Jump to content

Welcome to Geeks to Go - Register now for FREE

Geeks To Go is a helpful hub, where thousands of volunteer geeks quickly serve friendly answers and support. Check out the forums and get free advice from the experts. Register now to gain access to all of our features, it's FREE and only takes one minute. Once registered and logged in, you will be able to create topics, post replies to existing threads, give reputation to your fellow members, get your own private messenger, post status updates, manage your profile and so much more.

Create Account How it Works
Photo

Unknown Trojan, Duplicate Unkillable Firefox.exe's in Process List


  • This topic is locked This topic is locked

#1
BreakTheB0x

BreakTheB0x

    New Member

  • Member
  • Pip
  • 5 posts
UPDATE 7-01-08: My PayPal Account has been hacked into and a charge was run for a gaming site, someone is using the Trojan to Keylog me. I used my paypal that morning to buy a license for Trillian (Stupid, I realize that now).

Paypal has refunded me and I changed my passwords on another machine here at the office, but I'm getting desperate for a solution to this as I have been unable to find a previous issue that's solution has worked for me.

NOTE: I read a few places that a similar infection involving Firefox.exe was known as "PoisionIvy", but I was not able to find any of the files that have been linked to that virus in other forums.

Problem: Duplicate Firefox.exe processes, impostors register about 4,000-16,000k Mem Usage and replicate when End Process is used.

Steps Taken before finding Geeks to Go!
1. Updated to WinXP SP3 (This is around when the problem started, but I'm sure the SP3 update was unrelated)
2. Ran Spybot S&D, Full Scan with Updated Definitions. (No Threats Found)
3. Ran Symantec Anti-Virus (No Threats Found - I'm aware it's a terrible anti-virus, I have to use this for my employer-owned machine.)
4. Scanned Duplicate "Firefox.exe" Processes with Security Task Manager. (http://www.neuber.co...ager/index.html)
(Result: Filepath points to legit C:\Program Files\Mozilla Firefox\Firefox.exe file for both the true process and the impostor, STM does not register either as a threat. If I uninstall Firefox or block the process from starting via STM the nasty fake Firefox does not appear.)
5. Googled: Firefox.exe Virus, clicked around a bit, found Geeks to Go.

Steps Taken Post-Google Search (Per your "You Must Read This Before Posting A Hijackthis Log" guidelines)

1. ATF Cleaner - All Unneeded Files Cleaned.
2. System Restore Point - Created new Restore Point.
3. Malwarebytes' Anti-Malware and SUPERAntiSpyware Home Edition installed, updated, scans run, and log files saved.

(NOTE: My understanding of the instructions for SAP were that only the following options should be checked; Close browsers before scanning, Scan for tracking cookies, Terminate memory threats before quarantining. If this is incorrect than guide needs to be updated for clarification, as "Please leave the others unchecked." could mean leave the default checks alone, and do not check anything else, or (as I read it) run the scan with only the three options listed checked)

4. Ran PandaScan, it found some goodies, will post the log.

5. Windows was already up to date as of discovering this virus.

6. Tried several scans several times, occasionally one or the other would catch something, but that persistent Firefox.exe process just won't die!

Any assistance would be greatly appreciated, I'm not looking forward to calling in IT to fix this and have them blame me and them cut off my internet (which they have done in the past).

Logs Below;

Panda
;*******************************************************************************
********************************************************************************
*
*******************
ANALYSIS: 2008-06-24 14:56:50
PROTECTIONS: 1
MALWARE: 2
SUSPECTS: 0
;*******************************************************************************
********************************************************************************
*
*******************
PROTECTIONS
Description Version Active Updated
;===============================================================================
================================================================================
=
===================
Symantec AntiVirus Corporate Edition 9.0.3.1000 Yes Yes
;===============================================================================
================================================================================
=
===================
MALWARE
Id Description Type Active Severity Disinfectable Disinfected Location
;===============================================================================
================================================================================
=
===================
00288208 Application/HideWindow.S HackTools No 0 Yes No C:\Program Files\MS Updater\hide.exe
01271851 Generic Malware Virus/Trojan No 0 Yes No C:\System Volume Information\_restore{BD332DF2-6043-405F-A6DD-6B9C6FB67FB6}\RP383\A0041891.DLL
01271851 Generic Malware Virus/Trojan No 0 Yes No C:\Program Files\Uninstall Ask Toolbar.dll
;===============================================================================
================================================================================
=
===================
SUSPECTS
Sent Location 2
;===============================================================================
================================================================================
=
===================
;===============================================================================
================================================================================
=
===================
VULNERABILITIES
Id Severity Description 2
;===============================================================================
================================================================================
=
===================
;===============================================================================
================================================================================
=
===================

Malwarebytes' Anti-Malware
Malwarebytes' Anti-Malware 1.18
Database version: 886

9:50:55 AM 6/24/2008
mbam-log-6-24-2008 (09-50-55).txt

Scan type: Full Scan (C:\|)
Objects scanned: 103640
Time elapsed: 38 minute(s), 46 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 1

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
C:\AUTOEXEC.BAT (Trojan.Agent) -> Quarantined and deleted successfully.

SuperAntiSpyware
SUPERAntiSpyware Scan Log
http://www.superantispyware.com

Generated 06/23/2008 at 01:21 PM

Application Version : 4.15.1000

Core Rules Database Version : 3488
Trace Rules Database Version: 1479

Scan type : Complete Scan
Total Scan Time : 01:11:33

Memory items scanned : 417
Memory threats detected : 0
Registry items scanned : 5806
Registry threats detected : 0
File items scanned : 68089
File threats detected : 4

Adware.Search-Exe
C:\PROGRAM FILES\OCE REMOTE LOGIC\BIN\SE.EXE

Adware.Jraun/WinEssential
C:\SYSTEM VOLUME INFORMATION\_RESTORE{BD332DF2-6043-405F-A6DD-6B9C6FB67FB6}\RP378\A0040705.EXE

Trojan.Dropper/SVCHost-Fake
C:\WINDOWS\TASKS\SVCHOST.EXE
C:\WINDOWS\Prefetch\SVCHOST.EXE-318C200A.pf

I cleaned up the results found by both spyware tools and ran a new scan with no new results, but still haven't managed to rid myself of what Panda found, which is what I do believe is causing the firefox.exe duplicates.

HijackThis!
(Clean scan after reboot)
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 3:39:57 PM, on 6/25/2008
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16674)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Symantec AntiVirus\DefWatch.exe
C:\Program Files\Symantec AntiVirus\Rtvscan.exe
C:\Program Files\VERITAS\Backup Exec\RANT\beremote.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Mozilla Firefox\firefox.exe
C:\WINDOWS\RTHDCPL.EXE
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\PROGRA~1\SYMANT~1\VPTray.exe
C:\Program Files\Java\jre1.6.0_06\bin\jusched.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe
C:\Program Files\SpywareGuard\sgmain.exe
C:\Program Files\Common Files\Ahead\Lib\NMIndexStoreSvr.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\SpywareGuard\sgbhp.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = www.google.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft....k/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft....k/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft....k/?LinkId=69157
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: SpywareGuard Download Protection - {4A368E80-174F-4872-96B5-0B27DDD11DB2} - C:\Program Files\SpywareGuard\dlprotect.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_06\bin\ssv.dll
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [Alcmtr] ALCMTR.EXE
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\VPTray.exe
O4 - HKLM\..\Run: [NeroFilterCheck] "C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_06\bin\jusched.exe"
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [SkyTel] SkyTel.EXE
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] "C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe"
O4 - HKCU\..\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe"
O4 - Startup: SpywareGuard.lnk = C:\Program Files\SpywareGuard\sgmain.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_06\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {2D8ED06D-3C30-438B-96AE-4D110FDC1FB8} (ActiveScan 2.0 Installer Class) - http://acs.pandasoft...s/as2stubie.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.micros...b?1179238355921
O17 - HKLM\System\CCS\Services\Tcpip\..\{423001F8-9EFB-48FF-B288-2D780A1F12DE}: NameServer = 208.57.0.11,208.57.0.10
O17 - HKLM\System\CS1\Services\Tcpip\..\{423001F8-9EFB-48FF-B288-2D780A1F12DE}: NameServer = 208.57.0.11,208.57.0.10
O17 - HKLM\System\CS3\Services\Tcpip\..\{423001F8-9EFB-48FF-B288-2D780A1F12DE}: NameServer = 208.57.0.11,208.57.0.10
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.DLL
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: Backup Exec Remote Agent for Windows Servers (BackupExecAgentAccelerator) - VERITAS Software Corporation - C:\Program Files\VERITAS\Backup Exec\RANT\beremote.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - C:\Program Files\Symantec AntiVirus\DefWatch.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: NBService - Nero AG - C:\Program Files\Nero\Nero 7\Nero BackItUp\NBService.exe
O23 - Service: SAVRoam (SavRoam) - symantec - C:\Program Files\Symantec AntiVirus\SavRoam.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec AntiVirus\Rtvscan.exe
O24 - Desktop Component AutorunsDisabled: (no name) - (no file)

--
End of file - 7316 bytes

Many thanks!
-BreakTheB0x

Edited by BreakTheB0x, 01 July 2008 - 04:28 PM.

  • 0

Advertisements


#2
koko_crunch

koko_crunch

    Trusted Helper

  • Retired Staff
  • 1,751 posts
Hello BreakTheB0x and Welcome to Geeks to Go!

Sorry for the delay.
We've been quite busy this week.

Since the state of your computer is different form the time you posted you log. I need you to run a few scans again.
Please stick with me until I give you the all clear. :)

Let's start.

First,

Please download Malwarebytes' Anti-Malware from Here or Here

Double Click mbam-setup.exe to install the application.
  • Make sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
  • If an update is found, it will download and install the latest version.
  • Once the program has loaded, select "Perform Quick Scan", then click Scan.
  • The scan may take some time to finish,so please be patient.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Make sure that everything is checked, and click Remove Selected.
  • When disinfection is completed, a log will open in Notepad and you may be prompted to Restart.(See Extra Note)
  • The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
  • Copy&Paste the entire report in your next reply.
Extra Note:
If MBAM encounters a file that is difficult to remove,you will be presented with 1 of 2 prompts,click OK to either and let MBAM proceed with the disinfection process,if asked to restart the computer,please do so immediatly.

Next,

Download and scan with SUPERAntiSpyware Free for Home Users
  • Double-click SUPERAntiSpyware.exe and use the default settings for installation.
  • An icon will be created on your desktop. Double-click that icon to launch the program.
  • If asked to update the program definitions, click "Yes". If not, update the definitions before scanning by selecting "Check for Updates". (If you encounter any problems while downloading the updates, manually download and unzip them from here.)
  • Under "Configuration and Preferences", click the Preferences button.
  • Click the Scanning Control tab.
  • Under Scanner Options make sure the following are checked (leave all others unchecked):
    • Close browsers before scanning.
    • Scan for tracking cookies.
    • Terminate memory threats before quarantining.
  • Click the "Close" button to leave the control center screen.
  • Back on the main screen, under "Scan for Harmful Software" click Scan your computer.
  • On the left, make sure you check C:\Fixed Drive.
  • On the right, under "Complete Scan", choose Perform Complete Scan.
  • Click "Next" to start the scan. Please be patient while it scans your computer.
  • After the scan is complete, a Scan Summary box will appear with potentially harmful items that were detected. Click "OK".
  • Make sure everything has a checkmark next to it and click "Next".
  • A notification will appear that "Quarantine and Removal is Complete". Click "OK" and then click the "Finish" button to return to the main menu.
  • If asked if you want to reboot, click "Yes".
  • To retrieve the removal information after reboot, launch SUPERAntispyware again.
    • Click Preferences, then click the Statistics/Logs tab.
    • Under Scanner Logs, double-click SUPERAntiSpyware Scan Log.
    • If there are several logs, click the current dated log and press View log. A text file will open in your default text editor.
    • Please copy and paste the Scan Log results in your next reply.
  • Click Close to exit the program.

Logs required on next post.

- MBAM log
- Super Antispyware log
- New HijackThis log
  • 0

#3
BreakTheB0x

BreakTheB0x

    New Member

  • Topic Starter
  • Member
  • Pip
  • 5 posts
No worries on the delay, I was just wondering if you all died or something. I'm glad you're still alive and kicking, this nasty piece of software is making my computer drag it's feet.

Malwarebytes' Anti-Malware 1.19
Database version: 914
Windows 5.1.2600 Service Pack 3

9:39:55 AM 7/2/2008
mbam-log-7-2-2008 (09-39-55).txt

Scan type: Quick Scan
Objects scanned: 44694
Time elapsed: 5 minute(s), 18 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)

SUPERAntiSpyware Scan Log
http://www.superantispyware.com

Generated 07/02/2008 at 10:51 AM

Application Version : 4.15.1000

Core Rules Database Version : 3495
Trace Rules Database Version: 1486

Scan type : Complete Scan
Total Scan Time : 01:09:01

Memory items scanned : 515
Memory threats detected : 0
Registry items scanned : 6059
Registry threats detected : 0
File items scanned : 64995
File threats detected : 0

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 11:04:07 AM, on 7/2/2008
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16674)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Symantec AntiVirus\DefWatch.exe
C:\Program Files\Symantec AntiVirus\Rtvscan.exe
C:\Program Files\VERITAS\Backup Exec\RANT\beremote.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Mozilla Firefox\firefox.exe
C:\WINDOWS\RTHDCPL.EXE
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\PROGRA~1\SYMANT~1\VPTray.exe
C:\Program Files\Java\jre1.6.0_06\bin\jusched.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe
C:\Program Files\SpywareGuard\sgmain.exe
C:\Program Files\Common Files\Ahead\Lib\NMIndexStoreSvr.exe
C:\Program Files\SpywareGuard\sgbhp.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\iTunes\iTunes.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceHelper.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\distnoted.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = www.google.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft....k/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft....k/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft....k/?LinkId=69157
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: SpywareGuard Download Protection - {4A368E80-174F-4872-96B5-0B27DDD11DB2} - C:\Program Files\SpywareGuard\dlprotect.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_06\bin\ssv.dll
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [Alcmtr] ALCMTR.EXE
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\VPTray.exe
O4 - HKLM\..\Run: [NeroFilterCheck] "C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_06\bin\jusched.exe"
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [SkyTel] SkyTel.EXE
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] "C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe"
O4 - HKCU\..\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe"
O4 - HKUS\S-1-5-21-2935130677-1690843657-1110412475-1008\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe (User '?')
O4 - Startup: SpywareGuard.lnk = C:\Program Files\SpywareGuard\sgmain.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_06\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {2D8ED06D-3C30-438B-96AE-4D110FDC1FB8} (ActiveScan 2.0 Installer Class) - http://acs.pandasoft...s/as2stubie.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.micros...b?1179238355921
O17 - HKLM\System\CCS\Services\Tcpip\..\{423001F8-9EFB-48FF-B288-2D780A1F12DE}: NameServer = 208.57.0.11,208.57.0.10
O17 - HKLM\System\CS1\Services\Tcpip\..\{423001F8-9EFB-48FF-B288-2D780A1F12DE}: NameServer = 208.57.0.11,208.57.0.10
O17 - HKLM\System\CS3\Services\Tcpip\..\{423001F8-9EFB-48FF-B288-2D780A1F12DE}: NameServer = 208.57.0.11,208.57.0.10
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.DLL
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: Backup Exec Remote Agent for Windows Servers (BackupExecAgentAccelerator) - VERITAS Software Corporation - C:\Program Files\VERITAS\Backup Exec\RANT\beremote.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - C:\Program Files\Symantec AntiVirus\DefWatch.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: NBService - Nero AG - C:\Program Files\Nero\Nero 7\Nero BackItUp\NBService.exe
O23 - Service: SAVRoam (SavRoam) - symantec - C:\Program Files\Symantec AntiVirus\SavRoam.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec AntiVirus\Rtvscan.exe
O24 - Desktop Component AutorunsDisabled: (no name) - (no file)

--
End of file - 7679 bytes

Edited by BreakTheB0x, 02 July 2008 - 12:03 PM.

  • 0

#4
koko_crunch

koko_crunch

    Trusted Helper

  • Retired Staff
  • 1,751 posts
Looks ok to me but let's do a deep just to be sure.

Please download and unzip IceSword to its own folder on your desktop
If you get a lot of "red entries" in an IceSword log, don't panic.

Step 1 : Close all windows and run IceSword. Click the Processes tab and watch for processes displayed in red color. A red colored process in this list indicates that it's hidden. Write down the PathName of any processes in red color. Then click on LOG at the top left. It will prompt you to save the log, call this Processes and save it to your desktop.

Step 2 : Click the Win32 Services tab and look out for red colored entries in the services list. Write down the Module name of any services in red color, you will need to expand out the Module tab to see the full name. Then click on LOG. It will prompt you to save the log, call this Services and save it to your desktop.

Step 3 : Click the Startup tab and look out for red colored entries in the startup list. Write down the Path of any startup entries in red color. Then click on LOG. It will prompt you to save the log, call this Startup and save it to your desktop.

Step 4 : Click the SSDT tab and check for red colored entries. If there are any, write down the KModule name.

Step 5 : Click the Message Hooks tab and check for any entries that are underneath Type and labelled WH_KEYBOARD. Write down the Process Path of these entries if present.

Now post all of the data collected under the headings for :

Processes
Win32 Services
Startup
SSDT
Message Hooks

  • 0

#5
BreakTheB0x

BreakTheB0x

    New Member

  • Topic Starter
  • Member
  • Pip
  • 5 posts
Process:

System Idle Process
System
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\alg.exe
C:\Program Files\Symantec AntiVirus\DefWatch.exe
C:\WINDOWS\system32\smss.exe
C:\Program Files\Symantec AntiVirus\Rtvscan.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\VERITAS\Backup Exec\RANT\beremote.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\WINDOWS\system32\ati2evxx.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\WINDOWS\RTHDCPL.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\PROGRA~1\SYMANT~1\VPTray.exe
C:\Program Files\Java\jre1.6.0_06\bin\jusched.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe
C:\Program Files\SpywareGuard\sgmain.exe
C:\Program Files\Common Files\Ahead\Lib\NMIndexStoreSvr.exe
C:\Program Files\SpywareGuard\sgbhp.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Documents and Settings\adirks\Desktop\IceSword122en\IceSword.exe

Started Service:

Service Name:ALG Display Name:Application Layer Gateway Service
Service Name:Ati HotKey Poller Display Name:Ati HotKey Poller
Service Name:AudioSrv Display Name:Windows Audio
Service Name:BackupExecAgentAccelerator Display Name:Backup Exec Remote Agent for Windows Servers
Service Name:BITS Display Name:Background Intelligent Transfer Service
Service Name:Browser Display Name:Computer Browser
Service Name:ccEvtMgr Display Name:Symantec Event Manager
Service Name:ccSetMgr Display Name:Symantec Settings Manager
Service Name:CryptSvc Display Name:Cryptographic Services
Service Name:DcomLaunch Display Name:DCOM Server Process Launcher
Service Name:DefWatch Display Name:Symantec AntiVirus Definition Watcher
Service Name:Dhcp Display Name:DHCP Client
Service Name:dmserver Display Name:Logical Disk Manager
Service Name:Dot3svc Display Name:Wired AutoConfig
Service Name:EapHost Display Name:Extensible Authentication Protocol Service
Service Name:ERSvc Display Name:Error Reporting Service
Service Name:Eventlog Display Name:Event Log
Service Name:EventSystem Display Name:COM+ Event System
Service Name:helpsvc Display Name:Help and Support
Service Name:HidServ Display Name:HID Input Service
Service Name:iPod Service Display Name:iPod Service
Service Name:lanmanserver Display Name:Server
Service Name:lanmanworkstation Display Name:Workstation
Service Name:LmHosts Display Name:TCP/IP NetBIOS Helper
Service Name:Netman Display Name:Network Connections
Service Name:Nla Display Name:Network Location Awareness (NLA)
Service Name:PlugPlay Display Name:Plug and Play
Service Name:PolicyAgent Display Name:IPSEC Services
Service Name:ProtectedStorage Display Name:Protected Storage


Service Name:RasMan Display Name:Remote Access Connection Manager
Service Name:RemoteRegistry Display Name:Remote Registry
Service Name:RpcSs Display Name:Remote Procedure Call (RPC)
Service Name:SamSs Display Name:Security Accounts Manager
Service Name:Schedule Display Name:Task Scheduler
Service Name:seclogon Display Name:Secondary Logon
Service Name:SENS Display Name:System Event Notification
Service Name:SharedAccess Display Name:Windows Firewall/Internet Connection Sharing (ICS)
Service Name:ShellHWDetection Display Name:Shell Hardware Detection
Service Name:Spooler Display Name:Print Spooler
Service Name:srservice Display Name:System Restore Service
Service Name:SSDPSRV Display Name:SSDP Discovery Service
Service Name:Symantec AntiVirus Display Name:Symantec AntiVirus
Service Name:TapiSrv Display Name:Telephony
Service Name:TermService Display Name:Terminal Services
Service Name:Themes Display Name:Themes
Service Name:TrkWks Display Name:Distributed Link Tracking Client
Service Name:W32Time Display Name:Windows Time
Service Name:WebClient Display Name:WebClient
Service Name:winmgmt Display Name:Windows Management Instrumentation
Service Name:wscsvc Display Name:Security Center
Service Name:wuauserv Display Name:Automatic Updates
Service Name:WZCSVC Display Name:Wireless Zero Configuration


Startup:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
RTHDCPL
RTHDCPL.EXE

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Alcmtr
ALCMTR.EXE

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
ccApp
"C:\Program Files\Common Files\Symantec Shared\ccApp.exe"

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
vptray
C:\PROGRA~1\SYMANT~1\VPTray.exe

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
NeroFilterCheck
"C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe"

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
SunJavaUpdateSched
"C:\Program Files\Java\jre1.6.0_06\bin\jusched.exe"

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
iTunesHelper
"C:\Program Files\iTunes\iTunesHelper.exe"

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
SkyTel
SkyTel.EXE

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
ctfmon.exe
C:\WINDOWS\system32\ctfmon.exe

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
SpybotSD TeaTimer
"C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe"

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}
"C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe"

C:\Documents and Settings\All Users\Start Menu\Programs\Startup
desktop.ini


C:\Documents and Settings\adirks\Start Menu\Programs\Startup
desktop.ini


C:\Documents and Settings\adirks\Start Menu\Programs\Startup
SpywareGuard.lnk
C:\Program Files\SpywareGuard\sgmain.exe (Remark£º)

SSDT
KModule Name: UNKNOWN
(Here is the rest of the info, don't know if "UNKNOWN" helps much)
Index: 0X1F
Current Address: OXE1C9E680
Original Address: 0X80585563
Name: NTConnectPort

Message Hook:
(Entries for WH_Keyboard)
C:\Windows\System32\CTFMON.EXE
C:\Windows\System32\ATI2EVXX.EXE
C:\Windows\EXPLORER.EXE (X5 SEPERATE ENTRIES)
C:\Windows\RTHDCPL.EXE
C:\Program Files\Spybot - Search & Destroy\TEATIMER.EXE
C:\Program Files\Spyware Guard\SGMAIN.EXE
C:\Program Files\Spyware Guard\SGBHP.EXE
C:\Program Files\iTunes\ITUNESHELPER.EXE
C:\Program Files\Common Files\Ahead\LIB\NMBMONITOR.EXE
C:\Program Files\Common Files\Ahead\LIB\NMINDEXSTORESVR.EXE
  • 0

#6
koko_crunch

koko_crunch

    Trusted Helper

  • Retired Staff
  • 1,751 posts
Let's see what this scan will show


Please download Deckard's System Scanner (DSS) and save it to your Desktop.

Close all other windows before proceeding.

Click on Start, click on Run
copy and paste the following in bold in the open window and then click OK
"%userprofile%\desktop\dss.exe" /config
This will open up DSS configuration
click on Check All
click Scan
DSS will now run again when finished
Please post back both logs that open in notepad
Main txt and extra txt
  • 0

#7
BreakTheB0x

BreakTheB0x

    New Member

  • Topic Starter
  • Member
  • Pip
  • 5 posts
Deckard's System Scanner v20071014.68
Run by adirks on 2008-07-03 13:28:07
Computer is in Normal Mode.
--------------------------------------------------------------------------------

-- System Restore --------------------------------------------------------------

Successfully created a Deckard's System Scanner Restore Point.


-- Last 5 Restore Point(s) --
98: 2008-07-03 20:28:35 UTC - RP399 - Deckard's System Scanner Restore Point
97: 2008-07-03 18:53:28 UTC - RP398 - System Checkpoint
96: 2008-07-02 15:54:21 UTC - RP397 - System Checkpoint
95: 2008-07-01 14:43:21 UTC - RP396 - System Checkpoint
94: 2008-06-30 13:03:25 UTC - RP395 - System Checkpoint


-- First Restore Point --
1: 2008-04-05 08:03:52 UTC - RP302 - System Checkpoint


Backed up registry hives.
Performed disk cleanup.



-- HijackThis (run as adirks.exe) ----------------------------------------------

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 1:30:56 PM, on 7/3/2008
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16674)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Symantec AntiVirus\DefWatch.exe
C:\Program Files\Symantec AntiVirus\Rtvscan.exe
C:\Program Files\VERITAS\Backup Exec\RANT\beremote.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\RTHDCPL.EXE
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\PROGRA~1\SYMANT~1\VPTray.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe
C:\Program Files\Common Files\Ahead\Lib\NMIndexStoreSvr.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Documents and Settings\adirks\desktop\dss.exe
C:\PROGRA~1\TRENDM~1\HIJACK~1\adirks.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = www.google.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft....k/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft....k/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft....k/?LinkId=69157
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: SpywareGuard Download Protection - {4A368E80-174F-4872-96B5-0B27DDD11DB2} - C:\Program Files\SpywareGuard\dlprotect.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_06\bin\ssv.dll
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [Alcmtr] ALCMTR.EXE
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\VPTray.exe
O4 - HKLM\..\Run: [NeroFilterCheck] "C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_06\bin\jusched.exe"
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [SkyTel] SkyTel.EXE
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] "C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe"
O4 - HKCU\..\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe"
O4 - Startup: SpywareGuard.lnk = C:\Program Files\SpywareGuard\sgmain.exe
O4 - Startup: Start.bat
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_06\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {2D8ED06D-3C30-438B-96AE-4D110FDC1FB8} (ActiveScan 2.0 Installer Class) - http://acs.pandasoft...s/as2stubie.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.micros...b?1179238355921
O17 - HKLM\System\CCS\Services\Tcpip\..\{423001F8-9EFB-48FF-B288-2D780A1F12DE}: NameServer = 208.57.0.11,208.57.0.10
O17 - HKLM\System\CS1\Services\Tcpip\..\{423001F8-9EFB-48FF-B288-2D780A1F12DE}: NameServer = 208.57.0.11,208.57.0.10
O17 - HKLM\System\CS3\Services\Tcpip\..\{423001F8-9EFB-48FF-B288-2D780A1F12DE}: NameServer = 208.57.0.11,208.57.0.10
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.DLL
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: Backup Exec Remote Agent for Windows Servers (BackupExecAgentAccelerator) - VERITAS Software Corporation - C:\Program Files\VERITAS\Backup Exec\RANT\beremote.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - C:\Program Files\Symantec AntiVirus\DefWatch.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: NBService - Nero AG - C:\Program Files\Nero\Nero 7\Nero BackItUp\NBService.exe
O23 - Service: SAVRoam (SavRoam) - symantec - C:\Program Files\Symantec AntiVirus\SavRoam.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec AntiVirus\Rtvscan.exe
O24 - Desktop Component AutorunsDisabled: (no name) - (no file)

--
End of file - 7106 bytes

-- HijackThis Fixed Entries (C:\PROGRA~1\TRENDM~1\HIJACK~1\backups\) -----------

backup-20080623-150254-546 O24 - Desktop Component AutorunsDisabled: (no name) - (no file)

-- File Associations -----------------------------------------------------------

.cpl - cplfile - shell\cplopen\command - rundll32.exe shell32.dll,Control_RunDLL "%1",%*
.cpl - cplfile - shell\runas\command - rundll32.exe shell32.dll,Control_RunDLLAsUser "%1",%*
.reg - regfile - shell\open\command - regedit.exe "%1" %*
.scr - scrfile - shell\open\command - "%1" %*


-- Drivers: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled ---------------------

S3 pcouffin (VSO Software pcouffin) - c:\windows\system32\drivers\pcouffin.sys <Not Verified; VSO Software; Patin couffin engine>
S3 SASENUM - c:\program files\superantispyware\sasenum.sys <Not Verified; SuperAdBlocker, Inc.; SuperAntiSpyware>


-- Services: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled --------------------

S3 NBService - c:\program files\nero\nero 7\nero backitup\nbservice.exe


-- Device Manager: Disabled ----------------------------------------------------

No disabled devices found.


-- Process Modules -------------------------------------------------------------

C:\WINDOWS\system32\winlogon.exe (pid 1172)
2008-06-23 12:08:50 294912 --a------ C:\Program Files\SUPERAntiSpyware\SASWINLO.DLL <Not Verified; SUPERAntiSpyware.com; SUPERAntiSpyware WinLogon Processor>

C:\WINDOWS\explorer.exe (pid 1592)
2008-06-23 12:08:58 77824 --a------ C:\Program Files\SUPERAntiSpyware\SASSEH.DLL <Not Verified; SuperAdBlocker.com; SuperAntiSpyware>
2005-11-15 11:07:16 1802240 --a------ C:\Program Files\Common Files\Ahead\Lib\NeroDigitalExt.dll <Not Verified; Nero AG; Nero Digital Tools>
2007-05-22 10:59:22 128512 --a------ C:\Program Files\WinRAR\RarExt.dll
2006-11-10 19:18:26 73728 --a------ C:\Program Files\Nero\Nero 7\Nero BackItUp\NBShell.dll <Not Verified; Nero AG; Nero BackItUp>


-- Files created between 2008-06-03 and 2008-07-03 -----------------------------

2008-06-27 11:05:36 0 d-------- C:\Program Files\Trillian
2008-06-24 15:28:36 0 d-------- C:\WINDOWS\Prefetch
2008-06-24 15:20:54 0 d-------- C:\WINDOWS\system32\scripting
2008-06-24 15:20:53 0 d-------- C:\WINDOWS\system32\en
2008-06-24 15:20:53 0 d-------- C:\WINDOWS\l2schemas
2008-06-24 15:20:52 0 d-------- C:\WINDOWS\system32\bits
2008-06-24 15:18:19 0 d-------- C:\WINDOWS\ServicePackFiles
2008-06-24 10:45:01 0 d-------- C:\Program Files\Panda Security
2008-06-23 14:54:49 0 d-------- C:\Program Files\MS Updater
2008-06-23 10:57:58 0 d-------- C:\Documents and Settings\All Users\Application Data\SUPERAntiSpyware.com
2008-06-23 10:57:45 0 d-------- C:\Program Files\SUPERAntiSpyware
2008-06-23 10:57:45 0 d-------- C:\Documents and Settings\adirks\Application Data\SUPERAntiSpyware.com
2008-06-23 10:53:33 0 d-------- C:\Documents and Settings\adirks\Application Data\Malwarebytes
2008-06-23 10:53:30 0 d-------- C:\Documents and Settings\All Users\Application Data\Malwarebytes
2008-06-23 10:53:29 0 d-------- C:\Program Files\Malwarebytes' Anti-Malware
2008-06-23 10:53:19 0 d-------- C:\Program Files\Common Files\Download Manager
2008-06-23 10:47:14 0 d-------- C:\Program Files\Trend Micro
2008-06-23 09:26:50 0 d-------- C:\Documents and Settings\All Users\Application Data\SecTaskMan
2008-06-23 09:26:46 0 d-------- C:\Program Files\Security Task Manager
2008-06-20 16:16:31 0 d-------- C:\Program Files\SpywareGuard
2008-06-20 16:03:05 241664 --a------ C:\Program Files\Uninstall Ask Toolbar.dll <Not Verified; Ask.com; Ask Toolbar for Internet Explorer>
2008-06-19 08:37:37 176235 --a------ C:\WINDOWS\system32\Primomonnt.dll
2008-06-19 08:37:35 0 d-------- C:\WINDOWS\PrimoPDF4
2008-06-19 08:37:35 0 d-------- C:\Program Files\activePDF
2008-06-16 11:13:52 0 d-a------ C:\Documents and Settings\All Users\Application Data\TEMP
2008-06-16 11:11:50 0 d-------- C:\Program Files\AskPBar
2008-06-16 09:35:35 0 d-------- C:\Program Files\Avolve


-- Find3M Report ---------------------------------------------------------------

2008-07-02 15:52:28 0 d-------- C:\Program Files\Symantec AntiVirus
2008-06-26 14:58:10 6181 --a------ C:\Documents and Settings\adirks\Application Data\PrimoPDFSet.xml
2008-06-26 11:22:36 310 --a------ C:\Documents and Settings\adirks\Application Data\APUSet.xml
2008-06-24 15:21:17 0 d-------- C:\Program Files\Messenger
2008-06-24 15:20:52 0 d-------- C:\Program Files\Movie Maker
2008-06-24 15:18:00 0 d-------- C:\Program Files\Windows NT
2008-06-23 10:57:22 0 d-------- C:\Program Files\Common Files\Wise Installation Wizard
2008-06-23 10:53:19 0 d-------- C:\Program Files\Common Files
2008-06-20 15:56:51 0 d-------- C:\Program Files\GIMP-2.0
2008-06-18 15:25:01 0 d-------- C:\Program Files\Acro Software
2008-06-18 14:05:48 0 d-------- C:\Program Files\Common Files\Blizzard Entertainment
2008-06-17 16:09:50 0 d-------- C:\Program Files\MySpace
2008-06-16 11:06:57 0 d--h----- C:\Program Files\InstallShield Installation Information
2008-06-06 16:56:48 0 d-------- C:\Documents and Settings\adirks\Application Data\gtk-2.0
2008-06-04 09:49:05 0 d-------- C:\Documents and Settings\adirks\Application Data\Adobe
2008-05-30 11:11:21 0 d-------- C:\Program Files\Java


-- Registry Dump ---------------------------------------------------------------

*Note* empty entries & legit default entries are not shown


[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"RTHDCPL"="RTHDCPL.EXE" [08/14/2006 12:00 PM C:\WINDOWS\RTHDCPL.exe]
"Alcmtr"="ALCMTR.EXE" [05/03/2005 04:43 PM C:\WINDOWS\Alcmtr.exe]
"ccApp"="C:\Program Files\Common Files\Symantec Shared\ccApp.exe" [12/10/2004 04:02 PM]
"vptray"="C:\PROGRA~1\SYMANT~1\VPTray.exe" [12/30/2004 12:19 PM]
"NeroFilterCheck"="C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe" [01/12/2006 03:40 PM]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_06\bin\jusched.exe" [03/25/2008 04:28 AM]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [03/30/2008 10:36 AM]
"SkyTel"="SkyTel.EXE" [05/16/2006 04:04 PM C:\WINDOWS\SkyTel.exe]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [04/13/2008 05:12 PM]
"SpybotSD TeaTimer"="C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe" [01/28/2008 12:43 PM]
"BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}"="C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe" [11/16/2006 07:04 PM]

C:\Documents and Settings\adirks\Start Menu\Programs\Startup\
SpywareGuard.lnk - C:\Program Files\SpywareGuard\sgmain.exe [8/29/2003 7:05:35 PM]
Start.bat [5/14/2008 2:20:43 PM]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= C:\Program Files\SUPERAntiSpyware\SASSEH.DLL [06/23/2008 12:08 PM 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
C:\Program Files\SUPERAntiSpyware\SASWINLO.DLL 06/23/2008 12:08 PM 294912 C:\Program Files\SUPERAntiSpyware\SASWINLO.DLL

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\dimsntfy]
C:\WINDOWS\System32\dimsntfy.dll

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders]
SecurityProviders msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll,

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\vds]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{533C5B84-EC70-11D2-9505-00C04F79DEAF}]
@="Volume shadow copy"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Adobe Reader Speed Launch.lnk
backup=C:\WINDOWS\pss\Adobe Reader Speed Launch.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroFilterCheck]
C:\WINDOWS\system32\NeroCheck.exe

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
eapsvcs eaphost
dot3svc dot3svc

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Svchost - NetSvcs
napagent
hkmsvc


[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{0bc73943-c34f-11db-bedf-806d6172696f}]
AutoRun\command- D:\setup.exe

*Newly Created Service* - ARDLB
*Newly Created Service* - ISDRV122

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{181E34DA-8AAF-51A4-113B-C5C8DE522977}]
C:\WINDOWS\system32:wupdate.exe



-- Hosts -----------------------------------------------------------------------

127.0.0.1 ad.a8.net
127.0.0.1 asy.a8ww.net
127.0.0.1 www.abx4.com #[Adware.ABXToolbar]
127.0.0.1 acezip.net #[SiteAdvisor.acezip.net]
127.0.0.1 www.acezip.net #[Win32/Adware.180Solutions]
127.0.0.1 phpadsnew.abac.com
127.0.0.1 a.abnad.net
127.0.0.1 b.abnad.net
127.0.0.1 c.abnad.net #[eTrust.Tracking.Cookie]
127.0.0.1 d.abnad.net

26314 more entries in hosts file.


-- End of Deckard's System Scanner: finished at 2008-07-03 13:33:35 ------------

Deckard's System Scanner v20071014.68
Extra logfile - please post this as an attachment with your post.
--------------------------------------------------------------------------------

-- System Information ----------------------------------------------------------

Microsoft Windows XP Professional (build 2600) SP 3.0
Architecture: X86; Language: English

CPU 0: Intel® Pentium® D CPU 3.00GHz
Percentage of Memory in Use: 39%
Physical Memory (total/avail): 1023.11 MiB / 618.35 MiB
Pagefile Memory (total/avail): 2460.38 MiB / 2076.25 MiB
Virtual Memory (total/avail): 2047.88 MiB / 1904 MiB

A: is Removable (No Media)
B: is Network (NTFS)
C: is Fixed (NTFS) - 74.53 GiB total, 43.34 GiB free.
D: is CDROM (No Media)
E: is CDROM (No Media)
Q: is Network (NTFS)

\\.\PHYSICALDRIVE0 - ST380815AS - 74.53 GiB - 1 partition
\PARTITION0 (bootable) - Installable File System - 74.53 GiB - C:



-- Security Center -------------------------------------------------------------

AUOptions is scheduled to auto-install.


-- Environment Variables -------------------------------------------------------

ALLUSERSPROFILE=C:\Documents and Settings\All Users
APPDATA=C:\Documents and Settings\adirks\Application Data
CLASSPATH=.;C:\Program Files\Java\jre1.6.0_01\lib\ext\QTJava.zip
CLIENTNAME=Console
CommonProgramFiles=C:\Program Files\Common Files
COMPUTERNAME=LIV-DETAILING6
ComSpec=C:\WINDOWS\system32\cmd.exe
FP_NO_HOST_CHECK=NO
HOMEDRIVE=C:
HOMEPATH=\Documents and Settings\adirks
LANG=C
LOGONSERVER=\\LIV-DETAILING6
LOGSCRIPT=C:\Program Files\UniPrint\Log Files
NUMBER_OF_PROCESSORS=2
OS=Windows_NT
Path=C:\WINDOWS\system32;C:\WINDOWS;C:\WINDOWS\System32\Wbem;C:\Program Files\Intel\DMIX;C:\PROGRA~1\COMMON~1\AUTODE~1;c:\foxprg;C:\Program Files\Common Files\GTK\2.0\bin;C:\Program Files\QuickTime\QTSystem\
PATHEXT=.COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH
PROCESSOR_ARCHITECTURE=x86
PROCESSOR_IDENTIFIER=x86 Family 15 Model 6 Stepping 5, GenuineIntel
PROCESSOR_LEVEL=15
PROCESSOR_REVISION=0605
ProgramFiles=C:\Program Files
PROMPT=$P$G
QTJAVA=C:\Program Files\Java\jre1.6.0_01\lib\ext\QTJava.zip
SESSIONNAME=Console
SystemDrive=C:
SystemRoot=C:\WINDOWS
TEMP=C:\DOCUME~1\adirks\LOCALS~1\Temp
TMP=C:\DOCUME~1\adirks\LOCALS~1\Temp
USERDOMAIN=LIV-DETAILING6
USERNAME=adirks
USERPROFILE=C:\Documents and Settings\adirks
windir=C:\WINDOWS


-- User Profiles ---------------------------------------------------------------

Backup (admin)
test (new local, admin)
adirks (admin)
Administrator (admin)


-- Add/Remove Programs ---------------------------------------------------------

--> C:\Program Files\Common Files\Real\Update_OB\r1puninst.exe RealNetworks|RealPlayer|6.0
--> C:\Program Files\Nero\Nero 7\nero\uninstall\UNNERO.exe /UNINSTALL
--> C:\WINDOWS\UNNeroBackItUp.exe /UNINSTALL
--> C:\WINDOWS\UNNeroMediaHome.exe /UNINSTALL
--> C:\WINDOWS\UNNeroShowTime.exe /UNINSTALL
--> C:\WINDOWS\UNNeroVision.exe /UNINSTALL
--> C:\WINDOWS\UNRecode.exe /UNINSTALL
--> MsiExec.exe /I{403EF592-953B-4794-BCEF-ECAB835C2095}
--> MsiExec.exe /I{9A346205-EA92-4406-B1AB-50379DA3F057}
Adobe Flash Player ActiveX --> C:\WINDOWS\system32\Macromed\Flash\uninstall_activeX.exe
Adobe Flash Player Plugin --> C:\WINDOWS\system32\Macromed\Flash\uninstall_plugin.exe
Adobe Reader 7.0.8 --> MsiExec.exe /I{AC76BA86-7AD7-1033-7B44-A70800000002}
Apple Mobile Device Support --> MsiExec.exe /I{44734179-8A79-4DEE-BB08-73037F065543}
Apple Software Update --> MsiExec.exe /I{02DFF6B1-1654-411C-8D7B-FD6052EF016F}
ATI Display Driver --> rundll32 C:\WINDOWS\system32\atiiiexx.dll,[email protected] -force_restart -flags:0x2010001 -inf_class:DISPLAY -clean
AutoCAD 2000 --> C:\WINDOWS\uninst.exe -fC:\r2000\DeIsL1.isu -c"C:\r2000\unacad.dll
AutoCAD 2000 Migration Assistance --> C:\WINDOWS\uninst.exe -fC:\r2000\migration\DeIsL1.isu
Autodesk DWF Viewer 7 --> MsiExec.exe /I{9A346205-EA92-4406-B1AB-50379DA3F057}
BurnInTest v3.0 Pro --> "C:\Program Files\BurnInTest\unins000.exe"
CADS Beam Detailer --> C:\CADS-mdi\UNWISE.EXE C:\CADS-mdi\Install.log
CADS Circular Bar Detailer --> C:\CADS-mdi\UNWISE.EXE C:\CADS-mdi\CADS-CBA\install.log
CADS Column Detailer --> C:\CADS-mdi\UNWISE.EXE C:\CADS-mdi\CADS-CO\install.log
CADS Pad Footing Detailer --> C:\CADS-mdi\UNWISE.EXE C:\CADS-mdi\CADS-PFD\install.log
CADS Panel Detailer --> C:\CADS-mdi\UNWISE.EXE C:\CADS-mdi\CADS-PN\install.log
CADS RCToolBox --> C:\CADS-mdi\UNWISE.EXE C:\CADS-mdi\RCToolBox\install.log
CADS Slab Panel Detailer --> C:\CADS-mdi\UNWISE.EXE C:\CADS-mdi\CADS-SPD\install.log
Citrix Web Client --> C:\WINDOWS\system32\ctxsetup.exe /uninst C:\PROGRA~1\Citrix\icaweb32\uninst.inf
Compatibility Pack for the 2007 Office system --> MsiExec.exe /X{90120000-0020-0409-0000-0000000FF1CE}
DivX Codec --> C:\Program Files\DivX\DivXCodecUninstall.exe /CODEC
DivX Content Uploader --> C:\Program Files\DivX\DivXContentUploaderUninstall.exe /CUPLOADER
DivX Web Player --> C:\Program Files\DivX\DivXWebPlayerUninstall.exe /PLUGIN
GTK+ 2.10.13 runtime environment --> "C:\Program Files\Common Files\GTK\2.0\setup\unins000.exe"
Harris Detailing --> MsiExec.exe /I{47BD2EB2-EB8E-4F7E-A41B-AB3B3F192ECF}
Harris Detailing 2.6 --> MsiExec.exe /I{E6D9E0D4-E0ED-478B-B57E-BDFD279EC465}
High Definition Audio Driver Package - KB888111 --> "C:\WINDOWS\$NtUninstallKB888111WXPSP2$\spuninst\spuninst.exe"
HijackThis 2.0.2 --> "C:\Program Files\Trend Micro\HijackThis\HijackThis.exe" /uninstall
Hotfix for Windows Media Format 11 SDK (KB929399) --> "C:\WINDOWS\$NtUninstallKB929399$\spuninst\spuninst.exe"
Intel® PRO Network Connections 11.2.0.69 --> MsiExec.exe /i{2222B364-0854-4265-B32E-A142DB9DC7BB} ARPREMOVE=1
iSqFt Full Viewer V4.01 --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{19A71C4F-94D9-44EA-AC98-FF8A045273AB}\Setup.exe" CPUninstall
iTunes --> MsiExec.exe /I{585776BC-4BD6-4BD2-A19A-1D6CB44A403B}
Java™ 6 Update 6 --> MsiExec.exe /I{3248F0A8-6813-11D6-A77B-00B0D0160060}
Java™ SE Runtime Environment 6 Update 1 --> MsiExec.exe /I{3248F0A8-6813-11D6-A77B-00B0D0160010}
Konica Scantrip --> C:\WINDOWS\uninst.exe -f"C:\Program Files\Konica\Scantrip\DeIsL1.isu" -c"C:\Program Files\Konica\Scantrip\_ISREG32.DLL"
LiveUpdate 2.0 (Symantec Corporation) --> C:\Program Files\Symantec\LiveUpdate\LSETUP.EXE /U
Malwarebytes' Anti-Malware --> "C:\Program Files\Malwarebytes' Anti-Malware\unins000.exe"
Marvell Miniport Driver --> MsiExec.exe /X{C950420B-4182-49EA-850A-A6A2ABF06C6B}
Microsoft Base Smart Card Cryptographic Service Provider Package --> "C:\WINDOWS\$NtUninstallbasecsp$\spuninst\spuninst.exe"
Microsoft Compression Client Pack 1.0 for Windows XP --> "C:\WINDOWS\$NtUninstallMSCompPackV1$\spuninst\spuninst.exe"
Microsoft Office Basic Edition 2003 --> MsiExec.exe /I{91130409-6000-11D3-8CFE-0150048383C9}
Microsoft User-Mode Driver Framework Feature Pack 1.0 --> "C:\WINDOWS\$NtUninstallWudf01000$\spuninst\spuninst.exe"
Mozilla Firefox (3.0) --> C:\Program Files\Mozilla Firefox\uninstall\helper.exe
Nero 7 Ultra Edition --> MsiExec.exe /I{235BBFC6-D863-4066-A01A-3BD504C31033}
Océ Remote Logic --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{F81CE0B1-B4C3-11D4-8159-00C04F050B4C}\Setup.exe" -l0x9
Océ WPD --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{3597D6BD-0E73-11D5-AB8A-00D0B7A62D54}\Setup.exe" -l0x9 DoUninstall:
On-Screen Takeoff --> C:\Program Files\InstallShield Installation Information\{690CEFE2-3B21-4D9D-849D-463270CC09A1}\setup.exe -runfromtemp -l0x0409
Panda ActiveScan 2.0 --> C:\Program Files\Panda Security\ActiveScan 2.0\as2uninst.exe
PrimoPDF --> "C:\WINDOWS\PrimoPDF4\uninstall.exe" "/U:C:\Program Files\activePDF\PrimoPDF\Uninstall\uninstallPrimoPDF4.xml"
Print Exec LT --> "C:\Program Files\Print Exec LT\UninstallerData\Uninstall Print Exec LT.exe"
ProjectDox Components --> MsiExec.exe /I{4055077E-416C-4A3C-A52A-05A450AC13FC}
QuickTime --> MsiExec.exe /I{1838C5A2-AB32-4145-85C1-BB9B8DFA24CD}
RealPlayer --> C:\Program Files\Common Files\Real\Update_OB\r1puninst.exe RealNetworks|RealPlayer|6.0
Realtek High Definition Audio Driver --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\11\50\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{F132AF7F-7BCA-4EDE-8A7C-958108FE7DBC}\setup.exe" -l0x9 -removeonly
RebarCAD --> C:\CADS-mdi\UNWISE.EXE C:\CADS-mdi\install.log
Security Task Manager 1.7f --> C:\Program Files\Security Task Manager\Uninstal.exe "C:\Documents and Settings\All Users\Start Menu\Programs\Security Task Manager"
Security Update for CAPICOM (KB931906) --> MsiExec.exe /I{0EFDF2F9-836D-4EB7-A32D-038BD3F1FB2A}
Security Update for CAPICOM (KB931906) --> MsiExec.exe /X{0EFDF2F9-836D-4EB7-A32D-038BD3F1FB2A}
SmartFTP Client --> MsiExec.exe /I{C169D3BB-9A27-43F5-9979-09A0D65FE95C}
Spybot - Search & Destroy --> "C:\Program Files\Spybot - Search & Destroy\unins001.exe"
Spybot - Search & Destroy 1.5.2.20 --> "C:\WINDOWS\unins000.exe"
SpywareGuard v2.2 --> "C:\Program Files\SpywareGuard\unins000.exe"
SUPERAntiSpyware Free Edition --> MsiExec.exe /X{CDDCBBF1-2703-46BC-938B-BCC81A1EEAAA}
Symantec AntiVirus --> MsiExec.exe /I{848AC794-8B81-440A-81AE-6474337DB527}
TBS WMP Plug-in --> C:\PROGRA~1\COMMON~1\INSTAL~1\Driver\1050\INTEL3~1\IDriver.exe /M{DB5F474C-B584-417F-810B-DEBBC1893C2A}
Trillian --> C:\Program Files\Trillian\trillian.exe /uninstall
UniPrint Client 3.5.1 --> C:\PROGRA~1\UniPrint\Client\UNWISE.EXE C:\PROGRA~1\UniPrint\Client\INSTALL.LOG
VERITAS Backup Exec Remote Agent for Windows Servers --> MsiExec.exe /I{5E98EE22-F59B-4ED0-82BE-010A6F886C3E}
Windows Media Format 11 runtime --> "C:\WINDOWS\$NtUninstallWMFDist11$\spuninst\spuninst.exe"
Windows Media Format SDK Hotfix - KB891122 --> "C:\WINDOWS\$NtUninstallKB891122$\spuninst\spuninst.exe"
Windows XP Service Pack 3 --> "C:\WINDOWS\$NtServicePackUninstall$\spuninst\spuninst.exe"
WinRAR archiver --> C:\Program Files\WinRAR\uninstall.exe
WinZip 11.1 --> MsiExec.exe /X{CD95F661-A5C4-44F5-A6AA-ECDD91C240B5}


-- Application Event Log -------------------------------------------------------

Event Record #/Type3628 / Error
Event Submitted/Written: 07/03/2008 01:30:26 PM
Event ID/Source: 1000 / Application Error
Event Description:
Faulting application itunes.exe, version 7.6.2.9, faulting module itunes.exe, version 7.6.2.9, fault address 0x0010cb0f.
Processing media-specific event for [itunes.exe!ws!]

Event Record #/Type3533 / Warning
Event Submitted/Written: 06/25/2008 09:10:04 AM
Event ID/Source: 1001 / MsiInstaller
Event Description:
Detection of product '{CDDCBBF1-2703-46BC-938B-BCC81A1EEAAA}', feature 'Complete' failed during request for component '{AFF22926-A739-4E3B-A969-57E406191443}'

Event Record #/Type3532 / Warning
Event Submitted/Written: 06/25/2008 09:10:04 AM
Event ID/Source: 1004 / MsiInstaller
Event Description:
Detection of product '{CDDCBBF1-2703-46BC-938B-BCC81A1EEAAA}', feature 'Complete', component '{B2B6EDF3-22B8-47B3-8358-4D1976F0949D}' failed. The resource 'C:\Program Files\SUPERAntiSpyware\Quarantine\' does not exist.

Event Record #/Type3507 / Warning
Event Submitted/Written: 06/25/2008 03:03:09 AM
Event ID/Source: 1020 / ASP.NET 2.0.50727.0
Event Description:
Updates to the IIS metabase were aborted because IIS is either not installed or is disabled on this machine. To configure ASP.NET to run in IIS, please install or enable IIS and re-register ASP.NET using aspnet_regiis.exe /i.

Event Record #/Type3492 / Warning
Event Submitted/Written: 06/24/2008 03:30:06 PM
Event ID/Source: 5603 / WinMgmt
Event Description:
A provider, Rsop Planning Mode Provider, has been registered in the WMI namespace, root\RSOP, but did not specify the HostingModel property. This provider will be run using the LocalSystem account. This account is privileged and the provider may cause a security violation if it does not correctly impersonate user requests. Ensure that provider has been reviewed for security behavior and update the HostingModel property of the provider registration to an account with the least privileges possible for the required functionality.



-- Security Event Log ----------------------------------------------------------

No Errors/Warnings found.


-- System Event Log ------------------------------------------------------------

Event Record #/Type5447 / Warning
Event Submitted/Written: 07/03/2008 10:36:57 AM
Event ID/Source: 4226 / Tcpip
Event Description:
TCP/IP has reached the security limit imposed on the number of concurrent TCP connect attempts.

Event Record #/Type5440 / Warning
Event Submitted/Written: 07/03/2008 05:31:35 AM
Event ID/Source: 36 / W32Time
Event Description:
The time service has not been able to synchronize the system time
for 49152 seconds because none of the time providers has been able to
provide a usable time stamp. The system clock is unsynchronized.

Event Record #/Type5422 / Error
Event Submitted/Written: 07/02/2008 03:52:05 PM / 07/02/2008 03:52:19 PM
Event ID/Source: 12294 / ati2mtag
Event Description:
CRT invalid display type

Event Record #/Type5411 / Warning
Event Submitted/Written: 07/01/2008 06:14:51 PM
Event ID/Source: 4226 / Tcpip
Event Description:
TCP/IP has reached the security limit imposed on the number of concurrent TCP connect attempts.

Event Record #/Type5410 / Warning
Event Submitted/Written: 07/01/2008 03:26:03 PM
Event ID/Source: 4226 / Tcpip
Event Description:
TCP/IP has reached the security limit imposed on the number of concurrent TCP connect attempts.



-- End of Deckard's System Scanner: finished at 2008-07-03 13:33:35 ------------
  • 0

#8
koko_crunch

koko_crunch

    Trusted Helper

  • Retired Staff
  • 1,751 posts
Nothing out of the ordinary there.
Let's run an online scan.

Next,

Please download DAFT and save it to your desktop:
  • Double-click the daft.exe icon.
  • Click on the Scan button.
  • Select everything it is displaying there
  • Click the Fix button.
  • Then rescan with DAFT again - it should say now that "All associations are OK"
  • Close DAFT if you receive that message. This means that it is fixed now.

Then,

Please download ATF Cleaner by Atribune.
This program is for XP and Windows 2000 onlyDouble-click ATF-Cleaner.exe to run the program.
Under Main choose: Select All
Click the Empty Selected button.
If you use Firefox browserClick Firefox at the top and choose: Select All
Click the Empty Selected button.
NOTE: If you would like to keep your saved passwords, please click No at the prompt.
If you use Opera browserClick Opera at the top and choose: Select All
Click the Empty Selected button.
NOTE: If you would like to keep your saved passwords, please click No at the prompt.
Click Exit on the Main menu to close the program.
For Technical Support, double-click the e-mail address located at the bottom of each menu.

Finally,

Please do an online scan with Kaspersky WebScanner

Temporarily disable your resident Antivirus software before proceeding.

Welcome Information page will open. Click on Accept
  • The program will launch and then begin downloading the latest definition files:
  • Once the files have been downloaded, click on Scan
    • Now under that section select My Computer
  • This will program will start and scan your system.
  • The scan will take a while so be patient and let it run.
  • Once the scan is complete it will display if your system has been infected.
    • Now click on the Save Report as button:
  • Save the file to your desktop.
  • Copy and paste that information in your next post.

Enable you Anti-Virus protection once scan is done.
  • 0

#9
koko_crunch

koko_crunch

    Trusted Helper

  • Retired Staff
  • 1,751 posts
Due to lack of feedback, this topic has been closed.

If you need this topic reopened, please contact a staff member. This applies only to the original topic starter. Everyone else please begin a New Topic.
  • 0






Similar Topics

0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users

As Featured On:

Microsoft Yahoo BBC MSN PC Magazine Washington Post HP