
My System Is Obliterated


  • This topic is locked

#1 atearwhofellnot (Member, 64 posts)
Hi, it's been a long, long time since I've shown my face here. We've had a rough past and I apologize for that.

I come to you today with a serious issue.

There is a nasty new virus on the net. I have forgotten the name, as I have just gotten my PC back from Ram Technologies. (My MB went out less than 40 minutes after I thought I had fixed the infection; unrelated issue.)

I was unable to uninstall ANYTHING; the PC would hang endlessly on shutdown. Most programs wouldn't load, i.e. Starcraft and Spybot. According to my registry cleaners, ALL of my uninstall entries were damaged.


I just did a 25-day system restore. I am able to load some programs and uninstall things, but Spybot still won't load, Starcraft won't load, and some other apps won't load either.

Also, if I try to load the program it will appear in my Task Manager, and when I kill the process it stays listed; however, its memory usage stays the same.

Kaspersky says I am clean.

Prevx CSI says I'm clean.

AVG says I'm clean.

Help :/

PS: HijackThis log below.

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 12:57:07 PM, on 8/16/2008
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP3 (6.00.2900.5512)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 7.0\avp.exe
C:\Program Files\Nero\Nero8\Nero BackItUp\NBService.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 7.0\avp.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\MSN Messenger\usnsvc.exe
C:\Documents and Settings\Anthony\Desktop\utorrent.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Documents and Settings\Anthony\Desktop\HiJackThis.exe

O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [AVP] "C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 7.0\avp.exe"
O4 - HKLM\..\Run: [MSConfig] C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.micros...b?1215925461312
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.mi...b?1215925945187
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: Kaspersky Anti-Virus 7.0 (AVP) - Kaspersky Lab - C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 7.0\avp.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: NMIndexingService - Nero AG - C:\Program Files\Common Files\Nero\Lib\NMIndexingService.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: PLFlash DeviceIoControl Service - Prolific Technology Inc. - C:\WINDOWS\system32\IoctlSvc.exe

--
End of file - 4214 bytes

Edited by atearwhofellnot, 16 August 2008 - 12:19 PM.

#2 atearwhofellnot (Topic Starter, Member, 64 posts)
Accidentally made a second post, sorry.

Edited by atearwhofellnot, 16 August 2008 - 12:48 PM.

#3 kahdah (GeekU Teacher, Retired Staff, 15,822 posts)
Hello atearwhofellnot

Welcome to G2Go. :)
=====================
Please download DAFT and save it to your desktop:
  • Double-click the daft.exe icon.
  • Click on the Scan button.
  • Select everything it is displaying there.
  • Click the Fix button.
  • Then rescan with DAFT again - it should say now that "All associations are OK"
  • Close DAFT if you receive that message. This means that it is fixed now.
=============
Download GMER from Here:
Unzip it to the desktop.

Open the program and click on the Rootkit tab.
Make sure all the boxes on the right of the screen are checked, EXCEPT for ‘Show All’.
Click on Scan.
When the scan has run, click Copy and paste the results (if any) into this thread.
#4 atearwhofellnot (Topic Starter, Member, 64 posts)
DAFT fixed one association, an important one for my gaming :) Thanks for that.

Here is the log for GMER; it is EXTENSIVE.
Sorry for the delay in posting this; I was asleep, and GMER had to scan about 3 TB of data after I woke up XD

GMER crashed on a .txt file, so I am rescanning now without that drive, since it didn't find anything on it in the first place.
#5 atearwhofellnot (Topic Starter, Member, 64 posts)
The first time I scanned, it seemed to find A LOT more, so I am rescanning, but here is what I have now!

GMER 1.0.14.14536 - http://www.gmer.net
Rootkit scan 2008-08-16 20:59:46
Windows 5.1.2600 Service Pack 3


---- System - GMER 1.0.14 ----

SSDT pxfsf.sys ZwAlertResumeThread [0xBA59E83D]
SSDT pxfsf.sys ZwAllocateUserPhysicalPages [0xBA59E847]
SSDT pxfsf.sys ZwAllocateVirtualMemory [0xBA59E851]
SSDT \??\C:\WINDOWS\system32\drivers\klif.sys (spuper-ptor/Kaspersky Lab) ZwClose [0xB51FE370]
SSDT pxfsf.sys ZwCompactKeys [0xBA59E865]
SSDT pxfsf.sys ZwCompressKey [0xBA59E86F]
SSDT \??\C:\WINDOWS\system32\drivers\klif.sys (spuper-ptor/Kaspersky Lab) ZwConnectPort [0xB51FC420]
SSDT pxfsf.sys ZwCreateDirectoryObject [0xBA59E879]
SSDT pxfsf.sys ZwCreateEvent [0xBA59E883]
SSDT pxfsf.sys ZwCreateEventPair [0xBA59E88D]
SSDT pxfsf.sys ZwCreateFile [0xBA59E897]
SSDT pxfsf.sys ZwCreateIoCompletion [0xBA59E8A1]
SSDT pxfsf.sys ZwCreateJobObject [0xBA59E8AB]
SSDT \??\C:\WINDOWS\system32\drivers\klif.sys (spuper-ptor/Kaspersky Lab) ZwCreateKey [0xB51EF7A0]
SSDT pxfsf.sys ZwCreateMailslotFile [0xBA59E8BF]
SSDT pxfsf.sys ZwCreateMutant [0xBA59E8C9]
SSDT pxfsf.sys ZwCreateNamedPipeFile [0xBA59E8D3]
SSDT pxfsf.sys ZwCreatePort [0xBA59E8DD]
SSDT \??\C:\WINDOWS\system32\drivers\klif.sys (spuper-ptor/Kaspersky Lab) ZwCreateProcess [0xB51FE0A0]
SSDT \??\C:\WINDOWS\system32\drivers\klif.sys (spuper-ptor/Kaspersky Lab) ZwCreateProcessEx [0xB51FE210]
SSDT \??\C:\WINDOWS\system32\drivers\klif.sys (spuper-ptor/Kaspersky Lab) ZwCreateSection [0xB51FEE70]
SSDT pxfsf.sys ZwCreateSemaphore [0xBA59E905]
SSDT \??\C:\WINDOWS\system32\drivers\klif.sys (spuper-ptor/Kaspersky Lab) ZwCreateSymbolicLinkObject [0xB51FE940]
SSDT \??\C:\WINDOWS\system32\drivers\klif.sys (spuper-ptor/Kaspersky Lab) ZwCreateThread [0xB51FF7B0]
SSDT pxfsf.sys ZwCreateTimer [0xBA59E923]
SSDT pxfsf.sys ZwCreateToken [0xBA59E92D]
SSDT pxfsf.sys ZwDeleteFile [0xBA59E937]
SSDT \??\C:\WINDOWS\system32\drivers\klif.sys (spuper-ptor/Kaspersky Lab) ZwDeleteKey [0xB51EF8A0]
SSDT \??\C:\WINDOWS\system32\drivers\klif.sys (spuper-ptor/Kaspersky Lab) ZwDeleteValueKey [0xB51EF920]
SSDT pxfsf.sys ZwDeviceIoControlFile [0xBA59E955]
SSDT \??\C:\WINDOWS\system32\drivers\klif.sys (spuper-ptor/Kaspersky Lab) ZwDuplicateObject [0xB51FE510]
SSDT \??\C:\WINDOWS\system32\drivers\klif.sys (spuper-ptor/Kaspersky Lab) ZwEnumerateKey [0xB51EF9B0]
SSDT \??\C:\WINDOWS\system32\drivers\klif.sys (spuper-ptor/Kaspersky Lab) ZwEnumerateValueKey [0xB51EFA60]
SSDT \??\C:\WINDOWS\system32\drivers\klif.sys (spuper-ptor/Kaspersky Lab) ZwFlushKey [0xB51EFB10]
SSDT pxfsf.sys ZwFreeUserPhysicalPages [0xBA59E97D]
SSDT pxfsf.sys ZwFreeVirtualMemory [0xBA59E987]
SSDT pxfsf.sys ZwImpersonateAnonymousToken [0xBA59E991]
SSDT pxfsf.sys ZwImpersonateThread [0xBA59E99B]
SSDT \??\C:\WINDOWS\system32\drivers\klif.sys (spuper-ptor/Kaspersky Lab) ZwInitializeRegistry [0xB51EFB90]
SSDT \??\C:\WINDOWS\system32\drivers\klif.sys (spuper-ptor/Kaspersky Lab) ZwLoadDriver [0xB51FBFD0]
SSDT \??\C:\WINDOWS\system32\drivers\klif.sys (spuper-ptor/Kaspersky Lab) ZwLoadKey [0xB51F0590]
SSDT \??\C:\WINDOWS\system32\drivers\klif.sys (spuper-ptor/Kaspersky Lab) ZwLoadKey2 [0xB51EFBB0]
SSDT pxfsf.sys ZwLockRegistryKey [0xBA59E9C3]
SSDT pxfsf.sys ZwLockVirtualMemory [0xBA59E9CD]
SSDT pxfsf.sys ZwMapViewOfSection [0xBA59E9D7]
SSDT \??\C:\WINDOWS\system32\drivers\klif.sys (spuper-ptor/Kaspersky Lab) ZwNotifyChangeKey [0xB51EFC80]
SSDT pxfsf.sys ZwOpenFile [0xBA59E9E1]
SSDT \??\C:\WINDOWS\system32\drivers\klif.sys (spuper-ptor/Kaspersky Lab) ZwOpenKey [0xB51EFD60]
SSDT \??\C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.sys ZwOpenProcess [0xBAE898AC]
SSDT pxfsf.sys ZwOpenProcessToken [0xBA59E9FF]
SSDT \??\C:\WINDOWS\system32\drivers\klif.sys (spuper-ptor/Kaspersky Lab) ZwOpenSection [0xB51FECA0]
SSDT pxfsf.sys ZwOpenThread [0xBA59EA13]
SSDT pxfsf.sys ZwOpenThreadToken [0xBA59EA1D]
SSDT pxfsf.sys ZwProtectVirtualMemory [0xBA59EA27]
SSDT pxfsf.sys ZwQueryInformationProcess [0xBA59EA31]
SSDT pxfsf.sys ZwQueryInformationThread [0xBA59EA3B]
SSDT \??\C:\WINDOWS\system32\drivers\klif.sys (spuper-ptor/Kaspersky Lab) ZwQueryKey [0xB51EFE30]
SSDT \??\C:\WINDOWS\system32\drivers\klif.sys (spuper-ptor/Kaspersky Lab) ZwQueryMultipleValueKey [0xB51EFEE0]
SSDT pxfsf.sys ZwQueryOpenSubKeys [0xBA59EA59]
SSDT \??\C:\WINDOWS\system32\drivers\klif.sys (spuper-ptor/Kaspersky Lab) ZwQuerySystemInformation [0xB51FF460]
SSDT \??\C:\WINDOWS\system32\drivers\klif.sys (spuper-ptor/Kaspersky Lab) ZwQueryValueKey [0xB51EFF90]
SSDT pxfsf.sys ZwQueueApcThread [0xBA59EA6D]
SSDT pxfsf.sys ZwReadFile [0xBA59EA77]
SSDT pxfsf.sys ZwReadVirtualMemory [0xBA59EA81]
SSDT pxfsf.sys ZwRenameKey [0xBA59EA8B]
SSDT \??\C:\WINDOWS\system32\drivers\klif.sys (spuper-ptor/Kaspersky Lab) ZwReplaceKey [0xB51F0040]
SSDT \??\C:\WINDOWS\system32\drivers\klif.sys (spuper-ptor/Kaspersky Lab) ZwRequestWaitReplyPort [0xB51FCA00]
SSDT \??\C:\WINDOWS\system32\drivers\klif.sys (spuper-ptor/Kaspersky Lab) ZwRestoreKey [0xB51F00D0]
SSDT pxfsf.sys ZwResumeProcess [0xBA59EAA9]
SSDT \??\C:\WINDOWS\system32\drivers\klif.sys (spuper-ptor/Kaspersky Lab) ZwResumeThread [0xB51FF760]
SSDT \??\C:\WINDOWS\system32\drivers\klif.sys (spuper-ptor/Kaspersky Lab) ZwSaveKey [0xB51F02D0]
SSDT pxfsf.sys ZwSaveKeyEx [0xBA59EAC7]
SSDT pxfsf.sys ZwSaveMergedKeys [0xBA59EAD1]
SSDT \??\C:\WINDOWS\system32\drivers\klif.sys (spuper-ptor/Kaspersky Lab) ZwSetContextThread [0xB51FFAE0]
SSDT \??\C:\WINDOWS\system32\drivers\klif.sys (spuper-ptor/Kaspersky Lab) ZwSetInformationFile [0xB52000A0]
SSDT \??\C:\WINDOWS\system32\drivers\klif.sys (spuper-ptor/Kaspersky Lab) ZwSetInformationKey [0xB51F0360]
SSDT pxfsf.sys ZwSetInformationProcess [0xBA59EAEF]
SSDT pxfsf.sys ZwSetInformationThread [0xBA59EAF9]
SSDT \??\C:\WINDOWS\system32\drivers\klif.sys (spuper-ptor/Kaspersky Lab) ZwSetSecurityObject [0xB51FAC20]
SSDT \??\C:\WINDOWS\system32\drivers\klif.sys (spuper-ptor/Kaspersky Lab) ZwSetSystemInformation [0xB51FEB20]
SSDT \??\C:\WINDOWS\system32\drivers\klif.sys (spuper-ptor/Kaspersky Lab) ZwSetValueKey [0xB51F0400]
SSDT pxfsf.sys ZwSuspendProcess [0xBA59EB17]
SSDT \??\C:\WINDOWS\system32\drivers\klif.sys (spuper-ptor/Kaspersky Lab) ZwSuspendThread [0xB51FF710]
SSDT \??\C:\WINDOWS\system32\drivers\klif.sys (spuper-ptor/Kaspersky Lab) ZwSystemDebugControl [0xB51FC2E0]
SSDT pxfsf.sys ZwTerminateJobObject [0xBA59EB35]
SSDT \??\C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.sys ZwTerminateProcess [0xBAE89812]
SSDT pxfsf.sys ZwTerminateThread [0xBA59EB49]
SSDT pxfsf.sys ZwUnloadDriver [0xBA59EB53]
SSDT \??\C:\WINDOWS\system32\drivers\klif.sys (spuper-ptor/Kaspersky Lab) ZwUnloadKey [0xB51F0550]
SSDT pxfsf.sys ZwUnloadKeyEx [0xBA59EB67]
SSDT pxfsf.sys ZwUnlockVirtualMemory [0xBA59EB71]
SSDT pxfsf.sys ZwUnmapViewOfSection [0xBA59EB7B]
SSDT pxfsf.sys ZwWriteFile [0xBA59EB85]
SSDT \??\C:\WINDOWS\system32\drivers\klif.sys (spuper-ptor/Kaspersky Lab) ZwWriteVirtualMemory [0xB51FE3D0]

---- Kernel code sections - GMER 1.0.14 ----

.text ntkrnlpa.exe!FsRtlCheckLockForReadAccess 804EAF74 2 Bytes JMP B52004C0 \??\C:\WINDOWS\system32\drivers\klif.sys (spuper-ptor/Kaspersky Lab)
.text ntkrnlpa.exe!FsRtlCheckLockForReadAccess + 3 804EAF77 2 Bytes [ D1, 34 ]
.text ntkrnlpa.exe!IoIsOperationSynchronous 804EF902 5 Bytes JMP B52009C0 \??\C:\WINDOWS\system32\drivers\klif.sys (spuper-ptor/Kaspersky Lab)
.text ntkrnlpa.exe!ZwCallbackReturn + 2C4C 805044D8 24 Bytes CALL 68D3FF36
.text ntkrnlpa.exe!ZwCallbackReturn + 2C68 805044F4 16 Bytes [ A0, F7, 1E, B5, BF, E8, 59, ... ]
.text ntkrnlpa.exe!ZwCallbackReturn + 2C7C 80504508 12 Bytes CALL 60F0FF66
.text ntkrnlpa.exe!ZwCallbackReturn + 2C8C 80504518 24 Bytes [ 70, EE, 1F, B5, 05, E9, 59, ... ]
.text ntkrnlpa.exe!ZwCallbackReturn + 2D48 805045D4 12 Bytes [ D0, BF, 1F, B5, 90, 05, 1F, ... ]
.text ...
? C:\WINDOWS\system32\drivers\sptd.sys The process cannot access the file because it is being used by another process.
? pxfsf.sys The system cannot find the file specified. !
? \WINDOWS\system32\DRIVERS\pxcom.SYS The system cannot find the file specified. !
.text USBPORT.SYS!DllUnload B7D2A8AC 4 Bytes JMP 8AD3D250
? System32\Drivers\aqalzxh7.SYS The system cannot find the file specified. !
? system32\DRIVERS\pxrd.sys The system cannot find the file specified. !
? system32\DRIVERS\pxtdi.sys The system cannot find the file specified. !

---- Kernel IAT/EAT - GMER 1.0.14 ----

IAT atapi.sys[HAL.dll!READ_PORT_UCHAR] [BA6CEAB4] sptd.sys
IAT atapi.sys[HAL.dll!READ_PORT_BUFFER_USHORT] [BA6CEBFA] sptd.sys
IAT atapi.sys[HAL.dll!READ_PORT_USHORT] [BA6CEB7C] sptd.sys
IAT atapi.sys[HAL.dll!WRITE_PORT_BUFFER_USHORT] [BA6CF728] sptd.sys
IAT atapi.sys[HAL.dll!WRITE_PORT_UCHAR] [BA6CF5FE] sptd.sys
IAT \SystemRoot\system32\DRIVERS\i8042prt.sys[HAL.dll!READ_PORT_UCHAR] [BA6E1C5A] sptd.sys

---- Registry - GMER 1.0.14 ----

Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg@s1 396079301
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg@s2 1239124592
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg@h0 1
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@p0 C:\Program Files\DAEMON Tools\
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@h0 0
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@khjeh 0x63 0x10 0x1E 0x67 ...
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001@a0 0x20 0x01 0x00 0x00 ...
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001@khjeh 0xBC 0x81 0x0F 0x0C ...
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf40
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf40@khjeh 0xE2 0xB4 0x8C 0x2A ...
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf41
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf41@khjeh 0xE8 0xE3 0x6B 0xA9 ...
Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4
Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@p0 C:\Program Files\DAEMON Tools\
Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@h0 0
Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@khjeh 0x63 0x10 0x1E 0x67 ...
Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001
Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001@a0 0x20 0x01 0x00 0x00 ...
Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001@khjeh 0xBC 0x81 0x0F 0x0C ...
Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf40
Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf40@khjeh 0xE2 0xB4 0x8C 0x2A ...
Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf41
Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf41@khjeh 0xE8 0xE3 0x6B 0xA9 ...

---- Disk sectors - GMER 1.0.14 ----

Disk \Device\Harddisk0\DR0 sector 01: copy of MBR
Disk \Device\Harddisk0\DR0 sector 02: copy of MBR
Disk \Device\Harddisk0\DR0 sector 03: copy of MBR
Disk \Device\Harddisk0\DR0 sector 04: copy of MBR
Disk \Device\Harddisk0\DR0 sector 05: copy of MBR
Disk \Device\Harddisk0\DR0 sector 06: copy of MBR
Disk \Device\Harddisk0\DR0 sector 07: copy of MBR
Disk \Device\Harddisk0\DR0 sector 08: copy of MBR
Disk \Device\Harddisk0\DR0 sector 09: copy of MBR
Disk \Device\Harddisk0\DR0 sector 10: copy of MBR
Disk \Device\Harddisk0\DR0 sector 11: copy of MBR
Disk \Device\Harddisk0\DR0 sector 12: copy of MBR
Disk \Device\Harddisk0\DR0 sector 13: copy of MBR
Disk \Device\Harddisk0\DR0 sector 14: copy of MBR
Disk \Device\Harddisk0\DR0 sector 15: copy of MBR
Disk \Device\Harddisk0\DR0 sector 16: copy of MBR
Disk \Device\Harddisk0\DR0 sector 17: copy of MBR
Disk \Device\Harddisk0\DR0 sector 18: copy of MBR
Disk \Device\Harddisk0\DR0 sector 19: copy of MBR
Disk \Device\Harddisk0\DR0 sector 20: copy of MBR
Disk \Device\Harddisk0\DR0 sector 21: copy of MBR
Disk \Device\Harddisk0\DR0 sector 22: copy of MBR
Disk \Device\Harddisk0\DR0 sector 23: copy of MBR
Disk \Device\Harddisk0\DR0 sector 24: copy of MBR
Disk \Device\Harddisk0\DR0 sector 25: copy of MBR
Disk \Device\Harddisk0\DR0 sector 26: copy of MBR
Disk \Device\Harddisk0\DR0 sector 27: copy of MBR
Disk \Device\Harddisk0\DR0 sector 28: copy of MBR
Disk \Device\Harddisk0\DR0 sector 29: copy of MBR
Disk \Device\Harddisk0\DR0 sector 30: copy of MBR
Disk \Device\Harddisk0\DR0 sector 31: copy of MBR
Disk \Device\Harddisk0\DR0 sector 32: copy of MBR
Disk \Device\Harddisk0\DR0 sector 33: copy of MBR
Disk \Device\Harddisk0\DR0 sector 34: copy of MBR
Disk \Device\Harddisk0\DR0 sector 35: copy of MBR
Disk \Device\Harddisk0\DR0 sector 36: copy of MBR
Disk \Device\Harddisk0\DR0 sector 37: copy of MBR
Disk \Device\Harddisk0\DR0 sector 38: copy of MBR
Disk \Device\Harddisk0\DR0 sector 39: copy of MBR
Disk \Device\Harddisk0\DR0 sector 40: copy of MBR
Disk \Device\Harddisk0\DR0 sector 41: copy of MBR
Disk \Device\Harddisk0\DR0 sector 42: copy of MBR
Disk \Device\Harddisk0\DR0 sector 43: copy of MBR
Disk \Device\Harddisk0\DR0 sector 44: copy of MBR
Disk \Device\Harddisk0\DR0 sector 45: copy of MBR
Disk \Device\Harddisk0\DR0 sector 46: copy of MBR
Disk \Device\Harddisk0\DR0 sector 47: copy of MBR
Disk \Device\Harddisk0\DR0 sector 48: copy of MBR
Disk \Device\Harddisk0\DR0 sector 49: copy of MBR
Disk \Device\Harddisk0\DR0 sector 50: copy of MBR
Disk \Device\Harddisk0\DR0 sector 51: copy of MBR
Disk \Device\Harddisk0\DR0 sector 52: copy of MBR
Disk \Device\Harddisk0\DR0 sector 53: copy of MBR
Disk \Device\Harddisk0\DR0 sector 54: copy of MBR
Disk \Device\Harddisk0\DR0 sector 55: copy of MBR
Disk \Device\Harddisk0\DR0 sector 56: copy of MBR
Disk \Device\Harddisk0\DR0 sector 57: copy of MBR
Disk \Device\Harddisk0\DR0 sector 58: copy of MBR
Disk \Device\Harddisk0\DR0 sector 59: copy of MBR
Disk \Device\Harddisk0\DR0 sector 60: copy of MBR
Disk \Device\Harddisk0\DR0 sector 61: copy of MBR
Disk \Device\Harddisk0\DR0 sector 62: copy of MBR
Disk \Device\Harddisk0\DR0 sector 63: rootkit-like behavior; copy of MBR

Edited by atearwhofellnot, 16 August 2008 - 08:01 PM.

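
The SSDT and IAT sections above collapse to a handful of hooking drivers once grouped; the Python helper below (an editor's added example, not code from the thread or from GMER) does that grouping over an excerpt of the log above and lists the drivers a reviewer still has to attribute by hand: hooks with no vendor string, and files GMER could not find on disk. It assumes the GMER 1.0.14 line formats shown in the log; the px*.sys names match the Prevx product the poster says he runs, so a flag here means "check", not "malicious".

```python
"""Per-driver triage of GMER 'System' and 'Kernel IAT/EAT' output (editor's example)."""
import ntpath
import re
from collections import defaultdict

# Excerpt of the GMER log posted above (a few representative lines, not the full log).
SAMPLE_LOG = r"""
---- System - GMER 1.0.14 ----

SSDT pxfsf.sys ZwAlertResumeThread [0xBA59E83D]
SSDT \??\C:\WINDOWS\system32\drivers\klif.sys (spuper-ptor/Kaspersky Lab) ZwClose [0xB51FE370]
SSDT pxfsf.sys ZwCreateFile [0xBA59E897]
SSDT \??\C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.sys ZwOpenProcess [0xBAE898AC]
SSDT \??\C:\WINDOWS\system32\drivers\klif.sys (spuper-ptor/Kaspersky Lab) ZwWriteVirtualMemory [0xB51FE3D0]

---- Kernel code sections - GMER 1.0.14 ----

? C:\WINDOWS\system32\drivers\sptd.sys The process cannot access the file because it is being used by another process.
? pxfsf.sys The system cannot find the file specified. !
? System32\Drivers\aqalzxh7.SYS The system cannot find the file specified. !

---- Kernel IAT/EAT - GMER 1.0.14 ----

IAT atapi.sys[HAL.dll!READ_PORT_UCHAR] [BA6CEAB4] sptd.sys
IAT \SystemRoot\system32\DRIVERS\i8042prt.sys[HAL.dll!READ_PORT_UCHAR] [BA6E1C5A] sptd.sys
"""

# SSDT <module [ (vendor)]> <ZwFunction> [0xADDR]
SSDT_RE = re.compile(r"^SSDT\s+(?P<module>.+?)\s+(?P<func>Zw\w+)\s+\[0x[0-9A-Fa-f]+\]$")
# IAT <hooked image>[<import>] [ADDR] <hooking module>
IAT_RE = re.compile(r"^IAT\s+(?P<target>.+?)\[(?P<imp>[^\]]+)\]\s+\[[0-9A-Fa-f]+\]\s+(?P<module>\S+)$")
# ? <file> <Win32 error text> [!]
FILE_RE = re.compile(r"^\?\s+(?P<path>\S+)\s+(?P<msg>.+?)\s*!?$")
# trailing "(vendor)" that GMER appends when it can read a version resource
VENDOR_RE = re.compile(r"^(?P<path>.+?)\s+\((?P<vendor>[^)]*)\)$")


def driver_name(module_field):
    """Split a GMER module field into (lower-cased file name, vendor or None)."""
    vendor = None
    m = VENDOR_RE.match(module_field)
    if m:
        module_field, vendor = m.group("path"), m.group("vendor")
    return ntpath.basename(module_field).lower(), vendor


def parse_gmer(text):
    """Group hooks by the driver that installed them.

    Returns {driver: {"vendor": str|None, "ssdt": [Zw...],
                      "iat": ["image[import]"], "file_error": str|None}}.
    """
    drivers = defaultdict(lambda: {"vendor": None, "ssdt": [], "iat": [], "file_error": None})
    for raw in text.splitlines():
        line = raw.strip()
        if m := SSDT_RE.match(line):
            name, vendor = driver_name(m.group("module"))
            drivers[name]["ssdt"].append(m.group("func"))
            drivers[name]["vendor"] = drivers[name]["vendor"] or vendor
        elif m := IAT_RE.match(line):
            name, _ = driver_name(m.group("module"))
            target = ntpath.basename(m.group("target"))
            drivers[name]["iat"].append(f"{target}[{m.group('imp')}]")
        elif m := FILE_RE.match(line):
            name, _ = driver_name(m.group("path"))
            drivers[name]["file_error"] = m.group("msg")
    return dict(drivers)


def triage(drivers):
    """Return [(driver, reason)] for drivers a reviewer should attribute by hand."""
    findings = []
    for name, d in sorted(drivers.items()):
        hooks = len(d["ssdt"]) + len(d["iat"])
        if d["file_error"] and "cannot find" in d["file_error"]:
            # GMER could not open the file under the name it was given, so the
            # hooks cannot be checked against a signed file on disk.
            findings.append((name, f"not found on disk by GMER; {hooks} hook(s) attributed to it"))
        elif hooks and not d["vendor"]:
            # Hooks present but no vendor string: attribute from the path or by hand.
            findings.append((name, f"{hooks} hook(s) with no vendor string in the log"))
    return findings


if __name__ == "__main__":
    summary = parse_gmer(SAMPLE_LOG)
    for name, d in sorted(summary.items()):
        print(f"{name:14} vendor={d['vendor'] or '-':28} ssdt={len(d['ssdt']):2} "
              f"iat={len(d['iat']):2} file_error={d['file_error'] or '-'}")
    for name, reason in triage(summary):
        print(f"REVIEW {name}: {reason}")
```

Run as a script it prints one row per driver followed by the REVIEW lines; klif.sys, which carries a vendor string and a readable file, is not flagged.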
#6 kahdah (GeekU Teacher, Retired Staff, 15,822 posts)
Please download mbr.exe by GMER.

Save the file to your desktop.
Double-click it, and it will produce a text file on your desktop named mbr.txt.
Please post the contents of that file.
#7 atearwhofellnot (Topic Starter, Member, 64 posts)
Never mind about the rescanning; my explorer.exe has crashed and won't reopen :) So I am heading to work. Thanks for your help :)
#8 atearwhofellnot (Topic Starter, Member, 64 posts)
Stealth MBR rootkit detector 0.2.4 by Gmer, http://www.gmer.net

device: opened successfully
user: MBR read successfully
kernel: MBR read successfully
user & kernel MBR OK
#9 kahdah (GeekU Teacher, Retired Staff, 15,822 posts)
Please download Malwarebytes' Anti-Malware from Here or Here

Double Click mbam-setup.exe to install the application.
  • Make sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
  • If an update is found, it will download and install the latest version.
  • Once the program has loaded, select "Perform Quick Scan", then click Scan.
  • The scan may take some time to finish, so please be patient.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Make sure that everything is checked, and click Remove Selected.
  • When disinfection is completed, a log will open in Notepad and you may be prompted to restart. (See Extra Note.)
  • The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
  • Copy & paste the entire report in your next reply.
Extra Note:
If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts. Click OK to either and let MBAM proceed with the disinfection process; if asked to restart the computer, please do so immediately.
#10 atearwhofellnot (Topic Starter, Member, 64 posts)
I actually ran that earlier. I'm clean according to it. However, I am going to rerun it with a full system scan, since this is my last reply of the evening. I will return in 11 hours.

Thanks so much for your help!

#11 atearwhofellnot (Topic Starter, Member, 64 posts)
I removed Craagle even though it is technically a clean file... I don't really need it, so I took it off. All other problems found, I let it clean.

Malwarebytes' Anti-Malware 1.24
Database version: 1059
Windows 5.1.2600 Service Pack 3

8:03:59 AM 8/17/2008
mbam-log-8-17-2008 (08-03-59).txt

Scan type: Full Scan (C:\|)
Objects scanned: 114187
Time elapsed: 1 hour(s), 17 minute(s), 1 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 5

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
C:\Documents and Settings\All Users\Application Data\Kaspersky Lab\AVP7\PdmHist\ed4.80ABF6C001C90010.history\00000005.bak (Adware.Craagle) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{563D6947-7B5F-4D43-A882-5130BD5F875A}\RP12\A0005270.dll (Adware.SoftMate) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{563D6947-7B5F-4D43-A882-5130BD5F875A}\RP75\A0032917.exe (Adware.Craagle) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{563D6947-7B5F-4D43-A882-5130BD5F875A}\RP77\A0033980.dll (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{563D6947-7B5F-4D43-A882-5130BD5F875A}\RP77\A0033981.dll (Trojan.FakeAlert) -> Quarantined and deleted successfully.
#12 kahdah (GeekU Teacher, Retired Staff, 15,822 posts)
Please download Deckard's System Scanner (DSS) and save it to your Desktop.
  • Close all other windows before proceeding.
  • Double-click on dss.exe and follow the prompts.
  • When it has finished, DSS will open two Notepad windows, main.txt and extra.txt; please copy (CTRL+A and then CTRL+C) and paste (CTRL+V) the contents of main.txt and extra.txt in your next reply.

#13 atearwhofellnot (Topic Starter, Member, 64 posts)
Deckard's System Scanner v20071014.68
Extra logfile - please post this as an attachment with your post.
--------------------------------------------------------------------------------

-- System Information ----------------------------------------------------------

Microsoft Windows XP Professional (build 2600) SP 3.0
Architecture: X86; Language: English

CPU 0: AMD Athlon™ 64 X2 Dual Core Processor 6000+
Percentage of Memory in Use: 17%
Physical Memory (total/avail): 3326.42 MiB / 2727.83 MiB
Pagefile Memory (total/avail): 5210.17 MiB / 4710.79 MiB
Virtual Memory (total/avail): 2047.88 MiB / 1942.33 MiB

A: is Removable (No Media)
C: is Fixed (NTFS) - 111.78 GiB total, 77.28 GiB free.
D: is CDROM (No Media)
E: is Fixed (NTFS) - 698.64 GiB total, 65.5 GiB free.
F: is Removable (No Media)
G: is Removable (No Media)
H: is Removable (No Media)
I: is Removable (No Media)
J: is Removable (No Media)
K: is Removable (FAT32)
L: is CDROM (No Media)
M: is Fixed (FAT32) - 149.01 GiB total, 148.8 GiB free.
N: is Fixed (NTFS) - 931.51 GiB total, 861.04 GiB free.
O: is Fixed (NTFS) - 465.75 GiB total, 13.69 GiB free.

\\.\PHYSICALDRIVE1 - ST3120213AS - 111.79 GiB - 1 partition
\PARTITION0 (bootable) - Installable File System - 111.78 GiB - C:

\\.\PHYSICALDRIVE0 - WDC WD7500AAKS-00RBA0 - 698.64 GiB - 1 partition
\PARTITION0 - Installable File System - 698.64 GiB - E:

\\.\PHYSICALDRIVE10 - Apple iPod USB Device - 941.31 MiB - 1 partition
\PARTITION0 - 16-bit FAT - 968 MiB - K:

\\.\PHYSICALDRIVE5 - Generic STORAGE DEVICE USB Device

\\.\PHYSICALDRIVE6 -

\\.\PHYSICALDRIVE7 -

\\.\PHYSICALDRIVE8 -

\\.\PHYSICALDRIVE9 -

\\.\PHYSICALDRIVE2 - WD 10EAVS External USB Device - 931.51 GiB - 1 partition
\PARTITION0 - Installable File System - 931.51 GiB - N:

\\.\PHYSICALDRIVE4 - WD 1600JB External USB Device - 149.05 GiB - 1 partition
\PARTITION0 - Unknown - 149.05 GiB - M:

\\.\PHYSICALDRIVE3 - WDC WD50 00AAJB-00UHA0 USB Device - 465.76 GiB - 1 partition
\PARTITION0 - Installable File System - 465.75 GiB - O:



-- Security Center -------------------------------------------------------------

AUOptions is scheduled to auto-install.


-- Environment Variables -------------------------------------------------------

ALLUSERSPROFILE=C:\Documents and Settings\All Users
APPDATA=C:\Documents and Settings\Anthony\Application Data
CLASSPATH=.;C:\Program Files\QuickTime\QTSystem\QTJava.zip
CLIENTNAME=Console
CommonProgramFiles=C:\Program Files\Common Files
COMPUTERNAME=HACKERZ-2EF0F9B
ComSpec=C:\WINDOWS\system32\cmd.exe
FP_NO_HOST_CHECK=NO
HOMEDRIVE=C:
HOMEPATH=\Documents and Settings\Anthony
LOGONSERVER=\\HACKERZ-2EF0F9B
NUMBER_OF_PROCESSORS=2
OS=Windows_NT
Path=C:\WINDOWS\system32;C:\WINDOWS;C:\WINDOWS\System32\Wbem;C:\Program Files\QuickTime\QTSystem\
PATHEXT=.COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH
PROCESSOR_ARCHITECTURE=x86
PROCESSOR_IDENTIFIER=x86 Family 15 Model 67 Stepping 3, AuthenticAMD
PROCESSOR_LEVEL=15
PROCESSOR_REVISION=4303
ProgramFiles=C:\Program Files
PROMPT=$P$G
QTJAVA=C:\Program Files\QuickTime\QTSystem\QTJava.zip
SESSIONNAME=Console
SystemDrive=C:
SystemRoot=C:\WINDOWS
TEMP=C:\DOCUME~1\Anthony\LOCALS~1\Temp
TMP=C:\DOCUME~1\Anthony\LOCALS~1\Temp
USERDOMAIN=HACKERZ-2EF0F9B
USERNAME=Anthony
USERPROFILE=C:\Documents and Settings\Anthony
windir=C:\WINDOWS


-- User Profiles ---------------------------------------------------------------

Anthony (admin)


-- Add/Remove Programs ---------------------------------------------------------

--> C:\Program Files\Nero\Nero8\\nero\uninstall\UNNERO.exe /UNINSTALL
--> C:\WINDOWS\NuNInst.exe /UNINSTALL
--> C:\WINDOWS\UNNeroBackItUp.exe /UNINSTALL
--> C:\WINDOWS\UNNeroMediaHome.exe /UNINSTALL
--> C:\WINDOWS\UNNeroShowTime.exe /UNINSTALL
--> C:\WINDOWS\UNNeroVision.exe /UNINSTALL
--> C:\WINDOWS\UNRecode.exe /UNINSTALL
--> rundll32.exe setupapi.dll,InstallHinfSection DefaultUninstall 132 C:\WINDOWS\INF\PCHealth.inf
Adobe Flash Player Plugin --> C:\WINDOWS\system32\Macromed\Flash\uninstall_plugin.exe
Adobe Reader 8 --> MsiExec.exe /I{AC76BA86-7AD7-1033-7B44-A80000000002}
Adobe Shockwave Player 11 --> C:\WINDOWS\system32\adobe\SHOCKW~1\UNWISE.EXE C:\WINDOWS\system32\Adobe\SHOCKW~1\Install.log
AIM 6 --> C:\Program Files\AIM6\uninst.exe
All My Movies 4.9 GAOTD --> "C:\Program Files\AllMyMovies\unins000.exe"
AMD Processor Driver --> C:\Program Files\InstallShield Installation Information\{C151CE54-E7EA-4804-854B-F515368B0798}\setup.exe -runfromtemp -l0x0009 -removeonly
Apple Mobile Device Support --> MsiExec.exe /I{35B91753-5789-4517-9CF1-2CCE3A8CF4F1}
Apple Software Update --> MsiExec.exe /I{02DFF6B1-1654-411C-8D7B-FD6052EF016F}
arniWORX awxDTools - Daemon-Tools ShellExtension - 1.0.6.0 --> "C:\Program Files\DAEMON Tools\unins000.exe"
AVG Anti-Spyware 7.5 --> C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\Uninstall.exe
Bonjour --> MsiExec.exe /I{47BF1BD6-DCAC-468F-A0AD-E5DECC2211C3}
CABAL Online --> "C:\Program Files\OGPlanet\CABAL Online\unins000.exe"
CCleaner (remove only) --> "C:\Program Files\CCleaner\uninst.exe"
Diablo II --> C:\WINDOWS\DIIUnin.exe C:\WINDOWS\DIIUnin.dat
DriverAgent by TouchStone Software --> RunDll32.exe advpack.dll,LaunchINFSection driveragent_exe.inf,TVICHW32Remove
Drivers Install For Linksys Easylink Advisor --> MsiExec.exe /I{A1960A82-DB70-474D-A86B-FA74466103C6}
DScaler 5 Mpeg Decoders --> "C:\Program Files\DScaler5\unins000.exe"
EVGA Display Driver --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\11\50\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{BEF3EFE7-5159-436D-9BF0-CCC633179EB4}\Setup.exe" -l0x9 -removeonly
Hardware sensors monitor 4.4 --> "C:\Program Files\Hmonitor\unins000.exe"
High Definition Audio Driver Package - KB888111 --> "C:\WINDOWS\$NtUninstallKB888111WXPSP2$\spuninst\spuninst.exe"
HijackThis 2.0.2 --> "C:\Documents and Settings\Anthony\Desktop\Anti-Virus\HijackThis.exe" /uninstall
iTunes --> MsiExec.exe /I{EF6C4600-306D-4F6A-A119-C2A877D25B4A}
IZArc 3.81 --> "C:\Program Files\IZArc\unins000.exe"
Jane's Hotel --> "C:\Program Files\Realore\Janes Hotel\unins000.exe"
Java™ 6 Update 7 --> MsiExec.exe /I{3248F0A8-6813-11D6-A77B-00B0D0160070}
K-Lite Codec Pack 4.1.0 (Full) --> "C:\Program Files\K-Lite Codec Pack\unins000.exe"
Kaspersky Anti-Virus 7.0 --> MsiExec.exe /I{4B9BB601-13E9-4042-A3BC-E7955BF4A98F}
Kaspersky Anti-Virus 7.0 --> MsiExec.exe /I{4B9BB601-13E9-4042-A3BC-E7955BF4A98F}
Linksys EasyLink Advisor 1.6 (0044) --> rundll32 C:\PROGRA~1\LINKSY~1\AUInst.dll,ExUninstall
Logitech QuickCam --> MsiExec.exe /X{945AC98B-3DC8-45BE-BAE0-22CEEE37A103}
Magic ISO Maker v5.3 (build 0216) --> C:\PROGRA~1\MagicISO\UNWISE.EXE C:\PROGRA~1\MagicISO\INSTALL.LOG
Malwarebytes' Anti-Malware --> "C:\Program Files\Malwarebytes' Anti-Malware\unins000.exe"
Microsoft Visual C++ 2005 Redistributable --> MsiExec.exe /X{A49F249F-0C91-497F-86DF-B2585E8E76B7}
Mozilla Firefox (2.0.0.16) --> C:\Program Files\Mozilla Firefox\uninstall\helper.exe
MSN Webcam Recorder 16.0 --> MsiExec.exe /I{71C0C4C9-C1EB-4993-89D1-6CFF96175B77}
MSXML 6.0 Parser (KB925673) --> MsiExec.exe /I{FE9126DB-5F84-495A-BB46-3C724F1C2D08}
Nero 8 --> MsiExec.exe /X{D6C9AF27-9414-46C8-B9D8-D878BA041033}
neroxml --> MsiExec.exe /I{56C049BE-79E9-4502-BEA7-9754A3E60F9B}
NVIDIA Drivers --> C:\WINDOWS\system32\nvuninst.exe UninstallGUI
Opera 9.51 --> MsiExec.exe /X{179624B1-2683-45ED-965A-B72189EB5820}
QuickTime --> MsiExec.exe /I{08CA9554-B5FE-4313-938F-D4A417B81175}
RealMedia (remove only) --> "C:\Program Files\RealMedia\uninstall.exe"
REALTEK GbE & FE Ethernet PCI-E NIC Driver --> C:\Program Files\InstallShield Installation Information\{C9BED750-1211-4480-B1A5-718A3BE15525}\SETUP.EXE -runfromtemp -l0x0009 -removeonly
Realtek High Definition Audio Driver --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\11\50\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{F132AF7F-7BCA-4EDE-8A7C-958108FE7DBC}\SETUP.EXE" -l0x9 -removeonly
RegDoctor 1.84 --> "C:\Program Files\RegDoctor\unins000.exe"
Security Task Manager 1.7f --> C:\Program Files\Security Task Manager\Uninstal.exe "C:\Documents and Settings\All Users\Start Menu\Programs\Security Task Manager"
Security Update for CAPICOM (KB931906) --> MsiExec.exe /I{0EFDF2F9-836D-4EB7-A32D-038BD3F1FB2A}
Security Update for CAPICOM (KB931906) --> MsiExec.exe /X{0EFDF2F9-836D-4EB7-A32D-038BD3F1FB2A}
Skype 3.1 --> "C:\Program Files\Skype\Phone\unins000.exe"
Skype Plugin Manager --> MsiExec.exe /I{3D5E5C0A-5B36-4F98-99A7-287F7DBDCE03}
Smart DVD/CD Burner --> C:\PROGRA~1\SMARTD~1\UNWISE.EXE C:\PROGRA~1\SMARTD~1\INSTALL.LOG
Spybot - Search & Destroy --> "C:\Program Files\Spybot - Search & Destroy\unins000.exe"
Starcraft --> C:\WINDOWS\SCunin.exe C:\WINDOWS\SCunin.dat
System Requirements Lab --> C:\Program Files\SystemRequirementsLab\Uninstall.exe
Unlocker 1.8.7 --> C:\Program Files\Unlocker\uninst.exe
VCRedistSetup --> MsiExec.exe /I{3921A67A-5AB1-4E48-9444-C71814CF3027}
Winamp (remove only) --> "C:\Program Files\Winamp\UninstWA.exe"
Windows Live Messenger --> MsiExec.exe /I{571700F0-DB9D-4B3A-B03D-35A14BB5939F}
Windows Media Encoder 9 Series --> msiexec.exe /I {E38C00D0-A68B-4318-A8A6-F7D4B5B1DF0E}
Windows Media Encoder 9 Series --> MsiExec.exe /I{E38C00D0-A68B-4318-A8A6-F7D4B5B1DF0E}
Windows Presentation Foundation --> MsiExec.exe /X{BAF78226-3200-4DB4-BE33-4D922A799840}
Windows XP Service Pack 3 --> "C:\WINDOWS\$NtServicePackUninstall$\spuninst\spuninst.exe"
XML Paper Specification Shared Components Pack 1.0 -->
Yahoo! Messenger --> C:\PROGRA~1\Yahoo!\MESSEN~1\UNWISE.EXE /U C:\PROGRA~1\Yahoo!\MESSEN~1\INSTALL.LOG
Zoom Player (remove only) --> "C:\Program Files\Zoom Player\uninstall.exe"


-- Application Event Log -------------------------------------------------------

Event Record #/Type991 / Error
Event Submitted/Written: 08/16/2008 02:15:23 PM
Event ID/Source: 0 / a2service.exe
Event Description:
The service process could not connect to the service controller

Event Record #/Type987 / Error
Event Submitted/Written: 08/16/2008 00:30:46 PM
Event ID/Source: 1013 / MsiInstaller
Event Description:
Product: Prevx 2.0 Agent -- At least one component of the product is still running.
Please shutdown all Prevx processes under all user accounts and try again.

Event Record #/Type981 / Success
Event Submitted/Written: 08/16/2008 00:25:57 PM
Event ID/Source: 12001 / usnjsvc
Event Description:
The Messenger Sharing USN Journal Reader service started successfully.

Event Record #/Type974 / Warning
Event Submitted/Written: 08/16/2008 00:10:12 PM
Event ID/Source: 1524 / Userenv
Event Description:
Windows cannot unload your classes registry file - it is still in use by other applications or services. The file will be unloaded when it is no longer in use.

Event Record #/Type973 / Error
Event Submitted/Written: 08/16/2008 00:00:38 PM
Event ID/Source: 1002 / Application Hang
Event Description:
Hanging application ccleaner.exe, version 1.32.0.345, hang module hungapp, version 0.0.0.0, hang address 0x00000000.



-- Security Event Log ----------------------------------------------------------

No Errors/Warnings found.


-- System Event Log ------------------------------------------------------------

Event Record #/Type1935 / Warning
Event Submitted/Written: 08/17/2008 06:28:03 AM
Event ID/Source: 4226 / Tcpip
Event Description:
TCP/IP has reached the security limit imposed on the number of concurrent TCP connect attempts.

Event Record #/Type1934 / Warning
Event Submitted/Written: 08/17/2008 05:23:19 AM
Event ID/Source: 4226 / Tcpip
Event Description:
TCP/IP has reached the security limit imposed on the number of concurrent TCP connect attempts.

Event Record #/Type1933 / Warning
Event Submitted/Written: 08/17/2008 04:50:13 AM
Event ID/Source: 4226 / Tcpip
Event Description:
TCP/IP has reached the security limit imposed on the number of concurrent TCP connect attempts.

Event Record #/Type1932 / Warning
Event Submitted/Written: 08/17/2008 04:33:40 AM
Event ID/Source: 4226 / Tcpip
Event Description:
TCP/IP has reached the security limit imposed on the number of concurrent TCP connect attempts.

Event Record #/Type1930 / Error
Event Submitted/Written: 08/16/2008 09:15:22 PM
Event ID/Source: 10005 / DCOM
Event Description:
DCOM got error "%%1058" attempting to start the service usnjsvc with arguments ""
in order to run the server:
{98AC5C33-EE18-4EC2-BE25-3B16EE8F75F1}



-- End of Deckard's System Scanner: finished at 2008-08-17 08:13:36 ------------




Deckard's System Scanner v20071014.68
Run by Anthony on 2008-08-17 08:12:05
Computer is in Normal Mode.
--------------------------------------------------------------------------------

-- System Restore --------------------------------------------------------------

Successfully created a Deckard's System Scanner Restore Point.


-- Last 5 Restore Point(s) --
86: 2008-08-17 13:12:12 UTC - RP86 - Deckard's System Scanner Restore Point
85: 2008-08-16 19:47:58 UTC - RP85 - Installed Java™ 6 Update 7
84: 2008-08-16 19:46:38 UTC - RP84 - Removed Java™ 6 Update 7
83: 2008-08-16 19:13:01 UTC - RP83 - Software Distribution Service 3.0
82: 2008-08-16 18:36:31 UTC - RP82 - Software Distribution Service 3.0


-- First Restore Point --
1: 2008-07-13 00:44:53 UTC - RP1 - System Checkpoint


Performed disk cleanup.



-- HijackThis (run as Anthony.exe) ---------------------------------------------

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 8:12:33 AM, on 8/17/2008
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP3 (6.00.2900.5512)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 7.0\avp.exe
C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 7.0\avp.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\IoctlSvc.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\WINDOWS\System32\svchost.exe
C:\Documents and Settings\Anthony\Desktop\utorrent.exe
C:\Documents and Settings\Anthony\Desktop\dss.exe
C:\DOCUME~1\Anthony\Desktop\Anthony.exe

O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [AVP] "C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 7.0\avp.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe"
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.micros...b?1215925461312
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.mi...b?1215925945187
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: Kaspersky Anti-Virus 7.0 (AVP) - Kaspersky Lab - C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 7.0\avp.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: NMIndexingService - Nero AG - C:\Program Files\Common Files\Nero\Lib\NMIndexingService.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: PLFlash DeviceIoControl Service - Prolific Technology Inc. - C:\WINDOWS\system32\IoctlSvc.exe

--
End of file - 4205 bytes

-- File Associations -----------------------------------------------------------

.cpl - cplfile - shell\cplopen\command - rundll32.exe shell32.dll,Control_RunDLL "%1",%*
.cpl - cplfile - shell\runas\command - rundll32.exe shell32.dll,Control_RunDLLAsUser "%1",%*
.reg - regfile - shell\open\command - regedit.exe "%1" %*
.scr - scrfile - shell\open\command - "%1" %*


-- Drivers: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled ---------------------

R1 hmonitor - c:\windows\system32\drivers\hmonitor.sys

S3 TVICHW32 - c:\windows\system32\drivers\tvichw32.sys <Not Verified; EnTech Taiwan; TVicHW32 Generic Device Driver for Windows 95/98/ME/NT/2000/2003/XP/XP64>
S3 XDva186 - c:\windows\system32\xdva186.sys (file missing)
S3 XDva190 - c:\windows\system32\xdva190.sys (file missing)


-- Services: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled --------------------

R2 PLFlash DeviceIoControl Service - c:\windows\system32\ioctlsvc.exe <Not Verified; Prolific Technology Inc.; IoctlSvc Application>

S4 Bonjour Service - "c:\program files\bonjour\mdnsresponder.exe" <Not Verified; Apple Inc.; Bonjour>
S4 CSIScanner - "c:\program files\prevxcsi\prevxcsi.exe" /service (file missing)
S4 Nero BackItUp Scheduler 3 - c:\program files\nero\nero8\nero backitup\nbservice.exe


-- Device Manager: Disabled ----------------------------------------------------

No disabled devices found.


-- Scheduled Tasks -------------------------------------------------------------

2008-08-07 12:21:01 284 --a------ C:\WINDOWS\Tasks\AppleSoftwareUpdate.job


-- Files created between 2008-07-17 and 2008-08-17 -----------------------------

2008-08-16 14:49:04 0 d-------- C:\Program Files\Java
2008-08-16 14:48:03 0 d-------- C:\Program Files\Common Files\Java
2008-08-16 14:44:20 0 d-------- C:\Documents and Settings\Anthony\.SunDownloadManager
2008-08-16 12:12:18 0 d-------- C:\Program Files\Xvid
2008-08-16 12:12:13 0 d-------- C:\Documents and Settings\Anthony\Application Data\Jane s Hotel
2008-08-16 12:12:10 0 dr-h----- C:\Documents and Settings\Anthony\Recent
2008-08-16 12:12:09 0 d-------- C:\Documents and Settings\All Users\Application Data\Grisoft
2008-08-16 12:12:04 0 d-------- C:\Documents and Settings\Anthony\Application Data\True Sword
2008-08-16 11:36:41 0 d-------- C:\Program Files\Advanced Font Viewer
2008-08-09 09:03:16 2013 -r-h----- C:\WINDOWS\system32\drivers\hosts
2008-08-09 09:03:01 0 d-------- C:\Program Files\RogueRemover PRO
2008-08-09 09:02:43 23600 --a------ C:\WINDOWS\system32\drivers\TVICHW32.SYS <Not Verified; EnTech Taiwan; TVicHW32 Generic Device Driver for Windows 95/98/ME/NT/2000/2003/XP/XP64>
2008-08-09 08:17:12 0 d-------- C:\Documents and Settings\Anthony\Application Data\Malwarebytes
2008-08-09 08:17:07 0 d-------- C:\Program Files\Malwarebytes' Anti-Malware
2008-08-09 08:17:07 0 d-------- C:\Documents and Settings\All Users\Application Data\Malwarebytes
2008-08-09 03:38:20 10536 --a------ C:\WINDOWS\system32\drivers\Hmonitor.sys
2008-08-09 03:38:19 0 d-------- C:\Program Files\Hmonitor
2008-08-09 02:29:59 0 d-------- C:\Program Files\Realore
2008-08-09 02:26:13 0 d-------- C:\Program Files\AllMyMovies
2008-08-08 21:00:07 0 d-------- C:\Documents and Settings\Anthony\Application Data\Grisoft
2008-08-08 20:06:53 0 d-------- C:\Program Files\True Sword 4
2008-08-08 20:06:45 0 d-------- C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-08-08 09:14:10 0 d-------- C:\Program Files\SystemRequirementsLab
2008-08-08 09:14:09 0 d-------- C:\Documents and Settings\Anthony\Application Data\SystemRequirementsLab
2008-08-08 09:09:03 0 d-------- C:\Documents and Settings\LocalService\Desktop
2008-08-08 09:06:51 17408 --a------ C:\WINDOWS\system32\drivers\pxark.sys <Not Verified; Prevx; Prevx CSI>
2008-08-08 09:06:49 0 d-------- C:\Documents and Settings\All Users\Application Data\PrevxCSI
2008-08-08 04:01:33 0 d-------- C:\Documents and Settings\All Users\Application Data\PC Drivers Headquarters
2008-08-08 04:00:54 0 d-------- C:\Program Files\PC Drivers HeadQuarters
2008-08-08 03:46:33 164352 --a------ C:\WINDOWS\system32\unrar.dll
2008-08-08 03:46:31 217088 --a------ C:\WINDOWS\system32\yv12vfw.dll <Not Verified; www.helixcommunity.org; Helix YV12 YUV Codec>
2008-08-08 03:46:31 3596288 --a------ C:\WINDOWS\system32\qt-dx331.dll
2008-08-08 03:46:31 81920 --a------ C:\WINDOWS\system32\dpl100.dll <Not Verified; DivX, Inc.; DivX, Inc. dpl100>
2008-08-08 03:46:30 7680 --a------ C:\WINDOWS\system32\ff_vfw.dll
2008-08-08 03:46:30 683520 --a------ C:\WINDOWS\system32\divx.dll <Not Verified; DivX, Inc.; DivX®>
2008-08-08 03:46:29 0 d-------- C:\Program Files\K-Lite Codec Pack
2008-08-06 19:05:14 0 d-------- C:\Program Files\CCleaner
2008-08-06 18:45:15 0 d-------- C:\Documents and Settings\All Users\Application Data\SecTaskMan
2008-08-06 18:45:10 0 d-------- C:\Program Files\Security Task Manager
2008-08-05 19:36:25 0 d-------- C:\Documents and Settings\All Users\Application Data\LightScribe
2008-08-05 19:22:34 0 d-------- C:\Documents and Settings\Anthony\Application Data\Nero
2008-08-05 19:20:07 0 d-------- C:\Program Files\Nero
2008-08-05 19:20:07 0 d-------- C:\Program Files\Common Files\Nero
2008-08-05 19:20:07 0 d-------- C:\Documents and Settings\All Users\Application Data\Nero
2008-07-31 21:01:48 0 d-------- C:\Documents and Settings\Anthony\Application Data\Windows Search
2008-07-29 14:55:26 0 d-------- C:\WINDOWS\system32\GroupPolicy
2008-07-29 14:55:26 0 d-------- C:\Program Files\Windows Desktop Search
2008-07-29 14:50:04 0 d-------- C:\Program Files\MSBuild
2008-07-29 14:48:06 0 d-------- C:\WINDOWS\system32\XPSViewer
2008-07-29 14:47:31 0 d-------- C:\Program Files\Reference Assemblies
2008-07-28 18:32:55 53248 --a------ C:\WINDOWS\system32\ciaXPRegSvr20.DLL <Not Verified; CIA, The Company; ciaXPRegSvr20>
2008-07-28 18:32:55 40960 --a------ C:\WINDOWS\system32\ciaSubClsSvr.DLL <Not Verified; CIA, The Company; ciaSubClsSvr>
2008-07-28 18:32:55 692224 --a------ C:\WINDOWS\system32\ciaResSvr20.dll <Not Verified; CIA, The Company; ciaResSvr20>
2008-07-28 18:32:54 368912 --a------ C:\WINDOWS\system32\vbar332.dll <Not Verified; Microsoft Corporation; Microsoft Visual Basic for Applications>
2008-07-28 18:32:54 0 d-------- C:\Program Files\Smart DVD CD Burner
2008-07-28 18:28:00 0 d-------- C:\Program Files\MagicISO
2008-07-27 20:29:00 21840 --a-----t C:\WINDOWS\system32\SIntfNT.dll
2008-07-27 20:29:00 17212 --a-----t C:\WINDOWS\system32\SIntf32.dll
2008-07-27 20:29:00 12067 --a-----t C:\WINDOWS\system32\SIntf16.dll
2008-07-27 20:25:46 30140 --a------ C:\WINDOWS\DIIUnin.dat
2008-07-27 20:25:45 2829 --a------ C:\WINDOWS\DIIUnin.pif
2008-07-27 20:25:45 94208 --a------ C:\WINDOWS\DIIUnin.exe <Not Verified; Blizzard Entertainment; Diablo II Uninstaller>
2008-07-27 20:22:43 0 d-------- C:\Program Files\Diablo II
2008-07-26 10:51:10 0 d-------- C:\Documents and Settings\Anthony\Application Data\Opera
2008-07-26 10:50:33 0 d-------- C:\Program Files\Opera
2008-07-26 10:22:22 0 d-------- C:\WINDOWS\nvidia icons
2008-07-26 10:21:00 0 d-------- C:\NVIDIA
2008-07-26 08:10:26 0 d-------- C:\Documents and Settings\Anthony\Application Data\Help
2008-07-26 08:09:12 0 d-------- C:\Documents and Settings\All Users\Application Data\Synthetic Reality
2008-07-25 17:54:41 0 d-------- C:\WINDOWS\Sun
2008-07-25 17:51:03 0 d-------- C:\Documents and Settings\Anthony\Application Data\Sun
2008-07-25 12:56:18 0 d-------- C:\WINDOWS\system32\LogFiles
2008-07-25 12:51:28 0 d-------- C:\Documents and Settings\Default User\Application Data\Gtek
2008-07-25 12:50:50 0 d--h----- C:\Documents and Settings\Anthony\Application Data\GTek
2008-07-25 12:50:18 0 d-------- C:\Program Files\Linksys EasyLink Advisor
2008-07-25 12:50:18 0 d-ah----- C:\Documents and Settings\All Users\Application Data\GTek
2008-07-22 02:37:02 0 d-------- C:\Documents and Settings\Anthony\Contacts
2008-07-22 02:36:24 0 d-------- C:\Program Files\MSN Messenger
2008-07-18 03:01:54 0 d-------- C:\Program Files\Microsoft CAPICOM 2.1.0.2
2008-07-17 11:05:50 0 d-------- C:\Documents and Settings\All Users\Application Data\Yahoo!
2008-07-17 11:05:37 0 d-------- C:\Program Files\Yahoo!
2008-07-17 11:05:28 0 d-------- C:\Documents and Settings\Anthony\Application Data\Skype
2008-07-17 11:05:25 0 d-------- C:\Program Files\Common Files\Skype
2008-07-17 11:05:13 0 d-------- C:\Documents and Settings\All Users\Application Data\Skype
2008-07-17 11:05:11 0 d-------- C:\Program Files\Skype
2008-07-17 07:24:40 0 d-------- C:\Documents and Settings\All Users\Application Data\Logishrd
2008-07-17 07:24:35 0 d-------- C:\Program Files\Logitech
2008-07-17 07:24:35 0 d-------- C:\Documents and Settings\All Users\Application Data\Logitech
2008-07-17 07:22:39 0 d-------- C:\Program Files\Common Files\logishrd
2008-07-17 07:17:07 0 d-------- C:\WINDOWS\system32\appmgmt


-- Find3M Report ---------------------------------------------------------------

2008-08-17 08:12:23 0 d-------- C:\Documents and Settings\Anthony\Application Data\uTorrent
2008-08-16 14:48:03 0 d-------- C:\Program Files\Common Files
2008-08-16 14:13:12 0 d-------- C:\Program Files\Messenger
2008-08-15 13:15:45 0 d-------- C:\Program Files\Zoom Player
2008-08-09 03:35:41 0 d-------- C:\Program Files\Starcraft
2008-08-08 09:17:41 0 d--h----- C:\Program Files\InstallShield Installation Information
2008-08-08 03:45:21 0 d-------- C:\Program Files\DirectVobSub
2008-08-08 03:45:18 0 d-------- C:\Program Files\OpenSource Flash Video Splitter
2008-08-08 03:45:11 0 d-------- C:\Program Files\CD Audio Reader Filter
2008-08-08 03:45:05 0 d-------- C:\Program Files\SHOUTcast Source
2008-08-08 03:45:00 0 d-------- C:\Program Files\DSP-worx
2008-07-30 18:11:13 0 d-------- C:\Documents and Settings\Anthony\Application Data\Apple Computer
2008-07-26 09:28:19 0 d-------- C:\Program Files\Common Files\Blizzard Entertainment
2008-07-26 09:24:05 0 d-------- C:\Program Files\Emerge Bot 2.3
2008-07-16 21:29:52 0 d-------- C:\Program Files\MSN Webcam Recorder
2008-07-16 12:24:55 0 d-------- C:\Program Files\Windows Media Components
2008-07-16 12:15:35 0 d-------- C:\Documents and Settings\Anthony\Application Data\acccore
2008-07-16 12:15:26 0 d-------- C:\Program Files\AIM6
2008-07-16 12:14:16 0 d-------- C:\Program Files\Common Files\AOL
2008-07-16 10:48:02 0 d-------- C:\Program Files\iTunes
2008-07-16 10:47:49 0 d-------- C:\Program Files\iPod
2008-07-16 10:47:24 0 d-------- C:\Program Files\Bonjour
2008-07-16 10:47:14 0 d-------- C:\Program Files\QuickTime
2008-07-16 10:45:59 0 d-------- C:\Program Files\Apple Software Update
2008-07-16 10:45:25 0 d-------- C:\Program Files\Common Files\Apple
2008-07-16 03:00:36 0 d-------- C:\Program Files\MSXML 4.0
2008-07-13 00:56:25 0 d-------- C:\Program Files\Movie Maker
2008-07-13 00:54:53 0 d-------- C:\Program Files\Windows NT
2008-07-13 00:45:44 0 d-------- C:\Program Files\Winamp
2008-07-13 00:30:08 0 d-------- C:\Documents and Settings\Anthony\Application Data\Macromedia
2008-07-13 00:30:08 0 d-------- C:\Documents and Settings\Anthony\Application Data\Adobe
2008-07-13 00:02:07 0 --a------ C:\WINDOWS\nsreg.dat
2008-07-13 00:02:04 0 d-------- C:\Documents and Settings\Anthony\Application Data\Mozilla
2008-07-12 21:18:24 0 d-------- C:\Program Files\OGPlanet
2008-07-12 20:27:32 0 d-------- C:\Program Files\Kaspersky Lab
2008-07-12 19:52:18 0 d-------- C:\Program Files\Common Files\Adobe
2008-07-12 19:48:52 0 d-------- C:\Program Files\Realtek
2008-07-12 19:46:12 315392 --a------ C:\WINDOWS\HideWin.exe <Not Verified; Realtek Semiconductor Corp.; HD Audio Hide windows program>
2008-07-12 19:46:09 0 d-------- C:\Program Files\Common Files\InstallShield
2008-07-12 19:45:59 0 d-------- C:\Program Files\AMD
2008-07-12 19:45:55 0 d-------- C:\Documents and Settings\Anthony\Application Data\InstallShield
2008-07-12 19:44:42 0 d-------- C:\Documents and Settings\Anthony\Application Data\Identities
2008-07-12 19:40:10 0 d-------- C:\Program Files\microsoft frontpage
2008-07-12 19:39:55 0 -rahs---- C:\MSDOS.SYS
2008-07-12 19:39:55 0 -rahs---- C:\IO.SYS
2008-07-12 19:39:55 0 --a------ C:\CONFIG.SYS
2008-07-12 19:39:55 0 --a------ C:\AUTOEXEC.BAT
2008-07-12 19:38:56 0 d--h----- C:\Program Files\WindowsUpdate
2008-07-12 19:38:13 0 d-------- C:\Program Files\Common Files\MSSoap
2008-07-12 19:37:27 21640 --a------ C:\WINDOWS\system32\emptyregdb.dat
2008-07-12 19:37:10 0 d-------- C:\Program Files\Online Services
2008-07-12 19:37:02 0 d-------- C:\Program Files\MSN Gaming Zone
2008-07-12 14:26:01 0 d-------- C:\Program Files\Common Files\ODBC
2008-07-12 14:25:58 0 d-------- C:\Program Files\Common Files\SpeechEngines
2008-07-12 14:25:36 62 --ahs---- C:\Documents and Settings\Anthony\Application Data\desktop.ini
2008-07-12 13:48:55 0 d-------- C:\Program Files\RegDoctor
2008-07-12 12:37:05 34807 --a------ C:\WINDOWS\scunin.dat
2008-07-12 12:37:02 967 --a------ C:\WINDOWS\ScUnin.pif
2008-07-12 12:37:02 70656 --a------ C:\WINDOWS\ScUnin.exe <Not Verified; Blizzard Entertainment; Starcraft Uninstaller>
2008-07-12 12:34:02 0 d-------- C:\Program Files\DAEMON Tools
2008-07-12 12:34:02 0 d-------- C:\Program Files\arniWORX
2008-07-12 12:33:39 0 d-------- C:\Program Files\[bleep] NFO Viewer
2008-07-12 12:22:04 0 d-------- C:\Program Files\IZArc
2008-07-12 12:09:12 0 d-------- C:\Program Files\DScaler5
2008-07-12 12:09:09 0 d-------- C:\Program Files\RealMedia
2008-07-12 12:08:54 0 d-------- C:\Program Files\Haali


-- Registry Dump ---------------------------------------------------------------

*Note* empty entries & legit default entries are not shown


[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"="C:\WINDOWS\system32\NvCpl.dll" [05/02/2008 10:46 PM]
"AVP"="C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 7.0\avp.exe" [12/18/2007 01:43 AM]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe" [06/10/2008 04:27 AM]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"msnmsgr"="C:\Program Files\MSN Messenger\msnmsgr.exe" [01/19/2007 12:54 PM]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]
"DisableRegistryTools"=0 (0x0)

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\dimsntfy]
C:\WINDOWS\System32\dimsntfy.dll

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders]
SecurityProviders msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll,

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\vds]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{533C5B84-EC70-11D2-9505-00C04F79DEAF}]
@="Volume shadow copy"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]
backup=C:\WINDOWS\pss\Adobe Reader Speed Launch.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Synchronizer.lnk]
backup=C:\WINDOWS\pss\Adobe Reader Synchronizer.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Windows Search.lnk]
backup=C:\WINDOWS\pss\Windows Search.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\!AVG Anti-Spyware]
"C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Aim6]
"C:\Program Files\AIM6\aim6.exe" /d locale=en-US ee://aol/imApp

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Alcmtr]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AppleSyncNotifier]
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AVP]
"C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 7.0\avp.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DAEMON Tools]
"C:\Program Files\DAEMON Tools\daemon.exe" -lang 1033

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\EasyLinkAdvisor]
"C:\Program Files\Linksys EasyLink Advisor\LinksysAgent.exe" /startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\GEST]
m‘|\ü

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\InCD]
C:\Program Files\Nero\Nero8\InCD\InCD.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IndxStoreSvr_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}]
"C:\Program Files\Common Files\Nero\Lib\NMIndexStoreSvr.exe" ASO-616B5711-6DAE-4795-A05F-39A1E5104020

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
"C:\Program Files\iTunes\iTunesHelper.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\KernelFaultCheck]
%systemroot%\system32\dumprep 0 -k

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\LogitechCommunicationsManager]
"C:\Program Files\Common Files\LogiShrd\LComMgr\Communications_Helper.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\LogitechQuickCamRibbon]
"C:\Program Files\Logitech\QuickCam\Quickcam.exe" /hide

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
"C:\Program Files\Messenger\msmsgs.exe" /background

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MsnMsgr]
"C:\Program Files\MSN Messenger\msnmsgr.exe" /background

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NBKeyScan]
"C:\Program Files\Nero\Nero8\Nero BackItUp\NBKeyScan.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroFilterCheck]
C:\Program Files\Common Files\Nero\Lib\NeroCheck.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvCplDaemon]
RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvMediaCenter]
RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\nwiz]
nwiz.exe /install

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PC SpeedScan Pro]
C:\Program Files\Ascentive\PC SpeedScan Pro\PCSpeedScan.exe -m

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Performance Center]
C:\Program Files\Ascentive\Performance Center\ApcMain.exe -m

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PrevxOne]
"C:\Program Files\Prevx2\PXConsole.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
"C:\Program Files\QuickTime\QTTask.exe" -atboottime

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RegDoctor]
C:\Program Files\RegDoctor\RegDoctor.exe -Quick

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RTHDCPL]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SecurDisc]
C:\Program Files\Nero\Nero8\InCD\NBHGui.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Skype]
"C:\Program Files\Skype\Phone\Skype.exe" /nosplash /minimized

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SpybotSD TeaTimer]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
"C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\UnlockerAssistant]
"C:\Program Files\Unlocker\UnlockerAssistant.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WinampAgent]
C:\Program Files\Winamp\winampa.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Yahoo! Pager]
"C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" -quiet

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"Bonjour Service"=2 (0x2)
"CSIScanner"=2 (0x2)
"FastUserSwitchingCompatibility"=3 (0x3)
"InCDsrv"=2 (0x2)
"LVSrvLauncher"=2 (0x2)
"LVCOMSer"=2 (0x2)
"NeroRegInCDSrv"=2 (0x2)
"Nero BackItUp Scheduler 3"=2 (0x2)
"PREVXAgent"=2 (0x2)
"wscsvc"=2 (0x2)
"idsvc"=3 (0x3)
"LVPrcSrv"=2 (0x2)
"usnjsvc"=3 (0x3)

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
eapsvcs eaphost
dot3svc dot3svc

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Svchost - NetSvcs
napagent
hkmsvc

*Newly Created Service* - MBR



-- Hosts -----------------------------------------------------------------------


8972 more entries in hosts file.


-- End of Deckard's System Scanner: finished at 2008-08-17 08:13:36 ------------

#14
kahdah (GeekU Teacher, Retired Staff)
Have you uninstalled Prevx?
Or are you currently running it?
Or are you currently using RegDoctor?

#15
atearwhofellnot (Topic Starter)
I uninstalled Prevx 2.0. I had an issue due to the malware uninstalling Prevx CSI, so I deleted it manually...

I am using RegDoctor, but not as we speak. It's not running at the moment.