View Full Version : Rootkit: srosa.sys, hldrrr.exe, rkhdrv40.sys
leifhassell
2008-01-04, 02:08
I think I've got all the right reports... here are the logs.
HJT log:
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 6:03:19 PM, on 1/3/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16574)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\SOUNDMAN.EXE
C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb07.exe
C:\Program Files\Visioneer OneTouch\OneTouchMon.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Program Files\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe
C:\Program Files\DynDNS Updater\DynDNS.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Pinnacle\Shared Files\Programs\Remote\Remoterm.exe
C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
C:\PROGRA~1\MOZILL~1\FIREFOX.EXE
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: Winamp Toolbar BHO - {25CEE8EC-5730-41bc-8B58-22DDC8AB8C20} - C:\Program Files\Winamp Toolbar\winamptb.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O2 - BHO: Adobe PDF Conversion Toolbar Helper - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: Winamp Toolbar - {EBF2BA02-9094-4c5a-858B-BB198F3D8DE2} - C:\Program Files\Winamp Toolbar\winamptb.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\VPTray.exe
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb07.exe
O4 - HKLM\..\Run: [OneTouch Monitor] C:\Program Files\Visioneer OneTouch\OneTouchMon.exe
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"
O4 - HKLM\..\Run: [Acrobat Assistant 8.0] "C:\Program Files\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe"
O4 - HKCU\..\Run: [DynDNS Updater] "C:\Program Files\DynDNS Updater\DynDNS.exe"
O4 - HKCU\..\Run: [PPWebCap] C:\PROGRA~1\ScanSoft\PAPERP~1\PPWebCap.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [PMCRemote] C:\Program Files\Pinnacle\Shared Files\Programs\Remote\Remoterm.exe
O4 - HKCU\..\Run: [PMCLoader] C:\Program Files\Pinnacle\TVCenter Pro\PMCLoader.exe -checktasks
O4 - HKCU\..\Run: [drvsyskit] C:\WINDOWS\system32\drivers\hldrrr.exe
O8 - Extra context menu item: &Winamp Toolbar Search - C:\Documents and Settings\All Users\Application Data\Winamp Toolbar\ieToolbar\resources\en-US\local\search.html
O8 - Extra context menu item: Append to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert link target to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert link target to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert selected links to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
O8 - Extra context menu item: Convert selected links to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
O8 - Extra context menu item: Convert selection to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert selection to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/english/kavwebscan_unicode.cab
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/SharedContent/vc/bin/AvSniff.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1187354856624
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1187355034171
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: DiRT Drivers Auto Removal (pr2ah4nc) (pr2ah4nc) - CODEMASTERS - C:\WINDOWS\system32\pr2ah4nc.exe
O23 - Service: SAVRoam (SavRoam) - symantec - C:\Program Files\Symantec AntiVirus\SavRoam.exe
O23 - Service: Symantec AntiVirus - Unknown owner - C:\Program Files\Symantec AntiVirus\Rtvscan.exe (file missing)
--
End of file - 7392 bytes
Kaspersky log to follow.
leifhassell
2008-01-04, 02:09
Here is the Kaspersky log:
-------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER REPORT
Thursday, January 03, 2008 6:01:41 PM
Operating System: Microsoft Windows XP Home Edition, Service Pack 2 (Build 2600)
Kaspersky Online Scanner version: 5.0.98.0
Kaspersky Anti-Virus database last update: 3/01/2008
Kaspersky Anti-Virus database records: 502102
-------------------------------------------------------------------------------
Scan Settings:
Scan using the following antivirus database: extended
Scan Archives: true
Scan Mail Bases: true
Scan Target - My Computer:
C:\
D:\
E:\
F:\
Scan Statistics:
Total number of scanned objects: 285607
Number of viruses found: 2
Number of infected objects: 17
Number of suspicious objects: 0
Duration of the scan process: 05:34:11
Infected Object Name / Virus Name / Last Action
C:\!KillBox\hldrrr.exe( 1) Infected: Trojan-Downloader.Win32.Bagle.hi skipped
C:\!KillBox\hldrrr.exe( 2) Infected: Trojan-Downloader.Win32.Bagle.hi skipped
C:\!KillBox\hldrrr.exe( 3) Infected: Trojan-Downloader.Win32.Bagle.hi skipped
C:\Documents and Settings\Leif Hassell\Application Data\Mozilla\Firefox\Profiles\5z4o0isa.default\cert8.db Object is locked skipped
C:\Documents and Settings\Leif Hassell\Application Data\Mozilla\Firefox\Profiles\5z4o0isa.default\history.dat Object is locked skipped
C:\Documents and Settings\Leif Hassell\Application Data\Mozilla\Firefox\Profiles\5z4o0isa.default\key3.db Object is locked skipped
C:\Documents and Settings\Leif Hassell\Application Data\Mozilla\Firefox\Profiles\5z4o0isa.default\parent.lock Object is locked skipped
C:\Documents and Settings\Leif Hassell\Application Data\Mozilla\Firefox\Profiles\5z4o0isa.default\search.sqlite Object is locked skipped
C:\Documents and Settings\Leif Hassell\Application Data\Mozilla\Firefox\Profiles\5z4o0isa.default\simplemail\simplemail.sqlite Object is locked skipped
C:\Documents and Settings\Leif Hassell\Application Data\Mozilla\Firefox\Profiles\5z4o0isa.default\urlclassifier2.sqlite Object is locked skipped
C:\Documents and Settings\Leif Hassell\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\Leif Hassell\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\Leif Hassell\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\Leif Hassell\Local Settings\Application Data\Mozilla\Firefox\Profiles\5z4o0isa.default\Cache\_CACHE_001_ Object is locked skipped
C:\Documents and Settings\Leif Hassell\Local Settings\Application Data\Mozilla\Firefox\Profiles\5z4o0isa.default\Cache\_CACHE_002_ Object is locked skipped
C:\Documents and Settings\Leif Hassell\Local Settings\Application Data\Mozilla\Firefox\Profiles\5z4o0isa.default\Cache\_CACHE_003_ Object is locked skipped
C:\Documents and Settings\Leif Hassell\Local Settings\Application Data\Mozilla\Firefox\Profiles\5z4o0isa.default\Cache\_CACHE_MAP_ Object is locked skipped
C:\Documents and Settings\Leif Hassell\Local Settings\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\Leif Hassell\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\Leif Hassell\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\Leif Hassell\NTUSER.DAT.LOG Object is locked skipped
C:\Documents and Settings\LocalService\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\LocalService\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\NetworkService\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\NetworkService\ntuser.dat.LOG Object is locked skipped
C:\Program Files\ScanSoft\PaperPort\PPWEBCAP.EXE Infected: Trojan-Downloader.Win32.Bagle.hi skipped
C:\Program Files\Symantec AntiVirus\SAVRT\0103NAV~.TMP Object is locked skipped
C:\Program Files\Symantec AntiVirus\SAVRT\0448NAV~.TMP Object is locked skipped
C:\System Volume Information\MountPointManagerRemoteDatabase Object is locked skipped
C:\System Volume Information\_restore{16AE3587-496B-453B-B798-C1A607D8D4A7}\RP189\A0081206.exe Infected: Trojan-Downloader.Win32.Bagle.hi skipped
C:\System Volume Information\_restore{16AE3587-496B-453B-B798-C1A607D8D4A7}\RP191\A0081789.exe Infected: Trojan-Downloader.Win32.Bagle.hi skipped
C:\System Volume Information\_restore{16AE3587-496B-453B-B798-C1A607D8D4A7}\RP191\A0082789.exe Infected: Trojan-Downloader.Win32.Bagle.hi skipped
C:\System Volume Information\_restore{16AE3587-496B-453B-B798-C1A607D8D4A7}\RP191\A0082807.exe Infected: Trojan-Downloader.Win32.Bagle.hi skipped
C:\System Volume Information\_restore{16AE3587-496B-453B-B798-C1A607D8D4A7}\RP191\A0082837.exe Infected: Trojan-Downloader.Win32.Bagle.hi skipped
C:\System Volume Information\_restore{16AE3587-496B-453B-B798-C1A607D8D4A7}\RP191\A0083840.exe Infected: Trojan-Downloader.Win32.Bagle.hi skipped
C:\System Volume Information\_restore{16AE3587-496B-453B-B798-C1A607D8D4A7}\RP191\A0083850.exe Infected: Trojan-Downloader.Win32.Bagle.hi skipped
C:\System Volume Information\_restore{16AE3587-496B-453B-B798-C1A607D8D4A7}\RP191\A0083864.exe Infected: Trojan-Downloader.Win32.Bagle.hi skipped
C:\System Volume Information\_restore{16AE3587-496B-453B-B798-C1A607D8D4A7}\RP191\A0083899.exe Infected: Trojan-Downloader.Win32.Bagle.hi skipped
C:\System Volume Information\_restore{16AE3587-496B-453B-B798-C1A607D8D4A7}\RP191\A0084899.exe Infected: Trojan-Downloader.Win32.Bagle.hi skipped
C:\System Volume Information\_restore{16AE3587-496B-453B-B798-C1A607D8D4A7}\RP191\change.log Object is locked skipped
C:\WINDOWS\$NtUninstallKB828741$\catsrv.dll Object is locked skipped
C:\WINDOWS\$NtUninstallKB828741$\catsrvut.dll Object is locked skipped
C:\WINDOWS\$NtUninstallKB828741$\clbcatex.dll Object is locked skipped
C:\WINDOWS\$NtUninstallKB828741$\clbcatq.dll Object is locked skipped
C:\WINDOWS\$NtUninstallKB828741$\colbact.dll Object is locked skipped
C:\WINDOWS\$NtUninstallKB828741$\comadmin.dll Object is locked skipped
C:\WINDOWS\$NtUninstallKB828741$\comsvcs.dll Object is locked skipped
C:\WINDOWS\$NtUninstallKB828741$\comuid.dll Object is locked skipped
C:\WINDOWS\$NtUninstallKB828741$\es.dll Object is locked skipped
C:\WINDOWS\$NtUninstallKB828741$\kb828741.cat Object is locked skipped
C:\WINDOWS\$NtUninstallKB828741$\msdtcprx.dll Object is locked skipped
C:\WINDOWS\$NtUninstallKB828741$\msdtctm.dll Object is locked skipped
C:\WINDOWS\$NtUninstallKB828741$\msdtcuiu.dll Object is locked skipped
C:\WINDOWS\$NtUninstallKB828741$\mtxclu.dll Object is locked skipped
C:\WINDOWS\$NtUninstallKB828741$\mtxoci.dll Object is locked skipped
C:\WINDOWS\$NtUninstallKB828741$\ole32.dll Object is locked skipped
C:\WINDOWS\$NtUninstallKB828741$\rpcrt4.dll Object is locked skipped
C:\WINDOWS\$NtUninstallKB828741$\rpcss.dll Object is locked skipped
C:\WINDOWS\$NtUninstallKB828741$\txflog.dll Object is locked skipped
C:\WINDOWS\$NtUninstallKB828741_RTM$\catsrv.dll Object is locked skipped
C:\WINDOWS\$NtUninstallKB828741_RTM$\catsrvut.dll Object is locked skipped
C:\WINDOWS\$NtUninstallKB828741_RTM$\clbcatex.dll Object is locked skipped
C:\WINDOWS\$NtUninstallKB828741_RTM$\clbcatq.dll Object is locked skipped
C:\WINDOWS\$NtUninstallKB828741_RTM$\colbact.dll Object is locked skipped
C:\WINDOWS\$NtUninstallKB828741_RTM$\comadmin.dll Object is locked skipped
C:\WINDOWS\$NtUninstallKB828741_RTM$\comrepl.exe Object is locked skipped
C:\WINDOWS\$NtUninstallKB828741_RTM$\comsvcs.dll Object is locked skipped
C:\WINDOWS\$NtUninstallKB828741_RTM$\comuid.dll Object is locked skipped
C:\WINDOWS\$NtUninstallKB828741_RTM$\es.dll Object is locked skipped
C:\WINDOWS\$NtUninstallKB828741_RTM$\migregdb.exe Object is locked skipped
C:\WINDOWS\$NtUninstallKB828741_RTM$\msdtcprx.dll Object is locked skipped
C:\WINDOWS\$NtUninstallKB828741_RTM$\msdtctm.dll Object is locked skipped
C:\WINDOWS\$NtUninstallKB828741_RTM$\msdtcuiu.dll Object is locked skipped
C:\WINDOWS\$NtUninstallKB828741_RTM$\mtxclu.dll Object is locked skipped
C:\WINDOWS\$NtUninstallKB828741_RTM$\mtxoci.dll Object is locked skipped
C:\WINDOWS\$NtUninstallKB828741_RTM$\ole32.dll Object is locked skipped
C:\WINDOWS\$NtUninstallKB828741_RTM$\rpcrt4.dll Object is locked skipped
C:\WINDOWS\$NtUninstallKB828741_RTM$\rpcss.dll Object is locked skipped
C:\WINDOWS\$NtUninstallKB828741_RTM$\txflog.dll Object is locked skipped
C:\WINDOWS\$NtUninstallKB835732$\callcont.dll Object is locked skipped
C:\WINDOWS\$NtUninstallKB835732$\evtgprov.dll Object is locked skipped
C:\WINDOWS\$NtUninstallKB835732$\gdi32.dll Object is locked skipped
C:\WINDOWS\$NtUninstallKB835732$\h323.tsp Object is locked skipped
C:\WINDOWS\$NtUninstallKB835732$\h323msp.dll Object is locked skipped
C:\WINDOWS\$NtUninstallKB835732$\helpctr.exe Object is locked skipped
C:\WINDOWS\$NtUninstallKB835732$\ipnathlp.dll Object is locked skipped
C:\WINDOWS\$NtUninstallKB835732$\kb835732.cat Object is locked skipped
C:\WINDOWS\$NtUninstallKB835732$\lsasrv.dll Object is locked skipped
C:\WINDOWS\$NtUninstallKB835732$\mf3216.dll Object is locked skipped
C:\WINDOWS\$NtUninstallKB835732$\msasn1.dll Object is locked skipped
C:\WINDOWS\$NtUninstallKB835732$\msgina.dll Object is locked skipped
C:\WINDOWS\$NtUninstallKB835732$\mst120.dll Object is locked skipped
C:\WINDOWS\$NtUninstallKB835732$\netapi32.dll Object is locked skipped
C:\WINDOWS\$NtUninstallKB835732$\nmcom.dll Object is locked skipped
C:\WINDOWS\$NtUninstallKB835732$\rtcdll.dll Object is locked skipped
C:\WINDOWS\$NtUninstallKB835732$\schannel.dll Object is locked skipped
C:\WINDOWS\$NtUninstallKB835732_RTM$\browser.dll Object is locked skipped
C:\WINDOWS\$NtUninstallKB835732_RTM$\callcont.dll Object is locked skipped
C:\WINDOWS\$NtUninstallKB835732_RTM$\gdi32.dll Object is locked skipped
C:\WINDOWS\$NtUninstallKB835732_RTM$\h323.tsp Object is locked skipped
C:\WINDOWS\$NtUninstallKB835732_RTM$\h323msp.dll Object is locked skipped
C:\WINDOWS\$NtUninstallKB835732_RTM$\helpctr.exe Object is locked skipped
C:\WINDOWS\$NtUninstallKB835732_RTM$\ipnathlp.dll Object is locked skipped
C:\WINDOWS\$NtUninstallKB835732_RTM$\lsasrv.dll Object is locked skipped
C:\WINDOWS\$NtUninstallKB835732_RTM$\mf3216.dll Object is locked skipped
C:\WINDOWS\$NtUninstallKB835732_RTM$\msasn1.dll Object is locked skipped
C:\WINDOWS\$NtUninstallKB835732_RTM$\msgina.dll Object is locked skipped
C:\WINDOWS\$NtUninstallKB835732_RTM$\mst120.dll Object is locked skipped
C:\WINDOWS\$NtUninstallKB835732_RTM$\netapi32.dll Object is locked skipped
C:\WINDOWS\$NtUninstallKB835732_RTM$\nmcom.dll Object is locked skipped
C:\WINDOWS\$NtUninstallKB835732_RTM$\rtcdll.dll Object is locked skipped
C:\WINDOWS\$NtUninstallKB835732_RTM$\schannel.dll Object is locked skipped
C:\WINDOWS\$NtUninstallQ329048$\reg00001 Object is locked skipped
C:\WINDOWS\$NtUninstallQ329390$\reg00001 Object is locked skipped
C:\WINDOWS\$NtUninstallQ329834$\reg00001 Object is locked skipped
C:\WINDOWS\Debug\PASSWD.LOG Object is locked skipped
C:\WINDOWS\Installer\{6BE2A4A4-99FB-48ED-AE1E-4E850389F804}\PQBoot.exe Object is locked skipped
C:\WINDOWS\SchedLgU.Txt Object is locked skipped
C:\WINDOWS\Sti_Trace.log Object is locked skipped
C:\WINDOWS\system32\CatRoot2\edb.log Object is locked skipped
C:\WINDOWS\system32\CatRoot2\tmp.edb Object is locked skipped
C:\WINDOWS\system32\config\AppEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\default Object is locked skipped
C:\WINDOWS\system32\config\default.LOG Object is locked skipped
C:\WINDOWS\system32\config\Internet.evt Object is locked skipped
C:\WINDOWS\system32\config\SAM Object is locked skipped
C:\WINDOWS\system32\config\SAM.LOG Object is locked skipped
C:\WINDOWS\system32\config\SecEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\SECURITY Object is locked skipped
C:\WINDOWS\system32\config\SECURITY.LOG Object is locked skipped
C:\WINDOWS\system32\config\software Object is locked skipped
C:\WINDOWS\system32\config\software.LOG Object is locked skipped
C:\WINDOWS\system32\config\SysEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\system Object is locked skipped
C:\WINDOWS\system32\config\system.LOG Object is locked skipped
C:\WINDOWS\system32\h323log.txt Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\INDEX.BTR Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\INDEX.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING.VER Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING1.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING2.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.DATA Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.MAP Object is locked skipped
C:\WINDOWS\wiadebug.log Object is locked skipped
C:\WINDOWS\wiaservc.log Object is locked skipped
E:\Old Program Files\Bluetack\Blocklist Manager\Tools\ipscan.exe Infected: not-a-virus:NetTool.Win32.Portscan.c skipped
E:\System Volume Information\_restore{16AE3587-496B-453B-B798-C1A607D8D4A7}\RP191\change.log Object is locked skipped
F:\Incoming\On2Share for Winamp 3.0.3.zip/On2Share for Winamp 3.0.3.exe Infected: Trojan-Downloader.Win32.Bagle.hi skipped
F:\Incoming\On2Share for Winamp 3.0.3.zip ZIP: infected - 1 skipped
F:\System Volume Information\MountPointManagerRemoteDatabase Object is locked skipped
F:\System Volume Information\_restore{16AE3587-496B-453B-B798-C1A607D8D4A7}\RP191\change.log Object is locked skipped
Scan process completed.
Rorschach112
2008-01-05, 02:24
Hello
Please download and unzip Icesword (http://mail.ustc.edu.cn/~jfpan/download/IceSword122en.zip)to its own folder
If you get a lot of "red entries" in an IceSword log, don't panic.
Step 1: Run IceSword. Click the "Processes" tab and watch for processes displayed in red color. A red colored process in this list indicates that it's hidden. Note the filenames of processes in red color. Also, make a note of the folders.
Step 2: Click the "Win32 Services" tab and look out for red colored entry in the services list. This red colored service entry indicates that it’s rooted. Note the name of this service.
Step 3: Now, click "SSDT" tab and check for red colored entries. If there are any, note the file and folder names.
Now post all of the data collected under the headings
Processes
Win32 Services
SSDT
leifhassell
2008-01-07, 01:28
Process Log (Dumped from Icesword)
Process:
System Idle Process
System
C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
C:\WINDOWS\system32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\Documents and Settings\Leif Hassell\Desktop\IceSword122en\IceSword.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb07.exe
C:\Program Files\Visioneer OneTouch\OneTouchMon.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Adobe\Acrobat 8.0\Acrobat\acrotray.exe
C:\Program Files\DynDNS Updater\DynDNS.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\drivers\hldrrr.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\WINDOWS\system32\msiexec.exe
Services Log (Dumped from Icesword)
Note: No red entries in this log.
Started Service:
Service Name:AudioSrv Display Name:Windows Audio
Service Name:CryptSvc Display Name:Cryptographic Services
Service Name:DcomLaunch Display Name:DCOM Server Process Launcher
Service Name:Dhcp Display Name:DHCP Client
Service Name:Dnscache Display Name:DNS Client
Service Name:ERSvc Display Name:Error Reporting Service
Service Name:Eventlog Display Name:Event Log
Service Name:EventSystem Display Name:COM+ Event System
Service Name:FastUserSwitchingCompatibility Display Name:Fast User Switching Compatibility
Service Name:FLEXnet Licensing Service Display Name:FLEXnet Licensing Service
Service Name:helpsvc Display Name:Help and Support
Service Name:lanmanserver Display Name:Server
Service Name:lanmanworkstation Display Name:Workstation
Service Name:LmHosts Display Name:TCP/IP NetBIOS Helper
Service Name:MSIServer Display Name:Windows Installer
Service Name:Netman Display Name:Network Connections
Service Name:Nla Display Name:Network Location Awareness (NLA)
Service Name:NVSvc Display Name:NVIDIA Display Driver Service
Service Name:PlugPlay Display Name:Plug and Play
Service Name:PolicyAgent Display Name:IPSEC Services
Service Name:ProtectedStorage Display Name:Protected Storage
Service Name:RasMan Display Name:Remote Access Connection Manager
Service Name:RpcSs Display Name:Remote Procedure Call (RPC)
Service Name:SamSs Display Name:Security Accounts Manager
Service Name:Schedule Display Name:Task Scheduler
Service Name:seclogon Display Name:Secondary Logon
Service Name:SENS Display Name:System Event Notification
Service Name:ShellHWDetection Display Name:Shell Hardware Detection
Service Name:Spooler Display Name:Print Spooler
Service Name:srservice Display Name:System Restore Service
Service Name:SSDPSRV Display Name:SSDP Discovery Service
Service Name:stisvc Display Name:Windows Image Acquisition (WIA)
Service Name:TapiSrv Display Name:Telephony
Service Name:TermService Display Name:Terminal Services
Service Name:Themes Display Name:Themes
Service Name:TrkWks Display Name:Distributed Link Tracking Client
Service Name:W32Time Display Name:Windows Time
Service Name:WebClient Display Name:WebClient
Service Name:winmgmt Display Name:Windows Management Instrumentation
SSDT Log (Manual Transcription- Red entries only)
Index | Current Address |KModule | Original Address | Name
0x1F 0x89C3B260 Unknown 0x805986E6 NtConnectPort
0x25 0xB5F3D760 \??\C:\WINDOWS\system32\drivers\srosa.sys 0x8056D3CA NtCreateFile
0x47 0xB5F3DAA4 \??\C:\WINDOWS\system32\drivers\srosa.sys 0x806196C6 NtEnumerateKey
0x49 0xB5F3D7F0 \??\C:\WINDOWS\system32\drivers\srosa.sys 0x80619930 NtEnumerateValueKey
0x91 0xB5F3DD44 \??\C:\WINDOWS\system32\drivers\srosa.sys 0x8056E1C2 NtQueryDirectoryFile
0xA0 0xB5F3E112 \??\C:\WINDOWS\system32\drivers\srosa.sys 0x8061A540 NtQueryKey
0xAD 0xB5F3DEEA \??\C:\WINDOWS\system32\drivers\srosa.sys 0x806065E4 NtQuerySystemInformation
Rorschach112
2008-01-07, 19:09
Hello
Run IceSword.exe
Step 1: Now, we will remove the rootkit! Click the "Processes" tab and right-click on the following red colored processes one by one, and choose "Terminate Process". This will kill the rooted processes.
C:\WINDOWS\system32\drivers\hldrrr.exe
Step 2: Now, we have to delete the rooted files. Click "File" tab in IceSword. This will display the Windows Explorer type interface. Navigate to the following and delete the files in bold
C:\WINDOWS\system32\drivers\hldrrr.exe
C:\Windows\System32\drivers\srosa.sys
Reboot your PC and run IceSword again and post the log, taking note of any entries in red.
Then do this
Please download Deckard's System Scanner (DSS) (http://www.techsupportforum.com/sectools/Deckard/dss.exe) and save it to your Desktop.
Close all other windows before proceeding.
Double-click on dss.exe and follow the prompts.
If your anti-virus or firewall complains, please allow this script to run as it is not malicious.
When it has finished, dss will open two Notepads main.txt and extra.txt -- please copy (CTRL+A and then CTRL+C) and paste (CTRL+V) the contents of main.txt and extra.txt in your next reply.
leifhassell
2008-01-07, 20:08
Thanks for all your help so far.
Note: I don't have AV software running at the moment, as the rootkit in question has deleted every AV and spybot file I have.
Now, as to the logs:
Icesword Prosesses list: (after deleting the process, files, then rebooting)
This time, not only did the hldrrr.exe process return, it returned twice.
Process:
System Idle Process
System
C:\WINDOWS\system32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb07.exe
C:\Program Files\Visioneer OneTouch\OneTouchMon.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Adobe\Acrobat 8.0\Acrobat\acrotray.exe
C:\Program Files\DynDNS Updater\DynDNS.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\drivers\hldrrr.exe
C:\WINDOWS\system32\drivers\hldrrr.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
C:\WINDOWS\system32\wbem\wmiprvse.exe
C:\Program Files\Adobe\Acrobat 8.0\Acrobat\acrodist.exe
C:\Documents and Settings\Leif Hassell\Desktop\IceSword122en\IceSword.exe
Icesword SSDT log: (again, post reboot)
Index | Current Address |KModule | Original Address | Name
0x1F 0x89C3B260 Unknown 0x805986E6 NtConnectPort
0x25 0xB5F3D760 \??\C:\WINDOWS\system32\drivers\srosa.sys 0x8056D3CA NtCreateFile
0x47 0xB5F3DAA4 \??\C:\WINDOWS\system32\drivers\srosa.sys 0x806196C6 NtEnumerateKey
0x49 0xB5F3D7F0 \??\C:\WINDOWS\system32\drivers\srosa.sys 0x80619930 NtEnumerateValueKey
0x91 0xB5F3DD44 \??\C:\WINDOWS\system32\drivers\srosa.sys 0x8056E1C2 NtQueryDirectoryFile
0xA0 0xB5F3E112 \??\C:\WINDOWS\system32\drivers\srosa.sys 0x8061A540 NtQueryKey
0xAD 0xB5F3DEEA \??\C:\WINDOWS\system32\drivers\srosa.sys 0x806065E4 NtQuerySystemInformation
I'll put the DSS logs in the next post.
leifhassell
2008-01-07, 20:13
Now for the DSS logs.
Main.txt (1st half)
Deckard's System Scanner v20071014.68
Run by Leif Hassell on 2008-01-07 11:56:39
Computer is in Normal Mode.
--------------------------------------------------------------------------------
-- System Restore --------------------------------------------------------------
Successfully created a Deckard's System Scanner Restore Point.
-- Last 5 Restore Point(s) --
94: 2008-01-07 17:57:03 UTC - RP192 - Deckard's System Scanner Restore Point
93: 2008-01-02 23:45:21 UTC - RP191 - Removed Logitech Gaming Software 5.01.
92: 2008-01-02 23:41:58 UTC - RP190 - Removed GB-PVR
91: 2008-01-02 18:36:53 UTC - RP189 - System Checkpoint
90: 2008-01-01 09:00:36 UTC - RP188 - Software Distribution Service 3.0
-- First Restore Point --
1: 2007-10-04 22:08:22 UTC - RP99 - System Checkpoint
Backed up registry hives.
Performed disk cleanup.
-- HijackThis (run as Leif Hassell.exe) ----------------------------------------
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 11:59:17 AM, on 1/7/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16574)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\SOUNDMAN.EXE
C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb07.exe
C:\Program Files\Visioneer OneTouch\OneTouchMon.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Program Files\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe
C:\Program Files\DynDNS Updater\DynDNS.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
C:\Documents and Settings\Leif Hassell\Desktop\dss.exe
C:\PROGRA~1\TRENDM~1\HIJACK~1\Leif Hassell.exe
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: Winamp Toolbar BHO - {25CEE8EC-5730-41bc-8B58-22DDC8AB8C20} - C:\Program Files\Winamp Toolbar\winamptb.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O2 - BHO: Adobe PDF Conversion Toolbar Helper - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: Winamp Toolbar - {EBF2BA02-9094-4c5a-858B-BB198F3D8DE2} - C:\Program Files\Winamp Toolbar\winamptb.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\VPTray.exe
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb07.exe
O4 - HKLM\..\Run: [OneTouch Monitor] C:\Program Files\Visioneer OneTouch\OneTouchMon.exe
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"
O4 - HKLM\..\Run: [Acrobat Assistant 8.0] "C:\Program Files\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe"
O4 - HKCU\..\Run: [DynDNS Updater] "C:\Program Files\DynDNS Updater\DynDNS.exe"
O4 - HKCU\..\Run: [PPWebCap] C:\PROGRA~1\ScanSoft\PAPERP~1\PPWebCap.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [PMCRemote] C:\Program Files\Pinnacle\Shared Files\Programs\Remote\Remoterm.exe
O4 - HKCU\..\Run: [PMCLoader] C:\Program Files\Pinnacle\TVCenter Pro\PMCLoader.exe -checktasks
O4 - HKCU\..\Run: [drvsyskit] C:\WINDOWS\system32\drivers\hldrrr.exe
O8 - Extra context menu item: &Winamp Toolbar Search - C:\Documents and Settings\All Users\Application Data\Winamp Toolbar\ieToolbar\resources\en-US\local\search.html
O8 - Extra context menu item: Append to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert link target to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert link target to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert selected links to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
O8 - Extra context menu item: Convert selected links to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
O8 - Extra context menu item: Convert selection to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert selection to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/english/kavwebscan_unicode.cab
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/SharedContent/vc/bin/AvSniff.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1187354856624
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1187355034171
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: DiRT Drivers Auto Removal (pr2ah4nc) (pr2ah4nc) - CODEMASTERS - C:\WINDOWS\system32\pr2ah4nc.exe
O23 - Service: SAVRoam (SavRoam) - symantec - C:\Program Files\Symantec AntiVirus\SavRoam.exe
O23 - Service: Symantec AntiVirus - Unknown owner - C:\Program Files\Symantec AntiVirus\Rtvscan.exe (file missing)
--
End of file - 7338 bytes
-- File Associations -----------------------------------------------------------
.js - unable to read key
.js - unable to read key
.txt - unable to read key
.txt - unable to read key
-- Drivers: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled ---------------------
R1 PQNTDrv - c:\windows\system32\drivers\pqntdrv.sys <Not Verified; PowerQuest Corporation; PowerQuest product>
R1 srosa (Megadrv3) - c:\windows\system32\drivers\srosa.sys
R2 MCSTRM - c:\windows\system32\drivers\mcstrm.sys <Not Verified; RealNetworks, Inc.; RealNetworks Virtual Path Manager® (32-bit)>
R2 ppsio2 (PPDevice) - c:\windows\system32\drivers\ppsio2.sys <Not Verified; ; Flatbed DevDriver/NT4>
S1 InCDPass - c:\windows\system32\drivers\incdpass.sys (file missing)
S1 InCDRm (InCD Reader) - c:\windows\system32\drivers\incdrm.sys (file missing)
S3 GMSIPCI - d:\install\gmsipci.sys (file missing)
S3 MSICPL - d:\install4\msicpl.sys (file missing)
S3 NTACCESS - d:\ntaccess.sys (file missing)
S3 SetupNTGLM7X - d:\ntglm7x.sys (file missing)
S4 InCDFs (InCD File System) - c:\windows\system32\drivers\incdfs.sys (file missing)
-- Services: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled --------------------
R3 FLEXnet Licensing Service - "c:\program files\common files\macrovision shared\flexnet publisher\fnplicensingservice.exe" <Not Verified; Macrovision Europe Ltd.; FLEXnet Publisher (32 bit)>
S2 Symantec AntiVirus - "c:\program files\symantec antivirus\rtvscan.exe" (file missing)
S4 Bonjour Service (##Id_String1.6844F930_1628_4223_B5CC_5BB94B879762##) - "c:\program files\bonjour\mdnsresponder.exe" <Not Verified; Apple Computer, Inc.; Bonjour>
S4 ccEvtMgr (Symantec Event Manager) - "c:\program files\common files\symantec shared\ccevtmgr.exe" (file missing)
S4 ccSetMgr (Symantec Settings Manager) - "c:\program files\common files\symantec shared\ccsetmgr.exe" (file missing)
S4 DefWatch (Symantec AntiVirus Definition Watcher) - "c:\program files\symantec antivirus\defwatch.exe" (file missing)
S4 SNDSrvc (Symantec Network Drivers Service) - "c:\program files\common files\symantec shared\sndsrvc.exe" (file missing)
S4 SPBBCSvc (Symantec SPBBCSvc) - c:\program files\common files\symantec shared\spbbc\spbbcsvc.exe (file missing)
-- Device Manager: Disabled ----------------------------------------------------
No disabled devices found.
-- Files created between 2007-12-07 and 2008-01-07 -----------------------------
2008-01-03 12:11:29 0 d-------- C:\Program Files\Trend Micro
2008-01-03 12:08:36 0 d-------- C:\Documents and Settings\All Users\Application Data\Kaspersky Lab
2008-01-03 12:08:34 0 d-------- C:\WINDOWS\system32\Kaspersky Lab
2008-01-03 11:14:17 0 d--h----- C:\WINDOWS\PIF
2008-01-02 18:09:59 0 d-------- C:\!KillBox
2008-01-02 15:53:14 0 d-------- C:\Program Files\DemoForge
2008-01-01 18:36:00 0 d-------- C:\Documents and Settings\Leif Hassell\Application Data\Thunderbird
2008-01-01 18:35:41 0 d-------- C:\Program Files\Mozilla Thunderbird
2007-12-31 20:33:46 724992 --a------ C:\WINDOWS\iun6002.exe <Not Verified; Indigo Rose Corporation; Setup Factory 6.0 Runtime Module>
2007-12-31 20:32:08 0 d-------- C:\WINDOWS\system32\URTTEMP
2007-12-31 18:31:32 0 d-------- C:\WINDOWS\system32\drivers\down
2007-12-31 16:59:58 4 --a------ C:\WINDOWS\system32\0229AC
2007-12-31 16:59:35 8413 --a------ C:\WINDOWS\system32\drivers\mcstrm.sys <Not Verified; RealNetworks, Inc.; RealNetworks Virtual Path Manager® (32-bit)>
2007-12-31 16:59:35 0 d-------- C:\Program Files\Common Files\Real
2007-12-31 16:59:11 0 d-------- C:\Program Files\Real
2007-12-31 16:57:51 0 d-------- C:\Program Files\Comcast Rhapsody
2007-12-31 16:57:37 0 d-------- C:\Documents and Settings\Leif Hassell\Application Data\Real
2007-12-30 12:00:59 0 d-------- C:\Documents and Settings\Leif Hassell\browser - logitech
2007-12-30 12:00:33 0 d-------- C:\Documents and Settings\Leif Hassell\logitech
2007-12-30 11:58:25 0 d-------- C:\Program Files\Common Files\Remote Control Software Common
2007-12-30 11:57:47 0 d------c- C:\WINDOWS\system32\DRVSTORE
2007-12-30 11:57:45 0 d-------- C:\Program Files\Common Files\Remote Control USB Driver
2007-12-30 11:56:57 0 d-------- C:\Documents and Settings\Leif Hassell\Application Data\InstallShield
2007-12-29 12:14:32 0 d-------- C:\Program Files\Xpadder
2007-12-29 11:12:34 0 d-------- C:\Program Files\Common Files\Logitech
2007-12-29 11:12:13 0 d-------- C:\Program Files\Logitech
2007-12-28 16:27:16 0 d-------- C:\Documents and Settings\Leif Hassell\Application Data\I-O DATA DEVICE,INC
2007-12-28 16:23:13 44544 --a------ C:\WINDOWS\system32\msxml4a.dll <Not Verified; Microsoft Corporation; Microsoft(R) MSXML 4.0 SP1>
2007-12-28 16:23:13 0 d-------- C:\Program Files\I-O DATA DEVICE,INC
2007-12-27 18:50:20 0 d-------- C:\Program Files\devnz
2007-12-23 11:36:39 0 d-------- C:\Program Files\wizdxp
2007-12-16 16:05:54 0 d-------- C:\Program Files\Flagship Studios
2007-12-08 10:58:17 0 d-------- C:\Program Files\Codemasters
2nd half in next post.
leifhassell
2008-01-07, 20:14
Main.txt: (2nd half)
-- Find3M Report ---------------------------------------------------------------
2008-01-07 11:49:39 0 d-------- C:\Program Files\DynDNS Updater
2008-01-07 11:48:59 0 d-------- C:\Program Files\Symantec AntiVirus
2008-01-03 13:33:12 0 d-------- C:\Program Files\Mgtweak
2008-01-02 17:48:58 0 d-------- C:\Program Files\Common Files\Symantec Shared
2008-01-01 19:14:25 0 d-------- C:\Documents and Settings\Leif Hassell\Application Data\Ahead
2007-12-31 20:40:28 0 d-------- C:\Program Files\Winamp
2007-12-31 16:59:35 0 d-------- C:\Program Files\Common Files
2007-12-30 11:58:09 0 d--h----- C:\Program Files\InstallShield Installation Information
2007-12-26 16:38:36 0 d-------- C:\Documents and Settings\Leif Hassell\Application Data\OpenOffice.org2
2007-11-29 20:39:05 0 d-------- C:\Documents and Settings\Leif Hassell\Application Data\Magic Set Editor
2007-11-29 20:33:01 0 d-------- C:\Program Files\Magic Set Editor 2
2007-11-29 17:17:56 0 d-------- C:\Program Files\Mozilla Sunbird
2007-11-28 16:40:47 0 d-------- C:\Documents and Settings\Leif Hassell\Application Data\Adobe
2007-11-20 20:31:16 0 d-------- C:\Documents and Settings\Leif Hassell\Application Data\U3
2007-11-16 16:09:56 0 d-------- C:\Program Files\AutoIt3
2007-11-15 16:49:03 0 d-------- C:\Program Files\MusicBrainz Picard
2007-11-14 16:38:31 0 d-------- C:\Program Files\Common Files\Control Panels
2007-11-14 16:37:52 0 d-------- C:\Program Files\Common Files\Adobe
2007-11-14 15:17:19 0 d-------- C:\Program Files\Bonjour
2007-11-14 15:03:16 0 d-------- C:\Program Files\Common Files\Macrovision Shared
2007-11-11 19:48:06 0 d-------- C:\Program Files\Atari
2007-11-09 16:26:59 2041 --a------ C:\WINDOWS\mozver.dat
2007-11-08 19:50:11 0 d-------- C:\Documents and Settings\Leif Hassell\Application Data\Help
2007-11-08 17:26:08 0 d-------- C:\Program Files\Aezay Productions
2007-11-07 20:39:25 0 d-------- C:\Program Files\Windows Installer Clean Up
2007-11-07 20:39:02 0 d-------- C:\Program Files\MSECACHE
-- Registry Dump ---------------------------------------------------------------
*Note* empty entries & legit default entries are not shown
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{25CEE8EC-5730-41bc-8B58-22DDC8AB8C20}]
10/04/2007 02:06 PM 1135968 --a------ C:\Program Files\Winamp Toolbar\winamptb.dll
[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser]
"{EBF2BA02-9094-4C5A-858B-BB198F3D8DE2}"= C:\Program Files\Winamp Toolbar\winamptb.dll [10/04/2007 02:06 PM 1135968]
[-HKEY_CLASSES_ROOT\CLSID\{EBF2BA02-9094-4C5A-858B-BB198F3D8DE2}]
[HKEY_CLASSES_ROOT\WINAMPTB.AOLToolBand.1]
[HKEY_CLASSES_ROOT\TypeLib\{538CD77C-BFDD-49b0-9562-77419CAB89D1}]
[HKEY_CLASSES_ROOT\WINAMPTB.AOLToolBand]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ccApp"="C:\Program Files\Common Files\Symantec Shared\ccApp.exe" []
"vptray"="C:\PROGRA~1\SYMANT~1\VPTray.exe" []
"SoundMan"="SOUNDMAN.EXE" [11/16/2006 03:42 PM C:\WINDOWS\SOUNDMAN.EXE]
"NvCplDaemon"="C:\WINDOWS\system32\NvCpl.dll" [06/28/2007 11:43 PM]
"HPDJ Taskbar Utility"="C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb07.exe" [05/14/2003 01:01 AM]
"OneTouch Monitor"="C:\Program Files\Visioneer OneTouch\OneTouchMon.exe" [09/10/2001 07:08 AM]
"NvMediaCenter"="C:\WINDOWS\system32\NvMcTray.dll" [06/28/2007 11:43 PM]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [06/29/2007 05:24 AM]
"NeroFilterCheck"="C:\WINDOWS\system32\NeroCheck.exe" [07/09/2001 09:50 AM]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe" [09/25/2007 12:11 AM]
"Acrobat Assistant 8.0"="C:\Program Files\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe" [05/10/2007 10:46 PM]
"@"="" []
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"DynDNS Updater"="C:\Program Files\DynDNS Updater\DynDNS.exe" [09/17/2006 09:32 AM]
"PPWebCap"="C:\PROGRA~1\ScanSoft\PAPERP~1\PPWebCap.exe" [05/17/2006 06:03 AM]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [08/04/2004 01:56 AM]
"PMCRemote"="C:\Program Files\Pinnacle\Shared Files\Programs\Remote\Remoterm.exe" [09/18/2007 01:00 PM]
"PMCLoader"="C:\Program Files\Pinnacle\TVCenter Pro\PMCLoader.exe" [10/10/2007 11:02 AM]
"drvsyskit"="C:\WINDOWS\system32\drivers\hldrrr.exe" [05/17/2006 06:03 AM]
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"EnableLUA"=0 (0x0)
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"NoActiveDesktop"=01000000
SafeBoot registry key needs repairs. This machine cannot enter Safe Mode.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\File system]
@="Driver Group"
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\RpcSs]
@="Service"
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\vgasave.sys]
@="Driver"
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{4D36E967-E325-11CE-BFC1-08002BE10318}]
@="DiskDrive"
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{4D36E96A-E325-11CE-BFC1-08002BE10318}]
@="Hdc"
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{4D36E96B-E325-11CE-BFC1-08002BE10318}]
@="Keyboard"
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{4D36E96F-E325-11CE-BFC1-08002BE10318}]
@="Mouse"
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{4D36E97D-E325-11CE-BFC1-08002BE10318}]
@="System"
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{71A27CDD-812A-11D0-BEC7-08002BE2092F}]
@="Volume"
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\D]
AutoRun\command- D:\setup.exe -q
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\H]
AutoRun\command- H:\LaunchU3.exe
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{0b2ce72c-7e8f-11dc-99e1-0019dbacad3f}]
AutoRun\command- G:\autolauncher4u3.exe -a
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{3b51f2db-8af1-11dc-99f3-0019dbacad3f}]
AutoRun\command- G:\.\spm.exe
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{e328ae98-4eba-11dc-99c9-0019dbacad3f}]
AutoRun\command- G:\autolauncher4u3.exe -a
-- End of Deckard's System Scanner: finished at 2008-01-07 11:59:55 ------------
leifhassell
2008-01-07, 20:16
Extra.txt: (1st half)
Extra.txt
Deckard's System Scanner v20071014.68
Extra logfile - please post this as an attachment with your post.
--------------------------------------------------------------------------------
-- System Information ----------------------------------------------------------
Microsoft Windows XP Home Edition (build 2600) SP 2.0
Architecture: X86; Language: English
CPU 0: AMD Athlon(tm) 64 Processor 3000+
Percentage of Memory in Use: 18%
Physical Memory (total/avail): 2046.48 MiB / 1662.79 MiB
Pagefile Memory (total/avail): 3429.44 MiB / 3233.86 MiB
Virtual Memory (total/avail): 2047.88 MiB / 1927.9 MiB
C: is Fixed (NTFS) - 298.09 GiB total, 217.84 GiB free.
D: is CDROM (CDFS)
E: is Fixed (NTFS) - 58.59 GiB total, 14.82 GiB free.
F: is Fixed (NTFS) - 53.19 GiB total, 11.08 GiB free.
\\.\PHYSICALDRIVE0 - MAXTOR STM3320620AS - 298.09 GiB - 1 partition
\PARTITION0 (bootable) - Installable File System - 298.09 GiB - C:
\\.\PHYSICALDRIVE1 - ST3120026A - 111.79 GiB - 2 partitions
\PARTITION0 (bootable) - Installable File System - 58.59 GiB - E:
\PARTITION1 - Extended w/Extended Int 13 - 53.19 GiB - F:
-- Security Center -------------------------------------------------------------
AUOptions is scheduled to auto-install.
Windows Internal Firewall is disabled.
FirewallOverride is set.
AV: Symantec AntiVirus Corporate Edition v10.0.0.359 (Symantec Corporation)
[HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"%windir%\\Network Diagnostic\\xpnetdiag.exe"="%windir%\\Network Diagnostic\\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"
"C:\\Program Files\\Logitech\\Logitech Harmony Remote Software 7\\HarmonyRemote.exe"="C:\\Program Files\\Logitech\\Logitech Harmony Remote Software 7\\HarmonyRemote.exe:*:Enabled:Logitech Harmony Remote Software 7"
[HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"C:\\WINDOWS\\system32\\usmt\\migwiz.exe"="C:\\WINDOWS\\system32\\usmt\\migwiz.exe:*:Enabled:Files and Settings Transfer Wizard"
"C:\\Program Files\\eMule\\emule.exe"="C:\\Program Files\\eMule\\emule.exe:*:Enabled:eMule"
"C:\\Program Files\\Bonjour\\mDNSResponder.exe"="C:\\Program Files\\Bonjour\\mDNSResponder.exe:*:Enabled:Bonjour"
"%windir%\\Network Diagnostic\\xpnetdiag.exe"="%windir%\\Network Diagnostic\\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"
"C:\\Program Files\\Sony\\Media Manager for PSP 2.0\\MediaManager.exe"="C:\\Program Files\\Sony\\Media Manager for PSP 2.0\\MediaManager.exe:*:Enabled:Media Manager for PSP 2.0"
"C:\\Program Files\\Atari\\Neverwinter Nights 2\\nwn2main.exe"="C:\\Program Files\\Atari\\Neverwinter Nights 2\\nwn2main.exe:*:Enabled:Neverwinter Nights 2 Main"
"C:\\Program Files\\Atari\\Neverwinter Nights 2\\nwn2main_amdxp.exe"="C:\\Program Files\\Atari\\Neverwinter Nights 2\\nwn2main_amdxp.exe:*:Enabled:Neverwinter Nights 2 AMD"
"C:\\Program Files\\Atari\\Neverwinter Nights 2\\nwupdate.exe"="C:\\Program Files\\Atari\\Neverwinter Nights 2\\nwupdate.exe:*:Enabled:Neverwinter Nights 2 Updater"
"C:\\Program Files\\Atari\\Neverwinter Nights 2\\nwn2server.exe"="C:\\Program Files\\Atari\\Neverwinter Nights 2\\nwn2server.exe:*:Enabled:Neverwinter Nights 2 Server"
"C:\\Program Files\\Flagship Studios\\Hellgate London\\Launcher.exe"="C:\\Program Files\\Flagship Studios\\Hellgate London\\Launcher.exe:*:Enabled:Hellgate: London"
"C:\\Program Files\\Logitech\\Logitech Harmony Remote Software 7\\HarmonyRemote.exe"="C:\\Program Files\\Logitech\\Logitech Harmony Remote Software 7\\HarmonyRemote.exe:*:Enabled:Logitech Harmony Remote Software 7"
-- Environment Variables -------------------------------------------------------
ALLUSERSPROFILE=C:\Documents and Settings\All Users
APPDATA=C:\Documents and Settings\Leif Hassell\Application Data
CLASSPATH=.;C:\Program Files\QuickTime\QTSystem\QTJava.zip
CommonProgramFiles=C:\Program Files\Common Files
COMPUTERNAME=DOISSETEP
ComSpec=C:\WINDOWS\system32\cmd.exe
FP_NO_HOST_CHECK=NO
HellgateEnv=C:\Program Files\Flagship Studios\Hellgate London\
HOMEDRIVE=C:
HOMEPATH=\Documents and Settings\Leif Hassell
LOGONSERVER=\\DOISSETEP
NUMBER_OF_PROCESSORS=1
OS=Windows_NT
Path=C:\WINDOWS\system32;C:\WINDOWS;C:\WINDOWS\System32\Wbem;C:\Program Files\QuickTime\QTSystem\
PATHEXT=.COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH
PROCESSOR_ARCHITECTURE=x86
PROCESSOR_IDENTIFIER=x86 Family 15 Model 79 Stepping 2, AuthenticAMD
PROCESSOR_LEVEL=15
PROCESSOR_REVISION=4f02
ProgramFiles=C:\Program Files
PROMPT=$P$G
QTJAVA=C:\Program Files\QuickTime\QTSystem\QTJava.zip
SESSIONNAME=Console
SystemDrive=C:
SystemRoot=C:\WINDOWS
TEMP=C:\DOCUME~1\LEIFHA~1\LOCALS~1\Temp
TMP=C:\DOCUME~1\LEIFHA~1\LOCALS~1\Temp
USERDOMAIN=DOISSETEP
USERNAME=Leif Hassell
USERPROFILE=C:\Documents and Settings\Leif Hassell
windir=C:\WINDOWS
-- User Profiles ---------------------------------------------------------------
Leif Hassell (admin)
Video Editing (admin)
Administrator (new local, admin)
-- Add/Remove Programs ---------------------------------------------------------
--> C:\Program Files\Nero\Nero 7\nero\uninstall\UNNERO.exe /UNINSTALL
--> C:\WINDOWS\UNNeroBackItUp.exe /UNINSTALL
--> C:\WINDOWS\UNNeroMediaHome.exe /UNINSTALL
--> C:\WINDOWS\UNNeroShowTime.exe /UNINSTALL
--> C:\WINDOWS\UNNeroVision.exe /UNINSTALL
--> C:\WINDOWS\UNRecode.exe /UNINSTALL
--> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{9D5DFD1A-5B25-48B7-B4D5-E04778BDC676}\Setup.exe" -l0x9
--> rundll32.exe setupapi.dll,InstallHinfSection DefaultUninstall 132 C:\WINDOWS\INF\PCHealth.inf
Abander TagControl --> C:\Program Files\Abander TagControl\uninstall.exe
AccuChef --> C:\PROGRA~1\ACCUCH~1\UNWISE.EXE C:\PROGRA~1\ACCUCH~1\INSTALL.LOG
Add or Remove Adobe Creative Suite 3 Master Collection --> C:\Program Files\Common Files\Adobe\Installers\5ac697db6c6103f6f8b5198d25f73f7\Setup.exe
Adobe After Effects CS3 --> MsiExec.exe /I{EB0202F7-016A-410C-ADE4-40F848CCC661}
Adobe After Effects CS3 Presets --> MsiExec.exe /I{193EAFD0-1BAF-4FB4-B18F-79D5D6A4B285}
Adobe Anchor Service CS3 --> MsiExec.exe /I{90176341-0A8B-4CCC-A78D-F862228A6B95}
Adobe Asset Services CS3 --> MsiExec.exe /I{6FF5DD7A-FE28-4439-B8CF-1E9AF4EA0A61}
Adobe Bridge CS3 --> MsiExec.exe /I{9C9824D9-9000-4373-A6A5-D0E5D4831394}
Adobe Bridge Start Meeting --> MsiExec.exe /I{08B32819-6EEF-4057-AEDA-5AB681A36A23}
Adobe BridgeTalk Plugin CS3 --> MsiExec.exe /I{B73CFB12-C814-4638-AFFD-7E3AAFAF0B4E}
Adobe Camera Raw 4.0 --> MsiExec.exe /I{B3BF6689-A81D-40D8-9A86-4AC4ACD9FC1C}
Adobe CMaps --> MsiExec.exe /I{A2B242BD-FF8D-4840-9DAA-9170EABEC59C}
Adobe Color - Photoshop Specific --> MsiExec.exe /I{A2D81E70-2A98-4A08-A628-94388B063C5E}
Adobe Color Common Settings --> MsiExec.exe /I{DADD7B8A-BCB0-44F5-967A-ECB6B4F2ECD9}
Adobe Color EU Extra Settings --> MsiExec.exe /I{51846830-E7B2-4218-8968-B77F0FF475B8}
Adobe Color JA Extra Settings --> MsiExec.exe /I{DD7DB3C5-6FA3-4FA3-8A71-C2F2940EB029}
Adobe Color NA Recommended Settings --> MsiExec.exe /I{95655ED4-7CA5-46DF-907F-7144877A32E5}
Adobe Creative Suite 3 Master Collection --> MsiExec.exe /I{0CEC06EF-5052-4CE8-8256-74AE363A4238}
Adobe Default Language CS3 --> MsiExec.exe /I{B9B35331-B7E4-4E5C-BF4C-7BC87856124D}
Adobe Device Central CS3 --> MsiExec.exe /I{8D2BA474-F406-4710-9AE4-D4F22D21F0DD}
Adobe Encore CS3 --> MsiExec.exe /I{54B2EAD9-A110-43F7-B010-2859A1BD2AFE}
Adobe Encore CS3 Codecs --> MsiExec.exe /I{B8B7A4D8-80E1-4DAE-BD33-7FD535BA3931}
Adobe ExtendScript Toolkit 2 --> MsiExec.exe /I{C2D69781-F392-4118-A5A7-C7E9C38DBFC2}
Adobe Extension Manager CS3 --> MsiExec.exe /I{BE5F3842-8309-4754-92D5-83E02E6077A3}
Adobe Flash CS3 --> MsiExec.exe /I{6B52140A-F189-4945-BFFC-DB3F00B8C589}
Adobe Flash Player 9 ActiveX --> MsiExec.exe /X{BC4F8E84-5E29-49EC-B4E7-E6F9CB50986C}
Adobe Flash Player 9 Plugin --> MsiExec.exe /X{88D422DB-E9C7-4E16-9D80-2999F4FD6AD9}
Adobe Flash Video Encoder --> MsiExec.exe /I{2EFFFC71-1E66-454E-A6E6-CEEC800B96D2}
Adobe Fonts All --> MsiExec.exe /I{6ABE0BEE-D572-4FE8-B434-9E72A289431B}
Adobe Help Viewer CS3 --> MsiExec.exe /I{7ACFB90E-8FD0-4397-AD3A-5195412623A3}
Adobe Illustrator CS3 --> MsiExec.exe /I{F08E8D2E-F132-4742-9C87-D5FF223A016A}
Adobe InDesign CS3 --> MsiExec.exe /I{CB3F8375-B600-4B9F-83C9-238ED1E583FD}
Adobe InDesign CS3 Icon Handler --> MsiExec.exe /I{EA7B3CC4-366D-4CF6-8350-FD7A7034116E}
Adobe Linguistics CS3 --> MsiExec.exe /I{54793AA1-5001-42F4-ABB6-C364617C6078}
Adobe MotionPicture Color Files --> MsiExec.exe /I{6B708481-748A-4EB4-97C1-CD386244FF77}
Adobe PDF Library Files --> MsiExec.exe /I{D2559B88-CC9D-4B48-81BB-F492BAA9C48C}
Adobe Photoshop CS3 --> MsiExec.exe /I{0046FA01-C5B9-4985-BACB-398DC480FC05}
Adobe Premiere Pro CS3 --> MsiExec.exe /I{58DCEEE5-532E-44F4-B1D7-A146EF9E9FDA}
Adobe Premiere Pro CS3 Functional Content --> MsiExec.exe /I{50F102CA-4BE2-41A9-9810-5BB05EB91B9A}
Adobe Premiere Pro CS3 Third Party Content --> MsiExec.exe /I{485ACF57-F364-440A-8496-E1E81C8FA1AA}
Adobe Setup --> MsiExec.exe /I{1DDB76B6-9B33-47DE-8577-78EBFD3E2FF3}
Adobe SING CS3 --> MsiExec.exe /I{B671CBFD-4109-4D35-9252-3062D3CCB7B2}
Adobe Soundbooth CS3 --> MsiExec.exe /I{A6B23EFA-6590-482C-A11F-5ACE1B91F5B9}
Adobe Soundbooth CS3 Codecs --> MsiExec.exe /I{0327FA9D-975C-448C-A086-577D57BB25B8}
Adobe Stock Photos CS3 --> MsiExec.exe /I{29E5EA97-5F74-4A57-B8B2-D4F169117183}
Adobe Type Support --> MsiExec.exe /I{8E6808E2-613D-4FCD-81A2-6C8FA8E03312}
Adobe Update Manager CS3 --> MsiExec.exe /I{E69AE897-9E0B-485C-8552-7841F48D42D8}
Adobe Version Cue CS3 Client --> MsiExec.exe /I{D0DFF92A-492E-4C40-B862-A74A173C25C5}
Adobe Video Profiles --> MsiExec.exe /I{845A8DB9-8802-4FD3-9FE3-938A6C46A2EC}
Adobe WAS CS3 --> MsiExec.exe /I{C5BD220A-EFE8-48A5-B70E-9503D535FACE}
Adobe WinSoft Linguistics Plugin --> MsiExec.exe /I{184CE391-7E0E-4C63-9935-D7A10EDFD3C6}
Adobe XMP DVA Panels CS3 --> MsiExec.exe /I{0224CACC-994D-45F8-B973-D65056EA9C2F}
Adobe XMP Panels CS3 --> MsiExec.exe /I{D5A31AB1-345D-47C7-A87B-036A669F6DF1}
AHV content for Acrobat and Flash --> MsiExec.exe /I{6BBAA81D-6A7E-43AD-8889-2F002DCAAFDD}
Apple Software Update --> MsiExec.exe /I{74EC78BC-B379-4E29-9006-8F161DCAABA6}
Atmosphere Deluxe v6.0 --> "C:\Program Files\Atmosphere Deluxe\unins000.exe"
AutoIt v3.2.8.1 --> C:\Program Files\AutoIt3\Uninstall.exe
Autumn City --> C:\Deluxescen\Autumncity\unins000.exe
AVeL Link Advanced Server --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\0701\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{C244A7B5-8F6D-49DF-9066-B3651D3410CC}\setup.exe" -l0x9
AVeL Link Server version 1.9b --> "C:\Program Files\I-O DATA DEVICE,INC\AVeL Link Server\unins000.exe"
BLM 2.7.7 --> "C:\Program Files\Bluetack\Blocklist Manager\unins000.exe"
Canopus ProCoder 2 --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{6A70D9E8-C51B-4196-BD1F-137E6EF6AEBB}\setup.exe" -l0x9
Chicago Scenario --> C:\Deluxescen\Chicago\unins000.exe
CIF USB Camera (2110A) --> C:\WINDOWS\CleanDev.exe C:\WINDOWS\DC2110a.ini
Collectorz.com Movie Collector --> C:\PROGRA~1\COLLEC~1.COM\MOVIEC~1\UNWISE.EXE C:\PROGRA~1\COLLEC~1.COM\MOVIEC~1\install.log
Comcast Rhapsody --> C:\PROGRA~1\COMCAS~1\Unwise32.exe /A C:\PROGRA~1\COMCAS~1\install.log
DiRT --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\10\00\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{57B89E30-0BBA-4F20-9F2C-8E8CDE1CEDB6}\setup.exe" -l0x9 -removeonly
DivX Player --> C:\WINDOWS\unvise32.exe C:\Program Files\DivX\DivX Player\uninstal.log
Docks Scenario --> C:\Deluxescen\Docks\unins000.exe
Driving On A Rainy Day Scenario --> C:\Deluxescen\Carrainyday\unins000.exe
DynDNS Updater 3.1 --> "C:\Program Files\DynDNS Updater\unins000.exe"
eMule --> "C:\Program Files\eMule\Uninstall.exe"
Galleon Scenario --> C:\Deluxescen\galleon\unins000.exe
Halloween Scenario --> C:\Deluxescen\Halloween\unins000.exe
Hellgate: London --> MsiExec.exe /X{A2B4455D-1046-4732-BFBC-0821BEFC07BC}
HijackThis 2.0.2 --> "C:\Program Files\Trend Micro\HijackThis\HijackThis.exe" /uninstall
Hotfix for Windows Media Format 11 SDK (KB929399) --> "C:\WINDOWS\$NtUninstallKB929399$\spuninst\spuninst.exe"
hp deskjet 3320 series (Remove only) --> C:\Program Files\hp deskjet 3320 series\hpfiui.exe -c -vdivid=HPF -vpnum=95 -vinstport=USB001 -vproduct=3320 -huninstall
Java(TM) 6 Update 2 --> MsiExec.exe /I{3248F0A8-6813-11D6-A77B-00B0D0160020}
Java(TM) 6 Update 3 --> MsiExec.exe /I{3248F0A8-6813-11D6-A77B-00B0D0160030}
Kaspersky Online Scanner --> C:\WINDOWS\system32\Kaspersky Lab\Kaspersky Online Scanner\kavuninstall.exe
LiveUpdate 2.6 (Symantec Corporation) --> C:\Program Files\Symantec\LiveUpdate\LSETUP.EXE /U
Log Cabin Scenario --> "C:\Deluxescen\Log Cabin\unins000.exe"
Logitech Harmony Remote Software 7 --> C:\Program Files\InstallShield Installation Information\{5C6F884D-680C-448B-B4C9-22296EE1B206}\setup.exe -runfromtemp -l0x0009 -removeonly
Magic Set Editor 2 - 0.3.5b beta --> "C:\Program Files\Magic Set Editor 2\unins000.exe"
MagicTweak Version 3.10 --> "C:\Program Files\Mgtweak\unins000.exe"
Microsoft Compression Client Pack 1.0 for Windows XP --> "C:\WINDOWS\$NtUninstallMSCompPackV1$\spuninst\spuninst.exe"
Microsoft User-Mode Driver Framework Feature Pack 1.0 --> "C:\WINDOWS\$NtUninstallWudf01000$\spuninst\spuninst.exe"
Microsoft Visual C++ 2005 Redistributable --> MsiExec.exe /X{7299052b-02a4-4627-81f2-1818da5d550d}
Mirage Driver 1.1 --> "C:\Program Files\DemoForge\Mirage Driver\uninst\unins000.exe"
MONOPOLY HERE & NOW EDITION --> "C:\Program Files\RealArcade\Installer\bin\gameinstaller.exe" "C:\Program Files\RealArcade\Installer\installerMain.clf" "C:\Program Files\RealArcade\Installer\uninstall\MONOPOLY HERE & NOW EDITION.rguninst"
Morrocco Market Scenario --> C:\Deluxescen\Morrocco\unins000.exe
Mozilla Firefox (2.0.0.11) --> C:\Program Files\Mozilla Firefox\uninstall\helper.exe
Mozilla Sunbird (0.5) --> C:\Program Files\Mozilla Sunbird\uninstall\uninst.exe
Mozilla Thunderbird (2.0.0.9) --> C:\Program Files\Mozilla Thunderbird\uninstall\helper.exe
MSXML 6.0 Parser (KB933579) --> MsiExec.exe /I{0A869A65-8C94-4F7C-A5C7-972D3C8CED9E}
MusicBrainz Picard 0.7.2 --> C:\Program Files\MusicBrainz Picard\uninst.exe
Nero 7 Demo --> MsiExec.exe /I{C93369CB-B4E9-E095-9289-E6B5AE941033}
Neverwinter Nights 2 --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\10\00\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{F20C1251-1D0A-4944-B2AE-678581B33B19}\SETUP.exe" -l0x9 -removeonly
Nite Pond Scenario --> C:\Deluxescen\Nitepond\unins000.exe
NVIDIA Drivers --> C:\WINDOWS\system32\nvudisp.exe UninstallGUI
Ocean Dining - Scenario --> C:\Deluxescen\Oceandining\unins000.exe
OneTouch Version 3.0 --> C:\PROGRA~1\VISION~1\UNWISE.EXE C:\PROGRA~1\VISION~1\INSTALL.LOG
OpenOffice.org 2.3 --> MsiExec.exe /I{83C03FBE-4492-4133-BBAB-421CD88ADA32}
Pandora's GUI --> MsiExec.exe /X{B63FAB20-EA87-4C20-AA28-32DC973D5751}
PaperPort 7.02 --> C:\WINDOWS\IsUninst.exe -f"C:\Program Files\ScanSoft\PaperPort\Config\DeIsL1.isu" -y -c"C:\Program Files\ScanSoft\PaperPort\UnInstl2.dll"
PDF Settings --> MsiExec.exe /I{AC5B0C19-D851-42F4-BDA0-410ECF7F70A5}
PiMPStreamer --> MsiExec.exe /I{9B40A0CC-AB90-4375-8D35-668393564B57}
Pinnacle TVCenter Pro --> "C:\Program Files\InstallShield Installation Information\{F38ADCA4-AF7C-4C73-9021-6F1EA15D15EA}\Setup.exe"UNINSTALL /l0x0409 -removeonly
PowerQuest PartitionMagic 8.0 --> C:\PROGRA~1\COMMON~1\INSTAL~1\Driver\7\INTEL3~1\IDriver.exe /M{6BE2A4A4-99FB-48ED-AE1E-4E850389F804}
QuickTime --> MsiExec.exe /I{95A890AA-B3B1-44B6-9C18-A8F7AB3EE7FC}
RealArcade --> "c:\Program Files\RealArcade\Installer\bin\gameinstaller.exe" "c:\Program Files\RealArcade\Installer\installerMain.clf" "c:\Program Files\RealArcade\Installer\uninstall\RealArcade.rguninst"
Realtek AC'97 Audio --> Alcrmv.exe -r -m
Registry Commander v1.03 --> "C:\Program Files\Aezay Productions\Registry Commander\unins000.exe"
Remote Control USB Driver --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\11\50\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{8471021C-F529-43DE-84DF-3612E10F58C4}\setup.exe" -l0x9 -removeonly
Remove DivX Pro Codec --> C:\WINDOWS\unvise32.exe C:\Program Files\DivX\DivX Pro Codec\UninstalDivXProCodec.log
Restaurant Scenario --> C:\Deluxescen\Restaurant\unins000.exe
Restaurant Scenario --> C:\Deluxescen\Station\unins000.exe
Rhapsody Player Engine --> MsiExec.exe /I{2DFF31F9-7893-4922-AF66-C9A1EB4EBB31}
Scenario - City Park --> C:\Deluxescen\Citypark\unins000.exe
Security Update for CAPICOM (KB931906) --> MsiExec.exe /I{0EFDF2F9-836D-4EB7-A32D-038BD3F1FB2A}
Security Update for CAPICOM (KB931906) --> MsiExec.exe /X{0EFDF2F9-836D-4EB7-A32D-038BD3F1FB2A}
Sleep Sounds Scenario --> C:\Deluxescen\Sleep\unins000.exe
Snow Walk Scenario --> C:\Deluxescen\Snowwalk\unins000.exe
Sony Media Manager for PSP 2.0 --> MsiExec.exe /X{F4D1A29C-F42A-40FF-9411-3FA122FD5691}
Suburbs Scenario --> C:\Deluxescen\Suburbs\unins000.exe
Symantec AntiVirus --> MsiExec.exe /I{5A633ED0-E5D7-4D65-AB8D-53ED43510284}
TightVNC 1.3.9 --> "C:\Program Files\TightVNC\unins000.exe"
Train Ride Scenario --> C:\Deluxescen\Train\unins000.exe
Tropical Day Scenario --> C:\Deluxescen\Tropicalday\unins000.exe
Tweak UI --> "C:\WINDOWS\system32\mshta.exe" "res://C:\WINDOWS\system32\TweakUI.exe/uninstall.hta"
VIA Platform Device Manager --> C:\PROGRA~1\COMMON~1\INSTAL~1\Driver\7\INTEL3~1\IDriver.exe /M{20D4A895-748C-4D88-871C-FDB1695B0169}
VideoLAN VLC media player 0.8.6c --> C:\Program Files\VideoLAN\VLC\uninstall.exe
Winamp --> "C:\Program Files\Winamp\UninstWA.exe"
Winamp Toolbar --> "C:\Program Files\Winamp Toolbar\uninstall.exe"
Windows Communication Foundation --> MsiExec.exe /X{491DD792-AD81-429C-9EB4-86DD3D22E333}
Windows Imaging Component --> "C:\WINDOWS\$NtUninstallWIC$\spuninst\spuninst.exe"
Windows Installer Clean Up --> MsiExec.exe /X{121634B0-2F4B-11D3-ADA3-00C04F52DD52}
Windows Media Format 11 runtime --> "C:\WINDOWS\$NtUninstallWMFDist11$\spuninst\spuninst.exe"
Windows Presentation Foundation --> MsiExec.exe /X{BAF78226-3200-4DB4-BE33-4D922A799840}
Windows Workflow Foundation --> MsiExec.exe /I{7D1B85BD-AA07-48B8-808D-67A4067FC6BD}
WinISO 5.3 --> "C:\Program Files\WinISO\unins000.exe"
WinRAR archiver --> C:\Program Files\WinRAR\uninstall.exe
Wolves Scenario --> C:\Deluxescen\wolves\unins000.exe
XML Paper Specification Shared Components Pack 1.0 -->
XviD MPEG-4 Video Codec --> C:\WINDOWS\system32\rundll32.exe setupapi,InstallHinfSection Remove_XviD 132 C:\WINDOWS\inf\xvid.inf
XviD4PSP --> C:\Program Files\Winnydows\XviD4PSP\Uninstall.exe
2nd half in next post.
leifhassell
2008-01-07, 20:16
Extra.txt: (2nd half)
-- Application Event Log -------------------------------------------------------
Event Record #/Type1947 / Warning
Event Submitted/Written: 01/06/2008 05:08:45 PM
Event ID/Source: 1001 / MsiInstaller
Event Description:
Detection of product '{5A633ED0-E5D7-4D65-AB8D-53ED43510284}', feature 'SAVUI' failed during request for component '{0ABF6425-272D-4795-9BD8-F2428110EC95}'
Event Record #/Type1946 / Warning
Event Submitted/Written: 01/06/2008 05:08:45 PM
Event ID/Source: 1004 / MsiInstaller
Event Description:
Detection of product '{5A633ED0-E5D7-4D65-AB8D-53ED43510284}', feature 'SAVMain', component '{12ED2D07-8DEF-43FF-8C44-4F3AD17001A1}' failed. The resource 'C:\Program Files\Common Files\Symantec Shared\ccApp.exe' does not exist.
Event Record #/Type1944 / Warning
Event Submitted/Written: 01/06/2008 05:02:52 PM
Event ID/Source: 1001 / MsiInstaller
Event Description:
Detection of product '{5A633ED0-E5D7-4D65-AB8D-53ED43510284}', feature 'SAVUI' failed during request for component '{0ABF6425-272D-4795-9BD8-F2428110EC95}'
Event Record #/Type1943 / Warning
Event Submitted/Written: 01/06/2008 05:02:52 PM
Event ID/Source: 1004 / MsiInstaller
Event Description:
Detection of product '{5A633ED0-E5D7-4D65-AB8D-53ED43510284}', feature 'SAVMain', component '{12ED2D07-8DEF-43FF-8C44-4F3AD17001A1}' failed. The resource 'C:\Program Files\Common Files\Symantec Shared\ccApp.exe' does not exist.
Event Record #/Type1941 / Warning
Event Submitted/Written: 01/06/2008 05:02:50 PM
Event ID/Source: 1001 / MsiInstaller
Event Description:
Detection of product '{5A633ED0-E5D7-4D65-AB8D-53ED43510284}', feature 'SAVUI' failed during request for component '{0ABF6425-272D-4795-9BD8-F2428110EC95}'
-- Security Event Log ----------------------------------------------------------
No Errors/Warnings found.
-- System Event Log ------------------------------------------------------------
Event Record #/Type5513 / Error
Event Submitted/Written: 01/07/2008 11:58:42 AM
Event ID/Source: 7023 / Service Control Manager
Event Description:
The Computer Browser service terminated with the following error:
%%1460
Event Record #/Type5489 / Error
Event Submitted/Written: 01/07/2008 11:54:52 AM
Event ID/Source: 7001 / Service Control Manager
Event Description:
The Wireless Zero Configuration service depends on the NDIS Usermode I/O Protocol service which failed to start because of the following error:
%%1058
Event Record #/Type5463 / Error
Event Submitted/Written: 01/07/2008 11:49:56 AM
Event ID/Source: 7001 / Service Control Manager
Event Description:
The Wireless Zero Configuration service depends on the NDIS Usermode I/O Protocol service which failed to start because of the following error:
%%1058
Event Record #/Type5456 / Error
Event Submitted/Written: 01/06/2008 05:05:40 PM
Event ID/Source: 7023 / Service Control Manager
Event Description:
The Computer Browser service terminated with the following error:
%%1460
Event Record #/Type5433 / Error
Event Submitted/Written: 01/06/2008 05:01:36 PM
Event ID/Source: 7001 / Service Control Manager
Event Description:
The Wireless Zero Configuration service depends on the NDIS Usermode I/O Protocol service which failed to start because of the following error:
%%1058
-- End of Deckard's System Scanner: finished at 2008-01-07 11:59:55 ------------
Rorschach112
2008-01-07, 20:25
I'm always up for a challenge :)
No need to put the reports in quote boxes as it makes them harder to read
Run IceSword.exe
Step 1: Now, we will remove the rootkit! Click the "Processes" tab and right-click on the following red colored processes one by one, and choose "Terminate Process". This will kill the rooted processes.
C:\WINDOWS\system32\drivers\hldrrr.exe
Step 2: Now, we have to delete the rooted files. Click "File" tab in IceSword. This will display the Windows Explorer type interface. Navigate to the following and delete the files in bold(if any are not there just continue on).
C:\Windows\System32\Drivers\rkhdrv40.sys
C:\WINDOWS\system32\drivers\hldrrr.exe
C:\WINDOWS\system32\drivers\srosa.sys
1. Please re-open HiJackThis and choose do a system scan only. Check the boxes next to ONLY the entries listed below(if present):
O4 - HKCU\..\Run: [drvsyskit] C:\WINDOWS\system32\drivers\hldrrr.exe
2. Now close all windows other than HiJackThis, including browsers, so that nothing other than HijackThis is open, then click Fix Checked. A box will pop up asking you if you wish to fix the selected items. Please choose YES. Once it has fixed them, please exit/close HijackThis.
Please download OTMoveIt by OldTimer (http://download.bleepingcomputer.com/oldtimer/OTMoveIt.exe).
Save it to your desktop.
Please double-click OTMoveIt.exe to run it.
Copy the file paths below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose copy):
C:\Program Files\ScanSoft\PaperPort\PPWEBCAP.EXE
F:\Incoming\On2Share for Winamp 3.0.3.zip
C:\Windows\System32\Drivers\rkhdrv40.sys
C:\WINDOWS\system32\drivers\hldrrr.exe
C:\WINDOWS\system32\drivers\srosa.sys
D:\setup.exe
H:\LaunchU3.exe
G:\autolauncher4u3.exe
G:\autolauncher4u3.exe
Return to OTMoveIt, right click on the "Paste List of Files/Folders to be moved" window and choose Paste.
Click the red Moveit! button.
Close OTMoveIt
If a file or folder cannot be moved immediately you may be asked to reboot the machine to finish the move process. If you are asked to reboot the machine choose Yes.
Please "Copy" the results from the "Results" window (to the right) and then "Paste" them into your next reply on the forum.
Note : If a reboot was necessary or you needed to Exit before posting the log, you will find a copy of the log at the root of the drive where OTMoveIt is installed, usually at :
C:\_OTMoveIt\MovedFiles\********_******.log
(where "********_******" is the "date_time")
Click "Exit" to close OTMoveIt.
Backup Your Registry with ERUNT
Please use the following link and scroll down to ERUNT and download it.
http://aumha.org/freeware/freeware.php
For version with the Installer:
Use the setup program to install ERUNT on your computer
For the zipped version:
Unzip all the files into a folder of your choice.
Click Erunt.exe to backup your registry to the folder of your choice.
Note: to restore your registry, go to the folder and start ERDNT.exe
Now we need to fix your problems by making a .reg file. Copy the code below into a Notepad file. Name the file as fix.reg, change the "Save as Type" to "All files" and save it on the desktop.
Windows Registry Editor Version 5.00
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\D]
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\H]
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{0b2ce72c-7e8f-11dc-99e1-0019dbacad3f}]
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{e328ae98-4eba-11dc-99c9-0019dbacad3f}]
[-HKEY_CLASSES_ROOT\CLSID\{0b2ce72c-7e8f-11dc-99e1-0019dbacad3f}]
[-HKEY_CLASSES_ROOT\CLSID\{e328ae98-4eba-11dc-99c9-0019dbacad3f}]
Then double click on the fix.reg file, when it prompts to merge click "Yes".
Reboot and post a new DSS log and a new IceSword log and tell me how that went
leifhassell
2008-01-08, 00:39
Thank you!
It seems to have worked, as I can now install my AV and spybot and they stay. There is still one red process (noted below.) What is this? At least it doesn't seem to be causing trouble.
Here are the logs.
Icesword Process Log:
Process:
System Idle Process
System
C:\Program Files\Visioneer OneTouch\OneTouchMon.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\PROGRA~1\SYMANT~1\VPTray.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb07.exe
C:\Program Files\Symantec AntiVirus\Rtvscan.exe
C:\WINDOWS\system32\smss.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe
C:\Program Files\Adobe\Acrobat 8.0\Acrobat\acrotray.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Symantec AntiVirus\DefWatch.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\explorer.exe
C:\Program Files\DynDNS Updater\DynDNS.exe
C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
C:\Program Files\Mozilla Firefox\firefox.exe
J:\SPM.EXE
J:\AV Tools\IceSword122en\IceSword.exe
Icesword SSDT (Transcribed from program... just the one red entry)
Index | Current Addr. | KModule | Original Addr. | Name
0x1F | 0x89D8B500 | Unknown | 0x805986E6 | NtConnectPort
DSS Logs to follow.
leifhassell
2008-01-08, 00:40
DSS Main Log: (Part 1)
Deckard's System Scanner v20071014.68
Run by Leif Hassell on 2008-01-07 16:34:50
Computer is in Normal Mode.
--------------------------------------------------------------------------------
-- HijackThis (run as Leif Hassell.exe) ----------------------------------------
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 4:34:54 PM, on 1/7/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16574)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Symantec AntiVirus\DefWatch.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Symantec AntiVirus\Rtvscan.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\PROGRA~1\SYMANT~1\VPTray.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb07.exe
C:\Program Files\Visioneer OneTouch\OneTouchMon.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe
C:\Program Files\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe
C:\Program Files\DynDNS Updater\DynDNS.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
C:\Program Files\Mozilla Firefox\firefox.exe
J:\spm.exe
C:\WINDOWS\system32\notepad.exe
J:\AV Tools\dss.exe
C:\PROGRA~1\TRENDM~1\HIJACK~1\LEIFHA~1.EXE
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: Winamp Toolbar BHO - {25CEE8EC-5730-41bc-8B58-22DDC8AB8C20} - C:\Program Files\Winamp Toolbar\winamptb.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O2 - BHO: Adobe PDF Conversion Toolbar Helper - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: Winamp Toolbar - {EBF2BA02-9094-4c5a-858B-BB198F3D8DE2} - C:\Program Files\Winamp Toolbar\winamptb.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\VPTray.exe
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb07.exe
O4 - HKLM\..\Run: [OneTouch Monitor] C:\Program Files\Visioneer OneTouch\OneTouchMon.exe
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"
O4 - HKLM\..\Run: [Acrobat Assistant 8.0] "C:\Program Files\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe"
O4 - HKCU\..\Run: [DynDNS Updater] "C:\Program Files\DynDNS Updater\DynDNS.exe"
O4 - HKCU\..\Run: [PPWebCap] C:\PROGRA~1\ScanSoft\PAPERP~1\PPWebCap.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [PMCRemote] C:\Program Files\Pinnacle\Shared Files\Programs\Remote\Remoterm.exe
O4 - HKCU\..\Run: [PMCLoader] C:\Program Files\Pinnacle\TVCenter Pro\PMCLoader.exe -checktasks
O8 - Extra context menu item: &Winamp Toolbar Search - C:\Documents and Settings\All Users\Application Data\Winamp Toolbar\ieToolbar\resources\en-US\local\search.html
O8 - Extra context menu item: Append to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert link target to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert link target to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert selected links to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
O8 - Extra context menu item: Convert selected links to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
O8 - Extra context menu item: Convert selection to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert selection to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/english/kavwebscan_unicode.cab
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/SharedContent/vc/bin/AvSniff.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1187354856624
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1187355034171
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - C:\Program Files\Symantec AntiVirus\DefWatch.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: DiRT Drivers Auto Removal (pr2ah4nc) (pr2ah4nc) - CODEMASTERS - C:\WINDOWS\system32\pr2ah4nc.exe
O23 - Service: SAVRoam (SavRoam) - symantec - C:\Program Files\Symantec AntiVirus\SavRoam.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec AntiVirus\Rtvscan.exe
--
End of file - 8725 bytes
-- Files created between 2007-12-07 and 2008-01-07 -----------------------------
2008-01-03 12:11:29 0 d-------- C:\Program Files\Trend Micro
2008-01-03 12:08:36 0 d-------- C:\Documents and Settings\All Users\Application Data\Kaspersky Lab
2008-01-03 12:08:34 0 d-------- C:\WINDOWS\system32\Kaspersky Lab
2008-01-03 11:14:17 0 d--h----- C:\WINDOWS\PIF
2008-01-02 18:09:59 0 d-------- C:\!KillBox
2008-01-02 15:53:14 0 d-------- C:\Program Files\DemoForge
2008-01-01 18:36:00 0 d-------- C:\Documents and Settings\Leif Hassell\Application Data\Thunderbird
2008-01-01 18:35:41 0 d-------- C:\Program Files\Mozilla Thunderbird
2007-12-31 20:33:46 724992 --a------ C:\WINDOWS\iun6002.exe <Not Verified; Indigo Rose Corporation; Setup Factory 6.0 Runtime Module>
2007-12-31 20:32:08 0 d-------- C:\WINDOWS\system32\URTTEMP
2007-12-31 18:31:32 0 d-------- C:\WINDOWS\system32\drivers\down
2007-12-31 16:59:58 4 --a------ C:\WINDOWS\system32\0229AC
2007-12-31 16:59:35 8413 --a------ C:\WINDOWS\system32\drivers\mcstrm.sys <Not Verified; RealNetworks, Inc.; RealNetworks Virtual Path Manager® (32-bit)>
2007-12-31 16:59:35 0 d-------- C:\Program Files\Common Files\Real
2007-12-31 16:59:11 0 d-------- C:\Program Files\Real
2007-12-31 16:57:51 0 d-------- C:\Program Files\Comcast Rhapsody
2007-12-31 16:57:37 0 d-------- C:\Documents and Settings\Leif Hassell\Application Data\Real
2007-12-30 12:00:59 0 d-------- C:\Documents and Settings\Leif Hassell\browser - logitech
2007-12-30 12:00:33 0 d-------- C:\Documents and Settings\Leif Hassell\logitech
2007-12-30 11:58:25 0 d-------- C:\Program Files\Common Files\Remote Control Software Common
2007-12-30 11:57:47 0 d------c- C:\WINDOWS\system32\DRVSTORE
2007-12-30 11:57:45 0 d-------- C:\Program Files\Common Files\Remote Control USB Driver
2007-12-30 11:56:57 0 d-------- C:\Documents and Settings\Leif Hassell\Application Data\InstallShield
2007-12-29 12:14:32 0 d-------- C:\Program Files\Xpadder
2007-12-29 11:12:34 0 d-------- C:\Program Files\Common Files\Logitech
2007-12-29 11:12:13 0 d-------- C:\Program Files\Logitech
2007-12-28 16:27:16 0 d-------- C:\Documents and Settings\Leif Hassell\Application Data\I-O DATA DEVICE,INC
2007-12-28 16:23:13 44544 --a------ C:\WINDOWS\system32\msxml4a.dll <Not Verified; Microsoft Corporation; Microsoft(R) MSXML 4.0 SP1>
2007-12-28 16:23:13 0 d-------- C:\Program Files\I-O DATA DEVICE,INC
2007-12-27 18:50:20 0 d-------- C:\Program Files\devnz
2007-12-23 11:36:39 0 d-------- C:\Program Files\wizdxp
2007-12-16 16:05:54 0 d-------- C:\Program Files\Flagship Studios
2007-12-08 10:58:17 0 d-------- C:\Program Files\Codemasters
leifhassell
2008-01-08, 00:42
DSS Main Log: (Part 2)
-- Find3M Report ---------------------------------------------------------------
2008-01-07 16:24:09 0 d-------- C:\Program Files\Symantec AntiVirus
2008-01-07 16:15:20 0 d-------- C:\Program Files\Common Files\Symantec Shared
2008-01-07 11:49:39 0 d-------- C:\Program Files\DynDNS Updater
2008-01-03 13:33:12 0 d-------- C:\Program Files\Mgtweak
2008-01-01 19:14:25 0 d-------- C:\Documents and Settings\Leif Hassell\Application Data\Ahead
2007-12-31 20:40:28 0 d-------- C:\Program Files\Winamp
2007-12-31 16:59:35 0 d-------- C:\Program Files\Common Files
2007-12-30 11:58:09 0 d--h----- C:\Program Files\InstallShield Installation Information
2007-12-26 16:38:36 0 d-------- C:\Documents and Settings\Leif Hassell\Application Data\OpenOffice.org2
2007-11-29 20:39:05 0 d-------- C:\Documents and Settings\Leif Hassell\Application Data\Magic Set Editor
2007-11-29 20:33:01 0 d-------- C:\Program Files\Magic Set Editor 2
2007-11-29 17:17:56 0 d-------- C:\Program Files\Mozilla Sunbird
2007-11-28 16:40:47 0 d-------- C:\Documents and Settings\Leif Hassell\Application Data\Adobe
2007-11-20 20:31:16 0 d-------- C:\Documents and Settings\Leif Hassell\Application Data\U3
2007-11-16 16:09:56 0 d-------- C:\Program Files\AutoIt3
2007-11-15 16:49:03 0 d-------- C:\Program Files\MusicBrainz Picard
2007-11-14 16:38:31 0 d-------- C:\Program Files\Common Files\Control Panels
2007-11-14 16:37:52 0 d-------- C:\Program Files\Common Files\Adobe
2007-11-14 15:17:19 0 d-------- C:\Program Files\Bonjour
2007-11-14 15:03:16 0 d-------- C:\Program Files\Common Files\Macrovision Shared
2007-11-11 19:48:06 0 d-------- C:\Program Files\Atari
2007-11-09 16:26:59 2041 --a------ C:\WINDOWS\mozver.dat
2007-11-08 19:50:11 0 d-------- C:\Documents and Settings\Leif Hassell\Application Data\Help
2007-11-08 17:26:08 0 d-------- C:\Program Files\Aezay Productions
2007-11-07 20:39:25 0 d-------- C:\Program Files\Windows Installer Clean Up
2007-11-07 20:39:02 0 d-------- C:\Program Files\MSECACHE
-- Registry Dump ---------------------------------------------------------------
*Note* empty entries & legit default entries are not shown
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{25CEE8EC-5730-41bc-8B58-22DDC8AB8C20}]
10/04/2007 02:06 PM 1135968 --a------ C:\Program Files\Winamp Toolbar\winamptb.dll
[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser]
"{EBF2BA02-9094-4C5A-858B-BB198F3D8DE2}"= C:\Program Files\Winamp Toolbar\winamptb.dll [10/04/2007 02:06 PM 1135968]
[-HKEY_CLASSES_ROOT\CLSID\{EBF2BA02-9094-4C5A-858B-BB198F3D8DE2}]
[HKEY_CLASSES_ROOT\WINAMPTB.AOLToolBand.1]
[HKEY_CLASSES_ROOT\TypeLib\{538CD77C-BFDD-49b0-9562-77419CAB89D1}]
[HKEY_CLASSES_ROOT\WINAMPTB.AOLToolBand]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ccApp"="C:\Program Files\Common Files\Symantec Shared\ccApp.exe" [04/08/2005 03:52 PM]
"vptray"="C:\PROGRA~1\SYMANT~1\VPTray.exe" [04/17/2005 12:30 PM]
"SoundMan"="SOUNDMAN.EXE" [11/16/2006 03:42 PM C:\WINDOWS\SOUNDMAN.EXE]
"NvCplDaemon"="C:\WINDOWS\system32\NvCpl.dll" [06/28/2007 11:43 PM]
"HPDJ Taskbar Utility"="C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb07.exe" [05/14/2003 01:01 AM]
"OneTouch Monitor"="C:\Program Files\Visioneer OneTouch\OneTouchMon.exe" [09/10/2001 07:08 AM]
"NvMediaCenter"="C:\WINDOWS\system32\NvMcTray.dll" [06/28/2007 11:43 PM]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [06/29/2007 05:24 AM]
"NeroFilterCheck"="C:\WINDOWS\system32\NeroCheck.exe" [07/09/2001 09:50 AM]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe" [09/25/2007 12:11 AM]
"Acrobat Assistant 8.0"="C:\Program Files\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe" [05/10/2007 10:46 PM]
"@"="" []
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"DynDNS Updater"="C:\Program Files\DynDNS Updater\DynDNS.exe" [09/17/2006 09:32 AM]
"PPWebCap"="C:\PROGRA~1\ScanSoft\PAPERP~1\PPWebCap.exe" []
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [08/04/2004 01:56 AM]
"PMCRemote"="C:\Program Files\Pinnacle\Shared Files\Programs\Remote\Remoterm.exe" [09/18/2007 01:00 PM]
"PMCLoader"="C:\Program Files\Pinnacle\TVCenter Pro\PMCLoader.exe" [10/10/2007 11:02 AM]
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"EnableLUA"=0 (0x0)
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"NoActiveDesktop"=01000000
SafeBoot registry key needs repairs. This machine cannot enter Safe Mode.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\File system]
@="Driver Group"
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\RpcSs]
@="Service"
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\vgasave.sys]
@="Driver"
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{4D36E967-E325-11CE-BFC1-08002BE10318}]
@="DiskDrive"
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{4D36E96A-E325-11CE-BFC1-08002BE10318}]
@="Hdc"
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{4D36E96B-E325-11CE-BFC1-08002BE10318}]
@="Keyboard"
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{4D36E96F-E325-11CE-BFC1-08002BE10318}]
@="Mouse"
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{4D36E97D-E325-11CE-BFC1-08002BE10318}]
@="System"
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{71A27CDD-812A-11D0-BEC7-08002BE2092F}]
@="Volume"
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\D]
AutoRun\command- D:\setup.exe -q
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\H]
AutoRun\command- H:\LaunchU3.exe
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{0b2ce72c-7e8f-11dc-99e1-0019dbacad3f}]
AutoRun\command- G:\autolauncher4u3.exe -a
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{3b51f2db-8af1-11dc-99f3-0019dbacad3f}]
AutoRun\command- G:\.\spm.exe
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{e328ae98-4eba-11dc-99c9-0019dbacad3f}]
AutoRun\command- G:\autolauncher4u3.exe -a
-- End of Deckard's System Scanner: finished at 2008-01-07 16:35:17 ------------
Rorschach112
2008-01-08, 00:50
Which entry was red from the IceSword log ?
Seems we are making some progress.
Now we need to fix your problems by making a .reg file. Copy the code below into a Notepad file. Name the file as fix.reg, change the "Save as Type" to "All files" and save it on the desktop.
Windows Registry Editor Version 5.00
[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\D]
[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\H]
[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{0b2ce72c-7e8f-11dc-99e1-0019dbacad3f}]
[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{e328ae98-4eba-11dc-99c9-0019dbacad3f}]
[-HKEY_CLASSES_ROOT\CLSID\{0b2ce72c-7e8f-11dc-99e1-0019dbacad3f}]
[-HKEY_CLASSES_ROOT\CLSID\{e328ae98-4eba-11dc-99c9-0019dbacad3f}]
Then double click on the fix.reg file, when it prompts to merge click "Yes".
Download avz4.zip from here (http://z-oleg.com/avz4.zip)
Unzip it to your desktop to a folder named avz4
Double click on AVZ.exe to run it.
Run an update by clicking the Auto Update button on the Right of the Log window: http://rathat.geekstogo.com/images/AVZupdate.jpg
Click Start to begin the update
Note: If you recieve an error message, chose a different source, then click Start again
After the update, from the "File" menu, choose "System Recovery"
Check the box beside 10. Restore SafeBoot registry keys
Click Execute selected scripts and let it run
Accept and prompts and reboot your PC
Post a new DSS log and the OTMoveIt results from the previous post.
leifhassell
2008-01-09, 00:37
Ok...
1. This was the red entry:
Icesword SSDT (Transcribed from program... just the one red entry)
Index | Current Addr. | KModule | Original Addr. | Name
0x1F | 0x89D8B500 | Unknown | 0x805986E6 | NtConnectPort
2. Performed registry fix.
3. Performed actions with AVZ.
Here is the OTMoveIt Log: (Sorry I forgot it last time.)
C:\Program Files\ScanSoft\PaperPort\PPWEBCAP.EXE moved successfully.
F:\Incoming\On2Share for Winamp 3.0.3.zip moved successfully.
File/Folder C:\Windows\System32\Drivers\rkhdrv40.sys not found.
File/Folder C:\WINDOWS\system32\drivers\hldrrr.exe not found.
File/Folder C:\WINDOWS\system32\drivers\srosa.sys not found.
File move failed. D:\setup.exe scheduled to be moved on reboot.
File/Folder H:\LaunchU3.exe not found.
File/Folder G:\autolauncher4u3.exe not found.
File/Folder G:\autolauncher4u3.exe not found.
Created on 01/07/2008 16:06:29
Here is the DSS log:
Deckard's System Scanner v20071014.68
Run by Leif Hassell on 2008-01-08 16:34:02
Computer is in Normal Mode.
--------------------------------------------------------------------------------
-- HijackThis (run as Leif Hassell.exe) ----------------------------------------
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 4:34:15 PM, on 1/8/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16574)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Symantec AntiVirus\DefWatch.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Symantec AntiVirus\Rtvscan.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\PROGRA~1\SYMANT~1\VPTray.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb07.exe
C:\Program Files\Visioneer OneTouch\OneTouchMon.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe
C:\Program Files\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe
C:\Program Files\DynDNS Updater\DynDNS.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\WINDOWS\system32\NOTEPAD.EXE
J:\spm.exe
J:\AV Tools\dss.exe
C:\PROGRA~1\TRENDM~1\HIJACK~1\LEIFHA~1.EXE
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: Winamp Toolbar BHO - {25CEE8EC-5730-41bc-8B58-22DDC8AB8C20} - C:\Program Files\Winamp Toolbar\winamptb.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O2 - BHO: Adobe PDF Conversion Toolbar Helper - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: Winamp Toolbar - {EBF2BA02-9094-4c5a-858B-BB198F3D8DE2} - C:\Program Files\Winamp Toolbar\winamptb.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\VPTray.exe
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb07.exe
O4 - HKLM\..\Run: [OneTouch Monitor] C:\Program Files\Visioneer OneTouch\OneTouchMon.exe
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"
O4 - HKLM\..\Run: [Acrobat Assistant 8.0] "C:\Program Files\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe"
O4 - HKCU\..\Run: [DynDNS Updater] "C:\Program Files\DynDNS Updater\DynDNS.exe"
O4 - HKCU\..\Run: [PPWebCap] C:\PROGRA~1\ScanSoft\PAPERP~1\PPWebCap.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [PMCRemote] C:\Program Files\Pinnacle\Shared Files\Programs\Remote\Remoterm.exe
O4 - HKCU\..\Run: [PMCLoader] C:\Program Files\Pinnacle\TVCenter Pro\PMCLoader.exe -checktasks
O8 - Extra context menu item: &Winamp Toolbar Search - C:\Documents and Settings\All Users\Application Data\Winamp Toolbar\ieToolbar\resources\en-US\local\search.html
O8 - Extra context menu item: Append to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert link target to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert link target to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert selected links to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
O8 - Extra context menu item: Convert selected links to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
O8 - Extra context menu item: Convert selection to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert selection to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/english/kavwebscan_unicode.cab
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/SharedContent/vc/bin/AvSniff.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1187354856624
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1187355034171
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - C:\Program Files\Symantec AntiVirus\DefWatch.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: DiRT Drivers Auto Removal (pr2ah4nc) (pr2ah4nc) - CODEMASTERS - C:\WINDOWS\system32\pr2ah4nc.exe
O23 - Service: SAVRoam (SavRoam) - symantec - C:\Program Files\Symantec AntiVirus\SavRoam.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec AntiVirus\Rtvscan.exe
--
End of file - 8725 bytes
-- Files created between 2007-12-08 and 2008-01-08 -----------------------------
2008-01-03 12:11:29 0 d-------- C:\Program Files\Trend Micro
2008-01-03 12:08:36 0 d-------- C:\Documents and Settings\All Users\Application Data\Kaspersky Lab
2008-01-03 12:08:34 0 d-------- C:\WINDOWS\system32\Kaspersky Lab
2008-01-03 11:14:17 0 d--h----- C:\WINDOWS\PIF
2008-01-02 15:53:14 0 d-------- C:\Program Files\DemoForge
2008-01-01 18:36:00 0 d-------- C:\Documents and Settings\Leif Hassell\Application Data\Thunderbird
2008-01-01 18:35:41 0 d-------- C:\Program Files\Mozilla Thunderbird
2007-12-31 20:33:46 724992 --a------ C:\WINDOWS\iun6002.exe <Not Verified; Indigo Rose Corporation; Setup Factory 6.0 Runtime Module>
2007-12-31 20:32:08 0 d-------- C:\WINDOWS\system32\URTTEMP
2007-12-31 18:31:32 0 d-------- C:\WINDOWS\system32\drivers\down
2007-12-31 16:59:58 4 --a------ C:\WINDOWS\system32\0229AC
2007-12-31 16:59:35 8413 --a------ C:\WINDOWS\system32\drivers\mcstrm.sys <Not Verified; RealNetworks, Inc.; RealNetworks Virtual Path Manager® (32-bit)>
2007-12-31 16:59:35 0 d-------- C:\Program Files\Common Files\Real
2007-12-31 16:59:11 0 d-------- C:\Program Files\Real
2007-12-31 16:57:51 0 d-------- C:\Program Files\Comcast Rhapsody
2007-12-31 16:57:37 0 d-------- C:\Documents and Settings\Leif Hassell\Application Data\Real
2007-12-30 12:00:59 0 d-------- C:\Documents and Settings\Leif Hassell\browser - logitech
2007-12-30 12:00:33 0 d-------- C:\Documents and Settings\Leif Hassell\logitech
2007-12-30 11:58:25 0 d-------- C:\Program Files\Common Files\Remote Control Software Common
2007-12-30 11:57:47 0 d------c- C:\WINDOWS\system32\DRVSTORE
2007-12-30 11:57:45 0 d-------- C:\Program Files\Common Files\Remote Control USB Driver
2007-12-30 11:56:57 0 d-------- C:\Documents and Settings\Leif Hassell\Application Data\InstallShield
2007-12-29 12:14:32 0 d-------- C:\Program Files\Xpadder
2007-12-29 11:12:34 0 d-------- C:\Program Files\Common Files\Logitech
2007-12-29 11:12:13 0 d-------- C:\Program Files\Logitech
2007-12-28 16:27:16 0 d-------- C:\Documents and Settings\Leif Hassell\Application Data\I-O DATA DEVICE,INC
2007-12-28 16:23:13 44544 --a------ C:\WINDOWS\system32\msxml4a.dll <Not Verified; Microsoft Corporation; Microsoft(R) MSXML 4.0 SP1>
2007-12-28 16:23:13 0 d-------- C:\Program Files\I-O DATA DEVICE,INC
2007-12-27 18:50:20 0 d-------- C:\Program Files\devnz
2007-12-23 11:36:39 0 d-------- C:\Program Files\wizdxp
2007-12-16 16:05:54 0 d-------- C:\Program Files\Flagship Studios
2007-12-08 10:58:17 0 d-------- C:\Program Files\Codemasters
-- Find3M Report ---------------------------------------------------------------
2008-01-08 00:01:52 0 d-------- C:\Program Files\DynDNS Updater
2008-01-07 16:24:09 0 d-------- C:\Program Files\Symantec AntiVirus
2008-01-07 16:15:20 0 d-------- C:\Program Files\Common Files\Symantec Shared
2008-01-03 13:33:12 0 d-------- C:\Program Files\Mgtweak
2008-01-01 19:14:25 0 d-------- C:\Documents and Settings\Leif Hassell\Application Data\Ahead
2007-12-31 20:40:28 0 d-------- C:\Program Files\Winamp
2007-12-31 16:59:35 0 d-------- C:\Program Files\Common Files
2007-12-30 11:58:09 0 d--h----- C:\Program Files\InstallShield Installation Information
2007-12-26 16:38:36 0 d-------- C:\Documents and Settings\Leif Hassell\Application Data\OpenOffice.org2
2007-11-29 20:39:05 0 d-------- C:\Documents and Settings\Leif Hassell\Application Data\Magic Set Editor
2007-11-29 20:33:01 0 d-------- C:\Program Files\Magic Set Editor 2
2007-11-29 17:17:56 0 d-------- C:\Program Files\Mozilla Sunbird
2007-11-28 16:40:47 0 d-------- C:\Documents and Settings\Leif Hassell\Application Data\Adobe
2007-11-20 20:31:16 0 d-------- C:\Documents and Settings\Leif Hassell\Application Data\U3
2007-11-16 16:09:56 0 d-------- C:\Program Files\AutoIt3
2007-11-15 16:49:03 0 d-------- C:\Program Files\MusicBrainz Picard
2007-11-14 16:38:31 0 d-------- C:\Program Files\Common Files\Control Panels
2007-11-14 16:37:52 0 d-------- C:\Program Files\Common Files\Adobe
2007-11-14 15:17:19 0 d-------- C:\Program Files\Bonjour
2007-11-14 15:03:16 0 d-------- C:\Program Files\Common Files\Macrovision Shared
2007-11-11 19:48:06 0 d-------- C:\Program Files\Atari
2007-11-09 16:26:59 2041 --a------ C:\WINDOWS\mozver.dat
2007-11-08 19:50:11 0 d-------- C:\Documents and Settings\Leif Hassell\Application Data\Help
2007-11-08 17:26:08 0 d-------- C:\Program Files\Aezay Productions
-- Registry Dump ---------------------------------------------------------------
*Note* empty entries & legit default entries are not shown
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{25CEE8EC-5730-41bc-8B58-22DDC8AB8C20}]
10/04/2007 02:06 PM 1135968 --a------ C:\Program Files\Winamp Toolbar\winamptb.dll
[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser]
"{EBF2BA02-9094-4C5A-858B-BB198F3D8DE2}"= C:\Program Files\Winamp Toolbar\winamptb.dll [10/04/2007 02:06 PM 1135968]
[-HKEY_CLASSES_ROOT\CLSID\{EBF2BA02-9094-4C5A-858B-BB198F3D8DE2}]
[HKEY_CLASSES_ROOT\WINAMPTB.AOLToolBand.1]
[HKEY_CLASSES_ROOT\TypeLib\{538CD77C-BFDD-49b0-9562-77419CAB89D1}]
[HKEY_CLASSES_ROOT\WINAMPTB.AOLToolBand]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ccApp"="C:\Program Files\Common Files\Symantec Shared\ccApp.exe" [04/08/2005 03:52 PM]
"vptray"="C:\PROGRA~1\SYMANT~1\VPTray.exe" [04/17/2005 12:30 PM]
"SoundMan"="SOUNDMAN.EXE" [11/16/2006 03:42 PM C:\WINDOWS\SOUNDMAN.EXE]
"NvCplDaemon"="C:\WINDOWS\system32\NvCpl.dll" [06/28/2007 11:43 PM]
"HPDJ Taskbar Utility"="C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb07.exe" [05/14/2003 01:01 AM]
"OneTouch Monitor"="C:\Program Files\Visioneer OneTouch\OneTouchMon.exe" [09/10/2001 07:08 AM]
"NvMediaCenter"="C:\WINDOWS\system32\NvMcTray.dll" [06/28/2007 11:43 PM]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [06/29/2007 05:24 AM]
"NeroFilterCheck"="C:\WINDOWS\system32\NeroCheck.exe" [07/09/2001 09:50 AM]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe" [09/25/2007 12:11 AM]
"Acrobat Assistant 8.0"="C:\Program Files\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe" [05/10/2007 10:46 PM]
"@"="" []
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"DynDNS Updater"="C:\Program Files\DynDNS Updater\DynDNS.exe" [09/17/2006 09:32 AM]
"PPWebCap"="C:\PROGRA~1\ScanSoft\PAPERP~1\PPWebCap.exe" []
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [08/04/2004 01:56 AM]
"PMCRemote"="C:\Program Files\Pinnacle\Shared Files\Programs\Remote\Remoterm.exe" [09/18/2007 01:00 PM]
"PMCLoader"="C:\Program Files\Pinnacle\TVCenter Pro\PMCLoader.exe" [10/10/2007 11:02 AM]
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"EnableLUA"=0 (0x0)
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"NoActiveDesktop"=01000000
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{3b51f2db-8af1-11dc-99f3-0019dbacad3f}]
AutoRun\command- G:\.\spm.exe
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{e328ae98-4eba-11dc-99c9-0019dbacad3f}]
AutoRun\command- G:\autolauncher4u3.exe -a
-- End of Deckard's System Scanner: finished at 2008-01-08 16:34:53 ------------
Rorschach112
2008-01-09, 03:10
Just to satisfy my curiosity, were all three of these files found with IceSword in your previous post ?
C:\Windows\System32\Drivers\rkhdrv40.sys
C:\WINDOWS\system32\drivers\hldrrr.exe
C:\WINDOWS\system32\drivers\srosa.sys
Please do an online scan with Kaspersky WebScanner (http://www.kaspersky.com/kos/eng/partner/default/kavwebscan.html)
Click on Kaspersky Online Scanner and click Accept
You will be prompted to install an ActiveX component from Kaspersky, Click Yes.
The program will launch and then begin downloading the latest definition files:
Once the files have been downloaded click on NEXT
Now click on Scan Settings
In the scan settings make that the following are selected:
Scan using the following Anti-Virus database:
Extended (if available otherwise Standard)
Scan Options:
Scan Archives
Scan Mail Bases
Click OK
Now under select a target to scan:Select My Computer
This will program will start and scan your system.
The scan will take a while so be patient and let it run.
Once the scan is complete it will display if your system has been infected.
Now click on the Save as Text button:
Save the file to your desktop.
Copy and paste that information in your next post.
Also tell me how your PC is running
leifhassell
2008-01-09, 19:57
Just to satisfy my curiosity, were all three of these files found with IceSword in your previous post ?
C:\Windows\System32\Drivers\rkhdrv40.sys
C:\WINDOWS\system32\drivers\hldrrr.exe
C:\WINDOWS\system32\drivers\srosa.sys
None of these were found... all were eradicated.
Now, as to the rest:
Kaspersky Log:
-------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER REPORT
Wednesday, January 09, 2008 6:55:44 AM
Operating System: Microsoft Windows XP Home Edition, Service Pack 2 (Build 2600)
Kaspersky Online Scanner version: 5.0.98.0
Kaspersky Anti-Virus database last update: 9/01/2008
Kaspersky Anti-Virus database records: 504550
-------------------------------------------------------------------------------
Scan Settings:
Scan using the following antivirus database: extended
Scan Archives: true
Scan Mail Bases: true
Scan Target - My Computer:
C:\
D:\
E:\
F:\
Y:\
Z:\
Scan Statistics:
Total number of scanned objects: 320016
Number of viruses found: 0
Number of infected objects: 0
Number of suspicious objects: 0
Duration of the scan process: 06:10:11
Infected Object Name / Virus Name / Last Action
C:\Documents and Settings\All Users\Application Data\Symantec\Common Client\settings.dat Object is locked skipped
C:\Documents and Settings\Leif Hassell\Application Data\Mozilla\Firefox\Profiles\5z4o0isa.default\cert8.db Object is locked skipped
C:\Documents and Settings\Leif Hassell\Application Data\Mozilla\Firefox\Profiles\5z4o0isa.default\history.dat Object is locked skipped
C:\Documents and Settings\Leif Hassell\Application Data\Mozilla\Firefox\Profiles\5z4o0isa.default\key3.db Object is locked skipped
C:\Documents and Settings\Leif Hassell\Application Data\Mozilla\Firefox\Profiles\5z4o0isa.default\parent.lock Object is locked skipped
C:\Documents and Settings\Leif Hassell\Application Data\Mozilla\Firefox\Profiles\5z4o0isa.default\search.sqlite Object is locked skipped
C:\Documents and Settings\Leif Hassell\Application Data\Mozilla\Firefox\Profiles\5z4o0isa.default\simplemail\simplemail.sqlite Object is locked skipped
C:\Documents and Settings\Leif Hassell\Application Data\Mozilla\Firefox\Profiles\5z4o0isa.default\urlclassifier2.sqlite Object is locked skipped
C:\Documents and Settings\Leif Hassell\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\Leif Hassell\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\Leif Hassell\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\Leif Hassell\Local Settings\Application Data\Mozilla\Firefox\Profiles\5z4o0isa.default\Cache\_CACHE_001_ Object is locked skipped
C:\Documents and Settings\Leif Hassell\Local Settings\Application Data\Mozilla\Firefox\Profiles\5z4o0isa.default\Cache\_CACHE_002_ Object is locked skipped
C:\Documents and Settings\Leif Hassell\Local Settings\Application Data\Mozilla\Firefox\Profiles\5z4o0isa.default\Cache\_CACHE_003_ Object is locked skipped
C:\Documents and Settings\Leif Hassell\Local Settings\Application Data\Mozilla\Firefox\Profiles\5z4o0isa.default\Cache\_CACHE_MAP_ Object is locked skipped
C:\Documents and Settings\Leif Hassell\Local Settings\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\Leif Hassell\Local Settings\History\History.IE5\MSHist012008010820080109\index.dat Object is locked skipped
C:\Documents and Settings\Leif Hassell\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\Leif Hassell\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\Leif Hassell\NTUSER.DAT.LOG Object is locked skipped
C:\Documents and Settings\LocalService\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\LocalService\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\NetworkService\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\NetworkService\ntuser.dat.LOG Object is locked skipped
C:\Program Files\Common Files\Symantec Shared\SPBBC\LOGS\BBConfig.log Object is locked skipped
C:\Program Files\Common Files\Symantec Shared\SPBBC\LOGS\BBDebug.log Object is locked skipped
C:\Program Files\Common Files\Symantec Shared\SPBBC\LOGS\BBDetect.log Object is locked skipped
C:\Program Files\Common Files\Symantec Shared\SPBBC\LOGS\BBNotify.log Object is locked skipped
C:\Program Files\Common Files\Symantec Shared\SPBBC\LOGS\BBRefr.log Object is locked skipped
C:\Program Files\Common Files\Symantec Shared\SPBBC\LOGS\BBSetCfg.log Object is locked skipped
C:\Program Files\Common Files\Symantec Shared\SPBBC\LOGS\BBSetDev.log Object is locked skipped
C:\Program Files\Common Files\Symantec Shared\SPBBC\LOGS\BBSetLoc.log Object is locked skipped
C:\Program Files\Common Files\Symantec Shared\SPBBC\LOGS\BBSetUsr.log Object is locked skipped
C:\Program Files\Common Files\Symantec Shared\SPBBC\LOGS\BBStHash.log Object is locked skipped
C:\Program Files\Common Files\Symantec Shared\SPBBC\LOGS\BBStMSI.log Object is locked skipped
C:\Program Files\Common Files\Symantec Shared\SPBBC\LOGS\BBValid.log Object is locked skipped
C:\Program Files\Common Files\Symantec Shared\SPBBC\LOGS\SPPolicy.log Object is locked skipped
C:\Program Files\Common Files\Symantec Shared\SPBBC\LOGS\SPStart.log Object is locked skipped
C:\Program Files\Common Files\Symantec Shared\SPBBC\LOGS\SPStop.log Object is locked skipped
C:\Program Files\Symantec AntiVirus\SAVRT\0355NAV~.TMP Object is locked skipped
C:\Program Files\Symantec AntiVirus\SAVRT\0970NAV~.TMP Object is locked skipped
C:\System Volume Information\MountPointManagerRemoteDatabase Object is locked skipped
C:\System Volume Information\_restore{16AE3587-496B-453B-B798-C1A607D8D4A7}\RP200\change.log Object is locked skipped
C:\WINDOWS\$NtUninstallKB828741$\catsrv.dll Object is locked skipped
C:\WINDOWS\$NtUninstallKB828741$\catsrvut.dll Object is locked skipped
C:\WINDOWS\$NtUninstallKB828741$\clbcatex.dll Object is locked skipped
C:\WINDOWS\$NtUninstallKB828741$\clbcatq.dll Object is locked skipped
C:\WINDOWS\$NtUninstallKB828741$\colbact.dll Object is locked skipped
C:\WINDOWS\$NtUninstallKB828741$\comadmin.dll Object is locked skipped
C:\WINDOWS\$NtUninstallKB828741$\comsvcs.dll Object is locked skipped
C:\WINDOWS\$NtUninstallKB828741$\comuid.dll Object is locked skipped
C:\WINDOWS\$NtUninstallKB828741$\es.dll Object is locked skipped
C:\WINDOWS\$NtUninstallKB828741$\kb828741.cat Object is locked skipped
C:\WINDOWS\$NtUninstallKB828741$\msdtcprx.dll Object is locked skipped
C:\WINDOWS\$NtUninstallKB828741$\msdtctm.dll Object is locked skipped
C:\WINDOWS\$NtUninstallKB828741$\msdtcuiu.dll Object is locked skipped
C:\WINDOWS\$NtUninstallKB828741$\mtxclu.dll Object is locked skipped
C:\WINDOWS\$NtUninstallKB828741$\mtxoci.dll Object is locked skipped
C:\WINDOWS\$NtUninstallKB828741$\ole32.dll Object is locked skipped
C:\WINDOWS\$NtUninstallKB828741$\rpcrt4.dll Object is locked skipped
C:\WINDOWS\$NtUninstallKB828741$\rpcss.dll Object is locked skipped
C:\WINDOWS\$NtUninstallKB828741$\txflog.dll Object is locked skipped
C:\WINDOWS\$NtUninstallKB828741_RTM$\catsrv.dll Object is locked skipped
C:\WINDOWS\$NtUninstallKB828741_RTM$\catsrvut.dll Object is locked skipped
C:\WINDOWS\$NtUninstallKB828741_RTM$\clbcatex.dll Object is locked skipped
C:\WINDOWS\$NtUninstallKB828741_RTM$\clbcatq.dll Object is locked skipped
C:\WINDOWS\$NtUninstallKB828741_RTM$\colbact.dll Object is locked skipped
C:\WINDOWS\$NtUninstallKB828741_RTM$\comadmin.dll Object is locked skipped
C:\WINDOWS\$NtUninstallKB828741_RTM$\comrepl.exe Object is locked skipped
C:\WINDOWS\$NtUninstallKB828741_RTM$\comsvcs.dll Object is locked skipped
C:\WINDOWS\$NtUninstallKB828741_RTM$\comuid.dll Object is locked skipped
C:\WINDOWS\$NtUninstallKB828741_RTM$\es.dll Object is locked skipped
C:\WINDOWS\$NtUninstallKB828741_RTM$\migregdb.exe Object is locked skipped
C:\WINDOWS\$NtUninstallKB828741_RTM$\msdtcprx.dll Object is locked skipped
C:\WINDOWS\$NtUninstallKB828741_RTM$\msdtctm.dll Object is locked skipped
C:\WINDOWS\$NtUninstallKB828741_RTM$\msdtcuiu.dll Object is locked skipped
C:\WINDOWS\$NtUninstallKB828741_RTM$\mtxclu.dll Object is locked skipped
C:\WINDOWS\$NtUninstallKB828741_RTM$\mtxoci.dll Object is locked skipped
C:\WINDOWS\$NtUninstallKB828741_RTM$\ole32.dll Object is locked skipped
C:\WINDOWS\$NtUninstallKB828741_RTM$\rpcrt4.dll Object is locked skipped
C:\WINDOWS\$NtUninstallKB828741_RTM$\rpcss.dll Object is locked skipped
C:\WINDOWS\$NtUninstallKB828741_RTM$\txflog.dll Object is locked skipped
C:\WINDOWS\$NtUninstallKB835732$\callcont.dll Object is locked skipped
C:\WINDOWS\$NtUninstallKB835732$\evtgprov.dll Object is locked skipped
C:\WINDOWS\$NtUninstallKB835732$\gdi32.dll Object is locked skipped
C:\WINDOWS\$NtUninstallKB835732$\h323.tsp Object is locked skipped
C:\WINDOWS\$NtUninstallKB835732$\h323msp.dll Object is locked skipped
C:\WINDOWS\$NtUninstallKB835732$\helpctr.exe Object is locked skipped
C:\WINDOWS\$NtUninstallKB835732$\ipnathlp.dll Object is locked skipped
C:\WINDOWS\$NtUninstallKB835732$\kb835732.cat Object is locked skipped
C:\WINDOWS\$NtUninstallKB835732$\lsasrv.dll Object is locked skipped
C:\WINDOWS\$NtUninstallKB835732$\mf3216.dll Object is locked skipped
C:\WINDOWS\$NtUninstallKB835732$\msasn1.dll Object is locked skipped
C:\WINDOWS\$NtUninstallKB835732$\msgina.dll Object is locked skipped
C:\WINDOWS\$NtUninstallKB835732$\mst120.dll Object is locked skipped
C:\WINDOWS\$NtUninstallKB835732$\netapi32.dll Object is locked skipped
C:\WINDOWS\$NtUninstallKB835732$\nmcom.dll Object is locked skipped
C:\WINDOWS\$NtUninstallKB835732$\rtcdll.dll Object is locked skipped
C:\WINDOWS\$NtUninstallKB835732$\schannel.dll Object is locked skipped
C:\WINDOWS\$NtUninstallKB835732_RTM$\browser.dll Object is locked skipped
C:\WINDOWS\$NtUninstallKB835732_RTM$\callcont.dll Object is locked skipped
C:\WINDOWS\$NtUninstallKB835732_RTM$\gdi32.dll Object is locked skipped
C:\WINDOWS\$NtUninstallKB835732_RTM$\h323.tsp Object is locked skipped
C:\WINDOWS\$NtUninstallKB835732_RTM$\h323msp.dll Object is locked skipped
C:\WINDOWS\$NtUninstallKB835732_RTM$\helpctr.exe Object is locked skipped
C:\WINDOWS\$NtUninstallKB835732_RTM$\ipnathlp.dll Object is locked skipped
C:\WINDOWS\$NtUninstallKB835732_RTM$\lsasrv.dll Object is locked skipped
C:\WINDOWS\$NtUninstallKB835732_RTM$\mf3216.dll Object is locked skipped
C:\WINDOWS\$NtUninstallKB835732_RTM$\msasn1.dll Object is locked skipped
C:\WINDOWS\$NtUninstallKB835732_RTM$\msgina.dll Object is locked skipped
C:\WINDOWS\$NtUninstallKB835732_RTM$\mst120.dll Object is locked skipped
C:\WINDOWS\$NtUninstallKB835732_RTM$\netapi32.dll Object is locked skipped
C:\WINDOWS\$NtUninstallKB835732_RTM$\nmcom.dll Object is locked skipped
C:\WINDOWS\$NtUninstallKB835732_RTM$\rtcdll.dll Object is locked skipped
C:\WINDOWS\$NtUninstallKB835732_RTM$\schannel.dll Object is locked skipped
C:\WINDOWS\$NtUninstallQ329048$\reg00001 Object is locked skipped
C:\WINDOWS\$NtUninstallQ329390$\reg00001 Object is locked skipped
C:\WINDOWS\$NtUninstallQ329834$\reg00001 Object is locked skipped
C:\WINDOWS\Debug\PASSWD.LOG Object is locked skipped
C:\WINDOWS\SchedLgU.Txt Object is locked skipped
C:\WINDOWS\Sti_Trace.log Object is locked skipped
C:\WINDOWS\system32\config\AppEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\default Object is locked skipped
C:\WINDOWS\system32\config\default.LOG Object is locked skipped
C:\WINDOWS\system32\config\Internet.evt Object is locked skipped
C:\WINDOWS\system32\config\SAM Object is locked skipped
C:\WINDOWS\system32\config\SAM.LOG Object is locked skipped
C:\WINDOWS\system32\config\SecEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\SECURITY Object is locked skipped
C:\WINDOWS\system32\config\SECURITY.LOG Object is locked skipped
C:\WINDOWS\system32\config\software Object is locked skipped
C:\WINDOWS\system32\config\software.LOG Object is locked skipped
C:\WINDOWS\system32\config\SysEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\system Object is locked skipped
C:\WINDOWS\system32\config\system.LOG Object is locked skipped
C:\WINDOWS\system32\h323log.txt Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\INDEX.BTR Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\INDEX.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING.VER Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING1.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING2.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.DATA Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.MAP Object is locked skipped
C:\WINDOWS\wiadebug.log Object is locked skipped
C:\WINDOWS\wiaservc.log Object is locked skipped
E:\System Volume Information\_restore{16AE3587-496B-453B-B798-C1A607D8D4A7}\RP200\change.log Object is locked skipped
F:\Incoming\temp\001.part Object is locked skipped
F:\Incoming\temp\003.part Object is locked skipped
F:\System Volume Information\MountPointManagerRemoteDatabase Object is locked skipped
F:\System Volume Information\_restore{16AE3587-496B-453B-B798-C1A607D8D4A7}\RP200\change.log Object is locked skipped
Y:\backup\mythconverg.sql.gz.5 Object is locked skipped
Y:\backup\savedfiles.tar.gz.5 Object is locked skipped
Y:\backup\savedfiles.tar.gz.6 Object is locked skipped
Y:\backup\mythconverg.sql.gz.4 Object is locked skipped
Y:\backup\mythconverg.sql.gz.6 Object is locked skipped
Y:\backup\savedfiles.tar.gz.4 Object is locked skipped
Y:\backup\savedfiles.tar.gz.7 Object is locked skipped
Y:\backup\mythconverg.sql.gz.3 Object is locked skipped
Y:\backup\mythconverg.sql.gz.7 Object is locked skipped
Y:\backup\savedfiles.tar.gz.3 Object is locked skipped
Y:\backup\savedfiles.tar.gz.8 Object is locked skipped
Y:\backup\mythconverg.sql.gz.2 Object is locked skipped
Y:\backup\mythconverg.sql.gz.8 Object is locked skipped
Y:\backup\savedfiles.tar.gz.2 Object is locked skipped
Y:\backup\savedfiles.tar.gz.9 Object is locked skipped
Y:\backup\mythconverg.sql.gz.1 Object is locked skipped
Y:\backup\savedfiles.tar.gz.1 Object is locked skipped
Y:\backup\mythconverg.sql.gz Object is locked skipped
Y:\backup\mythconverg.sql.gz.9 Object is locked skipped
Y:\backup\savedfiles.tar.gz Object is locked skipped
Scan process completed.
And my computer seems to be running well. Thanks again for your help.
Rorschach112
2008-01-09, 19:59
Can you post me a new DSS log, nearly done now
leifhassell
2008-01-10, 19:29
Here you go:
Deckard's System Scanner v20071014.68
Run by Leif Hassell on 2008-01-10 11:27:26
Computer is in Normal Mode.
--------------------------------------------------------------------------------
-- HijackThis (run as Leif Hassell.exe) ----------------------------------------
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 11:27:30 AM, on 1/10/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16574)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\PROGRA~1\SYMANT~1\VPTray.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb07.exe
C:\Program Files\Visioneer OneTouch\OneTouchMon.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe
C:\Program Files\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Symantec AntiVirus\DefWatch.exe
C:\Program Files\Symantec AntiVirus\Rtvscan.exe
C:\Program Files\Mozilla Firefox\firefox.exe
J:\spm.exe
J:\AV Tools\dss.exe
C:\PROGRA~1\TRENDM~1\HIJACK~1\LEIFHA~1.EXE
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: Winamp Toolbar BHO - {25CEE8EC-5730-41bc-8B58-22DDC8AB8C20} - C:\Program Files\Winamp Toolbar\winamptb.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Groove GFS Browser Helper - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\PROGRA~1\MICROS~2\Office12\GRA8E1~1.DLL
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O2 - BHO: Adobe PDF Conversion Toolbar Helper - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: Winamp Toolbar - {EBF2BA02-9094-4c5a-858B-BB198F3D8DE2} - C:\Program Files\Winamp Toolbar\winamptb.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\VPTray.exe
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb07.exe
O4 - HKLM\..\Run: [OneTouch Monitor] C:\Program Files\Visioneer OneTouch\OneTouchMon.exe
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"
O4 - HKLM\..\Run: [Acrobat Assistant 8.0] "C:\Program Files\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe"
O4 - HKLM\..\Run: [GrooveMonitor] "C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe"
O4 - HKCU\..\Run: [DynDNS Updater] "C:\Program Files\DynDNS Updater\DynDNS.exe"
O4 - HKCU\..\Run: [PPWebCap] C:\PROGRA~1\ScanSoft\PAPERP~1\PPWebCap.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [PMCRemote] C:\Program Files\Pinnacle\Shared Files\Programs\Remote\Remoterm.exe
O4 - HKCU\..\Run: [PMCLoader] C:\Program Files\Pinnacle\TVCenter Pro\PMCLoader.exe -checktasks
O8 - Extra context menu item: &Winamp Toolbar Search - C:\Documents and Settings\All Users\Application Data\Winamp Toolbar\ieToolbar\resources\en-US\local\search.html
O8 - Extra context menu item: Append to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert link target to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert link target to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert selected links to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
O8 - Extra context menu item: Convert selected links to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
O8 - Extra context menu item: Convert selection to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert selection to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/english/kavwebscan_unicode.cab
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/SharedContent/vc/bin/AvSniff.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1187354856624
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1187355034171
O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\PROGRA~1\MICROS~2\Office12\GR99D3~1.DLL
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - C:\Program Files\Symantec AntiVirus\DefWatch.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: DiRT Drivers Auto Removal (pr2ah4nc) (pr2ah4nc) - CODEMASTERS - C:\WINDOWS\system32\pr2ah4nc.exe
O23 - Service: SAVRoam (SavRoam) - symantec - C:\Program Files\Symantec AntiVirus\SavRoam.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec AntiVirus\Rtvscan.exe
--
End of file - 9705 bytes
-- Files created between 2007-12-10 and 2008-01-10 -----------------------------
2008-01-09 16:16:46 0 d-------- C:\Program Files\Microsoft Works
2008-01-09 16:05:26 0 d-------- C:\Program Files\Microsoft Visual Studio 8
2008-01-09 16:03:04 0 d-------- C:\Documents and Settings\All Users\Application Data\Microsoft Help
2008-01-09 15:59:46 0 dr-h----- C:\MSOCache
2008-01-03 12:11:29 0 d-------- C:\Program Files\Trend Micro
2008-01-03 12:08:36 0 d-------- C:\Documents and Settings\All Users\Application Data\Kaspersky Lab
2008-01-03 12:08:34 0 d-------- C:\WINDOWS\system32\Kaspersky Lab
2008-01-03 11:14:17 0 d--h----- C:\WINDOWS\PIF
2008-01-02 15:53:14 0 d-------- C:\Program Files\DemoForge
2008-01-01 18:36:00 0 d-------- C:\Documents and Settings\Leif Hassell\Application Data\Thunderbird
2008-01-01 18:35:41 0 d-------- C:\Program Files\Mozilla Thunderbird
2007-12-31 20:33:46 724992 --a------ C:\WINDOWS\iun6002.exe <Not Verified; Indigo Rose Corporation; Setup Factory 6.0 Runtime Module>
2007-12-31 20:32:08 0 d-------- C:\WINDOWS\system32\URTTEMP
2007-12-31 18:31:32 0 d-------- C:\WINDOWS\system32\drivers\down
2007-12-31 16:59:58 4 --a------ C:\WINDOWS\system32\0229AC
2007-12-31 16:59:35 8413 --a------ C:\WINDOWS\system32\drivers\mcstrm.sys <Not Verified; RealNetworks, Inc.; RealNetworks Virtual Path Manager® (32-bit)>
2007-12-31 16:59:35 0 d-------- C:\Program Files\Common Files\Real
2007-12-31 16:59:11 0 d-------- C:\Program Files\Real
2007-12-31 16:57:51 0 d-------- C:\Program Files\Comcast Rhapsody
2007-12-31 16:57:37 0 d-------- C:\Documents and Settings\Leif Hassell\Application Data\Real
2007-12-30 12:00:59 0 d-------- C:\Documents and Settings\Leif Hassell\browser - logitech
2007-12-30 12:00:33 0 d-------- C:\Documents and Settings\Leif Hassell\logitech
2007-12-30 11:58:25 0 d-------- C:\Program Files\Common Files\Remote Control Software Common
2007-12-30 11:57:47 0 d------c- C:\WINDOWS\system32\DRVSTORE
2007-12-30 11:57:45 0 d-------- C:\Program Files\Common Files\Remote Control USB Driver
2007-12-30 11:56:57 0 d-------- C:\Documents and Settings\Leif Hassell\Application Data\InstallShield
2007-12-29 12:14:32 0 d-------- C:\Program Files\Xpadder
2007-12-29 11:12:34 0 d-------- C:\Program Files\Common Files\Logitech
2007-12-29 11:12:13 0 d-------- C:\Program Files\Logitech
2007-12-28 16:27:16 0 d-------- C:\Documents and Settings\Leif Hassell\Application Data\I-O DATA DEVICE,INC
2007-12-28 16:23:13 44544 --a------ C:\WINDOWS\system32\msxml4a.dll <Not Verified; Microsoft Corporation; Microsoft(R) MSXML 4.0 SP1>
2007-12-28 16:23:13 0 d-------- C:\Program Files\I-O DATA DEVICE,INC
2007-12-27 18:50:20 0 d-------- C:\Program Files\devnz
2007-12-23 11:36:39 0 d-------- C:\Program Files\wizdxp
2007-12-16 16:05:54 0 d-------- C:\Program Files\Flagship Studios
-- Find3M Report ---------------------------------------------------------------
2008-01-09 17:13:57 0 d-------- C:\Documents and Settings\Leif Hassell\Application Data\OpenOffice.org2
2008-01-09 16:16:06 0 d-------- C:\Program Files\MSBuild
2008-01-09 16:14:19 0 d-------- C:\Program Files\Common Files
2008-01-09 16:11:35 0 d-------- C:\Program Files\Microsoft.NET
2008-01-09 00:01:21 0 d-------- C:\Program Files\DynDNS Updater
2008-01-08 20:22:14 0 d-------- C:\Program Files\Mozilla Sunbird
2008-01-08 20:16:17 0 d-------- C:\Program Files\Common Files\Symantec Shared
2008-01-08 20:05:58 0 d-------- C:\Program Files\Symantec AntiVirus
2008-01-08 20:05:05 0 d-------- C:\Program Files\Symantec
2008-01-08 18:03:22 0 d-------- C:\Program Files\OpenOffice.org 2.3
2008-01-03 13:33:12 0 d-------- C:\Program Files\Mgtweak
2008-01-01 19:14:25 0 d-------- C:\Documents and Settings\Leif Hassell\Application Data\Ahead
2007-12-31 20:40:28 0 d-------- C:\Program Files\Winamp
2007-12-30 11:58:09 0 d--h----- C:\Program Files\InstallShield Installation Information
2007-12-08 10:58:17 0 d-------- C:\Program Files\Codemasters
2007-11-29 20:39:05 0 d-------- C:\Documents and Settings\Leif Hassell\Application Data\Magic Set Editor
2007-11-29 20:33:01 0 d-------- C:\Program Files\Magic Set Editor 2
2007-11-28 16:40:47 0 d-------- C:\Documents and Settings\Leif Hassell\Application Data\Adobe
2007-11-20 20:31:16 0 d-------- C:\Documents and Settings\Leif Hassell\Application Data\U3
2007-11-16 16:09:56 0 d-------- C:\Program Files\AutoIt3
2007-11-15 16:49:03 0 d-------- C:\Program Files\MusicBrainz Picard
2007-11-14 16:38:31 0 d-------- C:\Program Files\Common Files\Control Panels
2007-11-14 16:37:52 0 d-------- C:\Program Files\Common Files\Adobe
2007-11-14 15:17:19 0 d-------- C:\Program Files\Bonjour
2007-11-14 15:03:16 0 d-------- C:\Program Files\Common Files\Macrovision Shared
2007-11-11 19:48:06 0 d-------- C:\Program Files\Atari
2007-11-09 16:26:59 2041 --a------ C:\WINDOWS\mozver.dat
-- Registry Dump ---------------------------------------------------------------
*Note* empty entries & legit default entries are not shown
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{25CEE8EC-5730-41bc-8B58-22DDC8AB8C20}]
10/04/2007 02:06 PM 1135968 --a------ C:\Program Files\Winamp Toolbar\winamptb.dll
[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser]
"{EBF2BA02-9094-4C5A-858B-BB198F3D8DE2}"= C:\Program Files\Winamp Toolbar\winamptb.dll [10/04/2007 02:06 PM 1135968]
[-HKEY_CLASSES_ROOT\CLSID\{EBF2BA02-9094-4C5A-858B-BB198F3D8DE2}]
[HKEY_CLASSES_ROOT\WINAMPTB.AOLToolBand.1]
[HKEY_CLASSES_ROOT\TypeLib\{538CD77C-BFDD-49b0-9562-77419CAB89D1}]
[HKEY_CLASSES_ROOT\WINAMPTB.AOLToolBand]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ccApp"="C:\Program Files\Common Files\Symantec Shared\ccApp.exe" [04/08/2005 03:52 PM]
"vptray"="C:\PROGRA~1\SYMANT~1\VPTray.exe" [04/17/2005 12:30 PM]
"SoundMan"="SOUNDMAN.EXE" [11/16/2006 03:42 PM C:\WINDOWS\SOUNDMAN.EXE]
"NvCplDaemon"="C:\WINDOWS\system32\NvCpl.dll" [06/28/2007 11:43 PM]
"HPDJ Taskbar Utility"="C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb07.exe" [05/14/2003 01:01 AM]
"OneTouch Monitor"="C:\Program Files\Visioneer OneTouch\OneTouchMon.exe" [09/10/2001 07:08 AM]
"NvMediaCenter"="C:\WINDOWS\system32\NvMcTray.dll" [06/28/2007 11:43 PM]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [06/29/2007 05:24 AM]
"NeroFilterCheck"="C:\WINDOWS\system32\NeroCheck.exe" [07/09/2001 09:50 AM]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe" [09/25/2007 12:11 AM]
"Acrobat Assistant 8.0"="C:\Program Files\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe" [05/10/2007 10:46 PM]
"@"="" []
"GrooveMonitor"="C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe" [10/27/2006 12:47 AM]
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"DynDNS Updater"="C:\Program Files\DynDNS Updater\DynDNS.exe" [09/17/2006 09:32 AM]
"PPWebCap"="C:\PROGRA~1\ScanSoft\PAPERP~1\PPWebCap.exe" []
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [08/04/2004 01:56 AM]
"PMCRemote"="C:\Program Files\Pinnacle\Shared Files\Programs\Remote\Remoterm.exe" [09/18/2007 01:00 PM]
"PMCLoader"="C:\Program Files\Pinnacle\TVCenter Pro\PMCLoader.exe" [10/10/2007 11:02 AM]
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"EnableLUA"=0 (0x0)
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"NoActiveDesktop"=01000000
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{0b2ce72c-7e8f-11dc-99e1-0019dbacad3f}]
AutoRun\command- G:\autolauncher4u3.exe -a
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{3b51f2db-8af1-11dc-99f3-0019dbacad3f}]
AutoRun\command- H:\.\spm.exe
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{e328ae98-4eba-11dc-99c9-0019dbacad3f}]
AutoRun\command- G:\autolauncher4u3.exe -a
*Newly Created Service* - CCEVTMGR
*Newly Created Service* - DEFWATCH
*Newly Created Service* - ERASERUTILDRVI4
*Newly Created Service* - LIVEUPDATE
*Newly Created Service* - SYMANTEC_ANTIVIRUS
-- End of Deckard's System Scanner: finished at 2008-01-10 11:27:53 ------------
Rorschach112
2008-01-10, 20:13
Hello
Please download OTMoveIt by OldTimer (http://download.bleepingcomputer.com/oldtimer/OTMoveIt.exe).
Save it to your desktop.
Please double-click OTMoveIt.exe to run it.
Copy the file paths below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose copy):
C:\WINDOWS\system32\drivers\down
Return to OTMoveIt, right click on the "Paste List of Files/Folders to be moved" window and choose Paste.
Click the red Moveit! button.
Close OTMoveIt
If a file or folder cannot be moved immediately you may be asked to reboot the machine to finish the move process. If you are asked to reboot the machine choose Yes.
Please "Copy" the results from the "Results" window (to the right) and then "Paste" them into your next reply on the forum.
Note : If a reboot was necessary or you needed to Exit before posting the log, you will find a copy of the log at the root of the drive where OTMoveIt is installed, usually at :
C:\_OTMoveIt\MovedFiles\********_******.log
(where "********_******" is the "date_time")
Click "Exit" to close OTMoveIt.
Please do an online scan with Kaspersky WebScanner (http://www.kaspersky.com/kos/eng/partner/default/kavwebscan.html)
Click on Kaspersky Online Scanner and click Accept
You will be prompted to install an ActiveX component from Kaspersky, Click Yes.
The program will launch and then begin downloading the latest definition files:
Once the files have been downloaded click on NEXT
Now click on Scan Settings
In the scan settings make that the following are selected:
Scan using the following Anti-Virus database:
Extended (if available otherwise Standard)
Scan Options:
Scan Archives
Scan Mail Bases
Click OK
Now under select a target to scan:Select My Computer
This will program will start and scan your system.
The scan will take a while so be patient and let it run.
Once the scan is complete it will display if your system has been infected.
Now click on the Save as Text button:
Save the file to your desktop.
Copy and paste that information in your next post.
Then reboot and post a new DSS log and tell me how your PC is running
leifhassell
2008-01-12, 01:06
OTMoveIt Log:
C:\WINDOWS\system32\drivers\down moved successfully.
Created on 01/10/2008 22:06:58
Kaspersky Log:
-------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER REPORT
Friday, January 11, 2008 6:59:59 AM
Operating System: Microsoft Windows XP Home Edition, Service Pack 2 (Build 2600)
Kaspersky Online Scanner version: 5.0.98.0
Kaspersky Anti-Virus database last update: 11/01/2008
Kaspersky Anti-Virus database records: 507245
-------------------------------------------------------------------------------
Scan Settings:
Scan using the following antivirus database: extended
Scan Archives: true
Scan Mail Bases: true
Scan Target - My Computer:
C:\
D:\
E:\
F:\
G:\
J:\
Y:\
Z:\
Scan Statistics:
Total number of scanned objects: 295458
Number of viruses found: 0
Number of infected objects: 0
Number of suspicious objects: 0
Duration of the scan process: 06:26:32
Infected Object Name / Virus Name / Last Action
C:\Documents and Settings\All Users\Application Data\Symantec\Common Client\settings.dat Object is locked skipped
C:\Documents and Settings\Leif Hassell\Application Data\Mozilla\Firefox\Profiles\5z4o0isa.default\cert8.db Object is locked skipped
C:\Documents and Settings\Leif Hassell\Application Data\Mozilla\Firefox\Profiles\5z4o0isa.default\history.dat Object is locked skipped
C:\Documents and Settings\Leif Hassell\Application Data\Mozilla\Firefox\Profiles\5z4o0isa.default\key3.db Object is locked skipped
C:\Documents and Settings\Leif Hassell\Application Data\Mozilla\Firefox\Profiles\5z4o0isa.default\parent.lock Object is locked skipped
C:\Documents and Settings\Leif Hassell\Application Data\Mozilla\Firefox\Profiles\5z4o0isa.default\search.sqlite Object is locked skipped
C:\Documents and Settings\Leif Hassell\Application Data\Mozilla\Firefox\Profiles\5z4o0isa.default\simplemail\simplemail.sqlite Object is locked skipped
C:\Documents and Settings\Leif Hassell\Application Data\Mozilla\Firefox\Profiles\5z4o0isa.default\urlclassifier2.sqlite Object is locked skipped
C:\Documents and Settings\Leif Hassell\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\Leif Hassell\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\Leif Hassell\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\Leif Hassell\Local Settings\Application Data\Mozilla\Firefox\Profiles\5z4o0isa.default\Cache\_CACHE_001_ Object is locked skipped
C:\Documents and Settings\Leif Hassell\Local Settings\Application Data\Mozilla\Firefox\Profiles\5z4o0isa.default\Cache\_CACHE_002_ Object is locked skipped
C:\Documents and Settings\Leif Hassell\Local Settings\Application Data\Mozilla\Firefox\Profiles\5z4o0isa.default\Cache\_CACHE_003_ Object is locked skipped
C:\Documents and Settings\Leif Hassell\Local Settings\Application Data\Mozilla\Firefox\Profiles\5z4o0isa.default\Cache\_CACHE_MAP_ Object is locked skipped
C:\Documents and Settings\Leif Hassell\Local Settings\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\Leif Hassell\Local Settings\History\History.IE5\MSHist012008011020080111\index.dat Object is locked skipped
C:\Documents and Settings\Leif Hassell\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\Leif Hassell\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\Leif Hassell\NTUSER.DAT.LOG Object is locked skipped
C:\Documents and Settings\LocalService\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\LocalService\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\NetworkService\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\NetworkService\ntuser.dat.LOG Object is locked skipped
C:\Program Files\Common Files\Symantec Shared\SPBBC\LOGS\BBConfig.log Object is locked skipped
C:\Program Files\Common Files\Symantec Shared\SPBBC\LOGS\BBDebug.log Object is locked skipped
C:\Program Files\Common Files\Symantec Shared\SPBBC\LOGS\BBDetect.log Object is locked skipped
C:\Program Files\Common Files\Symantec Shared\SPBBC\LOGS\BBNotify.log Object is locked skipped
C:\Program Files\Common Files\Symantec Shared\SPBBC\LOGS\BBRefr.log Object is locked skipped
C:\Program Files\Common Files\Symantec Shared\SPBBC\LOGS\BBSetCfg.log Object is locked skipped
C:\Program Files\Common Files\Symantec Shared\SPBBC\LOGS\BBSetDev.log Object is locked skipped
C:\Program Files\Common Files\Symantec Shared\SPBBC\LOGS\BBSetLoc.log Object is locked skipped
C:\Program Files\Common Files\Symantec Shared\SPBBC\LOGS\BBSetUsr.log Object is locked skipped
C:\Program Files\Common Files\Symantec Shared\SPBBC\LOGS\BBStHash.log Object is locked skipped
C:\Program Files\Common Files\Symantec Shared\SPBBC\LOGS\BBStMSI.log Object is locked skipped
C:\Program Files\Common Files\Symantec Shared\SPBBC\LOGS\BBValid.log Object is locked skipped
C:\Program Files\Common Files\Symantec Shared\SPBBC\LOGS\SPPolicy.log Object is locked skipped
C:\Program Files\Common Files\Symantec Shared\SPBBC\LOGS\SPStart.log Object is locked skipped
C:\Program Files\Common Files\Symantec Shared\SPBBC\LOGS\SPStop.log Object is locked skipped
C:\Program Files\Symantec AntiVirus\SAVRT\0355NAV~.TMP Object is locked skipped
C:\Program Files\Symantec AntiVirus\SAVRT\0970NAV~.TMP Object is locked skipped
C:\System Volume Information\MountPointManagerRemoteDatabase Object is locked skipped
C:\System Volume Information\_restore{16AE3587-496B-453B-B798-C1A607D8D4A7}\RP205\change.log Object is locked skipped
C:\WINDOWS\$NtUninstallKB828741$\catsrv.dll Object is locked skipped
C:\WINDOWS\$NtUninstallKB828741$\catsrvut.dll Object is locked skipped
C:\WINDOWS\$NtUninstallKB828741$\clbcatex.dll Object is locked skipped
C:\WINDOWS\$NtUninstallKB828741$\clbcatq.dll Object is locked skipped
C:\WINDOWS\$NtUninstallKB828741$\colbact.dll Object is locked skipped
C:\WINDOWS\$NtUninstallKB828741$\comadmin.dll Object is locked skipped
C:\WINDOWS\$NtUninstallKB828741$\comsvcs.dll Object is locked skipped
C:\WINDOWS\$NtUninstallKB828741$\comuid.dll Object is locked skipped
C:\WINDOWS\$NtUninstallKB828741$\es.dll Object is locked skipped
C:\WINDOWS\$NtUninstallKB828741$\kb828741.cat Object is locked skipped
C:\WINDOWS\$NtUninstallKB828741$\msdtcprx.dll Object is locked skipped
C:\WINDOWS\$NtUninstallKB828741$\msdtctm.dll Object is locked skipped
C:\WINDOWS\$NtUninstallKB828741$\msdtcuiu.dll Object is locked skipped
C:\WINDOWS\$NtUninstallKB828741$\mtxclu.dll Object is locked skipped
C:\WINDOWS\$NtUninstallKB828741$\mtxoci.dll Object is locked skipped
C:\WINDOWS\$NtUninstallKB828741$\ole32.dll Object is locked skipped
C:\WINDOWS\$NtUninstallKB828741$\rpcrt4.dll Object is locked skipped
C:\WINDOWS\$NtUninstallKB828741$\rpcss.dll Object is locked skipped
C:\WINDOWS\$NtUninstallKB828741$\txflog.dll Object is locked skipped
C:\WINDOWS\$NtUninstallKB828741_RTM$\catsrv.dll Object is locked skipped
C:\WINDOWS\$NtUninstallKB828741_RTM$\catsrvut.dll Object is locked skipped
C:\WINDOWS\$NtUninstallKB828741_RTM$\clbcatex.dll Object is locked skipped
C:\WINDOWS\$NtUninstallKB828741_RTM$\clbcatq.dll Object is locked skipped
C:\WINDOWS\$NtUninstallKB828741_RTM$\colbact.dll Object is locked skipped
C:\WINDOWS\$NtUninstallKB828741_RTM$\comadmin.dll Object is locked skipped
C:\WINDOWS\$NtUninstallKB828741_RTM$\comrepl.exe Object is locked skipped
C:\WINDOWS\$NtUninstallKB828741_RTM$\comsvcs.dll Object is locked skipped
C:\WINDOWS\$NtUninstallKB828741_RTM$\comuid.dll Object is locked skipped
C:\WINDOWS\$NtUninstallKB828741_RTM$\es.dll Object is locked skipped
C:\WINDOWS\$NtUninstallKB828741_RTM$\migregdb.exe Object is locked skipped
C:\WINDOWS\$NtUninstallKB828741_RTM$\msdtcprx.dll Object is locked skipped
C:\WINDOWS\$NtUninstallKB828741_RTM$\msdtctm.dll Object is locked skipped
C:\WINDOWS\$NtUninstallKB828741_RTM$\msdtcuiu.dll Object is locked skipped
C:\WINDOWS\$NtUninstallKB828741_RTM$\mtxclu.dll Object is locked skipped
C:\WINDOWS\$NtUninstallKB828741_RTM$\mtxoci.dll Object is locked skipped
C:\WINDOWS\$NtUninstallKB828741_RTM$\ole32.dll Object is locked skipped
C:\WINDOWS\$NtUninstallKB828741_RTM$\rpcrt4.dll Object is locked skipped
C:\WINDOWS\$NtUninstallKB828741_RTM$\rpcss.dll Object is locked skipped
C:\WINDOWS\$NtUninstallKB828741_RTM$\txflog.dll Object is locked skipped
C:\WINDOWS\$NtUninstallKB835732$\callcont.dll Object is locked skipped
C:\WINDOWS\$NtUninstallKB835732$\evtgprov.dll Object is locked skipped
C:\WINDOWS\$NtUninstallKB835732$\gdi32.dll Object is locked skipped
C:\WINDOWS\$NtUninstallKB835732$\h323.tsp Object is locked skipped
C:\WINDOWS\$NtUninstallKB835732$\h323msp.dll Object is locked skipped
C:\WINDOWS\$NtUninstallKB835732$\helpctr.exe Object is locked skipped
C:\WINDOWS\$NtUninstallKB835732$\ipnathlp.dll Object is locked skipped
C:\WINDOWS\$NtUninstallKB835732$\kb835732.cat Object is locked skipped
C:\WINDOWS\$NtUninstallKB835732$\lsasrv.dll Object is locked skipped
C:\WINDOWS\$NtUninstallKB835732$\mf3216.dll Object is locked skipped
C:\WINDOWS\$NtUninstallKB835732$\msasn1.dll Object is locked skipped
C:\WINDOWS\$NtUninstallKB835732$\msgina.dll Object is locked skipped
C:\WINDOWS\$NtUninstallKB835732$\mst120.dll Object is locked skipped
C:\WINDOWS\$NtUninstallKB835732$\netapi32.dll Object is locked skipped
C:\WINDOWS\$NtUninstallKB835732$\nmcom.dll Object is locked skipped
C:\WINDOWS\$NtUninstallKB835732$\rtcdll.dll Object is locked skipped
C:\WINDOWS\$NtUninstallKB835732$\schannel.dll Object is locked skipped
C:\WINDOWS\$NtUninstallKB835732_RTM$\browser.dll Object is locked skipped
C:\WINDOWS\$NtUninstallKB835732_RTM$\callcont.dll Object is locked skipped
C:\WINDOWS\$NtUninstallKB835732_RTM$\gdi32.dll Object is locked skipped
C:\WINDOWS\$NtUninstallKB835732_RTM$\h323.tsp Object is locked skipped
C:\WINDOWS\$NtUninstallKB835732_RTM$\h323msp.dll Object is locked skipped
C:\WINDOWS\$NtUninstallKB835732_RTM$\helpctr.exe Object is locked skipped
C:\WINDOWS\$NtUninstallKB835732_RTM$\ipnathlp.dll Object is locked skipped
C:\WINDOWS\$NtUninstallKB835732_RTM$\lsasrv.dll Object is locked skipped
C:\WINDOWS\$NtUninstallKB835732_RTM$\mf3216.dll Object is locked skipped
C:\WINDOWS\$NtUninstallKB835732_RTM$\msasn1.dll Object is locked skipped
C:\WINDOWS\$NtUninstallKB835732_RTM$\msgina.dll Object is locked skipped
C:\WINDOWS\$NtUninstallKB835732_RTM$\mst120.dll Object is locked skipped
C:\WINDOWS\$NtUninstallKB835732_RTM$\netapi32.dll Object is locked skipped
C:\WINDOWS\$NtUninstallKB835732_RTM$\nmcom.dll Object is locked skipped
C:\WINDOWS\$NtUninstallKB835732_RTM$\rtcdll.dll Object is locked skipped
C:\WINDOWS\$NtUninstallKB835732_RTM$\schannel.dll Object is locked skipped
C:\WINDOWS\$NtUninstallQ329048$\reg00001 Object is locked skipped
C:\WINDOWS\$NtUninstallQ329390$\reg00001 Object is locked skipped
C:\WINDOWS\$NtUninstallQ329834$\reg00001 Object is locked skipped
C:\WINDOWS\Debug\PASSWD.LOG Object is locked skipped
C:\WINDOWS\SchedLgU.Txt Object is locked skipped
C:\WINDOWS\Sti_Trace.log Object is locked skipped
C:\WINDOWS\system32\CatRoot2\edb.log Object is locked skipped
C:\WINDOWS\system32\CatRoot2\tmp.edb Object is locked skipped
C:\WINDOWS\system32\config\AppEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\default Object is locked skipped
C:\WINDOWS\system32\config\default.LOG Object is locked skipped
C:\WINDOWS\system32\config\Internet.evt Object is locked skipped
C:\WINDOWS\system32\config\ODiag.evt Object is locked skipped
C:\WINDOWS\system32\config\OSession.evt Object is locked skipped
C:\WINDOWS\system32\config\SAM Object is locked skipped
C:\WINDOWS\system32\config\SAM.LOG Object is locked skipped
C:\WINDOWS\system32\config\SecEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\SECURITY Object is locked skipped
C:\WINDOWS\system32\config\SECURITY.LOG Object is locked skipped
C:\WINDOWS\system32\config\software Object is locked skipped
C:\WINDOWS\system32\config\software.LOG Object is locked skipped
C:\WINDOWS\system32\config\SysEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\system Object is locked skipped
C:\WINDOWS\system32\config\system.LOG Object is locked skipped
C:\WINDOWS\system32\h323log.txt Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\INDEX.BTR Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\INDEX.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING.VER Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING1.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING2.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.DATA Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.MAP Object is locked skipped
C:\WINDOWS\wiadebug.log Object is locked skipped
C:\WINDOWS\wiaservc.log Object is locked skipped
E:\System Volume Information\_restore{16AE3587-496B-453B-B798-C1A607D8D4A7}\RP205\change.log Object is locked skipped
F:\System Volume Information\MountPointManagerRemoteDatabase Object is locked skipped
F:\System Volume Information\_restore{16AE3587-496B-453B-B798-C1A607D8D4A7}\RP205\change.log Object is locked skipped
Y:\backup\mythconverg.sql.gz.5 Object is locked skipped
Y:\backup\savedfiles.tar.gz.5 Object is locked skipped
Y:\backup\savedfiles.tar.gz.6 Object is locked skipped
Y:\backup\mythconverg.sql.gz.4 Object is locked skipped
Y:\backup\mythconverg.sql.gz.6 Object is locked skipped
Y:\backup\savedfiles.tar.gz.4 Object is locked skipped
Y:\backup\savedfiles.tar.gz.7 Object is locked skipped
Y:\backup\mythconverg.sql.gz.3 Object is locked skipped
Y:\backup\mythconverg.sql.gz.7 Object is locked skipped
Y:\backup\savedfiles.tar.gz.3 Object is locked skipped
Y:\backup\savedfiles.tar.gz.8 Object is locked skipped
Y:\backup\mythconverg.sql.gz.2 Object is locked skipped
Y:\backup\mythconverg.sql.gz.8 Object is locked skipped
Y:\backup\savedfiles.tar.gz.2 Object is locked skipped
Y:\backup\savedfiles.tar.gz.9 Object is locked skipped
Y:\backup\mythconverg.sql.gz.1 Object is locked skipped
Y:\backup\savedfiles.tar.gz.1 Object is locked skipped
Y:\backup\mythconverg.sql.gz Object is locked skipped
Y:\backup\mythconverg.sql.gz.9 Object is locked skipped
Y:\backup\savedfiles.tar.gz Object is locked skipped
Scan process completed.
More in next post.
leifhassell
2008-01-12, 01:06
DSS Log:
Deckard's System Scanner v20071014.68
Run by Leif Hassell on 2008-01-11 16:59:38
Computer is in Normal Mode.
--------------------------------------------------------------------------------
-- HijackThis (run as Leif Hassell.exe) ----------------------------------------
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 4:59:43 PM, on 1/11/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16574)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Symantec AntiVirus\DefWatch.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Symantec AntiVirus\Rtvscan.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\PROGRA~1\SYMANT~1\VPTray.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb07.exe
C:\Program Files\Visioneer OneTouch\OneTouchMon.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe
C:\Program Files\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe
C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe
C:\Program Files\DynDNS Updater\DynDNS.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
J:\spm.exe
J:\AV Tools\dss.exe
C:\PROGRA~1\TRENDM~1\HIJACK~1\LEIFHA~1.EXE
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: Winamp Toolbar BHO - {25CEE8EC-5730-41bc-8B58-22DDC8AB8C20} - C:\Program Files\Winamp Toolbar\winamptb.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Groove GFS Browser Helper - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\PROGRA~1\MICROS~2\Office12\GRA8E1~1.DLL
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O2 - BHO: Adobe PDF Conversion Toolbar Helper - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: Winamp Toolbar - {EBF2BA02-9094-4c5a-858B-BB198F3D8DE2} - C:\Program Files\Winamp Toolbar\winamptb.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\VPTray.exe
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb07.exe
O4 - HKLM\..\Run: [OneTouch Monitor] C:\Program Files\Visioneer OneTouch\OneTouchMon.exe
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"
O4 - HKLM\..\Run: [Acrobat Assistant 8.0] "C:\Program Files\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe"
O4 - HKLM\..\Run: [GrooveMonitor] "C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe"
O4 - HKCU\..\Run: [DynDNS Updater] "C:\Program Files\DynDNS Updater\DynDNS.exe"
O4 - HKCU\..\Run: [PPWebCap] C:\PROGRA~1\ScanSoft\PAPERP~1\PPWebCap.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [PMCRemote] C:\Program Files\Pinnacle\Shared Files\Programs\Remote\Remoterm.exe
O4 - HKCU\..\Run: [PMCLoader] C:\Program Files\Pinnacle\TVCenter Pro\PMCLoader.exe -checktasks
O8 - Extra context menu item: &Winamp Toolbar Search - C:\Documents and Settings\All Users\Application Data\Winamp Toolbar\ieToolbar\resources\en-US\local\search.html
O8 - Extra context menu item: Append to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert link target to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert link target to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert selected links to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
O8 - Extra context menu item: Convert selected links to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
O8 - Extra context menu item: Convert selection to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert selection to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/english/kavwebscan_unicode.cab
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/SharedContent/vc/bin/AvSniff.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1187354856624
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1187355034171
O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\PROGRA~1\MICROS~2\Office12\GR99D3~1.DLL
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - C:\Program Files\Symantec AntiVirus\DefWatch.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: DiRT Drivers Auto Removal (pr2ah4nc) (pr2ah4nc) - CODEMASTERS - C:\WINDOWS\system32\pr2ah4nc.exe
O23 - Service: SAVRoam (SavRoam) - symantec - C:\Program Files\Symantec AntiVirus\SavRoam.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec AntiVirus\Rtvscan.exe
--
End of file - 9764 bytes
-- Files created between 2007-12-11 and 2008-01-11 -----------------------------
2008-01-09 16:16:46 0 d-------- C:\Program Files\Microsoft Works
2008-01-09 16:05:26 0 d-------- C:\Program Files\Microsoft Visual Studio 8
2008-01-09 16:03:04 0 d-------- C:\Documents and Settings\All Users\Application Data\Microsoft Help
2008-01-09 15:59:46 0 dr-h----- C:\MSOCache
2008-01-03 12:11:29 0 d-------- C:\Program Files\Trend Micro
2008-01-03 12:08:36 0 d-------- C:\Documents and Settings\All Users\Application Data\Kaspersky Lab
2008-01-03 12:08:34 0 d-------- C:\WINDOWS\system32\Kaspersky Lab
2008-01-03 11:14:17 0 d--h----- C:\WINDOWS\PIF
2008-01-02 15:53:14 0 d-------- C:\Program Files\DemoForge
2008-01-01 18:36:00 0 d-------- C:\Documents and Settings\Leif Hassell\Application Data\Thunderbird
2008-01-01 18:35:41 0 d-------- C:\Program Files\Mozilla Thunderbird
2007-12-31 20:33:46 724992 --a------ C:\WINDOWS\iun6002.exe <Not Verified; Indigo Rose Corporation; Setup Factory 6.0 Runtime Module>
2007-12-31 20:32:08 0 d-------- C:\WINDOWS\system32\URTTEMP
2007-12-31 16:59:58 4 --a------ C:\WINDOWS\system32\0229AC
2007-12-31 16:59:35 8413 --a------ C:\WINDOWS\system32\drivers\mcstrm.sys <Not Verified; RealNetworks, Inc.; RealNetworks Virtual Path Manager® (32-bit)>
2007-12-31 16:59:35 0 d-------- C:\Program Files\Common Files\Real
2007-12-31 16:59:11 0 d-------- C:\Program Files\Real
2007-12-31 16:57:51 0 d-------- C:\Program Files\Comcast Rhapsody
2007-12-31 16:57:37 0 d-------- C:\Documents and Settings\Leif Hassell\Application Data\Real
2007-12-30 12:00:59 0 d-------- C:\Documents and Settings\Leif Hassell\browser - logitech
2007-12-30 12:00:33 0 d-------- C:\Documents and Settings\Leif Hassell\logitech
2007-12-30 11:58:25 0 d-------- C:\Program Files\Common Files\Remote Control Software Common
2007-12-30 11:57:47 0 d------c- C:\WINDOWS\system32\DRVSTORE
2007-12-30 11:57:45 0 d-------- C:\Program Files\Common Files\Remote Control USB Driver
2007-12-30 11:56:57 0 d-------- C:\Documents and Settings\Leif Hassell\Application Data\InstallShield
2007-12-29 12:14:32 0 d-------- C:\Program Files\Xpadder
2007-12-29 11:12:34 0 d-------- C:\Program Files\Common Files\Logitech
2007-12-29 11:12:13 0 d-------- C:\Program Files\Logitech
2007-12-28 16:27:16 0 d-------- C:\Documents and Settings\Leif Hassell\Application Data\I-O DATA DEVICE,INC
2007-12-28 16:23:13 44544 --a------ C:\WINDOWS\system32\msxml4a.dll <Not Verified; Microsoft Corporation; Microsoft(R) MSXML 4.0 SP1>
2007-12-28 16:23:13 0 d-------- C:\Program Files\I-O DATA DEVICE,INC
2007-12-27 18:50:20 0 d-------- C:\Program Files\devnz
2007-12-23 11:36:39 0 d-------- C:\Program Files\wizdxp
2007-12-16 16:05:54 0 d-------- C:\Program Files\Flagship Studios
-- Find3M Report ---------------------------------------------------------------
2008-01-11 16:57:00 0 d-------- C:\Program Files\Symantec AntiVirus
2008-01-11 16:56:42 0 d-------- C:\Program Files\DynDNS Updater
2008-01-10 17:42:32 0 d-------- C:\Documents and Settings\Leif Hassell\Application Data\OpenOffice.org2
2008-01-09 16:16:06 0 d-------- C:\Program Files\MSBuild
2008-01-09 16:14:19 0 d-------- C:\Program Files\Common Files
2008-01-09 16:11:35 0 d-------- C:\Program Files\Microsoft.NET
2008-01-08 20:22:14 0 d-------- C:\Program Files\Mozilla Sunbird
2008-01-08 20:16:17 0 d-------- C:\Program Files\Common Files\Symantec Shared
2008-01-08 20:05:05 0 d-------- C:\Program Files\Symantec
2008-01-08 18:03:22 0 d-------- C:\Program Files\OpenOffice.org 2.3
2008-01-03 13:33:12 0 d-------- C:\Program Files\Mgtweak
2008-01-01 19:14:25 0 d-------- C:\Documents and Settings\Leif Hassell\Application Data\Ahead
2007-12-31 20:40:28 0 d-------- C:\Program Files\Winamp
2007-12-30 11:58:09 0 d--h----- C:\Program Files\InstallShield Installation Information
2007-12-08 10:58:17 0 d-------- C:\Program Files\Codemasters
2007-11-29 20:39:05 0 d-------- C:\Documents and Settings\Leif Hassell\Application Data\Magic Set Editor
2007-11-29 20:33:01 0 d-------- C:\Program Files\Magic Set Editor 2
2007-11-28 16:40:47 0 d-------- C:\Documents and Settings\Leif Hassell\Application Data\Adobe
2007-11-20 20:31:16 0 d-------- C:\Documents and Settings\Leif Hassell\Application Data\U3
2007-11-16 16:09:56 0 d-------- C:\Program Files\AutoIt3
2007-11-15 16:49:03 0 d-------- C:\Program Files\MusicBrainz Picard
2007-11-14 16:38:31 0 d-------- C:\Program Files\Common Files\Control Panels
2007-11-14 16:37:52 0 d-------- C:\Program Files\Common Files\Adobe
2007-11-14 15:17:19 0 d-------- C:\Program Files\Bonjour
2007-11-14 15:03:16 0 d-------- C:\Program Files\Common Files\Macrovision Shared
2007-11-11 19:48:06 0 d-------- C:\Program Files\Atari
2007-11-09 16:26:59 2041 --a------ C:\WINDOWS\mozver.dat
-- Registry Dump ---------------------------------------------------------------
*Note* empty entries & legit default entries are not shown
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{25CEE8EC-5730-41bc-8B58-22DDC8AB8C20}]
10/04/2007 02:06 PM 1135968 --a------ C:\Program Files\Winamp Toolbar\winamptb.dll
[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser]
"{EBF2BA02-9094-4C5A-858B-BB198F3D8DE2}"= C:\Program Files\Winamp Toolbar\winamptb.dll [10/04/2007 02:06 PM 1135968]
[-HKEY_CLASSES_ROOT\CLSID\{EBF2BA02-9094-4C5A-858B-BB198F3D8DE2}]
[HKEY_CLASSES_ROOT\WINAMPTB.AOLToolBand.1]
[HKEY_CLASSES_ROOT\TypeLib\{538CD77C-BFDD-49b0-9562-77419CAB89D1}]
[HKEY_CLASSES_ROOT\WINAMPTB.AOLToolBand]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ccApp"="C:\Program Files\Common Files\Symantec Shared\ccApp.exe" [04/08/2005 03:52 PM]
"vptray"="C:\PROGRA~1\SYMANT~1\VPTray.exe" [04/17/2005 12:30 PM]
"SoundMan"="SOUNDMAN.EXE" [11/16/2006 03:42 PM C:\WINDOWS\SOUNDMAN.EXE]
"NvCplDaemon"="C:\WINDOWS\system32\NvCpl.dll" [06/28/2007 11:43 PM]
"HPDJ Taskbar Utility"="C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb07.exe" [05/14/2003 01:01 AM]
"OneTouch Monitor"="C:\Program Files\Visioneer OneTouch\OneTouchMon.exe" [09/10/2001 07:08 AM]
"NvMediaCenter"="C:\WINDOWS\system32\NvMcTray.dll" [06/28/2007 11:43 PM]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [06/29/2007 05:24 AM]
"NeroFilterCheck"="C:\WINDOWS\system32\NeroCheck.exe" [07/09/2001 09:50 AM]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe" [09/25/2007 12:11 AM]
"Acrobat Assistant 8.0"="C:\Program Files\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe" [05/10/2007 10:46 PM]
"@"="" []
"GrooveMonitor"="C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe" [10/27/2006 12:47 AM]
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"DynDNS Updater"="C:\Program Files\DynDNS Updater\DynDNS.exe" [09/17/2006 09:32 AM]
"PPWebCap"="C:\PROGRA~1\ScanSoft\PAPERP~1\PPWebCap.exe" []
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [08/04/2004 01:56 AM]
"PMCRemote"="C:\Program Files\Pinnacle\Shared Files\Programs\Remote\Remoterm.exe" [09/18/2007 01:00 PM]
"PMCLoader"="C:\Program Files\Pinnacle\TVCenter Pro\PMCLoader.exe" [10/10/2007 11:02 AM]
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"EnableLUA"=0 (0x0)
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"NoActiveDesktop"=01000000
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{0b2ce72c-7e8f-11dc-99e1-0019dbacad3f}]
AutoRun\command- G:\autolauncher4u3.exe -a
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{3b51f2db-8af1-11dc-99f3-0019dbacad3f}]
AutoRun\command- H:\.\spm.exe
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{e328ae98-4eba-11dc-99c9-0019dbacad3f}]
AutoRun\command- G:\autolauncher4u3.exe -a
-- End of Deckard's System Scanner: finished at 2008-01-11 17:00:05 ------------
System operates well, but I still have one unknown hook in my SSDT. It reports as "Unknown" in the file listing; I have yet to figure out what it is.
Thanks.
Rorschach112
2008-01-12, 01:24
Your logs are clean ! We need to do a few things
Some clean up :
Please double-click OTMoveIt.exe to run it.
Click the Clean up button
Click YES at the next prompt (list downloaded, Do you want to begin cleanup process?)
Click Yes to the reboot
Now we need to create a new System Restore point.
Click Start Menu > Run > type (or copy and paste)
%SystemRoot%\System32\restore\rstrui.exe
Press OK. Choose Create a Restore Point then click Next. Name it and click Create, when the confirmation screen shows the restore point has been created click Close.
Next goto Start Menu > Run > type
cleanmgr
Click OK, Disk Cleanup will open and start calculating the amount of space that can be freed, Once thats finished it will open the Disk Cleanup options screen, click the More Options tab then click Clean up on the system restore area and choose Yes at the confirmation window which will remove all the restore points except the one we just created.
To close Disk Cleanup and remove the Temporary Internet Files detected in the initial scan click OK then choose Yes on the confirmation window.
Below I have included a number of recommendations for how to protect your computer against malware infections.
* Keep Windows updated by regularly checking their website at :
http://windowsupdate.microsoft.com/
This will ensure your computer has always the latest security updates available installed on your computer.
* To reduce re-infection for malware in the future, I strongly recommend installing these free programs:
SpywareBlaster (http://www.javacoolsoftware.com/sbdownload.html) protects against bad ActiveX
IE-SPYAD (http://www.spywarewarrior.com/uiuc/res/ie-spyad.exe) puts over 5000 sites in your restricted zone so you'll be protected when you visit innocent-looking sites that aren't actually innocent at all
Have a look at this tutorial for IE-Spyad here (http://www.bleepingcomputer.com/tutorials/tutorial53.html)
* SpywareGuard (http://www.javacoolsoftware.com/sgdownload.html) offers realtime protection from spyware installation attempts.
Make Internet Explorer more secure
Click Start > Run
Type Inetcpl.cpl & click OK
Click on the Security tab
Click Reset all zones to default level
Make sure the Internet Zone is selected & Click Custom level
In the ActiveX section, set the first two options ("Download signed and unsigned ActiveX controls) to "Prompt", and ("Initialize and Script ActiveX controls not marked as safe") to "Disable".
Next Click OK, then Apply button and then OK to exit the Internet Properties page.
* MVPS Hosts file (http://mvps.org/winhelp2002/hosts.htm) replaces your current HOSTS file with one containing well known ad sites and other bad sites. Basically, this prevents your computer from connecting to those sites by redirecting them to 127.0.0.1 which is your local computer, meaning it will be difficult to infect yourself in the future.
* Please consider using an alternate browser. Mozilla's Firefox browser is fantastic; it is much more
secure than Internet Explorer, immune to almost all known browser hijackers, and also has the best built-in pop up
blocker (as an added benefit!) that I have ever seen. If you are interested, Firefox may be downloaded from
Here (http://www.mozilla.org/products/firefox/)
* Take a good look at the following suggestions for malware prevention by reading Tony Klein’s article 'How Did I Get Infected In The First Place'
Here (http://forums.spywareinfo.com/index.php?showtopic=60955)
Thank you for your patience, and performing all of the procedures requested.