Deckard's System Scanner v20071014.68
Run by Administrator on 2008-08-03 11:49:14
Computer is in Normal Mode.
--------------------------------------------------------------------------------

-- HijackThis (run as Administrator.exe) ---------------------------------------

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 11:49:16 AM, on 8/3/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16674)
Boot mode: Normal

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\System32\svchost.exe
C:\Program Files\TGTSoft\StyleXP\StyleXPService.exe
C:\WINNT\system32\spoolsv.exe
C:\Program Files\Common Files\Acronis\Schedule2\schedul2.exe
C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
C:\WINNT\system32\inetsrv\inetinfo.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\Program Files\Nero\Nero8\Nero BackItUp\NBService.exe
C:\PROGRA~1\AVG\AVG8\avgrsx.exe
C:\Program Files\NVIDIA Corporation\nTune\nTuneService.exe
C:\WINNT\Explorer.EXE
C:\WINNT\system32\nvsvc32.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\system32\ctfmon.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\Program Files\MSN Messenger\usnsvc.exe
C:\WINNT\system32\wuauclt.exe
C:\Documents and Settings\Administrator\Desktop\dss.exe
C:\DOCUME~1\ADMINI~1\Desktop\ADMINI~1.EXE

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: flashget urlcatch - {2F364306-AA45-47B5-9F9D-39A8B94E7EF7} - C:\Program Files\FlashGet\jccatch.dll
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG8\avgssie.dll
O2 - BHO: Groove GFS Browser Helper - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\PROGRA~1\MICROS~2\Office12\GRA8E1~1.DLL
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: FlashGet GetFlash Class - {F156768E-81EF-470C-9057-481BA8380DBA} - C:\Program Files\FlashGet\getflash.dll
O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINNT\system32\IME\TINTLGNT\TINTSETP.EXE /SYNC
O4 - HKLM\..\Run: [PHIME2002A] C:\WINNT\system32\IME\TINTLGNT\TINTSETP.EXE /IMEName
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINNT\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [Kernel and Hardware Abstraction Layer] KHALMNPR.EXE
O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINNT\system32\ctfmon.exe
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O8 - Extra context menu item: &Download All with FlashGet - C:\Program Files\FlashGet\jc_all.htm
O8 - Extra context menu item: &Download with FlashGet - C:\Program Files\FlashGet\jc_link.htm
O8 - Extra context menu item: Download by Net Transport - C:\Program Files\Xi\NetTransport 2\NTAddLink.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - C:\Program Files\FlashGet\FlashGet.exe
O9 - Extra 'Tools' menuitem: FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - C:\Program Files\FlashGet\FlashGet.exe
O10 - Unknown file in Winsock LSP: c:\winnt\system32\nwprovau.dll
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.nl/scanforvirus-en/kavwebscan_unicode.cab
O16 - DPF: {BDBDE413-7B1C-4C68-A8FF-C5B2B4090876} (F-Secure Online Scanner 3.3) - http://support.f-secure.com/ols/fscax.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{D54A328E-8780-4909-9546-AF34E4262E90}: NameServer = 208.67.222.222,208.67.220.220
O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\PROGRA~1\MICROS~2\Office12\GR99D3~1.DLL
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll
O20 - AppInit_DLLs: avgrsstx.dll
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: Acronis Scheduler2 Service (AcrSch2Svc) - Acronis - C:\Program Files\Common Files\Acronis\Schedule2\schedul2.exe
O23 - Service: AVG Free8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: Nero BackItUp Scheduler 3 - Nero AG - C:\Program Files\Nero\Nero8\Nero BackItUp\NBService.exe
O23 - Service: NMIndexingService - Nero AG - C:\Program Files\Common Files\Nero\Lib\NMIndexingService.exe
O23 - Service: nTune Service (nTuneService) - NVIDIA - C:\Program Files\NVIDIA Corporation\nTune\nTuneService.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINNT\system32\nvsvc32.exe
O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - CACE Technologies - C:\Program Files\WinPcap\rpcapd.exe
O23 - Service: StyleXPService - Unknown owner - C:\Program Files\TGTSoft\StyleXP\StyleXPService.exe
O23 - Service: TVersityMediaServer - Unknown owner - C:\Program Files\TVersity\Media Server\MediaServer.exe
O23 - Service: VideoAcceleratorEngine - Speedbit Ltd. - C:\PROGRA~1\SPEEDB~1\VideoAcceleratorEngine.exe

--
End of file - 6615 bytes

-- Files created between 2008-07-03 and 2008-08-03 -----------------------------

2008-08-03 10:32:57         0 d--h----- C:\$AVG8.VAULT$
2008-08-03 10:14:07         0 d-------- C:\Documents and Settings\Administrator\Application Data\Malwarebytes
2008-08-03 10:14:03         0 d-------- C:\Program Files\Malwarebytes' Anti-Malware
2008-08-03 10:14:03         0 d-------- C:\Documents and Settings\All Users\Application Data\Malwarebytes
2008-08-03 01:00:16         0 d-------- C:\WINNT\system32\drivers\Avg
2008-08-03 01:00:06         0 d-------- C:\Program Files\AVG
2008-08-03 01:00:05         0 d-------- C:\Documents and Settings\All Users\Application Data\avg8
2008-08-02 12:51:37         0 d-------- C:\fsaua.data
2008-08-01 21:48:11         0 d-------- C:\Documents and Settings\All Users\Application Data\Kaspersky Lab
2008-08-01 21:48:10         0 d-------- C:\WINNT\system32\Kaspersky Lab
2008-08-01 17:48:43         0 d--h----- C:\WINNT\PIF
2008-07-31 22:30:36         0 d-------- C:\cmdcons
2008-07-31 19:51:20     68096 --a------ C:\WINNT\zip.exe
2008-07-31 19:51:20     49152 --a------ C:\WINNT\VFind.exe
2008-07-31 19:51:20    212480 --a------ C:\WINNT\swxcacls.exe
2008-07-31 19:51:20    136704 --a------ C:\WINNT\swsc.exe
2008-07-31 19:51:20    161792 --a------ C:\WINNT\swreg.exe
2008-07-31 19:51:20     98816 --a------ C:\WINNT\sed.exe
2008-07-31 19:51:20     80412 --a------ C:\WINNT\grep.exe
2008-07-31 19:51:20     89504 --a------ C:\WINNT\fdsv.exe
2008-07-30 22:07:36         0 d--h----- C:\WINNT\system32\GroupPolicy
2008-07-30 21:16:33         0 d-------- C:\Program Files\a-squared Anti-Malware
2008-07-30 20:01:33         0 d-------- C:\Program Files\Trend Micro

-- Find3M Report ---------------------------------------------------------------

2008-08-03 10:13:42         0 d-------- C:\Program Files\FlashGet
2008-08-03 03:11:40         0 d-------- C:\Program Files\Warcraft III
2008-08-02 20:22:42         0 d-------- C:\Documents and Settings\Administrator\Application Data\uTorrent
2008-08-02 17:52:23         0 d-------- C:\Program Files\Common Files
2008-07-30 22:43:39         0 d-------- C:\Program Files\free-downloads.net
2008-07-10 20:08:18         0 d-------- C:\Documents and Settings\Administrator\Application Data\Mozilla
2008-07-02 22:15:55     97595 --a------ C:\WINNT\War3Unin.dat
2008-07-02 21:36:33      2829 --a------ C:\WINNT\War3Unin.pif
2008-07-02 21:36:33    139264 --a------ C:\WINNT\War3Unin.exe
2008-06-29 15:33:05         0 d-------- C:\Documents and Settings\Administrator\Application Data\SPORE Creature Creator
2008-06-17 23:07:11         0 d--h----- C:\Program Files\InstallShield Installation Information
2008-06-17 23:07:11         0 d-------- C:\Program Files\Electronic Arts
2008-06-17 18:08:33         0 d-------- C:\Documents and Settings\Administrator\Application Data\Realtime Soft
2008-06-17 18:00:40         8 --a------ C:\WINNT\system32\nvModes.dat

-- Registry Dump ---------------------------------------------------------------

*Note* empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"PHIME2002ASync"="C:\WINNT\system32\IME\TINTLGNT\TINTSETP.exe" [08/03/2004 10:32 PM]
"PHIME2002A"="C:\WINNT\system32\IME\TINTLGNT\TINTSETP.exe" [08/03/2004 10:32 PM]
"nwiz"="nwiz.exe" [12/05/2007 12:41 AM C:\WINNT\system32\nwiz.exe]
"NvCplDaemon"="C:\WINNT\system32\NvCpl.dll" [12/05/2007 12:41 AM]
"Kernel and Hardware Abstraction Layer"="KHALMNPR.EXE" [04/11/2007 03:32 PM C:\WINNT\KHALMNPR.Exe]
"AVG8_TRAY"="C:\PROGRA~1\AVG\AVG8\avgtray.exe" [08/03/2008 01:00 AM]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINNT\system32\ctfmon.exe" [08/04/2004 12:56 AM]
"msnmsgr"="C:\Program Files\MSN Messenger\msnmsgr.exe" [01/19/2007 12:54 PM]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"DisableRegistryTools"=0 (0x0)
"HideLegacyLogonScripts"=0 (0x0)
"HideLogoffScripts"=0 (0x0)
"RunLogonScriptSync"=1 (0x1)
"RunStartupScriptSync"=0 (0x0)
"HideStartupScripts"=0 (0x0)

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]
"HideLegacyLogonScripts"=0 (0x0)
"HideLogoffScripts"=0 (0x0)
"RunLogonScriptSync"=1 (0x1)
"RunStartupScriptSync"=0 (0x0)
"HideStartupScripts"=0 (0x0)

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
"{1E51C0FD-EE36-434B-AD2A-FD1FF3731C38}"= C:\WINNT\system32\wyrsdj.dll [ ]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"appinit_dlls"=avgrsstx.dll

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
"Authentication Packages"= msv1_0 relog_ap

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders]
SecurityProviders msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll,

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\aawservice]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\vds]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WdfLoadGroup]
@=""

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{533C5B84-EC70-11D2-9505-00C04F79DEAF}]
@="Volume shadow copy"

-- End of Deckard's System Scanner: finished at 2008-08-03 11:49:30 ------------