project1 virus (removed?) & desktop url shortcuts problem [RESOLVE


This topic is locked

#1
louuu
Member, 223 posts
Hi. A few days ago I downloaded a file on my computer and it started stalling and it was very slow. I immediately looked at my startup items (which I check all the time) and saw a new entry called project1 (which I assumed was some sort of virus), which was starting from the registry. I used System Restore and went back before the time when this happened, and then I rechecked my startup items and scanned the registry and it was completely gone. I also ran AVG Anti-Spyware, SUPERAntiSpyware, Kaspersky Online Scanner and Norton AntiVirus 2007 and everything did come back clean. Now a few days have passed and my computer is fine and working the way it's supposed to be working, so I assume System Restore worked and removed this problem/virus from my computer. However, what I did see or notice about a day later was that my desktop URL shortcut icons were switching symbols/pictures by themselves. For instance, my Yahoo URL shortcut, which normally had a Yahoo icon, now had an eBay icon (or the eBay symbol in letters) and my eBay URL shortcut icon had a Yahoo icon. The links themselves weren't changed, just the icon picture. Then later in the day my Yahoo URL shortcut had an OMG! icon and my MySpace URL shortcut had an eBay icon picture. Even when I rebooted, these icons remained changed with the incorrect pictures/symbols. Now today when I turned my computer on, all my icons are back to normal and they haven't changed anymore since.

UPDATE 2 DAYS LATER ON 4/3/08: As I wait for someone to help me, I just want to say that another 2 days have passed and thankfully I haven't had that icon problem anymore.

The reason now for my new topic is that I'm wondering what might have caused my URL desktop shortcuts to switch icons by themselves, and also, there are a lot of items in my HijackThis log and I'm wondering if there is anything I should remove or clean up. PLEASE NOTE: ITEM 21 IN MY HIJACKTHIS LOG IS LEGITIMATE and is my Spector software that I use to monitor the other computer in my house. There are just a lot of items in my HijackThis log that I don't understand and I wanted someone with more experience to advise me. Thanks in advance for your kind help, it's sincerely appreciated.

2ND UPDATE 2 DAYS LATER ON 4/3/08: Below is my HijackThis log from the day I posted this message (which was 4/1/08), which was 2 days ago. Below that log is a newer HijackThis log that I ran today (4/3/08). I did this only in case the person who eventually helps me needed an updated HijackThis log, since 2 days have passed. Thanks again.

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 3:29:07 PM, on 2008-04-01
Platform: Windows Vista (WinNT 6.00.1904)
MSIE: Internet Explorer v7.00 (7.00.6000.16575)
Boot mode: Normal

Running processes:
C:\Windows\system32\taskeng.exe
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Webroot\Spy Sweeper\SpySweeperUI.exe
C:\Program Files\DigiPortal Software\ChoiceMail\ChoiceMail.exe
C:\Program Files\DigiPortal Software\ChoiceMail\ChoiceMail.exe
C:\Windows\ehome\ehtray.exe
C:\Windows\ehome\ehmsas.exe
C:\Program Files\RivaTuner v2.06\RivaTuner.exe
C:\Program Files\Windows Media Player\wmpnscfg.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Windows Mail\WinMail.exe
C:\Program Files\Adobe\Reader 8.0\Reader\AcroRd32.exe
C:\Windows\system32\SearchFilterHost.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://cgi.verizon.n...mp;bm=ho_search
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O1 - Hosts: ::1 localhost
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {1E8A6170-7264-4D0F-BEAE-D42A53123C75} - C:\Program Files\Common Files\Symantec Shared\coShared\Browser\1.5\NppBho.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - c:\Program Files\Java\jre1.6.0\bin\ssv.dll
O2 - BHO: Browser Address Error Redirector - {CA6319C0-31B7-401E-A518-A07C3DB8F777} - C:\Program Files\Dell\BAE\BAE.dll
O3 - Toolbar: Show Norton Toolbar - {90222687-F593-4738-B738-FBEE9C7B26DF} - C:\Program Files\Common Files\Symantec Shared\coShared\Browser\1.5\UIBHO.dll
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [SpySweeper] C:\Program Files\Webroot\Spy Sweeper\SpySweeperUI.exe /startintray
O4 - HKCU\..\Run: [ChoiceMail] "C:\Program Files\DigiPortal Software\ChoiceMail\ChoiceMail.exe"
O4 - HKCU\..\Run: [ehTray.exe] C:\Windows\ehome\ehTray.exe
O4 - HKUS\S-1-5-19\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\Run: [WindowsWelcomeCenter] rundll32.exe oobefldr.dll,ShowWelcomeCenter (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-21-2570524930-4131161030-1994012012-1000\..\Run: [Sidebar] "C:\Program Files\Windows Sidebar\Sidebar.exe" /detectMem (User 'IUSR_NMPR')
O4 - HKUS\S-1-5-21-2570524930-4131161030-1994012012-500\..\Run: [WindowsWelcomeCenter] "rundll32.exe" oobefldr.dll,ShowWelcomeCenter (User 'Administrator')
O4 - Startup: RivaTuner.lnk = C:\Program Files\RivaTuner v2.06\RivaTuner.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - c:\Program Files\Java\jre1.6.0\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - c:\Program Files\Java\jre1.6.0\bin\ssv.dll
O9 - Extra button: @C:\Windows\WindowsMobile\INetRepl.dll,-222 - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\Windows\WindowsMobile\INetRepl.dll
O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\Windows\WindowsMobile\INetRepl.dll
O9 - Extra 'Tools' menuitem: @C:\Windows\WindowsMobile\INetRepl.dll,-223 - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\Windows\WindowsMobile\INetRepl.dll
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O13 - Gopher Prefix:
O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://appldnld.appl...ex/qtplugin.cab
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky...can_unicode.cab
O16 - DPF: {49312E18-AA92-4CC2-BB97-55DEA7BCADD6} (WMI Class) - https://support.dell...r/SysProExe.CAB
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.DLL
O21 - SSODL: Disehdx - {067D4C36-6943-42D1-A670-937A2838BE45} - C:\Windows\system32\dskihdb.dll
O23 - Service: Intel® Alert Service (AlertService) - Intel® Corporation - C:\Program Files\Intel\IntelDH\CCU\AlertService.exe
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: ##Id_String1.6844F930_1628_4223_B5CC_5BB94B879762## (Bonjour Service) - Apple Computer, Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Symantec Lic NetConnect service (CLTNetCnService) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: COM Host (comHost) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\VAScanner\comHost.exe
O23 - Service: Intel® DHTrace Controller (DHTRACE) - Intel® Corporation - C:\Program Files\Common Files\Intel\IntelDH\bin\DHTraceController.exe
O23 - Service: DQLWinService - Unknown owner - C:\Program Files\Common Files\Intel\IntelDH\NMS\AdpPlugins\DQLWinService.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: Symantec IS Password Validation (ISPwdSvc) - Symantec Corporation - C:\Program Files\Norton Internet Security\isPwdSvc.exe
O23 - Service: Intel® Software Services Manager (ISSM) - Intel® Corporation - C:\Program Files\Intel\IntelDH\Intel Media Server\Media Server\bin\ISSM.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: LiveUpdate Notice Service Ex (LiveUpdate Notice Ex) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: LiveUpdate Notice Service - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe
O23 - Service: Intel® Viiv™ Media Server (M1 Server) - Unknown owner - C:\Program Files\Intel\IntelDH\Intel Media Server\Media Server\bin\mediaserver.exe
O23 - Service: Intel® Application Tracker (MCLServiceATL) - Intel® Corporation - C:\Program Files\Intel\IntelDH\Intel Media Server\Shells\MCLServiceATL.exe
O23 - Service: Nero BackItUp Scheduler 3 - Nero AG - C:\Program Files\Nero\Nero8\Nero BackItUp\NBService.exe
O23 - Service: NMIndexingService - Nero AG - C:\Program Files\Common Files\Nero\Lib\NMIndexingService.exe
O23 - Service: Intel® NMSCore (NMSCore) - Intel® Corporation - C:\Program Files\Common Files\Intel\IntelDH\NMS\NMSCore\NMSCore.exe
O23 - Service: Intel® Quality Manager (QualityManager) - Intel® Corporation - C:\Program Files\Intel\IntelDH\Intel Media Server\Media Server\bin\qualitymanager.exe
O23 - Service: Intel® Remoting Service (Remote UI Service) - Intel® Corporation - C:\Program Files\Intel\IntelDH\Intel Media Server\Shells\Remote UI Service.exe
O23 - Service: RoxMediaDB9 - Sonic Solutions - C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxMediaDB9.exe
O23 - Service: Roxio Hard Drive Watcher 9 (RoxWatch9) - Sonic Solutions - C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxWatch9.exe
O23 - Service: SupportSoft Sprocket Service (dellsupportcenter) (sprtsvc_dellsupportcenter) - SupportSoft, Inc. - C:\Program Files\Dell Support Center\bin\sprtsvc.exe
O23 - Service: SigmaTel Audio Service (STacSV) - SigmaTel, Inc. - C:\Windows\system32\STacSV.exe
O23 - Service: Choice Mail (svcChoiceMail) - DigiPortal Software, Inc. - C:\Program Files\DigiPortal Software\ChoiceMail\\CMServer.exe
O23 - Service: Symantec Core LC - Unknown owner - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: Symantec AppCore Service (SymAppCore) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\AppCore\AppSvc32.exe
O23 - Service: Webroot Spy Sweeper Engine (WebrootSpySweeperService) - Webroot Software, Inc. - C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
O23 - Service: XAudioService - Conexant Systems, Inc. - C:\Windows\system32\DRIVERS\xaudio.exe

--
End of file - 9655 bytes

----------------------------------

Here's the newer HijackThis log:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 1:32:17 AM, on 2008-04-03
Platform: Windows Vista (WinNT 6.00.1904)
MSIE: Internet Explorer v7.00 (7.00.6000.16575)
Boot mode: Normal

Running processes:
C:\Windows\system32\Dwm.exe
C:\Windows\system32\taskeng.exe
C:\Windows\Explorer.EXE
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Webroot\Spy Sweeper\SpySweeperUI.exe
C:\Program Files\DigiPortal Software\ChoiceMail\ChoiceMail.exe
C:\Program Files\DigiPortal Software\ChoiceMail\ChoiceMail.exe
C:\Windows\ehome\ehtray.exe
C:\Windows\ehome\ehmsas.exe
C:\Program Files\RivaTuner v2.06\RivaTuner.exe
C:\Program Files\Windows Media Player\wmpnscfg.exe
C:\Program Files\Adobe\Reader 8.0\Reader\AcroRd32.exe
C:\Program Files\BitTornado\btdownloadgui.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://cgi.verizon.n...mp;bm=ho_search
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O1 - Hosts: ::1 localhost
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {1E8A6170-7264-4D0F-BEAE-D42A53123C75} - C:\Program Files\Common Files\Symantec Shared\coShared\Browser\1.5\NppBho.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - c:\Program Files\Java\jre1.6.0\bin\ssv.dll
O2 - BHO: Browser Address Error Redirector - {CA6319C0-31B7-401E-A518-A07C3DB8F777} - C:\Program Files\Dell\BAE\BAE.dll
O3 - Toolbar: Show Norton Toolbar - {90222687-F593-4738-B738-FBEE9C7B26DF} - C:\Program Files\Common Files\Symantec Shared\coShared\Browser\1.5\UIBHO.dll
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [SpySweeper] "C:\Program Files\Webroot\Spy Sweeper\SpySweeperUI.exe" /startintray
O4 - HKCU\..\Run: [ChoiceMail] "C:\Program Files\DigiPortal Software\ChoiceMail\ChoiceMail.exe"
O4 - HKCU\..\Run: [ehTray.exe] C:\Windows\ehome\ehTray.exe
O4 - HKUS\S-1-5-19\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\Run: [WindowsWelcomeCenter] rundll32.exe oobefldr.dll,ShowWelcomeCenter (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-21-2570524930-4131161030-1994012012-1000\..\Run: [Sidebar] "C:\Program Files\Windows Sidebar\Sidebar.exe" /detectMem (User 'IUSR_NMPR')
O4 - HKUS\S-1-5-21-2570524930-4131161030-1994012012-500\..\Run: [WindowsWelcomeCenter] "rundll32.exe" oobefldr.dll,ShowWelcomeCenter (User 'Administrator')
O4 - Startup: RivaTuner.lnk = C:\Program Files\RivaTuner v2.06\RivaTuner.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - c:\Program Files\Java\jre1.6.0\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - c:\Program Files\Java\jre1.6.0\bin\ssv.dll
O9 - Extra button: @C:\Windows\WindowsMobile\INetRepl.dll,-222 - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\Windows\WindowsMobile\INetRepl.dll
O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\Windows\WindowsMobile\INetRepl.dll
O9 - Extra 'Tools' menuitem: @C:\Windows\WindowsMobile\INetRepl.dll,-223 - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\Windows\WindowsMobile\INetRepl.dll
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O13 - Gopher Prefix:
O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://appldnld.appl...ex/qtplugin.cab
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky...can_unicode.cab
O16 - DPF: {49312E18-AA92-4CC2-BB97-55DEA7BCADD6} (WMI Class) - https://support.dell...r/SysProExe.CAB
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.DLL
O21 - SSODL: Disehdx - {067D4C36-6943-42D1-A670-937A2838BE45} - C:\Windows\system32\dskihdb.dll
O23 - Service: Intel® Alert Service (AlertService) - Intel® Corporation - C:\Program Files\Intel\IntelDH\CCU\AlertService.exe
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: ##Id_String1.6844F930_1628_4223_B5CC_5BB94B879762## (Bonjour Service) - Apple Computer, Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Symantec Lic NetConnect service (CLTNetCnService) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: COM Host (comHost) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\VAScanner\comHost.exe
O23 - Service: Intel® DHTrace Controller (DHTRACE) - Intel® Corporation - C:\Program Files\Common Files\Intel\IntelDH\bin\DHTraceController.exe
O23 - Service: DQLWinService - Unknown owner - C:\Program Files\Common Files\Intel\IntelDH\NMS\AdpPlugins\DQLWinService.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: Symantec IS Password Validation (ISPwdSvc) - Symantec Corporation - C:\Program Files\Norton Internet Security\isPwdSvc.exe
O23 - Service: Intel® Software Services Manager (ISSM) - Intel® Corporation - C:\Program Files\Intel\IntelDH\Intel Media Server\Media Server\bin\ISSM.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: LiveUpdate Notice Service Ex (LiveUpdate Notice Ex) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: LiveUpdate Notice Service - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe
O23 - Service: Intel® Viiv™ Media Server (M1 Server) - Unknown owner - C:\Program Files\Intel\IntelDH\Intel Media Server\Media Server\bin\mediaserver.exe
O23 - Service: Intel® Application Tracker (MCLServiceATL) - Intel® Corporation - C:\Program Files\Intel\IntelDH\Intel Media Server\Shells\MCLServiceATL.exe
O23 - Service: Nero BackItUp Scheduler 3 - Nero AG - C:\Program Files\Nero\Nero8\Nero BackItUp\NBService.exe
O23 - Service: NMIndexingService - Nero AG - C:\Program Files\Common Files\Nero\Lib\NMIndexingService.exe
O23 - Service: Intel® NMSCore (NMSCore) - Intel® Corporation - C:\Program Files\Common Files\Intel\IntelDH\NMS\NMSCore\NMSCore.exe
O23 - Service: Intel® Quality Manager (QualityManager) - Intel® Corporation - C:\Program Files\Intel\IntelDH\Intel Media Server\Media Server\bin\qualitymanager.exe
O23 - Service: Intel® Remoting Service (Remote UI Service) - Intel® Corporation - C:\Program Files\Intel\IntelDH\Intel Media Server\Shells\Remote UI Service.exe
O23 - Service: RoxMediaDB9 - Sonic Solutions - C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxMediaDB9.exe
O23 - Service: Roxio Hard Drive Watcher 9 (RoxWatch9) - Sonic Solutions - C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxWatch9.exe
O23 - Service: SupportSoft Sprocket Service (dellsupportcenter) (sprtsvc_dellsupportcenter) - SupportSoft, Inc. - C:\Program Files\Dell Support Center\bin\sprtsvc.exe
O23 - Service: SigmaTel Audio Service (STacSV) - SigmaTel, Inc. - C:\Windows\system32\STacSV.exe
O23 - Service: Choice Mail (svcChoiceMail) - DigiPortal Software, Inc. - C:\Program Files\DigiPortal Software\ChoiceMail\\CMServer.exe
O23 - Service: Symantec Core LC - Unknown owner - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: Symantec AppCore Service (SymAppCore) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\AppCore\AppSvc32.exe
O23 - Service: Webroot Spy Sweeper Engine (WebrootSpySweeperService) - Webroot Software, Inc. - C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
O23 - Service: XAudioService - Conexant Systems, Inc. - C:\Windows\system32\DRIVERS\xaudio.exe

--
End of file - 9619 bytes

Edited by louuu, 02 April 2008 - 11:42 PM.

#2
Essexboy
GeekU Moderator (Retired Staff), 69,964 posts
Hi there, you still appear to have a few elements there, so let's remove them and see what happens. But first let's secure your system.

Your Java is out of date. Older versions have vulnerabilities that malicious sites can use to infect your system. Please follow these steps to remove older version Java components and update:
  • Download the latest version of Java Runtime Environment (JRE) 6 Update 5 and save it to your desktop.
  • Scroll down to where it says "Java Runtime Environment (JRE) 6 Update 5...allows end-users to run Java applications".
  • Click the "Download" button to the right.
  • Read the License Agreement and then check the box that says: "Accept License Agreement". The page will refresh.
  • Click on the link to download Windows Offline Installation and save the file to your desktop.
  • Close any programs you may have running - especially your web browser.
  • Go to Start > Settings > Control Panel, double-click on Add/Remove Programs and remove all older versions of Java.
  • Check (highlight) any item with Java Runtime Environment (JRE or J2SE) in the name.
  • Click the Remove or Change/Remove button.
  • Repeat as many times as necessary to remove each Java version.
  • Reboot your computer once all Java components are removed.
  • Then from your desktop double-click on jre-6u5-windows-i586-p.exe to install the newest version.

And so to work

Please re-open HiJackThis and scan. Check the boxes next to all the entries listed below.

O21 - SSODL: Disehdx - {067D4C36-6943-42D1-A670-937A2838BE45} - C:\Windows\system32\dskihdb.dll

Now close all windows other than HiJackThis, then click Fix Checked. Close HiJackThis.

THEN

Please download the OTMoveIt2 by OldTimer.
  • Save it to your desktop.
  • Please double-click OTMoveIt2.exe to run it.
  • Copy the file paths below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose Copy):

    C:\Windows\system32\dskihdb.dll
  • Return to OTMoveIt2, right click in the "Paste List of Files/Folders to be Moved" window (under the light blue bar) and choose Paste.
  • Copy the file paths below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose Copy):

    Purity
  • Return to OTMoveIt2, right click in the "Paste List Of Files/Patterns To Search For and Move" window (under the yellow bar) and choose Paste.
  • Click the red Moveit! button.
  • Copy everything in the Results window (under the green bar) to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose copy), and paste it in your next reply.
  • Close OTMoveIt2
If a file or folder cannot be moved immediately you may be asked to reboot the machine to finish the move process. If you are asked to reboot the machine choose Yes.

FINALLY FOR NOW

Please download ComboFix from Here or Here to your Desktop.

**Note: In the event you already have Combofix, this is a new version that I need you to download. It is important that it is saved directly to your desktop**
  • Please, never rename Combofix unless instructed.
  • Close any open browsers.
  • Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

    -----------------------------------------------------------

    • Very Important! Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before performing a scan. They can interfere with ComboFix or remove some of its embedded files which may cause "unpredictable results".
    • Click on this link to see a list of programs that should be disabled. The list is not all inclusive. If yours is not listed and you don't know how to disable it, please ask.

      -----------------------------------------------------------

    • Close any open browsers.
    • WARNING: Combofix will disconnect your machine from the Internet as soon as it starts
    • Please do not attempt to re-connect your machine back to the Internet until Combofix has completely finished.
    • If there is no internet connection after running Combofix, then restart your computer to restore back your connection.

    -----------------------------------------------------------

  • Double click on combofix.exe & follow the prompts.
  • When finished, it will produce a report for you.
  • Please post the "C:\ComboFix.txt" along with a new HijackThis log for further review.
**Note: Do not mouseclick combofix's window while it's running. That may cause it to stall**

Logs required : OTMoveit and Combofix

#3
louuu
Topic Starter, Member, 223 posts
Hi, and thanks for your help. I'm in the process of doing the first step with Java, but I think you may have not seen where I said in my post that item 21 in my HijackThis log is a legitimate item. It's my Spector software that I use to view the other computer in my home. I assume that since this item is a legitimate item, you do not want me to check it in the HijackThis program and you do not want me to enter the line about it in the OTMoveIt program. Being that I assume I shouldn't do this, do you still want me to run OTMoveIt just for the Purity line? I'll wait to hear back from you and in the meantime, I'll do the Java and ComboFix and post those results here.

#4
Essexboy
GeekU Moderator (Retired Staff), 69,964 posts
Yes please, I must have mistyped on my search :)

Please download the OTMoveIt2 by OldTimer.
  • Save it to your desktop.
  • Please double-click OTMoveIt2.exe to run it.
  • Copy the file paths below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose Copy):

    Purity
  • Return to OTMoveIt2, right click in the "Paste List Of Files/Patterns To Search For and Move" window (under the yellow bar) and choose Paste.
  • Click the red Moveit! button.
  • Copy everything in the Results window (under the green bar) to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose copy), and paste it in your next reply.
  • Close OTMoveIt2
If a file or folder cannot be moved immediately you may be asked to reboot the machine to finish the move process. If you are asked to reboot the machine choose Yes.
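Posts #1 through #4 above turn on two things a helper does by hand: comparing the two HijackThis logs posted two days apart, and deciding which load-point entries (here the O21 SSODL line) deserve a look, while honouring the owner's note that one of them is software they installed on purpose. The Python below is an added example, not code from this thread, from Trend Micro's HijackThis or from OldTimer's tools: it parses the HijackThis log format, diffs two logs, and flags entries for review with an allowlist for items the owner vouches for. The two sample logs are constructed, abbreviated excerpts of the logs posted in #1; the section descriptions are standard HijackThis section meanings, and the flagging rules are this example's own triage heuristics, a hint for a human reviewer rather than a verdict on any entry.

```python
"""HijackThis log triage helper: parse entries, diff two logs, flag load points.

Added example, not part of HijackThis or of the forum thread it illustrates.
"""
import re
from typing import Dict, Iterable, List, Tuple

# Every HijackThis entry line looks like "O21 - SSODL: ..." or "R0 - HKCU\...".
ENTRY_RE = re.compile(r"^([RO]\d+) - (.*)$")

# Sections whose entries are DLLs loaded at logon (standard HijackThis section
# meanings); they are common persistence points, so each one gets a human look.
REVIEW_SECTIONS = {
    "O20": "Winlogon Notify DLL (loaded by winlogon.exe at logon)",
    "O21": "ShellServiceObjectDelayLoad DLL (loaded by Explorer at logon)",
    "O22": "SharedTaskScheduler DLL (loaded by Explorer at logon)",
}
# Autoruns that point into user-writable directories are worth a second look.
USER_WRITABLE = re.compile(r"\\(AppData|Temp|Local Settings)\\", re.IGNORECASE)

# Constructed sample: abbreviated excerpts of the 2008-04-01 and 2008-04-03 logs.
LOG_0401 = r"""
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 3:29:07 PM, on 2008-04-01

Running processes:
C:\Windows\Explorer.EXE
C:\Program Files\Windows Mail\WinMail.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
O4 - HKLM\..\Run: [SpySweeper] C:\Program Files\Webroot\Spy Sweeper\SpySweeperUI.exe /startintray
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.DLL
O21 - SSODL: Disehdx - {067D4C36-6943-42D1-A670-937A2838BE45} - C:\Windows\system32\dskihdb.dll
O23 - Service: DQLWinService - Unknown owner - C:\Program Files\Common Files\Intel\IntelDH\NMS\AdpPlugins\DQLWinService.exe
O23 - Service: XAudioService - Conexant Systems, Inc. - C:\Windows\system32\DRIVERS\xaudio.exe
"""
LOG_0403 = r"""
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 1:32:17 AM, on 2008-04-03

Running processes:
C:\Windows\Explorer.EXE
C:\Program Files\BitTornado\btdownloadgui.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
O4 - HKLM\..\Run: [SpySweeper] "C:\Program Files\Webroot\Spy Sweeper\SpySweeperUI.exe" /startintray
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.DLL
O21 - SSODL: Disehdx - {067D4C36-6943-42D1-A670-937A2838BE45} - C:\Windows\system32\dskihdb.dll
O23 - Service: DQLWinService - Unknown owner - C:\Program Files\Common Files\Intel\IntelDH\NMS\AdpPlugins\DQLWinService.exe
O23 - Service: XAudioService - Conexant Systems, Inc. - C:\Windows\system32\DRIVERS\xaudio.exe
"""


def parse_hjt(text: str) -> Tuple[List[str], List[Tuple[str, str]]]:
    """Return (running processes, [(section, body), ...]) from a HijackThis log."""
    processes, entries, in_procs = [], [], False
    for raw in text.splitlines():
        line = raw.strip()
        if line == "Running processes:":
            in_procs = True            # process list runs until the next blank line
            continue
        if in_procs:
            if line:
                processes.append(line)
            else:
                in_procs = False
            continue
        m = ENTRY_RE.match(line)
        if m:
            entries.append((m.group(1), m.group(2)))
    return processes, entries


def diff_logs(old: str, new: str) -> Dict[str, List[str]]:
    """Processes and entries that appear in only one of the two logs (order kept)."""
    p_old, e_old = parse_hjt(old)
    p_new, e_new = parse_hjt(new)
    fmt = lambda e: f"{e[0]} - {e[1]}"
    return {
        "processes_added": [p for p in p_new if p not in p_old],
        "processes_removed": [p for p in p_old if p not in p_new],
        "entries_added": [fmt(e) for e in e_new if e not in e_old],
        "entries_removed": [fmt(e) for e in e_old if e not in e_new],
    }


def triage(text: str, known_good: Iterable[str] = ()) -> List[Tuple[str, str]]:
    """Flag entries for review; known_good holds substrings (e.g. a DLL name)
    of entries the machine's owner has identified as deliberately installed."""
    vouched = tuple(known_good)
    flagged = []
    for section, body in parse_hjt(text)[1]:
        if any(k in body for k in vouched):
            continue
        if section in REVIEW_SECTIONS:
            flagged.append((f"{section} - {body}", REVIEW_SECTIONS[section]))
        elif section == "O23" and "- Unknown owner -" in body:
            flagged.append((f"{section} - {body}", "service with no vendor string"))
        elif section == "O4" and USER_WRITABLE.search(body):
            flagged.append((f"{section} - {body}", "autorun from a user-writable directory"))
    return flagged


if __name__ == "__main__":
    for key, lines in diff_logs(LOG_0401, LOG_0403).items():
        print(key, lines)
    # The owner vouched for the Disehdx/dskihdb.dll entry, so it is suppressed.
    for entry, reason in triage(LOG_0403, known_good={"dskihdb.dll"}):
        print("REVIEW:", reason, "->", entry)
```

On the page's own logs the diff reduces two ~100-line logs to four lines (BitTornado appeared in the process list, WinMail and SearchFilterHost went away, and the SpySweeper Run value gained quotes), which is exactly what a helper scans for. The allowlist is deliberately substring-based so the owner can name a DLL or product once rather than paste a whole entry; anything not vouched for still reaches a human.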

#5
louuu
Topic Starter, Member, 223 posts
Hi again. One question: when I updated my Java as per your instructions, Java is now in my startup items under msconfig. Do I need to leave this in my startup items or can I uncheck it? As for your instructions, I've completed everything you've asked. Below are the logs you requested. I'll wait to hear back from you, thanks.


OTMoveIt results
----------------

< Purity >

OTMoveIt2 by OldTimer - Version 1.0.4.0 log created on 04032008_165213

------------------------------------------------

ComboFix results
----------------

ComboFix 08-04-03.2 - Lou 2008-04-03 16:58:24.2 - NTFSx86
Microsoft® Windows Vista™ Home Premium 6.0.6000.0.1252.1.1033.18.1981 [GMT -4:00]
Running from: C:\Users\Lou\Desktop\ComboFix.exe
* Created a new restore point
.

((((((((((((((((((((((((( Files Created from 2008-03-03 to 2008-04-03 )))))))))))))))))))))))))))))))
.

No new files created in this timespan

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-04-03 20:48 --------- d-----w C:\Program Files\Java
2008-04-03 20:47 --------- d-----w C:\Program Files\Common Files\Java
2008-04-03 20:42 30,272 ----a-w C:\Windows\system32\drivers\pssdk31.drv
2008-04-01 19:26 --------- d-----w C:\Program Files\Trend Micro
2008-03-29 18:29 --------- d-----w C:\Users\Lou\AppData\Roaming\.BitTornado
2008-03-29 17:48 --------- d-----w C:\Program Files\Common Files\Symantec Shared
2008-03-27 20:59 --------- d-----w C:\Program Files\FEAR Perseus Mandate
2008-03-27 18:54 --------- d-----w C:\Program Files\SUPERAntiSpyware
2008-03-27 15:09 --------- d-----w C:\Program Files\SpywareBlaster
2008-03-27 03:52 --------- d-----w C:\Users\Lou\AppData\Roaming\LimeWire
2008-03-21 00:10 --------- d-----w C:\Program Files\LG Drivers
2008-03-19 21:52 --------- d-----w C:\Program Files\Norton Internet Security
2008-03-18 18:24 --------- d-----w C:\Program Files\Windows Mail
2008-03-09 02:05 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-03-07 18:40 13,035 ----a-w C:\Windows\system32\drivers\SymRedir.cat
2008-03-07 18:40 1,358 ----a-w C:\Windows\system32\drivers\SymRedir.inf
2008-03-07 18:39 39,984 ----a-w C:\Windows\system32\drivers\symids.sys
2008-03-07 18:39 37,936 ----a-w C:\Windows\system32\drivers\symndisv.sys
2008-03-07 18:39 27,696 ----a-w C:\Windows\system32\drivers\symredrv.sys
2008-03-07 18:39 191,536 ----a-w C:\Windows\system32\drivers\symtdi.sys
2008-03-07 18:39 145,968 ----a-w C:\Windows\system32\drivers\symfw.sys
2008-03-07 18:39 12,848 ----a-w C:\Windows\system32\drivers\symdns.sys
2008-03-07 01:32 706 ----a-w C:\Windows\system32\drivers\COH_Mon.inf
2008-03-07 01:32 23,904 ----a-w C:\Windows\system32\drivers\COH_Mon.sys
2008-03-07 01:32 10,537 ----a-w C:\Windows\system32\drivers\COH_Mon.cat
2008-03-05 20:03 479,752 ----a-w C:\Windows\System32\XAudio2_0.dll
2008-03-05 20:03 238,088 ----a-w C:\Windows\System32\xactengine3_0.dll
2008-03-05 20:00 25,608 ----a-w C:\Windows\System32\X3DAudio1_3.dll
2008-03-05 19:56 3,786,760 ----a-w C:\Windows\System32\D3DX9_37.dll
2008-03-05 19:56 1,420,824 ----a-w C:\Windows\System32\D3DCompiler_37.dll
2008-02-28 06:38 84,512 ----a-w C:\Users\Lou\AppData\Roaming\GDIPFONTCACHEV1.DAT
2008-02-28 04:10 --------- d-----w C:\Program Files\RivaTuner v2.06
2008-02-26 04:04 --------- d-----w C:\Program Files\ffdshow
2008-02-26 03:58 --------- d-----w C:\Users\Lou\AppData\Roaming\Winamp
2008-02-26 03:58 --------- d-----w C:\Program Files\Winamp
2008-02-26 01:54 --------- d-----w C:\Program Files\Common Files\NSV
2008-02-23 02:21 7,680 ----a-w C:\Windows\System32\ff_vfw.dll
2008-02-23 02:21 60,273 ----a-w C:\Windows\System32\pthreadGC2.dll
2008-02-21 00:04 --------- d-----w C:\Program Files\BitPim
2008-02-19 01:36 --------- d-----w C:\Program Files\QuickTime
2008-02-19 01:35 --------- d-----w C:\Program Files\Apple Software Update
2008-02-16 02:58 --------- d-----w C:\Users\Lou\AppData\Roaming\Roxio
2008-02-15 13:39 --------- d-----w C:\Program Files\Common Files\Adobe
2008-02-14 14:37 --------- d-----w C:\Program Files\DVD Shrink
2008-02-13 20:02 --------- d-----w C:\Users\Lou\AppData\Roaming\Leadertech
2008-02-13 14:25 --------- d-----w C:\Users\Lou\AppData\Roaming\dvdcss
2008-02-13 08:06 943,800 ----a-w C:\Windows\System32\winload.exe
2008-02-13 08:06 905,400 ----a-w C:\Windows\System32\winresume.exe
2008-02-13 08:06 613,888 ----a-w C:\Windows\System32\wpd_ci.dll
2008-02-13 08:06 595,456 ----a-w C:\Windows\System32\schedsvc.dll
2008-02-13 08:06 558,080 ----a-w C:\Windows\System32\oleaut32.dll
2008-02-13 08:06 54,784 ----a-w C:\Windows\system32\drivers\i8042prt.sys
2008-02-13 08:06 35,384 ----a-w C:\Windows\system32\drivers\kbdclass.sys
2008-02-13 08:06 34,360 ----a-w C:\Windows\system32\drivers\mouclass.sys
2008-02-13 08:06 19,968 ----a-w C:\Windows\system32\drivers\sermouse.sys
2008-02-13 08:06 15,872 ----a-w C:\Windows\system32\drivers\mouhid.sys
2008-02-13 08:06 15,872 ----a-w C:\Windows\system32\drivers\kbdhid.sys
2008-02-13 08:06 1,585,664 ----a-w C:\Windows\System32\setupapi.dll
2008-02-13 08:04 45,112 ----a-w C:\Windows\system32\drivers\pciidex.sys
2008-02-13 08:04 3,470,392 ----a-w C:\Windows\System32\ntoskrnl.exe
2008-02-13 08:04 21,560 ----a-w C:\Windows\system32\drivers\atapi.sys
2008-02-13 08:04 154,624 ----a-w C:\Windows\system32\drivers\nwifi.sys
2008-02-13 08:04 15,928 ----a-w C:\Windows\system32\drivers\pciide.sys
2008-02-13 08:04 110,136 ----a-w C:\Windows\system32\drivers\ataport.sys
2008-02-13 08:03 806,400 ----a-w C:\Windows\system32\drivers\tcpip.sys
2008-02-13 08:03 537,600 ----a-w C:\Windows\AppPatch\AcLayers.dll
2008-02-13 08:03 449,536 ----a-w C:\Windows\AppPatch\AcSpecfc.dll
2008-02-13 08:03 4,247,552 ----a-w C:\Windows\System32\GameUXLegacyGDFs.dll
2008-02-13 08:03 2,144,256 ----a-w C:\Windows\AppPatch\AcGenral.dll
2008-02-13 08:03 173,056 ----a-w C:\Windows\AppPatch\AcXtrnal.dll
2008-02-13 08:03 1,686,528 ----a-w C:\Windows\System32\gameux.dll
2008-02-13 08:01 824,832 ----a-w C:\Windows\System32\wininet.dll
2008-02-12 23:04 --------- d-----w C:\Program Files\BitTornado
2008-02-12 17:25 --------- d-----w C:\Program Files\Dell
2008-02-12 17:16 --------- d-----w C:\Program Files\Lumanate
2008-02-10 06:13 60,968 ----a-w C:\Users\Lou\GoToAssistDownloadHelper.exe
2008-02-10 01:03 --------- d-----w C:\Program Files\Citrix
2008-02-09 06:24 --------- d-----w C:\Program Files\NVIDIA Corporation
2008-02-09 06:23 --------- d-----w C:\Program Files\NVIDIA nTune Performance Application
2008-02-06 03:07 462,864 ----a-w C:\Windows\System32\d3dx10_37.dll
2008-01-28 19:06 811,008 ----a-w C:\Windows\System32\RESOCART.DLL
2008-01-28 19:06 3,268,608 ----a-w C:\Windows\System32\LANEBNT.EXE
2008-01-28 16:31 73,216 ----a-w C:\Windows\ST6UNST.EXE
2008-01-28 16:31 286,720 ------w C:\Windows\Setup1.exe
2008-01-26 06:30 22,328 ----a-w C:\Users\Lou\AppData\Roaming\PnkBstrK.sys
2008-01-22 19:46 164 ----a-w C:\install.dat
2008-01-18 18:51 704,000 ----a-w C:\Windows\System32\PhotoScreensaver.scr
2008-01-18 18:51 67,584 ----a-w C:\Windows\System32\wlanhlp.dll
2008-01-18 18:51 542,720 ----a-w C:\Windows\System32\sysmain.dll
2008-01-18 18:51 502,784 ----a-w C:\Windows\System32\wlansvc.dll
2008-01-18 18:51 47,104 ----a-w C:\Windows\System32\wlanapi.dll
2008-01-18 18:51 299,008 ----a-w C:\Windows\System32\wlansec.dll
2008-01-18 18:51 289,280 ----a-w C:\Windows\System32\wlanmsm.dll
2008-01-18 18:51 24,064 ----a-w C:\Windows\System32\wtsapi32.dll
2008-01-18 18:51 2,923,520 ----a-w C:\Windows\explorer.exe
2008-01-18 18:51 2,027,008 ----a-w C:\Windows\System32\win32k.sys
2008-01-18 18:50 24,064 ----a-w C:\Windows\System32\netcfg.exe
2008-01-18 18:50 22,016 ----a-w C:\Windows\System32\netiougc.exe
2008-01-18 18:50 167,424 ----a-w C:\Windows\System32\tcpipcfg.dll
2008-01-18 18:49 9,728 ----a-w C:\Windows\System32\LAPRXY.DLL
.

((((((((((((((((((((((((((((( [email protected]_ 2.21.10.59 )))))))))))))))))))))))))))))))))))))))))
.
- 2000-08-31 12:00:00 163,328 ----a-w C:\Windows\erdnt\Hiv-backup\ERDNT.EXE
+ 2005-10-21 00:02:28 163,328 ----a-w C:\Windows\erdnt\Hiv-backup\ERDNT.EXE
+ 2000-08-31 12:00:00 73,728 ----a-w C:\Windows\fdsv.exe
+ 2000-08-31 12:00:00 80,412 ----a-w C:\Windows\grep.exe
+ 2000-08-31 12:00:00 98,816 ----a-w C:\Windows\sed.exe
- 2008-03-29 22:20:46 1,339,392 --sha-w C:\Windows\ServiceProfiles\LocalService\NTUSER.DAT
+ 2008-04-03 20:45:39 1,339,392 --sha-w C:\Windows\ServiceProfiles\LocalService\NTUSER.DAT
- 2008-03-30 04:02:21 1,572,864 --sha-w C:\Windows\ServiceProfiles\NetworkService\NTUSER.DAT
+ 2008-04-03 20:45:34 1,572,864 --sha-w C:\Windows\ServiceProfiles\NetworkService\NTUSER.DAT
+ 2000-08-31 12:00:00 161,792 ----a-w C:\Windows\swreg.exe
+ 2000-08-31 12:00:00 136,704 ----a-w C:\Windows\swsc.exe
+ 2000-08-31 12:00:00 212,480 ----a-w C:\Windows\swxcacls.exe
- 2008-03-30 06:13:34 16,384 --sha-w C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat
+ 2008-04-03 20:46:15 16,384 --sha-w C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat
- 2008-03-30 06:13:34 32,768 --sha-w C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\index.dat
+ 2008-04-03 20:46:15 32,768 --sha-w C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\index.dat
- 2008-03-30 06:13:34 16,384 --sha-w C:\Windows\System32\config\systemprofile\AppData\Roaming\Microsoft\Windows\Cookies\index.dat
+ 2008-04-03 20:46:15 16,384 --sha-w C:\Windows\System32\config\systemprofile\AppData\Roaming\Microsoft\Windows\Cookies\index.dat
- 2008-03-30 06:19:59 716,024 ----a-w C:\Windows\System32\config\systemprofile\AppData\Roaming\Webroot\Spy Sweeper\Data\settings.dat
+ 2008-04-03 20:54:37 718,568 ----a-w C:\Windows\System32\config\systemprofile\AppData\Roaming\Webroot\Spy Sweeper\Data\settings.dat
- 2008-03-30 06:15:13 262,144 ----a-w C:\Windows\System32\config\systemprofile\ntuser.dat
+ 2008-04-03 20:58:20 262,144 ----a-w C:\Windows\System32\config\systemprofile\ntuser.dat
- 2008-01-16 19:08:07 135,168 ----a-w C:\Windows\System32\java.exe
+ 2008-02-22 05:23:35 135,168 ----a-w C:\Windows\System32\java.exe
- 2008-01-16 19:08:07 135,168 ----a-w C:\Windows\System32\javaw.exe
+ 2008-02-22 05:23:39 135,168 ----a-w C:\Windows\System32\javaw.exe
- 2008-01-16 19:08:07 139,264 ----a-w C:\Windows\System32\javaws.exe
+ 2008-02-22 06:33:32 139,264 ----a-w C:\Windows\System32\javaws.exe
- 2008-03-29 22:22:41 107,508 ----a-w C:\Windows\System32\perfc009.dat
+ 2008-04-03 20:47:45 107,508 ----a-w C:\Windows\System32\perfc009.dat
- 2008-03-29 22:22:41 626,738 ----a-w C:\Windows\System32\perfh009.dat
+ 2008-04-03 20:47:45 626,738 ----a-w C:\Windows\System32\perfh009.dat
- 2008-03-29 22:19:30 9,236 ----a-w C:\Windows\System32\WDI\{86432a0b-3c7d-4ddf-a89c-172faa90485d}\S-1-5-21-2570524930-4131161030-1994012012-1001_UserData.bin
+ 2008-04-03 20:45:50 9,252 ----a-w C:\Windows\System32\WDI\{86432a0b-3c7d-4ddf-a89c-172faa90485d}\S-1-5-21-2570524930-4131161030-1994012012-1001_UserData.bin
- 2008-03-29 22:19:30 98,588 ----a-w C:\Windows\System32\WDI\BootPerformanceDiagnostics_SystemData.bin
+ 2008-04-03 20:45:50 99,162 ----a-w C:\Windows\System32\WDI\BootPerformanceDiagnostics_SystemData.bin
- 2008-03-29 18:34:57 48,716 ----a-w C:\Windows\System32\WDI\ShutdownPerformanceDiagnostics_SystemData.bin
+ 2008-04-03 20:45:46 49,070 ----a-w C:\Windows\System32\WDI\ShutdownPerformanceDiagnostics_SystemData.bin
+ 2000-08-31 12:00:00 49,152 ----a-w C:\Windows\VFind.exe
+ 2000-08-31 12:00:00 68,096 ----a-w C:\Windows\zip.exe
.
-- Snapshot reset to current date --
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ChoiceMail"="C:\Program Files\DigiPortal Software\ChoiceMail\ChoiceMail.exe" [2007-10-02 13:23 5230592]
"ehTray.exe"="C:\Windows\ehome\ehTray.exe" [2006-11-02 08:35 125440]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ccApp"="C:\Program Files\Common Files\Symantec Shared\ccApp.exe" [2007-01-10 00:59 115816]
"NWEReboot"="" []
"SpySweeper"="C:\Program Files\Webroot\Spy Sweeper\SpySweeperUI.exe" [2008-01-04 21:56 5367664]
"MSConfig"="C:\Windows\system32\msconfig.exe" [2006-11-02 05:45 222208]

C:\Users\Lou\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\
RivaTuner.lnk - C:\Program Files\RivaTuner v2.06\RivaTuner.exe [2007-10-30 14:05:00 2650112]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"EnableLUA"= 0 (0x0)

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= C:\Program Files\SUPERAntiSpyware\SASSEH.DLL [2006-12-20 13:55 77824]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad]
"Disehdx"= {067D4C36-6943-42D1-A670-937A2838BE45} - C:\Windows\system32\dskihdb.dll [2008-01-16 22:37 761856]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
C:\Program Files\SUPERAntiSpyware\SASWINLO.DLL 2008-03-27 14:54 294912 C:\Program Files\SUPERAntiSpyware\SASWINLO.DLL

[HKLM\~\startupfolder\C:^ProgramData^Microsoft^Windows^Start Menu^Programs^Startup^Digital Line Detect.lnk]
path=C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\Digital Line Detect.lnk
backup=C:\Windows\pss\Digital Line Detect.lnk.CommonStartup
backupExtension=.CommonStartup

[HKLM\~\startupfolder\C:^ProgramData^Microsoft^Windows^Start Menu^Programs^Startup^Microsoft Office.lnk]
path=C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\Microsoft Office.lnk
backup=C:\Windows\pss\Microsoft Office.lnk.CommonStartup
backupExtension=.CommonStartup

[HKLM\~\startupfolder\C:^Users^Lou^AppData^Roaming^Microsoft^Windows^Start Menu^Programs^Startup^PowerReg Scheduler.exe]
path=C:\Users\Lou\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\PowerReg Scheduler.exe
backup=C:\Windows\pss\PowerReg Scheduler.exe.Startup
backupExtension=.Startup

[HKLM\~\startupfolder\C:^Users^Lou^AppData^Roaming^Microsoft^Windows^Start Menu^Programs^Startup^RivaTuner.lnk]
path=C:\Users\Lou\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\RivaTuner.lnk
backup=C:\Windows\pss\RivaTuner.lnk.Startup
backupExtension=.Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\!AVG Anti-Spyware]
--a------ 2007-06-11 05:25 6731312 C:\Program Files\GRISOFT\AVG Anti-Spyware 7.5\avgas.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Photo Downloader]
C:\Program Files\Adobe\Photoshop Elements 6.0\apdproxy.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]
--a------ 2008-01-11 23:16 39792 C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ccApp]
--a------ 2007-01-10 00:59 115816 C:\Program Files\Common Files\Symantec Shared\ccApp.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\CCUTRAYICON]
--a------ 2007-06-27 11:18 215256 C:\Program Files\Intel\IntelDH\CCU\CCU_TrayIcon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\CMCService]
C:\Program Files\ATI\Catalyst Media Center\CMCService.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DAEMON Tools]
--a------ 2006-11-12 06:48 157592 C:\Program Files\DAEMON Tools\daemon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DellSupportCenter]
--a------ 2007-11-15 10:23 202544 C:\Program Files\Dell Support Center\bin\sprtcmd.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\dscactivate]
--a------ 2007-11-15 10:24 16384 C:\Program Files\Dell Support Center\gs_agent\custom\dsca.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ehTray.exe]
--a------ 2006-11-02 08:35 125440 C:\Windows\ehome\ehTray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\EPSON Stylus CX3800 Series]
--a------ 2007-01-25 06:00 179200 C:\Windows\system32\spool\DRIVERS\W32X86\3\E_FATIACA.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Google Desktop Search]
C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IndxStoreSvr_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}]
--a------ 2007-12-13 20:10 1688872 C:\Program Files\Common Files\Nero\Lib\NMIndexStoreSvr.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IS CfgWiz]
--a------ 2007-11-26 22:02 456072 C:\Program Files\Common Files\Symantec Shared\OPC\{31011D49-D90C-4da0-878B-78D28AD507AF}\cltUIStb.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ISUSScheduler]
--a------ 2006-10-03 12:37 81920 C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\LightScribe Control Panel]
--a------ 2007-12-05 13:30 2295072 C:\Program Files\Common Files\LightScribe\LightScribeControlPanel.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NBKeyScan]
--a------ 2007-12-03 15:21 2213160 C:\Program Files\Nero\Nero8\Nero BackItUp\NBKeyScan.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroFilterCheck]
--a------ 2007-03-01 15:57 153136 C:\Program Files\Common Files\Nero\Lib\NeroCheck.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NMSSupport]
--a------ 2007-06-27 11:14 439512 C:\Program Files\Common Files\Intel\IntelDH\NMS\Support\IntelHCTAgent.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvCplDaemon]
--a------ 2006-11-02 05:45 44544 C:\Windows\System32\rundll32.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NVIDIA nTune]
C:\Program Files\NVIDIA Corporation\nTune\nTuneCmd.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvMediaCenter]
--a------ 2006-11-02 05:45 44544 C:\Windows\System32\rundll32.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvSvc]
--a------ 2006-11-02 05:45 44544 C:\Windows\System32\rundll32.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PDVDDXSrv]
--------- 2007-08-31 22:02 128296 C:\Program Files\CyberLink\PowerDVD DX\PDVDDXSrv.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PivotSoftware]
C:\Program Files\Portrait Displays\Pivot Software\wpctrl.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
--a------ 2008-02-18 11:36 385024 C:\Program Files\QuickTime\QTTask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RivaTunerStartupDaemon]
--a------ 2007-10-30 14:05 2650112 C:\Program Files\RivaTuner v2.06\RivaTuner.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SigmatelSysTrayApp]
--a------ 2007-09-12 04:40 405504 C:\Program Files\SigmaTel\C-Major Audio\WDM\sttray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SpybotSD TeaTimer]
--a------ 2007-08-31 17:46 1460560 C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SpyHunter Security Suite]
--a------ 2008-01-23 15:48 344064 C:\Program Files\Enigma Software Group\SpyHunter\SHStartup.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
--a------ 2008-02-22 04:25 144784 C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SUPERAntiSpyware]
--a------ 2008-03-27 14:54 1481968 C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Symantec PIF AlertEng]
--a------ 2008-01-29 18:38 583048 C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\UnlockerAssistant]
--a------ 2006-09-07 13:19 15872 C:\Program Files\Unlocker\UnlockerAssistant.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WinampAgent]
C:\Program Files\Winamp\winampa.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Windows Defender]
--a------ 2008-01-16 22:38 1006264 C:\Program Files\Windows Defender\MSASCui.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Windows Mobile Device Center]
%windir%\WindowsMobile\wmdc.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WMPNSCFG]
--a------ 2006-11-02 08:36 201728 C:\Program Files\Windows Media Player\WMPNSCFG.exe

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"UacDisableNotify"=dword:00000001
"InternetSettingsDisableNotify"=dword:00000001
"AutoUpdateDisableNotify"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\DomainProfile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\FirewallRules]
"{75B9A9E2-CCE5-46EB-B3ED-1DF59A193BA8}"= C:\Program Files\CyberLink\PowerDVD DX\PowerDVD.exe:CyberLink PowerDVD DX
"{8EDE5A09-30DD-49D0-8D37-8A6A5171585E}"= C:\Program Files\CyberLink\PowerDVD DX\PDVDDXSrv.exe:CyberLink PowerDVD DX Resident Program
"{43FBC295-3EF0-4FC0-9162-B897B0372F90}"= UDP:Profile=Private|Profile=Public:LocalSubnet:LocalSubnet|C:\Program Files\Intel\IntelDH\Intel Media Server\Media Server\bin\TSHWMDTCP.exe:SPCM
"{61EB5C2F-C598-4D27-AAB6-6A2FF946E1FC}"= TCP:Profile=Private|Profile=Public:LocalSubnet:LocalSubnet|C:\Program Files\Intel\IntelDH\Intel Media Server\Media Server\bin\TSHWMDTCP.exe:SPCM
"{4866BEB9-CAA9-420C-8FDC-FB495D64B0C6}"= UDP:Profile=Private|Profile=Public:LocalSubnet:LocalSubnet|C:\Program Files\Intel\IntelDH\Intel Media Server\Shells\Remote UI Service.exe:Intel® Remoting Service
"{ABD3D71D-0241-42CE-BBE8-330BAB6F9799}"= TCP:Profile=Private|Profile=Public:LocalSubnet:LocalSubnet|C:\Program Files\Intel\IntelDH\Intel Media Server\Shells\Remote UI Service.exe:Intel® Remoting Service
"{C32D4FDC-5C12-44D6-8676-4455AB00F13B}"= UDP:Profile=Private|Profile=Public:LocalSubnet:LocalSubnet|C:\Program Files\Intel\IntelDH\Intel Media Server\Media Server\bin\mediaserver.exe:Intel® Viiv™ Media Server
"{1E78DFEA-6E93-4EF4-A7D9-64439256B51C}"= TCP:Profile=Private|Profile=Public:LocalSubnet:LocalSubnet|C:\Program Files\Intel\IntelDH\Intel Media Server\Media Server\bin\mediaserver.exe:Intel® Viiv™ Media Server
"{F161FF10-733C-43BD-81C3-237FCE4A03C3}"= TCP:Profile=Private|Profile=Public|9442:127.0.0.1:Intel® Viiv™ Media Server Discovery
"{6514FDF2-C619-40E0-9DE4-0218407DBD53}"= TCP:Profile=Private|Profile=Public|1900:LocalSubnet:LocalSubnet:Intel® Viiv™ Media Server UPnP Discovery
"{052B1593-3434-46F4-B214-E38138044FD4}"= Disabled:UDP:C:\Program Files\Adobe\Photoshop Elements 6.0\AdobePhotoshopElementsMediaServer.exe:Adobe Photoshop Elements Media Server
"{5F47FA16-C29E-4C22-B82C-CDC0B767B9BB}"= Disabled:TCP:C:\Program Files\Adobe\Photoshop Elements 6.0\AdobePhotoshopElementsMediaServer.exe:Adobe Photoshop Elements Media Server
"TCP Query User{F3150310-EBBA-4510-8495-06B2F24E2386}C:\\program files\\digiportal software\\choicemail\\choicemail.exe"= UDP:C:\program files\digiportal software\choicemail\choicemail.exe:ChoiceMail
"UDP Query User{46F5846B-4F82-495B-828C-63414E5D447B}C:\\program files\\digiportal software\\choicemail\\choicemail.exe"= TCP:C:\program files\digiportal software\choicemail\choicemail.exe:ChoiceMail
"{0994AFAE-7D6F-40E2-A4E3-AB9D9F932A27}"= UDP:C:\Program Files\LimeWire\LimeWire.exe:LimeWire
"{D7004304-D273-46E2-BABD-5F4337514114}"= TCP:C:\Program Files\LimeWire\LimeWire.exe:LimeWire
"{FC5DFF16-509E-4692-848F-1D7CA01E68D5}"= UDP:C:\Program Files\Electronic Arts\Crytek\Crysis\Bin32\Crysis.exe:Crysis_32
"{A827BA85-F1EB-4177-B4A5-97435E7CBD7B}"= TCP:C:\Program Files\Electronic Arts\Crytek\Crysis\Bin32\Crysis.exe:Crysis_32
"{7A9C5780-1252-4B16-BBC7-7F94AC9C97EC}"= UDP:C:\Program Files\Electronic Arts\Crytek\Crysis\Bin32\CrysisDedicatedServer.exe:CrysisDedicatedServer_32
"{D8FE101E-99A0-4805-BE69-40AD5A9796AA}"= TCP:C:\Program Files\Electronic Arts\Crytek\Crysis\Bin32\CrysisDedicatedServer.exe:CrysisDedicatedServer_32
"{13B2C350-B43A-4C6F-BADF-AB8E5D446EAC}"= UDP:C:\Windows\System32\PnkBstrA.exe:PnkBstrA
"{66722616-712E-423C-93D2-179ACA53E78E}"= TCP:C:\Windows\System32\PnkBstrA.exe:PnkBstrA
"{BAAFAA4B-06FC-446B-8047-10ADD1172357}"= UDP:C:\Windows\System32\PnkBstrB.exe:PnkBstrB
"{2A057F64-63D3-4745-A231-297CE58439FC}"= TCP:C:\Windows\System32\PnkBstrB.exe:PnkBstrB

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\PublicProfile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\RestrictedServices\Static\System]
"DFSR-1"= RPort=5722|UDP:%SystemRoot%\system32\svchost.exe|Svc=DFSR:Allow inbound TCP traffic|

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\StandardProfile]
"EnableFirewall"= 0 (0x0)

R1 IDSvix86;Symantec Intrusion Prevention Driver;C:\PROGRA~2\Symantec\DEFINI~1\SymcData\idsdefs\20080331.001\IDSvix86.sys [2008-02-13 12:18]
R2 {1E444BE9-B8EC-4ce6-8C2B-6536FB7F4FB7};{1E444BE9-B8EC-4ce6-8C2B-6536FB7F4FB7};C:\Program Files\CyberLink\PowerDVD DX\000.fcl [2007-08-31 22:07]
R2 DQLWinService;DQLWinService;"C:\Program Files\Common Files\Intel\IntelDH\NMS\AdpPlugins\DQLWinService.exe" [2007-02-12 12:46]
R2 NMSCore;Intel® NMSCore;"C:\Program Files\Common Files\Intel\IntelDH\NMS\NMSCore\NMSCore.exe" [2007-06-27 11:14]
R2 nmsunidr;UniDriver for NMS;C:\Windows\system32\DRIVERS\nmsunidr.sys [2007-02-18 21:34]
R2 QualityManager;Intel® Quality Manager;"C:\Program Files\Intel\IntelDH\Intel Media Server\Media Server\bin\qualitymanager.exe" [2007-06-27 11:17]
R2 RapiMgr;Windows Mobile-based device connectivity;C:\Windows\system32\svchost.exe [2006-11-02 05:45]
R2 sprtsvc_dellsupportcenter;SupportSoft Sprocket Service (dellsupportcenter);C:\Program Files\Dell Support Center\bin\sprtsvc.exe [2007-11-15 10:23]
R2 svcChoiceMail;Choice Mail;C:\Program Files\DigiPortal Software\ChoiceMail\\CMServer.exe [2007-10-02 13:23]
R2 WcesComm;Windows Mobile-2003-based device connectivity;C:\Windows\system32\svchost.exe [2006-11-02 05:45]
R2 XAudio;XAudio;C:\Windows\system32\DRIVERS\xaudio.sys [2006-08-04 20:39]
R3 IntelDH;IntelDH Driver;C:\Windows\system32\Drivers\IntelDH.sys [2008-01-16 15:28]
R3 LazerUsb;Lumanate Lazer USB;C:\Windows\system32\DRIVERS\LazerUsb.sys [2007-10-16 21:19]
R3 PsSdk31;PsSdk31;C:\Windows\system32\Drivers\pssdk31.drv [2008-04-03 16:42]
R3 SYMNDISV;SYMNDISV;C:\Windows\system32\Drivers\SYMNDISV.SYS [2008-03-07 14:39]
S3 DHTRACE;Intel® DHTrace Controller;C:\Program Files\Common Files\Intel\IntelDH\bin\DHTraceController.exe [2007-06-27 11:15]
S3 R300;R300;C:\Windows\system32\DRIVERS\atikmdag.sys [2006-11-02 03:36]
S4 GoToAssist;GoToAssist;"C:\Program Files\Citrix\GoToAssist\480\g2aservice.exe" Start=service []
S4 SpyHunter3 Service;SpyHunter3 Service;"C:\Program Files\Enigma Software Group\SpyHunter\SHService.exe" [2008-01-23 15:48]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
bthsvcs REG_MULTI_SZ BthServ
WindowsMobile REG_MULTI_SZ wcescomm rapimgr
LocalServiceRestricted REG_MULTI_SZ WcesComm RapiMgr

*Newly Created Service* - COMHOST

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{10880D85-AAD9-4558-ABDC-2AB1552D831F}]
"C:\Program Files\Common Files\LightScribe\LSRunOnce.exe"
.
Contents of the 'Scheduled Tasks' folder
"2008-03-31 04:00:50 C:\Windows\Tasks\Casper Scheduled Copy of Disk 1 to Disk 2.job"
- C:\Program Files\Future Systems Solutions\Casper 4.0\CASPER.EXE?/COPY 1 2 /SIZE:57544704;24165872640;725930311680 /FS:FAT;NTFS;NTFS /VS:0x519C8406 /VT:0x2D4B48CE /uid:C58A96F3FDB1424E87047621A0D3D09C /AUTOSTART /Y
"2008-04-01 02:55:19 C:\Windows\Tasks\Norton Internet Security - Run Full System Scan - Lou.job"
- C:\Program Files\Norton Internet Security\Norton AntiVirus\Navw32.exeB/TASK:
"2008-04-01 04:30:02 C:\Windows\Tasks\wrSpySweeper_LC8EBE7589FC648EC93F760D755E3512A.job"
- C:\Program Files\Webroot\Spy Sweeper\SpySweeperUI.exe>/ScheduleSweep=wrSpySweeper_LC8EBE7589FC648EC93F760D755E3512A
- C:\Program Files\Webroot\Spy Sweeper\SpySweeperUI.ex
- C:\
.
**************************************************************************

catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-04-03 17:00:41
Windows 6.0.6000 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2008-04-03 17:01:11
ComboFix-quarantined-files.txt 2008-04-03 21:01:08
ComboFix2.txt 2008-03-30 06:21:30
The system cannot find message text for message number 0x2379 in the message file for Application.
The system cannot find message text for message number 0x2379 in the message file for Application.
.
2008-03-18 18:11:50 --- E O F ---
#6
louuu
    Member
  • Topic Starter
  • 223 posts
oh, and here's the new HijackThis log you requested.

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 5:19:42 PM, on 2008-04-03
Platform: Windows Vista (WinNT 6.00.1904)
MSIE: Internet Explorer v7.00 (7.00.6000.16575)
Boot mode: Normal

Running processes:
C:\Windows\system32\Dwm.exe
C:\Windows\system32\taskeng.exe
C:\Windows\Explorer.EXE
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Webroot\Spy Sweeper\SpySweeperUI.exe
C:\Program Files\DigiPortal Software\ChoiceMail\ChoiceMail.exe
C:\Program Files\DigiPortal Software\ChoiceMail\ChoiceMail.exe
C:\Windows\ehome\ehtray.exe
C:\Program Files\RivaTuner v2.06\RivaTuner.exe
C:\Windows\ehome\ehmsas.exe
C:\Program Files\Windows Media Player\wmpnscfg.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Windows\system32\SearchFilterHost.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://cgi.verizon.n...mp;bm=ho_search
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O1 - Hosts: ::1 localhost
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {1E8A6170-7264-4D0F-BEAE-D42A53123C75} - C:\Program Files\Common Files\Symantec Shared\coShared\Browser\1.5\NppBho.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O2 - BHO: Browser Address Error Redirector - {CA6319C0-31B7-401E-A518-A07C3DB8F777} - C:\Program Files\Dell\BAE\BAE.dll
O3 - Toolbar: Show Norton Toolbar - {90222687-F593-4738-B738-FBEE9C7B26DF} - C:\Program Files\Common Files\Symantec Shared\coShared\Browser\1.5\UIBHO.dll
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [SpySweeper] C:\Program Files\Webroot\Spy Sweeper\SpySweeperUI.exe /startintray
O4 - HKCU\..\Run: [ChoiceMail] "C:\Program Files\DigiPortal Software\ChoiceMail\ChoiceMail.exe"
O4 - HKCU\..\Run: [ehTray.exe] C:\Windows\ehome\ehTray.exe
O4 - HKUS\S-1-5-19\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\Run: [WindowsWelcomeCenter] rundll32.exe oobefldr.dll,ShowWelcomeCenter (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-21-2570524930-4131161030-1994012012-1000\..\Run: [Sidebar] "C:\Program Files\Windows Sidebar\Sidebar.exe" /detectMem (User 'IUSR_NMPR')
O4 - HKUS\S-1-5-21-2570524930-4131161030-1994012012-500\..\Run: [WindowsWelcomeCenter] "rundll32.exe" oobefldr.dll,ShowWelcomeCenter (User 'Administrator')
O4 - Startup: RivaTuner.lnk = C:\Program Files\RivaTuner v2.06\RivaTuner.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra button: @C:\Windows\WindowsMobile\INetRepl.dll,-222 - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\Windows\WindowsMobile\INetRepl.dll
O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\Windows\WindowsMobile\INetRepl.dll
O9 - Extra 'Tools' menuitem: @C:\Windows\WindowsMobile\INetRepl.dll,-223 - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\Windows\WindowsMobile\INetRepl.dll
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O13 - Gopher Prefix:
O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://appldnld.appl...ex/qtplugin.cab
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky...can_unicode.cab
O16 - DPF: {49312E18-AA92-4CC2-BB97-55DEA7BCADD6} (WMI Class) - https://support.dell...r/SysProExe.CAB
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.DLL
O21 - SSODL: Disehdx - {067D4C36-6943-42D1-A670-937A2838BE45} - C:\Windows\system32\dskihdb.dll
O23 - Service: Intel® Alert Service (AlertService) - Intel® Corporation - C:\Program Files\Intel\IntelDH\CCU\AlertService.exe
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: ##Id_String1.6844F930_1628_4223_B5CC_5BB94B879762## (Bonjour Service) - Apple Computer, Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Symantec Lic NetConnect service (CLTNetCnService) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: COM Host (comHost) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\VAScanner\comHost.exe
O23 - Service: Intel® DHTrace Controller (DHTRACE) - Intel® Corporation - C:\Program Files\Common Files\Intel\IntelDH\bin\DHTraceController.exe
O23 - Service: DQLWinService - Unknown owner - C:\Program Files\Common Files\Intel\IntelDH\NMS\AdpPlugins\DQLWinService.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: Symantec IS Password Validation (ISPwdSvc) - Symantec Corporation - C:\Program Files\Norton Internet Security\isPwdSvc.exe
O23 - Service: Intel® Software Services Manager (ISSM) - Intel® Corporation - C:\Program Files\Intel\IntelDH\Intel Media Server\Media Server\bin\ISSM.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: LiveUpdate Notice Service Ex (LiveUpdate Notice Ex) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: LiveUpdate Notice Service - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe
O23 - Service: Intel® Viiv™ Media Server (M1 Server) - Unknown owner - C:\Program Files\Intel\IntelDH\Intel Media Server\Media Server\bin\mediaserver.exe
O23 - Service: Intel® Application Tracker (MCLServiceATL) - Intel® Corporation - C:\Program Files\Intel\IntelDH\Intel Media Server\Shells\MCLServiceATL.exe
O23 - Service: Nero BackItUp Scheduler 3 - Nero AG - C:\Program Files\Nero\Nero8\Nero BackItUp\NBService.exe
O23 - Service: NMIndexingService - Nero AG - C:\Program Files\Common Files\Nero\Lib\NMIndexingService.exe
O23 - Service: Intel® NMSCore (NMSCore) - Intel® Corporation - C:\Program Files\Common Files\Intel\IntelDH\NMS\NMSCore\NMSCore.exe
O23 - Service: Intel® Quality Manager (QualityManager) - Intel® Corporation - C:\Program Files\Intel\IntelDH\Intel Media Server\Media Server\bin\qualitymanager.exe
O23 - Service: Intel® Remoting Service (Remote UI Service) - Intel® Corporation - C:\Program Files\Intel\IntelDH\Intel Media Server\Shells\Remote UI Service.exe
O23 - Service: RoxMediaDB9 - Sonic Solutions - C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxMediaDB9.exe
O23 - Service: Roxio Hard Drive Watcher 9 (RoxWatch9) - Sonic Solutions - C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxWatch9.exe
O23 - Service: SupportSoft Sprocket Service (dellsupportcenter) (sprtsvc_dellsupportcenter) - SupportSoft, Inc. - C:\Program Files\Dell Support Center\bin\sprtsvc.exe
O23 - Service: SigmaTel Audio Service (STacSV) - SigmaTel, Inc. - C:\Windows\system32\STacSV.exe
O23 - Service: Choice Mail (svcChoiceMail) - DigiPortal Software, Inc. - C:\Program Files\DigiPortal Software\ChoiceMail\\CMServer.exe
O23 - Service: Symantec Core LC - Unknown owner - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: Symantec AppCore Service (SymAppCore) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\AppCore\AppSvc32.exe
O23 - Service: Webroot Spy Sweeper Engine (WebrootSpySweeperService) - Webroot Software, Inc. - C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
O23 - Service: XAudioService - Conexant Systems, Inc. - C:\Windows\system32\DRIVERS\xaudio.exe

--
End of file - 9566 bytes
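As an added example, not part of the thread or of the HijackThis tool itself, here is a small Python triage pass over lines in the format of the log above. It parses the O16, O20, O21 and O23 entry types and lists the ones a reviewer would check by hand: services with no publisher name, Winlogon Notify and SSODL auto-load DLLs, and ActiveX controls fetched over plain HTTP. The sample lines are constructed, not taken from the posted log. A hit is a prompt to verify the file, not a verdict: HijackThis prints "Unknown owner" for any binary lacking a company name in its version resource, which includes plenty of legitimate software.

```python
import re
from urllib.parse import urlsplit

# Patterns for the HijackThis line types at the tail of the posted log.
# Each named group is one field of that line type. The O23 path is anchored
# on a drive letter so a " - " inside a service name or a folder name does
# not shift the fields.
LINE_PATTERNS = {
    "O16": re.compile(
        r"^O16 - DPF: (?P<clsid>\{[0-9A-Fa-f-]+\}) \((?P<name>[^)]*)\) - (?P<url>\S+)$"),
    "O20": re.compile(r"^O20 - Winlogon Notify: (?P<name>.+?) - (?P<path>.+)$"),
    "O21": re.compile(
        r"^O21 - SSODL: (?P<name>.+?) - (?P<clsid>\{[0-9A-Fa-f-]+\}) - (?P<path>.+)$"),
    "O23": re.compile(
        r"^O23 - Service: (?P<name>.+?) - (?P<owner>.+?) - (?P<path>[A-Za-z]:\\.+)$"),
}

# Constructed sample in HijackThis format (not lines from the posted log).
SAMPLE_LOG = r"""
O13 - Gopher Prefix:
O16 - DPF: {11111111-2222-3333-4444-555555555555} (Example Scanner) - http://example.com/scan/scanner.cab
O20 - Winlogon Notify: exampleNotify - C:\Windows\system32\exnotify.dll
O21 - SSODL: ExampleSSO - {66666666-7777-8888-9999-000000000000} - C:\Windows\system32\exsso.dll
O23 - Service: Example Updater (ExUpdate) - Example Corp. - C:\Program Files\Example\update.exe
O23 - Service: Helper Service - Unknown owner - C:\Program Files\Common Files\helper\helper.exe
O23 - Service: Tracker (TrackSvc) - Example Corp. - C:\Program Files\Example\Media - Server\track.exe
"""


def parse_line(line):
    """Return a dict of fields (plus 'type') for a recognised line, else None."""
    line = line.rstrip()
    pattern = LINE_PATTERNS.get(line[:3])
    if pattern is None:
        return None
    m = pattern.match(line)
    if m is None:
        return None
    entry = m.groupdict()
    entry["type"] = line[:3]
    return entry


def triage(lines):
    """Return (rule, entry name, path-or-URL) tuples for entries worth a manual look."""
    findings = []
    for line in lines:
        e = parse_line(line)
        if e is None:
            continue
        if e["type"] == "O23" and e["owner"].lower() == "unknown owner":
            # No company name in the binary's version resource: confirm the file.
            findings.append(("service without vendor information", e["name"], e["path"]))
        elif e["type"] in ("O20", "O21"):
            # Both keys load a DLL at logon/shell start; confirm the publisher.
            findings.append((f"{e['type']} auto-load DLL, verify publisher", e["name"], e["path"]))
        elif e["type"] == "O16" and urlsplit(e["url"]).scheme.lower() != "https":
            # Downloaded Program File pulled without transport protection.
            findings.append(("ActiveX control fetched over plain HTTP", e["name"], e["url"]))
    return findings


if __name__ == "__main__":
    for rule, name, target in triage(SAMPLE_LOG.splitlines()):
        print(f"{rule}: {name} -> {target}")
```

Feed it a whole saved log with `triage(open("hijackthis.log").read().splitlines())`; lines of other types (O4, O9, O13 and so on) are simply skipped.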

#7 Essexboy (GeekU Moderator, Retired Staff, 69,964 posts)

Hi again. One question. When I updated my Java as per your instructions, now Java is in my startup items under msconfig. Do I need to leave this in my startup items, or can I uncheck it?

Uncheck it

I can see nothing on your system that looks untoward. Are you experiencing any more problems?

#8 louuu (Topic Starter, Member, 223 posts)
No, I'm not experiencing any problems at all now. Even when I started this topic I hadn't had any more problems for a few days already. I just wanted to make sure everything was OK and there wasn't anything else that I needed to do. I also wanted advice on my HijackThis log to make sure there wasn't anything there I needed to act on. And I was wondering if you would know why my desktop URL shortcuts were changing pictures for a day or so, as per my first message? But right now everything is running fine.

Edited by louuu, 04 April 2008 - 08:44 AM.


#9 Essexboy (GeekU Moderator, Retired Staff, 69,964 posts)
Hi louuu, from my side everything looks OK. I have no explanation for your icons though :)

Now the best part of the day ----- Your log now appears clean :)

Double click OTMoveit once again and you should see a CleanUp! button; press that button. You may get prompted by your firewall that OTMoveit wants to contact the internet; allow this. A cleanup.txt will be downloaded and a message dialog will ask you if you want to proceed with the cleanup process; click Yes. This will delete all the tools you have downloaded, plus itself.


Now to get you off to a good start we will reset your restore points so that all the bad stuff is gone for good. Then if you need to restore at some stage you will be clean. There are several ways to reset your restore point, but this is my method:

1. Select Start > All Programs > Accessories > System tools > System Restore.
2. On the dialogue box that appears select Create a Restore Point
3. Click NEXT
4. Enter a name e.g. Clean
5. Click CREATE

You now have a clean restore point, to get rid of the bad ones:

1. Select Start > All Programs > Accessories > System tools > Disk Cleanup.
2. In the Drop down box that appears select your main drive e.g. C
3. Click OK
4. The system will do some calculation and then display a dialogue box with TABS
5. Select the More Options Tab.
6. At the bottom will be a System Restore box with a CLEANUP button; click this
7. Accept the warning and select OK again; the program will close and you are done



Now that you are clean, to help protect your computer in the future I recommend that you get the following free program: It is critical to have both a firewall and anti-virus to protect your system, and to keep them updated.

To keep your operating system up to date visit

To learn more about how to protect yourself while on the internet, read this article by Tony Klein: So how did I get infected in the first place?


Keep safe :)
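A scripted version of the restore-point reset above, added here as an example and not part of Essexboy's instructions. It does the same two things the GUI steps do: create one restore point after the cleanup, then remove every older one, so a later System Restore cannot bring back files from before the infection was dealt with. It assumes Windows PowerShell run as Administrator, System Protection enabled on C:, and Vista or later, where restore points are Volume Shadow Copy snapshots that vssadmin can delete. Checkpoint-Computer and Get-ComputerRestorePoint are Windows PowerShell cmdlets and are not present in PowerShell 7.

```powershell
# Added example: scripted equivalent of "create a Clean restore point, then
# Disk Cleanup > More Options > System Restore > Clean up". Not from the
# original thread. Run from an elevated Windows PowerShell prompt.
# Assumption: the system drive is C: and System Protection is on for it.
$Drive = 'C:'

# 1. Create a fresh restore point that post-dates the malware cleanup.
#    On Windows 8 and later this is silently skipped if another point was
#    created in the last 24 hours (SystemRestorePointCreationFrequency under
#    HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SystemRestore).
Checkpoint-Computer -Description 'Clean' -RestorePointType 'MODIFY_SETTINGS'

# 2. Show what exists now; the point just made has the highest SequenceNumber.
Write-Host 'Restore points before cleanup:'
Get-ComputerRestorePoint | Format-Table SequenceNumber, Description, CreationTime -AutoSize

# 3. Restore points are shadow copies. Deleting the oldest snapshot one at a
#    time until a single one remains is what the Disk Cleanup button does.
#    Each 'vssadmin delete shadows /oldest' call removes exactly one snapshot;
#    the loop is capped so a refused deletion cannot spin forever.
for ($i = 0; $i -lt 50; $i++) {
    $remaining = @(Get-ComputerRestorePoint)
    if ($remaining.Count -le 1) { break }
    & vssadmin.exe delete shadows /for=$Drive /oldest /quiet | Out-Null
}

# 4. Verify that only the 'Clean' point survived.
Write-Host 'Restore points after cleanup:'
Get-ComputerRestorePoint | Format-Table SequenceNumber, Description, CreationTime -AutoSize
```

Read the final listing before trusting it. Disk Cleanup and this loop both keep only the newest point, so if the 'Clean' checkpoint was refused (the 24-hour limit on Windows 8 and later, or System Protection switched off) the survivor is an older, possibly pre-cleanup point, and the exercise has to be repeated once a new point can be created.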

#10 louuu (Topic Starter, Member, 223 posts)
I have done all the steps you asked me to do in your last message. I also already have the programs you recommended on my system. You have been a great help, and your kind service is sincerely appreciated. I'm not sure what the conversion rate is from US dollars to pounds, but here in the United States you can get a real good lunch with 10 US dollars, so I'm going to PayPal you 10 US dollars after I send this message as my way of saying thank you. It's not much, but again, your kind help is appreciated. The money will come from my PayPal email, which is [e-mail deleted]. Thanks again and take care.

Edited by Essexboy, 04 April 2008 - 02:20 PM.


#11 Essexboy (GeekU Moderator, Retired Staff, 69,964 posts)
Thank you very much. I shall raise a glass or two to you tomorrow night :)

I have deleted your e-mail so it doesn't get trawled :)

#12 Essexboy (GeekU Moderator, Retired Staff, 69,964 posts)
Since this issue appears to be resolved ... this Topic has been closed. Glad we could help. :)

If you're the topic starter, and need this topic reopened, please contact a staff member with the address of the thread.

Everyone else please begin a New Topic.