Javascript Disabled Detected

You currently have javascript disabled. Several functions may not work. Please re-enable javascript to access full functionality.

Multiple programs opens and unable to start in Safe Mode [RESOLVED]

Started by Briannola , Feb 18 2008 01:58 AM

This topic is locked

#1
Briannola

Posted 18 February 2008 - 01:58 AM

Member

Member
50 posts

I have a problem where my mouse will launch programs multiple times without me clicking on the icons (10 to 30 or more of the applications open and start giving errors). I have figured out a way to prevent the multiple programs from opening temporarily. If I press the windows key and open the first program using the keyboard, I can then use the mouse to open other programs. If I don't do that first, what ever icon I pass the mouse pointer over, suddenly starts to launch multiple times until the computer can't open any more. I wanted to start my computer in safe mode to troubleshoot but the computer does not show the screen to press F8 anymore. Windows will start normally but when I press F8 when I think it should bring me to the safe mode screen, I get "Reboot and select proper boot device or insert boot media in selected boot device and press any key." I can get to safe mode by going to msconfig but not the normal way at startup. The problem exits in safe mode also.

I thought I might have a virus/malware problem but I have run Symantec AV and AVG and come up with no virus. I have also run Ad-aware, Spyware blaster, AVG AS, super-Anti Spyware and online Active Panda scan and have only come up with minor cookie spyware that I have deleted. All are updated. Now everything comes up clear but I have the same problems. A strange thing is that when I start the computer, the screen flickers but does not show the screen that allows me to go to safe mode. I wanted to try and repair WinXP (SP2) with the system disk. I set the bios to boot from the CDROM drive, but when I start the computer, it flickers but will not boot up - and gives the error "Reboot and select proper boot device or insert boot media in selected boot device and press any key." I used the original WinXP disk and I know it is a good disk but it will not boot from the CDROM.

So, in addition to the multiple programs opening when I pass the mouse pointer over an icon, the computer will not allow me to start in safe mode or boot from the Windows XP CD. Not because the CDROM or disk is damaged. They both work fine when windows is already loaded. When I boot in normal mode, I can autorun disk with the CDROM so the CDROM works.

Here is my HJT log. How do I fix this? Is this a virus that my AV software does not recognize?

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 11:18:50 PM, on 2/17/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16608)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccProxy.exe
C:\Program Files\Symantec Client Security\Symantec Client Firewall\ISSVC.exe
C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\PROGRA~1\SYMANT~1\SYMANT~2\VPTray.exe
C:\Program Files\Analog Devices\SoundMAX\SMax4PNP.exe
C:\Program Files\Analog Devices\SoundMAX\Smax4.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\NDAS\System\ndasmgmt.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\Program Files\Symantec Client Security\Symantec AntiVirus\DefWatch.exe
C:\Program Files\Pinnacle\MediaServer\Microsoft SQL Server\MSSQL$PINNACLESYS\Binn\sqlservr.exe
C:\Program Files\NDAS\System\ndassvc.exe
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\Program Files\Symantec Client Security\Symantec AntiVirus\Rtvscan.exe
C:\Program Files\Symantec Client Security\Symantec Client Firewall\SymSPort.exe
C:\Program Files\Linksys\WUSB300N\WLService.exe
C:\Program Files\Linksys\WUSB300N\WUSB300N.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://my.earthlink.net/channel/START
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft....k/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft....k/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft....k/?LinkId=69157
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O3 - Toolbar: (no name) - {E0E899AB-F487-11D5-8D29-0050BA6940E3} - (no file)
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\SYMANT~2\VPTray.exe
O4 - HKLM\..\Run: [SoundMAXPnP] C:\Program Files\Analog Devices\SoundMAX\SMax4PNP.exe
O4 - HKLM\..\Run: [SoundMAX] "C:\Program Files\Analog Devices\SoundMAX\Smax4.exe" /tray
O4 - HKLM\..\Run: [Ptipbmf] rundll32.exe ptipbmf.dll,SetWriteCacheMode
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Global Startup: NDAS Device Management.lnk = C:\Program Files\NDAS\System\ndasmgmt.exe
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoft...free/asinst.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.m...ash/swflash.cab
O16 - DPF: {FFBB3F3B-0A5A-4106-BE53-DFE1E2340CB1} (DLM Control) - http://dlm.tools.aka...vex-2.2.3.2.cab
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Network Proxy (ccProxy) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccProxy.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - C:\Program Files\Symantec Client Security\Symantec AntiVirus\DefWatch.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: IS Service (ISSVC) - Symantec Corporation - C:\Program Files\Symantec Client Security\Symantec Client Firewall\ISSVC.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: NDAS Service (ndassvc) - XIMETA, Inc. - C:\Program Files\NDAS\System\ndassvc.exe
O23 - Service: Pinnacle Systems Media Service (PinnacleSys.MediaServer) - Unknown owner - C:\Program Files\Pinnacle\Shared Files\Programs\MediaServer\PMSHost.exe (file missing)
O23 - Service: Promise RAID message agent (RAIDmAgt) - Unknown owner - C:\Program Files\Promise\Utility\MsgAgt.exe (file missing)
O23 - Service: Promise RAID message server (RAIDmSvr) - Unknown owner - C:\Program Files\Promise\Utility\MsgSvr.exe (file missing)
O23 - Service: SAVRoam (SavRoam) - symantec - C:\Program Files\Symantec Client Security\Symantec AntiVirus\SavRoam.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec Client Security\Symantec AntiVirus\Rtvscan.exe
O23 - Service: Symantec SecurePort (SymSecurePort) - Symantec Corporation - C:\Program Files\Symantec Client Security\Symantec Client Firewall\SymSPort.exe
O23 - Service: WUSB300NSvc - Unknown owner - C:\Program Files\Linksys\WUSB300N\WLService.exe

--
End of file - 7643 bytes

#2
Rorschach112

Posted 22 February 2008 - 06:22 AM

Ralphie

Retired Staff
47,710 posts

Hello

Please download Deckard's System Scanner (DSS) and save it to your Desktop.

Close all other windows before proceeding.
Double-click on dss.exe and follow the prompts.
If your anti-virus or firewall complains, please allow this script to run as it is not malicious.
When it has finished, dss will open two Notepads main.txt and extra.txt -- please copy (CTRL+A and then CTRL+C) and paste (CTRL+V) the contents of main.txt and extra.txt in your next reply.

Please do an online scan with Kaspersky WebScanner

Click on Kaspersky Online Scanner and click Accept

You will be prompted to install an ActiveX component from Kaspersky, Click Yes.

The program will launch and then begin downloading the latest definition files:
Once the files have been downloaded click on NEXT
Now click on Scan Settings
In the scan settings make that the following are selected:
- Scan using the following Anti-Virus database:
Extended (if available otherwise Standard)
- Scan Options:
Scan Archives
Scan Mail Bases
Click OK
Now under select a target to scan:Select My Computer
This will program will start and scan your system.
The scan will take a while so be patient and let it run.
Once the scan is complete it will display if your system has been infected.
- Now click on the Save as Text button:
Save the file to your desktop.
Copy and paste that information in your next post.

#3
Briannola

Posted 23 February 2008 - 12:13 AM

Member

Topic Starter
Member
50 posts

Thanks for the help.

Here are the DSS main txt and extra txt. Kaspersky show 0 viruses, 0 infections, and 0 suspicious files.

Deckard's System Scanner v20071014.68
Run by Brian on 2008-02-22 20:17:58
Computer is in Normal Mode.
--------------------------------------------------------------------------------

-- System Restore --------------------------------------------------------------

Successfully created a Deckard's System Scanner Restore Point.

-- Last 4 Restore Point(s) --
4: 2008-02-23 04:18:07 UTC - RP4 - Deckard's System Scanner Restore Point
3: 2008-02-22 05:13:56 UTC - RP3 - Software Distribution Service 3.0
2: 2008-02-18 09:34:56 UTC - RP2 - System Checkpoint
1: 2008-02-17 08:04:55 UTC - RP1 - System Checkpoint

Backed up registry hives.
Performed disk cleanup.

Total Physical Memory: 511 MiB (512 MiB recommended).

-- HijackThis (run as Brian.exe) -----------------------------------------------

logfile has no content; running clone.
-- HijackThis Clone ------------------------------------------------------------

Emulating logfile of Trend Micro HijackThis v2.0.2
Scan saved at 2008-02-22 20:19:09
Platform: Windows XP Service Pack 2 (5.01.2600)
MSIE: Internet Explorer (7.00.6000.16608)
Boot mode: Normal

Running processes:
C:\WINDOWS\system32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\ati2evxx.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccProxy.exe
C:\Program Files\Symantec Client Security\Symantec Client Firewall\ISSVC.exe
C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\Program Files\Symantec Client Security\Symantec AntiVirus\DefWatch.exe
C:\Program Files\Pinnacle\MediaServer\Microsoft SQL Server\MSSQL$PINNACLESYS\Binn\sqlservr.exe
C:\Program Files\NDAS\System\ndassvc.exe
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\Program Files\Symantec Client Security\Symantec AntiVirus\Rtvscan.exe
C:\Program Files\Symantec Client Security\Symantec Client Firewall\SymSPort.exe
C:\Program Files\Linksys\WUSB300N\WLService.exe
C:\Program Files\Linksys\WUSB300N\WUSB300N.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\Program Files\Symantec Client Security\Symantec AntiVirus\VPTray.exe
C:\Program Files\Analog Devices\SoundMAX\SMax4PNP.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\svchost.exe
C:\Netstuff\AntiVirus\DSS\dss.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://my.earthlink.net/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft....k/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft....k/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft....k/?LinkId=69157
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O3 - Toolbar: (no name) - {E0E899AB-F487-11D5-8D29-0050BA6940E3} - (no file)
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\SYMANT~2\VPTray.exe
O4 - HKLM\..\Run: [SoundMAXPnP] C:\Program Files\Analog Devices\SoundMAX\SMax4PNP.exe
O4 - HKLM\..\Run: [SoundMAX] "C:\Program Files\Analog Devices\SoundMAX\Smax4.exe" /tray
O4 - HKLM\..\Run: [Ptipbmf] rundll32.exe ptipbmf.dll,SetWriteCacheMode
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Global Startup: NDAS Device Management.lnk = C:\Program Files\NDAS\System\ndasmgmt.exe
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\network diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\network diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoft...free/asinst.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.m...ash/swflash.cab
O16 - DPF: {FFBB3F3B-0A5A-4106-BE53-DFE1E2340CB1} (DLM Control) - http://dlm.tools.aka...vex-2.2.3.2.cab
O18 - Protocol: mso-offdap - {3D9F03FA-7A94-11D3-BE81-0050048385D1} - C:\Program Files\Common Files\Microsoft Shared\Web Components\10\OWC10.DLL
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Network Proxy (ccProxy) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccProxy.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - C:\Program Files\Symantec Client Security\Symantec AntiVirus\DefWatch.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: IS Service (ISSVC) - Symantec Corporation - C:\Program Files\Symantec Client Security\Symantec Client Firewall\ISSVC.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\LuComServer_3_1.EXE
O23 - Service: NDAS Service (ndassvc) - XIMETA, Inc. - C:\Program Files\NDAS\System\ndassvc.exe
O23 - Service: Pinnacle Systems Media Service (PinnacleSys.MediaServer) - Unknown owner - C:\Program Files\Pinnacle\Shared Files\Programs\MediaServer\PMSHost.exe
O23 - Service: Promise RAID message agent (RAIDmAgt) - Unknown owner - C:\Program Files\Promise\Utility\MsgAgt.exe
O23 - Service: Promise RAID message server (RAIDmSvr) - Unknown owner - C:\Program Files\Promise\Utility\MsgSvr.exe
O23 - Service: SavRoam - symantec - C:\Program Files\Symantec Client Security\Symantec AntiVirus\SavRoam.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec Client Security\Symantec AntiVirus\Rtvscan.exe
O23 - Service: Symantec SecurePort (SymSecurePort) - Symantec Corporation - C:\Program Files\Symantec Client Security\Symantec Client Firewall\SymSPort.exe
O23 - Service: WUSB300NSvc - Unknown owner - C:\Program Files\Linksys\WUSB300N\WLService.exe

--
End of file - 7629 bytes

-- File Associations -----------------------------------------------------------

All associations okay.

-- Drivers: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled ---------------------

R1 DVDVRRdr_xp - c:\windows\system32\drivers\dvdvrrdr_xp.sys <Not Verified; Windows ® 2000 DDK provider; Windows ® 2000 DDK driver>
R1 PCLEPCI - c:\windows\system32\drivers\pclepci.sys <Not Verified; Pinnacle Systems GmbH; PCLEPCI>
R1 SASDIFSV - c:\program files\superantispyware\sasdifsv.sys
R1 SASKUTIL - c:\program files\superantispyware\saskutil.sys
R3 EL2000 (3Com 3C2000x EtherLink XL Adapter) - c:\windows\system32\drivers\el2k_xp.sys <Not Verified; 3Com Corporation; 3Com Gigabit NIC (3C2000 Family)>
R3 MarvinBus (Pinnacle Marvin Bus) - c:\windows\system32\drivers\marvinbus.sys <Not Verified; Pinnacle Systems GmbH; Pinnacle Marvin Discrete>
R3 MRVW245 (Linksys Wireless-N USB Network Adapter WUSB300N) - c:\windows\system32\drivers\mrvw245.sys <Not Verified; Marvell Semiconductor, Inc; Device driver for Marvell 802.11n NIC>

S3 NSNDIS5 (NSNDIS5 NDIS Protocol Driver) - c:\windows\system32\nsndis5.sys <Not Verified; Printing Communications Assoc., Inc. (PCAUSA); NetStumbler>
S3 SASENUM - c:\program files\superantispyware\sasenum.sys <Not Verified; SuperAdBlocker, Inc.; SuperAntiSpyware>
S3 SDTHOOK - c:\windows\system32\drivers\sdthook.sys <Not Verified; Panda Software; Panda® Antivirus>

-- Services: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled --------------------

R2 WUSB300NSvc - "c:\program files\linksys\wusb300n\wlservice.exe" "wusb300n.exe" <Not Verified; ; WLService>

S2 PinnacleSys.MediaServer (Pinnacle Systems Media Service) - "c:\program files\pinnacle\shared files\programs\mediaserver\pmshost.exe" (file missing)
S2 RAIDmAgt (Promise RAID message agent) - "c:\program files\promise\utility\msgagt.exe" (file missing)
S2 RAIDmSvr (Promise RAID message server) - "c:\program files\promise\utility\msgsvr.exe" (file missing)

-- Device Manager: Disabled ----------------------------------------------------

Class GUID: {4D36E97B-E325-11CE-BFC1-08002BE10318}
Description: WinXP Promise FastTrak 378 ™ Controller
Device ID: PCI\VEN_105A&DEV_3373&SUBSYS_80F51043&REV_02\4&2E98101C&0&20F0
Manufacturer: Promise Technology
Name: WinXP Promise FastTrak 378 ™ Controller
PNP Device ID: PCI\VEN_105A&DEV_3373&SUBSYS_80F51043&REV_02\4&2E98101C&0&20F0
Service: fasttx2k

-- Scheduled Tasks -------------------------------------------------------------

2008-02-22 17:49:23 330 --ah----- C:\WINDOWS\Tasks\MP Scheduled Scan.job

-- Files created between 2008-01-22 and 2008-02-22 -----------------------------

2008-02-16 21:59:31 0 d-------- C:\Documents and Settings\Administrator\Application Data\Grisoft
2008-02-16 13:49:06 0 d-------- C:\XPCD
2008-02-16 00:40:31 0 d-------- C:\Documents and Settings\All Users\Application Data\SecTaskMan
2008-02-16 00:40:25 0 d-------- C:\Program Files\Security Task Manager
2008-02-09 20:50:55 0 d-------- C:\Program Files\NavFit98A
2008-02-09 20:50:48 286720 -----n--- C:\WINDOWS\Setup1.exe <Not Verified; Microsoft Corporation; Microsoft Visual Basic for Windows>
2008-02-09 20:50:46 73216 --a------ C:\WINDOWS\ST6UNST.EXE <Not Verified; Microsoft Corporation; Microsoft® Visual Basic for Windows>
2008-02-09 19:03:13 0 d-------- C:\Documents and Settings\Administrator\Application Data\SUPERAntiSpyware.com
2008-02-09 19:00:23 0 d--h----- C:\Documents and Settings\Administrator\Templates
2008-02-09 19:00:23 0 dr------- C:\Documents and Settings\Administrator\Start Menu
2008-02-09 19:00:23 0 dr-h----- C:\Documents and Settings\Administrator\SendTo
2008-02-09 19:00:23 0 d--h----- C:\Documents and Settings\Administrator\Recent
2008-02-09 19:00:23 0 d--h----- C:\Documents and Settings\Administrator\PrintHood
2008-02-09 19:00:23 524288 --ah----- C:\Documents and Settings\Administrator\NTUSER.DAT
2008-02-09 19:00:23 0 d--h----- C:\Documents and Settings\Administrator\NetHood
2008-02-09 19:00:23 0 d-------- C:\Documents and Settings\Administrator\My Documents
2008-02-09 19:00:23 0 d--h----- C:\Documents and Settings\Administrator\Local Settings
2008-02-09 19:00:23 0 d-------- C:\Documents and Settings\Administrator\Favorites
2008-02-09 19:00:23 0 d-------- C:\Documents and Settings\Administrator\Desktop
2008-02-09 19:00:23 0 d--hs---- C:\Documents and Settings\Administrator\Cookies
2008-02-09 19:00:23 0 dr-h----- C:\Documents and Settings\Administrator\Application Data
2008-02-09 19:00:23 0 d---s---- C:\Documents and Settings\Administrator\Application Data\Microsoft
2008-02-09 19:00:23 0 d-------- C:\Documents and Settings\Administrator\Application Data\Gtek
2008-02-09 18:42:05 0 dr-h----- C:\Documents and Settings\LocalService\Recent
2008-02-09 09:32:34 44928 --a------ C:\WINDOWS\system32\drivers\SDTHOOK.SYS <Not Verified; Panda Software; Panda® Antivirus>
2008-02-09 00:42:46 0 d-------- C:\WINDOWS\system32\ActiveScan
2008-02-08 23:03:41 0 d-------- C:\Documents and Settings\All Users\Application Data\SUPERAntiSpyware.com
2008-02-08 23:03:32 0 d-------- C:\Program Files\SUPERAntiSpyware
2008-02-08 23:03:31 0 d-------- C:\Documents and Settings\Brian\Application Data\SUPERAntiSpyware.com
2008-02-08 21:57:05 0 d-------- C:\Documents and Settings\All Users\Application Data\Avg7
2008-02-08 20:33:31 0 d-------- C:\Documents and Settings\Brian\Application Data\Grisoft
2008-02-08 20:28:00 0 d-------- C:\WINDOWS\pss
2008-02-08 18:56:51 0 d-------- C:\Program Files\Trend Micro
2008-02-07 21:21:50 0 d-------- C:\Program Files\uTorrent
2008-02-07 21:21:33 0 d-------- C:\Documents and Settings\Brian\Application Data\uTorrent
2008-02-07 20:25:15 0 d-------- C:\Program Files\Windows Defender
2008-02-07 19:14:41 0 d-------- C:\Documents and Settings\All Users\Application Data\Grisoft
2008-02-07 19:10:35 0 d-------- C:\Program Files\SpywareBlaster
2008-02-05 22:47:05 0 d-------- C:\Program Files\Common Files\Adobe

-- Find3M Report ---------------------------------------------------------------

2008-02-22 20:01:11 0 d-------- C:\Program Files\Common Files\Symantec Shared
2008-02-21 23:34:05 40 --a------ C:\WINDOWS\system32\profile.dat
2008-02-14 22:23:13 0 d-------- C:\Documents and Settings\Brian\Application Data\SuperNZB
2008-02-08 23:02:49 0 d-------- C:\Program Files\Common Files\Wise Installation Wizard
2008-02-05 22:47:05 0 d-------- C:\Program Files\Common Files
2008-01-26 12:53:24 65536 --a------ C:\WINDOWS\IFinst27.exe
2008-01-21 17:20:50 0 d-------- C:\Program Files\Linksys EasyLink Advisor
2008-01-21 17:20:48 0 d--h----- C:\Documents and Settings\Brian\Application Data\GTek
2008-01-14 22:14:18 0 d-------- C:\Documents and Settings\Brian\Application Data\Media Player Classic
2008-01-14 21:46:30 0 d-------- C:\Program Files\Smallvideosoft
2008-01-13 16:57:00 0 d-------- C:\Program Files\SuperNZB
2008-01-13 16:23:52 0 d-------- C:\Program Files\7-Zip
2008-01-12 19:42:26 0 d-------- C:\Documents and Settings\Brian\Application Data\Pinnacle Systems
2008-01-12 19:21:47 0 d-------- C:\Documents and Settings\Brian\Application Data\InstallShield
2008-01-12 19:11:02 0 d-------- C:\Documents and Settings\Brian\Application Data\Download Manager
2008-01-12 18:28:44 0 d-------- C:\Program Files\proDAD
2008-01-12 17:11:52 0 d-------- C:\Program Files\AdorageI-GfxDatas
2008-01-12 17:10:44 0 d-------- C:\Program Files\AdorageI-SAL
2008-01-12 16:56:46 0 d--h----- C:\Program Files\InstallShield Installation Information
2008-01-12 16:34:33 0 d-------- C:\Program Files\Pinnacle
2008-01-12 16:31:37 0 d-------- C:\Program Files\Microsoft SQL Server
2008-01-12 16:24:33 0 d-------- C:\Program Files\SmartSound Software
2008-01-12 16:23:43 0 d-------- C:\Program Files\QuickTime
2008-01-12 16:21:43 95 --a------ C:\AUTOEXEC.BAT
2008-01-12 16:12:44 0 d-------- C:\Program Files\Common Files\InstallShield
2008-01-12 16:03:43 0 d-------- C:\Documents and Settings\Brian\Application Data\Roxio
2008-01-12 12:00:15 0 d-------- C:\Program Files\DivxManager
2008-01-08 18:35:41 0 d-------- C:\Program Files\AVStoDVD
2008-01-08 18:25:44 0 d-------- C:\Program Files\AviSynth 2.5
2008-01-08 18:19:00 0 d-------- C:\Program Files\Lavasoft
2008-01-08 17:15:36 0 d-------- C:\Program Files\Common Files\AVSMedia
2008-01-08 17:15:31 0 d-------- C:\Program Files\AVS4YOU
2008-01-08 17:04:37 0 d-------- C:\Documents and Settings\Brian\Application Data\AVS4YOU
2008-01-08 15:22:55 0 d-------- C:\Program Files\DirectVobSub
2008-01-07 15:40:40 0 d-------- C:\Program Files\Combined Community Codec Pack
2008-01-04 21:43:15 0 d-------- C:\Program Files\Network Stumbler
2007-12-29 22:45:54 0 d-------- C:\Program Files\WinASO
2007-12-29 18:07:09 0 d-------- C:\Program Files\Common Files\Roxio Shared
2007-12-29 18:06:12 0 d-------- C:\Program Files\Roxio
2007-12-29 10:27:25 0 d-------- C:\Program Files\NDAS
2007-12-28 22:06:41 0 d-------- C:\Program Files\FlashGet
2007-12-28 22:05:17 2560 --a------ C:\WINDOWS\_MSRSTRT.EXE
2007-12-27 21:33:30 0 d-------- C:\Program Files\HooTech
2007-12-22 09:21:12 0 d-------- C:\Program Files\SamsonSoft
2007-12-15 14:18:15 0 -rahs---- C:\MSDOS.SYS
2007-12-15 14:18:15 0 -rahs---- C:\IO.SYS
2007-12-15 14:18:15 0 --a------ C:\CONFIG.SYS
2007-12-15 14:15:05 21640 --a------ C:\WINDOWS\system32\emptyregdb.dat
2007-12-15 06:06:37 62 --ahs---- C:\Documents and Settings\Brian\Application Data\desktop.ini
2007-12-03 16:34:26 7680 --a------ C:\WINDOWS\system32\ff_vfw.dll
2007-11-29 12:52:32 60273 --a------ C:\WINDOWS\system32\pthreadGC2.dll <Not Verified; Open Source Software community project; >

-- Registry Dump ---------------------------------------------------------------

*Note* empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"!AVG Anti-Spyware"="C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" [06/11/2007 01:25 AM]
"Windows Defender"="C:\Program Files\Windows Defender\MSASCui.exe" [11/03/2006 07:20 PM]
"vptray"="C:\PROGRA~1\SYMANT~1\SYMANT~2\VPTray.exe" [03/14/2007 07:49 PM]
"SoundMAXPnP"="C:\Program Files\Analog Devices\SoundMAX\SMax4PNP.exe" [05/29/2003 04:28 PM]
"SoundMAX"="C:\Program Files\Analog Devices\SoundMAX\Smax4.exe" [05/30/2003 09:42 AM]
"Ptipbmf"="ptipbmf.dll" [06/20/2003 03:06 PM C:\WINDOWS\system32\ptipbmf.dll]
"ccApp"="C:\Program Files\Common Files\Symantec Shared\ccApp.exe" [11/21/2006 05:38 PM]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [08/03/2004 11:56 PM]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
NDAS Device Management.lnk - C:\Program Files\NDAS\System\ndasmgmt.exe [11/27/2007 5:06:54 PM]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]
"DisableRegistryTools"=0 (0x0)

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= C:\Program Files\SUPERAntiSpyware\SASSEH.DLL [12/20/2006 12:55 PM 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
C:\Program Files\SUPERAntiSpyware\SASWINLO.dll 02/27/2007 11:39 AM 282624 C:\Program Files\SUPERAntiSpyware\SASWINLO.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\aawservice]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\vds]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{533C5B84-EC70-11D2-9505-00C04F79DEAF}]
@="Volume shadow copy"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"DLLPN"=3 (0x3)

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{2099df08-d6dd-11dc-ad11-001a70af9c59}]
Auto\command- sal.xls.exe
AutoRun\command- C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL sal.xls.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{58c1aec6-d850-11dc-ad15-000c6e63080d}]
Auto\command- sal.xls.exe
AutoRun\command- C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL sal.xls.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{7dd9a12f-b677-11dc-accd-001a70af9c59}]
Auto\command- sal.xls.exe
AutoRun\command- C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL sal.xls.exe

-- End of Deckard's System Scanner: finished at 2008-02-22 20:20:06 ------------

Deckard's System Scanner v20071014.68
Extra logfile - please post this as an attachment with your post.
--------------------------------------------------------------------------------

-- System Information ----------------------------------------------------------

Microsoft Windows XP Home Edition (build 2600) SP 2.0
Architecture: X86; Language: English

CPU 0: Intel® Pentium® 4 CPU 3.06GHz
CPU 1: Intel® Pentium® 4 CPU 3.06GHz
Percentage of Memory in Use: 70%
Physical Memory (total/avail): 510.73 MiB / 149.51 MiB
Pagefile Memory (total/avail): 1249.05 MiB / 704.27 MiB
Virtual Memory (total/avail): 2047.88 MiB / 1935.34 MiB

A: is Removable (No Media)
C: is Fixed (NTFS) - 465.75 GiB total, 357.68 GiB free.
D: is CDROM (No Media)
E: is CDROM (No Media)

\\.\PHYSICALDRIVE0 - WDC WD5000AAKS-65YGA0 - 465.76 GiB - 1 partition
\PARTITION0 (bootable) - Installable File System - 465.75 GiB - C:

-- Security Center -------------------------------------------------------------

AUOptions is set to notify before download.
Windows Internal Firewall is disabled.

FirewallDisableNotify is set.

FW: Symantec Client Firewall v8.7.4.110 (Symantec Corporation)
AV: Symantec AntiVirus Corporate Edition v10.1.6.6000 (Symantec Corporation)

[HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"%windir%\\Network Diagnostic\\xpnetdiag.exe"="%windir%\\Network Diagnostic\\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"

[HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]
"%windir%\\Network Diagnostic\\xpnetdiag.exe"="%windir%\\Network Diagnostic\\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"
"C:\\WINDOWS\\system32\\sessmgr.exe"="C:\\WINDOWS\\system32\\sessmgr.exe:*:Disabled:@xpsp2res.dll,-22019"
"C:\\Program Files\\uTorrent\\uTorrent.exe"="C:\\Program Files\\uTorrent\\uTorrent.exe:*:Enabled:µTorrent"
"C:\\Program Files\\Pinnacle\\Studio 10\\programs\\RM.exe"="C:\\Program Files\\Pinnacle\\Studio 10\\programs\\RM.exe:*:Enabled:Render Manager"
"C:\\Program Files\\Pinnacle\\Studio 10\\programs\\Studio.exe"="C:\\Program Files\\Pinnacle\\Studio 10\\programs\\Studio.exe:*:Enabled:Studio"
"C:\\Program Files\\Pinnacle\\Studio 10\\programs\\PMSRegisterFile.exe"="C:\\Program Files\\Pinnacle\\Studio 10\\programs\\PMSRegisterFile.exe:*:Enabled:PMSRegisterFile"
"C:\\Program Files\\Pinnacle\\Studio 10\\programs\\umi.exe"="C:\\Program Files\\Pinnacle\\Studio 10\\programs\\umi.exe:*:Enabled:umi"

-- Environment Variables -------------------------------------------------------

ALLUSERSPROFILE=C:\Documents and Settings\All Users
APPDATA=C:\Documents and Settings\Brian\Application Data
CLASSPATH=.;C:\Program Files\QuickTime\QTSystem\QTJava.zip
CommonProgramFiles=C:\Program Files\Common Files
COMPUTERNAME=BRIAN-MEDIA
ComSpec=C:\WINDOWS\system32\cmd.exe
FP_NO_HOST_CHECK=NO
HOMEDRIVE=C:
HOMEPATH=\Documents and Settings\Brian
LOGONSERVER=\\BRIAN-MEDIA
NUMBER_OF_PROCESSORS=2
OS=Windows_NT
Path=C:\WINDOWS\system32;C:\WINDOWS;C:\WINDOWS\System32\Wbem;C:\Program Files\Common Files\Roxio Shared\DLLShared;C:\Program Files\QuickTime\QTSystem\;C:\Program Files\Microsoft SQL Server\80\Tools\Binn\;C:\Program Files\Pinnacle\Shared Files;C:\Program Files\Pinnacle\Shared Files\Filter
PATHEXT=.COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH
PROCESSOR_ARCHITECTURE=x86
PROCESSOR_IDENTIFIER=x86 Family 15 Model 2 Stepping 7, GenuineIntel
PROCESSOR_LEVEL=15
PROCESSOR_REVISION=0207
ProgramFiles=C:\Program Files
PROMPT=$P$G
QTJAVA=C:\Program Files\QuickTime\QTSystem\QTJava.zip
SESSIONNAME=Console
SystemDrive=C:
SystemRoot=C:\WINDOWS
TEMP=C:\DOCUME~1\Brian\LOCALS~1\Temp
TMP=C:\DOCUME~1\Brian\LOCALS~1\Temp
USERDOMAIN=BRIAN-MEDIA
USERNAME=Brian
USERPROFILE=C:\Documents and Settings\Brian
windir=C:\WINDOWS

-- User Profiles ---------------------------------------------------------------

Brian (admin)
Administrator (admin)

-- Add/Remove Programs ---------------------------------------------------------

--> rundll32.exe setupapi.dll,InstallHinfSection DefaultUninstall 132 C:\WINDOWS\INF\PCHealth.inf
µTorrent --> "C:\Program Files\uTorrent\uTorrent.exe" /UNINSTALL
7-Zip 4.57 --> "C:\Program Files\7-Zip\Uninstall.exe"
Ad-Aware 2007 --> MsiExec.exe /I{DED53B0B-B67C-4244-AE6A-D6FD3C28D1EF}
Adobe Flash Player ActiveX --> C:\WINDOWS\system32\Macromed\Flash\uninstall_activeX.exe
Adobe Reader 8.1.2 --> MsiExec.exe /I{AC76BA86-7AD7-1033-7B44-A81200000003}
ATI - Software Uninstall Utility --> C:\Program Files\ATI Technologies\UninstallAll\AtiCimUn.exe
ATI Display Driver --> rundll32 C:\WINDOWS\System32\atiiiexx.dll,_InfEngUnInstallINFFile_RunDLL@16 -force_restart -flags:0x2010001 -inf_class:DISPLAY -clean
AVG Anti-Spyware 7.5 --> C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\Uninstall.exe
AviSynth 2.5 --> "C:\Program Files\AviSynth 2.5\Uninstall.exe"
AVStoDVD --> C:\Program Files\AVStoDVD\uninstall.exe
Combined Community Codec Pack 2007-07-22 --> "C:\Program Files\Combined Community Codec Pack\unins000.exe"
CWORKS --> MsiExec.exe /I{4C1FACAF-0F15-4F91-B958-FC1D40915EAE}
DirectVobSub (remove only) --> "C:\Program Files\DirectVobSub\uninstall.exe"
Drivers Install For Linksys Easylink Advisor --> MsiExec.exe /I{A1960A82-DB70-474D-A86B-FA74466103C6}
DVD Shrink 3.2 --> "C:\Program Files\DVD Shrink\unins000.exe"
ffdshow [rev 1685] [2007-12-06] --> "C:\Program Files\Combined Community Codec Pack\Filters\FFDShow\unins000.exe"
Freez FLV to AVI/MPEG/WMV Converter --> "C:\Program Files\Smallvideosoft\Freez FLV to AVI MPEG WMV Converter\unins000.exe"
Freez FLV to MP3 Converter --> "C:\Program Files\Smallvideosoft\Freez FLV to MP3 Converter\unins000.exe"
Google Earth --> MsiExec.exe /I{1E04F83B-2AB9-4301-9EF7-E86307F79C72}
HijackThis 2.0.2 --> "C:\Program Files\Trend Micro\HijackThis\HijackThis.exe" /uninstall
Hotfix for Windows Media Format 11 SDK (KB929399) --> "C:\WINDOWS\$NtUninstallKB929399$\spuninst\spuninst.exe"
Linksys EasyLink Advisor 1.6 (0032) --> rundll32 C:\PROGRA~1\LINKSY~1\AUInst.dll,ExUninstall
Linksys Wireless-N USB Network Adapter WUSB300N --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{DCD3471D-4DDA-4DC2-8B9F-A662D0C362AC}\Setup.exe" -l0x9
LiveUpdate 3.1 (Symantec Corporation) --> "C:\Program Files\Symantec\LiveUpdate\LSETUP.EXE" /U
Microsoft Access 2002 Runtime --> MsiExec.exe /I{901C0409-6000-11D3-8CFE-0050048383C9}
Microsoft Compression Client Pack 1.0 for Windows XP --> "C:\WINDOWS\$NtUninstallMSCompPackV1$\spuninst\spuninst.exe"
Microsoft SQL Server Desktop Engine (PINNACLESYS) --> MsiExec.exe /X{E09B48B5-E141-427A-AB0C-D3605127224A}
Microsoft User-Mode Driver Framework Feature Pack 1.0 --> "C:\WINDOWS\$NtUninstallWudf01000$\spuninst\spuninst.exe"
Microsoft Visual C++ 2005 Redistributable --> MsiExec.exe /X{7299052b-02a4-4627-81f2-1818da5d550d}
MSXML 6.0 Parser (KB933579) --> MsiExec.exe /I{0A869A65-8C94-4F7C-A5C7-972D3C8CED9E}
NavFit98A --> C:\WINDOWS\st6unst.exe -n "C:\Program Files\NavFit98A\ST6UNST.LOG"
NDAS Software 3.20.1528 --> MsiExec.exe /I{738B6229-A2BF-49BB-92C6-5328F49DAACD}
Network Stumbler 0.4.0 (remove only) --> "C:\Program Files\Network Stumbler\uninst.exe"
Panda ActiveScan --> C:\WINDOWS\system32\ASUninst.exe Panda ActiveScan
Pinnacle Instant DVD Recorder --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\09\01\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{EF781A5C-58F5-4BFD-87F9-E4F14D382F25}\setup.exe" -l0x9 UNINSTALL
Pinnacle MediaServer --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\09\01\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{460CE8B9-6EC2-458A-90D4-691631ECE9D9}\setup.exe" -l0x9 UNINSTALL
proDAD Heroglyph 2.5 --> "C:\Program Files\proDAD\Heroglyph-2.5\uninstall.exe" uninstall spcp PATHVERSION 2.5 MAINNAME Heroglyph
Promise Array Management --> C:\WINDOWS\System32\rundll32.exe ptistp.dll,UninstSCUtility C:\Program Files\Promise\Utility;Uninst Promise Array Management.isu;Promise Array Management
QuickTime --> C:\PROGRA~1\COMMON~1\INSTAL~1\Driver\11\INTEL3~1\IDriver.exe /M{C21D5524-A970-42FA-AC8A-59B8C7CDCA31} /l1033
Roxio Easy Media Creator 7 Basic DVD Edition --> MsiExec.exe /I{747D1B34-A1FC-4EF3-A6AE-E86F39CEFDE5}
SmartSound Quicktracks Plugin --> C:\PROGRA~1\COMMON~1\INSTAL~1\Driver\9\INTEL3~1\IDriver.exe /M{4A7FDA4D-F4D7-4A49-934A-066D59A43C7E}
SoundMAX --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{F0A37341-D692-11D4-A984-009027EC0A9C}\Setup.exe"
SpywareBlaster v3.5.1 --> "C:\Program Files\SpywareBlaster\unins000.exe"
Studio 10 --> "C:\Program Files\InstallShield Installation Information\{3CB05291-F546-458E-A796-B5BCF5A3CDC4}\Setup2.exe" -l0x9 UNINSTALL
Studio 10 Bonus DVD --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\0701\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{6A012D9C-2E2E-405A-B87C-E909F5297C3F}\Setup.exe" -l0x9 UNINSTALL
SUPERAntiSpyware Free Edition --> MsiExec.exe /X{CDDCBBF1-2703-46BC-938B-BCC81A1EEAAA}
SuperNZB v3.2.0 --> "C:\Program Files\SuperNZB\unins000.exe"
Symantec Client Security --> MsiExec.exe /I{D0E46FF4-2775-4BD9-9467-B62B702D470E}
Uninstall DivxManager --> "C:\WINDOWS\IFinst27.exe" -UC:\Program Files\DivxManager\IFU9.inf
WinASO Registry Optimizer 3.1 --> "C:\Program Files\WinASO\Registry Optimizer 3.1\unins000.exe"
Windows Defender --> MsiExec.exe /I{A06275F4-324B-4E85-95E6-87B2CD729401}
Windows Imaging Component --> "C:\WINDOWS\$NtUninstallWIC$\spuninst\spuninst.exe"
Windows Media Format 11 runtime --> "C:\WINDOWS\$NtUninstallWMFDist11$\spuninst\spuninst.exe"
Windows Media Format SDK Hotfix - KB891122 --> "C:\WINDOWS\$NtUninstallKB891122$\spuninst\spuninst.exe"
Windows Presentation Foundation --> MsiExec.exe /X{BAF78226-3200-4DB4-BE33-4D922A799840}
WinZip --> "C:\Program Files\WinZip\WINZIP32.EXE" /uninstall
XML Paper Specification Shared Components Pack 1.0 -->
ZIP Reader 8.00.0018 --> MsiExec.exe /I{856C155E-4A74-4041-B026-04F96FFD1BCD}

-- Application Event Log -------------------------------------------------------

Event Record #/Type15902 / Error
Event Submitted/Written: 02/22/2008 08:05:34 PM
Event ID/Source: 45 / Symantec AntiVirus
Event Description:
SYMANTEC TAMPER PROTECTION ALERT

Target: C:\Program Files\Common Files\Symantec Shared\ccApp.exe
Event Info: Set Information Process
Action Taken: Blocked
Actor Process: C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe (PID 1848)
Time: Friday, February 22, 2008 8:05:34 PM

Event Record #/Type15901 / Error
Event Submitted/Written: 02/22/2008 08:05:34 PM
Event ID/Source: 45 / Symantec AntiVirus
Event Description:
SYMANTEC TAMPER PROTECTION ALERT

Target: C:\Program Files\Common Files\Symantec Shared\ccApp.exe
Event Info: Set Information Process
Action Taken: Blocked
Actor Process: C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe (PID 1848)
Time: Friday, February 22, 2008 8:05:34 PM

Event Record #/Type15900 / Error
Event Submitted/Written: 02/22/2008 08:05:34 PM
Event ID/Source: 45 / Symantec AntiVirus
Event Description:
SYMANTEC TAMPER PROTECTION ALERT

Target: C:\Program Files\Common Files\Symantec Shared\ccApp.exe
Event Info: Set Information Process
Action Taken: Blocked
Actor Process: C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe (PID 1848)
Time: Friday, February 22, 2008 8:05:34 PM

Event Record #/Type15899 / Error
Event Submitted/Written: 02/22/2008 08:05:34 PM
Event ID/Source: 45 / Symantec AntiVirus
Event Description:
SYMANTEC TAMPER PROTECTION ALERT

Target: C:\Program Files\Common Files\Symantec Shared\ccApp.exe
Event Info: Set Information Process
Action Taken: Blocked
Actor Process: C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe (PID 1848)
Time: Friday, February 22, 2008 8:05:34 PM

Event Record #/Type15898 / Error
Event Submitted/Written: 02/22/2008 08:05:34 PM
Event ID/Source: 45 / Symantec AntiVirus
Event Description:
SYMANTEC TAMPER PROTECTION ALERT

Target: C:\Program Files\Common Files\Symantec Shared\ccApp.exe
Event Info: Set Information Process
Action Taken: Blocked
Actor Process: C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe (PID 1848)
Time: Friday, February 22, 2008 8:05:34 PM

-- Security Event Log ----------------------------------------------------------

No Errors/Warnings found.

-- System Event Log ------------------------------------------------------------

Event Record #/Type11698 / Warning
Event Submitted/Written: 02/22/2008 08:14:31 PM
Event ID/Source: 20 / Print
Event Description:
Printer Driver Canon i960 for Windows NT x86 Version-3 was added or updated. Files:- CNMDR5c.DLL, CNMUI5c.DLL, CNMCP5c.DLL, CNMMH5c.HLP, CNMD55c.DLL, CNMUR5c.DLL, CNMSR5c.DLL, CNMIN5c.INI, CNMPI5c.DLL, CNMSM5c.EXE, CNMSS5c.SMR, CNMSD5c.EXE, CNMSQ5c.EXE, CNMSH5c.HLP, CNMSH5c.CNT, CNMUB5c.DLL, CNMOP5c.DLL, CNMSB5c.DLL, CNMMH5c.CNT, CNB_1920.TBL, CNMP05c.DAT, CNMP15c.DAT, CNMP25c.DAT, CNMFU5c.DLL, CNMPV5c.EXE, CNMPH5c.HLP, CNMPH5c.CNT.

Event Record #/Type11670 / Error
Event Submitted/Written: 02/22/2008 05:47:14 PM
Event ID/Source: 7026 / Service Control Manager
Event Description:
The following boot-start or system-start driver(s) failed to load:
fasttx2k

Event Record #/Type11669 / Error
Event Submitted/Written: 02/22/2008 05:47:14 PM
Event ID/Source: 7000 / Service Control Manager
Event Description:
The Pinnacle Systems Media Service service failed to start due to the following error:
%%2

Event Record #/Type11668 / Error
Event Submitted/Written: 02/22/2008 05:47:14 PM
Event ID/Source: 7000 / Service Control Manager
Event Description:
The Promise RAID message server service failed to start due to the following error:
%%2

Event Record #/Type11667 / Error
Event Submitted/Written: 02/22/2008 05:47:14 PM
Event ID/Source: 7000 / Service Control Manager
Event Description:
The Promise RAID message agent service failed to start due to the following error:
%%2

-- End of Deckard's System Scanner: finished at 2008-02-22 20:20:06 ------------

#4
Rorschach112

Posted 23 February 2008 - 07:52 AM

Ralphie

Retired Staff
47,710 posts

Hello

1 - Flash Drive Disinfector
Download Flash_Disinfector.exe by sUBs from >here< and save it to your desktop.
Double-click Flash_Disinfector.exe to run it and follow any prompts that may appear.
The utility may ask you to insert your flash drive and/or other removable drives including your mobile phone. Please do so and allow the utility to clean up those drives as well.
Wait until it has finished scanning and then exit the program.
Reboot your computer when done.

Note: Flash_Disinfector will create a hidden folder named autorun.inf in each partition and every USB drive plugged in when you ran it. Don't delete this folder...it will help protect your drives from future infection.

1. Please re-open HiJackThis and choose do a system scan only. Check the boxes next to ONLY the entries listed below(if present):

O3 - Toolbar: (no name) - {E0E899AB-F487-11D5-8D29-0050BA6940E3} - (no file)

2. Now close all windows other than HiJackThis, including browsers, so that nothing other than HijackThis is open, then click Fix Checked. A box will pop up asking you if you wish to fix the selected items. Please choose YES. Once it has fixed them, please exit/close HijackThis.

Please download the OTMoveIt2 by OldTimer.

Save it to your desktop.
Please double-click OTMoveIt2.exe to run it.
Copy the file paths below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose Copy):
```
C:\WINDOWS\IFinst27.exe
```
Return to OTMoveIt2, right click in the "Paste List of Files/Folders to be Moved" window (under the light blue bar) and choose Paste.

Copy the file paths below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose Copy):

purity
HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{2099df08-d6dd-11dc-ad11-001a70af9c59}
HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{58c1aec6-d850-11dc-ad15-000c6e63080d}
HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{7dd9a12f-b677-11dc-accd-001a70af9c59}

Return to OTMoveIt2, right click in the "Paste List Of Files/Patterns To Search For and Move" window (under the yellow bar) and choose Paste.
Click the red Moveit! button.
Copy everything in the Results window (under the green bar) to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose copy), and paste it in your next reply.
Close OTMoveIt2

If a file or folder cannot be moved immediately you may be asked to reboot the machine to finish the move process. If you are asked to reboot the machine choose Yes.

Reboot and post a new DSS log

#5
Briannola

Posted 23 February 2008 - 12:16 PM

Member

Topic Starter
Member
50 posts

Thanks again. I will run the processes you sent to me but I want to pass this info. I decided to run Kaspersky again and there is a log for the second run. Not sure why there was not one before. Anyway, here it is:
-------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER REPORT
Saturday, February 23, 2008 10:06:55 AM
Operating System: Microsoft Windows XP Home Edition, Service Pack 2 (Build 2600)
Kaspersky Online Scanner version: 5.0.98.0
Kaspersky Anti-Virus database last update: 23/02/2008
Kaspersky Anti-Virus database records: 576240
-------------------------------------------------------------------------------

Scan Settings:
Scan using the following antivirus database: extended
Scan Archives: true
Scan Mail Bases: true

Scan Target - My Computer:
A:\
C:\
D:\
E:\

Scan Statistics:
Total number of scanned objects: 68395
Number of viruses found: 0
Number of infected objects: 0
Number of suspicious objects: 0
Duration of the scan process: 00:56:33

Infected Object Name / Virus Name / Last Action
C:\Documents and Settings\All Users\Application Data\Microsoft\Windows Defender\Support\MPLog-02072008-202523.log Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Common Client\Confid.log Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Common Client\Content.log Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Common Client\Privacy.log Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Common Client\Restrict.log Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Common Client\settings.dat Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Common Client\WebHist.log Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec Client Firewall\System.log Object is locked skipped
C:\Documents and Settings\Brian\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\Brian\Local Settings\Application Data\Microsoft\Feeds Cache\index.dat Object is locked skipped
C:\Documents and Settings\Brian\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\Brian\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\Brian\Local Settings\Application Data\Microsoft\Windows Defender\FileTracker\{D7DD1D3B-CFB3-430A-A2FD-8B08F96E8E8D} Object is locked skipped
C:\Documents and Settings\Brian\Local Settings\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\Brian\Local Settings\History\History.IE5\MSHist012008022220080223\index.dat Object is locked skipped
C:\Documents and Settings\Brian\Local Settings\Temp\~DFCC67.tmp Object is locked skipped
C:\Documents and Settings\Brian\Local Settings\Temp\~DFCC72.tmp Object is locked skipped
C:\Documents and Settings\Brian\Local Settings\Temporary Internet Files\AntiPhishing\B3BB5BBA-E7D5-40AB-A041-A5B1C0B26C8F.dat Object is locked skipped
C:\Documents and Settings\Brian\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\Brian\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\Brian\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\LocalService\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\LocalService\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\NetworkService\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\NetworkService\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\NetworkService\ntuser.dat.LOG Object is locked skipped
C:\Program Files\Common Files\Symantec Shared\EENGINE\EPERSIST.DAT Object is locked skipped
C:\Program Files\Common Files\Symantec Shared\SNDALRT.log Object is locked skipped
C:\Program Files\Common Files\Symantec Shared\SNDCON.log Object is locked skipped
C:\Program Files\Common Files\Symantec Shared\SNDDBG.log Object is locked skipped
C:\Program Files\Common Files\Symantec Shared\SNDFW.log Object is locked skipped
C:\Program Files\Common Files\Symantec Shared\SNDIDS.log Object is locked skipped
C:\Program Files\Common Files\Symantec Shared\SNDSYS.log Object is locked skipped
C:\Program Files\Common Files\Symantec Shared\SPBBC\LOGS\BBConfig.log Object is locked skipped
C:\Program Files\Common Files\Symantec Shared\SPBBC\LOGS\BBDebug.log Object is locked skipped
C:\Program Files\Common Files\Symantec Shared\SPBBC\LOGS\BBDetect.log Object is locked skipped
C:\Program Files\Common Files\Symantec Shared\SPBBC\LOGS\BBNotify.log Object is locked skipped
C:\Program Files\Common Files\Symantec Shared\SPBBC\LOGS\BBRefr.log Object is locked skipped
C:\Program Files\Common Files\Symantec Shared\SPBBC\LOGS\BBSetCfg.log Object is locked skipped
C:\Program Files\Common Files\Symantec Shared\SPBBC\LOGS\BBSetCfg2.log Object is locked skipped
C:\Program Files\Common Files\Symantec Shared\SPBBC\LOGS\BBSetDev.log Object is locked skipped
C:\Program Files\Common Files\Symantec Shared\SPBBC\LOGS\BBSetLoc.log Object is locked skipped
C:\Program Files\Common Files\Symantec Shared\SPBBC\LOGS\BBSetUsr.log Object is locked skipped
C:\Program Files\Common Files\Symantec Shared\SPBBC\LOGS\BBSMNot.log Object is locked skipped
C:\Program Files\Common Files\Symantec Shared\SPBBC\LOGS\BBSMReg.log Object is locked skipped
C:\Program Files\Common Files\Symantec Shared\SPBBC\LOGS\BBSMRSt.log Object is locked skipped
C:\Program Files\Common Files\Symantec Shared\SPBBC\LOGS\BBStHash.log Object is locked skipped
C:\Program Files\Common Files\Symantec Shared\SPBBC\LOGS\BBStMSI.log Object is locked skipped
C:\Program Files\Common Files\Symantec Shared\SPBBC\LOGS\BBValid.log Object is locked skipped
C:\Program Files\Common Files\Symantec Shared\SPBBC\LOGS\SPPolicy.log Object is locked skipped
C:\Program Files\Common Files\Symantec Shared\SPBBC\LOGS\SPStart.log Object is locked skipped
C:\Program Files\Common Files\Symantec Shared\SPBBC\LOGS\SPStop.log Object is locked skipped
C:\Program Files\Pinnacle\MediaServer\Microsoft SQL Server\MSSQL$PINNACLESYS\Data\master.mdf Object is locked skipped
C:\Program Files\Pinnacle\MediaServer\Microsoft SQL Server\MSSQL$PINNACLESYS\Data\mastlog.ldf Object is locked skipped
C:\Program Files\Pinnacle\MediaServer\Microsoft SQL Server\MSSQL$PINNACLESYS\Data\model.mdf Object is locked skipped
C:\Program Files\Pinnacle\MediaServer\Microsoft SQL Server\MSSQL$PINNACLESYS\Data\modellog.ldf Object is locked skipped
C:\Program Files\Pinnacle\MediaServer\Microsoft SQL Server\MSSQL$PINNACLESYS\Data\tempdb.mdf Object is locked skipped
C:\Program Files\Pinnacle\MediaServer\Microsoft SQL Server\MSSQL$PINNACLESYS\Data\templog.ldf Object is locked skipped
C:\Program Files\Pinnacle\MediaServer\Microsoft SQL Server\MSSQL$PINNACLESYS\LOG\ERRORLOG Object is locked skipped
C:\Program Files\Symantec Client Security\Symantec AntiVirus\SAVRT\0306NAV~.TMP Object is locked skipped
C:\Program Files\Symantec Client Security\Symantec AntiVirus\SAVRT\0810NAV~.TMP Object is locked skipped
C:\System Volume Information\MountPointManagerRemoteDatabase Object is locked skipped
C:\System Volume Information\_restore{8E1D7583-E1D2-4BD2-85B3-7B9833D149A2}\RP4\change.log Object is locked skipped
C:\WINDOWS\Debug\PASSWD.LOG Object is locked skipped
C:\WINDOWS\SchedLgU.Txt Object is locked skipped
C:\WINDOWS\SoftwareDistribution\ReportingEvents.log Object is locked skipped
C:\WINDOWS\system32\CatRoot2\edb.log Object is locked skipped
C:\WINDOWS\system32\CatRoot2\tmp.edb Object is locked skipped
C:\WINDOWS\system32\config\AppEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\default Object is locked skipped
C:\WINDOWS\system32\config\default.LOG Object is locked skipped
C:\WINDOWS\system32\config\Internet.evt Object is locked skipped
C:\WINDOWS\system32\config\SAM Object is locked skipped
C:\WINDOWS\system32\config\SAM.LOG Object is locked skipped
C:\WINDOWS\system32\config\SecEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\SECURITY Object is locked skipped
C:\WINDOWS\system32\config\SECURITY.LOG Object is locked skipped
C:\WINDOWS\system32\config\software Object is locked skipped
C:\WINDOWS\system32\config\software.LOG Object is locked skipped
C:\WINDOWS\system32\config\SysEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\system Object is locked skipped
C:\WINDOWS\system32\config\system.LOG Object is locked skipped
C:\WINDOWS\system32\h323log.txt Object is locked skipped
C:\WINDOWS\system32\profile.dat Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\INDEX.BTR Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\INDEX.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING.VER Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING1.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING2.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.DATA Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.MAP Object is locked skipped
C:\WINDOWS\Temp\Perflib_Perfdata_368.dat Object is locked skipped
C:\WINDOWS\Temp\Perflib_Perfdata_7d4.dat Object is locked skipped
C:\WINDOWS\WindowsUpdate.log Object is locked skipped

Scan process completed.

#6
Briannola

Posted 23 February 2008 - 02:11 PM

Member

Topic Starter
Member
50 posts

Here is the OTMoveIt2 results and the new DSS log. There was no DSS extra log this time. Is that normal?

C:\WINDOWS\IFinst27.exe moved successfully.
[Custom Input]
< purity >
< HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{2099df08-d6dd-11dc-ad11-001a70af9c59} >
Registry key HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{2099df08-d6dd-11dc-ad11-001a70af9c59}\\ deleted successfully.
< HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{58c1aec6-d850-11dc-ad15-000c6e63080d} >
Registry key HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{58c1aec6-d850-11dc-ad15-000c6e63080d}\\ deleted successfully.
< HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{7dd9a12f-b677-11dc-accd-001a70af9c59} >
Registry key HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{7dd9a12f-b677-11dc-accd-001a70af9c59}\\ deleted successfully.

OTMoveIt2 v1.0.20 log created on 02232008_113429

Deckard's System Scanner v20071014.68
Run by Brian on 2008-02-23 12:00:32
Computer is in Normal Mode.
--------------------------------------------------------------------------------

Percentage of Memory in Use: 79% (more than 75%).
Total Physical Memory: 511 MiB (512 MiB recommended).

-- HijackThis (run as Brian.exe) -----------------------------------------------

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 12:00:42 PM, on 2/23/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16608)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccProxy.exe
C:\Program Files\Symantec Client Security\Symantec Client Firewall\ISSVC.exe
C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\Program Files\Symantec Client Security\Symantec AntiVirus\DefWatch.exe
C:\Program Files\Pinnacle\MediaServer\Microsoft SQL Server\MSSQL$PINNACLESYS\Binn\sqlservr.exe
C:\Program Files\NDAS\System\ndassvc.exe
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\Program Files\Symantec Client Security\Symantec AntiVirus\Rtvscan.exe
C:\Program Files\Symantec Client Security\Symantec Client Firewall\SymSPort.exe
C:\Program Files\Linksys\WUSB300N\WLService.exe
C:\Program Files\Linksys\WUSB300N\WUSB300N.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\PROGRA~1\SYMANT~1\SYMANT~2\VPTray.exe
C:\Program Files\Analog Devices\SoundMAX\SMax4PNP.exe
C:\Program Files\Analog Devices\SoundMAX\Smax4.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\NDAS\System\ndasmgmt.exe
C:\Netstuff\AntiVirus\DSS\dss.exe
C:\PROGRA~1\TRENDM~1\HIJACK~1\Brian.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://my.earthlink.net/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft....k/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft....k/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft....k/?LinkId=69157
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\SYMANT~2\VPTray.exe
O4 - HKLM\..\Run: [SoundMAXPnP] C:\Program Files\Analog Devices\SoundMAX\SMax4PNP.exe
O4 - HKLM\..\Run: [SoundMAX] "C:\Program Files\Analog Devices\SoundMAX\Smax4.exe" /tray
O4 - HKLM\..\Run: [Ptipbmf] rundll32.exe ptipbmf.dll,SetWriteCacheMode
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Global Startup: NDAS Device Management.lnk = C:\Program Files\NDAS\System\ndasmgmt.exe
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky...can_unicode.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoft...free/asinst.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.m...ash/swflash.cab
O16 - DPF: {FFBB3F3B-0A5A-4106-BE53-DFE1E2340CB1} (DLM Control) - http://dlm.tools.aka...vex-2.2.3.2.cab
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Network Proxy (ccProxy) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccProxy.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - C:\Program Files\Symantec Client Security\Symantec AntiVirus\DefWatch.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: IS Service (ISSVC) - Symantec Corporation - C:\Program Files\Symantec Client Security\Symantec Client Firewall\ISSVC.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: NDAS Service (ndassvc) - XIMETA, Inc. - C:\Program Files\NDAS\System\ndassvc.exe
O23 - Service: Pinnacle Systems Media Service (PinnacleSys.MediaServer) - Unknown owner - C:\Program Files\Pinnacle\Shared Files\Programs\MediaServer\PMSHost.exe (file missing)
O23 - Service: Promise RAID message agent (RAIDmAgt) - Unknown owner - C:\Program Files\Promise\Utility\MsgAgt.exe (file missing)
O23 - Service: Promise RAID message server (RAIDmSvr) - Unknown owner - C:\Program Files\Promise\Utility\MsgSvr.exe (file missing)
O23 - Service: SAVRoam (SavRoam) - symantec - C:\Program Files\Symantec Client Security\Symantec AntiVirus\SavRoam.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec Client Security\Symantec AntiVirus\Rtvscan.exe
O23 - Service: Symantec SecurePort (SymSecurePort) - Symantec Corporation - C:\Program Files\Symantec Client Security\Symantec Client Firewall\SymSPort.exe
O23 - Service: WUSB300NSvc - Unknown owner - C:\Program Files\Linksys\WUSB300N\WLService.exe

--
End of file - 7844 bytes

-- Files created between 2008-01-23 and 2008-02-23 -----------------------------

2008-02-23 10:44:02 0 drahs---- C:\autorun.inf
2008-02-22 20:24:41 0 d-------- C:\Documents and Settings\All Users\Application Data\Kaspersky Lab
2008-02-22 20:24:39 0 d-------- C:\WINDOWS\system32\Kaspersky Lab
2008-02-16 21:59:31 0 d-------- C:\Documents and Settings\Administrator\Application Data\Grisoft
2008-02-16 13:49:06 0 d-------- C:\XPCD
2008-02-16 00:40:31 0 d-------- C:\Documents and Settings\All Users\Application Data\SecTaskMan
2008-02-16 00:40:25 0 d-------- C:\Program Files\Security Task Manager
2008-02-09 20:50:55 0 d-------- C:\Program Files\NavFit98A
2008-02-09 20:50:48 286720 -----n--- C:\WINDOWS\Setup1.exe <Not Verified; Microsoft Corporation; Microsoft Visual Basic for Windows>
2008-02-09 20:50:46 73216 --a------ C:\WINDOWS\ST6UNST.EXE <Not Verified; Microsoft Corporation; Microsoft® Visual Basic for Windows>
2008-02-09 19:03:13 0 d-------- C:\Documents and Settings\Administrator\Application Data\SUPERAntiSpyware.com
2008-02-09 19:00:23 0 d--h----- C:\Documents and Settings\Administrator\Templates
2008-02-09 19:00:23 0 dr------- C:\Documents and Settings\Administrator\Start Menu
2008-02-09 19:00:23 0 dr-h----- C:\Documents and Settings\Administrator\SendTo
2008-02-09 19:00:23 0 d--h----- C:\Documents and Settings\Administrator\Recent
2008-02-09 19:00:23 0 d--h----- C:\Documents and Settings\Administrator\PrintHood
2008-02-09 19:00:23 524288 --ah----- C:\Documents and Settings\Administrator\NTUSER.DAT
2008-02-09 19:00:23 0 d--h----- C:\Documents and Settings\Administrator\NetHood
2008-02-09 19:00:23 0 d-------- C:\Documents and Settings\Administrator\My Documents
2008-02-09 19:00:23 0 d--h----- C:\Documents and Settings\Administrator\Local Settings
2008-02-09 19:00:23 0 d-------- C:\Documents and Settings\Administrator\Favorites
2008-02-09 19:00:23 0 d-------- C:\Documents and Settings\Administrator\Desktop
2008-02-09 19:00:23 0 d--hs---- C:\Documents and Settings\Administrator\Cookies
2008-02-09 19:00:23 0 dr-h----- C:\Documents and Settings\Administrator\Application Data
2008-02-09 19:00:23 0 d---s---- C:\Documents and Settings\Administrator\Application Data\Microsoft
2008-02-09 19:00:23 0 d-------- C:\Documents and Settings\Administrator\Application Data\Gtek
2008-02-09 18:42:05 0 dr-h----- C:\Documents and Settings\LocalService\Recent
2008-02-09 09:32:34 44928 --a------ C:\WINDOWS\system32\drivers\SDTHOOK.SYS <Not Verified; Panda Software; Panda® Antivirus>
2008-02-09 00:42:46 0 d-------- C:\WINDOWS\system32\ActiveScan
2008-02-08 23:03:41 0 d-------- C:\Documents and Settings\All Users\Application Data\SUPERAntiSpyware.com
2008-02-08 23:03:32 0 d-------- C:\Program Files\SUPERAntiSpyware
2008-02-08 23:03:31 0 d-------- C:\Documents and Settings\Brian\Application Data\SUPERAntiSpyware.com
2008-02-08 21:57:05 0 d-------- C:\Documents and Settings\All Users\Application Data\Avg7
2008-02-08 20:33:31 0 d-------- C:\Documents and Settings\Brian\Application Data\Grisoft
2008-02-08 20:28:00 0 d-------- C:\WINDOWS\pss
2008-02-08 18:56:51 0 d-------- C:\Program Files\Trend Micro
2008-02-07 21:21:50 0 d-------- C:\Program Files\uTorrent
2008-02-07 21:21:33 0 d-------- C:\Documents and Settings\Brian\Application Data\uTorrent
2008-02-07 20:25:15 0 d-------- C:\Program Files\Windows Defender
2008-02-07 19:14:41 0 d-------- C:\Documents and Settings\All Users\Application Data\Grisoft
2008-02-07 19:10:35 0 d-------- C:\Program Files\SpywareBlaster
2008-02-05 22:47:05 0 d-------- C:\Program Files\Common Files\Adobe

-- Find3M Report ---------------------------------------------------------------

2008-02-23 11:39:41 40 --a------ C:\WINDOWS\system32\profile.dat
2008-02-22 20:01:11 0 d-------- C:\Program Files\Common Files\Symantec Shared
2008-02-14 22:23:13 0 d-------- C:\Documents and Settings\Brian\Application Data\SuperNZB
2008-02-08 23:02:49 0 d-------- C:\Program Files\Common Files\Wise Installation Wizard
2008-02-05 22:47:05 0 d-------- C:\Program Files\Common Files
2008-01-21 17:20:50 0 d-------- C:\Program Files\Linksys EasyLink Advisor
2008-01-21 17:20:48 0 d--h----- C:\Documents and Settings\Brian\Application Data\GTek
2008-01-14 22:14:18 0 d-------- C:\Documents and Settings\Brian\Application Data\Media Player Classic
2008-01-14 21:46:30 0 d-------- C:\Program Files\Smallvideosoft
2008-01-13 16:57:00 0 d-------- C:\Program Files\SuperNZB
2008-01-13 16:23:52 0 d-------- C:\Program Files\7-Zip
2008-01-12 19:42:26 0 d-------- C:\Documents and Settings\Brian\Application Data\Pinnacle Systems
2008-01-12 19:21:47 0 d-------- C:\Documents and Settings\Brian\Application Data\InstallShield
2008-01-12 19:11:02 0 d-------- C:\Documents and Settings\Brian\Application Data\Download Manager
2008-01-12 18:28:44 0 d-------- C:\Program Files\proDAD
2008-01-12 17:11:52 0 d-------- C:\Program Files\AdorageI-GfxDatas
2008-01-12 17:10:44 0 d-------- C:\Program Files\AdorageI-SAL
2008-01-12 16:56:46 0 d--h----- C:\Program Files\InstallShield Installation Information
2008-01-12 16:34:33 0 d-------- C:\Program Files\Pinnacle
2008-01-12 16:31:37 0 d-------- C:\Program Files\Microsoft SQL Server
2008-01-12 16:24:33 0 d-------- C:\Program Files\SmartSound Software
2008-01-12 16:23:43 0 d-------- C:\Program Files\QuickTime
2008-01-12 16:21:43 95 --a------ C:\AUTOEXEC.BAT
2008-01-12 16:12:44 0 d-------- C:\Program Files\Common Files\InstallShield
2008-01-12 16:03:43 0 d-------- C:\Documents and Settings\Brian\Application Data\Roxio
2008-01-12 12:00:15 0 d-------- C:\Program Files\DivxManager
2008-01-08 18:35:41 0 d-------- C:\Program Files\AVStoDVD
2008-01-08 18:25:44 0 d-------- C:\Program Files\AviSynth 2.5
2008-01-08 18:19:00 0 d-------- C:\Program Files\Lavasoft
2008-01-08 17:15:36 0 d-------- C:\Program Files\Common Files\AVSMedia
2008-01-08 17:15:31 0 d-------- C:\Program Files\AVS4YOU
2008-01-08 17:04:37 0 d-------- C:\Documents and Settings\Brian\Application Data\AVS4YOU
2008-01-08 15:22:55 0 d-------- C:\Program Files\DirectVobSub
2008-01-07 15:40:40 0 d-------- C:\Program Files\Combined Community Codec Pack
2008-01-04 21:43:15 0 d-------- C:\Program Files\Network Stumbler
2007-12-29 22:45:54 0 d-------- C:\Program Files\WinASO
2007-12-29 18:07:09 0 d-------- C:\Program Files\Common Files\Roxio Shared
2007-12-29 18:06:12 0 d-------- C:\Program Files\Roxio
2007-12-29 10:27:25 0 d-------- C:\Program Files\NDAS
2007-12-28 22:06:41 0 d-------- C:\Program Files\FlashGet
2007-12-28 22:05:17 2560 --a------ C:\WINDOWS\_MSRSTRT.EXE
2007-12-27 21:33:30 0 d-------- C:\Program Files\HooTech
2007-12-15 14:18:15 0 -rahs---- C:\MSDOS.SYS
2007-12-15 14:18:15 0 -rahs---- C:\IO.SYS
2007-12-15 14:18:15 0 --a------ C:\CONFIG.SYS
2007-12-15 14:15:05 21640 --a------ C:\WINDOWS\system32\emptyregdb.dat
2007-12-15 06:06:37 62 --ahs---- C:\Documents and Settings\Brian\Application Data\desktop.ini
2007-12-03 16:34:26 7680 --a------ C:\WINDOWS\system32\ff_vfw.dll
2007-11-29 12:52:32 60273 --a------ C:\WINDOWS\system32\pthreadGC2.dll <Not Verified; Open Source Software community project; >

-- Registry Dump ---------------------------------------------------------------

*Note* empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"!AVG Anti-Spyware"="C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" [06/11/2007 01:25 AM]
"Windows Defender"="C:\Program Files\Windows Defender\MSASCui.exe" [11/03/2006 07:20 PM]
"vptray"="C:\PROGRA~1\SYMANT~1\SYMANT~2\VPTray.exe" [03/14/2007 07:49 PM]
"SoundMAXPnP"="C:\Program Files\Analog Devices\SoundMAX\SMax4PNP.exe" [05/29/2003 04:28 PM]
"SoundMAX"="C:\Program Files\Analog Devices\SoundMAX\Smax4.exe" [05/30/2003 09:42 AM]
"Ptipbmf"="ptipbmf.dll" [06/20/2003 03:06 PM C:\WINDOWS\system32\ptipbmf.dll]
"ccApp"="C:\Program Files\Common Files\Symantec Shared\ccApp.exe" [11/21/2006 05:38 PM]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [08/03/2004 11:56 PM]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
NDAS Device Management.lnk - C:\Program Files\NDAS\System\ndasmgmt.exe [11/27/2007 5:06:54 PM]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]
"DisableRegistryTools"=0 (0x0)

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= C:\Program Files\SUPERAntiSpyware\SASSEH.DLL [12/20/2006 12:55 PM 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
C:\Program Files\SUPERAntiSpyware\SASWINLO.dll 02/27/2007 11:39 AM 282624 C:\Program Files\SUPERAntiSpyware\SASWINLO.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\aawservice]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\vds]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{533C5B84-EC70-11D2-9505-00C04F79DEAF}]
@="Volume shadow copy"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"DLLPN"=3 (0x3)

-- End of Deckard's System Scanner: finished at 2008-02-23 12:01:21 ------------

#7
Rorschach112

Posted 24 February 2008 - 08:29 AM

Ralphie

Retired Staff
47,710 posts

How is your PC running ? Can you still not get into Safe Mode ?

#8
Briannola

Posted 24 February 2008 - 09:29 PM

Member

Topic Starter
Member
50 posts

I still cannot start in the safe mode on startup unless I set it up in msconfig first. The boot menu screen does not show on startup. The screen just flickers on and off until the windows screen appears. It will not go to the Windows Advanced Options menu. If I press F8 when I think the boot menu screen should appear, I get "Reboot and select proper boot device or insert boot media in selected boot device and press any key." Once the computer completely boots up, I must use the windows key on the keyboard to manually open the first application (it doest not matter which application I open first). If I don't (and I have forgotten to a couple of times) then what ever I pass the mouse pointer over suddenly opens 30 to 40 times until the computer locks up because it runs out of memory. I can open task manager and see that the application (last time it was IE) is listed under processes about forty times but there is nothing on the task manager's applications page. I have never seen anything like this.

The only reason I knew I could not open in safe mode is beacuse I was following the steps on your "You Must Read This Before Posting A Hijackthis Log, Malware Cleaning Guide" page.

Will I have to reload windows?

#9
Rorschach112

Posted 25 February 2008 - 08:52 AM

Ralphie

Retired Staff
47,710 posts

Try this for the Safe Mode problem

Download http://z-oleg.com/avz4.zip and unzip it to a folder on your desktop.
Double click on AVZ.exe
Click on the file tab and then click on System Recovery.
Put a checkmark next to Restore SafeBoot registry keys.
Click on Execute selected operations.

Reboot and see if you can get into Safe Mode then

Edited by Rorschach112, 25 February 2008 - 08:53 AM.

#10
Briannola

Posted 25 February 2008 - 08:09 PM

Member

Topic Starter
Member
50 posts

I get an error stating "avz.exe is not a valid Win32 application".

#11
Rorschach112

Posted 25 February 2008 - 08:13 PM

Ralphie

Retired Staff
47,710 posts

I don't think this is malware related, lets do one final scan to be sure though

Please download ComboFix from Here or Here to your Desktop.

**Note: In the event you already have Combofix, this is a new version that I need you to download. It is important that it is saved and renamed following this process directly to your desktop**

If you are using Firefox, make sure that your download settings are as follows:
- Tools->Options->Main tab
- Set to "Always ask me where to Save the files".
During the download, rename Combofix to Combo-Fix as follows:
It is important you rename Combofix during the download, but not after.
Please do not rename Combofix to other names, but only to the one indicated.
Close any open browsers.
Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

-----------------------------------------------------------
- Very Important! Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before performing a scan. They can interfere with ComboFix or remove some of its embedded files which may cause "unpredictable results".
- Click on this link to see a list of programs that should be disabled. The list is not all inclusive. If yours is not listed and you don't know how to disable it, please ask.
  
  -----------------------------------------------------------
- Close any open browsers.
- WARNING: Combofix will disconnect your machine from the Internet as soon as it starts
- Please do not attempt to re-connect your machine back to the Internet until Combofix has completely finished.
- If there is no internet connection after running Combofix, then restart your computer to restore back your connection.
-----------------------------------------------------------
Double click on combo-Fix.exe & follow the prompts.
When finished, it will produce a report for you.
Please post the "C:\Combo-Fix.txt" along with a new HijackThis log for further review.

**Note: Do not mouseclick combo-fix's window while it's running. That may cause it to stall**

#12
Briannola

Posted 26 February 2008 - 12:46 AM

Member

Topic Starter
Member
50 posts

Here are the logs. Thanks for hanging in there with me. I thought there was a possibility that this was not malware related but with the combination of problems I am having at once, I did not think it would be windows related. Thanks again.

Brian

ComboFix 08-02-25.3 - Brian 2008-02-25 22:16:08.1 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.188 [GMT -8:00]
Running from: C:\Documents and Settings\Brian\Desktop\Combo-Fix.exe
* Created a new restore point

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

((((((((((((((((((((((((( Files Created from 2008-01-26 to 2008-02-26 )))))))))))))))))))))))))))))))
.

2008-02-23 11:34 . 2008-02-23 11:34 <DIR> d-------- C:\_OTMoveIt
2008-02-22 20:24 . 2008-02-22 20:24 <DIR> d-------- C:\WINDOWS\system32\Kaspersky Lab
2008-02-22 20:24 . 2008-02-22 20:24 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Kaspersky Lab
2008-02-22 20:17 . 2008-02-22 20:17 <DIR> d-------- C:\Deckard
2008-02-16 21:59 . 2008-02-16 21:59 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\Grisoft
2008-02-16 13:49 . 2008-02-16 14:09 <DIR> d-------- C:\XPCD
2008-02-16 00:40 . 2008-02-16 00:40 <DIR> d-------- C:\Program Files\Security Task Manager
2008-02-16 00:40 . 2008-02-16 00:44 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\SecTaskMan
2008-02-09 20:50 . 2008-02-09 20:52 <DIR> d-------- C:\Program Files\NavFit98A
2008-02-09 20:50 . 2008-02-09 20:50 286,720 --------- C:\WINDOWS\Setup1.exe
2008-02-09 20:50 . 2008-02-09 20:50 73,216 --a------ C:\WINDOWS\ST6UNST.EXE
2008-02-09 19:03 . 2008-02-09 19:03 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\SUPERAntiSpyware.com
2008-02-09 19:00 . 2008-01-21 17:20 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\Gtek
2008-02-09 17:18 . 2001-08-17 13:56 7,552 --a------ C:\WINDOWS\system32\drivers\SONYPVU1.SYS
2008-02-09 17:18 . 2001-08-17 13:56 7,552 --a--c--- C:\WINDOWS\system32\dllcache\sonypvu1.sys
2008-02-09 09:32 . 2007-06-05 10:56 44,928 --a------ C:\WINDOWS\system32\drivers\SDTHOOK.SYS
2008-02-09 00:42 . 2008-02-09 10:07 <DIR> d-------- C:\WINDOWS\system32\ActiveScan
2008-02-09 00:42 . 2008-02-09 00:42 30,590 --a------ C:\WINDOWS\system32\pavas.ico
2008-02-09 00:42 . 2008-02-09 00:42 2,550 --a------ C:\WINDOWS\system32\Uninstall.ico
2008-02-09 00:42 . 2008-02-09 00:42 1,406 --a------ C:\WINDOWS\system32\Help.ico
2008-02-08 23:03 . 2008-02-17 23:14 <DIR> d-------- C:\Program Files\SUPERAntiSpyware
2008-02-08 23:03 . 2008-02-08 23:03 <DIR> d-------- C:\Documents and Settings\Brian\Application Data\SUPERAntiSpyware.com
2008-02-08 23:03 . 2008-02-08 23:03 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\SUPERAntiSpyware.com
2008-02-08 21:57 . 2008-02-08 21:57 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Avg7
2008-02-08 20:33 . 2008-02-08 20:33 <DIR> d-------- C:\Documents and Settings\Brian\Application Data\Grisoft
2008-02-08 20:32 . 2007-05-30 04:10 10,872 --a------ C:\WINDOWS\system32\drivers\AvgAsCln.sys
2008-02-08 18:56 . 2008-02-08 18:56 <DIR> d-------- C:\Program Files\Trend Micro
2008-02-07 21:21 . 2008-02-07 21:21 <DIR> d-------- C:\Program Files\uTorrent
2008-02-07 21:21 . 2008-02-24 19:53 <DIR> d-------- C:\Documents and Settings\Brian\Application Data\uTorrent
2008-02-07 20:25 . 2008-02-09 09:54 <DIR> d-------- C:\Program Files\Windows Defender
2008-02-07 19:14 . 2008-02-08 21:56 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Grisoft
2008-02-07 19:10 . 2008-02-07 19:10 <DIR> d-------- C:\Program Files\SpywareBlaster
2008-02-05 22:47 . 2008-02-05 22:47 <DIR> d-------- C:\Program Files\Common Files\Adobe
2008-01-28 21:34 . 2008-01-28 21:34 52 --a------ C:\WINDOWS\RTFContentCtrl.INI

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-02-25 04:23 --------- d-----w C:\Program Files\Common Files\Symantec Shared
2008-02-15 06:23 --------- d-----w C:\Documents and Settings\Brian\Application Data\SuperNZB
2008-02-09 07:02 --------- d-----w C:\Program Files\Common Files\Wise Installation Wizard
2008-01-23 07:53 --------- d-----w C:\Documents and Settings\All Users\Application Data\DVD Shrink
2008-01-22 01:21 --------- d--ha-w C:\Documents and Settings\All Users\Application Data\GTek
2008-01-22 01:20 --------- d--h--w C:\Documents and Settings\Brian\Application Data\GTek
2008-01-22 01:20 --------- d-----w C:\Program Files\Linksys EasyLink Advisor
2008-01-15 06:14 --------- d-----w C:\Documents and Settings\Brian\Application Data\Media Player Classic
2008-01-15 05:46 --------- d-----w C:\Program Files\Smallvideosoft
2008-01-14 00:57 --------- d-----w C:\Program Files\SuperNZB
2008-01-14 00:23 --------- d-----w C:\Program Files\7-Zip
2008-01-13 03:42 --------- d-----w C:\Documents and Settings\Brian\Application Data\Pinnacle Systems
2008-01-13 03:21 --------- d-----w C:\Documents and Settings\Brian\Application Data\InstallShield
2008-01-13 03:11 --------- d-----w C:\Documents and Settings\Brian\Application Data\Download Manager
2008-01-13 02:28 --------- d-----w C:\Program Files\proDAD
2008-01-13 01:11 --------- d-----w C:\Program Files\AdorageI-GfxDatas
2008-01-13 01:10 --------- d-----w C:\Program Files\AdorageI-SAL
2008-01-13 00:56 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-01-13 00:39 --------- d-----w C:\Documents and Settings\All Users\Application Data\Pinnacle Studio
2008-01-13 00:39 --------- d-----w C:\Documents and Settings\All Users\Application Data\Pinnacle
2008-01-13 00:34 --------- d-----w C:\Program Files\Pinnacle
2008-01-13 00:31 --------- d-----w C:\Program Files\Microsoft SQL Server
2008-01-13 00:25 --------- d-----w C:\Documents and Settings\All Users\Application Data\SmartSound Software Inc
2008-01-13 00:24 --------- d-----w C:\Program Files\SmartSound Software
2008-01-13 00:23 --------- d-----w C:\Program Files\QuickTime
2008-01-13 00:22 --------- d-----w C:\Documents and Settings\All Users\Application Data\Apple Computer
2008-01-13 00:12 --------- d-----w C:\Program Files\Common Files\InstallShield
2008-01-13 00:03 --------- d-----w C:\Documents and Settings\Brian\Application Data\Roxio
2008-01-12 20:00 --------- d-----w C:\Program Files\DivxManager
2008-01-11 04:54 360,064 ----a-w C:\WINDOWS\system32\drivers\TCPIP.SYS.ORIGINAL
2008-01-11 04:54 360,064 ----a-w C:\WINDOWS\system32\drivers\TCPIP.SYS
2008-01-09 02:35 --------- d-----w C:\Program Files\AVStoDVD
2008-01-09 02:25 --------- d-----w C:\Program Files\AviSynth 2.5
2008-01-09 02:19 --------- d-----w C:\Program Files\Lavasoft
2008-01-09 02:19 --------- d-----w C:\Documents and Settings\All Users\Application Data\Lavasoft
2008-01-09 01:15 --------- d-----w C:\Program Files\Common Files\AVSMedia
2008-01-09 01:15 --------- d-----w C:\Program Files\AVS4YOU
2008-01-09 01:04 --------- d-----w C:\Documents and Settings\Brian\Application Data\AVS4YOU
2008-01-09 01:04 --------- d-----w C:\Documents and Settings\All Users\Application Data\AVS4YOU
2008-01-08 23:22 --------- d-----w C:\Program Files\DirectVobSub
2008-01-07 23:40 --------- d-----w C:\Program Files\Combined Community Codec Pack
2008-01-05 05:43 --------- d-----w C:\Program Files\Network Stumbler
2007-12-30 06:45 --------- d-----w C:\Program Files\WinASO
2007-12-30 02:07 --------- d-----w C:\Program Files\Common Files\Roxio Shared
2007-12-30 02:06 --------- d-----w C:\Program Files\Roxio
2007-12-30 02:06 --------- d-----w C:\Documents and Settings\All Users\Application Data\Roxio
2007-12-29 18:27 --------- d-----w C:\Program Files\NDAS
2007-12-29 06:06 --------- d-----w C:\Program Files\FlashGet
2007-12-28 05:33 --------- d-----w C:\Program Files\HooTech
2007-12-21 02:57 48,768 ----a-w C:\WINDOWS\system32\S32EVNT1.DLL
2007-12-15 22:18 558,142 ----a-w C:\WINDOWS\java\Packages\4PB3V1J7.ZIP
2007-12-15 22:18 155,995 ----a-w C:\WINDOWS\java\Packages\25FB1BB7.ZIP
2007-12-07 02:21 824,832 ----a-w C:\WINDOWS\system32\wininet.dll
2007-12-04 18:38 550,912 ----a-w C:\WINDOWS\system32\oleaut32.dll
2007-12-04 00:34 7,680 ----a-w C:\WINDOWS\system32\ff_vfw.dll
2007-11-29 20:52 60,273 ----a-w C:\WINDOWS\system32\pthreadGC2.dll
2007-11-28 01:06 15,848 ----a-w C:\WINDOWS\system32\wshlpx.dll
2007-11-28 01:06 14,312 ----a-w C:\WINDOWS\system32\ndasiomg.dll
.

------- Sigcheck -------

482ab7f9cd41702e8f856c11cfefb02d C:\WINDOWS\system32\drivers\tcpip.sys
----a-w 359,808 2006-04-20 11:51:50 C:\WINDOWS\$hf_mig$\KB917953\SP2GDR\tcpip.sys
----a-w 360,576 2006-04-20 12:18:35 C:\WINDOWS\$hf_mig$\KB917953\SP2QFE\tcpip.sys
----a-w 360,832 2007-10-30 16:53:32 C:\WINDOWS\$hf_mig$\KB941644\SP2QFE\tcpip.sys
-c----w 340,480 2006-04-20 11:38:44 C:\WINDOWS\$NtServicePackUninstall$\tcpip.sys
-c----w 359,040 2004-08-04 06:14:40 C:\WINDOWS\$NtUninstallKB917953$\tcpip.sys
-c----w 332,928 2002-09-03 13:00:00 C:\WINDOWS\$NtUninstallKB917953_0$\tcpip.sys
-c----w 359,808 2006-04-20 11:51:50 C:\WINDOWS\$NtUninstallKB941644$\tcpip.sys
----a-w 359,040 2004-08-04 06:14:40 C:\WINDOWS\ServicePackFiles\i386\TCPIP.SYS
-c--a-w 360,064 2008-01-11 04:54:51 C:\WINDOWS\system32\dllcache\TCPIP.SYS
----a-w 360,064 2008-01-11 04:54:51 C:\WINDOWS\system32\drivers\TCPIP.SYS
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-03 23:56 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"!AVG Anti-Spyware"="C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" [2007-06-11 01:25 6731312]
"Windows Defender"="C:\Program Files\Windows Defender\MSASCui.exe" [2006-11-03 19:20 866584]
"vptray"="C:\PROGRA~1\SYMANT~1\SYMANT~2\VPTray.exe" [2007-03-14 19:49 125632]
"SoundMAXPnP"="C:\Program Files\Analog Devices\SoundMAX\SMax4PNP.exe" [2003-05-29 16:28 790528]
"SoundMAX"="C:\Program Files\Analog Devices\SoundMAX\Smax4.exe" [2003-05-30 09:42 585728]
"Ptipbmf"="ptipbmf.dll" [2003-06-20 15:06 118784 C:\WINDOWS\system32\ptipbmf.dll]
"ccApp"="C:\Program Files\Common Files\Symantec Shared\ccApp.exe" [2006-11-21 17:38 52840]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
NDAS Device Management.lnk - C:\Program Files\NDAS\System\ndasmgmt.exe [2007-11-27 17:06:54 236520]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= C:\Program Files\SUPERAntiSpyware\SASSEH.DLL [2006-12-20 12:55 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
C:\Program Files\SUPERAntiSpyware\SASWINLO.dll 2007-02-27 11:39 282624 C:\Program Files\SUPERAntiSpyware\SASWINLO.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"DLLPN"=3 (0x3)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
"DisableNotifications"= 1 (0x1)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"C:\\WINDOWS\\system32\\sessmgr.exe"=
"C:\\Program Files\\uTorrent\\uTorrent.exe"=
"C:\\Program Files\\Pinnacle\\Studio 10\\programs\\RM.exe"=
"C:\\Program Files\\Pinnacle\\Studio 10\\programs\\Studio.exe"=
"C:\\Program Files\\Pinnacle\\Studio 10\\programs\\PMSRegisterFile.exe"=
"C:\\Program Files\\Pinnacle\\Studio 10\\programs\\umi.exe"=

R0 lfsfilt;Lean File Sharing;C:\WINDOWS\system32\DRIVERS\lfsfilt.sys [2007-11-27 17:06]
R0 lpx;LPX Protocol;C:\WINDOWS\system32\DRIVERS\lpx.sys [2007-11-27 17:06]
R1 ndasfat;NDAS FAT;C:\WINDOWS\system32\DRIVERS\ndasfat.sys [2007-11-27 17:06]
R3 ndasbus;NDAS Bus Driver;C:\WINDOWS\system32\DRIVERS\ndasbus.sys [2007-11-27 17:06]
S2 WUSB300NSvc;WUSB300NSvc;"C:\Program Files\Linksys\WUSB300N\WLService.exe" "WUSB300N.exe" []
S3 ndasscsi;NDAS SCSI Miniport Driver;C:\WINDOWS\system32\DRIVERS\ndasscsi.sys [2007-11-27 17:06]
S3 NSNDIS5;NSNDIS5 NDIS Protocol Driver;C:\WINDOWS\system32\NSNDIS5.SYS [2004-03-23 18:12]

.
Contents of the 'Scheduled Tasks' folder
"2008-02-26 01:50:53 C:\WINDOWS\Tasks\MP Scheduled Scan.job"
- C:\Program Files\Windows Defender\MpCmdRun.exe
.
**************************************************************************

catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-02-25 22:18:47
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2008-02-25 22:19:29
.
2008-02-15 06:05:54 --- E O F ---

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 10:43:15 PM, on 2/25/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16608)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccProxy.exe
C:\Program Files\Symantec Client Security\Symantec Client Firewall\ISSVC.exe
C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\Program Files\Symantec Client Security\Symantec AntiVirus\DefWatch.exe
C:\Program Files\Pinnacle\MediaServer\Microsoft SQL Server\MSSQL$PINNACLESYS\Binn\sqlservr.exe
C:\Program Files\NDAS\System\ndassvc.exe
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\Program Files\Symantec Client Security\Symantec AntiVirus\Rtvscan.exe
C:\Program Files\Symantec Client Security\Symantec Client Firewall\SymSPort.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\PROGRA~1\SYMANT~1\SYMANT~2\VPTray.exe
C:\Program Files\Analog Devices\SoundMAX\SMax4PNP.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\system32\notepad.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://my.earthlink.net/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft....k/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft....k/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft....k/?LinkId=69157
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\SYMANT~2\VPTray.exe
O4 - HKLM\..\Run: [SoundMAXPnP] C:\Program Files\Analog Devices\SoundMAX\SMax4PNP.exe
O4 - HKLM\..\Run: [SoundMAX] "C:\Program Files\Analog Devices\SoundMAX\Smax4.exe" /tray
O4 - HKLM\..\Run: [Ptipbmf] rundll32.exe ptipbmf.dll,SetWriteCacheMode
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Global Startup: NDAS Device Management.lnk = C:\Program Files\NDAS\System\ndasmgmt.exe
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky...can_unicode.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoft...free/asinst.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.m...ash/swflash.cab
O16 - DPF: {FFBB3F3B-0A5A-4106-BE53-DFE1E2340CB1} (DLM Control) - http://dlm.tools.aka...vex-2.2.3.2.cab
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Network Proxy (ccProxy) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccProxy.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - C:\Program Files\Symantec Client Security\Symantec AntiVirus\DefWatch.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: IS Service (ISSVC) - Symantec Corporation - C:\Program Files\Symantec Client Security\Symantec Client Firewall\ISSVC.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: NDAS Service (ndassvc) - XIMETA, Inc. - C:\Program Files\NDAS\System\ndassvc.exe
O23 - Service: Pinnacle Systems Media Service (PinnacleSys.MediaServer) - Unknown owner - (no file)
O23 - Service: Promise RAID message agent (RAIDmAgt) - Parallel Technologies, Inc. - (no file)
O23 - Service: Promise RAID message server (RAIDmSvr) - Parallel Technologies, Inc. - (no file)
O23 - Service: SAVRoam (SavRoam) - symantec - C:\Program Files\Symantec Client Security\Symantec AntiVirus\SavRoam.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec Client Security\Symantec AntiVirus\Rtvscan.exe
O23 - Service: Symantec SecurePort (SymSecurePort) - Symantec Corporation - C:\Program Files\Symantec Client Security\Symantec Client Firewall\SymSPort.exe
O23 - Service: WUSB300NSvc - Unknown owner - C:\Program Files\Linksys\WUSB300N\WLService.exe

--
End of file - 7335 bytes

#13
Rorschach112

Posted 26 February 2008 - 07:00 AM

Ralphie

Retired Staff
47,710 posts

Yeah this is definitely not malware related. You will need to make a topic in the Windows XP forum, tell them I sent you over

Few things to do

Now lets uninstall Combofix:

Click START then RUN
Now type Combofix /u in the runbox and click OK

The above procedure will do the following:

Delete ComboFix and its associated files and folders.
Delete VundoFix backups, if present
Delete the C:\Deckard folder, if present
Delete the C:_OtMoveIt folder, if present
Reset the clock settings.
Hide file extensions, if required.
Hide System/Hidden files, if required.
Reset System Restore.

Make sure you have an Internet Connection.
Double-click OTMoveIt2.exe to run it.
Click on the CleanUp! button
A list of tool components used in the Cleanup of malware will be downloaded.
If your Firewall or Real Time protection attempts to block OtMoveit2 to rech the Internet, please allow the application to do so.
Click Yes to beging the Cleanup process and remove these components, including this application.
You will be asked to reboot the machine to finish the Cleanup process. If you are asked to reboot the machine choose Yes.

Below I have included a number of recommendations for how to protect your computer against malware infections.

* Keep Windows updated by regularly checking their website at :
http://windowsupdate.microsoft.com/
This will ensure your computer has always the latest security updates available installed on your computer.

* To reduce re-infection for malware in the future, I strongly recommend installing these free programs:
SpywareBlaster protects against bad ActiveX
IE-SPYAD puts over 5000 sites in your restricted zone so you'll be protected when you visit innocent-looking sites that aren't actually innocent at all
Have a look at this tutorial for IE-Spyad here

* SpywareGuard offers realtime protection from spyware installation attempts.

Make Internet Explorer more secure

Click Start > Run
Type Inetcpl.cpl & click OK
Click on the Security tab
Click Reset all zones to default level
Make sure the Internet Zone is selected & Click Custom level
In the ActiveX section, set the first two options ("Download signed and unsigned ActiveX controls) to "Prompt", and ("Initialize and Script ActiveX controls not marked as safe") to "Disable".
Next Click OK, then Apply button and then OK to exit the Internet Properties page.

* MVPS Hosts file replaces your current HOSTS file with one containing well known ad sites and other bad sites. Basically, this prevents your computer from connecting to those sites by redirecting them to 127.0.0.1 which is your local computer, meaning it will be difficult to infect yourself in the future.

* Please consider using an alternate browser. Mozilla's Firefox browser is fantastic; it is much more
secure than Internet Explorer, immune to almost all known browser hijackers, and also has the best built-in pop up
blocker (as an added benefit!) that I have ever seen. If you are interested, Firefox may be downloaded from
Here

* Take a good look at the following suggestions for malware prevention by reading Tony Klein’s article 'How Did I Get Infected In The First Place'
Here

Thank you for your patience, and performing all of the procedures requested.

#14
Briannola

Posted 27 February 2008 - 11:39 PM

Member

Topic Starter
Member
50 posts

Ok Thanks. I have posted in the Windows XP forum.

#15
Rorschach112

Posted 28 February 2008 - 07:42 AM

Ralphie

Retired Staff
47,710 posts

Since this issue appears to be resolved ... this Topic has been closed. Glad we could help.

If you're the topic starter, and need this topic reopened, please contact a staff member with the address of the thread.

Everyone else please begin a New Topic.