Trojandownloader.xs [RESOLVED]


  • This topic is locked

#1
henschke
    Member, 10 posts
Thanks in advance for any and all help.

I believe I have a Trojandownloader.xs

I am experiencing the following symptoms:
* pop-ups directing me to download spyware software
* locked out of Task Manager ("Task Manager Has Been Disabled By Your Administrator")

I have followed the instructions in the "Read this before posting" thread, and I am still experiencing symptoms.

Below are my SUPERAntiSpyware and HijackThis logs (Panda ActiveScan will not load on my system):

SUPERAntiSpyware Scan Log
Generated 03/20/2008 at 05:12 PM

Application Version : 3.6.1000

Core Rules Database Version : 3422
Trace Rules Database Version: 1414

Scan type : Complete Scan
Total Scan Time : 00:15:44

Memory items scanned : 167
Memory threats detected : 0
Registry items scanned : 6971
Registry threats detected : 9
File items scanned : 26340
File threats detected : 58

Unclassified.Unknown Origin
HKLM\Software\Classes\CLSID\{0656A137-B161-CADD-9777-E37A75727E78}
HKU\S-1-5-21-936568965-2266688463-1782279273-500\Software\Classes\CLSID\{0656A137-B161-CADD-9777-E37A75727E78}
HKCR\CLSID\{0656A137-B161-CADD-9777-E37A75727E78}

Adware.Tracking Cookie
C:\Documents and Settings\Administrator\Cookies\administrator@atdmt[1].txt
C:\Documents and Settings\Administrator\Cookies\fairoot@atdmt[2].txt
C:\Documents and Settings\Administrator\Cookies\fairoot@tribalfusion[1].txt
C:\Documents and Settings\Administrator\Cookies\fairoot@apmebf[1].txt
C:\Documents and Settings\Administrator\Cookies\administrator@2o7[1].txt
C:\Documents and Settings\Administrator\Cookies\fairoot@doubleclick[1].txt
C:\Documents and Settings\Administrator\Cookies\[email protected][1].txt
C:\Documents and Settings\Administrator\Cookies\fairoot@fastclick[2].txt
C:\Documents and Settings\Administrator\Cookies\[email protected][2].txt
C:\Documents and Settings\Administrator\Cookies\fairoot@specificclick[1].txt
C:\Documents and Settings\Administrator\Cookies\fairoot@advertising[2].txt
C:\Documents and Settings\eric.henschke\Cookies\[email protected][1].txt
C:\Documents and Settings\eric.henschke\Cookies\eric.henschke@adlegend[1].txt
C:\Documents and Settings\eric.henschke\Cookies\eric.henschke@adlegend[2].txt
C:\Documents and Settings\eric.henschke\Cookies\eric.henschke@adlegend[4].txt
C:\Documents and Settings\eric.henschke\Cookies\[email protected][1].txt
C:\Documents and Settings\eric.henschke\Cookies\[email protected][2].txt
C:\Documents and Settings\eric.henschke\Cookies\[email protected][2].txt
C:\Documents and Settings\eric.henschke\Cookies\[email protected][1].txt
C:\Documents and Settings\eric.henschke\Cookies\[email protected][2].txt
C:\Documents and Settings\eric.henschke\Cookies\[email protected][3].txt
C:\Documents and Settings\eric.henschke\Cookies\[email protected][1].txt
C:\Documents and Settings\eric.henschke\Cookies\[email protected][2].txt
C:\Documents and Settings\eric.henschke\Cookies\eric.henschke@apmebf[1].txt
C:\Documents and Settings\eric.henschke\Cookies\eric.henschke@apmebf[2].txt
C:\Documents and Settings\eric.henschke\Cookies\eric.henschke@apmebf[3].txt
C:\Documents and Settings\eric.henschke\Cookies\eric.henschke@bizrate[2].txt
C:\Documents and Settings\eric.henschke\Cookies\eric.henschke@crackserialkeygen[2].txt
C:\Documents and Settings\eric.henschke\Cookies\[email protected][1].txt
C:\Documents and Settings\eric.henschke\Cookies\[email protected][2].txt
C:\Documents and Settings\eric.henschke\Cookies\eric.henschke@findanisp[2].txt
C:\Documents and Settings\eric.henschke\Cookies\eric.henschke@findarticles[1].txt
C:\Documents and Settings\eric.henschke\Cookies\[email protected][2].txt
C:\Documents and Settings\eric.henschke\Cookies\eric.henschke@imrworldwide[2].txt
C:\Documents and Settings\eric.henschke\Cookies\eric.henschke@indextools[1].txt
C:\Documents and Settings\eric.henschke\Cookies\eric.henschke@mediacomcc[1].txt
C:\Documents and Settings\eric.henschke\Cookies\eric.henschke@pcstats[1].txt
C:\Documents and Settings\eric.henschke\Cookies\eric.henschke@roiservice[1].txt
C:\Documents and Settings\eric.henschke\Cookies\[email protected][4].txt
C:\Documents and Settings\eric.henschke\Cookies\[email protected][3].txt
C:\Documents and Settings\eric.henschke\Cookies\[email protected][5].txt
C:\Documents and Settings\eric.henschke\Cookies\[email protected][7].txt
C:\Documents and Settings\eric.henschke\Cookies\eric.henschke@specificclick[2].txt
C:\Documents and Settings\eric.henschke\Cookies\eric.henschke@specificclick[3].txt
C:\Documents and Settings\eric.henschke\Cookies\eric.henschke@superstats[1].txt
C:\Documents and Settings\eric.henschke\Cookies\[email protected][1].txt
C:\Documents and Settings\eric.henschke\Cookies\[email protected][1].txt
C:\Documents and Settings\eric.henschke\Cookies\[email protected][1].txt
C:\Documents and Settings\eric.henschke\Cookies\[email protected][1].txt
C:\Documents and Settings\eric.henschke\Cookies\[email protected][1].txt
C:\Documents and Settings\eric.henschke\Cookies\[email protected][2].txt
C:\Documents and Settings\eric.henschke\Cookies\[email protected][3].txt
C:\Documents and Settings\eric.henschke\Cookies\[email protected][4].txt
C:\Documents and Settings\eric.henschke\Cookies\[email protected][5].txt
C:\Documents and Settings\eric.henschke\Cookies\[email protected][6].txt
C:\Documents and Settings\eric.henschke\Cookies\[email protected][7].txt
C:\Documents and Settings\eric.henschke\Cookies\[email protected][8].txt

Adware.Casino Games (Golden Palace Casino)
HKU\S-1-5-21-936568965-2266688463-1782279273-500\Software\Golden Palace Casino PT

Trojan.DNSChanger-Codec
HKCR\etlrlws.ToolBar.1
HKCR\etlrlws.ToolBar.1\CLSID

Trojan.Net-MSV/VPS
HKCR\MSVPS.MSVPSApp
HKCR\MSVPS.MSVPSApp\CLSID
HKCR\MSVPS.MSVPSApp\CurVer

InternetDelivery
C:\PROGRAM FILES (X86)\INET DELIVERY\INTDEL.EXE



C:\Program Files (x86)\Trend Micro\HijackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://companyweb
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft....k/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft....k/?LinkId=69157
F2 - REG:system.ini: UserInit=userinit
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O4 - HKLM\..\Run: [OfficeScanNT Monitor] "C:\Program Files (x86)\Trend Micro\Client Server Security Agent\pccntmon.exe" -HideWindow
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files (x86)\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [PinnacleDriverCheck] C:\WINDOWS\SysWow64\PSDrvCheck.exe -CheckReg
O4 - HKLM\..\Run: [ggfixigd] C:\WINDOWS\SysWow64\ggfixigd.exe
O4 - HKLM\..\Run: [jtyzerqn] C:\WINDOWS\SysWow64\jtyzerqn.exe
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files (x86)\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKLM\..\Policies\Explorer\Run: [DRA9ZDKmx1] C:\WINDOWS\ujuhmjit.exe
O4 - HKUS\S-1-5-19\..\RunOnce: [tscuninstall] %systemroot%\system32\tscupgrd.exe (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\RunOnce: [tscuninstall] %systemroot%\system32\tscupgrd.exe (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\RunOnce: [tscuninstall] %systemroot%\system32\tscupgrd.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\RunOnce: [tscuninstall] %systemroot%\system32\tscupgrd.exe (User 'Default user')
O4 - Global Startup: Logitech SetPoint.lnk = ?
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~2\MICROS~2\Office12\EXCEL.EXE/3000
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~2\MICROS~2\Office12\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O15 - ESC Trusted Zone: http://runonce.msn.com
O16 - DPF: {106E49CF-797A-11D2-81A2-00E02C015623} (AlternaTIFF ActiveX) - http://www.alternati.../00/alttiff.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.micros...b?1201836176806
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoft...free/asinst.cab
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = fargoautomation.local
O17 - HKLM\System\CCS\Services\Tcpip\..\{2D9CC770-9F05-4CD2-AEA0-60EDA28FB161}: NameServer = 192.168.1.5,64.21.232.2
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = fargoautomation.local
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = fargoautomation.local
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files (x86)\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files (x86)\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Autodesk Licensing Service - Autodesk - C:\Program Files (x86)\Common Files\Autodesk Shared\Service\AdskScSrv.exe
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files (x86)\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - Unknown owner - C:\WINDOWS\System32\dmadmin.exe (file missing)
O23 - Service: Event Log (Eventlog) - Unknown owner - C:\WINDOWS\system32\services.exe (file missing)
O23 - Service: Fax - Unknown owner - C:\WINDOWS\system32\fxssvc.exe (file missing)
O23 - Service: HTTP SSL (HTTPFilter) - Unknown owner - C:\WINDOWS\System32\lsass.exe (file missing)
O23 - Service: IMAPI CD-Burning COM Service (ImapiService) - Unknown owner - C:\WINDOWS\system32\imapi.exe (file missing)
O23 - Service: Logitech Bluetooth Service (LBTServ) - Logitech, Inc. - C:\Program Files\Common Files\Logitech\Bluetooth\LBTServ.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files (x86)\Common Files\LightScribe\LSSrvc.exe
O23 - Service: Distributed Transaction Coordinator (MSDTC) - Unknown owner - C:\WINDOWS\system32\msdtc.exe (file missing)
O23 - Service: Net Logon (Netlogon) - Unknown owner - C:\WINDOWS\system32\lsass.exe (file missing)
O23 - Service: NMIndexingService - Nero AG - C:\Program Files (x86)\Common Files\Ahead\Lib\NMIndexingService.exe
O23 - Service: NT LM Security Support Provider (NtLmSsp) - Unknown owner - C:\WINDOWS\system32\lsass.exe (file missing)
O23 - Service: Trend Micro Client/Server Security Agent RealTime Scan (ntrtscan) - Trend Micro Inc. - C:\Program Files (x86)\Trend Micro\Client Server Security Agent\ntrtscan.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - Unknown owner - C:\WINDOWS\system32\nvsvc64.exe (file missing)
O23 - Service: Trend Micro Client/Server Security Agent Personal Firewall (OfcPfwSvc) - Trend Micro Inc. - C:\Program Files (x86)\Trend Micro\Client Server Security Agent\OfcPfwSvc.exe
O23 - Service: Plug and Play (PlugPlay) - Unknown owner - C:\WINDOWS\system32\services.exe (file missing)
O23 - Service: IPSEC Services (PolicyAgent) - Unknown owner - C:\WINDOWS\system32\lsass.exe (file missing)
O23 - Service: Protected Storage (ProtectedStorage) - Unknown owner - C:\WINDOWS\system32\lsass.exe (file missing)
O23 - Service: Remote Desktop Help Session Manager (RDSessMgr) - Unknown owner - C:\WINDOWS\system32\sessmgr.exe (file missing)
O23 - Service: Security Accounts Manager (SamSs) - Unknown owner - C:\WINDOWS\system32\lsass.exe (file missing)
O23 - Service: SolidWorks Licensing Service - SolidWorks - C:\Program Files (x86)\Common Files\SolidWorks Shared\Service\SolidWorksLicensing.exe
O23 - Service: Trend Micro Client/Server Security Agent Listener (tmlisten) - Trend Micro Inc. - C:\Program Files (x86)\Trend Micro\Client Server Security Agent\tmlisten.exe
O23 - Service: Virtual Disk Service (vds) - Unknown owner - C:\WINDOWS\System32\vds.exe (file missing)
O23 - Service: Volume Shadow Copy (VSS) - Unknown owner - C:\WINDOWS\System32\vssvc.exe (file missing)
O23 - Service: WMI Performance Adapter (WmiApSrv) - Unknown owner - C:\WINDOWS\system32\wbem\wmiapsrv.exe (file missing)

--
End of file - 7654 bytes


Here is my Uninstall Manager List:

2007 Microsoft Office system
Adobe Bridge 1.0
Adobe Common File Installer
Adobe Help Center 1.0
Adobe Illustrator CS2
Adobe Photoshop CS2
Adobe Reader 8.1.2
Adobe Stock Photos 1.0
Adobe SVG Viewer 3.0
AutoCAD 2007 - English
Autodesk DWF Viewer
AVG Anti-Spyware 7.5
eDrawings 2008
HijackThis 2.0.2
Innotiv Spekan Batch Tool 3.2
Logitech SetPoint
Microsoft .NET Framework 1.1
Microsoft .NET Framework 1.1
Microsoft .NET Framework 1.1 Hotfix (KB928366)
Microsoft Office Access MUI (English) 2007
Microsoft Office Access Setup Metadata MUI (English) 2007
Microsoft Office Excel MUI (English) 2007
Microsoft Office Outlook 2003
Microsoft Office Outlook MUI (English) 2007
Microsoft Office PowerPoint MUI (English) 2007
Microsoft Office Professional Hybrid 2007
Microsoft Office Proof (English) 2007
Microsoft Office Proof (French) 2007
Microsoft Office Proof (Spanish) 2007
Microsoft Office Proofing (English) 2007
Microsoft Office Publisher MUI (English) 2007
Microsoft Office Shared MUI (English) 2007
Microsoft Office Shared Setup Metadata MUI (English) 2007
Microsoft Office Word MUI (English) 2007
Microsoft Visual C++ 2005 Redistributable
Motion Analyzer
Mozilla Firefox (2.0.0.11)
MSXML 4.0 SP2 (KB936181)
Nero 7 Essentials
Panda ActiveScan
Pro/ENGINEER Release Wildfire Datecode M210
Realtek High Definition Audio Driver
Security Update for Windows XP (KB923789)
Studio 11
SUPERAntiSpyware Free Edition
Trend Micro Client/Server Security Agent
Yahoo! Desktop Login

Thanks Again for any help.

Edited by henschke, 20 March 2008 - 04:40 PM.

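The O4 lines in the HijackThis log above are where the triage actually happens, so here is an added example (mine, not from the thread and not HijackThis code) that scores them the way a responder reads them by eye: a value under the Policies\Explorer\Run key, an executable dropped straight into the Windows directory that is not a known OS binary, and a random-looking all-lowercase file name. The sample lines are copied from the posted log; the allowlist, the weights and the threshold are illustrative assumptions. One caveat for the rest of that log: HijackThis 2.0.2 is a 32-bit program, and on XP x64 the WOW64 file system redirector sends its System32 lookups to SysWOW64, so "(file missing)" against 64-bit-only binaries such as lsass.exe, services.exe and the drivers is a tool limitation, not evidence that those files are gone.

```python
"""Score HijackThis O4 autostart lines the way a responder reads them by eye.

Added example for this thread, not HijackThis code. The sample lines are copied
from the posted log; the allowlist, weights and threshold are my assumptions.
"""
import re
from dataclasses import dataclass

SAMPLE_O4_LINES = r"""
O4 - HKLM\..\Run: [OfficeScanNT Monitor] "C:\Program Files (x86)\Trend Micro\Client Server Security Agent\pccntmon.exe" -HideWindow
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files (x86)\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [PinnacleDriverCheck] C:\WINDOWS\SysWow64\PSDrvCheck.exe -CheckReg
O4 - HKLM\..\Run: [ggfixigd] C:\WINDOWS\SysWow64\ggfixigd.exe
O4 - HKLM\..\Run: [jtyzerqn] C:\WINDOWS\SysWow64\jtyzerqn.exe
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files (x86)\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKLM\..\Policies\Explorer\Run: [DRA9ZDKmx1] C:\WINDOWS\ujuhmjit.exe
O4 - HKUS\S-1-5-18\..\RunOnce: [tscuninstall] %systemroot%\system32\tscupgrd.exe (User 'SYSTEM')
O4 - Global Startup: Logitech SetPoint.lnk = ?
"""

# OS binaries that legitimately autostart from the Windows directory on this box (illustrative list).
KNOWN_OS_BINARIES = {"ctfmon.exe", "tscupgrd.exe", "userinit.exe"}
WINDOWS_DIRS = {r"c:\windows", r"c:\windows\system32", r"c:\windows\syswow64"}
O4_RE = re.compile(r"^O4 - (?P<key>[^:]+): \[(?P<name>[^\]]*)\] (?P<cmd>.*)$")


@dataclass
class Finding:
    key: str
    name: str
    exe: str
    score: int
    reasons: list


def extract_exe(cmd: str) -> str:
    """Executable path from a Run value: the quoted path, else everything up to '.exe'."""
    if cmd.startswith('"'):
        return cmd[1:cmd.index('"', 1)]
    m = re.match(r"(.*?\.exe)", cmd, re.IGNORECASE)
    return m.group(1) if m else cmd.split()[0]


def in_windows_dir(exe: str) -> bool:
    """True when the file sits directly in %SystemRoot%, System32 or SysWOW64."""
    path = exe.lower().replace("%systemroot%", r"c:\windows")
    return path.rsplit("\\", 1)[0] in WINDOWS_DIRS


def looks_random(stem: str) -> bool:
    """Crude generated-name test: all-lowercase letters with a long consonant run or few vowels.
    Vendor names with capitals, digits or underscores are deliberately left alone."""
    if not (stem.isalpha() and stem.islower() and len(stem) >= 6):
        return False
    vowels = sum(c in "aeiou" for c in stem)
    longest_run = max((len(r) for r in re.findall(r"[^aeiou]+", stem)), default=0)
    return longest_run >= 3 or vowels / len(stem) <= 0.3


def score_entry(key: str, exe: str):
    """Weights are assumptions: the policy key is the strongest single signal."""
    reasons, score = [], 0
    basename = exe.rsplit("\\", 1)[-1]
    if "\\policies\\" in key.lower():
        score += 2
        reasons.append("Policies\\Explorer\\Run key, rarely used by legitimate software")
    if in_windows_dir(exe) and basename.lower() not in KNOWN_OS_BINARIES:
        score += 1
        reasons.append("unknown executable dropped into the Windows directory")
    if looks_random(basename.rsplit(".", 1)[0]):
        score += 1
        reasons.append("random-looking file name")
    return score, reasons


def triage(log_text: str, threshold: int = 2) -> list:
    """Return the O4 entries scoring at or above threshold, in log order."""
    findings = []
    for line in log_text.splitlines():
        m = O4_RE.match(line.strip())
        if not m:
            continue  # Global Startup shortcuts and non-O4 lines carry no [name] and are skipped
        exe = extract_exe(m["cmd"])
        score, reasons = score_entry(m["key"], exe)
        if score >= threshold:
            findings.append(Finding(m["key"], m["name"], exe, score, reasons))
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_O4_LINES):
        print(f"score {f.score}  {f.exe}  [{f.name}]  {'; '.join(f.reasons)}")
```

Run as a script it prints the flagged lines; with the sample above exactly three entries clear the threshold, ggfixigd.exe, jtyzerqn.exe and ujuhmjit.exe, the same three files sage5 asks to have scanned in the next reply. The name heuristic is a tie-breaker, not a verdict: Trend Micro's pccntmon.exe trips it too, but it lives in Program Files and scores only 1.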


#2
sage5
    RIP 10/2009
    Retired Staff, 2,646 posts
Hi henschke,

Welcome to Geeks to Go!
My name is sage5, and I will be helping you with this problem.

Please download the following & save to your Desktop:
SDFix
SmitfraudFix (by S!Ri)
Deckard's System Scanner


Online Scanner:
You have a few suspicious files on your computer, which I am not familiar with. They need to be analysed by an online scanner like Virustotal.
To use Virustotal go to Here
  • Click on the Browse button at the top of the screen.
  • Go to C:\WINDOWS\SysWow64 and highlight ggfixigd.exe and click Open.
  • Click the Send button and wait for the reply.
  • Copy the text from the reply message, paste it to a new text file and save it to your Desktop as virustotal_log.txt
  • Please use the same technique to scan:
    C:\WINDOWS\SysWow64\jtyzerqn.exe
    C:\WINDOWS\ujuhmjit.exe
  • Paste the text from each of the replies into virustotal_log.txt on your Desktop
  • I will ask you to include the contents with your next post.


Start the Smitfraud scan:
  • Double-click SmitfraudFix.exe
  • Select option #1 - Search by typing 1 and press "Enter". A text file will appear, which lists infected files (if present). It is saved as C:\rapport.txt
  • Please copy/paste the content of that file into your next reply.

**If the tool fails to launch from the Desktop, please move SmitfraudFix.exe directly to the root of the system drive (usually C:), and launch from there.

Note : process.exe is detected by some antivirus programs (AntiVir, Dr.Web, Kaspersky) as a "RiskTool"; it is not a virus, but a program used to stop system processes. Antivirus programs cannot distinguish between "good" and "malicious" use of such programs, therefore they may alert the user.
http://www.beyondlog...processutil.htm


Run SDFix:
Double click SDFix.exe and it will extract the files to %systemdrive%, (typically C:\SDFix)
  • Restart your Computer in Safe Mode
  • As soon as it starts to boot up, tap your F8 key repeatedly.
  • This should bring up the Windows Advanced Options Menu.
  • Use your arrow keys to select Safe Mode and click the Enter key.
  • Open the extracted SDFix folder and double click RunThis.bat to start the script.
  • Type Y to begin the cleanup process.
  • It will remove any Trojan Services and Registry Entries that it finds then prompt you to press any key to Reboot.
  • Press any Key and it will restart the PC.
  • When the PC restarts the Fixtool will run again and complete the removal process then display Finished, press any key to end the script and load your desktop icons.
  • Once the desktop icons load the SDFix report will open on screen and also save as C:\SDFix\Report.txt
    (Report.txt will also be copied to Clipboard ready for posting back on the forum).


Run Deckard's System Scanner:
  • Close all other windows before proceeding.
  • Double click on the dss.exe file on your Desktop and follow the prompts.
  • Scans will run, and 2 text files will open in Notepad.
  • Close both of the text files.
These files are C:\Deckard\System Scanner\main.txt & extra.txt. I will need you to copy (CTRL+A and then CTRL+C) and paste (CTRL+V) the contents of main.txt, extra.txt, C:\rapport.txt & C:\SDFix\Report.txt in your next reply.



The text from these files may exceed the maximum post length for this forum, and may need to be sent over 2 or more posts. Please ensure all text is posted.

Cheers,

sage5
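Added example, not from the thread and not VirusTotal tooling: a parser for the "Compact Print" report that the VirusTotal step above asks for, run against the ujuhmjit.exe result henschke pastes in the next reply. It counts the hits and checks them against the "Result: N/M" header (a truncated paste shows up as a mismatch), separates generic packer and heuristic names (Crypt.XPACK, Obfuscated, SHeur, "Suspicious file") from family names, and compares the report's hashes with a locally computed hash so you know the verdict belongs to the file you meant to submit. The GENERIC_MARKERS list is my assumption, not anything VirusTotal publishes, and the header lines that carry no data are trimmed from the sample.

```python
"""Parse a VirusTotal 'Compact Print' report as pasted in this thread.
Added example, not VirusTotal code. The sample is the ujuhmjit.exe report from post #3
with its data-free header lines trimmed; GENERIC_MARKERS is my list, not VirusTotal's."""
import hashlib
import re
from dataclasses import dataclass

SAMPLE_REPORT = """\
File ujuhmjit.exe received on 03.21.2008 04:22:54 (CET)
Result: 8/32 (25.00%)
AhnLab-V3 - - -
AntiVir - - TR/Crypt.XPACK.Gen
Authentium - - -
Avast - - -
AVG - - SHeur.AZZX
BitDefender - - -
CAT-QuickHeal - - Win32.Trojan.Obfuscated.gx.3
ClamAV - - -
DrWeb - - -
eSafe - - suspicious Trojan/Worm
eTrust-Vet - - -
Ewido - - -
FileAdvisor - - -
Fortinet - - -
F-Prot - - -
F-Secure - - -
Ikarus - - Trojan.Crypt.XPACK
Kaspersky - - -
McAfee - - -
Microsoft - - -
NOD32v2 - - -
Norman - - -
Panda - - Suspicious file
Prevx1 - - Malware.Sys.Covert
Rising - - -
Sophos - - -
Sunbelt - - -
Symantec - - -
TheHacker - - -
VBA32 - - -
VirusBuster - - -
Webwasher-Gateway - - Trojan.Crypt.XPACK.Gen
MD5: 3adf3d806ea43b5767e9950b4ce8e9bd
SHA1: 88918203ea8f3d2cc8f7a86dea3249fd8bd2e412
SHA256: 32f5a381a21155728c1f12d85fc67c98a84bbb0c3f0f840c9dbd7d04ffd3c847
"""

ENGINE_RE = re.compile(r"^(?P<engine>\S+) - - (?P<result>.+)$")  # '-' as result means no detection
RESULT_RE = re.compile(r"^Result: (\d+)/(\d+)")
HASH_RE = re.compile(r"^(MD5|SHA1|SHA256): ([0-9a-fA-F]+)$")
# Substrings that mark a packer/heuristic verdict rather than a malware family (assumption).
GENERIC_MARKERS = ("crypt", "xpack", "obfuscat", "covert", "suspicious", "heur", "packed", "generic")


def is_generic(name: str) -> bool:
    return any(marker in name.lower() for marker in GENERIC_MARKERS)


@dataclass
class VtReport:
    filename: str
    claimed: tuple      # (hits, engines) exactly as printed in the Result: line
    detections: dict    # engine -> detection name, positives only
    engines: int        # engine lines actually present in the paste
    hashes: dict        # "md5" / "sha1" / "sha256" -> hex digest from the report

    def consistent(self) -> bool:  # counted lines agree with the header; catches a truncated paste
        return self.claimed == (len(self.detections), self.engines)

    def generic_only(self) -> bool:  # every hit is a packer/heuristic name, none names a family
        return bool(self.detections) and all(is_generic(n) for n in self.detections.values())

    def matches(self, local: dict) -> bool:  # report describes the same bytes you hashed locally
        return bool(self.hashes) and all(local.get(a) == d for a, d in self.hashes.items())


def parse_report(text: str) -> VtReport:
    filename, claimed, engines = "", (0, 0), 0
    detections, hashes = {}, {}
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("File ") and " received on " in line:
            filename = line[5:].split(" received on ")[0]
        elif m := RESULT_RE.match(line):
            claimed = (int(m.group(1)), int(m.group(2)))
        elif m := HASH_RE.match(line):
            hashes[m.group(1).lower()] = m.group(2).lower()
        elif m := ENGINE_RE.match(line):
            engines += 1
            if m["result"] != "-":
                detections[m["engine"]] = m["result"]
    return VtReport(filename, claimed, detections, engines, hashes)


def hash_bytes(data: bytes) -> dict:
    """Same three digests the report prints, so matches() can compare them directly."""
    return {alg: hashlib.new(alg, data).hexdigest() for alg in ("md5", "sha1", "sha256")}


def hash_file(path: str) -> dict:
    with open(path, "rb") as fh:
        return hash_bytes(fh.read())
```

All eight hits on ujuhmjit.exe are generic or heuristic names, which says the file is packed or obfuscated, not what it does. For an eight-letter executable sitting in C:\WINDOWS and launched from Policies\Explorer\Run that is enough to treat it as malicious, but it is not a family identification, and the 3/32 on the other two files (the same TR/Crypt.XPACK.Gen and a Prevx "Covert" verdict) should be read the same way: a low-confidence packer signature, not a clean bill of health. Hash the local copy with hash_file() before trusting any report, since a file that rewrites itself on each run will not match what you uploaded.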

#3
henschke
    Topic Starter, Member, 10 posts
sage5, thanks for your quick response. Your help is truly appreciated.

I have followed your last instructions, but SDFix would not run. The command prompt window would only flash on the screen quickly. I have XP 64-bit; is it possible SDFix does not run in a 64-bit environment?

All of the other logs you requested are below:

File ggfixigd.exe received on 03.21.2008 04:53:04 (CET)
Current status: finished

Result: 3/32 (9.38%)
Compact Print results
Antivirus Version Last Update Result
AhnLab-V3 - - -
AntiVir - - TR/Crypt.XPACK.Gen
Authentium - - -
Avast - - -
AVG - - -
BitDefender - - -
CAT-QuickHeal - - -
ClamAV - - -
DrWeb - - -
eSafe - - -
eTrust-Vet - - -
Ewido - - -
FileAdvisor - - -
Fortinet - - -
F-Prot - - -
F-Secure - - -
Ikarus - - -
Kaspersky - - -
McAfee - - -
Microsoft - - -
NOD32v2 - - -
Norman - - -
Panda - - -
Prevx1 - - Covert.Sys.Exec
Rising - - -
Sophos - - -
Sunbelt - - -
Symantec - - -
TheHacker - - -
VBA32 - - -
VirusBuster - - -
Webwasher-Gateway - - Trojan.Crypt.XPACK.Gen
Additional information
MD5: 17c37b76226f50b9e0494b01bb49656e
SHA1: adc43c93e91f97a9189d9307bc27c64a658f0168
SHA256: dccb4b4fc148c363d7e5bf2ad03ee05372a27df4c37e14495537bf58d835994c
SHA512: e54f14f747cb36670fa9446a4c38128f038889f0e828bed14e110630d0196fda 177080aeea0003f6804f38020bbe26f23d4f189574317f55025f008cb820b68b

File jtyzerqn.exe received on 03.21.2008 05:02:24 (CET)
Current status: finished

Result: 3/32 (9.38%)
Compact Print results
Antivirus Version Last Update Result
AhnLab-V3 - - -
AntiVir - - TR/Crypt.XPACK.Gen
Authentium - - -
Avast - - -
AVG - - -
BitDefender - - -
CAT-QuickHeal - - -
ClamAV - - -
DrWeb - - -
eSafe - - -
eTrust-Vet - - -
Ewido - - -
FileAdvisor - - -
Fortinet - - -
F-Prot - - -
F-Secure - - -
Ikarus - - -
Kaspersky - - -
McAfee - - -
Microsoft - - -
NOD32v2 - - -
Norman - - -
Panda - - -
Prevx1 - - Covert.Sys.Exec
Rising - - -
Sophos - - -
Sunbelt - - -
Symantec - - -
TheHacker - - -
VBA32 - - -
VirusBuster - - -
Webwasher-Gateway - - Trojan.Crypt.XPACK.Gen
Additional information
MD5: b3292ea4c4fc468d61da76a4facd0e8f
SHA1: 50c6e79dc427b13ec89dda37d2df311af972246b
SHA256: 9d84a717050b86addbafd5079cb573bc1e0fd16a3f8d3015ab8c1b26b682c434
SHA512: 432a5c341fc301f49980feea938cfa3556cb2d37a4d6d4a7748c5dec1c8b952a 1216e17c28ec74e32850d6bac62e7091dd65060485b834900f3d0370320fffc1


File ujuhmjit.exe received on 03.21.2008 04:22:54 (CET)
Current status: finished

Result: 8/32 (25.00%)
Compact Print results
Antivirus Version Last Update Result
AhnLab-V3 - - -
AntiVir - - TR/Crypt.XPACK.Gen
Authentium - - -
Avast - - -
AVG - - SHeur.AZZX
BitDefender - - -
CAT-QuickHeal - - Win32.Trojan.Obfuscated.gx.3
ClamAV - - -
DrWeb - - -
eSafe - - suspicious Trojan/Worm
eTrust-Vet - - -
Ewido - - -
FileAdvisor - - -
Fortinet - - -
F-Prot - - -
F-Secure - - -
Ikarus - - Trojan.Crypt.XPACK
Kaspersky - - -
McAfee - - -
Microsoft - - -
NOD32v2 - - -
Norman - - -
Panda - - Suspicious file
Prevx1 - - Malware.Sys.Covert
Rising - - -
Sophos - - -
Sunbelt - - -
Symantec - - -
TheHacker - - -
VBA32 - - -
VirusBuster - - -
Webwasher-Gateway - - Trojan.Crypt.XPACK.Gen
Additional information
MD5: 3adf3d806ea43b5767e9950b4ce8e9bd
SHA1: 88918203ea8f3d2cc8f7a86dea3249fd8bd2e412
SHA256: 32f5a381a21155728c1f12d85fc67c98a84bbb0c3f0f840c9dbd7d04ffd3c847
SHA512: 074d5b8da0d1a4748a33371719c64fe0467dc177ca607ac612c871b52bf73ec2 f6b649137f9896eb993a594e145b2f43bc7b182d79cf21c6b18576fc7fc9d0a7

SmitFraudFix v2.305

Scan done at 8:19:59.37, Fri 03/21/2008
Run from C:\Documents and Settings\Administrator\Desktop\SmitfraudFix
OS: Microsoft Windows [Version 5.2.3790] - Windows_NT
The filesystem type is NTFS
Fix run in normal mode

»»»»»»»»»»»»»»»»»»»»»»»» Process

C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files (x86)\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files (x86)\Common Files\LightScribe\LSSrvc.exe
C:\Program Files (x86)\Trend Micro\Client Server Security Agent\ntrtscan.exe
C:\WINDOWS\system32\nvsvc64.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files (x86)\Trend Micro\Client Server Security Agent\tmlisten.exe
C:\Program Files (x86)\Trend Micro\Client Server Security Agent\OfcPfwSvc.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\ujuhmjit.exe
C:\WINDOWS\RTHDCPL.EXE
C:\Program Files\Windows Defender\MSASCui.exe
C:\WINDOWS\system32\RunDLL32.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\TEMP\BN34D2.EXE
C:\WINDOWS\SysWOW64\ctfmon.exe
C:\Program Files (x86)\Trend Micro\Client Server Security Agent\pccntmon.exe
C:\WINDOWS\SysWow64\jtyzerqn.exe
C:\Program Files (x86)\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
C:\Program Files\Logitech\SetPoint\SetPoint.exe
C:\Program Files\Logitech\SetPoint\x86\SetPoint32.exe
C:\Program Files\Common Files\Logishrd\KHAL2\KHALMNPR.EXE
C:\Program Files (x86)\Internet Explorer\iexplore.exe
C:\WINDOWS\system32\cmd.exe

»»»»»»»»»»»»»»»»»»»»»»»» hosts


»»»»»»»»»»»»»»»»»»»»»»»» C:\


»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS


»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\system


»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\Web


»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\system32


»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\system32\LogFiles


»»»»»»»»»»»»»»»»»»»»»»»» C:\Documents and Settings\Administrator


»»»»»»»»»»»»»»»»»»»»»»»» C:\Documents and Settings\Administrator\Application Data


»»»»»»»»»»»»»»»»»»»»»»»» Start Menu


»»»»»»»»»»»»»»»»»»»»»»»» C:\DOCUME~1\ADMINI~1\FAVORI~1


»»»»»»»»»»»»»»»»»»»»»»»» Desktop


»»»»»»»»»»»»»»»»»»»»»»»» C:\Program Files (x86)

Deckard's System Scanner v20071014.68
Run by fairoot on 2008-03-21 08:35:07
Computer is in Normal Mode.
--------------------------------------------------------------------------------

Backed up registry hives.
Performed disk cleanup.



-- HijackThis (run as fairoot.exe) ---------------------------------------------

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 8:37:08 AM, on 3/21/2008
Platform: Windows 2003 SP2 (WinNT 5.02.3790)
MSIE: Internet Explorer v7.00 (7.00.6000.16608)
Boot mode: Normal

Running processes:
C:\Program Files (x86)\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\Program Files (x86)\Common Files\LightScribe\LSSrvc.exe
C:\Program Files (x86)\Trend Micro\Client Server Security Agent\tmlisten.exe
C:\Program Files (x86)\Trend Micro\Client Server Security Agent\OfcPfwSvc.exe
C:\WINDOWS\ujuhmjit.exe
C:\WINDOWS\RTHDCPL.EXE
C:\WINDOWS\SysWOW64\ctfmon.exe
C:\Program Files (x86)\Trend Micro\Client Server Security Agent\pccntmon.exe
C:\Program Files (x86)\Adobe\Reader 8.0\Reader\Reader_sl.exe
C:\WINDOWS\SysWow64\jtyzerqn.exe
C:\Program Files (x86)\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
C:\Program Files\Logitech\SetPoint\x86\SetPoint32.exe
C:\WINDOWS\TEMP\MUB968.EXE
C:\Documents and Settings\Administrator\Desktop\dss.exe
C:\PROGRA~2\TRENDM~1\HIJACK~1\fairoot.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://companyweb
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft....k/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft....k/?LinkId=69157
F2 - REG:system.ini: UserInit=userinit
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O4 - HKLM\..\Run: [OfficeScanNT Monitor] "C:\Program Files (x86)\Trend Micro\Client Server Security Agent\pccntmon.exe" -HideWindow
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files (x86)\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [PinnacleDriverCheck] C:\WINDOWS\SysWow64\PSDrvCheck.exe -CheckReg
O4 - HKLM\..\Run: [ggfixigd] C:\WINDOWS\SysWow64\ggfixigd.exe
O4 - HKLM\..\Run: [jtyzerqn] C:\WINDOWS\SysWow64\jtyzerqn.exe
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files (x86)\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKLM\..\Policies\Explorer\Run: [DRA9ZDKmx1] C:\WINDOWS\ujuhmjit.exe
O4 - HKUS\S-1-5-19\..\RunOnce: [tscuninstall] %systemroot%\system32\tscupgrd.exe (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\RunOnce: [tscuninstall] %systemroot%\system32\tscupgrd.exe (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\RunOnce: [tscuninstall] %systemroot%\system32\tscupgrd.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\RunOnce: [tscuninstall] %systemroot%\system32\tscupgrd.exe (User 'Default user')
O4 - Global Startup: Logitech SetPoint.lnk = ?
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~2\MICROS~2\Office12\EXCEL.EXE/3000
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~2\MICROS~2\Office12\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O15 - ESC Trusted Zone: http://runonce.msn.com
O16 - DPF: {106E49CF-797A-11D2-81A2-00E02C015623} (AlternaTIFF ActiveX) - http://www.alternati.../00/alttiff.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.micros...b?1201836176806
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoft...free/asinst.cab
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = fargoautomation.local
O17 - HKLM\System\CCS\Services\Tcpip\..\{2D9CC770-9F05-4CD2-AEA0-60EDA28FB161}: NameServer = 192.168.1.5,64.21.232.2
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = fargoautomation.local
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = fargoautomation.local
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files (x86)\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files (x86)\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Autodesk Licensing Service - Autodesk - C:\Program Files (x86)\Common Files\Autodesk Shared\Service\AdskScSrv.exe
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files (x86)\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - Unknown owner - C:\WINDOWS\System32\dmadmin.exe (file missing)
O23 - Service: Event Log (Eventlog) - Unknown owner - C:\WINDOWS\system32\services.exe (file missing)
O23 - Service: Fax - Unknown owner - C:\WINDOWS\system32\fxssvc.exe (file missing)
O23 - Service: HTTP SSL (HTTPFilter) - Unknown owner - C:\WINDOWS\System32\lsass.exe (file missing)
O23 - Service: IMAPI CD-Burning COM Service (ImapiService) - Unknown owner - C:\WINDOWS\system32\imapi.exe (file missing)
O23 - Service: Logitech Bluetooth Service (LBTServ) - Logitech, Inc. - C:\Program Files\Common Files\Logitech\Bluetooth\LBTServ.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files (x86)\Common Files\LightScribe\LSSrvc.exe
O23 - Service: Distributed Transaction Coordinator (MSDTC) - Unknown owner - C:\WINDOWS\system32\msdtc.exe (file missing)
O23 - Service: Net Logon (Netlogon) - Unknown owner - C:\WINDOWS\system32\lsass.exe (file missing)
O23 - Service: NMIndexingService - Nero AG - C:\Program Files (x86)\Common Files\Ahead\Lib\NMIndexingService.exe
O23 - Service: NT LM Security Support Provider (NtLmSsp) - Unknown owner - C:\WINDOWS\system32\lsass.exe (file missing)
O23 - Service: Trend Micro Client/Server Security Agent RealTime Scan (ntrtscan) - Trend Micro Inc. - C:\Program Files (x86)\Trend Micro\Client Server Security Agent\ntrtscan.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - Unknown owner - C:\WINDOWS\system32\nvsvc64.exe (file missing)
O23 - Service: Trend Micro Client/Server Security Agent Personal Firewall (OfcPfwSvc) - Trend Micro Inc. - C:\Program Files (x86)\Trend Micro\Client Server Security Agent\OfcPfwSvc.exe
O23 - Service: Plug and Play (PlugPlay) - Unknown owner - C:\WINDOWS\system32\services.exe (file missing)
O23 - Service: IPSEC Services (PolicyAgent) - Unknown owner - C:\WINDOWS\system32\lsass.exe (file missing)
O23 - Service: Protected Storage (ProtectedStorage) - Unknown owner - C:\WINDOWS\system32\lsass.exe (file missing)
O23 - Service: Remote Desktop Help Session Manager (RDSessMgr) - Unknown owner - C:\WINDOWS\system32\sessmgr.exe (file missing)
O23 - Service: Security Accounts Manager (SamSs) - Unknown owner - C:\WINDOWS\system32\lsass.exe (file missing)
O23 - Service: SolidWorks Licensing Service - SolidWorks - C:\Program Files (x86)\Common Files\SolidWorks Shared\Service\SolidWorksLicensing.exe
O23 - Service: Trend Micro Client/Server Security Agent Listener (tmlisten) - Trend Micro Inc. - C:\Program Files (x86)\Trend Micro\Client Server Security Agent\tmlisten.exe
O23 - Service: Virtual Disk Service (vds) - Unknown owner - C:\WINDOWS\System32\vds.exe (file missing)
O23 - Service: Volume Shadow Copy (VSS) - Unknown owner - C:\WINDOWS\System32\vssvc.exe (file missing)
O23 - Service: WMI Performance Adapter (WmiApSrv) - Unknown owner - C:\WINDOWS\system32\wbem\wmiapsrv.exe (file missing)

--
End of file - 7637 bytes

-- File Associations -----------------------------------------------------------

.scr - AutoCADScriptFile - shell\open\command - "C:\WINDOWS\system32\NOTEPAD.EXE" "%1"


-- Drivers: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled ---------------------

R0 ACPI (Microsoft ACPI Driver) - c:\windows\system32\drivers\acpi.sys (file missing)
R0 atapi (Standard IDE/ESDI Hard Disk Controller) - c:\windows\system32\drivers\atapi.sys (file missing)
R0 crcdisk (CRC Disk Filter Driver) - c:\windows\system32\drivers\crcdisk.sys (file missing)
R0 Disk (Disk Driver) - c:\windows\system32\drivers\disk.sys (file missing)
R0 dmio (Logical Disk Manager Driver) - c:\windows\system32\drivers\dmio.sys (file missing)
R0 dmload - c:\windows\system32\drivers\dmload.sys (file missing)
R0 FltMgr - c:\windows\system32\drivers\fltmgr.sys (file missing)
R0 Ftdisk (Volume Manager Driver) - c:\windows\system32\drivers\ftdisk.sys (file missing)
R0 isapnp (PnP ISA/EISA Bus Driver) - c:\windows\system32\drivers\isapnp.sys (file missing)
R0 JGOGO (JMicron Hot-Plug Driver) - c:\windows\system32\drivers\jgogo.sys (file missing)
R0 JRAID - c:\windows\system32\drivers\jraid.sys (file missing)
R0 KSecDD - c:\windows\system32\drivers\ksecdd.sys (file missing)
R0 MountMgr (Mount Point Manager) - c:\windows\system32\drivers\mountmgr.sys (file missing)
R0 Mup - c:\windows\system32\drivers\mup.sys (file missing)
R0 NDIS (NDIS System Driver) - c:\windows\system32\drivers\ndis.sys (file missing)
R0 ohci1394 (VIA OHCI Compliant IEEE 1394 Host Controller) - c:\windows\system32\drivers\ohci1394.sys (file missing)
R0 PartMgr (Partition Manager) - c:\windows\system32\drivers\partmgr.sys (file missing)
R0 PCI (PCI Bus Driver) - c:\windows\system32\drivers\pci.sys (file missing)
R0 PCIIde - c:\windows\system32\drivers\pciide.sys (file missing)
R0 sr (System Restore Filter Driver) - c:\windows\system32\drivers\sr.sys (file missing)
R0 VolSnap (Storage volumes) - c:\windows\system32\drivers\volsnap.sys (file missing)
R1 AFD - c:\windows\system32\drivers\afd.sys (file missing)
R1 AvgAsC64 (AVG Anti-Spyware Clean Driver) - c:\windows\system32\drivers\avgasc64.sys (file missing)
R1 Beep - c:\windows\system32\drivers\beep.sys (file missing)
R1 Cdrom (CD-ROM Driver) - c:\windows\system32\drivers\cdrom.sys (file missing)
R1 Fips - c:\windows\system32\drivers\fips.sys (file missing)
R1 imapi (CD-Burning Filter Driver) - c:\windows\system32\drivers\imapi.sys (file missing)
R1 IPSec (IPSEC driver) - c:\windows\system32\drivers\ipsec.sys (file missing)
R1 Kbdclass (Keyboard Class Driver) - c:\windows\system32\drivers\kbdclass.sys (file missing)
R1 kbdhid (Keyboard HID Driver) - c:\windows\system32\drivers\kbdhid.sys (file missing)
R1 mnmdd - c:\windows\system32\drivers\mnmdd.sys (file missing)
R1 Mouclass (Mouse Class Driver) - c:\windows\system32\drivers\mouclass.sys (file missing)
R1 MRxSmb - c:\windows\system32\drivers\mrxsmb.sys (file missing)
R1 Msfs - c:\windows\system32\drivers\msfs.sys (file missing)
R1 NetBIOS (NetBIOS Interface) - c:\windows\system32\drivers\netbios.sys (file missing)
R1 NetBT (NetBios over Tcpip) - c:\windows\system32\drivers\netbt.sys (file missing)
R1 Npfs - c:\windows\system32\drivers\npfs.sys (file missing)
R1 Null - c:\windows\system32\drivers\null.sys (file missing)
R1 RasAcd (Remote Access Auto Connection Driver) - c:\windows\system32\drivers\rasacd.sys (file missing)
R1 Rdbss - c:\windows\system32\drivers\rdbss.sys (file missing)
R1 RDPCDD - c:\windows\system32\drivers\rdpcdd.sys (file missing)
R1 redbook (Digital CD Audio Playback Filter Driver) - c:\windows\system32\drivers\redbook.sys (file missing)
R1 Serial (Serial port driver) - c:\windows\system32\drivers\serial.sys (file missing)
R1 Tcpip (TCP/IP Protocol Driver) - c:\windows\system32\drivers\tcpip.sys (file missing)
R1 TermDD (Terminal Device Driver) - c:\windows\system32\drivers\termdd.sys (file missing)
R1 VgaSave (VGA Display Controller.) - c:\windows\system32\drivers\vga.sys (file missing)
R2 CdaC15BA - c:\windows\system32\drivers\cdac15ba.sys (file missing)
R2 CdaD10BA - c:\windows\system32\drivers\cdad10ba.sys (file missing)
R2 LBeepKE - c:\windows\system32\drivers\lbeepke.sys (file missing)
R2 Secdrv (Security Driver) - c:\windows\system32\drivers\secdrv.sys (file missing)
R3 Arp1394 (1394 ARP Client Protocol) - c:\windows\system32\drivers\arp1394.sys (file missing)
R3 audstub (Audio Stub Driver) - c:\windows\system32\drivers\audstub.sys (file missing)
R3 Fdc (Floppy Disk Controller Driver) - c:\windows\system32\drivers\fdc.sys (file missing)
R3 Flpydisk (Floppy Disk Driver) - c:\windows\system32\drivers\flpydisk.sys (file missing)
R3 Gpc (Generic Packet Classifier) - c:\windows\system32\drivers\msgpc.sys (file missing)
R3 HDAudBus (Microsoft UAA Bus Driver for High Definition Audio) - c:\windows\system32\drivers\hdaudbus.sys (file missing)
R3 hidusb (Microsoft HID Class Driver) - c:\windows\system32\drivers\hidusb.sys (file missing)
R3 HTTP - c:\windows\system32\drivers\http.sys (file missing)
R3 IntcAzAudAddService (Service for Realtek HD Audio (WDM)) - c:\windows\system32\drivers\rtkhda64.sys (file missing)
R3 intelppm (Intel Processor Driver) - c:\windows\system32\drivers\intelppm.sys (file missing)
R3 IpNat (IP Network Address Translator) - c:\windows\system32\drivers\ipnat.sys (file missing)
R3 ksthunk (Kernel Streaming WOW64 Thunk Service) - c:\windows\system32\drivers\ksthunk.sys (file missing)
R3 LHidFilt (Logitech SetPoint KMDF HID Filter Driver) - c:\windows\system32\drivers\lhidfilt.sys (file missing)
R3 LMouFilt (Logitech SetPoint KMDF Mouse Filter Driver) - c:\windows\system32\drivers\lmoufilt.sys (file missing)
R3 LUsbFilt (Logitech SetPoint KMDF USB Filter) - c:\windows\system32\drivers\lusbfilt.sys (file missing)
R3 mouhid (Mouse HID Driver) - c:\windows\system32\drivers\mouhid.sys (file missing)
R3 MRxDAV (WebDav Client Redirector) - c:\windows\system32\drivers\mrxdav.sys (file missing)
R3 mssmbios (Microsoft System Management BIOS Driver) - c:\windows\system32\drivers\mssmbios.sys (file missing)
R3 MTsensor (ATK0110 ACPI UTILITY) - c:\windows\system32\drivers\asacpi.sys (file missing)
R3 NdisTapi (Remote Access NDIS TAPI Driver) - c:\windows\system32\drivers\ndistapi.sys (file missing)
R3 Ndisuio (NDIS Usermode I/O Protocol) - c:\windows\system32\drivers\ndisuio.sys (file missing)
R3 NdisWan (Remote Access NDIS WAN Driver) - c:\windows\system32\drivers\ndiswan.sys (file missing)
R3 NDProxy (NDIS Proxy) - c:\windows\system32\drivers\ndproxy.sys (file missing)
R3 NIC1394 (1394 Net Driver) - c:\windows\system32\drivers\nic1394.sys (file missing)
R3 nv - c:\windows\system32\drivers\nv4_mini.sys (file missing)
R3 NVENETFD (NVIDIA nForce Networking Controller Driver) - c:\windows\system32\drivers\nvenetfd.sys (file missing)
R3 nvnetbus (NVIDIA Network Bus Enumerator) - c:\windows\system32\drivers\nvnetbus.sys (file missing)
R3 Parport (Parallel port driver) - c:\windows\system32\drivers\parport.sys (file missing)
R3 PptpMiniport (WAN Miniport (PPTP)) - c:\windows\system32\drivers\raspptp.sys (file missing)
R3 PSched (QoS Packet Scheduler) - c:\windows\system32\drivers\psched.sys (file missing)
R3 Ptilink (Direct Parallel Link Driver) - c:\windows\system32\drivers\ptilink.sys (file missing)
R3 Rasl2tp (WAN Miniport (L2TP)) - c:\windows\system32\drivers\rasl2tp.sys (file missing)
R3 RasPppoe (Remote Access PPPOE Driver) - c:\windows\system32\drivers\raspppoe.sys (file missing)
R3 Raspti (Direct Parallel) - c:\windows\system32\drivers\raspti.sys (file missing)
R3 rdpdr (Terminal Server Device Redirector Driver) - c:\windows\system32\drivers\rdpdr.sys (file missing)
R3 serenum (Serenum Filter Driver) - c:\windows\system32\drivers\serenum.sys (file missing)
R3 Srv - c:\windows\system32\drivers\srv.sys (file missing)
R3 swenum (Software Bus Driver) - c:\windows\system32\drivers\swenum.sys (file missing)
R3 sysaudio (Microsoft Kernel System Audio Device) - c:\windows\system32\drivers\sysaudio.sys (file missing)
R3 Update (Microcode Update Driver) - c:\windows\system32\drivers\update.sys (file missing)
R3 usbccgp (Microsoft USB Generic Parent Driver) - c:\windows\system32\drivers\usbccgp.sys (file missing)
R3 usbehci (Microsoft USB 2.0 Enhanced Host Controller Miniport Driver) - c:\windows\system32\drivers\usbehci.sys (file missing)
R3 usbhub (Microsoft USB Standard Hub Driver) - c:\windows\system32\drivers\usbhub.sys (file missing)
R3 usbohci (Microsoft USB Open Host Controller Miniport Driver) - c:\windows\system32\drivers\usbohci.sys (file missing)
R3 Wanarp (Remote Access IP ARP Driver) - c:\windows\system32\drivers\wanarp.sys (file missing)
R3 Wdf01000 - c:\windows\system32\drivers\wdf01000.sys (file missing)
R3 wdmaud (Microsoft WINMM WDM Audio Compatibility Driver) - c:\windows\system32\drivers\wdmaud.sys (file missing)
R4 Cdfs - c:\windows\system32\drivers\cdfs.sys (file missing)
R4 Ntfs - c:\windows\system32\drivers\ntfs.sys (file missing)

S1 i8042prt (i8042 Keyboard and PS/2 Mouse Port Driver) - c:\windows\system32\drivers\i8042prt.sys (file missing)
S1 PCLEPCI - c:\windows\system32\drivers\pclepci.sys <Not Verified; Pinnacle Systems GmbH; PCLEPCI>
S1 SASDIFSV - c:\program files (x86)\superantispyware\sasdifsv.sys
S1 Sfloppy - c:\windows\system32\drivers\sfloppy.sys (file missing)
S3 61883 (61883 Unit Device) - c:\windows\system32\drivers\61883.sys (file missing)
S3 aec (Microsoft Kernel Acoustic Echo Canceller) - c:\windows\system32\drivers\aec.sys (file missing)
S3 AsyncMac (RAS Asynchronous Media Driver) - c:\windows\system32\drivers\asyncmac.sys (file missing)
S3 AtiHdmiService (ATI Function Driver for HDMI Service) - c:\windows\system32\drivers\atihdmi.sys (file missing)
S3 Atmarpc (ATM ARP Client Protocol) - c:\windows\system32\drivers\atmarpc.sys (file missing)
S3 Avc (AVC Device) - c:\windows\system32\drivers\avc.sys (file missing)
S3 CCDECODE (Closed Caption Decoder) - c:\windows\system32\drivers\ccdecode.sys (file missing)
S3 HdAudAddService (ATI Function Driver for High Definition Audio Service) - c:\windows\system32\drivers\atihdaud.sys (file missing)
S3 Ip6Fw (IPv6 Windows Firewall Driver) - c:\windows\system32\drivers\ip6fw.sys (file missing)
S3 IpFilterDriver (IP Traffic Filter Driver) - c:\windows\system32\drivers\ipfltdrv.sys (file missing)
S3 IpInIp (IP in IP Tunnel Driver) - c:\windows\system32\drivers\ipinip.sys (file missing)
S3 IRENUM (IR Enumerator Service) - c:\windows\system32\drivers\irenum.sys (file missing)
S3 kmixer (Microsoft Kernel Wave Audio Mixer) - c:\windows\system32\drivers\kmixer.sys (file missing)
S3 LHidKe (SetPoint HID Mouse Filter Driver) - c:\windows\system32\drivers\lhidke.sys (file missing)
S3 LMouKE (SetPoint Mouse Filter Driver) - c:\windows\system32\drivers\lmouke.sys (file missing)
S3 LUsbKbd (SetPoint USB Filter Driver) - c:\windows\system32\drivers\lusbkbd.sys (file missing)
S3 Modem - c:\windows\system32\drivers\modem.sys (file missing)
S3 MSDV (Microsoft DV Camera and VCR) - c:\windows\system32\drivers\msdv.sys (file missing)
S3 MSKSSRV (Microsoft Streaming Service Proxy) - c:\windows\system32\drivers\mskssrv.sys (file missing)
S3 MSPCLOCK (Microsoft Streaming Clock Proxy) - c:\windows\system32\drivers\mspclock.sys (file missing)
S3 MSPQM (Microsoft Streaming Quality Manager Proxy) - c:\windows\system32\drivers\mspqm.sys (file missing)
S3 MSTEE (Microsoft Streaming Tee/Sink-to-Sink Converter) - c:\windows\system32\drivers\mstee.sys (file missing)
S3 NABTSFEC (NABTS/FEC VBI Codec) - c:\windows\system32\drivers\nabtsfec.sys (file missing)
S3 NdisIP (Microsoft TV/Video Connection) - c:\windows\system32\drivers\ndisip.sys (file missing)
S3 RDPWD - c:\windows\system32\drivers\rdpwd.sys (file missing)
S3 SASENUM - c:\program files (x86)\superantispyware\sasenum.sys <Not Verified; SuperAdBlocker, Inc.; SuperAntiSpyware>
S3 SLIP (BDA Slip De-Framer) - c:\windows\system32\drivers\slip.sys (file missing)
S3 splitter (Microsoft Kernel Audio Splitter) - c:\windows\system32\drivers\splitter.sys (file missing)
S3 streamip (BDA IPSink) - c:\windows\system32\drivers\streamip.sys (file missing)
S3 swmidi (Microsoft Kernel GS Wavetable Synthesizer) - c:\windows\system32\drivers\swmidi.sys (file missing)
S3 TDPIPE - c:\windows\system32\drivers\tdpipe.sys (file missing)
S3 TDTCP - c:\windows\system32\drivers\tdtcp.sys (file missing)
S3 USBSTOR (USB Mass Storage Driver) - c:\windows\system32\drivers\usbstor.sys (file missing)
S3 vga - c:\windows\system32\drivers\vgapnp.sys (file missing)
S3 WSTCODEC (World Standard Teletext Codec) - c:\windows\system32\drivers\wstcodec.sys (file missing)
S3 WudfPf (Windows Driver Foundation - User-mode Driver Framework Platform Driver) - c:\windows\system32\drivers\wudfpf.sys (file missing)
S3 WudfRd (Windows Driver Foundation - User-mode Driver Framework Reflector) - c:\windows\system32\drivers\wudfrd.sys (file missing)
S4 ACPIEC - c:\windows\system32\drivers\acpiec.sys (file missing)
S4 dmboot - c:\windows\system32\drivers\dmboot.sys (file missing)
S4 Fastfat - c:\windows\system32\drivers\fastfat.sys (file missing)
S4 Pcmcia - c:\windows\system32\drivers\pcmcia.sys (file missing)
S4 Udfs - c:\windows\system32\drivers\udfs.sys (file missing)


-- Services: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled --------------------

R2 Eventlog (Event Log) - c:\windows\system32\services.exe (file missing)
R2 Netlogon (Net Logon) - c:\windows\system32\lsass.exe (file missing)
R2 ntrtscan (Trend Micro Client/Server Security Agent RealTime Scan) - c:\program files (x86)\trend micro\client server security agent\ntrtscan.exe
R2 NVSvc (NVIDIA Display Driver Service) - c:\windows\system32\nvsvc64.exe (file missing)
R2 OfcPfwSvc (Trend Micro Client/Server Security Agent Personal Firewall) - c:\program files (x86)\trend micro\client server security agent\ofcpfwsvc.exe
R2 PlugPlay (Plug and Play) - c:\windows\system32\services.exe (file missing)
R2 PolicyAgent (IPSEC Services) - c:\windows\system32\lsass.exe (file missing)
R2 ProtectedStorage (Protected Storage) - c:\windows\system32\lsass.exe (file missing)
R2 SamSs (Security Accounts Manager) - c:\windows\system32\lsass.exe (file missing)
R2 tmlisten (Trend Micro Client/Server Security Agent Listener) - c:\program files (x86)\trend micro\client server security agent\tmlisten.exe

S2 Fax - c:\windows\system32\fxssvc.exe (file missing)
S3 dmadmin (Logical Disk Manager Administrative Service) - c:\windows\system32\dmadmin.exe /com (file missing)
S3 HTTPFilter (HTTP SSL) - c:\windows\system32\lsass.exe (file missing)
S3 ImapiService (IMAPI CD-Burning COM Service) - c:\windows\system32\imapi.exe (file missing)
S3 MSDTC (Distributed Transaction Coordinator) - c:\windows\system32\msdtc.exe (file missing)
S3 NMIndexingService - "c:\program files (x86)\common files\ahead\lib\nmindexingservice.exe" <Not Verified; Nero AG; Nero Home>
S3 NtLmSsp (NT LM Security Support Provider) - c:\windows\system32\lsass.exe (file missing)
S3 RDSessMgr (Remote Desktop Help Session Manager) - c:\windows\system32\sessmgr.exe (file missing)
S3 SolidWorks Licensing Service - "c:\program files (x86)\common files\solidworks shared\service\solidworkslicensing.exe" <Not Verified; SolidWorks; SolidWorks Licensing Service>
S3 vds (Virtual Disk Service) - c:\windows\system32\vds.exe (file missing)
S3 VSS (Volume Shadow Copy) - c:\windows\system32\vssvc.exe (file missing)
S3 WmiApSrv (WMI Performance Adapter) - c:\windows\system32\wbem\wmiapsrv.exe (file missing)
S4 TlntSvr (Telnet) - c:\windows\system32\tlntsvr.exe (file missing)


-- Device Manager: Disabled ----------------------------------------------------

No disabled devices found.


-- Scheduled Tasks -------------------------------------------------------------

2008-03-21 08:36:41 330 --ah----- C:\WINDOWS\Tasks\MP Scheduled Scan.job


-- Files created between 2008-02-21 and 2008-03-21 -----------------------------

2008-03-20 17:22:51 0 d-------- C:\WINDOWS\system32\ActiveScan
2008-03-20 16:54:36 0 d-------- C:\Documents and Settings\Administrator\Application Data\SUPERAntiSpyware.com
2008-03-20 16:13:28 0 d-------- C:\Documents and Settings\Administrator\Application Data\PTC
2008-03-20 16:11:14 0 d-------- C:\Documents and Settings\Administrator\Application Data\Grisoft
2008-03-20 16:07:51 0 d-------- C:\Documents and Settings\All Users.WINDOWS\Application Data\SUPERAntiSpyware.com
2008-03-20 16:07:47 0 d-------- C:\Program Files (x86)\SUPERAntiSpyware
2008-03-20 16:07:47 0 d-------- C:\Documents and Settings\eric.henschke\Application Data\SUPERAntiSpyware.com
2008-03-20 16:07:33 0 d-------- C:\Program Files (x86)\Common Files\Wise Installation Wizard
2008-03-20 16:04:07 0 d-------- C:\Documents and Settings\eric.henschke\Application Data\Grisoft
2008-03-20 16:03:57 0 d-------- C:\Documents and Settings\All Users.WINDOWS\Application Data\Grisoft
2008-03-20 15:49:17 0 d-------- C:\Program Files (x86)\XoftSpySE
2008-03-20 15:49:16 0 d-------- C:\Documents and Settings\Administrator\Desktop\virii
2008-03-20 15:26:16 2621440 --ah----- C:\Documents and Settings\eric.henschke\NTUSER.DAT
2008-03-20 14:25:49 0 d-------- C:\Program Files (x86)\Enigma Software Group
2008-03-20 13:09:15 2146 --a------ C:\WINDOWS\system32\tmp.reg
2008-03-20 13:02:12 0 d-------- C:\WINDOWS\pss
2008-03-20 12:54:15 4096 --a------ C:\Documents and Settings\Administrator\Desktop\filemanagerclient.exe
2008-03-20 12:54:14 4096 --a------ C:\Documents and Settings\Administrator\Desktop\FWebdEditor.exe
2008-03-20 12:54:14 4096 --a------ C:\Documents and Settings\Administrator\Desktop\fwebd.exe
2008-03-20 12:54:02 98304 --a------ C:\WINDOWS\system32\jtyzerqn.exe
2008-03-20 12:47:18 86528 --a------ C:\WINDOWS\system32\VACFix.exe <Not Verified; S!Ri.URZ; VACFix>
2008-03-20 12:47:18 82432 --a------ C:\WINDOWS\system32\IEDFix.exe <Not Verified; S!Ri.URZ; IEDFix>
2008-03-20 12:47:17 25600 --a------ C:\WINDOWS\system32\WS2Fix.exe
2008-03-20 12:47:17 289144 --a------ C:\WINDOWS\system32\VCCLSID.exe <Not Verified; S!Ri; >
2008-03-20 12:47:17 288417 --a------ C:\WINDOWS\system32\SrchSTS.exe <Not Verified; S!Ri; SrchSTS>
2008-03-20 12:47:17 53248 --a------ C:\WINDOWS\system32\Process.exe <Not Verified; http://www.beyondlogic.org; Command Line Process Utility>
2008-03-20 12:47:17 51200 --a------ C:\WINDOWS\system32\dumphive.exe
2008-03-20 11:54:15 0 dr-h----- C:\Documents and Settings\eric.henschke\Recent
2008-03-20 11:01:26 0 d-------- C:\Documents and Settings\eric.henschke\Application Data\PC-Cleaner
2008-03-20 10:57:56 0 d-------- C:\Program Files (x86)\PC-Cleaner
2008-03-20 09:07:19 401408 --a------ C:\WINDOWS\system32\pvmjpg30.dll <Not Verified; Pegasus Imaging Corporation; PICVideo Codec Suite>
2008-03-20 09:07:18 44544 --a------ C:\WINDOWS\system32\msxml4a.dll <Not Verified; Microsoft Corporation; Microsoft® MSXML 4.0 SP1>
2008-03-20 09:07:18 1712128 --a------ C:\WINDOWS\system32\GDIPLUS.DLL <Not Verified; Microsoft Corporation; Microsoft® Windows® Operating System>
2008-03-20 09:05:30 0 d-------- C:\Documents and Settings\NetworkService\My Documents
2008-03-20 09:05:30 0 d-------- C:\Documents and Settings\LocalService\My Documents
2008-03-20 09:04:54 138752 --a------ C:\WINDOWS\system32\mase32.dll
2008-03-20 09:04:54 57856 --a------ C:\WINDOWS\system32\masd32.dll
2008-03-20 09:04:54 136192 --a------ C:\WINDOWS\system32\mamc32.dll <Not Verified; ; MAMC32 Dynamic Link Library>
2008-03-20 09:04:54 196096 --a------ C:\WINDOWS\system32\macd32.dll <Not Verified; ; MACD32 Dynamic Link Library>
2008-03-20 09:04:54 27648 --a------ C:\WINDOWS\system32\ma32.dll
2008-03-20 09:03:44 41219 --a------ C:\WINDOWS\RSETPATH.exe <Not Verified; Pinnacle Systems; Pinnacle Systems RSETPATH>
2008-03-20 09:03:18 49152 --a------ C:\WINDOWS\system32\PCLEGetGuid.dll <Not Verified; Pinnacle Systems; Guid_dll>
2008-03-20 08:57:02 0 d-------- C:\Documents and Settings\eric.henschke\Application Data\InstallShield
2008-03-20 08:49:28 4096 --a------ C:\WINDOWS\winsystem.exe
2008-03-20 08:49:28 4096 --a------ C:\WINDOWS\userconfig9x.dll
2008-03-20 08:49:28 4096 --a------ C:\WINDOWS\SysWOW64\WINWGPX.EXE
2008-03-20 08:49:28 4096 --a------ C:\WINDOWS\SysWOW64\winsystem.exe
2008-03-20 08:49:28 4096 --a------ C:\WINDOWS\SysWOW64\winlogonpc.exe
2008-03-20 08:49:28 4096 --a------ C:\WINDOWS\SysWOW64\vcatchpi.dll
2008-03-20 08:49:28 4096 --a------ C:\WINDOWS\SysWOW64\thun32.dll
2008-03-20 08:49:28 4096 --a------ C:\WINDOWS\SysWOW64\thun.dll
2008-03-20 08:49:28 4096 --a------ C:\WINDOWS\SysWOW64\temp#01.exe
2008-03-20 08:49:28 4096 --a------ C:\WINDOWS\SysWOW64\taack.exe
2008-03-20 08:49:28 4096 --a------ C:\WINDOWS\SysWOW64\taack.dat
2008-03-20 08:49:28 4096 --a------ C:\WINDOWS\SysWOW64\sysreq.exe
2008-03-20 08:49:28 4096 --a------ C:\WINDOWS\SysWOW64\ssvchost.exe
2008-03-20 08:49:28 4096 --a------ C:\WINDOWS\SysWOW64\ssvchost.com
2008-03-20 08:49:28 4096 --a------ C:\WINDOWS\SysWOW64\ssurf022.dll
2008-03-20 08:49:28 4096 --a------ C:\WINDOWS\SysWOW64\sncntr.exe
2008-03-20 08:49:28 0 d-------- C:\WINDOWS\SysWOW64\smp
2008-03-20 08:49:28 4096 --a------ C:\WINDOWS\SysWOW64\Rundl1.exe
2008-03-20 08:49:28 4096 --a------ C:\WINDOWS\SysWOW64\regm64.dll
2008-03-20 08:49:28 4096 --a------ C:\WINDOWS\SysWOW64\regc64.dll
2008-03-20 08:49:28 4096 --a------ C:\WINDOWS\SysWOW64\psoft1.exe
2008-03-20 08:49:28 4096 --a------ C:\WINDOWS\SysWOW64\psof1.exe
2008-03-20 08:49:28 4096 --a------ C:\WINDOWS\SysWOW64\ps1.exe
2008-03-20 08:49:28 4096 --a------ C:\WINDOWS\SysWOW64\newsd32.exe
2008-03-20 08:49:28 4096 --a------ C:\WINDOWS\SysWOW64\netode.exe
2008-03-20 08:49:28 4096 --a------ C:\WINDOWS\SysWOW64\mwin32.exe
2008-03-20 08:49:28 4096 --a------ C:\WINDOWS\SysWOW64\mtr2.exe
2008-03-20 08:49:28 4096 --a------ C:\WINDOWS\SysWOW64\msvchost.exe
2008-03-20 08:49:28 4096 --a------ C:\WINDOWS\SysWOW64\mssecu.exe
2008-03-20 08:49:28 4096 --a------ C:\WINDOWS\SysWOW64\msnbho.dll
2008-03-20 08:49:28 4096 --a------ C:\WINDOWS\SysWOW64\msgp.exe
2008-03-20 08:49:28 4096 --a------ C:\WINDOWS\SysWOW64\medup020.dll
2008-03-20 08:49:28 4096 --a------ C:\WINDOWS\SysWOW64\medup012.dll
2008-03-20 08:49:28 4096 --a------ C:\WINDOWS\SysWOW64\hxiwlgpm.exe
2008-03-20 08:49:28 4096 --a------ C:\WINDOWS\SysWOW64\hxiwlgpm.dat
2008-03-20 08:49:28 4096 --a------ C:\WINDOWS\SysWOW64\hoproxy.dll
2008-03-20 08:49:28 4096 --a------ C:\WINDOWS\SysWOW64\h@tkeysh@@k.dll
2008-03-20 08:49:28 4096 --a------ C:\WINDOWS\SysWOW64\emesx.dll
2008-03-20 08:49:28 4096 --a------ C:\WINDOWS\SysWOW64\dpcproxy.exe
2008-03-20 08:49:28 4096 --a------ C:\WINDOWS\SysWOW64\bsva-egihsg52.exe
2008-03-20 08:49:28 4096 --a------ C:\WINDOWS\SysWOW64\bdn.com
2008-03-20 08:49:28 4096 --a------ C:\WINDOWS\SysWOW64\awtoolb.dll
2008-03-20 08:49:28 4096 --a------ C:\WINDOWS\SysWOW64\anticipator.dll
2008-03-20 08:49:28 4096 --a------ C:\WINDOWS\SysWOW64\akttzn.exe
2008-03-20 08:49:28 4096 --a------ C:\WINDOWS\mssecu.exe
2008-03-20 08:49:28 0 d-------- C:\WINDOWS\mslagent
2008-03-20 08:49:28 4096 --a------ C:\WINDOWS\iTunesMusic.exe
2008-03-20 08:49:28 4096 --a------ C:\WINDOWS\FVProtect.exe
2008-03-20 08:49:28 4096 --a------ C:\WINDOWS\bdn.com
2008-03-20 08:49:28 4096 --a------ C:\WINDOWS\a.bat
2008-03-20 08:49:28 0 d-------- C:\Program Files (x86)\Inet Delivery
2008-03-20 08:49:28 0 d-------- C:\Documents and Settings\eric.henschke\Desktop\virii
2008-03-20 08:49:28 4096 --a------ C:\Documents and Settings\eric.henschke\Desktop\FWebdEditor.exe
2008-03-20 08:49:28 4096 --a------ C:\Documents and Settings\eric.henschke\Desktop\fwebd.exe
2008-03-20 08:49:28 4096 --a------ C:\Documents and Settings\eric.henschke\Desktop\filemanagerclient.exe
2008-03-20 08:49:27 4096 --a------ C:\WINDOWS\SysWOW64\vbsys2.dll
2008-03-20 08:49:27 0 d-------- C:\Program Files (x86)\akl
2008-03-20 08:47:20 38912 --a------ C:\WINDOWS\ujuhmjit.exe
2008-03-20 08:47:19 98304 --a------ C:\WINDOWS\system32\ggfixigd.exe
2008-03-19 15:28:40 0 d-------- C:\Program Files (x86)\WinAce
2008-03-17 09:04:57 0 d-------- C:\Program Files (x86)\proDAD
2008-03-17 09:01:39 0 d-------- C:\Program Files (x86)\AdorageI-SAL
2008-03-17 08:52:47 0 d-------- C:\WINDOWS\system32\URTTEMP
2008-03-17 08:49:39 0 d-------- C:\Program Files (x86)\SmartSound Software
2008-03-17 08:49:08 86016 --a------ C:\WINDOWS\unvise32qt.exe <Not Verified; MindVision; Installer VISE 2.8.3>
2008-03-17 08:49:03 0 d-------- C:\Program Files (x86)\QuickTime
2008-03-17 08:49:03 0 d-------- C:\Documents and Settings\All Users.WINDOWS\Application Data\QuickTime
2008-03-17 08:41:32 0 d-------- C:\Program Files (x86)\DivX
2008-03-17 08:38:29 0 d-------- C:\Documents and Settings\All Users.WINDOWS\Application Data\Pinnacle Studio
2008-03-14 10:41:09 0 d-------- C:\WINDOWS\Downloaded Installations
2008-03-14 10:30:39 0 d-------- C:\Documents and Settings\All Users.WINDOWS\Application Data\Pinnacle
2008-03-14 10:30:37 0 d-------- C:\Program Files (x86)\Pinnacle
2008-03-14 10:30:23 14165 --a------ C:\WINDOWS\system32\drivers\Pclepci.sys <Not Verified; Pinnacle Systems GmbH; PCLEPCI>
2008-03-05 09:46:42 16384 --a------ C:\WINDOWS\system32\FileOps.exe
2008-03-05 09:46:42 0 d-------- C:\WINDOWS\system32\Adobe
2008-02-28 17:08:42 0 d-------- C:\Program Files (x86)\Common Files\Canon
2008-02-26 18:21:32 0 d-------- C:\Documents and Settings\eric.henschke\Application Data\Google
2008-02-26 18:21:20 0 d-------- C:\Documents and Settings\All Users.WINDOWS\Application Data\Google
2008-02-26 18:21:16 0 d-------- C:\Program Files (x86)\Google


-- Find3M Report ---------------------------------------------------------------

2008-03-20 16:07:33 0 d-------- C:\Program Files (x86)\Common Files
2008-03-20 15:12:37 0 d-------- C:\Program Files (x86)\Trend Micro
2008-03-20 09:04:54 108 --a------ C:\AUTOEXEC.BAT
2008-03-20 09:02:55 0 d--h----- C:\Program Files (x86)\InstallShield Installation Information
2008-03-17 10:41:36 0 d-------- C:\Program Files (x86)\Common Files\LightScribe
2008-03-17 08:49:31 0 d-------- C:\Program Files (x86)\Common Files\InstallShield
2008-03-13 08:50:59 0 d-------- C:\Program Files (x86)\Common Files\Adobe
2008-02-18 17:31:05 0 d-------- C:\Program Files (x86)\Common Files\Adobe Systems Shared
2008-02-18 15:33:50 1019 --a------ C:\WINDOWS\mozver.dat
2008-02-12 11:48:40 0 d-------- C:\Documents and Settings\Administrator\Application Data\MSNInstaller
2008-02-07 15:08:30 0 d-------- C:\Program Files (x86)\Common Files\SolidWorks Shared
2008-02-07 15:08:25 0 d-------- C:\Program Files (x86)\Common Files\eDrawings2008
2008-02-01 14:52:57 0 d-------- C:\Program Files (x86)\GPLGS
2008-02-01 09:39:15 0 d-------- C:\Documents and Settings\Administrator\Application Data\Adobe
2008-02-01 09:32:29 0 d-------- C:\Program Files (x86)\Microsoft Works
2008-02-01 09:27:30 0 d-------- C:\Documents and Settings\Administrator\Application Data\Logitech
2008-02-01 09:19:31 0 d-------- C:\Program Files (x86)\Microsoft ActiveSync
2008-02-01 09:18:58 0 d-------- C:\Program Files (x86)\Microsoft.NET
2008-01-31 23:57:38 0 d-------- C:\Program Files (x86)\MSXML 4.0
2008-01-31 23:53:33 0 d-------- C:\Program Files (x86)\Windows Defender
2008-01-31 23:51:41 0 d-------- C:\Documents and Settings\Administrator\Application Data\Ahead
2008-01-31 23:51:16 0 d-------- C:\Program Files (x86)\Common Files\Ahead
2008-01-31 23:49:53 0 d-------- C:\Program Files (x86)\Nero
2008-01-31 23:46:05 0 d-------- C:\Program Files (x86)\MA User Marked Database
2008-01-31 23:45:56 0 d-------- C:\Program Files (x86)\Motion Analyzer
2008-01-31 23:44:40 0 d-------- C:\Documents and Settings\Administrator\Application Data\Macromedia
2008-01-31 23:43:08 0 d-------- C:\Program Files (x86)\AutoCAD 2007
2008-01-31 23:42:51 0 d-------- C:\Program Files (x86)\Common Files\Autodesk Shared
2008-01-31 23:42:49 0 d-------- C:\Program Files (x86)\AnswerWorks 4.0
2008-01-31 23:40:36 0 d-------- C:\Program Files (x86)\proeWildfire
2008-01-31 23:38:52 0 d-------- C:\Documents and Settings\Administrator\Application Data\Autodesk
2008-01-31 23:37:44 0 d-------- C:\Program Files (x86)\Autodesk
2008-01-31 23:35:58 0 d-------- C:\Program Files (x86)\Acro Software
2008-01-31 23:35:22 0 d-------- C:\Program Files (x86)\Innotiv Spekan Batch Tool
2008-01-31 23:22:03 19739 --a------ C:\license.dat
2008-01-31 23:17:52 0 d-------- C:\Program Files (x86)\Realtek
2008-01-31 23:16:43 0 d-------- C:\Documents and Settings\Administrator\Application Data\ATI
2008-01-31 23:07:42 0 d-------- C:\Program Files (x86)\MSXML 6.0
2008-01-31 22:48:45 0 d-------- C:\Program Files (x86)\MSBuild
2008-01-31 22:44:53 0 d-------- C:\Program Files (x86)\Reference Assemblies
2008-01-31 22:22:11 0 d-------- C:\Documents and Settings\Administrator\Application Data\InstallShield
2008-01-31 22:19:49 0 d-------- C:\Documents and Settings\Administrator\Application Data\Identities
2008-01-31 22:15:32 0 d-------- C:\Program Files (x86)\system
2008-01-31 22:15:32 0 d-------- C:\Program Files (x86)\speechengines
2008-01-31 22:15:32 0 d-------- C:\Program Files (x86)\microsoft shared
2008-01-31 22:15:21 0 -rahs---- C:\MSDOS.SYS
2008-01-31 22:15:21 0 -rahs---- C:\IO.SYS
2008-01-31 22:15:21 0 --a------ C:\CONFIG.SYS
2008-01-31 21:19:32 0 d-------- C:\Program Files (x86)\Movie Maker
2008-01-31 21:19:20 0 d-------- C:\Program Files (x86)\Windows Media Player[Strings]
2008-01-31 21:18:12 0 d-------- C:\Program Files (x86)\MSN Gaming Zone
2008-01-31 21:17:37 0 d-------- C:\Program Files (x86)\Windows NT
2008-01-31 16:09:27 62 --ahs---- C:\Documents and Settings\Administrator\Application Data\desktop.ini
2008-01-31 14:59:56 0 d-------- C:\Program Files (x86)\Common Files\ODBC
2008-01-31 14:59:51 0 d-------- C:\Program Files (x86)\Common Files\SpeechEngines


-- Registry Dump ---------------------------------------------------------------



-- End of Deckard's System Scanner: finished at 2008-03-21 08:37:49 ------------

Deckard's System Scanner v20071014.68
Extra logfile - please post this as an attachment with your post.
--------------------------------------------------------------------------------

-- System Information ----------------------------------------------------------

Microsoft® Windows® XP Professional x64 Edition (build 3790) SP 2.0
Architecture: X64; Language: English

CPU 0: Intel® Core™2 Quad CPU Q6600 @ 2.40GHz
CPU 1: Intel® Core™2 Quad CPU Q6600 @ 2.40GHz
CPU 2: Intel® Core™2 Quad CPU Q6600 @ 2.40GHz
CPU 3: Intel® Core™2 Quad CPU Q6600 @ 2.40GHz
Percentage of Memory in Use: 11%
Physical Memory (total/avail): 8190.25 MiB / 7260.64 MiB
Pagefile Memory (total/avail): 9806.72 MiB / 9275.27 MiB
Virtual Memory (total/avail): 4095.88 MiB / 3947.74 MiB

A: is Removable (No Media)
C: is Fixed (NTFS) - 69.24 GiB total, 43.92 GiB free.
D: is CDROM (No Media)

\\.\PHYSICALDRIVE0 - WDC WD740ADFD-00NLR5 - 69.24 GiB - 1 partition
\PARTITION0 (bootable) - Installable File System - 69.24 GiB - C:



-- Security Center -------------------------------------------------------------

Windows Internal Firewall is enabled.

[HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"C:\\Program Files (x86)\\proeWildfire\\i486_nt\\nms\\nmsd.exe"="C:\\Program Files (x86)\\proeWildfire\\i486_nt\\nms\\nmsd.exe:*:Disabled:nmsd"
"C:\\Program Files (x86)\\proeWildfire\\i486_nt\\obj\\xtop.exe"="C:\\Program Files (x86)\\proeWildfire\\i486_nt\\obj\\xtop.exe:*:Disabled:xtop"
"C:\\Program Files (x86)\\proeWildfire\\i486_nt\\obj\\pro_comm_msg.exe"="C:\\Program Files (x86)\\proeWildfire\\i486_nt\\obj\\pro_comm_msg.exe:*:Disabled:pro_comm_msg"
"C:\\Program Files (x86)\\Pinnacle\\Studio 10\\programs\\RM.exe"="C:\\Program Files (x86)\\Pinnacle\\Studio 10\\programs\\RM.exe:*:Enabled:Render Manager"
"C:\\Program Files (x86)\\Pinnacle\\Studio 10\\programs\\Studio.exe"="C:\\Program Files (x86)\\Pinnacle\\Studio 10\\programs\\Studio.exe:*:Enabled:Studio"
"C:\\Program Files (x86)\\Pinnacle\\Studio 10\\programs\\PMSRegisterFile.exe"="C:\\Program Files (x86)\\Pinnacle\\Studio 10\\programs\\PMSRegisterFile.exe:*:Enabled:PMSRegisterFile"
"C:\\Program Files (x86)\\Pinnacle\\Studio 10\\programs\\umi.exe"="C:\\Program Files (x86)\\Pinnacle\\Studio 10\\programs\\umi.exe:*:Enabled:umi"
"C:\\Program Files (x86)\\Pinnacle\\Studio 11\\programs\\RM.exe"="C:\\Program Files (x86)\\Pinnacle\\Studio 11\\programs\\RM.exe:*:Enabled:Render Manager"
"C:\\Program Files (x86)\\Pinnacle\\Studio 11\\programs\\Studio.exe"="C:\\Program Files (x86)\\Pinnacle\\Studio 11\\programs\\Studio.exe:*:Enabled:Studio"
"C:\\Program Files (x86)\\Pinnacle\\Studio 11\\programs\\PMSRegisterFile.exe"="C:\\Program Files (x86)\\Pinnacle\\Studio 11\\programs\\PMSRegisterFile.exe:*:Enabled:PMSRegisterFile"
"C:\\Program Files (x86)\\Pinnacle\\Studio 11\\programs\\umi.exe"="C:\\Program Files (x86)\\Pinnacle\\Studio 11\\programs\\umi.exe:*:Enabled:umi"

[HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"C:\\Documents and Settings\\Administrator\\Local Settings\\Temp\\ptcE_tmp.exe"="C:\\Documents and Settings\\Administrator\\Local Settings\\Temp\\ptcE_tmp.exe:*:Enabled:ptcE_tmp"
"C:\\Program Files (x86)\\proeWildfire\\i486_nt\\nms\\nmsd.exe"="C:\\Program Files (x86)\\proeWildfire\\i486_nt\\nms\\nmsd.exe:*:Disabled:nmsd"
"C:\\Program Files (x86)\\proeWildfire\\i486_nt\\obj\\xtop.exe"="C:\\Program Files (x86)\\proeWildfire\\i486_nt\\obj\\xtop.exe:*:Disabled:xtop"
"C:\\Program Files (x86)\\proeWildfire\\i486_nt\\obj\\pro_comm_msg.exe"="C:\\Program Files (x86)\\proeWildfire\\i486_nt\\obj\\pro_comm_msg.exe:*:Disabled:pro_comm_msg"


-- Environment Variables -------------------------------------------------------

ALLUSERSPROFILE=C:\Documents and Settings\All Users.WINDOWS
APPDATA=C:\Documents and Settings\Administrator\Application Data
CLIENTNAME=Console
CommonProgramFiles=C:\Program Files (x86)\Common Files
CommonProgramFiles(x86)=C:\Program Files (x86)\Common Files
CommonProgramW6432=C:\Program Files\Common Files
COMPUTERNAME=D21
ComSpec=C:\WINDOWS\system32\cmd.exe
FP_NO_HOST_CHECK=NO
HOMEDRIVE=C:
HOMEPATH=\Documents and Settings\Administrator
LOGONSERVER=\\D21
NUMBER_OF_PROCESSORS=4
OS=Windows_NT
Path=C:\WINDOWS\system32;C:\WINDOWS;C:\WINDOWS\System32\Wbem;C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static;C:\Program Files (x86)\proeWildfire\bin;C:\Program Files (x86)\Common Files\Adobe\AGL;C:\Program Files (x86)\Pinnacle\Shared Files\;C:\Program Files (x86)\Pinnacle\Shared Files\Filter
PATHEXT=.COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH
PROCESSOR_ARCHITECTURE=x86
PROCESSOR_ARCHITEW6432=AMD64
PROCESSOR_IDENTIFIER=EM64T Family 6 Model 15 Stepping 11, GenuineIntel
PROCESSOR_LEVEL=6
PROCESSOR_REVISION=0f0b
ProgramFiles=C:\Program Files (x86)
ProgramFiles(x86)=C:\Program Files (x86)
ProgramW6432=C:\Program Files
PROMPT=$P$G
SESSIONNAME=Console
SystemDrive=C:
SystemRoot=C:\WINDOWS
TEMP=C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp
TMP=C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp
USERDOMAIN=D21
USERNAME=fairoot
USERPROFILE=C:\Documents and Settings\Administrator
windir=C:\WINDOWS


-- User Profiles ---------------------------------------------------------------

eric.henschke (update central, admin)
fairoot (new local, admin, net ready)
Administrator (admin)


-- Add/Remove Programs ---------------------------------------------------------

--> C:\Program Files (x86)\Nero\Nero 7\nero\uninstall\UNNERO.exe /UNINSTALL
--> C:\WINDOWS\UNNeroMediaHome.exe /UNINSTALL
--> C:\WINDOWS\UNNeroShowTime.exe /UNINSTALL
--> C:\WINDOWS\UNNeroVision.exe /UNINSTALL
2007 Micro
  • 0

#4
sage5

sage5

    RIP 10/2009

  • Retired Staff
  • 2,646 posts
Hi henschke,

The Extra log file got cut off at

--> C:\WINDOWS\UNNeroVision.exe /UNINSTALL
2007 Micro

Can you send me the rest of that log please.

Cheers,

sage5
  • 0

#5
henschke

henschke

    Member

  • Topic Starter
  • Member
  • PipPip
  • 10 posts
Sorry about that... here is the remaining portion of the extra log:

2007 Microsoft Office system --> "C:\Program Files (x86)\Common Files\Microsoft Shared\OFFICE12\Office Setup Controller\setup.exe" /uninstall PROHYBRIDR /dll OSETUP.DLL
Adobe Bridge 1.0 --> MsiExec.exe /I{B74D4E10-1033-0000-0000-000000000001}
Adobe Common File Installer --> MsiExec.exe /I{8EDBA74D-0686-4C99-BFDD-F894678E5B39}
Adobe Help Center 1.0 --> MsiExec.exe /I{E9787678-1033-0000-8E67-000000000001}
Adobe Illustrator CS2 --> msiexec /I {B2F5D08C-7E79-4FCD-AAF4-57AD35FF0601}
Adobe Photoshop CS2 --> msiexec /I {236BB7C4-4419-42FD-0409-1E257A25E34D}
Adobe Reader 8.1.2 --> MsiExec.exe /I{AC76BA86-7AD7-1033-7B44-A81200000003}
Adobe Stock Photos 1.0 --> MsiExec.exe /I{786C5747-1033-0000-B58E-000000000001}
Adobe SVG Viewer 3.0 --> C:\Program Files (x86)\Common Files\Adobe\SVG Viewer 3.0\Uninstall\Winstall.exe -u -fC:\Program Files (x86)\Common Files\Adobe\SVG Viewer 3.0\Uninstall\Install.log
AutoCAD 2007 - English --> MsiExec.exe /I{5783F2D7-5001-0409-0002-0060B0CE6BBA}
Autodesk DWF Viewer --> C:\PROGRA~2\Autodesk\AUTODE~1\Setup.exe /remove /q0
AVG Anti-Spyware 7.5 --> C:\Program Files (x86)\Grisoft\AVG Anti-Spyware 7.5\Uninstall.exe
eDrawings 2008 --> MsiExec.exe /I{1F40F8F1-B4BC-4A5B-B1A6-363FBDD30F0C}
HijackThis 2.0.2 --> "C:\Program Files (x86)\Trend Micro\HijackThis\HijackThis.exe" /uninstall
Innotiv Spekan Batch Tool 3.2 --> "C:\Program Files (x86)\Innotiv Spekan Batch Tool\unins000.exe"
Logitech SetPoint --> C:\Program Files (x86)\InstallShield Installation Information\{F29B21BD-CAA6-445F-8EF7-A7E2B9D8B14E}\setup.exe -runfromtemp -l0x0009 -removeonly
Microsoft .NET Framework 1.1 --> msiexec.exe /X {CB2F7EDD-9D1F-43C1-90FC-4F52EAE172A1}
Microsoft .NET Framework 1.1 --> MsiExec.exe /X{CB2F7EDD-9D1F-43C1-90FC-4F52EAE172A1}
Microsoft .NET Framework 1.1 Hotfix (KB928366) --> "C:\WINDOWS\Microsoft.NET\Framework\v1.1.4322\Updates\hotfix.exe" "C:\WINDOWS\Microsoft.NET\Framework\v1.1.4322\Updates\M928366\M928366Uninstall.msp"
Microsoft Office Access MUI (English) 2007 --> MsiExec.exe /X{90120000-0015-0409-0000-0000000FF1CE}
Microsoft Office Access Setup Metadata MUI (English) 2007 --> MsiExec.exe /X{90120000-0117-0409-0000-0000000FF1CE}
Microsoft Office Excel MUI (English) 2007 --> MsiExec.exe /X{90120000-0016-0409-0000-0000000FF1CE}
Microsoft Office Outlook 2003 --> MsiExec.exe /I{90E00409-6000-11D3-8CFE-0150048383C9}
Microsoft Office Outlook MUI (English) 2007 --> MsiExec.exe /X{90120000-001A-0409-0000-0000000FF1CE}
Microsoft Office PowerPoint MUI (English) 2007 --> MsiExec.exe /X{90120000-0018-0409-0000-0000000FF1CE}
Microsoft Office Professional Hybrid 2007 --> MsiExec.exe /X{91120000-0031-0000-0000-0000000FF1CE}
Microsoft Office Proof (English) 2007 --> MsiExec.exe /X{90120000-001F-0409-0000-0000000FF1CE}
Microsoft Office Proof (French) 2007 --> MsiExec.exe /X{90120000-001F-040C-0000-0000000FF1CE}
Microsoft Office Proof (Spanish) 2007 --> MsiExec.exe /X{90120000-001F-0C0A-0000-0000000FF1CE}
Microsoft Office Proofing (English) 2007 --> MsiExec.exe /X{90120000-002C-0409-0000-0000000FF1CE}
Microsoft Office Publisher MUI (English) 2007 --> MsiExec.exe /X{90120000-0019-0409-0000-0000000FF1CE}
Microsoft Office Shared MUI (English) 2007 --> MsiExec.exe /X{90120000-006E-0409-0000-0000000FF1CE}
Microsoft Office Shared Setup Metadata MUI (English) 2007 --> MsiExec.exe /X{90120000-0115-0409-0000-0000000FF1CE}
Microsoft Office Word MUI (English) 2007 --> MsiExec.exe /X{90120000-001B-0409-0000-0000000FF1CE}
Microsoft Visual C++ 2005 Redistributable --> MsiExec.exe /X{A49F249F-0C91-497F-86DF-B2585E8E76B7}
Motion Analyzer --> RunDll32 C:\PROGRA~2\COMMON~1\INSTAL~1\PROFES~1\RunTime\11\00\Intel32\Ctor.dll,LaunchSetup "C:\Program Files (x86)\InstallShield Installation Information\{29C7673B-E6BD-4F53-8D13-11B562A56C76}\setup.exe" -l0x9 -removeonly
Mozilla Firefox (2.0.0.11) --> C:\Program Files (x86)\Mozilla Firefox\uninstall\helper.exe
MSXML 4.0 SP2 (KB936181) --> MsiExec.exe /I{C04E32E0-0416-434D-AFB9-6969D703A9EF}
Nero 7 Essentials --> MsiExec.exe /X{1C00A3F1-6DA0-49F8-94E4-01AB6FC01033}
Panda ActiveScan --> C:\WINDOWS\system32\ASUninst.exe Panda ActiveScan
Pro/ENGINEER Release Wildfire Datecode M210 --> "C:\Program Files (x86)\proeWildfire\uninstall\i486_nt\obj\psuninst.exe" "C:\Program Files (x86)\proeWildfire\uninstall\instlog.txt"
Realtek High Definition Audio Driver --> RunDll32 C:\PROGRA~2\COMMON~1\INSTAL~1\PROFES~1\RunTime\11\50\Intel32\Ctor.dll,LaunchSetup "C:\Program Files (x86)\InstallShield Installation Information\{F132AF7F-7BCA-4EDE-8A7C-958108FE7DBC}\setup.exe" -l0x9 -removeonly
Security Update for Windows XP (KB923789) --> C:\WINDOWS\system32\MacroMed\Flash\genuinst.exe C:\WINDOWS\system32\MacroMed\Flash\KB923789.inf
Studio 11 --> C:\Program Files (x86)\InstallShield Installation Information\{110B1ADF-2EAE-4E8F-B501-D2A1E6D8ED9D}\Setup2.exe -runfromtemp -l0x0009 UNINSTALL -removeonly
SUPERAntiSpyware Free Edition --> MsiExec.exe /X{CDDCBBF1-2703-46BC-938B-BCC81A1EEAAA}
Trend Micro Client/Server Security Agent --> "C:\Program Files (x86)\Trend Micro\Client Server Security Agent\ntrmv.exe"
Yahoo! Desktop Login --> MsiExec.exe /I{F9AEEC34-CF00-4CBD-9E36-DF9DC4002685}


-- Application Event Log -------------------------------------------------------

Event Record #/Type1770 / Error
Event Submitted/Written: 03/21/2008 08:34:13 AM
Event ID/Source: 1030 / Userenv
Event Description:
Windows cannot query for the list of Group Policy objects. Check the event log for possible messages previously logged by the policy engine that describes the reason for this.

Event Record #/Type1769 / Warning
Event Submitted/Written: 03/21/2008 08:33:56 AM
Event ID/Source: 32068 / Microsoft Fax
Event Description:
**

Event Record #/Type1768 / Warning
Event Submitted/Written: 03/21/2008 08:33:56 AM
Event ID/Source: 32026 / Microsoft Fax
Event Description:


Event Record #/Type1764 / Error
Event Submitted/Written: 03/21/2008 08:27:51 AM
Event ID/Source: 8211 / VSS
Event Description:
WMI Writer{a6ad56c2-b509-4e6c-bb19-49d8f43532f0}

Event Record #/Type1761 / Error
Event Submitted/Written: 03/21/2008 08:09:37 AM
Event ID/Source: 1030 / Userenv
Event Description:
Windows cannot query for the list of Group Policy objects. Check the event log for possible messages previously logged by the policy engine that describes the reason for this.



-- Security Event Log ----------------------------------------------------------

No Errors/Warnings found.


-- System Event Log ------------------------------------------------------------

Event Record #/Type4831 / Warning
Event Submitted/Written: 03/21/2008 08:37:21 AM
Event ID/Source: 3004 / WinDefend
Event Description:
%D2127 Real-Time Protection agent has detected changes. Microsoft recommends you analyze the software that made these changes for potential risks. You can use information about how these programs operate to choose whether to allow them to run or remove them from your computer. Allow changes only if you trust the program or the software publisher. %D2127 can't undo changes that you allow.

For more information please see the following:
%D21275

Scan ID: {75834D5B-0425-43D1-833B-076DED20DAD2}

User: D21\fairoot

Name: %D21271

ID: %D21272

Severity: 1.1.1593.05

Category: 1.1.1593.06

Path Found: %D21276

Alert Type: %D21278

Detection Type: 1.1.1593.02

Event Record #/Type4830 / Warning
Event Submitted/Written: 03/21/2008 08:37:19 AM
Event ID/Source: 3004 / WinDefend
Event Description:
%D2127 Real-Time Protection agent has detected changes. Microsoft recommends you analyze the software that made these changes for potential risks. You can use information about how these programs operate to choose whether to allow them to run or remove them from your computer. Allow changes only if you trust the program or the software publisher. %D2127 can't undo changes that you allow.

For more information please see the following:
%D21275

Scan ID: {C3884703-C0F1-4C68-839F-8F30BFD76799}

User: D21\fairoot

Name: %D21271

ID: %D21272

Severity: 1.1.1593.05

Category: 1.1.1593.06

Path Found: %D21276

Alert Type: %D21278

Detection Type: 1.1.1593.02

Event Record #/Type4829 / Warning
Event Submitted/Written: 03/21/2008 08:37:19 AM
Event ID/Source: 3004 / WinDefend
Event Description:
%D2127 Real-Time Protection agent has detected changes. Microsoft recommends you analyze the software that made these changes for potential risks. You can use information about how these programs operate to choose whether to allow them to run or remove them from your computer. Allow changes only if you trust the program or the software publisher. %D2127 can't undo changes that you allow.

For more information please see the following:
%D21275

Scan ID: {A1C127D0-C4BB-4D8F-BB35-1282C384BBB4}

User: D21\fairoot

Name: %D21271

ID: %D21272

Severity: 1.1.1593.05

Category: 1.1.1593.06

Path Found: %D21276

Alert Type: %D21278

Detection Type: 1.1.1593.02

Event Record #/Type4828 / Warning
Event Submitted/Written: 03/21/2008 08:37:19 AM
Event ID/Source: 3004 / WinDefend
Event Description:
%D2127 Real-Time Protection agent has detected changes. Microsoft recommends you analyze the software that made these changes for potential risks. You can use information about how these programs operate to choose whether to allow them to run or remove them from your computer. Allow changes only if you trust the program or the software publisher. %D2127 can't undo changes that you allow.

For more information please see the following:
%D21275

Scan ID: {382ABE47-7A1A-4696-83C2-7C89464A5622}

User: D21\fairoot

Name: %D21271

ID: %D21272

Severity: 1.1.1593.05

Category: 1.1.1593.06

Path Found: %D21276

Alert Type: %D21278

Detection Type: 1.1.1593.02

Event Record #/Type4827 / Warning
Event Submitted/Written: 03/21/2008 08:37:19 AM
Event ID/Source: 3004 / WinDefend
Event Description:
%D2127 Real-Time Protection agent has detected changes. Microsoft recommends you analyze the software that made these changes for potential risks. You can use information about how these programs operate to choose whether to allow them to run or remove them from your computer. Allow changes only if you trust the program or the software publisher. %D2127 can't undo changes that you allow.

For more information please see the following:
%D21275

Scan ID: {233EEC1F-2843-41FF-A7A9-B36FD808DE6D}

User: D21\fairoot

Name: %D21271

ID: %D21272

Severity: 1.1.1593.05

Category: 1.1.1593.06

Path Found: %D21276

Alert Type: %D21278

Detection Type: 1.1.1593.02



-- End of Deckard's System Scanner: finished at 2008-03-21 08:37:49 ------------
  • 0

#6
sage5

sage5

    RIP 10/2009

  • Retired Staff
  • 2,646 posts
Hi henschke,


Let's see if we can get this scanner to run on your 64-bit setup.

Download the following & save to your Desktop:
a-squared Command Line Scanner

Install:
  • Using My Computer, Browse to C:\ drive (This must be the drive that your Windows folder is in, usually C:\)
  • Create a new folder named A2
  • Extract the a2cmd.zip file, on your Desktop, to that folder.

Create the batch file:
  • Open a new Notepad window
  • Copy all the text from the Code box below & Paste it into Notepad

    @echo off
    rem Update the a-squared Command Line Scanner signatures first
    %HOMEDRIVE%\A2\a2cmd /u
    rem Full scan of C:\ (memory, traces, cookies, heuristics, archives), log written to A2\log.txt
    %HOMEDRIVE%\A2\a2cmd /f="C:\" /m /t /c /h /r /a /n /q /l=%HOMEDRIVE%\A2\log.txt
    rem Open the finished log in the default text editor (Notepad)
    %HOMEDRIVE%\A2\log.txt
    exit
  • Save the file, using the following settings:
    • Set the Save in to the Desktop
    • Make sure that Save as type is set to All files
    • Name the file a2cmd.bat
  • Double click a2cmd.bat

    First the scanner will update itself using the latest signatures. Then the scan will start.
    BE WARNED, this is an extensive scan & will take up to 20 mins.
  • When the scan is completed the log file created will open in Notepad
  • Copy & Paste the text from this file, as your next reply.

Cheers,

sage5
  • 0

#7
henschke

henschke

    Member

  • Topic Starter
  • Member
  • PipPip
  • 10 posts
Here is the log file as requested:

a-squared Command Line Scanner - Version 3.0
Last update: N/A

Scan settings:

Objects: Memory, Traces, Cookies, C:\
Scan archives: On
Heuristics: On
ADS Scan: On

Scan start: 3/24/2008 8:05:22 AM

c:\program files (x86)\akl detected: Trace.Directory.AbsoluteKeyLogger
c:\program files (x86)\inet delivery detected: Trace.Directory.InternetDelivery
c:\windows\mslagent\2_mslagent.dll detected: Trace.File.Wintrim
c:\windows\mslagent\mslagent.exe detected: Trace.File.Wintrim
c:\windows\mslagent\uninstall.exe detected: Trace.File.Wintrim
Key: HKEY_CLASSES_ROOT\clsid\{0e1230f8-ea50-42a9-983c-d22abc2eeb4c} detected: Trace.Registry.AroundWeb
Key: HKEY_CLASSES_ROOT\clsid\{000000da-0786-4633-87c6-1aa7a4429ef1} detected: Trace.Registry.Emesx.dll
Key: HKEY_CLASSES_ROOT\clsid\{b8c0220d-763d-49a4-95f4-61dfdec66ee6} detected: Trace.Registry.MediaUpdate
Key: HKEY_LOCAL_MACHINE\software\classes\clsid\{b8c0220d-763d-49a4-95f4-61dfdec66ee6} detected: Trace.Registry.MediaUpdate
Key: HKEY_CLASSES_ROOT\clsid\{9dd4258a-7138-49c4-8d34-587879a5c7a4} detected: Trace.Registry.MSNSmartTags
Key: HKEY_LOCAL_MACHINE\software\classes\clsid\{9dd4258a-7138-49c4-8d34-587879a5c7a4} detected: Trace.Registry.MSNSmartTags
Key: HKEY_CLASSES_ROOT\clsid\{c3bcc488-1ae7-11d4-ab82-0010a4ec2338} detected: Trace.Registry.VividenceConnector
Key: HKEY_LOCAL_MACHINE\software\classes\clsid\{c3bcc488-1ae7-11d4-ab82-0010a4ec2338} detected: Trace.Registry.VividenceConnector
c:\documents and settings\eric.henschke\application data\pc-cleaner detected: Trace.Directory.PC-Cleaner
c:\program files (x86)\pc-cleaner detected: Trace.Directory.PC-Cleaner
C:\Documents and Settings\eric.henschke\Cookies\eric.henschke@2o7[1].txt detected: Trace.TrackingCookie
C:\Documents and Settings\eric.henschke\Cookies\eric.henschke@2o7[2].txt detected: Trace.TrackingCookie
C:\Documents and Settings\eric.henschke\Cookies\eric.henschke@aboutus[1].txt detected: Trace.TrackingCookie
C:\Documents and Settings\eric.henschke\Cookies\eric.henschke@about[1].txt detected: Trace.TrackingCookie
C:\Documents and Settings\eric.henschke\Cookies\eric.henschke@advertising[1].txt detected: Trace.TrackingCookie
C:\Documents and Settings\eric.henschke\Cookies\eric.henschke@advertising[2].txt detected: Trace.TrackingCookie
C:\Documents and Settings\eric.henschke\Cookies\eric.henschke@advertising[3].txt detected: Trace.TrackingCookie
C:\Documents and Settings\eric.henschke\Cookies\eric.henschke@atdmt[1].txt detected: Trace.TrackingCookie
C:\Documents and Settings\eric.henschke\Cookies\eric.henschke@atdmt[2].txt detected: Trace.TrackingCookie
C:\Documents and Settings\eric.henschke\Cookies\eric.henschke@atdmt[3].txt detected: Trace.TrackingCookie
C:\Documents and Settings\eric.henschke\Cookies\eric.henschke@bfast[1].txt detected: Trace.TrackingCookie
C:\Documents and Settings\eric.henschke\Cookies\eric.henschke@bizrate[2].txt detected: Trace.TrackingCookie
C:\Documents and Settings\eric.henschke\Cookies\eric.henschke@burstnet[2].txt detected: Trace.TrackingCookie
C:\Documents and Settings\eric.henschke\Cookies\eric.henschke@casalemedia[1].txt detected: Trace.TrackingCookie
C:\Documents and Settings\eric.henschke\Cookies\eric.henschke@casalemedia[2].txt detected: Trace.TrackingCookie
C:\Documents and Settings\eric.henschke\Cookies\eric.henschke@casalemedia[3].txt detected: Trace.TrackingCookie
C:\Documents and Settings\eric.henschke\Cookies\eric.henschke@computerhope[2].txt detected: Trace.TrackingCookie
C:\Documents and Settings\eric.henschke\Cookies\[email protected][1].txt detected: Trace.TrackingCookie
C:\Documents and Settings\eric.henschke\Cookies\eric.henschke@com[1].txt detected: Trace.TrackingCookie
C:\Documents and Settings\eric.henschke\Cookies\eric.henschke@com[2].txt detected: Trace.TrackingCookie
C:\Documents and Settings\eric.henschke\Cookies\eric.henschke@com[3].txt detected: Trace.TrackingCookie
C:\Documents and Settings\eric.henschke\Cookies\eric.henschke@com[4].txt detected: Trace.TrackingCookie
C:\Documents and Settings\eric.henschke\Cookies\[email protected][1].txt detected: Trace.TrackingCookie
C:\Documents and Settings\eric.henschke\Cookies\[email protected][1].txt detected: Trace.TrackingCookie
C:\Documents and Settings\eric.henschke\Cookies\[email protected][2].txt detected: Trace.TrackingCookie
C:\Documents and Settings\eric.henschke\Cookies\eric.henschke@doubleclick[1].txt detected: Trace.TrackingCookie
C:\Documents and Settings\eric.henschke\Cookies\eric.henschke@doubleclick[2].txt detected: Trace.TrackingCookie
C:\Documents and Settings\eric.henschke\Cookies\eric.henschke@doubleclick[3].txt detected: Trace.TrackingCookie
C:\Documents and Settings\eric.henschke\Cookies\eric.henschke@doubleclick[4].txt detected: Trace.TrackingCookie
C:\Documents and Settings\eric.henschke\Cookies\[email protected][1].txt detected: Trace.TrackingCookie
C:\Documents and Settings\eric.henschke\Cookies\[email protected][1].txt detected: Trace.TrackingCookie
C:\Documents and Settings\eric.henschke\Cookies\[email protected][1].txt detected: Trace.TrackingCookie
C:\Documents and Settings\eric.henschke\Cookies\[email protected][1].txt detected: Trace.TrackingCookie
C:\Documents and Settings\eric.henschke\Cookies\eric.henschke@fastclick[1].txt detected: Trace.TrackingCookie
C:\Documents and Settings\eric.henschke\Cookies\eric.henschke@fastclick[2].txt detected: Trace.TrackingCookie
C:\Documents and Settings\eric.henschke\Cookies\eric.henschke@fastclick[3].txt detected: Trace.TrackingCookie
C:\Documents and Settings\eric.henschke\Cookies\[email protected][2].txt detected: Trace.TrackingCookie
C:\Documents and Settings\eric.henschke\Cookies\eric.henschke@hitbox[2].txt detected: Trace.TrackingCookie
C:\Documents and Settings\eric.henschke\Cookies\eric.henschke@hitbox[3].txt detected: Trace.TrackingCookie
C:\Documents and Settings\eric.henschke\Cookies\eric.henschke@hitbox[4].txt detected: Trace.TrackingCookie
C:\Documents and Settings\eric.henschke\Cookies\eric.henschke@indextools[1].txt detected: Trace.TrackingCookie
C:\Documents and Settings\eric.henschke\Cookies\eric.henschke@linkconnector[2].txt detected: Trace.TrackingCookie
C:\Documents and Settings\eric.henschke\Cookies\[email protected][1].txt detected: Trace.TrackingCookie
C:\Documents and Settings\eric.henschke\Cookies\eric.henschke@mediacomcc[1].txt detected: Trace.TrackingCookie
C:\Documents and Settings\eric.henschke\Cookies\eric.henschke@mediaplex[1].txt detected: Trace.TrackingCookie
C:\Documents and Settings\eric.henschke\Cookies\eric.henschke@mediaplex[2].txt detected: Trace.TrackingCookie
C:\Documents and Settings\eric.henschke\Cookies\eric.henschke@pricegrabber[2].txt detected: Trace.TrackingCookie
C:\Documents and Settings\eric.henschke\Cookies\eric.henschke@questionmarket[1].txt detected: Trace.TrackingCookie
C:\Documents and Settings\eric.henschke\Cookies\eric.henschke@questionmarket[2].txt detected: Trace.TrackingCookie
C:\Documents and Settings\eric.henschke\Cookies\eric.henschke@realmedia[2].txt detected: Trace.TrackingCookie
C:\Documents and Settings\eric.henschke\Cookies\eric.henschke@realmedia[3].txt detected: Trace.TrackingCookie
C:\Documents and Settings\eric.henschke\Cookies\eric.henschke@revenue[2].txt detected: Trace.TrackingCookie
C:\Documents and Settings\eric.henschke\Cookies\eric.henschke@revenue[3].txt detected: Trace.TrackingCookie
C:\Documents and Settings\eric.henschke\Cookies\[email protected][1].txt detected: Trace.TrackingCookie
C:\Documents and Settings\eric.henschke\Cookies\[email protected][2].txt detected: Trace.TrackingCookie
C:\Documents and Settings\eric.henschke\Cookies\[email protected][3].txt detected: Trace.TrackingCookie
C:\Documents and Settings\eric.henschke\Cookies\[email protected][4].txt detected: Trace.TrackingCookie
C:\Documents and Settings\eric.henschke\Cookies\[email protected][5].txt detected: Trace.TrackingCookie
C:\Documents and Settings\eric.henschke\Cookies\[email protected][7].txt detected: Trace.TrackingCookie
C:\Documents and Settings\eric.henschke\Cookies\eric.henschke@serving-sys[1].txt detected: Trace.TrackingCookie
C:\Documents and Settings\eric.henschke\Cookies\eric.henschke@specificclick[2].txt detected: Trace.TrackingCookie
C:\Documents and Settings\eric.henschke\Cookies\eric.henschke@specificclick[3].txt detected: Trace.TrackingCookie
C:\Documents and Settings\eric.henschke\Cookies\[email protected][1].txt detected: Trace.TrackingCookie
C:\Documents and Settings\eric.henschke\Cookies\[email protected][2].txt detected: Trace.TrackingCookie
C:\Documents and Settings\eric.henschke\Cookies\[email protected][1].txt detected: Trace.TrackingCookie
C:\Documents and Settings\eric.henschke\Cookies\[email protected][2].txt detected: Trace.TrackingCookie
C:\Documents and Settings\eric.henschke\Cookies\eric.henschke@superstats[1].txt detected: Trace.TrackingCookie
C:\Documents and Settings\eric.henschke\Cookies\eric.henschke@tradedoubler[1].txt detected: Trace.TrackingCookie
C:\Documents and Settings\eric.henschke\Cookies\eric.henschke@trafficmp[1].txt detected: Trace.TrackingCookie
C:\Documents and Settings\eric.henschke\Cookies\eric.henschke@tribalfusion[1].txt detected: Trace.TrackingCookie
C:\Documents and Settings\eric.henschke\Cookies\eric.henschke@tribalfusion[2].txt detected: Trace.TrackingCookie
C:\Documents and Settings\eric.henschke\Cookies\eric.henschke@tribalfusion[3].txt detected: Trace.TrackingCookie
C:\Documents and Settings\eric.henschke\Cookies\eric.henschke@zedo[1].txt detected: Trace.TrackingCookie
C:\Documents and Settings\eric.henschke\Cookies\eric.henschke@zedo[2].txt detected: Trace.TrackingCookie
C:\Documents and Settings\eric.henschke\Cookies\eric.henschke@zedo[4].txt detected: Trace.TrackingCookie
C:\DATA\SDFix.exe/Process.exe detected: Riskware.RiskTool.Win32.Processor.20
C:\DATA\SmitfraudFix\Process.exe detected: Riskware.RiskTool.Win32.Processor.20
C:\DATA\SmitfraudFix\Reboot.exe detected: Riskware.RiskTool.Win32.Reboot.f
C:\Documents and Settings\eric.henschke\Desktop\SmitfraudFix\Process.exe detected: Riskware.RiskTool.Win32.Processor.20
C:\Documents and Settings\eric.henschke\Desktop\SmitfraudFix\Reboot.exe detected: Riskware.RiskTool.Win32.Reboot.f
C:\SDFix\apps\Process.exe detected: Riskware.RiskTool.Win32.Processor.20
C:\System Volume Information\_restore{B646A482-6C74-4230-89E2-94015EA028D2}\RP100\A0024809.exe detected: Riskware.RiskTool.Win32.Processor.20
C:\System Volume Information\_restore{B646A482-6C74-4230-89E2-94015EA028D2}\RP100\A0024883.exe detected: Riskware.RiskTool.Win32.Processor.20
C:\System Volume Information\_restore{B646A482-6C74-4230-89E2-94015EA028D2}\RP100\A0024884.exe detected: Riskware.RiskTool.Win32.Reboot.f
C:\System Volume Information\_restore{B646A482-6C74-4230-89E2-94015EA028D2}\RP100\A0024946.exe detected: Riskware.RiskTool.Win32.Processor.20
C:\System Volume Information\_restore{B646A482-6C74-4230-89E2-94015EA028D2}\RP100\A0024947.exe detected: Riskware.RiskTool.Win32.Reboot.f
C:\System Volume Information\_restore{B646A482-6C74-4230-89E2-94015EA028D2}\RP100\A0024949.exe detected: Riskware.RiskTool.Win32.Processor.20
C:\System Volume Information\_restore{B646A482-6C74-4230-89E2-94015EA028D2}\RP98\A0024705.exe detected: Riskware.RiskTool.Win32.Processor.20
C:\System Volume Information\_restore{B646A482-6C74-4230-89E2-94015EA028D2}\RP98\A0024706.exe detected: Riskware.RiskTool.Win32.Reboot.f
C:\System Volume Information\_restore{B646A482-6C74-4230-89E2-94015EA028D2}\RP99\A0024731.exe detected: Adware.Win32.Agent.bm
C:\WINDOWS\system32\Process.exe detected: Riskware.RiskTool.Win32.Processor.20

Scanned

Files: 130205
Traces: 171685
Cookies: 636
Processes: 15

Found

Files: 16
Traces: 15
Cookies: 75
Processes: 0

Quarantined

Files: 15
Traces: 11
Cookies: 75
Processes: 0

Scan end: 3/24/2008 8:27:16 AM
Scan time: 0:21:54


Thanks Again!
  • 0

#8
sage5

sage5

    RIP 10/2009

  • Retired Staff
  • 2,646 posts
Hi henschke,

There seem to be some strange results in that Deckard's log:

2008-03-20 08:49:28 4096 --a------ C:\WINDOWS\SysWOW64Rundl1.exe
2008-03-20 08:49:28 4096 --a------ C:\WINDOWS\SysWOW64regm64.dll
2008-03-20 08:49:28 4096 --a------ C:\WINDOWS\SysWOW64regc64.dll
2008-03-20 08:49:28 4096 --a------ C:\WINDOWS\SysWOW64psoft1.exe
2008-03-20 08:49:28 4096 --a------ C:\WINDOWS\SysWOW64psof1.exe
2008-03-20 08:49:28 4096 --a------ C:\WINDOWS\SysWOW64ps1.exe
2008-03-20 08:49:28 4096 --a------ C:\WINDOWS\SysWOW64newsd32.exe
2008-03-20 08:49:28 4096 --a------ C:\WINDOWS\SysWOW64netode.exe
2008-03-20 08:49:28 4096 --a------ C:\WINDOWS\SysWOW64mwin32.exe
2008-03-20 08:49:28 4096 --a------ C:\WINDOWS\SysWOW64mtr2.exe
2008-03-20 08:49:28 4096 --a------ C:\WINDOWS\SysWOW64msvchost.exe
2008-03-20 08:49:28 4096 --a------ C:\WINDOWS\SysWOW64mssecu.exe
2008-03-20 08:49:28 4096 --a------ C:\WINDOWS\SysWOW64msnbho.dll
2008-03-20 08:49:28 4096 --a------ C:\WINDOWS\SysWOW64msgp.exe
2008-03-20 08:49:28 4096 --a------ C:\WINDOWS\SysWOW64medup020.dll
2008-03-20 08:49:28 4096 --a------ C:\WINDOWS\SysWOW64medup012.dll
2008-03-20 08:49:28 4096 --a------ C:\WINDOWS\SysWOW64hxiwlgpm.exe
2008-03-20 08:49:28 4096 --a------ C:\WINDOWS\SysWOW64hxiwlgpm.dat
2008-03-20 08:49:28 4096 --a------ C:\WINDOWS\SysWOW64hoproxy.dll
2008-03-20 08:49:28 4096 --a------ C:\WINDOWS\SysWOW64h@tkeysh@@k.dll
2008-03-20 08:49:28 4096 --a------ C:\WINDOWS\SysWOW64emesx.dll
2008-03-20 08:49:28 4096 --a------ C:\WINDOWS\SysWOW64dpcproxy.exe
2008-03-20 08:49:28 4096 --a------ C:\WINDOWS\SysWOW64bsva-egihsg52.exe
2008-03-20 08:49:28 4096 --a------ C:\WINDOWS\SysWOW64bdn.com
2008-03-20 08:49:28 4096 --a------ C:\WINDOWS\SysWOW64awtoolb.dll
2008-03-20 08:49:28 4096 --a------ C:\WINDOWS\SysWOW64anticipator.dll
2008-03-20 08:49:28 4096 --a------ C:\WINDOWS\SysWOW64akttzn.exe


Can you, using My Computer or Windows Explorer, check to see if these files have a "\" missing from their names?
e.g. They should be C:\WINDOWS\SysWOW64\Rundl1.exe (a file called Rundl1.exe in the C:\WINDOWS\SysWOW64 folder).

As they appear here it looks more like a file called SysWOW64Rundl1.exe in the C:\WINDOWS folder.

Please advise.

Cheers,

sage5
  • 0
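The check sage5 asks for above can be automated. The following Python script is an added example, not part of sage5's post or of any tool used in the thread: it parses lines in the layout of the Deckard's System Scanner entries quoted above, and for each logged path asks whether the file exists literally as written (a file in C:\WINDOWS whose name begins with "SysWOW64", which is how a masquerading filename looks), or only once the missing "\" is restored (the log dropped a separator), or not at all. The sample log lines, the directory tree and the names `SAMPLE_LOG`, `SYSTEM_DIRS`, `classify`, `audit` and `demo` are all constructed for the example; the tree is built in a temporary directory so the logic runs on any OS.

```python
import re
import tempfile
from pathlib import Path

# Constructed sample in the same layout as the DSS "recently created files"
# lines quoted in the thread (timestamp, size, attributes, path). The first two
# paths are of the kind sage5 asked about; the third is a normal SysWOW64 file.
SAMPLE_LOG = r"""
2008-03-20 08:49:28 4096 --a------ C:\WINDOWS\SysWOW64Rundl1.exe
2008-03-20 08:49:28 4096 --a------ C:\WINDOWS\SysWOW64regm64.dll
2008-03-20 08:49:28 4096 --a------ C:\WINDOWS\SysWOW64\ctfmon.exe
"""

LINE_RE = re.compile(r"^(\d{4}-\d\d-\d\d \d\d:\d\d:\d\d)\s+(\d+)\s+(\S+)\s+(.+)$")

# Directory names a filename could appear glued onto when a separator is dropped
# (assumed list for the example; extend as needed).
SYSTEM_DIRS = ("SysWOW64", "SysWow64", "system32", "System32")


def parse_dss_lines(text):
    """Yield (timestamp, size, attrs, path) for each well-formed log line."""
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            yield m.group(1), int(m.group(2)), m.group(3), m.group(4)


def separator_inserted(path):
    """If the last path component begins with a system-directory name that has
    no separator after it, return the path with that separator restored; else None."""
    parent, sep, name = path.rpartition("\\")
    if not sep:
        return None
    for d in SYSTEM_DIRS:
        if name.startswith(d) and len(name) > len(d):
            return f"{parent}\\{d}\\{name[len(d):]}"
    return None


def to_local(root, win_path):
    """Map 'C:\\WINDOWS\\...' onto a directory tree rooted at `root`, so the
    check can be exercised against a constructed tree on any OS."""
    _, _, rel = win_path.partition(":\\")
    return Path(root, *rel.split("\\"))


def classify(root, path):
    """Decide how a logged path relates to what is actually on disk.

    'glued-name' : exists exactly as logged, and the filename carries a
                   system-directory name with no separator (masquerading name)
    'in-subdir'  : nothing at the literal path, but the file exists once the
                   separator is restored (the log dropped a backslash)
    'literal'    : exists as logged and the name is unremarkable
    'missing'    : neither location exists
    """
    alt = separator_inserted(path)
    if to_local(root, path).is_file():
        return "glued-name" if alt else "literal"
    if alt and to_local(root, alt).is_file():
        return "in-subdir"
    return "missing"


def audit(log_text, root):
    """Return {logged_path: verdict} for every parsed line."""
    return {path: classify(root, path) for _, _, _, path in parse_dss_lines(log_text)}


def build_demo_tree(root):
    """Constructed tree: one glued-name file in WINDOWS, two files in SysWOW64."""
    win = Path(root, "WINDOWS")
    (win / "SysWOW64").mkdir(parents=True)
    (win / "SysWOW64Rundl1.exe").write_bytes(b"\0" * 4096)       # glued name
    (win / "SysWOW64" / "regm64.dll").write_bytes(b"\0" * 4096)  # separator dropped in log
    (win / "SysWOW64" / "ctfmon.exe").write_bytes(b"\0")         # normal file


def demo():
    """Build the constructed tree in a temp dir and audit SAMPLE_LOG against it."""
    with tempfile.TemporaryDirectory() as tmp:
        build_demo_tree(tmp)
        return audit(SAMPLE_LOG, tmp)


if __name__ == "__main__":
    for path, verdict in demo().items():
        print(f"{verdict:11} {path}")
```

On a real machine one would pass the actual drive root (for example `Path("C:/")`) and the pasted log text to `audit()` instead of the constructed tree; a `glued-name` verdict is worth a closer look, since legitimate Windows files do not carry a directory name fused into their filename, while `in-subdir` just means the log display lost a backslash.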

#9
henschke

henschke

    Member

  • Topic Starter
  • Member
  • PipPip
  • 10 posts
The log appears accurate. The log files in question do exist in the c:\windows directory (I have attached a screenshot showing some of the files). The folder c:\windows\syswow64 does also exist, but the files are not in it.

I also reran the Deckard Scan. The main log is posted below (it did not create a new extra log):

Deckard's System Scanner v20071014.68
Run by eric.henschke on 2008-03-25 08:23:55
Computer is in Normal Mode.
--------------------------------------------------------------------------------



-- HijackThis (run as eric.henschke.exe) ---------------------------------------

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 8:23:55 AM, on 3/25/2008
Platform: Windows 2003 SP2 (WinNT 5.02.3790)
MSIE: Internet Explorer v7.00 (7.00.6000.16608)
Boot mode: Normal

Running processes:
C:\Program Files (x86)\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\Program Files (x86)\Common Files\LightScribe\LSSrvc.exe
C:\Program Files (x86)\Trend Micro\Client Server Security Agent\tmlisten.exe
C:\Program Files (x86)\Trend Micro\Client Server Security Agent\OfcPfwSvc.exe
C:\WINDOWS\ujuhmjit.exe
C:\WINDOWS\RTHDCPL.EXE
C:\WINDOWS\SysWOW64\ctfmon.exe
C:\Program Files (x86)\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\Program Files (x86)\Trend Micro\Client Server Security Agent\pccntmon.exe
C:\WINDOWS\SysWow64\jtyzerqn.exe
C:\Program Files (x86)\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
C:\Program Files\Logitech\SetPoint\x86\SetPoint32.exe
C:\DATA\dss.exe
C:\PROGRA~2\TRENDM~1\HIJACK~1\ERICHE~1.EXE

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://companyweb
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://companyweb
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://companyweb
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft....k/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft....k/?LinkId=69157
F2 - REG:system.ini: UserInit=userinit
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O4 - HKLM\..\Run: [OfficeScanNT Monitor] "C:\Program Files (x86)\Trend Micro\Client Server Security Agent\pccntmon.exe" -HideWindow
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files (x86)\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [PinnacleDriverCheck] C:\WINDOWS\SysWow64\PSDrvCheck.exe -CheckReg
O4 - HKLM\..\Run: [ggfixigd] C:\WINDOWS\SysWow64\ggfixigd.exe
O4 - HKLM\..\Run: [jtyzerqn] C:\WINDOWS\SysWow64\jtyzerqn.exe
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files (x86)\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [LaunchList] C:\Program Files (x86)\Pinnacle\Studio 11\LaunchList2.exe
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files (x86)\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - HKLM\..\Policies\Explorer\Run: [DRA9ZDKmx1] C:\WINDOWS\ujuhmjit.exe
O4 - HKUS\S-1-5-19\..\RunOnce: [tscuninstall] %systemroot%\system32\tscupgrd.exe (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\RunOnce: [tscuninstall] %systemroot%\system32\tscupgrd.exe (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\RunOnce: [tscuninstall] %systemroot%\system32\tscupgrd.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\RunOnce: [tscuninstall] %systemroot%\system32\tscupgrd.exe (User 'Default user')
O4 - Startup: Adobe Gamma.lnk = C:\Program Files (x86)\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Logitech SetPoint.lnk = ?
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\Office10\EXCEL.EXE/3000
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~2\MICROS~2\Office12\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O15 - ESC Trusted Zone: http://runonce.msn.com
O16 - DPF: {106E49CF-797A-11D2-81A2-00E02C015623} (AlternaTIFF ActiveX) - http://www.alternati.../00/alttiff.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.micros...b?1201836176806
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoft...free/asinst.cab
O16 - DPF: {B1E2B96C-12FE-45E2-BEF1-44A219113CDD} (SABScanProcesses Class) - http://www.superadbl...ivex/sabspx.cab
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = fargoautomation.local
O17 - HKLM\System\CCS\Services\Tcpip\..\{2D9CC770-9F05-4CD2-AEA0-60EDA28FB161}: NameServer = 192.168.1.5,64.21.232.2
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = fargoautomation.local
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = fargoautomation.local
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files (x86)\SUPERAntiSpyware\SASWINLO.DLL
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files (x86)\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Autodesk Licensing Service - Autodesk - C:\Program Files (x86)\Common Files\Autodesk Shared\Service\AdskScSrv.exe
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files (x86)\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - Unknown owner - C:\WINDOWS\System32\dmadmin.exe (file missing)
O23 - Service: Event Log (Eventlog) - Unknown owner - C:\WINDOWS\system32\services.exe (file missing)
O23 - Service: Fax - Unknown owner - C:\WINDOWS\system32\fxssvc.exe (file missing)
O23 - Service: HTTP SSL (HTTPFilter) - Unknown owner - C:\WINDOWS\System32\lsass.exe (file missing)
O23 - Service: IMAPI CD-Burning COM Service (ImapiService) - Unknown owner - C:\WINDOWS\system32\imapi.exe (file missing)
O23 - Service: Logitech Bluetooth Service (LBTServ) - Logitech, Inc. - C:\Program Files\Common Files\Logitech\Bluetooth\LBTServ.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files (x86)\Common Files\LightScribe\LSSrvc.exe
O23 - Service: Distributed Transaction Coordinator (MSDTC) - Unknown owner - C:\WINDOWS\system32\msdtc.exe (file missing)
O23 - Service: Net Logon (Netlogon) - Unknown owner - C:\WINDOWS\system32\lsass.exe (file missing)
O23 - Service: NMIndexingService - Nero AG - C:\Program Files (x86)\Common Files\Ahead\Lib\NMIndexingService.exe
O23 - Service: NT LM Security Support Provider (NtLmSsp) - Unknown owner - C:\WINDOWS\system32\lsass.exe (file missing)
O23 - Service: Trend Micro Client/Server Security Agent RealTime Scan (ntrtscan) - Trend Micro Inc. - C:\Program Files (x86)\Trend Micro\Client Server Security Agent\ntrtscan.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - Unknown owner - C:\WINDOWS\system32\nvsvc64.exe (file missing)
O23 - Service: Trend Micro Client/Server Security Agent Personal Firewall (OfcPfwSvc) - Trend Micro Inc. - C:\Program Files (x86)\Trend Micro\Client Server Security Agent\OfcPfwSvc.exe
O23 - Service: Plug and Play (PlugPlay) - Unknown owner - C:\WINDOWS\system32\services.exe (file missing)
O23 - Service: IPSEC Services (PolicyAgent) - Unknown owner - C:\WINDOWS\system32\lsass.exe (file missing)
O23 - Service: Protected Storage (ProtectedStorage) - Unknown owner - C:\WINDOWS\system32\lsass.exe (file missing)
O23 - Service: Remote Desktop Help Session Manager (RDSessMgr) - Unknown owner - C:\WINDOWS\system32\sessmgr.exe (file missing)
O23 - Service: Security Accounts Manager (SamSs) - Unknown owner - C:\WINDOWS\system32\lsass.exe (file missing)
O23 - Service: SolidWorks Licensing Service - SolidWorks - C:\Program Files (x86)\Common Files\SolidWorks Shared\Service\SolidWorksLicensing.exe
O23 - Service: Trend Micro Client/Server Security Agent Listener (tmlisten) - Trend Micro Inc. - C:\Program Files (x86)\Trend Micro\Client Server Security Agent\tmlisten.exe
O23 - Service: Virtual Disk Service (vds) - Unknown owner - C:\WINDOWS\System32\vds.exe (file missing)
O23 - Service: Volume Shadow Copy (VSS) - Unknown owner - C:\WINDOWS\System32\vssvc.exe (file missing)
O23 - Service: WMI Performance Adapter (WmiApSrv) - Unknown owner - C:\WINDOWS\system32\wbem\wmiapsrv.exe (file missing)

--
End of file - 8282 bytes

-- Files created between 2008-02-25 and 2008-03-25 -----------------------------

2008-03-24 08:31:55 0 d-------- C:\Documents and Settings\eric.henschke\Application Data\PC-Cleaner
2008-03-24 08:03:21 0 d-------- C:\a2
2008-03-20 17:22:51 0 d-------- C:\WINDOWS\system32\ActiveScan
2008-03-20 16:54:36 0 d-------- C:\Documents and Settings\Administrator\Application Data\SUPERAntiSpyware.com
2008-03-20 16:13:28 0 d-------- C:\Documents and Settings\Administrator\Application Data\PTC
2008-03-20 16:11:14 0 d-------- C:\Documents and Settings\Administrator\Application Data\Grisoft
2008-03-20 16:07:51 0 d-------- C:\Documents and Settings\All Users.WINDOWS\Application Data\SUPERAntiSpyware.com
2008-03-20 16:07:47 0 d-------- C:\Program Files (x86)\SUPERAntiSpyware
2008-03-20 16:07:47 0 d-------- C:\Documents and Settings\eric.henschke\Application Data\SUPERAntiSpyware.com
2008-03-20 16:07:33 0 d-------- C:\Program Files (x86)\Common Files\Wise Installation Wizard
2008-03-20 16:04:07 0 d-------- C:\Documents and Settings\eric.henschke\Application Data\Grisoft
2008-03-20 16:03:57 0 d-------- C:\Documents and Settings\All Users.WINDOWS\Application Data\Grisoft
2008-03-20 15:49:17 0 d-------- C:\Program Files (x86)\XoftSpySE
2008-03-20 15:49:16 0 d-------- C:\Documents and Settings\Administrator\Desktopvirii
2008-03-20 15:26:16 3407872 --ah----- C:\Documents and Settings\eric.henschke\NTUSER.DAT
2008-03-20 14:25:49 0 d-------- C:\Program Files (x86)\Enigma Software Group
2008-03-20 13:09:15 2146 --a------ C:\WINDOWS\system32\tmp.reg
2008-03-20 13:02:12 0 d-------- C:\WINDOWS\pss
2008-03-20 12:54:15 4096 --a------ C:\Documents and Settings\Administrator\Desktopfilemanagerclient.exe
2008-03-20 12:54:14 4096 --a------ C:\Documents and Settings\Administrator\DesktopFWebdEditor.exe
2008-03-20 12:54:14 4096 --a------ C:\Documents and Settings\Administrator\Desktopfwebd.exe
2008-03-20 12:54:02 98304 --a------ C:\WINDOWS\system32\jtyzerqn.exe
2008-03-20 12:47:18 86528 --a------ C:\WINDOWS\system32\VACFix.exe <Not Verified; S!Ri.URZ; VACFix>
2008-03-20 12:47:18 82432 --a------ C:\WINDOWS\system32\IEDFix.exe <Not Verified; S!Ri.URZ; IEDFix>
2008-03-20 12:47:17 25600 --a------ C:\WINDOWS\system32\WS2Fix.exe
2008-03-20 12:47:17 289144 --a------ C:\WINDOWS\system32\VCCLSID.exe <Not Verified; S!Ri; >
2008-03-20 12:47:17 288417 --a------ C:\WINDOWS\system32\SrchSTS.exe <Not Verified; S!Ri; SrchSTS>
2008-03-20 12:47:17 51200 --a------ C:\WINDOWS\system32\dumphive.exe
2008-03-20 11:54:15 0 dr-h----- C:\Documents and Settings\eric.henschke\Recent
2008-03-20 09:07:19 401408 --a------ C:\WINDOWS\system32\pvmjpg30.dll <Not Verified; Pegasus Imaging Corporation; PICVideo Codec Suite>
2008-03-20 09:07:18 44544 --a------ C:\WINDOWS\system32\msxml4a.dll <Not Verified; Microsoft Corporation; Microsoft® MSXML 4.0 SP1>
2008-03-20 09:07:18 1712128 --a------ C:\WINDOWS\system32\GDIPLUS.DLL <Not Verified; Microsoft Corporation; Microsoft® Windows® Operating System>
2008-03-20 09:05:30 0 d-------- C:\Documents and Settings\NetworkService\My Documents
2008-03-20 09:05:30 0 d-------- C:\Documents and Settings\LocalService\My Documents
2008-03-20 09:04:54 138752 --a------ C:\WINDOWS\system32\mase32.dll
2008-03-20 09:04:54 57856 --a------ C:\WINDOWS\system32\masd32.dll
2008-03-20 09:04:54 136192 --a------ C:\WINDOWS\system32\mamc32.dll <Not Verified; ; MAMC32 Dynamic Link Library>
2008-03-20 09:04:54 196096 --a------ C:\WINDOWS\system32\macd32.dll <Not Verified; ; MACD32 Dynamic Link Library>
2008-03-20 09:04:54 27648 --a------ C:\WINDOWS\system32\ma32.dll
2008-03-20 09:03:44 41219 --a------ C:\WINDOWS\RSETPATH.exe <Not Verified; Pinnacle Systems; Pinnacle Systems RSETPATH>
2008-03-20 09:03:18 49152 --a------ C:\WINDOWS\system32\PCLEGetGuid.dll <Not Verified; Pinnacle Systems; Guid_dll>
2008-03-20 08:57:02 0 d-------- C:\Documents and Settings\eric.henschke\Application Data\InstallShield
2008-03-20 08:49:28 4096 --a------ C:\WINDOWS\winsystem.exe
2008-03-20 08:49:28 4096 --a------ C:\WINDOWS\userconfig9x.dll
2008-03-20 08:49:28 4096 --a------ C:\WINDOWS\SysWOW64WINWGPX.EXE
2008-03-20 08:49:28 4096 --a------ C:\WINDOWS\SysWOW64winsystem.exe
2008-03-20 08:49:28 4096 --a------ C:\WINDOWS\SysWOW64winlogonpc.exe
2008-03-20 08:49:28 4096 --a------ C:\WINDOWS\SysWOW64vcatchpi.dll
2008-03-20 08:49:28 4096 --a------ C:\WINDOWS\SysWOW64thun32.dll
2008-03-20 08:49:28 4096 --a------ C:\WINDOWS\SysWOW64thun.dll
2008-03-20 08:49:28 4096 --a------ C:\WINDOWS\SysWOW64temp#01.exe
2008-03-20 08:49:28 4096 --a------ C:\WINDOWS\SysWOW64taack.exe
2008-03-20 08:49:28 4096 --a------ C:\WINDOWS\SysWOW64taack.dat
2008-03-20 08:49:28 4096 --a------ C:\WINDOWS\SysWOW64sysreq.exe
2008-03-20 08:49:28 4096 --a------ C:\WINDOWS\SysWOW64ssvchost.exe
2008-03-20 08:49:28 4096 --a------ C:\WINDOWS\SysWOW64ssvchost.com
2008-03-20 08:49:28 4096 --a------ C:\WINDOWS\SysWOW64ssurf022.dll
2008-03-20 08:49:28 4096 --a------ C:\WINDOWS\SysWOW64sncntr.exe
2008-03-20 08:49:28 0 d-------- C:\WINDOWS\SysWOW64smp
2008-03-20 08:49:28 4096 --a------ C:\WINDOWS\SysWOW64Rundl1.exe
2008-03-20 08:49:28 4096 --a------ C:\WINDOWS\SysWOW64regm64.dll
2008-03-20 08:49:28 4096 --a------ C:\WINDOWS\SysWOW64regc64.dll
2008-03-20 08:49:28 4096 --a------ C:\WINDOWS\SysWOW64psoft1.exe
2008-03-20 08:49:28 4096 --a------ C:\WINDOWS\SysWOW64psof1.exe
2008-03-20 08:49:28 4096 --a------ C:\WINDOWS\SysWOW64ps1.exe
2008-03-20 08:49:28 4096 --a------ C:\WINDOWS\SysWOW64newsd32.exe
2008-03-20 08:49:28 4096 --a------ C:\WINDOWS\SysWOW64netode.exe
2008-03-20 08:49:28 4096 --a------ C:\WINDOWS\SysWOW64mwin32.exe
2008-03-20 08:49:28 4096 --a------ C:\WINDOWS\SysWOW64mtr2.exe
2008-03-20 08:49:28 4096 --a------ C:\WINDOWS\SysWOW64msvchost.exe
2008-03-20 08:49:28 4096 --a------ C:\WINDOWS\SysWOW64mssecu.exe
2008-03-20 08:49:28 4096 --a------ C:\WINDOWS\SysWOW64msnbho.dll
2008-03-20 08:49:28 4096 --a------ C:\WINDOWS\SysWOW64msgp.exe
2008-03-20 08:49:28 4096 --a------ C:\WINDOWS\SysWOW64medup020.dll
2008-03-20 08:49:28 4096 --a------ C:\WINDOWS\SysWOW64medup012.dll
2008-03-20 08:49:28 4096 --a------ C:\WINDOWS\SysWOW64hxiwlgpm.exe
2008-03-20 08:49:28 4096 --a------ C:\WINDOWS\SysWOW64hxiwlgpm.dat
2008-03-20 08:49:28 4096 --a------ C:\WINDOWS\SysWOW64hoproxy.dll
2008-03-20 08:49:28 4096 --a------ C:\WINDOWS\SysWOW64h@tkeysh@@k.dll
2008-03-20 08:49:28 4096 --a------ C:\WINDOWS\SysWOW64emesx.dll
2008-03-20 08:49:28 4096 --a------ C:\WINDOWS\SysWOW64dpcproxy.exe
2008-03-20 08:49:28 4096 --a------ C:\WINDOWS\SysWOW64bsva-egihsg52.exe
2008-03-20 08:49:28 4096 --a------ C:\WINDOWS\SysWOW64bdn.com
2008-03-20 08:49:28 4096 --a------ C:\WINDOWS\SysWOW64awtoolb.dll
2008-03-20 08:49:28 4096 --a------ C:\WINDOWS\SysWOW64anticipator.dll
2008-03-20 08:49:28 4096 --a------ C:\WINDOWS\SysWOW64akttzn.exe
2008-03-20 08:49:28 4096 --a------ C:\WINDOWS\mssecu.exe
2008-03-20 08:49:28 0 d-------- C:\WINDOWS\mslagent
2008-03-20 08:49:28 4096 --a------ C:\WINDOWS\iTunesMusic.exe
2008-03-20 08:49:28 4096 --a------ C:\WINDOWS\FVProtect.exe
2008-03-20 08:49:28 4096 --a------ C:\WINDOWS\bdn.com
2008-03-20 08:49:28 4096 --a------ C:\WINDOWS\a.bat
2008-03-20 08:49:28 0 d-------- C:\Documents and Settings\eric.henschke\Desktopvirii
2008-03-20 08:49:28 4096 --a------ C:\Documents and Settings\eric.henschke\DesktopFWebdEditor.exe
2008-03-20 08:49:28 4096 --a------ C:\Documents and Settings\eric.henschke\Desktopfwebd.exe
2008-03-20 08:49:28 4096 --a------ C:\Documents and Settings\eric.henschke\Desktopfilemanagerclient.exe
2008-03-20 08:49:27 4096 --a------ C:\WINDOWS\SysWOW64vbsys2.dll
2008-03-20 08:47:20 38912 --a------ C:\WINDOWS\ujuhmjit.exe
2008-03-20 08:47:19 98304 --a------ C:\WINDOWS\system32\ggfixigd.exe
2008-03-19 15:28:40 0 d-------- C:\Program Files (x86)\WinAce
2008-03-17 09:04:57 0 d-------- C:\Program Files (x86)\proDAD
2008-03-17 09:01:39 0 d-------- C:\Program Files (x86)\AdorageI-SAL
2008-03-17 08:52:47 0 d-------- C:\WINDOWS\system32\URTTEMP
2008-03-17 08:49:39 0 d-------- C:\Program Files (x86)\SmartSound Software
2008-03-17 08:49:08 86016 --a------ C:\WINDOWS\unvise32qt.exe <Not Verified; MindVision; Installer VISE 2.8.3>
2008-03-17 08:49:03 0 d-------- C:\Program Files (x86)\QuickTime
2008-03-17 08:49:03 0 d-------- C:\Documents and Settings\All Users.WINDOWS\Application Data\QuickTime
2008-03-17 08:41:32 0 d-------- C:\Program Files (x86)\DivX
2008-03-17 08:38:29 0 d-------- C:\Documents and Settings\All Users.WINDOWS\Application Data\Pinnacle Studio
2008-03-14 10:41:09 0 d-------- C:\WINDOWS\Downloaded Installations
2008-03-14 10:30:39 0 d-------- C:\Documents and Settings\All Users.WINDOWS\Application Data\Pinnacle
2008-03-14 10:30:37 0 d-------- C:\Program Files (x86)\Pinnacle
2008-03-14 10:30:23 14165 --a------ C:\WINDOWS\system32\drivers\Pclepci.sys <Not Verified; Pinnacle Systems GmbH; PCLEPCI>
2008-03-05 09:46:42 16384 --a------ C:\WINDOWS\system32\FileOps.exe
2008-03-05 09:46:42 0 d-------- C:\WINDOWS\system32\Adobe
2008-02-28 17:08:42 0 d-------- C:\Program Files (x86)\Common Files\Canon
2008-02-26 18:21:32 0 d-------- C:\Documents and Settings\eric.henschke\Application Data\Google
2008-02-26 18:21:20 0 d-------- C:\Documents and Settings\All Users.WINDOWS\Application Data\Google
2008-02-26 18:21:16 0 d-------- C:\Program Files (x86)\Google


-- Find3M Report ---------------------------------------------------------------

2008-03-20 16:07:33 0 d-------- C:\Program Files (x86)\Common Files
2008-03-20 15:12:37 0 d-------- C:\Program Files (x86)\Trend Micro
2008-03-20 09:04:54 108 --a------ C:\AUTOEXEC.BAT
2008-03-20 09:02:55 0 d--h----- C:\Program Files (x86)\InstallShield Installation Information
2008-03-17 10:41:36 0 d-------- C:\Program Files (x86)\Common Files\LightScribe
2008-03-17 08:49:31 0 d-------- C:\Program Files (x86)\Common Files\InstallShield
2008-03-13 08:50:59 0 d-------- C:\Program Files (x86)\Common Files\Adobe
2008-02-18 17:31:05 0 d-------- C:\Program Files (x86)\Common Files\Adobe Systems Shared
2008-02-18 15:33:50 1019 --a------ C:\WINDOWS\mozver.dat
2008-02-07 15:08:30 0 d-------- C:\Program Files (x86)\Common Files\SolidWorks Shared
2008-02-07 15:08:25 0 d-------- C:\Program Files (x86)\Common Files\eDrawings2008
2008-02-01 14:52:57 0 d-------- C:\Program Files (x86)\GPLGS
2008-02-01 09:32:29 0 d-------- C:\Program Files (x86)\Microsoft Works
2008-02-01 09:19:31 0 d-------- C:\Program Files (x86)\Microsoft ActiveSync
2008-02-01 09:18:58 0 d-------- C:\Program Files (x86)\Microsoft.NET
2008-01-31 23:57:38 0 d-------- C:\Program Files (x86)\MSXML 4.0
2008-01-31 23:53:33 0 d-------- C:\Program Files (x86)\Windows Defender
2008-01-31 23:51:16 0 d-------- C:\Program Files (x86)\Common Files\Ahead
2008-01-31 23:49:53 0 d-------- C:\Program Files (x86)\Nero
2008-01-31 23:46:05 0 d-------- C:\Program Files (x86)\MA User Marked Database
2008-01-31 23:45:56 0 d-------- C:\Program Files (x86)\Motion Analyzer
2008-01-31 23:43:08 0 d-------- C:\Program Files (x86)\AutoCAD 2007
2008-01-31 23:42:51 0 d-------- C:\Program Files (x86)\Common Files\Autodesk Shared
2008-01-31 23:42:49 0 d-------- C:\Program Files (x86)\AnswerWorks 4.0
2008-01-31 23:40:36 0 d-------- C:\Program Files (x86)\proeWildfire
2008-01-31 23:37:44 0 d-------- C:\Program Files (x86)\Autodesk
2008-01-31 23:35:58 0 d-------- C:\Program Files (x86)\Acro Software
2008-01-31 23:35:22 0 d-------- C:\Program Files (x86)\Innotiv Spekan Batch Tool
2008-01-31 23:22:03 19739 --a------ C:\license.dat
2008-01-31 23:17:52 0 d-------- C:\Program Files (x86)\Realtek
2008-01-31 23:07:42 0 d-------- C:\Program Files (x86)\MSXML 6.0
2008-01-31 22:48:45 0 d-------- C:\Program Files (x86)\MSBuild
2008-01-31 22:44:53 0 d-------- C:\Program Files (x86)\Reference Assemblies
2008-01-31 22:15:32 0 d-------- C:\Program Files (x86)\system
2008-01-31 22:15:32 0 d-------- C:\Program Files (x86)\speechengines
2008-01-31 22:15:32 0 d-------- C:\Program Files (x86)\microsoft shared
2008-01-31 22:15:21 0 -rahs---- C:\MSDOS.SYS
2008-01-31 22:15:21 0 -rahs---- C:\IO.SYS
2008-01-31 22:15:21 0 --a------ C:\CONFIG.SYS
2008-01-31 21:19:32 0 d-------- C:\Program Files (x86)\Movie Maker
2008-01-31 21:19:20 0 d-------- C:\Program Files (x86)\Windows Media Player[Strings]
2008-01-31 21:18:12 0 d-------- C:\Program Files (x86)\MSN Gaming Zone
2008-01-31 21:17:37 0 d-------- C:\Program Files (x86)\Windows NT
2008-01-31 14:59:56 0 d-------- C:\Program Files (x86)\Common Files\ODBC
2008-01-31 14:59:51 0 d-------- C:\Program Files (x86)\Common Files\SpeechEngines
2008-01-29 12:47:01 0 d-------- C:\Documents and Settings\eric.henschke\Application Data\Ahead
2008-01-29 10:59:47 0 d-------- C:\Documents and Settings\eric.henschke\Application Data\Autodesk
2008-01-28 17:45:51 0 d-------- C:\Documents and Settings\eric.henschke\Application Data\ATI


-- Registry Dump ---------------------------------------------------------------



-- End of Deckard's System Scanner: finished at 2008-03-25 08:24:07 ------------

Attached Thumbnails

  • screenshot.jpg


#10 henschke (Topic Starter, Member, 10 posts)
sage5~

I've been looking into these syswow64 files that reside in the c:\windows directory, and it appears that other uninfected 64-bit systems do not contain these files in their c:\windows directory (which I'm sure you already know because you said it was unusual). It also appears that the creation date for these files is at the time I suspect I was infected (around 8:50 on 3/20/2008). I have attached screen shots of the c:\windows directory sorted by creation date. Is it possible these files were created by the malware to redirect windows functions?

Please let me know if you need any additional information, and what your next suggested course of action is.

Thanks!

Attached Thumbnails

  • screenshot1.jpg
  • screenshot2.jpg


#11 sage5 (RIP 10/2009; Retired Staff, 2,646 posts)
Hi henschke,

Sorry for the extended wait.
Finding out which of the tools we use will work in x64 proved a bit tricky.


Please print these instructions, and have the hard copy handy, to complete the steps below.

Please download the following & save to your Desktop:
Killbox by Option^Explicit.
ERUNT

The following steps involve modifying the registry. This can be EXTREMELY risky so we will make a backup of the registry first.
You need to follow the steps that are listed below EXACTLY.
If you cannot perform some of these steps or if you have ANY questions please ask BEFORE proceeding.


Backing Up Your Registry:
(ERUNT (Emergency Recovery Utility NT) is a free program that allows you to keep a complete backup of your registry and restore it when needed.)
  • Install ERUNT by following the prompts. (use the default install settings but say no when asked to add ERUNT to the start-up folder. This can be enabled later)
  • Start ERUNT either by double clicking on the desktop icon or choosing to start the program at the end of the setup.
  • Choose a location for the backup, (or use the default location which is C:\WINDOWS\ERDNT).
  • Make sure that at least the first two check boxes are ticked.
  • Press OK
  • Press YES to create the folder.

Registry Modifications:
  • Please open a new Notepad file by clicking Start\All Programs\Accessories\Notepad
  • Copy the text from the following Code box, by highlighting all the text and right click, Select Copy. (or use the Ctrl+C keyboard shortcut)
Windows Registry Editor Version 5.00

[-HKEY_CLASSES_ROOT\etlrlws.ToolBar.1]

[-HKEY_CLASSES_ROOT\MSVPS.MSVPSApp]

[-HKEY_CLASSES_ROOT\clsid\{0e1230f8-ea50-42a9-983c-d22abc2eeb4c}]

[-HKEY_CLASSES_ROOT\clsid\{0656A137-B161-CADD-9777-E37A75727E78}]

[-HKEY_CLASSES_ROOT\clsid\{000000da-0786-4633-87c6-1aa7a4429ef1}]

[-HKEY_CLASSES_ROOT\clsid\{b8c0220d-763d-49a4-95f4-61dfdec66ee6}]

[-HKEY_CLASSES_ROOT\clsid\{9dd4258a-7138-49c4-8d34-587879a5c7a4}]

[-HKEY_CLASSES_ROOT\clsid\{c3bcc488-1ae7-11d4-ab82-0010a4ec2338}]

[-HKEY_USERS\S-1-5-21-936568965-2266688463-1782279273-500\Software\Golden Palace Casino PT]
  • Paste it into Notepad. Right click in the window and select Paste. (or use Ctrl+V)
  • Save the file to the Desktop, make sure Type is All Files, and name it Fixreg.reg
  • Double click on the file created and click Yes when asked to merge the information into the Registry


Run HijackThis.
  • Click the Do a system scan only button.
  • Check the boxes for all the entries listed below:
O4 - HKLM\..\Run: [ggfixigd] C:\WINDOWS\SysWow64\ggfixigd.exe
O4 - HKLM\..\Run: [jtyzerqn] C:\WINDOWS\SysWow64\jtyzerqn.exe
O4 - HKLM\..\Policies\Explorer\Run: [DRA9ZDKmx1] C:\WINDOWS\ujuhmjit.exe

  • Now close all windows other than HijackThis and click Fix Checked.
  • Close HijackThis.


Shut down & Reboot normally:

Use KillBox to stop & remove processes:
  • Please double-click Killbox.exe to run it.
  • Select:
    • Delete on Reboot
    • All Files.
  • Please copy the file paths from the Codebox below to the clipboard by highlighting ALL of them and pressing CTRL + C.

    C:\WINDOWS\SysWow64\ggfixigd.exe
    C:\WINDOWS\SysWow64\jtyzerqn.exe
    C:\WINDOWS\ujuhmjit.exe
    C:\WINDOWS\winsystem.exe  
    C:\WINDOWS\userconfig9x.dll  
    C:\WINDOWS\SysWOW64WINWGPX.EXE  
    C:\WINDOWS\SysWOW64winsystem.exe  
    C:\WINDOWS\SysWOW64winlogonpc.exe  
    C:\WINDOWS\SysWOW64vcatchpi.dll  
    C:\WINDOWS\SysWOW64thun32.dll  
    C:\WINDOWS\SysWOW64thun.dll  
    C:\WINDOWS\SysWOW64temp#01.exe  
    C:\WINDOWS\SysWOW64taack.exe  
    C:\WINDOWS\SysWOW64taack.dat  
    C:\WINDOWS\SysWOW64sysreq.exe  
    C:\WINDOWS\SysWOW64ssvchost.exe  
    C:\WINDOWS\SysWOW64ssvchost.com  
    C:\WINDOWS\SysWOW64ssurf022.dll  
    C:\WINDOWS\SysWOW64sncntr.exe  
    C:\WINDOWS\SysWOW64smp  
    C:\WINDOWS\SysWOW64Rundl1.exe  
    C:\WINDOWS\SysWOW64regm64.dll  
    C:\WINDOWS\SysWOW64regc64.dll  
    C:\WINDOWS\SysWOW64psoft1.exe  
    C:\WINDOWS\SysWOW64psof1.exe  
    C:\WINDOWS\SysWOW64ps1.exe  
    C:\WINDOWS\SysWOW64newsd32.exe  
    C:\WINDOWS\SysWOW64netode.exe  
    C:\WINDOWS\SysWOW64mwin32.exe  
    C:\WINDOWS\SysWOW64mtr2.exe  
    C:\WINDOWS\SysWOW64msvchost.exe  
    C:\WINDOWS\SysWOW64mssecu.exe  
    C:\WINDOWS\SysWOW64msnbho.dll  
    C:\WINDOWS\SysWOW64msgp.exe  
    C:\WINDOWS\SysWOW64medup020.dll  
    C:\WINDOWS\SysWOW64medup012.dll  
    C:\WINDOWS\SysWOW64hxiwlgpm.exe  
    C:\WINDOWS\SysWOW64hxiwlgpm.dat  
    C:\WINDOWS\SysWOW64hoproxy.dll  
    C:\WINDOWS\SysWOW64h@tkeysh@@k.dll  
    C:\WINDOWS\SysWOW64emesx.dll  
    C:\WINDOWS\SysWOW64dpcproxy.exe  
    C:\WINDOWS\SysWOW64bsva-egihsg52.exe  
    C:\WINDOWS\SysWOW64bdn.com  
    C:\WINDOWS\SysWOW64awtoolb.dll  
    C:\WINDOWS\SysWOW64anticipator.dll  
    C:\WINDOWS\SysWOW64akttzn.exe
    C:\WINDOWS\mssecu.exe
    C:\WINDOWS\iTunesMusic.exe
    C:\WINDOWS\FVProtect.exe
    C:\WINDOWS\bdn.com
    C:\WINDOWS\a.bat
    C:\Documents and Settings\eric.henschke\DesktopFWebdEditor.exe
    C:\Documents and Settings\eric.henschke\Desktopfwebd.exe
    C:\Documents and Settings\eric.henschke\Desktopfilemanagerclient.exe
    C:\WINDOWS\SysWOW64vbsys2.dll
    C:\WINDOWS\ujuhmjit.exe
    C:\WINDOWS\system32\ggfixigd.exe
    C:\WINDOWS\unvise32qt.exe
    C:\WINDOWS\system32\FileOps.exe
    C:\Documents and Settings\eric.henschke\Desktopvirii
    C:\WINDOWS\system32\Adobe
    C:\WINDOWS\mslagent
    c:\program files (x86)\akl
    c:\program files (x86)\inet delivery
    c:\documents and settings\eric.henschke\application data\pc-cleaner
    c:\program files (x86)\pc-cleaner
  • Return to Killbox, go to the File menu, and choose Paste from Clipboard.
  • Click the red-and-white Delete File button.
  • Click Yes at the Delete on Reboot prompt.
  • Click OK at any PendingRenameOperations prompt.
    If your computer does not restart automatically, please restart it manually
  • After the restart reopen Killbox and go to File > Logs > Actions History Log.
  • A Notepad window will open.
  • Copy all the text & paste it back here as your next reply


Cheers,

sage5

Edited by sage5, 27 March 2008 - 07:04 AM.

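As an added example (not from the thread, and not Killbox's own code), here is a small Python script for checking the Actions History Log that the last step asks for: it parses the queued entries, compares them with the path list that was pasted in, and flags two conditions a log in this format can show that mean the reboot deletions will not actually take place: the line recording that PendingFileRenameOperations was removed by an external process, and Killbox having run from a limited account (delay-until-reboot deletions are written to an HKLM value that only an administrator or LocalSystem can set). The path list and log excerpt are constructed sample input in the format shown on this page.

```python
import re

# Paths the instructions told the user to paste into Killbox
# (a subset of the thread's list, used here as constructed sample input).
INTENDED_PATHS = [
    r"C:\WINDOWS\SysWow64\ggfixigd.exe",
    r"C:\WINDOWS\SysWow64\jtyzerqn.exe",
    r"C:\WINDOWS\ujuhmjit.exe",
    r"C:\WINDOWS\a.bat",
    r"c:\program files (x86)\pc-cleaner",
]

# Constructed excerpt in the Pocket Killbox "Actions History Log" format
# shown in the thread; not the poster's complete log.
SAMPLE_LOG = r"""Pocket Killbox version 2.0.0.978
Running on as eric.henschke(Limited Account)
was started @ Thursday, March 27, 2008, 8:32 AM

# 1 [Delete on Reboot]
Path = C:\WINDOWS\SysWow64\ggfixigd.exe


# 2 [Delete on Reboot]
Path = C:\WINDOWS\SysWow64\jtyzerqn.exe


# 3 [Delete on Reboot]
Path = C:\WINDOWS\ujuhmjit.exe


# 4 [Delete on Reboot]
Path = C:\WINDOWS\a.bat


PendingFileRenameOperations Registry Data has been Removed by External Process! @ 8:34:02 AM
Killbox Closed(Exit) @ 8:34:25 AM
"""

# One queued entry: "# N [action]" followed by a "Path = ..." line.
ENTRY_RE = re.compile(r"^# (\d+) \[([^\]]+)\]\s*\n^Path = (.*?)\s*$", re.M)
QUEUE_DROPPED = "PendingFileRenameOperations Registry Data has been Removed"
LIMITED_RE = re.compile(r"^Running on as .*\(Limited Account\)", re.M)


def parse_killbox_log(text):
    """Return (entries, queue_dropped, limited_account).

    entries         list of (number, action, path) in log order
    queue_dropped   True if Killbox recorded that its reboot queue (the
                    PendingFileRenameOperations registry value) was cleared
    limited_account True if the "Running on as" line says Limited Account
    """
    entries = [(int(n), action, path) for n, action, path in ENTRY_RE.findall(text)]
    return entries, QUEUE_DROPPED in text, LIMITED_RE.search(text) is not None


def reconcile(intended, log_text):
    """Compare the intended path list with what the log shows was queued,
    and report anything that means the queued deletions cannot be trusted
    to have run after the restart."""
    entries, dropped, limited = parse_killbox_log(log_text)
    queued = {path.lower() for _, action, path in entries if action == "Delete on Reboot"}
    not_queued = [p for p in intended if p.lower() not in queued]
    problems = []
    if dropped:
        problems.append("reboot queue was cleared before the restart; nothing queued was deleted")
    if limited:
        # Delay-until-reboot deletion needs write access to an HKLM value that a
        # limited (non-administrator) account does not have; rerun as administrator.
        problems.append("Killbox ran from a limited account")
    return {
        "queued": len(queued),
        "not_queued": not_queued,            # pasted in, but never queued
        "problems": problems,
        "recheck_after_reboot": sorted(queued) if problems else [],
    }


if __name__ == "__main__":
    report = reconcile(INTENDED_PATHS, SAMPLE_LOG)
    for key, value in report.items():
        print(f"{key}: {value}")
```

On the constructed log this reports four queued paths, one intended path that was never queued, and both problems, so every queued path should be checked again after the restart.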

#12 henschke (Topic Starter, Member, 10 posts)
I have no problem waiting for good advice!



I have followed all steps from your previous post, and the Killbox log is posted below (along with an updated Deckard main log). I am however still locked out of the task manager, and many of the files that were to be deleted remain in the c:\windows directory (attached screenshot). I have not had any more spyware warning pop-ups or system tray warnings since following your last instructions.

Thanks for the help so far, and let me know what I should do next!

Pocket Killbox version 2.0.0.978
Running on as eric.henschke(Limited Account)
was started @ Thursday, March 27, 2008, 8:32 AM

# 1 [Delete on Reboot]
Path = C:\WINDOWS\SysWow64\ggfixigd.exe


# 2 [Delete on Reboot]
Path = C:\WINDOWS\SysWow64\jtyzerqn.exe


# 3 [Delete on Reboot]
Path = C:\WINDOWS\ujuhmjit.exe


# 4 [Delete on Reboot]
Path = C:\WINDOWS\winsystem.exe


# 5 [Delete on Reboot]
Path = C:\WINDOWS\userconfig9x.dll


# 6 [Delete on Reboot]
Path = C:\WINDOWS\SysWOW64WINWGPX.EXE


# 7 [Delete on Reboot]
Path = C:\WINDOWS\SysWOW64winsystem.exe


# 8 [Delete on Reboot]
Path = C:\WINDOWS\SysWOW64winlogonpc.exe


# 9 [Delete on Reboot]
Path = C:\WINDOWS\SysWOW64vcatchpi.dll


# 10 [Delete on Reboot]
Path = C:\WINDOWS\SysWOW64thun32.dll


# 11 [Delete on Reboot]
Path = C:\WINDOWS\SysWOW64thun.dll


# 12 [Delete on Reboot]
Path = C:\WINDOWS\SysWOW64temp#01.exe


# 13 [Delete on Reboot]
Path = C:\WINDOWS\SysWOW64taack.exe


# 14 [Delete on Reboot]
Path = C:\WINDOWS\SysWOW64taack.dat


# 15 [Delete on Reboot]
Path = C:\WINDOWS\SysWOW64sysreq.exe


# 16 [Delete on Reboot]
Path = C:\WINDOWS\SysWOW64ssvchost.exe


# 17 [Delete on Reboot]
Path = C:\WINDOWS\SysWOW64ssvchost.com


# 18 [Delete on Reboot]
Path = C:\WINDOWS\SysWOW64ssurf022.dll


# 19 [Delete on Reboot]
Path = C:\WINDOWS\SysWOW64sncntr.exe


# 20 [Delete on Reboot]
Path = C:\WINDOWS\SysWOW64smp


# 21 [Delete on Reboot]
Path = C:\WINDOWS\SysWOW64Rundl1.exe


# 22 [Delete on Reboot]
Path = C:\WINDOWS\SysWOW64regm64.dll


# 23 [Delete on Reboot]
Path = C:\WINDOWS\SysWOW64regc64.dll


# 24 [Delete on Reboot]
Path = C:\WINDOWS\SysWOW64psoft1.exe


# 25 [Delete on Reboot]
Path = C:\WINDOWS\SysWOW64psof1.exe


# 26 [Delete on Reboot]
Path = C:\WINDOWS\SysWOW64ps1.exe


# 27 [Delete on Reboot]
Path = C:\WINDOWS\SysWOW64newsd32.exe


# 28 [Delete on Reboot]
Path = C:\WINDOWS\SysWOW64netode.exe


# 29 [Delete on Reboot]
Path = C:\WINDOWS\SysWOW64mwin32.exe


# 30 [Delete on Reboot]
Path = C:\WINDOWS\SysWOW64mtr2.exe


# 31 [Delete on Reboot]
Path = C:\WINDOWS\SysWOW64msvchost.exe


# 32 [Delete on Reboot]
Path = C:\WINDOWS\SysWOW64mssecu.exe


# 33 [Delete on Reboot]
Path = C:\WINDOWS\SysWOW64msnbho.dll


# 34 [Delete on Reboot]
Path = C:\WINDOWS\SysWOW64msgp.exe


# 35 [Delete on Reboot]
Path = C:\WINDOWS\SysWOW64medup020.dll


# 36 [Delete on Reboot]
Path = C:\WINDOWS\SysWOW64medup012.dll


# 37 [Delete on Reboot]
Path = C:\WINDOWS\SysWOW64hxiwlgpm.exe


# 38 [Delete on Reboot]
Path = C:\WINDOWS\SysWOW64hxiwlgpm.dat


# 39 [Delete on Reboot]
Path = C:\WINDOWS\SysWOW64hoproxy.dll


# 40 [Delete on Reboot]
Path = C:\WINDOWS\SysWOW64h@tkeysh@@k.dll


# 41 [Delete on Reboot]
Path = C:\WINDOWS\SysWOW64emesx.dll


# 42 [Delete on Reboot]
Path = C:\WINDOWS\SysWOW64dpcproxy.exe


# 43 [Delete on Reboot]
Path = C:\WINDOWS\SysWOW64bsva-egihsg52.exe


# 44 [Delete on Reboot]
Path = C:\WINDOWS\SysWOW64bdn.com


# 45 [Delete on Reboot]
Path = C:\WINDOWS\SysWOW64awtoolb.dll


# 46 [Delete on Reboot]
Path = C:\WINDOWS\SysWOW64anticipator.dll


# 47 [Delete on Reboot]
Path = C:\WINDOWS\SysWOW64akttzn.exe


# 48 [Delete on Reboot]
Path = C:\WINDOWS\mssecu.exe


# 49 [Delete on Reboot]
Path = C:\WINDOWS\iTunesMusic.exe


# 50 [Delete on Reboot]
Path = C:\WINDOWS\FVProtect.exe


# 51 [Delete on Reboot]
Path = C:\WINDOWS\bdn.com


# 52 [Delete on Reboot]
Path = C:\WINDOWS\a.bat


# 53 [Delete on Reboot]
Path = C:\Documents and Settings\eric.henschke\DesktopFWebdEditor.exe


# 54 [Delete on Reboot]
Path = C:\Documents and Settings\eric.henschke\Desktopfwebd.exe


# 55 [Delete on Reboot]
Path = C:\Documents and Settings\eric.henschke\Desktopfilemanagerclient.exe


# 56 [Delete on Reboot]
Path = C:\WINDOWS\SysWOW64vbsys2.dll


# 57 [Delete on Reboot]
Path = C:\WINDOWS\system32\ggfixigd.exe


# 58 [Delete on Reboot]
Path = C:\WINDOWS\unvise32qt.exe


# 59 [Delete on Reboot]
Path = C:\WINDOWS\system32\FileOps.exe


# 60 [Delete on Reboot]
Path = C:\Documents and Settings\eric.henschke\Desktopvirii


# 61 [Delete on Reboot]
Path = C:\WINDOWS\system32\Adobe


# 62 [Delete on Reboot]
Path = C:\WINDOWS\mslagent


# 63 [Delete on Reboot]
Path = c:\documents and settings\eric.henschke\application data\pc-cleaner


PendingFileRenameOperations Registry Data has been Removed by External Process! @ 8:34:02 AM
Killbox Closed(Exit) @ 8:34:25 AM
__________________________________________________

Pocket Killbox version 2.0.0.978
Running on as eric.henschke(Limited Account)
was started @ Thursday, March 27, 2008, 8:37 AM



Deckard's System Scanner v20071014.68
Run by eric.henschke on 2008-03-27 09:27:57
Computer is in Normal Mode.
--------------------------------------------------------------------------------



-- HijackThis (run as eric.henschke.exe) ---------------------------------------

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 9:27:58 AM, on 3/27/2008
Platform: Windows 2003 SP2 (WinNT 5.02.3790)
MSIE: Internet Explorer v7.00 (7.00.6000.16608)
Boot mode: Normal

Running processes:
C:\Program Files (x86)\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\Program Files (x86)\Common Files\LightScribe\LSSrvc.exe
C:\Program Files (x86)\Trend Micro\Client Server Security Agent\tmlisten.exe
C:\Program Files (x86)\Trend Micro\Client Server Security Agent\OfcPfwSvc.exe
C:\WINDOWS\TEMP\YD24F3.EXE
C:\WINDOWS\RTHDCPL.EXE
C:\WINDOWS\SysWOW64\ctfmon.exe
C:\Program Files (x86)\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\Program Files (x86)\Trend Micro\Client Server Security Agent\pccntmon.exe
C:\Program Files (x86)\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
C:\Program Files\Logitech\SetPoint\x86\SetPoint32.exe
C:\Program Files (x86)\Microsoft Office\OFFICE11\OUTLOOK.EXE
C:\Documents and Settings\eric.henschke\Desktop\dss.exe
C:\PROGRA~2\TRENDM~1\HIJACK~1\ERICHE~1.EXE

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://companyweb
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://companyweb
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://companyweb
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft....k/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft....k/?LinkId=69157
F2 - REG:system.ini: UserInit=userinit
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O4 - HKLM\..\Run: [OfficeScanNT Monitor] "C:\Program Files (x86)\Trend Micro\Client Server Security Agent\pccntmon.exe" -HideWindow
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files (x86)\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [PinnacleDriverCheck] C:\WINDOWS\SysWow64\PSDrvCheck.exe -CheckReg
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files (x86)\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [LaunchList] C:\Program Files (x86)\Pinnacle\Studio 11\LaunchList2.exe
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files (x86)\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - HKUS\S-1-5-19\..\RunOnce: [tscuninstall] %systemroot%\system32\tscupgrd.exe (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\RunOnce: [tscuninstall] %systemroot%\system32\tscupgrd.exe (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\RunOnce: [tscuninstall] %systemroot%\system32\tscupgrd.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\RunOnce: [tscuninstall] %systemroot%\system32\tscupgrd.exe (User 'Default user')
O4 - Startup: Adobe Gamma.lnk = C:\Program Files (x86)\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Logitech SetPoint.lnk = ?
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\Office10\EXCEL.EXE/3000
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~2\MICROS~2\Office12\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O15 - ESC Trusted Zone: http://runonce.msn.com
O16 - DPF: {106E49CF-797A-11D2-81A2-00E02C015623} (AlternaTIFF ActiveX) - http://www.alternati.../00/alttiff.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.micros...b?1201836176806
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoft...free/asinst.cab
O16 - DPF: {B1E2B96C-12FE-45E2-BEF1-44A219113CDD} (SABScanProcesses Class) - http://www.superadbl...ivex/sabspx.cab
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = fargoautomation.local
O17 - HKLM\System\CCS\Services\Tcpip\..\{2D9CC770-9F05-4CD2-AEA0-60EDA28FB161}: NameServer = 192.168.1.5,64.21.232.2
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = fargoautomation.local
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = fargoautomation.local
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files (x86)\SUPERAntiSpyware\SASWINLO.DLL
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files (x86)\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Autodesk Licensing Service - Autodesk - C:\Program Files (x86)\Common Files\Autodesk Shared\Service\AdskScSrv.exe
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files (x86)\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - Unknown owner - C:\WINDOWS\System32\dmadmin.exe (file missing)
O23 - Service: Event Log (Eventlog) - Unknown owner - C:\WINDOWS\system32\services.exe (file missing)
O23 - Service: Fax - Unknown owner - C:\WINDOWS\system32\fxssvc.exe (file missing)
O23 - Service: HTTP SSL (HTTPFilter) - Unknown owner - C:\WINDOWS\System32\lsass.exe (file missing)
O23 - Service: IMAPI CD-Burning COM Service (ImapiService) - Unknown owner - C:\WINDOWS\system32\imapi.exe (file missing)
O23 - Service: Logitech Bluetooth Service (LBTServ) - Logitech, Inc. - C:\Program Files\Common Files\Logitech\Bluetooth\LBTServ.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files (x86)\Common Files\LightScribe\LSSrvc.exe
O23 - Service: Distributed Transaction Coordinator (MSDTC) - Unknown owner - C:\WINDOWS\system32\msdtc.exe (file missing)
O23 - Service: Net Logon (Netlogon) - Unknown owner - C:\WINDOWS\system32\lsass.exe (file missing)
O23 - Service: NMIndexingService - Nero AG - C:\Program Files (x86)\Common Files\Ahead\Lib\NMIndexingService.exe
O23 - Service: NT LM Security Support Provider (NtLmSsp) - Unknown owner - C:\WINDOWS\system32\lsass.exe (file missing)
O23 - Service: Trend Micro Client/Server Security Agent RealTime Scan (ntrtscan) - Trend Micro Inc. - C:\Program Files (x86)\Trend Micro\Client Server Security Agent\ntrtscan.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - Unknown owner - C:\WINDOWS\system32\nvsvc64.exe (file missing)
O23 - Service: Trend Micro Client/Server Security Agent Personal Firewall (OfcPfwSvc) - Trend Micro Inc. - C:\Program Files (x86)\Trend Micro\Client Server Security Agent\OfcPfwSvc.exe
O23 - Service: Plug and Play (PlugPlay) - Unknown owner - C:\WINDOWS\system32\services.exe (file missing)
O23 - Service: IPSEC Services (PolicyAgent) - Unknown owner - C:\WINDOWS\system32\lsass.exe (file missing)
O23 - Service: Protected Storage (ProtectedStorage) - Unknown owner - C:\WINDOWS\system32\lsass.exe (file missing)
O23 - Service: Remote Desktop Help Session Manager (RDSessMgr) - Unknown owner - C:\WINDOWS\system32\sessmgr.exe (file missing)
O23 - Service: Security Accounts Manager (SamSs) - Unknown owner - C:\WINDOWS\system32\lsass.exe (file missing)
O23 - Service: SolidWorks Licensing Service - SolidWorks - C:\Program Files (x86)\Common Files\SolidWorks Shared\Service\SolidWorksLicensing.exe
O23 - Service: Trend Micro Client/Server Security Agent Listener (tmlisten) - Trend Micro Inc. - C:\Program Files (x86)\Trend Micro\Client Server Security Agent\tmlisten.exe
O23 - Service: Virtual Disk Service (vds) - Unknown owner - C:\WINDOWS\System32\vds.exe (file missing)
O23 - Service: Volume Shadow Copy (VSS) - Unknown owner - C:\WINDOWS\System32\vssvc.exe (file missing)
O23 - Service: WMI Performance Adapter (WmiApSrv) - Unknown owner - C:\WINDOWS\system32\wbem\wmiapsrv.exe (file missing)

--
End of file - 8153 bytes

-- Files created between 2008-02-27 and 2008-03-27 -----------------------------

2008-03-27 08:32:52 0 d-------- C:\!KillBox
2008-03-26 13:01:01 0 d-------- C:\VundoFix Backups
2008-03-24 08:31:55 0 d-------- C:\Documents and Settings\eric.henschke\Application Data\PC-Cleaner
2008-03-24 08:03:21 0 d-------- C:\a2
2008-03-20 17:22:51 0 d-------- C:\WINDOWS\system32\ActiveScan
2008-03-20 16:54:36 0 d-------- C:\Documents and Settings\Administrator\Application Data\SUPERAntiSpyware.com
2008-03-20 16:13:28 0 d-------- C:\Documents and Settings\Administrator\Application Data\PTC
2008-03-20 16:11:14 0 d-------- C:\Documents and Settings\Administrator\Application Data\Grisoft
2008-03-20 16:07:51 0 d-------- C:\Documents and Settings\All Users.WINDOWS\Application Data\SUPERAntiSpyware.com
2008-03-20 16:07:47 0 d-------- C:\Program Files (x86)\SUPERAntiSpyware
2008-03-20 16:07:47 0 d-------- C:\Documents and Settings\eric.henschke\Application Data\SUPERAntiSpyware.com
2008-03-20 16:07:33 0 d-------- C:\Program Files (x86)\Common Files\Wise Installation Wizard
2008-03-20 16:04:07 0 d-------- C:\Documents and Settings\eric.henschke\Application Data\Grisoft
2008-03-20 16:03:57 0 d-------- C:\Documents and Settings\All Users.WINDOWS\Application Data\Grisoft
2008-03-20 15:49:17 0 d-------- C:\Program Files (x86)\XoftSpySE
2008-03-20 15:49:16 0 d-------- C:\Documents and Settings\Administrator\Desktopvirii
2008-03-20 15:26:16 3407872 --ah----- C:\Documents and Settings\eric.henschke\NTUSER.DAT
2008-03-20 14:25:49 0 d-------- C:\Program Files (x86)\Enigma Software Group
2008-03-20 13:09:15 2146 --a------ C:\WINDOWS\system32\tmp.reg
2008-03-20 13:02:12 0 d-------- C:\WINDOWS\pss
2008-03-20 12:54:15 4096 --a------ C:\Documents and Settings\Administrator\Desktopfilemanagerclient.exe
2008-03-20 12:54:14 4096 --a------ C:\Documents and Settings\Administrator\DesktopFWebdEditor.exe
2008-03-20 12:54:14 4096 --a------ C:\Documents and Settings\Administrator\Desktopfwebd.exe
2008-03-20 12:47:18 86528 --a------ C:\WINDOWS\system32\VACFix.exe <Not Verified; S!Ri.URZ; VACFix>
2008-03-20 12:47:18 82432 --a------ C:\WINDOWS\system32\IEDFix.exe <Not Verified; S!Ri.URZ; IEDFix>
2008-03-20 12:47:17 25600 --a------ C:\WINDOWS\system32\WS2Fix.exe
2008-03-20 12:47:17 289144 --a------ C:\WINDOWS\system32\VCCLSID.exe <Not Verified; S!Ri; >
2008-03-20 12:47:17 288417 --a------ C:\WINDOWS\system32\SrchSTS.exe <Not Verified; S!Ri; SrchSTS>
2008-03-20 12:47:17 51200 --a------ C:\WINDOWS\system32\dumphive.exe
2008-03-20 11:54:15 0 dr-h----- C:\Documents and Settings\eric.henschke\Recent
2008-03-20 09:07:19 401408 --a------ C:\WINDOWS\system32\pvmjpg30.dll <Not Verified; Pegasus Imaging Corporation; PICVideo Codec Suite>
2008-03-20 09:07:18 44544 --a------ C:\WINDOWS\system32\msxml4a.dll <Not Verified; Microsoft Corporation; Microsoft® MSXML 4.0 SP1>
2008-03-20 09:07:18 1712128 --a------ C:\WINDOWS\system32\GDIPLUS.DLL <Not Verified; Microsoft Corporation; Microsoft® Windows® Operating System>
2008-03-20 09:05:30 0 d-------- C:\Documents and Settings\NetworkService\My Documents
2008-03-20 09:05:30 0 d-------- C:\Documents and Settings\LocalService\My Documents
2008-03-20 09:04:54 138752 --a------ C:\WINDOWS\system32\mase32.dll
2008-03-20 09:04:54 57856 --a------ C:\WINDOWS\system32\masd32.dll
2008-03-20 09:04:54 136192 --a------ C:\WINDOWS\system32\mamc32.dll <Not Verified; ; MAMC32 Dynamic Link Library>
2008-03-20 09:04:54 196096 --a------ C:\WINDOWS\system32\macd32.dll <Not Verified; ; MACD32 Dynamic Link Library>
2008-03-20 09:04:54 27648 --a------ C:\WINDOWS\system32\ma32.dll
2008-03-20 09:03:44 41219 --a------ C:\WINDOWS\RSETPATH.exe <Not Verified; Pinnacle Systems; Pinnacle Systems RSETPATH>
2008-03-20 09:03:18 49152 --a------ C:\WINDOWS\system32\PCLEGetGuid.dll <Not Verified; Pinnacle Systems; Guid_dll>
2008-03-20 08:57:02 0 d-------- C:\Documents and Settings\eric.henschke\Application Data\InstallShield
2008-03-20 08:49:28 4096 -----n--- C:\WINDOWS\winsystem.exe
2008-03-20 08:49:28 4096 -----n--- C:\WINDOWS\userconfig9x.dll
2008-03-20 08:49:28 4096 -----n--- C:\WINDOWS\SysWOW64WINWGPX.EXE
2008-03-20 08:49:28 4096 -----n--- C:\WINDOWS\SysWOW64winsystem.exe
2008-03-20 08:49:28 4096 -----n--- C:\WINDOWS\SysWOW64winlogonpc.exe
2008-03-20 08:49:28 4096 -----n--- C:\WINDOWS\SysWOW64vcatchpi.dll
2008-03-20 08:49:28 4096 -----n--- C:\WINDOWS\SysWOW64thun32.dll
2008-03-20 08:49:28 4096 -----n--- C:\WINDOWS\SysWOW64thun.dll
2008-03-20 08:49:28 4096 -----n--- C:\WINDOWS\SysWOW64temp#01.exe
2008-03-20 08:49:28 4096 -----n--- C:\WINDOWS\SysWOW64taack.exe
2008-03-20 08:49:28 4096 -----n--- C:\WINDOWS\SysWOW64taack.dat
2008-03-20 08:49:28 4096 -----n--- C:\WINDOWS\SysWOW64sysreq.exe
2008-03-20 08:49:28 4096 -----n--- C:\WINDOWS\SysWOW64ssvchost.exe
2008-03-20 08:49:28 4096 -----n--- C:\WINDOWS\SysWOW64ssvchost.com
2008-03-20 08:49:28 4096 -----n--- C:\WINDOWS\SysWOW64ssurf022.dll
2008-03-20 08:49:28 4096 -----n--- C:\WINDOWS\SysWOW64sncntr.exe
2008-03-20 08:49:28 0 d-------- C:\WINDOWS\SysWOW64smp
2008-03-20 08:49:28 4096 -----n--- C:\WINDOWS\SysWOW64Rundl1.exe
2008-03-20 08:49:28 4096 -----n--- C:\WINDOWS\SysWOW64regm64.dll
2008-03-20 08:49:28 4096 -----n--- C:\WINDOWS\SysWOW64regc64.dll
2008-03-20 08:49:28 4096 -----n--- C:\WINDOWS\SysWOW64psoft1.exe
2008-03-20 08:49:28 4096 -----n--- C:\WINDOWS\SysWOW64psof1.exe
2008-03-20 08:49:28 4096 -----n--- C:\WINDOWS\SysWOW64ps1.exe
2008-03-20 08:49:28 4096 -----n--- C:\WINDOWS\SysWOW64newsd32.exe
2008-03-20 08:49:28 4096 -----n--- C:\WINDOWS\SysWOW64netode.exe
2008-03-20 08:49:28 4096 -----n--- C:\WINDOWS\SysWOW64mwin32.exe
2008-03-20 08:49:28 4096 -----n--- C:\WINDOWS\SysWOW64mtr2.exe
2008-03-20 08:49:28 4096 -----n--- C:\WINDOWS\SysWOW64msvchost.exe
2008-03-20 08:49:28 4096 -----n--- C:\WINDOWS\SysWOW64mssecu.exe
2008-03-20 08:49:28 4096 -----n--- C:\WINDOWS\SysWOW64msnbho.dll
2008-03-20 08:49:28 4096 -----n--- C:\WINDOWS\SysWOW64msgp.exe
2008-03-20 08:49:28 4096 -----n--- C:\WINDOWS\SysWOW64medup020.dll
2008-03-20 08:49:28 4096 -----n--- C:\WINDOWS\SysWOW64medup012.dll
2008-03-20 08:49:28 4096 -----n--- C:\WINDOWS\SysWOW64hxiwlgpm.exe
2008-03-20 08:49:28 4096 -----n--- C:\WINDOWS\SysWOW64hxiwlgpm.dat
2008-03-20 08:49:28 4096 -----n--- C:\WINDOWS\SysWOW64hoproxy.dll
2008-03-20 08:49:28 4096 -----n--- C:\WINDOWS\SysWOW64h@tkeysh@@k.dll
2008-03-20 08:49:28 4096 -----n--- C:\WINDOWS\SysWOW64emesx.dll
2008-03-20 08:49:28 4096 -----n--- C:\WINDOWS\SysWOW64dpcproxy.exe
2008-03-20 08:49:28 4096 -----n--- C:\WINDOWS\SysWOW64bsva-egihsg52.exe
2008-03-20 08:49:28 4096 -----n--- C:\WINDOWS\SysWOW64bdn.com
2008-03-20 08:49:28 4096 -----n--- C:\WINDOWS\SysWOW64awtoolb.dll
2008-03-20 08:49:28 4096 -----n--- C:\WINDOWS\SysWOW64anticipator.dll
2008-03-20 08:49:28 4096 -----n--- C:\WINDOWS\SysWOW64akttzn.exe
2008-03-20 08:49:28 4096 -----n--- C:\WINDOWS\mssecu.exe
2008-03-20 08:49:28 0 d-------- C:\WINDOWS\mslagent
2008-03-20 08:49:28 4096 -----n--- C:\WINDOWS\iTunesMusic.exe
2008-03-20 08:49:28 4096 -----n--- C:\WINDOWS\FVProtect.exe
2008-03-20 08:49:28 4096 -----n--- C:\WINDOWS\bdn.com
2008-03-20 08:49:28 4096 -----n--- C:\WINDOWS\a.bat
2008-03-20 08:49:28 0 d-------- C:\Documents and Settings\eric.henschke\Desktopvirii
2008-03-20 08:49:28 4096 -----n--- C:\Documents and Settings\eric.henschke\DesktopFWebdEditor.exe
2008-03-20 08:49:28 4096 -----n--- C:\Documents and Settings\eric.henschke\Desktopfwebd.exe
2008-03-20 08:49:28 4096 -----n--- C:\Documents and Settings\eric.henschke\Desktopfilemanagerclient.exe
2008-03-20 08:49:27 4096 -----n--- C:\WINDOWS\SysWOW64vbsys2.dll
2008-03-20 08:47:20 38912 -----n--- C:\WINDOWS\ujuhmjit.exe
2008-03-19 15:28:40 0 d-------- C:\Program Files (x86)\WinAce
2008-03-17 09:04:57 0 d-------- C:\Program Files (x86)\proDAD
2008-03-17 09:01:39 0 d-------- C:\Program Files (x86)\AdorageI-SAL
2008-03-17 08:52:47 0 d-------- C:\WINDOWS\system32\URTTEMP
2008-03-17 08:49:39 0 d-------- C:\Program Files (x86)\SmartSound Software
2008-03-17 08:49:08 86016 -----n--- C:\WINDOWS\unvise32qt.exe <Not Verified; MindVision; Installer VISE 2.8.3>
2008-03-17 08:49:03 0 d-------- C:\Program Files (x86)\QuickTime
2008-03-17 08:49:03 0 d-------- C:\Documents and Settings\All Users.WINDOWS\Application Data\QuickTime
2008-03-17 08:41:32 0 d-------- C:\Program Files (x86)\DivX
2008-03-17 08:38:29 0 d-------- C:\Documents and Settings\All Users.WINDOWS\Application Data\Pinnacle Studio
2008-03-14 10:41:09 0 d-------- C:\WINDOWS\Downloaded Installations
2008-03-14 10:30:39 0 d-------- C:\Documents and Settings\All Users.WINDOWS\Application Data\Pinnacle
2008-03-14 10:30:37 0 d-------- C:\Program Files (x86)\Pinnacle
2008-03-14 10:30:23 14165 --a------ C:\WINDOWS\system32\drivers\Pclepci.sys <Not Verified; Pinnacle Systems GmbH; PCLEPCI>
2008-03-05 09:46:42 16384 -----n--- C:\WINDOWS\system32\FileOps.exe
2008-03-05 09:46:42 0 d-------- C:\WINDOWS\system32\Adobe
2008-02-28 17:08:42 0 d-------- C:\Program Files (x86)\Common Files\Canon


-- Find3M Report ---------------------------------------------------------------

2008-03-20 16:07:33 0 d-------- C:\Program Files (x86)\Common Files
2008-03-20 15:12:37 0 d-------- C:\Program Files (x86)\Trend Micro
2008-03-20 09:04:54 108 --a------ C:\AUTOEXEC.BAT
2008-03-20 09:02:55 0 d--h----- C:\Program Files (x86)\InstallShield Installation Information
2008-03-17 10:41:36 0 d-------- C:\Program Files (x86)\Common Files\LightScribe
2008-03-17 08:49:31 0 d-------- C:\Program Files (x86)\Common Files\InstallShield
2008-03-17 08:02:38 0 d-------- C:\Program Files (x86)\Google
2008-03-13 08:50:59 0 d-------- C:\Program Files (x86)\Common Files\Adobe
2008-03-03 09:59:26 0 d-------- C:\Documents and Settings\eric.henschke\Application Data\Google
2008-02-18 17:31:05 0 d-------- C:\Program Files (x86)\Common Files\Adobe Systems Shared
2008-02-18 15:33:50 1019 --a------ C:\WINDOWS\mozver.dat
2008-02-07 15:08:30 0 d-------- C:\Program Files (x86)\Common Files\SolidWorks Shared
2008-02-07 15:08:25 0 d-------- C:\Program Files (x86)\Common Files\eDrawings2008
2008-02-01 14:52:57 0 d-------- C:\Program Files (x86)\GPLGS
2008-02-01 09:32:29 0 d-------- C:\Program Files (x86)\Microsoft Works
2008-02-01 09:19:31 0 d-------- C:\Program Files (x86)\Microsoft ActiveSync
2008-02-01 09:18:58 0 d-------- C:\Program Files (x86)\Microsoft.NET
2008-01-31 23:57:38 0 d-------- C:\Program Files (x86)\MSXML 4.0
2008-01-31 23:53:33 0 d-------- C:\Program Files (x86)\Windows Defender
2008-01-31 23:51:16 0 d-------- C:\Program Files (x86)\Common Files\Ahead
2008-01-31 23:49:53 0 d-------- C:\Program Files (x86)\Nero
2008-01-31 23:46:05 0 d-------- C:\Program Files (x86)\MA User Marked Database
2008-01-31 23:45:56 0 d-------- C:\Program Files (x86)\Motion Analyzer
2008-01-31 23:43:08 0 d-------- C:\Program Files (x86)\AutoCAD 2007
2008-01-31 23:42:51 0 d-------- C:\Program Files (x86)\Common Files\Autodesk Shared
2008-01-31 23:42:49 0 d-------- C:\Program Files (x86)\AnswerWorks 4.0
2008-01-31 23:40:36 0 d-------- C:\Program Files (x86)\proeWildfire
2008-01-31 23:37:44 0 d-------- C:\Program Files (x86)\Autodesk
2008-01-31 23:35:58 0 d-------- C:\Program Files (x86)\Acro Software
2008-01-31 23:35:22 0 d-------- C:\Program Files (x86)\Innotiv Spekan Batch Tool
2008-01-31 23:22:03 19739 --a------ C:\license.dat
2008-01-31 23:17:52 0 d-------- C:\Program Files (x86)\Realtek
2008-01-31 23:07:42 0 d-------- C:\Program Files (x86)\MSXML 6.0
2008-01-31 22:48:45 0 d-------- C:\Program Files (x86)\MSBuild
2008-01-31 22:44:53 0 d-------- C:\Program Files (x86)\Reference Assemblies
2008-01-31 22:15:32 0 d-------- C:\Program Files (x86)\system
2008-01-31 22:15:32 0 d-------- C:\Program Files (x86)\speechengines
2008-01-31 22:15:32 0 d-------- C:\Program Files (x86)\microsoft shared
2008-01-31 22:15:21 0 -rahs---- C:\MSDOS.SYS
2008-01-31 22:15:21 0 -rahs---- C:\IO.SYS
2008-01-31 22:15:21 0 --a------ C:\CONFIG.SYS
2008-01-31 21:19:32 0 d-------- C:\Program Files (x86)\Movie Maker
2008-01-31 21:19:20 0 d-------- C:\Program Files (x86)\Windows Media Player[Strings]
2008-01-31 21:18:12 0 d-------- C:\Program Files (x86)\MSN Gaming Zone
2008-01-31 21:17:37 0 d-------- C:\Program Files (x86)\Windows NT
2008-01-31 14:59:56 0 d-------- C:\Program Files (x86)\Common Files\ODBC
2008-01-31 14:59:51 0 d-------- C:\Program Files (x86)\Common Files\SpeechEngines
2008-01-29 12:47:01 0 d-------- C:\Documents and Settings\eric.henschke\Application Data\Ahead
2008-01-29 10:59:47 0 d-------- C:\Documents and Settings\eric.henschke\Application Data\Autodesk
2008-01-28 17:45:51 0 d-------- C:\Documents and Settings\eric.henschke\Application Data\ATI


-- Registry Dump ---------------------------------------------------------------



-- End of Deckard's System Scanner: finished at 2008-03-27 09:28:13 ------------

Attached thumbnail: screenshot.jpg

Edited by henschke, 27 March 2008 - 11:08 AM.


#13
sage5
  • RIP 10/2009
  • Retired Staff
  • 2,646 posts
Hi henschke,


Please print these instructions, and have the hard copy handy, to complete the steps below.


First, this file:

2008-03-20 09:04:54 108 --a------ C:\AUTOEXEC.BAT

should be 0 bytes. Can you right-click on it and select Edit? That should open the file in Notepad. Using File > Save As, save the file as autoexec.txt on your Desktop.

Now, let's try the deletions in Safe Mode.

Copy all the text in the Codebox below:
folders:

C:\WINDOWS\SysWOW64smp 
C:\WINDOWS\mslagent
C:\Documents and Settings\eric.henschke\Desktopvirii
C:\Documents and Settings\Administrator\Desktopvirii

files:

C:\Documents and Settings\Administrator\Desktopfilemanagerclient.exe
C:\Documents and Settings\Administrator\DesktopFWebdEditor.exe
C:\Documents and Settings\Administrator\Desktopfwebd.exe
C:\Documents and Settings\eric.henschke\DesktopFWebdEditor.exe
C:\Documents and Settings\eric.henschke\Desktopfwebd.exe
C:\Documents and Settings\eric.henschke\Desktopfilemanagerclient.exe
C:\WINDOWS\winsystem.exe  
C:\WINDOWS\userconfig9x.dll
C:\WINDOWS\ujuhmjit.exe  
C:\WINDOWS\unvise32qt.exe
C:\WINDOWS\mssecu.exe  
C:\WINDOWS\iTunesMusic.exe  
C:\WINDOWS\FVProtect.exe  
C:\WINDOWS\bdn.com  
C:\WINDOWS\a.bat 
C:\WINDOWS\system32\drivers\Pclepci.sys
C:\WINDOWS\system32\FileOps.exe 
C:\WINDOWS\system32\tmp.reg
C:\WINDOWS\SysWOW64WINWGPX.EXE  
C:\WINDOWS\SysWOW64winsystem.exe  
C:\WINDOWS\SysWOW64winlogonpc.exe  
C:\WINDOWS\SysWOW64vcatchpi.dll  
C:\WINDOWS\SysWOW64thun32.dll  
C:\WINDOWS\SysWOW64thun.dll  
C:\WINDOWS\SysWOW64temp#01.exe  
C:\WINDOWS\SysWOW64taack.exe  
C:\WINDOWS\SysWOW64taack.dat  
C:\WINDOWS\SysWOW64sysreq.exe  
C:\WINDOWS\SysWOW64ssvchost.exe  
C:\WINDOWS\SysWOW64ssvchost.com  
C:\WINDOWS\SysWOW64ssurf022.dll  
C:\WINDOWS\SysWOW64sncntr.exe 
C:\WINDOWS\SysWOW64Rundl1.exe  
C:\WINDOWS\SysWOW64regm64.dll  
C:\WINDOWS\SysWOW64regc64.dll  
C:\WINDOWS\SysWOW64psoft1.exe  
C:\WINDOWS\SysWOW64psof1.exe  
C:\WINDOWS\SysWOW64ps1.exe  
C:\WINDOWS\SysWOW64newsd32.exe  
C:\WINDOWS\SysWOW64netode.exe  
C:\WINDOWS\SysWOW64mwin32.exe  
C:\WINDOWS\SysWOW64mtr2.exe  
C:\WINDOWS\SysWOW64msvchost.exe  
C:\WINDOWS\SysWOW64mssecu.exe  
C:\WINDOWS\SysWOW64msnbho.dll  
C:\WINDOWS\SysWOW64msgp.exe  
C:\WINDOWS\SysWOW64medup020.dll  
C:\WINDOWS\SysWOW64medup012.dll  
C:\WINDOWS\SysWOW64hxiwlgpm.exe  
C:\WINDOWS\SysWOW64hxiwlgpm.dat  
C:\WINDOWS\SysWOW64hoproxy.dll  
C:\WINDOWS\SysWOW64h@tkeysh@@k.dll  
C:\WINDOWS\SysWOW64emesx.dll  
C:\WINDOWS\SysWOW64dpcproxy.exe  
C:\WINDOWS\SysWOW64bsva-egihsg52.exe  
C:\WINDOWS\SysWOW64bdn.com  
C:\WINDOWS\SysWOW64awtoolb.dll  
C:\WINDOWS\SysWOW64anticipator.dll  
C:\WINDOWS\SysWOW64akttzn.exe 
C:\WINDOWS\SysWOW64vbsys2.dll

Paste the text into a new Notepad window & save it to the Desktop as killbox files.txt

Reboot into Safe Mode:
  • Restart your Computer
  • As soon as it starts to boot up, tap your F8 key repeatedly.
  • This should bring up the Windows Advanced Options Menu.
  • Use your arrow keys to select Safe Mode and click the Enter key.

Open the killbox files.txt file & try option a) first:
a) Using KillBox:
  • Go to File > Logs & click * Start New Log. Click Yes.
  • Make sure that the Standard File Kill is checked then paste the file/folder paths one at a time into the Full Path of File to Delete and hit the red Delete File button.
  • Check to see if those files have been deleted.
  • If all goes well post me the new log created.

b) If that fails, for whatever reason, try using My computer, browse to the files & folders & delete them manually.


Re-enable Task Manager:
  • Please open a new Notepad file by clicking Start\All Programs\Accessories\Notepad
  • Copy the text from the following Code box, by highlighting all the text and right click, Select Copy. (or use the Ctrl+C keyboard shortcut)
Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System]
"DisableTaskMgr"=dword:00000000

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Group Policy Objects\LocalUser\Software\Microsoft\Windows\CurrentVersion\Policies\System]
"DisableTaskMgr"=dword:00000000
"**del.DisableTaskMgr"=" "

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system\]
"DisableTaskMgr"=dword:00000000

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"DisableCAD"=dword:00000000
  • Paste it into Notepad. Right click in the window and select Paste. (or use Ctrl+V)
  • Save the file to the Desktop, make sure Type is All Files, and name it Fixreg.reg
  • Double click on the file created and click Yes when asked to merge the information into the Registry


Re-run Deckard's System Scanner:
  • Go to Start > Run and type or paste "%userprofile%\desktop\dss.exe" /config
  • In the Modules window click the Check All button
  • Click the Scan! button
  • Scans will run, and 2 text files will open in Notepad.
  • Paste the text from both files into your next reply, as well as text from autoexec.txt & either the Killbox log or tell me how the deletions went.

Also, can you tell me what security software you have on that PC?
I see signs of Trend Micro here, but cannot make out what modules you have (anti-virus, firewall, etc.).
Normally on an x86 machine this is reported in the Deckard's scan, but doesn't appear to work in x64.

Cheers,

sage5

Edited by sage5, 27 March 2008 - 06:35 PM.

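The two things sage5 reads out of the DSS "Files created" list above (a batch of files all written in the same second, and executables in system directories that DSS could not attach a vendor to) can be checked mechanically. The following Python script is an added example for this thread; it is not part of DSS, HijackThis or anything the posters ran. The row layout is the one shown in the log above; the sample rows are constructed for the example and modelled on that log, and the burst threshold, the list of sensitive directories and the executable extensions are assumptions chosen here.

```python
"""Triage helper for the "Files created" section of a Deckard's System Scanner
(DSS) log.  Added example; not part of DSS or HijackThis.  It answers two
questions a helper asks when reading such a list:
  1. Which creation timestamps carry a burst of entries (many files written in
     the same second, a pattern a dropper leaves behind)?
  2. Which executables in system directories carry no vendor/version tag?
"""
import re
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime
from typing import Dict, List, Optional

# DSS row layout as seen in the log: date time size attrs path [<tag>]
LINE_RE = re.compile(
    r"^(?P<date>\d{4}-\d{2}-\d{2}) (?P<time>\d{2}:\d{2}:\d{2}) "
    r"(?P<size>\d+) (?P<attrs>[-a-z]{9}) (?P<path>.*?)"
    r"(?: <(?P<vendor_tag>[^>]*)>)?\s*$"
)

# Assumptions for this example (not from DSS): which directories count as
# sensitive and which extensions count as executable content.
SENSITIVE_DIRS = {r"c:\windows", r"c:\windows\system32",
                  r"c:\windows\syswow64", r"c:\windows\temp"}
EXEC_EXT = {".exe", ".dll", ".com", ".bat", ".cmd", ".scr", ".pif", ".sys"}

# Constructed sample rows, modelled on (not copied from) the thread's log.
SAMPLE_LOG = r"""
2008-03-20 08:49:28 4096 -----n--- C:\WINDOWS\winsystem.exe
2008-03-20 08:49:28 4096 -----n--- C:\WINDOWS\userconfig9x.dll
2008-03-20 08:49:28 4096 -----n--- C:\WINDOWS\FVProtect.exe
2008-03-20 08:49:28 4096 -----n--- C:\WINDOWS\a.bat
2008-03-20 08:49:28 0 d-------- C:\WINDOWS\mslagent
2008-03-20 08:47:20 38912 -----n--- C:\WINDOWS\ujuhmjit.exe
2008-03-20 09:03:44 41219 --a------ C:\WINDOWS\RSETPATH.exe <Not Verified; Pinnacle Systems; Pinnacle Systems RSETPATH>
2008-03-14 10:30:23 14165 --a------ C:\WINDOWS\system32\drivers\Pclepci.sys <Not Verified; Pinnacle Systems GmbH; PCLEPCI>
2008-03-20 16:07:47 0 d-------- C:\Program Files (x86)\SUPERAntiSpyware
"""


@dataclass
class Entry:
    when: datetime
    size: int
    attrs: str            # DSS attribute string, e.g. "d--------" or "-----n---"
    path: str
    vendor_tag: Optional[str]   # text inside <...>, None when DSS printed none

    @property
    def is_dir(self) -> bool:
        return self.attrs.startswith("d")

    @property
    def parent(self) -> str:
        return self.path.rsplit("\\", 1)[0].lower()

    @property
    def name(self) -> str:
        return self.path.rsplit("\\", 1)[-1].lower()


def parse_dss_lines(text: str) -> List[Entry]:
    """Turn DSS file rows into Entry objects; non-row lines are skipped."""
    entries: List[Entry] = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue   # section headers, blank lines, anything that is not a row
        when = datetime.strptime(f"{m['date']} {m['time']}", "%Y-%m-%d %H:%M:%S")
        entries.append(Entry(when, int(m["size"]), m["attrs"],
                             m["path"], m["vendor_tag"]))
    return entries


def find_bursts(entries: List[Entry], min_count: int = 4) -> List[dict]:
    """Group entries by exact creation second and keep the crowded seconds."""
    by_second: Dict[datetime, List[Entry]] = defaultdict(list)
    for e in entries:
        by_second[e.when].append(e)
    bursts = []
    for when in sorted(by_second):
        group = by_second[when]
        if len(group) < min_count:
            continue
        sizes = {e.size for e in group if not e.is_dir}
        bursts.append({
            "when": when.strftime("%Y-%m-%d %H:%M:%S"),
            "paths": [e.path for e in group],
            # identical sizes across a burst hint at stub or template files
            "uniform_size": sizes.pop() if len(sizes) == 1 else None,
        })
    return bursts


def unverified_executables(entries: List[Entry]) -> List[str]:
    """Executables sitting directly in a sensitive directory with no vendor tag."""
    hits = []
    for e in entries:
        if e.is_dir:
            continue
        ext = "." + e.name.rsplit(".", 1)[-1] if "." in e.name else ""
        if ext in EXEC_EXT and e.parent in SENSITIVE_DIRS and e.vendor_tag is None:
            hits.append(e.path)
    return hits


def triage(text: str) -> Dict[str, list]:
    entries = parse_dss_lines(text)
    return {"bursts": find_bursts(entries),
            "unverified_executables": unverified_executables(entries)}


if __name__ == "__main__":
    report = triage(SAMPLE_LOG)
    for b in report["bursts"]:
        note = f", every file {b['uniform_size']} bytes" if b["uniform_size"] is not None else ""
        print(f"{len(b['paths'])} entries created at {b['when']}{note}")
        for p in b["paths"]:
            print("   ", p)
    print("Executables in system directories with no vendor tag:")
    for p in report["unverified_executables"]:
        print("   ", p)
```

Run it as a script to print the summary, or paste a real "Files created" section in place of SAMPLE_LOG. A burst of same-sized files is a prompt for a closer look, not a verdict: the vendor tag DSS prints comes from the file's version resource, which legitimate small tools also lack, so each flagged path still needs the kind of manual check the helper does in this thread.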

#14
henschke
  • Topic Starter
  • Member
  • 10 posts
At first I could not find the file c:\autoexec.bat, but then I unchecked "Hide protected operating system files" in the Folder Options' View menu. Here is the text of that file:
SET PATH=C:\Program Files (x86)\Pinnacle\Shared Files\;C:\Program Files (x86)\Pinnacle\Shared Files\Filter



I had to delete the files manually as Killbox would give a "file does not seem to exist" message when I would paste the file addresses into it. The deletions seem to have worked as I do not see these files again after rebooting... THANK YOU!



The regedit also seems to have worked as I now have access to the task manager again... THANK YOU AGAIN!



As for the Trend Micro software, this machine is networked to a server and is running Trend Micro's Client/Server Security Agent for antivirus protection. Below is an excerpt from their readme file. The network is protected by a hardware firewall and the PC has the Windows Firewall enabled.
1. About Client/Server Security Agent
========================================================================
Designed to suit the needs of small- to medium-sized corporate
IT networks, Trend Micro Client/Server Security Agent provides
network-wide desktop and server protection.



I reran the Deckard scan after rebooting to Normal Mode. The main log is below; the extra log is in the following reply:

Deckard's System Scanner v20071014.68
Run by eric.henschke on 2008-03-28 09:37:44
Computer is in Normal Mode.
--------------------------------------------------------------------------------

Performed disk cleanup.



-- HijackThis (run as eric.henschke.exe) ---------------------------------------

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 9:37:45 AM, on 3/28/2008
Platform: Windows 2003 SP2 (WinNT 5.02.3790)
MSIE: Internet Explorer v7.00 (7.00.6000.16608)
Boot mode: Normal

Running processes:
C:\Program Files (x86)\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\Program Files (x86)\Common Files\LightScribe\LSSrvc.exe
C:\Program Files (x86)\Trend Micro\Client Server Security Agent\tmlisten.exe
C:\Program Files (x86)\Trend Micro\Client Server Security Agent\OfcPfwSvc.exe
C:\WINDOWS\TEMP\CW7DB3.EXE
C:\WINDOWS\RTHDCPL.EXE
C:\Program Files (x86)\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\WINDOWS\SysWOW64\ctfmon.exe
C:\Program Files (x86)\Trend Micro\Client Server Security Agent\pccntmon.exe
C:\Program Files (x86)\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
C:\Program Files\Logitech\SetPoint\x86\SetPoint32.exe
C:\Documents and Settings\eric.henschke\desktop\dss.exe
C:\PROGRA~2\TRENDM~1\HIJACK~1\ERICHE~1.EXE

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://companyweb
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://companyweb
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://companyweb
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft....k/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft....k/?LinkId=69157
F2 - REG:system.ini: UserInit=userinit
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O4 - HKLM\..\Run: [OfficeScanNT Monitor] "C:\Program Files (x86)\Trend Micro\Client Server Security Agent\pccntmon.exe" -HideWindow
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files (x86)\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [PinnacleDriverCheck] C:\WINDOWS\SysWow64\PSDrvCheck.exe -CheckReg
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files (x86)\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [LaunchList] C:\Program Files (x86)\Pinnacle\Studio 11\LaunchList2.exe
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files (x86)\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - HKUS\S-1-5-19\..\RunOnce: [tscuninstall] %systemroot%\system32\tscupgrd.exe (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\RunOnce: [tscuninstall] %systemroot%\system32\tscupgrd.exe (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\RunOnce: [tscuninstall] %systemroot%\system32\tscupgrd.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\RunOnce: [tscuninstall] %systemroot%\system32\tscupgrd.exe (User 'Default user')
O4 - Startup: Adobe Gamma.lnk = C:\Program Files (x86)\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Logitech SetPoint.lnk = ?
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\Office10\EXCEL.EXE/3000
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~2\MICROS~2\Office12\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O15 - ESC Trusted Zone: http://runonce.msn.com
O16 - DPF: {106E49CF-797A-11D2-81A2-00E02C015623} (AlternaTIFF ActiveX) - http://www.alternati.../00/alttiff.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.micros...b?1201836176806
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoft...free/asinst.cab
O16 - DPF: {B1E2B96C-12FE-45E2-BEF1-44A219113CDD} (SABScanProcesses Class) - http://www.superadbl...ivex/sabspx.cab
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = fargoautomation.local
O17 - HKLM\System\CCS\Services\Tcpip\..\{2D9CC770-9F05-4CD2-AEA0-60EDA28FB161}: NameServer = 192.168.1.5,64.21.232.2
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = fargoautomation.local
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = fargoautomation.local
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files (x86)\SUPERAntiSpyware\SASWINLO.DLL
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files (x86)\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Autodesk Licensing Service - Autodesk - C:\Program Files (x86)\Common Files\Autodesk Shared\Service\AdskScSrv.exe
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files (x86)\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - Unknown owner - C:\WINDOWS\System32\dmadmin.exe (file missing)
O23 - Service: Event Log (Eventlog) - Unknown owner - C:\WINDOWS\system32\services.exe (file missing)
O23 - Service: Fax - Unknown owner - C:\WINDOWS\system32\fxssvc.exe (file missing)
O23 - Service: HTTP SSL (HTTPFilter) - Unknown owner - C:\WINDOWS\System32\lsass.exe (file missing)
O23 - Service: IMAPI CD-Burning COM Service (ImapiService) - Unknown owner - C:\WINDOWS\system32\imapi.exe (file missing)
O23 - Service: Logitech Bluetooth Service (LBTServ) - Logitech, Inc. - C:\Program Files\Common Files\Logitech\Bluetooth\LBTServ.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files (x86)\Common Files\LightScribe\LSSrvc.exe
O23 - Service: Distributed Transaction Coordinator (MSDTC) - Unknown owner - C:\WINDOWS\system32\msdtc.exe (file missing)
O23 - Service: Net Logon (Netlogon) - Unknown owner - C:\WINDOWS\system32\lsass.exe (file missing)
O23 - Service: NMIndexingService - Nero AG - C:\Program Files (x86)\Common Files\Ahead\Lib\NMIndexingService.exe
O23 - Service: NT LM Security Support Provider (NtLmSsp) - Unknown owner - C:\WINDOWS\system32\lsass.exe (file missing)
O23 - Service: Trend Micro Client/Server Security Agent RealTime Scan (ntrtscan) - Trend Micro Inc. - C:\Program Files (x86)\Trend Micro\Client Server Security Agent\ntrtscan.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - Unknown owner - C:\WINDOWS\system32\nvsvc64.exe (file missing)
O23 - Service: Trend Micro Client/Server Security Agent Personal Firewall (OfcPfwSvc) - Trend Micro Inc. - C:\Program Files (x86)\Trend Micro\Client Server Security Agent\OfcPfwSvc.exe
O23 - Service: Plug and Play (PlugPlay) - Unknown owner - C:\WINDOWS\system32\services.exe (file missing)
O23 - Service: IPSEC Services (PolicyAgent) - Unknown owner - C:\WINDOWS\system32\lsass.exe (file missing)
O23 - Service: Protected Storage (ProtectedStorage) - Unknown owner - C:\WINDOWS\system32\lsass.exe (file missing)
O23 - Service: Remote Desktop Help Session Manager (RDSessMgr) - Unknown owner - C:\WINDOWS\system32\sessmgr.exe (file missing)
O23 - Service: Security Accounts Manager (SamSs) - Unknown owner - C:\WINDOWS\system32\lsass.exe (file missing)
O23 - Service: SolidWorks Licensing Service - SolidWorks - C:\Program Files (x86)\Common Files\SolidWorks Shared\Service\SolidWorksLicensing.exe
O23 - Service: Trend Micro Client/Server Security Agent Listener (tmlisten) - Trend Micro Inc. - C:\Program Files (x86)\Trend Micro\Client Server Security Agent\tmlisten.exe
O23 - Service: Virtual Disk Service (vds) - Unknown owner - C:\WINDOWS\System32\vds.exe (file missing)
O23 - Service: Volume Shadow Copy (VSS) - Unknown owner - C:\WINDOWS\System32\vssvc.exe (file missing)
O23 - Service: WMI Performance Adapter (WmiApSrv) - Unknown owner - C:\WINDOWS\system32\wbem\wmiapsrv.exe (file missing)

--
End of file - 8091 bytes

-- HijackThis Fixed Entries (C:\PROGRA~2\TRENDM~1\HIJACK~1\backups\) -----------

backup-20080327-082324-107 O4 - HKLM\..\Policies\Explorer\Run: [DRA9ZDKmx1] C:\WINDOWS\ujuhmjit.exe
backup-20080327-082324-327 O4 - HKLM\..\Run: [jtyzerqn] C:\WINDOWS\SysWow64\jtyzerqn.exe
backup-20080327-082324-410 O4 - HKLM\..\Run: [ggfixigd] C:\WINDOWS\SysWow64\ggfixigd.exe

-- File Associations -----------------------------------------------------------

.scr - AutoCADScriptFile - shell\open\command - "C:\WINDOWS\system32\NOTEPAD.EXE" "%1"


-- Drivers: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled ---------------------

R0 ACPI (Microsoft ACPI Driver) - c:\windows\system32\drivers\acpi.sys (file missing)
R0 atapi (Standard IDE/ESDI Hard Disk Controller) - c:\windows\system32\drivers\atapi.sys (file missing)
R0 crcdisk (CRC Disk Filter Driver) - c:\windows\system32\drivers\crcdisk.sys (file missing)
R0 Disk (Disk Driver) - c:\windows\system32\drivers\disk.sys (file missing)
R0 dmio (Logical Disk Manager Driver) - c:\windows\system32\drivers\dmio.sys (file missing)
R0 dmload - c:\windows\system32\drivers\dmload.sys (file missing)
R0 FltMgr - c:\windows\system32\drivers\fltmgr.sys (file missing)
R0 Ftdisk (Volume Manager Driver) - c:\windows\system32\drivers\ftdisk.sys (file missing)
R0 isapnp (PnP ISA/EISA Bus Driver) - c:\windows\system32\drivers\isapnp.sys (file missing)
R0 JGOGO (JMicron Hot-Plug Driver) - c:\windows\system32\drivers\jgogo.sys (file missing)
R0 JRAID - c:\windows\system32\drivers\jraid.sys (file missing)
R0 KSecDD - c:\windows\system32\drivers\ksecdd.sys (file missing)
R0 MountMgr (Mount Point Manager) - c:\windows\system32\drivers\mountmgr.sys (file missing)
R0 Mup - c:\windows\system32\drivers\mup.sys (file missing)
R0 NDIS (NDIS System Driver) - c:\windows\system32\drivers\ndis.sys (file missing)
R0 ohci1394 (VIA OHCI Compliant IEEE 1394 Host Controller) - c:\windows\system32\drivers\ohci1394.sys (file missing)
R0 PartMgr (Partition Manager) - c:\windows\system32\drivers\partmgr.sys (file missing)
R0 PCI (PCI Bus Driver) - c:\windows\system32\drivers\pci.sys (file missing)
R0 PCIIde - c:\windows\system32\drivers\pciide.sys (file missing)
R0 sr (System Restore Filter Driver) - c:\windows\system32\drivers\sr.sys (file missing)
R0 VolSnap (Storage volumes) - c:\windows\system32\drivers\volsnap.sys (file missing)
R1 AFD - c:\windows\system32\drivers\afd.sys (file missing)
R1 AvgAsC64 (AVG Anti-Spyware Clean Driver) - c:\windows\system32\drivers\avgasc64.sys (file missing)
R1 Beep - c:\windows\system32\drivers\beep.sys (file missing)
R1 Cdrom (CD-ROM Driver) - c:\windows\system32\drivers\cdrom.sys (file missing)
R1 Fips - c:\windows\system32\drivers\fips.sys (file missing)
R1 imapi (CD-Burning Filter Driver) - c:\windows\system32\drivers\imapi.sys (file missing)
R1 IPSec (IPSEC driver) - c:\windows\system32\drivers\ipsec.sys (file missing)
R1 Kbdclass (Keyboard Class Driver) - c:\windows\system32\drivers\kbdclass.sys (file missing)
R1 kbdhid (Keyboard HID Driver) - c:\windows\system32\drivers\kbdhid.sys (file missing)
R1 mnmdd - c:\windows\system32\drivers\mnmdd.sys (file missing)
R1 Mouclass (Mouse Class Driver) - c:\windows\system32\drivers\mouclass.sys (file missing)
R1 MRxSmb - c:\windows\system32\drivers\mrxsmb.sys (file missing)
R1 Msfs - c:\windows\system32\drivers\msfs.sys (file missing)
R1 NetBIOS (NetBIOS Interface) - c:\windows\system32\drivers\netbios.sys (file missing)
R1 NetBT (NetBios over Tcpip) - c:\windows\system32\drivers\netbt.sys (file missing)
R1 Npfs - c:\windows\system32\drivers\npfs.sys (file missing)
R1 Null - c:\windows\system32\drivers\null.sys (file missing)
R1 RasAcd (Remote Access Auto Connection Driver) - c:\windows\system32\drivers\rasacd.sys (file missing)
R1 Rdbss - c:\windows\system32\drivers\rdbss.sys (file missing)
R1 RDPCDD - c:\windows\system32\drivers\rdpcdd.sys (file missing)
R1 redbook (Digital CD Audio Playback Filter Driver) - c:\windows\system32\drivers\redbook.sys (file missing)
R1 Serial (Serial port driver) - c:\windows\system32\drivers\serial.sys (file missing)
R1 Tcpip (TCP/IP Protocol Driver) - c:\windows\system32\drivers\tcpip.sys (file missing)
R1 TermDD (Terminal Device Driver) - c:\windows\system32\drivers\termdd.sys (file missing)
R1 VgaSave (VGA Display Controller.) - c:\windows\system32\drivers\vga.sys (file missing)
R2 CdaC15BA - c:\windows\system32\drivers\cdac15ba.sys (file missing)
R2 CdaD10BA - c:\windows\system32\drivers\cdad10ba.sys (file missing)
R2 LBeepKE - c:\windows\system32\drivers\lbeepke.sys (file missing)
R2 Secdrv (Security Driver) - c:\windows\system32\drivers\secdrv.sys (file missing)
R3 aec (Microsoft Kernel Acoustic Echo Canceller) - c:\windows\system32\drivers\aec.sys (file missing)
R3 Arp1394 (1394 ARP Client Protocol) - c:\windows\system32\drivers\arp1394.sys (file missing)
R3 audstub (Audio Stub Driver) - c:\windows\system32\drivers\audstub.sys (file missing)
R3 Fdc (Floppy Disk Controller Driver) - c:\windows\system32\drivers\fdc.sys (file missing)
R3 Flpydisk (Floppy Disk Driver) - c:\windows\system32\drivers\flpydisk.sys (file missing)
R3 Gpc (Generic Packet Classifier) - c:\windows\system32\drivers\msgpc.sys (file missing)
R3 HDAudBus (Microsoft UAA Bus Driver for High Definition Audio) - c:\windows\system32\drivers\hdaudbus.sys (file missing)
R3 hidusb (Microsoft HID Class Driver) - c:\windows\system32\drivers\hidusb.sys (file missing)
R3 HTTP - c:\windows\system32\drivers\http.sys (file missing)
R3 IntcAzAudAddService (Service for Realtek HD Audio (WDM)) - c:\windows\system32\drivers\rtkhda64.sys (file missing)
R3 intelppm (Intel Processor Driver) - c:\windows\system32\drivers\intelppm.sys (file missing)
R3 IpNat (IP Network Address Translator) - c:\windows\system32\drivers\ipnat.sys (file missing)
R3 kmixer (Microsoft Kernel Wave Audio Mixer) - c:\windows\system32\drivers\kmixer.sys (file missing)
R3 ksthunk (Kernel Streaming WOW64 Thunk Service) - c:\windows\system32\drivers\ksthunk.sys (file missing)
R3 LHidFilt (Logitech SetPoint KMDF HID Filter Driver) - c:\windows\system32\drivers\lhidfilt.sys (file missing)
R3 LMouFilt (Logitech SetPoint KMDF Mouse Filter Driver) - c:\windows\system32\drivers\lmoufilt.sys (file missing)
R3 LUsbFilt (Logitech SetPoint KMDF USB Filter) - c:\windows\system32\drivers\lusbfilt.sys (file missing)
R3 mouhid (Mouse HID Driver) - c:\windows\system32\drivers\mouhid.sys (file missing)
R3 MRxDAV (WebDav Client Redirector) - c:\windows\system32\drivers\mrxdav.sys (file missing)
R3 mssmbios (Microsoft System Management BIOS Driver) - c:\windows\system32\drivers\mssmbios.sys (file missing)
R3 MTsensor (ATK0110 ACPI UTILITY) - c:\windows\system32\drivers\asacpi.sys (file missing)
R3 NdisTapi (Remote Access NDIS TAPI Driver) - c:\windows\system32\drivers\ndistapi.sys (file missing)
R3 Ndisuio (NDIS Usermode I/O Protocol) - c:\windows\system32\drivers\ndisuio.sys (file missing)
R3 NdisWan (Remote Access NDIS WAN Driver) - c:\windows\system32\drivers\ndiswan.sys (file missing)
R3 NDProxy (NDIS Proxy) - c:\windows\system32\drivers\ndproxy.sys (file missing)
R3 NIC1394 (1394 Net Driver) - c:\windows\system32\drivers\nic1394.sys (file missing)
R3 nv - c:\windows\system32\drivers\nv4_mini.sys (file missing)
R3 NVENETFD (NVIDIA nForce Networking Controller Driver) - c:\windows\system32\drivers\nvenetfd.sys (file missing)
R3 nvnetbus (NVIDIA Network Bus Enumerator) - c:\windows\system32\drivers\nvnetbus.sys (file missing)
R3 Parport (Parallel port driver) - c:\windows\system32\drivers\parport.sys (file missing)
R3 PptpMiniport (WAN Miniport (PPTP)) - c:\windows\system32\drivers\raspptp.sys (file missing)
R3 PSched (QoS Packet Scheduler) - c:\windows\system32\drivers\psched.sys (file missing)
R3 Ptilink (Direct Parallel Link Driver) - c:\windows\system32\drivers\ptilink.sys (file missing)
R3 Rasl2tp (WAN Miniport (L2TP)) - c:\windows\system32\drivers\rasl2tp.sys (file missing)
R3 RasPppoe (Remote Access PPPOE Driver) - c:\windows\system32\drivers\raspppoe.sys (file missing)
R3 Raspti (Direct Parallel) - c:\windows\system32\drivers\raspti.sys (file missing)
R3 rdpdr (Terminal Server Device Redirector Driver) - c:\windows\system32\drivers\rdpdr.sys (file missing)
R3 serenum (Serenum Filter Driver) - c:\windows\system32\drivers\serenum.sys (file missing)
R3 splitter (Microsoft Kernel Audio Splitter) - c:\windows\system32\drivers\splitter.sys (file missing)
R3 Srv - c:\windows\system32\drivers\srv.sys (file missing)
R3 swenum (Software Bus Driver) - c:\windows\system32\drivers\swenum.sys (file missing)
R3 swmidi (Microsoft Kernel GS Wavetable Synthesizer) - c:\windows\system32\drivers\swmidi.sys (file missing)
R3 sysaudio (Microsoft Kernel System Audio Device) - c:\windows\system32\drivers\sysaudio.sys (file missing)
R3 Update (Microcode Update Driver) - c:\windows\system32\drivers\update.sys (file missing)
R3 usbccgp (Microsoft USB Generic Parent Driver) - c:\windows\system32\drivers\usbccgp.sys (file missing)
R3 usbehci (Microsoft USB 2.0 Enhanced Host Controller Miniport Driver) - c:\windows\system32\drivers\usbehci.sys (file missing)
R3 usbhub (Microsoft USB Standard Hub Driver) - c:\windows\system32\drivers\usbhub.sys (file missing)
R3 usbohci (Microsoft USB Open Host Controller Miniport Driver) - c:\windows\system32\drivers\usbohci.sys (file missing)
R3 Wanarp (Remote Access IP ARP Driver) - c:\windows\system32\drivers\wanarp.sys (file missing)
R3 Wdf01000 - c:\windows\system32\drivers\wdf01000.sys (file missing)
R3 wdmaud (Microsoft WINMM WDM Audio Compatibility Driver) - c:\windows\system32\drivers\wdmaud.sys (file missing)
R4 Cdfs - c:\windows\system32\drivers\cdfs.sys (file missing)
R4 Ntfs - c:\windows\system32\drivers\ntfs.sys (file missing)

S1 i8042prt (i8042 Keyboard and PS/2 Mouse Port Driver) - c:\windows\system32\drivers\i8042prt.sys (file missing)
S1 PCLEPCI - c:\windows\system32\drivers\pclepci.sys <Not Verified; Pinnacle Systems GmbH; PCLEPCI>
S1 SASDIFSV - c:\program files (x86)\superantispyware\sasdifsv.sys
S1 Sfloppy - c:\windows\system32\drivers\sfloppy.sys (file missing)
S3 61883 (61883 Unit Device) - c:\windows\system32\drivers\61883.sys (file missing)
S3 AsyncMac (RAS Asynchronous Media Driver) - c:\windows\system32\drivers\asyncmac.sys (file missing)
S3 AtiHdmiService (ATI Function Driver for HDMI Service) - c:\windows\system32\drivers\atihdmi.sys (file missing)
S3 Atmarpc (ATM ARP Client Protocol) - c:\windows\system32\drivers\atmarpc.sys (file missing)
S3 Avc (AVC Device) - c:\windows\system32\drivers\avc.sys (file missing)
S3 CCDECODE (Closed Caption Decoder) - c:\windows\system32\drivers\ccdecode.sys (file missing)
S3 HdAudAddService (ATI Function Driver for High Definition Audio Service) - c:\windows\system32\drivers\atihdaud.sys (file missing)
S3 Ip6Fw (IPv6 Windows Firewall Driver) - c:\windows\system32\drivers\ip6fw.sys (file missing)
S3 IpFilterDriver (IP Traffic Filter Driver) - c:\windows\system32\drivers\ipfltdrv.sys (file missing)
S3 IpInIp (IP in IP Tunnel Driver) - c:\windows\system32\drivers\ipinip.sys (file missing)
S3 IRENUM (IR Enumerator Service) - c:\windows\system32\drivers\irenum.sys (file missing)
S3 LHidKe (SetPoint HID Mouse Filter Driver) - c:\windows\system32\drivers\lhidke.sys (file missing)
S3 LMouKE (SetPoint Mouse Filter Driver) - c:\windows\system32\drivers\lmouke.sys (file missing)
S3 LUsbKbd (SetPoint USB Filter Driver) - c:\windows\system32\drivers\lusbkbd.sys (file missing)
S3 Modem - c:\windows\system32\drivers\modem.sys (file missing)
S3 MSDV (Microsoft DV Camera and VCR) - c:\windows\system32\drivers\msdv.sys (file missing)
S3 MSKSSRV (Microsoft Streaming Service Proxy) - c:\windows\system32\drivers\mskssrv.sys (file missing)
S3 MSPCLOCK (Microsoft Streaming Clock Proxy) - c:\windows\system32\drivers\mspclock.sys (file missing)
S3 MSPQM (Microsoft Streaming Quality Manager Proxy) - c:\windows\system32\drivers\mspqm.sys (file missing)
S3 MSTEE (Microsoft Streaming Tee/Sink-to-Sink Converter) - c:\windows\system32\drivers\mstee.sys (file missing)
S3 NABTSFEC (NABTS/FEC VBI Codec) - c:\windows\system32\drivers\nabtsfec.sys (file missing)
S3 NdisIP (Microsoft TV/Video Connection) - c:\windows\system32\drivers\ndisip.sys (file missing)
S3 RDPWD - c:\windows\system32\drivers\rdpwd.sys (file missing)
S3 SABProcEnum - c:\program files (x86)\internet explorer\sabprocenum.sys (file missing)
S3 SASENUM - c:\program files (x86)\superantispyware\sasenum.sys <Not Verified; SuperAdBlocker, Inc.; SuperAntiSpyware>
S3 SLIP (BDA Slip De-Framer) - c:\windows\system32\drivers\slip.sys (file missing)
S3 streamip (BDA IPSink) - c:\windows\system32\drivers\streamip.sys (file missing)
S3 TDPIPE - c:\windows\system32\drivers\tdpipe.sys (file missing)
S3 TDTCP - c:\windows\system32\drivers\tdtcp.sys (file missing)
S3 USBSTOR (USB Mass Storage Driver) - c:\windows\system32\drivers\usbstor.sys (file missing)
S3 vga - c:\windows\system32\drivers\vgapnp.sys (file missing)
S3 WSTCODEC (World Standard Teletext Codec) - c:\windows\system32\drivers\wstcodec.sys (file missing)
S3 WudfPf (Windows Driver Foundation - User-mode Driver Framework Platform Driver) - c:\windows\system32\drivers\wudfpf.sys (file missing)
S3 WudfRd (Windows Driver Foundation - User-mode Driver Framework Reflector) - c:\windows\system32\drivers\wudfrd.sys (file missing)
S4 ACPIEC - c:\windows\system32\drivers\acpiec.sys (file missing)
S4 dmboot - c:\windows\system32\drivers\dmboot.sys (file missing)
S4 Fastfat - c:\windows\system32\drivers\fastfat.sys (file missing)
S4 Pcmcia - c:\windows\system32\drivers\pcmcia.sys (file missing)
S4 Udfs - c:\windows\system32\drivers\udfs.sys (file missing)


-- Services: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled --------------------

R2 Eventlog (Event Log) - c:\windows\system32\services.exe (file missing)
R2 Netlogon (Net Logon) - c:\windows\system32\lsass.exe (file missing)
R2 ntrtscan (Trend Micro Client/Server Security Agent RealTime Scan) - c:\program files (x86)\trend micro\client server security agent\ntrtscan.exe
R2 NVSvc (NVIDIA Display Driver Service) - c:\windows\system32\nvsvc64.exe (file missing)
R2 OfcPfwSvc (Trend Micro Client/Server Security Agent Personal Firewall) - c:\program files (x86)\trend micro\client server security agent\ofcpfwsvc.exe
R2 PlugPlay (Plug and Play) - c:\windows\system32\services.exe (file missing)
R2 PolicyAgent (IPSEC Services) - c:\windows\system32\lsass.exe (file missing)
R2 ProtectedStorage (Protected Storage) - c:\windows\system32\lsass.exe (file missing)
R2 SamSs (Security Accounts Manager) - c:\windows\system32\lsass.exe (file missing)
R2 tmlisten (Trend Micro Client/Server Security Agent Listener) - c:\program files (x86)\trend micro\client server security agent\tmlisten.exe

S2 Fax - c:\windows\system32\fxssvc.exe (file missing)
S3 dmadmin (Logical Disk Manager Administrative Service) - c:\windows\system32\dmadmin.exe /com (file missing)
S3 HTTPFilter (HTTP SSL) - c:\windows\system32\lsass.exe (file missing)
S3 ImapiService (IMAPI CD-Burning COM Service) - c:\windows\system32\imapi.exe (file missing)
S3 MSDTC (Distributed Transaction Coordinator) - c:\windows\system32\msdtc.exe (file missing)
S3 NMIndexingService - "c:\program files (x86)\common files\ahead\lib\nmindexingservice.exe" <Not Verified; Nero AG; Nero Home>
S3 NtLmSsp (NT LM Security Support Provider) - c:\windows\system32\lsass.exe (file missing)
S3 RDSessMgr (Remote Desktop Help Session Manager) - c:\windows\system32\sessmgr.exe (file missing)
S3 SolidWorks Licensing Service - "c:\program files (x86)\common files\solidworks shared\service\solidworkslicensing.exe" <Not Verified; SolidWorks; SolidWorks Licensing Service>
S3 vds (Virtual Disk Service) - c:\windows\system32\vds.exe (file missing)
S3 VSS (Volume Shadow Copy) - c:\windows\system32\vssvc.exe (file missing)
S3 WmiApSrv (WMI Performance Adapter) - c:\windows\system32\wbem\wmiapsrv.exe (file missing)
S4 TlntSvr (Telnet) - c:\windows\system32\tlntsvr.exe (file missing)


-- Device Manager: Disabled ----------------------------------------------------

No disabled devices found.


-- Process Modules -------------------------------------------------------------

All modules okay.


-- Scheduled Tasks -------------------------------------------------------------

2008-03-28 09:21:57 330 --ah----- C:\WINDOWS\Tasks\MP Scheduled Scan.job


-- Files created between 2008-02-28 and 2008-03-28 -----------------------------

2008-03-28 09:16:44 0 d--h----- C:\Documents and Settings\fairoot.D21\Templates
2008-03-28 09:16:44 0 dr------- C:\Documents and Settings\fairoot.D21\Start Menu
2008-03-28 09:16:44 0 dr-h----- C:\Documents and Settings\fairoot.D21\SendTo
2008-03-28 09:16:44 0 d--h----- C:\Documents and Settings\fairoot.D21\Recent
2008-03-28 09:16:44 0 d--h----- C:\Documents and Settings\fairoot.D21\PrintHood
2008-03-28 09:16:44 524288 --ah----- C:\Documents and Settings\fairoot.D21\NTUSER.DAT
2008-03-28 09:16:44 0 d--h----- C:\Documents and Settings\fairoot.D21\NetHood
2008-03-28 09:16:44 0 d-------- C:\Documents and Settings\fairoot.D21\My Documents
2008-03-28 09:16:44 0 d--h----- C:\Documents and Settings\fairoot.D21\Local Settings
2008-03-28 09:16:44 0 d-------- C:\Documents and Settings\fairoot.D21\Favorites
2008-03-28 09:16:44 0 d-------- C:\Documents and Settings\fairoot.D21\Desktop
2008-03-28 09:16:44 0 d--hs---- C:\Documents and Settings\fairoot.D21\Cookies
2008-03-28 09:16:44 0 dr-h----- C:\Documents and Settings\fairoot.D21\Application Data
2008-03-28 09:16:44 0 d---s---- C:\Documents and Settings\fairoot.D21\Application Data\Microsoft
2008-03-27 14:58:19 0 d-------- C:\Documents and Settings\eric.henschke\Application Data\PC-Cleaner
2008-03-27 08:32:52 0 d-------- C:\!KillBox
2008-03-26 13:01:01 0 d-------- C:\VundoFix Backups
2008-03-24 08:03:21 0 d-------- C:\a2
2008-03-20 17:22:51 0 d-------- C:\WINDOWS\system32\ActiveScan
2008-03-20 16:07:51 0 d-------- C:\Documents and Settings\All Users.WINDOWS\Application Data\SUPERAntiSpyware.com
2008-03-20 16:07:47 0 d-------- C:\Program Files (x86)\SUPERAntiSpyware
2008-03-20 16:07:47 0 d-------- C:\Documents and Settings\eric.henschke\Application Data\SUPERAntiSpyware.com
2008-03-20 16:07:33 0 d-------- C:\Program Files (x86)\Common Files\Wise Installation Wizard
2008-03-20 16:04:07 0 d-------- C:\Documents and Settings\eric.henschke\Application Data\Grisoft
2008-03-20 16:03:57 0 d-------- C:\Documents and Settings\All Users.WINDOWS\Application Data\Grisoft
2008-03-20 15:49:17 0 d-------- C:\Program Files (x86)\XoftSpySE
2008-03-20 15:26:16 3407872 --ah----- C:\Documents and Settings\eric.henschke\NTUSER.DAT
2008-03-20 14:25:49 0 d-------- C:\Program Files (x86)\Enigma Software Group
2008-03-20 13:09:15 2146 --a------ C:\WINDOWS\system32\tmp.reg
2008-03-20 13:02:12 0 d-------- C:\WINDOWS\pss
2008-03-20 12:47:18 86528 --a------ C:\WINDOWS\system32\VACFix.exe <Not Verified; S!Ri.URZ; VACFix>
2008-03-20 12:47:18 82432 --a------ C:\WINDOWS\system32\IEDFix.exe <Not Verified; S!Ri.URZ; IEDFix>
2008-03-20 12:47:17 25600 --a------ C:\WINDOWS\system32\WS2Fix.exe
2008-03-20 12:47:17 289144 --a------ C:\WINDOWS\system32\VCCLSID.exe <Not Verified; S!Ri; >
2008-03-20 12:47:17 288417 --a------ C:\WINDOWS\system32\SrchSTS.exe <Not Verified; S!Ri; SrchSTS>
2008-03-20 12:47:17 51200 --a------ C:\WINDOWS\system32\dumphive.exe
2008-03-20 11:54:15 0 dr-h----- C:\Documents and Settings\eric.henschke\Recent
2008-03-20 09:07:19 401408 --a------ C:\WINDOWS\system32\pvmjpg30.dll <Not Verified; Pegasus Imaging Corporation; PICVideo Codec Suite>
2008-03-20 09:07:18 44544 --a------ C:\WINDOWS\system32\msxml4a.dll <Not Verified; Microsoft Corporation; Microsoft® MSXML 4.0 SP1>
2008-03-20 09:07:18 1712128 --a------ C:\WINDOWS\system32\GDIPLUS.DLL <Not Verified; Microsoft Corporation; Microsoft® Windows® Operating System>
2008-03-20 09:05:30 0 d-------- C:\Documents and Settings\NetworkService\My Documents
2008-03-20 09:05:30 0 d-------- C:\Documents and Settings\LocalService\My Documents
2008-03-20 09:04:54 138752 --a------ C:\WINDOWS\system32\mase32.dll
2008-03-20 09:04:54 57856 --a------ C:\WINDOWS\system32\masd32.dll
2008-03-20 09:04:54 136192 --a------ C:\WINDOWS\system32\mamc32.dll <Not Verified; ; MAMC32 Dynamic Link Library>
2008-03-20 09:04:54 196096 --a------ C:\WINDOWS\system32\macd32.dll <Not Verified; ; MACD32 Dynamic Link Library>
2008-03-20 09:04:54 27648 --a------ C:\WINDOWS\system32\ma32.dll
2008-03-20 09:03:44 41219 --a------ C:\WINDOWS\RSETPATH.exe <Not Verified; Pinnacle Systems; Pinnacle Systems RSETPATH>
2008-03-20 09:03:18 49152 --a------ C:\WINDOWS\system32\PCLEGetGuid.dll <Not Verified; Pinnacle Systems; Guid_dll>
2008-03-20 08:57:02 0 d-------- C:\Documents and Settings\eric.henschke\Application Data\InstallShield
2008-03-19 15:28:40 0 d-------- C:\Program Files (x86)\WinAce
2008-03-17 09:04:57 0 d-------- C:\Program Files (x86)\proDAD
2008-03-17 09:01:39 0 d-------- C:\Program Files (x86)\AdorageI-SAL
2008-03-17 08:52:47 0 d-------- C:\WINDOWS\system32\URTTEMP
2008-03-17 08:49:39 0 d-------- C:\Program Files (x86)\SmartSound Software
2008-03-17 08:49:03 0 d-------- C:\Program Files (x86)\QuickTime
2008-03-17 08:49:03 0 d-------- C:\Documents and Settings\All Users.WINDOWS\Application Data\QuickTime
2008-03-17 08:41:32 0 d-------- C:\Program Files (x86)\DivX
2008-03-17 08:38:29 0 d-------- C:\Documents and Settings\All Users.WINDOWS\Application Data\Pinnacle Studio
2008-03-14 10:41:09 0 d-------- C:\WINDOWS\Downloaded Installations
2008-03-14 10:30:39 0 d-------- C:\Documents and Settings\All Users.WINDOWS\Application Data\Pinnacle
2008-03-14 10:30:37 0 d-------- C:\Program Files (x86)\Pinnacle
2008-03-14 10:30:23 14165 --a------ C:\WINDOWS\system32\drivers\Pclepci.sys <Not Verified; Pinnacle Systems GmbH; PCLEPCI>
2008-03-05 09:46:42 16384 -----n--- C:\WINDOWS\system32\FileOps.exe
2008-03-05 09:46:42 0 d-------- C:\WINDOWS\system32\Adobe
2008-02-28 17:08:42 0 d-------- C:\Program Files (x86)\Common Files\Canon


-- Find3M Report ---------------------------------------------------------------

2008-03-20 16:07:33 0 d-------- C:\Program Files (x86)\Common Files
2008-03-20 15:12:37 0 d-------- C:\Program Files (x86)\Trend Micro
2008-03-20 09:04:54 108 --a------ C:\AUTOEXEC.BAT
2008-03-20 09:02:55 0 d--h----- C:\Program Files (x86)\InstallShield Installation Information
2008-03-17 10:41:36 0 d-------- C:\Program Files (x86)\Common Files\LightScribe
2008-03-17 08:49:31 0 d-------- C:\Program Files (x86)\Common Files\InstallShield
2008-03-17 08:02:38 0 d-------- C:\Program Files (x86)\Google
2008-03-13 08:50:59 0 d-------- C:\Program Files (x86)\Common Files\Adobe
2008-03-03 09:59:26 0 d-------- C:\Documents and Settings\eric.henschke\Application Data\Google
2008-02-18 17:31:05 0 d-------- C:\Program Files (x86)\Common Files\Adobe Systems Shared
2008-02-18 15:33:50 1019 --a------ C:\WINDOWS\mozver.dat
2008-02-07 15:08:30 0 d-------- C:\Program Files (x86)\Common Files\SolidWorks Shared
2008-02-07 15:08:25 0 d-------- C:\Program Files (x86)\Common Files\eDrawings2008
2008-02-01 14:52:57 0 d-------- C:\Program Files (x86)\GPLGS
2008-02-01 09:32:29 0 d-------- C:\Program Files (x86)\Microsoft Works
2008-02-01 09:19:31 0 d-------- C:\Program Files (x86)\Microsoft ActiveSync
2008-02-01 09:18:58 0 d-------- C:\Program Files (x86)\Microsoft.NET
2008-01-31 23:57:38 0 d-------- C:\Program Files (x86)\MSXML 4.0
2008-01-31 23:53:33 0 d-------- C:\Program Files (x86)\Windows Defender
2008-01-31 23:51:16 0 d-------- C:\Program Files (x86)\Common Files\Ahead
2008-01-31 23:49:53 0 d-------- C:\Program Files (x86)\Nero
2008-01-31 23:46:05 0 d-------- C:\Program Files (x86)\MA User Marked Database
2008-01-31 23:45:56 0 d-------- C:\Program Files (x86)\Motion Analyzer
2008-01-31 23:43:08 0 d-------- C:\Program Files (x86)\AutoCAD 2007
2008-01-31 23:42:51 0 d-------- C:\Program Files (x86)\Common Files\Autodesk Shared
2008-01-31 23:42:49 0 d-------- C:\Program Files (x86)\AnswerWorks 4.0
2008-01-31 23:40:36 0 d-------- C:\Program Files (x86)\proeWildfire
2008-01-31 23:37:44 0 d-------- C:\Program Files (x86)\Autodesk
2008-01-31 23:35:58 0 d-------- C:\Program Files (x86)\Acro Software
2008-01-31 23:35:22 0 d-------- C:\Program Files (x86)\Innotiv Spekan Batch Tool
2008-01-31 23:22:03 19739 --a------ C:\license.dat
2008-01-31 23:17:52 0 d-------- C:\Program Files (x86)\Realtek
2008-01-31 23:07:42 0 d-------- C:\Program Files (x86)\MSXML 6.0
2008-01-31 22:48:45 0 d-------- C:\Program Files (x86)\MSBuild
2008-01-31 22:44:53 0 d-------- C:\Program Files (x86)\Reference Assemblies
2008-01-31 22:15:32 0 d-------- C:\Program Files (x86)\system
2008-01-31 22:15:32 0 d-------- C:\Program Files (x86)\speechengines
2008-01-31 22:15:32 0 d-------- C:\Program Files (x86)\microsoft shared
2008-01-31 22:15:21 0 -rahs---- C:\MSDOS.SYS
2008-01-31 22:15:21 0 -rahs---- C:\IO.SYS
2008-01-31 22:15:21 0 --a------ C:\CONFIG.SYS
2008-01-31 21:19:32 0 d-------- C:\Program Files (x86)\Movie Maker
2008-01-31 21:19:20 0 d-------- C:\Program Files (x86)\Windows Media Player[Strings]
2008-01-31 21:18:12 0 d-------- C:\Program Files (x86)\MSN Gaming Zone
2008-01-31 21:17:37 0 d-------- C:\Program Files (x86)\Windows NT
2008-01-31 14:59:56 0 d-------- C:\Program Files (x86)\Common Files\ODBC
2008-01-31 14:59:51 0 d-------- C:\Program Files (x86)\Common Files\SpeechEngines
2008-01-29 12:47:01 0 d-------- C:\Documents and Settings\eric.henschke\Application Data\Ahead
2008-01-29 10:59:47 0 d-------- C:\Documents and Settings\eric.henschke\Application Data\Autodesk
2008-01-28 17:45:51 0 d-------- C:\Documents and Settings\eric.henschke\Application Data\ATI


-- Registry Dump ---------------------------------------------------------------



-- End of Deckard's System Scanner: finished at 2008-03-28 09:38:26 ------------

Edited by henschke, 28 March 2008 - 09:09 AM.

  • 0

#15
henschke

    Member

  • Topic Starter
  • Member
  • 10 posts
Here is the extra log:

Deckard's System Scanner v20071014.68
Extra logfile - please post this as an attachment with your post.
--------------------------------------------------------------------------------

-- System Information ----------------------------------------------------------

Microsoft® Windows® XP Professional x64 Edition (build 3790) SP 2.0
Architecture: X64; Language: English

CPU 0: Intel® Core™2 Quad CPU Q6600 @ 2.40GHz
CPU 1: Intel® Core™2 Quad CPU Q6600 @ 2.40GHz
CPU 2: Intel® Core™2 Quad CPU Q6600 @ 2.40GHz
CPU 3: Intel® Core™2 Quad CPU Q6600 @ 2.40GHz
Percentage of Memory in Use: 11%
Physical Memory (total/avail): 8190.25 MiB / 7218.42 MiB
Pagefile Memory (total/avail): 9806.72 MiB / 9209.63 MiB
Virtual Memory (total/avail): 4095.88 MiB / 3943.57 MiB

A: is Removable (No Media)
C: is Fixed (NTFS) - 69.24 GiB total, 22.96 GiB free.
D: is CDROM (No Media)
P: is Network (NTFS)

\\.\PHYSICALDRIVE0 - WDC WD740ADFD-00NLR5 - 69.24 GiB - 1 partition
\PARTITION0 (bootable) - Installable File System - 69.24 GiB - C:



-- Security Center -------------------------------------------------------------

Windows Internal Firewall is enabled.

[HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"C:\\Program Files (x86)\\proeWildfire\\i486_nt\\nms\\nmsd.exe"="C:\\Program Files (x86)\\proeWildfire\\i486_nt\\nms\\nmsd.exe:*:Disabled:nmsd"
"C:\\Program Files (x86)\\proeWildfire\\i486_nt\\obj\\xtop.exe"="C:\\Program Files (x86)\\proeWildfire\\i486_nt\\obj\\xtop.exe:*:Disabled:xtop"
"C:\\Program Files (x86)\\proeWildfire\\i486_nt\\obj\\pro_comm_msg.exe"="C:\\Program Files (x86)\\proeWildfire\\i486_nt\\obj\\pro_comm_msg.exe:*:Disabled:pro_comm_msg"
"C:\\Program Files (x86)\\Pinnacle\\Studio 10\\programs\\RM.exe"="C:\\Program Files (x86)\\Pinnacle\\Studio 10\\programs\\RM.exe:*:Enabled:Render Manager"
"C:\\Program Files (x86)\\Pinnacle\\Studio 10\\programs\\Studio.exe"="C:\\Program Files (x86)\\Pinnacle\\Studio 10\\programs\\Studio.exe:*:Enabled:Studio"
"C:\\Program Files (x86)\\Pinnacle\\Studio 10\\programs\\PMSRegisterFile.exe"="C:\\Program Files (x86)\\Pinnacle\\Studio 10\\programs\\PMSRegisterFile.exe:*:Enabled:PMSRegisterFile"
"C:\\Program Files (x86)\\Pinnacle\\Studio 10\\programs\\umi.exe"="C:\\Program Files (x86)\\Pinnacle\\Studio 10\\programs\\umi.exe:*:Enabled:umi"
"C:\\Program Files (x86)\\Pinnacle\\Studio 11\\programs\\RM.exe"="C:\\Program Files (x86)\\Pinnacle\\Studio 11\\programs\\RM.exe:*:Enabled:Render Manager"
"C:\\Program Files (x86)\\Pinnacle\\Studio 11\\programs\\Studio.exe"="C:\\Program Files (x86)\\Pinnacle\\Studio 11\\programs\\Studio.exe:*:Enabled:Studio"
"C:\\Program Files (x86)\\Pinnacle\\Studio 11\\programs\\PMSRegisterFile.exe"="C:\\Program Files (x86)\\Pinnacle\\Studio 11\\programs\\PMSRegisterFile.exe:*:Enabled:PMSRegisterFile"
"C:\\Program Files (x86)\\Pinnacle\\Studio 11\\programs\\umi.exe"="C:\\Program Files (x86)\\Pinnacle\\Studio 11\\programs\\umi.exe:*:Enabled:umi"

[HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"C:\\Documents and Settings\\Administrator\\Local Settings\\Temp\\ptcE_tmp.exe"="C:\\Documents and Settings\\Administrator\\Local Settings\\Temp\\ptcE_tmp.exe:*:Enabled:ptcE_tmp"
"C:\\Program Files (x86)\\proeWildfire\\i486_nt\\nms\\nmsd.exe"="C:\\Program Files (x86)\\proeWildfire\\i486_nt\\nms\\nmsd.exe:*:Disabled:nmsd"
"C:\\Program Files (x86)\\proeWildfire\\i486_nt\\obj\\xtop.exe"="C:\\Program Files (x86)\\proeWildfire\\i486_nt\\obj\\xtop.exe:*:Disabled:xtop"
"C:\\Program Files (x86)\\proeWildfire\\i486_nt\\obj\\pro_comm_msg.exe"="C:\\Program Files (x86)\\proeWildfire\\i486_nt\\obj\\pro_comm_msg.exe:*:Disabled:pro_comm_msg"


-- Environment Variables -------------------------------------------------------

ALLUSERSPROFILE=C:\Documents and Settings\All Users.WINDOWS
APPDATA=C:\Documents and Settings\eric.henschke\Application Data
CLIENTNAME=Console
CommonProgramFiles=C:\Program Files (x86)\Common Files
CommonProgramFiles(x86)=C:\Program Files (x86)\Common Files
CommonProgramW6432=C:\Program Files\Common Files
COMPUTERNAME=D21
ComSpec=C:\WINDOWS\system32\cmd.exe
FP_NO_HOST_CHECK=NO
HOMEDRIVE=C:
HOMEPATH=\Documents and Settings\eric.henschke
LOGONSERVER=\\FS01
NUMBER_OF_PROCESSORS=4
OS=Windows_NT
Path=C:\WINDOWS\system32;C:\WINDOWS;C:\WINDOWS\System32\Wbem;C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static;C:\Program Files (x86)\proeWildfire\bin;C:\Program Files (x86)\Common Files\Adobe\AGL;C:\Program Files (x86)\Pinnacle\Shared Files\;C:\Program Files (x86)\Pinnacle\Shared Files\Filter
PATHEXT=.COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH
PROCESSOR_ARCHITECTURE=x86
PROCESSOR_ARCHITEW6432=AMD64
PROCESSOR_IDENTIFIER=EM64T Family 6 Model 15 Stepping 11, GenuineIntel
PROCESSOR_LEVEL=6
PROCESSOR_REVISION=0f0b
ProgramFiles=C:\Program Files (x86)
ProgramFiles(x86)=C:\Program Files (x86)
ProgramW6432=C:\Program Files
PROMPT=$P$G
SESSIONNAME=Console
SystemDrive=C:
SystemRoot=C:\WINDOWS
TEMP=C:\DOCUME~1\ERIC~1.HEN\LOCALS~1\Temp
TMP=C:\DOCUME~1\ERIC~1.HEN\LOCALS~1\Temp
USERDNSDOMAIN=FARGOAUTOMATION.LOCAL
USERDOMAIN=FARGOAUTOMATION
USERNAME=eric.henschke
USERPROFILE=C:\Documents and Settings\eric.henschke
windir=C:\WINDOWS


-- User Profiles ---------------------------------------------------------------

eric.henschke (update central, admin)
fairoot (new local, admin, net ready)
fairoot.D21 (new local, admin)


-- Add/Remove Programs ---------------------------------------------------------

--> C:\Program Files (x86)\Nero\Nero 7\nero\uninstall\UNNERO.exe /UNINSTALL
--> C:\WINDOWS\UNNeroMediaHome.exe /UNINSTALL
--> C:\WINDOWS\UNNeroShowTime.exe /UNINSTALL
--> C:\WINDOWS\UNNeroVision.exe /UNINSTALL
2007 Microsoft Office system --> "C:\Program Files (x86)\Common Files\Microsoft Shared\OFFICE12\Office Setup Controller\setup.exe" /uninstall PROHYBRIDR /dll OSETUP.DLL
Adobe Bridge 1.0 --> MsiExec.exe /I{B74D4E10-1033-0000-0000-000000000001}
Adobe Common File Installer --> MsiExec.exe /I{8EDBA74D-0686-4C99-BFDD-F894678E5B39}
Adobe Help Center 1.0 --> MsiExec.exe /I{E9787678-1033-0000-8E67-000000000001}
Adobe Illustrator CS2 --> msiexec /I {B2F5D08C-7E79-4FCD-AAF4-57AD35FF0601}
Adobe Photoshop CS2 --> msiexec /I {236BB7C4-4419-42FD-0409-1E257A25E34D}
Adobe Reader 8.1.2 --> MsiExec.exe /I{AC76BA86-7AD7-1033-7B44-A81200000003}
Adobe Stock Photos 1.0 --> MsiExec.exe /I{786C5747-1033-0000-B58E-000000000001}
Adobe SVG Viewer 3.0 --> C:\Program Files (x86)\Common Files\Adobe\SVG Viewer 3.0\Uninstall\Winstall.exe -u -fC:\Program Files (x86)\Common Files\Adobe\SVG Viewer 3.0\Uninstall\Install.log
AutoCAD 2007 - English --> MsiExec.exe /I{5783F2D7-5001-0409-0002-0060B0CE6BBA}
Autodesk DWF Viewer --> C:\PROGRA~2\Autodesk\AUTODE~1\Setup.exe /remove /q0
AVG Anti-Spyware 7.5 --> C:\Program Files (x86)\Grisoft\AVG Anti-Spyware 7.5\Uninstall.exe
eDrawings 2008 --> MsiExec.exe /I{1F40F8F1-B4BC-4A5B-B1A6-363FBDD30F0C}
ERUNT 1.1j --> "C:\Program Files (x86)\ERUNT\unins000.exe"
HijackThis 2.0.2 --> "C:\Program Files (x86)\Trend Micro\HijackThis\HijackThis.exe" /uninstall
Innotiv Spekan Batch Tool 3.2 --> "C:\Program Files (x86)\Innotiv Spekan Batch Tool\unins000.exe"
Logitech SetPoint --> C:\Program Files (x86)\InstallShield Installation Information\{F29B21BD-CAA6-445F-8EF7-A7E2B9D8B14E}\setup.exe -runfromtemp -l0x0009 -removeonly
Microsoft .NET Framework 1.1 --> msiexec.exe /X {CB2F7EDD-9D1F-43C1-90FC-4F52EAE172A1}
Microsoft .NET Framework 1.1 --> MsiExec.exe /X{CB2F7EDD-9D1F-43C1-90FC-4F52EAE172A1}
Microsoft .NET Framework 1.1 Hotfix (KB928366) --> "C:\WINDOWS\Microsoft.NET\Framework\v1.1.4322\Updates\hotfix.exe" "C:\WINDOWS\Microsoft.NET\Framework\v1.1.4322\Updates\M928366\M928366Uninstall.msp"
Microsoft Office Access MUI (English) 2007 --> MsiExec.exe /X{90120000-0015-0409-0000-0000000FF1CE}
Microsoft Office Access Setup Metadata MUI (English) 2007 --> MsiExec.exe /X{90120000-0117-0409-0000-0000000FF1CE}
Microsoft Office Excel MUI (English) 2007 --> MsiExec.exe /X{90120000-0016-0409-0000-0000000FF1CE}
Microsoft Office Outlook 2003 --> MsiExec.exe /I{90E00409-6000-11D3-8CFE-0150048383C9}
Microsoft Office Outlook MUI (English) 2007 --> MsiExec.exe /X{90120000-001A-0409-0000-0000000FF1CE}
Microsoft Office PowerPoint MUI (English) 2007 --> MsiExec.exe /X{90120000-0018-0409-0000-0000000FF1CE}
Microsoft Office Professional Hybrid 2007 --> MsiExec.exe /X{91120000-0031-0000-0000-0000000FF1CE}
Microsoft Office Proof (English) 2007 --> MsiExec.exe /X{90120000-001F-0409-0000-0000000FF1CE}
Microsoft Office Proof (French) 2007 --> MsiExec.exe /X{90120000-001F-040C-0000-0000000FF1CE}
Microsoft Office Proof (Spanish) 2007 --> MsiExec.exe /X{90120000-001F-0C0A-0000-0000000FF1CE}
Microsoft Office Proofing (English) 2007 --> MsiExec.exe /X{90120000-002C-0409-0000-0000000FF1CE}
Microsoft Office Publisher MUI (English) 2007 --> MsiExec.exe /X{90120000-0019-0409-0000-0000000FF1CE}
Microsoft Office Shared MUI (English) 2007 --> MsiExec.exe /X{90120000-006E-0409-0000-0000000FF1CE}
Microsoft Office Shared Setup Metadata MUI (English) 2007 --> MsiExec.exe /X{90120000-0115-0409-0000-0000000FF1CE}
Microsoft Office Word MUI (English) 2007 --> MsiExec.exe /X{90120000-001B-0409-0000-0000000FF1CE}
Microsoft Visual C++ 2005 Redistributable --> MsiExec.exe /X{A49F249F-0C91-497F-86DF-B2585E8E76B7}
Motion Analyzer --> RunDll32 C:\PROGRA~2\COMMON~1\INSTAL~1\PROFES~1\RunTime\11\00\Intel32\Ctor.dll,LaunchSetup "C:\Program Files (x86)\InstallShield Installation Information\{29C7673B-E6BD-4F53-8D13-11B562A56C76}\setup.exe" -l0x9 -removeonly
Mozilla Firefox (2.0.0.11) --> C:\Program Files (x86)\Mozilla Firefox\uninstall\helper.exe
MSXML 4.0 SP2 (KB936181) --> MsiExec.exe /I{C04E32E0-0416-434D-AFB9-6969D703A9EF}
Nero 7 Essentials --> MsiExec.exe /X{1C00A3F1-6DA0-49F8-94E4-01AB6FC01033}
Panda ActiveScan --> C:\WINDOWS\system32\ASUninst.exe Panda ActiveScan
Pro/ENGINEER Release Wildfire Datecode M210 --> "C:\Program Files (x86)\proeWildfire\uninstall\i486_nt\obj\psuninst.exe" "C:\Program Files (x86)\proeWildfire\uninstall\instlog.txt"
Realtek High Definition Audio Driver --> RunDll32 C:\PROGRA~2\COMMON~1\INSTAL~1\PROFES~1\RunTime\11\50\Intel32\Ctor.dll,LaunchSetup "C:\Program Files (x86)\InstallShield Installation Information\{F132AF7F-7BCA-4EDE-8A7C-958108FE7DBC}\setup.exe" -l0x9 -removeonly
Security Update for Windows XP (KB923789) --> C:\WINDOWS\system32\MacroMed\Flash\genuinst.exe C:\WINDOWS\system32\MacroMed\Flash\KB923789.inf
Studio 11 --> C:\Program Files (x86)\InstallShield Installation Information\{110B1ADF-2EAE-4E8F-B501-D2A1E6D8ED9D}\Setup2.exe -runfromtemp -l0x0009 UNINSTALL -removeonly
SUPERAntiSpyware Free Edition --> MsiExec.exe /X{CDDCBBF1-2703-46BC-938B-BCC81A1EEAAA}
Trend Micro Client/Server Security Agent --> "C:\Program Files (x86)\Trend Micro\Client Server Security Agent\ntrmv.exe"
Yahoo! Desktop Login --> MsiExec.exe /I{F9AEEC34-CF00-4CBD-9E36-DF9DC4002685}


-- Application Event Log -------------------------------------------------------

Event Record #/Type1908 / Error
Event Submitted/Written: 03/28/2008 09:31:29 AM
Event ID/Source: 1053 / Userenv
Event Description:
Windows cannot determine the user or computer name. (The specified domain either does not exist or could not be contacted. ). Group Policy processing aborted.

Event Record #/Type1903 / Error
Event Submitted/Written: 03/28/2008 09:19:21 AM
Event ID/Source: 1030 / Userenv
Event Description:
Windows cannot query for the list of Group Policy objects. Check the event log for possible messages previously logged by the policy engine that describes the reason for this.

Event Record #/Type1902 / Warning
Event Submitted/Written: 03/28/2008 09:19:15 AM
Event ID/Source: 32068 / Microsoft Fax
Event Description:
**

Event Record #/Type1901 / Warning
Event Submitted/Written: 03/28/2008 09:19:15 AM
Event ID/Source: 32026 / Microsoft Fax
Event Description:


Event Record #/Type1897 / Error
Event Submitted/Written: 03/28/2008 09:16:39 AM
Event ID/Source: 1030 / Userenv
Event Description:
Windows cannot query for the list of Group Policy objects. Check the event log for possible messages previously logged by the policy engine that describes the reason for this.



-- Security Event Log ----------------------------------------------------------

No Errors/Warnings found.


-- System Event Log ------------------------------------------------------------

Event Record #/Type5349 / Warning
Event Submitted/Written: 03/28/2008 09:38:01 AM
Event ID/Source: 3004 / WinDefend
Event Description:
%FARGOAUTOMATION27 Real-Time Protection agent has detected changes. Microsoft recommends you analyze the software that made these changes for potential risks. You can use information about how these programs operate to choose whether to allow them to run or remove them from your computer. Allow changes only if you trust the program or the software publisher. %FARGOAUTOMATION27 can't undo changes that you allow.

For more information please see the following:
%FARGOAUTOMATION275

Scan ID: {DE44C45D-4A8D-4C41-A3A4-F32670A3799E}

User: FARGOAUTOMATION\eric.henschke

Name: %FARGOAUTOMATION271

ID: %FARGOAUTOMATION272

Severity: 1.1.1593.05

Category: 1.1.1593.06

Path Found: %FARGOAUTOMATION276

Alert Type: %FARGOAUTOMATION278

Detection Type: 1.1.1593.02

Event Record #/Type5348 / Warning
Event Submitted/Written: 03/28/2008 09:38:01 AM
Event ID/Source: 3004 / WinDefend
Event Description:
%FARGOAUTOMATION27 Real-Time Protection agent has detected changes. Microsoft recommends you analyze the software that made these changes for potential risks. You can use information about how these programs operate to choose whether to allow them to run or remove them from your computer. Allow changes only if you trust the program or the software publisher. %FARGOAUTOMATION27 can't undo changes that you allow.

For more information please see the following:
%FARGOAUTOMATION275

Scan ID: {ECFBA892-09BB-4023-B28F-A9675B941B02}

User: FARGOAUTOMATION\eric.henschke

Name: %FARGOAUTOMATION271

ID: %FARGOAUTOMATION272

Severity: 1.1.1593.05

Category: 1.1.1593.06

Path Found: %FARGOAUTOMATION276

Alert Type: %FARGOAUTOMATION278

Detection Type: 1.1.1593.02

Event Record #/Type5347 / Warning
Event Submitted/Written: 03/28/2008 09:38:01 AM
Event ID/Source: 3004 / WinDefend
Event Description:
%FARGOAUTOMATION27 Real-Time Protection agent has detected changes. Microsoft recommends you analyze the software that made these changes for potential risks. You can use information about how these programs operate to choose whether to allow them to run or remove them from your computer. Allow changes only if you trust the program or the software publisher. %FARGOAUTOMATION27 can't undo changes that you allow.

For more information please see the following:
%FARGOAUTOMATION275

Scan ID: {13427440-8F13-480E-BF29-4C40794A2C66}

User: FARGOAUTOMATION\eric.henschke

Name: %FARGOAUTOMATION271

ID: %FARGOAUTOMATION272

Severity: 1.1.1593.05

Category: 1.1.1593.06

Path Found: %FARGOAUTOMATION276

Alert Type: %FARGOAUTOMATION278

Detection Type: 1.1.1593.02

Event Record #/Type5346 / Warning
Event Submitted/Written: 03/28/2008 09:37:59 AM
Event ID/Source: 3004 / WinDefend
Event Description:
%FARGOAUTOMATION27 Real-Time Protection agent has detected changes. Microsoft recommends you analyze the software that made these changes for potential risks. You can use information about how these programs operate to choose whether to allow them to run or remove them from your computer. Allow changes only if you trust the program or the software publisher. %FARGOAUTOMATION27 can't undo changes that you allow.

For more information please see the following:
%FARGOAUTOMATION275

Scan ID: {B7E76DF9-F13C-4DF2-A0BD-7478418E5B88}

User: FARGOAUTOMATION\eric.henschke

Name: %FARGOAUTOMATION271

ID: %FARGOAUTOMATION272

Severity: 1.1.1593.05

Category: 1.1.1593.06

Path Found: %FARGOAUTOMATION276

Alert Type: %FARGOAUTOMATION278

Detection Type: 1.1.1593.02

Event Record #/Type5345 / Warning
Event Submitted/Written: 03/28/2008 09:37:59 AM
Event ID/Source: 3004 / WinDefend
Event Description:
%FARGOAUTOMATION27 Real-Time Protection agent has detected changes. Microsoft recommends you analyze the software that made these changes for potential risks. You can use information about how these programs operate to choose whether to allow them to run or remove them from your computer. Allow changes only if you trust the program or the software publisher. %FARGOAUTOMATION27 can't undo changes that you allow.

For more information please see the following:
%FARGOAUTOMATION275

Scan ID: {FE61F816-8EAB-42A6-88F3-173668705128}

User: FARGOAUTOMATION\eric.henschke

Name: %FARGOAUTOMATION271

ID: %FARGOAUTOMATION272

Severity: 1.1.1593.05

Category: 1.1.1593.06

Path Found: %FARGOAUTOMATION276

Alert Type: %FARGOAUTOMATION278

Detection Type: 1.1.1593.02



-- End of Deckard's System Scanner: finished at 2008-03-28 09:38:26 ------------