Can someone here analyze my Hijack log please? [F]


soarwitheagles

Hi again. Ok, I installed, updated, and ran all programs in the exact order given by Osris in the How to Remove Spyware document. Whew, what a job! Thanks again Os!

Now I am posting the Hijack log too.

Can you please check it for me and let me know if there are anymore problems?

I found several trojan horses and also a crack program. I am pretty sure AVG removed them, but the system is still slow and continues to consistently kick me and other computers off our local network.

Here is my Hijack log:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 23:46:46, on 6/23/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16674)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\System32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Intuit\QuickBooks\QBCFMonitorService.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\fxssvc.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\AVG\AVG8\avgtray.exe
C:\PROGRA~1\AVG\AVG8\avgrsx.exe
C:\WINDOWS\system32\ctfmon.exe
C:\PROGRA~1\AVG\AVG8\avgemc.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe
C:\WINDOWS\System32\taskmgr.exe
C:\Documents and Settings\Owner\Desktop\Moms Clean Up Programs\HiJackThis.exe
C:\Documents and Settings\Owner\Desktop\Moms Clean Up Programs\HiJackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = Yahoo!
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = Yahoo!
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = Yahoo!
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\companion\Installs\cpn6\yt.dll
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\companion\Installs\cpn6\yt.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: AVG Safe Search - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG8\avgssie.dll
O2 - BHO: AVG Security Toolbar - {A057A204-BACC-4D26-9990-79A187E2698E} - C:\PROGRA~1\AVG\AVG8\AVGTOO~1.DLL
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: AVG Security Toolbar - {A057A204-BACC-4D26-9990-79A187E2698E} - C:\PROGRA~1\AVG\AVG8\AVGTOO~1.DLL
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\companion\Installs\cpn6\yt.dll
O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe
O4 - HKLM\..\Run: [TrojanScanner] C:\Program Files\Trojan Remover\Trjscan.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" -quiet
O4 - HKUS\S-1-5-21-1707882242-1971481716-257188867-1011\..\Run: [NVIEW] rundll32.exe nview.dll,nViewLoadHook (User 'QBDataServiceUser17')
O4 - S-1-5-21-1707882242-1971481716-257188867-1011 Startup: mod_sm.lnk = C:\hp\bin\cloaker.exe (User 'QBDataServiceUser17')
O4 - S-1-5-21-1707882242-1971481716-257188867-1011 User Startup: mod_sm.lnk = C:\hp\bin\cloaker.exe (User 'QBDataServiceUser17')
O4 - S-1-5-18 Startup: mod_sm.lnk = C:\hp\bin\cloaker.exe (User 'SYSTEM')
O4 - .DEFAULT Startup: mod_sm.lnk = C:\hp\bin\cloaker.exe (User 'Default user')
O4 - .DEFAULT User Startup: mod_sm.lnk = C:\hp\bin\cloaker.exe (User 'Default user')
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O16 - DPF: {01113300-3E00-11D2-8470-0060089874ED} - http://ra.intuit.com/sdccommon/download/tgctlcm.cab
O16 - DPF: {01118F00-3E00-11D2-8470-0060089874ED} - http://ra.intuit.com/sdccommon/download/ssrc.cab
O16 - DPF: {14C1B87C-3342-445F-9B5E-365FF330A3AC} (Hewlett-Packard Online Support Services) - http://h20278.www2.hp.com/CSMWeb/Customer/cabs/HPISDataManager.CAB
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
O16 - DPF: {49232000-16E4-426C-A231-62846947304B} (SysData Class) - http://ipgweb.cce.hp.com/rdqaio2/downloads/sysinfo.cab
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} -
O16 - DPF: {6B75345B-AA36-438A-BBE6-4078B4C6984D} (HpProductDetection Class) - http://h20270.www2.hp.com/ediags/gmn2/install/HPProductDetection.cab
O16 - DPF: {6F15128C-E66A-490C-B848-5000B5ABEEAC} (HP Download Manager) - https://h20436.www2.hp.com/ediags/dex/secure/HPDEXAXO.cab
O16 - DPF: {AB86CE53-AC9F-449F-9399-D8ABCA09EC09} (Get_ActiveX Control) - https://h17000.www1.hp.com/ewfrf-JAVA/Secure/HPGetDownloadManager.ocx
O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} - http://download.mcafee.com/molbin/shared/mcgdmgr/1,0,0,26/mcgdmgr.cab
O16 - DPF: {CAFEEFAC-0014-0001-0002-ABCDEFFEDCBA} (Java Runtime Environment 1.4.1_02) -
O16 - DPF: {EF791A6B-FC12-4C68-99EF-FB9E207A39E6} (McFreeScan Class) - http://download.mcafee.com/molbin/iss-loc/mcfscan/2,2,0,5135/mcfscan.cab
O16 - DPF: {FC6703A7-5B7E-4f58-BE6D-2693AA3906AE} (HP Content Update) - http://h30155.www3.hp.com/ediags/hpna/66/install/gtdownhp.cab?1,0,0,94
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = teamiw
O17 - HKLM\Software\..\Telephony: DomainName = teamiw
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = teamiw
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = teamiw
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll
O20 - AppInit_DLLs: avgrsstx.dll
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: AVG8 E-mail Scanner (avg8emc) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgemc.exe
O23 - Service: AVG8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: QuickBooks Database Manager Service (QBCFMonitorService) - Intuit - C:\Program Files\Common Files\Intuit\QuickBooks\QBCFMonitorService.exe
O23 - Service: Intuit QuickBooks FCS (QBFCService) - Intuit Inc. - C:\Program Files\Common Files\Intuit\QuickBooks\FCS\Intuit.QuickBooks.FCS.exe
O23 - Service: QuickBooksDB17 - iAnywhere Solutions, Inc. - C:\PROGRA~1\Intuit\QUICKB~1\QBDBMgrN.exe
O24 - Desktop Component AutorunsDisabled: (no name) - (no file)

--
End of file - 7060 bytes

Thank you,

Freddy
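The log above is in the HijackThis line format (a section code such as O4 or O23, a dash, then the entry body). As an added example that is not part of this thread, here is a small Python parser that splits such a log into running processes and numbered entries, and then lists the items a reviewer normally checks first: autostart entries that run under the SYSTEM or Default profiles, O16 DPF entries with no source URL, the AppInit_DLLs value, and orphaned "(no file)" entries. The sample lines are copied from the log posted above; the triage rules are my own review checklist, not anything HijackThis itself reports.

```python
import re
from collections import defaultdict

# Constructed sample: a handful of lines copied from the HijackThis log posted
# above (not the whole log), so the parser can be exercised offline.
SAMPLE_LOG = r"""
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 23:46:46, on 6/23/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\PROGRA~1\AVG\AVG8\avgtray.exe

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" -quiet
O4 - S-1-5-18 Startup: mod_sm.lnk = C:\hp\bin\cloaker.exe (User 'SYSTEM')
O4 - .DEFAULT Startup: mod_sm.lnk = C:\hp\bin\cloaker.exe (User 'Default user')
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} -
O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} - http://download.mcafee.com/molbin/shared/mcgdmgr/1,0,0,26/mcgdmgr.cab
O20 - AppInit_DLLs: avgrsstx.dll
O23 - Service: AVG8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
O24 - Desktop Component AutorunsDisabled: (no name) - (no file)
"""

# "O4 - <body>", "R1 - <body>", "F2 - <body>" ...
ENTRY_RE = re.compile(r"^([RFO]\d+)\s+-\s+(.*)$")
# Trailing "(User 'name')" that HijackThis appends to per-user O4 entries.
USER_RE = re.compile(r"\(User '([^']*)'\)\s*$")


def parse_hjt(text):
    """Split a HijackThis log into (running_processes, entries).

    Each entry is a dict with the section code, the raw body, and the
    user name from a trailing (User '...') tag when one is present.
    """
    processes, entries = [], []
    in_procs = False
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("Running processes:"):
            in_procs = True
            continue
        m = ENTRY_RE.match(line)
        if m:
            in_procs = False  # first numbered entry ends the process list
            code, body = m.group(1), m.group(2)
            um = USER_RE.search(body)
            entries.append({"code": code, "body": body,
                            "user": um.group(1) if um else None})
        elif in_procs:
            processes.append(line)
    return processes, entries


def triage(entries):
    """Review checklist (my own, hypothetical): items to verify first."""
    findings = []
    for e in entries:
        code, body, user = e["code"], e["body"], e["user"]
        if code == "O4" and user in ("SYSTEM", "Default user"):
            # Runs before/without an interactive user; confirm the file.
            findings.append(("O4 startup under system/default profile", body))
        if code == "O16" and body.rstrip().endswith("-"):
            # ActiveX download entry whose source URL is blank.
            findings.append(("O16 DPF with no source URL", body))
        if code == "O20":
            # AppInit_DLLs is loaded into every user32 process.
            findings.append(("AppInit_DLLs injection point", body))
        if "(no file)" in body:
            findings.append(("orphaned entry (no file)", body))
    return findings


def by_code(entries):
    """Count entries per section code, e.g. {'O4': 4, 'O23': 1}."""
    counts = defaultdict(int)
    for e in entries:
        counts[e["code"]] += 1
    return dict(counts)


if __name__ == "__main__":
    procs, ents = parse_hjt(SAMPLE_LOG)
    print(len(procs), "processes;", by_code(ents))
    for kind, body in triage(ents):
        print(f"[{kind}] {body}")
```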
 
Re: Can someone here analyze my Hijack log please? [N]

Hi Soarwitheagles, :)

Please download Deckard's System Scanner (DSS) and save it to your Desktop.
  • Close all other windows before proceeding.
  • Double-click on dss.exe and follow the prompts.
  • When it has finished, dss will open two Notepads main.txt and extra.txt -- please copy (CTRL+A and then CTRL+C) and paste (CTRL+V) the contents of main.txt and extra.txt in your next reply.
 
Re: Can someone here analyze my Hijack log please? [N]

TechPro,

Thank you for your handy info. I would like to ask Osris or Makavelli for confirmation before doing so.

Mak or Os, can you confirm for me?

Thanks,

Freddy
 
Re: Can someone here analyze my Hijack log please? [P]

Hi Soarwitheagles,

You need no confirmation :) Though you might think I'm new here, I've been certified as a Security Team member and my advice can be trusted to the fullest extent.

I did spend a long while training to learn this stuff you know. If you need a second opinion I'm sure they can assist you ;)
 
Re: Can someone here analyze my Hijack log please? [P]

Tech Pro,

Thank you for the heads up. I am sorry, perhaps I was just being overly cautious. I have not been to this site for a few months and before most of the interaction was with Os, Mak, Eric, and Peter. This was the first time I saw you online here and the instructions did say to be careful about adjusting stuff if it is not from one of the security team members or....well, I can't remember exactly how they worded it now. But I guess some people were giving advice that caused further havoc.

I want to say thanks for looking at my Hijack this post and giving me further instructions.

I will try it now and see how it works.

Thanks again and please do not misunderstand me...I was just trying to avoid obtaining poor advice from a well meaning person that could further the problem. Now I realize you are certified and can be fully trusted.

Thanks again!

Frettin' Freddy
 
Re: Can someone here analyze my Hijack log please? [P]

Easy misunderstanding .. nothing to be sorry about. Just follow up that instruction and let's get a bit more info about this computer so we can make some better fixes ;)
 
Tech Pro,

I hit the download button for the dss.exe file, but the save file button remains grayed out when I attempt to download it from techforum. I also forgot to mention I am working on my mom's computer...so the info at the bottom of my posts reflects my personal system I have at home. I am visiting my mom and dad and trying to help them resolve their computer issues. My mom has a Compaq Presario S5400NX. She is running XP Home edition with SP2.

She has 1.5 gigs of ram (I think she added a gig because it says on the front 512mb ram). Basically it is stock, she has kept it the same pretty much right out of the box. I just did a search on dss.exe and I discovered it is a form of malware. The software required to discover it and remove it is called Prevx CSI.

Can someone help me understand what the [P] behind my heading is? Does it stand for PASS, PEE ON IT, PUTRID, OR PUKE? Are you sure about my downloading dss.exe? Please explain further. Is there any other way I could download it?
 
Re: Can someone here analyze my Hijack log please? [P]

Nice quadruple post.

Dss (Deckard's System Scanner) is a safe tool that helps techpro look deeper into your computer, so he can see malware in the deep, dark, unhijackthisfindable spots.

The site that says it's malware is incorrect, or is referring to an infection with a similar name or an infection which can hijack the dss program.
 
Re: Can someone here analyze my Hijack log please? [P]

Hello Soarwitheagles,

@RedMo0n: Good reply.

I hit the download button for the dss.exe file, but the save file button remains grayed out when I attempt to download it from techforum.

Click on that window and click on the Save button and wait for it to highlight. If not, try your system browser (Internet Explorer) to download it.

I also forgot to mention I am working on my mom's computer...so the info at the bottom of my posts reflect my personal system I have at home. I am visiting my mom and dad and trying to help them resolve their computer issues. My mom has a Compaq Presario S5400NX. She is running XP Home edition with a SP2.

She has 1.5 gigs of ram I think she added a gig because it says on the front 512mb ram. Basically it is stock, she has kept it the same pretty much right out of the box.

Everything that I need will show up on the DSS Logs. Unless I ask you for information, then please don't give extra logs or data about your computer.

I just did a search on dss.exe and I discovered it is a form of malware. The software required to discover it and remove it is called Prevx CSI.

Are you sure about my downloading dss.exe?

As RedMo0n had said, this is what I was going to say. Most likely you misunderstood the text, or it showed up as a false positive. It's sometimes named a false positive because it creates system checkpoints, and works with the registry.

Can someone help me understand what the [P] behind my heading is? Does it stand for PASS, PEE ON IT, PUTRID, OR PUKE?

The [P] on your thread was my own idea and it helps analysts here know who is getting helped. Your thread is Pending on being clean.

Asking too many questions makes this process long and drawn out, so please just reply back with the logs and don't research every single fix I post. They're all completely safe, and created by malware removal experts to help people like you.
 
Main txt. from dss

Tech Pro,

Sorry for using too many words.

Here is the Main txt. from DSS.

I will post the extra in the next post.

Thanks,

Freddy

Deckard's System Scanner v20071014.68
Run by Owner on 2008-06-25 11:36:10
Computer is in Normal Mode.
--------------------------------------------------------------------------------

-- System Restore --------------------------------------------------------------

Successfully created a Deckard's System Scanner Restore Point.


-- Last 5 Restore Point(s) --
109: 2008-06-25 18:36:25 UTC - RP1895 - Deckard's System Scanner Restore Point
108: 2008-06-24 08:43:40 UTC - RP1894 - System Checkpoint
107: 2008-06-23 07:59:49 UTC - RP1893 - Removed Medal of Honor Allied Assault
106: 2008-06-23 06:23:59 UTC - RP1892 - Installed AVG Free 8.0
105: 2008-06-23 05:14:24 UTC - RP1891 - Removed Java(TM) SE Runtime Environment 6 Update 1


-- First Restore Point --
1: 2008-03-27 20:25:51 UTC - RP1787 - System Checkpoint


Backed up registry hives.
Performed disk cleanup.



-- HijackThis (run as Owner.exe) -----------------------------------------------

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 11:39:30, on 6/25/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16674)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\System32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Intuit\QuickBooks\QBCFMonitorService.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\fxssvc.exe
C:\PROGRA~1\AVG\AVG8\avgrsx.exe
C:\PROGRA~1\AVG\AVG8\avgemc.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\AVG\AVG8\avgtray.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe
C:\WINDOWS\System32\winlogon.exe
C:\Documents and Settings\Owner\Desktop\dss.exe
C:\DOCUME~1\Owner\Desktop\MOMSCL~1\Owner.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = Yahoo!
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = Yahoo!
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = Yahoo!
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\companion\Installs\cpn6\yt.dll
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\companion\Installs\cpn6\yt.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: AVG Safe Search - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG8\avgssie.dll
O2 - BHO: AVG Security Toolbar - {A057A204-BACC-4D26-9990-79A187E2698E} - C:\PROGRA~1\AVG\AVG8\AVGTOO~1.DLL
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: AVG Security Toolbar - {A057A204-BACC-4D26-9990-79A187E2698E} - C:\PROGRA~1\AVG\AVG8\AVGTOO~1.DLL
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\companion\Installs\cpn6\yt.dll
O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe
O4 - HKLM\..\Run: [TrojanScanner] C:\Program Files\Trojan Remover\Trjscan.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" -quiet
O4 - HKUS\S-1-5-21-1707882242-1971481716-257188867-1009\..\Run: [NVIEW] rundll32.exe nview.dll,nViewLoadHook (User 'scott')
O4 - HKUS\S-1-5-21-1707882242-1971481716-257188867-1009\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background (User 'scott')
O4 - HKUS\S-1-5-21-1707882242-1971481716-257188867-1009\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe (User 'scott')
O4 - HKUS\S-1-5-21-1707882242-1971481716-257188867-1009\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe (User 'scott')
O4 - HKUS\S-1-5-21-1707882242-1971481716-257188867-1009\..\Run: [WMPNSCFG] C:\Program Files\Windows Media Player\WMPNSCFG.exe (User 'scott')
O4 - HKUS\S-1-5-21-1707882242-1971481716-257188867-1011\..\Run: [NVIEW] rundll32.exe nview.dll,nViewLoadHook (User 'QBDataServiceUser17')
O4 - S-1-5-21-1707882242-1971481716-257188867-1011 Startup: mod_sm.lnk = C:\hp\bin\cloaker.exe (User 'QBDataServiceUser17')
O4 - S-1-5-21-1707882242-1971481716-257188867-1011 User Startup: mod_sm.lnk = C:\hp\bin\cloaker.exe (User 'QBDataServiceUser17')
O4 - S-1-5-18 Startup: mod_sm.lnk = C:\hp\bin\cloaker.exe (User 'SYSTEM')
O4 - .DEFAULT Startup: mod_sm.lnk = C:\hp\bin\cloaker.exe (User 'Default user')
O4 - .DEFAULT User Startup: mod_sm.lnk = C:\hp\bin\cloaker.exe (User 'Default user')
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O16 - DPF: {01113300-3E00-11D2-8470-0060089874ED} - http://ra.intuit.com/sdccommon/download/tgctlcm.cab
O16 - DPF: {01118F00-3E00-11D2-8470-0060089874ED} - http://ra.intuit.com/sdccommon/download/ssrc.cab
O16 - DPF: {14C1B87C-3342-445F-9B5E-365FF330A3AC} (Hewlett-Packard Online Support Services) - http://h20278.www2.hp.com/CSMWeb/Customer/cabs/HPISDataManager.CAB
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
O16 - DPF: {49232000-16E4-426C-A231-62846947304B} (SysData Class) - http://ipgweb.cce.hp.com/rdqaio2/downloads/sysinfo.cab
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} -
O16 - DPF: {6B75345B-AA36-438A-BBE6-4078B4C6984D} (HpProductDetection Class) - http://h20270.www2.hp.com/ediags/gmn2/install/HPProductDetection.cab
O16 - DPF: {6F15128C-E66A-490C-B848-5000B5ABEEAC} (HP Download Manager) - https://h20436.www2.hp.com/ediags/dex/secure/HPDEXAXO.cab
O16 - DPF: {AB86CE53-AC9F-449F-9399-D8ABCA09EC09} (Get_ActiveX Control) - https://h17000.www1.hp.com/ewfrf-JAVA/Secure/HPGetDownloadManager.ocx
O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} - http://download.mcafee.com/molbin/shared/mcgdmgr/1,0,0,26/mcgdmgr.cab
O16 - DPF: {CAFEEFAC-0014-0001-0002-ABCDEFFEDCBA} (Java Runtime Environment 1.4.1_02) -
O16 - DPF: {EF791A6B-FC12-4C68-99EF-FB9E207A39E6} (McFreeScan Class) - http://download.mcafee.com/molbin/iss-loc/mcfscan/2,2,0,5135/mcfscan.cab
O16 - DPF: {FC6703A7-5B7E-4f58-BE6D-2693AA3906AE} (HP Content Update) - http://h30155.www3.hp.com/ediags/hpna/66/install/gtdownhp.cab?1,0,0,94
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = teamiw
O17 - HKLM\Software\..\Telephony: DomainName = teamiw
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = teamiw
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = teamiw
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll
O20 - AppInit_DLLs: avgrsstx.dll
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: AVG8 E-mail Scanner (avg8emc) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgemc.exe
O23 - Service: AVG8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: QuickBooks Database Manager Service (QBCFMonitorService) - Intuit - C:\Program Files\Common Files\Intuit\QuickBooks\QBCFMonitorService.exe
O23 - Service: Intuit QuickBooks FCS (QBFCService) - Intuit Inc. - C:\Program Files\Common Files\Intuit\QuickBooks\FCS\Intuit.QuickBooks.FCS.exe
O23 - Service: QuickBooksDB17 - iAnywhere Solutions, Inc. - C:\PROGRA~1\Intuit\QUICKB~1\QBDBMgrN.exe
O24 - Desktop Component AutorunsDisabled: (no name) - (no file)

--
End of file - 7642 bytes

-- File Associations -----------------------------------------------------------

All associations okay.


-- Drivers: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled ---------------------

R2 MCSTRM - c:\windows\system32\drivers\mcstrm.sys <Not Verified; RealNetworks, Inc.; RealNetworks Virtual Path Manager® (32-bit)>

S0 black - c:\windows\system32\drivers\blackdrv.sys (file missing)
S3 Ad-Watch Connect Filter (Ad-Watch Connect Kernel Filter) - c:\windows\system32\drivers\nsdriver.sys <Not Verified; Lavasoft AB; Ad-Watch Connections>
S3 Ad-Watch Real-Time Scanner (AW Real-Time Scanner) - c:\windows\system32\drivers\awrtpd.sys <Not Verified; Lavasoft AB; Ad-Watch Beta>
S3 Ad-Watch Registry Filter (Ad-Watch Registry Kernel Filter) - c:\windows\system32\drivers\awrtrd.sys <Not Verified; Lavasoft AB; Ad-Watch Registry Protection>
S3 fixustor - c:\windows\system32\drivers\fixustor.sys <Not Verified; Genesys Logic; USB storage patch driver>
S3 LHidUsbK (Logitech SetPoint USB Receiver device driver) - c:\windows\system32\drivers\lhidusbk.sys <Not Verified; Logitech, Inc.; Logitech SetPoint(TM)>
S3 PalmUSBD - c:\windows\system32\drivers\palmusbd.sys (file missing)
S3 RapFile - c:\windows\system32\drivers\rapfile.sys <Not Verified; Internet Security Systems, Inc.; Rap Protection System>
S3 RapNet - c:\windows\system32\drivers\rapnet.sys <Not Verified; Internet Security Systems, Inc.; Rap Protection System>
S3 STV673 (WebCam II) - c:\windows\system32\drivers\stv673.sys <Not Verified; STMicroelectronics; ST-VIBU STV673 Camera Driver>
S3 XIRLINK (IBM PC Camera) - c:\windows\system32\drivers\c-itnt.sys <Not Verified; Xirlink, Inc; Xirlink Digital Video PC Camera>
S4 LMouKE (Logitech SetPoint Mouse Filter Driver) - c:\windows\system32\drivers\lmouke.sys (file missing)
S4 SYMIDSCO - c:\progra~1\common~1\symant~1\symcdata\ids-di~1\20061113.031\symidsco.sys (file missing)


-- Services: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled --------------------

R2 QBCFMonitorService (QuickBooks Database Manager Service) - "c:\program files\common files\intuit\quickbooks\qbcfmonitorservice.exe" <Not Verified; Intuit; QuickBooks for Windows>

S3 QBFCService (Intuit QuickBooks FCS) - "c:\program files\common files\intuit\quickbooks\fcs\intuit.quickbooks.fcs.exe" <Not Verified; Intuit Inc.; QuickBooks 2007>


-- Device Manager: Disabled ----------------------------------------------------

No disabled devices found.


-- Files created between 2008-05-25 and 2008-06-25 -----------------------------

2008-06-24 21:11:13 0 d-------- C:\Documents and Settings\scott\Application Data\Macromedia
2008-06-24 21:11:13 0 d-------- C:\Documents and Settings\scott\Application Data\Adobe
2008-06-24 21:07:03 0 d-------- C:\Documents and Settings\scott\Application Data\Talkback
2008-06-24 21:06:46 0 d-------- C:\Documents and Settings\scott\Application Data\Mozilla
2008-06-24 01:27:40 0 dr------- C:\Documents and Settings\scott\My Documents
2008-06-24 01:27:40 0 d-------- C:\Documents and Settings\scott\Application Data\AVGTOOLBAR
2008-06-23 10:21:46 0 d-------- C:\Documents and Settings\All Users\Application Data\TEMP
2008-06-23 00:52:44 0 dr-h----- C:\Documents and Settings\Owner\Recent
2008-06-23 00:11:08 0 d-------- C:\VundoFix Backups
2008-06-22 23:51:54 0 d--h----- C:\$AVG8.VAULT$
2008-06-22 23:50:13 1526 --a------ C:\WINDOWS\system32\tmp.reg
2008-06-22 23:48:09 289144 --a------ C:\WINDOWS\system32\VCCLSID.exe <Not Verified; S!Ri; >
2008-06-22 23:48:09 86528 --a------ C:\WINDOWS\system32\VACFix.exe <Not Verified; S!Ri.URZ; VACFix>
2008-06-22 23:48:09 82944 --a------ C:\WINDOWS\system32\IEDFix.exe <Not Verified; S!Ri.URZ; IEDFix>
2008-06-22 23:48:09 81920 --a------ C:\WINDOWS\system32\404Fix.exe <Not Verified; S!Ri.URZ; 404Fix>
2008-06-22 23:42:13 0 d-------- C:\Program Files\MSConfig CleanUp
2008-06-22 23:39:02 162304 --a------ C:\WINDOWS\system32\ztvunrar36.dll
2008-06-22 23:39:02 77312 --a------ C:\WINDOWS\system32\ztvunace26.dll
2008-06-22 23:39:02 69632 --a------ C:\WINDOWS\system32\ztvcabinet.dll <Not Verified; Microsoft Corporation; Microsoft(R) Windows (R) 2000 Operating System>
2008-06-22 23:39:02 153088 --a------ C:\WINDOWS\system32\UNRAR3.dll
2008-06-22 23:39:02 75264 --a------ C:\WINDOWS\system32\unacev2.dll
2008-06-22 23:39:01 0 d-------- C:\Program Files\Trojan Remover
2008-06-22 23:39:01 0 d-------- C:\Documents and Settings\Owner\Application Data\Simply Super Software
2008-06-22 23:39:01 0 d-------- C:\Documents and Settings\All Users\Application Data\Simply Super Software
2008-06-22 23:37:37 0 d-------- C:\Program Files\CCleaner
2008-06-22 23:37:13 288417 --a------ C:\WINDOWS\system32\SrchSTS.exe <Not Verified; S!Ri; SrchSTS>
2008-06-22 23:37:13 51200 --a------ C:\WINDOWS\system32\dumphive.exe
2008-06-22 23:37:08 53248 --a------ C:\WINDOWS\system32\Process.exe <Not Verified; http://www.beyondlogic.org; Command Line Process Utility>
2008-06-22 23:24:07 0 d-------- C:\WINDOWS\system32\drivers\Avg
2008-06-22 23:24:07 0 d-------- C:\Documents and Settings\Owner\Application Data\AVGTOOLBAR
2008-06-22 23:24:00 0 d-------- C:\Program Files\AVG
2008-06-22 23:23:59 0 d-------- C:\Documents and Settings\All Users\Application Data\avg8
2008-06-22 00:58:04 1160 --a------ C:\WINDOWS\mozver.dat
2008-06-22 00:56:54 0 d-------- C:\Documents and Settings\Owner\.housecall6.6
2008-06-07 10:22:14 0 d-------- C:\Documents and Settings\Owner\Application Data\ACD Systems
2008-06-02 13:09:18 16 --a------ C:\WINDOWS\system32\syspvm-03.dll
2008-06-02 13:09:17 0 d-------- C:\Program Files\MVP Software


-- Find3M Report ---------------------------------------------------------------

2008-06-23 16:40:58 0 d-------- C:\Program Files\Common Files\Scanner
2008-06-23 16:40:41 0 d-------- C:\Program Files\Yahoo!
2008-06-23 11:38:00 93184 --a------ C:\WINDOWS\system32\GDIPFONTCACHEV1.DAT
2008-06-22 23:35:45 0 d-------- C:\Program Files\Common Files
2008-06-22 23:20:01 0 d-------- C:\Documents and Settings\Owner\Application Data\McAfee
2008-06-22 22:14:43 0 d-------- C:\Program Files\Java
2008-06-22 14:40:25 0 d-------- C:\Program Files\Real
2008-06-22 14:39:41 0 d--h----- C:\Program Files\InstallShield Installation Information
2008-06-22 14:36:47 0 d-------- C:\Program Files\HP
2008-06-22 14:36:31 0 d-------- C:\Program Files\Hewlett-Packard
2008-06-22 14:27:43 0 d-------- C:\Program Files\PC-Doctor for Windows
2008-06-22 14:21:38 0 d-------- C:\Program Files\Click'N Design 3D (V5)
2008-05-14 16:29:34 0 d-------- C:\Documents and Settings\Owner\Application Data\GameHouse
2008-05-14 16:27:19 0 d-------- C:\Documents and Settings\Owner\Application Data\Eyeblaster
2008-05-01 12:22:37 0 d-------- C:\Program Files\CrossLoop
2008-04-09 10:30:44 249856 --a------ C:\WINDOWS\system32\pdfmona.dll <Not Verified; TODO: <Company name>; TODO: <Product name>>
2008-04-09 10:30:44 51716 --a------ C:\WINDOWS\system32\pdf995mon.dll
2008-03-27 22:05:41 96577 --a------ C:\WINDOWS\hpqins16.dat


-- Registry Dump ---------------------------------------------------------------

*Note* empty entries & legit default entries are not shown


[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{A057A204-BACC-4D26-9990-79A187E2698E}]
06/22/2008 23:24 2050816 --a------ C:\PROGRA~1\AVG\AVG8\AVGTOO~1.DLL

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"AVG8_TRAY"="C:\PROGRA~1\AVG\AVG8\avgtray.exe" [06/22/2008 23:24]
"TrojanScanner"="C:\Program Files\Trojan Remover\Trjscan.exe" [06/03/2008 20:33]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [08/04/2004 00:56]
"Yahoo! Pager"="C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" [03/27/2007 15:22]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"appinit_dlls"=avgrsstx.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\aawservice]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\vds]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{533C5B84-EC70-11D2-9505-00C04F79DEAF}]
@="Volume shadow copy"


[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{04b74c36-9d34-11db-978e-0050da616570}]
AutoRun\command- G:\LaunchU3.exe -a




-- Hosts -----------------------------------------------------------------------

192.168.1.4 HP001560495FD5
192.168.1.3 HP0017A4225C1B
192.168.1.4 HP00187160CCDA


-- End of Deckard's System Scanner: finished at 2008-06-25 11:40:30 ------------
 