Memory dropping in huge chunks [RESOLVED]


  • This topic is locked

#1
BlackHalo

    Member

  • 266 posts
Hi,

I've posted some things in the hardware section about this and thought I might try here in case it's a malware problem. I did GeekU up to a point a while back and did all the steps I could think of, so I'm just checking.

OK, recently my PC has been digging into my hard drive memory when running intensive programs (such as Photoshop). I'm talking 55GB just disappearing from the hard drive when I work on large files! This has never happened before, and I've worked on A2-sized files in Photoshop. Now I can barely work on A4 pages without trouble. Not only does the PC dump huge amounts of space, but it has also slowed to a dying crawl when I work on files (it appears any size file). I have 1GB of DDR RAM and a 2GB processor, so this shouldn't be a problem (nor has it been up till now). I've run ComboFix and it found some things. Might be related to this link; some of the same stuff appears in my scan, and I know the problems started after inserting my USB drive (so I'll need to clean that up as well). Anyway, I have the ComboFix report on hand if necessary; here is my HJT log (I tried cross-referencing it with CastleCops, but it was down the last time I tried...):

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 14:55:08, on 06/03/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\Program Files\TOSHIBA\ConfigFree\CFSvcs.exe
C:\WINDOWS\system32\PSIService.exe
C:\Program Files\Spyware Terminator\sp_rsser.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\Tablet.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\WINDOWS\AGRSMMSG.exe
C:\Program Files\Apoint2K\Apoint.exe
C:\Program Files\TOSHIBA\E-KEY\CeEKey.exe
C:\Program Files\TOSHIBA\TouchPad\TPTray.exe
C:\Program Files\Apoint2K\Apntex.exe
C:\WINDOWS\system32\ZoomingHook.exe
C:\WINDOWS\system32\TCtrlIOHook.exe
C:\Program Files\TOSHIBA\Tvs\TvsTray.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Program Files\Adobe\Acrobat 7.0\Distillr\Acrotray.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Program Files\Winamp\winampa.exe
C:\Program Files\Google\Gmail Notifier\gnotify.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
C:\Program Files\Spyware Terminator\SpywareTerminatorShield.exe
C:\Program Files\TOSHIBA\TOSCDSPD\toscdspd.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\WTablet\TabUserW.exe
C:\Program Files\Toshiba\TOSHIBA Controls\TFncKy.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\BitLord\BitLord.exe
C:\WINDOWS\system32\notepad.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft....k/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft....k/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: AcroIEToolbarHelper Class - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: Easy-WebPrint - {327C2873-E90D-4c37-AA9D-10AC9BABA46C} - C:\Program Files\Canon\Easy-WebPrint\Toolband.dll
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint2K\Apoint.exe
O4 - HKLM\..\Run: [CeEKEY] C:\Program Files\TOSHIBA\E-KEY\CeEKey.exe
O4 - HKLM\..\Run: [TPNF] C:\Program Files\TOSHIBA\TouchPad\TPTray.exe
O4 - HKLM\..\Run: [HWSetup] C:\Program Files\TOSHIBA\TOSHIBA Applet\HWSetup.exe hwSetUP
O4 - HKLM\..\Run: [SVPWUTIL] C:\Program Files\Toshiba\Windows Utilities\SVPWUTIL.exe SVPwUTIL
O4 - HKLM\..\Run: [Zooming] ZoomingHook.exe
O4 - HKLM\..\Run: [TCtryIOHook] TCtrlIOHook.exe
O4 - HKLM\..\Run: [Tvs] C:\Program Files\TOSHIBA\Tvs\TvsTray.exe
O4 - HKLM\..\Run: [ATIPTA] "C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe"
O4 - HKLM\..\Run: [Acrobat Assistant 7.0] "C:\Program Files\Adobe\Acrobat 7.0\Distillr\Acrotray.exe"
O4 - HKLM\..\Run: [ZoneAlarm Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [WinampAgent] "C:\Program Files\Winamp\winampa.exe"
O4 - HKLM\..\Run: [{0228e555-4f9c-4e35-a3ec-b109a192b4c2}] C:\Program Files\Google\Gmail Notifier\gnotify.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [Easy-PrintToolBox] C:\Program Files\Canon\Easy-PrintToolBox\BJPSMAIN.EXE /logon
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKLM\..\Run: [SpywareTerminator] "C:\Program Files\Spyware Terminator\SpywareTerminatorShield.exe"
O4 - HKCU\..\Run: [TOSCDSPD] C:\Program Files\TOSHIBA\TOSCDSPD\toscdspd.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - Global Startup: TabUserW.exe.lnk = C:\WINDOWS\system32\WTablet\TabUserW.exe
O8 - Extra context menu item: Convert link target to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert link target to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert selected links to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
O8 - Extra context menu item: Convert selected links to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
O8 - Extra context menu item: Convert selection to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert selection to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Easy-WebPrint Add To Print List - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_AddToList.html
O8 - Extra context menu item: Easy-WebPrint High Speed Print - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_HSPrint.html
O8 - Extra context menu item: Easy-WebPrint Preview - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_Preview.html
O8 - Extra context menu item: Easy-WebPrint Print - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_Print.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_03\bin\npjpi150_03.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_03\bin\npjpi150_03.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoft...free/asinst.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{0FDF5EEA-593F-443C-BA07-D0E13DB0B1AF}: NameServer = 208.67.222.222,208.67.220.220
O17 - HKLM\System\CS1\Services\Tcpip\..\{0FDF5EEA-593F-443C-BA07-D0E13DB0B1AF}: NameServer = 208.67.222.222,208.67.220.220
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Ares Chatroom server (AresChatServer) - Ares Development Group - C:\Program Files\Ares\chatServer.exe
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: ##Id_String1.6844F930_1628_4223_B5CC_5BB94B879762## (Bonjour Service) - Unknown owner - C:\Program Files\Bonjour\mDNSResponder.exe (file missing)
O23 - Service: ConfigFree Service (CFSvcs) - TOSHIBA CORPORATION - C:\Program Files\TOSHIBA\ConfigFree\CFSvcs.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: Macromedia Licensing Service - Unknown owner - C:\Program Files\Common Files\Macromedia Shared\Service\Macromedia Licensing.exe
O23 - Service: ProtexisLicensing - Unknown owner - C:\WINDOWS\system32\PSIService.exe
O23 - Service: Spyware Terminator Realtime Shield Service (sp_rssrv) - Crawler.com - C:\Program Files\Spyware Terminator\sp_rsser.exe
O23 - Service: TabletService - Wacom Technology, Corp. - C:\WINDOWS\system32\Tablet.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe

--
End of file - 10336 bytes


F:\ is my external hard drive, by the way; the flash drive would be E:\. Much appreciated.

Edited by BlackHalo, 06 March 2008 - 07:50 AM.

  • 0

#2
eddie5659

    Trusted Helper

  • Malware Removal
  • 1,980 posts
  • MVP
Hello BlackHalo. I'm currently reading over your log right now and I'll do my best to try to get your system clean :)

Since I'm still in training, there may be a slight delay between my posts because they must be checked by an expert.

Regards

eddie
  • 0

#3
BlackHalo

    Member

  • Topic Starter
  • 266 posts
No problem eddie, I also trained way back when, so I understand! :)
  • 0

#4
eddie5659

    Trusted Helper

  • Malware Removal
  • 1,980 posts
  • MVP
Can you post the ComboFix log as well? :)
  • 0

#5
BlackHalo

    Member

  • Topic Starter
  • 266 posts
ComboFix 08-03-01.3 - UnitShift 2008-03-09 20:19:48.12 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.599 [GMT 2:00]
Running from: C:\Documents and Settings\UnitShift\Desktop\ComboFix.exe

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Autorun.inf
C:\WINDOWS\system32\amvo.exe
C:\WINDOWS\system32\amvo1.dll
F:\Autorun.inf

.
((((((((((((((((((((((((( Files Created from 2008-02-09 to 2008-03-09 )))))))))))))))))))))))))))))))
.

2008-03-09 20:15 . 2008-03-09 20:14 102,536 -r-hs---- C:\v.com
2008-03-07 16:39 . 2008-03-07 16:39 <DIR> d-------- C:\Program Files\Multiquence
2008-03-06 14:55 . 2008-03-06 14:55 <DIR> d-------- C:\Program Files\Trend Micro
2008-03-06 05:53 . 2008-03-06 05:53 106,249 -r-hs---- C:\ta2.cmd
2008-03-05 17:12 . 2008-03-05 17:12 <DIR> d-------- C:\Program Files\AndreaMosaic
2008-03-05 17:12 . 2008-03-05 17:12 737,280 --a------ C:\WINDOWS\iun6002.exe
2008-03-04 23:31 . 2008-03-04 23:31 107,272 -r-hs---- C:\8.bat
2008-03-03 21:09 . 2008-03-03 21:09 <DIR> d-------- C:\Documents and Settings\UnitShift\Application Data\CD-LabelPrint
2008-03-03 19:45 . 2008-03-03 19:49 <DIR> d-------- C:\Documents and Settings\UnitShift\Application Data\GetRightToGo
2008-03-02 16:11 . 2008-03-08 10:39 <DIR> d-------- C:\Program Files\Spyware Terminator
2008-03-02 16:11 . 2008-03-02 18:11 <DIR> d-------- C:\Documents and Settings\UnitShift\Application Data\Spyware Terminator
2008-03-02 16:11 . 2008-03-02 20:41 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Spyware Terminator
2008-03-02 16:11 . 2008-03-02 16:11 138,752 --a------ C:\WINDOWS\system32\drivers\sp_rsdrv2.sys
2008-03-02 16:06 . 2008-03-02 16:06 102,800 --a------ C:\WINDOWS\system32\drivers\tmcomm.sys
2008-03-02 12:55 . 2004-08-04 14:00 388,608 --a------ C:\WINDOWS\system32\kmd.exe
2008-02-25 11:29 . 2008-02-25 11:29 <DIR> d-------- C:\Program Files\QuickTime
2008-02-25 11:28 . 2007-02-20 16:04 2,463,976 --a------ C:\WINDOWS\system32\NPSWF32.dll
2008-02-25 11:28 . 2007-02-20 16:04 190,696 --a------ C:\WINDOWS\system32\NPSWF32_FlashUtil.exe
2008-02-22 09:09 . 2008-02-24 14:47 109,413 -r-hs---- C:\oufddh.exe
2008-02-16 22:11 . 2007-01-18 14:00 3,968 --a------ C:\WINDOWS\system32\drivers\AvgArCln.sys
2008-02-16 21:04 . 2007-06-05 10:56 44,928 --a------ C:\WINDOWS\system32\drivers\SDTHOOK.SYS
2008-02-16 20:39 . 2008-02-16 22:46 <DIR> d-------- C:\WINDOWS\system32\ActiveScan
2008-02-16 20:39 . 2008-02-16 20:40 30,590 --a------ C:\WINDOWS\system32\pavas.ico
2008-02-16 20:39 . 2008-02-16 20:40 2,550 --a------ C:\WINDOWS\system32\Uninstall.ico
2008-02-16 20:39 . 2008-02-16 20:40 1,406 --a------ C:\WINDOWS\system32\Help.ico
2008-02-16 18:35 . 2008-02-16 18:35 <DIR> d-------- C:\Documents and Settings\UnitShift\Application Data\Grisoft
2008-02-16 17:14 . 2008-02-16 17:14 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Grisoft
2008-02-16 17:14 . 2007-05-30 14:10 10,872 --a------ C:\WINDOWS\system32\drivers\AvgAsCln.sys
2008-02-16 16:19 . 2008-03-02 13:36 <DIR> d-------- C:\Program Files\SUPERAntiSpyware
2008-02-16 16:19 . 2008-03-02 16:12 <DIR> d-------- C:\Documents and Settings\UnitShift\Application Data\SUPERAntiSpyware.com
2008-02-16 16:19 . 2008-02-16 16:19 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\SUPERAntiSpyware.com
2008-02-15 18:29 . 2008-02-15 18:29 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\vsosdk
2008-02-15 07:38 . 2008-02-16 11:00 1,680,334 ---hs---- C:\WINDOWS\system32\egwfxddq.ini
2008-02-13 20:41 . 2008-02-15 07:34 2,027,868 ---hs---- C:\WINDOWS\system32\kjsecrqs.ini
2008-02-13 19:45 . 2008-02-13 19:47 37,888 --a------ C:\WINDOWS\system32\rar.exe
2008-02-10 20:27 . 2008-02-10 20:27 <DIR> d-------- C:\Documents and Settings\UnitShift\Application Data\funkitron

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-03-09 18:24 13,991,968 --sha-w C:\WINDOWS\system32\drivers\fidbox.dat
2008-03-09 17:01 166,796 --sha-w C:\WINDOWS\system32\drivers\fidbox.idx
2008-03-09 16:52 --------- d-----w C:\Program Files\Winamp
2008-03-06 18:42 --------- d-----w C:\Program Files\Common Files\Adobe
2008-03-02 14:12 --------- d-----w C:\Program Files\Common Files\Wise Installation Wizard
2008-02-25 03:34 3,386,274 ----a-w C:\WINDOWS\Internet Logs\tvDebug.zip
2008-02-24 17:43 --------- d-----w C:\Documents and Settings\UnitShift\Application Data\Vso
2008-02-17 13:48 --------- d-----w C:\Documents and Settings\UnitShift\Application Data\CopyToDvd
2008-02-16 19:26 --------- d-----w C:\Program Files\Apoint2K
2008-02-16 18:35 --------- d---a-w C:\Documents and Settings\All Users\Application Data\TEMP
2008-02-14 16:48 --------- d-----w C:\Documents and Settings\UnitShift\Application Data\Orbit
2008-02-14 04:18 --------- d-----w C:\Documents and Settings\All Users\Application Data\Lavasoft
2008-02-12 18:58 --------- d-----w C:\Documents and Settings\All Users\Application Data\DVD Shrink
2008-02-08 09:09 --------- d-----w C:\Documents and Settings\UnitShift\Application Data\U3
2008-02-08 08:00 695,568 ----a-w C:\Documents and Settings\UnitShift\Application Data\GDIPFONTCACHEV1.DAT
2008-01-30 22:34 --------- d-----w C:\Program Files\Apophysis 2.0
2008-01-21 14:39 --------- d-----w C:\Documents and Settings\UnitShift\Application Data\AdobeUM
2008-01-20 19:17 --------- d-----w C:\Program Files\DivX
2008-01-20 14:27 --------- d-----w C:\Documents and Settings\UnitShift\Application Data\dvdcss
2008-01-20 14:20 --------- d-----w C:\Program Files\Common Files\Download Manager
2008-01-16 16:36 --------- d-----w C:\Program Files\Eltima Software
2008-01-16 16:36 --------- d-----w C:\Program Files\Common Files\Eltima Shared
2008-01-16 16:36 --------- d-----w C:\Documents and Settings\UnitShift\Application Data\Eltima Software
2008-01-14 12:29 --------- d-----w C:\Program Files\Canon
2008-01-14 12:26 --------- d--h--w C:\Documents and Settings\All Users\Application Data\CanonBJ
2008-01-14 12:21 --------- d-----w C:\Program Files\Microsoft ActiveSync
2008-01-12 13:31 --------- d--h--w C:\Program Files\InstallShield Installation Information
2007-12-22 09:29 20,632,296 ----a-w C:\WINDOWS\Internet Logs\vsmon_on_demand_2007_12_22_01_37_09_full.dmp.zip
2007-11-25 19:51 47,360 ----a-w C:\Documents and Settings\UnitShift\Application Data\pcouffin.sys
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"TOSCDSPD"="C:\Program Files\TOSHIBA\TOSCDSPD\toscdspd.exe" [2005-04-11 12:26 65536]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 14:00 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"AGRSMMSG"="AGRSMMSG.exe" [2004-12-22 02:10 88358 C:\WINDOWS\agrsmmsg.exe]
"Apoint"="C:\Program Files\Apoint2K\Apoint.exe" [2004-03-23 23:40 196608]
"CeEKEY"="C:\Program Files\TOSHIBA\E-KEY\CeEKey.exe" [2005-09-06 15:04 671744]
"TPNF"="C:\Program Files\TOSHIBA\TouchPad\TPTray.exe" [2005-08-25 20:11 53248]
"HWSetup"="C:\Program Files\TOSHIBA\TOSHIBA Applet\HWSetup.exe" [2004-05-01 14:45 28672]
"SVPWUTIL"="C:\Program Files\Toshiba\Windows Utilities\SVPWUTIL.exe" [2004-05-01 14:45 65536]
"Zooming"="ZoomingHook.exe" [2005-06-06 10:58 24576 C:\WINDOWS\system32\ZoomingHook.exe]
"TCtryIOHook"="TCtrlIOHook.exe" [2005-08-22 17:49 28672 C:\WINDOWS\system32\TCtrlIOHook.exe]
"Tvs"="C:\Program Files\TOSHIBA\Tvs\TvsTray.exe" [2005-04-05 17:25 73728]
"ATIPTA"="C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [2005-08-05 21:05 344064]
"Acrobat Assistant 7.0"="C:\Program Files\Adobe\Acrobat 7.0\Distillr\Acrotray.exe" [2004-12-14 02:12 483328]
"ZoneAlarm Client"="C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe" [2007-09-06 16:14 919016]
"avast!"="C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe" [2007-12-04 15:00 79224]
"WinampAgent"="C:\Program Files\Winamp\winampa.exe" [2007-10-10 07:28 36352]
"{0228e555-4f9c-4e35-a3ec-b109a192b4c2}"="C:\Program Files\Google\Gmail Notifier\gnotify.exe" [2005-07-15 23:48 479232]
"NeroFilterCheck"="C:\WINDOWS\system32\NeroCheck.exe" [2001-07-09 10:50 155648]
"TkBellExe"="C:\Program Files\Common Files\Real\Update_OB\realsched.exe" [2008-01-02 12:45 185896]
"Easy-PrintToolBox"="C:\Program Files\Canon\Easy-PrintToolBox\BJPSMAIN.exe" [2004-01-14 03:10 409600]
"!AVG Anti-Spyware"="C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" [2007-06-11 11:25 6731312]
"SpywareTerminator"="C:\Program Files\Spyware Terminator\SpywareTerminatorShield.exe" [2008-03-02 16:11 2957824]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\system32\CTFMON.EXE" [2004-08-04 14:00 15360]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
TabUserW.exe.lnk - C:\WINDOWS\system32\WTablet\TabUserW.exe [2007-11-18 23:40:46 114688]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= C:\Program Files\SUPERAntiSpyware\SASSEH.DLL [2006-12-20 12:55 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
C:\Program Files\SUPERAntiSpyware\SASWINLO.dll 2007-02-27 11:39 282624 C:\Program Files\SUPERAntiSpyware\SASWINLO.dll

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\ZoneLabsFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

R1 sp_rsdrv2;Spyware Terminator Driver 2;C:\WINDOWS\system32\drivers\sp_rsdrv2.sys [2008-03-02 16:11]
R1 TPwSav;Common Driver;C:\WINDOWS\system32\Drivers\TPwSav.sys [2005-06-03 20:49]
R3 tosrfec;Bluetooth ACPI from TOSHIBA;C:\WINDOWS\system32\DRIVERS\tosrfec.sys [2005-03-24 17:36]

.
**************************************************************************

catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-03-09 20:24:17
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2008-03-09 20:25:11
ComboFix-quarantined-files.txt 2008-03-09 18:25:07
.
2008-02-17 07:18:21 --- E O F ---


Note: When I finished this scan just now, my Windows Explorer disappeared. I had to run everything through Windows Task Manager and shortcut keys.
  • 0
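
The ComboFix listing above is what a helper reads for newly created files carrying both the hidden and system attributes (the `-r-hs----` and `---hs----` entries in the "Files Created" section). The Python script below is an added example, not part of the thread and not ComboFix's own code: it parses lines in that format, flags non-directory entries with both flags set, and lists which drive roots had an Autorun.inf deleted. The meaning assigned to the attribute letters (d, r, a, h, s) is inferred from this log and is an assumption of the example; the sample lines embedded in it are copied from the log above.

```python
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Sample "Files Created" lines copied from the ComboFix log earlier in this thread:
# a mix of benign entries and the hidden+system files that were later confirmed malicious.
SAMPLE_FILES_CREATED = r"""
2008-03-09 20:15 . 2008-03-09 20:14 102,536 -r-hs---- C:\v.com
2008-03-06 14:55 . 2008-03-06 14:55 <DIR> d-------- C:\Program Files\Trend Micro
2008-03-06 05:53 . 2008-03-06 05:53 106,249 -r-hs---- C:\ta2.cmd
2008-03-05 17:12 . 2008-03-05 17:12 737,280 --a------ C:\WINDOWS\iun6002.exe
2008-03-04 23:31 . 2008-03-04 23:31 107,272 -r-hs---- C:\8.bat
2008-03-02 16:11 . 2008-03-02 16:11 138,752 --a------ C:\WINDOWS\system32\drivers\sp_rsdrv2.sys
2008-02-22 09:09 . 2008-02-24 14:47 109,413 -r-hs---- C:\oufddh.exe
2008-02-15 07:38 . 2008-02-16 11:00 1,680,334 ---hs---- C:\WINDOWS\system32\egwfxddq.ini
2008-02-13 20:41 . 2008-02-15 07:34 2,027,868 ---hs---- C:\WINDOWS\system32\kjsecrqs.ini
2008-02-13 19:45 . 2008-02-13 19:47 37,888 --a------ C:\WINDOWS\system32\rar.exe
"""

# Paths from the same log's "Other Deletions" section.
SAMPLE_OTHER_DELETIONS = [
    r"C:\Autorun.inf",
    r"C:\WINDOWS\system32\amvo.exe",
    r"C:\WINDOWS\system32\amvo1.dll",
    r"F:\Autorun.inf",
]

# One line: created . modified  size|<DIR>  nine-character attribute column  path
LINE_RE = re.compile(
    r"^(?P<created>\d{4}-\d\d-\d\d \d\d:\d\d) \. "
    r"(?P<modified>\d{4}-\d\d-\d\d \d\d:\d\d)\s+"
    r"(?P<size><DIR>|[\d,]+)\s+"
    r"(?P<attrs>[-a-z]{9})\s+"
    r"(?P<path>.+?)\s*$"
)


@dataclass
class Entry:
    created: str
    modified: str
    size: Optional[int]  # None for <DIR> entries
    attrs: str           # attribute column exactly as printed
    path: str

    # Assumed letters, read off this log: d=directory, r=read-only, a=archive,
    # h=hidden, s=system. ComboFix does not document the column, so this is inferred.
    @property
    def is_dir(self) -> bool:
        return "d" in self.attrs

    @property
    def hidden(self) -> bool:
        return "h" in self.attrs

    @property
    def system(self) -> bool:
        return "s" in self.attrs


def parse_files_created(text: str) -> List[Entry]:
    """Parse 'Files Created' lines; banners, blanks and '.' separators are skipped."""
    entries = []
    for raw in text.strip().splitlines():
        m = LINE_RE.match(raw.strip())
        if not m:
            continue
        size = None if m["size"] == "<DIR>" else int(m["size"].replace(",", ""))
        entries.append(Entry(m["created"], m["modified"], size, m["attrs"], m["path"]))
    return entries


def in_drive_root(path: str) -> bool:
    """True for 'X:\\name' with no further path components."""
    drive, sep, rest = path.partition(":\\")
    return sep != "" and len(drive) == 1 and "\\" not in rest


def flag_hidden_system_files(entries: List[Entry]) -> List[Tuple[str, str]]:
    """(path, reason) for every non-directory entry with both hidden and system set.
    Legitimate files with that combination live in a few fixed OS locations; newly
    created ones in a drive root, or with random names under system32, stand out."""
    findings = []
    for e in entries:
        if e.is_dir or not (e.hidden and e.system):
            continue
        where = "drive root" if in_drive_root(e.path) else "system directory"
        findings.append((e.path, f"new hidden+system file in {where}"))
    return findings


def drives_with_autorun(deleted_paths: List[str]) -> List[str]:
    """Drive letters whose root held an Autorun.inf, i.e. every volume the worm had seeded."""
    return sorted({p[0].upper() for p in deleted_paths if p.lower().endswith(":\\autorun.inf")})


if __name__ == "__main__":
    for path, reason in flag_hidden_system_files(parse_files_created(SAMPLE_FILES_CREATED)):
        print(f"{reason:42} {path}")
    print("Autorun.inf was present on drives:", drives_with_autorun(SAMPLE_OTHER_DELETIONS))
```

On the sample it flags six paths (`C:\v.com`, `C:\ta2.cmd`, `C:\8.bat`, `C:\oufddh.exe` and the two random-named `.ini` files under system32) and reports Autorun.inf on both C: and F:, which answers the poster's question about whether the external drive was involved.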

#6
eddie5659

    Trusted Helper

  • Malware Removal
  • 1,980 posts
  • MVP
Download FixIEDef by ShadowPuterDude to the Desktop.

Double-click FixIEDef

Click 'OK'

Click 'Scan'

Click 'OK' (FixIEDef requires Administrator privileges to run correctly. This box tells you that FixIEDef successfully elevated its privileges to those of Administrator)

WARNING: FixIEDef will kill all copies of Internet Explorer and Explorer that are running during removal of malicious files. The icons and Start Menu on your Desktop will not be visible while FixIEDef is removing malicious files. This is necessary to remove parts of the infection that would otherwise not be removed.

Everything will be restored to normal, once the malicious file is removed.

Click 'Exit' once FixIEDef displays the All Finished message.

Post the FixIEDef log file, located on the Desktop.
  • 0

#7
BlackHalo

    Member

  • Topic Starter
  • 266 posts
Just a quick question: do I need to have the infected flash drive inserted when doing this scan? Will it scan all connected drives (i.e. external hard drive, flash drive) or just the C drive?
  • 0

#8
BlackHalo

    Member

  • Topic Starter
  • 266 posts
********************************************************************************
* *
* FixIEDef Log *
* Version 1.2.10.3145 *
* *
********************************************************************************

Created at 22:50:41 on Tuesday, March 11, 2008

Time Zone : (GMT+02:00) Harare, Pretoria

Operating System : Microsoft Windows XP Professional
Service Pack Level: Service Pack 2
System Langauge : English
Processor : X86
Boot State : Normal boot

--------------------------------------------------------------------------------

!!! Files that have been deleted !!!

C:\WINDOWS\iun6002.exe
C:\WINDOWS\system32\Help.ico
C:\WINDOWS\system32\LuResult.txt
C:\WINDOWS\system32\pavas.ico
C:\WINDOWS\system32\Uninstall.ico

--------------------------------------------------------------------------------

!!! Directories that have been removed !!!

No malicious directories to be removed

--------------------------------------------------------------------------------

!!! Registry entries that have been removed !!!

No malicious Registry entries found

================================================================================

All Done :)

ShadowPuterDude

Safe Surfing!!!
  • 0

#9
eddie5659

    Trusted Helper

  • Malware Removal
  • 1,980 posts
  • MVP
Jotti File Submission:
  • Please go to Jotti's malware scan
  • Copy and paste the following file path into the "File to upload & scan" box at the top of the page:

    • C:\v.com
  • Click on the submit button
  • Please post the results in your next reply.


Then, do the same for the following files:

C:\ta2.cmd
C:\8.bat


And post the results of them as well.
  • 0

#10
BlackHalo

    Member

  • Topic Starter
  • 266 posts
The first two gave the same result:

Scanner results
Scan taken on 14 Mar 2008 05:18:46 (GMT)
A-Squared
Found nothing
AntiVir
Found TR/Crypt.XPACK.Gen
ArcaVir
Found Trojan.Psw.Onlinegames.Too
Avast
Found nothing
AVG Antivirus
Found nothing
BitDefender
Found Trojan.PWS.OnLineGames.SQN
ClamAV
Found Trojan.Spy-26699
CPsecure
Found Troj.PSW.W32.Delf.oc
Dr.Web
Found modification of Win32.Besso
F-Prot Antivirus
Found nothing
F-Secure Anti-Virus
Found Trojan-PSW.Win32.OnLineGames.too
Fortinet
Found nothing
Ikarus
Found nothing
Kaspersky Anti-Virus
Found Trojan-PSW.Win32.OnLineGames.too
NOD32
Found Win32/PSW.OnLineGames.MUU
Norman Virus Control
Found nothing
Panda Antivirus
Found nothing
Rising Antivirus
Found nothing
Sophos Antivirus
Found Mal/Behav-164
VirusBuster
Found Trojan.Lineage.Gen!Pac.3
VBA32
Found Trojan-PSW.Win32.OnLineGames.too


C:\8.bat gave this result:

Scanner results
Scan taken on 14 Mar 2008 05:24:17 (GMT)
A-Squared
Found nothing
AntiVir
Found TR/Crypt.XPACK.Gen
ArcaVir
Found Worm.Autorun.Cvx
Avast
Found nothing
AVG Antivirus
Found nothing
BitDefender
Found Trojan.PWS.OnLineGames.SQA
ClamAV
Found nothing
CPsecure
Found W32.W.AutoRun.cvx
Dr.Web
Found Trojan.MulDrop.6474
F-Prot Antivirus
Found nothing
F-Secure Anti-Virus
Found Worm.Win32.AutoRun.cvx
Fortinet
Found LegMir.K!tr.pws
Ikarus
Found nothing
Kaspersky Anti-Virus
Found Worm.Win32.AutoRun.cvx
NOD32
Found Win32/PSW.OnLineGames.NLI
Norman Virus Control
Found nothing
Panda Antivirus
Found nothing
Rising Antivirus
Found nothing
Sophos Antivirus
Found Mal/Generic-A
VirusBuster
Found Trojan.Lineage.Gen!Pac.3
VBA32
Found Worm.Win32.AutoRun.cvx
  • 0
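
The two Jotti result blocks above use one line for the engine and the next for its verdict, and the same file gets a different name from every vendor that flags it. As an added example (not from the thread and not Jotti's own code), the Python below parses that format, counts detections, and groups the vendor names into rough families using a keyword table that is this example's own assumption. The embedded sample is the C:\8.bat result copied from the post.

```python
from collections import Counter
from typing import Dict, Optional, Tuple

# The C:\8.bat result copied from the post above. Jotti's format: engine name on
# one line, then "Found <detection name>" or "Found nothing" on the next.
SAMPLE_JOTTI_RESULT = """
Scanner results
Scan taken on 14 Mar 2008 05:24:17 (GMT)
A-Squared
Found nothing
AntiVir
Found TR/Crypt.XPACK.Gen
ArcaVir
Found Worm.Autorun.Cvx
Avast
Found nothing
AVG Antivirus
Found nothing
BitDefender
Found Trojan.PWS.OnLineGames.SQA
ClamAV
Found nothing
CPsecure
Found W32.W.AutoRun.cvx
Dr.Web
Found Trojan.MulDrop.6474
F-Prot Antivirus
Found nothing
F-Secure Anti-Virus
Found Worm.Win32.AutoRun.cvx
Fortinet
Found LegMir.K!tr.pws
Ikarus
Found nothing
Kaspersky Anti-Virus
Found Worm.Win32.AutoRun.cvx
NOD32
Found Win32/PSW.OnLineGames.NLI
Norman Virus Control
Found nothing
Panda Antivirus
Found nothing
Rising Antivirus
Found nothing
Sophos Antivirus
Found Mal/Generic-A
VirusBuster
Found Trojan.Lineage.Gen!Pac.3
VBA32
Found Worm.Win32.AutoRun.cvx
"""

# Keyword -> family grouping, checked in order. This table is the example's own
# assumption, not Jotti's or any vendor's naming scheme.
FAMILY_RULES = [
    (("autorun",), "autorun worm"),
    (("onlinegames", "lineage", "legmir", "pws", "psw"), "online-game password stealer"),
    (("crypt", "xpack", "generic", "behav", "muldrop"), "packer/heuristic only"),
]


def parse_jotti(text: str) -> Dict[str, Optional[str]]:
    """Map engine name -> detection name, or None for 'Found nothing'."""
    results: Dict[str, Optional[str]] = {}
    engine: Optional[str] = None
    for raw in text.strip().splitlines():
        line = raw.strip()
        if not line or line == "Scanner results":
            continue
        if line.startswith("Scan taken on"):
            # A pasted header sometimes has the first engine name glued on after
            # "(GMT)"; recover it rather than silently losing that engine's verdict.
            _, _, tail = line.partition("(GMT)")
            engine = tail.strip() or None
            continue
        if line.startswith("Found "):
            if engine is None:
                raise ValueError(f"verdict with no engine name before it: {line!r}")
            verdict = line[len("Found "):]
            results[engine] = None if verdict == "nothing" else verdict
            engine = None
        else:
            engine = line
    return results


def classify(detection_name: str) -> str:
    lowered = detection_name.lower()
    for keywords, family in FAMILY_RULES:
        if any(k in lowered for k in keywords):
            return family
    return "other"


def detection_ratio(results: Dict[str, Optional[str]]) -> Tuple[int, int]:
    """(engines that flagged the file, engines that scanned it)."""
    return sum(1 for v in results.values() if v is not None), len(results)


def family_summary(results: Dict[str, Optional[str]]) -> Counter:
    return Counter(classify(v) for v in results.values() if v is not None)


if __name__ == "__main__":
    r = parse_jotti(SAMPLE_JOTTI_RESULT)
    hits, total = detection_ratio(r)
    print(f"{hits}/{total} engines flagged the file")
    for family, n in family_summary(r).most_common():
        print(f"  {n:2d}  {family}")
```

For the 8.bat sample it reports 12 of 21 engines detecting, five calling it an autorun worm and four an online-game password stealer; the nine "Found nothing" verdicts, Avast's among them, are why a helper asks for a multi-engine submission instead of relying on the installed scanner alone.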

#11
eddie5659

    Trusted Helper

  • Malware Removal
  • 1,980 posts
  • MVP
OTMoveIt2 -

Please download the OTMoveIt2 by OldTimer.
  • Save it to your desktop.
  • Please double-click OTMoveIt2.exe to run it. (Vista users, please right click on OTMoveit2.exe and select "Run as an Administrator")
  • Copy the file paths below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose Copy):

    C:\v.com
    C:\ta2.cmd
    C:\8.bat
    C:\WINDOWS\system32\egwfxddq.ini
    C:\WINDOWS\system32\kjsecrqs.ini
    C:\oufddh.exe
  • Return to OTMoveIt2, right click in the "Paste List of Files/Folders to be Moved" window (under the light blue bar) and choose Paste.
  • Click the red Moveit! button.
  • A log of files and folders moved will be created in the c:\_OTMoveIt\MovedFiles folder in the form of Date and Time (mmddyyyy_hhmmss.log). Please open this log in Notepad and post its contents in your next reply.
  • Close OTMoveIt2
If a file or folder cannot be moved immediately you may be asked to reboot the machine to finish the move process. If you are asked to reboot the machine choose Yes.


Please go HERE to run Panda's TotalScan
  • Select the bubble for Full scan
  • It will start downloading the files it requires for the scan (Note: It may take a couple of minutes)
  • Then the scan will begin
  • When the scan completes, click the Save button on the right of Scan details
  • Save it to a convenient location. Post the contents of the TotalScan report


Please download Deckard's System Scanner (DSS) and save it to your Desktop.
  • Close all other windows before proceeding.
  • Double-click on dss.exe and follow the prompts.
  • When it has finished, dss will open two Notepads main.txt and extra.txt -- please copy (CTRL+A and then CTRL+C) and paste (CTRL+V) the contents of main.txt and extra.txt in your next reply.

Post the contents of the OTMoveIT, TotalScan and the main.txt and extra.txt in your next reply.

Edited by eddie5659, 17 March 2008 - 05:59 PM.

  • 0

#12
BlackHalo

    Member

  • Topic Starter
  • 266 posts
I'll run those programs ASAP. In the meantime, though, I thought you might like to know that Avast! for some reason has now picked up certain files which it usually didn't find (i.e. C:\8.bat, etc.). I ran a boot-scan with Avast last night and did some scans with AVG Anti-Spyware, Spyware Terminator and Avast. The spyware scans came back LOADED with spyware and trojans (I'm guessing because of the already-existing ones) and I cleared them up. Here's the result of the Avast scan. I'll post the results of the other scans in my next result.

03/17/2008 22:12
Scan of C:\
File C:\22wcb21o.exe is infected by Win32:AuCrypt [Cryp], Deleted
File C:\8.bat is infected by Win32:AuCrypt [Cryp], Deleted
File C:\Documents and Settings\UnitShift\Local Settings\Temporary Internet Files\Content.IE5\4VE52X2D\BIN_STDATA[1].CAB\BIN_STDATA.SPT Error 42127 {CAB archive is corrupted.}
File C:\Documents and Settings\UnitShift\Local Settings\Temporary Internet Files\Content.IE5\4VE52X2D\help[1].exe is infected by Win32:AuCrypt [Cryp], Deleted
File C:\Program Files\Spyware Terminator\update\BIN_STDATA.SPT.cab\BIN_STDATA.SPT Error 42127 {CAB archive is corrupted.}
File C:\QooBox\Quarantine\C\WINDOWS\system32\amvo.exe.vir is infected by Win32:AuCrypt [Cryp], Deleted
File C:\QooBox\Quarantine\C\WINDOWS\system32\amvo1.dll.vir is infected by Win32:AuCrypt [Cryp], Deleted
File C:\System Volume Information\_restore{8CEF57C7-733C-4C48-BEA9-6DA51175C09C}\RP149\A0034139.dll is infected by Win32:AuCrypt [Cryp], Deleted
File C:\System Volume Information\_restore{8CEF57C7-733C-4C48-BEA9-6DA51175C09C}\RP152\A0034407.dll is infected by Win32:AuCrypt [Cryp], Deleted
File C:\System Volume Information\_restore{8CEF57C7-733C-4C48-BEA9-6DA51175C09C}\RP164\A0036967.cmd is infected by Win32:OnLineGames-CWV [Trj], Deleted
File C:\System Volume Information\_restore{8CEF57C7-733C-4C48-BEA9-6DA51175C09C}\RP166\A0037219.bat is infected by Win32:AuCrypt [Cryp], Deleted
File C:\System Volume Information\_restore{8CEF57C7-733C-4C48-BEA9-6DA51175C09C}\RP167\A0037226.bat is infected by Win32:AuCrypt [Cryp], Deleted
File C:\System Volume Information\_restore{8CEF57C7-733C-4C48-BEA9-6DA51175C09C}\RP167\A0037264.exe is infected by Win32:AuCrypt [Cryp], Deleted
File C:\System Volume Information\_restore{8CEF57C7-733C-4C48-BEA9-6DA51175C09C}\RP167\A0037265.dll is infected by Win32:AuCrypt [Cryp], Deleted
File C:\System Volume Information\_restore{8CEF57C7-733C-4C48-BEA9-6DA51175C09C}\RP167\A0037266.dll is infected by Win32:AuCrypt [Cryp], Deleted
File C:\System Volume Information\_restore{8CEF57C7-733C-4C48-BEA9-6DA51175C09C}\RP168\A0037309.cmd is infected by Win32:AuCrypt [Cryp], Deleted
File C:\System Volume Information\_restore{8CEF57C7-733C-4C48-BEA9-6DA51175C09C}\RP168\A0037335.exe is infected by Win32:AuCrypt [Cryp], Deleted
File C:\System Volume Information\_restore{8CEF57C7-733C-4C48-BEA9-6DA51175C09C}\RP168\A0037336.dll is infected by Win32:OnLineGames-CWS [Trj], Deleted
File C:\System Volume Information\_restore{8CEF57C7-733C-4C48-BEA9-6DA51175C09C}\RP171\A0037672.cmd is infected by Win32:AuCrypt [Cryp], Deleted
File C:\System Volume Information\_restore{8CEF57C7-733C-4C48-BEA9-6DA51175C09C}\RP171\A0037696.dll is infected by Win32:OnLineGames-CWS [Trj], Deleted
File C:\System Volume Information\_restore{8CEF57C7-733C-4C48-BEA9-6DA51175C09C}\RP171\A0037698.exe is infected by Win32:AuCrypt [Cryp], Deleted
File C:\System Volume Information\_restore{8CEF57C7-733C-4C48-BEA9-6DA51175C09C}\RP174\A0039100.com is infected by Win32:AuCrypt [Cryp], Deleted
File C:\System Volume Information\_restore{8CEF57C7-733C-4C48-BEA9-6DA51175C09C}\RP176\A0039341.exe is infected by Win32:AuCrypt [Cryp], Deleted
File C:\System Volume Information\_restore{8CEF57C7-733C-4C48-BEA9-6DA51175C09C}\RP176\A0039342.com is infected by Win32:AuCrypt [Cryp], Deleted
File C:\System Volume Information\_restore{8CEF57C7-733C-4C48-BEA9-6DA51175C09C}\RP177\A0039346.exe is infected by Win32:AuCrypt [Cryp], Deleted
File C:\System Volume Information\_restore{8CEF57C7-733C-4C48-BEA9-6DA51175C09C}\RP177\A0039347.dll is infected by Win32:AuCrypt [Cryp], Deleted
File C:\System Volume Information\_restore{8CEF57C7-733C-4C48-BEA9-6DA51175C09C}\RP178\A0039351.exe is infected by Win32:AuCrypt [Cryp], Deleted
File C:\System Volume Information\_restore{8CEF57C7-733C-4C48-BEA9-6DA51175C09C}\RP179\A0039493.exe is infected by Win32:AuCrypt [Cryp], Deleted
File C:\System Volume Information\_restore{8CEF57C7-733C-4C48-BEA9-6DA51175C09C}\RP180\A0039531.exe is infected by Win32:AuCrypt [Cryp], Deleted
File C:\System Volume Information\_restore{8CEF57C7-733C-4C48-BEA9-6DA51175C09C}\RP180\A0039651.dll is infected by Win32:AuCrypt [Cryp], Deleted
File C:\System Volume Information\_restore{8CEF57C7-733C-4C48-BEA9-6DA51175C09C}\RP180\A0039652.exe is infected by Win32:AuCrypt [Cryp], Deleted
File C:\System Volume Information\_restore{8CEF57C7-733C-4C48-BEA9-6DA51175C09C}\RP180\A0039656.exe is infected by Win32:AuCrypt [Cryp], Deleted
File C:\System Volume Information\_restore{8CEF57C7-733C-4C48-BEA9-6DA51175C09C}\RP181\A0039734.exe is infected by Win32:AuCrypt [Cryp], Deleted
File C:\System Volume Information\_restore{8CEF57C7-733C-4C48-BEA9-6DA51175C09C}\RP181\A0039735.dll is infected by Win32:AuCrypt [Cryp], Deleted
File C:\System Volume Information\_restore{8CEF57C7-733C-4C48-BEA9-6DA51175C09C}\RP184\A0039957.exe is infected by Win32:AuCrypt [Cryp], Deleted
File C:\System Volume Information\_restore{8CEF57C7-733C-4C48-BEA9-6DA51175C09C}\RP185\A0039991.com is infected by Win32:AuCrypt [Cryp], Deleted
File C:\System Volume Information\_restore{8CEF57C7-733C-4C48-BEA9-6DA51175C09C}\RP185\A0040004.dll is infected by Win32:AuCrypt [Cryp], Deleted
File C:\System Volume Information\_restore{8CEF57C7-733C-4C48-BEA9-6DA51175C09C}\RP185\A0040008.exe is infected by Win32:AuCrypt [Cryp], Deleted
File C:\System Volume Information\_restore{8CEF57C7-733C-4C48-BEA9-6DA51175C09C}\RP185\A0040009.bat is infected by Win32:AuCrypt [Cryp], Deleted
File C:\ta2.cmd is infected by Win32:AuCrypt [Cryp], Deleted
File C:\v.com is infected by Win32:AuCrypt [Cryp], Deleted
File C:\WINDOWS\system32\amvo.exe is infected by Win32:AuCrypt [Cryp], Deleted
File C:\WINDOWS\system32\amvo0.dll is infected by Win32:AuCrypt [Cryp], Deleted
File C:\WINDOWS\Temp\_avast4_\unp152167612.tmp is infected by Win32:AuCrypt [Cryp], Deleted

Scan of F:\
File F:\System Volume Information\_restore{8CEF57C7-733C-4C48-BEA9-6DA51175C09C}\RP164\A0036968.cmd is infected by Win32:OnLineGames-CWV [Trj], Deleted
File F:\System Volume Information\_restore{8CEF57C7-733C-4C48-BEA9-6DA51175C09C}\RP167\A0037236.bat is infected by Win32:AuCrypt [Cryp], Deleted
File F:\System Volume Information\_restore{8CEF57C7-733C-4C48-BEA9-6DA51175C09C}\RP168\A0037311.cmd is infected by Win32:AuCrypt [Cryp], Deleted
File F:\System Volume Information\_restore{8CEF57C7-733C-4C48-BEA9-6DA51175C09C}\RP168\A0037313.cmd is infected by Win32:AuCrypt [Cryp], Deleted
File F:\System Volume Information\_restore{8CEF57C7-733C-4C48-BEA9-6DA51175C09C}\RP171\A0037673.cmd is infected by Win32:AuCrypt [Cryp], Deleted
File F:\System Volume Information\_restore{8CEF57C7-733C-4C48-BEA9-6DA51175C09C}\RP174\A0039132.com is infected by Win32:AuCrypt [Cryp], Deleted
File F:\System Volume Information\_restore{8CEF57C7-733C-4C48-BEA9-6DA51175C09C}\RP176\A0039344.com is infected by Win32:AuCrypt [Cryp], Deleted
File F:\System Volume Information\_restore{8CEF57C7-733C-4C48-BEA9-6DA51175C09C}\RP178\A0039353.exe is infected by Win32:AuCrypt [Cryp], Deleted
File F:\System Volume Information\_restore{8CEF57C7-733C-4C48-BEA9-6DA51175C09C}\RP178\A0039486.exe is infected by Win32:AuCrypt [Cryp], Deleted
File F:\System Volume Information\_restore{8CEF57C7-733C-4C48-BEA9-6DA51175C09C}\RP179\A0039495.exe is infected by Win32:AuCrypt [Cryp], Deleted
File F:\System Volume Information\_restore{8CEF57C7-733C-4C48-BEA9-6DA51175C09C}\RP179\A0039498.exe is infected by Win32:AuCrypt [Cryp], Deleted
File F:\System Volume Information\_restore{8CEF57C7-733C-4C48-BEA9-6DA51175C09C}\RP179\A0039528.exe is infected by Win32:AuCrypt [Cryp], Deleted
File F:\System Volume Information\_restore{8CEF57C7-733C-4C48-BEA9-6DA51175C09C}\RP180\A0039533.exe is infected by Win32:AuCrypt [Cryp], Deleted
File F:\System Volume Information\_restore{8CEF57C7-733C-4C48-BEA9-6DA51175C09C}\RP180\A0039608.exe is infected by Win32:AuCrypt [Cryp], Deleted
File F:\System Volume Information\_restore{8CEF57C7-733C-4C48-BEA9-6DA51175C09C}\RP180\A0039654.exe is infected by Win32:AuCrypt [Cryp], Deleted
File F:\System Volume Information\_restore{8CEF57C7-733C-4C48-BEA9-6DA51175C09C}\RP184\A0039931.exe is infected by Win32:OnLineGames-CVB [Trj], Deleted
File F:\System Volume Information\_restore{8CEF57C7-733C-4C48-BEA9-6DA51175C09C}\RP184\A0039958.exe is infected by Win32:AuCrypt [Cryp], Deleted
File F:\System Volume Information\_restore{8CEF57C7-733C-4C48-BEA9-6DA51175C09C}\RP184\A0039963.com is infected by Win32:AuCrypt [Cryp], Deleted
File F:\System Volume Information\_restore{8CEF57C7-733C-4C48-BEA9-6DA51175C09C}\RP185\A0039993.com is infected by Win32:AuCrypt [Cryp], Deleted
File F:\Programs\PC Protection\SpywareTerminatorSetup.exe\Inno0001.bin Error 42146 {Installer archive is corrupted.}
File F:\22wcb21o.exe is infected by Win32:AuCrypt [Cryp], Deleted
File F:\8.bat is infected by Win32:AuCrypt [Cryp], Deleted
File F:\ta2.cmd is infected by Win32:AuCrypt [Cryp], Deleted
File F:\v.com is infected by Win32:AuCrypt [Cryp], Deleted

Number of searched folders: 9785
Number of tested files: 483085
Number of infected files: 65

Quick question though: there's still the problem of the infected flash drive. How do I clean that up without having to go through this whole process on the PC again?
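The avast! report above mixes hits from three very different places: files sitting where Windows could actually run them (C:\8.bat, C:\WINDOWS\system32\amvo.exe, F:\8.bat), copies that System Restore had tucked into System Volume Information, and copies already sitting in a quarantine or scanner temp folder. Only the first group says anything about whether the machine is still infected; the restore-point copies inflate the "65 infected files" total without being active. The script below is an added example, not part of this thread and not an avast! tool: it parses report lines in the format posted above, classifies each hit by location, tallies detection names, and flags drives that carry a dropper at their root (the pattern a removable-media worm leaves behind). The classification rules (System Volume Information\_restore = restore point; QooBox\Quarantine = ComboFix quarantine; _avast4_ = avast! unpack temp) are my assumptions, and the sample report is a constructed subset of the posted lines.

```python
"""Triage an avast! scan report (format as posted in the thread): split detections
into live files, System Restore copies and quarantine/tool temp files, and flag
drive-root droppers, the pattern of an autorun-spread USB worm.

Added example, not avast!'s own code. Requires Python 3.8+ (walrus operator).
"""
import re
from collections import Counter

# Constructed sample: a subset of the lines from the report posted above.
# The summary count at the end matches this subset, not the full report.
SAMPLE_REPORT = "\n".join([
    "03/17/2008 22:12",
    "Scan of C:\\",
    r"File C:\8.bat is infected by Win32:AuCrypt [Cryp], Deleted",
    r"File C:\Documents and Settings\UnitShift\Local Settings\Temporary Internet Files\Content.IE5\4VE52X2D\BIN_STDATA[1].CAB\BIN_STDATA.SPT Error 42127 {CAB archive is corrupted.}",
    r"File C:\QooBox\Quarantine\C\WINDOWS\system32\amvo.exe.vir is infected by Win32:AuCrypt [Cryp], Deleted",
    r"File C:\System Volume Information\_restore{8CEF57C7-733C-4C48-BEA9-6DA51175C09C}\RP164\A0036967.cmd is infected by Win32:OnLineGames-CWV [Trj], Deleted",
    r"File C:\WINDOWS\system32\amvo.exe is infected by Win32:AuCrypt [Cryp], Deleted",
    r"File C:\WINDOWS\Temp\_avast4_\unp152167612.tmp is infected by Win32:AuCrypt [Cryp], Deleted",
    "",
    "Scan of F:\\",
    r"File F:\8.bat is infected by Win32:AuCrypt [Cryp], Deleted",
    r"File F:\System Volume Information\_restore{8CEF57C7-733C-4C48-BEA9-6DA51175C09C}\RP167\A0037236.bat is infected by Win32:AuCrypt [Cryp], Deleted",
    "",
    "Number of infected files: 7",
])

DETECTION_RE = re.compile(
    r"^File (?P<path>.+?) is infected by (?P<name>.+?) \[(?P<kind>[^\]]+)\], (?P<action>\w+)$")
ERROR_RE = re.compile(r"^File (?P<path>.+?) Error (?P<code>\d+) \{(?P<msg>.+)\}$")
SUMMARY_RE = re.compile(r"^Number of infected files: (?P<n>\d+)$")
DRIVE_ROOT_RE = re.compile(r"^[A-Za-z]:\\[^\\]+$")   # e.g. C:\8.bat, nothing deeper


def classify(path: str) -> str:
    """Where a hit lives decides what it means for the running system.
    The folder-to-meaning mapping is an assumption made for this example."""
    lowered = path.lower()
    if "\\system volume information\\_restore" in lowered:
        return "restore_point"            # inert copy kept by System Restore
    if "\\qoobox\\quarantine\\" in lowered or "\\_avast4_\\" in lowered:
        return "quarantine_or_tool_temp"  # ComboFix quarantine / avast! unpack temp
    return "live"                         # sits where the OS could execute it


def parse_report(text: str) -> dict:
    """Split the report into detections, scanner errors and the reported total."""
    detections, errors, reported = [], [], None
    for line in text.splitlines():
        line = line.strip()
        if m := DETECTION_RE.match(line):
            hit = m.groupdict()
            hit["class"] = classify(hit["path"])
            detections.append(hit)
        elif m := ERROR_RE.match(line):
            errors.append(m.groupdict())      # corrupt archives etc.: not a detection
        elif m := SUMMARY_RE.match(line):
            reported = int(m.group("n"))
    return {"detections": detections, "errors": errors, "reported_infected": reported}


def triage(text: str) -> dict:
    """Summarise a report: counts per location class and per detection name,
    the live paths to act on first, and drives with a dropper at their root."""
    parsed = parse_report(text)
    dets = parsed["detections"]
    live = [d["path"] for d in dets if d["class"] == "live"]
    root_droppers = sorted({p[0].upper() for p in live if DRIVE_ROOT_RE.match(p)})
    return {
        "by_class": Counter(d["class"] for d in dets),
        "by_name": Counter(d["name"] for d in dets),
        "live": live,
        "errors": [e["path"] for e in parsed["errors"]],
        "drives_with_root_droppers": root_droppers,
        # sanity check: our line parser saw as many hits as the scanner reported
        "count_matches_summary": parsed["reported_infected"] == len(dets),
    }


if __name__ == "__main__":
    result = triage(SAMPLE_REPORT)
    for key in ("by_class", "by_name", "drives_with_root_droppers", "count_matches_summary"):
        print(f"{key}: {result[key]}")
    print("live hits (act on these first):")
    for path in result["live"]:
        print("  ", path)
```

Run it against the full report by pasting the log into a file and passing its contents to `triage()`. A dropper at the root of every scanned drive, with matching copies in each drive's restore points, is the signature worth noticing: it points at a worm that copies itself to any volume it sees, so the flash drive needs the same root-level check (and an autorun.inf check) before it is plugged into a cleaned machine again.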

#13 BlackHalo (Member, Topic Starter, 266 posts)
OK, I forgot to copy the OTMoveIt report, but the first three files and the last one were not found; the other two were moved.

Panda scan:

;*******************************************************************************************************************************************************************************
ANALYSIS: 2008-03-18 14:34:34
PROTECTIONS: 1
MALWARE: 19
SUSPECTS: 0
;*******************************************************************************************************************************************************************************
PROTECTIONS
Description Version Active Updated
;===============================================================================================================================================================================
avast! antivirus 4.7.1098 [VPS 080318-0] 4.7.1098 No Yes
;===============================================================================================================================================================================
MALWARE
Id Description Type Active Severity Disinfectable Disinfected Location
;===============================================================================================================================================================================
00139535 Application/Processor HackTools No 0 No No C:\System Volume Information\_restore{8CEF57C7-733C-4C48-BEA9-6DA51175C09C}\RP141\A0032481.exe[²ƒÇ]
00167642 Cookie/Com.com TrackingCookie No 0 Yes No C:\Documents and Settings\UnitShift\Application Data\Mozilla\Firefox\Profiles\j1qeu3xv.default\cookies.txt[.com.com/]
00167704 Cookie/Xiti TrackingCookie No 0 Yes No C:\Documents and Settings\UnitShift\Application Data\Mozilla\Firefox\Profiles\j1qeu3xv.default\cookies.txt[.xiti.com/]
00167747 Cookie/Azjmp TrackingCookie No 0 Yes No C:\Documents and Settings\UnitShift\Application Data\Mozilla\Firefox\Profiles\j1qeu3xv.default\cookies.txt[.azjmp.com/]
00191644 Cookie/adultfriendfinder TrackingCookie No 0 Yes No C:\Documents and Settings\UnitShift\Application Data\Mozilla\Firefox\Profiles\j1qeu3xv.default\cookies.txt[.adultfriendfinder.com/]
00191644 Cookie/adultfriendfinder TrackingCookie No 0 Yes No C:\Documents and Settings\UnitShift\Application Data\Mozilla\Firefox\Profiles\j1qeu3xv.default\cookies.txt[.adultfriendfinder.com/]
00191644 Cookie/adultfriendfinder TrackingCookie No 0 Yes No C:\Documents and Settings\UnitShift\Application Data\Mozilla\Firefox\Profiles\j1qeu3xv.default\cookies.txt[.adultfriendfinder.com/]
00191644 Cookie/adultfriendfinder TrackingCookie No 0 Yes No C:\Documents and Settings\UnitShift\Application Data\Mozilla\Firefox\Profiles\j1qeu3xv.default\cookies.txt[.adultfriendfinder.com/]
00262020 Cookie/Atwola TrackingCookie No 0 Yes No C:\Documents and Settings\UnitShift\Application Data\Mozilla\Firefox\Profiles\j1qeu3xv.default\cookies.txt[.atwola.com/]
00519333 Application/Processor HackTools No 0 Yes No C:\System Volume Information\_restore{8CEF57C7-733C-4C48-BEA9-6DA51175C09C}\RP141\A0032481.exe
01185375 Application/Psexec.A HackTools No 0 Yes No C:\System Volume Information\_restore{8CEF57C7-733C-4C48-BEA9-6DA51175C09C}\RP162\A0036815.EXE
01185375 Application/Psexec.A HackTools No 0 Yes No C:\System Volume Information\_restore{8CEF57C7-733C-4C48-BEA9-6DA51175C09C}\RP181\A0039733.EXE
01185375 Application/Psexec.A HackTools No 0 Yes No C:\System Volume Information\_restore{8CEF57C7-733C-4C48-BEA9-6DA51175C09C}\RP159\A0035694.EXE
01185375 Application/Psexec.A HackTools No 0 Yes No C:\System Volume Information\_restore{8CEF57C7-733C-4C48-BEA9-6DA51175C09C}\RP161\A0035767.EXE
01185375 Application/Psexec.A HackTools No 0 Yes No C:\System Volume Information\_restore{8CEF57C7-733C-4C48-BEA9-6DA51175C09C}\RP158\A0035592.EXE
01185375 Application/Psexec.A HackTools No 0 Yes No C:\System Volume Information\_restore{8CEF57C7-733C-4C48-BEA9-6DA51175C09C}\RP144\A0032541.EXE
01185375 Application/Psexec.A HackTools No 0 Yes No C:\System Volume Information\_restore{8CEF57C7-733C-4C48-BEA9-6DA51175C09C}\RP161\A0035820.EXE
01185375 Application/Psexec.A HackTools No 0 Yes No C:\System Volume Information\_restore{8CEF57C7-733C-4C48-BEA9-6DA51175C09C}\RP145\A0032547.EXE
01185375 Application/Psexec.A HackTools No 0 Yes No C:\System Volume Information\_restore{8CEF57C7-733C-4C48-BEA9-6DA51175C09C}\RP145\A0032602.EXE
01262593 Application/NirCmd.A HackTools No 0 Yes No C:\System Volume Information\_restore{8CEF57C7-733C-4C48-BEA9-6DA51175C09C}\RP145\A0032589.com
01262593 Application/NirCmd.A HackTools No 0 Yes No C:\System Volume Information\_restore{8CEF57C7-733C-4C48-BEA9-6DA51175C09C}\RP145\A0032629.com
01262593 Application/NirCmd.A HackTools No 0 Yes No C:\System Volume Information\_restore{8CEF57C7-733C-4C48-BEA9-6DA51175C09C}\RP145\A0032697.com
01262593 Application/NirCmd.A HackTools No 0 Yes No C:\System Volume Information\_restore{8CEF57C7-733C-4C48-BEA9-6DA51175C09C}\RP145\A0032712.exe
01262593 Application/NirCmd.A HackTools No 0 Yes No C:\System Volume Information\_restore{8CEF57C7-733C-4C48-BEA9-6DA51175C09C}\RP144\A0032544.exe
01262593 Application/NirCmd.A HackTools No 0 Yes No C:\System Volume Information\_restore{8CEF57C7-733C-4C48-BEA9-6DA51175C09C}\RP149\A0034193.exe
01262593 Application/NirCmd.A HackTools No 0 Yes No C:\System Volume Information\_restore{8CEF57C7-733C-4C48-BEA9-6DA51175C09C}\RP149\A0034214.com
01262593 Application/NirCmd.A HackTools No 0 Yes No C:\System Volume Information\_restore{8CEF57C7-733C-4C48-BEA9-6DA51175C09C}\RP149\A0034254.com
01262593 Application/NirCmd.A HackTools No 0 Yes No C:\System Volume Information\_restore{8CEF57C7-733C-4C48-BEA9-6DA51175C09C}\RP152\A0034418.exe
01262593 Application/NirCmd.A HackTools No 0 Yes No C:\System Volume Information\_restore{8CEF57C7-733C-4C48-BEA9-6DA51175C09C}\RP152\A0034445.com
01262593 Application/NirCmd.A HackTools No 0 Yes No C:\System Volume Information\_restore{8CEF57C7-733C-4C48-BEA9-6DA51175C09C}\RP152\A0034481.com
01262593 Application/NirCmd.A HackTools No 0 Yes No C:\System Volume Information\_restore{8CEF57C7-733C-4C48-BEA9-6DA51175C09C}\RP153\A0034910.com
01262593 Application/NirCmd.A HackTools No 0 Yes No C:\System Volume Information\_restore{8CEF57C7-733C-4C48-BEA9-6DA51175C09C}\RP153\A0034926.exe
01262593 Application/NirCmd.A HackTools No 0 Yes No C:\System Volume Information\_restore{8CEF57C7-733C-4C48-BEA9-6DA51175C09C}\RP153\A0034950.com
01262593 Application/NirCmd.A HackTools No 0 Yes No C:\System Volume Information\_restore{8CEF57C7-733C-4C48-BEA9-6DA51175C09C}\RP158\A0035475.exe
01262593 Application/NirCmd.A HackTools No 0 Yes No C:\System Volume Information\_restore{8CEF57C7-733C-4C48-BEA9-6DA51175C09C}\RP158\A0035495.com
01262593 Application/NirCmd.A HackTools No 0 Yes No C:\System Volume Information\_restore{8CEF57C7-733C-4C48-BEA9-6DA51175C09C}\RP158\A0035528.com
01262593 Application/NirCmd.A HackTools No 0 Yes No C:\System Volume Information\_restore{8CEF57C7-733C-4C48-BEA9-6DA51175C09C}\RP158\A0035578.com
01262593 Application/NirCmd.A HackTools No 0 Yes No C:\System Volume Information\_restore{8CEF57C7-733C-4C48-BEA9-6DA51175C09C}\RP144\A0032525.com
01262593 Application/NirCmd.A HackTools No 0 Yes No C:\System Volume Information\_restore{8CEF57C7-733C-4C48-BEA9-6DA51175C09C}\RP159\A0035678.com
01262593 Application/NirCmd.A HackTools No 0 No No F:\System Volume Information\_restore{8CEF57C7-733C-4C48-BEA9-6DA51175C09C}\RP162\A0036852.EXE[327882R2FWJFW\nircmd.com]
01262593 Application/NirCmd.A HackTools No 0 Yes No C:\System Volume Information\_restore{8CEF57C7-733C-4C48-BEA9-6DA51175C09C}\RP159\A0035697.exe
01262593 Application/NirCmd.A HackTools No 0 Yes No C:\System Volume Information\_restore{8CEF57C7-733C-4C48-BEA9-6DA51175C09C}\RP160\A0035739.com
01262593 Application/NirCmd.A HackTools No 0 No No F:\System Volume Information\_restore{8CEF57C7-733C-4C48-BEA9-6DA51175C09C}\RP162\A0036852.EXE[327882R2FWJFW\nircmd.cfexe]
01262593 Application/NirCmd.A HackTools No 0 Yes No C:\System Volume Information\_restore{8CEF57C7-733C-4C48-BEA9-6DA51175C09C}\RP161\A0035770.exe
01262593 Application/NirCmd.A HackTools No 0 Yes No C:\System Volume Information\_restore{8CEF57C7-733C-4C48-BEA9-6DA51175C09C}\RP161\A0035806.com
01262593 Application/NirCmd.A HackTools No 0 Yes No C:\System Volume Information\_restore{8CEF57C7-733C-4C48-BEA9-6DA51175C09C}\RP145\A0032733.com
01262593 Application/NirCmd.A HackTools No 0 Yes No C:\System Volume Information\_restore{8CEF57C7-733C-4C48-BEA9-6DA51175C09C}\RP161\A0035823.exe
01262593 Application/NirCmd.A HackTools No 0 Yes No C:\System Volume Information\_restore{8CEF57C7-733C-4C48-BEA9-6DA51175C09C}\RP161\A0035842.com
01262593 Application/NirCmd.A HackTools No 0 No No C:\System Volume Information\_restore{8CEF57C7-733C-4C48-BEA9-6DA51175C09C}\RP161\A0035857.exe[327882R2FWJFW\nircmd.com]
01262593 Application/NirCmd.A HackTools No 0 No No C:\System Volume Information\_restore{8CEF57C7-733C-4C48-BEA9-6DA51175C09C}\RP161\A0035857.exe[327882R2FWJFW\nircmd.cfexe]
01262593 Application/NirCmd.A HackTools No 0 Yes No C:\System Volume Information\_restore{8CEF57C7-733C-4C48-BEA9-6DA51175C09C}\RP161\A0035899.com
01606636 Cookie/Adserver TrackingCookie No 0 Yes No C:\Documents and Settings\UnitShift\Application Data\Mozilla\Firefox\Profiles\j1qeu3xv.default\cookies.txt[.adserver.easyad.info/]
02095979 Dialer.ISB Dialers No 1 Yes No C:\WINDOWS\system32\oobe\ISPSoftware\BTYahoo\BroadbandFromBT.exe
02904838 W32/Lineage.HRP.worm Virus/Trojan No 0 Yes No C:\System Volume Information\_restore{8CEF57C7-733C-4C48-BEA9-6DA51175C09C}\RP167\A0037227.inf
02904838 W32/Lineage.HRP.worm Virus/Trojan No 0 Yes No F:\System Volume Information\_restore{8CEF57C7-733C-4C48-BEA9-6DA51175C09C}\RP167\A0037235.INF
02904838 W32/Lineage.HRP.worm Virus/Trojan No 0 Yes No C:\System Volume Information\_restore{8CEF57C7-733C-4C48-BEA9-6DA51175C09C}\RP166\A0037220.inf
02904839 W32/Lineage.HRP.worm Virus/Trojan No 0 Yes No F:\System Volume Information\_restore{8CEF57C7-733C-4C48-BEA9-6DA51175C09C}\RP185\A0040015.BAT
02905161 Trj/Lineage.HSE Virus/Trojan No 0 Yes No F:\System Volume Information\_restore{8CEF57C7-733C-4C48-BEA9-6DA51175C09C}\RP185\A0040016.CMD
02905162 Trj/Lineage.HSE Virus/Trojan No 0 Yes No F:\System Volume Information\_restore{8CEF57C7-733C-4C48-BEA9-6DA51175C09C}\RP168\A0037314.INF
02905162 Trj/Lineage.HSE Virus/Trojan No 0 Yes No F:\System Volume Information\_restore{8CEF57C7-733C-4C48-BEA9-6DA51175C09C}\RP168\A0037312.INF
02905162 Trj/Lineage.HSE Virus/Trojan No 0 Yes No C:\System Volume Information\_restore{8CEF57C7-733C-4C48-BEA9-6DA51175C09C}\RP171\A0037699.inf
02905162 Trj/Lineage.HSE Virus/Trojan No 0 Yes No C:\System Volume Information\_restore{8CEF57C7-733C-4C48-BEA9-6DA51175C09C}\RP168\A0037310.inf
02905162 Trj/Lineage.HSE Virus/Trojan No 0 Yes No F:\System Volume Information\_restore{8CEF57C7-733C-4C48-BEA9-6DA51175C09C}\RP171\A0037700.INF
02905885 W32/Autorun.RO.worm Virus/Trojan No 0 Yes No F:\System Volume Information\_restore{8CEF57C7-733C-4C48-BEA9-6DA51175C09C}\RP185\A0040017.COM
02906574 W32/lineage.HUB.worm Virus/Worm No 0 Yes No F:\System Volume Information\_restore{8CEF57C7-733C-4C48-BEA9-6DA51175C09C}\RP185\A0040014.EXE
02906575 W32/lineage.HUB.worm Virus/Worm No 0 Yes No C:\Documents and Settings\UnitShift\Local Settings\Temp\22umqpcg.dll
02906734 BAT/Autorun.RR Virus/Worm No 0 Yes No C:\QooBox\Quarantine\C\autorun.inf.vir
02906734 BAT/Autorun.RR Virus/Worm No 0 Yes No C:\System Volume Information\_restore{8CEF57C7-733C-4C48-BEA9-6DA51175C09C}\RP180\A0039653.inf
02906734 BAT/Autorun.RR Virus/Worm No 0 Yes No C:\System Volume Information\_restore{8CEF57C7-733C-4C48-BEA9-6DA51175C09C}\RP180\A0039532.inf
02906734 BAT/Autorun.RR Virus/Worm No 0 Yes No F:\System Volume Information\_restore{8CEF57C7-733C-4C48-BEA9-6DA51175C09C}\RP178\A0039354.INF
02906734 BAT/Autorun.RR Virus/Worm No 0 Yes No F:\System Volume Information\_restore{8CEF57C7-733C-4C48-BEA9-6DA51175C09C}\RP178\A0039487.INF
02906734 BAT/Autorun.RR Virus/Worm No 0 Yes No C:\System Volume Information\_restore{8CEF57C7-733C-4C48-BEA9-6DA51175C09C}\RP181\A0039737.inf
02906734 BAT/Autorun.RR Virus/Worm No 0 Yes No F:\System Volume Information\_restore{8CEF57C7-733C-4C48-BEA9-6DA51175C09C}\RP179\A0039499.INF
02906734 BAT/Autorun.RR Virus/Worm No 0 Yes No F:\System Volume Information\_restore{8CEF57C7-733C-4C48-BEA9-6DA51175C09C}\RP179\A0039529.INF
02906734 BAT/Autorun.RR Virus/Worm No 0 Yes No F:\System Volume Information\_restore{8CEF57C7-733C-4C48-BEA9-6DA51175C09C}\RP180\A0039534.INF
02906734 BAT/Autorun.RR Virus/Worm No 0 Yes No F:\System Volume Information\_restore{8CEF57C7-733C-4C48-BEA9-6DA51175C09C}\RP180\A0039609.INF
02906734 BAT/Autorun.RR Virus/Worm No 0 Yes No F:\System Volume Information\_restore{8CEF57C7-733C-4C48-BEA9-6DA51175C09C}\RP180\A0039655.INF
02906734 BAT/Autorun.RR Virus/Worm No 0 Yes No F:\System Volume Information\_restore{8CEF57C7-733C-4C48-BEA9-6DA51175C09C}\RP181\A0039738.INF
02906734 BAT/Autorun.RR Virus/Worm No 0 Yes No F:\System Volume Information\_restore{8CEF57C7-733C-4C48-BEA9-6DA51175C09C}\RP179\A0039496.INF
02906734 BAT/Autorun.RR Virus/Worm No 0 Yes No C:\System Volume Information\_restore{8CEF57C7-733C-4C48-BEA9-6DA51175C09C}\RP179\A0039494.inf
02906734 BAT/Autorun.RR Virus/Worm No 0 Yes No C:\System Volume Information\_restore{8CEF57C7-733C-4C48-BEA9-6DA51175C09C}\RP178\A0039352.inf
02906734 BAT/Autorun.RR Virus/Worm No 0 Yes No C:\QooBox\Quarantine\F\autorun.inf.vir
;===============================================================================================================================================================================
SUSPECTS
Location
;===============================================================================================================================================================================
;===============================================================================================================================================================================

DSS scan:

Deckard's System Scanner v20071014.68
Run by UnitShift on 2008-03-18 14:35:26
Computer is in Normal Mode.
--------------------------------------------------------------------------------



-- HijackThis Clone ------------------------------------------------------------


Emulating logfile of Trend Micro HijackThis v2.0.2
Scan saved at 2008-03-18 14:35:37
Platform: Windows XP Service Pack 2 (5.01.2600)
MSIE: Internet Explorer (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\system32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\Program Files\Toshiba\ConfigFree\CFSvcs.exe
C:\WINDOWS\system32\PSIService.exe
C:\Program Files\Spyware Terminator\sp_rsser.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\Tablet.exe
C:\WINDOWS\system32\ati2evxx.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\agrsmmsg.exe
C:\Program Files\Apoint2K\Apoint.exe
C:\Program Files\Toshiba\E-KEY\CeEKey.exe
C:\Program Files\Toshiba\TouchPad\TPTray.exe
C:\WINDOWS\system32\ZoomingHook.exe
C:\WINDOWS\system32\TCtrlIOHook.exe
C:\Program Files\Toshiba\Tvs\TvsTray.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Program Files\Adobe\Acrobat 7.0\Distillr\acrotray.exe
C:\Program Files\Alwil Software\Avast4\ashDisp.exe
C:\Program Files\Winamp\winampa.exe
C:\Program Files\Google\Gmail Notifier\gnotify.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Apoint2K\ApntEx.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\Program Files\Toshiba\TOSCDSPD\TOSCDSPD.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\WTablet\TabUserW.exe
C:\Program Files\Toshiba\TOSHIBA Controls\TFncKy.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Documents and Settings\UnitShift\My Documents\Mozilla Downloads\dss.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft....k/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft....k/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: AcroIEToolbarHelper Class - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: Easy-WebPrint - {327C2873-E90D-4c37-AA9D-10AC9BABA46C} - C:\Program Files\Canon\Easy-WebPrint\Toolband.dll
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint2K\Apoint.exe
O4 - HKLM\..\Run: [CeEKEY] C:\Program Files\TOSHIBA\E-KEY\CeEKey.exe
O4 - HKLM\..\Run: [TPNF] C:\Program Files\TOSHIBA\TouchPad\TPTray.exe
O4 - HKLM\..\Run: [HWSetup] C:\Program Files\TOSHIBA\TOSHIBA Applet\HWSetup.exe hwSetUP
O4 - HKLM\..\Run: [SVPWUTIL] C:\Program Files\Toshiba\Windows Utilities\SVPWUTIL.exe SVPwUTIL
O4 - HKLM\..\Run: [Zooming] ZoomingHook.exe
O4 - HKLM\..\Run: [TCtryIOHook] TCtrlIOHook.exe
O4 - HKLM\..\Run: [Tvs] C:\Program Files\TOSHIBA\Tvs\TvsTray.exe
O4 - HKLM\..\Run: [ATIPTA] "C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe"
O4 - HKLM\..\Run: [Acrobat Assistant 7.0] "C:\Program Files\Adobe\Acrobat 7.0\Distillr\Acrotray.exe"
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [WinampAgent] "C:\Program Files\Winamp\winampa.exe"
O4 - HKLM\..\Run: [{0228e555-4f9c-4e35-a3ec-b109a192b4c2}] C:\Program Files\Google\Gmail Notifier\gnotify.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [Easy-PrintToolBox] C:\Program Files\Canon\Easy-PrintToolBox\BJPSMAIN.EXE /logon
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKLM\..\Run: [SpywareTerminator] "C:\Program Files\Spyware Terminator\SpywareTerminatorShield.exe"
O4 - HKLM\..\Run: [ZoneAlarm Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKCU\..\Run: [TOSCDSPD] C:\Program Files\TOSHIBA\TOSCDSPD\toscdspd.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - Global Startup: TabUserW.exe.lnk = C:\WINDOWS\system32\WTablet\TabUserW.exe
O8 - Extra context menu item: Convert link target to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert link target to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert selected links to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
O8 - Extra context menu item: Convert selected links to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
O8 - Extra context menu item: Convert selection to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert selection to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Easy-WebPrint Add To Print List - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_AddToList.html
O8 - Extra context menu item: Easy-WebPrint High Speed Print - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_HSPrint.html
O8 - Extra context menu item: Easy-WebPrint Preview - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_Preview.html
O8 - Extra context menu item: Easy-WebPrint Print - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_Print.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_03\bin\NPJPI150_03.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_03\bin\NPJPI150_03.dll
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoft...free/asinst.cab
O17 - HKLM\SYSTEM\CCS\Services\Tcpip\..\{0FDF5EEA-593F-443C-BA07-D0E13DB0B1AF}: NameServer = 208.67.222.222,208.67.220.220
O18 - Protocol: cdo - {CD00020A-8B95-11D1-82DB-00C04FB1625D} - C:\Program Files\Common Files\Microsoft Shared\Web Folders\PKMCDO.DLL
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\Program Files\Windows Live\Messenger\msgrapp.8.5.1302.1018.dll
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\Program Files\Windows Live\Messenger\msgrapp.8.5.1302.1018.dll
O18 - Protocol: mso-offdap - {3D9F03FA-7A94-11D3-BE81-0050048385D1} - C:\Program Files\Common Files\Microsoft Shared\Web Components\10\OWC10.DLL
O18 - Protocol: wlmailhtml - {03C514A3-1EFB-4856-9F99-10D7BE1653C0} - C:\Program Files\Windows Live\Mail\mailcomm.dll
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Ares Chatroom server (AresChatServer) - Ares Development Group - C:\Program Files\Ares\chatServer.exe
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\ati2evxx.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: ##Id_String1.6844F930_1628_4223_B5CC_5BB94B879762## (Bonjour Service) - Unknown owner - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: ConfigFree Service (CFSvcs) - TOSHIBA CORPORATION - C:\Program Files\Toshiba\ConfigFree\CFSvcs.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: Macromedia Licensing Service - Unknown owner - C:\Program Files\Common Files\Macromedia Shared\Service\Macromedia Licensing.exe
O23 - Service: ProtexisLicensing - Unknown owner - C:\WINDOWS\system32\PSIService.exe
O23 - Service: Spyware Terminator Realtime Shield Service (sp_rssrv) - Crawler.com - C:\Program Files\Spyware Terminator\sp_rsser.exe
O23 - Service: TabletService - Wacom Technology, Corp. - C:\WINDOWS\system32\Tablet.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe


--
End of file - 10943 bytes

-- Files created between 2008-02-18 and 2008-03-18 -----------------------------

2008-03-18 13:18:49 0 d-------- C:\WINDOWS\LastGood
2008-03-18 13:16:13 0 d-------- C:\Program Files\Panda Security
2008-03-18 13:11:42 0 d-------- C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-03-16 19:50:33 0 d-------- C:\VundoFix Backups
2008-03-16 16:35:09 68096 --a------ C:\WINDOWS\system32\zip.exe
2008-03-16 16:35:09 98816 --a------ C:\WINDOWS\system32\sed.exe
2008-03-16 16:35:09 80412 --a------ C:\WINDOWS\system32\grep.exe
2008-03-16 16:35:09 73728 --a------ C:\WINDOWS\system32\fdsv.exe <Not Verified; Smallfrogs Studio; >
2008-03-15 19:23:20 626688 --a------ C:\WINDOWS\system32\vp7vfw.dll <Not Verified; On2.com; On2_VP70>
2008-03-15 19:23:20 217127 --a------ C:\WINDOWS\system32\drv43260.dll <Not Verified; RealNetworks, Inc.; RealVideo 9 (32-bit)>
2008-03-15 19:23:20 208935 --a------ C:\WINDOWS\system32\drv33260.dll <Not Verified; RealNetworks, Inc.; RealVideo 8 (32-bit)>
2008-03-15 19:23:20 176165 --a------ C:\WINDOWS\system32\drv23260.dll <Not Verified; RealNetworks, Inc.; RealVideo G2 (32-bit)>
2008-03-15 19:23:20 65602 --a------ C:\WINDOWS\system32\cook3260.dll <Not Verified; RealNetworks, Inc.; RealPlayer 10>
2008-03-13 16:01:34 0 d-------- C:\Program Files\Common Files\SWF Studio
2008-03-07 16:39:23 0 d-------- C:\Program Files\Multiquence
2008-03-04 05:56:09 0 dr-h----- C:\Documents and Settings\UnitShift\Recent
2008-03-03 21:09:11 0 d-------- C:\Documents and Settings\UnitShift\Application Data\CD-LabelPrint
2008-03-03 19:45:11 0 d-------- C:\Documents and Settings\UnitShift\Application Data\GetRightToGo
2008-03-02 16:11:18 138752 --a------ C:\WINDOWS\system32\drivers\sp_rsdrv2.sys
2008-03-02 16:11:16 0 d-------- C:\Documents and Settings\UnitShift\Application Data\Spyware Terminator
2008-03-02 16:11:16 0 d-------- C:\Documents and Settings\All Users\Application Data\Spyware Terminator
2008-03-02 16:11:12 0 d-------- C:\Program Files\Spyware Terminator
2008-02-25 11:29:43 0 d-------- C:\Program Files\QuickTime
2008-02-22 08:16:56 0 d-------- C:\Documents and Settings\UnitShift\Application Data\Help


-- Find3M Report ---------------------------------------------------------------

2008-03-18 13:16:15 2515 --a------ C:\WINDOWS\mozver.dat
2008-03-18 00:03:44 12397 --a------ C:\WINDOWS\system32\tablet.dat
2008-03-17 17:20:40 0 d-------- C:\Program Files\Winamp
2008-03-16 22:31:24 321 --a------ C:\Documents and Settings\UnitShift\Application Data\Multique.ini
2008-03-16 16:55:52 0 d-------- C:\Documents and Settings\UnitShift\Application Data\Winamp
2008-03-15 21:02:59 0 d-------- C:\Documents and Settings\UnitShift\Application Data\Vso
2008-03-15 21:02:58 668 --a------ C:\Documents and Settings\UnitShift\Application Data\vso_ts_preview.xml
2008-03-15 19:23:22 0 d-------- C:\Program Files\VSO
2008-03-13 16:01:34 0 d-------- C:\Program Files\Common Files
2008-03-13 06:02:58 0 d-------- C:\Documents and Settings\UnitShift\Application Data\Eltima Software
2008-03-11 23:40:05 0 d-------- C:\Documents and Settings\UnitShift\Application Data\CopyToDvd
2008-03-10 05:48:41 4212 ---h----- C:\WINDOWS\system32\zllictbl.dat
2008-03-07 16:39:25 1403 --a------ C:\Documents and Settings\UnitShift\Application Data\MQPreset.ini
2008-03-07 16:31:14 0 d-------- C:\Documents and Settings\UnitShift\Application Data\Adobe
2008-03-06 20:42:04 0 d-------- C:\Program Files\Common Files\Adobe
2008-03-02 16:12:12 0 d-------- C:\Documents and Settings\UnitShift\Application Data\SUPERAntiSpyware.com
2008-03-02 16:12:08 0 d-------- C:\Program Files\Common Files\Wise Installation Wizard
2008-03-02 13:36:10 0 d-------- C:\Program Files\SUPERAntiSpyware
2008-02-16 21:26:55 0 d-------- C:\Program Files\Apoint2K
2008-02-16 18:35:56 0 d-------- C:\Documents and Settings\UnitShift\Application Data\Grisoft
2008-02-14 18:48:05 0 d-------- C:\Documents and Settings\UnitShift\Application Data\Orbit
2008-02-13 19:47:05 37888 --a------ C:\WINDOWS\system32\rar.exe <Not Verified; Microsoft Corporation; Microsoft® Windows ® 2000 Operating System>
2008-02-13 19:45:19 741376 --a------ C:\WINDOWS\system32\WinUpdating.exe
2008-02-11 10:30:26 952 --ahs---- C:\WINDOWS\system32\KGyGaAvL.sys
2008-02-11 10:30:26 88 -r-hs---- C:\WINDOWS\system32\716D453F9D.sys
2008-02-10 20:27:32 0 d-------- C:\Documents and Settings\UnitShift\Application Data\funkitron
2008-02-08 11:09:19 0 d-------- C:\Documents and Settings\UnitShift\Application Data\U3
2008-02-08 10:00:44 695568 --a------ C:\Documents and Settings\UnitShift\Application Data\GDIPFONTCACHEV1.DAT
2008-01-31 00:34:23 0 d-------- C:\Program Files\Apophysis 2.0
2008-01-21 16:39:16 0 d-------- C:\Documents and Settings\UnitShift\Application Data\AdobeUM
2008-01-20 21:17:08 0 d-------- C:\Program Files\DivX
2008-01-20 16:27:09 0 d-------- C:\Documents and Settings\UnitShift\Application Data\dvdcss
2008-01-20 16:20:38 0 d-------- C:\Program Files\Common Files\Download Manager


-- Registry Dump ---------------------------------------------------------------

*Note* empty entries & legit default entries are not shown


[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"AGRSMMSG"="AGRSMMSG.exe" [22/12/2004 02:10 C:\WINDOWS\agrsmmsg.exe]
"Apoint"="C:\Program Files\Apoint2K\Apoint.exe" [23/03/2004 23:40]
"CeEKEY"="C:\Program Files\TOSHIBA\E-KEY\CeEKey.exe" [06/09/2005 15:04]
"TPNF"="C:\Program Files\TOSHIBA\TouchPad\TPTray.exe" [25/08/2005 20:11]
"HWSetup"="C:\Program Files\TOSHIBA\TOSHIBA Applet\HWSetup.exe" [01/05/2004 14:45]
"SVPWUTIL"="C:\Program Files\Toshiba\Windows Utilities\SVPWUTIL.exe" [01/05/2004 14:45]
"Zooming"="ZoomingHook.exe" [06/06/2005 10:58 C:\WINDOWS\system32\ZoomingHook.exe]
"TCtryIOHook"="TCtrlIOHook.exe" [22/08/2005 17:49 C:\WINDOWS\system32\TCtrlIOHook.exe]
"Tvs"="C:\Program Files\TOSHIBA\Tvs\TvsTray.exe" [05/04/2005 17:25]
"ATIPTA"="C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [05/08/2005 21:05]
"Acrobat Assistant 7.0"="C:\Program Files\Adobe\Acrobat 7.0\Distillr\Acrotray.exe" [14/12/2004 02:12]
"avast!"="C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe" [04/12/2007 15:00]
"WinampAgent"="C:\Program Files\Winamp\winampa.exe" [16/01/2008 00:54]
"{0228e555-4f9c-4e35-a3ec-b109a192b4c2}"="C:\Program Files\Google\Gmail Notifier\gnotify.exe" [15/07/2005 23:48]
"NeroFilterCheck"="C:\WINDOWS\system32\NeroCheck.exe" [09/07/2001 10:50]
"TkBellExe"="C:\Program Files\Common Files\Real\Update_OB\realsched.exe" [02/01/2008 12:45]
"Easy-PrintToolBox"="C:\Program Files\Canon\Easy-PrintToolBox\BJPSMAIN.exe" [14/01/2004 03:10]
"!AVG Anti-Spyware"="C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" [11/06/2007 11:25]
"SpywareTerminator"="C:\Program Files\Spyware Terminator\SpywareTerminatorShield.exe" [02/03/2008 16:11]
"ZoneAlarm Client"="C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe" [14/11/2007 16:05]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"TOSCDSPD"="C:\Program Files\TOSHIBA\TOSCDSPD\toscdspd.exe" [11/04/2005 12:26]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [04/08/2004 14:00]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
TabUserW.exe.lnk - C:\WINDOWS\system32\WTablet\TabUserW.exe [18/11/2007 23:40:46]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]
"DisableRegistryTools"=0 (0x0)

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= C:\Program Files\SUPERAntiSpyware\SASSEH.DLL [20/12/2006 12:55 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
C:\Program Files\SUPERAntiSpyware\SASWINLO.dll 27/02/2007 11:39 282624 C:\Program Files\SUPERAntiSpyware\SASWINLO.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\aawservice]
@="Service"


[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{51ec1ce3-e918-11dc-afa4-00166f3d6faf}]
AutoRun\command- E:\22wcb21o.exe
explore\Command- E:\22wcb21o.exe
open\Command- E:\22wcb21o.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{66dc50e3-b070-11dc-bf24-00166f3d6faf}]
AutoRun\command- G:\8.bat
explore\Command- G:\8.bat
open\Command- G:\8.bat




-- End of Deckard's System Scanner: finished at 2008-03-18 14:36:25 ------------
  • 0

#14
eddie5659

    Trusted Helper

  • Malware Removal
  • 1,980 posts
  • MVP
  • 1 - Flash Drive Disinfector
    Download Flash_Disinfector.exe by sUBs from >here< and save it to your desktop.
  • Double-click Flash_Disinfector.exe to run it and follow any prompts that may appear.
  • The utility may ask you to insert your flash drive and/or other removable drives including your mobile phone. Please do so and allow the utility to clean up those drives as well.
  • Wait until it has finished scanning and then exit the program.
  • Reboot your computer when done.
Note: Flash_Disinfector will create a hidden folder named autorun.inf in each partition and every USB drive plugged in when you ran it. Don't delete this folder...it will help protect your drives from future infection.


Please download ATF Cleaner by Atribune.
This program is for XP and Windows 2000 only.
Double-click ATF-Cleaner.exe to run the program.
Under Main choose: Select All
Click the Empty Selected button.
If you use Firefox browser:
Click Firefox at the top and choose: Select All
Click the Empty Selected button.
NOTE: If you would like to keep your saved passwords, please click No at the prompt.
If you use Opera browser:
Click Opera at the top and choose: Select All
Click the Empty Selected button.
NOTE: If you would like to keep your saved passwords, please click No at the prompt.
Click Exit on the Main menu to close the program.
For Technical Support, double-click the e-mail address located at the bottom of each menu.


Then, when all complete, re-scan with Deckard's System Scanner and post the results of the scan here.
  • 0
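What the Flash Disinfector step above is reacting to is visible in the MountPoints2 section of the Deckard's System Scanner dump posted earlier: each removable volume has its AutoRun, open and explore shell verbs pointed at one file on the drive (E:\22wcb21o.exe, G:\8.bat, xp19.com), so double-clicking the drive in Explorer runs that file. The script below is an added example for this thread, not code from DSS, HijackThis or Flash_Disinfector. It parses a constructed fragment of a DSS registry dump (built from the entries posted in this thread) and flags mount points whose shell verbs all run the same executable or run a bare file name relative to the drive root, and it includes a check for the autorun.inf folder guard the helper describes. Everything else in it (function names, the extension list, the heuristics) is the example's own choice.

```python
"""Triage of the MountPoints2 autorun handlers in a Deckard's System Scanner
(DSS) registry dump, plus a check for the autorun.inf folder guard.

Added example for this thread; not DSS, HijackThis or Flash_Disinfector code.
The sample dump is constructed from entries posted in this thread.
"""
import os
import re
from dataclasses import dataclass, field

# Constructed sample input: a fragment of the "Registry Dump" section as DSS
# prints it. The MountPoints2 entries mirror the ones posted in this thread;
# the SafeBoot key is there so the parser has something to ignore.
SAMPLE_DUMP = r"""
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\aawservice]
@="Service"


[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{51ec1ce3-e918-11dc-afa4-00166f3d6faf}]
AutoRun\command- E:\22wcb21o.exe
explore\Command- E:\22wcb21o.exe
open\Command- E:\22wcb21o.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\F]
AutoRun\command- xp19.com
explore\Command- xp19.com
open\Command- xp19.com
"""

KEY_RE = re.compile(r"^\[(?P<key>[^\]]+)\]\s*$")
# DSS prints each shell verb as "<verb>\command- <command line>"
VERB_RE = re.compile(r"^(?P<verb>AutoRun|explore|open)\\command-\s*(?P<cmd>.+?)\s*$",
                     re.IGNORECASE)
SHELL_VERBS = ("autorun", "open", "explore")
MOUNTPOINTS2_MARKER = "\\explorer\\mountpoints2\\"
# Extensions Explorer will execute directly when the verb fires (example's own list)
EXEC_EXTS = {".exe", ".com", ".bat", ".cmd", ".pif", ".scr", ".vbs"}


@dataclass
class MountPoint:
    key: str                                      # full registry key as printed
    commands: dict = field(default_factory=dict)  # verb (lowercase) -> command line

    @property
    def volume(self) -> str:
        # last path component: a drive letter or the volume GUID
        return self.key.rsplit("\\", 1)[-1]

    def findings(self) -> list:
        """Reasons this mount point deserves a look; empty list if none."""
        reasons = []
        targets = {c.lower() for c in self.commands.values()}
        if all(v in self.commands for v in SHELL_VERBS) and len(targets) == 1:
            reasons.append("autorun/open/explore all run the same file")
        for cmd in sorted(targets):
            ext = os.path.splitext(cmd)[1]
            if ext in EXEC_EXTS:
                reasons.append(f"executable target {cmd}")
            if not re.match(r"^[a-z]:\\", cmd):
                reasons.append(f"relative target {cmd} (resolved against the drive root)")
        return reasons


def parse_mountpoints(dump: str) -> list:
    """Collect MountPoints2 keys and their shell-verb commands from a DSS dump."""
    result, current = [], None
    for line in dump.splitlines():
        m = KEY_RE.match(line)
        if m:
            key = m.group("key")
            current = MountPoint(key) if MOUNTPOINTS2_MARKER in key.lower() else None
            if current:
                result.append(current)
            continue
        if current is None:
            continue
        m = VERB_RE.match(line)
        if m:
            current.commands[m.group("verb").lower()] = m.group("cmd")
    return result


def triage(dump: str) -> dict:
    """Map volume -> list of reasons, only for mount points with findings."""
    return {mp.volume: mp.findings() for mp in parse_mountpoints(dump) if mp.findings()}


def has_autorun_inf_guard(drive_root: str) -> bool:
    """True when autorun.inf exists as a directory on the drive root: the guard
    the helper describes, which keeps a worm from dropping its own autorun.inf
    file there. Simplification: the hidden attribute is not checked."""
    return os.path.isdir(os.path.join(drive_root, "autorun.inf"))


if __name__ == "__main__":
    for volume, reasons in triage(SAMPLE_DUMP).items():
        print(volume)
        for r in reasons:
            print("   -", r)
```

Both sample mount points are flagged: the GUID volume because all three verbs run the same .exe, and F: additionally because xp19.com is a bare file name that Explorer resolves against the drive root. A mount point whose verbs point at different, absolute, non-executable targets produces no finding, so the script is a triage aid, not a verdict; the log line itself is what the helper acts on.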

#15
BlackHalo

    Member

  • Topic Starter
  • Member
  • 266 posts
Deckard's System Scanner v20071014.68
Run by UnitShift on 2008-03-25 08:15:41
Computer is in Normal Mode.
--------------------------------------------------------------------------------



-- HijackThis Clone ------------------------------------------------------------


Emulating logfile of Trend Micro HijackThis v2.0.2
Scan saved at 2008-03-25 08:16:11
Platform: Windows XP Service Pack 2 (5.01.2600)
MSIE: Internet Explorer (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\system32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\WINDOWS\system32\ati2evxx.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\Program Files\Toshiba\ConfigFree\CFSvcs.exe
C:\WINDOWS\system32\PSIService.exe
C:\Program Files\Spyware Terminator\sp_rsser.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\Tablet.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\WINDOWS\agrsmmsg.exe
C:\Program Files\Apoint2K\Apoint.exe
C:\Program Files\Toshiba\E-KEY\CeEKey.exe
C:\Program Files\Toshiba\TouchPad\TPTray.exe
C:\WINDOWS\system32\ZoomingHook.exe
C:\WINDOWS\system32\TCtrlIOHook.exe
C:\Program Files\Toshiba\Tvs\TvsTray.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Program Files\Adobe\Acrobat 7.0\Distillr\acrotray.exe
C:\Program Files\Alwil Software\Avast4\ashDisp.exe
C:\Program Files\Winamp\winampa.exe
C:\Program Files\Google\Gmail Notifier\gnotify.exe
C:\Program Files\Apoint2K\ApntEx.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
C:\Program Files\Spyware Terminator\SpywareTerminatorShield.Exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\Program Files\Toshiba\TOSCDSPD\TOSCDSPD.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\WTablet\TabUserW.exe
C:\WINDOWS\system32\wuauclt.exe
F:\Programs\PC Protection\dss.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft....k/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft....k/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: AcroIEToolbarHelper Class - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: Easy-WebPrint - {327C2873-E90D-4c37-AA9D-10AC9BABA46C} - C:\Program Files\Canon\Easy-WebPrint\Toolband.dll
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint2K\Apoint.exe
O4 - HKLM\..\Run: [CeEKEY] C:\Program Files\TOSHIBA\E-KEY\CeEKey.exe
O4 - HKLM\..\Run: [TPNF] C:\Program Files\TOSHIBA\TouchPad\TPTray.exe
O4 - HKLM\..\Run: [HWSetup] C:\Program Files\TOSHIBA\TOSHIBA Applet\HWSetup.exe hwSetUP
O4 - HKLM\..\Run: [SVPWUTIL] C:\Program Files\Toshiba\Windows Utilities\SVPWUTIL.exe SVPwUTIL
O4 - HKLM\..\Run: [Zooming] ZoomingHook.exe
O4 - HKLM\..\Run: [TCtryIOHook] TCtrlIOHook.exe
O4 - HKLM\..\Run: [Tvs] C:\Program Files\TOSHIBA\Tvs\TvsTray.exe
O4 - HKLM\..\Run: [ATIPTA] "C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe"
O4 - HKLM\..\Run: [Acrobat Assistant 7.0] "C:\Program Files\Adobe\Acrobat 7.0\Distillr\Acrotray.exe"
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [WinampAgent] "C:\Program Files\Winamp\winampa.exe"
O4 - HKLM\..\Run: [{0228e555-4f9c-4e35-a3ec-b109a192b4c2}] C:\Program Files\Google\Gmail Notifier\gnotify.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [Easy-PrintToolBox] C:\Program Files\Canon\Easy-PrintToolBox\BJPSMAIN.EXE /logon
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKLM\..\Run: [SpywareTerminator] "C:\Program Files\Spyware Terminator\SpywareTerminatorShield.exe"
O4 - HKLM\..\Run: [ZoneAlarm Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKCU\..\Run: [TOSCDSPD] C:\Program Files\TOSHIBA\TOSCDSPD\toscdspd.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - Global Startup: TabUserW.exe.lnk = C:\WINDOWS\system32\WTablet\TabUserW.exe
O8 - Extra context menu item: Convert link target to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert link target to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert selected links to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
O8 - Extra context menu item: Convert selected links to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
O8 - Extra context menu item: Convert selection to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert selection to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Easy-WebPrint Add To Print List - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_AddToList.html
O8 - Extra context menu item: Easy-WebPrint High Speed Print - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_HSPrint.html
O8 - Extra context menu item: Easy-WebPrint Preview - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_Preview.html
O8 - Extra context menu item: Easy-WebPrint Print - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_Print.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_03\bin\NPJPI150_03.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_03\bin\NPJPI150_03.dll
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoft...free/asinst.cab
O17 - HKLM\SYSTEM\CCS\Services\Tcpip\..\{0FDF5EEA-593F-443C-BA07-D0E13DB0B1AF}: NameServer = 208.67.222.222,208.67.220.220
O18 - Protocol: cdo - {CD00020A-8B95-11D1-82DB-00C04FB1625D} - C:\Program Files\Common Files\Microsoft Shared\Web Folders\PKMCDO.DLL
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\Program Files\Windows Live\Messenger\msgrapp.8.5.1302.1018.dll
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\Program Files\Windows Live\Messenger\msgrapp.8.5.1302.1018.dll
O18 - Protocol: mso-offdap - {3D9F03FA-7A94-11D3-BE81-0050048385D1} - C:\Program Files\Common Files\Microsoft Shared\Web Components\10\OWC10.DLL
O18 - Protocol: wlmailhtml - {03C514A3-1EFB-4856-9F99-10D7BE1653C0} - C:\Program Files\Windows Live\Mail\mailcomm.dll
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Ares Chatroom server (AresChatServer) - Ares Development Group - C:\Program Files\Ares\chatServer.exe
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\ati2evxx.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: ##Id_String1.6844F930_1628_4223_B5CC_5BB94B879762## (Bonjour Service) - Unknown owner - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: ConfigFree Service (CFSvcs) - TOSHIBA CORPORATION - C:\Program Files\Toshiba\ConfigFree\CFSvcs.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: Macromedia Licensing Service - Unknown owner - C:\Program Files\Common Files\Macromedia Shared\Service\Macromedia Licensing.exe
O23 - Service: ProtexisLicensing - Unknown owner - C:\WINDOWS\system32\PSIService.exe
O23 - Service: Spyware Terminator Realtime Shield Service (sp_rssrv) - Crawler.com - C:\Program Files\Spyware Terminator\sp_rsser.exe
O23 - Service: TabletService - Wacom Technology, Corp. - C:\WINDOWS\system32\Tablet.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe


--
End of file - 11076 bytes

-- Files created between 2008-02-25 and 2008-03-25 -----------------------------

2008-03-18 16:10:33 691545 --a------ C:\WINDOWS\unins000.exe
2008-03-18 16:10:33 2548 --a------ C:\WINDOWS\unins000.dat
2008-03-18 13:16:13 0 d-------- C:\Program Files\Panda Security
2008-03-18 13:11:42 0 d-------- C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-03-16 16:35:09 68096 --a------ C:\WINDOWS\system32\zip.exe
2008-03-16 16:35:09 98816 --a------ C:\WINDOWS\system32\sed.exe
2008-03-16 16:35:09 80412 --a------ C:\WINDOWS\system32\grep.exe
2008-03-16 16:35:09 73728 --a------ C:\WINDOWS\system32\fdsv.exe <Not Verified; Smallfrogs Studio; >
2008-03-15 19:23:20 626688 --a------ C:\WINDOWS\system32\vp7vfw.dll <Not Verified; On2.com; On2_VP70>
2008-03-15 19:23:20 217127 --a------ C:\WINDOWS\system32\drv43260.dll <Not Verified; RealNetworks, Inc.; RealVideo 9 (32-bit)>
2008-03-15 19:23:20 208935 --a------ C:\WINDOWS\system32\drv33260.dll <Not Verified; RealNetworks, Inc.; RealVideo 8 (32-bit)>
2008-03-15 19:23:20 176165 --a------ C:\WINDOWS\system32\drv23260.dll <Not Verified; RealNetworks, Inc.; RealVideo G2 (32-bit)>
2008-03-15 19:23:20 65602 --a------ C:\WINDOWS\system32\cook3260.dll <Not Verified; RealNetworks, Inc.; RealPlayer 10>
2008-03-13 16:01:34 0 d-------- C:\Program Files\Common Files\SWF Studio
2008-03-07 16:39:23 0 d-------- C:\Program Files\Multiquence
2008-03-04 05:56:09 0 dr-h----- C:\Documents and Settings\UnitShift\Recent
2008-03-03 21:09:11 0 d-------- C:\Documents and Settings\UnitShift\Application Data\CD-LabelPrint
2008-03-03 19:45:11 0 d-------- C:\Documents and Settings\UnitShift\Application Data\GetRightToGo
2008-03-02 16:11:18 138752 --a------ C:\WINDOWS\system32\drivers\sp_rsdrv2.sys
2008-03-02 16:11:16 0 d-------- C:\Documents and Settings\UnitShift\Application Data\Spyware Terminator
2008-03-02 16:11:16 0 d-------- C:\Documents and Settings\All Users\Application Data\Spyware Terminator
2008-03-02 16:11:12 0 d-------- C:\Program Files\Spyware Terminator
2008-02-25 11:29:43 0 d-------- C:\Program Files\QuickTime


-- Find3M Report ---------------------------------------------------------------

2008-03-25 08:11:10 12397 --a------ C:\WINDOWS\system32\tablet.dat
2008-03-18 13:16:15 2515 --a------ C:\WINDOWS\mozver.dat
2008-03-17 17:20:40 0 d-------- C:\Program Files\Winamp
2008-03-16 22:31:24 321 --a------ C:\Documents and Settings\UnitShift\Application Data\Multique.ini
2008-03-16 16:55:52 0 d-------- C:\Documents and Settings\UnitShift\Application Data\Winamp
2008-03-15 21:02:59 0 d-------- C:\Documents and Settings\UnitShift\Application Data\Vso
2008-03-15 21:02:58 668 --a------ C:\Documents and Settings\UnitShift\Application Data\vso_ts_preview.xml
2008-03-15 19:23:22 0 d-------- C:\Program Files\VSO
2008-03-13 16:01:34 0 d-------- C:\Program Files\Common Files
2008-03-13 06:02:58 0 d-------- C:\Documents and Settings\UnitShift\Application Data\Eltima Software
2008-03-11 23:40:05 0 d-------- C:\Documents and Settings\UnitShift\Application Data\CopyToDvd
2008-03-10 05:48:41 4212 ---h----- C:\WINDOWS\system32\zllictbl.dat
2008-03-07 16:39:25 1403 --a------ C:\Documents and Settings\UnitShift\Application Data\MQPreset.ini
2008-03-07 16:31:14 0 d-------- C:\Documents and Settings\UnitShift\Application Data\Adobe
2008-03-06 20:42:04 0 d-------- C:\Program Files\Common Files\Adobe
2008-03-02 16:12:12 0 d-------- C:\Documents and Settings\UnitShift\Application Data\SUPERAntiSpyware.com
2008-03-02 16:12:08 0 d-------- C:\Program Files\Common Files\Wise Installation Wizard
2008-03-02 13:36:10 0 d-------- C:\Program Files\SUPERAntiSpyware
2008-02-22 08:16:56 0 d-------- C:\Documents and Settings\UnitShift\Application Data\Help
2008-02-16 21:26:55 0 d-------- C:\Program Files\Apoint2K
2008-02-16 18:35:56 0 d-------- C:\Documents and Settings\UnitShift\Application Data\Grisoft
2008-02-14 18:48:05 0 d-------- C:\Documents and Settings\UnitShift\Application Data\Orbit
2008-02-13 19:47:05 37888 --a------ C:\WINDOWS\system32\rar.exe <Not Verified; Microsoft Corporation; Microsoft® Windows ® 2000 Operating System>
2008-02-13 19:45:19 741376 --a------ C:\WINDOWS\system32\WinUpdating.exe
2008-02-11 10:30:26 952 --ahs---- C:\WINDOWS\system32\KGyGaAvL.sys
2008-02-11 10:30:26 88 -r-hs---- C:\WINDOWS\system32\716D453F9D.sys
2008-02-10 20:27:32 0 d-------- C:\Documents and Settings\UnitShift\Application Data\funkitron
2008-02-08 11:09:19 0 d-------- C:\Documents and Settings\UnitShift\Application Data\U3
2008-02-08 10:00:44 695568 --a------ C:\Documents and Settings\UnitShift\Application Data\GDIPFONTCACHEV1.DAT
2008-01-31 00:34:23 0 d-------- C:\Program Files\Apophysis 2.0


-- Registry Dump ---------------------------------------------------------------

*Note* empty entries & legit default entries are not shown


[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"AGRSMMSG"="AGRSMMSG.exe" [22/12/2004 02:10 C:\WINDOWS\agrsmmsg.exe]
"Apoint"="C:\Program Files\Apoint2K\Apoint.exe" [23/03/2004 23:40]
"CeEKEY"="C:\Program Files\TOSHIBA\E-KEY\CeEKey.exe" [06/09/2005 15:04]
"TPNF"="C:\Program Files\TOSHIBA\TouchPad\TPTray.exe" [25/08/2005 20:11]
"HWSetup"="C:\Program Files\TOSHIBA\TOSHIBA Applet\HWSetup.exe" [01/05/2004 14:45]
"SVPWUTIL"="C:\Program Files\Toshiba\Windows Utilities\SVPWUTIL.exe" [01/05/2004 14:45]
"Zooming"="ZoomingHook.exe" [06/06/2005 10:58 C:\WINDOWS\system32\ZoomingHook.exe]
"TCtryIOHook"="TCtrlIOHook.exe" [22/08/2005 17:49 C:\WINDOWS\system32\TCtrlIOHook.exe]
"Tvs"="C:\Program Files\TOSHIBA\Tvs\TvsTray.exe" [05/04/2005 17:25]
"ATIPTA"="C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [05/08/2005 21:05]
"Acrobat Assistant 7.0"="C:\Program Files\Adobe\Acrobat 7.0\Distillr\Acrotray.exe" [14/12/2004 02:12]
"avast!"="C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe" [04/12/2007 15:00]
"WinampAgent"="C:\Program Files\Winamp\winampa.exe" [16/01/2008 00:54]
"{0228e555-4f9c-4e35-a3ec-b109a192b4c2}"="C:\Program Files\Google\Gmail Notifier\gnotify.exe" [15/07/2005 23:48]
"NeroFilterCheck"="C:\WINDOWS\system32\NeroCheck.exe" [09/07/2001 10:50]
"TkBellExe"="C:\Program Files\Common Files\Real\Update_OB\realsched.exe" [02/01/2008 12:45]
"Easy-PrintToolBox"="C:\Program Files\Canon\Easy-PrintToolBox\BJPSMAIN.exe" [14/01/2004 03:10]
"!AVG Anti-Spyware"="C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" [11/06/2007 11:25]
"SpywareTerminator"="C:\Program Files\Spyware Terminator\SpywareTerminatorShield.exe" [02/03/2008 16:11]
"ZoneAlarm Client"="C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe" [14/11/2007 16:05]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"TOSCDSPD"="C:\Program Files\TOSHIBA\TOSCDSPD\toscdspd.exe" [11/04/2005 12:26]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [04/08/2004 14:00]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
TabUserW.exe.lnk - C:\WINDOWS\system32\WTablet\TabUserW.exe [18/11/2007 23:40:46]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]
"DisableRegistryTools"=0 (0x0)

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= C:\Program Files\SUPERAntiSpyware\SASSEH.DLL [20/12/2006 12:55 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
C:\Program Files\SUPERAntiSpyware\SASWINLO.dll 27/02/2007 11:39 282624 C:\Program Files\SUPERAntiSpyware\SASWINLO.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\aawservice]
@="Service"


[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\F]
AutoRun\command- xp19.com
explore\Command- xp19.com
open\Command- xp19.com




-- End of Deckard's System Scanner: finished at 2008-03-25 08:17:09 ------------
  • 0