Jump to content

Welcome to Geeks to Go - Register now for FREE

Geeks To Go is a helpful hub, where thousands of volunteer geeks quickly serve friendly answers and support. Check out the forums and get free advice from the experts. Register now to gain access to all of our features, it's FREE and only takes one minute. Once registered and logged in, you will be able to create topics, post replies to existing threads, give reputation to your fellow members, get your own private messenger, post status updates, manage your profile and so much more.

Create Account How it Works
Photo

Folders keep poppin'! [RESOLVED]


  • This topic is locked This topic is locked

#1
Choknat

Choknat

    Member

  • Member
  • PipPip
  • 37 posts
Guys, a little help here...3 folders keep popping up everytime I open a hard drive or a removable hard drice [USB device]. they're names are "My Pictures.exe", "My Documents.exe", "PUPSRE.exe".... i cannot go back to my "CLEAN" restore point so this is my last resort..

oh, here's my LOG

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 1:58:20 AM, on 4/1/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16608)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
C:\Program Files\Common Files\Symantec Shared\AppCore\AppSvc32.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\PROGRA~1\NORTON~1\NSR\Agent\VProSvc.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Roxio\MyDVD\MyDVD\USBDeviceService.exe
C:\Program Files\Common Files\Pure Networks Shared\Platform\nmsrvc.exe
C:\Program Files\Canon\CAL\CALMAIN.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\RTHDCPL.EXE
C:\Program Files\VDOTool\TBPanel.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
C:\WINDOWS\VMSnap3.EXE
C:\WINDOWS\Domino.EXE
C:\PROGRA~1\NORTON~1\NSR\Agent\NSRTray.exe
C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe
C:\Program Files\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\Program Files\Roxio\MyDVD\MyDVD\DetectorApp.exe
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
E:\Program Files\DAEMON Tools\daemon.exe
C:\Program Files\Common Files\Pure Networks Shared\Platform\nmctxth.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\QuickTime\qttask.exe
C:\WINDOWS\inf\ssvhost.exe
C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe
C:\Program Files\Common Files\LightScribe\LightScribeControlPanel.exe
C:\WINDOWS\system32\ctfmon.exe
E:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\Program Files\Common Files\Ahead\Lib\NMIndexStoreSvr.exe
C:\process.exe
E:\PROGRA~1\Yahoo!\MESSEN~1\YAHOOM~1.EXE
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft....k/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft....k/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.c...rch/search.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://us.rd.yahoo.c...//www.yahoo.com
R3 - URLSearchHook: Yahoo! 工具列 - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - E:\PROGRA~1\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: &Yahoo! Toolbar Helper - {02478D38-C3F9-4efb-9B51-7695ECA05670} - E:\PROGRA~1\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
O2 - BHO: Groove GFS Browser Helper - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\PROGRA~1\MICROS~2\Office12\GRA8E1~1.DLL
O2 - BHO: Adobe PDF Conversion Toolbar Helper - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: Yahoo! 工具列 - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - E:\PROGRA~1\Yahoo!\Companion\Installs\cpn\yt.dll
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [SkyTel] SkyTel.EXE
O4 - HKLM\..\Run: [Gainward] C:\Program Files\VDOTool\TBPanel.exe /A
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [NeroFilterCheck] C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe
O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"
O4 - HKLM\..\Run: [VMSnap3] C:\WINDOWS\VMSnap3.EXE
O4 - HKLM\..\Run: [Domino] C:\WINDOWS\Domino.EXE
O4 - HKLM\..\Run: [NSRKey] C:\PROGRA~1\NORTON~1\NSR\Agent\NSRTray.exe
O4 - HKLM\..\Run: [GrooveMonitor] "C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe"
O4 - HKLM\..\Run: [Acrobat Assistant 8.0] "C:\Program Files\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe"
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [DetectorApp] C:\Program Files\Roxio\MyDVD\MyDVD\DetectorApp.exe
O4 - HKLM\..\Run: [ISUSPM Startup] C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe -startup
O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [DAEMON Tools] "E:\Program Files\DAEMON Tools\daemon.exe" -lang 1033
O4 - HKLM\..\Run: [nmctxth] "C:\Program Files\Common Files\Pure Networks Shared\Platform\nmctxth.exe"
O4 - HKLM\..\Run: [BigDog303] C:\WINDOWS\VM303_STI.EXE VIMICRO USB PC Camera (ZC0301PLH)
O4 - HKLM\..\Run: [Symantec PIF AlertEng] "C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe" /a /m "C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\AlertEng.dll"
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [Norton Save and Restore] "C:\PROGRA~1\NORTON~1\NSR\Agent\NSRTray.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [osCheck] "C:\Program Files\Norton AntiVirus\osCheck.exe"
O4 - HKLM\..\Run: [] C:\WINDOWS\inf\ssvhost.exe
O4 - HKCU\..\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe"
O4 - HKCU\..\Run: [LightScribe Control Panel] C:\Program Files\Common Files\LightScribe\LightScribeControlPanel.exe -hidden
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Yahoo! Pager] "E:\PROGRA~1\Yahoo!\MESSEN~1\YAHOOM~1.EXE" -quiet
O4 - HKCU\..\Run: [SUPERAntiSpyware] E:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - HKLM\..\Policies\Explorer\Run: [] 
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - S-1-5-18 Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe (User 'SYSTEM')
O4 - S-1-5-18 Startup: OneNote 2007 Screen Clipper and Launcher.lnk = C:\Program Files\Microsoft Office\Office12\ONENOTEM.EXE (User 'SYSTEM')
O4 - .DEFAULT Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe (User 'Default user')
O4 - .DEFAULT Startup: OneNote 2007 Screen Clipper and Launcher.lnk = C:\Program Files\Microsoft Office\Office12\ONENOTEM.EXE (User 'Default user')
O4 - Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Startup: OneNote 2007 Screen Clipper and Launcher.lnk = C:\Program Files\Microsoft Office\Office12\ONENOTEM.EXE
O8 - Extra context menu item: Append to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert link target to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert link target to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert selected links to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
O8 - Extra context menu item: Convert selected links to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
O8 - Extra context menu item: Convert selection to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert selection to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.mi...b?1202213772328
O17 - HKLM\System\CCS\Services\Tcpip\..\{1C7B5944-C76A-454B-8AD2-D752A41C0351}: NameServer = 202.78.97.41,202.78.97.35
O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\PROGRA~1\MICROS~2\Office12\GR99D3~1.DLL
O20 - Winlogon Notify: !SASWinLogon - E:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
O23 - Service: Canon Camera Access Library 8 (CCALib8) - Canon Inc. - C:\Program Files\Canon\CAL\CALMAIN.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Symantec Lic NetConnect service (CLTNetCnService) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: Symantec IS Password Validation (ISPwdSvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\isPwdSvc.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: LiveUpdate Notice Service Ex (LiveUpdate Notice Ex) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: LiveUpdate Notice Service - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe
O23 - Service: NMIndexingService - Nero AG - C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe
O23 - Service: Pure Networks Platform Service (nmservice) - Pure Networks, Inc. - C:\Program Files\Common Files\Pure Networks Shared\Platform\nmsrvc.exe
O23 - Service: Norton Save and Restore - Symantec Corporation - C:\PROGRA~1\NORTON~1\NSR\Agent\VProSvc.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Symantec Core LC - Unknown owner - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: Symantec AppCore Service (SymAppCore) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\AppCore\AppSvc32.exe
O23 - Service: USBDeviceService - Unknown owner - C:\Program Files\Roxio\MyDVD\MyDVD\USBDeviceService.exe

--
End of file - 13550 bytes


I updated my anti-virus/spyware but couldnt detect it.... many thanks in advance. :)
  • 0

Advertisements


#2
Chopin

Chopin

    Member 2k

  • Member
  • PipPipPipPipPip
  • 2,639 posts
Hello Choknat, and welcome to Geeks to Go! I'm Fredil. I'm currently reading over your log right now and I'll do my best to try to get your system clean :)

Since I'm still in training, there may be a slight delay between my posts because they must be checked by an expert. We'll get your problem solved eventually though :)
  • 0

#3
Choknat

Choknat

    Member

  • Topic Starter
  • Member
  • PipPip
  • 37 posts
ok.. im also a GeekU freshie.^^ i'm muddling the pointers right now, i'll just wait for your reply... thanks...
  • 0

#4
Chopin

Chopin

    Member 2k

  • Member
  • PipPipPipPipPip
  • 2,639 posts
Hello Choknat, and welcome to Geeks to Go :) I need a question answered though. When you said that "3 folders keep popping up", were the folders themselves called My Documents.exe, My Pictures.exe, and PUPSRE.exe, or did they contain files bearing these names? Also, I'll have to ask you to keep your USB and all other drives in this computer for the duration of the fix, and not plug them into any other computers, because you might inadvertently infect them. However, please perform the first step before plugging your USB in, and go no further until the drive is plugged in :)

Please read my entire post before commencing, and please follow my instructions in the order that they are given :) If you don't understand something, don't be afraid to ask!

1. Make Registry Script
------------------------------------------------

Please open a blank Notepad document. Copy and paste everything in the codebox below into the blank document:

REGEDIT4

[HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Cdrom]
"AutoRun"=dword:00000000

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer]
"NoDriveTypeAutoRun"=dword:000000b5

Go to File > Save As. Make sure "All types" is selected in the "Save as Type" menu. Name the file "fix.reg" and save it to your Desktop.

Double-click on fix.reg and you will get a prompt asking if you wish to merge with the registry. Please allow fix.reg to merge. You will then get a message saying that it has been successfully entered; press "OK". Reboot your computer, and attach your USB drive.

2. Fix Entries with HijackThis
------------------------------------------------

Please re-open HiJackThis and scan. Check the boxes next to all the entries listed below (if present).

O4 - HKLM\..\Run: [] C:\WINDOWS\inf\ssvhost.exe
O4 - HKLM\..\Policies\Explorer\Run: [] 

Now close all windows other than HiJackThis, then click Fix Checked. Close HiJackThis.

3. Scan with ActiveScan
------------------------------------------------

Please go HERE to run Panda's ActiveScan.

Note:You must use Internet Explorer for this scan.
  • Once you are on the Panda site click the Scan your PC button
  • A new window will open...click the Check Now button
  • Enter your Country
  • Enter your State/Province
  • Enter your e-mail address and click send
  • Select either Home User or Company
  • Click the big Scan Now button
  • If it wants to install an ActiveX component allow it
  • It will start downloading the files it requires for the scan (It may take a couple of minutes)
  • When download is complete, click on My Computer to start the scan
  • When the scan completes, if anything malicious is detected, click the See Report button, then Save Report and save it to a convenient location. Post the contents of the ActiveScan report

4. Deckard's System Scanner
------------------------------------------------

Please download Deckard's System Scanner (DSS) and save it to your Desktop. Close ALL open windows before running the scan.

Note: This program will clear your temporary files.

  • On the first run, Deckard's System Scanner will provide you with two warnings. Press "OK" and allow DSS to scan.
  • The entire scanning process will take about five minutes, often less.
  • During the scan you may get warnings about sigcheck.exe trying to access the Internet; please make sure you allow it to do so.
  • Your antivirus may also warn you about nircmd.exe; please make sure you do not delete nircmd.exe as it will cause DSS to malfunction.
  • Once the scan is complete, you will get two logfiles - a main.txt (which you see) and an extra.txt (which is minimized). Copy the contents of both into a reply.
On subsequent runs, DSS will only provide a significantly shortened main.txt and not an extra.txt.

In your next post
------------------------------------------------

  • ActiveScan log
  • DSS main.txt and extra.txt

  • 0

#5
Choknat

Choknat

    Member

  • Topic Starter
  • Member
  • PipPip
  • 37 posts
wait, when i double click the "fix.reg" it just opens a window which is the "Open with.." window and make me select a program to open the file. T_T it gives me a option to merge when I rightclick it but still after I select run, it goes to "open with" window..

the poppping folders are named "My Documents.exe" "My Pictures.exe" and "PUPSRE.exe".. those are the folder names.

Edited by Choknat, 02 April 2008 - 03:44 AM.

  • 0

#6
Chopin

Chopin

    Member 2k

  • Member
  • PipPipPipPipPip
  • 2,639 posts
Hello Choknat, let's try something else. Disregard my other directions and follow these ones :)

First, go to Start > Control Panel. Double-click on "Folder Options", and go to the "View" tab. Make sure that the box "Display the full path in the address bar" is checked; if it isn't, please check it. Press OK. Afterwards, plug your USB drive in. There should be a bar labelled "Address" under the toolbar, as with Internet Explorer - copy the text in there for all three folders into your next reply. Keep your USB drive in for the rest of the fix, and do not use it to transfer files to another computer.

Please read my entire post before commencing, and please follow my instructions in the order that they are given :) If you don't understand something, don't be afraid to ask!

1. Fix Entries with HijackThis
------------------------------------------------

Please re-open HiJackThis and scan. Check the boxes next to all the entries listed below (if present).

O4 - HKLM\..\Run: [] C:\WINDOWS\inf\ssvhost.exe
O4 - HKLM\..\Policies\Explorer\Run: [] 

Now close all windows other than HiJackThis, then click Fix Checked. Close HiJackThis.

2. Scan with ActiveScan
------------------------------------------------

Please go HERE to run Panda's ActiveScan.

Note:You must use Internet Explorer for this scan.
  • Once you are on the Panda site click the Scan your PC button
  • A new window will open...click the Check Now button
  • Enter your Country
  • Enter your State/Province
  • Enter your e-mail address and click send
  • Select either Home User or Company
  • Click the big Scan Now button
  • If it wants to install an ActiveX component allow it
  • It will start downloading the files it requires for the scan (It may take a couple of minutes)
  • When download is complete, click on My Computer to start the scan
  • When the scan completes, if anything malicious is detected, click the See Report button, then Save Report and save it to a convenient location. Post the contents of the ActiveScan report

3. Deckard's System Scanner
------------------------------------------------

Please download Deckard's System Scanner (DSS) and save it to your Desktop. Close ALL open windows before running the scan.

Note: This program will clear your temporary files.

  • On the first run, Deckard's System Scanner will provide you with two warnings. Press "OK" and allow DSS to scan.
  • The entire scanning process will take about five minutes, often less.
  • During the scan you may get warnings about sigcheck.exe trying to access the Internet; please make sure you allow it to do so.
  • Your antivirus may also warn you about nircmd.exe; please make sure you do not delete nircmd.exe as it will cause DSS to malfunction.
  • Once the scan is complete, you will get two logfiles - a main.txt (which you see) and an extra.txt (which is minimized). Copy the contents of both into a reply.
On subsequent runs, DSS will only provide a significantly shortened main.txt and not an extra.txt.

4. Fix File Associations
------------------------------------------------

Please go to Start > Run. In the box that appears, carefully copy and paste the following:

"%Userprofile%\Desktop\dss.exe" /daft

Accept the disclaimer, and click the "Scan" button. Place a checkmark next to everything that appears and press "Fix". Afterwards, close the window.

In your next post
------------------------------------------------

  • File paths
  • ActiveScan log
  • DSS main.txt and extra.txt

  • 0

#7
Choknat

Choknat

    Member

  • Topic Starter
  • Member
  • PipPip
  • 37 posts
i discovered that the scvchost.exe is the one making folders in my drives so when i end that process in the task manager it no longer produces folders.

i got the hijack this log correctly, which i think would make my drives secure from popping folders.. when i do the panda's activescan it got an error updating and cannot go further the process.

in case u still need the popping folder adress:
G:\My Pictures.exe
G:\My Documents.exe
G:\PUPSRE.exe

also in:
E:\My Pictures.exe
E:\My Documents.exe
E:\PUPSRE.exe
  • 0

#8
Chopin

Chopin

    Member 2k

  • Member
  • PipPipPipPipPip
  • 2,639 posts
Hello Choknat, can you do steps 3 and 4 in my last post? Disregard the ActiveScan log, just do the two things with DSS and post back main.txt and extra.txt. Thanks :)
  • 0

#9
Choknat

Choknat

    Member

  • Topic Starter
  • Member
  • PipPip
  • 37 posts
MAIN.TXT

Deckard's System Scanner v20071014.68
Run by microsoft on 2008-04-06 08:53:13
Computer is in Normal Mode.
--------------------------------------------------------------------------------



-- HijackThis (run as microsoft.exe) -------------------------------------------

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 8:53:16 AM, on 4/6/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16608)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
C:\Program Files\Common Files\Symantec Shared\AppCore\AppSvc32.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\RTHDCPL.EXE
C:\Program Files\VDOTool\TBPanel.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
C:\WINDOWS\VMSnap3.EXE
C:\WINDOWS\Domino.EXE
C:\PROGRA~1\NORTON~1\NSR\Agent\NSRTray.exe
C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe
C:\Program Files\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\Program Files\Roxio\MyDVD\MyDVD\DetectorApp.exe
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
E:\Program Files\DAEMON Tools\daemon.exe
C:\Program Files\Common Files\Pure Networks Shared\Platform\nmctxth.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\QuickTime\qttask.exe
C:\PROGRA~1\NORTON~1\NSR\Agent\VProSvc.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Roxio\MyDVD\MyDVD\USBDeviceService.exe
C:\Program Files\Common Files\Pure Networks Shared\Platform\nmsrvc.exe
C:\Program Files\Canon\CAL\CALMAIN.exe
C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe
C:\Program Files\Common Files\LightScribe\LightScribeControlPanel.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Common Files\Ahead\Lib\NMIndexStoreSvr.exe
E:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe
E:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Documents and Settings\microsoft\Desktop\dss.exe
C:\PROGRA~1\TRENDM~1\HIJACK~1\MICROS~1.EXE

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft....k/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft....k/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.c...rch/search.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://us.rd.yahoo.c...//www.yahoo.com
R3 - URLSearchHook: Yahoo! 工具列 - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - E:\PROGRA~1\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: &Yahoo! Toolbar Helper - {02478D38-C3F9-4efb-9B51-7695ECA05670} - E:\PROGRA~1\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
O2 - BHO: Groove GFS Browser Helper - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\PROGRA~1\MICROS~2\Office12\GRA8E1~1.DLL
O2 - BHO: Adobe PDF Conversion Toolbar Helper - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: Yahoo! 工具列 - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - E:\PROGRA~1\Yahoo!\Companion\Installs\cpn\yt.dll
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [SkyTel] SkyTel.EXE
O4 - HKLM\..\Run: [Gainward] C:\Program Files\VDOTool\TBPanel.exe /A
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [NeroFilterCheck] C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe
O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"
O4 - HKLM\..\Run: [VMSnap3] C:\WINDOWS\VMSnap3.EXE
O4 - HKLM\..\Run: [Domino] C:\WINDOWS\Domino.EXE
O4 - HKLM\..\Run: [NSRKey] C:\PROGRA~1\NORTON~1\NSR\Agent\NSRTray.exe
O4 - HKLM\..\Run: [GrooveMonitor] "C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe"
O4 - HKLM\..\Run: [Acrobat Assistant 8.0] "C:\Program Files\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe"
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [DetectorApp] C:\Program Files\Roxio\MyDVD\MyDVD\DetectorApp.exe
O4 - HKLM\..\Run: [ISUSPM Startup] C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe -startup
O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [DAEMON Tools] "E:\Program Files\DAEMON Tools\daemon.exe" -lang 1033
O4 - HKLM\..\Run: [nmctxth] "C:\Program Files\Common Files\Pure Networks Shared\Platform\nmctxth.exe"
O4 - HKLM\..\Run: [BigDog303] C:\WINDOWS\VM303_STI.EXE VIMICRO USB PC Camera (ZC0301PLH)
O4 - HKLM\..\Run: [Symantec PIF AlertEng] "C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe" /a /m "C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\AlertEng.dll"
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [Norton Save and Restore] "C:\PROGRA~1\NORTON~1\NSR\Agent\NSRTray.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [osCheck] "C:\Program Files\Norton AntiVirus\osCheck.exe"
O4 - HKCU\..\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe"
O4 - HKCU\..\Run: [LightScribe Control Panel] C:\Program Files\Common Files\LightScribe\LightScribeControlPanel.exe -hidden
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Yahoo! Pager] "E:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" -quiet
O4 - HKCU\..\Run: [SUPERAntiSpyware] E:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Startup: OneNote 2007 Screen Clipper and Launcher.lnk = C:\Program Files\Microsoft Office\Office12\ONENOTEM.EXE
O8 - Extra context menu item: Append to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert link target to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert link target to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert selected links to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
O8 - Extra context menu item: Convert selected links to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
O8 - Extra context menu item: Convert selection to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert selection to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {2D8ED06D-3C30-438B-96AE-4D110FDC1FB8} (ActiveScan 2.0 Installer Class) - http://acs.pandasoft...s/as2stubie.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.mi...b?1202213772328
O17 - HKLM\System\CCS\Services\Tcpip\..\{1C7B5944-C76A-454B-8AD2-D752A41C0351}: NameServer = 202.78.97.41,202.78.97.35
O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\PROGRA~1\MICROS~2\Office12\GR99D3~1.DLL
O20 - Winlogon Notify: !SASWinLogon - E:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
O23 - Service: Canon Camera Access Library 8 (CCALib8) - Canon Inc. - C:\Program Files\Canon\CAL\CALMAIN.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Symantec Lic NetConnect service (CLTNetCnService) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: Symantec IS Password Validation (ISPwdSvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\isPwdSvc.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: LiveUpdate Notice Service Ex (LiveUpdate Notice Ex) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: LiveUpdate Notice Service - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe
O23 - Service: NMIndexingService - Nero AG - C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe
O23 - Service: Pure Networks Platform Service (nmservice) - Pure Networks, Inc. - C:\Program Files\Common Files\Pure Networks Shared\Platform\nmsrvc.exe
O23 - Service: Norton Save and Restore - Symantec Corporation - C:\PROGRA~1\NORTON~1\NSR\Agent\VProSvc.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Symantec Core LC - Unknown owner - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: Symantec AppCore Service (SymAppCore) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\AppCore\AppSvc32.exe
O23 - Service: USBDeviceService - Unknown owner - C:\Program Files\Roxio\MyDVD\MyDVD\USBDeviceService.exe

--
End of file - 13098 bytes

-- Files created between 2008-03-06 and 2008-04-06 -----------------------------

2008-04-05 04:00:29 0 d-------- C:\Program Files\Panda Security
2008-04-01 01:41:32 20480 --a------ C:\process.exe <Not Verified; Bravo; process>
2008-03-27 01:39:30 20 --a------ C:\WINDOWS\drop32.dll
2008-03-26 09:58:00 0 d-------- C:\Documents and Settings\microsoft\Application Data\Apple Computer
2008-03-24 14:12:00 20480 --a------ C:\aviso.exe <Not Verified; SuriSoftware; Aviso>
2008-03-22 16:19:10 0 d-------- C:\Documents and Settings\All Users\Application Data\SUPERAntiSpyware.com
2008-03-22 16:16:44 0 d-------- C:\Documents and Settings\microsoft\Application Data\SUPERAntiSpyware.com
2008-03-22 16:16:14 0 d-------- C:\Program Files\Common Files\Wise Installation Wizard
2008-03-21 23:38:40 0 --a------ C:\WINDOWS\nsreg.dat
2008-03-21 23:38:37 0 d-------- C:\Documents and Settings\microsoft\Application Data\Mozilla
2008-03-21 23:28:56 0 d-a------ C:\Documents and Settings\All Users\Application Data\TEMP
2008-03-20 10:15:10 0 d-------- C:\Documents and Settings\microsoft\Application Data\Malwarebytes
2008-03-20 10:15:06 0 d-------- C:\Documents and Settings\All Users\Application Data\Malwarebytes
2008-03-20 10:02:28 0 drahs---- C:\autorun.inf
2008-03-19 21:06:09 0 d-------- C:\Program Files\Norton AntiVirus
2008-03-19 21:05:15 0 d-------- C:\Program Files\Symantec
2008-03-16 17:34:42 0 d-------- C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-03-16 16:44:24 0 d-------- C:\Program Files\Trend Micro
2008-03-16 13:44:57 0 d-------- C:\Documents and Settings\All Users\Application Data\Grisoft
2008-03-16 13:23:22 86528 --a------ C:\WINDOWS\system32\VACFix.exe <Not Verified; S!Ri.URZ; VACFix>
2008-03-16 13:23:22 82432 --a------ C:\WINDOWS\system32\IEDFix.exe <Not Verified; S!Ri.URZ; IEDFix>
2008-03-16 13:23:21 289144 --a------ C:\WINDOWS\system32\VCCLSID.exe <Not Verified; S!Ri; >
2008-03-16 13:23:21 288417 --a------ C:\WINDOWS\system32\SrchSTS.exe <Not Verified; S!Ri; SrchSTS>
2008-03-16 13:23:21 53248 --a------ C:\WINDOWS\system32\Process.exe <Not Verified; http://www.beyondlogic.org; Command Line Process Utility>
2008-03-16 13:23:21 51200 --a------ C:\WINDOWS\system32\dumphive.exe
2008-03-16 12:43:57 0 d-------- C:\Documents and Settings\microsoft\Application Data\report
2008-03-16 10:32:50 0 d-------- C:\Documents and Settings\microsoft\Documents and Settings
2008-03-15 18:28:22 0 d-------- C:\Documents and Settings\microsoft\Application Data\Application Data
2008-03-15 18:28:21 0 d-------- C:\report
2008-03-14 23:52:58 0 d-------- C:\Documents and Settings\microsoft\Application Data\ZoomBrowser EX
2008-03-14 23:43:26 0 d-------- C:\Documents and Settings\All Users\Application Data\ZoomBrowser
2008-03-14 23:38:52 0 d-------- C:\Program Files\QuickTime
2008-03-14 23:38:28 0 d-------- C:\Documents and Settings\All Users\Application Data\Apple Computer
2008-03-14 23:37:00 0 d-------- C:\Program Files\Common Files\Canon


-- Find3M Report ---------------------------------------------------------------

2008-04-05 04:13:10 0 d-------- C:\Program Files\Common Files\Symantec Shared
2008-03-22 16:16:14 0 d-------- C:\Program Files\Common Files
2008-03-14 23:44:26 0 d-------- C:\Program Files\Canon
2008-03-14 11:22:21 0 d-------- C:\Program Files\Norton SystemWorks Premier
2008-03-05 20:33:46 0 d-------- C:\Documents and Settings\microsoft\Application Data\Yahoo!
2008-03-05 20:15:47 0 d-------- C:\Program Files\Yahoo!
2008-02-26 09:53:35 0 d-------- C:\Documents and Settings\microsoft\Application Data\Adobe
2008-02-25 10:52:29 0 d-------- C:\Program Files\Google
2008-02-22 16:27:40 0 d-------- C:\Documents and Settings\microsoft\Application Data\Thinstall
2008-02-20 20:22:00 0 d-------- C:\Program Files\Common Files\INCA Shared
2008-02-20 12:30:46 98304 --a------ C:\WINDOWS\system32\CmdLineExt.dll <Not Verified; Sony DADC Austria AG.; >
2008-02-20 12:13:24 0 d--h----- C:\Program Files\InstallShield Installation Information
2008-02-17 22:22:10 0 d-------- C:\Documents and Settings\microsoft\Application Data\Command & Conquer 3 Tiberium Wars
2008-02-15 05:05:01 0 d-------- C:\Documents and Settings\microsoft\Application Data\Symantec
2008-02-11 11:31:43 0 d-------- C:\Program Files\Common Files\Pure Networks Shared
2008-02-10 20:37:02 0 d-------- C:\Documents and Settings\microsoft\Application Data\Ahead
2008-02-09 14:48:40 0 d-------- C:\Program Files\2kxpinf
2008-02-09 07:46:40 0 d-------- C:\Program Files\FamilySearch
2008-02-08 12:39:52 0 d-------- C:\Program Files\Crack
2008-02-06 06:57:37 0 d-------- C:\Program Files\MSXML 6.0
2008-02-06 01:43:30 0 d-------- C:\Documents and Settings\microsoft\Application Data\Help
2008-02-06 01:35:33 0 d-------- C:\Documents and Settings\microsoft\Application Data\Leadertech
2008-02-06 01:34:51 0 d-------- C:\Program Files\Common Files\InstallShield
2008-02-06 01:32:52 0 d-------- C:\Program Files\Common Files\TiVo Shared
2008-02-06 01:32:19 0 d-------- C:\Program Files\Roxio
2008-02-06 00:32:54 0 d-------- C:\Program Files\Microsoft Student
2008-02-06 00:32:14 0 d-------- C:\Program Files\Learning Essentials
2008-02-06 00:24:25 0 d-------- C:\Program Files\Common Files\Macrovision Shared
2008-02-06 00:18:03 0 d-------- C:\Program Files\Common Files\Adobe
2008-02-05 19:36:26 62 --ahs---- C:\Documents and Settings\microsoft\Application Data\desktop.ini
2008-02-05 12:06:32 4716 --a------ C:\WINDOWS\gdrv.sys <Not Verified; Windows ® 2000 DDK provider; Windows ® 2000 DDK driver>
2008-02-05 12:04:37 315392 --a------ C:\WINDOWS\HideWin.exe <Not Verified; Realtek Semiconductor Corp.; HD Audio Hide windows program>
2008-02-05 11:48:34 0 -rahs---- C:\MSDOS.SYS
2008-02-05 11:48:34 0 -rahs---- C:\IO.SYS
2008-02-05 11:48:34 0 --a------ C:\CONFIG.SYS
2008-02-05 11:48:34 0 --a------ C:\AUTOEXEC.BAT
2008-02-05 11:46:23 21640 --a------ C:\WINDOWS\system32\emptyregdb.dat


-- Registry Dump ---------------------------------------------------------------

*Note* empty entries & legit default entries are not shown


[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"RTHDCPL"="RTHDCPL.EXE" [07/05/2007 04:08 PM C:\WINDOWS\RTHDCPL.exe]
"SkyTel"="SkyTel.EXE" [06/15/2007 04:45 PM C:\WINDOWS\SkyTel.exe]
"Gainward"="C:\Program Files\VDOTool\TBPanel.exe" [11/27/2007 02:36 PM]
"NvCplDaemon"="C:\WINDOWS\system32\NvCpl.dll" [11/28/2007 04:45 PM]
"nwiz"="nwiz.exe" [11/28/2007 04:45 PM C:\WINDOWS\system32\nwiz.exe]
"NvMediaCenter"="C:\WINDOWS\system32\NvMcTray.dll" [11/28/2007 04:45 PM]
"NeroFilterCheck"="C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe" [05/04/2007 10:59 AM]
"RemoteControl"="C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe" [01/12/2005 03:01 AM]
"VMSnap3"="C:\WINDOWS\VMSnap3.EXE" [08/30/2006 10:58 AM]
"Domino"="C:\WINDOWS\Domino.EXE" [06/28/2006 05:54 PM]
"NSRKey"="C:\PROGRA~1\NORTON~1\NSR\Agent\NSRTray.exe" [03/26/2007 03:45 PM]
"GrooveMonitor"="C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe" [10/27/2006 12:47 AM]
"Acrobat Assistant 8.0"="C:\Program Files\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe" [01/11/2008 07:54 PM]
"dla"="C:\WINDOWS\system32\dla\tfswctrl.exe" [08/26/2005 05:33 AM]
"DetectorApp"="C:\Program Files\Roxio\MyDVD\MyDVD\DetectorApp.exe" [08/31/2005 06:15 AM]
"ISUSPM Startup"="C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe" [07/27/2004 04:50 PM]
"ISUSScheduler"="C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" [07/27/2004 04:50 PM]
"DAEMON Tools"="E:\Program Files\DAEMON Tools\daemon.exe" [11/09/2005 06:00 AM]
"nmctxth"="C:\Program Files\Common Files\Pure Networks Shared\Platform\nmctxth.exe" [10/01/2007 08:08 PM]
"Yahoo Messenger"="" []
"BigDog303"="C:\WINDOWS\VM303_STI.exe" []
"Symantec PIF AlertEng"="C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe" [01/29/2008 05:38 PM]
"ccApp"="C:\Program Files\Common Files\Symantec Shared\ccApp.exe" [01/10/2007 05:59 PM]
"Norton Save and Restore"="C:\PROGRA~1\NORTON~1\NSR\Agent\NSRTray.exe" [03/26/2007 03:45 PM]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [03/14/2008 11:39 PM]
"osCheck"="C:\Program Files\Norton AntiVirus\osCheck.exe" [01/14/2007 07:11 PM]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}"="C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe" [05/04/2007 10:39 AM]
"LightScribe Control Panel"="C:\Program Files\Common Files\LightScribe\LightScribeControlPanel.exe" [04/19/2007 01:26 PM]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [02/28/2006 08:00 PM]
"Yahoo! Pager"="E:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" [12/17/2007 05:13 PM]
"SUPERAntiSpyware"="E:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [02/29/2008 04:03 PM]

C:\Documents and Settings\microsoft\Start Menu\Programs\Startup\
Adobe Gamma.lnk - C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [3/16/2005 7:16:50 PM]
OneNote 2007 Screen Clipper and Launcher.lnk - C:\Program Files\Microsoft Office\Office12\ONENOTEM.EXE [10/26/2006 8:24:54 PM]

[HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\system]
"DisableRegistryTools"=0 (0x0)

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"NoSetTaskbar"=0 (0x0)

[HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\explorer]
"NoRun"=0 (0x0)

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= E:\Program Files\SUPERAntiSpyware\SASSEH.DLL [12/20/2006 12:55 PM 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
E:\Program Files\SUPERAntiSpyware\SASWINLO.dll 04/19/2007 12:41 PM 294912 E:\Program Files\SUPERAntiSpyware\SASWINLO.dll

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders]
SecurityProviders msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll,


[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{7d8e340e-d4a4-11dc-9c8b-001d7dbbcdd4}]
AutoRun\command- photos.zip.exe %1
Explore\command- photos.zip.exe %1
Open\command- photos.zip.exe %1

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{ec0432bc-d413-11dc-9c81-001d7dbbcdd4}]
AutoRun\command- C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL wscript.exe VBRuntime32.dll.vbs


[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{10880D85-AAD9-4558-ABDC-2AB1552D831F}]
"C:\Program Files\Common Files\LightScribe\LSRunOnce.exe"



-- End of Deckard's System Scanner: finished at 2008-04-06 08:53:32 ------------



sir unfortunately it didnt produce a extra.txt :) so i just posted the main.txt... :) thanks..
  • 0

#10
Chopin

Chopin

    Member 2k

  • Member
  • PipPipPipPipPip
  • 2,639 posts
Hello Choknat, we got a lot to do here :) Are you ready? :)

Don't worry so much about DSS, the information will be obtained in due time. And I'm not old enough for you to call me sir :)

Please read my entire post before commencing, and please follow my instructions in the order that they are given :) If you don't understand something, don't be afraid to ask!

1. Make Registry Script
------------------------------------------------

Please open a blank Notepad document. Copy and paste everything in the codebox below into the blank document:

REGEDIT4

[HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Cdrom]
"AutoRun"=dword:00000000

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer]
"NoDriveTypeAutoRun"=dword:000000b5

Go to File > Save As. Make sure "All types" is selected in the "Save as Type" menu. Name the file "fix.reg" and save it to your Desktop.

Double-click on fix.reg and you will get a prompt asking if you wish to merge with the registry. Please allow fix.reg to merge. You will then get a message saying that it has been successfully entered; press "OK". Reboot your computer, and attach your USB drive if you haven't already done so. Do not remove it until we have completed the fix.

2. Make Batch File
------------------------------------------------

Please open a blank Notepad document. Copy and paste everything in the codebox below into the blank document:

@ECHO OFF
dir "%programfiles%\Crack">C:\peek.txt
start C:\peek.txt
DEL peek.bat

Go to File > Save As. Make sure "All types" is selected in the "Save as Type" menu. Name the file "peek.bat" and save it to your Desktop.

Double-click on peek.bat. You will get a black command prompt window for less than a second, then a Notepad window called peek.txt will open. Copy the contents of peek.txt into your next reply.

Note: If you needed to close the text document, the log is located at C:\peek.txt.

3. Submit File for Testing
------------------------------------------------

Please go to this website: Link

Once there, you will see a textbox in the middle of the screen. Copy and paste the following line into the textbox:

C:\WINDOWS\drop32.dll

Click the large "Send File" button. Your file will be scanned by MANY different antivirus engines, so until the top says Current status: Finished, don't close the window/copy the results! Once the scan is finished, copy and paste the entire table into a reply so it looks like this:

AhnLab-V3 2007.9.29.0 2007.09.28 -
AntiVir 7.6.0.18 2007.09.28 HEUR/Malware
Authentium 4.93.8 2007.09.28 -
Avast 4.7.1043.0 2007.09.28 -
AVG 7.5.0.488 2007.09.28 -
BitDefender 7.2 2007.09.28 -
CAT-QuickHeal 9.00 2007.09.28 (Suspicious) - DNAScan
ClamAV 0.91.2 2007.09.28 -
DrWeb 4.33 2007.09.28 -
eSafe 7.0.15.0 2007.09.23 Suspicious Trojan/Worm
eTrust-Vet 31.2.5169 2007.09.27 -
Ewido 4.0 2007.09.28 -
FileAdvisor 1 2007.09.29 -
Fortinet 3.11.0.0 2007.09.28 -
F-Prot 4.3.2.48 2007.09.27 -
F-Secure 6.70.13030.0 2007.09.28 -
Ikarus T3.1.1.12 2007.09.28 -
Kaspersky 7.0.0.125 2007.09.29 -
McAfee 5130 2007.09.28 -
Microsoft 1.2803 2007.09.29 -
NOD32v2 2558 2007.09.28 -
Norman 5.80.02 2007.09.28 -
Panda 9.0.0.4 2007.09.28 -
Prevx1 V2 2007.09.29 Heuristic: Suspicious Self Modifying EXE
Rising 19.42.42.00 2007.09.28 -
Sophos 4.21.0 2007.09.28 -
Sunbelt 2.2.907.0 2007.09.28 VIPRE.Suspicious
Symantec 10 2007.09.28 -
TheHacker 6.2.6.073 2007.09.28 -
VBA32 3.12.2.4 2007.09.29 -
VirusBuster 4.3.26:9 2007.09.28 -
Webwasher-Gateway 6.0.1 2007.09.28 Heuristic.Malware


Post the results in your next post :)

4. Run OTMoveIt2
------------------------------------------------

Please download the OTMoveIt2 by OldTimer.
  • Save it to your desktop.
  • Please double-click OTMoveIt2.exe to run it. (Vista users, please right click on OTMoveit2.exe and select "Run as an Administrator")
  • Copy the file paths below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose Copy):

    G:\My Pictures.exe
    G:\My Documents.exe
    G:\PUPSRE.exe
    E:\My Pictures.exe
    E:\My Documents.exe
    E:\PUPSRE.exe
    C:\WINDOWS\System32\scvchost.exe
    C:\process.exe
    C:\autorun.inf
    E:\autorun.inf
    G:\autorun.inf
    C:\Program Files\2kxpinf

  • Return to OTMoveIt2, right click in the "Paste List of Files/Folders to Move" window (under the light Yellow bar) and choose Paste.
  • Click the red Moveit! button.
  • A log of files and folders moved will be created in the c:\_OTMoveIt\MovedFiles folder in the form of Date and Time (mmddyyyy_hhmmss.log). Please open this log in Notepad and post its contents in your next reply.
  • Close OTMoveIt2
If a file or folder cannot be moved immediately you may be asked to reboot the machine to finish the move process. If you are asked to reboot the machine choose Yes.

5. Scan with Kaspersky WebScanner
------------------------------------------------

Please do an online scan with Kaspersky WebScanner

Click on Accept

You will be promted to install an ActiveX component from Kaspersky, Click Yes.
  • The program will launch and then begin downloading the latest definition files:
  • Once the files have been downloaded click on NEXT
  • Now click on Scan Settings
  • In the scan settings make that the following are selected:
    • Scan using the following Anti-Virus database:
    Extended (if available otherwise Standard)
    • Scan Options:
    Scan Archives
    Scan Mail Bases
  • Click OK
  • Now under select a target to scan:Select My Computer
  • This will program will start and scan your system.
  • The scan will take a while so be patient and let it run.
  • Once the scan is complete it will display if your system has been infected.
    • Now click on the Save as Text button:
  • Save the file to your desktop.
  • Copy and paste that information in your next post.

6. Re-scan with DSS
------------------------------------------------

Please go to Start > Run. In the box that appears, carefully copy and paste the following:

"%userprofile%\Desktop\dss.exe" /config

Hit "Check All" and click "Scan!" DSS will produce main.txt and extra.txt, please post them back :)

In your next post
------------------------------------------------

It is almost certain that your logs will not fit into one post. They will get cut off. So, I recommend that you split the logs into two or maybe even three posts. I need this information - do not fail me :)
  • C:\peek.txt
  • VirusTotal log
  • OTMoveIt2 log
  • Kaspersky WebScanner log
  • DSS main.txt and extra.txt

  • 0

Advertisements


#11
Choknat

Choknat

    Member

  • Topic Starter
  • Member
  • PipPip
  • 37 posts
ok I did everything you have instructed EXCEPT for the kapersky webscanner due to its failure to download its activeX components [or something like that, I forgot].. :)

anyway here's the other Logs you need:

PEEK.TXT

Volume in drive C has no label.
Volume Serial Number is 4882-4C29

Directory of C:\Program Files\Crack

02/08/2008 12:39 PM <DIR> .
02/08/2008 12:39 PM <DIR> ..
0 File(s) 0 bytes
2 Dir(s) 41,792,483,328 bytes free

VIRUSTOTAL.LOG

Antivirus Version Last Update Result
AhnLab-V3 2008.4.4.1 2008.04.04 -
AntiVir 7.6.0.81 2008.04.05 -
Authentium 4.93.8 2008.04.05 -
Avast 4.7.1098.0 2008.04.06 -
AVG 7.5.0.516 2008.04.06 -
BitDefender 7.2 2008.04.06 -
CAT-QuickHeal 9.50 2008.04.05 -
ClamAV 0.92.1 2008.04.06 -
DrWeb 4.44.0.09170 2008.04.06 -
eSafe 7.0.15.0 2008.04.01 -
eTrust-Vet 31.3.5672 2008.04.04 -
Ewido 4.0 2008.04.06 -
F-Prot 4.4.2.54 2008.04.05 -
F-Secure 6.70.13260.0 2008.04.06 -
FileAdvisor 1 2008.04.06 -
Fortinet 3.14.0.0 2008.04.06 -
Ikarus T3.1.1.20 2008.04.06 -
Kaspersky 7.0.0.125 2008.04.06 -
McAfee 5267 2008.04.04 -
Microsoft 1.3408 2008.04.06 -
NOD32v2 3005 2008.04.06 -
Norman 5.80.02 2008.04.04 -
Panda 9.0.0.4 2008.04.06 -
Prevx1 V2 2008.04.06 -
Rising 20.38.60.00 2008.04.03 -
Sophos 4.28.0 2008.04.06 -
Sunbelt 3.0.1032.0 2008.04.05 -
Symantec 10 2008.04.06 -
TheHacker 6.2.92.266 2008.04.05 -
VBA32 3.12.6.4 2008.04.06 -
VirusBuster 4.3.26:9 2008.04.05 -
Webwasher-Gateway 6.6.2 2008.04.05 -


OTMOVEIT2 LOG

File/Folder G:\My Pictures.exe not found.
File/Folder G:\My Documents.exe not found.
File/Folder G:\PUPSRE.exe not found.
File/Folder E:\My Pictures.exe not found.
File/Folder E:\My Documents.exe not found.
File/Folder E:\PUPSRE.exe not found.
File/Folder C:\WINDOWS\System32\scvchost.exe not found.
File/Folder C:\process.exe not found.
C:\autorun.inf moved successfully.
Folder move failed. E:\autorun.inf scheduled to be moved on reboot.
Folder move failed. G:\autorun.inf scheduled to be moved on reboot.
C:\Program Files\2kxpinf\enu\drivers\win2k_xp moved successfully.
C:\Program Files\2kxpinf\enu\drivers moved successfully.
C:\Program Files\2kxpinf\enu moved successfully.
C:\Program Files\2kxpinf moved successfully.

OTMoveIt2 by OldTimer - Version 1.0.4.0 log created on 04062008_232515

Files moved on Reboot...
Folder move failed. E:\autorun.inf scheduled to be moved on reboot.
Folder move failed. G:\autorun.inf scheduled to be moved on reboot.

DSS MAIN.TXT

Deckard's System Scanner v20071014.68
Run by microsoft on 2008-04-06 23:50:28
Computer is in Normal Mode.
--------------------------------------------------------------------------------

-- System Restore --------------------------------------------------------------

Successfully created a Deckard's System Scanner Restore Point.


-- Last 5 Restore Point(s) --
12: 2008-04-06 15:50:33 UTC - RP73 - Deckard's System Scanner Restore Point
11: 2008-04-06 14:31:14 UTC - RP72 - Installed Microsoft ActiveSync
10: 2008-04-05 01:37:26 UTC - RP71 - System Checkpoint
9: 2008-04-02 05:21:58 UTC - RP70 - System Checkpoint
8: 2008-03-31 04:25:51 UTC - RP69 - Restore Operation


-- First Restore Point --
1: 2008-03-21 02:42:48 UTC - RP62 - CLEAN


Performed disk cleanup.



-- HijackThis (run as microsoft.exe) -------------------------------------------

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 11:51:14 PM, on 4/6/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16608)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
C:\Program Files\Common Files\Symantec Shared\AppCore\AppSvc32.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\PROGRA~1\NORTON~1\NSR\Agent\VProSvc.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Roxio\MyDVD\MyDVD\USBDeviceService.exe
C:\Program Files\Common Files\Pure Networks Shared\Platform\nmsrvc.exe
C:\Program Files\Canon\CAL\CALMAIN.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\WINDOWS\RTHDCPL.EXE
C:\Program Files\VDOTool\TBPanel.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
C:\WINDOWS\VMSnap3.EXE
C:\WINDOWS\Domino.EXE
C:\PROGRA~1\NORTON~1\NSR\Agent\NSRTray.exe
C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe
C:\Program Files\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\Program Files\Roxio\MyDVD\MyDVD\DetectorApp.exe
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
E:\Program Files\DAEMON Tools\daemon.exe
C:\Program Files\Common Files\Pure Networks Shared\Platform\nmctxth.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe
C:\Program Files\Common Files\LightScribe\LightScribeControlPanel.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
C:\Program Files\Common Files\Ahead\Lib\NMIndexStoreSvr.exe
E:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\Program Files\Microsoft ActiveSync\Wcescomm.exe
C:\PROGRA~1\MI3AA1~1\rapimgr.exe
E:\PROGRA~1\Yahoo!\MESSEN~1\ymsgr_tray.exe
C:\Program Files\Microsoft ActiveSync\WCESMgr.exe
C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Documents and Settings\microsoft\Desktop\dss.exe
C:\PROGRA~1\TRENDM~1\HIJACK~1\MICROS~1.EXE

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft....k/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft....k/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.c...rch/search.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://us.rd.yahoo.c...//www.yahoo.com
R3 - URLSearchHook: Yahoo! 工具列 - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - E:\PROGRA~1\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: &Yahoo! Toolbar Helper - {02478D38-C3F9-4efb-9B51-7695ECA05670} - E:\PROGRA~1\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
O2 - BHO: Groove GFS Browser Helper - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\PROGRA~1\MICROS~2\Office12\GRA8E1~1.DLL
O2 - BHO: Adobe PDF Conversion Toolbar Helper - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: Yahoo! 工具列 - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - E:\PROGRA~1\Yahoo!\Companion\Installs\cpn\yt.dll
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [SkyTel] SkyTel.EXE
O4 - HKLM\..\Run: [Gainward] C:\Program Files\VDOTool\TBPanel.exe /A
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [NeroFilterCheck] C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe
O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"
O4 - HKLM\..\Run: [VMSnap3] C:\WINDOWS\VMSnap3.EXE
O4 - HKLM\..\Run: [Domino] C:\WINDOWS\Domino.EXE
O4 - HKLM\..\Run: [NSRKey] C:\PROGRA~1\NORTON~1\NSR\Agent\NSRTray.exe
O4 - HKLM\..\Run: [GrooveMonitor] "C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe"
O4 - HKLM\..\Run: [Acrobat Assistant 8.0] "C:\Program Files\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe"
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [DetectorApp] C:\Program Files\Roxio\MyDVD\MyDVD\DetectorApp.exe
O4 - HKLM\..\Run: [ISUSPM Startup] C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe -startup
O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [DAEMON Tools] "E:\Program Files\DAEMON Tools\daemon.exe" -lang 1033
O4 - HKLM\..\Run: [nmctxth] "C:\Program Files\Common Files\Pure Networks Shared\Platform\nmctxth.exe"
O4 - HKLM\..\Run: [BigDog303] C:\WINDOWS\VM303_STI.EXE VIMICRO USB PC Camera (ZC0301PLH)
O4 - HKLM\..\Run: [Symantec PIF AlertEng] "C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe" /a /m "C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\AlertEng.dll"
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [Norton Save and Restore] "C:\PROGRA~1\NORTON~1\NSR\Agent\NSRTray.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [osCheck] "C:\Program Files\Norton AntiVirus\osCheck.exe"
O4 - HKCU\..\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe"
O4 - HKCU\..\Run: [LightScribe Control Panel] C:\Program Files\Common Files\LightScribe\LightScribeControlPanel.exe -hidden
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Yahoo! Pager] "E:\PROGRA~1\Yahoo!\MESSEN~1\YAHOOM~1.EXE" -quiet
O4 - HKCU\..\Run: [SUPERAntiSpyware] E:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - HKCU\..\Run: [H/PC Connection Agent] "C:\Program Files\Microsoft ActiveSync\Wcescomm.exe"
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Startup: OneNote 2007 Screen Clipper and Launcher.lnk = C:\Program Files\Microsoft Office\Office12\ONENOTEM.EXE
O8 - Extra context menu item: Append to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert link target to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert link target to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert selected links to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
O8 - Extra context menu item: Convert selected links to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
O8 - Extra context menu item: Convert selection to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert selection to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra button: Create Mobile Favorite - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MI3AA1~1\INetRepl.dll
O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MI3AA1~1\INetRepl.dll
O9 - Extra 'Tools' menuitem: Create Mobile Favorite... - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MI3AA1~1\INetRepl.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {2D8ED06D-3C30-438B-96AE-4D110FDC1FB8} (ActiveScan 2.0 Installer Class) - http://acs.pandasoft...s/as2stubie.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.mi...b?1202213772328
O17 - HKLM\System\CCS\Services\Tcpip\..\{1C7B5944-C76A-454B-8AD2-D752A41C0351}: NameServer = 202.78.97.41,202.78.97.35
O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\PROGRA~1\MICROS~2\Office12\GR99D3~1.DLL
O20 - Winlogon Notify: !SASWinLogon - E:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
O23 - Service: Canon Camera Access Library 8 (CCALib8) - Canon Inc. - C:\Program Files\Canon\CAL\CALMAIN.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Symantec Lic NetConnect service (CLTNetCnService) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: Symantec IS Password Validation (ISPwdSvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\isPwdSvc.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: LiveUpdate Notice Service Ex (LiveUpdate Notice Ex) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: LiveUpdate Notice Service - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe
O23 - Service: NMIndexingService - Nero AG - C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe
O23 - Service: Pure Networks Platform Service (nmservice) - Pure Networks, Inc. - C:\Program Files\Common Files\Pure Networks Shared\Platform\nmsrvc.exe
O23 - Service: Norton Save and Restore - Symantec Corporation - C:\PROGRA~1\NORTON~1\NSR\Agent\VProSvc.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Symantec Core LC - Unknown owner - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: Symantec AppCore Service (SymAppCore) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\AppCore\AppSvc32.exe
O23 - Service: USBDeviceService - Unknown owner - C:\Program Files\Roxio\MyDVD\MyDVD\USBDeviceService.exe

--
End of file - 13641 bytes

-- HijackThis Fixed Entries (C:\PROGRA~1\TRENDM~1\HIJACK~1\backups\) -----------

backup-20080319-201913-127 O21 - SSODL: RamVolume - {590a0707-86c5-4b44-aacc-09eac802ecd5} - C:\WINDOWS\Installer\{590a0707-86c5-4b44-aacc-09eac802ecd5}\RamVolume.dll
backup-20080319-201913-199 O21 - SSODL: ComponentAlrt - {9c126442-4f35-43d5-95f1-8d832f6d5ec4} - C:\WINDOWS\Installer\{9c126442-4f35-43d5-95f1-8d832f6d5ec4}\ComponentAlrt.dll
backup-20080319-201913-331 O4 - HKLM\..\Run: [BM4bb17f1a] Rundll32.exe "C:\WINDOWS\system32\emwmcwdq.dll",s
backup-20080319-201913-530 O4 - HKLM\..\Run: [48824c86] rundll32.exe "C:\WINDOWS\system32\xfmsywjr.dll",b
backup-20080319-201913-563 O4 - HKLM\..\Run: [MalwareCore 7.4] "C:\Program Files\MalwareCore 7.4\MalwareCore 7.4.exe" /h
backup-20080319-201913-773 O4 - HKLM\..\Run: [SBI] C:\Documents and Settings\microsoft\Local Settings\Temporary Internet Files\Content.IE5\WQRLNTS7\install_sbd_en[1].exe
backup-20080319-201913-784 O3 - Toolbar: etlrlws - {65F4F8C1-B31F-40B7-9D34-98CA11EAC387} - C:\WINDOWS\etlrlws.dll (file missing)
backup-20080319-201913-866 O3 - Toolbar: Zango - {90B8B761-DF2B-48AC-BBE0-BCC03A819B3B} - C:\Program Files\Zango\bin\10.3.36.0\HostIE.dll (file missing)
backup-20080319-201913-959 O4 - HKLM\..\Run: [antiviirus] C:\Program Files\antiviirus.exe
backup-20080319-201914-528 O24 - Desktop Component 0: Privacy Protection - file:///C:\WINDOWS\privacy_danger\index.htm
backup-20080319-201914-611 O22 - SharedTaskScheduler: djuka - {ee9f7cf5-cd49-4cd8-8ba6-1514e7a5c22c} - C:\WINDOWS\system32\wbchha.dll (file missing)
backup-20080321-102438-461 O2 - BHO: Zango - {90B8B761-DF2B-48AC-BBE0-BCC03A819B3B} - C:\Program Files\Zango\bin\10.3.36.0\HostIE.dll (file missing)
backup-20080405-035405-264 O4 - HKLM\..\Run: [] C:\WINDOWS\inf\ssvhost.exe
backup-20080405-035405-539 O4 - HKLM\..\Policies\Explorer\Run: [] 

-- File Associations -----------------------------------------------------------

All associations okay.


-- Drivers: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled ---------------------

R1 PQNTDrv - c:\windows\system32\drivers\pqntdrv.sys <Not Verified; PowerQuest Corporation; PowerQuest product>
R3 SASENUM - e:\program files\superantispyware\sasenum.sys <Not Verified; SuperAdBlocker, Inc.; SuperAntiSpyware>

S3 gdrv - c:\windows\gdrv.sys <Not Verified; Windows 2000 DDK provider; Windows 2000 DDK driver>


-- Services: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled --------------------

R2 CCALib8 (Canon Camera Access Library 8) - c:\program files\canon\cal\calmain.exe <Not Verified; Canon Inc.; >
R2 USBDeviceService - c:\program files\roxio\mydvd\mydvd\usbdeviceservice.exe <Not Verified; ; USBDeviceService Module>
R3 FLEXnet Licensing Service - "c:\program files\common files\macrovision shared\flexnet publisher\fnplicensingservice.exe" <Not Verified; Macrovision Europe Ltd.; FLEXnet Publisher (32 bit)>


-- Device Manager: Disabled ----------------------------------------------------

No disabled devices found.


-- Process Modules -------------------------------------------------------------

C:\WINDOWS\system32\winlogon.exe (pid 840)
2007-04-19 12:41:36 294912 --a------ E:\Program Files\SUPERAntiSpyware\SASWINLO.dll <Not Verified; SUPERAntiSpyware.com; SUPERAntiSpyware WinLogon Processor>

C:\WINDOWS\explorer.exe (pid 168)
2006-12-20 12:55:48 77824 --a------ E:\Program Files\SUPERAntiSpyware\SASSEH.DLL <Not Verified; SuperAdBlocker.com; SuperAntiSpyware>
2007-01-31 11:39:00 32768 --a------ C:\Program Files\VDOTool\TBPanelExt.dll <Not Verified; ; TBPanelExt Module>
2007-11-28 16:45:31 466944 --a------ C:\WINDOWS\system32\nvshell.dll
2007-02-27 11:39:26 61440 --a------ E:\Program Files\SUPERAntiSpyware\SASCTXMN.DLL <Not Verified; SUPERAntiSpyware.com; SUPERAntiSpyware Context Menu Extension>
2005-10-07 15:05:32 125440 --a------ E:\Program Files\WinRAR\RarExt.dll


-- Scheduled Tasks -------------------------------------------------------------

2008-04-06 20:22:37 564 --a------ C:\WINDOWS\Tasks\Norton AntiVirus - Run Full System Scan - microsoft.job


-- Files created between 2008-03-06 and 2008-04-06 -----------------------------

2008-04-06 22:31:16 0 d-------- C:\Program Files\Microsoft ActiveSync
2008-04-05 04:00:29 0 d-------- C:\Program Files\Panda Security
2008-03-27 01:39:30 20 --a------ C:\WINDOWS\drop32.dll
2008-03-26 09:58:00 0 d-------- C:\Documents and Settings\microsoft\Application Data\Apple Computer
2008-03-22 16:19:10 0 d-------- C:\Documents and Settings\All Users\Application Data\SUPERAntiSpyware.com
2008-03-22 16:16:44 0 d-------- C:\Documents and Settings\microsoft\Application Data\SUPERAntiSpyware.com
2008-03-22 16:16:14 0 d-------- C:\Program Files\Common Files\Wise Installation Wizard
2008-03-21 23:38:40 0 --a------ C:\WINDOWS\nsreg.dat
2008-03-21 23:38:37 0 d-------- C:\Documents and Settings\microsoft\Application Data\Mozilla
2008-03-21 23:28:56 0 d-a------ C:\Documents and Settings\All Users\Application Data\TEMP
2008-03-20 10:15:10 0 d-------- C:\Documents and Settings\microsoft\Application Data\Malwarebytes
2008-03-20 10:15:06 0 d-------- C:\Documents and Settings\All Users\Application Data\Malwarebytes
2008-03-19 21:06:09 0 d-------- C:\Program Files\Norton AntiVirus
2008-03-19 21:05:15 0 d-------- C:\Program Files\Symantec
2008-03-16 17:34:42 0 d-------- C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-03-16 16:44:24 0 d-------- C:\Program Files\Trend Micro
2008-03-16 13:44:57 0 d-------- C:\Documents and Settings\All Users\Application Data\Grisoft
2008-03-16 13:23:22 86528 --a------ C:\WINDOWS\system32\VACFix.exe <Not Verified; S!Ri.URZ; VACFix>
2008-03-16 13:23:22 82432 --a------ C:\WINDOWS\system32\IEDFix.exe <Not Verified; S!Ri.URZ; IEDFix>
2008-03-16 13:23:21 289144 --a------ C:\WINDOWS\system32\VCCLSID.exe <Not Verified; S!Ri; >
2008-03-16 13:23:21 288417 --a------ C:\WINDOWS\system32\SrchSTS.exe <Not Verified; S!Ri; SrchSTS>
2008-03-16 13:23:21 53248 --a------ C:\WINDOWS\system32\Process.exe <Not Verified; http://www.beyondlogic.org; Command Line Process Utility>
2008-03-16 13:23:21 51200 --a------ C:\WINDOWS\system32\dumphive.exe
2008-03-16 12:43:57 0 d-------- C:\Documents and Settings\microsoft\Application Data\report
2008-03-16 10:32:50 0 d-------- C:\Documents and Settings\microsoft\Documents and Settings
2008-03-15 18:28:22 0 d-------- C:\Documents and Settings\microsoft\Application Data\Application Data
2008-03-15 18:28:21 0 d-------- C:\report
2008-03-14 23:52:58 0 d-------- C:\Documents and Settings\microsoft\Application Data\ZoomBrowser EX
2008-03-14 23:43:26 0 d-------- C:\Documents and Settings\All Users\Application Data\ZoomBrowser
2008-03-14 23:38:52 0 d-------- C:\Program Files\QuickTime
2008-03-14 23:38:28 0 d-------- C:\Documents and Settings\All Users\Application Data\Apple Computer
2008-03-14 23:37:00 0 d-------- C:\Program Files\Common Files\Canon


-- Find3M Report ---------------------------------------------------------------

2008-04-06 23:33:24 0 d-------- C:\Program Files\Common Files\Symantec Shared
2008-04-06 22:32:26 2528 --a------ C:\Documents and Settings\microsoft\Application Data\$_hpcst$.hpc
2008-03-22 16:16:14 0 d-------- C:\Program Files\Common Files
2008-03-14 23:44:26 0 d-------- C:\Program Files\Canon
2008-03-14 11:22:21 0 d-------- C:\Program Files\Norton SystemWorks Premier
2008-03-05 20:33:46 0 d-------- C:\Documents and Settings\microsoft\Application Data\Yahoo!
2008-03-05 20:15:47 0 d-------- C:\Program Files\Yahoo!
2008-02-26 09:53:35 0 d-------- C:\Documents and Settings\microsoft\Application Data\Adobe
2008-02-25 10:52:29 0 d-------- C:\Program Files\Google
2008-02-22 16:27:40 0 d-------- C:\Documents and Settings\microsoft\Application Data\Thinstall
2008-02-20 20:22:00 0 d-------- C:\Program Files\Common Files\INCA Shared
2008-02-20 12:30:46 98304 --a------ C:\WINDOWS\system32\CmdLineExt.dll <Not Verified; Sony DADC Austria AG.; >
2008-02-20 12:13:24 0 d--h----- C:\Program Files\InstallShield Installation Information
2008-02-17 22:22:10 0 d-------- C:\Documents and Settings\microsoft\Application Data\Command & Conquer 3 Tiberium Wars
2008-02-15 05:05:01 0 d-------- C:\Documents and Settings\microsoft\Application Data\Symantec
2008-02-11 11:31:43 0 d-------- C:\Program Files\Common Files\Pure Networks Shared
2008-02-10 20:37:02 0 d-------- C:\Documents and Settings\microsoft\Application Data\Ahead
2008-02-09 07:46:40 0 d-------- C:\Program Files\FamilySearch
2008-02-08 12:39:52 0 d-------- C:\Program Files\Crack
2008-02-06 06:57:37 0 d-------- C:\Program Files\MSXML 6.0
2008-02-06 01:43:30 0 d-------- C:\Documents and Settings\microsoft\Application Data\Help
2008-02-06 01:35:33 0 d-------- C:\Documents and Settings\microsoft\Application Data\Leadertech
2008-02-06 01:34:51 0 d-------- C:\Program Files\Common Files\InstallShield
2008-02-06 01:32:52 0 d-------- C:\Program Files\Common Files\TiVo Shared
2008-02-06 01:32:19 0 d-------- C:\Program Files\Roxio
2008-02-06 00:32:54 0 d-------- C:\Program Files\Microsoft Student
2008-02-06 00:32:14 0 d-------- C:\Program Files\Learning Essentials
2008-02-06 00:24:25 0 d-------- C:\Program Files\Common Files\Macrovision Shared
2008-02-06 00:18:03 0 d-------- C:\Program Files\Common Files\Adobe
2008-02-05 19:36:26 62 --ahs---- C:\Documents and Settings\microsoft\Application Data\desktop.ini
2008-02-05 12:06:32 4716 --a------ C:\WINDOWS\gdrv.sys <Not Verified; Windows 2000 DDK provider; Windows 2000 DDK driver>
2008-02-05 12:04:37 315392 --a------ C:\WINDOWS\HideWin.exe <Not Verified; Realtek Semiconductor Corp.; HD Audio Hide windows program>
2008-02-05 11:48:34 0 -rahs---- C:\MSDOS.SYS
2008-02-05 11:48:34 0 -rahs---- C:\IO.SYS
2008-02-05 11:48:34 0 --a------ C:\CONFIG.SYS
2008-02-05 11:48:34 0 --a------ C:\AUTOEXEC.BAT
2008-02-05 11:46:23 21640 --a------ C:\WINDOWS\system32\emptyregdb.dat


-- Registry Dump ---------------------------------------------------------------

*Note* empty entries & legit default entries are not shown


[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"RTHDCPL"="RTHDCPL.EXE" [07/05/2007 04:08 PM C:\WINDOWS\RTHDCPL.exe]
"SkyTel"="SkyTel.EXE" [06/15/2007 04:45 PM C:\WINDOWS\SkyTel.exe]
"Gainward"="C:\Program Files\VDOTool\TBPanel.exe" [11/27/2007 02:36 PM]
"NvCplDaemon"="C:\WINDOWS\system32\NvCpl.dll" [11/28/2007 04:45 PM]
"nwiz"="nwiz.exe" [11/28/2007 04:45 PM C:\WINDOWS\system32\nwiz.exe]
"NvMediaCenter"="C:\WINDOWS\system32\NvMcTray.dll" [11/28/2007 04:45 PM]
"NeroFilterCheck"="C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe" [05/04/2007 10:59 AM]
"RemoteControl"="C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe" [01/12/2005 03:01 AM]
"VMSnap3"="C:\WINDOWS\VMSnap3.EXE" [08/30/2006 10:58 AM]
"Domino"="C:\WINDOWS\Domino.EXE" [06/28/2006 05:54 PM]
"NSRKey"="C:\PROGRA~1\NORTON~1\NSR\Agent\NSRTray.exe" [03/26/2007 03:45 PM]
"GrooveMonitor"="C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe" [10/27/2006 12:47 AM]
"Acrobat Assistant 8.0"="C:\Program Files\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe" [01/11/2008 07:54 PM]
"dla"="C:\WINDOWS\system32\dla\tfswctrl.exe" [08/26/2005 05:33 AM]
"DetectorApp"="C:\Program Files\Roxio\MyDVD\MyDVD\DetectorApp.exe" [08/31/2005 06:15 AM]
"ISUSPM Startup"="C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe" [07/27/2004 04:50 PM]
"ISUSScheduler"="C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" [07/27/2004 04:50 PM]
"DAEMON Tools"="E:\Program Files\DAEMON Tools\daemon.exe" [11/09/2005 06:00 AM]
"nmctxth"="C:\Program Files\Common Files\Pure Networks Shared\Platform\nmctxth.exe" [10/01/2007 08:08 PM]
"Yahoo Messenger"="" []
"BigDog303"="C:\WINDOWS\VM303_STI.exe" []
"Symantec PIF AlertEng"="C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe" [01/29/2008 05:38 PM]
"ccApp"="C:\Program Files\Common Files\Symantec Shared\ccApp.exe" [01/10/2007 05:59 PM]
"Norton Save and Restore"="C:\PROGRA~1\NORTON~1\NSR\Agent\NSRTray.exe" [03/26/2007 03:45 PM]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [03/14/2008 11:39 PM]
"osCheck"="C:\Program Files\Norton AntiVirus\osCheck.exe" [01/14/2007 07:11 PM]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}"="C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe" [05/04/2007 10:39 AM]
"LightScribe Control Panel"="C:\Program Files\Common Files\LightScribe\LightScribeControlPanel.exe" [04/19/2007 01:26 PM]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [02/28/2006 08:00 PM]
"Yahoo! Pager"="E:\PROGRA~1\Yahoo!\MESSEN~1\YAHOOM~1.exe" [12/17/2007 05:13 PM]
"SUPERAntiSpyware"="E:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [02/29/2008 04:03 PM]
"H/PC Connection Agent"="C:\Program Files\Microsoft ActiveSync\Wcescomm.exe" [11/13/2006 01:39 PM]

C:\Documents and Settings\microsoft\Start Menu\Programs\Startup\
Adobe Gamma.lnk - C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [3/16/2005 7:16:50 PM]
OneNote 2007 Screen Clipper and Launcher.lnk - C:\Program Files\Microsoft Office\Office12\ONENOTEM.EXE [10/26/2006 8:24:54 PM]

[HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\system]
"DisableRegistryTools"=0 (0x0)

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"NoSetTaskbar"=0 (0x0)

[HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\explorer]
"NoRun"=0 (0x0)

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= E:\Program Files\SUPERAntiSpyware\SASSEH.DLL [12/20/2006 12:55 PM 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
E:\Program Files\SUPERAntiSpyware\SASWINLO.dll 04/19/2007 12:41 PM 294912 E:\Program Files\SUPERAntiSpyware\SASWINLO.dll

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders]
SecurityProviders msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll,


[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{7d8e340e-d4a4-11dc-9c8b-001d7dbbcdd4}]
AutoRun\command- photos.zip.exe %1
Explore\command- photos.zip.exe %1
Open\command- photos.zip.exe %1

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{ec0432bc-d413-11dc-9c81-001d7dbbcdd4}]
AutoRun\command- C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL wscript.exe VBRuntime32.dll.vbs


[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{10880D85-AAD9-4558-ABDC-2AB1552D831F}]
"C:\Program Files\Common Files\LightScribe\LSRunOnce.exe"



-- End of Deckard's System Scanner: finished at 2008-04-06 23:52:36 ------------

Edited by Choknat, 06 April 2008 - 10:02 AM.

  • 0

#12
Choknat

Choknat

    Member

  • Topic Starter
  • Member
  • PipPip
  • 37 posts
EXTRA.TXT

Deckard's System Scanner v20071014.68
Extra logfile - please post this as an attachment with your post.
--------------------------------------------------------------------------------

-- System Information ----------------------------------------------------------

Microsoft Windows XP Home Edition (build 2600) SP 2.0
Architecture: X86; Language: English

CPU 0: Intel® Core™2 Duo CPU E4500 @ 2.20GHz
CPU 1: Intel® Core™2 Duo CPU E4500 @ 2.20GHz
Percentage of Memory in Use: 57%
Physical Memory (total/avail): 1023.48 MiB / 430.3 MiB
Pagefile Memory (total/avail): 2460.2 MiB / 1841.57 MiB
Virtual Memory (total/avail): 2047.88 MiB / 1903.4 MiB

C: is Fixed (NTFS) - 51.39 GiB total, 38.91 GiB free.
D: is CDROM (No Media)
E: is Fixed (NTFS) - 97.66 GiB total, 82.34 GiB free.
F: is CDROM (No Media)
G: is Removable (FAT)

\\.\PHYSICALDRIVE0 - ST3160215AS - 149.05 GiB - 2 partitions
\PARTITION0 (bootable) - Installable File System - 51.39 GiB - C:
\PARTITION1 - Extended w/Extended Int 13 - 97.66 GiB - E:

\\.\PHYSICALDRIVE1 - JetFlash TS2GJFV10 USB Device - 1961.06 MiB - 1 partition
\PARTITION0 (bootable) - MS-DOS V4 Huge - 1967.97 MiB - G:



-- Security Center -------------------------------------------------------------

AUOptions is scheduled to auto-install.
Windows Internal Firewall is disabled.

FirstRunDisabled is set.
AntivirusOverride is set.

FW: Norton AntiVirus v2007 (Symantec Corporation)
AV: Norton AntiVirus v2007 (Symantec Corporation)

[HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"%windir%\\Network Diagnostic\\xpnetdiag.exe"="%windir%\\Network Diagnostic\\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"
"C:\\Program Files\\Microsoft ActiveSync\\rapimgr.exe"="C:\\Program Files\\Microsoft ActiveSync\\rapimgr.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync RAPI Manager"
"C:\\Program Files\\Microsoft ActiveSync\\wcescomm.exe"="C:\\Program Files\\Microsoft ActiveSync\\wcescomm.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync Connection Manager"
"C:\\Program Files\\Microsoft ActiveSync\\WCESMgr.exe"="C:\\Program Files\\Microsoft ActiveSync\\WCESMgr.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync Application"

[HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"C:\\WINDOWS\\system32\\dxdiag.exe"="C:\\WINDOWS\\system32\\dxdiag.exe:*:Enabled:Microsoft DirectX Diagnostic Tool"
"%windir%\\Network Diagnostic\\xpnetdiag.exe"="%windir%\\Network Diagnostic\\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"
"C:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"="C:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE:*:Enabled:Microsoft Office Outlook"
"C:\\Program Files\\Microsoft Office\\Office12\\GROOVE.EXE"="C:\\Program Files\\Microsoft Office\\Office12\\GROOVE.EXE:*:Enabled:Microsoft Office Groove"
"C:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"="C:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE:*:Enabled:Microsoft Office OneNote"
"E:\\Program Files\\Atari\\Neverwinter Nights 2\\nwn2main.exe"="E:\\Program Files\\Atari\\Neverwinter Nights 2\\nwn2main.exe:*:Enabled:Neverwinter Nights 2 Main"
"E:\\Program Files\\Atari\\Neverwinter Nights 2\\nwn2main_amdxp.exe"="E:\\Program Files\\Atari\\Neverwinter Nights 2\\nwn2main_amdxp.exe:*:Enabled:Neverwinter Nights 2 AMD"
"E:\\Program Files\\Atari\\Neverwinter Nights 2\\nwupdate.exe"="E:\\Program Files\\Atari\\Neverwinter Nights 2\\nwupdate.exe:*:Enabled:Neverwinter Nights 2 Updater"
"E:\\Program Files\\Atari\\Neverwinter Nights 2\\nwn2server.exe"="E:\\Program Files\\Atari\\Neverwinter Nights 2\\nwn2server.exe:*:Enabled:Neverwinter Nights 2 Server"
"E:\\Program Files\\softnyx\\GunboundWC\\GunBound.gme"="E:\\Program Files\\softnyx\\GunboundWC\\GunBound.gme:*:Enabled:GunBound"
"E:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"="E:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe:*:Enabled:Yahoo! Messenger"
"C:\\Program Files\\Microsoft ActiveSync\\rapimgr.exe"="C:\\Program Files\\Microsoft ActiveSync\\rapimgr.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync RAPI Manager"
"C:\\Program Files\\Microsoft ActiveSync\\wcescomm.exe"="C:\\Program Files\\Microsoft ActiveSync\\wcescomm.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync Connection Manager"
"C:\\Program Files\\Microsoft ActiveSync\\WCESMgr.exe"="C:\\Program Files\\Microsoft ActiveSync\\WCESMgr.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync Application"


-- Environment Variables -------------------------------------------------------

ALLUSERSPROFILE=C:\Documents and Settings\All Users
APPDATA=C:\Documents and Settings\microsoft\Application Data
CLASSPATH=.;C:\Program Files\QuickTime\QTSystem\QTJava.zip
CLIENTNAME=Console
CommonProgramFiles=C:\Program Files\Common Files
COMPUTERNAME=DESKTOP-1
ComSpec=C:\WINDOWS\system32\cmd.exe
FP_NO_HOST_CHECK=NO
HOMEDRIVE=C:
HOMEPATH=\Documents and Settings\microsoft
LOGONSERVER=\\DESKTOP-1
NUMBER_OF_PROCESSORS=2
OS=Windows_NT
Path=C:\WINDOWS\system32;C:\WINDOWS;C:\WINDOWS\system32\wbem;C:\Program Files\Common Files\Adobe\AGL;C:\Program Files\QuickTime\QTSystem
PATHEXT=.COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH
PROCESSOR_ARCHITECTURE=x86
PROCESSOR_IDENTIFIER=x86 Family 6 Model 15 Stepping 13, GenuineIntel
PROCESSOR_LEVEL=6
PROCESSOR_REVISION=0f0d
ProgramFiles=C:\Program Files
PROMPT=$P$G
QTJAVA=C:\Program Files\QuickTime\QTSystem\QTJava.zip
SESSIONNAME=Console
SystemDrive=C:
SystemRoot=C:\WINDOWS
TEMP=C:\DOCUME~1\MICROS~1\LOCALS~1\Temp
TMP=C:\DOCUME~1\MICROS~1\LOCALS~1\Temp
USERDOMAIN=DESKTOP-1
USERNAME=microsoft
USERPROFILE=C:\Documents and Settings\microsoft
windir=C:\WINDOWS
__COMPAT_LAYER=EnableNXShowUI


-- User Profiles ---------------------------------------------------------------

microsoft (admin)


-- Add/Remove Programs ---------------------------------------------------------

--> C:\PROGRA~1\Yahoo!\Common\UNYT_W~1.EXE
--> C:\Program Files\Nero\Nero 7\nero\uninstall\UNNERO.exe /UNINSTALL
--> C:\WINDOWS\system32\\MSIEXEC.EXE /x {1206EF92-2E83-4859-ACCB-2048C3CB7DA6}
--> C:\WINDOWS\UNNeroMediaHome.exe /UNINSTALL
--> C:\WINDOWS\UNNeroShowTime.exe /UNINSTALL
--> C:\WINDOWS\UNNeroVision.exe /UNINSTALL
--> C:\WINDOWS\UNRecode.exe /UNINSTALL
--> MsiExec.exe /I{0F122737-72B2-4095-8B3E-7AAE753DFD3D}
--> rundll32.exe setupapi.dll,InstallHinfSection DefaultUninstall 132 C:\WINDOWS\INF\PCHealth.inf
A4 TECH PC Camera H --> C:\Program Files\InstallShield Installation Information\{CE3B8E96-B0AF-4871-9178-1519B58E3A93}\setup.exe -runfromtemp -l0x0009 -removeonly
Adobe Acrobat 8.1.2 Professional --> msiexec /I {AC76BA86-1033-F400-7760-000000000003}
Adobe Bridge 1.0 --> MsiExec.exe /I{B74D4E10-1033-0000-0000-000000000001}
Adobe Common File Installer --> MsiExec.exe /I{8EDBA74D-0686-4C99-BFDD-F894678E5B39}
Adobe Flash Player ActiveX --> C:\WINDOWS\system32\Macromed\Flash\uninstall_activeX.exe
Adobe Help Center 1.0 --> MsiExec.exe /I{E9787678-1033-0000-8E67-000000000001}
Adobe Photoshop CS2 --> msiexec /I {236BB7C4-4419-42FD-0409-1E257A25E34D}
Adobe Stock Photos 1.0 --> MsiExec.exe /I{786C5747-1033-0000-B58E-000000000001}
AppCore --> MsiExec.exe /I{EFB5B3B5-A280-4E25-BE1C-634EEFE32C1B}
AV --> MsiExec.exe /I{F4DB525F-A986-4249-B98B-42A8066251CA}
Canon Camera Access Library --> "C:\Program Files\Common Files\Canon\UIW\1.3.0.0\Uninst.exe" "C:\Program Files\Canon\CAL\Uninst.ini"
Canon Camera Support Core Library --> "C:\Program Files\Common Files\Canon\UIW\1.3.0.0\Uninst.exe" "C:\Program Files\Canon\CSCLIB\Uninst.ini"
Canon Digital Camera USB WIA Driver --> C:\WINDOWS\IsUninst.exe -f"C:\Program Files\Canon\DC USB WIA\Uninst.isu" -c"C:\Program Files\Canon\DC USB WIA\SetupWia.dll"
Canon G.726 WMP-Decoder --> "C:\Program Files\Common Files\Canon\UIW\1.3.0.0\Uninst.exe" "C:\Program Files\Canon\G726Decoder\G726DecUnInstall.ini"
Canon MovieEdit Task for ZoomBrowser EX --> "C:\Program Files\Common Files\Canon\UIW\1.3.0.0\Uninst.exe" "C:\Program Files\Canon\ZoomBrowser EX\Program\MVWUninst.ini"
Canon PhotoRecord --> C:\WINDOWS\IsUninst.exe -f"C:\Program Files\Canon\PhotoRecord\Uninst.isu" -c"C:\Program Files\Canon\PhotoRecord\Program\uninstdll.dll"
Canon PowerShot A30 WIA Driver --> C:\WINDOWS\IsUninst.exe -f"C:\Program Files\Canon\PowerShot A30 WIA\Uninst.isu" -c"C:\Program Files\Canon\PowerShot A30 WIA\UNSTE114.dll"
Canon PowerShot A40 WIA Driver --> C:\WINDOWS\IsUninst.exe -f"C:\Program Files\Canon\PowerShot A40 WIA\Uninst.isu" -c"C:\Program Files\Canon\PowerShot A40 WIA\UNSTD113.dll"
Canon RAW Image Task for ZoomBrowser EX --> "C:\Program Files\Common Files\Canon\UIW\1.3.0.0\Uninst.exe" "C:\Program Files\Canon\RAW Image Task\Uninst.ini"
Canon S300 --> C:\WINDOWS\system32\CNMS300.EXE [email protected]:\WINDOWS\IsUninst.exe -f"C:\BJPrinter\CNMWINDOWS\Canon S300 Installer\Inst\DeIsL1.isu" -pCanon S300-c"C:\BJPrinter\CNMWINDOWS\Canon S300 Installer\Inst\bjinst.dll
Canon Utilities CameraWindow --> "C:\Program Files\Common Files\Canon\UIW\1.3.0.0\Uninst.exe" "C:\Program Files\Canon\CameraWindow\CameraWindowLauncher\Uninst.ini"
Canon Utilities CameraWindow DC --> "C:\Program Files\Common Files\Canon\UIW\1.3.0.0\Uninst.exe" "C:\Program Files\Canon\CameraWindow\CameraWindowDC\Uninst.ini"
Canon Utilities CameraWindow DC_DV 5 for ZoomBrowser EX --> "C:\Program Files\Common Files\Canon\UIW\1.3.0.0\Uninst.exe" "C:\Program Files\Canon\CameraWindow\CameraWindowDVC\Uninst.ini"
Canon Utilities CameraWindow DC_DV 6 for ZoomBrowser EX --> "C:\Program Files\Common Files\Canon\UIW\1.3.0.0\Uninst.exe" "C:\Program Files\Canon\CameraWindow\CameraWindowDVC6\Uninst.ini"
Canon Utilities EOS Utility --> "C:\Program Files\Common Files\Canon\UIW\1.3.0.0\Uninst.exe" "C:\Program Files\Canon\EOS Utility\Uninst.ini"
Canon Utilities MyCamera --> "C:\Program Files\Common Files\Canon\UIW\1.3.0.0\Uninst.exe" "C:\Program Files\Canon\CameraWindow\MyCamera\Uninst.ini"
Canon Utilities MyCamera DC --> "C:\Program Files\Common Files\Canon\UIW\1.3.0.0\Uninst.exe" "C:\Program Files\Canon\CameraWindow\MyCameraDC\Uninst.ini"
Canon Utilities PhotoStitch --> "C:\Program Files\Common Files\Canon\UIW\1.3.0.0\Uninst.exe" "C:\Program Files\Canon\PhotoStitch\Uninst.ini"
Canon Utilities RAW Image Converter --> C:\WINDOWS\IsUninst.exe -f"C:\Program Files\Canon\RAW Image Converter\Uninst.isu"
Canon Utilities RemoteCapture 2.2 --> C:\WINDOWS\IsUninst.exe -f"C:\Program Files\Canon\RemoteCapture\Uninst.isu"
Canon Utilities RemoteCapture DC --> "C:\Program Files\Common Files\Canon\UIW\1.3.0.0\Uninst.exe" "C:\Program Files\Canon\CameraWindow\RemoteCaptureDC\Uninst.ini"
Canon Utilities RemoteCapture Task for ZoomBrowser EX --> "C:\Program Files\Common Files\Canon\UIW\1.3.0.0\Uninst.exe" "C:\Program Files\Canon\CameraWindow\RemoteCaptureTask DC\Uninst.ini"
Canon Utilities ZoomBrowser EX --> "C:\Program Files\Common Files\Canon\UIW\1.3.0.0\Uninst.exe" "C:\Program Files\Canon\ZoomBrowser EX\Program\Uninst.ini"
Canon ZoomBrowser EX Memory Card Utility --> "C:\Program Files\Common Files\Canon\UIW\1.3.0.0\Uninst.exe" "C:\Program Files\Canon\ZoomBrowser EX MCU\Uninst.ini"
ccCommon --> MsiExec.exe /I{3CCAD2EF-CFF2-4637-82AA-AABF370282D3}
Command & Conquer 3 --> MsiExec.exe /I{B0C30E93-D3D9-4F04-A2AC-54749B573275}
Family History Library Catalog --> C:\WINDOWS\IsUninst.exe -f"C:\Program Files\FamilySearch\FHLC\Uninst.isu"
GunboundWC --> "E:\Program Files\softnyx\unins000.exe"
High Definition Audio Driver Package - KB888111 --> "C:\WINDOWS\$NtUninstallKB888111WXPSP2$\spuninst\spuninst.exe"
HijackThis 2.0.2 --> "C:\Program Files\Trend Micro\HijackThis\HijackThis.exe" /uninstall
Internet Worm Protection --> MsiExec.exe /I{2908F0CB-C1D4-447F-97A2-CFC135C9F8D4}
Learning Essentials for Microsoft Office --> MsiExec.exe /X{B348E585-E872-41DF-8234-E2D49917CFBB}
LiveUpdate 3.2 (Symantec Corporation) --> "C:\Program Files\Symantec\LiveUpdate\LSETUP.EXE" /U
LiveUpdate Notice (Symantec Corporation) --> MsiExec.exe /X{DBA4DB9D-EE51-4944-A419-98AB1F1249C8}
Microsoft ActiveSync --> MsiExec.exe /I{99052DB7-9592-4522-A558-5417BBAD48EE}
Microsoft Math --> MsiExec.exe /I{07043840-959A-4B0D-8825-2C533F0DDB19}
Microsoft Office Access MUI (English) 2007 --> MsiExec.exe /X{90120000-0015-0409-0000-0000000FF1CE}
Microsoft Office Access Setup Metadata MUI (English) 2007 --> MsiExec.exe /X{90120000-0117-0409-0000-0000000FF1CE}
Microsoft Office Enterprise 2007 --> "C:\Program Files\Common Files\Microsoft Shared\OFFICE12\Office Setup Controller\setup.exe" /uninstall ENTERPRISE /dll OSETUP.DLL
Microsoft Office Enterprise 2007 --> MsiExec.exe /X{90120000-0030-0000-0000-0000000FF1CE}
Microsoft Office Excel MUI (English) 2007 --> MsiExec.exe /X{90120000-0016-0409-0000-0000000FF1CE}
Microsoft Office Groove MUI (English) 2007 --> MsiExec.exe /X{90120000-00BA-0409-0000-0000000FF1CE}
Microsoft Office Groove Setup Metadata MUI (English) 2007 --> MsiExec.exe /X{90120000-0114-0409-0000-0000000FF1CE}
Microsoft Office InfoPath MUI (English) 2007 --> MsiExec.exe /X{90120000-0044-0409-0000-0000000FF1CE}
Microsoft Office OneNote MUI (English) 2007 --> MsiExec.exe /X{90120000-00A1-0409-0000-0000000FF1CE}
Microsoft Office Outlook MUI (English) 2007 --> MsiExec.exe /X{90120000-001A-0409-0000-0000000FF1CE}
Microsoft Office PowerPoint MUI (English) 2007 --> MsiExec.exe /X{90120000-0018-0409-0000-0000000FF1CE}
Microsoft Office Proof (English) 2007 --> MsiExec.exe /X{90120000-001F-0409-0000-0000000FF1CE}
Microsoft Office Proof (French) 2007 --> MsiExec.exe /X{90120000-001F-040C-0000-0000000FF1CE}
Microsoft Office Proof (Spanish) 2007 --> MsiExec.exe /X{90120000-001F-0C0A-0000-0000000FF1CE}
Microsoft Office Proofing (English) 2007 --> MsiExec.exe /X{90120000-002C-0409-0000-0000000FF1CE}
Microsoft Office Publisher MUI (English) 2007 --> MsiExec.exe /X{90120000-0019-0409-0000-0000000FF1CE}
Microsoft Office Shared MUI (English) 2007 --> MsiExec.exe /X{90120000-006E-0409-0000-0000000FF1CE}
Microsoft Office Shared Setup Metadata MUI (English) 2007 --> MsiExec.exe /X{90120000-0115-0409-0000-0000000FF1CE}
Microsoft Office Word MUI (English) 2007 --> MsiExec.exe /X{90120000-001B-0409-0000-0000000FF1CE}
Microsoft Student 2007 for Learning Essentials --> RunDll32.exe advpack.dll, LaunchINFSectionEx C:\Program Files\Learning Essentials\1.0\en\US\Microsoft Student 2007\Uninstall\Uninstall.inf,Uninstall,,,N
Microsoft Visual C++ 2005 Redistributable --> MsiExec.exe /X{7299052b-02a4-4627-81f2-1818da5d550d}
MSXML 6.0 Parser (KB933579) --> MsiExec.exe /I{0A869A65-8C94-4F7C-A5C7-972D3C8CED9E}
Nero 7 Essentials --> MsiExec.exe /X{F61DD673-0030-4BB2-A382-7E57E97F1033}
Network Magic --> C:\Documents and Settings\All Users\Application Data\Pure Networks\Setup\nmsetup.exe /uninstall
Neverwinter Nights 2 --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\10\00\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{F20C1251-1D0A-4944-B2AE-678581B33B19}\SETUP.exe" -l0x9 -removeonly
Norton 360 --> MsiExec.exe /I{63A6E9A9-A190-46D4-9430-2DB28654AFD8}
Norton AntiVirus --> MsiExec.exe /X{830D8CBD-C668-49e2-A969-C2C2106332E0}
Norton AntiVirus (Symantec Corporation) --> "C:\Program Files\Common Files\Symantec Shared\SymSetup\{830D8CBD-C668-49e2-A969-C2C2106332E0}_14_2_0_29\{830D8CBD-C668-49e2-A969-C2C2106332E0}.exe" /X
Norton AntiVirus Help --> MsiExec.exe /I{34EEB1F5-E939-40A1-A6BA-957282A4B2C8}
Norton AntiVirus Parent MSI --> MsiExec.exe /I{E5EE9939-259F-4DE2-8023-5C49E16A4F43}
Norton AntiVirus SYMLT MSI --> MsiExec.exe /I{D1FF75E7-DD42-4CFD-B052-20B3FFF4EDB8}
Norton Protection Center --> MsiExec.exe /I{9A129ABC-A53A-4209-A21E-D5DEDFB7CCA8}
Norton Save and Restore --> MsiExec.exe /X{B0255743-165B-4BD5-8DA8-37DFB993B101}
NVIDIA Drivers --> C:\WINDOWS\system32\nvudisp.exe UninstallGUI
PowerDVD --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{6811CAA0-BF12-11D4-9EA1-0050BAE317E1}\setup.exe" -uninstall
PowerQuest PartitionMagic 8.0 --> C:\PROGRA~1\COMMON~1\INSTAL~1\Driver\7\INTEL3~1\IDriver.exe /M{6BE2A4A4-99FB-48ED-AE1E-4E850389F804}
QuickTime --> C:\PROGRA~1\COMMON~1\INSTAL~1\Driver\11\INTEL3~1\IDriver.exe /M{C21D5524-A970-42FA-AC8A-59B8C7CDCA31} /l1033
REALTEK GbE & FE Ethernet PCI-E NIC Driver --> C:\Program Files\InstallShield Installation Information\{C9BED750-1211-4480-B1A5-718A3BE15525}\SETUP.EXE -runfromtemp -l0x0009 -removeonly
Realtek High Definition Audio Driver --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\11\50\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{F132AF7F-7BCA-4EDE-8A7C-958108FE7DBC}\SETUP.EXE" -l0x9 -removeonly
Roxio MyDVD --> MsiExec.exe /I{21657574-BD54-48A2-9450-EB03B2C7FC29}
Roxio UDF Reader --> MsiExec.exe /I{1206EF92-2E83-4859-ACCB-2048C3CB7DA6}
Roxio Update Manager --> MsiExec.exe /I{30465B6C-B53F-49A1-9EBA-A3F187AD502E}
SPBBC 32bit --> MsiExec.exe /I{77772678-817F-4401-9301-ED1D01A8DA56}
SpywareBlaster 4.0 --> "E:\Program Files\SpywareBlaster\unins000.exe"
SUPERAntiSpyware Free Edition --> MsiExec.exe /X{CDDCBBF1-2703-46BC-938B-BCC81A1EEAAA}
Symantec --> MsiExec.exe /I{228F6876-A313-40A3-91C0-C3CBE6997D09}
VDOTool 5.9 --> "C:\Program Files\VDOTool\unins000.exe"
Windows Driver Package - Pure Networks, Inc. Pure Networks Device Discovery Driver (08/24/2007 4.6.7236.0) --> rundll32.exe C:\PROGRA~1\DIFX\B7A8D76A63BBE060C656AA54D656BF7D1C31D4C3\DIFxAppA.dll, DIFxARPUninstallDriverPackage C:\WINDOWS\system32\DRVSTORE\pnarp_EA1D46527BDDE0262D42D36737D2D9EC73FFB1A0\pnarp.inf
Windows Driver Package - Pure Networks, Inc. Pure Networks Wireless Driver (08/24/2007 4.6.7236.0) --> rundll32.exe C:\PROGRA~1\DIFX\B7A8D76A63BBE060C656AA54D656BF7D1C31D4C3\DIFxAppA.dll, DIFxARPUninstallDriverPackage C:\WINDOWS\system32\DRVSTORE\purendis_63F463FB269B562703E37AAC1A91B3A645B65380\purendis.inf
WinRAR archiver --> E:\Program Files\WinRAR\uninstall.exe
Yahoo! Messenger --> E:\PROGRA~1\Yahoo!\MESSEN~1\UNWISE.EXE /U E:\PROGRA~1\Yahoo!\MESSEN~1\INSTALL.LOG
Yahoo! 工具列 --> C:\PROGRA~1\Yahoo!\Common\UNYT_W~1.EXE


-- Application Event Log -------------------------------------------------------

Event Record #/Type9605 / Error
Event Submitted/Written: 04/06/2008 05:33:17 PM
Event ID/Source: 1000 / Application Error
Event Description:
Faulting application nsrtray.exe, version 11.0.2.20309, faulting module nsrtray.exe, version 11.0.2.20309, fault address 0x000042e9.
Processing media-specific event for [nsrtray.exe!ws!]

Event Record #/Type9559 / Error
Event Submitted/Written: 04/06/2008 10:28:37 AM
Event ID/Source: 1000 / Application Error
Event Description:
Faulting application nsrtray.exe, version 11.0.2.20309, faulting module nsrtray.exe, version 11.0.2.20309, fault address 0x000042e9.
Processing media-specific event for [nsrtray.exe!ws!]

Event Record #/Type9536 / Error
Event Submitted/Written: 04/06/2008 09:13:37 AM
Event ID/Source: 1000 / Application Error
Event Description:
Faulting application gunbound.gme, version 0.0.2.40, faulting module , version 0.0.0.0, fault address 0x00000000.
Processing media-specific event for [gunbound.gme!ws!]

Event Record #/Type9471 / Error
Event Submitted/Written: 04/05/2008 06:40:10 PM
Event ID/Source: 1000 / Application Error
Event Description:
Faulting application nsrtray.exe, version 11.0.2.20309, faulting module nsrtray.exe, version 11.0.2.20309, fault address 0x000042e9.
Processing media-specific event for [nsrtray.exe!ws!]

Event Record #/Type9450 / Error
Event Submitted/Written: 04/05/2008 09:19:02 AM
Event ID/Source: 1000 / Application Error
Event Description:
Faulting application cnc3game.dat, version 1.0.2588.1237, faulting module kernel32.dll, version 5.1.2600.3119, fault address 0x00012a5b.
Processing media-specific event for [cnc3game.dat!ws!]



-- Security Event Log ----------------------------------------------------------

No Errors/Warnings found.


-- System Event Log ------------------------------------------------------------

Event Record #/Type20128 / Error
Event Submitted/Written: 04/06/2008 11:04:07 PM
Event ID/Source: 7000 / Service Control Manager
Event Description:
The Cardex service failed to start due to the following error:
%%183

Event Record #/Type20105 / Warning
Event Submitted/Written: 04/06/2008 10:00:17 PM
Event ID/Source: 4226 / Tcpip
Event Description:
TCP/IP has reached the security limit imposed on the number of concurrent TCP connect attempts.

Event Record #/Type20104 / Warning
Event Submitted/Written: 04/06/2008 08:51:31 PM
Event ID/Source: 4226 / Tcpip
Event Description:
TCP/IP has reached the security limit imposed on the number of concurrent TCP connect attempts.

Event Record #/Type20087 / Error
Event Submitted/Written: 04/06/2008 07:41:53 PM
Event ID/Source: 7000 / Service Control Manager
Event Description:
The Cardex service failed to start due to the following error:
%%183

Event Record #/Type20024 / Error
Event Submitted/Written: 04/06/2008 11:46:05 AM
Event ID/Source: 7000 / Service Control Manager
Event Description:
The Cardex service failed to start due to the following error:
%%183



-- End of Deckard's System Scanner: finished at 2008-04-06 23:52:36 ------------


so there it goes.. hope we can fix it even w/o the kapersky log... :)
  • 0

#13
Chopin

Chopin

    Member 2k

  • Member
  • PipPipPipPipPip
  • 2,639 posts
Hello Choknat, no worries about the Kaspersky log. Let's get a couple of other scans done.

Please read my entire post before commencing, and please follow my instructions in the order that they are given :) If you don't understand something, don't be afraid to ask!

1. Run SDFix
------------------------------------------------

You may want to save this page as an HTML file or copy the contents of this page to a Notepad or Word document as this part of our fix requires you to boot into Safe Mode, and you will not have Internet access.

Download SDFix and save it to your Desktop.

Double click SDFix.exe and it will extract the files to %systemdrive%
(Drive that contains the Windows Directory, typically C:\SDFix)

Please then reboot your computer in Safe Mode by doing the following :
  • Restart your computer
  • After hearing your computer beep once during startup, but before the Windows icon appears, tap the F8 key continually;
  • Instead of Windows loading as normal, the Advanced Options Menu should appear;
  • Select the first option, to run Windows in Safe Mode, then press Enter.
  • Choose your usual account.
  • Open the extracted SDFix folder and double click RunThis.bat to start the script.
  • Type Y to begin the cleanup process.
  • It will remove any Trojan Services and Registry Entries that it finds then prompt you to press any key to Reboot.
  • Press any Key and it will restart the PC.
  • When the PC restarts the Fixtool will run again and complete the removal process then display Finished, press any key to end the script and load your desktop icons.
  • Once the desktop icons load the SDFix report will open on screen and also save into the SDFix folder as Report.txt
    (Report.txt will also be copied to Clipboard ready for posting back on the forum).
  • Finally paste the contents of the Report.txt back on the forum with a new HijackThis log

2. Scan with AVG Anti-Spyware
------------------------------------------------

You may want to save this page as an HTML file or copy the contents of this page to a Notepad or Word document as this part of our fix requires you to boot into Safe Mode, and you will not have Internet access.

First download AVG Anti-Spyware from HERE and save that file to your desktop.
This is a 30 day trial of the program
  • Once you have downloaded AVG Anti-Spyware, locate the icon on the desktop and double-click it to launch the set up program.
  • Once the setup is complete you will need run AVG Anti-Spyware and update the definition files.
  • On the main screen select the icon "Update" then select the "Update now" link.
    • Next select the "Start Update" button, the update will start and a progress bar will show the updates being installed.
  • Once the update has completed select the "Scanner" icon at the top of the screen, then select the "Settings" tab.
  • Once in the Settings screen click on "Recommended actions" and then select "Quarantine".
  • Under "Reports"
    • Select ""Do no automatically generate report""
    • Un-Select "Only if threats were found"
Close AVG Anti-Spyware, Do Not run a scan just yet, we will shortly.
  • Reboot your computer into SafeMode. You can do this by restarting your computer and continually tapping the F8 key until a menu appears. Use your up arrow key to highlight SafeMode then hit enter.
    IMPORTANT: Do not open any other windows or programs while AVG Anti-Spyware is scanning, it may interfere with the scanning proccess:
  • Lauch AVG Anti-Spyware by double-clicking the icon on your desktop.
  • Select the "Scanner" icon at the top and then the "Scan" tab then click on "Complete System Scan".
  • AVG Anti-Spyware will now begin the scanning process, be patient this may take a little time.
    Once the scan is complete do the following:
  • If you have any infections you will prompted, then select "Apply all actions"
  • Next select the "Reports" icon at the top.
  • Select the "Save report as" button in the lower left hand of the screen and save it to a text file on your system (make sure to remember where you saved that file, this is important).
  • Close AVG Anti-Spyware and reboot your system back into Normal Mode and post the results of the AVG Anti-Spyware report scan.
In your next post
------------------------------------------------

  • SDFix log
  • AVG Anti-Spyware log

  • 0

#14
Choknat

Choknat

    Member

  • Topic Starter
  • Member
  • PipPip
  • 37 posts
Hi sir Fredil Yupigo,

I'm sorry mt reply is late.. my inetrnet provider is having some problem in the network so i cannot post it earlier.. anyways here's the two report you ask me to post.. Thanks! :)


SDFix: Version 1.167
Run by microsoft on Wed 04/09/2008 at 02:51 AM

Microsoft Windows XP [Version 5.1.2600]
Running From: C:\SDFix

Checking Services :


Restoring Windows Registry Values
Restoring Windows Default Hosts File

Rebooting


Checking Files :

No Trojan Files Found






Removing Temp Files

ADS Check :



Final Check :

catchme 0.3.1351.2 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-04-09 02:58:06
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden services & system hive ...

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\sptd\Cfg]
"s0"=dword:ed11adba
"s1"=dword:796cd7eb
"s2"=dword:67ce65c5
"h0"=dword:00000001

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4]
"h0"=dword:00000000
"khjeh"=hex:7f,34,af,1c,75,fc,d8,74,4e,fd,c7,ad,20,8d,8b,61,1b,5d,ba,58,66,..
"p0"="E:\Program Files\DAEMON Tools\"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001]
"a0"=hex:20,01,00,00,55,82,4a,5c,72,01,5b,c2,cd,a9,65,32,f3,95,ea,3a,2b,..
"khjeh"=hex:db,70,15,16,51,f7,f0,3a,c6,fe,e1,2a,5f,45,9d,39,28,f2,d3,4c,58,..

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf40]
"khjeh"=hex:8c,98,61,6d,f7,a6,67,af,1a,51,19,c9,68,b0,9c,b7,aa,04,5e,55,99,..
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4]
"h0"=dword:00000000
"khjeh"=hex:7f,34,af,1c,75,fc,d8,74,4e,fd,c7,ad,20,8d,8b,61,1b,5d,ba,58,66,..
"p0"="E:\Program Files\DAEMON Tools\"

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001]
"a0"=hex:20,01,00,00,55,82,4a,5c,72,01,5b,c2,cd,a9,65,32,f3,95,ea,3a,2b,..
"khjeh"=hex:db,70,15,16,51,f7,f0,3a,c6,fe,e1,2a,5f,45,9d,39,28,f2,d3,4c,58,..

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf40]
"khjeh"=hex:8c,98,61,6d,f7,a6,67,af,1a,51,19,c9,68,b0,9c,b7,aa,04,5e,55,99,..

scanning hidden registry entries ...

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Prefetcher]
"TracesProcessed"=dword:00000090

scanning hidden files ...

scan completed successfully
hidden processes: 0
hidden services: 0
hidden files: 0


Remaining Services :



Authorized Application Key Export:

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"C:\\WINDOWS\\system32\\dxdiag.exe"="C:\\WINDOWS\\system32\\dxdiag.exe:*:Enabled:Microsoft DirectX Diagnostic Tool"
"%windir%\\Network Diagnostic\\xpnetdiag.exe"="%windir%\\Network Diagnostic\\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"
"C:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"="C:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE:*:Enabled:Microsoft Office Outlook"
"C:\\Program Files\\Microsoft Office\\Office12\\GROOVE.EXE"="C:\\Program Files\\Microsoft Office\\Office12\\GROOVE.EXE:*:Enabled:Microsoft Office Groove"
"C:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"="C:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE:*:Enabled:Microsoft Office OneNote"
"E:\\Program Files\\Atari\\Neverwinter Nights 2\\nwn2main.exe"="E:\\Program Files\\Atari\\Neverwinter Nights 2\\nwn2main.exe:*:Enabled:Neverwinter Nights 2 Main"
"E:\\Program Files\\Atari\\Neverwinter Nights 2\\nwn2main_amdxp.exe"="E:\\Program Files\\Atari\\Neverwinter Nights 2\\nwn2main_amdxp.exe:*:Enabled:Neverwinter Nights 2 AMD"
"E:\\Program Files\\Atari\\Neverwinter Nights 2\\nwupdate.exe"="E:\\Program Files\\Atari\\Neverwinter Nights 2\\nwupdate.exe:*:Enabled:Neverwinter Nights 2 Updater"
"E:\\Program Files\\Atari\\Neverwinter Nights 2\\nwn2server.exe"="E:\\Program Files\\Atari\\Neverwinter Nights 2\\nwn2server.exe:*:Enabled:Neverwinter Nights 2 Server"
"E:\\Program Files\\softnyx\\GunboundWC\\GunBound.gme"="E:\\Program Files\\softnyx\\GunboundWC\\GunBound.gme:*:Enabled:GunBound"
"E:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"="E:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe:*:Enabled:Yahoo! Messenger"
"C:\\Program Files\\Microsoft ActiveSync\\rapimgr.exe"="C:\\Program Files\\Microsoft ActiveSync\\rapimgr.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync RAPI Manager"
"C:\\Program Files\\Microsoft ActiveSync\\wcescomm.exe"="C:\\Program Files\\Microsoft ActiveSync\\wcescomm.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync Connection Manager"
"C:\\Program Files\\Microsoft ActiveSync\\WCESMgr.exe"="C:\\Program Files\\Microsoft ActiveSync\\WCESMgr.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync Application"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\domainprofile\authorizedapplications\list]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"%windir%\\Network Diagnostic\\xpnetdiag.exe"="%windir%\\Network Diagnostic\\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"
"C:\\Program Files\\Microsoft ActiveSync\\rapimgr.exe"="C:\\Program Files\\Microsoft ActiveSync\\rapimgr.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync RAPI Manager"
"C:\\Program Files\\Microsoft ActiveSync\\wcescomm.exe"="C:\\Program Files\\Microsoft ActiveSync\\wcescomm.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync Connection Manager"
"C:\\Program Files\\Microsoft ActiveSync\\WCESMgr.exe"="C:\\Program Files\\Microsoft ActiveSync\\WCESMgr.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync Application"

Remaining Files :


File Backups: - C:\SDFix\backups\backups.zip

Files with Hidden Attributes :

Mon 7 Apr 2008 4,348 ..SH. --- "C:\Documents and Settings\All Users\DRM\DRMv1.bak"
Sat 1 Dec 2007 13,239,608 A..H. --- "C:\Documents and Settings\All Users\Application Data\Pure Networks\Network Magic\1033\Update\BIT10.tmp"
Sat 1 Dec 2007 13,239,608 A..H. --- "C:\Documents and Settings\All Users\Application Data\Pure Networks\Network Magic\1033\Update\BIT11.tmp"
Sat 1 Dec 2007 13,239,608 A..H. --- "C:\Documents and Settings\All Users\Application Data\Pure Networks\Network Magic\1033\Update\BIT12.tmp"
Sat 1 Dec 2007 13,239,608 A..H. --- "C:\Documents and Settings\All Users\Application Data\Pure Networks\Network Magic\1033\Update\BIT13.tmp"
Sat 1 Dec 2007 13,239,608 A..H. --- "C:\Documents and Settings\All Users\Application Data\Pure Networks\Network Magic\1033\Update\BIT14.tmp"
Sat 1 Dec 2007 13,239,608 A..H. --- "C:\Documents and Settings\All Users\Application Data\Pure Networks\Network Magic\1033\Update\BIT15.tmp"
Sat 1 Dec 2007 13,239,608 A..H. --- "C:\Documents and Settings\All Users\Application Data\Pure Networks\Network Magic\1033\Update\BIT16.tmp"
Sat 1 Dec 2007 13,239,608 A..H. --- "C:\Documents and Settings\All Users\Application Data\Pure Networks\Network Magic\1033\Update\BIT18.tmp"
Sat 1 Dec 2007 13,239,608 A..H. --- "C:\Documents and Settings\All Users\Application Data\Pure Networks\Network Magic\1033\Update\BIT19.tmp"
Sat 1 Dec 2007 13,239,608 A..H. --- "C:\Documents and Settings\All Users\Application Data\Pure Networks\Network Magic\1033\Update\BIT1A.tmp"
Sat 1 Dec 2007 13,239,608 A..H. --- "C:\Documents and Settings\All Users\Application Data\Pure Networks\Network Magic\1033\Update\BIT1D.tmp"
Sat 1 Dec 2007 13,239,608 A..H. --- "C:\Documents and Settings\All Users\Application Data\Pure Networks\Network Magic\1033\Update\BIT29.tmp"
Sat 1 Dec 2007 13,239,608 A..H. --- "C:\Documents and Settings\All Users\Application Data\Pure Networks\Network Magic\1033\Update\BITF.tmp"

Finished!



Then the AVG Anti-Spyware:

---------------------------------------------------------
AVG Anti-Spyware - Scan Report
---------------------------------------------------------

+ Created at: 9:17:17 AM 4/10/2008

+ Scan result:



:mozilla.80:C:\Documents and Settings\microsoft\Application Data\Mozilla\Firefox\Profiles\bva7oqvr.default\cookies.txt -> TrackingCookie.2o7 : Cleaned.
:mozilla.77:C:\Documents and Settings\microsoft\Application Data\Mozilla\Firefox\Profiles\bva7oqvr.default\cookies.txt -> TrackingCookie.Addynamix : Cleaned.
:mozilla.78:C:\Documents and Settings\microsoft\Application Data\Mozilla\Firefox\Profiles\bva7oqvr.default\cookies.txt -> TrackingCookie.Addynamix : Cleaned.
:mozilla.79:C:\Documents and Settings\microsoft\Application Data\Mozilla\Firefox\Profiles\bva7oqvr.default\cookies.txt -> TrackingCookie.Addynamix : Cleaned.
:mozilla.111:C:\Documents and Settings\microsoft\Application Data\Mozilla\Firefox\Profiles\bva7oqvr.default\cookies.txt -> TrackingCookie.Questionmarket : Cleaned.
:mozilla.112:C:\Documents and Settings\microsoft\Application Data\Mozilla\Firefox\Profiles\bva7oqvr.default\cookies.txt -> TrackingCookie.Questionmarket : Cleaned.
:mozilla.49:C:\Documents and Settings\microsoft\Application Data\Mozilla\Firefox\Profiles\bva7oqvr.default\cookies.txt -> TrackingCookie.Tribalfusion : Cleaned.
:mozilla.37:C:\Documents and Settings\microsoft\Application Data\Mozilla\Firefox\Profiles\bva7oqvr.default\cookies.txt -> TrackingCookie.Webtrends : Cleaned.


::Report end


There you go, Again im really really sorry for being so late.. hoping for your kind consideration. And advance thank you!! :) :) :)

Edited by Choknat, 10 April 2008 - 04:49 AM.

  • 0

#15
Chopin

Chopin

    Member 2k

  • Member
  • PipPipPipPipPip
  • 2,639 posts
Hello Choknat, doesn't look bad! One final scan and you might be good to go! :)

1. Re-scan with DSS
------------------------------------------------

Please go to Start > Run. In the box that appears, carefully copy and paste the following:

"%userprofile%\Desktop\dss.exe" /config

Hit "Check All" and click "Scan!" DSS will produce main.txt and extra.txt, please post them back :)
  • 0






Similar Topics

0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users

As Featured On:

Microsoft Yahoo BBC MSN PC Magazine Washington Post HP