"Safe" for years and now (need help, hijack log incl)...



user1997
2008-02-11, 23:08
Hello. Thanks in advance for helping.

I use Avast, Zonealarm, and Ad-Aware SE.

I tried to do the things in "BEFORE you POST" (READ this Procedure BEFORE Requesting Assistance). I'm serious about this and ready to work.

I tried to use Kaspersky Online Scanner and it didn't work. I use Firefox and Internet Explorer doesn't work.

I downloaded Spybot-S&D but when I tried to install it, it gave me an error after it was saying "File: updallocator.php (1 of 1)" and "Status: Connecting to 66.153.203.218". Zonealarm asked me to give setup permission and I accepted.

I downloaded the new Hijackthis and created a log. I put it at the bottom of this.

My main problem is as of about 3 months ago I can no longer see pictures in email in my Outlook 2000 (9.0.0.2711) and Internet Explorer 6 doesn't work any longer. I have been using Firefox for over a year though but I'm uncomfortable that IE6 doesn't work.

It started after I downloaded a program off www.download.com to disguise my IP address. I did a lot of research and its earlier version was even advertised by Zonealarm's company. The program was buggy and I didn't end up using it. Plus it did the same to my friend's computer who downloaded it at the same time. (At least it got him to finally start using Firefox, he hates change hahaha.)

Also, as of last night when I tried to remove and reinstall Internet Explorer, my hard drive seems to be "doing something" constantly. I could be paranoid though.

I don't think I was successful in removing IE6 but I did reinstall it by running the download I got off the Microsoft website. Pictures are still missing and IE6 doesn't work.

Here is my log...

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 12:26:24 PM, on 2/11/2008
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Boot mode: Normal

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\Program Files\Common Files\Seagate\Schedule2\schedul2.exe
C:\Avast4\aswUpdSv.exe
C:\Avast4\ashServ.exe
C:\WINNT\system32\CTSvcCDA.EXE
C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\system32\nvsvc32.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\system32\stisvc.exe
C:\Program Files\Viewpoint\Common\ViewpointService.exe
C:\WINNT\Explorer.EXE
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\system32\MsPMSPSv.exe
C:\WINNT\system32\svchost.exe
C:\Avast4\ashWebSv.exe
C:\Avast4\ashMaiSv.exe
C:\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\PowerDVD\PDVDServ.exe
C:\Audigy 2 ZS\Surround Mixer\CTSysVol.exe
C:\Audigy 2 ZS\DVDAudio\CTDVDDet.EXE
C:\WINNT\system32\CTHELPER.EXE
C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe
C:\Avast4\ashDisp.exe
C:\WINNT\system32\RUNDLL32.EXE
C:\iTunes\iTunesHelper.exe
C:\Program Files\Seagate\DiscWizard\DiscWizardMonitor.exe
C:\iPod\bin\iPodService.exe
C:\WINNT\system32\rundll32.exe
C:\Program Files\Seagate\DiscWizard\TimounterMonitor.exe
C:\Program Files\Common Files\Seagate\Schedule2\schedhlp.exe
C:\WINNT\system32\wuauclt.exe
C:\ZoneAlarm\zlclient.exe
C:\Creative MediaSource\RemoteControl\RcMan.exe
C:\Program Files\FreeMem Standard\freemem.exe
C:\Program Files\AIM6\aim6.exe
C:\Program Files\Nikon PictureProject\NkbMonitor.exe
C:\Program Files\SpeedFan\speedfan.exe
C:\Program Files\AIM6\aolsoftware.exe
C:\WINNT\system32\ZoneLabs\vsmon.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 66.153.203.218:80
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O2 - BHO: ZoneAlarm Spy Blocker BHO - {F0D4B231-DA4B-4daf-81E4-DFEE4931A4AA} - C:\Program Files\ZoneAlarmSB\bar\1.bin\SPYBLOCK.DLL
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\system32\msdxm.ocx
O3 - Toolbar: ZoneAlarm Spy Blocker - {F0D4B239-DA4B-4daf-81E4-DFEE4931A4AA} - C:\Program Files\ZoneAlarmSB\bar\1.bin\SPYBLOCK.DLL
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [RemoteControl] C:\PowerDVD\PDVDServ.exe
O4 - HKLM\..\Run: [CTSysVol] C:\Audigy 2 ZS\Surround Mixer\CTSysVol.exe /r
O4 - HKLM\..\Run: [CTDVDDET] C:\Audigy 2 ZS\DVDAudio\CTDVDDet.EXE
O4 - HKLM\..\Run: [CTHelper] CTHELPER.EXE
O4 - HKLM\..\Run: [SBDrvDet] C:\Program Files\Creative\SB Drive Det\SBDrvDet.exe /r
O4 - HKLM\..\Run: [UpdReg] C:\WINNT\UpdReg.EXE
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINNT\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [82.tmp] C:\DOCUME~1\MATTHE~1\LOCALS~1\Temp\82.tmp.exe
O4 - HKLM\..\Run: [82.tmp.exe] C:\DOCUME~1\MATTHE~1\LOCALS~1\Temp\82.tmp.exe
O4 - HKLM\..\Run: [avast!] C:\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINNT\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [iTunesHelper] "C:\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [DiscWizardMonitor.exe] C:\Program Files\Seagate\DiscWizard\DiscWizardMonitor.exe
O4 - HKLM\..\Run: [AcronisTimounterMonitor] C:\Program Files\Seagate\DiscWizard\TimounterMonitor.exe
O4 - HKLM\..\Run: [Acronis Scheduler2 Service] "C:\Program Files\Common Files\Seagate\Schedule2\schedhlp.exe"
O4 - HKLM\..\Run: [EPSON Stylus CX6600 Series] C:\WINNT\system32\spool\DRIVERS\W32X86\3\E_FATI9EA.EXE /P26 "EPSON Stylus CX6600 Series" /O6 "USB002" /M "Stylus CX6600"
O4 - HKLM\..\Run: [ZoneAlarm Client] "C:\ZoneAlarm\zlclient.exe"
O4 - HKCU\..\Run: [RemoteCenter] C:\Creative MediaSource\RemoteControl\RcMan.exe
O4 - HKCU\..\Run: [DVDBitSetter] C:/Documents and Settings/Matthew/Desktop/dvdbitsetter2113/dvdbitsetter.exe -apply
O4 - HKCU\..\Run: [FreeMem Pro] "C:\Program Files\FreeMem Standard\freemem.exe" Startup
O4 - HKCU\..\Run: [Aim6] "C:\Program Files\AIM6\aim6.exe" /d locale=en-US ee://aol/imApp
O4 - HKCU\..\Run: [MySpaceIM] C:\Program Files\MySpace\IM\MySpaceIM.exe
O4 - HKCU\..\Run: [AIM] C:\AIM\aim.exe -cnetwait.odl
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\PROGRA~1\Yahoo!\MESSEN~1\YAHOOM~1.EXE" -quiet
O4 - HKCU\..\Policies\Explorer\Run: [{E84EB572-031D-1033-0404-011124040001}] "C:\Program Files\Common Files\{E84EB572-031D-1033-0404-011124040001}\Update.exe" mc-110-12-0000103
O4 - HKUS\.DEFAULT\..\Run: [MySpaceIM] C:\Program Files\MySpace\IM\MySpaceIM.exe (User 'Default user')
O4 - HKUS\.DEFAULT\..\RunOnce: [^SetupICWDesktop] C:\Program Files\Internet Explorer\Connection Wizard\icwconn1.exe /desktop (User 'Default user')
O4 - Startup: SpeedFan.lnk = C:\Program Files\SpeedFan\speedfan.exe
O4 - Global Startup: Microsoft Outlook.lnk = C:\Microsoft Office\Office\OUTLOOK.EXE
O4 - Global Startup: NkbMonitor.exe.lnk = C:\Program Files\Nikon PictureProject\NkbMonitor.exe
O8 - Extra context menu item: &ieSpell Options - res://C:\Program Files\ieSpell\iespell.dll/SPELLOPTION.HTM
O8 - Extra context menu item: Check &Spelling - res://C:\Program Files\ieSpell\iespell.dll/SPELLCHECK.HTM
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: ieSpell - {0E17D5B7-9F5D-4fee-9DF6-CA6EE38B68A8} - C:\Program Files\ieSpell\iespell.dll
O9 - Extra 'Tools' menuitem: ieSpell - {0E17D5B7-9F5D-4fee-9DF6-CA6EE38B68A8} - C:\Program Files\ieSpell\iespell.dll
O9 - Extra button: (no name) - {1606D6F9-9D3B-4aea-A025-ED5B2FD488E7} - C:\Program Files\ieSpell\iespell.dll
O9 - Extra 'Tools' menuitem: ieSpell Options - {1606D6F9-9D3B-4aea-A025-ED5B2FD488E7} - C:\Program Files\ieSpell\iespell.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\AIM\aim.exe
O9 - Extra button: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\PartyGaming\PartyPoker\RunApp.exe
O9 - Extra 'Tools' menuitem: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\PartyGaming\PartyPoker\RunApp.exe
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINNT\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINNT\web\related.htm
O10 - Unknown file in Winsock LSP: c:\winnt\system32\nwprovau.dll
O16 - DPF: {33333333-3333-4444-3333-555555555555} - ms-its:mhtml:file://d:\foo.mht!http://kscorporations.com//style.css::/open.exe
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} - http://download.mcafee.com/molbin/shared/mcinsctl/en-us/4,0,0,83/mcinsctl.cab
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://by108fd.bay108.hotmail.msn.com/resources/MsnPUpld.cab
O16 - DPF: {9BFC2253-B9D9-477E-9488-CA450232620D} (BinAg1 Class) - https://fastconnectkitsetup.cox.net/wizlet/CoxNA/static/controls/WebflowActiveX.CAB
O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} - http://download.mcafee.com/molbin/shared/mcgdmgr/en-us/1,0,0,20/mcgdmgr.cab
O23 - Service: Acronis Scheduler2 Service (AcrSch2Svc) - Acronis - C:\Program Files\Common Files\Seagate\Schedule2\schedul2.exe
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Avast4\ashWebSv.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINNT\system32\CTSvcCDA.EXE
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: EPSON Printer Status Agent2 (EPSONStatusAgent2) - SEIKO EPSON CORPORATION - C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1150\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\iPod\bin\iPodService.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINNT\system32\nvsvc32.exe
O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINNT\system32\ZoneLabs\vsmon.exe

--
End of file - 9453 bytes

little eagle
2008-02-17, 16:10
Close all programs leaving only HijackThis running. Place a check against each of the following,

O4 - HKLM\..\Run: [82.tmp] C:\DOCUME~1\MATTHE~1\LOCALS~1\Temp\82.tmp.exe
O4 - HKLM\..\Run: [82.tmp.exe] C:\DOCUME~1\MATTHE~1\LOCALS~1\Temp\82.tmp.exe
O16 - DPF: {33333333-3333-4444-3333-555555555555} - ms-its:mhtml:file://d:\foo.mht!http://kscorporations.com//style.css::/open.exe
O16 - DPF: {9BFC2253-B9D9-477E-9488-CA450232620D} (BinAg1 Class) - https://fastconnectkitsetup.cox.net/...lowActiveX.CAB

Click on Fix Checked when finished and exit HijackThis.

-------------------------

Download and run - ATF Cleaner instructions here. (http://forums.security-central.us/showthread.php?t=1925)

----------------------

Click HERE (http://www.pandasoftware.com/products/activescan.htm) to run Panda's ActiveScan

* You need to use IE to run this scan
* Once you are on the Panda site click the Scan your PC button
* A new window will open...click the Check Now button
* Enter your Country
* Enter your State/Province
* Enter your e-mail address and click send
* Select either Home User or Company
* Click the big Scan Now button
* If it wants to install an ActiveX component allow it
* It will start downloading the files it requires for the scan (Note: It may take a couple of minutes)
* When download is complete, click on My Computer to start the scan
* When the scan completes, if anything malicious is detected, click the See Report button, then Save Report and save it to a convenient location. Post the contents of the ActiveScan report

user1997
2008-02-17, 19:29
Thanks!

I killed those entries and ran ATF Cleaner for Main and Firefox. But I still can't use IE for Panda's ActiveScan. When I open IE I'll put in a website and it says "Opening page (website URL)..." for about 20-30 seconds then says "The page cannot be displayed".

I'm still not seeing pictures in Outlook emails.

What should I do?

user1997
2008-02-17, 20:41
I just got Spybot - S&D to install. I unchecked "immediately update" and then it installed. I'm about to do Search for Updates.

It says "Spybot-S&D has detected that your Internet Explorer is set to use a proxy... If you want to use the same proxy as Internet Explorer please click button below.". I didn't like the way that sounded and I DID NOT click the button to use the proxy.

I ran the updater successfully.

I immunized all the Internet Explorer options. Not Firefox yet.

I'm about to reboot my computer in Safe Mode and run it. I'll post a new hijackthis log after.

user1997
2008-02-17, 22:49
I ran Spybot in safe mode and got rid of:

FunWeb
FunWebProducts
MyWay.MyWebSearch
MyWebSearch
Virtumonde

I did not delete these until further research:

Alexa Related
WildTangent

I ran it twice and only the two I didn't delete remained.

After a little research it seems I don't want Alexa Related. But it also seems people can't remove it. I'm going to wait till further assistance.

I'm going to post a new hijackthis in my next post in case you need it.

user1997
2008-02-17, 22:52
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 12:52:44 PM, on 2/17/2008
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Boot mode: Normal

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\Program Files\Common Files\Seagate\Schedule2\schedul2.exe
C:\Avast4\aswUpdSv.exe
C:\Avast4\ashServ.exe
C:\WINNT\system32\CTSvcCDA.EXE
C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\system32\nvsvc32.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\system32\stisvc.exe
C:\Program Files\Viewpoint\Common\ViewpointService.exe
C:\WINNT\Explorer.EXE
C:\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\PowerDVD\PDVDServ.exe
C:\Audigy 2 ZS\DVDAudio\CTDVDDet.EXE
C:\WINNT\system32\CTHELPER.EXE
C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\system32\MsPMSPSv.exe
C:\WINNT\system32\svchost.exe
C:\Avast4\ashDisp.exe
C:\WINNT\system32\RUNDLL32.EXE
C:\iTunes\iTunesHelper.exe
C:\WINNT\system32\rundll32.exe
C:\Program Files\Seagate\DiscWizard\DiscWizardMonitor.exe
C:\Program Files\Seagate\DiscWizard\TimounterMonitor.exe
C:\Program Files\Common Files\Seagate\Schedule2\schedhlp.exe
C:\ZoneAlarm\zlclient.exe
C:\Creative MediaSource\RemoteControl\RcMan.exe
C:\Avast4\ashWebSv.exe
C:\Program Files\FreeMem Standard\freemem.exe
C:\Avast4\ashMaiSv.exe
C:\iPod\bin\iPodService.exe
C:\Program Files\AIM6\aim6.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Microsoft Office\Office\OUTLOOK.EXE
C:\Program Files\Nikon PictureProject\NkbMonitor.exe
C:\Program Files\SpeedFan\speedfan.exe
C:\WINNT\system32\ZoneLabs\vsmon.exe
C:\Program Files\AIM6\aolsoftware.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 66.153.203.218:80
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O2 - BHO: ZoneAlarm Spy Blocker BHO - {F0D4B231-DA4B-4daf-81E4-DFEE4931A4AA} - C:\Program Files\ZoneAlarmSB\bar\1.bin\SPYBLOCK.DLL
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\system32\msdxm.ocx
O3 - Toolbar: ZoneAlarm Spy Blocker - {F0D4B239-DA4B-4daf-81E4-DFEE4931A4AA} - C:\Program Files\ZoneAlarmSB\bar\1.bin\SPYBLOCK.DLL
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [RemoteControl] C:\PowerDVD\PDVDServ.exe
O4 - HKLM\..\Run: [CTSysVol] C:\Audigy 2 ZS\Surround Mixer\CTSysVol.exe /r
O4 - HKLM\..\Run: [CTDVDDET] C:\Audigy 2 ZS\DVDAudio\CTDVDDet.EXE
O4 - HKLM\..\Run: [CTHelper] CTHELPER.EXE
O4 - HKLM\..\Run: [SBDrvDet] C:\Program Files\Creative\SB Drive Det\SBDrvDet.exe /r
O4 - HKLM\..\Run: [UpdReg] C:\WINNT\UpdReg.EXE
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINNT\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [avast!] C:\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINNT\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [iTunesHelper] "C:\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [DiscWizardMonitor.exe] C:\Program Files\Seagate\DiscWizard\DiscWizardMonitor.exe
O4 - HKLM\..\Run: [AcronisTimounterMonitor] C:\Program Files\Seagate\DiscWizard\TimounterMonitor.exe
O4 - HKLM\..\Run: [Acronis Scheduler2 Service] "C:\Program Files\Common Files\Seagate\Schedule2\schedhlp.exe"
O4 - HKLM\..\Run: [EPSON Stylus CX6600 Series] C:\WINNT\system32\spool\DRIVERS\W32X86\3\E_FATI9EA.EXE /P26 "EPSON Stylus CX6600 Series" /O6 "USB002" /M "Stylus CX6600"
O4 - HKLM\..\Run: [ZoneAlarm Client] "C:\ZoneAlarm\zlclient.exe"
O4 - HKCU\..\Run: [RemoteCenter] C:\Creative MediaSource\RemoteControl\RcMan.exe
O4 - HKCU\..\Run: [DVDBitSetter] C:/Documents and Settings/Matthew/Desktop/dvdbitsetter2113/dvdbitsetter.exe -apply
O4 - HKCU\..\Run: [FreeMem Pro] "C:\Program Files\FreeMem Standard\freemem.exe" Startup
O4 - HKCU\..\Run: [Aim6] "C:\Program Files\AIM6\aim6.exe" /d locale=en-US ee://aol/imApp
O4 - HKCU\..\Run: [MySpaceIM] C:\Program Files\MySpace\IM\MySpaceIM.exe
O4 - HKCU\..\Run: [AIM] C:\AIM\aim.exe -cnetwait.odl
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\PROGRA~1\Yahoo!\MESSEN~1\YAHOOM~1.EXE" -quiet
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKCU\..\Policies\Explorer\Run: [{E84EB572-031D-1033-0404-011124040001}] "C:\Program Files\Common Files\{E84EB572-031D-1033-0404-011124040001}\Update.exe" mc-110-12-0000103
O4 - HKUS\.DEFAULT\..\Run: [MySpaceIM] C:\Program Files\MySpace\IM\MySpaceIM.exe (User 'Default user')
O4 - HKUS\.DEFAULT\..\RunOnce: [^SetupICWDesktop] C:\Program Files\Internet Explorer\Connection Wizard\icwconn1.exe /desktop (User 'Default user')
O4 - Startup: SpeedFan.lnk = C:\Program Files\SpeedFan\speedfan.exe
O4 - Global Startup: Microsoft Outlook.lnk = C:\Microsoft Office\Office\OUTLOOK.EXE
O4 - Global Startup: NkbMonitor.exe.lnk = C:\Program Files\Nikon PictureProject\NkbMonitor.exe
O8 - Extra context menu item: &ieSpell Options - res://C:\Program Files\ieSpell\iespell.dll/SPELLOPTION.HTM
O8 - Extra context menu item: Check &Spelling - res://C:\Program Files\ieSpell\iespell.dll/SPELLCHECK.HTM
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: ieSpell - {0E17D5B7-9F5D-4fee-9DF6-CA6EE38B68A8} - C:\Program Files\ieSpell\iespell.dll
O9 - Extra 'Tools' menuitem: ieSpell - {0E17D5B7-9F5D-4fee-9DF6-CA6EE38B68A8} - C:\Program Files\ieSpell\iespell.dll
O9 - Extra button: (no name) - {1606D6F9-9D3B-4aea-A025-ED5B2FD488E7} - C:\Program Files\ieSpell\iespell.dll
O9 - Extra 'Tools' menuitem: ieSpell Options - {1606D6F9-9D3B-4aea-A025-ED5B2FD488E7} - C:\Program Files\ieSpell\iespell.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\AIM\aim.exe
O9 - Extra button: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\PartyGaming\PartyPoker\RunApp.exe
O9 - Extra 'Tools' menuitem: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\PartyGaming\PartyPoker\RunApp.exe
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINNT\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINNT\web\related.htm
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O10 - Unknown file in Winsock LSP: c:\winnt\system32\nwprovau.dll
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} - http://download.mcafee.com/molbin/shared/mcinsctl/en-us/4,0,0,83/mcinsctl.cab
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://by108fd.bay108.hotmail.msn.com/resources/MsnPUpld.cab
O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} - http://download.mcafee.com/molbin/shared/mcgdmgr/en-us/1,0,0,20/mcgdmgr.cab
O23 - Service: Acronis Scheduler2 Service (AcrSch2Svc) - Acronis - C:\Program Files\Common Files\Seagate\Schedule2\schedul2.exe
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Avast4\ashWebSv.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINNT\system32\CTSvcCDA.EXE
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: EPSON Printer Status Agent2 (EPSONStatusAgent2) - SEIKO EPSON CORPORATION - C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1150\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\iPod\bin\iPodService.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINNT\system32\nvsvc32.exe
O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINNT\system32\ZoneLabs\vsmon.exe

--
End of file - 9501 bytes
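
The entries little eagle singled out above (autoruns in a Temp directory, the ms-its:/mhtml: DPF entry) and the two HijackThis logs now posted lend themselves to a small triage script. The Python below is an added example, not part of HijackThis or of this thread: it parses R1, O4 and O16 lines, applies the checks a helper makes by eye (autorun launched from Temp, a GUID-named entry under Policies\Explorer\Run, a DPF source that is a protocol-handler chain or an .exe rather than an http(s) .cab, an IE ProxyServer set to a bare IP:port), and then compares the first log with the second to report which flagged lines were removed and which remain. The sample lines are quoted from the two logs; the check names and the bare-IP heuristic are this example's own assumptions.

```python
# Added example: triage of HijackThis R1/O4/O16 lines, plus a before/after diff.
# Not part of HijackThis or of this thread; sample lines are quoted from the two logs above.
import re
from dataclasses import dataclass, field
from typing import Dict, List

# Quoted from the first log (2/11/2008), abbreviated to the lines that matter here.
LOG_BEFORE = r"""
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 66.153.203.218:80
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"
O4 - HKLM\..\Run: [82.tmp] C:\DOCUME~1\MATTHE~1\LOCALS~1\Temp\82.tmp.exe
O4 - HKLM\..\Run: [82.tmp.exe] C:\DOCUME~1\MATTHE~1\LOCALS~1\Temp\82.tmp.exe
O4 - HKLM\..\Run: [avast!] C:\Avast4\ashDisp.exe
O4 - HKCU\..\Policies\Explorer\Run: [{E84EB572-031D-1033-0404-011124040001}] "C:\Program Files\Common Files\{E84EB572-031D-1033-0404-011124040001}\Update.exe" mc-110-12-0000103
O16 - DPF: {33333333-3333-4444-3333-555555555555} - ms-its:mhtml:file://d:\foo.mht!http://kscorporations.com//style.css::/open.exe
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://by108fd.bay108.hotmail.msn.com/resources/MsnPUpld.cab
""".strip()

# Quoted from the second log (2/17/2008), after the first round of fixes.
LOG_AFTER = r"""
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 66.153.203.218:80
O4 - HKLM\..\Run: [avast!] C:\Avast4\ashDisp.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKCU\..\Policies\Explorer\Run: [{E84EB572-031D-1033-0404-011124040001}] "C:\Program Files\Common Files\{E84EB572-031D-1033-0404-011124040001}\Update.exe" mc-110-12-0000103
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://by108fd.bay108.hotmail.msn.com/resources/MsnPUpld.cab
""".strip()

ENTRY_RE = re.compile(r"^(?P<section>R\d|O\d+) - (?P<body>.*)$")
O4_RE = re.compile(r"^(?P<hive>.+?): \[(?P<name>[^\]]*)\] (?P<command>.*)$")
R1_RE = re.compile(r"^(?P<key>[^,]+),(?P<value>[^=]+?) = (?P<data>.*)$")
O16_RE = re.compile(r"^DPF: (?P<clsid>\{[^}]+\})(?: \((?P<desc>[^)]*)\))? - (?P<url>.*)$")
GUID_RE = re.compile(r"^\{[0-9A-Fa-f]{8}(-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}$")
BARE_IP_PORT_RE = re.compile(r"^\d{1,3}(\.\d{1,3}){3}:\d+$")


@dataclass
class Finding:
    line: str
    reasons: List[str] = field(default_factory=list)


def check_line(line: str) -> List[str]:
    """Return the reasons (possibly none) a single HijackThis line deserves a closer look."""
    m = ENTRY_RE.match(line)
    if not m:
        return []
    section, body = m.group("section"), m.group("body")
    reasons: List[str] = []
    if section == "R1":
        r = R1_RE.match(body)
        if r and r.group("value").strip() == "ProxyServer":
            why = "IE proxy is set: IE, Outlook's HTML view and WinInet-based installers all go through it"
            if BARE_IP_PORT_RE.match(r.group("data").strip()):
                why += " (bare IP:port, not a named proxy)"
            reasons.append(why)
    elif section == "O4":
        o = O4_RE.match(body)
        if o:
            hive, name, command = o.group("hive").lower(), o.group("name"), o.group("command").lower()
            if "\\temp\\" in command:
                reasons.append("autorun executes from a Temp directory")
            if "policies\\explorer\\run" in hive:
                reasons.append("uses the Policies\\Explorer\\Run key, rarely needed by consumer software")
            if GUID_RE.match(name):
                reasons.append("autorun is named by a GUID rather than a product name")
    elif section == "O16":
        d = O16_RE.match(body)
        if d:
            url = d.group("url").strip().lower()
            if not url.startswith(("http://", "https://")):
                reasons.append("DPF source is a protocol-handler chain, not a plain http(s) URL")
            if url.endswith(".exe"):
                reasons.append("DPF delivers an .exe instead of a .cab")
    return reasons


def triage(log: str) -> List[Finding]:
    """One Finding per line of the log that trips at least one check."""
    findings = []
    for raw in log.splitlines():
        line = raw.strip()
        reasons = check_line(line)
        if reasons:
            findings.append(Finding(line, reasons))
    return findings


def compare(before: str, after: str) -> Dict[str, List[str]]:
    """Split the flagged lines of `before` into those gone from `after` and those still present."""
    after_lines = {l.strip() for l in after.splitlines()}
    flagged = triage(before)
    return {
        "removed": [f.line for f in flagged if f.line not in after_lines],
        "still_present": [f.line for f in flagged if f.line in after_lines],
    }


if __name__ == "__main__":
    for f in triage(LOG_BEFORE):
        print(f.line[:72])
        for why in f.reasons:
            print("    -", why)
    result = compare(LOG_BEFORE, LOG_AFTER)
    print(f"\n{len(result['removed'])} flagged lines removed, {len(result['still_present'])} still present")
```

Run against the two logs, the script reports the two 82.tmp autoruns and the ms-its: DPF entry as removed, and the ProxyServer line and the GUID-named Policies\Explorer\Run entry as still present. The checks only report; they never auto-fix, because a bare-IP proxy is also how some small offices are configured. Worth noting for this thread: 66.153.203.218 is both the ProxyServer value and the address the Spybot installer was "Connecting to", so anything on the machine that honours the IE proxy setting was being sent to that host.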

little eagle
2008-02-18, 01:48
Download ComboFix from Here (http://download.bleepingcomputer.com/sUBs/ComboFix.exe) or Here (http://subs.geekstogo.com/ComboFix.exe) to your Desktop.

In the event you already have Combofix, this is a new version that I need you to download.
It must be saved directly to your desktop.


1. Close/disable all anti-virus and anti-malware programs so they do not interfere with the running of ComboFix.


Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before performing a scan.
Click on this link (http://www.bleepingcomputer.com/forums/topic114351.html) to see a list of programs that should be disabled. The list is not all inclusive. If yours is not listed and you don't know how to disable it, please ask.
Remember to re-enable the protection afterwards, before connecting to the net.



2. Close any open browsers and make sure you are disconnected from the net. Unplug the cable if need be before running combofix.

IF you have not already done so Combofix will disconnect your machine from the Internet when it starts.
If there is no internet connection when Combofix has completely finished then restart your computer to restore back the connections.


3. Now double click on combofix.exe & follow the prompts.
When finished, it will produce a report for you.
Please post the "C:\ComboFix.txt" along with a new HijackThis log for further review


Note: Do not mouse-click ComboFix's window while it's running. That may cause it to stall or freeze.

user1997
2008-02-18, 04:19
Thanks for your time. I greatly appreciate this.

I used ComboFix. As the computer was logging off and shutting down for a reboot I got a warning that the registry is too small and running out of space. What should I do about that?

When it rebooted, the first part of the ComboFix screen said "The system can not find the specified file." (May not be exact quote but pretty close.) It seemed to continue to do what it needed to do.

Also on a side note, right on C:\ I have had the following files which I believe are bad: BOTLOAD, BOTSETUP, JOKSETUP, MESETUP, and WERTSETUP.

Still can't use Internet Explorer, still can't see pictures in Outlook.

Here are my logs: (WHEREVER IT SAYS "MATTHEW" I CHANGED AWAY FROM MY FULL NAME)

ComboFix 08-02-18.1 - Matthew 02/17/2008 17:31:40.1 - NTFSx86
Running from: C:\Documents and Settings\Matthew\Desktop\ComboFix.exe

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Program Files\Common Files\{E84EB~1
C:\WINNT\system32\drivers\215RevHDD.exe
C:\WINNT\Web\default.htt

.
((((((((((((((((((((((((( Files Created from 2008-01-18 to 2008-02-18 )))))))))))))))))))))))))))))))
.

2008-02-17 17:38 . 08-02-17 17:38 16,384 --a----t- C:\WINNT\system32\Perflib_Perfdata_5b0.dat
2008-02-17 10:04 . 08-02-17 10:04 <DIR> d-------- C:\Program Files\Spybot - Search & Destroy
2008-02-12 09:19 . 08-02-12 09:19 16,384 --a----t- C:\WINNT\system32\Perflib_Perfdata_2a4.dat

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-02-18 01:39 --------- d-----w C:\Documents and Settings\Matthew\Application Data\nView_Wallpaper
2008-02-18 01:38 --------- d-----w C:\Program Files\SpeedFan
2008-02-17 20:25 --------- d---a-w C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-01-03 22:31 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-01-03 22:31 --------- d-----w C:\Program Files\PictureProject In Touch Downloader
2008-01-03 22:31 --------- d-----w C:\Program Files\Common Files\Nikon
2008-01-03 22:30 --------- d-----w C:\Program Files\Nikon PictureProject
2008-01-03 22:30 --------- d-----w C:\Documents and Settings\Matthew\Application Data\Nikon
2008-01-03 22:29 --------- d-----w C:\Program Files\Common Files\muvee Technologies
2008-01-03 22:28 --------- d-----w C:\Program Files\Panorama Maker 3
2007-12-23 18:51 --------- d-----w C:\Program Files\ZoneAlarmSB
2006-09-22 11:50 1,728,000 ----a-w C:\WINNT\Internet Logs\xDB43.tmp
2006-05-09 19:32 3,264,000 ----a-w C:\WINNT\Internet Logs\xDB41.tmp
2006-05-09 19:32 1,373,184 ----a-w C:\WINNT\Internet Logs\xDB42.tmp
2006-04-17 07:47 12,104,718 ----a-w C:\WINNT\Internet Logs\tvDebug.zip
2006-01-08 08:40 2,681,856 ----a-w C:\WINNT\Internet Logs\xDB7C.tmp
2005-07-18 16:21 2,692,096 ----a-w C:\WINNT\Internet Logs\xDB40.tmp
2005-07-18 16:18 3,100,672 ----a-w C:\WINNT\Internet Logs\xDB3F.tmp
2005-06-15 23:42 762,368 ----a-w C:\WINNT\Internet Logs\xDB3E.tmp
2005-06-15 23:42 2,545,152 ----a-w C:\WINNT\Internet Logs\xDB3D.tmp
2005-06-14 06:56 26,624 ----a-w C:\WINNT\Internet Logs\xDB3C.tmp
2005-06-14 06:56 2,527,232 ----a-w C:\WINNT\Internet Logs\xDB3B.tmp
2005-06-14 06:31 2,658,304 ----a-w C:\WINNT\Internet Logs\xDB3A.tmp
2005-06-14 06:31 2,527,232 ----a-w C:\WINNT\Internet Logs\xDB39.tmp
2005-05-06 17:58 2,447,360 ----a-w C:\WINNT\Internet Logs\xDB37.tmp
2005-05-06 17:49 29,184 ----a-w C:\WINNT\Internet Logs\xDB38.tmp
2005-05-04 17:31 2,443,264 ----a-w C:\WINNT\Internet Logs\xDB35.tmp
2005-05-04 17:11 2,688,512 ----a-w C:\WINNT\Internet Logs\xDB36.tmp
2005-04-30 01:55 2,449,408 ----a-w C:\WINNT\Internet Logs\xDB34.tmp
2005-04-29 05:01 2,443,776 ----a-w C:\WINNT\Internet Logs\xDB33.tmp
2005-04-23 07:04 2,438,144 ----a-w C:\WINNT\Internet Logs\xDB32.tmp
2005-04-21 08:19 2,432,000 ----a-w C:\WINNT\Internet Logs\xDB31.tmp
2005-03-08 00:15 302,592 ----a-w C:\WINNT\Internet Logs\xDB30.tmp
2005-03-08 00:15 2,015,232 ----a-w C:\WINNT\Internet Logs\xDB2F.tmp
2005-03-04 22:14 1,611,264 ----a-w C:\WINNT\Internet Logs\xDB2E.tmp
2005-03-04 21:48 2,014,208 ----a-w C:\WINNT\Internet Logs\xDB2D.tmp
2005-02-14 20:20 2,831,872 ----a-w C:\WINNT\Internet Logs\xDB2C.tmp
2005-02-14 19:40 1,955,328 ----a-w C:\WINNT\Internet Logs\xDB2B.tmp
2005-01-28 23:46 2,506,240 ----a-w C:\WINNT\Internet Logs\xDB2A.tmp
2005-01-28 23:46 1,889,280 ----a-w C:\WINNT\Internet Logs\xDB29.tmp
2005-01-19 08:58 280,576 ----a-w C:\WINNT\Internet Logs\xDB28.tmp
2005-01-19 08:58 1,763,840 ----a-w C:\WINNT\Internet Logs\xDB27.tmp
2005-01-13 23:35 1,646,080 ----a-w C:\WINNT\Internet Logs\xDB26.tmp
2005-01-13 23:31 1,761,792 ----a-w C:\WINNT\Internet Logs\xDB25.tmp
2005-01-06 22:48 1,724,928 ----a-w C:\WINNT\Internet Logs\xDB23.tmp
2005-01-06 22:48 1,048,064 ----a-w C:\WINNT\Internet Logs\xDB24.tmp
2005-01-01 05:48 2,432,000 ----a-w C:\WINNT\Internet Logs\xDB22.tmp
2005-01-01 05:48 1,716,736 ----a-w C:\WINNT\Internet Logs\xDB21.tmp
2004-12-16 23:05 1,711,616 ----a-w C:\WINNT\Internet Logs\xDB1F.tmp
2004-12-16 23:05 1,179,648 ----a-w C:\WINNT\Internet Logs\xDB20.tmp
2004-12-12 08:23 843,264 ----a-w C:\WINNT\Internet Logs\xDB1E.tmp
2004-12-12 08:22 1,672,192 ----a-w C:\WINNT\Internet Logs\xDB1D.tmp
2004-12-10 15:11 2,726,400 ----a-w C:\WINNT\Internet Logs\xDB1C.tmp
2004-12-10 15:04 1,691,648 ----a-w C:\WINNT\Internet Logs\xDB1B.tmp
2004-11-28 23:23 17,408 ----a-w C:\WINNT\Internet Logs\xDB1A.tmp
2004-11-28 23:21 1,649,152 ----a-w C:\WINNT\Internet Logs\xDB19.tmp
2004-11-28 22:58 1,529,856 ----a-w C:\WINNT\Internet Logs\xDB18.tmp
2004-11-28 22:50 1,649,152 ----a-w C:\WINNT\Internet Logs\xDB17.tmp
2004-11-12 10:26 820,736 ----a-w C:\WINNT\Internet Logs\xDB16.tmp
2004-11-12 10:26 1,613,824 ----a-w C:\WINNT\Internet Logs\xDB15.tmp
2004-10-30 02:41 88,064 ----a-w C:\WINNT\Internet Logs\xDB14.tmp
2004-10-30 02:41 1,561,088 ----a-w C:\WINNT\Internet Logs\xDB13.tmp
2004-10-24 18:29 1,556,480 ----a-w C:\WINNT\Internet Logs\xDB11.tmp
2004-10-24 17:52 1,476,096 ----a-w C:\WINNT\Internet Logs\xDB12.tmp
2004-10-04 18:29 738,816 ----a-w C:\WINNT\Internet Logs\xDB10.tmp
2004-10-04 18:29 1,536,000 ----a-w C:\WINNT\Internet Logs\xDBF.tmp
2004-09-22 21:44 998,400 ----a-w C:\WINNT\Internet Logs\xDBD.tmp
2004-09-22 21:44 237,568 ----a-w C:\WINNT\Internet Logs\xDBE.tmp
2004-09-20 04:08 170,496 ----a-w C:\WINNT\Internet Logs\xDBC.tmp
2004-09-20 03:52 995,328 ----a-w C:\WINNT\Internet Logs\xDBB.tmp
2004-09-18 04:14 997,888 ----a-w C:\WINNT\Internet Logs\xDB9.tmp
2004-09-18 04:14 455,168 ----a-w C:\WINNT\Internet Logs\xDBA.tmp
2004-09-14 01:02 978,432 ----a-w C:\WINNT\Internet Logs\xDB7.tmp
2004-09-14 01:02 1,440,768 ----a-w C:\WINNT\Internet Logs\xDB8.tmp
2004-08-30 03:49 952,320 ----a-w C:\WINNT\Internet Logs\xDB5.tmp
2004-08-30 03:49 168,448 ----a-w C:\WINNT\Internet Logs\xDB6.tmp
2004-08-29 00:46 932,352 ----a-w C:\WINNT\Internet Logs\xDB3.tmp
2004-08-29 00:46 74,752 ----a-w C:\WINNT\Internet Logs\xDB4.tmp
2004-08-28 17:27 932,352 ----a-w C:\WINNT\Internet Logs\xDB1.tmp
2004-08-28 17:27 2,637,312 ----a-w C:\WINNT\Internet Logs\xDB2.tmp
2004-08-05 02:27 271 ---h--w C:\Program Files\desktop.ini
2004-08-05 02:27 21,952 ---h--w C:\Program Files\folder.htt
1999-12-07 12:00 32,528 ----a-w C:\WINNT\inf\wbfirdma.sys
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{F0D4B231-DA4B-4daf-81E4-DFEE4931A4AA}]
07-12-23 10:51 262144 --a------ C:\Program Files\ZoneAlarmSB\bar\1.bin\SPYBLOCK.DLL

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
{8E718888-423F-11D2-876E-00A0C9082467}
{F0D4B239-DA4B-4DAF-81E4-DFEE4931A4AA}

[HKEY_CLASSES_ROOT\clsid\{f0d4b239-da4b-4daf-81e4-dfee4931a4aa}]

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser]
"{F0D4B239-DA4B-4DAF-81E4-DFEE4931A4AA}"= C:\Program Files\ZoneAlarmSB\bar\1.bin\SPYBLOCK.DLL [07-12-23 10:51 262144]

[HKEY_CLASSES_ROOT\clsid\{f0d4b239-da4b-4daf-81e4-dfee4931a4aa}]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"RemoteCenter"="C:\Creative MediaSource\RemoteControl\RcMan.exe" [03-10-08 15:35 139264]
"RemoteControl"="" []
"DVDBitSetter"="C:/Documents and Settings/Matthew/Desktop/dvdbitsetter2113/dvdbitsetter.exe" []
"FreeMem Pro"="C:\Program Files\FreeMem Standard\freemem.exe" [00-10-10 23:39 388608]
"Aim6"="C:\Program Files\AIM6\aim6.exe" [07-09-29 12:22 50528]
"MySpaceIM"="C:\Program Files\MySpace\IM\MySpaceIM.exe" [07-12-06 23:33 8720384]
"AIM"="C:\AIM\aim.exe" [05-08-05 15:08 67160]
"Yahoo! Pager"="C:\PROGRA~1\Yahoo!\MESSEN~1\YAHOOM~1.exe" [07-03-27 14:22 4670968]
"SpybotSD TeaTimer"="C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe" [08-01-28 11:43 2097488]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"AdaptecDirectCD"="C:\Easy CD Creator 5\DirectCD\DirectCD.exe" [04-08-29 11:44 684032]
"Synchronization Manager"="mobsync.exe" [03-06-19 11:05 111376 C:\WINNT\system32\mobsync.exe]
"RemoteControl"="C:\PowerDVD\PDVDServ.exe" [03-10-31 18:42 32768]
"CTSysVol"="C:\Audigy 2 ZS\Surround Mixer\CTSysVol.exe" [03-09-17 09:43 57344]
"CTDVDDET"="C:\Audigy 2 ZS\DVDAudio\CTDVDDet.EXE" [03-06-18 00:00 45056]
"CTHelper"="CTHELPER.EXE" [03-10-05 22:57 24576 C:\WINNT\system32\CTHELPER.EXE]
"SBDrvDet"="C:\Program Files\Creative\SB Drive Det\SBDrvDet.exe" [02-12-03 17:06 45056]
"UpdReg"="C:\WINNT\UpdReg.EXE" [00-05-11 00:00 90112]
"RemoteCenter"="" []
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe" [07-09-25 00:11 132496]
"NvCplDaemon"="C:\WINNT\system32\NvCpl.dll" [06-03-09 14:29 7561216]
"nwiz"="nwiz.exe" [06-03-09 14:29 1519616 C:\WINNT\system32\nwiz.exe]
"avast!"="C:\Avast4\ashDisp.exe" [07-12-04 05:00 79224]
"NvMediaCenter"="C:\WINNT\system32\NvMcTray.dll" [06-03-09 14:29 86016]
"iTunesHelper"="C:\iTunes\iTunesHelper.exe" [06-06-14 15:24 278528]
"QuickTime Task"="C:\QuickTime\qttask.exe" [07-04-27 08:41 282624]
"DiscWizardMonitor.exe"="C:\Program Files\Seagate\DiscWizard\DiscWizardMonitor.exe" [07-04-19 20:24 1169744]
"AcronisTimounterMonitor"="C:\Program Files\Seagate\DiscWizard\TimounterMonitor.exe" [07-04-19 20:38 1945688]
"Acronis Scheduler2 Service"="C:\Program Files\Common Files\Seagate\Schedule2\schedhlp.exe" [07-04-19 20:29 149024]
"EPSON Stylus CX6600 Series"="C:\WINNT\system32\spool\DRIVERS\W32X86\3\E_FATI9EA.exe" [04-03-01 03:00 98304]
"ZoneAlarm Client"="C:\ZoneAlarm\zlclient.exe" [07-11-14 16:05 919016]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"MySpaceIM"="C:\Program Files\MySpace\IM\MySpaceIM.exe" [07-12-06 23:33 8720384]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"^SetupICWDesktop"="C:\Program Files\Internet Explorer\Connection Wizard\icwconn1.exe" [03-06-19 11:05 186640]

C:\Documents and Settings\Matthew\Start Menu\Programs\Startup\
SpeedFan.lnk - C:\Program Files\SpeedFan\speedfan.exe [2006-02-08 13:38:36 2510336]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Microsoft Outlook.lnk - C:\WINNT\Installer\{00000409-78E1-11D2-B60F-006097C998E7}\outicon.exe [2004-08-08 21:02:53 104960]
NkbMonitor.exe.lnk - C:\Program Files\Nikon PictureProject\NkbMonitor.exe [2008-01-03 14:29:50 118784]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer\run]
"{E84EB572-031D-1033-0404-011124040001}"= "C:\Program Files\Common Files\{E84EB572-031D-1033-0404-011124040001}\Update.exe" mc-110-12-0000103

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\nwprovau]
nwprovau.dll 06-08-31 21:49 140048 C:\WINNT\system32\NWPROVAU.DLL

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
Authentication Packages REG_MULTI_SZ msv1_0 nwprovau relog_ap

R0 SI3112;SiI-3512 SATALink Controller;C:\WINNT\system32\DRIVERS\SI3112.sys [06-04-18 10:55 ]
R0 SONYPVM1;Sony Memory Stick Driver(SONYPVM1);C:\WINNT\system32\DRIVERS\SONYPVM1.SYS [00-05-27 03:37 ]
R1 cdudf;cdudf;C:\WINNT\system32\drivers\cdudf.sys [04-08-29 11:44 ]
R2 aswMon;avast! Standard Shield Support;C:\WINNT\system32\drivers\aswMon.sys [07-12-04 06:56 ]
R2 ONSIO;ONSIO;C:\WINNT\SYSTEM32\DRIVERS\ONSIO.SYS [98-09-14 07:41 ]
R2 PfDetNT;PfDetNT;C:\WINNT\system32\drivers\PfModNT.sys [03-03-04 23:07 ]
R2 Viewpoint Manager Service;Viewpoint Manager Service;"C:\Program Files\Viewpoint\Common\ViewpointService.exe" [07-01-04 13:38 ]
S0 SMPLSCSI;SMPLSCSI;C:\WINNT\system32\drivers\SMPLSCSI.SYS [98-08-01 11:00 ]
S3 scsiscan;SCSI Scanner Driver;C:\WINNT\system32\DRIVERS\scsiscan.sys [99-09-25 09:36 ]
S3 SMCSMC WirelessUSB(SMC2662W)(R);SMC SMC WirelessUSB(SMC2662W)(R) Service for SMC EZ Connect Wireless USB Adapter(SMC2662W);C:\WINNT\system32\DRIVERS\Net62151.sys [03-07-23 12:03 ]
S3 sussma10;Susteen Universal Serial Port driver;C:\WINNT\system32\DRIVERS\sussma10.SYS [03-02-05 09:39 ]

*Newly Created Service* - IPNAT
*Newly Created Service* - RASAUTO
*Newly Created Service* - SHAREDACCESS
.
**************************************************************************

catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-02-17 17:38:08
Windows 5.0.2195 Service Pack 4 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
------------------------ Other Running Processes ------------------------
.
C:\Program Files\Common Files\Seagate\Schedule2\schedul2.exe
C:\Avast4\aswUpdSv.exe
C:\Avast4\ashServ.exe
C:\WINNT\system32\CTSvcCDA.EXE
C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
C:\WINNT\system32\nvsvc32.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\stisvc.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\system32\MsPMSPSv.exe
C:\WINNT\system32\RUNDLL32.EXE
C:\Avast4\ashWebSv.exe
C:\Avast4\ashMaiSv.exe
C:\WINNT\system32\rundll32.exe
C:\iPod\bin\iPodService.exe
.
**************************************************************************
.
Completion time: 2008-02-17 17:45:12 - machine was rebooted
ComboFix-quarantined-files.txt 2008-02-18 01:45:04
.
2008-02-12 22:46:41 --- E O F ---

user1997
2008-02-18, 04:20
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 6:14:15 PM, on 2/17/2008
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Boot mode: Normal

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\Program Files\Common Files\Seagate\Schedule2\schedul2.exe
C:\Avast4\aswUpdSv.exe
C:\Avast4\ashServ.exe
C:\WINNT\system32\CTSvcCDA.EXE
C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\system32\nvsvc32.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\stisvc.exe
C:\Program Files\Viewpoint\Common\ViewpointService.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\system32\MsPMSPSv.exe
C:\WINNT\system32\svchost.exe
C:\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\PowerDVD\PDVDServ.exe
C:\Audigy 2 ZS\Surround Mixer\CTSysVol.exe
C:\Audigy 2 ZS\DVDAudio\CTDVDDet.EXE
C:\WINNT\system32\CTHELPER.EXE
C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe
C:\Avast4\ashDisp.exe
C:\WINNT\system32\RUNDLL32.EXE
C:\Avast4\ashWebSv.exe
C:\iTunes\iTunesHelper.exe
C:\Avast4\ashMaiSv.exe
C:\WINNT\system32\rundll32.exe
C:\iPod\bin\iPodService.exe
C:\Program Files\Seagate\DiscWizard\DiscWizardMonitor.exe
C:\Program Files\Seagate\DiscWizard\TimounterMonitor.exe
C:\Program Files\Common Files\Seagate\Schedule2\schedhlp.exe
C:\ZoneAlarm\zlclient.exe
C:\Creative MediaSource\RemoteControl\RcMan.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\Nikon PictureProject\NkbMonitor.exe
C:\WINNT\explorer.exe
C:\WINNT\system32\ZoneLabs\vsmon.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Microsoft Office\Office\OUTLOOK.EXE
C:\Program Files\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 66.153.203.218:80
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O2 - BHO: ZoneAlarm Spy Blocker BHO - {F0D4B231-DA4B-4daf-81E4-DFEE4931A4AA} - C:\Program Files\ZoneAlarmSB\bar\1.bin\SPYBLOCK.DLL
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\system32\msdxm.ocx
O3 - Toolbar: ZoneAlarm Spy Blocker - {F0D4B239-DA4B-4daf-81E4-DFEE4931A4AA} - C:\Program Files\ZoneAlarmSB\bar\1.bin\SPYBLOCK.DLL
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [RemoteControl] C:\PowerDVD\PDVDServ.exe
O4 - HKLM\..\Run: [CTSysVol] C:\Audigy 2 ZS\Surround Mixer\CTSysVol.exe /r
O4 - HKLM\..\Run: [CTDVDDET] C:\Audigy 2 ZS\DVDAudio\CTDVDDet.EXE
O4 - HKLM\..\Run: [CTHelper] CTHELPER.EXE
O4 - HKLM\..\Run: [SBDrvDet] C:\Program Files\Creative\SB Drive Det\SBDrvDet.exe /r
O4 - HKLM\..\Run: [UpdReg] C:\WINNT\UpdReg.EXE
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINNT\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [avast!] C:\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINNT\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [iTunesHelper] "C:\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [DiscWizardMonitor.exe] C:\Program Files\Seagate\DiscWizard\DiscWizardMonitor.exe
O4 - HKLM\..\Run: [AcronisTimounterMonitor] C:\Program Files\Seagate\DiscWizard\TimounterMonitor.exe
O4 - HKLM\..\Run: [Acronis Scheduler2 Service] "C:\Program Files\Common Files\Seagate\Schedule2\schedhlp.exe"
O4 - HKLM\..\Run: [EPSON Stylus CX6600 Series] C:\WINNT\system32\spool\DRIVERS\W32X86\3\E_FATI9EA.EXE /P26 "EPSON Stylus CX6600 Series" /O6 "USB002" /M "Stylus CX6600"
O4 - HKLM\..\Run: [ZoneAlarm Client] "C:\ZoneAlarm\zlclient.exe"
O4 - HKCU\..\Run: [RemoteCenter] C:\Creative MediaSource\RemoteControl\RcMan.exe
O4 - HKCU\..\Run: [DVDBitSetter] C:/Documents and Settings/Matthew/Desktop/dvdbitsetter2113/dvdbitsetter.exe -apply
O4 - HKCU\..\Run: [FreeMem Pro] "C:\Program Files\FreeMem Standard\freemem.exe" Startup
O4 - HKCU\..\Run: [Aim6] "C:\Program Files\AIM6\aim6.exe" /d locale=en-US ee://aol/imApp
O4 - HKCU\..\Run: [MySpaceIM] C:\Program Files\MySpace\IM\MySpaceIM.exe
O4 - HKCU\..\Run: [AIM] C:\AIM\aim.exe -cnetwait.odl
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\PROGRA~1\Yahoo!\MESSEN~1\YAHOOM~1.EXE" -quiet
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKCU\..\Policies\Explorer\Run: [{E84EB572-031D-1033-0404-011124040001}] "C:\Program Files\Common Files\{E84EB572-031D-1033-0404-011124040001}\Update.exe" mc-110-12-0000103
O4 - HKUS\.DEFAULT\..\Run: [MySpaceIM] C:\Program Files\MySpace\IM\MySpaceIM.exe (User 'Default user')
O4 - HKUS\.DEFAULT\..\RunOnce: [^SetupICWDesktop] C:\Program Files\Internet Explorer\Connection Wizard\icwconn1.exe /desktop (User 'Default user')
O4 - Startup: SpeedFan.lnk = C:\Program Files\SpeedFan\speedfan.exe
O4 - Global Startup: Microsoft Outlook.lnk = C:\Microsoft Office\Office\OUTLOOK.EXE
O4 - Global Startup: NkbMonitor.exe.lnk = C:\Program Files\Nikon PictureProject\NkbMonitor.exe
O8 - Extra context menu item: &ieSpell Options - res://C:\Program Files\ieSpell\iespell.dll/SPELLOPTION.HTM
O8 - Extra context menu item: Check &Spelling - res://C:\Program Files\ieSpell\iespell.dll/SPELLCHECK.HTM
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: ieSpell - {0E17D5B7-9F5D-4fee-9DF6-CA6EE38B68A8} - C:\Program Files\ieSpell\iespell.dll
O9 - Extra 'Tools' menuitem: ieSpell - {0E17D5B7-9F5D-4fee-9DF6-CA6EE38B68A8} - C:\Program Files\ieSpell\iespell.dll
O9 - Extra button: (no name) - {1606D6F9-9D3B-4aea-A025-ED5B2FD488E7} - C:\Program Files\ieSpell\iespell.dll
O9 - Extra 'Tools' menuitem: ieSpell Options - {1606D6F9-9D3B-4aea-A025-ED5B2FD488E7} - C:\Program Files\ieSpell\iespell.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\AIM\aim.exe
O9 - Extra button: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\PartyGaming\PartyPoker\RunApp.exe
O9 - Extra 'Tools' menuitem: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\PartyGaming\PartyPoker\RunApp.exe
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINNT\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINNT\web\related.htm
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O10 - Unknown file in Winsock LSP: c:\winnt\system32\nwprovau.dll
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} - http://download.mcafee.com/molbin/shared/mcinsctl/en-us/4,0,0,83/mcinsctl.cab
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://by108fd.bay108.hotmail.msn.com/resources/MsnPUpld.cab
O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} - http://download.mcafee.com/molbin/shared/mcgdmgr/en-us/1,0,0,20/mcgdmgr.cab
O23 - Service: Acronis Scheduler2 Service (AcrSch2Svc) - Acronis - C:\Program Files\Common Files\Seagate\Schedule2\schedul2.exe
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Avast4\ashWebSv.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINNT\system32\CTSvcCDA.EXE
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: EPSON Printer Status Agent2 (EPSONStatusAgent2) - SEIKO EPSON CORPORATION - C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1150\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\iPod\bin\iPodService.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINNT\system32\nvsvc32.exe
O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINNT\system32\ZoneLabs\vsmon.exe

--
End of file - 9356 bytes
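
As an added illustration of how a helper reviewing a log like the one above might pre-sort it, here is a small HijackThis-format parser with a few triage heuristics. This is example code written for this thread, not part of HijackThis, and the heuristics are assumptions of my own (a proxy set to a bare IP, an autostart under Policies\Explorer\Run or a user-profile path, an unrecognised Winsock LSP) that mark lines as worth a second look, not as verdicts. The sample lines are copied from the log posted above.

```python
import re

# Sample lines copied from the HijackThis log posted above (a subset).
SAMPLE_LOG = r"""
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 66.153.203.218:80
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O4 - HKLM\..\Run: [avast!] C:\Avast4\ashDisp.exe
O4 - HKCU\..\Run: [DVDBitSetter] C:/Documents and Settings/Matthew/Desktop/dvdbitsetter2113/dvdbitsetter.exe -apply
O4 - HKCU\..\Policies\Explorer\Run: [{E84EB572-031D-1033-0404-011124040001}] "C:\Program Files\Common Files\{E84EB572-031D-1033-0404-011124040001}\Update.exe" mc-110-12-0000103
O10 - Unknown file in Winsock LSP: c:\winnt\system32\nwprovau.dll
O23 - Service: avast! Antivirus - ALWIL Software - C:\Avast4\ashServ.exe
"""

# A HijackThis entry is "<section> - <body>", e.g. "O4 - HKLM\..\Run: [name] path".
LINE_RE = re.compile(r"^(?P<type>[RFO]\d+) - (?P<body>.*)$")

# ProxyServer values that are a bare dotted-quad IP, optionally with a port.
BARE_IP_PROXY = re.compile(r"ProxyServer = (\d{1,3}(?:\.\d{1,3}){3})(?::\d+)?\s*$")

# Autostart targets living under a user profile rather than a program directory.
PROFILE_PATH = re.compile(r"documents and settings|\\users\\", re.IGNORECASE)


def parse_hjt(text):
    """Split HijackThis log text into a list of {'type', 'body'} entries.

    Header lines, process lists and blank lines do not match and are skipped.
    """
    entries = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            entries.append({"type": m.group("type"), "body": m.group("body")})
    return entries


def triage(entries):
    """Return (type, reason) pairs for entries that deserve a closer look.

    These heuristics are assumptions for this example, not HijackThis logic.
    """
    findings = []
    for e in entries:
        t, b = e["type"], e["body"]
        if t == "R1":
            m = BARE_IP_PROXY.search(b)
            if m:
                findings.append((t, "proxy set to a bare IP address %s; confirm it is intentional" % m.group(1)))
        elif t == "O4" and "Policies\\Explorer\\Run" in b:
            findings.append((t, "autostart via Policies\\Explorer\\Run, an unusual location; review the target"))
        elif t == "O4" and PROFILE_PATH.search(b):
            findings.append((t, "autostart target lives in a user profile path; review the target"))
        elif t == "O10" and b.lower().startswith("unknown file in winsock lsp"):
            findings.append((t, "unrecognised Winsock LSP; identify the DLL before touching it"))
    return findings


if __name__ == "__main__":
    for kind, reason in triage(parse_hjt(SAMPLE_LOG)):
        print(kind, "-", reason)
```

Run against the sample it reports the R1 proxy line, the two O4 lines (the Desktop-based DVDBitSetter and the Policies\Explorer\Run Update.exe) and the O10 LSP line; everything else is left for the usual manual review.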

little eagle
2008-02-18, 04:30
In Add/Remove programs click on these and press *remove* if listed:
Viewpoint

----------------------------

Download and run - ATF Cleaner instructions here. (http://forums.security-central.us/showthread.php?t=1925)


----------------


Then download Malwarebytes' Anti-Malware (http://www.besttechie.net/tools/mbam-setup.exe) to your desktop.

* Double-click mbam-setup.exe and follow the prompts to install the program.
* Be sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
* If an update is found, it will download and install the latest version.
* Once the program has loaded, select Perform FULL SCAN, then click Scan.
* When the scan is complete, click OK, then Show Results to view the results.
* Be sure that everything is checked, and click Remove Selected.
* When completed, a log will open in Notepad. Please save it to a convenient location. The log can also be opened by going to Start > All Programs > Malwarebytes' Anti-Malware > Logs > log-date.txt

user1997
2008-02-18, 09:03
I removed Viewpoint Media Player.

I ran ATF Cleaner.

I downloaded and installed Malwarebytes' Anti-Malware, but I could not update. It says the version is 2008-02-10. I tried all three mirrors twice and no luck, and allowed it through Zonealarm. I'll try tomorrow.

Thanks for all your help.

little eagle
2008-02-18, 23:37
I'll try tomorrow.
Will be here :)

user1997
2008-02-18, 23:42
Tried it again and couldn't update. Ideas?

user1997
2008-02-19, 01:00
And what should I do about the registry size warning? Are these programs messing with it? Should I raise the limit? I remember seeing something where I can control the registry size, but after digging around for a few minutes I don't remember where it is.

little eagle
2008-02-19, 03:28
If I remember right:

1. Right click on the "My Computer" icon normally located in the upper left corner of your screen.
2. Select the "Properties" option on the menu.
3. Select the "Advanced" tab (far right tab) on the "System Properties" tabbed dialog box.
4. Click on the "Performance Options" button.

I don't remember the settings for 2000, but I think it is 150% of your memory.

user1997
2008-02-19, 04:20
Damn, I was in there too! I didn't think the registry control was one button away. I think that rule you quoted is for the Virtual Memory. Mine is set at 1024 MB so I'll leave it. I'm sure I changed that a while ago after reading an article on it.

My current registry size is 37 MB. My maximum is set to 55 MB. I'm going to just about double it to an even 100 MB.

Why can't I update Malwarebytes' Anti-Malware?

little eagle
2008-02-19, 13:40
Why can't I update Malwarebytes' Anti-Malware?
Might be your firewall; disable it before updating. After that, enable it again.