Control panel/task manager disabled - Win security alert pop-up - Geeks to Go Forums


Control panel/task manager disabled - Win security alert pop-up

#1 joones

  • Group: Member
  • Posts: 6
  • Joined: 22-November 07

Posted 26 November 2007 - 09:07 AM

My computer is haunted by some spyware I'm unable to remove by myself, and I would really appreciate some help from you.

I have gone through all the steps in your malware cleaning guide, but this one will not let go. Other posts describe a somewhat similar problem, but the proposed solutions are, from what I can see, custom made.

The Windows security popup is coming every 5 minutes and my control panel is disabled.

I've run AVG, SUPERAntiSpyware and ComboFix. When I have run ComboFix, everything works fine until I reboot.

Below are the Panda report and the HijackThis report, and I would highly appreciate your assistance, thanks :-)


Incident Status Location

Potentially unwanted tool:Application/NirCmd.A Not disinfected C:\ComboFix.exe[nircmd.exe]
Potentially unwanted tool:Application/NirCmd.A Not disinfected C:\ComboFix.exe[nircmd.cfexe]
Potentially unwanted tool:Application/NirCmd.A Not disinfected C:\Documents and Settings\Joakim\Skrivebord\ComboFix.exe[nircmd.exe]
Potentially unwanted tool:Application/NirCmd.A Not disinfected C:\Documents and Settings\Joakim\Skrivebord\ComboFix.exe[nircmd.cfexe]
Hacktool:Exploit/ByteVerify Not disinfected C:\Documents and Settings\jrh\Programdata\Sun\Java\Deployment\cache\6.0\2\55916a82-74f182f7[Matrix.class]
Adware:Adware/CWS.Searchmeup Not disinfected C:\Documents and Settings\jrh\Programdata\Sun\Java\Deployment\cache\6.0\7\28779c47-75ff1348[GetAccess.class]
Adware:Adware/CWS.Searchmeup Not disinfected C:\Documents and Settings\jrh\Programdata\Sun\Java\Deployment\cache\6.0\7\28779c47-75ff1348[Installer.class]
Hacktool:Exploit/ByteVerify Not disinfected C:\Documents and Settings\jrh\Programdata\Sun\Java\Deployment\cache\6.0\7\28779c47-75ff1348[NewSecurityClassLoader.class]
Hacktool:Exploit/ByteVerify Not disinfected C:\Documents and Settings\jrh\Programdata\Sun\Java\Deployment\cache\6.0\7\28779c47-75ff1348[NewURLClassLoader.class]
Potentially unwanted tool:Application/NirCmd.A Not disinfected C:\Documents and Settings\jrh\Skrivebord\ComboFix.exe[nircmd.exe]
Potentially unwanted tool:Application/NirCmd.A Not disinfected C:\Documents and Settings\jrh\Skrivebord\ComboFix.exe[nircmd.cfexe]
Potentially unwanted tool:Application/NirCmd.A Not disinfected C:\WINDOWS\NirCmd.exe

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 15:27, on 2007-11-26
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16544)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Norman\Npm\bin\ELOGSVC.EXE
C:\Norman\Npm\bin\ZANDA.EXE
C:\Programfiler\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Programfiler\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\Programfiler\Fellesfiler\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\system32\nvsvc32.exe
C:\Programfiler\RealVNC\WinVNC.EXE
C:\Norman\Npm\bin\NJEEVES.EXE
C:\Norman\Nvc\BIN\NVCSCHED.EXE
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\TBPanel.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Norman\Npm\bin\ZLH.EXE
C:\Programfiler\Adobe\Acrobat 7.0\Distillr\Acrotray.exe
C:\WINDOWS\RTHDCPL.EXE
C:\WINDOWS\system32\timoty.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Programfiler\internet explorer\iexplore.exe
C:\Programfiler\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://intra2.scanrope.int/
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://g.msn.com/0SE...S01?FORM=TOOLBR
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://windowsupdate.microsoft.com/
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Koblinger
F2 - REG:system.ini: Shell=Explorer.exe C:\WINDOWS\system32\msanton.exe
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Programfiler\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll
O4 - HKLM\..\Run: [Gainward] C:\WINDOWS\TBPanel.exe /A
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [Norman ZANDA] C:\Norman\Npm\bin\ZLH.EXE /LOAD /SPLASH
O4 - HKLM\..\Run: [Acrobat Assistant 7.0] "C:\Programfiler\Adobe\Acrobat 7.0\Distillr\Acrotray.exe"
O4 - HKLM\..\Run: [WinVNC] "C:\Programfiler\RealVNC\WinVNC.EXE" -servicehelper
O4 - HKLM\..\Run: [NeroFilterCheck] C:\Programfiler\Fellesfiler\Ahead\Lib\NeroCheck.exe
O4 - HKLM\..\Run: [36X Raid Configurer] C:\WINDOWS\system32\xRaidSetup.exe boot
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Programfiler\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKLM\..\Run: [version] C:\WINDOWS\system32\timoty.exe
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [updateMgr] "C:\Programfiler\Adobe\Acrobat 7.0\Acrobat\AdobeUpdateManager.exe" AcStd7_0_9 -reboot 1
O4 - HKCU\..\Run: [froody] C:\WINDOWS\system32\timoty.exe
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Programfiler\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'LOKAL TJENESTE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'NETTVERKSTJENESTE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - Startup: setings.exe
O4 - Global Startup: Adobe Acrobat Speed Launcher.lnk = ?
O4 - Global Startup: startup.exe
O7 - HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System, DisableRegedit=1
O7 - HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System, DisableRegedit=1
O8 - Extra context menu item: Convert link target to Adobe PDF - res://C:\Programfiler\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert link target to existing PDF - res://C:\Programfiler\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert selected links to Adobe PDF - res://C:\Programfiler\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
O8 - Extra context menu item: Convert selected links to existing PDF - res://C:\Programfiler\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
O8 - Extra context menu item: Convert selection to Adobe PDF - res://C:\Programfiler\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert selection to existing PDF - res://C:\Programfiler\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert to Adobe PDF - res://C:\Programfiler\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert to existing PDF - res://C:\Programfiler\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: E&ksporter til Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O15 - Trusted Zone: http://www.msi.com.tw
O16 - DPF: {493ACF15-5CD9-4474-82A6-91670C3DD66E} (LinkedIn ContactFinderControl) - http://www.linkedin....nderControl.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/microsoftu...b?1189147112107
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/microsoftu...b?1189147103802
O16 - DPF: {8167C273-DF59-4416-B647-C8BB2C7EE83E} (WebSDev Control) - http://liveupdate.ms...ine/install.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoft...free/asinst.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shoc...ash/swflash.cab
O16 - DPF: {E8F628B5-259A-4734-97EE-BA914D7BE941} (Driver Agent ActiveX Control) - http://driveragent.c...driveragent.cab
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = scanrope.int
O17 - HKLM\Software\..\Telephony: DomainName = scanrope.int
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = scanrope.int
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = scanrope.int
O20 - Winlogon Notify: !SASWinLogon - C:\Programfiler\SUPERAntiSpyware\SASWINLO.dll
O20 - Winlogon Notify: byxyyax - byxyyax.dll (file missing)
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:\Programfiler\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: Adobe LM Service - Adobe Systems - C:\Programfiler\Fellesfiler\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Programfiler\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: Norman eLogger service 6 (eLoggerSvc6) - Norman ASA - C:\Norman\Npm\bin\ELOGSVC.EXE
O23 - Service: NBService - Nero AG - C:\Programfiler\Nero\Nero 7\Nero BackItUp\NBService.exe
O23 - Service: NMIndexingService - Nero AG - C:\Programfiler\Fellesfiler\Ahead\Lib\NMIndexingService.exe
O23 - Service: Norman NJeeves - Unknown owner - C:\Norman\Npm\bin\NJEEVES.EXE
O23 - Service: Norman ZANDA - Norman ASA - C:\Norman\Npm\bin\ZANDA.EXE
O23 - Service: Norman Virus Control on-access component (nvcoas) - Norman ASA - C:\Norman\Nvc\bin\nvcoas.exe
O23 - Service: Norman Virus Control Scheduler (NVCScheduler) - Norman ASA - C:\Norman\Nvc\BIN\NVCSCHED.EXE
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: SolidWorks Licensing Service - SolidWorks - C:\Programfiler\Fellesfiler\SolidWorks Shared\Service\SolidWorksLicensing.exe
O23 - Service: Virtual Network Computing (WinVNC) - RealVNC Ltd. - C:\Programfiler\RealVNC\WinVNC.EXE

--
End of file - 7906 bytes
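The HijackThis log above contains several entry types a malware-removal helper reviews first: an F2 Shell value that launches a second executable besides Explorer.exe, O7 policy entries that disable regedit, an O20 Winlogon Notify package whose DLL is marked "(file missing)", Startup-folder entries that are bare executables rather than shortcuts, and one program (timoty.exe) registered under two unrelated Run value names. The Python script below is an added example, not part of this thread and not HijackThis' own code: it parses HijackThis-style lines and flags those patterns. The sample lines are copied from the log in this post; the function names (`analyse`, `first_token`), the category labels and the heuristics themselves are this example's own assumptions about what merits a second look, not a verdict on any file.

```python
"""Flag review-worthy persistence entries in a HijackThis-style log.

Added example (not the thread's or HijackThis' own code). The heuristics are
assumptions of this example: they mark entries for manual review, they do not
decide that a file is malicious.
"""
import re
from collections import defaultdict

# Constructed sample: lines copied from the HijackThis log posted above.
SAMPLE_LOG = r"""
F2 - REG:system.ini: Shell=Explorer.exe C:\WINDOWS\system32\msanton.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [WinVNC] "C:\Programfiler\RealVNC\WinVNC.EXE" -servicehelper
O4 - HKLM\..\Run: [version] C:\WINDOWS\system32\timoty.exe
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [froody] C:\WINDOWS\system32\timoty.exe
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - Startup: setings.exe
O4 - Global Startup: Adobe Acrobat Speed Launcher.lnk = ?
O4 - Global Startup: startup.exe
O7 - HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System, DisableRegedit=1
O20 - Winlogon Notify: !SASWinLogon - C:\Programfiler\SUPERAntiSpyware\SASWINLO.dll
O20 - Winlogon Notify: byxyyax - byxyyax.dll (file missing)
"""

# Line shapes used by HijackThis 2.x for the sections this example inspects.
SHELL_RE = re.compile(r"^F2 - REG:system\.ini: Shell=(?P<value>.+)$")
RUN_RE = re.compile(r"^O4 - (?P<hive>.+?)\\\.\.\\Run: \[(?P<name>[^\]]+)\] (?P<cmd>.+)$")
STARTUP_RE = re.compile(r"^O4 - (?:Global )?Startup: (?P<entry>.+)$")
POLICY_RE = re.compile(r"^O7 - (?P<key>.+), (?P<setting>\w+)=(?P<value>\S+)$")
NOTIFY_RE = re.compile(r"^O20 - Winlogon Notify: (?P<name>\S+) - (?P<dll>.+)$")


def first_token(cmd: str) -> str:
    """Return the program part of a Run command: the quoted path, or the first token."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        end = cmd.find('"', 1)
        return cmd[1:end] if end > 0 else cmd[1:]
    return cmd.split()[0]


def analyse(log_text: str) -> list:
    """Scan HijackThis-style lines and return (category, evidence, note) findings."""
    findings = []
    run_names = defaultdict(set)  # lower-cased program path -> Run value names using it
    for raw in log_text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = SHELL_RE.match(line)
        if m:
            # A clean Shell value is just Explorer.exe; anything else is a second program.
            extra = [t for t in m.group("value").split() if t.lower() != "explorer.exe"]
            if extra:
                findings.append(("shell-hijack", line,
                                 "Winlogon Shell launches more than Explorer.exe: " + " ".join(extra)))
            continue
        m = POLICY_RE.match(line)
        if m:
            if m.group("value") == "1":
                findings.append(("restrictive-policy", line,
                                 f"{m.group('setting')} enforced under {m.group('key')}"))
            continue
        m = NOTIFY_RE.match(line)
        if m:
            if "(file missing)" in m.group("dll"):
                findings.append(("dangling-notify", line,
                                 f"Winlogon Notify package '{m.group('name')}' points at a DLL not on disk"))
            continue
        m = STARTUP_RE.match(line)
        if m:
            # Startup folders normally hold .lnk shortcuts, not executables themselves.
            if m.group("entry").lower().endswith(".exe"):
                findings.append(("exe-in-startup", line,
                                 "Startup folder holds a bare executable rather than a shortcut"))
            continue
        m = RUN_RE.match(line)
        if m:
            run_names[first_token(m.group("cmd")).lower()].add(m.group("name").lower())
    # The same program under several different value names (CTFMON.EXE repeated under
    # the same name for every user hive does not count) is worth a closer look.
    for program, names in sorted(run_names.items()):
        if len(names) > 1:
            findings.append(("multi-name-run", program,
                             "same program registered under value names: " + ", ".join(sorted(names))))
    return findings


if __name__ == "__main__":
    for category, evidence, note in analyse(SAMPLE_LOG):
        print(f"[{category}] {note}\n    {evidence}")
```

Run as-is it prints six findings for the sample; pasting a full log into `analyse` works the same way, since lines the patterns do not recognise are ignored. The output is a triage list for the helper, who still confirms each entry (for instance by checking the flagged file's publisher and creation date) before deciding what to remove.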

#2 Tal

  • Group: Retired Staff
  • Posts: 2,138
  • Joined: 21-October 06

Posted 26 November 2007 - 09:59 AM

Hello joones, welcome to GeeksToGo! :)

My name is Tal, and I will be assisting you in the process of removing malware from your computer. I am going through your logs now, and I'll be back soon with instructions on how to proceed.

As I'm still in training, my replies to you have to be approved before posting, so please excuse delays between replies.

Tal.

#3 Tal

  • Group: Retired Staff
  • Posts: 2,138
  • Joined: 21-October 06

Posted 26 November 2007 - 12:42 PM

Hello joones,

Before we proceed to clean your computer of malware, let's go over some points that will help both me and you, and prevent damage to your computer:
  • Please don't be afraid to ask questions! :) No question is considered dumb here. It's better to be safe than sorry!
  • Please follow the steps exactly in the order posted. If you can't perform a certain step, or you're unsure what to do, please stop and let me know.
  • NEVER fix anything in HijackThis or other programs on your own! This can be very dangerous and cause harm to your system. If you witness a certain entry or program you're unsure about, please don't hesitate to ask! :)

Please download Deckard's System Scanner (DSS) and save it to your Desktop.
  • Close all other windows before proceeding.
  • Double-click on dss.exe and follow the prompts.
  • When it has finished, DSS will open two Notepad windows, main.txt and extra.txt -- please copy (CTRL+A and then CTRL+C) and paste (CTRL+V) the contents of main.txt and extra.txt in your next reply. Note: It's likely that the two logs won't fit into one post. If so, please post extra.txt in a separate post.


#4 joones

  • Group: Member
  • Posts: 6
  • Joined: 22-November 07

Posted 27 November 2007 - 01:17 AM

Hello Tal, thanks for helping. Please find my logs below.

Deckard's System Scanner v20071014.68
Run by jrh on 2007-11-27 08:11:37
Computer is in Normal Mode.
--------------------------------------------------------------------------------

-- System Restore --------------------------------------------------------------

Successfully created a Deckard's System Scanner Restore Point.


-- Last 3 Restore Point(s) --
3: 2007-11-27 07:11:39 UTC - RP118 - Deckard's System Scanner Restore Point
2: 2007-11-26 12:51:56 UTC - RP117 - Removed Java™ 6 Update 3
1: 2007-11-26 10:49:26 UTC - RP116 - Før skanning


Backed up registry hives.
Performed disk cleanup.



-- HijackThis (run as jrh.exe) -------------------------------------------------

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 08:12, on 2007-11-27
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16544)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Norman\Npm\bin\ELOGSVC.EXE
C:\Norman\Npm\bin\ZANDA.EXE
C:\Programfiler\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Programfiler\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\Programfiler\Fellesfiler\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\system32\nvsvc32.exe
C:\Programfiler\RealVNC\WinVNC.EXE
C:\Norman\Npm\bin\NJEEVES.EXE
C:\Norman\Nvc\BIN\NVCSCHED.EXE
C:\WINDOWS\Explorer.exe
C:\WINDOWS\system32\msanton.exe
C:\WINDOWS\TBPanel.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Norman\Npm\bin\ZLH.EXE
C:\Programfiler\Adobe\Acrobat 7.0\Distillr\Acrotray.exe
C:\WINDOWS\RTHDCPL.EXE
C:\WINDOWS\system32\ctfmon.exe
C:\Documents and Settings\jrh\Skrivebord\dss.exe
C:\PROGRA~1\TRENDM~1\HIJACK~1\jrh.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://intra2.scanrope.int/
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://g.msn.com/0SE...S01?FORM=TOOLBR
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://windowsupdate.microsoft.com/
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Koblinger
F2 - REG:system.ini: Shell=Explorer.exe C:\WINDOWS\system32\msanton.exe
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Programfiler\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll
O4 - HKLM\..\Run: [Gainward] C:\WINDOWS\TBPanel.exe /A
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [Norman ZANDA] C:\Norman\Npm\bin\ZLH.EXE /LOAD /SPLASH
O4 - HKLM\..\Run: [Acrobat Assistant 7.0] "C:\Programfiler\Adobe\Acrobat 7.0\Distillr\Acrotray.exe"
O4 - HKLM\..\Run: [WinVNC] "C:\Programfiler\RealVNC\WinVNC.EXE" -servicehelper
O4 - HKLM\..\Run: [NeroFilterCheck] C:\Programfiler\Fellesfiler\Ahead\Lib\NeroCheck.exe
O4 - HKLM\..\Run: [36X Raid Configurer] C:\WINDOWS\system32\xRaidSetup.exe boot
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Programfiler\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKLM\..\Run: [version] C:\WINDOWS\system32\timoty.exe
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [updateMgr] "C:\Programfiler\Adobe\Acrobat 7.0\Acrobat\AdobeUpdateManager.exe" AcStd7_0_9 -reboot 1
O4 - HKCU\..\Run: [froody] C:\WINDOWS\system32\timoty.exe
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Programfiler\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'LOKAL TJENESTE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'NETTVERKSTJENESTE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - Startup: setings.exe
O4 - Global Startup: Adobe Acrobat Speed Launcher.lnk = ?
O4 - Global Startup: startup.exe
O7 - HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System, DisableRegedit=1
O7 - HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System, DisableRegedit=1
O8 - Extra context menu item: Convert link target to Adobe PDF - res://C:\Programfiler\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert link target to existing PDF - res://C:\Programfiler\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert selected links to Adobe PDF - res://C:\Programfiler\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
O8 - Extra context menu item: Convert selected links to existing PDF - res://C:\Programfiler\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
O8 - Extra context menu item: Convert selection to Adobe PDF - res://C:\Programfiler\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert selection to existing PDF - res://C:\Programfiler\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert to Adobe PDF - res://C:\Programfiler\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert to existing PDF - res://C:\Programfiler\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: E&ksporter til Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O15 - Trusted Zone: http://www.msi.com.tw
O16 - DPF: {493ACF15-5CD9-4474-82A6-91670C3DD66E} (LinkedIn ContactFinderControl) - http://www.linkedin....nderControl.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/microsoftu...b?1189147112107
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/microsoftu...b?1189147103802
O16 - DPF: {8167C273-DF59-4416-B647-C8BB2C7EE83E} (WebSDev Control) - http://liveupdate.ms...ine/install.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoft...free/asinst.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shoc...ash/swflash.cab
O16 - DPF: {E8F628B5-259A-4734-97EE-BA914D7BE941} (Driver Agent ActiveX Control) - http://driveragent.c...driveragent.cab
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = scanrope.int
O17 - HKLM\Software\..\Telephony: DomainName = scanrope.int
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = scanrope.int
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = scanrope.int
O20 - Winlogon Notify: !SASWinLogon - C:\Programfiler\SUPERAntiSpyware\SASWINLO.dll
O20 - Winlogon Notify: byxyyax - byxyyax.dll (file missing)
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:\Programfiler\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: Adobe LM Service - Adobe Systems - C:\Programfiler\Fellesfiler\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Programfiler\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: Norman eLogger service 6 (eLoggerSvc6) - Norman ASA - C:\Norman\Npm\bin\ELOGSVC.EXE
O23 - Service: NBService - Nero AG - C:\Programfiler\Nero\Nero 7\Nero BackItUp\NBService.exe
O23 - Service: NMIndexingService - Nero AG - C:\Programfiler\Fellesfiler\Ahead\Lib\NMIndexingService.exe
O23 - Service: Norman NJeeves - Unknown owner - C:\Norman\Npm\bin\NJEEVES.EXE
O23 - Service: Norman ZANDA - Norman ASA - C:\Norman\Npm\bin\ZANDA.EXE
O23 - Service: Norman Virus Control on-access component (nvcoas) - Norman ASA - C:\Norman\Nvc\bin\nvcoas.exe
O23 - Service: Norman Virus Control Scheduler (NVCScheduler) - Norman ASA - C:\Norman\Nvc\BIN\NVCSCHED.EXE
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: SolidWorks Licensing Service - SolidWorks - C:\Programfiler\Fellesfiler\SolidWorks Shared\Service\SolidWorksLicensing.exe
O23 - Service: Virtual Network Computing (WinVNC) - RealVNC Ltd. - C:\Programfiler\RealVNC\WinVNC.EXE

--
End of file - 7893 bytes

-- File Associations -----------------------------------------------------------

All associations okay.


-- Drivers: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled ---------------------

R1 SASDIFSV - c:\programfiler\superantispyware\sasdifsv.sys
R1 SASKUTIL - c:\programfiler\superantispyware\saskutil.sys
R2 TBPanel - c:\windows\system32\drivers\tbpanel.sys <Not Verified; Windows ® 2000 DDK provider; Windows ® 2000 DDK driver>
R3 SASENUM - c:\programfiler\superantispyware\sasenum.sys <Not Verified; SuperAdBlocker, Inc.; SuperAntiSpyware>

S3 catchme - c:\docume~1\joakim\lokale~1\temp\catchme.sys (file missing)
S3 GMSIPCI - d:\install\gmsipci.sys (file missing)
S3 TVICHW32 - c:\windows\system32\drivers\tvichw32.sys <Not Verified; EnTech Taiwan; TVicHW32 Generic Device Driver for Windows 95/98/ME/NT/2000/2003/XP/XP64>


-- Services: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled --------------------

R2 WinVNC (Virtual Network Computing) - "c:\programfiler\realvnc\winvnc.exe" -service <Not Verified; RealVNC Ltd.; RealVNC Ltd. - WinVNC>

S3 NBService - c:\programfiler\nero\nero 7\nero backitup\nbservice.exe
S3 SolidWorks Licensing Service - "c:\programfiler\fellesfiler\solidworks shared\service\solidworkslicensing.exe" <Not Verified; SolidWorks; SolidWorks Licensing Service>


-- Device Manager: Disabled ----------------------------------------------------

No disabled devices found.


-- Scheduled Tasks -------------------------------------------------------------

2007-11-26 08:00:22 416 --ah----- C:\WINDOWS\Tasks\User_Feed_Synchronization-{DA085411-2BD9-4667-B3FD-F0EECD1283FB}.job


-- Files created between 2007-10-27 and 2007-11-27 -----------------------------

2007-11-26 12:54:21 0 d-------- C:\WINDOWS\system32\ActiveScan
2007-11-23 08:36:00 1545623 --a------ C:\ComboFix.exe
2007-11-22 16:02:21 0 d-------- C:\Programfiler\Trend Micro
2007-11-22 12:37:07 0 d-------- C:\Programfiler\SUPERAntiSpyware
2007-11-22 10:57:24 2726 --a------ C:\WINDOWS\system32\tmp.reg
2007-11-22 07:56:58 6144 --a------ C:\WINDOWS\system32\timoty.exe
2007-11-22 07:56:58 6144 --a------ C:\WINDOWS\system32\msanton.exe
2007-11-22 07:56:58 289280 --a------ C:\WINDOWS\system32\libcurl.dll <Not Verified; The cURL library, http://curl.haxx.se/; The cURL library>
2007-11-15 13:52:24 0 d-------- C:\WINDOWS\setup.pss
2007-11-15 13:52:04 0 d-------- C:\WINDOWS\setupupd
2007-11-14 08:27:13 6470 ---hs---- C:\WINDOWS\system32\pstwa.bak1
2007-11-13 16:28:03 0 d-------- C:\Programfiler\Virtual Earth 3D
2007-11-07 15:22:35 49152 --a------ C:\WINDOWS\system32\ChCfg.exe
2007-11-07 15:22:01 0 d-------- C:\Programfiler\Realtek
2007-11-07 15:21:55 520192 --a------ C:\WINDOWS\RtlExUpd.dll <Not Verified; Realtek Semiconductor Corp.; RtlExUpd Dynamic Link Library>


-- Find3M Report ---------------------------------------------------------------

2007-11-26 15:05:25 0 d-------- C:\Programfiler\RealVNC
2007-11-26 13:52:02 0 d-------- C:\Programfiler\Fellesfiler
2007-11-22 12:37:07 0 d-------- C:\Documents and Settings\jrh\Programdata\SUPERAntiSpyware.com
2007-11-22 12:36:45 0 d-------- C:\Programfiler\Fellesfiler\Wise Installation Wizard
2007-11-19 08:34:54 38487 --a------ C:\Documents and Settings\jrh\Programdata\Microsoft Excel.ADR
2007-11-15 15:03:38 0 d-------- C:\Documents and Settings\jrh\Programdata\Grisoft
2007-11-14 08:28:20 0 d-------- C:\Documents and Settings\jrh\Programdata\ultra
2007-11-07 15:23:12 442250 --a------ C:\WINDOWS\system32\perfh014.dat
2007-11-07 15:23:12 79670 --a------ C:\WINDOWS\system32\perfc014.dat
2007-11-07 15:22:01 0 d--h----- C:\Programfiler\InstallShield Installation Information
2007-10-25 07:42:44 0 d-------- C:\Programfiler\Fellesfiler\Adobe
2007-10-25 07:42:44 0 d-------- C:\Documents and Settings\jrh\Programdata\Adobe
2007-10-11 13:23:55 315392 --a------ C:\WINDOWS\HideWin.exe <Not Verified; Realtek Semiconductor Corp.; HD Audio Hide windows program>
2007-10-09 06:57:38 0 d-------- C:\Programfiler\Microsoft Silverlight
2007-09-27 14:16:24 151552 --a------ C:\WINDOWS\system32\xRaidAPI.dll <Not Verified; JMicron Technology Corp.; JMB36X RAID API Dynamic Link Library>
2007-09-27 14:16:23 1966080 --a------ C:\WINDOWS\system32\xRaidSetup.exe <Not Verified; JMicron Technology Corp.; JMicron JMB36X RAID Configurer>


-- Registry Dump ---------------------------------------------------------------

*Note* empty entries & legit default entries are not shown


[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Gainward"="C:\WINDOWS\TBPanel.exe" [2006-08-31 10:47]
"NvCplDaemon"="C:\WINDOWS\system32\NvCpl.dll" [2007-04-19 12:26]
"NvMediaCenter"="C:\WINDOWS\system32\NvMcTray.dll" [2007-04-19 12:26]
"Norman ZANDA"="C:\Norman\Npm\bin\ZLH.exe" [2007-08-09 13:40]
"Acrobat Assistant 7.0"="C:\Programfiler\Adobe\Acrobat 7.0\Distillr\Acrotray.exe" [2006-01-12 19:52]
"WinVNC"="C:\Programfiler\RealVNC\WinVNC.exe" [2003-03-05 13:49]
"NeroFilterCheck"="C:\Programfiler\Fellesfiler\Ahead\Lib\NeroCheck.exe" [2007-03-01 14:57]
"36X Raid Configurer"="C:\WINDOWS\system32\xRaidSetup.exe" [2007-09-27 14:16]
"RTHDCPL"="RTHDCPL.EXE" [2007-10-16 18:30 C:\WINDOWS\RTHDCPL.exe]
"!AVG Anti-Spyware"="C:\Programfiler\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" [2007-06-11 10:25]
"version"="C:\WINDOWS\system32\timoty.exe" [2007-11-22 07:56]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 13:00]
"updateMgr"="C:\Programfiler\Adobe\Acrobat 7.0\Acrobat\AdobeUpdateManager.exe" [2006-03-30 15:45]
"froody"="C:\WINDOWS\system32\timoty.exe" [2007-11-22 07:56]
"SUPERAntiSpyware"="C:\Programfiler\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2007-06-21 14:06]

C:\Documents and Settings\jrh\Start-meny\Programmer\Oppstart\
setings.exe [2007-11-22 07:56:58]

C:\Documents and Settings\All Users\Start-meny\Programmer\Oppstart\
Adobe Acrobat Speed Launcher.lnk - C:\WINDOWS\Installer\{AC76BA86-1033-0000-BA7E-000000000002}\SC_Acrobat.exe [2007-07-02 08:17:08]
startup.exe [2007-11-22 07:56:58]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"DisableRegistryTools"=1 (0x1)
"DisableTaskMgr"=1 (0x1)

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]
"DisableRegistryTools"=1 (0x1)
"DisableTaskMgr"=1 (0x1)

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]
"NoControlPanel"=1 (0x1)

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"NoControlPanel"=1 (0x1)
"NoWindowsUpdate"=1 (0x1)

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= C:\Programfiler\SUPERAntiSpyware\SASSEH.DLL [2006-12-20 13:55 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon]
"Shell"="Explorer.exe C:\WINDOWS\system32\msanton.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
C:\Programfiler\SUPERAntiSpyware\SASWINLO.dll 2007-04-19 13:41 294912 C:\Programfiler\SUPERAntiSpyware\SASWINLO.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\byxyyax]
byxyyax.dll

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders]
SecurityProviders msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll, xlibgfl254.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\aawservice]
@="Service"




-- End of Deckard's System Scanner: finished at 2007-11-27 08:12:57 ------------

#5 joones

  • Group: Member
  • Posts: 6
  • Joined: 22-November 07

Posted 27 November 2007 - 01:18 AM

Deckard's System Scanner v20071014.68
Extra logfile - please post this as an attachment with your post.
--------------------------------------------------------------------------------

-- System Information ----------------------------------------------------------

Microsoft Windows XP Professional (build 2600) SP 2.0
Architecture: X86; Language: Norwegian

CPU 0: Intel® Core™2 CPU 6300 @ 1.86GHz
CPU 1: Intel® Core™2 CPU 6300 @ 1.86GHz
Percentage of Memory in Use: 20%
Physical Memory (total/avail): 2046.42 MiB / 1633.55 MiB
Pagefile Memory (total/avail): 3939.29 MiB / 3687.12 MiB
Virtual Memory (total/avail): 2047.88 MiB / 1931.84 MiB

A: is Removable (No Media)
C: is Fixed (NTFS) - 232.88 GiB total, 215.91 GiB free.
D: is CDROM (No Media)
E: is Removable (No Media)
F: is Removable (No Media)
G: is Removable (No Media)
H: is Removable (No Media)
S: is Network (NTFS)

\\.\PHYSICALDRIVE0 - SATA ST325062 SCSI Disk Device - 232.88 GiB - 1 partition
\PARTITION0 (bootable) - Installerbart filsystem - 232.88 GiB - C:

\\.\PHYSICALDRIVE1 - Generic STORAGE DEVICE USB Device

\\.\PHYSICALDRIVE2 -

\\.\PHYSICALDRIVE3 -

\\.\PHYSICALDRIVE4 - Generic STORAGE DEVICE USB Device



-- Security Center -------------------------------------------------------------

AUOptions is disabled.
Windows Internal Firewall is disabled.

FirstRunDisabled is set.

AV: Norman Virus Control ver. 5.90 v5.90 (Norman ASA) Disabled

[HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List]

[HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]


-- Environment Variables -------------------------------------------------------

ALLUSERSPROFILE=C:\Documents and Settings\All Users
APPDATA=C:\Documents and Settings\jrh\Programdata
CLIENTNAME=Console
CommonProgramFiles=C:\Programfiler\Fellesfiler
COMPUTERNAME=JRH-SSC2
ComSpec=C:\WINDOWS\system32\cmd.exe
FP_NO_HOST_CHECK=NO
HOMEDRIVE=C:
HOMEPATH=\Documents and Settings\jrh
HOMESHARE=\\ssc-01\jrh
LOGONSERVER=\\SSC-01
NpmLib=C:\Norman\Npm\bin
NUMBER_OF_PROCESSORS=2
OS=Windows_NT
Path=C:\WINDOWS\system32;C:\WINDOWS;C:\WINDOWS\system32\wbem;C:\Norman\Npm\bin
PATHEXT=.COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH
PROCESSOR_ARCHITECTURE=x86
PROCESSOR_IDENTIFIER=x86 Family 6 Model 15 Stepping 6, GenuineIntel
PROCESSOR_LEVEL=6
PROCESSOR_REVISION=0f06
ProgramFiles=C:\Programfiler
PROMPT=$P$G
SESSIONNAME=Console
SystemDrive=C:
SystemRoot=C:\WINDOWS
TEMP=C:\DOCUME~1\jrh\LOKALE~1\Temp
TMP=C:\DOCUME~1\jrh\LOKALE~1\Temp
USERDNSDOMAIN=SCANROPE.INT
USERDOMAIN=ANDEBY
USERNAME=jrh
USERPROFILE=C:\Documents and Settings\jrh
windir=C:\WINDOWS


-- User Profiles ---------------------------------------------------------------

Joakim (admin)
anja (admin)
jrh (admin)


-- Add/Remove Programs ---------------------------------------------------------

--> C:\Programfiler\Nero\Nero 7\\nero\uninstall\UNNERO.exe /UNINSTALL
--> C:\WINDOWS\UNNeroBackItUp.exe /UNINSTALL
--> C:\WINDOWS\UNNeroMediaHome.exe /UNINSTALL
--> C:\WINDOWS\UNNeroShowTime.exe /UNINSTALL
--> C:\WINDOWS\UNNeroVision.exe /UNINSTALL
--> C:\WINDOWS\UNRecode.exe /UNINSTALL
--> rundll32.exe setupapi.dll,InstallHinfSection DefaultUninstall 132 C:\WINDOWS\INF\PCHealth.inf
Ad-Aware 2007 --> MsiExec.exe /X{DED53B0B-B67C-4244-AE6A-D6FD3C28D1EF}
Adobe Acrobat 7.0.9 Standard --> msiexec /I {AC76BA86-1033-0000-BA7E-000000000002}
Adobe Flash Player ActiveX --> C:\WINDOWS\system32\Macromed\Flash\uninstall_activeX.exe
AVG Anti-Spyware 7.5 --> C:\Programfiler\Grisoft\AVG Anti-Spyware 7.5\Uninstall.exe
Compatibility Pack for 2007 Office --> MsiExec.exe /X{90120000-0020-0414-0000-0000000FF1CE}
eDrawings 2008 --> MsiExec.exe /I{6B8512B9-A3FC-42BB-B782-A77874B87CC2}
EXPERTool --> RunDll32 Setupapi.dll,InstallHinfSection TB.Remove 4 TBNT4.inf
HijackThis 2.0.2 --> "C:\Programfiler\Trend Micro\HijackThis\HijackThis.exe" /uninstall
Hotfix for Windows Media Format 11 SDK (KB929399) --> "C:\WINDOWS\$NtUninstallKB929399$\spuninst\spuninst.exe"
Hurtigreparasjon for Windows XP (KB914440) --> "C:\WINDOWS\$NtUninstallKB914440$\spuninst\spuninst.exe"
Hurtigreparasjon for Windows XP (KB935448) --> "C:\WINDOWS\$NtUninstallKB935448$\spuninst\spuninst.exe"
JMB36X Raid Configurer --> RunDll32 C:\PROGRA~1\FELLES~1\INSTAL~1\PROFES~1\RunTime\11\00\Intel32\Ctor.dll,LaunchSetup "C:\Programfiler\InstallShield Installation Information\{3A1B5D40-41E9-43FA-8C7B-A8667F5586EF}\setup.exe" -l0x9 -removeonly
Microsoft Base Smart Card Cryptographic Service Provider-pakke --> "C:\WINDOWS\$NtUninstallbasecsp$\spuninst\spuninst.exe"
Microsoft Compression Client Pack 1.0 for Windows XP --> "C:\WINDOWS\$NtUninstallMSCompPackV1$\spuninst\spuninst.exe"
Microsoft Office Basic Edition 2003 --> MsiExec.exe /I{91130414-6000-11D3-8CFE-0150048383C9}
Microsoft Office Project Standard 2003 --> MsiExec.exe /I{913A0414-6000-11D3-8CFE-0150048383C9}
Microsoft Office Standard Edition 2003 --> MsiExec.exe /I{91120414-6000-11D3-8CFE-0150048383C9}
Microsoft Silverlight --> MsiExec.exe /I{89F4137D-6C26-4A84-BDB8-2E5A4BB71E00}
Microsoft User-Mode Driver Framework Feature Pack 1.0 --> "C:\WINDOWS\$NtUninstallWudf01000$\spuninst\spuninst.exe"
MSXML 6.0 Parser (KB933579) --> MsiExec.exe /I{0A869A65-8C94-4F7C-A5C7-972D3C8CED9E}
MultiPlus --> MsiExec.exe /I{3390656A-32D6-4035-AEA4-E11A189CEDA5}
Nero 7 Essentials --> MsiExec.exe /X{DB4C031D-B2F8-47F1-A274-59A8F3B61044}
neroxml --> MsiExec.exe /I{56C049BE-79E9-4502-BEA7-9754A3E60F9B}
NVIDIA Drivers --> C:\WINDOWS\system32\nvudisp.exe UninstallGUI
Oppdatering for Windows XP (KB894391) --> "C:\WINDOWS\$NtUninstallKB894391$\spuninst\spuninst.exe"
Oppdatering for Windows XP (KB898461) --> "C:\WINDOWS\$NtUninstallKB898461$\spuninst\spuninst.exe"
Oppdatering for Windows XP (KB900485) --> "C:\WINDOWS\$NtUninstallKB900485$\spuninst\spuninst.exe"
Oppdatering for Windows XP (KB904942) --> "C:\WINDOWS\$NtUninstallKB904942$\spuninst\spuninst.exe"
Oppdatering for Windows XP (KB908531) --> "C:\WINDOWS\$NtUninstallKB908531$\spuninst\spuninst.exe"
Oppdatering for Windows XP (KB910437) --> "C:\WINDOWS\$NtUninstallKB910437$\spuninst\spuninst.exe"
Oppdatering for Windows XP (KB911280) --> "C:\WINDOWS\$NtUninstallKB911280$\spuninst\spuninst.exe"
Oppdatering for Windows XP (KB916595) --> "C:\WINDOWS\$NtUninstallKB916595$\spuninst\spuninst.exe"
Oppdatering for Windows XP (KB920342) --> "C:\WINDOWS\$NtUninstallKB920342$\spuninst\spuninst.exe"
Oppdatering for Windows XP (KB920872) --> "C:\WINDOWS\$NtUninstallKB920872$\spuninst\spuninst.exe"
Oppdatering for Windows XP (KB922582) --> "C:\WINDOWS\$NtUninstallKB922582$\spuninst\spuninst.exe"
Oppdatering for Windows XP (KB925720) --> "C:\WINDOWS\$NtUninstallKB925720$\spuninst\spuninst.exe"
Oppdatering for Windows XP (KB925876) --> "C:\WINDOWS\$NtUninstallKB925876$\spuninst\spuninst.exe"
Oppdatering for Windows XP (KB927891) --> "C:\WINDOWS\$NtUninstallKB927891$\spuninst\spuninst.exe"
Oppdatering for Windows XP (KB930916) --> "C:\WINDOWS\$NtUninstallKB930916$\spuninst\spuninst.exe"
Oppdatering for Windows XP (KB931836) --> "C:\WINDOWS\$NtUninstallKB931836$\spuninst\spuninst.exe"
Oppdatering for Windows XP (KB933360) --> "C:\WINDOWS\$NtUninstallKB933360$\spuninst\spuninst.exe"
Oppdatering for Windows XP (KB936357) --> "C:\WINDOWS\$NtUninstallKB936357$\spuninst\spuninst.exe"
Oppdatering for Windows XP (KB938828) --> "C:\WINDOWS\$NtUninstallKB938828$\spuninst\spuninst.exe"
Panda ActiveScan --> C:\WINDOWS\system32\ASUninst.exe Panda ActiveScan
PolarClock3 Screen Saver --> C:\WINDOWS\system32\PolarClock3.scr /u
Realtek High Definition Audio Driver --> RtlUpd.exe -r -m
Sikkerhetsoppdatering for Windows XP (KB890046) --> "C:\WINDOWS\$NtUninstallKB890046$\spuninst\spuninst.exe"
Sikkerhetsoppdatering for Windows XP (KB893756) --> "C:\WINDOWS\$NtUninstallKB893756$\spuninst\spuninst.exe"
Sikkerhetsoppdatering for Windows XP (KB896358) --> "C:\WINDOWS\$NtUninstallKB896358$\spuninst\spuninst.exe"
Sikkerhetsoppdatering for Windows XP (KB896423) --> "C:\WINDOWS\$NtUninstallKB896423$\spuninst\spuninst.exe"
Sikkerhetsoppdatering for Windows XP (KB896428) --> "C:\WINDOWS\$NtUninstallKB896428$\spuninst\spuninst.exe"
Sikkerhetsoppdatering for Windows XP (KB899587) --> "C:\WINDOWS\$NtUninstallKB899587$\spuninst\spuninst.exe"
Sikkerhetsoppdatering for Windows XP (KB899591) --> "C:\WINDOWS\$NtUninstallKB899591$\spuninst\spuninst.exe"
Sikkerhetsoppdatering for Windows XP (KB900725) --> "C:\WINDOWS\$NtUninstallKB900725$\spuninst\spuninst.exe"
Sikkerhetsoppdatering for Windows XP (KB901017) --> "C:\WINDOWS\$NtUninstallKB901017$\spuninst\spuninst.exe"
Sikkerhetsoppdatering for Windows XP (KB901214) --> "C:\WINDOWS\$NtUninstallKB901214$\spuninst\spuninst.exe"
Sikkerhetsoppdatering for Windows XP (KB902400) --> "C:\WINDOWS\$NtUninstallKB902400$\spuninst\spuninst.exe"
Sikkerhetsoppdatering for Windows XP (KB904706) --> "C:\WINDOWS\$NtUninstallKB904706$\spuninst\spuninst.exe"
Sikkerhetsoppdatering for Windows XP (KB905414) --> "C:\WINDOWS\$NtUninstallKB905414$\spuninst\spuninst.exe"
Sikkerhetsoppdatering for Windows XP (KB905749) --> "C:\WINDOWS\$NtUninstallKB905749$\spuninst\spuninst.exe"
Sikkerhetsoppdatering for Windows XP (KB908519) --> "C:\WINDOWS\$NtUninstallKB908519$\spuninst\spuninst.exe"
Sikkerhetsoppdatering for Windows XP (KB911562) --> "C:\WINDOWS\$NtUninstallKB911562$\spuninst\spuninst.exe"
Sikkerhetsoppdatering for Windows XP (KB911927) --> "C:\WINDOWS\$NtUninstallKB911927$\spuninst\spuninst.exe"
Sikkerhetsoppdatering for Windows XP (KB913580) --> "C:\WINDOWS\$NtUninstallKB913580$\spuninst\spuninst.exe"
Sikkerhetsoppdatering for Windows XP (KB914388) --> "C:\WINDOWS\$NtUninstallKB914388$\spuninst\spuninst.exe"
Sikkerhetsoppdatering for Windows XP (KB914389) --> "C:\WINDOWS\$NtUninstallKB914389$\spuninst\spuninst.exe"
Sikkerhetsoppdatering for Windows XP (KB917344) --> "C:\WINDOWS\$NtUninstallKB917344$\spuninst\spuninst.exe"
Sikkerhetsoppdatering for Windows XP (KB917953) --> "C:\WINDOWS\$NtUninstallKB917953$\spuninst\spuninst.exe"
Sikkerhetsoppdatering for Windows XP (KB918118) --> "C:\WINDOWS\$NtUninstallKB918118$\spuninst\spuninst.exe"
Sikkerhetsoppdatering for Windows XP (KB918439) --> "C:\WINDOWS\$NtUninstallKB918439$\spuninst\spuninst.exe"
Sikkerhetsoppdatering for Windows XP (KB919007) --> "C:\WINDOWS\$NtUninstallKB919007$\spuninst\spuninst.exe"
Sikkerhetsoppdatering for Windows XP (KB920213) --> "C:\WINDOWS\$NtUninstallKB920213$\spuninst\spuninst.exe"
Sikkerhetsoppdatering for Windows XP (KB920670) --> "C:\WINDOWS\$NtUninstallKB920670$\spuninst\spuninst.exe"
Sikkerhetsoppdatering for Windows XP (KB920683) --> "C:\WINDOWS\$NtUninstallKB920683$\spuninst\spuninst.exe"
Sikkerhetsoppdatering for Windows XP (KB920685) --> "C:\WINDOWS\$NtUninstallKB920685$\spuninst\spuninst.exe"
Sikkerhetsoppdatering for Windows XP (KB921503) --> "C:\WINDOWS\$NtUninstallKB921503$\spuninst\spuninst.exe"
Sikkerhetsoppdatering for Windows XP (KB922819) --> "C:\WINDOWS\$NtUninstallKB922819$\spuninst\spuninst.exe"
Sikkerhetsoppdatering for Windows XP (KB923191) --> "C:\WINDOWS\$NtUninstallKB923191$\spuninst\spuninst.exe"
Sikkerhetsoppdatering for Windows XP (KB923414) --> "C:\WINDOWS\$NtUninstallKB923414$\spuninst\spuninst.exe"
Sikkerhetsoppdatering for Windows XP (KB923689) --> "C:\WINDOWS\$NtUninstallKB923689$\spuninst\spuninst.exe"
Sikkerhetsoppdatering for Windows XP (KB923789) --> C:\WINDOWS\system32\MacroMed\Flash\genuinst.exe C:\WINDOWS\system32\MacroMed\Flash\KB923789.inf
Sikkerhetsoppdatering for Windows XP (KB923980) --> "C:\WINDOWS\$NtUninstallKB923980$\spuninst\spuninst.exe"
Sikkerhetsoppdatering for Windows XP (KB924191) --> "C:\WINDOWS\$NtUninstallKB924191$\spuninst\spuninst.exe"
Sikkerhetsoppdatering for Windows XP (KB924270) --> "C:\WINDOWS\$NtUninstallKB924270$\spuninst\spuninst.exe"
Sikkerhetsoppdatering for Windows XP (KB924496) --> "C:\WINDOWS\$NtUninstallKB924496$\spuninst\spuninst.exe"
Sikkerhetsoppdatering for Windows XP (KB924667) --> "C:\WINDOWS\$NtUninstallKB924667$\spuninst\spuninst.exe"
Sikkerhetsoppdatering for Windows XP (KB925902) --> "C:\WINDOWS\$NtUninstallKB925902$\spuninst\spuninst.exe"
Sikkerhetsoppdatering for Windows XP (KB926255) --> "C:\WINDOWS\$NtUninstallKB926255$\spuninst\spuninst.exe"
Sikkerhetsoppdatering for Windows XP (KB926436) --> "C:\WINDOWS\$NtUninstallKB926436$\spuninst\spuninst.exe"
Sikkerhetsoppdatering for Windows XP (KB927779) --> "C:\WINDOWS\$NtUninstallKB927779$\spuninst\spuninst.exe"
Sikkerhetsoppdatering for Windows XP (KB927802) --> "C:\WINDOWS\$NtUninstallKB927802$\spuninst\spuninst.exe"
Sikkerhetsoppdatering for Windows XP (KB928255) --> "C:\WINDOWS\$NtUninstallKB928255$\spuninst\spuninst.exe"
Sikkerhetsoppdatering for Windows XP (KB928843) --> "C:\WINDOWS\$NtUninstallKB928843$\spuninst\spuninst.exe"
Sikkerhetsoppdatering for Windows XP (KB929123) --> "C:\WINDOWS\$NtUninstallKB929123$\spuninst\spuninst.exe"
Sikkerhetsoppdatering for Windows XP (KB930178) --> "C:\WINDOWS\$NtUninstallKB930178$\spuninst\spuninst.exe"
Sikkerhetsoppdatering for Windows XP (KB931261) --> "C:\WINDOWS\$NtUninstallKB931261$\spuninst\spuninst.exe"
Sikkerhetsoppdatering for Windows XP (KB931784) --> "C:\WINDOWS\$NtUninstallKB931784$\spuninst\spuninst.exe"
Sikkerhetsoppdatering for Windows XP (KB932168) --> "C:\WINDOWS\$NtUninstallKB932168$\spuninst\spuninst.exe"
Sikkerhetsoppdatering for Windows XP (KB933566) --> "C:\WINDOWS\$NtUninstallKB933566$\spuninst\spuninst.exe"
Sikkerhetsoppdatering for Windows XP (KB933729) --> "C:\WINDOWS\$NtUninstallKB933729$\spuninst\spuninst.exe"
Sikkerhetsoppdatering for Windows XP (KB935839) --> "C:\WINDOWS\$NtUninstallKB935839$\spuninst\spuninst.exe"
Sikkerhetsoppdatering for Windows XP (KB935840) --> "C:\WINDOWS\$NtUninstallKB935840$\spuninst\spuninst.exe"
Sikkerhetsoppdatering for Windows XP (KB936021) --> "C:\WINDOWS\$NtUninstallKB936021$\spuninst\spuninst.exe"
Sikkerhetsoppdatering for Windows XP (KB938829) --> "C:\WINDOWS\$NtUninstallKB938829$\spuninst\spuninst.exe"
Sikkerhetsoppdatering for Windows XP (KB941202) --> "C:\WINDOWS\$NtUninstallKB941202$\spuninst\spuninst.exe"
Sikkerhetsoppdatering for Windows XP (KB943460) --> "C:\WINDOWS\$NtUninstallKB943460$\spuninst\spuninst.exe"
SUPERAntiSpyware Professional --> MsiExec.exe /X{CDDCBBF1-2703-46BC-938B-BCC81A1EEAAA}
Virtual Earth 3D (Beta) --> MsiExec.exe /I{D76D1828-BBA0-4BD9-8181-5ACC617DC5F2}
Windows Communication Foundation --> MsiExec.exe /X{491DD792-AD81-429C-9EB4-86DD3D22E333}
Windows Imaging Component --> "C:\WINDOWS\$NtUninstallWIC$\spuninst\spuninst.exe"
Windows Live Messenger --> MsiExec.exe /I{B4C75EAB-B1B8-4120-B9AF-0852EAE4A434}
Windows Live Sign-in Assistant --> MsiExec.exe /I{49672EC2-171B-47B4-8CE7-50D7806360D7}
Windows Media Format 11 runtime --> "C:\WINDOWS\$NtUninstallWMFDist11$\spuninst\spuninst.exe"
Windows Media Format SDK Hotfix - KB891122 --> "C:\WINDOWS\$NtUninstallKB891122$\spuninst\spuninst.exe"
Windows Presentation Foundation --> MsiExec.exe /X{BAF78226-3200-4DB4-BE33-4D922A799840}
Windows Presentation Foundation Language Pack (NOR) --> MsiExec.exe /X{B0534960-A7E2-4FFD-8E27-51B4B188633F}
Windows Workflow Foundation --> MsiExec.exe /I{7D1B85BD-AA07-48B8-808D-67A4067FC6BD}
Windows Workflow Foundation NO Language Pack --> MsiExec.exe /I{42F46A4E-1662-473F-A210-C5BB3BD385CC}
Windows XP hurtigreparasjon - KB873339 --> C:\WINDOWS\$NtUninstallKB873339$\spuninst\spuninst.exe
Windows XP hurtigreparasjon - KB885835 --> C:\WINDOWS\$NtUninstallKB885835$\spuninst\spuninst.exe
Windows XP hurtigreparasjon - KB885836 --> C:\WINDOWS\$NtUninstallKB885836$\spuninst\spuninst.exe
Windows XP hurtigreparasjon - KB886185 --> C:\WINDOWS\$NtUninstallKB886185$\spuninst\spuninst.exe
Windows XP hurtigreparasjon - KB887472 --> C:\WINDOWS\$NtUninstallKB887472$\spuninst\spuninst.exe
Windows XP hurtigreparasjon - KB888302 --> C:\WINDOWS\$NtUninstallKB888302$\spuninst\spuninst.exe
Windows XP hurtigreparasjon - KB890859 --> "C:\WINDOWS\$NtUninstallKB890859$\spuninst\spuninst.exe"
Windows XP hurtigreparasjon - KB891781 --> C:\WINDOWS\$NtUninstallKB891781$\spuninst\spuninst.exe
XML Paper Specification Shared Components Language Pack 1.0 --> "C:\WINDOWS\$NtUninstallXPSEPSCLP$\spuninst\spuninst.exe"
XML Paper Specification Shared Components Pack 1.0 -->


-- Application Event Log -------------------------------------------------------

Event Record #/Type3572 / Warning
Event Submitted/Written: 11/26/2007 05:04:33 PM
Event ID/Source: 1524 / Userenv
Event Description:
Windows kan ikke laste ut register filen for klasser. Den er fortsatt i bruk av andre programmer eller andre tjenester. Filen lastes ut når den ikke lenger er i bruk.

Event Record #/Type3562 / Success
Event Submitted/Written: 11/26/2007 04:26:55 PM
Event ID/Source: 12001 / usnjsvc
Event Description:
The Messenger Sharing USN Journal Reader service started successfully.

Event Record #/Type3561 / Error
Event Submitted/Written: 11/26/2007 02:48:16 PM
Event ID/Source: 15 / AutoEnrollment
Event Description:
Den automatiske sertifikatregistreringen for lokalt system kan ikke kontakte Active Directory (0x8007054b). Det angitte domenet finnes ikke eller kan ikke kontaktes.
Registreringen blir ikke utført.

Event Record #/Type3560 / Error
Event Submitted/Written: 11/26/2007 02:47:18 PM
Event ID/Source: 1054 / Userenv
Event Description:
Windows kan ikke oppnå domenekontrollernavnet for datamaskinnettverket. (Det angitte domenet finnes ikke eller kan ikke kontaktes. ). Gruppepolicybehandling er avbrutt.

Event Record #/Type3558 / Error
Event Submitted/Written: 11/26/2007 02:47:16 PM
Event ID/Source: 1054 / Userenv
Event Description:
Windows kan ikke oppnå domenekontrollernavnet for datamaskinnettverket. (Det angitte domenet finnes ikke eller kan ikke kontaktes. ). Gruppepolicybehandling er avbrutt.



-- Security Event Log ----------------------------------------------------------

No Errors/Warnings found.


-- System Event Log ------------------------------------------------------------

Event Record #/Type7152 / Error
Event Submitted/Written: 11/26/2007 02:49:21 PM
Event ID/Source: 29 / W32Time
Event Description:
Tidsleverandøren NtpClient er konfigurert til å hente tid fra en eller flere
tidskilder. Ingen av kildene er imidlertid tilgjengelig for øyeblikket.
Det vil ikke bli gjort forsøk på å nå en kilde på 14 minutter.
NtpClient har ingen kilde for nøyaktig tid.

Event Record #/Type7151 / Warning
Event Submitted/Written: 11/26/2007 02:49:21 PM
Event ID/Source: 14 / W32Time
Event Description:
Tidsleverandøren NtpClient kunne ikke finne en domenekontroller å bruke som
tidskilde. NtpClient prøver igjen om 15 minutter.

Event Record #/Type7133 / Error
Event Submitted/Written: 11/26/2007 02:47:16 PM
Event ID/Source: 5719 / NETLOGON
Event Description:
Ingen domenekontroller er tilgjengelig for domene ANDEBY på grunn av følgende feil:
%%1311

Kontroller at datamaskinen er koblet til nettverket og prøv på nytt. Hvis problemet vedvarer, kontak systemansvarlig.

Event Record #/Type7129 / Error
Event Submitted/Written: 11/26/2007 02:46:22 PM
Event ID/Source: 10005 / DCOM
Event Description:
DCOM fikk feilen "%%1084" ved forsøk på å starte tjenesten EventSystem med argument ""
for å kunne kjøre server:
{1BE1F766-5536-11D1-B726-00C04FB926AF}

Event Record #/Type7128 / Error
Event Submitted/Written: 11/26/2007 02:45:12 PM
Event ID/Source: 10005 / DCOM
Event Description:
DCOM fikk feilen "%%1084" ved forsøk på å starte tjenesten netman med argument ""
for å kunne kjøre server:
{BA126AE5-2166-11D1-B1D0-00805FC1270E}



-- End of Deckard's System Scanner: finished at 2007-11-27 08:12:57 ------------

#6 Tal

  • Group: Retired Staff
  • Posts: 2,138
  • Joined: 21-October 06

Posted 27 November 2007 - 08:57 AM

Hello joones,

Before we proceed to clean your computer from malware, let's go over some points that will help both me and you, and prevent causing damage to your computer:
  • Please don't be afraid to ask questions! :) No question is considered dumb here. It's better to be safe than sorry!
  • Please follow the steps exactly in the same order posted. If you can't perform a certain step, or you're unsure on what to do, please stop and let me know.
  • NEVER fix anything in HijackThis or other programs on your own! This can be very dangerous and cause harm to your system. If you witness a certain entry or program you're unsure about, please don't hesitate to ask! :)
Step 1: Correcting entries with HijackThis

Please re-open HijackThis and click Scan. Put a check next to the following entries presented in the window: (Do NOT click Fix yet!)

F2 - REG:system.ini: Shell=Explorer.exe C:\WINDOWS\system32\msanton.exe
O4 - HKLM\..\Run: [version] C:\WINDOWS\system32\timoty.exe
O4 - HKCU\..\Run: [froody] C:\WINDOWS\system32\timoty.exe
O4 - Startup: setings.exe
O4 - Global Startup: startup.exe
O7 - HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System, DisableRegedit=1
O7 - HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System, DisableRegedit=1
O20 - Winlogon Notify: byxyyax - byxyyax.dll (file missing)


Now, close all other windows but HijackThis, including Explorer windows (folders) and this window, and click Fix. Note: It is vital you close all other windows, otherwise the fix will not succeed.

Restart your computer.

Step 2: Deleting files with OTMoveIt

Please download the OTMoveIt by OldTimer.
  • Save it to your desktop.
  • Please double-click OTMoveIt.exe to run it.
  • Copy the file paths below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose copy):

    C:\WINDOWS\system32\msanton.exe
    C:\WINDOWS\system32\timoty.exe



  • Return to OTMoveIt, right click on the "Paste List of Files/Folders to be moved" window and choose Paste.
  • Click the red Moveit! button.
  • Copy everything on the Results window to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose copy), and paste it on your next reply.
  • Close OTMoveIt
*If a file or folder cannot be moved immediately, you may be asked to reboot the machine to finish the move process. If you are asked to reboot the machine, choose Yes.
**If a reboot was necessary or you needed to Exit before posting the log, you will find a copy of the log at the root of the drive where OTMoveIt is installed, usually at :
C:\_OTMoveIt\MovedFiles\********_******.log
(where "********_******" is the "date_time")


Click "Exit" to close OTMoveIt.

Step 3: Registry Fix

Now let's fix the issue not allowing you access to the Task Manager and Control Panel.

Before we start the registry fix, we need to backup the registry in case anything goes wrong. This is a very simple and quick process :)

To backup your registry, click Start > Run > Type regedit into the box > Click OK > In the window that shows up, click File > Export... > Name the file RegistryBackup > Save it in a convenient location such as your desktop.

Please open a new Notepad document (Note: Other text editors will not work) and paste the following code into it, starting from REGEDIT4:
REGEDIT4

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System]
"DisableTaskMgr"=dword:00000000

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer]
"NoControlPanel"=dword:00000000
"NoWindowsUpdate"=dword:00000000

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders]
"SecurityProviders"="msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll"


Now, click File > Save As... > Change the File Type to All Files > Name the file RegFix1.reg > Save it on your desktop.

Once you've saved it, please double click it. A window should pop up - Click Yes to merge the information with the registry.

Step 4: Scanning with DSS

Please download Deckard's System Scanner (DSS) and save it to your Desktop.
  • Close all other windows before proceeding.
  • Double-click on dss.exe and follow the prompts.
  • When it has finished, dss will open two Notepads, main.txt and extra.txt -- please copy (CTRL+A and then CTRL+C) and paste (CTRL+V) the contents of main.txt and extra.txt in your next reply. Note: It's likely that the two logs won't fit into one post. If so, please post extra.txt in a separate post.
Summary

In your next reply, please include the following:
  • OTMoveIt results;
  • DSS main.txt and extra.txt. Note: There is no need to include a new HijackThis log as DSS automatically scans with HijackThis for you.
Regards,

Tal :)
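A check for the .reg file built in Step 3, as an added example that is not part of this thread and not code from Tal, Geeks to Go or Microsoft: a small Python parser that validates a REGEDIT4 script before it is merged. It reports the two things that most often stop a hand-typed .reg file from merging: a missing header line (regedit then rejects the file as not being a registry script) and a malformed value line (here, whitespace between the value name and '=', which is outside the documented syntax and which this validator treats as an error). The sample script is constructed with the same keys as the Step 3 fix; `parse_reg_script` and `dword_policies` are names I chose.

```python
import re

# Header regedit expects on line 1: the REGEDIT4 form the post asks for, or
# the Unicode form that Windows 2000 and later write themselves.
VALID_HEADERS = ("REGEDIT4", "Windows Registry Editor Version 5.00")

KEY_RE = re.compile(r"^\[(-?)(HKEY_[A-Z_]+(?:\\[^\]]*)?)\]$")
NAME_RE = re.compile(r'^("(?:[^"\\]|\\.)*"|@)=(.*)$')
# Single-line data only: delete marker, string, dword, or hex/hex(type).
DATA_RE = re.compile(
    r'^(?:-|"(?:[^"\\]|\\.)*"|dword:[0-9A-Fa-f]{1,8}'
    r'|hex(?:\([0-9A-Fa-f]+\))?:[0-9A-Fa-f, \\]*)$'
)


def parse_reg_script(text):
    """Parse a .reg script into (entries, problems): entries maps each key to
    {value name: data string}; an empty problems list means the file has the
    shape regedit accepts."""
    entries, problems = {}, []
    lines = text.splitlines()
    if lines and lines[0].strip() in VALID_HEADERS:
        body = enumerate(lines[1:], start=2)
    else:
        problems.append(
            "line 1: missing header; regedit wants REGEDIT4 or 'Windows "
            "Registry Editor Version 5.00' here and otherwise rejects the "
            "file as not being a registry script"
        )
        body = enumerate(lines, start=1)

    current = None
    for n, raw in body:
        line = raw.strip()
        if not line or line.startswith(";"):
            continue  # blank lines and comments are allowed anywhere
        if line.startswith("["):
            m = KEY_RE.match(line)
            if m:
                current = m.group(2)
                entries.setdefault(current, {})
            else:
                current = None
                problems.append(f"line {n}: malformed key line {line!r}")
            continue
        if current is None:
            problems.append(f"line {n}: value outside any [key] section")
            continue
        m = NAME_RE.match(line)
        if not m:
            hint = ""
            if re.match(r'^"(?:[^"\\]|\\.)*"\s+=', line):
                hint = " (no whitespace is allowed between the value name and '=')"
            problems.append(f"line {n}: malformed value line {line!r}{hint}")
            continue
        name, data = m.group(1), m.group(2).strip()
        if not DATA_RE.match(data):
            problems.append(f"line {n}: unrecognised data {data!r}")
            continue
        entries[current]["@" if name == "@" else name[1:-1]] = data
    return entries, problems


def dword_policies(entries):
    """Return [(key, name, int value)] for every dword value, i.e. the
    policy flags a script like this one sets or resets."""
    out = []
    for key, values in entries.items():
        for name, data in values.items():
            if data.lower().startswith("dword:"):
                out.append((key, name, int(data[6:], 16)))
    return out


# Constructed sample with the same keys as the Step 3 fix, but with the
# REGEDIT4 line left out and a stray space before '=' on its line 5.
BROKEN_SCRIPT = r"""[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System]
"DisableTaskMgr"=dword:00000000

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer]
"NoControlPanel" =dword:00000000
"NoWindowsUpdate"=dword:00000000

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders]
"SecurityProviders"="msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll"
"""

# The same script with the header added and the space removed.
FIXED_SCRIPT = "REGEDIT4\n\n" + BROKEN_SCRIPT.replace('"NoControlPanel" =', '"NoControlPanel"=')

if __name__ == "__main__":
    for label, script in (("without header", BROKEN_SCRIPT), ("corrected", FIXED_SCRIPT)):
        entries, problems = parse_reg_script(script)
        print(f"{label}: {len(problems)} problem(s)", *problems, sep="\n  ")
        for key, name, value in dword_policies(entries):
            print(f"  {name} -> {value} under {key}")
```

Run it on a file saved from Notepad before double-clicking it; an empty problems list plus a listing of the dword values it will write is the quick sanity check that the file does what the post intends. The validator deliberately handles single-line values only, so hex data split across continuation lines is reported rather than parsed.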

#7 joones

  • Group: Member
  • Posts: 6
  • Joined: 22-November 07

Posted 27 November 2007 - 10:11 AM

The file I created in notepad won't merge with the registry, it says that the file is not a registry script and that only binary registry files can be imported...

#8 joones

  • Group: Member
  • Posts: 6
  • Joined: 22-November 07

Posted 28 November 2007 - 01:29 AM

Hi Tal, I fixed the registry.

-------------
The only thing from the moveit log was this:
Created on 11-27-2007 16:13:19
--------------

------------------------------------

Here's the log from DSS, but only the main.txt was generated.

-----------------------------------




Deckard's System Scanner v20071014.68
Run by jrh on 2007-11-28 08:24:58
Computer is in Normal Mode.
--------------------------------------------------------------------------------



-- HijackThis (run as jrh.exe) -------------------------------------------------

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 08:24, on 2007-11-28
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16544)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Norman\Npm\bin\ELOGSVC.EXE
C:\Norman\Npm\bin\ZANDA.EXE
C:\Programfiler\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Programfiler\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\Programfiler\Fellesfiler\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\system32\nvsvc32.exe
C:\Programfiler\RealVNC\WinVNC.EXE
C:\Norman\Npm\bin\NJEEVES.EXE
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\TBPanel.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Norman\Npm\bin\ZLH.EXE
C:\Programfiler\Adobe\Acrobat 7.0\Distillr\Acrotray.exe
C:\WINDOWS\RTHDCPL.EXE
C:\WINDOWS\system32\ctfmon.exe
C:\Norman\Nvc\BIN\NVCSCHED.EXE
C:\Documents and Settings\jrh\Skrivebord\dss.exe
C:\PROGRA~1\TRENDM~1\HIJACK~1\jrh.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://intra2.scanrope.int/
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://g.msn.com/0SE...S01?FORM=TOOLBR
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://windowsupdate.microsoft.com/
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Koblinger
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Programfiler\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll
O4 - HKLM\..\Run: [Gainward] C:\WINDOWS\TBPanel.exe /A
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [Norman ZANDA] C:\Norman\Npm\bin\ZLH.EXE /LOAD /SPLASH
O4 - HKLM\..\Run: [Acrobat Assistant 7.0] "C:\Programfiler\Adobe\Acrobat 7.0\Distillr\Acrotray.exe"
O4 - HKLM\..\Run: [WinVNC] "C:\Programfiler\RealVNC\WinVNC.EXE" -servicehelper
O4 - HKLM\..\Run: [NeroFilterCheck] C:\Programfiler\Fellesfiler\Ahead\Lib\NeroCheck.exe
O4 - HKLM\..\Run: [36X Raid Configurer] C:\WINDOWS\system32\xRaidSetup.exe boot
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Programfiler\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKLM\..\Run: [Synchronization Manager] %SystemRoot%\system32\mobsync.exe /logon
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [updateMgr] "C:\Programfiler\Adobe\Acrobat 7.0\Acrobat\AdobeUpdateManager.exe" AcStd7_0_9 -reboot 1
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Programfiler\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'LOKAL TJENESTE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'NETTVERKSTJENESTE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - Global Startup: Adobe Acrobat Speed Launcher.lnk = ?
O8 - Extra context menu item: Convert link target to Adobe PDF - res://C:\Programfiler\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert link target to existing PDF - res://C:\Programfiler\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert selected links to Adobe PDF - res://C:\Programfiler\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
O8 - Extra context menu item: Convert selected links to existing PDF - res://C:\Programfiler\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
O8 - Extra context menu item: Convert selection to Adobe PDF - res://C:\Programfiler\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert selection to existing PDF - res://C:\Programfiler\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert to Adobe PDF - res://C:\Programfiler\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert to existing PDF - res://C:\Programfiler\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: E&ksporter til Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O15 - Trusted Zone: http://www.msi.com.tw
O16 - DPF: {493ACF15-5CD9-4474-82A6-91670C3DD66E} (LinkedIn ContactFinderControl) - http://www.linkedin....nderControl.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/microsoftu...b?1189147112107
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/microsoftu...b?1189147103802
O16 - DPF: {8167C273-DF59-4416-B647-C8BB2C7EE83E} (WebSDev Control) - http://liveupdate.ms...ine/install.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoft...free/asinst.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shoc...ash/swflash.cab
O16 - DPF: {E8F628B5-259A-4734-97EE-BA914D7BE941} (Driver Agent ActiveX Control) - http://driveragent.c...driveragent.cab
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = scanrope.int
O17 - HKLM\Software\..\Telephony: DomainName = scanrope.int
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = scanrope.int
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = scanrope.int
O20 - Winlogon Notify: !SASWinLogon - C:\Programfiler\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:\Programfiler\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: Adobe LM Service - Adobe Systems - C:\Programfiler\Fellesfiler\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Programfiler\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: Norman eLogger service 6 (eLoggerSvc6) - Norman ASA - C:\Norman\Npm\bin\ELOGSVC.EXE
O23 - Service: NBService - Nero AG - C:\Programfiler\Nero\Nero 7\Nero BackItUp\NBService.exe
O23 - Service: NMIndexingService - Nero AG - C:\Programfiler\Fellesfiler\Ahead\Lib\NMIndexingService.exe
O23 - Service: Norman NJeeves - Unknown owner - C:\Norman\Npm\bin\NJEEVES.EXE
O23 - Service: Norman ZANDA - Norman ASA - C:\Norman\Npm\bin\ZANDA.EXE
O23 - Service: Norman Virus Control on-access component (nvcoas) - Norman ASA - C:\Norman\Nvc\bin\nvcoas.exe
O23 - Service: Norman Virus Control Scheduler (NVCScheduler) - Norman ASA - C:\Norman\Nvc\BIN\NVCSCHED.EXE
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: SolidWorks Licensing Service - SolidWorks - C:\Programfiler\Fellesfiler\SolidWorks Shared\Service\SolidWorksLicensing.exe
O23 - Service: Virtual Network Computing (WinVNC) - RealVNC Ltd. - C:\Programfiler\RealVNC\WinVNC.EXE

--
End of file - 7458 bytes

-- Files created between 2007-10-28 and 2007-11-28 -----------------------------

2007-11-26 12:54:21 0 d-------- C:\WINDOWS\system32\ActiveScan
2007-11-23 08:36:00 1545623 --a------ C:\ComboFix.exe
2007-11-22 16:02:21 0 d-------- C:\Programfiler\Trend Micro
2007-11-22 12:37:07 0 d-------- C:\Programfiler\SUPERAntiSpyware
2007-11-22 10:57:24 2726 --a------ C:\WINDOWS\system32\tmp.reg
2007-11-22 07:56:58 289280 --a------ C:\WINDOWS\system32\libcurl.dll <Not Verified; The cURL library, http://curl.haxx.se/; The cURL library>
2007-11-15 13:52:24 0 d-------- C:\WINDOWS\setup.pss
2007-11-15 13:52:04 0 d-------- C:\WINDOWS\setupupd
2007-11-14 08:27:13 6470 ---hs---- C:\WINDOWS\system32\pstwa.bak1
2007-11-13 16:28:03 0 d-------- C:\Programfiler\Virtual Earth 3D
2007-11-07 15:22:35 49152 --a------ C:\WINDOWS\system32\ChCfg.exe
2007-11-07 15:22:01 0 d-------- C:\Programfiler\Realtek
2007-11-07 15:21:55 520192 --a------ C:\WINDOWS\RtlExUpd.dll <Not Verified; Realtek Semiconductor Corp.; RtlExUpd Dynamic Link Library>


-- Find3M Report ---------------------------------------------------------------

2007-11-26 15:05:25 0 d-------- C:\Programfiler\RealVNC
2007-11-26 13:52:02 0 d-------- C:\Programfiler\Fellesfiler
2007-11-22 12:37:07 0 d-------- C:\Documents and Settings\jrh\Programdata\SUPERAntiSpyware.com
2007-11-22 12:36:45 0 d-------- C:\Programfiler\Fellesfiler\Wise Installation Wizard
2007-11-19 08:34:54 38487 --a------ C:\Documents and Settings\jrh\Programdata\Microsoft Excel.ADR
2007-11-15 15:03:38 0 d-------- C:\Documents and Settings\jrh\Programdata\Grisoft
2007-11-14 08:28:20 0 d-------- C:\Documents and Settings\jrh\Programdata\ultra
2007-11-07 15:23:12 442250 --a------ C:\WINDOWS\system32\perfh014.dat
2007-11-07 15:23:12 79670 --a------ C:\WINDOWS\system32\perfc014.dat
2007-11-07 15:22:01 0 d--h----- C:\Programfiler\InstallShield Installation Information
2007-10-25 07:42:44 0 d-------- C:\Programfiler\Fellesfiler\Adobe
2007-10-25 07:42:44 0 d-------- C:\Documents and Settings\jrh\Programdata\Adobe
2007-10-11 13:23:55 315392 --a------ C:\WINDOWS\HideWin.exe <Not Verified; Realtek Semiconductor Corp.; HD Audio Hide windows program>
2007-10-09 06:57:38 0 d-------- C:\Programfiler\Microsoft Silverlight
2007-09-27 14:16:24 151552 --a------ C:\WINDOWS\system32\xRaidAPI.dll <Not Verified; JMicron Technology Corp.; JMB36X RAID API Dynamic Link Library>
2007-09-27 14:16:23 1966080 --a------ C:\WINDOWS\system32\xRaidSetup.exe <Not Verified; JMicron Technology Corp.; JMicron JMB36X RAID Configurer>


-- Registry Dump ---------------------------------------------------------------

*Note* empty entries & legit default entries are not shown


[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Gainward"="C:\WINDOWS\TBPanel.exe" [2006-08-31 10:47]
"NvCplDaemon"="C:\WINDOWS\system32\NvCpl.dll" [2007-04-19 12:26]
"NvMediaCenter"="C:\WINDOWS\system32\NvMcTray.dll" [2007-04-19 12:26]
"Norman ZANDA"="C:\Norman\Npm\bin\ZLH.exe" [2007-08-09 13:40]
"Acrobat Assistant 7.0"="C:\Programfiler\Adobe\Acrobat 7.0\Distillr\Acrotray.exe" [2006-01-12 19:52]
"WinVNC"="C:\Programfiler\RealVNC\WinVNC.exe" [2003-03-05 13:49]
"NeroFilterCheck"="C:\Programfiler\Fellesfiler\Ahead\Lib\NeroCheck.exe" [2007-03-01 14:57]
"36X Raid Configurer"="C:\WINDOWS\system32\xRaidSetup.exe" [2007-09-27 14:16]
"RTHDCPL"="RTHDCPL.EXE" [2007-10-16 18:30 C:\WINDOWS\RTHDCPL.exe]
"!AVG Anti-Spyware"="C:\Programfiler\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" [2007-06-11 10:25]
"Synchronization Manager"="C:\WINDOWS\system32\mobsync.exe" [2004-08-04 13:00]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 13:00]
"updateMgr"="C:\Programfiler\Adobe\Acrobat 7.0\Acrobat\AdobeUpdateManager.exe" [2006-03-30 15:45]
"SUPERAntiSpyware"="C:\Programfiler\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2007-06-21 14:06]

C:\Documents and Settings\All Users\Start-meny\Programmer\Oppstart\
Adobe Acrobat Speed Launcher.lnk - C:\WINDOWS\Installer\{AC76BA86-1033-0000-BA7E-000000000002}\SC_Acrobat.exe [2007-07-02 08:17:08]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"DisableTaskMgr"=1 (0x1)

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]
"DisableTaskMgr"=0 (0x0)
"DisableRegistryTools"=0 (0x0)

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]
"NoWindowsUpdate"=0 (0x0)

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"NoControlPanel"=1 (0x1)
"NoWindowsUpdate"=1 (0x1)

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= C:\Programfiler\SUPERAntiSpyware\SASSEH.DLL [2006-12-20 13:55 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
C:\Programfiler\SUPERAntiSpyware\SASWINLO.dll 2007-04-19 13:41 294912 C:\Programfiler\SUPERAntiSpyware\SASWINLO.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\aawservice]
@="Service"




-- End of Deckard's System Scanner: finished at 2007-11-28 08:25:17 ------------

#9 Tal

  • Group: Retired Staff
  • Posts: 2,138
  • Joined: 21-October 06

Posted 01 December 2007 - 01:39 PM

Hi Joost,

I am sorry for the delay, I've been out of town today.

Before we start the registry fix, we need to backup the registry in case anything goes wrong. This is a very simple and quick process :)

To backup your registry, click Start > Run > Type regedit into the box > Click OK > In the window that shows up, click File > Export... > Name the file RegistryBackup > Save it in a convenient location such as your desktop.

Please open a new Notepad document (Note: Other text editors will not work) and paste the following code into it, starting from REGEDIT4:

REGEDIT4

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"DisableTaskMgr"=dword:00000000

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"NoControlPanel"=dword:00000000
"NoWindowsUpdate"=dword:00000000

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders]
"SecurityProviders"="msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll"


Now, click File > Save As... > Change the File Type to All Files > Name the file RegFix1.reg > Save it on your desktop.

Once you've saved it, please double click it. A window should pop up - Click Yes to merge the information with the registry.

Please include a new DSS log in your next reply.

Regards

Tal :)
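The registry dump in the DSS log above is what reveals the lockdown (DisableTaskMgr, NoControlPanel and NoWindowsUpdate flipped to 1), and Tal's REGEDIT4 script is the reset. As an added example that is not part of the thread, the script below parses that dump format, flags the enabled lockdown policies named in this thread, and generates the matching REGEDIT4 fix; the sample dump is a constructed excerpt in the DSS layout.

```python
import re

# Constructed excerpt of a DSS "Registry Dump" section, in the layout the
# thread's logs use: a [key] header followed by "Name"=value (0xhex) lines.
SAMPLE_DUMP = r"""
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"DisableTaskMgr"=1 (0x1)

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]
"DisableTaskMgr"=0 (0x0)
"DisableRegistryTools"=0 (0x0)

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"NoControlPanel"=1 (0x1)
"NoWindowsUpdate"=1 (0x1)
"""

# Lockdown policies seen in this thread; 0 (or absent) is the clean baseline.
LOCKDOWN_POLICIES = {"DisableTaskMgr", "DisableRegistryTools",
                     "NoControlPanel", "NoWindowsUpdate"}

KEY_RE = re.compile(r"^\[(HKEY_[^\]]+)\]$")
DWORD_RE = re.compile(r'^"([^"]+)"=(\d+) \(0x[0-9a-fA-F]+\)$')


def parse_dump(text):
    """Return {key: {name: int}} for the DWORD entries in a DSS registry dump."""
    entries, key = {}, None
    for line in text.splitlines():
        line = line.strip()
        m = KEY_RE.match(line)
        if m:
            key = m.group(1)
            entries.setdefault(key, {})
            continue
        m = DWORD_RE.match(line)
        if m and key is not None:
            entries[key][m.group(1)] = int(m.group(2))
    return entries


def find_lockdowns(entries):
    """List (key, name) pairs where a lockdown policy is enabled (non-zero)."""
    return [(k, n) for k, vals in entries.items() for n, v in vals.items()
            if n in LOCKDOWN_POLICIES and v != 0]


def build_regfix(lockdowns):
    """Emit a REGEDIT4 script that resets each flagged policy to 0, grouped by key."""
    by_key = {}
    for key, name in lockdowns:
        by_key.setdefault(key, []).append(name)
    out = ["REGEDIT4", ""]
    for key, names in by_key.items():
        out.append(f"[{key}]")
        out.extend(f'"{n}"=dword:00000000' for n in sorted(names))
        out.append("")
    return "\n".join(out)


if __name__ == "__main__":
    hits = find_lockdowns(parse_dump(SAMPLE_DUMP))
    for key, name in hits:
        print(f"lockdown policy set: {key}\\{name}")
    print(build_regfix(hits))
```

Run it against the Registry Dump section of a real DSS log to get a fix file that only touches the policies actually flagged, rather than a hand-typed one.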

#10 joones

  • Group: Member
  • Posts: 6
  • Joined: 22-November 07

Posted 12 December 2007 - 03:35 AM

Hi again Tal. I'm not sure if you noticed, but I attached my DSS log in my previous post. Anyway, I did a fresh scan and attached it below.

Many thanks!

Deckard's System Scanner v20071014.68
Run by jrh on 2007-12-12 10:26:57
Computer is in Normal Mode.
--------------------------------------------------------------------------------



-- HijackThis (run as jrh.exe) -------------------------------------------------

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 10:26, on 12.12.2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16544)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Norman\Npm\bin\ELOGSVC.EXE
C:\Norman\Npm\bin\ZANDA.EXE
C:\Programfiler\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Programfiler\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\Programfiler\Fellesfiler\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\system32\nvsvc32.exe
C:\Programfiler\RealVNC\WinVNC.EXE
C:\Norman\Npm\bin\NJEEVES.EXE
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\TBPanel.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Norman\Npm\bin\ZLH.EXE
C:\Programfiler\Adobe\Acrobat 7.0\Distillr\Acrotray.exe
C:\WINDOWS\RTHDCPL.EXE
C:\Programfiler\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Programfiler\internet explorer\iexplore.exe
C:\Norman\Nvc\BIN\NVCSCHED.EXE
C:\Programfiler\Microsoft Office\OFFICE11\WINWORD.EXE
C:\PROGRA~1\MICROS~2\OFFICE11\OUTLOOK.EXE
C:\Programfiler\MSN Messenger\msnmsgr.exe
C:\Programfiler\MSN Messenger\usnsvc.exe
C:\Programfiler\Fellesfiler\Adobe Systems Shared\Service\Adobelmsvc.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Documents and Settings\jrh\Skrivebord\dss.exe
C:\PROGRA~1\TRENDM~1\HIJACK~1\jrh.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://intra2.scanrope.int/
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://g.msn.com/0SE...S01?FORM=TOOLBR
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://windowsupdate.microsoft.com/
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Koblinger
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Programfiler\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll
O4 - HKLM\..\Run: [Gainward] C:\WINDOWS\TBPanel.exe /A
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [Norman ZANDA] C:\Norman\Npm\bin\ZLH.EXE /LOAD /SPLASH
O4 - HKLM\..\Run: [Acrobat Assistant 7.0] "C:\Programfiler\Adobe\Acrobat 7.0\Distillr\Acrotray.exe"
O4 - HKLM\..\Run: [WinVNC] "C:\Programfiler\RealVNC\WinVNC.EXE" -servicehelper
O4 - HKLM\..\Run: [NeroFilterCheck] C:\Programfiler\Fellesfiler\Ahead\Lib\NeroCheck.exe
O4 - HKLM\..\Run: [36X Raid Configurer] C:\WINDOWS\system32\xRaidSetup.exe boot
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Programfiler\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKLM\..\Run: [Synchronization Manager] %SystemRoot%\system32\mobsync.exe /logon
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [updateMgr] "C:\Programfiler\Adobe\Acrobat 7.0\Acrobat\AdobeUpdateManager.exe" AcStd7_0_9 -reboot 1
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'LOKAL TJENESTE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'NETTVERKSTJENESTE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - Global Startup: Adobe Acrobat Speed Launcher.lnk = ?
O8 - Extra context menu item: Convert link target to Adobe PDF - res://C:\Programfiler\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert link target to existing PDF - res://C:\Programfiler\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert selected links to Adobe PDF - res://C:\Programfiler\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
O8 - Extra context menu item: Convert selected links to existing PDF - res://C:\Programfiler\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
O8 - Extra context menu item: Convert selection to Adobe PDF - res://C:\Programfiler\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert selection to existing PDF - res://C:\Programfiler\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert to Adobe PDF - res://C:\Programfiler\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert to existing PDF - res://C:\Programfiler\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: E&ksporter til Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O15 - Trusted Zone: http://www.msi.com.tw
O16 - DPF: {493ACF15-5CD9-4474-82A6-91670C3DD66E} (LinkedIn ContactFinderControl) - http://www.linkedin....nderControl.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/microsoftu...b?1189147112107
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/microsoftu...b?1189147103802
O16 - DPF: {8167C273-DF59-4416-B647-C8BB2C7EE83E} (WebSDev Control) - http://liveupdate.ms...ine/install.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoft...free/asinst.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shoc...ash/swflash.cab
O16 - DPF: {E8F628B5-259A-4734-97EE-BA914D7BE941} (Driver Agent ActiveX Control) - http://driveragent.c...driveragent.cab
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = scanrope.int
O17 - HKLM\Software\..\Telephony: DomainName = scanrope.int
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = scanrope.int
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = scanrope.int
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:\Programfiler\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: Adobe LM Service - Adobe Systems - C:\Programfiler\Fellesfiler\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Programfiler\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: Norman eLogger service 6 (eLoggerSvc6) - Norman ASA - C:\Norman\Npm\bin\ELOGSVC.EXE
O23 - Service: NBService - Nero AG - C:\Programfiler\Nero\Nero 7\Nero BackItUp\NBService.exe
O23 - Service: NMIndexingService - Nero AG - C:\Programfiler\Fellesfiler\Ahead\Lib\NMIndexingService.exe
O23 - Service: Norman NJeeves - Unknown owner - C:\Norman\Npm\bin\NJEEVES.EXE
O23 - Service: Norman ZANDA - Norman ASA - C:\Norman\Npm\bin\ZANDA.EXE
O23 - Service: Norman Virus Control on-access component (nvcoas) - Norman ASA - C:\Norman\Nvc\bin\nvcoas.exe
O23 - Service: Norman Virus Control Scheduler (NVCScheduler) - Norman ASA - C:\Norman\Nvc\BIN\NVCSCHED.EXE
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: SolidWorks Licensing Service - SolidWorks - C:\Programfiler\Fellesfiler\SolidWorks Shared\Service\SolidWorksLicensing.exe
O23 - Service: Virtual Network Computing (WinVNC) - RealVNC Ltd. - C:\Programfiler\RealVNC\WinVNC.EXE

--
End of file - 7674 bytes

-- Files created between 2007-11-12 and 2007-12-12 -----------------------------

2007-11-26 12:54:21 0 d-------- C:\WINDOWS\system32\ActiveScan
2007-11-23 08:36:00 1545623 --a------ C:\ComboFix.exe
2007-11-22 16:02:21 0 d-------- C:\Programfiler\Trend Micro
2007-11-22 12:37:07 0 d-------- C:\Programfiler\SUPERAntiSpyware
2007-11-22 10:57:24 2726 --a------ C:\WINDOWS\system32\tmp.reg
2007-11-15 13:52:24 0 d-------- C:\WINDOWS\setup.pss
2007-11-15 13:52:04 0 d-------- C:\WINDOWS\setupupd
2007-11-14 08:27:13 6470 ---hs---- C:\WINDOWS\system32\pstwa.bak1
2007-11-13 16:28:03 0 d-------- C:\Programfiler\Virtual Earth 3D


-- Find3M Report ---------------------------------------------------------------

2007-12-10 08:56:25 0 d-------- C:\Programfiler\Fellesfiler\Wise Installation Wizard
2007-12-10 08:56:24 0 d-------- C:\Documents and Settings\jrh\Programdata\SUPERAntiSpyware.com
2007-11-26 15:05:25 0 d-------- C:\Programfiler\RealVNC
2007-11-26 13:52:02 0 d-------- C:\Programfiler\Fellesfiler
2007-11-19 08:34:54 38487 --a------ C:\Documents and Settings\jrh\Programdata\Microsoft Excel.ADR
2007-11-15 15:03:38 0 d-------- C:\Documents and Settings\jrh\Programdata\Grisoft
2007-11-14 08:28:20 0 d-------- C:\Documents and Settings\jrh\Programdata\ultra
2007-11-07 15:23:12 442250 --a------ C:\WINDOWS\system32\perfh014.dat
2007-11-07 15:23:12 79670 --a------ C:\WINDOWS\system32\perfc014.dat
2007-11-07 15:22:01 0 d-------- C:\Programfiler\Realtek
2007-11-07 15:22:01 0 d--h----- C:\Programfiler\InstallShield Installation Information
2007-10-25 07:42:44 0 d-------- C:\Programfiler\Fellesfiler\Adobe
2007-10-25 07:42:44 0 d-------- C:\Documents and Settings\jrh\Programdata\Adobe
2007-10-11 13:23:55 315392 --a------ C:\WINDOWS\HideWin.exe <Not Verified; Realtek Semiconductor Corp.; HD Audio Hide windows program>
2007-09-27 14:16:24 151552 --a------ C:\WINDOWS\system32\xRaidAPI.dll <Not Verified; JMicron Technology Corp.; JMB36X RAID API Dynamic Link Library>
2007-09-27 14:16:23 1966080 --a------ C:\WINDOWS\system32\xRaidSetup.exe <Not Verified; JMicron Technology Corp.; JMicron JMB36X RAID Configurer>


-- Registry Dump ---------------------------------------------------------------

*Note* empty entries & legit default entries are not shown


[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Gainward"="C:\WINDOWS\TBPanel.exe" [31.08.2006 10:47]
"NvCplDaemon"="C:\WINDOWS\system32\NvCpl.dll" [19.04.2007 12:26]
"NvMediaCenter"="C:\WINDOWS\system32\NvMcTray.dll" [19.04.2007 12:26]
"Norman ZANDA"="C:\Norman\Npm\bin\ZLH.exe" [09.08.2007 13:40]
"Acrobat Assistant 7.0"="C:\Programfiler\Adobe\Acrobat 7.0\Distillr\Acrotray.exe" [12.01.2006 19:52]
"WinVNC"="C:\Programfiler\RealVNC\WinVNC.exe" [05.03.2003 13:49]
"NeroFilterCheck"="C:\Programfiler\Fellesfiler\Ahead\Lib\NeroCheck.exe" [01.03.2007 14:57]
"36X Raid Configurer"="C:\WINDOWS\system32\xRaidSetup.exe" [27.09.2007 14:16]
"RTHDCPL"="RTHDCPL.EXE" [16.10.2007 18:30 C:\WINDOWS\RTHDCPL.exe]
"!AVG Anti-Spyware"="C:\Programfiler\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" [11.06.2007 10:25]
"Synchronization Manager"="C:\WINDOWS\system32\mobsync.exe" [04.08.2004 13:00]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\system32\ctfmon.exe" [04.08.2004 13:00]
"updateMgr"="C:\Programfiler\Adobe\Acrobat 7.0\Acrobat\AdobeUpdateManager.exe" [30.03.2006 15:45]

C:\Documents and Settings\All Users\Start-meny\Programmer\Oppstart\
Adobe Acrobat Speed Launcher.lnk - C:\WINDOWS\Installer\{AC76BA86-1033-0000-BA7E-000000000002}\SC_Acrobat.exe [02.07.2007 08:17:08]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"DisableTaskMgr"=1 (0x1)

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]
"DisableTaskMgr"=0 (0x0)
"DisableRegistryTools"=0 (0x0)

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]
"NoWindowsUpdate"=0 (0x0)

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"NoControlPanel"=1 (0x1)
"NoWindowsUpdate"=1 (0x1)

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\aawservice]
@="Service"




-- End of Deckard's System Scanner: finished at 2007-12-12 10:27:20 ------------