Jump to content

Welcome to Geeks to Go - Register now for FREE

Geeks To Go is a helpful hub, where thousands of volunteer geeks quickly serve friendly answers and support. Check out the forums and get free advice from the experts. Register now to gain access to all of our features, it's FREE and only takes one minute. Once registered and logged in, you will be able to create topics, post replies to existing threads, give reputation to your fellow members, get your own private messenger, post status updates, manage your profile and so much more.

Create Account How it Works
Photo

Unknown Malware/virus. [CLOSED]


  • This topic is locked This topic is locked

#1
phuxing

phuxing

    New Member

  • Member
  • Pip
  • 3 posts
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 4:27:21 PM, on 5/3/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16544)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\ctfmon.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer,(Default) = Download Directory
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.homepagec...sn.com/?wl=true
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft....k/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page =
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
F2 - REG:system.ini: Shell=
O1 - Hosts: ::1 localhost
O2 - BHO: (no name) - {301AA8B2-AAC5-495F-9CF3-F217EB813C8A} - (no file)
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {6A74B6DF-174F-4853-B343-F865BA5AC029} - (no file)
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" -quiet
O4 - HKCU\..\Run: [MySpaceIM] C:\Program Files\MySpace\IM\MySpaceIM.exe
O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'Default user')
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\WINDOWS\system32\shdocvw.dll
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\WINDOWS\system32\shdocvw.dll
O16 - DPF: {48DD0448-9209-4F81-9F6D-D83562940134} (MySpace Uploader Control) - http://lads.myspace....ploader1006.cab
O16 - DPF: {67DABFBF-D0AB-41FA-9C46-CC0F21721616} (DivXBrowserPlugin Object) - http://download.divx...owserPlugin.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{107F7F51-BC08-40C6-A2F5-9C9DB80ABD21}: NameServer = 66.21.97.115,66.21.97.117
O17 - HKLM\System\CCS\Services\Tcpip\..\{526F7D45-CF53-4F3A-A3B1-A632C28DEBC9}: NameServer = 6.21.97.115,66.21.97.117
O17 - HKLM\System\CCS\Services\Tcpip\..\{9F932784-93F3-4CBB-BAAE-3A302C8C37E2}: NameServer = 66.21.97.115,66.21.97.117
O17 - HKLM\System\CS1\Services\Tcpip\..\{107F7F51-BC08-40C6-A2F5-9C9DB80ABD21}: NameServer = 66.21.97.115,66.21.97.117
O20 - Winlogon Notify: qomlijh - qomlijh.dll (file missing)
O21 - SSODL: zip - {675e5d08-a3a0-4d3a-835f-79ab6a8de289} - (no file)
O21 - SSODL: UnknownChk - {7fccdd79-6ca8-424a-82eb-cda83d63b095} - (no file)
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: Buddy Central Service 2 (BuddyCentralService) - Unknown owner - C:\Gunbound\Server\BuddyCenter\BuddyCenter2.exe (file missing)
O23 - Service: Buddy Service 2 (BuddyService) - Unknown owner - C:\Gunbound\Server\BuddyServ\BuddyServ2.exe (file missing)
O23 - Service: GunBound central service with database middleware funtionality (GunBound Central Service) - Unknown owner - C:\Gunbound\Server\Center\GunBoundCenter2.exe (file missing)
O23 - Service: GunBoundServ[8360] - Unknown owner - C:\Gunbound\Server\Gunbound8360\GunBoundServ2.exe (file missing)
O23 - Service: NVSvc - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O24 - Desktop Component 0: (no name) - (no file)

--
End of file - 5711 bytes

Well all i really know about it is it starts through rundll32 and then hides itself and it likes to bluescreen my computer.
Any help cleaning up my hijack this such as removing the Nameservers,AVG,missing file stuff would be greatly apprecitated as well. Thanks for the help and if you need any more info let me know.
  • 0

Advertisements


#2
phuxing

phuxing

    New Member

  • Topic Starter
  • Member
  • Pip
  • 3 posts
DSS Main.txt

Deckard's System Scanner v20071014.68
Run by Owner on 2008-05-03 16:51:50
Computer is in Normal Mode.
--------------------------------------------------------------------------------

-- System Restore --------------------------------------------------------------

Successfully created a Deckard's System Scanner Restore Point.


-- Last 5 Restore Point(s) --
26: 2008-05-03 21:52:01 UTC - RP167 - Deckard's System Scanner Restore Point
25: 2008-05-03 08:00:32 UTC - RP166 - Software Distribution Service 3.0
24: 2008-05-02 08:00:52 UTC - RP165 - Software Distribution Service 3.0
23: 2008-05-01 20:22:05 UTC - RP164 - Software Distribution Service 3.0
22: 2008-05-01 20:20:14 UTC - RP163 - Software Distribution Service 3.0


-- First Restore Point --
1: 2008-04-18 01:08:08 UTC - RP142 - System Checkpoint


Backed up registry hives.
Performed disk cleanup.



-- HijackThis (run as Owner.exe) -----------------------------------------------

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 4:53:44 PM, on 5/3/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16544)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\ctfmon.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\explorer.exe
C:\Documents and Settings\Owner\Desktop\dss.exe
C:\PROGRA~1\TRENDM~1\HIJACK~1\Owner.exe

R1 - HKCU\Software\Microsoft\Internet Explorer,(Default) = Download Directory
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.homepagec...sn.com/?wl=true
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft....k/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page =
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
F2 - REG:system.ini: Shell=
O1 - Hosts: ::1 localhost
O2 - BHO: (no name) - {301AA8B2-AAC5-495F-9CF3-F217EB813C8A} - (no file)
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {6A74B6DF-174F-4853-B343-F865BA5AC029} - (no file)
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" -quiet
O4 - HKCU\..\Run: [MySpaceIM] C:\Program Files\MySpace\IM\MySpaceIM.exe
O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'Default user')
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\WINDOWS\system32\shdocvw.dll
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\WINDOWS\system32\shdocvw.dll
O16 - DPF: {48DD0448-9209-4F81-9F6D-D83562940134} (MySpace Uploader Control) - http://lads.myspace....ploader1006.cab
O16 - DPF: {67DABFBF-D0AB-41FA-9C46-CC0F21721616} (DivXBrowserPlugin Object) - http://download.divx...owserPlugin.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{107F7F51-BC08-40C6-A2F5-9C9DB80ABD21}: NameServer = 66.21.97.115,66.21.97.117
O17 - HKLM\System\CCS\Services\Tcpip\..\{526F7D45-CF53-4F3A-A3B1-A632C28DEBC9}: NameServer = 6.21.97.115,66.21.97.117
O17 - HKLM\System\CCS\Services\Tcpip\..\{9F932784-93F3-4CBB-BAAE-3A302C8C37E2}: NameServer = 66.21.97.115,66.21.97.117
O17 - HKLM\System\CS1\Services\Tcpip\..\{107F7F51-BC08-40C6-A2F5-9C9DB80ABD21}: NameServer = 66.21.97.115,66.21.97.117
O20 - Winlogon Notify: qomlijh - qomlijh.dll (file missing)
O21 - SSODL: zip - {675e5d08-a3a0-4d3a-835f-79ab6a8de289} - (no file)
O21 - SSODL: UnknownChk - {7fccdd79-6ca8-424a-82eb-cda83d63b095} - (no file)
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: Buddy Central Service 2 (BuddyCentralService) - Unknown owner - C:\Gunbound\Server\BuddyCenter\BuddyCenter2.exe (file missing)
O23 - Service: Buddy Service 2 (BuddyService) - Unknown owner - C:\Gunbound\Server\BuddyServ\BuddyServ2.exe (file missing)
O23 - Service: GunBound central service with database middleware funtionality (GunBound Central Service) - Unknown owner - C:\Gunbound\Server\Center\GunBoundCenter2.exe (file missing)
O23 - Service: GunBoundServ[8360] - Unknown owner - C:\Gunbound\Server\Gunbound8360\GunBoundServ2.exe (file missing)
O23 - Service: NVSvc - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O24 - Desktop Component 0: (no name) - (no file)

--
End of file - 5663 bytes

-- File Associations -----------------------------------------------------------

.reg - regfile - shell\open\command - "regedit.exe" "%1"


-- Drivers: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled ---------------------

R1 SSHDRV65 - c:\windows\system32\drivers\sshdrv65.sys
R2 SVKP - c:\windows\system32\svkp.sys <Not Verified; AntiCracking; SVKP driver for NT>
R3 Afc (PPdus ASPI Shell) - c:\windows\system32\drivers\afc.sys <Not Verified; Arcsoft, Inc.; Arcsoft® ASPI Shell>
R3 mcdbus (Driver for MagicISO SCSI Host Controller) - c:\windows\system32\drivers\mcdbus.sys <Not Verified; MagicISO, Inc.; MagicISO SCSI Host Controller>

S2 NdisFileServices32 - c:\windows\system32\drivers\qnpfkn.sys (file missing)
S2 npkcrypt - c:\nexon\maplestory\npkcrypt.sys (file missing)
S2 zntport (NTPort Library Driver) - c:\windows\system32\zntport.sys (file missing)
S3 CEDRIVER51 - c:\documents and settings\owner\desktop\memhack 2.0.7.1j\dbk32.sys (file missing)
S3 CEDRIVER52 - c:\program files\cheat engine\dbk32.sys (file missing)
S3 DRIVER1111 - c:\documents and settings\owner\desktop\blowie\blowie32.sys (file missing)
S3 dtscsi - c:\windows\system32\drivers\dtscsi.sys (file missing)
S3 Dual2 - c:\documents and settings\owner\desktop\1008 aimbot+bypass-1\1008 aimbot+bypass\universalbypass\dual2.sys (file missing)
S3 EagleNT - c:\windows\system32\drivers\eaglent.sys (file missing)
S3 Engine - c:\documents and settings\owner\desktop\astrv135\asprstripperxp_v135\engine.sys (file missing)
S3 IlvMoneyDRIVER53 - c:\documents and settings\owner\desktop\ilvmoney1083.sys (file missing)
S3 IRIS5 (IRIS5 Protocol Driver) - c:\windows\system32\iris5.sys <Not Verified; eEye Digital Security; Iris Driver>
S3 PCD65X2 - c:\docume~1\owner\locals~1\temp\pcd65x2.sys (file missing)
S3 PCD65X3 - c:\docume~1\owner\locals~1\temp\pcd65x3.sys (file missing)
S3 PCD65X4 - c:\docume~1\owner\locals~1\temp\pcd65x4.sys (file missing)
S3 PCD65X5 - c:\docume~1\owner\locals~1\temp\pcd65x5.sys (file missing)
S3 PCD65X6 - c:\docume~1\owner\locals~1\temp\pcd65x6.sys (file missing)
S3 projectx1 - c:\documents and settings\owner\desktop\projectx_4.0 engine\projectx_4.0 engine\felipeze.sys (file missing)
S3 Revolution1 - c:\documents and settings\owner\desktop\revolution_engine_8.3_shak3\revolution_engine_8.3_shak3\shak3.sys (file missing)
S3 SoRa1 - c:\documents and settings\owner\desktop\sora_engine_2.3__1058_\sora engine 2.3\sora23.sys (file missing)


-- Services: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled --------------------

S3 BuddyCentralService (Buddy Central Service 2) - c:\gunbound\server\buddycenter\buddycenter2.exe (file missing)
S3 BuddyService (Buddy Service 2) - c:\gunbound\server\buddyserv\buddyserv2.exe (file missing)
S3 GunBound Central Service (GunBound central service with database middleware funtionality) - c:\gunbound\server\center\gunboundcenter2.exe (file missing)
S3 GunBoundServ[8360] - c:\gunbound\server\gunbound8360\gunboundserv2.exe (file missing)
S4 BNBT Service - c:\documents and settings\owner\desktop\animetracker\bnbt.exe -s (file missing)
S4 FontCache3.0.0.0 (Windows Presentation Foundation Font Cache 3.0.0.0) - c:\windows\microsoft.net\framework\v3.0\wpf\presentationfontcache.exe (file missing)
S4 gusvc (Google Updater Service) - "c:\program files\google\common\google updater\googleupdaterservice.exe" (file missing)
S4 IDriverT (InstallDriver Table Manager) - "c:\program files\common files\installshield\driver\11\intel 32\idrivert.exe" (file missing)
S4 idsvc (Windows CardSpace) - "c:\windows\microsoft.net\framework\v3.0\windows communication foundation\infocard.exe" (file missing)
S4 LightScribeService (LightScribeService Direct Disc Labeling Service) - "c:\program files\common files\lightscribe\lssrvc.exe" (file missing)
S4 Macromedia Licensing Service - "c:\program files\common files\macromedia shared\service\macromedia licensing.exe" (file missing)
S4 MDM - "c:\program files\common files\microsoft shared\vs7debug\mdm.exe" (file missing)
S4 MySQL - "c:\program files\mysql\mysql server 5.0\bin\mysqld-nt" --defaults-file="c:\program files\mysql\mysql server 5.0\my.ini" mysql (file missing)
S4 NetTcpPortSharing (Net.Tcp Port Sharing Service) - "c:\windows\microsoft.net\framework\v3.0\windows communication foundation\smsvchost.exe" (file missing)


-- Device Manager: Disabled ----------------------------------------------------

Class GUID: {4D36E972-E325-11CE-BFC1-08002BE10318}
Description: Microsoft Loopback Adapter
Device ID: ROOT\NET\0000
Manufacturer: Microsoft
Name: Microsoft Loopback Adapter
PNP Device ID: ROOT\NET\0000
Service: msloop

Class GUID: {4D36E965-E325-11CE-BFC1-08002BE10318}
Description: CD-ROM Drive
Device ID: SCSI\CDROM&VEN_MAGICISO&PROD_VIRTUAL_DVD-ROM&REV_1.0A\1&2AFD7D61&0&0000
Manufacturer: (Standard CD-ROM drives)
Name: MagicISO Virtual DVD-ROM0000
PNP Device ID: SCSI\CDROM&VEN_MAGICISO&PROD_VIRTUAL_DVD-ROM&REV_1.0A\1&2AFD7D61&0&0000
Service: cdrom


-- Files created between 2008-04-03 and 2008-05-03 -----------------------------

2008-05-03 16:27:11 0 d-------- C:\Program Files\Trend Micro
2008-05-02 21:27:15 0 dr-h----- C:\Documents and Settings\Owner\Recent
2008-04-28 12:28:00 0 d-------- C:\Program Files\MSXML 4.0
2008-04-28 12:00:32 139536 --a------ C:\WINDOWS\system32\javaee.dll <Not Verified; Microsoft Corporation; Microsoft® Windows ® Operating System>
2008-04-28 12:00:14 171792 --a------ C:\WINDOWS\system32\wjview.exe <Not Verified; Microsoft Corporation; Microsoft® Windows ® Operating System>
2008-04-28 12:00:11 172304 --a------ C:\WINDOWS\system32\jview.exe <Not Verified; Microsoft Corporation; Microsoft® Windows ® Operating System>
2008-04-28 12:00:07 49424 --a------ C:\WINDOWS\system32\clspack.exe <Not Verified; Microsoft Corporation; Microsoft® Windows ® Operating System>
2008-04-28 11:11:47 0 d-------- C:\WINDOWS\system32\PreInstall
2008-04-28 06:57:58 514509 --ahs---- C:\WINDOWS\system32\nnXwyJjl.ini2
2008-04-27 23:00:14 514777 --ahs---- C:\WINDOWS\system32\klVwGfhk.ini2
2008-04-27 21:04:08 515624 --ahs---- C:\WINDOWS\system32\DKQsBJjl.ini2
2008-04-27 13:06:31 515738 --ahs---- C:\WINDOWS\system32\ppqsYJjl.ini2
2008-04-26 13:55:04 0 d-------- C:\Program Files\Common Files\Corel
2008-04-26 12:56:51 0 d-------- C:\Program Files\WMA-MP3.com
2008-04-26 02:24:20 0 d-------- C:\Documents and Settings\Owner\.gimp-2.4
2008-04-26 02:22:00 0 d-------- C:\Program Files\GIMP-2.0
2008-04-26 02:19:36 518735 --ahs---- C:\WINDOWS\system32\efLkkUtv.ini2
2008-04-25 13:27:20 516203 --ahs---- C:\WINDOWS\system32\WyHjQtwa.ini2
2008-04-25 12:14:55 521026 --ahs---- C:\WINDOWS\system32\NWHjPqru.ini2
2008-04-25 11:45:41 94208 --a------ C:\WINDOWS\system32\bepsnwxw.exe
2008-04-25 11:08:52 418600 --ahs---- C:\WINDOWS\system32\StwHRXbc.ini2
2008-04-25 03:45:15 0 d-------- C:\Documents and Settings\All Users\Application Data\FLEXnet
2008-04-24 03:22:41 420625 --ahs---- C:\WINDOWS\system32\iRqrAJlm.ini2
2008-04-24 03:17:31 0 d-------- C:\WINDOWS\system32\814810
2008-04-24 03:11:54 0 d-------- C:\Program Files\DAEMON Tools Lite
2008-04-24 02:59:52 0 d-------- C:\Documents and Settings\Owner\Application Data\DAEMON Tools
2008-04-20 15:19:01 0 d-------- C:\Program Files\Free WMA to MP3 Converter
2008-04-16 02:36:46 0 d-------- C:\Program Files\Alwil Software
2008-04-06 17:49:42 0 d-------- C:\WINDOWS\system32\209789
2008-04-05 12:35:36 0 d-------- C:\sysreset


-- Find3M Report ---------------------------------------------------------------

2008-05-03 15:30:20 0 d-------- C:\Program Files\Zoom Player
2008-04-28 10:14:56 18046 --ahs--c- C:\WINDOWS\system32\KGyGaAvL.sys
2008-04-27 19:17:30 0 d-------- C:\Program Files\Combined Community Codec Pack
2008-04-27 19:08:15 0 d-------- C:\Documents and Settings\Owner\Application Data\DivX
2008-04-26 14:06:49 168 -r-hs---- C:\WINDOWS\system32\9E0F16F7B7.sys
2008-04-26 14:06:21 0 d-------- C:\Documents and Settings\Owner\Application Data\Corel
2008-04-26 13:55:04 0 d-------- C:\Program Files\Common Files
2008-04-26 13:55:03 0 d-------- C:\Program Files\Corel
2008-04-25 16:01:22 0 d-------- C:\Program Files\Common Files\Adobe
2008-04-25 15:18:53 0 d-------- C:\Documents and Settings\Owner\Application Data\Adobe
2008-04-25 13:08:58 0 d-------- C:\Documents and Settings\Owner\Application Data\LimeWire
2008-04-25 13:00:07 0 d-------- C:\Program Files\blcorp
2008-04-18 17:18:22 0 d-------- C:\Program Files\Audacity
2008-04-10 14:02:41 0 d-------- C:\Documents and Settings\Owner\Application Data\AVG7
2008-04-03 13:13:15 0 d-------- C:\Program Files\LimeWire
2008-04-03 12:42:02 0 d-------- C:\Program Files\Metacafe
2008-04-01 04:22:27 0 d-------- C:\Documents and Settings\Owner\Application Data\Skype
2008-03-31 21:56:24 0 d-------- C:\Program Files\DivX
2008-03-31 21:55:59 0 d-------- C:\Program Files\AC3Filter
2008-03-29 19:36:26 164 --a------ C:\install.dat
2008-03-28 19:19:44 303104 --a------ C:\WINDOWS\fkdnrwsv.dll
2008-03-24 04:33:23 0 d-------- C:\Documents and Settings\Owner\Application Data\MySpace
2008-03-24 04:33:15 0 d-------- C:\Program Files\MySpace
2008-03-20 20:59:41 0 d-------- C:\Documents and Settings\Owner\Application Data\InstallShield
2008-03-20 19:27:10 0 d-------- C:\Program Files\HHD Software
2008-03-19 18:58:18 0 d-------- C:\Program Files\ffdshow
2008-03-14 16:47:47 0 d-------- C:\Documents and Settings\Owner\Application Data\WinRAR
2008-03-13 17:21:36 0 d-------- C:\Program Files\Opera
2008-03-12 05:53:13 0 d-------- C:\Documents and Settings\Owner\Application Data\Business Logic
2008-03-12 05:49:22 0 d-------- C:\Documents and Settings\Owner\Application Data\Azureus
2008-03-12 05:44:38 881 --a------ C:\Program Files\WinCleaner OneClick CleanUp.lnk <WINCLE~1.LNK>
2008-03-12 05:44:36 0 d-------- C:\Program Files\Business Logic Corporation
2008-03-12 04:28:25 0 d-------- C:\Documents and Settings\Owner\Application Data\Winamp2
2008-03-12 04:28:15 0 d-------- C:\Program Files\Winamp2
2008-03-12 03:49:30 0 d-------- C:\Documents and Settings\Owner\Application Data\.BitTornado
2008-03-12 03:47:53 0 d-------- C:\Program Files\BitTornado
2008-03-12 00:13:33 0 d-------- C:\Program Files\Avi2Dvd
2008-03-11 23:51:49 0 d-------- C:\Program Files\Image-Line
2008-03-11 23:49:27 0 d-------- C:\Program Files\VstPlugins
2008-03-11 23:47:17 0 d-------- C:\Documents and Settings\Owner\Application Data\Dev-Cpp
2008-03-11 23:45:55 0 d-------- C:\Program Files\Azureus
2008-03-11 23:27:09 0 d-------- C:\Program Files\WinZip2
2008-03-11 23:27:06 0 d-------- C:\Program Files\Windows NT
2008-03-11 23:27:03 0 d-------- C:\Program Files\Winamp
2008-03-11 23:27:03 0 d-------- C:\Program Files\Web Publish
2008-03-11 23:27:03 0 d-------- C:\Program Files\VirtualDub-1.5.6
2008-03-11 23:26:58 0 d-------- C:\Program Files\SHOUTcast
2008-03-11 23:26:58 0 d-------- C:\Program Files\SetSpeed
2008-03-11 23:26:57 0 d-------- C:\Program Files\QuickTime
2008-03-11 23:26:57 0 d-------- C:\Program Files\PolyFinder
2008-03-11 23:25:59 0 d-------- C:\Program Files\Iris
2008-03-11 23:25:56 0 d-------- C:\Program Files\HashTab Shell Extension
2008-03-11 23:25:55 0 d-------- C:\Program Files\GSpot
2008-03-11 23:25:53 0 d-------- C:\Program Files\Far
2008-03-11 23:25:49 0 d-------- C:\Program Files\EasyPHP1-8
2008-03-11 23:25:40 0 d-------- C:\Program Files\Common Files\Motive
2008-03-11 23:25:36 0 d-------- C:\Program Files\Common Files\LightScribe
2008-03-11 23:25:28 0 d-------- C:\Program Files\CIF USB Camera
2008-03-11 23:25:27 0 d-------- C:\Program Files\CD Audio Reader Filter
2008-03-11 23:24:45 0 d-------- C:\Program Files\Abyss Web Server
2008-03-11 23:24:45 0 d-------- C:\Program Files\7-Zip
2008-03-11 21:30:18 0 d--h----- C:\Documents and Settings\Owner\Application Data\Hangame
2008-03-11 21:29:23 0 d-------- C:\Program Files\sysreset
2008-03-11 19:37:59 306 --a------ C:\WINDOWS\system32\c3bfc44.exe
2008-03-11 18:28:28 306 --a------ C:\WINDOWS\system32\bfc692f.exe
2008-03-11 18:28:27 306 --a------ C:\WINDOWS\system32\bfc6556.exe
2008-03-11 16:09:28 306 --a------ C:\WINDOWS\system32\b7d2624.exe
2008-03-11 14:36:40 306 --a------ C:\WINDOWS\system32\b2818f3.exe
2008-03-10 16:50:14 306 --a------ C:\WINDOWS\system32\67c1c86.exe
2008-03-10 16:50:13 306 --a------ C:\WINDOWS\system32\67c18fc.exe
2008-03-09 20:56:19 0 --a------ C:\WINDOWS\system32\SBRC.dat
2008-03-09 20:56:19 0 --a------ C:\WINDOWS\system32\SBFC.dat
2008-03-06 00:31:51 0 d-------- C:\Program Files\Java
2008-03-03 18:33:56 20992 --a------ C:\WINDOWS\system32\12a22e0.exe
2008-03-03 18:10:39 20992 --a------ C:\WINDOWS\system32\114e418.exe
2008-03-03 17:12:28 20992 --a------ C:\WINDOWS\system32\df56dd.exe
2008-03-03 17:12:06 23666 --a------ C:\WINDOWS\system32\dee065.exe
2008-03-03 15:15:20 20992 --a------ C:\WINDOWS\system32\7466c4.exe
2008-03-03 14:28:15 20992 --a------ C:\WINDOWS\system32\494f07.exe
2008-03-03 14:05:22 20992 --a------ C:\WINDOWS\system32\3437ad.exe
2008-03-03 10:39:19 306 --a------ C:\WINDOWS\system32\c08ee.exe
2008-03-03 09:54:55 0 d-------- C:\Program Files\MSBuild
2008-03-03 09:54:36 0 d-------- C:\Program Files\Reference Assemblies
2008-03-03 09:46:31 0 d-------- C:\Program Files\MSXML 6.0
2008-02-29 15:47:35 18 --ahs---- C:\WINDOWS\system32\TMyUpdate.dll
2008-02-29 15:47:35 62 --ahs---- C:\WINDOWS\system32\TMyGeneric.dll
2008-02-29 15:45:06 262 --ahs---- C:\WINDOWS\TMy.dll
2008-02-20 21:05:44 3596288 --a------ C:\WINDOWS\system32\qt-dx331.dll
2008-02-20 21:04:16 196608 --a------ C:\WINDOWS\system32\dtu100.dll <Not Verified; DivX, Inc.; DivX, Inc. dtu100>
2008-02-20 21:04:16 81920 --a------ C:\WINDOWS\system32\dpl100.dll <Not Verified; DivX, Inc.; DivX, Inc. dpl100>
2008-02-20 21:04:04 802816 --a------ C:\WINDOWS\system32\divx_xx11.dll <Not Verified; DivX, Inc.; DivX?>
2008-02-20 21:04:04 823296 --a------ C:\WINDOWS\system32\divx_xx0c.dll <Not Verified; DivX, Inc.; DivXョ>
2008-02-20 21:04:04 823296 --a------ C:\WINDOWS\system32\divx_xx07.dll <Not Verified; DivX, Inc.; DivXョ>
2008-02-20 21:04:04 682496 --a------ C:\WINDOWS\system32\DivX.dll <Not Verified; DivX, Inc.; DivXョ>
2008-02-20 21:03:24 12288 --a------ C:\WINDOWS\system32\DivXWMPExtType.dll


-- Registry Dump ---------------------------------------------------------------

*Note* empty entries & legit default entries are not shown


[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{301AA8B2-AAC5-495F-9CF3-F217EB813C8A}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{6A74B6DF-174F-4853-B343-F865BA5AC029}]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"avast!"="C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe" [03/29/2008 12:37 PM]
"KernelFaultCheck"="C:\WINDOWS\system32\dumprep 0 -k" []

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [08/04/2004 07:00 AM]
"Yahoo! Pager"="C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" [08/30/2007 05:43 PM]
"MySpaceIM"="C:\Program Files\MySpace\IM\MySpaceIM.exe" [02/01/2008 03:32 PM]

[HKEY_USERS\.default\software\microsoft\windows\currentversion\run]
"MySpaceIM"=C:\Program Files\MySpace\IM\MySpaceIM.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]
"D1sableTaskMgr"=1 (0x1)

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\qomlijh]
qomlijh.dll

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
"Authentication Packages"= msv1_0 C:\WINDOWS\system32\vtUkkLfe

SafeBoot registry key needs repairs. This machine cannot enter Safe Mode.

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\File system]
@="Driver Group"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\RpcSs]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\vgasave.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{4D36E967-E325-11CE-BFC1-08002BE10318}]
@="DiskDrive"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{4D36E96A-E325-11CE-BFC1-08002BE10318}]
@="Hdc"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{4D36E96B-E325-11CE-BFC1-08002BE10318}]
@="Keyboard"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{4D36E96F-E325-11CE-BFC1-08002BE10318}]
@="Mouse"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{4D36E97D-E325-11CE-BFC1-08002BE10318}]
@="System"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{71A27CDD-812A-11D0-BEC7-08002BE2092F}]
@="Volume"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Metacafe.lnk]
backup=C:\WINDOWS\pss\Metacafe.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^Owner^Start Menu^Programs^Startup^Metacafe.lnk]
backup=C:\WINDOWS\pss\Metacafe.lnkStartup


[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\!1_pgaccount]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\!1_ProcessGuard_Startup]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AbyssWebServer]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Aim6]
"C:\Program Files\AIM6\aim6.exe" /d locale=en-US ee://aol/imApp

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\antiviirus]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AVG7_CC]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AVG7_EMC]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\bjh2vaja]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BMcfd0f0f0]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\cce3c36c]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Corel Photo Downloader]
"C:\Program Files\Common Files\Corel\Corel PhotoDownloader\Corel Photo Downloader.exe" -startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\daedjw]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DAEMON Tools Lite]
"C:\Program Files\DAEMON Tools Lite\daemon.exe" -autorun

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DVDTray]
C:\Program Files\Ahead\ODD Toolkit\DVDTray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\dzjjmvtw]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IMJPMIG8.1]
"C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\InCD]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\KernelFaultCheck]
%systemroot%\system32\dumprep 0 -k

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\LightScribe Control Panel]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Monitor]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MsnMsgr]
"C:\Program Files\MSN Messenger\msnmsgr.exe" /background

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSPY2002]
C:\WINDOWS\system32\IME\PINTLGNT\ImScInst.exe /SYNC

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroFilterCheck]
C:\WINDOWS\system32\NeroCheck.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvCplDaemon]
RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvMediaCenter]
RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\nwiz]
nwiz.exe /install

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PC-Cleaner]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PHIME2002A]
C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /IMEName

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PHIME2002ASync]
C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /SYNC

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ProxyWay]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RemoteControl]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\runner1]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SandboxieControl]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\services]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SpybotSD TeaTimer]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SpySweeper]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Steam]


[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Yahoo! Pager]
"C:\PROGRA~1\Yahoo!\MESSEN~1\YAHOOM~1.EXE" -quiet

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"iPodService"=3 (0x3)
"InCDsrv"=2 (0x2)
"Avg7UpdSvc"=2 (0x2)
"Avg7Alrt"=2 (0x2)
"seclogon"=2 (0x2)
"SbieSvc"=2 (0x2)
"PnkBstrA"=2 (0x2)
"ose"=3 (0x3)
"gusvc"=3 (0x3)
"AVGEMS"=2 (0x2)
"aawservice"=3 (0x3)
"WZCSVC"=2 (0x2)
"UleadBurningHelper"=2 (0x2)
"Spooler"=2 (0x2)
"SharedAccess"=2 (0x2)
"O&O Defrag"=3 (0x3)
"MySQL"=2 (0x2)
"LightScribeService"=2 (0x2)
"SBCSSvc"=3 (0x3)
"MDM"=3 (0x3)
"usnjsvc"=3 (0x3)
"idsvc"=3 (0x3)
"IDriverT"=3 (0x3)
"FontCache3.0.0.0"=3 (0x3)
"ProtexisLicensing"=2 (0x2)
"FLEXnet Licensing Service"=3 (0x3)
"Bonjour Service"=2 (0x2)


[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{1f2f35eb-be60-11dc-a9fa-0010b54862a2}]
AutoRun\command- G:\Autorun.exe


[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{10880D85-AAD9-4558-ABDC-2AB1552D831F}]
"C:\Program Files\Common Files\LightScribe\LSRunOnce.exe"



-- Hosts -----------------------------------------------------------------------

127.0.0.1 www.007guard.com
127.0.0.1 007guard.com
127.0.0.1 008i.com
127.0.0.1 www.008k.com
127.0.0.1 008k.com
127.0.0.1 www.00hq.com
127.0.0.1 00hq.com
127.0.0.1 010402.com
127.0.0.1 www.032439.com
127.0.0.1 032439.com

8300 more entries in hosts file.


-- End of Deckard's System Scanner: finished at 2008-05-03 16:54:37 ------------
  • 0

#3
phuxing

phuxing

    New Member

  • Topic Starter
  • Member
  • Pip
  • 3 posts
Deckard's System Scanner v20071014.68
Extra logfile - please post this as an attachment with your post.
--------------------------------------------------------------------------------

-- System Information ----------------------------------------------------------

Microsoft Windows XP Home Edition (build 2600) SP 2.0
Architecture: X86; Language: English

CPU 0: AMD Athlon™ XP 1900+
Percentage of Memory in Use: 54%
Physical Memory (total/avail): 511.48 MiB / 231.61 MiB
Pagefile Memory (total/avail): 2481.28 MiB / 2235.02 MiB
Virtual Memory (total/avail): 2047.88 MiB / 1926.55 MiB

A: is Removable (No Media)
C: is Fixed (NTFS) - 37.27 GiB total, 10.41 GiB free.
D: is CDROM (CDFS)
E: is Fixed (NTFS) - 76.32 GiB total, 0.14 GiB free.
F: is CDROM (No Media)

\\.\PHYSICALDRIVE1 - Maxtor 6Y080L0 - 76.33 GiB - 1 partition
\PARTITION0 (bootable) - Installable File System - 76.32 GiB - E:

\\.\PHYSICALDRIVE0 - WDC WD400BB-00DEA0 - 37.27 GiB - 1 partition
\PARTITION0 (bootable) - Installable File System - 37.27 GiB - C:



-- Security Center -------------------------------------------------------------

AUOptions is scheduled to auto-install.
Windows Internal Firewall is disabled.

FirstRunDisabled is set.

AV: AVG 7.5.516 v7.5.516 (Grisoft)
AV: avast! antivirus 4.8.1169 [VPS 080503-0] v4.8.1169 (ALWIL Software) Disabled

[HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"%windir%\\Network Diagnostic\\xpnetdiag.exe"="%windir%\\Network Diagnostic\\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"
"C:\\Program Files\\MSN Messenger\\msnmsgr.exe"="C:\\Program Files\\MSN Messenger\\msnmsgr.exe:*:Enabled:Windows Live Messenger 8.1"
"C:\\Program Files\\MSN Messenger\\livecall.exe"="C:\\Program Files\\MSN Messenger\\livecall.exe:*:Enabled:Windows Live Messenger 8.1 (Phone)"

[HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"C:\\Program Files\\Messenger\\msmsgs.exe"="C:\\Program Files\\Messenger\\msmsgs.exe:*:Enabled:Windows Messenger"
"C:\\Program Files\\Yahoo!\\Messenger\\YPager.exe"="C:\\Program Files\\Yahoo!\\Messenger\\YPager.exe:*:Enabled:Yahoo! Messenger"
"C:\\Program Files\\Yahoo!\\Messenger\\YServer.exe"="C:\\Program Files\\Yahoo!\\Messenger\\YServer.exe:*:Enabled:Yahoo! FT Server"
"C:\\Hangame\\JAPANESE\\Gunster.exe"="C:\\Hangame\\JAPANESE\\Gunster.exe:*:Enabled:Gunstrike"
"C:\\Program Files\\ProxyWay\\proxyway.exe"="C:\\Program Files\\ProxyWay\\proxyway.exe:*:Disabled:proxyway"
"C:\\Program Files\\Abyss Web Server\\abyssws.exe"="C:\\Program Files\\Abyss Web Server\\abyssws.exe:*:Enabled:Abyss Web Server X1"
"C:\\Gunbound2\\Broker Emu v0.1.exe"="C:\\Gunbound2\\Broker Emu v0.1.exe:*:Enabled:Broker Emu v0.1"
"C:\\Documents and Settings\\Owner\\Desktop\\Root Folders\\Infantry Related\\SuckMe\\SuckMeori\\GSERVER.exe"="C:\\Documents and Settings\\Owner\\Desktop\\Root Folders\\Infantry Related\\SuckMe\\SuckMeori\\GSERVER.exe:*:Enabled:GSERVER"
"C:\\Gunbound\\Broker Emu v0.1.exe"="C:\\Gunbound\\Broker Emu v0.1.exe:*:Enabled:Broker Emu v0.1"
"C:\\Program Files\\sysreset\\mirc.exe"="C:\\Program Files\\sysreset\\mirc.exe:*:Enabled:mIRC"
"C:\\Program Files\\Java\\jre1.5.0\\bin\\javaw.exe"="C:\\Program Files\\Java\\jre1.5.0\\bin\\javaw.exe:*:Enabled:Java™ 2 Platform Standard Edition binary"
"C:\\ijji\\ENGLISH\\Gunbound Revolution\\GunBound.gme"="C:\\ijji\\ENGLISH\\Gunbound Revolution\\GunBound.gme:*:Enabled:GunBound"
"C:\\WINDOWS\\system32\\lrjqnkeo.exe"="C:\\WINDOWS\\system32\\lrj"
"C:\\Program Files\\LimeWire\\LimeWire.exe"="C:\\Program Files\\LimeWire\\LimeWire.exe:*:Enabled:LimeWire"
"C:\\Program Files\\Grisoft\\AVG7\\avginet.exe"="C:\\Program Files\\Grisoft\\AVG7\\avginet.exe:*:Enabled:avginet.exe"
"C:\\Program Files\\Grisoft\\AVG7\\avgamsvr.exe"="C:\\Program Files\\Grisoft\\AVG7\\avgamsvr.exe:*:Enabled:avgamsvr.exe"
"C:\\Program Files\\Grisoft\\AVG7\\avgcc.exe"="C:\\Program Files\\Grisoft\\AVG7\\avgcc.exe:*:Enabled:avgcc.exe"
"C:\\Program Files\\Grisoft\\AVG7\\avgemc.exe"="C:\\Program Files\\Grisoft\\AVG7\\avgemc.exe:*:Enabled:avgemc.exe"
"C:\\ijji\\JAPANESE\\Gunster.exe"="C:\\ijji\\JAPANESE\\Gunster.exe:*:Enabled:ガンストライク"
"C:\\Program Files\\Hangame\\JAPANESE\\Gunster.exe"="C:\\Program Files\\Hangame\\JAPANESE\\Gunster.exe:*:Enabled:Gunstrike"
"%windir%\\Network Diagnostic\\xpnetdiag.exe"="%windir%\\Network Diagnostic\\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"
"C:\\Program Files\\MSN Messenger\\msnmsgr.exe"="C:\\Program Files\\MSN Messenger\\msnmsgr.exe:*:Enabled:ipsec"
"C:\\Program Files\\MSN Messenger\\livecall.exe"="C:\\Program Files\\MSN Messenger\\livecall.exe:*:Enabled:Windows Live Messenger 8.1 (Phone)"
"C:\\DOCUME~1\\Owner\\LOCALS~1\\Temp\\winxdku.exe"="C:\\DOCUME~1\\Owner\\LOCALS~1\\Temp\\winxdku.exe:*:Enabled:ipsec"
"C:\\DOCUME~1\\Owner\\LOCALS~1\\Temp\\winaicxpa.exe"="C:\\DOCUME~1\\Owner\\LOCALS~1\\Temp\\winaicxpa.exe:*:Enabled:ipsec"
"C:\\DOCUME~1\\Owner\\LOCALS~1\\Temp\\wininnrsk.exe"="C:\\DOCUME~1\\Owner\\LOCALS~1\\Temp\\wininnrsk.exe:*:Enabled:ipsec"
"C:\\DOCUME~1\\Owner\\LOCALS~1\\Temp\\winarvayq.exe"="C:\\DOCUME~1\\Owner\\LOCALS~1\\Temp\\winarvayq.exe:*:Enabled:ipsec"
"C:\\DOCUME~1\\Owner\\LOCALS~1\\Temp\\wineuje.exe"="C:\\DOCUME~1\\Owner\\LOCALS~1\\Temp\\wineuje.exe:*:Enabled:ipsec"
"C:\\DOCUME~1\\Owner\\LOCALS~1\\Temp\\winxxax.exe"="C:\\DOCUME~1\\Owner\\LOCALS~1\\Temp\\winxxax.exe:*:Enabled:ipsec"
"C:\\DOCUME~1\\Owner\\LOCALS~1\\Temp\\wingymh.exe"="C:\\DOCUME~1\\Owner\\LOCALS~1\\Temp\\wingymh.exe:*:Enabled:ipsec"
"C:\\DOCUME~1\\Owner\\LOCALS~1\\Temp\\wingwqq.exe"="C:\\DOCUME~1\\Owner\\LOCALS~1\\Temp\\wingwqq.exe:*:Enabled:ipsec"
"C:\\DOCUME~1\\Owner\\LOCALS~1\\Temp\\winfynh.exe"="C:\\DOCUME~1\\Owner\\LOCALS~1\\Temp\\winfynh.exe:*:Enabled:ipsec"
"C:\\DOCUME~1\\Owner\\LOCALS~1\\Temp\\winfdet.exe"="C:\\DOCUME~1\\Owner\\LOCALS~1\\Temp\\winfdet.exe:*:Enabled:ipsec"
"C:\\DOCUME~1\\Owner\\LOCALS~1\\Temp\\winrahe.exe"="C:\\DOCUME~1\\Owner\\LOCALS~1\\Temp\\winrahe.exe:*:Enabled:ipsec"
"C:\\DOCUME~1\\Owner\\LOCALS~1\\Temp\\winovfd.exe"="C:\\DOCUME~1\\Owner\\LOCALS~1\\Temp\\winovfd.exe:*:Enabled:ipsec"
"C:\\DOCUME~1\\Owner\\LOCALS~1\\Temp\\winrirkem.exe"="C:\\DOCUME~1\\Owner\\LOCALS~1\\Temp\\winrirkem.exe:*:Enabled:ipsec"
"C:\\DOCUME~1\\Owner\\LOCALS~1\\Temp\\winrbkh.exe"="C:\\DOCUME~1\\Owner\\LOCALS~1\\Temp\\winrbkh.exe:*:Enabled:ipsec"
"C:\\DOCUME~1\\Owner\\LOCALS~1\\Temp\\winbvicg.exe"="C:\\DOCUME~1\\Owner\\LOCALS~1\\Temp\\winbvicg.exe:*:Enabled:ipsec"
"C:\\DOCUME~1\\Owner\\LOCALS~1\\Temp\\winmjsks.exe"="C:\\DOCUME~1\\Owner\\LOCALS~1\\Temp\\winmjsks.exe:*:Enabled:ipsec"
"C:\\DOCUME~1\\Owner\\LOCALS~1\\Temp\\winvhhcm.exe"="C:\\DOCUME~1\\Owner\\LOCALS~1\\Temp\\winvhhcm.exe:*:Enabled:ipsec"
"C:\\DOCUME~1\\Owner\\LOCALS~1\\Temp\\winpsrrnq.exe"="C:\\DOCUME~1\\Owner\\LOCALS~1\\Temp\\winpsrrnq.exe:*:Enabled:ipsec"
"C:\\DOCUME~1\\Owner\\LOCALS~1\\Temp\\winypflyk.exe"="C:\\DOCUME~1\\Owner\\LOCALS~1\\Temp\\winypflyk.exe:*:Enabled:ipsec"
"C:\\DOCUME~1\\Owner\\LOCALS~1\\Temp\\winjqbwt.exe"="C:\\DOCUME~1\\Owner\\LOCALS~1\\Temp\\winjqbwt.exe:*:Enabled:ipsec"
"C:\\DOCUME~1\\Owner\\LOCALS~1\\Temp\\winbfuw.exe"="C:\\DOCUME~1\\Owner\\LOCALS~1\\Temp\\winbfuw.exe:*:Enabled:ipsec"
"C:\\DOCUME~1\\Owner\\LOCALS~1\\Temp\\wineloqv.exe"="C:\\DOCUME~1\\Owner\\LOCALS~1\\Temp\\wineloqv.exe:*:Enabled:ipsec"
"C:\\DOCUME~1\\Owner\\LOCALS~1\\Temp\\winrmtojr.exe"="C:\\DOCUME~1\\Owner\\LOCALS~1\\Temp\\winrmtojr.exe:*:Enabled:ipsec"
"C:\\DOCUME~1\\Owner\\LOCALS~1\\Temp\\winexyu.exe"="C:\\DOCUME~1\\Owner\\LOCALS~1\\Temp\\winexyu.exe:*:Enabled:ipsec"
"C:\\DOCUME~1\\Owner\\LOCALS~1\\Temp\\winegtimo.exe"="C:\\DOCUME~1\\Owner\\LOCALS~1\\Temp\\winegtimo.exe:*:Enabled:ipsec"
"C:\\DOCUME~1\\Owner\\LOCALS~1\\Temp\\winmlmy.exe"="C:\\DOCUME~1\\Owner\\LOCALS~1\\Temp\\winmlmy.exe:*:Enabled:ipsec"
"C:\\DOCUME~1\\Owner\\LOCALS~1\\Temp\\winfmtu.exe"="C:\\DOCUME~1\\Owner\\LOCALS~1\\Temp\\winfmtu.exe:*:Enabled:ipsec"
"C:\\DOCUME~1\\Owner\\LOCALS~1\\Temp\\winkdai.exe"="C:\\DOCUME~1\\Owner\\LOCALS~1\\Temp\\winkdai.exe:*:Enabled:ipsec"
"C:\\DOCUME~1\\Owner\\LOCALS~1\\Temp\\winpplrv.exe"="C:\\DOCUME~1\\Owner\\LOCALS~1\\Temp\\winpplrv.exe:*:Enabled:ipsec"
"C:\\DOCUME~1\\Owner\\LOCALS~1\\Temp\\winoryhd.exe"="C:\\DOCUME~1\\Owner\\LOCALS~1\\Temp\\winoryhd.exe:*:Enabled:ipsec"
"C:\\DOCUME~1\\Owner\\LOCALS~1\\Temp\\winpymbq.exe"="C:\\DOCUME~1\\Owner\\LOCALS~1\\Temp\\winpymbq.exe:*:Enabled:ipsec"
"C:\\DOCUME~1\\Owner\\LOCALS~1\\Temp\\winveol.exe"="C:\\DOCUME~1\\Owner\\LOCALS~1\\Temp\\winveol.exe:*:Enabled:ipsec"
"C:\\DOCUME~1\\Owner\\LOCALS~1\\Temp\\winqhmmb.exe"="C:\\DOCUME~1\\Owner\\LOCALS~1\\Temp\\winqhmmb.exe:*:Enabled:ipsec"
"C:\\DOCUME~1\\Owner\\LOCALS~1\\Temp\\winooaby.exe"="C:\\DOCUME~1\\Owner\\LOCALS~1\\Temp\\winooaby.exe:*:Enabled:ipsec"
"C:\\WINDOWS\\system32\\bfc5a69.exe"="C:\\WINDOWS\\system32\\bfc5a69.exe:*:Disabled:ipsec"
"C:\\WINDOWS\\system32\\bfc2d.exe"="C:\\WINDOWS\\system32\\bfc2d.exe:*:Disabled:ipsec"
"C:\\WINDOWS\\system32\\b7d1b18.exe"="C:\\WINDOWS\\system32\\b7d1b18.exe:*:Disabled:ipsec"
"C:\\WINDOWS\\system32\\745520.exe"="C:\\WINDOWS\\system32\\745520.exe:*:Disabled:ipsec"
"C:\\WINDOWS\\system32\\67c0620.exe"="C:\\WINDOWS\\system32\\67c0620.exe:*:Disabled:ipsec"
"C:\\WINDOWS\\system32\\493f28.exe"="C:\\WINDOWS\\system32\\493f28.exe:*:Disabled:ipsec"
"C:\\WINDOWS\\system32\\3437ad.exe"="C:\\WINDOWS\\system32\\3437ad.exe:*:Disabled:ipsec"
"C:\\WINDOWS\\system32\\33bb87.exe"="C:\\WINDOWS\\system32\\33bb87.exe:*:Disabled:ipsec"
"C:\\WINDOWS\\system32\\114e418.exe"="C:\\WINDOWS\\system32\\114e418.exe:*:Disabled:ipsec"
"C:\\WINDOWS\\system32\\114b3a1.exe"="C:\\WINDOWS\\system32\\114b3a1.exe:*:Disabled:ipsec"
"C:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"="C:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe:*:Disabled:ipsec"
"C:\\Program Files\\Internet Explorer\\IEXPLORE.EXE"="C:\\Program Files\\Internet Explorer\\IEXPLORE.EXE:*:Disabled:ipsec"
"C:\\Program Files\\Morpheus\\Morpheus.exe"="C:\\Program Files\\Morpheus\\Morpheus.exe:*:Disabled:Morpheus"
"C:\\sysreset\\mirc.exe"="C:\\sysreset\\mirc.exe:*:Enabled:mIRC"
"C:\\Program Files\\MySpace\\IM\\MySpaceIM.exe"="C:\\Program Files\\MySpace\\IM\\MySpaceIM.exe:*:Enabled:MySpace Instant Messenger"


-- Environment Variables -------------------------------------------------------

ALLUSERSPROFILE=C:\Documents and Settings\All Users
APPDATA=C:\Documents and Settings\Owner\Application Data
CLASSPATH=.;C:\Program Files\Java\jre1.5.0\lib\ext\QTJava.zip
CLIENTNAME=Console
CommonProgramFiles=C:\Program Files\Common Files
COMPUTERNAME=OWNER-424048B96
ComSpec=C:\WINDOWS\system32\cmd.exe
DXSDK_DIR=C:\Program Files\Microsoft DirectX SDK (June 2006)\
FP_NO_HOST_CHECK=NO
HOMEDRIVE=C:
HOMEPATH=\Documents and Settings\Owner
INCLUDE=c:\Program Files\Microsoft.NET\SDK\v1.1\include\
LIB=c:\Program Files\Microsoft.NET\SDK\v1.1\Lib\
LOGONSERVER=\\OWNER-424048B96
NUMBER_OF_PROCESSORS=1
OS=Windows_NT
Path="C:\Program Files\Microsoft DirectX SDK (June 2006)\Utilities\Bin\x86";C:\WINDOWS\system32;C:\WINDOWS;C:\WINDOWS\System32\Wbem;C:\Program Files\Common Files\Ulead Systems\MPEG;C:\Program Files\QuickTime\QTSystem\
PATHEXT=.COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH
PROCESSOR_ARCHITECTURE=x86
PROCESSOR_IDENTIFIER=x86 Family 6 Model 6 Stepping 2, AuthenticAMD
PROCESSOR_LEVEL=6
PROCESSOR_REVISION=0602
ProgramFiles=C:\Program Files
PROMPT=$P$G
QTJAVA=C:\Program Files\Java\jre1.5.0\lib\ext\QTJava.zip
SESSIONNAME=Console
SystemDrive=C:
SystemRoot=C:\WINDOWS
TEMP=C:\DOCUME~1\Owner\LOCALS~1\Temp
TMP=C:\DOCUME~1\Owner\LOCALS~1\Temp
USERDOMAIN=OWNER-424048B96
USERNAME=Owner
USERPROFILE=C:\Documents and Settings\Owner
VS71COMNTOOLS=c:\Program Files\Microsoft Visual Studio .NET 2003\Common7\Tools\
windir=C:\WINDOWS


-- User Profiles ---------------------------------------------------------------

Owner (admin)
Administrator (admin)


-- Add/Remove Programs ---------------------------------------------------------

--> "C:\Program Files\InstallShield Installation Information\{BB8AE808-F003-4C7F-B56B-8C80EEAFFE23}\setup.exe" --u:{BB8AE808-F003-4C7F-B56B-8C80EEAFFE23}
--> C:\Program Files\Ahead\nero\uninstall\UNNERO.exe /UNINSTALL
7-Zip 4.19 beta --> "C:\Program Files\7-Zip\Uninstall.exe"
AC3Filter (remove only) --> C:\Program Files\AC3Filter\uninstall.exe
Ad-Aware 2007 --> MsiExec.exe /I{DED53B0B-B67C-4244-AE6A-D6FD3C28D1EF}
Adobe Flash Player ActiveX --> C:\WINDOWS\system32\Macromed\Flash\uninstall_activeX.exe
Adobe Flash Player Plugin --> C:\WINDOWS\system32\Macromed\Flash\uninstall_plugin.exe
Adobe Reader 7.0 --> MsiExec.exe /I{AC76BA86-7AD7-1033-7B44-A70000000000}
Adobe Shockwave Player 11 --> C:\WINDOWS\system32\adobe\SHOCKW~1\UNWISE.EXE C:\WINDOWS\system32\Adobe\SHOCKW~1\Install.log
AIM 6 --> C:\Program Files\AIM6\uninst.exe
ArcSoft PhotoImpression 5 --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{AAB2A3A6-6789-4260-9966-517498589AB5}\setup.exe" -l0x9
Audacity 1.2.6 --> "C:\Program Files\Audacity\unins000.exe"
avast! Antivirus --> C:\Program Files\Alwil Software\Avast4\aswRunDll.exe "C:\Program Files\Alwil Software\Avast4\Setup\setiface.dll",RunSetup
AVG 7.5 --> C:\Program Files\Grisoft\AVG7\setup.exe /UNINSTALL
BitTornado 0.3.18 --> C:\Program Files\BitTornado\uninst.exe
Combined Community Codec Pack 2008-01-24 --> "C:\Program Files\Combined Community Codec Pack\unins001.exe"
Corel Paint Shop Pro Photo X2 --> MsiExec.exe /X{64E72FB1-2343-4977-B4A8-262CD53D0BD3}
CoreVorbis Audio Decoder (remove only) --> "C:\WINDOWS\system32\CoreVorbis-uninstall.exe"
DivX Codec --> C:\Program Files\DivX\DivXCodecUninstall.exe /CODEC
DivX Content Uploader --> C:\Program Files\DivX\DivXContentUploaderUninstall.exe /CUPLOADER
DivX Player --> C:\Program Files\DivX\DivXPlayerUninstall.exe /PLAYER
DivX Web Player --> C:\Program Files\DivX\DivXWebPlayerUninstall.exe /PLUGIN
DVC305 --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{1A3ADB5A-2491-4F7A-BD6D-5F8C9B4714B0}\Setup.exe"
DVD Decrypter (Remove Only) --> "C:\Program Files\DVD Decrypter\uninstall.exe"
EasyPHP 1.8 --> "C:\Program Files\EasyPHP1-8\unins000.exe"
Eye Candy 3 --> C:\UNWISE.EXE C:\INSTALL.LOG
ffdshow (remove only) --> "C:\Program Files\ffdshow\uninstall.exe"
Free WMA to MP3 Converter 1.16 --> "C:\Program Files\Free WMA to MP3 Converter\unins000.exe"
GIMP 2.4.5 --> "C:\Program Files\GIMP-2.0\setup\unins000.exe"
Haali Media Splitter --> "C:\Program Files\Haali\MatroskaSplitter\uninstall.exe"
HijackThis 2.0.2 --> "C:\Program Files\Trend Micro\HijackThis\HijackThis.exe" /uninstall
HP Product Detection --> MsiExec.exe /X{CAE7D1D9-3794-4169-B4DD-964ADBC534EE}
J2SE Development Kit 5.0 --> MsiExec.exe /I{32A3A4F4-B792-11D6-A78A-00B0D0150000}
J2SE Runtime Environment 5.0 --> MsiExec.exe /I{3248F0A8-6813-11D6-A77B-00B0D0150000}
Java™ 6 Update 5 --> MsiExec.exe /I{3248F0A8-6813-11D6-A77B-00B0D0160050}
LimeWire 4.14.8 --> "C:\Program Files\LimeWire\uninstall.exe"
MagicDisc 2.5.79 --> C:\PROGRA~1\MAGICD~1\UNWISE.EXE C:\PROGRA~1\MAGICD~1\INSTALL.LOG
Metacafe --> C:\Program Files\Metacafe\uninstaller.exe
Microsoft DirectX SDK (June 2006) --> MsiExec.exe /I{799F774D-7D7B-4B5B-BCA4-E69F5BEEFC7B}
Microsoft Office Excel Viewer 2003 --> MsiExec.exe /I{90840409-6000-11D3-8CFE-0150048383C9}
Microsoft Visual Basic 2005 Express Edition - ENU --> C:\Program Files\Microsoft Visual Studio 8\Microsoft Visual Basic 2005 Express Edition - ENU\setup.exe
Microsoft Visual Basic 2005 Express Edition - ENU --> MsiExec.exe /X{577AD794-8B34-40B4-9E7A-BE4CFFE396E6}
Microsoft Web Publishing Wizard 1.53 --> RunDll32 ADVPACK.DLL,LaunchINFSection C:\WINDOWS\INF\wpie3x86.inf,WebPostUninstall
mIRC --> "C:\sysreset\mirc.exe" -uninstall
MS HKSCS-2001 Support --> RunDll32.exe advpack.dll,LaunchINFSection hkscs2001.inf,Uninstall
MSXML 6.0 Parser (KB933579) --> MsiExec.exe /I{0A869A65-8C94-4F7C-A5C7-972D3C8CED9E}
MySpaceIM --> C:\Program Files\MySpace\IM\Uninstall.exe
MySQL Server 5.0 --> MsiExec.exe /I{2FEB25F8-C3CB-49A2-AE79-DE17FFAFB5D9}
MySQL Tools for 5.0 --> MsiExec.exe /I{EC561602-C0B9-4FAA-A175-1B3273639AC3}
NVIDIA Drivers --> C:\WINDOWS\system32\nvudisp.exe UninstallGUI
O&O Defrag Professional Edition --> MsiExec.exe /I{53480330-E1D1-41CA-B8F8-7F78644F7F50}
Opera 9.26 --> MsiExec.exe /X{FB706A00-C234-4716-AB1F-27DCB192C664}
Protected Music Converter 1.0.0.7 --> "C:\Program Files\WMA-MP3.com\Protected Music Converter\unins000.exe"
QuickTime --> MsiExec.exe /I{F07B861C-72B9-40A4-8B1A-AAED4C06A7E8}
Recorder --> C:\WINDOWS\st6unst.exe -n "C:\Program Files\Recorder\ST6UNST.LOG"
Registry Mechanic 7.0 --> "C:\Program Files\Registry Mechanic\unins000.exe"
Spybot - Search & Destroy --> "C:\Program Files\Spybot - Search & Destroy\unins000.exe"
The Rosetta Stone --> C:\WINDOWS\unvise32.exe C:\Program Files\The Rosetta Stone\TRS Support\uninstal.log
Ulead MediaStudio Pro 8.0 --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\0701\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{A6E71574-2126-4E95-816E-32B2411C94BA}\setup.exe" -l0x9
VIA Rhine-Family Fast Ethernet Adapter --> Rundll32.exe vuins32.dll,vuins32Ex $Rhine $VIA
Visual Basic 4 Runtime Files --> C:\WINDOWS\ST4UNST.EXE -n "C:\WINDOWS\system32\ST4UNST.LOG"
Winamp --> "C:\Program Files\Winamp2\UninstWA.exe"
WinCleaner OneClick Cleanup Version 10 --> "C:\Program Files\blcorp\WCCSC\unins000.exe"
WinCleaner OneClick Professional Clean Version 11 Trial Edition --> "C:\Program Files\Business Logic Corporation\WinCleaner\unins000.exe"
Windows Live Messenger --> MsiExec.exe /I{571700F0-DB9D-4B3A-B03D-35A14BB5939F}
Windows Media Encoder 9 Series --> MsiExec.exe /I{E38C00D0-A68B-4318-A8A6-F7D4B5B1DF0E}
WinISO 5.3 --> "C:\Program Files\WinISO\unins000.exe"
WinRAR archiver --> C:\Program Files\WinRAR\uninstall.exe
XML Paper Specification Shared Components Pack 1.0 -->
Yahoo! Messenger --> C:\PROGRA~1\Yahoo!\MESSEN~1\UNWISE.EXE /U C:\PROGRA~1\Yahoo!\MESSEN~1\INSTALL.LOG
Zoom Player (remove only) --> "C:\Program Files\Zoom Player\uninstall.exe"


-- Application Event Log -------------------------------------------------------

Event Record #/Type608084 / Error
Event Submitted/Written: 05/03/2008 03:01:41 AM
Event ID/Source: 1024 / MsiInstaller
Event Description:
Product: Microsoft .NET Framework 1.1 - Update '{8D1D0E9A-C799-4D28-9E29-0061D1E66E43}' could not be installed. Error code 1603. Windows Installer can create logs to help troubleshoot issues with installing software packages. Use the following link for instructions on turning on logging support: http://go.microsoft....k/?LinkId=23127

Event Record #/Type608083 / Error
Event Submitted/Written: 05/03/2008 03:01:40 AM
Event ID/Source: 11706 / MsiInstaller
Event Description:
Product: Microsoft .NET Framework 1.1 -- Error 1706.No valid source could be found for product Microsoft .NET Framework 1.1. The Windows installer cannot continue.

Event Record #/Type608079 / Error
Event Submitted/Written: 05/02/2008 02:41:00 PM
Event ID/Source: 1000 / Application Error
Event Description:
Faulting application iexplore.exe, version 7.0.6000.16640, faulting module flash9c.ocx, version 9.0.45.0, fault address 0x00030681.
Processing media-specific event for [iexplore.exe!ws!]

Event Record #/Type608076 / Error
Event Submitted/Written: 05/02/2008 03:03:49 AM
Event ID/Source: 1024 / MsiInstaller
Event Description:
Product: Microsoft .NET Framework 1.1 - Update '{8D1D0E9A-C799-4D28-9E29-0061D1E66E43}' could not be installed. Error code 1603. Windows Installer can create logs to help troubleshoot issues with installing software packages. Use the following link for instructions on turning on logging support: http://go.microsoft....k/?LinkId=23127

Event Record #/Type608075 / Error
Event Submitted/Written: 05/02/2008 03:03:47 AM
Event ID/Source: 11706 / MsiInstaller
Event Description:
Product: Microsoft .NET Framework 1.1 -- Error 1706.No valid source could be found for product Microsoft .NET Framework 1.1. The Windows installer cannot continue.



-- Security Event Log ----------------------------------------------------------

No Errors/Warnings found.


-- System Event Log ------------------------------------------------------------

Event Record #/Type407 / Error
Event Submitted/Written: 05/03/2008 04:12:14 PM
Event ID/Source: 7023 / Service Control Manager
Event Description:
The Computer Browser service terminated with the following error:
%%1460

Event Record #/Type405 / Error
Event Submitted/Written: 05/03/2008 04:07:39 PM
Event ID/Source: 7024 / Service Control Manager
Event Description:
The Routing and Remote Access service terminated with service-specific error 3 (0x3).

Event Record #/Type398 / Error
Event Submitted/Written: 05/03/2008 04:07:31 PM
Event ID/Source: 20152 / RemoteAccess
Event Description:
The currently configured authentication provider failed to load and initialize successfully. The system cannot find the path specified.

Event Record #/Type392 / Error
Event Submitted/Written: 05/03/2008 04:07:29 PM
Event ID/Source: 7000 / Service Control Manager
Event Description:
The NTPort Library Driver service failed to start due to the following error:
%%2

Event Record #/Type391 / Error
Event Submitted/Written: 05/03/2008 04:07:29 PM
Event ID/Source: 7000 / Service Control Manager
Event Description:
The npkcrypt service failed to start due to the following error:
%%2



-- End of Deckard's System Scanner: finished at 2008-05-03 16:54:37 ------------
  • 0

#4
Mike

Mike

    Malware Monger

  • Retired Staff
  • 2,745 posts
Hi there phuxing,

I am looking over your logs and will be back with you shortly.

Edited by Mike, 05 May 2008 - 07:24 AM.

  • 0

#5
Mike

Mike

    Malware Monger

  • Retired Staff
  • 2,745 posts
Hi phuxing,

Please follow my instructions in the order they were given, if you come across something you don't understand or don't feel comfortable doing, don't hesitate to ask and I will get you sorted out :)

Very Important!

You have a backdoor trojan installed on your computer.
Backdoor Trojans, IRCBots and Infostealers are very dangerous because they provide a means of accessing a computer system that bypasses security mechanisms and steal sensitive information like passwords, personal and financial data which they send back to the hacker. Remote attackers use backdoor Trojans as part of an exploit to to gain unauthorized access to a computer and take control of it without your knowledge.

If your computer was used for online banking, has credit card information or other sensitive data on it, you should immediately disconnect from the Internet until your system is cleaned.
All passwords should be changed immediately to include those used for banking, email, eBay and forums. You should consider them to be compromised. They should be changed by using a different computer and not the infected one. If not, an attacker may get the new passwords and transaction information. Banking and credit card institutions should be notified of the possible security breach.

Although the backdoor Trojan has been identified and may be removed, your PC has likely been compromised and there is no way to be sure the computer can ever be trusted again.
It is dangerous and incorrect to assume that because the backdoor Trojan has been removed the computer is now secure.
Many experts in the security community believe that once infected with this type of malware, the best course of action is to reformat and reinstall the OS. When should I re-format?

If you choose to reformat please let me know in your next post. Otherwise please proceed with the fixes.

I see you have no firewall installed, this leaves you wide open to re-infection. Please download one of the following firewalls.


If you cannot download it now please do so AFTER the following steps

Step 1. Running SDFix

Download SDFix and save it to your Desktop.

Double click SDFix.exe and it will extract the files to %systemdrive%
(Drive that contains the Windows Directory, typically C:\SDFix)

Please then reboot your computer in Safe Mode by doing the following :
  • Restart your computer
  • After hearing your computer beep once during startup, but before the Windows icon appears, tap the F8 key continually;
  • Instead of Windows loading as normal, the Advanced Options Menu should appear;
  • Select the first option, to run Windows in Safe Mode, then press Enter.
  • Choose your usual account.
  • Open the extracted SDFix folder and double click RunThis.bat to start the script.
  • Type Y to begin the cleanup process.
  • It will remove any Trojan Services and Registry Entries that it finds then prompt you to press any key to Reboot.
  • Press any Key and it will restart the PC.
  • When the PC restarts the Fixtool will run again and complete the removal process then display Finished, press any key to end the script and load your desktop icons.
  • Once the desktop icons load the SDFix report will open on screen and also save into the SDFix folder as Report.txt
    (Report.txt will also be copied to Clipboard ready for posting back on the forum).
Step 2. Combofix

Please go here to install and download the Recovery Console.

Download ComboFix from one of the locations below, and save it to your Desktop.

Link 1
Link 2
Link 3

Double click combofix.exe and follow the prompts. Please, never rename Combofix unless instructed.
When finished, it shall produce a log for you. Post that log and a HiJackthis log in your next reply
Note: Do not mouseclick combofix's window while its running. That may cause it to stall

Step 3. Running MalwareByte's Anti-Malware

Please download Malwarebytes' Anti-Malware from Here or Here

Double Click mbam-setup.exe to install the application.
  • Make sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
  • If an update is found, it will download and install the latest version.
  • Once the program has loaded, select "Perform Quick Scan", then click Scan.
  • The scan may take some time to finish,so please be patient.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Make sure that everything is checked, and click Remove Selected.
  • When disinfection is completed, a log will open in Notepad and you may be prompted to Restart.(See Extra Note)
  • The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
  • Copy&Paste the entire report in your next reply.
Extra Note:
If MBAM encounters a file that is difficult to remove,you will be presented with 1 of 2 prompts,click OK to either and let MBAM proceed with the disinfection process,if asked to restart the computer,please do so immediatly.

In your next reply

Please post the Report.txt from SDFix.
Combofix.txt
The log from MalwareByte's Anti-Malware.
A new Hijack This log.
Also please tell me if you want to remove AVG7 and use Avast!, I would recommend staying with AVG though.
  • 0

#6
Mike

Mike

    Malware Monger

  • Retired Staff
  • 2,745 posts
Due to lack of feedback, this topic has been closed.

If you need this topic reopened, please contact a staff member. This applies only to the original topic starter. Everyone else please begin a New Topic.
  • 0






Similar Topics

0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users

As Featured On:

Microsoft Yahoo BBC MSN PC Magazine Washington Post HP