEM32\\lxczcoms.exe"=
    "%windir%\\Network Diagnostic\\xpnetdiag.exe"=
    "%windir%\\system32\\sessmgr.exe"=
    "c:\\Program Files\\Windows Live\\Sync\\WindowsLiveSync.exe"=
    "c:\\Program Files\\Summitsoft\\Business Card Shop\\FRegister.exe"=
    "c:\\Program Files\\Summitsoft\\Business Card Shop\\BCGUpdate.exe"=
    "c:\\Program Files\\Summitsoft\\Business Card Shop\\Summitsoft Products.exe"=
    "c:\\Program Files\\Summitsoft\\Business Card Shop\\BCGFonts.exe"=
    "c:\\Program Files\\Summitsoft\\Business Card Shop\\Splash_LDS.exe"=
    "c:\\Program Files\\Summitsoft\\Business Card Shop\\Splash Series 1_Oct132008.exe"=

    S3 brfilt;Brother MFC Filter Driver;c:\windows\SYSTEM32\DRIVERS\BrFilt.sys [8/13/2006 9:48 AM 2944]
    S3 brparimg;Brother Multi Function Parallel Image driver;c:\windows\SYSTEM32\DRIVERS\BrParImg.sys [8/13/2006 9:48 AM 3168]
    S3 BrParWdm;Brother WDM Parallel Driver;c:\windows\SYSTEM32\DRIVERS\BrParwdm.sys [8/13/2006 9:48 AM 39552]
    S3 BrSerWDM;Brother Serial driver;c:\windows\SYSTEM32\DRIVERS\BrSerWdm.sys [8/13/2006 9:48 AM 60416]
    S3 DMSKSSRh;DMSKSSRh;\??\c:\docume~1\SPIDER~1\LOCALS~1\Temp\DMSKSSRh.sys --> c:\docume~1\SPIDER~1\LOCALS~1\Temp\DMSKSSRh.sys [?]
    S3 SaiNtSub;SaiNtSub;c:\windows\SYSTEM32\DRIVERS\SaiNtSub.sys [2/4/2005 10:28 PM 19200]
    S3 samhid;samhid;c:\windows\system32\drivers\samhid.sys --> c:\windows\system32\drivers\samhid.sys [?]
    .
    .
    ------- Supplementary Scan -------
    .
    uStart Page = hxxp://www.98rock.com/cc-common/babes/
    uInternet Connection Wizard,ShellNext = iexplore
    uInternet Settings,ProxyOverride = 127.0.0.1
    IE: &ieSpell Options - c:\program files\ieSpell\iespell.dll/SPELLOPTION.HTM
    IE: &Search
    IE: Add to Windows &Live Favorites - http://favorites.live.com/quickadd.aspx
    IE: Check &Spelling - c:\program files\ieSpell\iespell.dll/SPELLCHECK.HTM
    IE: Lookup on Merriam Webster - file://c:\program files\ieSpell\Merriam Webster.HTM
    IE: Lookup on Wikipedia - file://c:\program files\ieSpell\wikipedia.HTM
    DPF: Microsoft XML Parser for Java - file://c:\windows\Java\classes\xmldso.cab
    DPF: {B942A249-D1E7-4C11-98AE-FCB76B08747F} - hxxp://games-dl.real.com/gameconsole/Bundler/CAB/RealArcadeRdxIE.cab
    DPF: {D9EA64B2-B966-E177-332C-78B69886526D} - hxxp://download.newaol.com/bkpromo/download/PerformerSetup.cab
    .
    - - - - ORPHANS REMOVED - - - -

    WebBrowser-{8FF5E180-ABDE-46EB-B09E-D2AAB95CABE3} - (no file)
    HKLM-Run-Ksebuhey - c:\windows\urufixej.dll
    AddRemove-Viewpoint Manager - c:\program files\Viewpoint\Viewpoint Manager\ViewMgrInstaller.exe



    **************************************************************************

    catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
    Rootkit scan 2009-10-04 10:10
    Windows 5.1.2600 Service Pack 3 NTFS

    scanning hidden processes ...

    scanning hidden autostart entries ...

    scanning hidden files ...

    scan completed successfully
    hidden files: 0

    **************************************************************************
    .
    --------------------- LOCKED REGISTRY KEYS ---------------------

    [HKEY_USERS\S-1-5-21-1665667976-894762885-3311537992-1007\Software\Microsoft\SystemCertificates\AddressBook*]
    @Allowed: (Read) (RestrictedCode)
    @Allowed: (Read) (RestrictedCode)
    .
    --------------------- DLLs Loaded Under Running Processes ---------------------

    - - - - - - - > 'winlogon.exe'(552)
    c:\windows\system32\NTMARTA.DLL

    - - - - - - - > 'lsass.exe'(608)
    c:\windows\carcpc.dll
    c:\windows\system32\WININET.dll

    - - - - - - - > 'explorer.exe'(3540)
    c:\windows\system32\WININET.dll
    c:\windows\system32\ieframe.dll
    c:\windows\system32\WPDShServiceObj.dll
    c:\windows\system32\PortableDeviceTypes.dll
    c:\windows\system32\PortableDeviceApi.dll
    c:\windows\carcpc.dll
    .
    ------------------------ Other Running Processes ------------------------
    .
    c:\windows\SYSTEM32\LEXBCES.EXE
    c:\windows\SYSTEM32\LEXPPS.EXE
    c:\windows\SYSTEM32\lxczcoms.exe
    c:\windows\SYSTEM32\nvsvc32.exe
    c:\program files\Alcohol Soft\Alcohol 120\StarWind\StarWindServiceAE.exe
    c:\program files\TVersity\Media Server\MediaServer.exe
    c:\windows\SYSTEM32\wscntfy.exe
    c:\windows\SYSTEM32\rundll32.exe
    .
    **************************************************************************
    .
    Completion time: 2009-10-04 10:17 - machine was rebooted
    ComboFix-quarantined-files.txt 2009-10-04 14:17
    ComboFix2.txt 2007-11-30 03:16

    Pre-Run: 4,740,100,096 bytes free
    Post-Run: 4,988,645,376 bytes free

    WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe
    [boot loader]
    timeout=2
    default=multi(0)disk(0)rdisk(0)partition(2)\WINDOWS
    [operating systems]
    c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
    multi(0)disk(0)rdisk(0)partition(2)\WINDOWS="Microsoft Windows XP Home Edition" /fastdetect /NoExecute=OptIn

    Current=1 Default=1 Failed=0 LastKnownGood=4 Sets=1,2,3,4
    406 --- E O F --- 2009-08-27 21:59

  #12 (Member, Join Date: Nov 2007, Posts: 45)

    Here's the DDS log.


    DDS (Ver_09-09-29.01) - NTFSx86
    Run by Spiderman at 10:30:41.29 on Sun 10/04/2009
    Internet Explorer: 7.0.5730.11
    Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.510.244 [GMT -4:00]


    ============== Running Processes ===============

    C:\WINDOWS\system32\svchost -k DcomLaunch
    svchost.exe
    C:\WINDOWS\System32\svchost.exe -k netsvcs
    svchost.exe
    svchost.exe
    C:\WINDOWS\system32\LEXBCES.EXE
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\system32\LEXPPS.EXE
    svchost.exe
    C:\WINDOWS\system32\lxczcoms.exe
    C:\WINDOWS\system32\nvsvc32.exe
    C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindServiceAE.exe
    C:\WINDOWS\System32\svchost.exe -k imgsvc
    C:\WINDOWS\system32\wscntfy.exe
    C:\WINDOWS\system32\RunDLL32.exe
    C:\WINDOWS\explorer.exe
    C:\WINDOWS\system32\notepad.exe
    C:\WINDOWS\system32\taskmgr.exe
    C:\Documents and Settings\Spiderman\Desktop\dds.pif

    ============== Pseudo HJT Report ===============

    uStart Page = hxxp://www.98rock.com/cc-common/babes/
    uInternet Connection Wizard,ShellNext = iexplore
    uInternet Settings,ProxyOverride = 127.0.0.1
    uURLSearchHooks: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} -
    BHO: AcroIEHlprObj Class: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\adobe\acrobat 7.0\activex\AcroIEHelper.dll
    BHO: dsWebAllowBHO Class: {2f85d76c-0569-466f-a488-493e6bd0e955} - c:\program files\windows desktop search\dsWebAllow.dll
    BHO: AVG Safe Search: {3ca2f312-6f6e-4b53-a66e-4e65e497c8c0} - c:\program files\avg\avg8\avgssie.dll
    BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - c:\progra~1\spybot~1\SDHelper.dll
    BHO: DriveLetterAccess: {5ca3d70e-1895-11cf-8e15-001234567890} - c:\windows\system32\dla\tfswshx.dll
    TB: {4E7BD74F-2B8D-469E-D0FC-E57AF4D5FA7D} - No File
    TB: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} -
    EB: {32683183-48a0-441b-a342-7c2a440a9478} - No File
    EB: {4528BBE0-4E08-11D5-AD55-00010333D0AD} - No File
    mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
    mRun: [NvMediaCenter] RunDLL32.exe NvMCTray.dll,NvTaskbarInit
    mRun: [FaxCenterServer] "c:\program files\lexmark fax solutions\fm3032.exe" /s
    dRunOnce: [RunNarrator] Narrator.exe
    IE: &ieSpell Options - c:\program files\iespell\iespell.dll/SPELLOPTION.HTM
    IE: &Search
    IE: Add to Windows &Live Favorites - http://favorites.live.com/quickadd.aspx
    IE: Check &Spelling - c:\program files\iespell\iespell.dll/SPELLCHECK.HTM
    IE: Lookup on Merriam Webster - file://c:\program files\iespell\Merriam Webster.HTM
    IE: Lookup on Wikipedia - file://c:\program files\iespell\wikipedia.HTM
    IE: {0E17D5B7-9F5D-4fee-9DF6-CA6EE38B68A8} - res://c:\program files\iespell\iespell.dll/SPELLCHECK.HTM
    IE: {1606D6F9-9D3B-4aea-A025-ED5B2FD488E7} - res://c:\program files\iespell\iespell.dll/SPELLOPTION.HTM
    IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
    IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
    IE: {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - c:\windows\system32\msjava.dll
    IE: {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - {FE54FA40-D68C-11d2-98FA-00C0F0318AFE} - c:\windows\system32\Shdocvw.dll
    IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - c:\progra~1\spybot~1\SDHelper.dll
    DPF: Microsoft XML Parser for Java - file://c:\windows\java\classes\xmldso.cab
    DPF: {02BCC737-B171-4746-94C9-0D8A0B2C0089} - hxxp://office.microsoft.com/templates/ieawsdc.cab
    DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} - hxxp://www.pcpitstop.com/pcpitstop/PCPitStop.CAB
    DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} - hxxp://www.kaspersky.com/kos/english/kavwebscan_unicode.cab
    DPF: {205FF73B-CA67-11D5-99DD-444553540000} - hxxp://66.154.44.68/cam/Install.cab
    DPF: {2B323CD9-50E3-11D3-9466-00A0C9700498} - hxxp://us.chat1.yimg.com/us.yimg.com/i/chat/applet/v45/yacscom.cab
    DPF: {33564D57-0000-0010-8000-00AA00389B71} - hxxp://download.microsoft.com/download/F/6/E/F6E491A6-77E1-4E20-9F5F-94901338C922/wmv9VCM.CAB
    DPF: {33564D57-9980-0010-8000-00AA00389B71} - hxxp://codecs.microsoft.com/codecs/i386/wmv9dmo.cab
    DPF: {48DD0448-9209-4F81-9F6D-D83562940134} - hxxp://lads.myspace.com/upload/MySpaceUploader1006.cab
    DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} - hxxp://download.mcafee.com/molbin/shared/mcinsctl/en-us/4,0,0,90/mcinsctl.cab
    DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} - hxxp://by14fd.bay14.hotmail.msn.com/resources/MsnPUpld.cab
    DPF: {67DABFBF-D0AB-41FA-9C46-CC0F21721616} - hxxp://download.divx.com/player/DivXBrowserPlugin.cab
    DPF: {7D1E9C49-BD6A-11D3-87A8-009027A35D73} - hxxp://chat.yahoo.com/cab/yacsui.cab
    DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/products/plugin/autodl/jinstall-142-windows-i586.cab
    DPF: {8E28B3A9-FE83-45D1-B657-D5426B81A121} - hxxps://cs7b.instantservice.com/jars/customerxsigned42.cab
    DPF: {B942A249-D1E7-4C11-98AE-FCB76B08747F} - hxxp://games-dl.real.com/gameconsole/Bundler/CAB/RealArcadeRdxIE.cab
    DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} - hxxp://download.mcafee.com/molbin/shared/mcgdmgr/en-us/1,0,0,23/mcgdmgr.cab
    DPF: {CAFEEFAC-0014-0002-0000-ABCDEFFEDCBA} - hxxp://java.sun.com/products/plugin/autodl/jinstall-142-windows-i586.cab
    DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload2.macromedia.com/get/flashplayer/current/swflash.cab
    DPF: {D9EA64B2-B966-E177-332C-78B69886526D} - hxxp://download.newaol.com/bkpromo/download/PerformerSetup.cab
    DPF: {DE22A7AB-A739-4C58-AD52-21F9CD6306B7} - hxxp://download.microsoft.com/download/7/E/6/7E6A8567-DFE4-4624-87C3-163549BE2704/clearadj.cab
    DPF: {E5D419D6-A846-4514-9FAD-97E826C84822} - hxxp://fdl.msn.com/zone/datafiles/heartbeat.cab
    Notify: igfxcui - igfxsrvc.dll
    SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
    SEH: Windows Desktop Search Namespace Manager: {56f9679e-7826-4c84-81f3-532071a8bcc5} - c:\program files\windows desktop search\MSNLNamespaceMgr.dll
    SecurityProviders: msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll, zwebauth.dll
    LSA: Notification Packages = scecli carcpc.dll

    ============= SERVICES / DRIVERS ===============

    R2 lxcz_device;lxcz_device;c:\windows\system32\lxczcoms.exe -service --> c:\windows\system32\lxczcoms.exe -service [?]
    S3 brfilt;Brother MFC Filter Driver;c:\windows\system32\drivers\BrFilt.sys [2006-8-13 2944]
    S3 brparimg;Brother Multi Function Parallel Image driver;c:\windows\system32\drivers\BrParImg.sys [2006-8-13 3168]
    S3 BrParWdm;Brother WDM Parallel Driver;c:\windows\system32\drivers\BrParwdm.sys [2006-8-13 39552]
    S3 BrSerWDM;Brother Serial driver;c:\windows\system32\drivers\BrSerWdm.sys [2006-8-13 60416]
    S3 DMSKSSRh;DMSKSSRh;\??\c:\docume~1\spider~1\locals~1\temp\dmskssrh.sys --> c:\docume~1\spider~1\locals~1\temp\DMSKSSRh.sys [?]
    S3 SaiNtSub;SaiNtSub;c:\windows\system32\drivers\SaiNtSub.sys [2005-2-4 19200]
    S3 samhid;samhid;c:\windows\system32\drivers\samhid.sys --> c:\windows\system32\drivers\samhid.sys [?]
    UnknownUnknown 3e3b0e9;3e3b0e9; [x]

    =============== Created Last 30 ================

    2009-10-04 10:16 11,520 a------- c:\windows\ifocolaloc.dll
    2009-10-04 10:11 11,554 a------- c:\windows\egoxowalif.dll
    2009-10-04 09:23 <DIR> a-dshr-- C:\cmdcons
    2009-10-04 09:20 229,888 a------- c:\windows\PEV.exe
    2009-10-04 09:20 161,792 a------- c:\windows\SWREG.exe
    2009-10-04 09:20 98,816 a------- c:\windows\sed.exe
    2009-09-12 15:11 <DIR> --d----- c:\windows\system32\wbem\Repository

    ==================== Find3M ====================

    2009-10-04 09:21 182,656 a------- c:\windows\system32\dllcache\ndis.sys
    2009-10-04 09:21 182,656 -------- c:\windows\system32\drivers\ndis.sys
    2009-07-19 09:33 3,597,824 a------- c:\windows\system32\dllcache\mshtml.dll
    2009-07-19 09:32 6,067,200 -------- c:\windows\system32\dllcache\ieframe.dll
    2009-07-17 15:01 58,880 a------- c:\windows\system32\atl.dll
    2009-07-17 15:01 58,880 a------- c:\windows\system32\atl(3)(3).dll
    2009-07-17 15:01 58,880 -------- c:\windows\system32\dllcache\atl.dll
    2009-07-13 23:43 10,841,088 a------- c:\windows\system32\dllcache\wmp.dll
    2009-07-13 23:43 286,208 a------- c:\windows\system32\wmpdxm.dll
    2009-07-13 23:43 286,208 -------- c:\windows\system32\dllcache\wmpdxm.dll
    2009-07-10 09:27 1,315,328 -------- c:\windows\system32\dllcache\msoe.dll
    2007-03-29 09:13 87,608 a------- c:\docume~1\spider~1\applic~1\ezpinst.exe
    2007-03-29 09:13 47,360 a------- c:\docume~1\spider~1\applic~1\pcouffin.sys
    2006-11-25 03:57 482 a------- c:\program files\Del.js
    2005-08-21 12:42 905 ac------ c:\program files\uninstal.log
    2004-07-09 19:24 784 a------- c:\docume~1\spider~1\applic~1\mpauth.dat
    2006-01-11 02:41 56 ---shr-- c:\windows\system32\6BBF71BA10.sys
    2006-09-23 20:47 10,856 a--sh--- c:\windows\system32\KGyGaAvL.sys
    2009-02-09 23:52 32,768 a--sh--- c:\windows\system32\config\systemprofile\local settings\history\history.ie5\mshist012009020920090210\index.dat

    ============= FINISH: 10:31:40.98 ===============

  #13 (Member, Join Date: Nov 2007, Posts: 45)

    Also, if needed, the attach.txt log that accompanies it. The computer is running faster already too.



    UNLESS SPECIFICALLY INSTRUCTED, DO NOT POST THIS LOG.
    IF REQUESTED, ZIP IT UP & ATTACH IT

    DDS (Ver_09-09-29.01)

    Microsoft Windows XP Home Edition
    Boot Device: \Device\HarddiskVolume2
    Install Date: 7/9/2004 6:12:37 PM
    System Uptime: 10/4/2009 9:53:49 AM (1 hours ago)

    Motherboard: Dell Computer Corp. | | 0C2425
    Processor: Intel(R) Celeron(R) CPU 2.50GHz | Microprocessor | 2491/400mhz

    ==== Disk Partitions =========================

    C: is FIXED (NTFS) - 71 GiB total, 4.678 GiB free.
    D: is CDROM ()
    E: is CDROM ()
    F: is CDROM ()

    ==== Disabled Device Manager Items =============

    Class GUID: {4D36E96E-E325-11CE-BFC1-08002BE10318}
    Description: Plug and Play Monitor
    Device ID: DISPLAY\DELD002\4&328453E3&0&80861100&00&02
    Manufacturer: (Standard monitor types)
    Name: Plug and Play Monitor
    PNP Device ID: DISPLAY\DELD002\4&328453E3&0&80861100&00&02
    Service:

    Class GUID: {4D36E96D-E325-11CE-BFC1-08002BE10318}
    Description: Intel(R) 537EP V9x DFV PCI Modem
    Device ID: PCI\VEN_8086&DEV_1080&SUBSYS_10001028&REV_04\4&3B1CAF2B&0&30F0
    Manufacturer: Intel Corporation
    Name: Intel(R) 537EP V9x DFV PCI Modem
    PNP Device ID: PCI\VEN_8086&DEV_1080&SUBSYS_10001028&REV_04\4&3B1CAF2B&0&30F0
    Service: Modem

    Class GUID: {4D36E980-E325-11CE-BFC1-08002BE10318}
    Description: Floppy disk drive
    Device ID: FDC\GENERIC_FLOPPY_DRIVE\5&C4AE404&0&0
    Manufacturer: (Standard floppy disk drives)
    Name: Floppy disk drive
    PNP Device ID: FDC\GENERIC_FLOPPY_DRIVE\5&C4AE404&0&0
    Service: flpydisk

    Class GUID: {8ECC055D-047F-11D1-A537-0000F8753ED1}
    Description: ATI WDM TV Tuner (Microsoft)
    Device ID: ROOT\LEGACY_ATITUNEP\0000
    Manufacturer:
    Name: ATI WDM TV Tuner (Microsoft)
    PNP Device ID: ROOT\LEGACY_ATITUNEP\0000
    Service: ATITUNEP

    Class GUID: {8ECC055D-047F-11D1-A537-0000F8753ED1}
    Description: ATI WDM TV Audio Crossbar (Microsoft)
    Device ID: ROOT\LEGACY_ATIXSAUDIO\0000
    Manufacturer:
    Name: ATI WDM TV Audio Crossbar (Microsoft)
    PNP Device ID: ROOT\LEGACY_ATIXSAUDIO\0000
    Service: ATIXSAudio

    Class GUID: {8ECC055D-047F-11D1-A537-0000F8753ED1}
    Description: ATI WDM Specialized MVD Codec (Microsoft)
    Device ID: ROOT\LEGACY_MVDCODEC\0000
    Manufacturer:
    Name: ATI WDM Specialized MVD Codec (Microsoft)
    PNP Device ID: ROOT\LEGACY_MVDCODEC\0000
    Service: MVDCODEC

    Class GUID: {8ECC055D-047F-11D1-A537-0000F8753ED1}
    Description: ATI WDM Specialized PCD Codec (Microsoft)
    Device ID: ROOT\LEGACY_PCDCODEC\0000
    Manufacturer:
    Name: ATI WDM Specialized PCD Codec (Microsoft)
    PNP Device ID: ROOT\LEGACY_PCDCODEC\0000
    Service: PCDCODEC

    ==== System Restore Points ===================

    RP536: 9/11/2009 6:08:04 PM - Restore Operation
    RP537: 9/12/2009 3:07:10 PM - Restore Operation
    RP538: 9/13/2009 3:49:33 PM - System Checkpoint
    RP539: 9/14/2009 4:58:05 PM - System Checkpoint
    RP540: 9/15/2009 5:29:48 PM - System Checkpoint
    RP541: 9/16/2009 6:30:49 PM - System Checkpoint
    RP542: 9/17/2009 7:03:11 PM - System Checkpoint
    RP543: 9/18/2009 7:29:50 PM - System Checkpoint
    RP544: 9/19/2009 8:57:54 PM - System Checkpoint
    RP545: 9/20/2009 9:29:33 PM - System Checkpoint
    RP546: 9/21/2009 9:36:49 PM - System Checkpoint
    RP547: 9/22/2009 11:56:59 PM - System Checkpoint
    RP548: 9/24/2009 12:34:10 AM - System Checkpoint
    RP549: 9/25/2009 1:02:38 AM - System Checkpoint
    RP550: 9/26/2009 2:02:31 AM - System Checkpoint
    RP551: 9/27/2009 3:02:46 AM - System Checkpoint
    RP552: 9/28/2009 4:02:32 AM - System Checkpoint
    RP553: 9/29/2009 7:45:36 AM - System Checkpoint
    RP554: 9/30/2009 8:44:28 AM - System Checkpoint
    RP555: 10/1/2009 9:44:27 AM - System Checkpoint
    RP556: 10/2/2009 10:44:17 AM - System Checkpoint
    RP557: 10/3/2009 11:21:28 AM - System Checkpoint

    ==== Installed Programs ======================


    ABBYY FineReader 6.0 Sprint
    AC3Filter (remove only)
    Adobe Acrobat 5.0
    Adobe Flash Player 10 ActiveX
    Adobe Reader 7.0
    AOL Instant Messenger
    AutoUpdate
    Banctec Service Agreement
    Battlefield 2(TM)
    Bejeweled 2 Deluxe 1.0
    Big Fish Games Client
    Bookworm Deluxe 1.03
    Broadcom Management Programs
    Business Card Generator Fonts
    Business Card Shop
    Chutes and Ladders
    Critical Update for Windows Media Player 11 (KB959772)
    dBpoweramp DSP Effects
    Deer Avenger
    Dell Driver Reset Tool
    Dell Networking Guide
    Dell Solution Center
    DivX Codec
    DVDSentry
    Dyno2000 Version 3.10
    ffdshow [rev 1324] [2007-07-01]
    Google Video Player
    GTAIII
    HarryThompson.com - Webjal Patcher
    Help and Support Customization
    HighMAT Extension to Microsoft Windows XP CD Writing Wizard
    HijackThis 2.0.2
    Hot Rod Garage to Glory
    Hotfix for Microsoft .NET Framework 3.5 SP1 (KB953595)
    Hotfix for Microsoft .NET Framework 3.5 SP1 (KB958484)
    Hotfix for Windows Internet Explorer 7 (KB947864)
    Hotfix for Windows Media Format 11 SDK (KB929399)
    Hotfix for Windows Media Player 11 (KB939683)
    Hotfix for Windows XP (KB952287)
    Hotfix for Windows XP (KB954550-v5)
    Hotfix for Windows XP (KB954708)
    ieSpell
    Intel(R) 537EP V9x DFV PCI Modem
    Intel(R) Extreme Graphics Driver
    Internet Explorer Default Page
    IrfanView (remove only)
    Java 2 Runtime Environment, SE v1.4.2
    Kaspersky Online Scanner
    Learn2 Player (Uninstall Only)
    Lexmark 1200 Series
    Lexmark 640 Series
    Lexmark Fax Solutions
    Macromedia Flash Player
    Macromedia Shockwave Player
    MathPlayer
    Microsoft .NET Framework 1.1
    Microsoft .NET Framework 1.1 Hotfix (KB928366)
    Microsoft .NET Framework 2.0 Service Pack 2
    Microsoft .NET Framework 3.0 Service Pack 2
    Microsoft .NET Framework 3.5 SP1
    Microsoft Age of Empires Gold
    Microsoft Application Error Reporting
    Microsoft Compression Client Pack 1.0 for Windows XP
    Microsoft Data Access Components KB870669
    Microsoft Internationalized Domain Names Mitigation APIs
    Microsoft National Language Support Downlevel APIs
    Microsoft Office PowerPoint Viewer 2003
    Microsoft Silverlight
    Microsoft User-Mode Driver Framework Feature Pack 1.0
    Microsoft Visual C++ 2005 ATL Update kb973923 - x86 8.0.50727.4053
    Microsoft Visual C++ 2005 Redistributable
    MicroStaff WINASPI
    Mobsters Superbot
    Modem Event Monitor
    MS Access 97 SP2
    MSXML 4.0 SP2 (KB925672)
    MSXML 4.0 SP2 (KB927978)
    MSXML 4.0 SP2 (KB936181)
    MSXML 4.0 SP2 (KB954430)
    MSXML 4.0 SP2 Parser and SDK
    MyJAL MediaPAL
    Mystery Case Files: Madame Fate ™
    Need For Speed Hot Pursuit 2
    Network Play System (Patching)
    NVIDIA Drivers
    ObjectDock
    PeerGuardian 2.0
    PowerDVD
    QuickTime
    R/C Pilot Simulator
    RealFlight G3 R/C Simulator
    RealFlight Simulator
    RealPlayer
    Saitek Configuration Software
    Saitek NT Controller Drivers
    Samsung CamCorder Driver
    Samsung Video Codec 1.1 Uninstall
    Security Update for CAPICOM (KB931906)
    Security Update for Step By Step Interactive Training (KB898458)
    Security Update for Step By Step Interactive Training (KB923723)
    Security Update for Windows Internet Explorer 7 (KB928090)
    Security Update for Windows Internet Explorer 7 (KB929969)
    Security Update for Windows Internet Explorer 7 (KB931768)
    Security Update for Windows Internet Explorer 7 (KB933566)
    Security Update for Windows Internet Explorer 7 (KB937143)
    Security Update for Windows Internet Explorer 7 (KB938127)
    Security Update for Windows Internet Explorer 7 (KB939653)
    Security Update for Windows Internet Explorer 7 (KB942615)
    Security Update for Windows Internet Explorer 7 (KB944533)
    Security Update for Windows Internet Explorer 7 (KB950759)
    Security Update for Windows Internet Explorer 7 (KB958215)
    Security Update for Windows Internet Explorer 7 (KB960714)
    Security Update for Windows Internet Explorer 7 (KB961260)
    Security Update for Windows Internet Explorer 7 (KB963027)
    Security Update for Windows Internet Explorer 7 (KB969897)
    Security Update for Windows Internet Explorer 7 (KB972260)
    Security Update for Windows Media Player (KB911564)
    Security Update for Windows Media Player (KB952069)
    Security Update for Windows Media Player (KB973540)
    Security Update for Windows Media Player 10 (KB911565)
    Security Update for Windows Media Player 10 (KB917734)
    Security Update for Windows Media Player 10 (KB936782)
    Security Update for Windows Media Player 11 (KB936782)
    Security Update for Windows Media Player 11 (KB954154)
    Security Update for Windows Media Player 6.4 (KB925398)
    Security Update for Windows XP (KB923561)
    Security Update for Windows XP (KB923689)
    Security Update for Windows XP (KB938464-v2)
    Security Update for Windows XP (KB938464)
    Security Update for Windows XP (KB941569)
    Security Update for Windows XP (KB946648)
    Security Update for Windows XP (KB950760)
    Security Update for Windows XP (KB950762)
    Security Update for Windows XP (KB950974)
    Security Update for Windows XP (KB951066)
    Security Update for Windows XP (KB951376-v2)
    Security Update for Windows XP (KB951376)
    Security Update for Windows XP (KB951698)
    Security Update for Windows XP (KB951748)
    Security Update for Windows XP (KB952004)
    Security Update for Windows XP (KB952954)
    Security Update for Windows XP (KB954211)
    Security Update for Windows XP (KB954459)
    Security Update for Windows XP (KB954600)
    Security Update for Windows XP (KB955069)
    Security Update for Windows XP (KB956391)
    Security Update for Windows XP (KB956572)
    Security Update for Windows XP (KB956802)
    Security Update for Windows XP (KB956803)
    Security Update for Windows XP (KB956841)
    Security Update for Windows XP (KB957097)
    Security Update for Windows XP (KB958644)
    Security Update for Windows XP (KB958687)
    Security Update for Windows XP (KB958690)
    Security Update for Windows XP (KB959426)
    Security Update for Windows XP (KB960225)
    Security Update for Windows XP (KB960715)
    Security Update for Windows XP (KB960803)
    Security Update for Windows XP (KB960859)
    Security Update for Windows XP (KB961371)
    Security Update for Windows XP (KB961373)
    Security Update for Windows XP (KB961501)
    Security Update for Windows XP (KB968537)
    Security Update for Windows XP (KB969898)
    Security Update for Windows XP (KB970238)
    Security Update for Windows XP (KB971633)
    Security Update for Windows XP (KB971657)
    Security Update for Windows XP (KB973346)
    Security Update for Windows XP (KB973354)
    Security Update for Windows XP (KB973507)
    Shockwave
    Sonic DLA
    Sonic RecordNow!
    Sonic Update Manager
    Spybot - Search & Destroy
    Spybot - Search & Destroy 1.5.2.20
    SpywareBlaster v3.5.1
    TVersity Codec Pack 1.1
    TVersity Media Server 0.9.11.4 beta
    Update for Microsoft .NET Framework 3.5 SP1 (KB963707)
    Update for Windows XP (KB951978)
    Update for Windows XP (KB955839)
    Update for Windows XP (KB968389)
    Viewpoint Media Player
    Visual FoxPro ODBC Driver
    WavePad Uninstall
    WebFldrs XP
    Webjal install by HarryThompson.com
    Windows Desktop Search
    Windows Genuine Advantage Notifications (KB905474)
    Windows Genuine Advantage Validation Tool (KB892130)
    Windows Internet Explorer 7
    Windows Live Sign-in Assistant
    Windows Live Sync
    Windows Live Upload Tool
    Windows Media Format 11 runtime
    Windows Media Player 11
    Windows XP Service Pack 3
    WinRAR archiver
    ZoneAlarm Spy Blocker

    ==== Event Viewer Messages From Past Week ========

    9/29/2009 8:00:52 PM, error: DCOM [10005] - DCOM got error "%2" attempting to start the service wuauserv with arguments "" in order to run the server: {E60687F7-01A1-40AA-86AC-DB1CBF673334}
    9/29/2009 6:59:20 AM, error: Service Control Manager [7034] - The TVersityMediaServer service terminated unexpectedly. It has done this 1 time(s).
    9/29/2009 6:40:53 AM, error: Service Control Manager [7000] - The Background Intelligent Transfer Service service failed to start due to the following error: The system cannot find the file specified.
    9/29/2009 6:40:53 AM, error: Service Control Manager [7000] - The Automatic Updates service failed to start due to the following error: The system cannot find the file specified.
    9/27/2009 9:15:15 AM, error: W32Time [17] - Time Provider NtpClient: An error occurred during DNS lookup of the manually configured peer 'time.windows.com,0x1'. NtpClient will try the DNS lookup again in 30 minutes. The error was: A socket operation was attempted to an unreachable host. (0x80072751)
    9/27/2009 9:00:15 AM, error: W32Time [17] - Time Provider NtpClient: An error occurred during DNS lookup of the manually configured peer 'time.windows.com,0x1'. NtpClient will try the DNS lookup again in 15 minutes. The error was: A socket operation was attempted to an unreachable host. (0x80072751)
    10/4/2009 9:26:46 AM, error: Service Control Manager [7009] - Timeout (30000 milliseconds) waiting for the PEVSystemStart service to connect.

    ==== End Of File ===========================

  4. #14
    Security Expert: Emeritus Blade81
    Join Date
    Oct 2006
    Location
    Finland
    Posts
    25,288

    Default

    Hi,


    Open notepad and copy/paste the text in the quotebox below into it:

    Code:
    http://forums.spybot.info/showthread.php?p=339991#post339991
    Driver::
    3e3b0e9
    Collect::
    c:\windows\carcpc.dll
    File::
    c:\windows\ifocolaloc.dll
    c:\windows\egoxowalif.dll
    c:\windows\Ulujoqafarip.dat
    c:\program files\Del.js
    DDS::
    TB: {4E7BD74F-2B8D-469E-D0FC-E57AF4D5FA7D} - No File
    EB: {32683183-48a0-441b-a342-7c2a440a9478} - No File
    EB: {4528BBE0-4E08-11D5-AD55-00010333D0AD} - No File
    DPF: {B942A249-D1E7-4C11-98AE-FCB76B08747F} - hxxp://games-dl.real.com/gameconsole/Bundler/CAB/RealArcadeRdxIE.cab
    Registry::
    [HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
    "Notification Packages"=hex(7):73,63,65,63,6c,69,00,00
    [-HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^PowerReg Scheduler.exe]
    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
    "runner1"=-
    [HKEY_LOCAL_MACHINE\software\microsoft\security center]
    "UpdatesDisableNotify"=dword:00000000

    Save this as CFScript

    A word of warning: Neither I nor sUBs are responsible for any damage you may have caused your machine. This tool is not a toy and not for everyday use.



    Close all browser windows and, referring to the picture above, drag CFScript into ComboFix.exe.
    Then post the resultant log.


    Uninstall old Adobe Reader versions and get the latest one (9.1 + updates 9.1.2 and 9.1.3 for it) here, or get Foxit Reader here. Make sure you don't install the toolbar if you choose Foxit Reader! You may also check the free readers introduced here.

    Do you really need Adobe Acrobat 5.0? If not, I strongly recommend uninstalling it, since it's badly outdated.

    Uninstall your current Shockwave Player and get the fresh one here if needed.

    Check here to see if your Flash is up to date (do it separately with each of your browsers). If not, uninstall vulnerable versions by following the instructions here. A fresh version can be obtained here.


    Your Java is out of date. Older versions have vulnerabilities that malware can use to infect your system. Please follow these steps to remove older version Java components and update to the latest version...

    Updating Java:
    • Download the latest version of Java Runtime Environment (JRE) 6 Update 16.
    • Click the Download button to the right.
    • Select Windows in the platform combobox and check the box that says: Accept License Agreement. Click Continue.
    • The page will refresh.
    • Click on the link to download Windows Offline Installation with or without Multi-language and save to your desktop.
    • Close any programs you may have running - especially your web browser.
    • Go to Start > Control Panel, double-click on Add/Remove Programs and remove all older versions of Java.
    • Check any item with Java Runtime Environment (JRE or J2SE) in the name.
    • Click the Remove or Change/Remove button.
    • Repeat as many times as necessary to remove each Java version.
    • Reboot your computer once all Java components are removed.
    • Then from your desktop double-click on jre-6u16-windows-i586-p.exe to install the newest version. Uncheck Carbonite online backup trial if it's offered there.



    Download ATF (Atribune Temp File) Cleaner© by Atribune to your desktop.

    Double-click ATF Cleaner.exe to open it.

    Under Main choose:
    Windows Temp
    Current User Temp
    All Users Temp
    Cookies
    Temporary Internet Files
    Prefetch
    Java Cache

    *The other boxes are optional*
    Then click the Empty Selected button.

    If you use Firefox:
    Click Firefox at the top and choose: Select All
    Click the Empty Selected button.
    NOTE: If you would like to keep your saved passwords, please click NO at the prompt.

    If you use Opera:
    Click Opera at the top and choose: Select All
    Click the Empty Selected button.
    NOTE: If you would like to keep your saved passwords, please click NO at the prompt.

    Click Exit on the Main menu to close the program.


    Please run an online scan with Kaspersky Online Scanner as instructed in the screenshot here.


    Post back its report, a fresh dds.txt log and the above-mentioned ComboFix resultant log.
    Microsoft Windows Insider MVP 2016-2020
    Microsoft MVP Consumer Security 2008-2015
    UNITE member since 2006

    If you have problems create a thread in the forum, please.

    Malware removal instructions are for the correspondent user's case only.

  5. #15
    Member
    Join Date
    Nov 2007
    Posts
    45

    Default

    Here's the fresh ComboFix log after pasting the text file. Will be doing the following steps shortly.


    ComboFix 09-10-03.01 - Spiderman 10/04/2009 12:31.3.1 - NTFSx86
    Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.510.240 [GMT -4:00]
    Running from: c:\documents and settings\Spiderman\Desktop\ComboFix.exe
    Command switches used :: c:\documents and settings\Spiderman\Desktop\CFScript.txt

    FILE ::
    "c:\program files\Del.js"
    "c:\windows\egoxowalif.dll"
    "c:\windows\ifocolaloc.dll"
    "c:\windows\Ulujoqafarip.dat"

    file zipped: c:\windows\carcpc.dll
    .

    ((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
    .

    c:\program files\Common
    c:\program files\Common\_helper.sig
    c:\program files\Del.js
    c:\program files\Shared
    c:\windows\carcpc.dll
    c:\windows\egoxowalif.dll
    c:\windows\ifocolaloc.dll
    c:\windows\okaleriweso.dll
    c:\windows\system32\dsound3dd.dll
    c:\windows\Ulujoqafarip.dat

    .
    ((((((((((((((((((((((((( Files Created from 2009-09-04 to 2009-10-04 )))))))))))))))))))))))))))))))
    .

    2009-09-12 19:11 . 2009-09-12 19:11 -------- d-----w- c:\windows\system32\wbem\Repository
    2009-09-04 17:15 . 2009-09-12 19:11 -------- d-----w- c:\documents and settings\Bobo\Local Settings\Application Data\{7774A5C0-4F5A-4A25-A039-29FB6B2E855C}

    .
    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2009-10-04 13:21 . 2002-08-29 10:00 182656 ------w- c:\windows\system32\drivers\ndis.sys
    2009-09-30 00:02 . 2005-12-30 00:37 -------- d-----w- c:\program files\Common Files\KnifeEdge
    2009-09-14 21:38 . 2005-07-13 03:08 -------- d-----w- c:\program files\Program Files
    2009-09-12 19:10 . 2009-03-15 00:26 -------- d-----w- c:\program files\Microsoft Silverlight
    2009-09-03 03:58 . 2004-07-09 22:13 118440 ----a-w- c:\documents and settings\Spiderman\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
    2009-08-25 21:35 . 2009-08-25 16:29 -------- d-----w- c:\documents and settings\All Users\Application Data\10983904
    2009-08-06 21:57 . 2009-08-06 21:57 -------- d-----w- c:\program files\MSBuild
    2009-08-06 21:56 . 2009-08-06 21:56 -------- d-----w- c:\program files\Reference Assemblies
    2009-07-17 19:01 . 2002-08-29 10:00 58880 ----a-w- c:\windows\system32\atl.dll
    2009-07-17 19:01 . 2002-08-29 10:00 58880 ----a-w- c:\windows\system32\atl(3)(3).dll
    2009-07-14 03:43 . 2004-08-11 05:45 286208 ----a-w- c:\windows\system32\wmpdxm.dll
    2005-08-21 16:42 . 2005-06-27 23:17 905 -c--a-w- c:\program files\uninstal.log
    2006-01-11 06:41 . 2004-08-29 00:07 56 --sh--r- c:\windows\SYSTEM32\6BBF71BA10.sys
    2006-09-24 00:47 . 2004-08-29 00:07 10856 --sha-w- c:\windows\SYSTEM32\KGyGaAvL.sys
    .

    ((((((((((((((((((((((((((((( SnapShot@2009-10-04_14.11.07 )))))))))))))))))))))))))))))))))))))))))
    .
    + 2009-10-04 16:44 . 2009-10-04 16:44 40960 c:\windows\temp\rtdrvmon.exe
    - 2009-10-04 13:54 . 2009-10-04 13:54 40960 c:\windows\temp\rtdrvmon.exe
    .
    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legit default entries are not shown
    REGEDIT4

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2005-05-12 6729728]
    "FaxCenterServer"="c:\program files\Lexmark Fax Solutions\fm3032.exe" [2007-02-08 295856]
    "NvMediaCenter"="NvMCTray.dll" - c:\windows\SYSTEM32\nvmctray.dll [2005-05-12 86016]

    [HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
    "RunNarrator"="Narrator.exe" - c:\windows\SYSTEM32\narrator.exe [2008-04-14 53760]

    [hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
    "{56F9679E-7826-4C84-81F3-532071A8BCC5}"= "c:\program files\Windows Desktop Search\MSNLNamespaceMgr.dll" [2006-03-13 233472]

    [HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders]
    SecurityProviders msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll, zwebauth.dll

    [HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk.disabled]
    path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Adobe Reader Speed Launch.lnk.disabled
    backup=c:\windows\pss\Adobe Reader Speed Launch.lnk.disabledCommon Startup

    [HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Exif Launcher.lnk]
    path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Exif Launcher.lnk
    backup=c:\windows\pss\Exif Launcher.lnkCommon Startup

    [HKLM\~\startupfolder\C:^Documents and Settings^Spiderman^Start Menu^Programs^Startup^clippy.exe]
    path=c:\documents and settings\Spiderman\Start Menu\Programs\Startup\clippy.exe
    backup=c:\windows\pss\clippy.exeStartup

    [HKLM\~\startupfolder\C:^Documents and Settings^Spiderman^Start Menu^Programs^Startup^Magnifier.lnk]
    path=c:\documents and settings\Spiderman\Start Menu\Programs\Startup\Magnifier.lnk
    backup=c:\windows\pss\Magnifier.lnkStartup

    [HKLM\~\startupfolder\C:^Documents and Settings^Spiderman^Start Menu^Programs^Startup^Stardock ObjectDock.lnk]
    path=c:\documents and settings\Spiderman\Start Menu\Programs\Startup\Stardock ObjectDock.lnk
    backup=c:\windows\pss\Stardock ObjectDock.lnkStartup

    [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run-]
    "Insider"=c:\program files\Insider\Insider.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
    "QuickTime Task"="c:\program files\QuickTime\bak\qttask.exe" -atboottime
    "nwiz"=nwiz.exe /install

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
    "DisableNotifications"= 1 (0x1)

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
    "c:\\WINDOWS\\SYSTEM32\\lxczcoms.exe"=
    "%windir%\\Network Diagnostic\\xpnetdiag.exe"=
    "%windir%\\system32\\sessmgr.exe"=
    "c:\\Program Files\\Windows Live\\Sync\\WindowsLiveSync.exe"=
    "c:\\Program Files\\Summitsoft\\Business Card Shop\\FRegister.exe"=
    "c:\\Program Files\\Summitsoft\\Business Card Shop\\BCGUpdate.exe"=
    "c:\\Program Files\\Summitsoft\\Business Card Shop\\Summitsoft Products.exe"=
    "c:\\Program Files\\Summitsoft\\Business Card Shop\\BCGFonts.exe"=
    "c:\\Program Files\\Summitsoft\\Business Card Shop\\Splash_LDS.exe"=
    "c:\\Program Files\\Summitsoft\\Business Card Shop\\Splash Series 1_Oct132008.exe"=

    S3 brfilt;Brother MFC Filter Driver;c:\windows\SYSTEM32\DRIVERS\BrFilt.sys [8/13/2006 9:48 AM 2944]
    S3 brparimg;Brother Multi Function Parallel Image driver;c:\windows\SYSTEM32\DRIVERS\BrParImg.sys [8/13/2006 9:48 AM 3168]
    S3 BrParWdm;Brother WDM Parallel Driver;c:\windows\SYSTEM32\DRIVERS\BrParwdm.sys [8/13/2006 9:48 AM 39552]
    S3 BrSerWDM;Brother Serial driver;c:\windows\SYSTEM32\DRIVERS\BrSerWdm.sys [8/13/2006 9:48 AM 60416]
    S3 DMSKSSRh;DMSKSSRh;\??\c:\docume~1\SPIDER~1\LOCALS~1\Temp\DMSKSSRh.sys --> c:\docume~1\SPIDER~1\LOCALS~1\Temp\DMSKSSRh.sys [?]
    S3 SaiNtSub;SaiNtSub;c:\windows\SYSTEM32\DRIVERS\SaiNtSub.sys [2/4/2005 10:28 PM 19200]
    S3 samhid;samhid;c:\windows\system32\drivers\samhid.sys --> c:\windows\system32\drivers\samhid.sys [?]
    .
    .
    ------- Supplementary Scan -------
    .
    uStart Page = hxxp://www.98rock.com/cc-common/babes/
    uInternet Connection Wizard,ShellNext = iexplore
    uInternet Settings,ProxyOverride = 127.0.0.1
    IE: &ieSpell Options - c:\program files\ieSpell\iespell.dll/SPELLOPTION.HTM
    IE: &Search
    IE: Add to Windows &Live Favorites - http://favorites.live.com/quickadd.aspx
    IE: Check &Spelling - c:\program files\ieSpell\iespell.dll/SPELLCHECK.HTM
    IE: Lookup on Merriam Webster - file://c:\program files\ieSpell\Merriam Webster.HTM
    IE: Lookup on Wikipedia - file://c:\program files\ieSpell\wikipedia.HTM
    DPF: Microsoft XML Parser for Java - file://c:\windows\Java\classes\xmldso.cab
    DPF: {D9EA64B2-B966-E177-332C-78B69886526D} - hxxp://download.newaol.com/bkpromo/download/PerformerSetup.cab
    .

    **************************************************************************

    catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
    Rootkit scan 2009-10-04 12:45
    Windows 5.1.2600 Service Pack 3 NTFS

    scanning hidden processes ...

    scanning hidden autostart entries ...

    scanning hidden files ...

    scan completed successfully
    hidden files: 0

    **************************************************************************
    .
    --------------------- LOCKED REGISTRY KEYS ---------------------

    [HKEY_USERS\S-1-5-21-1665667976-894762885-3311537992-1007\Software\Microsoft\SystemCertificates\AddressBook*]
    @Allowed: (Read) (RestrictedCode)
    @Allowed: (Read) (RestrictedCode)
    .
    --------------------- DLLs Loaded Under Running Processes ---------------------

    - - - - - - - > 'explorer.exe'(4052)
    c:\windows\system32\WININET.dll
    c:\windows\system32\ieframe.dll
    c:\windows\system32\WPDShServiceObj.dll
    c:\windows\system32\PortableDeviceTypes.dll
    c:\windows\system32\PortableDeviceApi.dll
    .
    ------------------------ Other Running Processes ------------------------
    .
    c:\windows\SYSTEM32\LEXBCES.EXE
    c:\windows\SYSTEM32\LEXPPS.EXE
    c:\windows\SYSTEM32\lxczcoms.exe
    c:\windows\SYSTEM32\nvsvc32.exe
    c:\program files\Alcohol Soft\Alcohol 120\StarWind\StarWindServiceAE.exe
    c:\program files\TVersity\Media Server\MediaServer.exe
    c:\windows\SYSTEM32\wscntfy.exe
    c:\windows\SYSTEM32\rundll32.exe
    .
    **************************************************************************
    .
    Completion time: 2009-10-04 12:54 - machine was rebooted
    ComboFix-quarantined-files.txt 2009-10-04 16:54
    ComboFix2.txt 2009-10-04 14:17
    ComboFix3.txt 2007-11-30 03:16

    Pre-Run: 4,962,119,680 bytes free
    Post-Run: 4,930,002,944 bytes free

    Current=1 Default=1 Failed=0 LastKnownGood=4 Sets=1,2,3,4
    166 --- E O F --- 2009-08-27 21:59

  6. #16
    Security Expert: Emeritus Blade81
    Join Date
    Oct 2006
    Location
    Finland
    Posts
    25,288

    Default

    will be doing the following steps shortly.
    Ok. Please see also if you can find a zip file with a name beginning with [4]-Submit. Upload it here. Kindly include a link to this topic in the message.

  7. #17
    Member
    Join Date
    Nov 2007
    Posts
    45

    Default

    I ran a search for said file ([4]-Submit) through WinRAR and came up with zero results. Are there any other methods to find this file if it's present?

    Currently I'm attempting to update Java. I get to the step of clicking "the link to download Windows Offline Installation with or without Multi-language and save to your desktop" and I do not find the link to update offline. Should I continue with the installation that the site suggests? All other steps have been completed successfully.

    I cannot express how much I appreciate your help in this matter. The computer is running much better already, but I know there are more steps to follow. I'm patiently awaiting further instructions to ensure things go as they should.

  8. #18
    Security Expert: Emeritus Blade81
    Join Date
    Oct 2006
    Location
    Finland
    Posts
    25,288

    Default

    Sorry, I should have been more specific. See if you can find a .zip file beginning with that name in the c:\qoobox\quarantine folder.

  9. #19
    Member
    Join Date
    Nov 2007
    Posts
    45

    Default

    I found and submitted the [4]-Submit zip file; it was right where you said it was.

    I'm still not sure what to do with the offline installation for Java, though; I still don't find a link for it. Should I continue with the method the site gives me? I have not done the ATF Cleaner or the Kaspersky scan yet because of the Java update issue. Should I continue on with the rest of the steps without updating Java?

  10. #20
    Member
    Join Date
    Nov 2007
    Posts
    45

    Default

    Alright, I figured the Java update out once I found the correct link.
    I will be finishing up the rest after I get home from work today.
