
Trojandownload.xs ? Problem [RESOLVED]


  • This topic is locked This topic is locked

#1
ryan38
  • Member
  • 34 posts
Hi there,

I've been having a few problems the last few days and I decided to take some action. I did an AVG scan and it seemed to get rid of a lot of pop-ups and random IE browsers popping up, but I'm still getting a window that says I have a serious Windows infection. This window leads me to a website that asks me to buy a spyware program. I've also been getting that fake Windows security window saying it's a trojandownloader.xs.

I should also mention that, after reading a few posts, I am also unable to access my Task Manager.

Here is my log from HijackThis:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 6:53:52 PM, on 3/30/2008
Platform: Windows Vista (WinNT 6.00.1904)
MSIE: Internet Explorer v7.00 (7.00.6000.16609)
Boot mode: Normal

Running processes:
C:\Windows\system32\taskeng.exe
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\ProgramData\rsnozato\vwvefena.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe
C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
C:\Program Files\Windows Sidebar\sidebar.exe
C:\Program Files\Windows Live\Messenger\msnmsgr.exe
C:\Windows\ehome\ehtray.exe
C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe
C:\Users\Ryan\Program Files\DNA\btdna.exe
C:\Windows\System32\zcbelebc.exe
C:\Windows\ehome\ehmsas.exe
C:\Program Files\Internet Explorer\ieuser.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Windows\System32\mobsync.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
C:\Windows\system32\SearchFilterHost.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft....k/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft....k/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft....k/?LinkId=69157
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O1 - Hosts: ::1 localhost
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: Groove GFS Browser Helper - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\Program Files\Microsoft Office\Office12\GrooveShellExtensions.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [Windows Defender] %ProgramFiles%\Windows Defender\MSASCui.exe -hide
O4 - HKLM\..\Run: [GrooveMonitor] "C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe"
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"
O4 - HKLM\..\Run: [PWRISOVM.EXE] C:\Program Files\PowerISO\PWRISOVM.EXE
O4 - HKLM\..\Run: [BurnQuick Queue] C:\Program Files\BurnQuick\BQTray.exe
O4 - HKLM\..\Run: [antiviirus] C:\Program Files\antiviirus.exe
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKCU\..\Run: [Sidebar] C:\Program Files\Windows Sidebar\sidebar.exe /autoRun
O4 - HKCU\..\Run: [WindowsWelcomeCenter] rundll32.exe oobefldr.dll,ShowWelcomeCenter
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\Windows Live\Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [ehTray.exe] C:\Windows\ehome\ehTray.exe
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [BitTorrent DNA] "C:\Users\Ryan\Program Files\DNA\btdna.exe"
O4 - HKCU\..\Run: [kxkmozcn] C:\Windows\system32\zcbelebc.exe
O4 - HKLM\..\Policies\Explorer\Run: [HjfnwIoLfU] C:\ProgramData\rsnozato\vwvefena.exe
O4 - HKUS\S-1-5-19\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\Run: [WindowsWelcomeCenter] rundll32.exe oobefldr.dll,ShowWelcomeCenter (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'NETWORK SERVICE')
O4 - Startup: MagicDisc.lnk = C:\Program Files\MagicDisc\MagicDisc.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O13 - Gopher Prefix:
O16 - DPF: {BF985246-09BF-11D2-BE62-006097DF57F6} (SimCityX Control) - http://simcity.ea.co...ic/SimCityX.cab
O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\Program Files\Microsoft Office\Office12\GrooveSystemServices.dll
O21 - SSODL: CDRunOnce - {f72b0f02-fd1b-44eb-8da6-74eb28e05b09} - C:\Windows\Installer\{f72b0f02-fd1b-44eb-8da6-74eb28e05b09}\CDRunOnce.dll
O21 - SSODL: vbgtorfd - {EC2764AC-18F3-400D-B4FA-36C9716E89A8} - C:\Windows\vbgtorfd.dll
O21 - SSODL: dwnrpofk - {3F38C0BE-98F0-42CF-860E-CBD4C5AF2103} - C:\Windows\dwnrpofk.dll
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: ArcGIS License Manager - Unknown owner - C:\PROGRA~1\ESRI\License\arcgis9x\lmgrd.exe
O23 - Service: Ares Chatroom server (AresChatServer) - Ares Development Group - C:\Program Files\Ares\chatServer.exe
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe

--
End of file - 6390 bytes

--------

Here's my uninstall list:

2007 Microsoft Office Suite Service Pack 1 (SP1)
2007 Microsoft Office Suite Service Pack 1 (SP1)
2007 Microsoft Office Suite Service Pack 1 (SP1)
2007 Microsoft Office Suite Service Pack 1 (SP1)
2007 Microsoft Office Suite Service Pack 1 (SP1)
2007 Microsoft Office Suite Service Pack 1 (SP1)
2007 Microsoft Office Suite Service Pack 1 (SP1)
2007 Microsoft Office Suite Service Pack 1 (SP1)
2007 Microsoft Office Suite Service Pack 1 (SP1)
2007 Microsoft Office Suite Service Pack 1 (SP1)
2007 Microsoft Office Suite Service Pack 1 (SP1)
2007 Microsoft Office Suite Service Pack 1 (SP1)
2007 Microsoft Office Suite Service Pack 1 (SP1)
2007 Microsoft Office Suite Service Pack 1 (SP1)
2007 Microsoft Office Suite Service Pack 1 (SP1)
2007 Microsoft Office Suite Service Pack 1 (SP1)
2007 Microsoft Office Suite Service Pack 1 (SP1)
Ad-Aware 2007
Adobe Flash Player ActiveX
Adobe Reader 8.1.1
ArcGIS Desktop
ArcGIS License Manager
Ares 2.0.9
AVG Anti-Spyware 7.5
BearShare
BurnQuick
Cheetah CD Burner
Conexant AC-Link Audio
Free CD Ripper 3.1
Google Earth
Google Toolbar for Internet Explorer
Google Toolbar for Internet Explorer
Guitar Pro 5.2
HijackThis 2.0.2
Instant CD & DVD Burner
Java™ 6 Update 3
LimeWire 4.17.2
MagicDisc 2.5.79
Microsoft Office Access MUI (English) 2007
Microsoft Office Access Setup Metadata MUI (English) 2007
Microsoft Office Enterprise 2007
Microsoft Office Enterprise 2007
Microsoft Office Excel MUI (English) 2007
Microsoft Office Groove MUI (English) 2007
Microsoft Office Groove Setup Metadata MUI (English) 2007
Microsoft Office InfoPath MUI (English) 2007
Microsoft Office OneNote MUI (English) 2007
Microsoft Office Outlook MUI (English) 2007
Microsoft Office PowerPoint MUI (English) 2007
Microsoft Office Proof (English) 2007
Microsoft Office Proof (French) 2007
Microsoft Office Proof (Spanish) 2007
Microsoft Office Proofing (English) 2007
Microsoft Office Publisher MUI (English) 2007
Microsoft Office Shared MUI (English) 2007
Microsoft Office Shared Setup Metadata MUI (English) 2007
Microsoft Office Word MUI (English) 2007
MSXML 4.0 SP2 (KB936181)
MSXML 4.0 SP2 (KB941833)
Phanku eTaxCanada 2007
PowerISO
Python 2.1
Python 2.1 combined Win32 extensions
Security Update for Excel 2007 (KB946974)
Security Update for Office 2007 (KB947801)
Security Update for Outlook 2007 (KB946983)
Sentinel System Driver 5.42.1 (32-bit)
STOIK Capturer
Update for Outlook 2007 Junk Email Filter (kb947945)
Windows Live installer
Windows Live Messenger
WinRAR archiver
Xvid 1.1.3 final uninstall


Any help?

Edited by ryan38, 30 March 2008 - 03:41 PM.

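As an added illustration (not code from this thread or from HijackThis), the following Python script parses the O4 autorun lines of a HijackThis v2 log like the one above and lists the entries a reviewer would look at first: autoruns registered under the Policies\Explorer\Run key, names that look machine-generated, and executables sitting directly in ProgramData, the Program Files root or the Windows root. The sample lines are copied from the log in this post; the thresholds in looks_random and unusual_location are my own triage heuristics, not anything the thread states.

```python
import re
from dataclasses import dataclass, field

# Constructed sample: O4 autorun lines copied from the HijackThis log posted above.
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [Windows Defender] %ProgramFiles%\Windows Defender\MSASCui.exe -hide
O4 - HKLM\..\Run: [BurnQuick Queue] C:\Program Files\BurnQuick\BQTray.exe
O4 - HKLM\..\Run: [antiviirus] C:\Program Files\antiviirus.exe
O4 - HKCU\..\Run: [WindowsWelcomeCenter] rundll32.exe oobefldr.dll,ShowWelcomeCenter
O4 - HKCU\..\Run: [BitTorrent DNA] "C:\Users\Ryan\Program Files\DNA\btdna.exe"
O4 - HKCU\..\Run: [kxkmozcn] C:\Windows\system32\zcbelebc.exe
O4 - HKLM\..\Policies\Explorer\Run: [HjfnwIoLfU] C:\ProgramData\rsnozato\vwvefena.exe
O4 - HKUS\S-1-5-19\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'LOCAL SERVICE')
"""

# "O4 - <registry key>: [<value name>] <command line>"
O4_RE = re.compile(r"^O4 - (?P<key>[^:]+): \[(?P<name>[^\]]*)\] (?P<cmd>.*)$")
# First token ending in a program extension; used when the command is unquoted.
EXE_RE = re.compile(r"^(?P<path>.*?\.(?:exe|com|dll|bat|scr))", re.IGNORECASE)
VOWELS = set("aeiouy")


@dataclass
class Autorun:
    key: str
    name: str
    cmd: str
    exe: str                      # normalised, lower-cased executable path
    reasons: list = field(default_factory=list)


def extract_exe(cmd: str) -> str:
    """Pull the executable path out of an O4 command line."""
    cmd = re.sub(r"\s*\(User '[^']*'\)\s*$", "", cmd).strip()   # drop HKUS user suffix
    if cmd.startswith('"'):
        path = cmd[1:cmd.find('"', 1)]
    else:
        m = EXE_RE.match(cmd)
        path = m.group("path") if m else cmd.split()[0]
    path = path.replace("%ProgramFiles%", r"C:\Program Files")
    return path.lower()


def looks_random(s: str) -> bool:
    """Heuristic (own assumption): all-letter names of 6+ chars with very few
    vowels, or a run of 5+ consonants, resemble generated names such as kxkmozcn."""
    letters = [c for c in s.lower() if c.isalpha()]
    if len(letters) < 6 or len(letters) != len(s):
        return False
    vowel_ratio = sum(c in VOWELS for c in letters) / len(letters)
    longest_run = max(len(r) for r in re.split(r"[aeiouy]", "".join(letters)))
    return vowel_ratio < 0.2 or longest_run >= 5


def unusual_location(exe: str) -> bool:
    """Heuristic (own assumption): installed software rarely runs straight out of
    ProgramData, the Program Files root or the Windows root."""
    folder = exe.rsplit("\\", 1)[0] if "\\" in exe else ""
    return exe.startswith("c:\\programdata\\") or folder in ("c:\\program files", "c:\\windows")


def triage(log_text: str) -> list:
    """Parse every O4 line and attach the reasons (if any) it deserves a look."""
    entries = []
    for line in log_text.splitlines():
        m = O4_RE.match(line)
        if not m:
            continue
        exe = extract_exe(m.group("cmd"))
        stem = exe.rsplit("\\", 1)[-1].rsplit(".", 1)[0]
        a = Autorun(m.group("key"), m.group("name"), m.group("cmd"), exe)
        if "policies\\explorer\\run" in a.key.lower():
            a.reasons.append("policy-run-key")          # rarely used by legitimate installers
        if looks_random(a.name) or looks_random(stem):
            a.reasons.append("random-looking-name")
        if unusual_location(exe):
            a.reasons.append("unusual-location")
        entries.append(a)
    return entries


def suspicious(log_text: str) -> dict:
    """Map value name -> reasons for every flagged autorun."""
    return {a.name: a.reasons for a in triage(log_text) if a.reasons}


if __name__ == "__main__":
    for name, reasons in suspicious(SAMPLE_LOG).items():
        print(f"{name:12s} {', '.join(reasons)}")
```

The output is a review list, not a verdict: an abbreviation-heavy vendor name can trip the name heuristic, so each hit still needs the file itself checked.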


#2
Rorschach112
  • Ralphie
  • Retired Staff
  • 47,710 posts
Hello

Open Notepad, click Format, uncheck Word Wrap.

Then do this:


Before we begin, you should save these instructions in Notepad to your desktop, or print them, for easy reference. Much of our fix will be done in Safe mode, and you will be unable to access this thread at that time. If you have questions at any point, or are unsure of the instructions, feel free to post here and ask for clarification before proceeding.


Please download SmitfraudFix (by S!Ri) to your Desktop.

Next, please reboot your computer in Safe Mode by doing the following:
  • Restart your computer
  • After hearing your computer beep once during startup, but before the Windows icon appears, tap the F8 key continually;
  • Instead of Windows loading as normal, a menu with options should appear;
  • Select the first option, to run Windows in Safe Mode, then press "Enter".
  • Choose your usual account.
Once in Safe Mode, double-click on SmitfraudFix.exe
Select option #2 - Clean by typing 2 and press "Enter" to delete infected files.

You will be prompted: "Registry cleaning - Do you want to clean the registry?"; answer "Yes" by typing Y and press "Enter" in order to remove the Desktop background and clean registry keys associated with the infection.

The tool will now check if wininet.dll is infected. You may be prompted to replace the infected file (if found); answer "Yes" by typing Y and press "Enter".

The tool may need to restart your computer to finish the cleaning process; if it doesn't, please restart it into Normal Windows.
A text file will appear onscreen, with results from the cleaning process; please copy/paste the content of that report into your next reply.
The report can also be found at the root of the system drive, usually at C:\rapport.txt

Warning: running option #2 on a non-infected computer will remove your Desktop background.



Please download Deckard's System Scanner (DSS) and save it to your Desktop.
  • Close all other windows before proceeding.
  • Double-click on dss.exe and follow the prompts.
  • If your anti-virus or firewall complains, please allow this script to run as it is not malicious.
  • When it has finished, DSS will open two Notepads, main.txt and extra.txt; please copy (CTRL+A and then CTRL+C) and paste (CTRL+V) the contents of main.txt and extra.txt in your next reply.


#3
ryan38
  • Topic Starter
  • Member
  • 34 posts
Hi there!!

Thanks for the fast reply... here are the three texts you asked for!

Here is the rapport:

SmitFraudFix v2.309

Scan done at 16:56:02.61, Mon 03/31/2008
Run from C:\Users\Ryan\Desktop\SmitfraudFix
OS: Microsoft Windows [Version 6.0.6000] - Windows_NT
The filesystem type is NTFS
Fix run in safe mode

»»»»»»»»»»»»»»»»»»»»»»»» SharedTaskScheduler Before SmitFraudFix
!!!Attention, following keys are not inevitably infected!!!

SrchSTS.exe by S!Ri
Search SharedTaskScheduler's .dll

»»»»»»»»»»»»»»»»»»»»»»»» Killing process


»»»»»»»»»»»»»»»»»»»»»»»» hosts


127.0.0.1 localhost
::1 localhost

»»»»»»»»»»»»»»»»»»»»»»»» VACFix

VACFix
Credits: Malware Analysis & Diagnostic
Code: S!Ri
C:\Windows\vbgtorfd.dll deleted.
C:\Windows\dwnrpofk.dll deleted.
C:\Windows\Installer\{f72b0f02-fd1b-44eb-8da6-74eb28e05b09}\CDRunOnce.dll deleted


»»»»»»»»»»»»»»»»»»»»»»»» Winsock2 Fix

S!Ri's WS2Fix: LSP not Found.


»»»»»»»»»»»»»»»»»»»»»»»» Generic Renos Fix

GenericRenosFix by S!Ri


»»»»»»»»»»»»»»»»»»»»»»»» Deleting infected files

C:\Program Files\akl\ Deleted

»»»»»»»»»»»»»»»»»»»»»»»» IEDFix

IEDFix
Credits: Malware Analysis & Diagnostic
Code: S!Ri


»»»»»»»»»»»»»»»»»»»»»»»» DNS

HKLM\SYSTEM\CCS\Services\Tcpip\..\{2A84D630-8018-4C3F-87F8-448333785583}: DhcpNameServer=192.168.2.1 192.168.2.1
HKLM\SYSTEM\CS1\Services\Tcpip\..\{2A84D630-8018-4C3F-87F8-448333785583}: DhcpNameServer=192.168.2.1 192.168.2.1
HKLM\SYSTEM\CS2\Services\Tcpip\..\{2A84D630-8018-4C3F-87F8-448333785583}: DhcpNameServer=192.168.2.1 192.168.2.1
HKLM\SYSTEM\CCS\Services\Tcpip\Parameters: DhcpNameServer=192.168.2.1 192.168.2.1
HKLM\SYSTEM\CS1\Services\Tcpip\Parameters: DhcpNameServer=192.168.2.1 192.168.2.1
HKLM\SYSTEM\CS2\Services\Tcpip\Parameters: DhcpNameServer=192.168.2.1 192.168.2.1


»»»»»»»»»»»»»»»»»»»»»»»» Deleting Temp Files


»»»»»»»»»»»»»»»»»»»»»»»» Winlogon.System
!!!Attention, following keys are not inevitably infected!!!

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]


»»»»»»»»»»»»»»»»»»»»»»»» Registry Cleaning

Registry Cleaning done.

»»»»»»»»»»»»»»»»»»»»»»»» SharedTaskScheduler After SmitFraudFix
!!!Attention, following keys are not inevitably infected!!!

SrchSTS.exe by S!Ri
Search SharedTaskScheduler's .dll


»»»»»»»»»»»»»»»»»»»»»»»» End

----------------------------------------------------------------------------

Deckard's System Scanner v20071014.68
Run by Ryan on 2008-03-31 17:01:52
Computer is in Normal Mode.
--------------------------------------------------------------------------------

-- Last 5 Restore Point(s) --
12: 2008-03-30 16:44:36 UTC - RP114 - Installed STOIK Capturer
11: 2008-03-30 16:33:56 UTC - RP113 - Windows Defender Checkpoint
10: 2008-03-28 20:05:37 UTC - RP111 - Windows Defender Checkpoint
9: 2008-03-28 09:47:22 UTC - RP109 - Installed Ad-Aware 2007
8: 2008-03-27 18:25:29 UTC - RP108 - Windows Update


-- First Restore Point --
1: 2008-03-21 14:30:51 UTC - RP101 - Windows Update


Backed up registry hives.
Performed disk cleanup.

Total Physical Memory: 894 MiB (1024 MiB recommended).


-- HijackThis (run as Ryan.exe) ------------------------------------------------

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 5:08:02 PM, on 3/31/2008
Platform: Windows Vista (WinNT 6.00.1904)
MSIE: Internet Explorer v7.00 (7.00.6000.16609)
Boot mode: Normal

Running processes:
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\ProgramData\rsnozato\vwvefena.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe
C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
C:\Program Files\Windows Sidebar\sidebar.exe
C:\Windows\ehome\ehtray.exe
C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe
C:\Windows\system32\taskeng.exe
C:\Users\Ryan\Program Files\DNA\btdna.exe
C:\Windows\System32\zcbelebc.exe
C:\Windows\ehome\ehmsas.exe
C:\Users\Ryan\Desktop\dss.exe
C:\Windows\system32\SearchFilterHost.exe
C:\PROGRA~1\TRENDM~1\HIJACK~1\Ryan.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O1 - Hosts: ::1 localhost
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: Groove GFS Browser Helper - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\Program Files\Microsoft Office\Office12\GrooveShellExtensions.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [Windows Defender] %ProgramFiles%\Windows Defender\MSASCui.exe -hide
O4 - HKLM\..\Run: [GrooveMonitor] "C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe"
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"
O4 - HKLM\..\Run: [PWRISOVM.EXE] C:\Program Files\PowerISO\PWRISOVM.EXE
O4 - HKLM\..\Run: [BurnQuick Queue] C:\Program Files\BurnQuick\BQTray.exe
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKCU\..\Run: [Sidebar] C:\Program Files\Windows Sidebar\sidebar.exe /autoRun
O4 - HKCU\..\Run: [WindowsWelcomeCenter] rundll32.exe oobefldr.dll,ShowWelcomeCenter
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\Windows Live\Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [ehTray.exe] C:\Windows\ehome\ehTray.exe
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [BitTorrent DNA] "C:\Users\Ryan\Program Files\DNA\btdna.exe"
O4 - HKCU\..\Run: [kxkmozcn] C:\Windows\system32\zcbelebc.exe
O4 - HKLM\..\Policies\Explorer\Run: [HjfnwIoLfU] C:\ProgramData\rsnozato\vwvefena.exe
O4 - HKUS\S-1-5-19\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\Run: [WindowsWelcomeCenter] rundll32.exe oobefldr.dll,ShowWelcomeCenter (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'NETWORK SERVICE')
O4 - Startup: MagicDisc.lnk = C:\Program Files\MagicDisc\MagicDisc.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O13 - Gopher Prefix:
O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\Program Files\Microsoft Office\Office12\GrooveSystemServices.dll
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: ArcGIS License Manager - Unknown owner - C:\PROGRA~1\ESRI\License\arcgis9x\lmgrd.exe
O23 - Service: Ares Chatroom server (AresChatServer) - Ares Development Group - C:\Program Files\Ares\chatServer.exe
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe

--
End of file - 4888 bytes

-- File Associations -----------------------------------------------------------

All associations okay.


-- Drivers: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled ---------------------

R1 SCDEmu - c:\windows\system32\drivers\scdemu.sys <Not Verified; PowerISO Computing, Inc.; scdemu>
R2 Sentinel - c:\windows\system32\drivers\sentinel.sys <Not Verified; Rainbow Technologies, Inc.; Sentinel System Driver>
R3 mcdbus (Driver for MagicISO SCSI Host Controller) - c:\windows\system32\drivers\mcdbus.sys <Not Verified; MagicISO, Inc.; MagicISO SCSI Host Controller>

S0 OemBiosDevice (Royalty OEM BIOS Extension) - c:\windows\system32\drivers\royal.sys <Not Verified; PARADOX; SLP Kernel-Mode Driver>


-- Services: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled --------------------

S2 ArcGIS License Manager - c:\progra~1\esri\license\arcgis9x\lmgrd.exe
S3 AresChatServer (Ares Chatroom server) - c:\program files\ares\chatserver.exe <Not Verified; Ares Development Group; Ares Chat Server>


-- Device Manager: Disabled ----------------------------------------------------

Class GUID:
Description: Mass Storage Controller
Device ID: PCI\VEN_104C&DEV_8033&SUBSYS_3091103C&REV_00\4&445E9A7&0&4BA4
Manufacturer:
Name: Mass Storage Controller
PNP Device ID: PCI\VEN_104C&DEV_8033&SUBSYS_3091103C&REV_00\4&445E9A7&0&4BA4
Service:


-- Scheduled Tasks -------------------------------------------------------------

2008-03-31 16:37:26 416 --ah----- C:\Windows\Tasks\User_Feed_Synchronization-{082C516C-27E8-4410-9FB4-74962EC78A15}.job


-- Files created between 2008-02-29 and 2008-03-31 -----------------------------

2008-03-31 16:56:11 2910 --a------ C:\Windows\system32\tmp.reg
2008-03-31 16:55:40 25600 --a------ C:\Windows\system32\WS2Fix.exe
2008-03-31 16:55:40 289144 --a------ C:\Windows\system32\VCCLSID.exe <Not Verified; S!Ri; >
2008-03-31 16:55:40 86528 --a------ C:\Windows\system32\VACFix.exe <Not Verified; S!Ri.URZ; VACFix>
2008-03-31 16:55:40 82432 --a------ C:\Windows\system32\IEDFix.exe <Not Verified; S!Ri.URZ; IEDFix>
2008-03-31 16:55:40 51200 --a------ C:\Windows\system32\dumphive.exe
2008-03-31 16:55:39 288417 --a------ C:\Windows\system32\SrchSTS.exe <Not Verified; S!Ri; SrchSTS>
2008-03-31 16:55:39 53248 --a------ C:\Windows\system32\Process.exe <Not Verified; http://www.beyondlogic.org; Command Line Process Utility>
2008-03-30 18:53:11 0 d-------- C:\Program Files\Trend Micro
2008-03-30 17:08:03 0 d-------- C:\Users\All Users\Grisoft
2008-03-30 17:02:19 0 d-------- C:\help
2008-03-30 14:15:12 0 d-------- C:\Program Files\STOIK Imaging
2008-03-30 14:13:45 0 d-------- C:\vid
2008-03-28 22:08:00 0 d-------- C:\Users\Ryan\Program Files
2008-03-28 07:18:45 0 d-------- C:\Program Files\Lavasoft
2008-03-28 07:18:44 0 d-------- C:\Users\All Users\Lavasoft
2008-03-28 07:16:42 0 d-------- C:\Program Files\Common Files\Wise Installation Wizard
2008-03-27 22:17:08 4096 --a------ C:\Windows\winsystem.exe
2008-03-27 22:17:08 4096 --a------ C:\Windows\userconfig9x.dll
2008-03-27 22:17:08 4096 --a------ C:\Windows\system32WINWGPX.EXE
2008-03-27 22:17:08 4096 --a------ C:\Windows\system32winsystem.exe
2008-03-27 22:17:08 4096 --a------ C:\Windows\system32winlogonpc.exe
2008-03-27 22:17:08 4096 --a------ C:\Windows\system32vcatchpi.dll
2008-03-27 22:17:08 4096 --a------ C:\Windows\system32vbsys2.dll
2008-03-27 22:17:08 4096 --a------ C:\Windows\system32thun32.dll
2008-03-27 22:17:08 4096 --a------ C:\Windows\system32thun.dll
2008-03-27 22:17:08 4096 --a------ C:\Windows\system32temp#01.exe
2008-03-27 22:17:08 4096 --a------ C:\Windows\system32taack.exe
2008-03-27 22:17:08 4096 --a------ C:\Windows\system32taack.dat
2008-03-27 22:17:08 4096 --a------ C:\Windows\system32sysreq.exe
2008-03-27 22:17:08 4096 --a------ C:\Windows\system32ssvchost.exe
2008-03-27 22:17:08 4096 --a------ C:\Windows\system32ssvchost.com
2008-03-27 22:17:08 4096 --a------ C:\Windows\system32ssurf022.dll
2008-03-27 22:17:08 4096 --a------ C:\Windows\system32sncntr.exe
2008-03-27 22:17:08 0 d-------- C:\Windows\system32smp
2008-03-27 22:17:08 4096 --a------ C:\Windows\system32Rundl1.exe
2008-03-27 22:17:08 4096 --a------ C:\Windows\system32regm64.dll
2008-03-27 22:17:08 4096 --a------ C:\Windows\system32regc64.dll
2008-03-27 22:17:08 4096 --a------ C:\Windows\system32psoft1.exe
2008-03-27 22:17:08 4096 --a------ C:\Windows\system32psof1.exe
2008-03-27 22:17:08 4096 --a------ C:\Windows\system32ps1.exe
2008-03-27 22:17:08 4096 --a------ C:\Windows\system32newsd32.exe
2008-03-27 22:17:08 4096 --a------ C:\Windows\system32netode.exe
2008-03-27 22:17:08 4096 --a------ C:\Windows\system32mwin32.exe
2008-03-27 22:17:08 4096 --a------ C:\Windows\system32mtr2.exe
2008-03-27 22:17:08 4096 --a------ C:\Windows\system32msvchost.exe
2008-03-27 22:17:08 4096 --a------ C:\Windows\system32mssecu.exe
2008-03-27 22:17:08 4096 --a------ C:\Windows\system32msnbho.dll
2008-03-27 22:17:08 4096 --a------ C:\Windows\system32msgp.exe
2008-03-27 22:17:08 4096 --a------ C:\Windows\system32medup020.dll
2008-03-27 22:17:08 4096 --a------ C:\Windows\system32medup012.dll
2008-03-27 22:17:08 4096 --a------ C:\Windows\system32hxiwlgpm.exe
2008-03-27 22:17:08 4096 --a------ C:\Windows\system32hxiwlgpm.dat
2008-03-27 22:17:08 4096 --a------ C:\Windows\system32hoproxy.dll
2008-03-27 22:17:08 4096 --a------ C:\Windows\system32h@tkeysh@@k.dll
2008-03-27 22:17:08 4096 --a------ C:\Windows\system32emesx.dll
2008-03-27 22:17:08 4096 --a------ C:\Windows\system32dpcproxy.exe
2008-03-27 22:17:08 4096 --a------ C:\Windows\system32bsva-egihsg52.exe
2008-03-27 22:17:08 4096 --a------ C:\Windows\system32bdn.com
2008-03-27 22:17:08 4096 --a------ C:\Windows\system32awtoolb.dll
2008-03-27 22:17:08 4096 --a------ C:\Windows\system32anticipator.dll
2008-03-27 22:17:08 4096 --a------ C:\Windows\system32akttzn.exe
2008-03-27 22:17:08 4096 --a------ C:\Windows\mssecu.exe
2008-03-27 22:17:08 0 d-------- C:\Windows\mslagent
2008-03-27 22:17:08 4096 --a------ C:\Windows\iTunesMusic.exe
2008-03-27 22:17:08 4096 --a------ C:\Windows\FVProtect.exe
2008-03-27 22:17:08 4096 --a------ C:\Windows\bdn.com
2008-03-27 22:17:08 4096 --a------ C:\Windows\a.bat
2008-03-27 22:17:08 0 d-------- C:\Users\Ryan\Desktopvirii
2008-03-27 22:17:08 4096 --a------ C:\Users\Ryan\DesktopFWebdEditor.exe
2008-03-27 22:17:08 4096 --a------ C:\Users\Ryan\Desktopfwebd.exe
2008-03-27 22:17:08 4096 --a------ C:\Users\Ryan\Desktopfilemanagerclient.exe
2008-03-27 22:17:08 0 d-------- C:\Program Files\Inet Delivery
2008-03-27 22:17:00 90112 --a------ C:\Windows\system32\zcbelebc.exe
2008-03-27 22:17:00 0 d-------- C:\Users\All Users\rsnozato
2008-03-22 23:53:49 0 d-------- C:\Users\All Users\Yahoo!
2008-03-22 23:52:20 0 d-------- C:\Program Files\Yahoo!
2008-03-15 11:01:08 22 --a------ C:\Users\All Users\ReturnCounter.dat
2008-03-15 10:04:45 0 d-------- C:\Program Files\Phanku eTaxCanada 2007
2008-03-15 10:03:29 0 d-------- C:\tax
2008-03-02 15:09:21 180224 --a------ C:\Windows\system32\xvidvfw.dll
2008-03-02 15:09:21 765952 --a------ C:\Windows\system32\xvidcore.dll
2008-03-02 15:09:21 0 d-------- C:\Program Files\Xvid


-- Find3M Report ---------------------------------------------------------------

2008-03-31 16:56:11 35 --a------ C:\Users\Ryan\AppData\Roaming\SetValue.bat
2008-03-31 16:56:11 691 --a------ C:\Users\Ryan\AppData\Roaming\GetValue.vbs
2008-03-31 16:53:05 0 d-------- C:\Users\Ryan\AppData\Roaming\DNA
2008-03-30 17:14:27 0 d-------- C:\Users\Ryan\AppData\Roaming\BitTorrent
2008-03-30 17:09:07 0 d-------- C:\Users\Ryan\AppData\Roaming\Grisoft
2008-03-30 14:15:26 0 d-------- C:\Users\Ryan\AppData\Roaming\STOIK
2008-03-30 14:03:21 0 d-------- C:\Users\Ryan\AppData\Roaming\BearShare
2008-03-28 07:16:42 0 d-------- C:\Program Files\Common Files
2008-03-12 03:12:25 0 d-------- C:\Program Files\Windows Mail
2008-03-04 22:19:59 0 d-------- C:\Program Files\Instant CD & DVD Burner
2008-03-04 00:08:12 22 --a------ C:\Users\Ryan\AppData\Roaming\ReturnCounter.dat
2008-02-28 22:25:41 0 d-------- C:\Users\Ryan\AppData\Roaming\Elluminate
2008-02-06 04:01:58 0 d-------- C:\Program Files\MSXML 4.0
2008-02-04 19:59:00 0 d-------- C:\Program Files\Rainbow Technologies
2008-02-04 19:37:29 0 d-------- C:\Program Files\ESRI
2008-02-04 19:36:55 0 d-------- C:\Users\Ryan\AppData\Roaming\ESRI
2008-02-04 19:22:13 0 d-------- C:\Program Files\Common Files\ESRI
2008-02-04 19:21:31 0 d-------- C:\Program Files\ArcGIS
2008-02-04 19:20:47 0 d-------- C:\Program Files\Leica Geosystems
2008-02-03 13:54:35 0 d-------- C:\Users\Ryan\AppData\Roaming\LimeWire
2008-02-01 19:20:45 0 d-------- C:\Program Files\LimeWire
2008-02-01 19:10:01 0 d-------- C:\Program Files\Ares
2008-02-01 18:52:00 0 d-------- C:\Program Files\BearShare Applications


-- Registry Dump ---------------------------------------------------------------

*Note* empty entries & legit default entries are not shown


[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Windows Defender"="C:\Program Files\Windows Defender\MSASCui.exe" [12/08/2007 10:00 AM]
"GrooveMonitor"="C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe" [08/24/2007 08:00 AM]
"Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [10/10/2007 08:51 PM]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe" [09/25/2007 02:11 AM]
"PWRISOVM.EXE"="C:\Program Files\PowerISO\PWRISOVM.EXE" [08/06/2007 09:35 PM]
"BurnQuick Queue"="C:\Program Files\BurnQuick\BQTray.exe" [09/01/2007 02:27 PM]
"!AVG Anti-Spyware"="C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" [06/11/2007 06:55 AM]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Sidebar"="C:\Program Files\Windows Sidebar\sidebar.exe" [01/09/2008 04:02 AM]
"WindowsWelcomeCenter"="oobefldr.dll,ShowWelcomeCenter" []
"MsnMsgr"="C:\Program Files\Windows Live\Messenger\MsnMsgr.exe" [10/18/2007 12:34 PM]
"ehTray.exe"="C:\Windows\ehome\ehTray.exe" [11/02/2006 10:05 AM]
"swg"="C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe" [01/18/2008 08:02 PM]
"BitTorrent DNA"="C:\Users\Ryan\Program Files\DNA\btdna.exe" [03/28/2008 10:08 PM]
"kxkmozcn"="C:\Windows\system32\zcbelebc.exe" [03/27/2008 10:17 PM]

C:\Users\Ryan\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\
MagicDisc.lnk - C:\Program Files\MagicDisc\MagicDisc.exe [12/2/2007 8:36:46 PM]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"ConsentPromptBehaviorAdmin"=2 (0x2)

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer\Run]
"HjfnwIoLfU"=C:\ProgramData\rsnozato\vwvefena.exe

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\aawservice]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\AppInfo]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\KeyIso]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\NTDS]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\ProfSvc]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\sacsvr]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\SWPRV]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\TabletInputService]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\TBS]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\TrustedInstaller]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\VDS]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\volmgr.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\volmgrx.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{533C5B84-EC70-11D2-9505-00C04F79DEAF}]
@="Volume shadow copy"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{6BDD1FC1-810F-11D0-BEC7-08002BE2092F}]
@="IEEE 1394 Bus host controllers"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{D48179BE-EC20-11D1-B6B8-00C04FA372A7}]
@="SBP2 IEEE 1394 Devices"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{D94EE5D8-D189-4994-83D2-F68D7D41B0E6}]
@="SecurityDevices"

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
LocalSystemNetworkRestricted hidserv UxSms WdiSystemHost Netman trkwks AudioEndpointBuilder WUDFSvc irmon sysmain IPBusEnum dot3svc PcaSvc EMDMgmt TabletInputService wlansvc WPDBusEnum


[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\>{22d6f312-b0f6-11d0-94ab-0080c74c7e95}]
C:\Windows\system32\unregmp2.exe /ShowWMP

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{6BF52A52-394A-11d3-B153-00C04F79FAA6}]
%SystemRoot%\system32\unregmp2.exe /FirstLogon /Shortcuts /RegBrowsers /ResetMUI



-- End of Deckard's System Scanner: finished at 2008-03-31 17:10:15 ------------
-------------------------------------------------------------------------------------------------------------------------

Deckard's System Scanner v20071014.68
Extra logfile - please post this as an attachment with your post.
--------------------------------------------------------------------------------

-- System Information ----------------------------------------------------------

Microsoft® Windows Vista™ Home Premium (build 6000)
Architecture: X86; Language: English

CPU 0: AMD Turion™ 64 Mobile Technology ML-34
Percentage of Memory in Use: 50%
Physical Memory (total/avail): 893.94 MiB / 438.37 MiB
Pagefile Memory (total/avail): 2048.92 MiB / 1370.13 MiB
Virtual Memory (total/avail): 2047.88 MiB / 1929.37 MiB

C: is Fixed (NTFS) - 74.52 GiB total, 39.73 GiB free.
D: is CDROM (No Media)
E: is CDROM (No Media)
F: is CDROM (No Media)

\\.\PHYSICALDRIVE0 - FUJITSU MHV2080AH ATA Device - 74.53 GiB - 1 partition
\PARTITION0 (bootable) - Installable File System - 74.52 GiB - C:



-- Security Center -------------------------------------------------------------

AUOptions is scheduled to auto-install.
Windows Internal Firewall is enabled.

AS: AVG Anti-Spyware v7, 5, 1, 43 (GRISOFT s.r.o.) Outdated
AS: Windows Defender v1.1.1505.0 (Microsoft Corporation)

[HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List]

[HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]
"C:\\Program Files\\BitTorrent\\bittorrent.exe"="C:\\Program Files\\BitTorrent\\bittorrent.exe:*:Enabled:BitTorrent"


-- Environment Variables -------------------------------------------------------

ALLUSERSPROFILE=C:\ProgramData
APPDATA=C:\Users\Ryan\AppData\Roaming
CommonProgramFiles=C:\Program Files\Common Files
COMPUTERNAME=RYAN-PC
ComSpec=C:\Windows\system32\cmd.exe
FP_NO_HOST_CHECK=NO
HOMEDRIVE=C:
HOMEPATH=\Users\Ryan
LOCALAPPDATA=C:\Users\Ryan\AppData\Local
LOGONSERVER=\\RYAN-PC
NUMBER_OF_PROCESSORS=1
OS=Windows_NT
Path=C:\Windows\system32;C:\Windows;C:\Windows\System32\Wbem
PATHEXT=.COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC
PROCESSOR_ARCHITECTURE=x86
PROCESSOR_IDENTIFIER=x86 Family 15 Model 36 Stepping 2, AuthenticAMD
PROCESSOR_LEVEL=15
PROCESSOR_REVISION=2402
ProgramData=C:\ProgramData
ProgramFiles=C:\Program Files
PROMPT=$P$G
PUBLIC=C:\Users\Public
SystemDrive=C:
SystemRoot=C:\Windows
TEMP=C:\Users\Ryan\AppData\Local\Temp
TMP=C:\Users\Ryan\AppData\Local\Temp
USERDOMAIN=Ryan-PC
USERNAME=Ryan
USERPROFILE=C:\Users\Ryan
windir=C:\Windows


-- User Profiles ---------------------------------------------------------------

Ryan


-- Add/Remove Programs ---------------------------------------------------------

2007 Microsoft Office Suite Service Pack 1 (SP1) --> msiexec /package {90120000-0015-0409-0000-0000000FF1CE} /uninstall {4CA4ECC1-DBD4-4591-8F4C-AA12AD2D3E59}
2007 Microsoft Office Suite Service Pack 1 (SP1) --> msiexec /package {90120000-0016-0409-0000-0000000FF1CE} /uninstall {4CA4ECC1-DBD4-4591-8F4C-AA12AD2D3E59}
2007 Microsoft Office Suite Service Pack 1 (SP1) --> msiexec /package {90120000-0018-0409-0000-0000000FF1CE} /uninstall {4CA4ECC1-DBD4-4591-8F4C-AA12AD2D3E59}
2007 Microsoft Office Suite Service Pack 1 (SP1) --> msiexec /package {90120000-0019-0409-0000-0000000FF1CE} /uninstall {4CA4ECC1-DBD4-4591-8F4C-AA12AD2D3E59}
2007 Microsoft Office Suite Service Pack 1 (SP1) --> msiexec /package {90120000-001A-0409-0000-0000000FF1CE} /uninstall {4CA4ECC1-DBD4-4591-8F4C-AA12AD2D3E59}
2007 Microsoft Office Suite Service Pack 1 (SP1) --> msiexec /package {90120000-001B-0409-0000-0000000FF1CE} /uninstall {4CA4ECC1-DBD4-4591-8F4C-AA12AD2D3E59}
2007 Microsoft Office Suite Service Pack 1 (SP1) --> msiexec /package {90120000-001F-0409-0000-0000000FF1CE} /uninstall {3EC77D26-799B-4CD8-914F-C1565E796173}
2007 Microsoft Office Suite Service Pack 1 (SP1) --> msiexec /package {90120000-001F-040C-0000-0000000FF1CE} /uninstall {430971B1-C31E-45DA-81E0-72C095BAB72C}
2007 Microsoft Office Suite Service Pack 1 (SP1) --> msiexec /package {90120000-001F-0C0A-0000-0000000FF1CE} /uninstall {F7A31780-33C4-4E39-951A-5EC9B91D7BF1}
2007 Microsoft Office Suite Service Pack 1 (SP1) --> msiexec /package {90120000-0030-0000-0000-0000000FF1CE} /uninstall {BEE75E01-DD3F-4D5F-B96C-609E6538D419}
2007 Microsoft Office Suite Service Pack 1 (SP1) --> msiexec /package {90120000-0044-0409-0000-0000000FF1CE} /uninstall {4CA4ECC1-DBD4-4591-8F4C-AA12AD2D3E59}
2007 Microsoft Office Suite Service Pack 1 (SP1) --> msiexec /package {90120000-006E-0409-0000-0000000FF1CE} /uninstall {FAD8A83E-9BAC-4179-9268-A35948034D85}
2007 Microsoft Office Suite Service Pack 1 (SP1) --> msiexec /package {90120000-00A1-0409-0000-0000000FF1CE} /uninstall {4CA4ECC1-DBD4-4591-8F4C-AA12AD2D3E59}
2007 Microsoft Office Suite Service Pack 1 (SP1) --> msiexec /package {90120000-00BA-0409-0000-0000000FF1CE} /uninstall {4CA4ECC1-DBD4-4591-8F4C-AA12AD2D3E59}
2007 Microsoft Office Suite Service Pack 1 (SP1) --> msiexec /package {90120000-0114-0409-0000-0000000FF1CE} /uninstall {4CA4ECC1-DBD4-4591-8F4C-AA12AD2D3E59}
2007 Microsoft Office Suite Service Pack 1 (SP1) --> msiexec /package {90120000-0115-0409-0000-0000000FF1CE} /uninstall {FAD8A83E-9BAC-4179-9268-A35948034D85}
2007 Microsoft Office Suite Service Pack 1 (SP1) --> msiexec /package {90120000-0117-0409-0000-0000000FF1CE} /uninstall {4CA4ECC1-DBD4-4591-8F4C-AA12AD2D3E59}
Ad-Aware 2007 --> MsiExec.exe /I{DED53B0B-B67C-4244-AE6A-D6FD3C28D1EF}
Adobe Flash Player ActiveX --> C:\Windows\system32\Macromed\Flash\uninstall_activeX.exe
Adobe Reader 8.1.1 --> MsiExec.exe /I{AC76BA86-7AD7-1033-7B44-A81100000003}
ArcGIS Desktop --> MsiExec.exe /I{40F8FD5F-4701-48D6-A8FC-1F188007DF38}
ArcGIS License Manager --> C:\PROGRA~1\ESRI\License\arcgis9x\UNWISE32.EXE C:\PROGRA~1\ESRI\License\arcgis9x\ARCGIS~1.LOG "License Manager"
Ares 2.0.9 --> "C:\Program Files\Ares\uninstall.exe"
AVG Anti-Spyware 7.5 --> C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\Uninstall.exe
BearShare --> C:\Program Files\BearShare Applications\BearShare\UninstallSurvey.exe C:\PROGRA~1\BEARSH~1\BEARSH~1\UNWISE.EXE C:\PROGRA~1\BEARSH~1\BEARSH~1\INSTALL.LOG
BitTorrent --> "C:\Program Files\BitTorrent\BitTorrent.exe" /UNINSTALL
BurnQuick --> "C:\Windows\BurnQuick\uninstall.exe" "/U:C:\Program Files\BurnQuick\Uninstall\uninstall.xml"
Cheetah CD Burner --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{808C1CB2-5632-4ABF-B4D2-4B54519E3A9A}\Setup.exe"
Conexant AC-Link Audio --> C:\Program Files\CONEXANT\CNXT_AUDIO\HXFSETUP.EXE -U -Iqta3091.inf
DNA --> "C:\Users\Ryan\Program Files\DNA\btdna.exe" /UNINSTALL
Free CD Ripper 3.1 --> "C:\Program Files\FreeCDRipper\unins000.exe"
Google Earth --> MsiExec.exe /I{1E04F83B-2AB9-4301-9EF7-E86307F79C72}
Google Toolbar for Internet Explorer --> MsiExec.exe /I{DBEA1034-5882-4A88-8033-81C4EF0CFA29}
Google Toolbar for Internet Explorer --> regsvr32 /u /s "c:\program files\google\googletoolbar1.dll"
Guitar Pro 5.2 --> "C:\Program Files\Guitar Pro 5\unins000.exe"
HijackThis 2.0.2 --> "C:\Program Files\Trend Micro\HijackThis\HijackThis.exe" /uninstall
Instant CD & DVD Burner --> "C:\Program Files\Instant CD & DVD Burner\unins000.exe"
Java™ 6 Update 3 --> MsiExec.exe /I{3248F0A8-6813-11D6-A77B-00B0D0160030}
LimeWire 4.17.2 --> "C:\Program Files\LimeWire\uninstall.exe"
MagicDisc 2.5.79 --> C:\PROGRA~1\MAGICD~1\UNWISE.EXE C:\PROGRA~1\MAGICD~1\INSTALL.LOG
Microsoft Office Access MUI (English) 2007 --> MsiExec.exe /X{90120000-0015-0409-0000-0000000FF1CE}
Microsoft Office Access Setup Metadata MUI (English) 2007 --> MsiExec.exe /X{90120000-0117-0409-0000-0000000FF1CE}
Microsoft Office Enterprise 2007 --> "C:\Program Files\Common Files\Microsoft Shared\OFFICE12\Office Setup Controller\setup.exe" /uninstall ENTERPRISE /dll OSETUP.DLL
Microsoft Office Enterprise 2007 --> MsiExec.exe /X{90120000-0030-0000-0000-0000000FF1CE}
Microsoft Office Excel MUI (English) 2007 --> MsiExec.exe /X{90120000-0016-0409-0000-0000000FF1CE}
Microsoft Office Groove MUI (English) 2007 --> MsiExec.exe /X{90120000-00BA-0409-0000-0000000FF1CE}
Microsoft Office Groove Setup Metadata MUI (English) 2007 --> MsiExec.exe /X{90120000-0114-0409-0000-0000000FF1CE}
Microsoft Office InfoPath MUI (English) 2007 --> MsiExec.exe /X{90120000-0044-0409-0000-0000000FF1CE}
Microsoft Office OneNote MUI (English) 2007 --> MsiExec.exe /X{90120000-00A1-0409-0000-0000000FF1CE}
Microsoft Office Outlook MUI (English) 2007 --> MsiExec.exe /X{90120000-001A-0409-0000-0000000FF1CE}
Microsoft Office PowerPoint MUI (English) 2007 --> MsiExec.exe /X{90120000-0018-0409-0000-0000000FF1CE}
Microsoft Office Proof (English) 2007 --> MsiExec.exe /X{90120000-001F-0409-0000-0000000FF1CE}
Microsoft Office Proof (French) 2007 --> MsiExec.exe /X{90120000-001F-040C-0000-0000000FF1CE}
Microsoft Office Proof (Spanish) 2007 --> MsiExec.exe /X{90120000-001F-0C0A-0000-0000000FF1CE}
Microsoft Office Proofing (English) 2007 --> MsiExec.exe /X{90120000-002C-0409-0000-0000000FF1CE}
Microsoft Office Publisher MUI (English) 2007 --> MsiExec.exe /X{90120000-0019-0409-0000-0000000FF1CE}
Microsoft Office Shared MUI (English) 2007 --> MsiExec.exe /X{90120000-006E-0409-0000-0000000FF1CE}
Microsoft Office Shared Setup Metadata MUI (English) 2007 --> MsiExec.exe /X{90120000-0115-0409-0000-0000000FF1CE}
Microsoft Office Word MUI (English) 2007 --> MsiExec.exe /X{90120000-001B-0409-0000-0000000FF1CE}
MSXML 4.0 SP2 (KB936181) --> MsiExec.exe /I{C04E32E0-0416-434D-AFB9-6969D703A9EF}
MSXML 4.0 SP2 (KB941833) --> MsiExec.exe /I{C523D256-313D-4866-B36A-F3DE528246EF}
Phanku eTaxCanada 2007 --> MsiExec.exe /I{0F68009B-F32C-4BD9-9D60-D634665E84E1}
PowerISO --> "C:\Program Files\PowerISO\uninstall.exe"
Python 2.1 --> C:\Python21\\Python21\UNWISE.EXE C:\Python21\\Python21\INSTALL.LOG
Python 2.1 combined Win32 extensions --> C:\Python21\UNWISE~1.EXE C:\Python21\w32inst.log
Security Update for Excel 2007 (KB946974) --> msiexec /package {90120000-0030-0000-0000-0000000FF1CE} /uninstall {85E83E2E-AF9B-439B-B4F9-EB9B7EF6A00E}
Security Update for Office 2007 (KB947801) --> msiexec /package {90120000-0030-0000-0000-0000000FF1CE} /uninstall {02B5A17B-01BE-4BA6-95F1-1CBB46EBC76E}
Security Update for Outlook 2007 (KB946983) --> msiexec /package {90120000-0030-0000-0000-0000000FF1CE} /uninstall {66B9496E-C0C3-4065-9868-85CCA92126C3}
Sentinel System Driver 5.42.1 (32-bit) --> MsiExec.exe /I{F02598C2-2A5F-4593-8F09-439F3317B2C8}
STOIK Capturer --> MsiExec.exe /X{CD7F9976-33AE-4C07-BAE5-FCB50CA6E371}
Update for Outlook 2007 Junk Email Filter (kb947945) --> msiexec /package {90120000-0030-0000-0000-0000000FF1CE} /uninstall {E397056B-7AE5-4FF1-8B13-276BF8201847}
Windows Live installer --> MsiExec.exe /X{A7E4ECCA-4A8E-4258-8EC8-2DCCF5B11320}
Windows Live Messenger --> MsiExec.exe /X{508CE775-4BA4-4748-82DF-FE28DA9F03B0}
WinRAR archiver --> C:\Program Files\WinRAR\uninstall.exe
Xvid 1.1.3 final uninstall --> "C:\Program Files\Xvid\unins000.exe"


-- Application Event Log -------------------------------------------------------

Event Record #/Type3770 / Success
Event Submitted/Written: 03/31/2008 05:00:59 PM
Event ID/Source: 12001 / usnjsvc
Event Description:
The Messenger Sharing USN Journal Reader service started successfully.

Event Record #/Type3766 / Success
Event Submitted/Written: 03/31/2008 05:00:08 PM
Event ID/Source: 5617 / WinMgmt
Event Description:


Event Record #/Type3765 / Success
Event Submitted/Written: 03/31/2008 05:00:07 PM
Event ID/Source: 5615 / WinMgmt
Event Description:


Event Record #/Type3764 / Success
Event Submitted/Written: 03/31/2008 04:59:52 PM
Event ID/Source: 902 / Software Licensing Service
Event Description:
The Software Licensing service has started.

Event Record #/Type3753 / Warning
Event Submitted/Written: 03/31/2008 04:58:18 PM
Event ID/Source: 6000 / Wlclntfy
Event Description:
The winlogon notification subscriber <GPClient> was unavailable to handle a notification event.



-- Security Event Log ----------------------------------------------------------

No Errors/Warnings found.


-- System Event Log ------------------------------------------------------------

Event Record #/Type21505 / Warning
Event Submitted/Written: 03/31/2008 05:08:18 PM
Event ID/Source: 3004 / WinDefend
Event Description:
%Ryan-PC27 Real-Time Protection agent has detected changes. Microsoft recommends you analyze the software that made these changes for potential risks. You can use information about how these programs operate to choose whether to allow them to run or remove them from your computer. Allow changes only if you trust the program or the software publisher. %Ryan-PC27 can't undo changes that you allow.

For more information please see the following:
%Ryan-PC275

Scan ID: {4BCD9911-08CF-494F-9133-69476F22F3E6}

User: Ryan-PC\Ryan

Name: %Ryan-PC271

ID: %Ryan-PC272

Severity ID: %Ryan-PC273

Category ID: %Ryan-PC274

Path Found: %Ryan-PC276

Alert Type: %Ryan-PC278

Detection Type: 1.1.1505.02

Event Record #/Type21504 / Warning
Event Submitted/Written: 03/31/2008 05:08:18 PM
Event ID/Source: 3004 / WinDefend
Event Description:
%Ryan-PC27 Real-Time Protection agent has detected changes. Microsoft recommends you analyze the software that made these changes for potential risks. You can use information about how these programs operate to choose whether to allow them to run or remove them from your computer. Allow changes only if you trust the program or the software publisher. %Ryan-PC27 can't undo changes that you allow.

For more information please see the following:
%Ryan-PC275

Scan ID: {A60BB8C6-B921-4254-BBD4-706DE1FAF322}

User: Ryan-PC\Ryan

Name: %Ryan-PC271

ID: %Ryan-PC272

Severity ID: %Ryan-PC273

Category ID: %Ryan-PC274

Path Found: %Ryan-PC276

Alert Type: %Ryan-PC278

Detection Type: 1.1.1505.02

Event Record #/Type21503 / Warning
Event Submitted/Written: 03/31/2008 05:08:17 PM
Event ID/Source: 3004 / WinDefend
Event Description:
%Ryan-PC27 Real-Time Protection agent has detected changes. Microsoft recommends you analyze the software that made these changes for potential risks. You can use information about how these programs operate to choose whether to allow them to run or remove them from your computer. Allow changes only if you trust the program or the software publisher. %Ryan-PC27 can't undo changes that you allow.

For more information please see the following:
%Ryan-PC275

Scan ID: {8D8DE573-9589-4F6B-85BE-82FAA1758DCA}

User: Ryan-PC\Ryan

Name: %Ryan-PC271

ID: %Ryan-PC272

Severity ID: %Ryan-PC273

Category ID: %Ryan-PC274

Path Found: %Ryan-PC276

Alert Type: %Ryan-PC278

Detection Type: 1.1.1505.02

Event Record #/Type21502 / Warning
Event Submitted/Written: 03/31/2008 05:08:15 PM
Event ID/Source: 3004 / WinDefend
Event Description:
%Ryan-PC27 Real-Time Protection agent has detected changes. Microsoft recommends you analyze the software that made these changes for potential risks. You can use information about how these programs operate to choose whether to allow them to run or remove them from your computer. Allow changes only if you trust the program or the software publisher. %Ryan-PC27 can't undo changes that you allow.

For more information please see the following:
%Ryan-PC275

Scan ID: {497B0784-03F8-4D98-A762-706D4AEA36AA}

User: Ryan-PC\Ryan

Name: %Ryan-PC271

ID: %Ryan-PC272

Severity ID: %Ryan-PC273

Category ID: %Ryan-PC274

Path Found: %Ryan-PC276

Alert Type: %Ryan-PC278

Detection Type: 1.1.1505.02

Event Record #/Type21501 / Warning
Event Submitted/Written: 03/31/2008 05:08:15 PM
Event ID/Source: 3004 / WinDefend
Event Description:
%Ryan-PC27 Real-Time Protection agent has detected changes. Microsoft recommends you analyze the software that made these changes for potential risks. You can use information about how these programs operate to choose whether to allow them to run or remove them from your computer. Allow changes only if you trust the program or the software publisher. %Ryan-PC27 can't undo changes that you allow.

For more information please see the following:
%Ryan-PC275

Scan ID: {207C9B73-60B7-4018-B76B-658BDF5B8163}

User: Ryan-PC\Ryan

Name: %Ryan-PC271

ID: %Ryan-PC272

Severity ID: %Ryan-PC273

Category ID: %Ryan-PC274

Path Found: %Ryan-PC276

Alert Type: %Ryan-PC278

Detection Type: 1.1.1505.02



-- End of Deckard's System Scanner: finished at 2008-03-31 17:10:15 ------------
#4
Rorschach112

    Ralphie

  • Retired Staff
  • 47,710 posts
Hello

1. Please re-open HijackThis and choose "Do a system scan only". Check the boxes next to ONLY the entries listed below (if present):

O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O4 - HKCU\..\Run: [kxkmozcn] C:\Windows\system32\zcbelebc.exe
O4 - HKLM\..\Policies\Explorer\Run: [HjfnwIoLfU] C:\ProgramData\rsnozato\vwvefena.exe


2. Now close all windows other than HijackThis, including browsers, so that nothing other than HijackThis is open, then click Fix Checked. A box will pop up asking you if you wish to fix the selected items. Please choose YES. Once it has fixed them, please exit/close HijackThis.



Please download OTMoveIt2 by OldTimer.
  • Save it to your desktop.
  • Please double-click OTMoveIt2.exe to run it.
  • Copy the file paths below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose Copy):

    C:\ProgramData\rsnozato
    C:\Windows\winsystem.exe
    C:\Windows\userconfig9x.dll
    C:\Windows\system32WINWGPX.EXE
    C:\Windows\system32winsystem.exe
    C:\Windows\system32winlogonpc.exe
    C:\Windows\system32vcatchpi.dll
    C:\Windows\system32vbsys2.dll
    C:\Windows\system32thun32.dll
    C:\Windows\system32thun.dll
    C:\Windows\system32temp#01.exe
    C:\Windows\system32taack.exe
    C:\Windows\system32taack.dat
    C:\Windows\system32sysreq.exe
    C:\Windows\system32ssvchost.exe
    C:\Windows\system32ssvchost.com
    C:\Windows\system32ssurf022.dll
    C:\Windows\system32sncntr.exe
    C:\Windows\system32smp
    C:\Windows\system32Rundl1.exe
    C:\Windows\system32regm64.dll
    C:\Windows\system32regc64.dll
    C:\Windows\system32psoft1.exe
    C:\Windows\system32psof1.exe
    C:\Windows\system32ps1.exe
    C:\Windows\system32newsd32.exe
    C:\Windows\system32netode.exe
    C:\Windows\system32mwin32.exe
    C:\Windows\system32mtr2.exe
    C:\Windows\system32msvchost.exe
    C:\Windows\system32mssecu.exe
    C:\Windows\system32msnbho.dll
    C:\Windows\system32msgp.exe
    C:\Windows\system32medup020.dll
    C:\Windows\system32medup012.dll
    C:\Windows\system32hxiwlgpm.exe
    C:\Windows\system32hxiwlgpm.dat
    C:\Windows\system32hoproxy.dll
    C:\Windows\system32h@tkeysh@@k.dll
    C:\Windows\system32emesx.dll
    C:\Windows\system32dpcproxy.exe
    C:\Windows\system32bsva-egihsg52.exe
    C:\Windows\system32bdn.com
    C:\Windows\system32awtoolb.dll
    C:\Windows\system32anticipator.dll
    C:\Windows\system32akttzn.exe
    C:\Windows\mssecu.exe
    C:\Windows\mslagent
    C:\Windows\iTunesMusic.exe
    C:\Windows\FVProtect.exe
    C:\Windows\bdn.com
    C:\Windows\a.bat
    C:\Users\Ryan\Desktopvirii
    C:\Users\Ryan\DesktopFWebdEditor.exe
    C:\Users\Ryan\Desktopfwebd.exe
    C:\Users\Ryan\Desktopfilemanagerclient.exe
    C:\Program Files\Inet Delivery
    C:\Windows\system32\zcbelebc.exe
    C:\Users\All Users\rsnozato
  • Return to OTMoveIt2, right click in the "Paste List of Files/Folders to be Moved" window (under the light blue bar) and choose Paste.
  • Copy the file paths below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose Copy):

    purity
  • Return to OTMoveIt2, right click in the "Paste List Of Files/Patterns To Search For and Move" window (under the yellow bar) and choose Paste.
  • Click the red Moveit! button.
  • Copy everything in the Results window (under the green bar) to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose copy), and paste it in your next reply.
  • Close OTMoveIt2
If a file or folder cannot be moved immediately you may be asked to reboot the machine to finish the move process. If you are asked to reboot the machine choose Yes.


Reboot and post a new DSS log
#5
ryan38

    Member

  • Topic Starter
  • Member
  • 34 posts
Hi there,

After copying the items into OTMoveIt2 and pressing the red Moveit! button, an error occurs stating:

C:\windows\system32regc64.dll is either not designed to run on Windows or it contains an error. Try Installing the program again using the original installation media or contact your system administrator or the software vendor for support.


Not sure what to do?

EDIT

Actually there seem to be a number of errors with different files.

Edited by ryan38, 31 March 2008 - 02:13 PM.

#6
Rorschach112

    Ralphie

  • Retired Staff
  • 47,710 posts
Try it once more, but remove C:\Windows\system32regc64.dll from the list of files to be moved.

If it happens again, just reboot and post a new DSS log.
#7
ryan38

    Member

  • Topic Starter
  • Member
  • 34 posts
Here is the DSS main log... I didn't get an extra log, so I'm assuming you only need this!!

Deckard's System Scanner v20071014.68
Run by Ryan on 2008-03-31 17:50:39
Computer is in Normal Mode.
--------------------------------------------------------------------------------

Total Physical Memory: 894 MiB (1024 MiB recommended).


-- HijackThis (run as Ryan.exe) ------------------------------------------------

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 5:50:55 PM, on 3/31/2008
Platform: Windows Vista (WinNT 6.00.1904)
MSIE: Internet Explorer v7.00 (7.00.6000.16609)
Boot mode: Normal

Running processes:
C:\Windows\system32\taskeng.exe
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\ProgramData\rsnozato\vwvefena.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe
C:\Program Files\Adobe\Reader 8.0\Reader\reader_sl.exe
C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe
C:\Program Files\PowerISO\PWRISOVM.EXE
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
C:\Program Files\Windows Live\Messenger\msnmsgr.exe
C:\Windows\ehome\ehtray.exe
C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe
C:\Users\Ryan\Program Files\DNA\btdna.exe
C:\Program Files\Internet Explorer\ieuser.exe
C:\Windows\ehome\ehmsas.exe
C:\Users\Ryan\Desktop\dss.exe
C:\PROGRA~1\TRENDM~1\HIJACK~1\Ryan.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O1 - Hosts: ::1 localhost
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: Groove GFS Browser Helper - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\Program Files\Microsoft Office\Office12\GrooveShellExtensions.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [Windows Defender] %ProgramFiles%\Windows Defender\MSASCui.exe -hide
O4 - HKLM\..\Run: [GrooveMonitor] "C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe"
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"
O4 - HKLM\..\Run: [PWRISOVM.EXE] C:\Program Files\PowerISO\PWRISOVM.EXE
O4 - HKLM\..\Run: [BurnQuick Queue] C:\Program Files\BurnQuick\BQTray.exe
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKCU\..\Run: [Sidebar] C:\Program Files\Windows Sidebar\sidebar.exe /autoRun
O4 - HKCU\..\Run: [WindowsWelcomeCenter] rundll32.exe oobefldr.dll,ShowWelcomeCenter
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\Windows Live\Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [ehTray.exe] C:\Windows\ehome\ehTray.exe
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [BitTorrent DNA] "C:\Users\Ryan\Program Files\DNA\btdna.exe"
O4 - HKLM\..\Policies\Explorer\Run: [HjfnwIoLfU] C:\ProgramData\rsnozato\vwvefena.exe
O4 - HKUS\S-1-5-19\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\Run: [WindowsWelcomeCenter] rundll32.exe oobefldr.dll,ShowWelcomeCenter (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'NETWORK SERVICE')
O4 - Startup: MagicDisc.lnk = C:\Program Files\MagicDisc\MagicDisc.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O13 - Gopher Prefix:
O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\Program Files\Microsoft Office\Office12\GrooveSystemServices.dll
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: ArcGIS License Manager - Unknown owner - C:\PROGRA~1\ESRI\License\arcgis9x\lmgrd.exe
O23 - Service: Ares Chatroom server (AresChatServer) - Ares Development Group - C:\Program Files\Ares\chatServer.exe
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe

--
End of file - 4899 bytes

-- Files created between 2008-02-29 and 2008-03-31 -----------------------------

2008-03-31 16:56:11 2910 --a------ C:\Windows\system32\tmp.reg
2008-03-31 16:55:40 25600 --a------ C:\Windows\system32\WS2Fix.exe
2008-03-31 16:55:40 289144 --a------ C:\Windows\system32\VCCLSID.exe <Not Verified; S!Ri; >
2008-03-31 16:55:40 86528 --a------ C:\Windows\system32\VACFix.exe <Not Verified; S!Ri.URZ; VACFix>
2008-03-31 16:55:40 82432 --a------ C:\Windows\system32\IEDFix.exe <Not Verified; S!Ri.URZ; IEDFix>
2008-03-31 16:55:40 51200 --a------ C:\Windows\system32\dumphive.exe
2008-03-31 16:55:39 288417 --a------ C:\Windows\system32\SrchSTS.exe <Not Verified; S!Ri; SrchSTS>
2008-03-31 16:55:39 53248 --a------ C:\Windows\system32\Process.exe <Not Verified; http://www.beyondlogic.org; Command Line Process Utility>
2008-03-30 18:53:11 0 d-------- C:\Program Files\Trend Micro
2008-03-30 17:08:03 0 d-------- C:\Users\All Users\Grisoft
2008-03-30 17:02:19 0 d-------- C:\help
2008-03-30 14:15:12 0 d-------- C:\Program Files\STOIK Imaging
2008-03-30 14:13:45 0 d-------- C:\vid
2008-03-28 22:08:00 0 d-------- C:\Users\Ryan\Program Files
2008-03-28 07:18:45 0 d-------- C:\Program Files\Lavasoft
2008-03-28 07:18:44 0 d-------- C:\Users\All Users\Lavasoft
2008-03-28 07:16:42 0 d-------- C:\Program Files\Common Files\Wise Installation Wizard
2008-03-27 22:17:08 4096 --a------ C:\Windows\winsystem.exe
2008-03-27 22:17:08 4096 --a------ C:\Windows\userconfig9x.dll
2008-03-27 22:17:08 4096 --a------ C:\Windows\system32WINWGPX.EXE
2008-03-27 22:17:08 4096 --a------ C:\Windows\system32winsystem.exe
2008-03-27 22:17:08 4096 --a------ C:\Windows\system32winlogonpc.exe
2008-03-27 22:17:08 4096 --a------ C:\Windows\system32vcatchpi.dll
2008-03-27 22:17:08 4096 --a------ C:\Windows\system32vbsys2.dll
2008-03-27 22:17:08 4096 --a------ C:\Windows\system32thun32.dll
2008-03-27 22:17:08 4096 --a------ C:\Windows\system32thun.dll
2008-03-27 22:17:08 4096 --a------ C:\Windows\system32temp#01.exe
2008-03-27 22:17:08 4096 --a------ C:\Windows\system32taack.exe
2008-03-27 22:17:08 4096 --a------ C:\Windows\system32taack.dat
2008-03-27 22:17:08 4096 --a------ C:\Windows\system32sysreq.exe
2008-03-27 22:17:08 4096 --a------ C:\Windows\system32ssvchost.exe
2008-03-27 22:17:08 4096 --a------ C:\Windows\system32ssvchost.com
2008-03-27 22:17:08 4096 --a------ C:\Windows\system32ssurf022.dll
2008-03-27 22:17:08 4096 --a------ C:\Windows\system32sncntr.exe
2008-03-27 22:17:08 0 d-------- C:\Windows\system32smp
2008-03-27 22:17:08 4096 --a------ C:\Windows\system32Rundl1.exe
2008-03-27 22:17:08 4096 --a------ C:\Windows\system32regm64.dll
2008-03-27 22:17:08 4096 --a------ C:\Windows\system32regc64.dll
2008-03-27 22:17:08 4096 --a------ C:\Windows\system32psoft1.exe
2008-03-27 22:17:08 4096 --a------ C:\Windows\system32psof1.exe
2008-03-27 22:17:08 4096 --a------ C:\Windows\system32ps1.exe
2008-03-27 22:17:08 4096 --a------ C:\Windows\system32newsd32.exe
2008-03-27 22:17:08 4096 --a------ C:\Windows\system32netode.exe
2008-03-27 22:17:08 4096 --a------ C:\Windows\system32mwin32.exe
2008-03-27 22:17:08 4096 --a------ C:\Windows\system32mtr2.exe
2008-03-27 22:17:08 4096 --a------ C:\Windows\system32msvchost.exe
2008-03-27 22:17:08 4096 --a------ C:\Windows\system32mssecu.exe
2008-03-27 22:17:08 4096 --a------ C:\Windows\system32msnbho.dll
2008-03-27 22:17:08 4096 --a------ C:\Windows\system32msgp.exe
2008-03-27 22:17:08 4096 --a------ C:\Windows\system32medup020.dll
2008-03-27 22:17:08 4096 --a------ C:\Windows\system32medup012.dll
2008-03-27 22:17:08 4096 --a------ C:\Windows\system32hxiwlgpm.exe
2008-03-27 22:17:08 4096 --a------ C:\Windows\system32hxiwlgpm.dat
2008-03-27 22:17:08 4096 --a------ C:\Windows\system32hoproxy.dll
2008-03-27 22:17:08 4096 --a------ C:\Windows\system32h@tkeysh@@k.dll
2008-03-27 22:17:08 4096 --a------ C:\Windows\system32emesx.dll
2008-03-27 22:17:08 4096 --a------ C:\Windows\system32dpcproxy.exe
2008-03-27 22:17:08 4096 --a------ C:\Windows\system32bsva-egihsg52.exe
2008-03-27 22:17:08 4096 --a------ C:\Windows\system32bdn.com
2008-03-27 22:17:08 4096 --a------ C:\Windows\system32awtoolb.dll
2008-03-27 22:17:08 4096 --a------ C:\Windows\system32anticipator.dll
2008-03-27 22:17:08 4096 --a------ C:\Windows\system32akttzn.exe
2008-03-27 22:17:08 4096 --a------ C:\Windows\mssecu.exe
2008-03-27 22:17:08 0 d-------- C:\Windows\mslagent
2008-03-27 22:17:08 4096 --a------ C:\Windows\iTunesMusic.exe
2008-03-27 22:17:08 4096 --a------ C:\Windows\FVProtect.exe
2008-03-27 22:17:08 4096 --a------ C:\Windows\bdn.com
2008-03-27 22:17:08 4096 --a------ C:\Windows\a.bat
2008-03-27 22:17:08 0 d-------- C:\Users\Ryan\Desktopvirii
2008-03-27 22:17:08 4096 --a------ C:\Users\Ryan\DesktopFWebdEditor.exe
2008-03-27 22:17:08 4096 --a------ C:\Users\Ryan\Desktopfwebd.exe
2008-03-27 22:17:08 4096 --a------ C:\Users\Ryan\Desktopfilemanagerclient.exe
2008-03-27 22:17:08 0 d-------- C:\Program Files\Inet Delivery
2008-03-27 22:17:00 90112 --a------ C:\Windows\system32\zcbelebc.exe
2008-03-27 22:17:00 0 d-------- C:\Users\All Users\rsnozato
2008-03-22 23:53:49 0 d-------- C:\Users\All Users\Yahoo!
2008-03-22 23:52:20 0 d-------- C:\Program Files\Yahoo!
2008-03-15 11:01:08 22 --a------ C:\Users\All Users\ReturnCounter.dat
2008-03-15 10:04:45 0 d-------- C:\Program Files\Phanku eTaxCanada 2007
2008-03-15 10:03:29 0 d-------- C:\tax
2008-03-02 15:09:21 180224 --a------ C:\Windows\system32\xvidvfw.dll
2008-03-02 15:09:21 765952 --a------ C:\Windows\system32\xvidcore.dll
2008-03-02 15:09:21 0 d-------- C:\Program Files\Xvid


-- Find3M Report ---------------------------------------------------------------

2008-03-31 17:47:15 0 d-------- C:\Users\Ryan\AppData\Roaming\DNA
2008-03-31 16:56:11 35 --a------ C:\Users\Ryan\AppData\Roaming\SetValue.bat
2008-03-31 16:56:11 691 --a------ C:\Users\Ryan\AppData\Roaming\GetValue.vbs
2008-03-30 17:14:27 0 d-------- C:\Users\Ryan\AppData\Roaming\BitTorrent
2008-03-30 17:09:07 0 d-------- C:\Users\Ryan\AppData\Roaming\Grisoft
2008-03-30 14:15:26 0 d-------- C:\Users\Ryan\AppData\Roaming\STOIK
2008-03-30 14:03:21 0 d-------- C:\Users\Ryan\AppData\Roaming\BearShare
2008-03-28 07:16:42 0 d-------- C:\Program Files\Common Files
2008-03-12 03:12:25 0 d-------- C:\Program Files\Windows Mail
2008-03-04 22:19:59 0 d-------- C:\Program Files\Instant CD & DVD Burner
2008-03-04 00:08:12 22 --a------ C:\Users\Ryan\AppData\Roaming\ReturnCounter.dat
2008-02-28 22:25:41 0 d-------- C:\Users\Ryan\AppData\Roaming\Elluminate
2008-02-06 04:01:58 0 d-------- C:\Program Files\MSXML 4.0
2008-02-04 19:59:00 0 d-------- C:\Program Files\Rainbow Technologies
2008-02-04 19:37:29 0 d-------- C:\Program Files\ESRI
2008-02-04 19:36:55 0 d-------- C:\Users\Ryan\AppData\Roaming\ESRI
2008-02-04 19:22:13 0 d-------- C:\Program Files\Common Files\ESRI
2008-02-04 19:21:31 0 d-------- C:\Program Files\ArcGIS
2008-02-04 19:20:47 0 d-------- C:\Program Files\Leica Geosystems
2008-02-03 13:54:35 0 d-------- C:\Users\Ryan\AppData\Roaming\LimeWire
2008-02-01 19:20:45 0 d-------- C:\Program Files\LimeWire
2008-02-01 19:10:01 0 d-------- C:\Program Files\Ares
2008-02-01 18:52:00 0 d-------- C:\Program Files\BearShare Applications


-- Registry Dump ---------------------------------------------------------------

*Note* empty entries & legit default entries are not shown


[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Windows Defender"="C:\Program Files\Windows Defender\MSASCui.exe" [12/08/2007 10:00 AM]
"GrooveMonitor"="C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe" [08/24/2007 08:00 AM]
"Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [10/10/2007 08:51 PM]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe" [09/25/2007 02:11 AM]
"PWRISOVM.EXE"="C:\Program Files\PowerISO\PWRISOVM.EXE" [08/06/2007 09:35 PM]
"BurnQuick Queue"="C:\Program Files\BurnQuick\BQTray.exe" [09/01/2007 02:27 PM]
"!AVG Anti-Spyware"="C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" [06/11/2007 06:55 AM]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Sidebar"="C:\Program Files\Windows Sidebar\sidebar.exe" [01/09/2008 04:02 AM]
"WindowsWelcomeCenter"="oobefldr.dll,ShowWelcomeCenter" []
"MsnMsgr"="C:\Program Files\Windows Live\Messenger\MsnMsgr.exe" [10/18/2007 12:34 PM]
"ehTray.exe"="C:\Windows\ehome\ehTray.exe" [11/02/2006 10:05 AM]
"swg"="C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe" [01/18/2008 08:02 PM]
"BitTorrent DNA"="C:\Users\Ryan\Program Files\DNA\btdna.exe" [03/28/2008 10:08 PM]

C:\Users\Ryan\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\
MagicDisc.lnk - C:\Program Files\MagicDisc\MagicDisc.exe [12/2/2007 8:36:46 PM]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"ConsentPromptBehaviorAdmin"=2 (0x2)

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer\Run]
"HjfnwIoLfU"=C:\ProgramData\rsnozato\vwvefena.exe

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\aawservice]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\AppInfo]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\KeyIso]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\NTDS]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\ProfSvc]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\sacsvr]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\SWPRV]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\TabletInputService]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\TBS]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\TrustedInstaller]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\VDS]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\volmgr.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\volmgrx.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{533C5B84-EC70-11D2-9505-00C04F79DEAF}]
@="Volume shadow copy"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{6BDD1FC1-810F-11D0-BEC7-08002BE2092F}]
@="IEEE 1394 Bus host controllers"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{D48179BE-EC20-11D1-B6B8-00C04FA372A7}]
@="SBP2 IEEE 1394 Devices"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{D94EE5D8-D189-4994-83D2-F68D7D41B0E6}]
@="SecurityDevices"

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
LocalSystemNetworkRestricted hidserv UxSms WdiSystemHost Netman trkwks AudioEndpointBuilder WUDFSvc irmon sysmain IPBusEnum dot3svc PcaSvc EMDMgmt TabletInputService wlansvc WPDBusEnum


[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\>{22d6f312-b0f6-11d0-94ab-0080c74c7e95}]
C:\Windows\system32\unregmp2.exe /ShowWMP

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{6BF52A52-394A-11d3-B153-00C04F79FAA6}]
%SystemRoot%\system32\unregmp2.exe /FirstLogon /Shortcuts /RegBrowsers /ResetMUI



-- End of Deckard's System Scanner: finished at 2008-03-31 17:51:40 ------------

#8
Rorschach112

    Ralphie

  • Retired Staff
  • 47,710 posts
Hello

Download OTScanIt.exe to your Desktop and double-click on it to extract the files. It will create a folder named OTScanIt on your desktop.
  • Open the OTScanIt folder and double-click on OTScanIt.exe to start the program.
  • Under Additional Scans check the boxes beside Reg - App Paths, Reg - Bot Check, Reg - Desktop Components, Reg - Disabled MS Config Items, Reg - File Additional Folder Scans, File - Lop Check, and File - Purity Scan.
  • Under Drivers change it to Non-Microsoft.
  • Check the box beside Scan All User Accounts at the top.
  • Under Files Created Within and Files Modified Within change it to 90 days.
  • Now click the Run Scan button on the toolbar.
  • When the scan is complete Notepad will open with the report file loaded in it.
  • Click the Format menu and make sure that Wordwrap is not checked. If it is then click on it to uncheck it.
Use the Add Reply button and post the information back here in an attachment. I will review it when it comes in. The last line is < End of Report >, so make sure that is the last line in the attached report.


Make sure you attach the report in your reply. If it is too big to upload, then zip the text file and upload it that way.

#9
ryan38

    Member

  • Topic Starter
  • Member
  • 34 posts
Here it is

Thanks

Attached Files



#10
Rorschach112

    Ralphie

  • Retired Staff
  • 47,710 posts
Hello

Start OTScanIt. Copy/Paste the information in the quotebox below into the panel where it says "Paste fix here" and then click the Run Fix button.

[Kill Explorer]
[Unregister Dlls]
[Processes - Non-Microsoft Only]
YY -> vwvefena.exe -> %AllUsersProfile%\rsnozato\vwvefena.exe
[Registry - Non-Microsoft Only]
< Run [HKEY_LOCAL_MACHINE\] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
YN -> Windows Defender ->
< Run [HKEY_USERS\S-1-5-19\] > -> HKEY_USERS\S-1-5-19\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
YN -> Sidebar ->
< Run [HKEY_USERS\S-1-5-20\] > -> HKEY_USERS\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
YN -> Sidebar ->
< BHO's [HKEY_LOCAL_MACHINE] > -> HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\
YN -> {7E853D72-626A-48EC-A868-BA8D5E23E045} [HKEY_LOCAL_MACHINE] -> Reg Error: Key does not exist or could not be opened. [Reg Error: Key does not exist or could not be opened.]
[Files/Folders - Created Within 90 days]
NY -> a.bat -> %SystemRoot%\a.bat
NY -> bdn.com -> %SystemRoot%\bdn.com
NY -> 5 C:\Windows\*.tmp files -> C:\Windows\*.tmp
NY -> system32akttzn.exe -> %SystemRoot%\system32akttzn.exe
NY -> system32anticipator.dll -> %SystemRoot%\system32anticipator.dll
NY -> system32awtoolb.dll -> %SystemRoot%\system32awtoolb.dll
NY -> system32bdn.com -> %SystemRoot%\system32bdn.com
NY -> system32bsva-egihsg52.exe -> %SystemRoot%\system32bsva-egihsg52.exe
NY -> system32dpcproxy.exe -> %SystemRoot%\system32dpcproxy.exe
NY -> system32emesx.dll -> %SystemRoot%\system32emesx.dll
NY -> system32h@tkeysh@@k.dll -> %SystemRoot%\system32h@tkeysh@@k.dll
NY -> system32hoproxy.dll -> %SystemRoot%\system32hoproxy.dll
NY -> system32hxiwlgpm.dat -> %SystemRoot%\system32hxiwlgpm.dat
NY -> system32hxiwlgpm.exe -> %SystemRoot%\system32hxiwlgpm.exe
NY -> system32medup012.dll -> %SystemRoot%\system32medup012.dll
NY -> system32medup020.dll -> %SystemRoot%\system32medup020.dll
NY -> system32msgp.exe -> %SystemRoot%\system32msgp.exe
NY -> system32msnbho.dll -> %SystemRoot%\system32msnbho.dll
NY -> system32mssecu.exe -> %SystemRoot%\system32mssecu.exe
NY -> system32msvchost.exe -> %SystemRoot%\system32msvchost.exe
NY -> system32mtr2.exe -> %SystemRoot%\system32mtr2.exe
NY -> system32mwin32.exe -> %SystemRoot%\system32mwin32.exe
NY -> system32netode.exe -> %SystemRoot%\system32netode.exe
NY -> system32newsd32.exe -> %SystemRoot%\system32newsd32.exe
NY -> system32ps1.exe -> %SystemRoot%\system32ps1.exe
NY -> system32psof1.exe -> %SystemRoot%\system32psof1.exe
NY -> system32psoft1.exe -> %SystemRoot%\system32psoft1.exe
NY -> system32regc64.dll -> %SystemRoot%\system32regc64.dll
NY -> system32regm64.dll -> %SystemRoot%\system32regm64.dll
NY -> system32Rundl1.exe -> %SystemRoot%\system32Rundl1.exe
NY -> system32smp -> %SystemRoot%\system32smp
NY -> system32sncntr.exe -> %SystemRoot%\system32sncntr.exe
NY -> system32ssurf022.dll -> %SystemRoot%\system32ssurf022.dll
NY -> system32ssvchost.com -> %SystemRoot%\system32ssvchost.com
NY -> system32ssvchost.exe -> %SystemRoot%\system32ssvchost.exe
NY -> system32sysreq.exe -> %SystemRoot%\system32sysreq.exe
NY -> system32taack.dat -> %SystemRoot%\system32taack.dat
NY -> system32taack.exe -> %SystemRoot%\system32taack.exe
NY -> system32temp#01.exe -> %SystemRoot%\system32temp#01.exe
NY -> system32thun.dll -> %SystemRoot%\system32thun.dll
NY -> system32thun32.dll -> %SystemRoot%\system32thun32.dll
NY -> system32VBIEWER.OCX -> %SystemRoot%\system32VBIEWER.OCX
NY -> system32vbsys2.dll -> %SystemRoot%\system32vbsys2.dll
NY -> system32vcatchpi.dll -> %SystemRoot%\system32vcatchpi.dll
NY -> system32winlogonpc.exe -> %SystemRoot%\system32winlogonpc.exe
NY -> system32winsystem.exe -> %SystemRoot%\system32winsystem.exe
NY -> system32WINWGPX.EXE -> %SystemRoot%\system32WINWGPX.EXE
NY -> userconfig9x.dll -> %SystemRoot%\userconfig9x.dll
NY -> winsystem.exe -> %SystemRoot%\winsystem.exe
[Files Created - Additional Folder Scans - Non-Microsoft Only]
NY -> rsnozato -> %AllUsersProfile%\rsnozato
NY -> GetValue.vbs -> %AppData%\GetValue.vbs
NY -> ReturnCounter.dat -> %AppData%\ReturnCounter.dat
NY -> SetValue.bat -> %AppData%\SetValue.bat
NY -> SmitfraudFix -> %UserProfile%\Desktop\SmitfraudFix
NY -> SmitfraudFix.exe -> %UserProfile%\Desktop\SmitfraudFix.exe
[Files/Folders - Modified Within 90 days]
NY -> zcbelebc.exe -> %SystemRoot%\System32\zcbelebc.exe
NY -> a.bat -> %SystemRoot%\a.bat
NY -> 5 C:\Windows\*.tmp files -> C:\Windows\*.tmp
NY -> bdn.com -> %SystemRoot%\bdn.com
NY -> iTunesMusic.exe -> %SystemRoot%\iTunesMusic.exe
NY -> mssecu.exe -> %SystemRoot%\mssecu.exe
NY -> system32akttzn.exe -> %SystemRoot%\system32akttzn.exe
NY -> system32anticipator.dll -> %SystemRoot%\system32anticipator.dll
NY -> system32awtoolb.dll -> %SystemRoot%\system32awtoolb.dll
NY -> system32bdn.com -> %SystemRoot%\system32bdn.com
NY -> system32bsva-egihsg52.exe -> %SystemRoot%\system32bsva-egihsg52.exe
NY -> system32dpcproxy.exe -> %SystemRoot%\system32dpcproxy.exe
NY -> system32emesx.dll -> %SystemRoot%\system32emesx.dll
NY -> system32h@tkeysh@@k.dll -> %SystemRoot%\system32h@tkeysh@@k.dll
NY -> system32hoproxy.dll -> %SystemRoot%\system32hoproxy.dll
NY -> system32hxiwlgpm.dat -> %SystemRoot%\system32hxiwlgpm.dat
NY -> system32hxiwlgpm.exe -> %SystemRoot%\system32hxiwlgpm.exe
NY -> system32medup012.dll -> %SystemRoot%\system32medup012.dll
NY -> system32medup020.dll -> %SystemRoot%\system32medup020.dll
NY -> system32msgp.exe -> %SystemRoot%\system32msgp.exe
NY -> system32msnbho.dll -> %SystemRoot%\system32msnbho.dll
NY -> system32mssecu.exe -> %SystemRoot%\system32mssecu.exe
NY -> system32msvchost.exe -> %SystemRoot%\system32msvchost.exe
NY -> system32mtr2.exe -> %SystemRoot%\system32mtr2.exe
NY -> system32mwin32.exe -> %SystemRoot%\system32mwin32.exe
NY -> system32netode.exe -> %SystemRoot%\system32netode.exe
NY -> system32newsd32.exe -> %SystemRoot%\system32newsd32.exe
NY -> system32ps1.exe -> %SystemRoot%\system32ps1.exe
NY -> system32psof1.exe -> %SystemRoot%\system32psof1.exe
NY -> system32psoft1.exe -> %SystemRoot%\system32psoft1.exe
NY -> system32regc64.dll -> %SystemRoot%\system32regc64.dll
NY -> system32regm64.dll -> %SystemRoot%\system32regm64.dll
NY -> system32Rundl1.exe -> %SystemRoot%\system32Rundl1.exe
NY -> system32smp -> %SystemRoot%\system32smp
NY -> system32sncntr.exe -> %SystemRoot%\system32sncntr.exe
NY -> system32ssurf022.dll -> %SystemRoot%\system32ssurf022.dll
NY -> system32ssvchost.com -> %SystemRoot%\system32ssvchost.com
NY -> system32ssvchost.exe -> %SystemRoot%\system32ssvchost.exe
NY -> system32sysreq.exe -> %SystemRoot%\system32sysreq.exe
NY -> system32taack.dat -> %SystemRoot%\system32taack.dat
NY -> system32taack.exe -> %SystemRoot%\system32taack.exe
NY -> system32temp#01.exe -> %SystemRoot%\system32temp#01.exe
NY -> system32thun.dll -> %SystemRoot%\system32thun.dll
NY -> system32thun32.dll -> %SystemRoot%\system32thun32.dll
NY -> system32VBIEWER.OCX -> %SystemRoot%\system32VBIEWER.OCX
NY -> system32vbsys2.dll -> %SystemRoot%\system32vbsys2.dll
NY -> system32vcatchpi.dll -> %SystemRoot%\system32vcatchpi.dll
NY -> system32winlogonpc.exe -> %SystemRoot%\system32winlogonpc.exe
NY -> system32winsystem.exe -> %SystemRoot%\system32winsystem.exe
NY -> system32WINWGPX.EXE -> %SystemRoot%\system32WINWGPX.EXE
[Files Modified - Additional Folder Scans - Non-Microsoft Only]
NY -> rsnozato -> %AllUsersProfile%\rsnozato
NY -> SetValue.bat -> %AppData%\SetValue.bat
[Extra Files]
Purity
[Empty Temp Folders]
[Start Explorer]
[Reboot]


The fix should only take a very short time. When the fix is completed a message box will pop up telling you that it is finished. Click the Ok button and Notepad will open with a log of actions taken during the fix. Post that information back here.

I will review the information when it comes back in.


Then reboot and post a new DSS log.
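The fix script above and the DSS listings in this thread show three patterns a responder can check for mechanically: an autorun under the Policies\Explorer\Run key, an autorun whose executable lives in a user-writable directory such as ProgramData, and files created directly in C:\Windows whose names begin with "system32" (the separator is missing, so they are look-alike names beside the real folder, not files inside it), dropped as a burst of same-sized files in one second. The following triage script is an added example, not code from the thread or from HijackThis, DSS, OTScanIt or OTMoveIt2; the rule names, the Finding type and the sample lines (constructed, modelled on entries quoted in this thread) are the example's own assumptions.

```python
"""Triage rules for HijackThis O4 lines and DSS 'files created' lines.
Added example for this thread, not code from HijackThis, DSS, OTScanIt or
OTMoveIt2; rule names, Finding and SAMPLE_LINES are this example's own.
"""
import re
from dataclasses import dataclass

# HijackThis autorun line:  O4 - <hive>\..\<key>: [<value name>] <command>
O4_RE = re.compile(r'^O4 - (?P<key>[^:]+): \[(?P<name>[^\]]*)\] (?P<cmd>.*)$')
# DSS file listing line:    <date> <time> <size> <attrs> <path> [<verification note>]
DSS_RE = re.compile(r'^(?P<date>\d{4}-\d{2}-\d{2}) (?P<time>\d{2}:\d{2}:\d{2}) '
                    r'(?P<size>\d+) (?P<attrs>\S+) (?P<path>.+)$')
# Locations any user can write to; legitimate autoruns rarely start from here.
USER_WRITABLE = ("\\programdata\\", "\\appdata\\", "\\users\\all users\\")


@dataclass(frozen=True)
class Finding:
    rule: str
    subject: str


def executable_from_command(cmd: str) -> str:
    """Program path from an O4 command: honour quotes, else cut after the first program token."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        end = cmd.find('"', 1)
        return cmd[1:end] if end > 0 else cmd[1:]
    m = re.match(r'^(.*?\.(?:exe|com|bat|cmd|scr|pif))(?:\s|$)', cmd, re.IGNORECASE)
    return m.group(1) if m else cmd


def clean_path(path: str) -> str:
    """Drop DSS's trailing '<Not Verified; ...>' note, if present."""
    return re.sub(r'\s*<[^>]*>\s*$', '', path).strip()


def check_autorun(line: str) -> list:
    """Flag an O4 entry under Policies\\Explorer\\Run or one that runs from a user-writable directory."""
    m = O4_RE.match(line)
    if not m:
        return []
    name, exe = m.group("name"), executable_from_command(m.group("cmd"))
    findings = []
    if "policies\\explorer\\run" in m.group("key").lower():
        findings.append(Finding("policy-run-key", f"{name}: {exe}"))
    if any(part in exe.lower() for part in USER_WRITABLE):
        findings.append(Finding("autorun-from-user-writable-dir", f"{name}: {exe}"))
    return findings


def check_created_file(line: str) -> list:
    """Flag an entry created directly in C:\\Windows whose name starts with 'system32' (look-alike name)."""
    m = DSS_RE.match(line)
    if not m:
        return []
    path = clean_path(m.group("path"))
    parent, _, base = path.rpartition("\\")
    low = base.lower()
    if parent.lower() == "c:\\windows" and low.startswith("system32") and low != "system32":
        return [Finding("system32-lookalike-name", path)]
    return []


def find_drop_bursts(lines: list, min_count: int = 5) -> list:
    """Flag at least min_count non-empty files created in the same second with the same size."""
    groups: dict = {}
    for line in lines:
        m = DSS_RE.match(line)
        if not m or m.group("size") == "0":
            continue
        key = (m.group("date"), m.group("time"), m.group("size"))
        groups.setdefault(key, []).append(clean_path(m.group("path")))
    return [Finding("mass-drop-burst", f"{len(paths)} files of {size} bytes at {date} {time}")
            for (date, time, size), paths in groups.items() if len(paths) >= min_count]


def triage(lines: list) -> list:
    """Run every rule over the log lines and return all findings."""
    findings = []
    for line in lines:
        findings.extend(check_autorun(line))
        findings.extend(check_created_file(line))
    findings.extend(find_drop_bursts(lines))
    return findings


# Constructed sample, modelled on lines quoted in this thread.
SAMPLE_LINES = [
    r'O4 - HKLM\..\Run: [GrooveMonitor] "C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe"',
    r'O4 - HKCU\..\Run: [Sidebar] C:\Program Files\Windows Sidebar\sidebar.exe /autoRun',
    r'O4 - HKCU\..\Run: [WindowsWelcomeCenter] rundll32.exe oobefldr.dll,ShowWelcomeCenter',
    r'O4 - HKLM\..\Policies\Explorer\Run: [HjfnwIoLfU] C:\ProgramData\rsnozato\vwvefena.exe',
    r'2008-03-27 22:17:08 4096 --a------ C:\Windows\system32thun32.dll',
    r'2008-03-27 22:17:08 4096 --a------ C:\Windows\system32taack.exe',
    r'2008-03-27 22:17:08 4096 --a------ C:\Windows\system32sysreq.exe',
    r'2008-03-27 22:17:08 4096 --a------ C:\Windows\a.bat',
    r'2008-03-27 22:17:08 4096 --a------ C:\Windows\FVProtect.exe',
    r'2008-03-27 22:17:08 0 d-------- C:\Windows\system32smp',
    r'2008-03-27 22:17:00 90112 --a------ C:\Windows\system32\zcbelebc.exe',
    r'2008-03-31 16:55:40 289144 --a------ C:\Windows\system32\VCCLSID.exe <Not Verified; S!Ri; >',
]

if __name__ == "__main__":
    for f in triage(SAMPLE_LINES):
        print(f"[{f.rule}] {f.subject}")
```

Run against the sample, the script reports the HjfnwIoLfU entry twice (once per rule), each of the four "system32"-prefixed names sitting in C:\Windows, and one burst of five 4096-byte files at 22:17:08; the zcbelebc.exe entry inside the real system32 folder is not flagged by the name rule, which is the point of comparing the parent directory rather than the name alone.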


#11
ryan38

    Member

  • Topic Starter
  • Member
  • 34 posts
It seems once again there were a number of files that had errors... I skipped those files, then it asked me to reboot. No log was created though, or at least it never opened. I went ahead and did a DSS log for you; here it is.

Deckard's System Scanner v20071014.68
Run by Ryan on 2008-03-31 18:50:49
Computer is in Normal Mode.
--------------------------------------------------------------------------------

Total Physical Memory: 894 MiB (1024 MiB recommended).


-- HijackThis (run as Ryan.exe) ------------------------------------------------

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 6:51:10 PM, on 3/31/2008
Platform: Windows Vista (WinNT 6.00.1904)
MSIE: Internet Explorer v7.00 (7.00.6000.16609)
Boot mode: Normal

Running processes:
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe
C:\Program Files\Adobe\Reader 8.0\Reader\reader_sl.exe
C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe
C:\Program Files\PowerISO\PWRISOVM.EXE
C:\Program Files\BurnQuick\BQTray.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
C:\Program Files\Windows Sidebar\sidebar.exe
C:\Program Files\Windows Live\Messenger\msnmsgr.exe
C:\Windows\ehome\ehtray.exe
C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe
C:\Users\Ryan\Program Files\DNA\btdna.exe
C:\Program Files\MagicDisc\MagicDisc.exe
C:\Windows\system32\taskeng.exe
C:\Windows\ehome\ehmsas.exe
C:\Program Files\Internet Explorer\ieuser.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Users\Ryan\Desktop\dss.exe
C:\PROGRA~1\TRENDM~1\HIJACK~1\Ryan.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O1 - Hosts: ::1 localhost
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: Groove GFS Browser Helper - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\Program Files\Microsoft Office\Office12\GrooveShellExtensions.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [GrooveMonitor] "C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe"
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"
O4 - HKLM\..\Run: [PWRISOVM.EXE] C:\Program Files\PowerISO\PWRISOVM.EXE
O4 - HKLM\..\Run: [BurnQuick Queue] C:\Program Files\BurnQuick\BQTray.exe
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKCU\..\Run: [Sidebar] C:\Program Files\Windows Sidebar\sidebar.exe /autoRun
O4 - HKCU\..\Run: [WindowsWelcomeCenter] rundll32.exe oobefldr.dll,ShowWelcomeCenter
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\Windows Live\Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [ehTray.exe] C:\Windows\ehome\ehTray.exe
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [BitTorrent DNA] "C:\Users\Ryan\Program Files\DNA\btdna.exe"
O4 - HKLM\..\Policies\Explorer\Run: [HjfnwIoLfU] C:\ProgramData\rsnozato\vwvefena.exe
O4 - HKUS\S-1-5-19\..\Run: [WindowsWelcomeCenter] rundll32.exe oobefldr.dll,ShowWelcomeCenter (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [WindowsWelcomeCenter] rundll32.exe oobefldr.dll,ShowWelcomeCenter (User 'NETWORK SERVICE')
O4 - Startup: MagicDisc.lnk = C:\Program Files\MagicDisc\MagicDisc.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O13 - Gopher Prefix:
O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\Program Files\Microsoft Office\Office12\GrooveSystemServices.dll
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: ArcGIS License Manager - Unknown owner - C:\PROGRA~1\ESRI\License\arcgis9x\lmgrd.exe
O23 - Service: Ares Chatroom server (AresChatServer) - Ares Development Group - C:\Program Files\Ares\chatServer.exe
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe

--
End of file - 4716 bytes

-- Files created between 2008-02-29 and 2008-03-31 -----------------------------

2008-03-31 16:56:11 2910 --a------ C:\Windows\system32\tmp.reg
2008-03-31 16:55:40 25600 --a------ C:\Windows\system32\WS2Fix.exe
2008-03-31 16:55:40 289144 --a------ C:\Windows\system32\VCCLSID.exe <Not Verified; S!Ri; >
2008-03-31 16:55:40 86528 --a------ C:\Windows\system32\VACFix.exe <Not Verified; S!Ri.URZ; VACFix>
2008-03-31 16:55:40 82432 --a------ C:\Windows\system32\IEDFix.exe <Not Verified; S!Ri.URZ; IEDFix>
2008-03-31 16:55:40 51200 --a------ C:\Windows\system32\dumphive.exe
2008-03-31 16:55:39 288417 --a------ C:\Windows\system32\SrchSTS.exe <Not Verified; S!Ri; SrchSTS>
2008-03-31 16:55:39 53248 --a------ C:\Windows\system32\Process.exe <Not Verified; http://www.beyondlogic.org; Command Line Process Utility>
2008-03-30 18:53:11 0 d-------- C:\Program Files\Trend Micro
2008-03-30 17:08:03 0 d-------- C:\Users\All Users\Grisoft
2008-03-30 17:02:19 0 d-------- C:\help
2008-03-30 14:15:12 0 d-------- C:\Program Files\STOIK Imaging
2008-03-30 14:13:45 0 d-------- C:\vid
2008-03-28 22:08:00 0 d-------- C:\Users\Ryan\Program Files
2008-03-28 07:18:45 0 d-------- C:\Program Files\Lavasoft
2008-03-28 07:18:44 0 d-------- C:\Users\All Users\Lavasoft
2008-03-28 07:16:42 0 d-------- C:\Program Files\Common Files\Wise Installation Wizard
2008-03-27 22:17:08 0 d-------- C:\Windows\mslagent
2008-03-27 22:17:08 4096 --a------ C:\Windows\FVProtect.exe
2008-03-27 22:17:08 0 d-------- C:\Users\Ryan\Desktopvirii
2008-03-27 22:17:08 4096 --a------ C:\Users\Ryan\DesktopFWebdEditor.exe
2008-03-27 22:17:08 4096 --a------ C:\Users\Ryan\Desktopfwebd.exe
2008-03-27 22:17:08 4096 --a------ C:\Users\Ryan\Desktopfilemanagerclient.exe
2008-03-27 22:17:08 0 d-------- C:\Program Files\Inet Delivery
2008-03-22 23:53:49 0 d-------- C:\Users\All Users\Yahoo!
2008-03-22 23:52:20 0 d-------- C:\Program Files\Yahoo!
2008-03-15 11:01:08 22 --a------ C:\Users\All Users\ReturnCounter.dat
2008-03-15 10:04:45 0 d-------- C:\Program Files\Phanku eTaxCanada 2007
2008-03-15 10:03:29 0 d-------- C:\tax
2008-03-02 15:09:21 180224 --a------ C:\Windows\system32\xvidvfw.dll
2008-03-02 15:09:21 765952 --a------ C:\Windows\system32\xvidcore.dll
2008-03-02 15:09:21 0 d-------- C:\Program Files\Xvid


-- Find3M Report ---------------------------------------------------------------

2008-03-31 18:46:57 0 d-------- C:\Users\Ryan\AppData\Roaming\DNA
2008-03-30 17:14:27 0 d-------- C:\Users\Ryan\AppData\Roaming\BitTorrent
2008-03-30 17:09:07 0 d-------- C:\Users\Ryan\AppData\Roaming\Grisoft
2008-03-30 14:15:26 0 d-------- C:\Users\Ryan\AppData\Roaming\STOIK
2008-03-30 14:03:21 0 d-------- C:\Users\Ryan\AppData\Roaming\BearShare
2008-03-28 07:16:42 0 d-------- C:\Program Files\Common Files
2008-03-12 03:12:25 0 d-------- C:\Program Files\Windows Mail
2008-03-04 22:19:59 0 d-------- C:\Program Files\Instant CD & DVD Burner
2008-02-28 22:25:41 0 d-------- C:\Users\Ryan\AppData\Roaming\Elluminate
2008-02-06 04:01:58 0 d-------- C:\Program Files\MSXML 4.0
2008-02-04 19:59:00 0 d-------- C:\Program Files\Rainbow Technologies
2008-02-04 19:37:29 0 d-------- C:\Program Files\ESRI
2008-02-04 19:36:55 0 d-------- C:\Users\Ryan\AppData\Roaming\ESRI
2008-02-04 19:22:13 0 d-------- C:\Program Files\Common Files\ESRI
2008-02-04 19:21:31 0 d-------- C:\Program Files\ArcGIS
2008-02-04 19:20:47 0 d-------- C:\Program Files\Leica Geosystems
2008-02-03 13:54:35 0 d-------- C:\Users\Ryan\AppData\Roaming\LimeWire
2008-02-01 19:20:45 0 d-------- C:\Program Files\LimeWire
2008-02-01 19:10:01 0 d-------- C:\Program Files\Ares
2008-02-01 18:52:00 0 d-------- C:\Program Files\BearShare Applications


-- Registry Dump ---------------------------------------------------------------

*Note* empty entries & legit default entries are not shown


[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"GrooveMonitor"="C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe" [08/24/2007 08:00 AM]
"Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [10/10/2007 08:51 PM]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe" [09/25/2007 02:11 AM]
"PWRISOVM.EXE"="C:\Program Files\PowerISO\PWRISOVM.EXE" [08/06/2007 09:35 PM]
"BurnQuick Queue"="C:\Program Files\BurnQuick\BQTray.exe" [09/01/2007 02:27 PM]
"!AVG Anti-Spyware"="C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" [06/11/2007 06:55 AM]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Sidebar"="C:\Program Files\Windows Sidebar\sidebar.exe" [01/09/2008 04:02 AM]
"WindowsWelcomeCenter"="oobefldr.dll,ShowWelcomeCenter" []
"MsnMsgr"="C:\Program Files\Windows Live\Messenger\MsnMsgr.exe" [10/18/2007 12:34 PM]
"ehTray.exe"="C:\Windows\ehome\ehTray.exe" [11/02/2006 10:05 AM]
"swg"="C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe" [01/18/2008 08:02 PM]
"BitTorrent DNA"="C:\Users\Ryan\Program Files\DNA\btdna.exe" [03/28/2008 10:08 PM]

C:\Users\Ryan\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\
MagicDisc.lnk - C:\Program Files\MagicDisc\MagicDisc.exe [12/2/2007 8:36:46 PM]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"ConsentPromptBehaviorAdmin"=2 (0x2)

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer\Run]
"HjfnwIoLfU"=C:\ProgramData\rsnozato\vwvefena.exe

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\aawservice]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\AppInfo]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\KeyIso]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\NTDS]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\ProfSvc]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\sacsvr]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\SWPRV]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\TabletInputService]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\TBS]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\TrustedInstaller]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\VDS]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\volmgr.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\volmgrx.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{533C5B84-EC70-11D2-9505-00C04F79DEAF}]
@="Volume shadow copy"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{6BDD1FC1-810F-11D0-BEC7-08002BE2092F}]
@="IEEE 1394 Bus host controllers"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{D48179BE-EC20-11D1-B6B8-00C04FA372A7}]
@="SBP2 IEEE 1394 Devices"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{D94EE5D8-D189-4994-83D2-F68D7D41B0E6}]
@="SecurityDevices"

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
LocalSystemNetworkRestricted hidserv UxSms WdiSystemHost Netman trkwks AudioEndpointBuilder WUDFSvc irmon sysmain IPBusEnum dot3svc PcaSvc EMDMgmt TabletInputService wlansvc WPDBusEnum


[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\>{22d6f312-b0f6-11d0-94ab-0080c74c7e95}]
C:\Windows\system32\unregmp2.exe /ShowWMP

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{6BF52A52-394A-11d3-B153-00C04F79FAA6}]
%SystemRoot%\system32\unregmp2.exe /FirstLogon /Shortcuts /RegBrowsers /ResetMUI



-- End of Deckard's System Scanner: finished at 2008-03-31 18:52:16 ------------

#12
Rorschach112

    Ralphie

  • Retired Staff
  • 47,710 posts
Hello

1. Please re-open HiJackThis and choose Do a system scan only. Check the boxes next to ONLY the entries listed below (if present):

O4 - HKLM\..\Policies\Explorer\Run: [HjfnwIoLfU] C:\ProgramData\rsnozato\vwvefena.exe

2. Now close all windows other than HiJackThis, including browsers, so that nothing other than HijackThis is open, then click Fix Checked. A box will pop up asking you if you wish to fix the selected items. Please choose YES. Once it has fixed them, please exit/close HijackThis.



Please run the OTMoveIt2 by OldTimer again.
  • Please double-click OTMoveIt2.exe to run it.
  • Copy the file paths below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose Copy):

    C:\Windows\mslagent /d
    C:\Windows\FVProtect.exe /d
    C:\Users\Ryan\Desktopvirii /d 
    C:\Users\Ryan\DesktopFWebdEditor.exe /d
    C:\Users\Ryan\Desktopfwebd.exe /d 
    C:\Users\Ryan\Desktopfilemanagerclient.exe /d
    C:\Program Files\Inet Delivery /d
  • Return to OTMoveIt2, right click in the "Paste List of Files/Folders to be Moved" window (under the light blue bar) and choose Paste.
  • Copy the file paths below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose Copy):

    purity
  • Return to OTMoveIt2, right click in the "Paste List Of Files/Patterns To Search For and Move" window (under the yellow bar) and choose Paste.
  • Click the red Moveit! button.
  • Copy everything in the Results window (under the green bar) to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose copy), and paste it in your next reply.
  • Close OTMoveIt2
If a file or folder cannot be moved immediately you may be asked to reboot the machine to finish the move process. If you are asked to reboot the machine choose Yes.


Reboot and post a new DSS log

#13
ryan38 (Member)
  • Topic Starter
  • 34 posts
OK, this time no errors came up!

Here is the first log, followed by the DSS log.

File/Folder C:\Windows\mslagent /d not found.
File/Folder C:\Windows\FVProtect.exe /d not found.
File/Folder C:\Users\Ryan\Desktopvirii /d not found.
File/Folder C:\Users\Ryan\DesktopFWebdEditor.exe /d not found.
File/Folder C:\Users\Ryan\Desktopfwebd.exe /d not found.
File/Folder C:\Users\Ryan\Desktopfilemanagerclient.exe /d not found.
File/Folder C:\Program Files\Inet Delivery /d not found.
[Custom Input]
< purity >

OTMoveIt2 by OldTimer - Version 1.0.21 log created on 03312008_191152


-----------------------------------------------------

Deckard's System Scanner v20071014.68
Run by Ryan on 2008-03-31 19:15:15
Computer is in Normal Mode.
--------------------------------------------------------------------------------

Percentage of Memory in Use: 84% (more than 75%).
Total Physical Memory: 894 MiB (1024 MiB recommended).


-- HijackThis (run as Ryan.exe) ------------------------------------------------

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 7:16:56 PM, on 3/31/2008
Platform: Windows Vista (WinNT 6.00.1904)
MSIE: Internet Explorer v7.00 (7.00.6000.16609)
Boot mode: Normal

Running processes:
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Windows\system32\taskeng.exe
C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe
C:\Program Files\Adobe\Reader 8.0\Reader\reader_sl.exe
C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
C:\Program Files\Windows Sidebar\sidebar.exe
C:\Program Files\Windows Live\Messenger\msnmsgr.exe
C:\Windows\ehome\ehtray.exe
C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe
C:\Users\Ryan\Program Files\DNA\btdna.exe
C:\Windows\ehome\ehmsas.exe
C:\Users\Ryan\Desktop\dss.exe
C:\PROGRA~1\TRENDM~1\HIJACK~1\Ryan.exe
C:\Program Files\Internet Explorer\ieuser.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Windows\system32\Macromed\Flash\FlashUtil9e.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O1 - Hosts: ::1 localhost
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: Groove GFS Browser Helper - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\Program Files\Microsoft Office\Office12\GrooveShellExtensions.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [GrooveMonitor] "C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe"
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"
O4 - HKLM\..\Run: [PWRISOVM.EXE] C:\Program Files\PowerISO\PWRISOVM.EXE
O4 - HKLM\..\Run: [BurnQuick Queue] C:\Program Files\BurnQuick\BQTray.exe
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKCU\..\Run: [Sidebar] C:\Program Files\Windows Sidebar\sidebar.exe /autoRun
O4 - HKCU\..\Run: [WindowsWelcomeCenter] rundll32.exe oobefldr.dll,ShowWelcomeCenter
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\Windows Live\Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [ehTray.exe] C:\Windows\ehome\ehTray.exe
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [BitTorrent DNA] "C:\Users\Ryan\Program Files\DNA\btdna.exe"
O4 - HKLM\..\Policies\Explorer\Run: [HjfnwIoLfU] C:\ProgramData\rsnozato\vwvefena.exe
O4 - HKUS\S-1-5-19\..\Run: [WindowsWelcomeCenter] rundll32.exe oobefldr.dll,ShowWelcomeCenter (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [WindowsWelcomeCenter] rundll32.exe oobefldr.dll,ShowWelcomeCenter (User 'NETWORK SERVICE')
O4 - Startup: MagicDisc.lnk = C:\Program Files\MagicDisc\MagicDisc.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O13 - Gopher Prefix:
O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\Program Files\Microsoft Office\Office12\GrooveSystemServices.dll
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: ArcGIS License Manager - Unknown owner - C:\PROGRA~1\ESRI\License\arcgis9x\lmgrd.exe
O23 - Service: Ares Chatroom server (AresChatServer) - Ares Development Group - C:\Program Files\Ares\chatServer.exe
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe

--
End of file - 4647 bytes

-- Files created between 2008-02-29 and 2008-03-31 -----------------------------

2008-03-31 16:56:11 2910 --a------ C:\Windows\system32\tmp.reg
2008-03-31 16:55:40 25600 --a------ C:\Windows\system32\WS2Fix.exe
2008-03-31 16:55:40 289144 --a------ C:\Windows\system32\VCCLSID.exe <Not Verified; S!Ri; >
2008-03-31 16:55:40 86528 --a------ C:\Windows\system32\VACFix.exe <Not Verified; S!Ri.URZ; VACFix>
2008-03-31 16:55:40 82432 --a------ C:\Windows\system32\IEDFix.exe <Not Verified; S!Ri.URZ; IEDFix>
2008-03-31 16:55:40 51200 --a------ C:\Windows\system32\dumphive.exe
2008-03-31 16:55:39 288417 --a------ C:\Windows\system32\SrchSTS.exe <Not Verified; S!Ri; SrchSTS>
2008-03-31 16:55:39 53248 --a------ C:\Windows\system32\Process.exe <Not Verified; http://www.beyondlogic.org; Command Line Process Utility>
2008-03-30 18:53:11 0 d-------- C:\Program Files\Trend Micro
2008-03-30 17:08:03 0 d-------- C:\Users\All Users\Grisoft
2008-03-30 17:02:19 0 d-------- C:\help
2008-03-30 14:15:12 0 d-------- C:\Program Files\STOIK Imaging
2008-03-30 14:13:45 0 d-------- C:\vid
2008-03-28 22:08:00 0 d-------- C:\Users\Ryan\Program Files
2008-03-28 07:18:45 0 d-------- C:\Program Files\Lavasoft
2008-03-28 07:18:44 0 d-------- C:\Users\All Users\Lavasoft
2008-03-28 07:16:42 0 d-------- C:\Program Files\Common Files\Wise Installation Wizard
2008-03-27 22:17:08 0 d-------- C:\Windows\mslagent
2008-03-27 22:17:08 4096 --a------ C:\Windows\FVProtect.exe
2008-03-27 22:17:08 0 d-------- C:\Users\Ryan\Desktopvirii
2008-03-27 22:17:08 4096 --a------ C:\Users\Ryan\DesktopFWebdEditor.exe
2008-03-27 22:17:08 4096 --a------ C:\Users\Ryan\Desktopfwebd.exe
2008-03-27 22:17:08 4096 --a------ C:\Users\Ryan\Desktopfilemanagerclient.exe
2008-03-27 22:17:08 0 d-------- C:\Program Files\Inet Delivery
2008-03-22 23:53:49 0 d-------- C:\Users\All Users\Yahoo!
2008-03-22 23:52:20 0 d-------- C:\Program Files\Yahoo!
2008-03-15 11:01:08 22 --a------ C:\Users\All Users\ReturnCounter.dat
2008-03-15 10:04:45 0 d-------- C:\Program Files\Phanku eTaxCanada 2007
2008-03-15 10:03:29 0 d-------- C:\tax
2008-03-02 15:09:21 180224 --a------ C:\Windows\system32\xvidvfw.dll
2008-03-02 15:09:21 765952 --a------ C:\Windows\system32\xvidcore.dll
2008-03-02 15:09:21 0 d-------- C:\Program Files\Xvid


-- Find3M Report ---------------------------------------------------------------

2008-03-31 19:12:46 0 d-------- C:\Users\Ryan\AppData\Roaming\DNA
2008-03-30 17:14:27 0 d-------- C:\Users\Ryan\AppData\Roaming\BitTorrent
2008-03-30 17:09:07 0 d-------- C:\Users\Ryan\AppData\Roaming\Grisoft
2008-03-30 14:15:26 0 d-------- C:\Users\Ryan\AppData\Roaming\STOIK
2008-03-30 14:03:21 0 d-------- C:\Users\Ryan\AppData\Roaming\BearShare
2008-03-28 07:16:42 0 d-------- C:\Program Files\Common Files
2008-03-12 03:12:25 0 d-------- C:\Program Files\Windows Mail
2008-03-04 22:19:59 0 d-------- C:\Program Files\Instant CD & DVD Burner
2008-02-28 22:25:41 0 d-------- C:\Users\Ryan\AppData\Roaming\Elluminate
2008-02-06 04:01:58 0 d-------- C:\Program Files\MSXML 4.0
2008-02-04 19:59:00 0 d-------- C:\Program Files\Rainbow Technologies
2008-02-04 19:37:29 0 d-------- C:\Program Files\ESRI
2008-02-04 19:36:55 0 d-------- C:\Users\Ryan\AppData\Roaming\ESRI
2008-02-04 19:22:13 0 d-------- C:\Program Files\Common Files\ESRI
2008-02-04 19:21:31 0 d-------- C:\Program Files\ArcGIS
2008-02-04 19:20:47 0 d-------- C:\Program Files\Leica Geosystems
2008-02-03 13:54:35 0 d-------- C:\Users\Ryan\AppData\Roaming\LimeWire
2008-02-01 19:20:45 0 d-------- C:\Program Files\LimeWire
2008-02-01 19:10:01 0 d-------- C:\Program Files\Ares
2008-02-01 18:52:00 0 d-------- C:\Program Files\BearShare Applications


-- Registry Dump ---------------------------------------------------------------

*Note* empty entries & legit default entries are not shown


[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"GrooveMonitor"="C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe" [08/24/2007 08:00 AM]
"Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [10/10/2007 08:51 PM]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe" [09/25/2007 02:11 AM]
"PWRISOVM.EXE"="C:\Program Files\PowerISO\PWRISOVM.EXE" [08/06/2007 09:35 PM]
"BurnQuick Queue"="C:\Program Files\BurnQuick\BQTray.exe" [09/01/2007 02:27 PM]
"!AVG Anti-Spyware"="C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" [06/11/2007 06:55 AM]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Sidebar"="C:\Program Files\Windows Sidebar\sidebar.exe" [01/09/2008 04:02 AM]
"WindowsWelcomeCenter"="oobefldr.dll,ShowWelcomeCenter" []
"MsnMsgr"="C:\Program Files\Windows Live\Messenger\MsnMsgr.exe" [10/18/2007 12:34 PM]
"ehTray.exe"="C:\Windows\ehome\ehTray.exe" [11/02/2006 10:05 AM]
"swg"="C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe" [01/18/2008 08:02 PM]
"BitTorrent DNA"="C:\Users\Ryan\Program Files\DNA\btdna.exe" [03/28/2008 10:08 PM]

C:\Users\Ryan\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\
MagicDisc.lnk - C:\Program Files\MagicDisc\MagicDisc.exe [12/2/2007 8:36:46 PM]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"ConsentPromptBehaviorAdmin"=2 (0x2)

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer\Run]
"HjfnwIoLfU"=C:\ProgramData\rsnozato\vwvefena.exe

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\aawservice]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\AppInfo]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\KeyIso]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\NTDS]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\ProfSvc]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\sacsvr]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\SWPRV]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\TabletInputService]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\TBS]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\TrustedInstaller]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\VDS]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\volmgr.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\volmgrx.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{533C5B84-EC70-11D2-9505-00C04F79DEAF}]
@="Volume shadow copy"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{6BDD1FC1-810F-11D0-BEC7-08002BE2092F}]
@="IEEE 1394 Bus host controllers"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{D48179BE-EC20-11D1-B6B8-00C04FA372A7}]
@="SBP2 IEEE 1394 Devices"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{D94EE5D8-D189-4994-83D2-F68D7D41B0E6}]
@="SecurityDevices"

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
LocalSystemNetworkRestricted hidserv UxSms WdiSystemHost Netman trkwks AudioEndpointBuilder WUDFSvc irmon sysmain IPBusEnum dot3svc PcaSvc EMDMgmt TabletInputService wlansvc WPDBusEnum


[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\>{22d6f312-b0f6-11d0-94ab-0080c74c7e95}]
C:\Windows\system32\unregmp2.exe /ShowWMP

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{6BF52A52-394A-11d3-B153-00C04F79FAA6}]
%SystemRoot%\system32\unregmp2.exe /FirstLogon /Shortcuts /RegBrowsers /ResetMUI



-- End of Deckard's System Scanner: finished at 2008-03-31 19:17:47 ------------

#14
Rorschach112 (Ralphie)
  • Retired Staff
  • 47,710 posts
Think I made a mistake, that's why :)

One more attempt then we will try something else


1. Please re-open HiJackThis and choose do a system scan only. Check the boxes next to ONLY the entries listed below (if present):

O4 - HKLM\..\Policies\Explorer\Run: [HjfnwIoLfU] C:\ProgramData\rsnozato\vwvefena.exe

2. Now close all windows other than HiJackThis, including browsers, so that nothing other than HijackThis is open, then click Fix Checked. A box will pop up asking you if you wish to fix the selected items. Please choose YES. Once it has fixed them, please exit/close HijackThis.




Please download the OTMoveIt2 by OldTimer.
  • Save it to your desktop.
  • Please double-click OTMoveIt2.exe to run it.
  • Copy the file paths below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose Copy):

    C:\Windows\mslagent
    C:\Windows\FVProtect.exe
    C:\Users\Ryan\Desktopvirii
    C:\Users\Ryan\DesktopFWebdEditor.exe
    C:\Users\Ryan\Desktopfwebd.exe
    C:\Users\Ryan\Desktopfilemanagerclient.exe
    C:\Program Files\Inet Delivery
    C:\ProgramData\rsnozato
  • Return to OTMoveIt2, right click in the "Paste List of Files/Folders to be Moved" window (under the light blue bar) and choose Paste.
  • Copy the file paths below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose Copy):

    purity
  • Return to OTMoveIt2, right click in the "Paste List Of Files/Patterns To Search For and Move" window (under the yellow bar) and choose Paste.
  • Click the red Moveit! button.
  • Copy everything in the Results window (under the green bar) to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose copy), and paste it in your next reply.
  • Close OTMoveIt2
If a file or folder cannot be moved immediately you may be asked to reboot the machine to finish the move process. If you are asked to reboot the machine choose Yes.


Reboot and post a new DSS log

#15
ryan38 (Member)
  • Topic Starter
  • 34 posts
OK, here are the next two logs:

the first one, followed by the DSS log.

Folder move failed. C:\Windows\mslagent scheduled to be moved on reboot.
File move failed. C:\Windows\FVProtect.exe scheduled to be moved on reboot.
C:\Users\Ryan\Desktopvirii moved successfully.
C:\Users\Ryan\DesktopFWebdEditor.exe moved successfully.
C:\Users\Ryan\Desktopfwebd.exe moved successfully.
C:\Users\Ryan\Desktopfilemanagerclient.exe moved successfully.
Folder move failed. C:\Program Files\Inet Delivery scheduled to be moved on reboot.
File/Folder C:\ProgramData\rsnozato not found.
[Custom Input]
< purity >

OTMoveIt2 by OldTimer - Version 1.0.21 log created on 03312008_192702

---------------------------------------------------------------------------------------

Deckard's System Scanner v20071014.68
Run by Ryan on 2008-03-31 19:31:19
Computer is in Normal Mode.
--------------------------------------------------------------------------------

Total Physical Memory: 894 MiB (1024 MiB recommended).


-- HijackThis (run as Ryan.exe) ------------------------------------------------

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 7:32:05 PM, on 3/31/2008
Platform: Windows Vista (WinNT 6.00.1904)
MSIE: Internet Explorer v7.00 (7.00.6000.16609)
Boot mode: Normal

Running processes:
C:\Windows\system32\taskeng.exe
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe
C:\Program Files\Adobe\Reader 8.0\Reader\reader_sl.exe
C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
C:\Program Files\Windows Sidebar\sidebar.exe
C:\Program Files\Windows Live\Messenger\msnmsgr.exe
C:\Windows\ehome\ehtray.exe
C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe
C:\Users\Ryan\Program Files\DNA\btdna.exe
C:\Program Files\MagicDisc\MagicDisc.exe
C:\Windows\ehome\ehmsas.exe
C:\Users\Ryan\Desktop\dss.exe
C:\PROGRA~1\TRENDM~1\HIJACK~1\Ryan.exe
C:\Windows\system32\SearchFilterHost.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O1 - Hosts: ::1 localhost
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: Groove GFS Browser Helper - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\Program Files\Microsoft Office\Office12\GrooveShellExtensions.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [GrooveMonitor] "C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe"
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"
O4 - HKLM\..\Run: [PWRISOVM.EXE] C:\Program Files\PowerISO\PWRISOVM.EXE
O4 - HKLM\..\Run: [BurnQuick Queue] C:\Program Files\BurnQuick\BQTray.exe
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKCU\..\Run: [Sidebar] C:\Program Files\Windows Sidebar\sidebar.exe /autoRun
O4 - HKCU\..\Run: [WindowsWelcomeCenter] rundll32.exe oobefldr.dll,ShowWelcomeCenter
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\Windows Live\Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [ehTray.exe] C:\Windows\ehome\ehTray.exe
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [BitTorrent DNA] "C:\Users\Ryan\Program Files\DNA\btdna.exe"
O4 - HKLM\..\Policies\Explorer\Run: [HjfnwIoLfU] C:\ProgramData\rsnozato\vwvefena.exe
O4 - HKUS\S-1-5-19\..\Run: [WindowsWelcomeCenter] rundll32.exe oobefldr.dll,ShowWelcomeCenter (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [WindowsWelcomeCenter] rundll32.exe oobefldr.dll,ShowWelcomeCenter (User 'NETWORK SERVICE')
O4 - Startup: MagicDisc.lnk = C:\Program Files\MagicDisc\MagicDisc.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O13 - Gopher Prefix:
O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\Program Files\Microsoft Office\Office12\GrooveSystemServices.dll
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: ArcGIS License Manager - Unknown owner - C:\PROGRA~1\ESRI\License\arcgis9x\lmgrd.exe
O23 - Service: Ares Chatroom server (AresChatServer) - Ares Development Group - C:\Program Files\Ares\chatServer.exe
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe

--
End of file - 4583 bytes

-- Files created between 2008-02-29 and 2008-03-31 -----------------------------

2008-03-31 16:56:11 2910 --a------ C:\Windows\system32\tmp.reg
2008-03-31 16:55:40 25600 --a------ C:\Windows\system32\WS2Fix.exe
2008-03-31 16:55:40 289144 --a------ C:\Windows\system32\VCCLSID.exe <Not Verified; S!Ri; >
2008-03-31 16:55:40 86528 --a------ C:\Windows\system32\VACFix.exe <Not Verified; S!Ri.URZ; VACFix>
2008-03-31 16:55:40 82432 --a------ C:\Windows\system32\IEDFix.exe <Not Verified; S!Ri.URZ; IEDFix>
2008-03-31 16:55:40 51200 --a------ C:\Windows\system32\dumphive.exe
2008-03-31 16:55:39 288417 --a------ C:\Windows\system32\SrchSTS.exe <Not Verified; S!Ri; SrchSTS>
2008-03-31 16:55:39 53248 --a------ C:\Windows\system32\Process.exe <Not Verified; http://www.beyondlogic.org; Command Line Process Utility>
2008-03-30 18:53:11 0 d-------- C:\Program Files\Trend Micro
2008-03-30 17:08:03 0 d-------- C:\Users\All Users\Grisoft
2008-03-30 17:02:19 0 d-------- C:\help
2008-03-30 14:15:12 0 d-------- C:\Program Files\STOIK Imaging
2008-03-30 14:13:45 0 d-------- C:\vid
2008-03-28 22:08:00 0 d-------- C:\Users\Ryan\Program Files
2008-03-28 07:18:45 0 d-------- C:\Program Files\Lavasoft
2008-03-28 07:18:44 0 d-------- C:\Users\All Users\Lavasoft
2008-03-28 07:16:42 0 d-------- C:\Program Files\Common Files\Wise Installation Wizard
2008-03-27 22:17:08 0 d-------- C:\Windows\mslagent
2008-03-27 22:17:08 4096 --a------ C:\Windows\FVProtect.exe
2008-03-27 22:17:08 0 d-------- C:\Program Files\Inet Delivery
2008-03-22 23:53:49 0 d-------- C:\Users\All Users\Yahoo!
2008-03-22 23:52:20 0 d-------- C:\Program Files\Yahoo!
2008-03-15 11:01:08 22 --a------ C:\Users\All Users\ReturnCounter.dat
2008-03-15 10:04:45 0 d-------- C:\Program Files\Phanku eTaxCanada 2007
2008-03-15 10:03:29 0 d-------- C:\tax
2008-03-02 15:09:21 180224 --a------ C:\Windows\system32\xvidvfw.dll
2008-03-02 15:09:21 765952 --a------ C:\Windows\system32\xvidcore.dll
2008-03-02 15:09:21 0 d-------- C:\Program Files\Xvid


-- Find3M Report ---------------------------------------------------------------

2008-03-31 19:27:41 0 d-------- C:\Users\Ryan\AppData\Roaming\DNA
2008-03-30 17:14:27 0 d-------- C:\Users\Ryan\AppData\Roaming\BitTorrent
2008-03-30 17:09:07 0 d-------- C:\Users\Ryan\AppData\Roaming\Grisoft
2008-03-30 14:15:26 0 d-------- C:\Users\Ryan\AppData\Roaming\STOIK
2008-03-30 14:03:21 0 d-------- C:\Users\Ryan\AppData\Roaming\BearShare
2008-03-28 07:16:42 0 d-------- C:\Program Files\Common Files
2008-03-12 03:12:25 0 d-------- C:\Program Files\Windows Mail
2008-03-04 22:19:59 0 d-------- C:\Program Files\Instant CD & DVD Burner
2008-02-28 22:25:41 0 d-------- C:\Users\Ryan\AppData\Roaming\Elluminate
2008-02-06 04:01:58 0 d-------- C:\Program Files\MSXML 4.0
2008-02-04 19:59:00 0 d-------- C:\Program Files\Rainbow Technologies
2008-02-04 19:37:29 0 d-------- C:\Program Files\ESRI
2008-02-04 19:36:55 0 d-------- C:\Users\Ryan\AppData\Roaming\ESRI
2008-02-04 19:22:13 0 d-------- C:\Program Files\Common Files\ESRI
2008-02-04 19:21:31 0 d-------- C:\Program Files\ArcGIS
2008-02-04 19:20:47 0 d-------- C:\Program Files\Leica Geosystems
2008-02-03 13:54:35 0 d-------- C:\Users\Ryan\AppData\Roaming\LimeWire
2008-02-01 19:20:45 0 d-------- C:\Program Files\LimeWire
2008-02-01 19:10:01 0 d-------- C:\Program Files\Ares
2008-02-01 18:52:00 0 d-------- C:\Program Files\BearShare Applications


-- Registry Dump ---------------------------------------------------------------

*Note* empty entries & legit default entries are not shown


[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"GrooveMonitor"="C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe" [08/24/2007 08:00 AM]
"Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [10/10/2007 08:51 PM]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe" [09/25/2007 02:11 AM]
"PWRISOVM.EXE"="C:\Program Files\PowerISO\PWRISOVM.EXE" [08/06/2007 09:35 PM]
"BurnQuick Queue"="C:\Program Files\BurnQuick\BQTray.exe" [09/01/2007 02:27 PM]
"!AVG Anti-Spyware"="C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" [06/11/2007 06:55 AM]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Sidebar"="C:\Program Files\Windows Sidebar\sidebar.exe" [01/09/2008 04:02 AM]
"WindowsWelcomeCenter"="oobefldr.dll,ShowWelcomeCenter" []
"MsnMsgr"="C:\Program Files\Windows Live\Messenger\MsnMsgr.exe" [10/18/2007 12:34 PM]
"ehTray.exe"="C:\Windows\ehome\ehTray.exe" [11/02/2006 10:05 AM]
"swg"="C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe" [01/18/2008 08:02 PM]
"BitTorrent DNA"="C:\Users\Ryan\Program Files\DNA\btdna.exe" [03/28/2008 10:08 PM]

C:\Users\Ryan\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\
MagicDisc.lnk - C:\Program Files\MagicDisc\MagicDisc.exe [12/2/2007 8:36:46 PM]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"ConsentPromptBehaviorAdmin"=2 (0x2)

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer\Run]
"HjfnwIoLfU"=C:\ProgramData\rsnozato\vwvefena.exe

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\aawservice]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\AppInfo]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\KeyIso]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\NTDS]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\ProfSvc]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\sacsvr]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\SWPRV]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\TabletInputService]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\TBS]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\TrustedInstaller]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\VDS]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\volmgr.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\volmgrx.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{533C5B84-EC70-11D2-9505-00C04F79DEAF}]
@="Volume shadow copy"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{6BDD1FC1-810F-11D0-BEC7-08002BE2092F}]
@="IEEE 1394 Bus host controllers"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{D48179BE-EC20-11D1-B6B8-00C04FA372A7}]
@="SBP2 IEEE 1394 Devices"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{D94EE5D8-D189-4994-83D2-F68D7D41B0E6}]
@="SecurityDevices"

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
LocalSystemNetworkRestricted hidserv UxSms WdiSystemHost Netman trkwks AudioEndpointBuilder WUDFSvc irmon sysmain IPBusEnum dot3svc PcaSvc EMDMgmt TabletInputService wlansvc WPDBusEnum


[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\>{22d6f312-b0f6-11d0-94ab-0080c74c7e95}]
C:\Windows\system32\unregmp2.exe /ShowWMP

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{6BF52A52-394A-11d3-B153-00C04F79FAA6}]
%SystemRoot%\system32\unregmp2.exe /FirstLogon /Shortcuts /RegBrowsers /ResetMUI



-- End of Deckard's System Scanner: finished at 2008-03-31 19:33:14 ------------
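The two checks a helper would want from the logs in this thread, written out as an added example that is not part of the thread and not code from HijackThis or OTMoveIt2: parse the O4 autostart lines from the logs in posts #13 and #15 and diff them, which shows that the HKLM\..\Policies\Explorer\Run entry pointing at C:\ProgramData\rsnozato\vwvefena.exe survived the Fix Checked step, and classify the OTMoveIt2 result lines from posts #13 and #15, where the trailing " /d" on every pasted path in the first run is why each item came back "not found". Function names and the suspicious-entry heuristic are my own; the sample lines are copied from the thread.

```python
"""Mechanical checks on the logs from this thread: list HijackThis O4
autostart entries, flag the ones worth fixing, diff two logs to see whether a
fix actually stuck, and classify OTMoveIt2 result lines.

Added example, not code from the thread or from the HijackThis/OTMoveIt2
authors. Function names and the heuristic in is_suspicious are my own; the
sample log lines below are copied from the thread."""
import re
from collections import Counter
from dataclasses import dataclass

# O4 lines come in two shapes: registry Run keys ("O4 - HKLM\..\Run: [name] cmd")
# and Startup-folder shortcuts ("O4 - Startup: name.lnk = cmd").
O4_REGISTRY = re.compile(r"^O4 - (?P<hive>.+?)\\\.\.\\(?P<key>[^:]+): \[(?P<name>[^\]]*)\] (?P<cmd>.*)$")
O4_STARTUP = re.compile(r"^O4 - (?P<key>(?:Global )?Startup): (?P<name>.+?) = (?P<cmd>.*)$")


@dataclass(frozen=True)
class AutoStart:
    hive: str
    key: str
    name: str
    command: str


def parse_o4(log: str) -> list[AutoStart]:
    """Extract every O4 autostart entry from a HijackThis log; other lines are ignored."""
    entries = []
    for line in log.splitlines():
        if m := O4_REGISTRY.match(line):
            entries.append(AutoStart(m["hive"], m["key"], m["name"], m["cmd"]))
        elif m := O4_STARTUP.match(line):
            entries.append(AutoStart("", m["key"], m["name"], m["cmd"]))
    return entries


def is_suspicious(entry: AutoStart) -> bool:
    """Heuristic (my own, not HijackThis logic): Policies\\Explorer\\Run is a policy
    autostart that ordinary installers do not use, and a binary sitting in a
    random-named folder directly under ProgramData is the other tell in this log."""
    policy_run = entry.key.lower().endswith("policies\\explorer\\run")
    under_programdata = "\\programdata\\" in entry.command.lower()
    return policy_run or under_programdata


def compare_logs(before: str, after: str) -> dict[str, list[AutoStart]]:
    """Diff the O4 entries of two logs so a helper can see what a fix actually removed."""
    b, a = set(parse_o4(before)), set(parse_o4(after))
    order = lambda e: (e.hive, e.key, e.name)
    return {"removed": sorted(b - a, key=order),
            "persisted": sorted(b & a, key=order),
            "new": sorted(a - b, key=order)}


# OTMoveIt2 writes one result line per requested path, in one of three shapes.
OTMOVEIT_PATTERNS = (
    ("not_found", re.compile(r"^File/Folder (?P<path>.+) not found\.$")),
    ("deferred", re.compile(r"^(?:File|Folder) move failed\. (?P<path>.+) scheduled to be moved on reboot\.$")),
    ("moved", re.compile(r"^(?P<path>.+) moved successfully\.$")),
)


def parse_otmoveit(log: str) -> list[tuple[str, str]]:
    """Return (status, path) per result line. A path ending in a switch-like token
    such as " /d" was pasted with a command-line flag glued on; OTMoveIt2 then looks
    for that literal name and reports 'not found', which is what happened in post #13."""
    results = []
    for line in log.splitlines():
        for status, pattern in OTMOVEIT_PATTERNS:
            if m := pattern.match(line):
                path = m["path"]
                if re.search(r" /\w+$", path):
                    status = "bad_path"
                results.append((status, path))
                break
    return results


# Sample input, copied from the thread (post #13 = before the HJT fix, post #15 = after).
HJT_BEFORE = r"""
O4 - HKLM\..\Run: [GrooveMonitor] "C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe"
O4 - HKCU\..\Run: [BitTorrent DNA] "C:\Users\Ryan\Program Files\DNA\btdna.exe"
O4 - HKLM\..\Policies\Explorer\Run: [HjfnwIoLfU] C:\ProgramData\rsnozato\vwvefena.exe
O4 - HKUS\S-1-5-19\..\Run: [WindowsWelcomeCenter] rundll32.exe oobefldr.dll,ShowWelcomeCenter (User 'LOCAL SERVICE')
O4 - Startup: MagicDisc.lnk = C:\Program Files\MagicDisc\MagicDisc.exe
"""
HJT_AFTER = HJT_BEFORE  # post #15 repeats the same O4 lines: the Fix Checked step did not take
OTMOVEIT_FIRST = r"""
File/Folder C:\Windows\mslagent /d not found.
File/Folder C:\Users\Ryan\Desktopvirii /d not found.
"""
OTMOVEIT_SECOND = r"""
Folder move failed. C:\Windows\mslagent scheduled to be moved on reboot.
C:\Users\Ryan\Desktopvirii moved successfully.
File/Folder C:\ProgramData\rsnozato not found.
"""

if __name__ == "__main__":
    diff = compare_logs(HJT_BEFORE, HJT_AFTER)
    for e in diff["persisted"]:
        if is_suspicious(e):
            print(f"STILL PRESENT after fix: {e.hive}\\..\\{e.key} [{e.name}] {e.command}")
    print("first OTMoveIt2 run:", Counter(s for s, _ in parse_otmoveit(OTMOVEIT_FIRST)))
    print("second OTMoveIt2 run:", Counter(s for s, _ in parse_otmoveit(OTMOVEIT_SECOND)))
```

Run as a script it prints the one suspicious entry that is still in the post #15 log and the per-status counts for both OTMoveIt2 runs. The "persisted" list after a fix is the number to watch: an autostart entry that is still there in the next log means the fix did not take, and the next step has to target the binary and its folder as well, which is what post #14 does by adding C:\ProgramData\rsnozato to the move list.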





