Help!! FakeMsn8beta.. and torpig



maple
2007-06-09, 16:25
Hi, I've read through your sticky topic and tried to do all the steps; however, I can't seem to get an online virus scan from either of the websites given, so I'll just go ahead and post my HijackThis log.

Running Spybot in normal mode, the results of the scan also always included FakeMsn8beta, Windows Security Antivirus Override and Firewall Override, and Torpig, even after deleting the last three and them not appearing in the second and later scans in safe mode.
I've also run Spybot S&D in safe mode a couple of times. The Torpig and security override stuff did not appear in the second and later scans, but the FakeMsn8beta kept cropping up all the time.

I also can't seem to log on to certain antivirus websites. I don't know if my antivirus control is affected. I use Norman Antivirus Control.

Every time I reboot or switch on my computer, there's a warning which says it can't find the file registry system32\iyknukdrs\csrss.exe. I'm guessing FakeMsn8beta did that?

Anyway, here's my HijackThis log. Hope you can help out! Thanks.

Logfile of HijackThis v1.99.1
Scan saved at 4:17:04 PM, on 6/9/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16441)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Norman\Npm\bin\ELOGSVC.EXE
C:\Norman\Npm\Bin\Zanda.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\SCardSvr.exe
C:\Program Files\Common Files\Autodesk Shared\Service\AdskScSrv.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\wdfmgr.exe
C:\Norman\Nvc\BIN\NVCSCHED.EXE
C:\Norman\Npm\bin\NJEEVES.EXE
C:\Norman\Nvc\bin\nvcoas.exe
C:\WINDOWS\System32\alg.exe
C:\Program Files\Fujitsu\DispSwitch\DispSwitchLauncher.exe
C:\WINDOWS\AGRSMMSG.exe
C:\Program Files\Apoint2K\Apoint.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Program Files\Fujitsu\FUJ02E3\FUJ02E3.exe
C:\Program Files\Fujitsu\Fujitsu Hotkey Utility\IndicatorUty.exe
C:\Program Files\Fujitsu\Application Panel\QuickTouch.exe
C:\Program Files\Fujitsu\BtnHnd\BtnHnd.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\Program Files\Fujitsu\updnavi\updnavi.exe
C:\Program Files\Atheros\ACU.exe
C:\Norman\Npm\bin\ZLH.EXE
C:\WINDOWS\tsnp2std.exe
C:\WINDOWS\vsnp2std.exe
C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\ltmoh\Ltmoh.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\WINDOWS\system32\nvsvct1.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\MSN Messenger\MsnMsgr.Exe
C:\Program Files\Skype\Phone\Skype.exe
C:\Program Files\Yahoo!\Search Protection\SearchProtection.exe
C:\Program Files\Apoint2K\Apntex.exe
C:\Program Files\Apoint2K\HidFind.exe
C:\Norman\Nvc\BIN\NIP.EXE
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Skype\Plugin Manager\skypePM.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Norman\Nvc\BIN\nvcod.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Hijackthis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://weather.news.com.au/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn1\yt.dll
F3 - REG:win.ini: load=C:\WINDOWS\system32\iyknukdrs\csrss.exe
F3 - REG:win.ini: run=C:\WINDOWS\system32\iyknukdrs\csrss.exe
O1 - Hosts: 1.1.1.1 free.grisoft.com
O1 - Hosts: 1.1.1.1 housecall.trendmicro.com
O1 - Hosts: 1.1.1.1 usa.kaspersky.com
O1 - Hosts: 1.1.1.1 ewido.net
O1 - Hosts: 1.1.1.1 www.ewido.net
O1 - Hosts: 1.1.1.1 zonelabs.com
O1 - Hosts: 1.1.1.1 www.zonelabs.com
O1 - Hosts: 1.1.1.1 bitdefender.com
O1 - Hosts: 1.1.1.1 www.bitdefender.com
O1 - Hosts: 1.1.1.1 download.bitdefender.com
O1 - Hosts: 1.1.1.1 upgrade.bitdefender.com
O1 - Hosts: 1.1.1.1 spywareinfo.com
O1 - Hosts: 1.1.1.1 www.spywareinfo.com
O1 - Hosts: 1.1.1.1 merijn.org
O1 - Hosts: 1.1.1.1 www.merijn.org
O1 - Hosts: 1.1.1.1 sysinternals.com
O1 - Hosts: 1.1.1.1 www.sysinternals.com
O1 - Hosts: 1.1.1.1 onguardonline.gov
O1 - Hosts: 1.1.1.1 www.onguardonline.gov
O1 - Hosts: 1.1.1.1 avast.com
O1 - Hosts: 1.1.1.1 www.avast.com
O1 - Hosts: 1.1.1.1 safety.live.com
O1 - Hosts: 1.1.1.1 www.paretologic.com
O1 - Hosts: 1.1.1.1 paretologic.com
O1 - Hosts: 1.1.1.1 services.google.com
O1 - Hosts: 1.1.1.1 www.webroot.com
O1 - Hosts: 1.1.1.1 webroot.com
O2 - BHO: &Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn1\yt.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: Skype add-on (mastermind) - {22BF413B-C6D2-4d91-82A9-A0F997BA588C} - C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn1\yt.dll
O4 - HKLM\..\Run: [DispSwitchLauncher] C:\Program Files\Fujitsu\DispSwitch\DispSwitchLauncher.exe
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint2K\Apoint.exe
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [LoadFUJ02E3] C:\Program Files\Fujitsu\FUJ02E3\FUJ02E3.exe
O4 - HKLM\..\Run: [IndicatorUtility] C:\Program Files\Fujitsu\Fujitsu Hotkey Utility\IndicatorUty.exe
O4 - HKLM\..\Run: [LoadFujitsuQuickTouch] C:\Program Files\Fujitsu\Application Panel\QuickTouch.exe
O4 - HKLM\..\Run: [LoadBtnHnd] C:\Program Files\Fujitsu\BtnHnd\BtnHnd.exe
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [FJUPDNV_Chitose] C:\Program Files\Fujitsu\updnavi\updnavi.exe
O4 - HKLM\..\Run: [ACU] "C:\Program Files\Atheros\ACU.exe" -nogui
O4 - HKLM\..\Run: [IMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [MSPY2002] C:\WINDOWS\system32\IME\PINTLGNT\ImScInst.exe /SYNC
O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /SYNC
O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /IMEName
O4 - HKLM\..\Run: [Norman ZANDA] C:\Norman\Npm\bin\ZLH.EXE /LOAD /SPLASH
O4 - HKLM\..\Run: [tsnp2std] C:\WINDOWS\tsnp2std.exe
O4 - HKLM\..\Run: [snp2std] C:\WINDOWS\vsnp2std.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe"
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [LtMoh] C:\Program Files\ltmoh\Ltmoh.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [SvcManager] nvsvct1.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [Skype] "C:\Program Files\Skype\Phone\Skype.exe" /nosplash /minimized
O4 - HKCU\..\Run: [µTorrent] "C:\Program Files\utorrent\utorrent.exe"
O4 - HKCU\..\Run: [YSearchProtection] C:\Program Files\Yahoo!\Search Protection\SearchProtection.exe
O4 - Startup: csrss.lnk = ?
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: AutoCAD Startup Accelerator.lnk = C:\Program Files\Common Files\Autodesk Shared\acstart16.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra button: Skype - {77BF5300-1474-4EC7-9980-D32B190E9B07} - C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O11 - Options group: [INTERNATIONAL] International*
O14 - IERESET.INF: START_PAGE_URL=http://www.pc-ap.fujitsu.com/
O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - http://us.dl1.yimg.com/download.yahoo.com/dl/installs/yinst20040510.cab
O16 - DPF: {7B297BFD-85E4-4092-B2AF-16A91B2EA103} (WScanCtl Class) - http://www.ca.com/us/securityadvisor/virusinfo/webscan.cab
O16 - DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsPAClient.cab56907.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O23 - Service: Atheros Configuration Service (ACS) - Unknown owner - C:\WINDOWS\system32\ACS.exe (file missing)
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: Autodesk Licensing Service - Autodesk - C:\Program Files\Common Files\Autodesk Shared\Service\AdskScSrv.exe
O23 - Service: Norman eLogger service 6 (eLoggerSvc6) - Norman ASA - C:\Norman\Npm\bin\ELOGSVC.EXE
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Norman NJeeves - Unknown owner - C:\Norman\Npm\bin\NJEEVES.EXE
O23 - Service: Norman ZANDA - Norman ASA - C:\Norman\Npm\Bin\Zanda.exe
O23 - Service: Norman Virus Control on-access component (nvcoas) - Norman ASA - C:\Norman\Nvc\bin\nvcoas.exe
O23 - Service: Norman Virus Control Scheduler (NVCScheduler) - Norman ASA - C:\Norman\Nvc\BIN\NVCSCHED.EXE
O23 - Service: O2Micro Flash Memory (O2Flash) - Unknown owner - C:\WINDOWS\system32\o2flash.exe (file missing)
O23 - Service: RaySat_3dsmax8 Server (RaySat_3dsmax8Server) - Unknown owner - C:\Program Files\Autodesk\VIZ2007\mentalray\satellite\raysat_3dsmax8server.exe (file missing)

P.S. Also, Torpig created two temp files; I can't delete them because they say they're in memory or something.

thanks again in advance!
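
As an added defender-side example, not code from the original thread or from either poster: the script below parses the HijackThis sections that matter in the log above (O1 hosts entries, F3 win.ini load/run, O4 autostarts, O23 services) and reports the hosts-file redirections of security-vendor sites and the csrss.exe impostor running from outside the real system32 directory. The sample lines are copied from the posted log; the severity labels and the security-site keyword list are my own assumptions.

```python
from __future__ import annotations
import re
from dataclasses import dataclass

# HijackThis lines copied from the log posted above; constructed input for this example.
SAMPLE_LOG = r"""
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://weather.news.com.au/
F3 - REG:win.ini: load=C:\WINDOWS\system32\iyknukdrs\csrss.exe
F3 - REG:win.ini: run=C:\WINDOWS\system32\iyknukdrs\csrss.exe
O1 - Hosts: 1.1.1.1 free.grisoft.com
O1 - Hosts: 1.1.1.1 housecall.trendmicro.com
O1 - Hosts: 1.1.1.1 www.sysinternals.com
O4 - HKLM\..\Run: [SvcManager] nvsvct1.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Startup: csrss.lnk = ?
O23 - Service: Atheros Configuration Service (ACS) - Unknown owner - C:\WINDOWS\system32\ACS.exe (file missing)
"""

# Core Windows process names that malware likes to borrow. On XP the genuine
# binaries live directly in %SystemRoot%\system32 (explorer.exe in %SystemRoot%).
PROTECTED_NAMES = {"csrss.exe", "smss.exe", "winlogon.exe", "services.exe",
                   "lsass.exe", "svchost.exe", "explorer.exe"}
EXPECTED_DIRS = {r"c:\windows\system32", r"c:\windows"}

# Assumed keyword list for security-vendor / security-help sites: a hosts entry
# for any of these is how the infection above blocked online scanners.
SECURITY_SITE_KEYWORDS = ("grisoft", "trendmicro", "kaspersky", "ewido", "zonelabs",
                          "bitdefender", "spywareinfo", "merijn", "sysinternals",
                          "onguardonline", "avast", "safety.live.com", "paretologic",
                          "webroot")

@dataclass(frozen=True)
class Finding:
    section: str   # HijackThis section prefix, e.g. "O1"
    severity: str  # "high", "medium" or "low" (assumed scale)
    detail: str

HOSTS_RE = re.compile(r"^O1 - Hosts: (\S+) (\S+)$")
WININI_RE = re.compile(r"^F3 - REG:win\.ini: (load|run)=(.+)$")
RUN_RE = re.compile(r"^O4 - (HK\w+)\\\.\.\\Run: \[([^\]]*)\] (.+)$")
STARTUP_RE = re.compile(r"^O4 - (Global )?Startup: (.+) = (.+)$")
SERVICE_RE = re.compile(r"^O23 - Service: .* - (.+) \(file missing\)$")

def _dir_and_base(path: str) -> tuple[str, str]:
    """Split a Windows path into (lower-cased directory, lower-cased file name)."""
    path = path.strip('"').lower()
    head, _, base = path.rpartition("\\")
    return head, base

def analyze_line(line: str) -> Finding | None:
    """Map one HijackThis log line to a Finding, or None if nothing looks wrong."""
    line = line.strip()
    if m := HOSTS_RE.match(line):
        ip, host = m.groups()
        if any(k in host.lower() for k in SECURITY_SITE_KEYWORDS):
            return Finding("O1", "high", f"security site {host} redirected to {ip}")
        return Finding("O1", "medium", f"non-default hosts entry {host} -> {ip}")
    if m := WININI_RE.match(line):
        key, target = m.groups()
        head, base = _dir_and_base(target)
        if base in PROTECTED_NAMES and head not in EXPECTED_DIRS:
            return Finding("F3", "high", f"win.ini {key}= starts {base} from unexpected dir {head}")
        return Finding("F3", "medium", f"win.ini {key}= should be empty on XP, got {target}")
    if m := RUN_RE.match(line):
        hive, name, cmd = m.groups()
        exe = cmd.split()[0].strip('"')
        if "\\" not in exe:  # bare file name: resolved via the search path, easy to shadow
            return Finding("O4", "low", f"{hive} Run [{name}] uses unqualified path {exe}")
        return None
    if m := STARTUP_RE.match(line):
        _, link, target = m.groups()
        if target == "?":  # HijackThis could not resolve the shortcut target
            return Finding("O4", "medium", f"startup link {link} has unresolvable target")
        return None
    if m := SERVICE_RE.match(line):
        return Finding("O23", "low", f"service binary missing: {m.group(1)}")
    return None

def analyze_log(text: str) -> list[Finding]:
    """Run analyze_line over a whole log and keep only the findings."""
    return [f for f in (analyze_line(ln) for ln in text.splitlines()) if f]

def blocked_security_sites(findings: list[Finding]) -> list[str]:
    """Hostnames from high-severity O1 findings, i.e. the sites the user cannot reach."""
    return [f.detail.split()[2] for f in findings
            if f.section == "O1" and f.severity == "high"]

if __name__ == "__main__":
    for f in analyze_log(SAMPLE_LOG):
        print(f"[{f.severity:6}] {f.section}: {f.detail}")
```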

miekiemoes
2007-06-09, 17:22
Hello,

Please perform my next instructions in the right order, otherwise the logs won't make sense:

* Download SDFix (http://downloads.andymanchesta.com/RemovalTools/SDFix.exe) and save it to your Desktop.

* Double click SDFix.exe and it will extract the files to %systemdrive%
(Drive that contains the Windows Directory, typically C:\SDFix)

* Reboot into Safe Mode (without networking support!):
* To get into Windows Safe Mode, restart your computer and, just before Windows starts to load, tap the F8 key a few times.
Choose Safe Mode from the menu that will appear and press Enter.
Open the extracted SDFix folder and double-click RunThis.bat to start the script.
Type Y to begin the cleanup process.
It will remove any Trojan services and registry entries that it finds, then prompt you to press any key to reboot.
Press any key and it will restart the PC.
When the PC restarts, the fixtool will run again and complete the removal process, then display Finished; press any key to end the script and load your desktop icons.
Once the desktop icons load, the SDFix report will open on screen and also be saved into the SDFix folder as Report.txt
(Report.txt will also be copied to the clipboard, ready for posting back on the forum). I need that log later.
Back in normal mode:
* Download Combofix (http://download.bleepingcomputer.com/sUBs/ComboFix.exe) to your desktop.
Double-click combofix.exe
Follow the prompts.
Don't click on the window while the fix is running, because that will cause your system to hang.

When finished, and after the reboot (in case it asks to reboot), it should open a log, combofix.txt.
Post this log in your next reply together with a new HijackThis log and the log from SDFix (present in the SDFix folder).
Do NOT post the ComboFix-quarantined-files.txt unless I ask you to.

maple
2007-06-09, 20:28
Hi, I tried to run ComboFix, but once it opens a warning pops up saying my C:\WINDOWS\regedit.exe is missing, and the program closes after that.

miekiemoes
2007-06-09, 20:47
Hi,

Do the following, please.

Open Notepad and copy and paste the following (present in the quote box) into it:

dir c:\regedit.exe /a h /s > look.txt
start notepad look.txt

Save this as look.bat, choose to save as 'All Files', and place it on your desktop.
It should look like this: http://users.telenet.be/bluepatchy/miekiemoes/images/bat.gif
Double-click on it and Notepad should open.
Copy and paste the contents of it into your next reply.
(In case you are unsure how to create a .bat file, take a look here (http://www.nellie2.co.uk/file.htm#How_to_Make_a_.Bat_File) with screenshots.)

maple
2007-06-09, 20:51
Volume in drive C has no label.
Volume Serial Number is 0C3A-8FA7

Directory of c:\SDFix\backups

08/04/2004 09:00 PM 146,432 regedit.exe
1 File(s) 146,432 bytes

Directory of c:\WINDOWS

08/04/2004 09:00 PM 146,432 regedit.exe
1 File(s) 146,432 bytes

Directory of c:\WINDOWS\I386

08/04/2004 09:00 PM 146,432 REGEDIT.EXE
1 File(s) 146,432 bytes

Directory of c:\WINDOWS\system32\dllcache

08/04/2004 09:00 PM 146,432 regedit.exe
1 File(s) 146,432 bytes

miekiemoes
2007-06-09, 20:58
Hi,

regedit is present though... even in your C:\Windows folder.
I even see SDFix backed it up... not sure why.

Can you create another look.bat, the same as you did previously, but this time call it look2.bat?
Copy the following contents into it:

dir c:\Windows\regedit.com /a h /s > look2.txt
start notepad look2.txt

Then run look2.bat and copy and paste the contents into your next reply.

maple
2007-06-09, 21:01
Volume in drive C has no label.
Volume Serial Number is 0C3A-8FA7

miekiemoes
2007-06-09, 21:05
Ok, do the following...

* Download Deckard System Scanner (http://deckard.geekstogo.com/dss.exe) to your Desktop. Close all applications and windows.
Double-click on dss.exe to run it, and follow the prompts.
The scan may take a minute. When the scan is complete, a text file will open: main.txt
A folder (C:\Deckard\System Scanner) will also open which contains the main.txt and an extra.txt.
Copy and paste the contents of main.txt in your next reply. (Do not post the extra.txt; only post this when asked.)
Also post a new HijackThis log in your next reply.

And do the following as well:

Go to the following site:
http://www.virustotal.com/en/indexf.html
At the top you'll find 'Browse'.
Click the Browse button and browse to the following file:

C:\Windows\regedit.exe

Click Open.
Then click the 'Send' button next to it.
This will scan the file. Please be patient.
Once scanned, copy and paste the results in your next reply.

maple
2007-06-09, 21:21
In the main.txt there is already a HijackThis log. Do I still perform another scan with HJT and post the results?

miekiemoes
2007-06-09, 21:22
Oh yes, I forgot... no need to run another HijackThis scan then.
By the way, can you also post the log from SDFix? I forgot to ask that as well.

miekiemoes
2007-06-09, 21:49
Duh!
I asked you to create look2.bat previously, and it was pointing to a regedit.com in your Windows folder. Actually, it should have been a search for the presence of regedit.com in your C:\Windows\System32 folder.

Can you check whether there's a regedit.com file present in your C:\Windows\system32 folder? Let me know in your next reply.

maple
2007-06-10, 04:43
SDFix: Version 1.86

Run by Fujitsu - Sun 06/10/2007 - 1:57:50.29

Microsoft Windows XP [Version 5.1.2600]

Running From: C:\SDFix

Safe Mode:
Checking Services:

Name:
xpdx

ImagePath:

xpdx - Deleted



Restoring Windows Registry Values
Restoring Windows Default Hosts File

Rebooting...


Normal Mode:
Checking Files:

Below files will be copied to Backups folder then removed:

C:\Program Files\Common Files\Microsoft Shared\Web Folders\ibm00001.dll - Deleted
C:\Program Files\Common Files\Microsoft Shared\Web Folders\ibm00002.dll - Deleted
C:\WINDOWS\Temp\$_2341233.TMP - Deleted
C:\WINDOWS\Temp\$_2341234.TMP - Deleted
C:\WINDOWS\Temp\$b17a2e8.tmp - Deleted
C:\WINDOWS\wr.txt - Deleted
C:\WINDOWS\system32\xpdx.sys - Deleted



Removing Temp Files...

ADS Check:

Checking if ADS is attached to system32 Folder
C:\WINDOWS\system32
No streams found.

Checking if ADS is attached to svchost.exe
C:\WINDOWS\system32\svchost.exe
No streams found.

Checking if ADS is attached to ntoskrnl.exe
C:\WINDOWS\system32\ntoskrnl.exe
No streams found.



Final Check:

Remaining Services:
------------------



Authorized Application Key Export:

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"C:\\Program Files\\Messenger\\msmsgs.exe"="C:\\Program Files\\Messenger\\msmsgs.exe:*:Enabled:Windows Messenger"
"C:\\Program Files\\DC++\\DCPlusPlus.exe"="C:\\Program Files\\DC++\\DCPlusPlus.exe:*:Enabled:DC++"
"C:\\StubInstaller.exe"="C:\\StubInstaller.exe:*:Enabled:LimeWire swarmed installer"
"C:\\Program Files\\LimeWire\\LimeWire.exe"="C:\\Program Files\\LimeWire\\LimeWire.exe:*:Enabled:LimeWire"
"C:\\Program Files\\MSN Messenger\\msnmsgr.exe"="C:\\Program Files\\MSN Messenger\\msnmsgr.exe:*:Enabled:Windows Live Messenger 8.1"
"C:\\Program Files\\MSN Messenger\\livecall.exe"="C:\\Program Files\\MSN Messenger\\livecall.exe:*:Enabled:Windows Live Messenger 8.1 (Phone)"
"C:\\Program Files\\utorrent\\utorrent.exe"="C:\\Program Files\\utorrent\\utorrent.exe:*:Enabled:µTorrent"
"C:\\Program Files\\Autodesk\\Backburner\\monitor.exe"="C:\\Program Files\\Autodesk\\Backburner\\monitor.exe:*:Enabled:backburner 2.3 monitor"
"C:\\Program Files\\Autodesk\\Backburner\\manager.exe"="C:\\Program Files\\Autodesk\\Backburner\\manager.exe:*:Enabled:backburner 2.3 manager"
"C:\\Program Files\\Autodesk\\Backburner\\server.exe"="C:\\Program Files\\Autodesk\\Backburner\\server.exe:*:Enabled:backburner 2.3 server"
"C:\\Program Files\\Autodesk\\VIZ2007\\mentalray\\satellite\\raysat_3dsmax8.exe"="C:\\Program Files\\Autodesk\\VIZ2007\\mentalray\\satellite\\raysat_3dsmax8.exe:*:Enabled:Autodesk VIZ 2007 mental ray satellite service"
"C:\\Program Files\\Autodesk\\VIZ2007\\mentalray\\satellite\\raysat_3dsmax8server.exe"="C:\\Program Files\\Autodesk\\VIZ2007\\mentalray\\satellite\\raysat_3dsmax8server.exe:*:Enabled:Autodesk VIZ 2007 mental ray network rendering"
"C:\\Program Files\\Autodesk\\VIZ2007\\3dsviz.exe"="C:\\Program Files\\Autodesk\\VIZ2007\\3dsviz.exe:*:Enabled:Autodesk VIZ 2007"
"C:\\Program Files\\iTunes\\iTunes.exe"="C:\\Program Files\\iTunes\\iTunes.exe:*:Enabled:iTunes"
"c:\\windows\\system32\\nvsvct1.exe"="c:\\windows\\system32\\nvsvct1.exe:*:Enabled:nvsvct1"
"C:\\Program Files\\Skype\\Phone\\Skype.exe"="C:\\Program Files\\Skype\\Phone\\Skype.exe:*:Enabled:Skype"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\domainprofile\authorizedapplications\list]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"C:\\Program Files\\MSN Messenger\\msncall.exe"="C:\\Program Files\\MSN Messenger\\msncall.exe:*:Enabled:Windows Live Messenger 8.0 (Phone)"
"C:\\Program Files\\MSN Messenger\\msnmsgr.exe"="C:\\Program Files\\MSN Messenger\\msnmsgr.exe:*:Enabled:Windows Live Messenger 8.1"
"C:\\Program Files\\MSN Messenger\\livecall.exe"="C:\\Program Files\\MSN Messenger\\livecall.exe:*:Enabled:Windows Live Messenger 8.1 (Phone)"

Remaining Files:
---------------

Backups Folder: - C:\SDFix\backups\backups.zip

Listing Files with Hidden Attributes:

C:\Documents and Settings\Fujitsu\Local Settings\Application Data\Microsoft\Messenger\terrina29@hotmail.com\Sharing Folders\chinwh1987@hotmail.com\2007_06_03 (Rockingham & Mandurah Trip)\Thumbs.db
C:\Documents and Settings\Fujitsu\Local Settings\Application Data\Microsoft\Messenger\terrina29@hotmail.com\Sharing Folders\sad_guy882003@hotmail.com\Thumbs.db
C:\Documents and Settings\Fujitsu\Local Settings\Application Data\Microsoft\Messenger\terrina29@hotmail.com\Sharing Folders\sad_guy882003@hotmail.com\rockingham & mandurah\Thumbs.db
C:\Documents and Settings\Fujitsu\Local Settings\Application Data\Microsoft\Messenger\terrina29@hotmail.com\Sharing Folders\srixxon@hotmail.com\Thumbs.db
C:\Program Files\Autodesk\Autodesk DWF Viewer\_Setupx.dll
C:\WINDOWS\twain.dll
C:\WINDOWS\twain_32.dll
C:\WINDOWS\vmmreg32.dll
C:\WINDOWS\$hf_mig$\KB834707\spmsg.dll
C:\WINDOWS\$hf_mig$\KB834707\SP2QFE\browseui.dll
C:\WINDOWS\$hf_mig$\KB834707\SP2QFE\mshtml.dll
C:\WINDOWS\$hf_mig$\KB834707\SP2QFE\shdocvw.dll
C:\WINDOWS\$hf_mig$\KB834707\SP2QFE\urlmon.dll
C:\WINDOWS\$hf_mig$\KB834707\SP2QFE\wininet.dll
C:\WINDOWS\$hf_mig$\KB834707\update\spcustom.dll
C:\WINDOWS\$hf_mig$\KB873339\spmsg.dll
C:\WINDOWS\$hf_mig$\KB873339\SP2QFE\hypertrm.dll
C:\WINDOWS\$hf_mig$\KB873339\update\spcustom.dll
C:\WINDOWS\$hf_mig$\KB885250\spmsg.dll
C:\WINDOWS\$hf_mig$\KB885250\update\spcustom.dll
C:\WINDOWS\$hf_mig$\KB885835\spmsg.dll
C:\WINDOWS\$hf_mig$\KB885835\SP2QFE\lsasrv.dll
C:\WINDOWS\$hf_mig$\KB885835\update\spcustom.dll
C:\WINDOWS\$hf_mig$\KB885836\spmsg.dll
C:\WINDOWS\$hf_mig$\KB885836\update\spcustom.dll
C:\WINDOWS\$hf_mig$\KB888113\spmsg.dll
C:\WINDOWS\$hf_mig$\KB888113\SP2QFE\hlink.dll
C:\WINDOWS\$hf_mig$\KB888113\update\spcustom.dll
C:\WINDOWS\$hf_mig$\KB888302\spmsg.dll
C:\WINDOWS\$hf_mig$\KB888302\SP2QFE\srvsvc.dll
C:\WINDOWS\$hf_mig$\KB888302\update\spcustom.dll
C:\WINDOWS\$hf_mig$\KB890859\spmsg.dll
C:\WINDOWS\$hf_mig$\KB890859\SP2QFE\authz.dll
C:\WINDOWS\$hf_mig$\KB890859\SP2QFE\user32.dll
C:\WINDOWS\$hf_mig$\KB890859\SP2QFE\winsrv.dll
C:\WINDOWS\$hf_mig$\KB890859\update\spcustom.dll
C:\WINDOWS\$hf_mig$\KB890859\update\updspapi.dll
C:\WINDOWS\$hf_mig$\KB891781\spmsg.dll
C:\WINDOWS\$hf_mig$\KB891781\update\spcustom.dll
C:\WINDOWS\$hf_mig$\KB893066\spmsg.dll
C:\WINDOWS\$hf_mig$\KB893066\update\spcustom.dll
C:\WINDOWS\$hf_mig$\KB893066\update\updspapi.dll
C:\WINDOWS\$hf_mig$\KB893756\spmsg.dll
C:\WINDOWS\$hf_mig$\KB893756\SP2QFE\tapisrv.dll
C:\WINDOWS\$hf_mig$\KB893756\update\spcustom.dll
C:\WINDOWS\$hf_mig$\KB893756\update\updspapi.dll
C:\WINDOWS\$hf_mig$\KB896358\spmsg.dll
C:\WINDOWS\$hf_mig$\KB896358\SP2QFE\hhsetup.dll
C:\WINDOWS\$hf_mig$\KB896358\SP2QFE\itircl.dll
C:\WINDOWS\$hf_mig$\KB896358\SP2QFE\itss.dll
C:\WINDOWS\$hf_mig$\KB896358\update\spcustom.dll
C:\WINDOWS\$hf_mig$\KB896358\update\updspapi.dll
C:\WINDOWS\$hf_mig$\KB896422\spmsg.dll
C:\WINDOWS\$hf_mig$\KB896422\update\spcustom.dll
C:\WINDOWS\$hf_mig$\KB896422\update\updspapi.dll
C:\WINDOWS\$hf_mig$\KB896423\spmsg.dll
C:\WINDOWS\$hf_mig$\KB896423\update\spcustom.dll
C:\WINDOWS\$hf_mig$\KB896423\update\updspapi.dll
C:\WINDOWS\$hf_mig$\KB896688\spmsg.dll
C:\WINDOWS\$hf_mig$\KB896688\SP2QFE\browseui.dll
C:\WINDOWS\$hf_mig$\KB896688\SP2QFE\cdfview.dll
C:\WINDOWS\$hf_mig$\KB896688\SP2QFE\danim.dll
C:\WINDOWS\$hf_mig$\KB896688\SP2QFE\dxtrans.dll
C:\WINDOWS\$hf_mig$\KB896688\SP2QFE\extmgr.dll
C:\WINDOWS\$hf_mig$\KB896688\SP2QFE\iepeers.dll
C:\WINDOWS\$hf_mig$\KB896688\SP2QFE\inseng.dll
C:\WINDOWS\$hf_mig$\KB896688\SP2QFE\mshtml.dll
C:\WINDOWS\$hf_mig$\KB896688\SP2QFE\mshtmled.dll
C:\WINDOWS\$hf_mig$\KB896688\SP2QFE\msrating.dll
C:\WINDOWS\$hf_mig$\KB896688\SP2QFE\mstime.dll
C:\WINDOWS\$hf_mig$\KB896688\SP2QFE\pngfilt.dll
C:\WINDOWS\$hf_mig$\KB896688\SP2QFE\shdocvw.dll
C:\WINDOWS\$hf_mig$\KB896688\SP2QFE\shlwapi.dll
C:\WINDOWS\$hf_mig$\KB896688\SP2QFE\urlmon.dll
C:\WINDOWS\$hf_mig$\KB896688\SP2QFE\wininet.dll
C:\WINDOWS\$hf_mig$\KB896688\update\spcustom.dll
C:\WINDOWS\$hf_mig$\KB896688\update\updspapi.dll
C:\WINDOWS\$hf_mig$\KB899587\spmsg.dll
C:\WINDOWS\$hf_mig$\KB899587\SP2QFE\kerberos.dll
C:\WINDOWS\$hf_mig$\KB899587\update\spcustom.dll
C:\WINDOWS\$hf_mig$\KB899587\update\updspapi.dll
C:\WINDOWS\$hf_mig$\KB899589\spmsg.dll
C:\WINDOWS\$hf_mig$\KB899589\SP2QFE\nwwks.dll
C:\WINDOWS\$hf_mig$\KB899589\update\spcustom.dll
C:\WINDOWS\$hf_mig$\KB899589\update\updspapi.dll
C:\WINDOWS\$hf_mig$\KB899591\spmsg.dll
C:\WINDOWS\$hf_mig$\KB899591\update\spcustom.dll
C:\WINDOWS\$hf_mig$\KB899591\update\updspapi.dll
C:\WINDOWS\$hf_mig$\KB900725\spmsg.dll
C:\WINDOWS\$hf_mig$\KB900725\SP2QFE\linkinfo.dll
C:\WINDOWS\$hf_mig$\KB900725\SP2QFE\shell32.dll
C:\WINDOWS\$hf_mig$\KB900725\SP2QFE\shlwapi.dll
C:\WINDOWS\$hf_mig$\KB900725\SP2QFE\winsrv.dll
C:\WINDOWS\$hf_mig$\KB900725\SP2QFE\xpsp3res.dll
C:\WINDOWS\$hf_mig$\KB900725\update\spcustom.dll
C:\WINDOWS\$hf_mig$\KB900725\update\updspapi.dll
C:\WINDOWS\$hf_mig$\KB901017\spmsg.dll
C:\WINDOWS\$hf_mig$\KB901017\SP2QFE\cdosys.dll
C:\WINDOWS\$hf_mig$\KB901017\update\spcustom.dll
C:\WINDOWS\$hf_mig$\KB901017\update\updspapi.dll
C:\WINDOWS\$hf_mig$\KB901214\spmsg.dll
C:\WINDOWS\$hf_mig$\KB901214\SP2QFE\icm32.dll
C:\WINDOWS\$hf_mig$\KB901214\SP2QFE\mscms.dll
C:\WINDOWS\$hf_mig$\KB901214\update\spcustom.dll
C:\WINDOWS\$hf_mig$\KB901214\update\updspapi.dll
C:\WINDOWS\$hf_mig$\KB902400\spmsg.dll
C:\WINDOWS\$hf_mig$\KB902400\SP2QFE\catsrv.dll
C:\WINDOWS\$hf_mig$\KB902400\SP2QFE\catsrvut.dll
C:\WINDOWS\$hf_mig$\KB902400\SP2QFE\clbcatex.dll
C:\WINDOWS\$hf_mig$\KB902400\SP2QFE\clbcatq.dll
C:\WINDOWS\$hf_mig$\KB902400\SP2QFE\colbact.dll
C:\WINDOWS\$hf_mig$\KB902400\SP2QFE\comadmin.dll
C:\WINDOWS\$hf_mig$\KB902400\SP2QFE\comrepl.dll
C:\WINDOWS\$hf_mig$\KB902400\SP2QFE\comsvcs.dll
C:\WINDOWS\$hf_mig$\KB902400\SP2QFE\comuid.dll
C:\WINDOWS\$hf_mig$\KB902400\SP2QFE\es.dll
C:\WINDOWS\$hf_mig$\KB902400\SP2QFE\msdtcprx.dll
C:\WINDOWS\$hf_mig$\KB902400\SP2QFE\msdtctm.dll
C:\WINDOWS\$hf_mig$\KB902400\SP2QFE\msdtcuiu.dll
C:\WINDOWS\$hf_mig$\KB902400\SP2QFE\mtxclu.dll
C:\WINDOWS\$hf_mig$\KB902400\SP2QFE\mtxoci.dll
C:\WINDOWS\$hf_mig$\KB902400\SP2QFE\ole32.dll
C:\WINDOWS\$hf_mig$\KB902400\SP2QFE\olecli32.dll
C:\WINDOWS\$hf_mig$\KB902400\SP2QFE\olecnv32.dll
C:\WINDOWS\$hf_mig$\KB902400\SP2QFE\rpcss.dll
C:\WINDOWS\$hf_mig$\KB902400\SP2QFE\txflog.dll
C:\WINDOWS\$hf_mig$\KB902400\SP2QFE\xolehlp.dll
C:\WINDOWS\$hf_mig$\KB902400\update\spcustom.dll
C:\WINDOWS\$hf_mig$\KB902400\update\updspapi.dll
C:\WINDOWS\$hf_mig$\KB904706\spmsg.dll
C:\WINDOWS\$hf_mig$\KB904706\SP2QFE\quartz.dll
C:\WINDOWS\$hf_mig$\KB904706\update\spcustom.dll
C:\WINDOWS\$hf_mig$\KB904706\update\updspapi.dll
C:\WINDOWS\$hf_mig$\KB905414\spmsg.dll
C:\WINDOWS\$hf_mig$\KB905414\SP2QFE\netman.dll
C:\WINDOWS\$hf_mig$\KB905414\update\spcustom.dll
C:\WINDOWS\$hf_mig$\KB905414\update\updspapi.dll
C:\WINDOWS\$hf_mig$\KB905749\spmsg.dll
C:\WINDOWS\$hf_mig$\KB905749\SP2QFE\umpnpmgr.dll
C:\WINDOWS\$hf_mig$\KB905749\update\spcustom.dll
C:\WINDOWS\$hf_mig$\KB905749\update\updspapi.dll
C:\WINDOWS\$hf_mig$\KB905915\spmsg.dll
C:\WINDOWS\$hf_mig$\KB905915\SP2QFE\browseui.dll
C:\WINDOWS\$hf_mig$\KB905915\SP2QFE\cdfview.dll
C:\WINDOWS\$hf_mig$\KB905915\SP2QFE\danim.dll
C:\WINDOWS\$hf_mig$\KB905915\SP2QFE\dxtrans.dll
C:\WINDOWS\$hf_mig$\KB905915\SP2QFE\extmgr.dll
C:\WINDOWS\$hf_mig$\KB905915\SP2QFE\iepeers.dll
C:\WINDOWS\$hf_mig$\KB905915\SP2QFE\inseng.dll
C:\WINDOWS\$hf_mig$\KB905915\SP2QFE\mshtml.dll
C:\WINDOWS\$hf_mig$\KB905915\SP2QFE\mshtmled.dll
C:\WINDOWS\$hf_mig$\KB905915\SP2QFE\msrating.dll
C:\WINDOWS\$hf_mig$\KB905915\SP2QFE\mstime.dll
C:\WINDOWS\$hf_mig$\KB905915\SP2QFE\pngfilt.dll
C:\WINDOWS\$hf_mig$\KB905915\SP2QFE\shdocvw.dll
C:\WINDOWS\$hf_mig$\KB905915\SP2QFE\shlwapi.dll
C:\WINDOWS\$hf_mig$\KB905915\SP2QFE\urlmon.dll
C:\WINDOWS\$hf_mig$\KB905915\SP2QFE\wininet.dll
C:\WINDOWS\$hf_mig$\KB905915\update\spcustom.dll
C:\WINDOWS\$hf_mig$\KB905915\update\updspapi.dll
C:\WINDOWS\$hf_mig$\KB908519\spmsg.dll
C:\WINDOWS\$hf_mig$\KB908519\SP2QFE\fontsub.dll
C:\WINDOWS\$hf_mig$\KB908519\SP2QFE\t2embed.dll
C:\WINDOWS\$hf_mig$\KB908519\update\spcustom.dll
C:\WINDOWS\$hf_mig$\KB908519\update\updspapi.dll
C:\WINDOWS\$hf_mig$\KB910437\spmsg.dll
C:\WINDOWS\$hf_mig$\KB910437\SP2QFE\esent.dll
C:\WINDOWS\$hf_mig$\KB910437\update\spcustom.dll
C:\WINDOWS\$hf_mig$\KB910437\update\updspapi.dll
C:\WINDOWS\$hf_mig$\KB911927\spmsg.dll
C:\WINDOWS\$hf_mig$\KB911927\SP2QFE\webclnt.dll
C:\WINDOWS\$hf_mig$\KB911927\update\spcustom.dll
C:\WINDOWS\$hf_mig$\KB911927\update\updspapi.dll
C:\WINDOWS\$hf_mig$\KB912919\spmsg.dll
C:\WINDOWS\$hf_mig$\KB912919\SP2QFE\gdi32.dll
C:\WINDOWS\$hf_mig$\KB912919\update\spcustom.dll
C:\WINDOWS\$hf_mig$\KB912919\update\updspapi.dll
C:\WINDOWS\$hf_mig$\KB912945\spmsg.dll
C:\WINDOWS\$hf_mig$\KB912945\SP2QFE\browseui.dll
C:\WINDOWS\$hf_mig$\KB912945\SP2QFE\cdfview.dll
C:\WINDOWS\$hf_mig$\KB912945\SP2QFE\danim.dll
C:\WINDOWS\$hf_mig$\KB912945\SP2QFE\dxtrans.dll
C:\WINDOWS\$hf_mig$\KB912945\SP2QFE\extmgr.dll
C:\WINDOWS\$hf_mig$\KB912945\SP2QFE\iepeers.dll
C:\WINDOWS\$hf_mig$\KB912945\SP2QFE\inseng.dll
C:\WINDOWS\$hf_mig$\KB912945\SP2QFE\mshtml.dll
C:\WINDOWS\$hf_mig$\KB912945\SP2QFE\mshtmled.dll
C:\WINDOWS\$hf_mig$\KB912945\SP2QFE\msrating.dll
C:\WINDOWS\$hf_mig$\KB912945\SP2QFE\mstime.dll
C:\WINDOWS\$hf_mig$\KB912945\SP2QFE\pngfilt.dll
C:\WINDOWS\$hf_mig$\KB912945\SP2QFE\shdocvw.dll
C:\WINDOWS\$hf_mig$\KB912945\SP2QFE\shlwapi.dll
C:\WINDOWS\$hf_mig$\KB912945\SP2QFE\urlmon.dll
C:\WINDOWS\$hf_mig$\KB912945\SP2QFE\wininet.dll
C:\WINDOWS\$hf_mig$\KB912945\SP2QFE\xpsp3res.dll
C:\WINDOWS\$hf_mig$\KB912945\update\spcustom.dll
C:\WINDOWS\$hf_mig$\KB912945\update\updspapi.dll
C:\WINDOWS\$hf_mig$\KB913446\spmsg.dll
C:\WINDOWS\$hf_mig$\KB913446\update\spcustom.dll
C:\WINDOWS\$hf_mig$\KB913446\update\updspapi.dll
C:\WINDOWS\$NtUninstallKB834707$\browseui.dll
C:\WINDOWS\$NtUninstallKB834707$\mshtml.dll
C:\WINDOWS\$NtUninstallKB834707$\shdocvw.dll
C:\WINDOWS\$NtUninstallKB834707$\urlmon.dll
C:\WINDOWS\$NtUninstallKB834707$\wininet.dll
C:\WINDOWS\$NtUninstallKB873339$\hypertrm.dll
C:\WINDOWS\$NtUninstallKB885835$\lsasrv.dll
C:\WINDOWS\$NtUninstallKB888113$\hlink.dll
C:\WINDOWS\$NtUninstallKB888239$\msobmain.dll
C:\WINDOWS\$NtUninstallKB888302$\srvsvc.dll
C:\WINDOWS\$NtUninstallKB889673$\hal.dll
C:\WINDOWS\$NtUninstallKB890859$\authz.dll
C:\WINDOWS\$NtUninstallKB890859$\user32.dll
C:\WINDOWS\$NtUninstallKB890859$\winsrv.dll
C:\WINDOWS\$NtUninstallKB890859$\spuninst\updspapi.dll
C:\Program Files\Autodesk\Autodesk DWF Viewer\Setup.exe
C:\WINDOWS\agrsmdel.exe
C:\WINDOWS\AGRSMMSG.exe
C:\WINDOWS\amcap.exe
C:\WINDOWS\dla.exe
C:\WINDOWS\hh.exe
C:\WINDOWS\NOTEPAD.EXE
C:\WINDOWS\O2Remove.EXE
C:\WINDOWS\regedit.exe
C:\WINDOWS\TASKMAN.EXE
C:\WINDOWS\twunk_16.exe
C:\WINDOWS\twunk_32.exe
C:\WINDOWS\winhelp.exe
C:\WINDOWS\winhlp32.exe
C:\WINDOWS\$hf_mig$\KB834707\spuninst.exe
C:\WINDOWS\$hf_mig$\KB834707\update\update.exe
C:\WINDOWS\$hf_mig$\KB873339\spuninst.exe
C:\WINDOWS\$hf_mig$\KB873339\update\update.exe
C:\WINDOWS\$hf_mig$\KB885250\spuninst.exe
C:\WINDOWS\$hf_mig$\KB885250\update\update.exe
C:\WINDOWS\$hf_mig$\KB885835\spuninst.exe
C:\WINDOWS\$hf_mig$\KB885835\update\update.exe
C:\WINDOWS\$hf_mig$\KB885836\spuninst.exe
C:\WINDOWS\$hf_mig$\KB885836\update\update.exe
C:\WINDOWS\$hf_mig$\KB888113\spuninst.exe
C:\WINDOWS\$hf_mig$\KB888113\update\update.exe
C:\WINDOWS\$hf_mig$\KB888302\spuninst.exe
C:\WINDOWS\$hf_mig$\KB888302\update\update.exe
C:\WINDOWS\$hf_mig$\KB890859\spuninst.exe
C:\WINDOWS\$hf_mig$\KB890859\SP2QFE\ntkrnlmp.exe
C:\WINDOWS\$hf_mig$\KB890859\SP2QFE\ntkrnlpa.exe
C:\WINDOWS\$hf_mig$\KB890859\SP2QFE\ntkrpamp.exe
C:\WINDOWS\$hf_mig$\KB890859\SP2QFE\ntoskrnl.exe
C:\WINDOWS\$hf_mig$\KB890859\update\update.exe
C:\WINDOWS\$hf_mig$\KB891781\spuninst.exe
C:\WINDOWS\$hf_mig$\KB891781\update\update.exe
C:\WINDOWS\$hf_mig$\KB893066\spuninst.exe
C:\WINDOWS\$hf_mig$\KB893066\update\update.exe
C:\WINDOWS\$hf_mig$\KB893756\spuninst.exe
C:\WINDOWS\$hf_mig$\KB893756\update\arpidfix.exe
C:\WINDOWS\$hf_mig$\KB893756\update\update.exe
C:\WINDOWS\$hf_mig$\KB896358\spuninst.exe
C:\WINDOWS\$hf_mig$\KB896358\SP2QFE\hh.exe
C:\WINDOWS\$hf_mig$\KB896358\update\update.exe
C:\WINDOWS\$hf_mig$\KB896422\spuninst.exe
C:\WINDOWS\$hf_mig$\KB896422\update\update.exe
C:\WINDOWS\$hf_mig$\KB896423\spuninst.exe
C:\WINDOWS\$hf_mig$\KB896423\SP2QFE\spoolsv.exe
C:\WINDOWS\$hf_mig$\KB896423\update\arpidfix.exe
C:\WINDOWS\$hf_mig$\KB896423\update\update.exe
C:\WINDOWS\$hf_mig$\KB896688\spuninst.exe
C:\WINDOWS\$hf_mig$\KB896688\SP2QFE\iedw.exe
C:\WINDOWS\$hf_mig$\KB896688\update\arpidfix.exe
C:\WINDOWS\$hf_mig$\KB896688\update\update.exe
C:\WINDOWS\$hf_mig$\KB899587\spuninst.exe
C:\WINDOWS\$hf_mig$\KB899587\update\arpidfix.exe
C:\WINDOWS\$hf_mig$\KB899587\update\update.exe
C:\WINDOWS\$hf_mig$\KB899589\spuninst.exe
C:\WINDOWS\$hf_mig$\KB899589\update\arpidfix.exe
C:\WINDOWS\$hf_mig$\KB899589\update\update.exe
C:\WINDOWS\$hf_mig$\KB899591\spuninst.exe
C:\WINDOWS\$hf_mig$\KB899591\update\arpidfix.exe
C:\WINDOWS\$hf_mig$\KB899591\update\update.exe
C:\WINDOWS\$hf_mig$\KB900725\spuninst.exe
C:\WINDOWS\$hf_mig$\KB900725\update\arpidfix.exe
C:\WINDOWS\$hf_mig$\KB900725\update\update.exe
C:\WINDOWS\$hf_mig$\KB901017\spuninst.exe
C:\WINDOWS\$hf_mig$\KB901017\update\arpidfix.exe
C:\WINDOWS\$hf_mig$\KB901017\update\update.exe
C:\WINDOWS\$hf_mig$\KB901214\spuninst.exe
C:\WINDOWS\$hf_mig$\KB901214\update\update.exe
C:\WINDOWS\$hf_mig$\KB902400\spuninst.exe
C:\WINDOWS\$hf_mig$\KB902400\SP2QFE\migregdb.exe
C:\WINDOWS\$hf_mig$\KB902400\update\arpidfix.exe
C:\WINDOWS\$hf_mig$\KB902400\update\update.exe
C:\WINDOWS\$hf_mig$\KB904706\spuninst.exe
C:\WINDOWS\$hf_mig$\KB904706\update\update.exe
C:\WINDOWS\$hf_mig$\KB905414\spuninst.exe
C:\WINDOWS\$hf_mig$\KB905414\update\arpidfix.exe
C:\WINDOWS\$hf_mig$\KB905414\update\update.exe
C:\WINDOWS\$hf_mig$\KB905749\spuninst.exe
C:\WINDOWS\$hf_mig$\KB905749\update\arpidfix.exe
C:\WINDOWS\$hf_mig$\KB905749\update\update.exe
C:\WINDOWS\$hf_mig$\KB905915\spuninst.exe
C:\WINDOWS\$hf_mig$\KB905915\SP2QFE\iedw.exe
C:\WINDOWS\$hf_mig$\KB905915\update\update.exe
C:\WINDOWS\$hf_mig$\KB908519\spuninst.exe
C:\WINDOWS\$hf_mig$\KB908519\update\update.exe
C:\WINDOWS\$hf_mig$\KB910437\spuninst.exe
C:\WINDOWS\$hf_mig$\KB910437\update\update.exe
C:\WINDOWS\$hf_mig$\KB911927\spuninst.exe
C:\WINDOWS\$hf_mig$\KB911927\update\update.exe
C:\WINDOWS\$hf_mig$\KB912919\spuninst.exe
C:\WINDOWS\$hf_mig$\KB912919\update\update.exe
C:\WINDOWS\$hf_mig$\KB912945\spuninst.exe
C:\WINDOWS\$hf_mig$\KB912945\SP2QFE\iedw.exe
C:\WINDOWS\$hf_mig$\KB912945\update\update.exe
C:\WINDOWS\$hf_mig$\KB913446\spuninst.exe
C:\WINDOWS\$hf_mig$\KB913446\update\update.exe
C:\WINDOWS\$NtUninstallKB834707$\spuninst\spuninst.exe
C:\WINDOWS\$NtUninstallKB873339$\spuninst\spuninst.exe
C:\WINDOWS\$NtUninstallKB885250$\spuninst\spuninst.exe
C:\WINDOWS\$NtUninstallKB885835$\spuninst\spuninst.exe
C:\WINDOWS\$NtUninstallKB885836$\spuninst\spuninst.exe
C:\WINDOWS\$NtUninstallKB888113$\spuninst\spuninst.exe
C:\WINDOWS\$NtUninstallKB888239$\spuninst\spuninst.exe
C:\WINDOWS\$NtUninstallKB888302$\spuninst\spuninst.exe
C:\WINDOWS\$NtUninstallKB889673$\spuninst\spuninst.exe
C:\WINDOWS\$NtUninstallKB890859$\ntkrnlpa.exe
C:\WINDOWS\$NtUninstallKB890859$\ntoskrnl.exe

maple
2007-06-10, 04:44
C:\WINDOWS\$NtUninstallKB890859$\spuninst\spuninst.exe
C:\WINDOWS\system32\iyknukdrs\csrss.exe~
C:\WINDOWS\_default.pif
C:\WINDOWS\$hf_mig$\KB885250\SP2QFE\mrxsmb.sys
C:\WINDOWS\$hf_mig$\KB885835\SP2QFE\mrxsmb.sys
C:\WINDOWS\$hf_mig$\KB885835\SP2QFE\rdbss.sys
C:\WINDOWS\$hf_mig$\KB890859\SP2QFE\win32k.sys
C:\WINDOWS\$hf_mig$\KB893066\SP2QFE\tcpip.sys
C:\WINDOWS\$hf_mig$\KB896422\SP2QFE\srv.sys
C:\WINDOWS\$hf_mig$\KB899591\SP2QFE\rdpwd.sys
C:\WINDOWS\$hf_mig$\KB913446\SP2QFE\tcpip.sys
C:\WINDOWS\$NtUninstallKB885250$\mrxsmb.sys
C:\WINDOWS\$NtUninstallKB885835$\mrxsmb.sys
C:\WINDOWS\$NtUninstallKB885835$\rdbss.sys
C:\WINDOWS\$NtUninstallKB890859$\win32k.sys

Listing User Accounts:

User accounts for \\YOUR-6D5DB64932

Administrator ASPNET Fujitsu
Guest HelpAssistant SUPPORT_388945a0


Finished

maple
2007-06-10, 04:52
Deckard's System Scanner v20070603.47
Run by Fujitsu on 2007-06-10 at 03:03:10
Computer is in Normal Mode.
--------------------------------------------------------------------------------

-- System Restore --------------------------------------------------------------

System Restore is disabled; attempting to re-enable...success.


-- Last 1 Restore Point(s) --
1: 2007-06-09 19:03:12 UTC - RP1 - System Checkpoint


Backed up registry hives.

Performed disk cleanup.


-- HijackThis (run as Fujitsu.exe) ---------------------------------------------

Logfile of HijackThis v1.99.1
Scan saved at 3:04:44 AM, on 6/10/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16441)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Norman\Npm\bin\ELOGSVC.EXE
C:\Norman\Npm\Bin\Zanda.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\SCardSvr.exe
C:\Program Files\Common Files\Autodesk Shared\Service\AdskScSrv.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\wdfmgr.exe
C:\Norman\Nvc\BIN\NVCSCHED.EXE
C:\Norman\Npm\bin\NJEEVES.EXE
C:\Norman\Nvc\bin\nvcoas.exe
C:\WINDOWS\System32\alg.exe
C:\Program Files\Fujitsu\DispSwitch\DispSwitchLauncher.exe
C:\WINDOWS\AGRSMMSG.exe
C:\Program Files\Apoint2K\Apoint.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Program Files\Fujitsu\FUJ02E3\FUJ02E3.exe
C:\Program Files\Fujitsu\Fujitsu Hotkey Utility\IndicatorUty.exe
C:\Program Files\Fujitsu\Application Panel\QuickTouch.exe
C:\Program Files\Fujitsu\BtnHnd\BtnHnd.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\Program Files\Fujitsu\updnavi\updnavi.exe
C:\Program Files\Atheros\ACU.exe
C:\Norman\Npm\bin\ZLH.EXE
C:\WINDOWS\tsnp2std.exe
C:\WINDOWS\vsnp2std.exe
C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\ltmoh\Ltmoh.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Norman\Nvc\BIN\NIP.EXE
C:\Program Files\MSN Messenger\MsnMsgr.Exe
C:\Program Files\Skype\Phone\Skype.exe
C:\Program Files\Yahoo!\Search Protection\SearchProtection.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Apoint2K\Apntex.exe
C:\Program Files\Apoint2K\HidFind.exe
C:\Program Files\Skype\Plugin Manager\skypePM.exe
C:\Documents and Settings\Fujitsu\Desktop\dss.exe
C:\HIJACK~1\Fujitsu.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://red.clientapps.yahoo.com/customize/ycomp/defaults/sb/*http://www.yahoo.com/search/ie.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://red.clientapps.yahoo.com/customize/ycomp/defaults/sp/*http://www.yahoo.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://weather.news.com.au/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://red.clientapps.yahoo.com/customize/ycomp/defaults/su/*http://www.yahoo.com
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn1\yt.dll
O2 - BHO: &Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn1\yt.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: Skype add-on (mastermind) - {22BF413B-C6D2-4d91-82A9-A0F997BA588C} - C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn1\yt.dll
O4 - HKLM\..\Run: [DispSwitchLauncher] C:\Program Files\Fujitsu\DispSwitch\DispSwitchLauncher.exe
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint2K\Apoint.exe
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [LoadFUJ02E3] C:\Program Files\Fujitsu\FUJ02E3\FUJ02E3.exe
O4 - HKLM\..\Run: [IndicatorUtility] C:\Program Files\Fujitsu\Fujitsu Hotkey Utility\IndicatorUty.exe
O4 - HKLM\..\Run: [LoadFujitsuQuickTouch] C:\Program Files\Fujitsu\Application Panel\QuickTouch.exe
O4 - HKLM\..\Run: [LoadBtnHnd] C:\Program Files\Fujitsu\BtnHnd\BtnHnd.exe
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [FJUPDNV_Chitose] C:\Program Files\Fujitsu\updnavi\updnavi.exe
O4 - HKLM\..\Run: [ACU] "C:\Program Files\Atheros\ACU.exe" -nogui
O4 - HKLM\..\Run: [IMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [MSPY2002] C:\WINDOWS\system32\IME\PINTLGNT\ImScInst.exe /SYNC
O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /SYNC
O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /IMEName
O4 - HKLM\..\Run: [Norman ZANDA] C:\Norman\Npm\bin\ZLH.EXE /LOAD /SPLASH
O4 - HKLM\..\Run: [tsnp2std] C:\WINDOWS\tsnp2std.exe
O4 - HKLM\..\Run: [snp2std] C:\WINDOWS\vsnp2std.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe"
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [LtMoh] C:\Program Files\ltmoh\Ltmoh.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [Skype] "C:\Program Files\Skype\Phone\Skype.exe" /nosplash /minimized
O4 - HKCU\..\Run: [µTorrent] "C:\Program Files\utorrent\utorrent.exe"
O4 - HKCU\..\Run: [YSearchProtection] C:\Program Files\Yahoo!\Search Protection\SearchProtection.exe
O4 - Startup: csrss.lnk = ?
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: AutoCAD Startup Accelerator.lnk = C:\Program Files\Common Files\Autodesk Shared\acstart16.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra button: Skype - {77BF5300-1474-4EC7-9980-D32B190E9B07} - C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O11 - Options group: [INTERNATIONAL] International*
O14 - IERESET.INF: START_PAGE_URL=http://www.pc-ap.fujitsu.com/
O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - http://us.dl1.yimg.com/download.yahoo.com/dl/installs/yinst20040510.cab
O16 - DPF: {7B297BFD-85E4-4092-B2AF-16A91B2EA103} (WScanCtl Class) - http://www.ca.com/us/securityadvisor/virusinfo/webscan.cab
O16 - DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsPAClient.cab56907.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O23 - Service: Atheros Configuration Service (ACS) - Unknown owner - C:\WINDOWS\system32\ACS.exe (file missing)
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: Autodesk Licensing Service - Autodesk - C:\Program Files\Common Files\Autodesk Shared\Service\AdskScSrv.exe
O23 - Service: Norman eLogger service 6 (eLoggerSvc6) - Norman ASA - C:\Norman\Npm\bin\ELOGSVC.EXE
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Norman NJeeves - Unknown owner - C:\Norman\Npm\bin\NJEEVES.EXE
O23 - Service: Norman ZANDA - Norman ASA - C:\Norman\Npm\Bin\Zanda.exe
O23 - Service: Norman Virus Control on-access component (nvcoas) - Norman ASA - C:\Norman\Nvc\bin\nvcoas.exe
O23 - Service: Norman Virus Control Scheduler (NVCScheduler) - Norman ASA - C:\Norman\Nvc\BIN\NVCSCHED.EXE
O23 - Service: O2Micro Flash Memory (O2Flash) - Unknown owner - C:\WINDOWS\system32\o2flash.exe (file missing)
O23 - Service: RaySat_3dsmax8 Server (RaySat_3dsmax8Server) - Unknown owner - C:\Program Files\Autodesk\VIZ2007\mentalray\satellite\raysat_3dsmax8server.exe (file missing)


-- File Associations -----------------------------------------------------------

.scr - AutoCADScriptFile - shell\open\command - "C:\WINDOWS\system32\notepad.exe" "%1"


-- Drivers: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled ---------------------

R0 FJGPNV - c:\windows\system32\drivers\fjgpnv.sys <Not Verified; FUJITSU LIMITED; FJGPNV>
R2 AegisP (AEGIS Protocol (IEEE 802.1x) v3.2.0.3) - c:\windows\system32\drivers\aegisp.sys <Not Verified; Meetinghouse Data Communications; AEGIS Client 3.2.0.3>
R2 BtnHnd - c:\program files\fujitsu\btnhnd\btnhnd.sys <Not Verified; FUJITSU LIMITED; Button handler>
R2 FlashDrv - c:\program files\fujitsu\flashaid\flashdrv.sys <Not Verified; FUJITSU LIMITED; FlashAid>
R3 pfc (Padus ASPI Shell) - c:\windows\system32\drivers\pfc.sys <Not Verified; Padus, Inc.; Padus(R) ASPI Shell>

S3 SNP2STD (USB2.0 PC Camera (SNP2STD)) - c:\windows\system32\drivers\snp2sxp.sys <Not Verified; ; USB2.0 PC Camera driver>


-- Services: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled --------------------

R2 Autodesk Licensing Service - "c:\program files\common files\autodesk shared\service\adskscsrv.exe" <Not Verified; Autodesk; Autodesk Licensing Service>

S2 ACS (Atheros Configuration Service) - c:\windows\system32\acs.exe (file missing)
S2 O2Flash (O2Micro Flash Memory) - c:\windows\system32\o2flash.exe (file missing)
S2 RaySat_3dsmax8Server (RaySat_3dsmax8 Server) - c:\program files\autodesk\viz2007\mentalray\satellite\raysat_3dsmax8server.exe (file missing)


-- Scheduled Tasks -------------------------------------------------------------

2007-06-07 22:28:02 284 --a------ C:\WINDOWS\Tasks\AppleSoftwareUpdate.job


-- Files created between 2007-05-10 and 2007-06-10 -----------------------------

2007-06-09 20:27:10 552 --a------ C:\WINDOWS\system32\d3d8caps.dat
2007-06-09 19:44:37 0 d--h----- C:\Documents and Settings\Administrator\Templates
2007-06-09 19:44:37 0 dr------- C:\Documents and Settings\Administrator\Start Menu
2007-06-09 19:44:37 0 dr-h----- C:\Documents and Settings\Administrator\SendTo
2007-06-09 19:44:37 0 dr-h----- C:\Documents and Settings\Administrator\Recent
2007-06-09 19:44:37 0 d--h----- C:\Documents and Settings\Administrator\PrintHood
2007-06-09 19:44:37 0 d--h----- C:\Documents and Settings\Administrator\NetHood
2007-06-09 19:44:37 0 dr------- C:\Documents and Settings\Administrator\My Documents
2007-06-09 19:44:37 0 d--h----- C:\Documents and Settings\Administrator\Local Settings
2007-06-09 19:44:37 0 dr------- C:\Documents and Settings\Administrator\Favorites
2007-06-09 19:44:37 0 d-------- C:\Documents and Settings\Administrator\Desktop
2007-06-09 19:44:37 0 d--hs---- C:\Documents and Settings\Administrator\Cookies
2007-06-09 19:44:37 0 dr-h----- C:\Documents and Settings\Administrator\Application Data
2007-06-09 19:44:37 0 d---s---- C:\Documents and Settings\Administrator\Application Data\Microsoft
2007-06-09 19:44:37 0 d-------- C:\Documents and Settings\Administrator\Application Data\Identities
2007-06-09 19:44:37 0 d-------- C:\Documents and Settings\Administrator\Application Data\Help
2007-06-09 19:44:35 1835008 --ah----- C:\Documents and Settings\Administrator\NTUSER.DAT
2007-06-09 16:14:41 0 d-------- C:\Hijackthis
2007-06-09 00:37:08 43567 --a------ C:\WINDOWS\system32\nvsvct1.exe
2007-06-09 00:36:17 109022 --a------ C:\WINDOWS\wr.exe
2007-06-09 00:36:16 106465 --a------ C:\WINDOWS\fd.exe
2007-06-07 14:11:09 0 d-------- C:\Documents and Settings\Fujitsu\Application Data\Talkback
2007-06-07 14:11:03 0 d-------- C:\Documents and Settings\Fujitsu\Application Data\Mozilla
2007-06-07 14:10:00 0 d-------- C:\Documents and Settings\All Users\Application Data\Mozilla
2007-06-04 21:30:34 0 d--hs---- C:\WINDOWS\system32\iyknukdrs
2007-06-01 00:52:23 0 d-------- C:\Program Files\iPod
2007-05-31 14:44:55 823296 --a------ C:\WINDOWS\system32\divx_xx07.dll <Not Verified; DivX, Inc.; DivX®>
2007-05-31 14:44:54 802816 --a------ C:\WINDOWS\system32\divx_xx11.dll <Not Verified; DivX, Inc.; DivX?>
2007-05-31 14:44:54 823296 --a------ C:\WINDOWS\system32\divx_xx0c.dll <Not Verified; DivX, Inc.; DivX®>
2007-05-31 14:44:54 740442 --a------ C:\WINDOWS\system32\DivX.dll <Not Verified; DivX, Inc.; DivX®>
2007-05-22 23:09:07 0 d-------- C:\Program Files\Skype
2007-05-22 23:09:06 0 d-------- C:\Program Files\Common Files\Skype


-- Find3M Report ---------------------------------------------------------------

2007-06-10 02:49:32 0 d-------- C:\Documents and Settings\Fujitsu\Application Data\Skype
2007-06-09 16:36:52 0 d-------- C:\Program Files\Common Files\Scanner
2007-06-09 16:36:45 0 d-------- C:\Program Files\Yahoo!
2007-06-09 14:28:09 0 d-------- C:\Program Files\DC++
2007-06-09 11:44:05 0 d-------- C:\Documents and Settings\Fujitsu\Application Data\U3
2007-06-09 00:36:17 0 d-------- C:\Documents and Settings\Fujitsu\Application Data\uTorrent
2007-06-07 19:24:21 0 d-------- C:\Program Files\DivX
2007-06-02 17:50:46 664 --a------ C:\WINDOWS\system32\d3d9caps.dat
2007-06-01 00:52:37 0 d-------- C:\Program Files\iTunes
2007-05-28 16:38:42 0 d-------- C:\Program Files\Hewlett-Packard
2007-05-11 00:52:30 0 d-------- C:\Program Files\QuickTime
2007-05-09 13:25:00 0 d-------- C:\Documents and Settings\Fujitsu\Application Data\LimeWire
2007-05-07 13:08:06 0 d-------- C:\Documents and Settings\Fujitsu\Application Data\Yahoo!
2007-04-23 08:15:29 3596288 --a------ C:\WINDOWS\system32\qt-dx331.dll
2007-04-23 08:02:34 196608 --a------ C:\WINDOWS\system32\dtu100.dll <Not Verified; DivX, Inc.; DivX, Inc. dtu100>
2007-04-23 08:02:34 73728 --a------ C:\WINDOWS\system32\dpl100.dll <Not Verified; DivX, Inc.; DivX, Inc. dpl100>
2007-04-23 08:01:47 12288 --a------ C:\WINDOWS\system32\DivXWMPExtType.dll
2007-04-15 14:34:26 0 d-------- C:\Program Files\Autodesk
2007-04-14 12:09:08 0 d-------- C:\Program Files\Java
2007-04-12 21:29:43 0 d-------- C:\Documents and Settings\Fujitsu\Application Data\Hamachi


-- Registry Dump ---------------------------------------------------------------

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects]
{02478D38-C3F9-4EFB-9B51-7695ECA05670} C:\Program Files\Yahoo!\Companion\Installs\cpn1\yt.dll
{22BF413B-C6D2-4d91-82A9-A0F997BA588C} C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll
{53707962-6F74-2D53-2644-206D7942484F} C:\PROGRA~1\SPYBOT~1\SDHelper.dll
{5CA3D70E-1895-11CF-8E15-001234567890} C:\WINDOWS\system32\dla\tfswshx.dll
{761497BB-D6F0-462C-B6EB-D4DAF1D92D43} C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
{9030D464-4C02-4ABF-8ECC-5164760863C6} C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run]
"DispSwitchLauncher"="C:\\Program Files\\Fujitsu\\DispSwitch\\DispSwitchLauncher.exe"
"AGRSMMSG"="AGRSMMSG.exe"
"Apoint"="C:\\Program Files\\Apoint2K\\Apoint.exe"
"ATIPTA"="C:\\Program Files\\ATI Technologies\\ATI Control Panel\\atiptaxx.exe"
"LoadFUJ02E3"="C:\\Program Files\\Fujitsu\\FUJ02E3\\FUJ02E3.exe"
"IndicatorUtility"="C:\\Program Files\\Fujitsu\\Fujitsu Hotkey Utility\\IndicatorUty.exe"
"LoadFujitsuQuickTouch"="C:\\Program Files\\Fujitsu\\Application Panel\\QuickTouch.exe"
"LoadBtnHnd"="C:\\Program Files\\Fujitsu\\BtnHnd\\BtnHnd.exe"
"dla"="C:\\WINDOWS\\system32\\dla\\tfswctrl.exe"
"FJUPDNV_Chitose"="C:\\Program Files\\Fujitsu\\updnavi\\updnavi.exe"
"ACU"="\"C:\\Program Files\\Atheros\\ACU.exe\" -nogui"
"IMJPMIG8.1"="\"C:\\WINDOWS\\IME\\imjp8_1\\IMJPMIG.EXE\" /Spoil /RemAdvDef /Migration32"
"MSPY2002"="C:\\WINDOWS\\system32\\IME\\PINTLGNT\\ImScInst.exe /SYNC"
"PHIME2002ASync"="C:\\WINDOWS\\system32\\IME\\TINTLGNT\\TINTSETP.EXE /SYNC"
"PHIME2002A"="C:\\WINDOWS\\system32\\IME\\TINTLGNT\\TINTSETP.EXE /IMEName"
"Norman ZANDA"="C:\\Norman\\Npm\\bin\\ZLH.EXE /LOAD /SPLASH"
"tsnp2std"="C:\\WINDOWS\\tsnp2std.exe"
"snp2std"="C:\\WINDOWS\\vsnp2std.exe"
"SunJavaUpdateSched"="\"C:\\Program Files\\Java\\jre1.6.0_01\\bin\\jusched.exe\""
"TkBellExe"="\"C:\\Program Files\\Common Files\\Real\\Update_OB\\realsched.exe\" -osboot"
"LtMoh"="C:\\Program Files\\ltmoh\\Ltmoh.exe"
"QuickTime Task"="\"C:\\Program Files\\QuickTime\\qttask.exe\" -atboottime"
"iTunesHelper"="\"C:\\Program Files\\iTunes\\iTunesHelper.exe\""

maple
2007-06-10, 04:55
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run]
"ctfmon.exe"="C:\\WINDOWS\\system32\\ctfmon.exe"
"MsnMsgr"="\"C:\\Program Files\\MSN Messenger\\MsnMsgr.Exe\" /background"
"Skype"="\"C:\\Program Files\\Skype\\Phone\\Skype.exe\" /nosplash /minimized"
"µTorrent"="\"C:\\Program Files\\utorrent\\utorrent.exe\""
"YSearchProtection"="C:\\Program Files\\Yahoo!\\Search Protection\\SearchProtection.exe"

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]
"NoAdminPage"="1"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\shellserviceobjectdelayload]
"UPnPMonitor"="{e57ce738-33e8-4c51-8354-bb4de9d215d1}"

HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa
Authentication Packages REG_MULTI_SZ msv1_0\0\0
Security Packages REG_MULTI_SZ kerberos\0msv1_0\0schannel\0wdigest\0\0
Notification Packages REG_MULTI_SZ scecli\0\0


[HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Svchost]
HTTPFilter REG_MULTI_SZ HTTPFilter\0\0
LocalService REG_MULTI_SZ Alerter\0WebClient\0LmHosts\0RemoteRegistry\0upnphost\0SSDPSRV\0\0
NetworkService REG_MULTI_SZ DnsCache\0\0
DcomLaunch REG_MULTI_SZ DcomLaunch\0TermService\0\0
rpcss REG_MULTI_SZ RpcSs\0\0
imgsvc REG_MULTI_SZ StiSvc\0\0
termsvcs REG_MULTI_SZ TermService\0\0

hklm\software\Microsoft\Windows NT\CurrentVersion\Svchost *netsvcs*
NtmlSvc


[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\G]
Shell\AutoRun\command G:\LaunchU3.exe -a

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{19f9f840-085f-11dc-815f-0017420bc2dd}]
Shell\AutoRun\command LaunchU3.exe -a

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{2ebae4d8-bcfb-11db-80e9-0017420bc2dd}]
Shell\Auto\command infrom.exe
Shell\AutoRun\command C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL infrom.exe

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{62b364e3-0617-11db-bfba-0017420bc2dd}]
Shell\AutoRun\command New Document.exe


-- End of Deckard's System Scanner: finished at 2007-06-10 at 03:05:31 ---------



Complete scanning result of "regedit.exe", received in VirusTotal at 06.09.2007, 21:25:16 (CET).

Antivirus Version Update Result
AhnLab-V3 2007.6.9.0 06.08.2007 no virus found
AntiVir 7.4.0.32 06.09.2007 no virus found
Authentium 4.93.8 05.23.2007 no virus found
Avast 4.7.997.0 06.09.2007 no virus found
AVG 7.5.0.467 06.09.2007 no virus found
BitDefender 7.2 06.09.2007 no virus found
CAT-QuickHeal 9.00 06.09.2007 no virus found
ClamAV devel-20070416 06.09.2007 no virus found
DrWeb 4.33 06.09.2007 no virus found
eSafe 7.0.15.0 06.06.2007 no virus found
eTrust-Vet 30.7.3707 06.09.2007 no virus found
Ewido 4.0 06.09.2007 no virus found
FileAdvisor 1 06.09.2007 No threat detected
Fortinet 2.85.0.0 06.09.2007 no virus found
F-Prot 4.3.2.48 06.08.2007 no virus found
F-Secure 6.70.13030.0 06.08.2007 no virus found
Ikarus T3.1.1.8 06.09.2007 no virus found
Kaspersky 4.0.2.24 06.09.2007 no virus found
McAfee 5049 06.08.2007 no virus found
Microsoft 1.2503 06.09.2007 no virus found
NOD32v2 2320 06.09.2007 no virus found
Norman 5.80.02 06.08.2007 no virus found
Panda 9.0.0.4 06.09.2007 no virus found
Prevx1 V2 06.09.2007 no virus found
Sophos 4.18.0 06.01.2007 no virus found
Sunbelt 2.2.907.0 06.09.2007 no virus found
Symantec 10 06.09.2007 no virus found
TheHacker 6.1.6.131 06.08.2007 no virus found
VBA32 3.12.0 06.07.2007 no virus found
VirusBuster 4.3.23:9 06.09.2007 no virus found
Webwasher-Gateway 6.0.1 06.09.2007 no virus found


Aditional Information
File size: 146432 bytes
MD5: 783afc80383c176b22dbf8333343992d
SHA1: 8829b5a655b9d480d0d4a8ab4faf219c89368ac1
Bit9 info: http://fileadvisor.bit9.com/services/extinfo.aspx?md5=783afc80383c176b22dbf8333343992d

maple
2007-06-10, 04:58
Hi, I searched for regedit.com, including hidden files and folders, in the C drive, Windows, then the system32 folder (pretty desperate :p:) but it turned up no results...

miekiemoes
2007-06-10, 08:58
Hi,

You have some nasty infections there... More than I thought.
Good that SDFix was able to fix a lot already.

regedit.exe is OK. It also has the correct MD5.

Let's deal with the rest now.

* Start HijackThis, close all open windows leaving only HijackThis running. Place a check against each of the following:

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://red.clientapps.yahoo.com/cust...search/ie.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://red.clientapps.yahoo.com/cust.../www.yahoo.com
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://red.clientapps.yahoo.com/cust.../www.yahoo.com
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O4 - Startup: csrss.lnk = ?

* Click on Fix Checked when finished and exit HijackThis.
Make sure your Internet Explorer is closed when you click Fix Checked!

I also see you were dealing with a flashdrive infection previously, so let's use the removal tool for it anyway. This one will also create a dummy folder to prevent further flashdrive infections.

* Download the next removal tool to your desktop:
http://www.techsupportforum.com/sectools/sUBs/Flash_Disinfector.exe
If you have been using any flashdrives previously, insert them as well, since this is a flashdrive infection and the above tool will disinfect them too.
Then double-click Flash_Disinfector.exe to run the tool.
Your desktop and icons will disappear afterwards. This is normal.
When the tool has finished, reboot your computer.

Then,

* Download the next tool to your desktop:
http://download.bleepingcomputer.com/sUBs/SvcQuery.exe

Double-click to run the tool.
When prompted to enter a service name, enter: NtmlSvc
When done, it will present a log showing the netsvcs entries before/after. There's no real need to post it.

Then...

Open Notepad and copy and paste the text in the quote box below into it:
(don't forget to copy and paste REGEDIT4)


REGEDIT4

[-HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{2ebae4d8-bcfb-11db-80e9-0017420bc2dd}]

[-HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{62b364e3-0617-11db-bfba-0017420bc2dd}]

[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list]
"c:\\windows\\system32\\nvsvct1.exe"=-

Save this as fix.reg. Choose to save as *all files* and place it on your desktop.
It should look like this: http://users.telenet.be/bluepatchy/miekiemoes/images/reg.gif
Double-click on it and when it asks you if you want to merge the contents into the registry, click yes/ok.
(In case you are unsure how to create a reg file, take a look here (http://www.nellie2.co.uk/file.htm#How_to_Make_a_.Reg_File_) with screenshots.)

* Please download the OTMoveIt by OldTimer (http://download.bleepingcomputer.com/oldtimer/OTMoveIt.exe).
Save it to your desktop.
Please double-click OTMoveIt.exe to run it.
Where it says: "Paste List of Files/Folders to be Moved", copy and paste the next (bold) part into that window:

C:\Documents and Settings\Fujitsu\Start Menu\Programs\Startup\csrss.lnk
C:\WINDOWS\system32\iyknukdrs
C:\WINDOWS\system32\nvsvct1.exe
C:\WINDOWS\wr.exe
C:\WINDOWS\fd.exe

Then click the red Moveit! button below.
Close OTMoveIt.
If a file or folder cannot be moved immediately you may be asked to reboot the machine to finish the move process. If you are asked to reboot the machine, choose Yes. It will then reboot your computer.
Even if OTMoveIt didn't ask to reboot your computer, reboot anyway, since moved files may still be in use.

Then, after reboot, go to the next folder: C:\_OTMoveIt\MovedFiles and search for the log: ********_******.log (the * stands for date and time) and post the contents of it in your next reply together with a new HijackThis log.
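To review what a fix.reg like the one above actually changes before merging it, here is an added example (not from this thread or its tools) that parses REGEDIT4 text and lists each delete-key, open-key, delete-value and set-value operation; the sample input is the fix posted above, with one of the two MountPoints2 entries left out for brevity.

```python
import re

# Constructed sample: the fix.reg text from the post above, with one of the
# two MountPoints2 entries omitted to keep the sample short.
FIX_REG = r'''REGEDIT4

[-HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{2ebae4d8-bcfb-11db-80e9-0017420bc2dd}]

[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list]
"c:\\windows\\system32\\nvsvct1.exe"=-
'''

# A value line is either @ (default value) or a quoted name, then '=' and data.
VALUE_RE = re.compile(r'^(@|"(?:[^"\\]|\\.)*")=(.*)$')

def parse_reg(text):
    """Return (operation, key, value_name, data) tuples for a REGEDIT4 file."""
    lines = text.splitlines()
    if not lines or lines[0].strip() != "REGEDIT4":
        raise ValueError("missing REGEDIT4 header; regedit will not merge this file")
    ops, key = [], None
    for raw in lines[1:]:
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[-") and line.endswith("]"):   # [-KEY] deletes the whole key
            ops.append(("delete_key", line[2:-1], None, None))
            key = None                                      # values may not follow a delete
        elif line.startswith("[") and line.endswith("]"):   # [KEY] opens (or creates) it
            key = line[1:-1]
            ops.append(("open_key", key, None, None))
        else:
            m = VALUE_RE.match(line)
            if not m or key is None:
                raise ValueError(f"cannot parse line: {raw!r}")
            name = "@" if m.group(1) == "@" else m.group(1)[1:-1].replace("\\\\", "\\")
            if m.group(2) == "-":                           # "name"=- deletes that value
                ops.append(("delete_value", key, name, None))
            else:
                ops.append(("set_value", key, name, m.group(2)))
    return ops

def summarize(ops):
    """One readable line per operation, for checking a fix before double-clicking it."""
    out = []
    for op, key, name, data in ops:
        if op == "delete_value":
            out.append(f"delete value {name!r} under {key}")
        elif op == "set_value":
            out.append(f"set value {name!r} = {data} under {key}")
        else:
            out.append(f"{op.replace('_', ' ')} {key}")
    return out

if __name__ == "__main__":
    print("\n".join(summarize(parse_reg(FIX_REG))))
```

Run on the sample, it reports two key deletions (the USB autorun MountPoints2 entry and the policies\system key that held the bogus restrictions) and the removal of the nvsvct1.exe entry from the firewall's authorized-applications list.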

miekiemoes
2007-06-10, 09:07
By the way, your regedit should work though. I can see why ComboFix gave that error: your regedit.exe and also notepad.exe were set with hidden attributes.

To resolve this, go to start > run and type: cmd

This should open a command prompt. Enter the next commands:
at the command prompt, type: cd C:\Windows and hit Enter

attrib -h -s -r regedit.exe and hit Enter

attrib -h -s -r notepad.exe and hit Enter

Close the command prompt.

maple
2007-06-10, 12:26
I ran HijackThis; all files could be fixed/deleted except for O4 - Startup: csrss.lnk. This comes up:

"Unexpected error occurred!
Error #52 (Bad file name or number) in Sub GetLongPath(?.exe).

Please send a report to merijn@spywareinfo.com, mentioning what you were doing, and what version of Windows you have.

This message has been copied to your clipboard."

and also

It also says that this csrss thingy could be in use, asking me to use Task Manager to close it and try HJT again. But going to Task Manager I don't see anything about it...

miekiemoes
2007-06-10, 13:07
Hi,

Yes, that's common with this infection. Just proceed with the next steps, that should cover that entry as well...

maple
2007-06-10, 13:07
C:\Documents and Settings\Fujitsu\Start Menu\Programs\Startup\csrss.lnk moved successfully.
C:\WINDOWS\system32\iyknukdrs moved successfully.
C:\WINDOWS\system32\nvsvct1.exe moved successfully.
C:\WINDOWS\wr.exe moved successfully.
C:\WINDOWS\fd.exe moved successfully.

Created on 06/10/2007 18:51:09

Logfile of HijackThis v1.99.1
Scan saved at 6:58:00 PM, on 6/10/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16441)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Norman\Npm\bin\ELOGSVC.EXE
C:\Norman\Npm\Bin\Zanda.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\SCardSvr.exe
C:\Program Files\Fujitsu\DispSwitch\DispSwitchLauncher.exe
C:\WINDOWS\AGRSMMSG.exe
C:\Program Files\Apoint2K\Apoint.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Program Files\Fujitsu\FUJ02E3\FUJ02E3.exe
C:\Program Files\Fujitsu\Fujitsu Hotkey Utility\IndicatorUty.exe
C:\Program Files\Fujitsu\Application Panel\QuickTouch.exe
C:\Program Files\Fujitsu\BtnHnd\BtnHnd.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\Program Files\Fujitsu\updnavi\updnavi.exe
C:\Program Files\Atheros\ACU.exe
C:\Norman\Npm\bin\ZLH.EXE
C:\WINDOWS\tsnp2std.exe
C:\WINDOWS\vsnp2std.exe
C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\ltmoh\Ltmoh.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Common Files\Autodesk Shared\Service\AdskScSrv.exe
C:\Program Files\Apoint2K\HidFind.exe
C:\Program Files\Apoint2K\Apntex.exe
C:\Program Files\MSN Messenger\MsnMsgr.Exe
C:\Program Files\Skype\Phone\Skype.exe
C:\WINDOWS\System32\svchost.exe
C:\Norman\Nvc\BIN\NIP.EXE
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Yahoo!\Search Protection\SearchProtection.exe
C:\WINDOWS\system32\wdfmgr.exe
C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Norman\Npm\bin\NJEEVES.EXE
C:\Norman\Nvc\BIN\NVCSCHED.EXE
C:\Norman\Nvc\bin\nvcoas.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\System32\alg.exe
C:\Program Files\Skype\Plugin Manager\skypePM.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Hijackthis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://weather.news.com.au/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn1\yt.dll
O2 - BHO: &Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn1\yt.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: Skype add-on (mastermind) - {22BF413B-C6D2-4d91-82A9-A0F997BA588C} - C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn1\yt.dll
O4 - HKLM\..\Run: [DispSwitchLauncher] C:\Program Files\Fujitsu\DispSwitch\DispSwitchLauncher.exe
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint2K\Apoint.exe
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [LoadFUJ02E3] C:\Program Files\Fujitsu\FUJ02E3\FUJ02E3.exe
O4 - HKLM\..\Run: [IndicatorUtility] C:\Program Files\Fujitsu\Fujitsu Hotkey Utility\IndicatorUty.exe
O4 - HKLM\..\Run: [LoadFujitsuQuickTouch] C:\Program Files\Fujitsu\Application Panel\QuickTouch.exe
O4 - HKLM\..\Run: [LoadBtnHnd] C:\Program Files\Fujitsu\BtnHnd\BtnHnd.exe
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [FJUPDNV_Chitose] C:\Program Files\Fujitsu\updnavi\updnavi.exe
O4 - HKLM\..\Run: [ACU] "C:\Program Files\Atheros\ACU.exe" -nogui
O4 - HKLM\..\Run: [IMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [MSPY2002] C:\WINDOWS\system32\IME\PINTLGNT\ImScInst.exe /SYNC
O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /SYNC
O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /IMEName
O4 - HKLM\..\Run: [Norman ZANDA] C:\Norman\Npm\bin\ZLH.EXE /LOAD /SPLASH
O4 - HKLM\..\Run: [tsnp2std] C:\WINDOWS\tsnp2std.exe
O4 - HKLM\..\Run: [snp2std] C:\WINDOWS\vsnp2std.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe"
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [LtMoh] C:\Program Files\ltmoh\Ltmoh.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [Skype] "C:\Program Files\Skype\Phone\Skype.exe" /nosplash /minimized
O4 - HKCU\..\Run: [µTorrent] "C:\Program Files\utorrent\utorrent.exe"
O4 - HKCU\..\Run: [YSearchProtection] C:\Program Files\Yahoo!\Search Protection\SearchProtection.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: AutoCAD Startup Accelerator.lnk = C:\Program Files\Common Files\Autodesk Shared\acstart16.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra button: Skype - {77BF5300-1474-4EC7-9980-D32B190E9B07} - C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O11 - Options group: [INTERNATIONAL] International*
O14 - IERESET.INF: START_PAGE_URL=http://www.pc-ap.fujitsu.com/
O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - http://us.dl1.yimg.com/download.yahoo.com/dl/installs/yinst20040510.cab
O16 - DPF: {7B297BFD-85E4-4092-B2AF-16A91B2EA103} (WScanCtl Class) - http://www.ca.com/us/securityadvisor/virusinfo/webscan.cab
O16 - DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsPAClient.cab56907.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O23 - Service: Atheros Configuration Service (ACS) - Unknown owner - C:\WINDOWS\system32\ACS.exe (file missing)
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: Autodesk Licensing Service - Autodesk - C:\Program Files\Common Files\Autodesk Shared\Service\AdskScSrv.exe
O23 - Service: Norman eLogger service 6 (eLoggerSvc6) - Norman ASA - C:\Norman\Npm\bin\ELOGSVC.EXE
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Norman NJeeves - Unknown owner - C:\Norman\Npm\bin\NJEEVES.EXE
O23 - Service: Norman ZANDA - Norman ASA - C:\Norman\Npm\Bin\Zanda.exe
O23 - Service: Norman Virus Control on-access component (nvcoas) - Norman ASA - C:\Norman\Nvc\bin\nvcoas.exe
O23 - Service: Norman Virus Control Scheduler (NVCScheduler) - Norman ASA - C:\Norman\Nvc\BIN\NVCSCHED.EXE
O23 - Service: O2Micro Flash Memory (O2Flash) - Unknown owner - C:\WINDOWS\system32\o2flash.exe (file missing)
O23 - Service: RaySat_3dsmax8 Server (RaySat_3dsmax8Server) - Unknown owner - C:\Program Files\Autodesk\VIZ2007\mentalray\satellite\raysat_3dsmax8server.exe (file missing)

miekiemoes
2007-06-10, 13:18
That worked :)

Your HijackThis log looks clean again.
Just some final cleanup now.

* Open OTMoveIt and click the CleanUp! button on top.
In the left pane, it will display a list of tools and other related files which you may have downloaded/used during our cleanup, plus backup folders that were created with the bad files present. They are not needed anymore, so OTMoveIt will delete them.
Do not edit anything in that Window!
Don't worry if it displays some tools you didn't download/use.
Click Yes when it asks to Begin cleanup process.
Then reboot your computer.

Let me know in your next reply how things are now.

maple
2007-06-10, 15:22
:eek: it's fixed!! or so it seems...:rolleyes:

I ran a couple of scans with Spybot; no immediate threats were found. After reboot, the missing csrss thingy doesn't appear anymore, my MSN is working back to normal. It's all great!!

Thanks so much for the speedy help! Even my friend said this is the first time he's seen someone get rid of trojans so fast! All credits to u :)

miekiemoes
2007-06-10, 15:26
even my friend said this is the first time he's seen someone get rid of trojans so fast! all credits to u
LOL!
Now make sure this won't happen again, so read my Prevention page (http://users.telenet.be/bluepatchy/miekiemoes/prevention.html) with lots of info and tips on how to prevent this in the future.
And if you want to improve speed/system performance after malware removal, take a look here (http://users.telenet.be/bluepatchy/miekiemoes/slowcomputer.html).

Happy Surfing again!