Email and all Uploading of Media and more than 20 lines of text blocked



chelley
2008-04-19, 05:53
Hi, I am starting this new thread as advised by Tashi on http://forums.spybot.info/showthread.php?t=288

I am unable to post more than about 20 lines at a time, even here; something is blocking my Internet uploads when trying to upload video, pictures (jpg's) or even text messages, so please excuse me when I have to split my posts here into multiples.

Michelle

chelley
2008-04-19, 06:01
I have the latest version of Spybot S&D; it has not found the problem, so I have downloaded HJT and am waiting for Kaspersky Online Scanner to complete. It has already found 30 entries of something but is currently only at 2% complete, so when it completes I will post the main results here; my PC has multiple partitions so it may take a long time. I will wait for further instructions before running HJT.

Michelle

chelley
2008-04-19, 07:38
If anyone can help me in real time, I am on IRC server REMOVED

Like I said, I can't send email, only receive it, and I don't think my Yahoo or ICQ chat programs are working; they seemed to stall out, so IRC is my only live real-time chat available.

Michelle

tashi
2008-04-19, 08:44
Hello,

Please follow the instructions I posted here: http://forums.spybot.info/showthread.php?p=183702#post183702



Please do not post private information for your own safety.

For someone to take a look at the system, please read the information in this link to produce a HiJackThis log.
"BEFORE you POST" (READ this Procedure BEFORE Requesting Assistance) (http://forums.spybot.info/showthread.php?t=288)

Skip the rest of the procedure and start your own thread in the Malware Removal Forum (http://forums.spybot.info/forumdisplay.php?f=22) (copy pasting the log into your topic) and a helper will advise you as soon as available.


Start a new topic, post only the HJT log, include a link to this thread and wait on posting the results of the Kaspersky scan until it is requested.

I will wait further instructions before running HJT.

All help is offered in the forums, please do not post details of various accounts such as YouTube and IRC. :eek:

Best regards.

tashi
2008-04-19, 09:08
Added from http://forums.spybot.info/showthread.php?p=183702#post183702


I need to mention I have a total of 4 PCs on my Local Area Network:
2 PCs = Windows 2000, 1 = Windows XP SP2, 1 = Debian, but this is a server for the FlightGear project accessed remotely from Auz by a friend. I have no understanding of Debian myself. Any special precautions I should know?

Usually only the win2k (Serve2) / XP (Venus6) / Debian (?) machines are active in the front room. (Denotes Machine ID)

You should be aware that our volunteer helpers may not be able to address this situation, this forum being set up to assist with single PCs, not servers.

Best regards.

chelley
2008-04-19, 12:15
OK, so I am doing all machines at the same time, running scans and checking all PCs at the same time; I think this is the safest way, maybe?

It seems this PC has most infections so far:

Total number of scanned objects: 55329
Number of viruses found: 13
Number of infected objects: 71
Number of suspicious objects: 2
Duration of the scan process: 06:32:14

The other PCs seem to have far fewer, so this is the main one! If this one can be cured then all the others should be easy to cure, as they may have the same infections as this PC but fewer of them.

Michelle

chelley
2008-04-19, 15:23
Because some logs are too big (other PCs) and the problems with email and uploading media are with all PCs, I have chosen the smallest log files for the moment (these logs are from the PC named Venus, which avoids confusion I hope), so I can get to the bottom of the main problem. Once this is solved I hope to be able to post the larger log files from the other PCs on my network.

I will have to post these smaller log files in parts also ...

Michelle

Part 1 - This is crazy, I can hardly post anything; IRC would be so much easier!!! :sick: Fingers crossed?

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 13:38:47, on 19/04/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16640)
Boot mode: Normal

chelley
2008-04-19, 15:24
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
C:\Program Files\Sunbelt Software\Personal Firewall 4\kpf4ss.exe
C:\Program Files\Norton SystemWorks\Norton AntiVirus\navapsvc.exe
C:\Program Files\Eset\nod32krn.exe

chelley
2008-04-19, 15:27
C:\Program Files\Norton SystemWorks\Norton AntiVirus\IWP\NPFMntor.exe
C:\PROGRA~1\NORTON~1\NORTON~1\NPROTECT.EXE
C:\Program Files\Sunbelt Software\Personal Firewall 4\kpf4gui.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\PROGRA~1\NORTON~1\NORTON~1\SPEEDD~1\NOPDB.EXE
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\Program Files\Sunbelt Software\Personal Firewall 4\kpf4gui.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\SOUNDMAN.EXE
C:\Program Files\RivaTuner v2.02\Tools\RivaTunerStatisticsServer\RivaTunerStatisticsServer.exe
C:\Program Files\RivaTuner v2.02\RivaTuner.exe
C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe
C:\WINDOWS\system32\RunDLL32.exe
C:\Program Files\GigaByte\VGA Utility Manager\G-VGA.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Windows Defender\MSASCui.exe
F:\Program Files\ENTA2\EntaTool.exe

chelley
2008-04-19, 15:30
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe
C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe
C:\Program Files\Common Files\Ahead\Lib\NMIndexStoreSvr.exe
C:\FRAPS\FRAPS.EXE
C:\PROGRA~1\Lavasoft\AD-AWA~1\Ad-Watch.exe
C:\Documents and Settings\Julie OSG\Local Settings\Application Data\Google\Update\1.1.25.0\GoogleUpdate.exe
C:\Program Files\KWorld Multimedia\TV Tuner Card Utilities\HMCP3XCtl.exe
C:\Program Files\Wheels\WheelKeys.exe
C:\Documents and Settings\Julie OSG\Local Settings\Application Data\YouTube\Uploader\youtubeuploader.exe
C:\WINDOWS\system32\taskmgr.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

chelley
2008-04-19, 15:34
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.nasa.gov/multimedia/nasatv/index.html
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll

chelley
2008-04-19, 15:38
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton SystemWorks\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton SystemWorks\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [nod32kui] "C:\Program Files\Eset\nod32kui.exe" /WAITSERVICE
O4 - HKLM\..\Run: [NeroFilterCheck] C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe
O4 - HKLM\..\Run: [RivaTunerStatisticsServer] "C:\Program Files\RivaTuner v2.02\Tools\RivaTunerStatisticsServer\RivaTunerStatisticsServer.exe" /s
O4 - HKLM\..\Run: [RivaTuner] "C:\Program Files\RivaTuner v2.02\RivaTuner.exe" /T
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"

chelley
2008-04-19, 15:40
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RunDLL32.exe NvMCTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [ISUSPM Startup] "C:\Program Files\Common Files\InstallShield\UpdateService\isuspm.exe" -startup
O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [VGAUtil] C:\Program Files\GigaByte\VGA Utility Manager\G-VGA.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide

chelley
2008-04-19, 15:41
O4 - HKLM\..\Run: [Dimension4] F:\Program Files\D4\D4.exe
O4 - HKLM\..\Run: [EntaTool] "F:\Program Files\ENTA2\EntaTool.exe" /hide
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe"
O4 - HKCU\..\Run: [Fraps] C:\FRAPS\FRAPS.EXE
O4 - HKCU\..\Run: [AWMON] "C:\PROGRA~1\Lavasoft\AD-AWA~1\Ad-Watch.exe"
O4 - HKCU\..\Run: [Norton SystemWorks] "C:\Program Files\Norton SystemWorks\cfgwiz.exe" /GUID {05858CFD-5CC4-4ceb-AAAF-CF00BF39736A} /MODE CfgWiz
O4 - HKCU\..\Run: [Google Update] "C:\Documents and Settings\Julie OSG\Local Settings\Application Data\Google\Update\1.1.25.0\GoogleUpdate.exe" /lang en
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'LOCAL SERVICE')

chelley
2008-04-19, 15:42
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'Default user')
O4 - Startup: Remote Control.lnk = C:\Program Files\KWorld Multimedia\TV Tuner Card Utilities\HMCP3XCtl.exe
O4 - Startup: Shortcut to WheelKeys.lnk = C:\Program Files\Wheels\WheelKeys.exe
O4 - Startup: YouTube Uploader.lnk = C:\Documents and Settings\Julie OSG\Local Settings\Application Data\YouTube\Uploader\youtubeuploader.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll

chelley
2008-04-19, 15:45
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} (PCPitstop Utility) - http://www.pcpitstop.com/pcpitstop/PCPitStop.CAB

chelley
2008-04-19, 15:48
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/english/kavwebscan_unicode.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1187835168890
O16 - DPF: {67DABFBF-D0AB-41FA-9C46-CC0F21721616} (DivXBrowserPlugin Object) - http://download.divx.com/player/DivXBrowserPlugin.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1187835138281
O16 - DPF: {EF791A6B-FC12-4C68-99EF-FB9E207A39E6} (McFreeScan Class) - http://download.mcafee.com/molbin/iss-loc/mcfscan/2,2,0,5105/mcfscan.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{3840A771-FA93-4272-B583-FE3C5376C67D}: NameServer = 192.168.1.1,192.168.1.14

chelley
2008-04-19, 15:50
O17 - HKLM\System\CS1\Services\Tcpip\..\{3840A771-FA93-4272-B583-FE3C5376C67D}: NameServer = 192.168.1.1,192.168.1.14
O17 - HKLM\System\CS3\Services\Tcpip\..\{3840A771-FA93-4272-B583-FE3C5376C67D}: NameServer = 192.168.1.1,192.168.1.14
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Sunbelt Kerio Personal Firewall 4 (KPF4) - Sunbelt Software - C:\Program Files\Sunbelt Software\Personal Firewall 4\kpf4ss.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE

chelley
2008-04-19, 15:52
O23 - Service: Norton AntiVirus Auto-Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton SystemWorks\Norton AntiVirus\navapsvc.exe
O23 - Service: NBService - Nero AG - C:\Program Files\Nero\Nero 7\Nero BackItUp\NBService.exe
O23 - Service: NMIndexingService - Nero AG - C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe
O23 - Service: NOD32 Kernel Service (NOD32krn) - Eset - C:\Program Files\Eset\nod32krn.exe
O23 - Service: Norton AntiVirus Firewall Monitor Service (NPFMntor) - Symantec Corporation - C:\Program Files\Norton SystemWorks\Norton AntiVirus\IWP\NPFMntor.exe
O23 - Service: Norton Unerase Protection (NProtectService) - Symantec Corporation - C:\PROGRA~1\NORTON~1\NORTON~1\NPROTECT.EXE
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton SystemWorks\Norton AntiVirus\SAVScan.exe

chelley
2008-04-19, 15:55
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Speed Disk service - Symantec Corporation - C:\PROGRA~1\NORTON~1\NORTON~1\SPEEDD~1\NOPDB.EXE
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: TuneUp WinStyler Theme Service (TUWinStylerThemeSvc) - TuneUp Software GmbH - C:\Program Files\TuneUp Utilities 2006\WinStylerThemeSvc.exe

--
End of file - 11445 bytes
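The HijackThis log above arrives in fragments, which makes it awkward to review by hand. As an added example that is not part of this thread or of HijackThis, the following Python script parses the O4, O17 and O23 lines into structured records (fragments are simply concatenated in order first) and attaches triage flags for a human reviewer: executables that run from a user-profile directory, bare filenames resolved via the search order, and name servers outside RFC 1918; the sample lines are copied from the log above and the flags are heuristics, not verdicts.

```python
"""Parse HijackThis 2.x log lines into records and apply triage heuristics.
Added example for this thread; not code from HijackThis or the forum."""
import ipaddress
import re
from dataclasses import dataclass, field

# Constructed sample: six lines copied from the log posted above. A log that
# arrives split over several posts is handled by concatenating the posts'
# text in order before calling parse_hjt().
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [nod32kui] "C:\Program Files\Eset\nod32kui.exe" /WAITSERVICE
O4 - HKCU\..\Run: [Google Update] "C:\Documents and Settings\Julie OSG\Local Settings\Application Data\Google\Update\1.1.25.0\GoogleUpdate.exe" /lang en
O4 - Startup: YouTube Uploader.lnk = C:\Documents and Settings\Julie OSG\Local Settings\Application Data\YouTube\Uploader\youtubeuploader.exe
O23 - Service: NOD32 Kernel Service (NOD32krn) - Eset - C:\Program Files\Eset\nod32krn.exe
O17 - HKLM\System\CCS\Services\Tcpip\..\{3840A771-FA93-4272-B583-FE3C5376C67D}: NameServer = 192.168.1.1,192.168.1.14
"""


@dataclass
class Entry:
    kind: str                # HJT section: O4, O17, O23
    name: str                # run-key value name, service name, or TCP/IP key
    target: str              # executable path, or comma-separated name servers
    flags: list = field(default_factory=list)


RUN_RE = re.compile(r"^O4 - (?P<loc>HK\S*\\Run): \[(?P<name>[^\]]*)\] (?P<cmd>.*)$")
STARTUP_RE = re.compile(r"^O4 - Startup: (?P<name>.+?) = (?P<cmd>.*)$")
NS_RE = re.compile(r"^O17 - (?P<key>.+?): NameServer = (?P<servers>.+)$")
# Either a double-quoted path, or everything up to the first ".exe" (HJT
# leaves unquoted paths containing spaces exactly as the registry holds them).
EXE_RE = re.compile(r'^"([^"]+)"|^(.*?\.exe)', re.IGNORECASE)


def executable_of(cmd: str) -> str:
    """Return the program path from a Run-key command line, dropping arguments."""
    m = EXE_RE.match(cmd.strip())
    if m:
        return m.group(1) or m.group(2)
    return cmd.strip().split(" ")[0]


def triage(e: Entry) -> None:
    """Attach heuristic flags: prompts for a human reviewer, not verdicts."""
    if e.kind == "O17":
        for s in e.target.split(","):
            try:
                if not ipaddress.ip_address(s.strip()).is_private:
                    e.flags.append(f"name server {s.strip()} outside RFC 1918: confirm it is the ISP's")
            except ValueError:
                e.flags.append(f"unparseable name server {s.strip()!r}")
        return
    low = e.target.lower()
    if "\\" not in low:
        e.flags.append("bare filename, resolved via the search order: locate the real file")
    if "\\local settings\\" in low or "\\application data\\" in low or "\\temp\\" in low:
        e.flags.append("runs from a user-profile directory: verify the publisher")


def parse_hjt(text: str) -> list:
    """Parse O4 (Run keys and Startup folder), O17 and O23 lines; skip the rest."""
    entries = []
    for line in text.splitlines():
        line = line.strip()
        if m := RUN_RE.match(line):
            e = Entry("O4", m["name"], executable_of(m["cmd"]))
        elif m := STARTUP_RE.match(line):
            e = Entry("O4", m["name"], executable_of(m["cmd"]))
        elif line.startswith("O23 - Service: "):
            # "O23 - Service: <name> - <vendor> - <path>"; split from the right
            # so a " - " inside the service name does not confuse the parser.
            parts = line.rsplit(" - ", 2)
            if len(parts) != 3:
                continue
            head, vendor, path = parts
            e = Entry("O23", head[len("O23 - Service: "):], path)
            if vendor.strip() == "Unknown owner":   # HJT's wording when no vendor is known
                e.flags.append("service with no vendor string")
        elif m := NS_RE.match(line):
            e = Entry("O17", m["key"], m["servers"])
        else:
            continue
        triage(e)
        entries.append(e)
    return entries


def flagged(entries: list) -> list:
    """Names of the entries that need a closer look."""
    return [e.name for e in entries if e.flags]


if __name__ == "__main__":
    for e in parse_hjt(SAMPLE_LOG):
        print(f"{e.kind:4} {e.name:30} {e.target}")
        for f in e.flags:
            print(f"     ! {f}")
```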

chelley
2008-04-19, 16:29
PART 1 OF THE KASPERSKY ONLINE SCANNER REPORT

Scan Settings
Scan using the following antivirus database extended
Scan Archives true
Scan Mail Bases true


Saturday, April 19, 2008 1:15:33 PM
Operating System: Microsoft Windows XP Professional, Service Pack 2 (Build 2600)
Kaspersky Online Scanner version: 5.0.98.0
Kaspersky Anti-Virus database last update: 19/04/2008
Kaspersky Anti-Virus database records: 715057

chelley
2008-04-19, 16:32
Scan Statistics
Total number of scanned objects 435960
Number of viruses found 5
Number of infected objects 10
Number of suspicious objects 0
Duration of the scan process 07:03:04

MOST STUFF IS LIKE THIS!
C:\Documents and Settings\All Users\Application Data\Microsoft\Windows Defender\Support\MPLog-12102007-055127.log Object is locked skipped

C:\Documents and Settings\All Users\Application Data\Symantec\Common Client\settings.dat Object is locked skipped

INTERESTING STUFF IS!
C:\Program Files\ESET\infected\OAGCYRCA.NQF Infected: not-a-virus:AdTool.Win32.MyWebSearch.bm skipped

C:\Program Files\ESET\infected\RECQXVAA.NQF Infected: Trojan.Win32.Obfuscated.en skipped

chelley
2008-04-19, 16:35
C:\Program Files\RealVNC\VNC4\vncconfig.exe Infected: not-a-virus:RemoteAdmin.Win32.WinVNC.4 skipped

C:\Program Files\RealVNC\VNC4\vncviewer.exe Infected: not-a-virus:RemoteAdmin.Win32.WinVNC.4 skipped

C:\Program Files\RealVNC\VNC4\winvnc4.exe Infected: not-a-virus:RemoteAdmin.Win32.WinVNC.4 skipped

C:\Program Files\RealVNC\VNC4\wm_hooks.dll Infected: not-a-virus:RemoteAdmin.Win32.WinVNC.4 skipped
X:\Vdownloader\VDownloader.exe Infected: not-a-virus:Downloader.Win32.VDown.a skipped

The file does not really say anything useful :rolleyes:

chelley
2008-04-19, 16:39
Nothing serious seems to show up! Do you think my modem / router could be to blame?

ASR-8000
Part no. SAMR-4115

Michelle

chelley
2008-04-19, 23:18
I tried a factory reset and reconfigure on my modem, but this does not help. I also find I am unable to run speed tests on http://www.thinkbroadband.com/speedtest.html

So I still need help :o(

Chelley

ndmmxiaomayi
2008-04-21, 06:37
Hi,

I'm now looking over your log. It will take some time as it has been split into too many posts.

Thank you for your patience. :)

chelley
2008-04-21, 08:52
My friend in Germany, who is primarily an expert with Linux and Debian operating systems, has found something curious. At first he could not get into my system with VNC for remote desktop access like he has in the past, so he had a hunch: he changed the MTU on his PC to a lower level and then he was able to get in; before that he only got a black screen, no desktop? This is all very strange, nothing has changed with my system or router configuration in 2 years (I don't like changing things in case it breaks). He then told me to change the MTU in my router WELL BELOW THE SETTINGS MY ISP GAVE ME? and it worked, so that he could leave his as default settings, and it worked for him on VNC. Also now I can send larger emails and upload video to YouTube again! BUT ONLY on one machine? My other Windows XP PC still won't work properly, so something is either not seeing the change we made (perhaps a virus) and has not had a chance to mutate or adapt, or something else is going on; I am left scratching my head over this! But for today at least I do have full functionality on at least 1 PC, the others are still misbehaving.

MTU was set in my router to 1458 as recommended by my ISP Entanet (Fails)
MTU which my friend told me to try is 1438; we also lowered the MSS to 1300 just to try, and so far success. Now the question is this! Is my ISP responsible for some jiggery pokery to try and limit multimedia packet passage, or is this a virus causing this?

As I explained earlier, my friend is not knowledgeable on viruses or malware; he is only trying to find a temporary hardware solution for me to better communicate with you guys here. :)

Michelle

ndmmxiaomayi
2008-04-21, 09:50
Hi,

I don't have much knowledge on networking either. It seems like the greater the value for MTU, the better it is.

http://en.wikipedia.org/wiki/Maximum_transmission_unit

Disable Ad-Aware Ad-Watch temporarily

While it's good to have extra protection, Ad-Watch can interfere with the removal of malware as well. Please disable it temporarily. You can re-enable it after your computer is clean.

To disable it, please do the following:

Right click on the Ad-Watch icon in the system tray (http://www.lavasoftsupport.com/uploads/monthly_01_2008/post-4454-1199835422.gif)
Select Goto Settings.
Click on Status on the left.
On your right hand side, click once on each of the sections to turn the green tick into a red cross.
Click on RegShield on the left.
On your right hand side, click once on each of the sections to turn the green tick into a red cross.
Click on Settings on the left.
Click once on Load Ad-Watch at startup to turn the green tick into a red cross.
Minimize Ad-Watch.
Right click on the Ad-Watch icon again and select Close Ad-Watch.
You will be prompted if you want to shut down Ad-Watch. Click Yes.
Restart your computer for the changes to take effect.

Disable Windows Defender temporarily

Like Ad-Watch, Windows Defender can protect your computer, but it can interfere with our fixes. Please disable it temporarily as well.

To disable it, please do the following:

Go to Start > All Programs > Windows Defender.
Click on Tools at the top.
Under Settings, click on Options.
Under Automatic scanning, uncheck (untick) the Automatically scan my computer (recommended) box.
Under Real-time protection options, uncheck (untick) the Use real-time protection (recommended) box.
Click on the Save button at the bottom right hand corner.

Remove one antivirus

Please choose to keep either Symantec Antivirus or NOD32 Eset Antivirus. Having more than one antivirus running in real-time will cause conflicts.

Run DSS

Please download Deckard's System Scanner from Tech Support Forum (http://www.techsupportforum.com/sectools/Deckard/dss.exe) and save it to your desktop. Note: You must be logged onto an account with administrator privileges.
Save all your work and close all opened programs.
Double click on dss.exe to run it. Follow the prompts.
When the scan is complete, two log files will be produced. The first one, main.txt, will be maximized, the second one, extra.txt, will be minimized.
Please post the contents of the 2 log files in your next reply. 1 log per reply please.

chelley
2008-04-21, 20:58
Dear ndmmxiaomayi

NAV warned of a process, GetFolder process inkread.vbs; I blocked the action. It also wanted to access the Internet, so I blocked it. Was this right? I do not like any processes that do things without explanation!

Michelle

chelley
2008-04-21, 21:40
Deckard's System Scanner v20071014.68
Extra logfile - please post this as an attachment with your post.
--------------------------------------------------------------------------------

-- System Information ----------------------------------------------------------

Microsoft Windows XP Professional (build 2600) SP 2.0
Architecture: X86; Language: English

CPU 0: AMD Athlon(tm) 64 Processor 4000+
Percentage of Memory in Use: 25%
Physical Memory (total/avail): 2047.23 MiB / 1525.79 MiB
Pagefile Memory (total/avail): 3294.09 MiB / 2900.93 MiB
Virtual Memory (total/avail): 2047.88 MiB / 1931.43 MiB

A: is Removable (No Media)
B: is Network (No Media)
C: is Fixed (NTFS) - 14.65 GiB total, 0.49 GiB free.
D: is Fixed (FAT32) - 0.98 GiB total, 0.31 GiB free.
E: is Fixed (FAT32) - 1.95 GiB total, 0.65 GiB free.
F: is Fixed (NTFS) - 4.88 GiB total, 0.09 GiB free.
G: is Fixed (NTFS) - 25.88 GiB total, 1.43 GiB free.
H: is Fixed (NTFS) - 16.15 GiB total, 1.86 GiB free.
I: is CDROM (No Media)
J: is CDROM (No Media)
K: is CDROM (No Media)
L: is CDROM (No Media)
M: is Network (CDFS)
N: is Network (CDFS)
O: is Network (NTFS)
P: is Network (FAT)
Q: is Network (FAT)
S: is Network (FAT)
T: is Network (FAT)
W: is Network (FAT)
X: is Network (NTFS)
Y: is Network (FAT)

\\.\PHYSICALDRIVE0 - HDS728080PLAT20 - 76.69 GiB - 7 partitions
\PARTITION0 - Unknown - 1498.22 MiB
\PARTITION1 - Unknown - 11.72 GiB
\PARTITION2 (bootable) - Installable File System - 14.65 GiB - C:
\PARTITION3 - Extended w/Extended Int 13 - 48.86 GiB - E: - F: - G: - H:

\\.\PHYSICALDRIVE1 - WDC AC11000H - 1007.02 MiB - 1 partition
\PARTITION0 - Unknown - 1006 MiB - D:



-- Security Center -------------------------------------------------------------

AUOptions is disabled.
Windows Internal Firewall is disabled.

AntiVirusDisableNotify is set.
FirewallDisableNotify is set.

FW: Norton Internet Worm Protection v2005 (Symantec)
FW: Kerio Personal Firewall v4.2.3 T (Kerio)
AV: Norton AntiVirus v2005 (Symantec Corporation)

[HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"%windir%\\Network Diagnostic\\xpnetdiag.exe"="%windir%\\Network Diagnostic\\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"

[HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"C:\\Program Files\\Sunbelt Software\\Personal Firewall 4\\kpf4gui.exe"="C:\\Program Files\\Sunbelt Software\\Personal Firewall 4\\kpf4gui.exe:*:Disabled:Sunbelt Kerio Personal Firewall 4 - GUI"
"%windir%\\Network Diagnostic\\xpnetdiag.exe"="%windir%\\Network Diagnostic\\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"


-- Environment Variables -------------------------------------------------------

ALLUSERSPROFILE=C:\Documents and Settings\All Users
APPDATA=C:\Documents and Settings\Julie OSG\Application Data
CommonProgramFiles=C:\Program Files\Common Files
COMPUTERNAME=VENUS6
ComSpec=C:\WINDOWS\system32\cmd.exe
FP_NO_HOST_CHECK=NO
HOMEDRIVE=C:
HOMEPATH=\Documents and Settings\Julie OSG
LOGONSERVER=\\VENUS6
NUMBER_OF_PROCESSORS=1
OS=Windows_NT
Path=C:\WINDOWS\system32;C:\WINDOWS;C:\WINDOWS\System32\Wbem;C:\Program Files\Common Files\GTK\2.0\bin
PATHEXT=.COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH
PROCESSOR_ARCHITECTURE=x86
PROCESSOR_IDENTIFIER=x86 Family 15 Model 39 Stepping 1, AuthenticAMD
PROCESSOR_LEVEL=15
PROCESSOR_REVISION=2701
ProgramFiles=C:\Program Files
PROMPT=$P$G
SESSIONNAME=Console
SystemDrive=C:
SystemRoot=C:\WINDOWS
TEMP=C:\DOCUME~1\JULIEO~1\LOCALS~1\Temp
TMP=C:\DOCUME~1\JULIEO~1\LOCALS~1\Temp
tvdumpflags=8
USERDOMAIN=VENUS6
USERNAME=Julie OSG
USERPROFILE=C:\Documents and Settings\Julie OSG
windir=C:\WINDOWS
__COMPAT_LAYER=EnableNXShowUI


-- User Profiles ---------------------------------------------------------------

Julie (admin)
Julie OSG (admin)
Administrator (new local, admin)


-- Add/Remove Programs ---------------------------------------------------------

--> C:\Program Files\DivX\ConverterUninstall.exe /CONVERTER
--> C:\Program Files\Nero\Nero 7\\nero\uninstall\UNNERO.exe /UNINSTALL
--> C:\WINDOWS\UNNeroBackItUp.exe /UNINSTALL
--> C:\WINDOWS\UNNeroMediaHome.exe /UNINSTALL
--> C:\WINDOWS\UNNeroShowTime.exe /UNINSTALL
--> C:\WINDOWS\UNNeroVision.exe /UNINSTALL
--> C:\WINDOWS\UNRecode.exe /UNINSTALL
--> rundll32.exe setupapi.dll,InstallHinfSection DefaultUninstall 132 C:\WINDOWS\INF\PCHealth.inf
7-Zip 4.23 --> "C:\Program Files\7-Zip\Uninstall.exe"
Ad-Aware SE Professional --> C:\PROGRA~1\Lavasoft\AD-AWA~1\UNWISE.EXE C:\PROGRA~1\Lavasoft\AD-AWA~1\INSTALL.LOG
Adobe Flash Player ActiveX --> C:\WINDOWS\system32\Macromed\Flash\uninstall_activeX.exe
Adobe Flash Player Plugin --> C:\WINDOWS\system32\Macromed\Flash\uninstall_plugin.exe
Adobe Reader 6.0.1 --> MsiExec.exe /I{AC76BA86-7AD7-1033-7B44-A00000000001}
Athlon 64 Processor Driver --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\09\01\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{C151CE54-E7EA-4804-854B-F515368B0798}\setup.exe" -l0x9
Atlas 0.3.0 --> "C:\Program Files\FlightGear\unins000.exe"
ccCommon --> MsiExec.exe /I{DC367608-64A7-4BF7-92F4-8BAA25BA02DB}
Cool Edit Pro 2.1 --> C:\Program Files\coolpro2\cep2unin.exe
DivX Author 1.5 --> C:\Program Files\DivX\DivX Author 1.5\DivXAuthorUninstall.exe /DIVX_AUTHOR
DivX Codec --> C:\Program Files\DivX\DivXCodecUninstall.exe /CODEC
DivX Content Uploader --> C:\Program Files\DivX\DivXContentUploaderUninstall.exe /CUPLOADER
DivX Converter --> C:\Program Files\DivX\ConverterUninstall.exe /CONVERTER
DivX Player --> C:\Program Files\DivX\DivXPlayerUninstall.exe /PLAYER
DivX Web Player --> C:\Program Files\DivX\DivXWebPlayerUninstall.exe /PLUGIN
Dr. DivX 2.0 OSS --> C:\Program Files\DivX\Dr. DivX 2.0 OSS\Remove.exe
DVD Shrink 3.2 --> "F:\Program Files\DVD Shrinkb\unins000.exe"
FlightGear --> "C:\Program Files\FlightGear\uninstall.exe"
Fraps (remove only) --> "C:\Fraps\uninstall.exe"
FXhome VisionLab Studio (remove only) --> "C:\Program Files\FXhome VisionLab Studio\FXhome VisionLab Studio Uninstall.exe"
GIGABYTE VGA Utility Manager --> C:\WINDOWS\IsUninst.exe -f"C:\Program Files\GigaByte\VGA Utility Manager\Uninst.isu"
Google Earth --> MsiExec.exe /I{1E04F83B-2AB9-4301-9EF7-E86307F79C72}
Google Video Uploader --> "C:\Program Files\Google Video\Uninstall.exe"
GTK+ 2.10.13 runtime environment --> "C:\Program Files\Common Files\GTK\2.0\setup\unins000.exe"
HijackThis 2.0.2 --> "C:\Program Files\Trend Micro\HijackThis\HijackThis.exe" /uninstall
HyperMedia --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\10\00\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{B92F966F-7888-459F-8EC7-339BBDF30BFC}\setup.exe" -l0x9 -removeonly
Internet Worm Protection --> MsiExec.exe /I{2908F0CB-C1D4-447F-97A2-CFC135C9F8D4}
Java(TM) 6 Update 3 --> MsiExec.exe /I{3248F0A8-6813-11D6-A77B-00B0D0160030}
K-Lite Codec Pack 3.4.0 Full --> "C:\Program Files\K-Lite Codec Pack\unins000.exe"
Kaspersky Online Scanner --> C:\WINDOWS\system32\Kaspersky Lab\Kaspersky Online Scanner\kavuninstall.exe
KWorld Multimedia -- TV Tuner Card Utilities --> "C:\Program Files\KWorld Multimedia\TV Tuner Card Utilities\unins000.exe"
KWorld TV713X BDA Driver --> C:\WINDOWS\p3xunist.exe
LiveReg (Symantec Corporation) --> C:\Program Files\Common Files\Symantec Shared\LiveReg\VCSetup.exe /REMOVE
LiveUpdate 3.0 (Symantec Corporation) --> "C:\Program Files\Symantec\LiveUpdate\LSETUP.EXE" /U
Mozilla Firefox (2.0.0.14) --> C:\Program Files\Mozilla Firefox\uninstall\helper.exe
MSRedist --> MsiExec.exe /I{D1725BDB-BA2B-4503-A8CB-F5C835D743FA}
MSXML 6.0 Parser (KB933579) --> MsiExec.exe /I{0A869A65-8C94-4F7C-A5C7-972D3C8CED9E}
Nero 7 --> MsiExec.exe /X{A20A58C4-6784-4B4B-86CC-94E2E3671033}
neroxml --> MsiExec.exe /I{56C049BE-79E9-4502-BEA7-9754A3E60F9B}
NetMeter 0.9.9.9 (beta 2) --> "C:\Program Files\NetMeter\unins000.exe"
Norton AntiVirus 2005 --> MsiExec.exe /X{C6F5B6CF-609C-428E-876F-CA83176C021B}
Norton AntiVirus Parent MSI --> MsiExec.exe /I{E5EE9939-259F-4DE2-8023-5C49E16A4F43}
Norton CleanSweep --> MsiExec.exe /I{634B01DF-A45B-4623-80E1-E15FF82A4979}
Norton SystemWorks --> MsiExec.exe /I{9E23C48E-5483-4971-BA50-089F2FABCD66}
Norton SystemWorks 2005 Premier (Symantec Corporation) --> C:\Program Files\Common Files\Symantec Shared\SymSetup\{B9807C3D-B3DD-41B7-8321-53DDB3A3A888}.exe /X
Norton Utilities --> MsiExec.exe /I{6A7867BA-B7CA-4CC9-ACAB-85BA46865EE5}
Norton WMI Update --> MsiExec.exe /X{F64306A5-4C32-41bb-B153-53986527FAB4}
NSW_DRM_COLLECTION --> MsiExec.exe /I{900B1884-2D6F-4a70-A3C7-C3F4DA873FDB}
NVIDIA Drivers --> C:\WINDOWS\system32\nvudisp.exe UninstallGUI
OpenAL --> "C:\Program Files\OpenAL\OpenALwEAX.exe" /U /S
PerformanceTest v5.0 --> "C:\Program Files\PerformanceTest\unins000.exe"
QuickTime Alternative 1.81 --> "C:\Program Files\QuickTime Alternative\unins000.exe"
Real Alternative 1.52 --> "C:\Program Files\Real Alternative\unins000.exe"
Realtek AC'97 Audio --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{FB08F381-6533-4108-B7DD-039E11FBC27E}\setup.exe" REMOVE
RivaTuner v2.02 --> "C:\Program Files\RivaTuner v2.02\uninstall.exe"
Security Update for CAPICOM (KB931906) --> MsiExec.exe /I{0EFDF2F9-836D-4EB7-A32D-038BD3F1FB2A}
Security Update for CAPICOM (KB931906) --> MsiExec.exe /X{0EFDF2F9-836D-4EB7-A32D-038BD3F1FB2A}
SPBBC --> MsiExec.exe /I{77772678-817F-4401-9301-ED1D01A8DA56}
Spybot - Search & Destroy --> "C:\Program Files\Spybot - Search & Destroy\unins001.exe"
Spybot - Search & Destroy 1.5.2.20 --> "C:\WINDOWS\unins000.exe"
Sunbelt Kerio Personal Firewall --> MsiExec.exe /X{A990EAA7-8941-4621-BC27-4F16261D3180}
Symantec Script Blocking Installer --> MsiExec.exe /I{D327AFC9-7BAA-473A-8319-6EB7A0D40138}
Symantec Technical Support Web Controls --> MsiExec.exe /X{DDC63227-BA06-4855-B002-BDB49E9F677E}
SymNet --> MsiExec.exe /I{2DA85B02-13C0-4E6D-9A76-22E6B3DD0CB2}
The GIMP 2.2.17 --> "C:\Program Files\GIMP-2.0\unins000.exe"
TortoiseCVS 1.8.31 --> "C:\Program Files\TortoiseCVS\unins000.exe"
TuneUp Utilities 2006 --> MsiExec.exe /I{868D7896-99D4-4513-BC62-2B3AD3E24926}
ULi AGP Driver --> C:\WINDOWS\System32\UnAGP.EXE RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{0DD0650C-5113-4FEE-BDDA-AC0B76FD0BD1}\Setup.exe" -uninst
ULi LAN Driver --> C:\WINDOWS\System32\UnLAN.EXE RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{143BE018-D8F8-4014-8CB6-AF63F5799D21}\Setup.exe" -uninst
VGA Utility --> MsiExec.exe /I{D27BDB5D-3B4C-44F0-A648-BD00B0E79B39}
VNC Free Edition 4.1.2 --> "C:\Program Files\RealVNC\VNC4\unins000.exe"
Windows Defender --> MsiExec.exe /I{A06275F4-324B-4E85-95E6-87B2CD729401}
WinRAR archiver --> C:\Program Files\WinRAR\uninstall.exe
YouTube Uploader --> MsiExec.exe /X{171818BA-E0AD-313D-B45A-1BC9D77ADA86}


-- Application Event Log -------------------------------------------------------

Event Record #/Type7023 / Error
Event Submitted/Written: 04/21/2008 07:50:37 PM
Event ID/Source: 8 / crypt32
Event Description:
Failed auto update retrieval of third-party root list sequence number from: <http://www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootseq.txt> with error: This operation returned because the timeout period expired.

Event Record #/Type7003 / Warning
Event Submitted/Written: 04/21/2008 07:30:46 PM
Event ID/Source: 1524 / Userenv
Event Description:
Windows cannot unload your classes registry file - it is still in use by other applications or services. The file will be unloaded when it is no longer in use.

Event Record #/Type6981 / Warning
Event Submitted/Written: 04/21/2008 10:35:38 AM
Event ID/Source: 1524 / Userenv
Event Description:
Windows cannot unload your classes registry file - it is still in use by other applications or services. The file will be unloaded when it is no longer in use.

Event Record #/Type6952 / Warning
Event Submitted/Written: 04/20/2008 11:08:08 PM
Event ID/Source: 1524 / Userenv
Event Description:
Windows cannot unload your classes registry file - it is still in use by other applications or services. The file will be unloaded when it is no longer in use.

Event Record #/Type6927 / Warning
Event Submitted/Written: 04/20/2008 05:24:28 PM
Event ID/Source: 1524 / Userenv
Event Description:
Windows cannot unload your classes registry file - it is still in use by other applications or services. The file will be unloaded when it is no longer in use.



-- Security Event Log ----------------------------------------------------------

No Errors/Warnings found.


-- System Event Log ------------------------------------------------------------

Event Record #/Type21650 / Error
Event Submitted/Written: 04/21/2008 07:34:24 PM
Event ID/Source: 7000 / Service Control Manager
Event Description:
The SAA7134 TV Card service failed to start due to the following error:
%%1058

Event Record #/Type21649 / Error
Event Submitted/Written: 04/21/2008 07:34:24 PM
Event ID/Source: 7000 / Service Control Manager
Event Description:
The General Purpose USB Driver (adildr.sys) service failed to start due to the following error:
%%2

Event Record #/Type21648 / Warning
Event Submitted/Written: 04/21/2008 07:33:07 PM
Event ID/Source: 2511 / Server
Event Description:
The server service was unable to recreate the share peak because the directory D:\Asrock-Drivers\peakhardware no longer exists. Please run "net share peak /delete" to delete the share, or recreate the directory D:\Asrock-Drivers\peakhardware.

Event Record #/Type21639 / Error
Event Submitted/Written: 04/21/2008 07:16:43 PM
Event ID/Source: 8032 / BROWSER
Event Description:
The browser service has failed to retrieve the backup list too many times on transport \Device\NetBT_Tcpip_{3840A771-FA93-4272-B583-FE3C5376C67D}.
The backup browser is stopping.

Event Record #/Type21638 / Warning
Event Submitted/Written: 04/21/2008 07:15:13 PM
Event ID/Source: 8021 / BROWSER
Event Description:
The browser was unable to retrieve a list of servers from the browser master \\SERVE2 on the network \Device\NetBT_Tcpip_{3840A771-FA93-4272-B583-FE3C5376C67D}.
The data is the error code.



-- End of Deckard's System Scanner: finished at 2008-04-21 19:53:20 ------------

chelley
2008-04-21, 21:42
Deckard's System Scanner v20071014.68
Run by Julie OSG on 2008-04-21 19:47:51
Computer is in Normal Mode.
--------------------------------------------------------------------------------

-- System Restore --------------------------------------------------------------

System Restore is disabled; attempting to re-enable...success.


-- Last 1 Restore Point(s) --
1: 2008-04-21 18:47:52 UTC - RP1 - System Checkpoint


Backed up registry hives.
Performed disk cleanup.

System Drive C: has 0.5 GiB (less than 15%) free.


-- HijackThis (run as Julie OSG.exe) -------------------------------------------

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 19:48:43, on 21/04/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16640)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
C:\Program Files\Sunbelt Software\Personal Firewall 4\kpf4ss.exe
C:\Program Files\Norton SystemWorks\Norton AntiVirus\navapsvc.exe
C:\Program Files\Norton SystemWorks\Norton AntiVirus\IWP\NPFMntor.exe
C:\PROGRA~1\NORTON~1\NORTON~1\NPROTECT.EXE
C:\Program Files\Sunbelt Software\Personal Firewall 4\kpf4gui.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\PROGRA~1\NORTON~1\NORTON~1\SPEEDD~1\NOPDB.EXE
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\Program Files\Sunbelt Software\Personal Firewall 4\kpf4gui.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\SOUNDMAN.EXE
C:\Program Files\RivaTuner v2.02\Tools\RivaTunerStatisticsServer\RivaTunerStatisticsServer.exe
C:\Program Files\RivaTuner v2.02\RivaTuner.exe
C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Program Files\GigaByte\VGA Utility Manager\G-VGA.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Windows Defender\MSASCui.exe
F:\Program Files\ENTA2\EntaTool.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe
C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe
C:\FRAPS\FRAPS.EXE
C:\Program Files\Common Files\Ahead\Lib\NMIndexStoreSvr.exe
C:\Documents and Settings\Julie OSG\Local Settings\Application Data\Google\Update\1.1.25.0\GoogleUpdate.exe
C:\Program Files\KWorld Multimedia\TV Tuner Card Utilities\HMCP3XCtl.exe
C:\Program Files\Wheels\WheelKeys.exe
C:\Documents and Settings\Julie OSG\Local Settings\Application Data\YouTube\Uploader\youtubeuploader.exe
C:\WINDOWS\system32\taskmgr.exe
C:\Documents and Settings\Julie OSG\Desktop\dss.exe
C:\PROGRA~1\TRENDM~1\HIJACK~1\Julie OSG.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://uk.youtube.com/my_videos
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.nasa.gov/multimedia/nasatv/index.html
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton SystemWorks\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton SystemWorks\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [NeroFilterCheck] C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe
O4 - HKLM\..\Run: [RivaTunerStatisticsServer] "C:\Program Files\RivaTuner v2.02\Tools\RivaTunerStatisticsServer\RivaTunerStatisticsServer.exe" /s
O4 - HKLM\..\Run: [RivaTuner] "C:\Program Files\RivaTuner v2.02\RivaTuner.exe" /T
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RunDLL32.exe NvMCTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [ISUSPM Startup] "C:\Program Files\Common Files\InstallShield\UpdateService\isuspm.exe" -startup
O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [VGAUtil] C:\Program Files\GigaByte\VGA Utility Manager\G-VGA.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKLM\..\Run: [Dimension4] F:\Program Files\D4\D4.exe
O4 - HKLM\..\Run: [EntaTool] "F:\Program Files\ENTA2\EntaTool.exe" /hide
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe"
O4 - HKCU\..\Run: [Fraps] C:\FRAPS\FRAPS.EXE
O4 - HKCU\..\Run: [Norton SystemWorks] "C:\Program Files\Norton SystemWorks\cfgwiz.exe" /GUID {05858CFD-5CC4-4ceb-AAAF-CF00BF39736A} /MODE CfgWiz
O4 - HKCU\..\Run: [Google Update] "C:\Documents and Settings\Julie OSG\Local Settings\Application Data\Google\Update\1.1.25.0\GoogleUpdate.exe" /lang en
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'Default user')
O4 - Startup: Remote Control.lnk = C:\Program Files\KWorld Multimedia\TV Tuner Card Utilities\HMCP3XCtl.exe
O4 - Startup: Shortcut to WheelKeys.lnk = C:\Program Files\Wheels\WheelKeys.exe
O4 - Startup: YouTube Uploader.lnk = C:\Documents and Settings\Julie OSG\Local Settings\Application Data\YouTube\Uploader\youtubeuploader.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} (PCPitstop Utility) - http://www.pcpitstop.com/pcpitstop/PCPitStop.CAB
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/english/kavwebscan_unicode.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1187835168890
O16 - DPF: {67DABFBF-D0AB-41FA-9C46-CC0F21721616} (DivXBrowserPlugin Object) - http://download.divx.com/player/DivXBrowserPlugin.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1187835138281
O16 - DPF: {EF791A6B-FC12-4C68-99EF-FB9E207A39E6} (McFreeScan Class) - http://download.mcafee.com/molbin/iss-loc/mcfscan/2,2,0,5105/mcfscan.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{3840A771-FA93-4272-B583-FE3C5376C67D}: NameServer = 192.168.1.1,192.168.1.14
O17 - HKLM\System\CS1\Services\Tcpip\..\{3840A771-FA93-4272-B583-FE3C5376C67D}: NameServer = 192.168.1.1,192.168.1.14
O17 - HKLM\System\CS3\Services\Tcpip\..\{3840A771-FA93-4272-B583-FE3C5376C67D}: NameServer = 192.168.1.1,192.168.1.14
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Sunbelt Kerio Personal Firewall 4 (KPF4) - Sunbelt Software - C:\Program Files\Sunbelt Software\Personal Firewall 4\kpf4ss.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: Norton AntiVirus Auto-Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton SystemWorks\Norton AntiVirus\navapsvc.exe
O23 - Service: NBService - Nero AG - C:\Program Files\Nero\Nero 7\Nero BackItUp\NBService.exe
O23 - Service: NMIndexingService - Nero AG - C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe
O23 - Service: Norton AntiVirus Firewall Monitor Service (NPFMntor) - Symantec Corporation - C:\Program Files\Norton SystemWorks\Norton AntiVirus\IWP\NPFMntor.exe
O23 - Service: Norton Unerase Protection (NProtectService) - Symantec Corporation - C:\PROGRA~1\NORTON~1\NORTON~1\NPROTECT.EXE
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton SystemWorks\Norton AntiVirus\SAVScan.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Speed Disk service - Symantec Corporation - C:\PROGRA~1\NORTON~1\NORTON~1\SPEEDD~1\NOPDB.EXE
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: TuneUp WinStyler Theme Service (TUWinStylerThemeSvc) - TuneUp Software GmbH - C:\Program Files\TuneUp Utilities 2006\WinStylerThemeSvc.exe

--
End of file - 11162 bytes

-- File Associations -----------------------------------------------------------

All associations okay.


-- Drivers: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled ---------------------

R1 fwdrv (Firewall Driver) - c:\windows\system32\drivers\fwdrv.sys <Not Verified; Sunbelt Software; >
R1 khips (Kerio HIPS Driver) - c:\windows\system32\drivers\khips.sys <Not Verified; ; HIPS>
R3 3xHybrid (3xHybrid service) - c:\windows\system32\drivers\3xhybrid.sys <Not Verified; NXP Semiconductors Germany GmbH; NXP Semiconductors 3xHybrid>
R3 GPCIDrv - c:\windows\gpcidrv.sys
R3 GVTDrv - c:\windows\system32\drivers\gvtdrv.sys
R3 RivaTuner32 - c:\program files\rivatuner v2.02\rivatuner32.sys

S2 ADILOADER (General Purpose USB Driver (adildr.sys)) - c:\windows\system32\drivers\adildr.sys (file missing)
S3 adiusbaw (USB ADSL WAN Adapter) - c:\windows\system32\drivers\adiusbaw.sys (file missing)
S3 Cap7134 (Philips Cap7134 Capture) - c:\windows\system32\drivers\cap7134.sys <Not Verified; Philips Semiconductors; Philips cap7134>
S3 PhTVTune (Philips WDM TVTuner) - c:\windows\system32\drivers\phtvtune.sys <Not Verified; Philips Semiconductors; Philips TVTuner WDM Driver>
S3 SDdriver - c:\windows\system32\drivers\sddriver.sys <Not Verified; Symantec Corporation; Norton Speed Disk>
S3 TVICHW32 - c:\windows\system32\drivers\tvichw32.sys (file missing)


-- Services: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled --------------------

S3 NBService - c:\program files\nero\nero 7\nero backitup\nbservice.exe
S3 TUWinStylerThemeSvc (TuneUp WinStyler Theme Service) - c:\program files\tuneup utilities 2006\winstylerthemesvc.exe <Not Verified; TuneUp Software GmbH; TuneUp Utilities>


-- Device Manager: Disabled ----------------------------------------------------

No disabled devices found.


-- Scheduled Tasks -------------------------------------------------------------

2008-04-21 19:36:03 330 --ah----- C:\WINDOWS\Tasks\MP Scheduled Scan.job
2008-04-21 00:00:00 316 --a------ C:\WINDOWS\Tasks\Symantec Drmc.job
2008-04-11 20:18:19 556 --a------ C:\WINDOWS\Tasks\Norton AntiVirus - Scan my computer - Julie OSG.job
2008-04-11 17:15:00 390 --a------ C:\WINDOWS\Tasks\1-Click Maintenance.job
2008-02-25 13:26:40 300 --a------ C:\WINDOWS\Tasks\Norton SystemWorks One Button Checkup.job
2008-02-09 08:59:25 250 --a------ C:\WINDOWS\Tasks\wizmo.exe exit.job
2007-06-05 05:54:06 526 --a------ C:\WINDOWS\Tasks\Nero ImageDrive.job


-- Files created between 2008-03-21 and 2008-04-21 -----------------------------

2008-04-19 13:38:18 0 d-------- C:\Program Files\Trend Micro
2008-04-19 05:47:24 0 d-------- C:\Documents and Settings\All Users\Application Data\Kaspersky Lab
2008-04-19 05:47:22 0 d-------- C:\WINDOWS\system32\Kaspersky Lab
2008-04-17 21:56:52 0 d-------- C:\WINDOWS\SxsCaPendDel
2008-04-17 21:56:48 0 d-------- C:\Documents and Settings\Default User\Application Data\Adobe
2008-04-17 20:44:52 0 d-------- C:\Documents and Settings\All Users\Application Data\SITEguard
2008-04-17 20:44:12 0 d-------- C:\Program Files\Common Files\iS3
2008-04-17 20:44:12 0 d-------- C:\Documents and Settings\All Users\Application Data\STOPzilla!
2008-04-15 02:50:05 0 d-------- C:\Program Files\Google Video
2008-04-14 03:56:57 0 d-------- C:\Documents and Settings\Julie OSG\Application Data\Talkback
2008-04-14 03:56:45 0 --a------ C:\WINDOWS\nsreg.dat
2008-04-14 03:56:30 2818 --a------ C:\WINDOWS\mozver.dat
2008-04-14 03:56:30 0 d-------- C:\Documents and Settings\Julie OSG\Application Data\Mozilla
2008-04-08 05:57:16 0 d-------- C:\Documents and Settings\Julie OSG\Application Data\KWorld Multimedia
2008-04-08 05:56:27 0 d-------- C:\Program Files\KWorld Multimedia
2008-04-08 05:47:31 945920 --a------ C:\WINDOWS\system32\drivers\3xHybrid.sys <Not Verified; NXP Semiconductors Germany GmbH; NXP Semiconductors 3xHybrid>
2008-04-08 04:54:33 0 d-------- C:\Program Files\V-Stream Multimedia
2008-04-07 23:54:55 49152 --a------ C:\WINDOWS\p3xunist.exe <Not Verified; Kworld Computer Co., Ltd.; TV713X BDA Uninstallation Program>
2008-04-07 23:54:38 28448 -ra------ C:\WINDOWS\system32\drivers\PhTVTune.sys <Not Verified; Philips Semiconductors; Philips TVTuner WDM Driver>
2008-04-07 23:54:10 358016 -ra------ C:\WINDOWS\system32\drivers\Cap7134.sys <Not Verified; Philips Semiconductors; Philips cap7134>
2008-04-07 23:53:59 106571 -ra------ C:\WINDOWS\system32\Prop7134.dll <Not Verified; Philips Semiconductors; Philips Prop7134>
2008-04-07 23:53:58 24576 -ra------ C:\WINDOWS\system32\34pciurd.dll <Not Verified; Philips Semiconductors; Philips 34PCIurd>
2008-04-07 23:53:58 24576 -ra------ C:\WINDOWS\system32\34i2curd.dll <Not Verified; Philips Semiconductors; Philips 34I2Curd>
2008-04-07 23:53:58 36864 -ra------ C:\WINDOWS\system32\34ds.dll <Not Verified; Philips Semiconductors; 34ds>
2008-04-07 23:53:58 290816 -ra------ C:\WINDOWS\system32\34dlg2.dll <Not Verified; Philips Semiconductors; dialog3 Dynamic Link Library>
2008-04-07 23:53:57 98304 -ra------ C:\WINDOWS\system32\34dialog.dll <Not Verified; Philips Semiconductors; 34dialog>
2008-04-07 23:53:56 77824 -ra------ C:\WINDOWS\system32\34dd.dll <Not Verified; Philips Semiconductors; 34dd>
2008-04-07 23:53:56 114688 -ra------ C:\WINDOWS\system32\34com.dll <Not Verified; Philips Semiconductors; VampCOM Module>


-- Find3M Report ---------------------------------------------------------------

2008-04-21 19:35:24 5112 --a------ C:\WINDOWS\GPCIDrv.sys
2008-04-21 19:35:21 0 dr------- C:\Program Files\Common Files
2008-04-19 16:55:03 0 d--h----- C:\Program Files\InstallShield Installation Information
2008-04-16 08:39:43 0 d-------- C:\Program Files\Common Files\Symantec Shared
2008-04-12 00:38:15 0 d-------- C:\Documents and Settings\Julie OSG\Application Data\flightgear.org
2008-04-11 23:27:02 0 d-------- C:\Documents and Settings\Julie OSG\Application Data\gtk-2.0
2008-04-08 07:06:06 0 d-------- C:\Program Files\FXhome VisionLab Studio
2008-02-27 06:39:11 0 d-------- C:\Program Files\Google
2008-02-25 13:26:40 0 d-------- C:\Program Files\Norton SystemWorks
2008-02-22 03:33:07 0 d-------- C:\Program Files\RealVNC
2008-02-13 01:06:07 3447 --a------ C:\WINDOWS\unins000.dat
2008-02-13 01:03:36 691545 --a------ C:\WINDOWS\unins000.exe


-- Registry Dump ---------------------------------------------------------------

*Note* empty entries & legit default entries are not shown


[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SoundMan"="SOUNDMAN.EXE" [27/07/2004 17:01 C:\WINDOWS\SOUNDMAN.EXE]
"NeroFilterCheck"="C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe" [01/03/2007 15:57]
"RivaTunerStatisticsServer"="C:\Program Files\RivaTuner v2.02\Tools\RivaTunerStatisticsServer\RivaTunerStatisticsServer.exe" [01/07/2007 20:20]
"RivaTuner"="C:\Program Files\RivaTuner v2.02\RivaTuner.exe" [01/07/2007 20:20]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe" [25/09/2007 01:11]
"NvCplDaemon"="C:\WINDOWS\system32\NvCpl.dll" [01/06/2006 17:22]
"nwiz"="nwiz.exe" [01/06/2006 17:22 C:\WINDOWS\SYSTEM32\nwiz.exe]
"NvMediaCenter"="NvMCTray.dll" [01/06/2006 17:22 C:\WINDOWS\SYSTEM32\nvmctray.dll]
"ISUSPM Startup"="C:\Program Files\Common Files\InstallShield\UpdateService\isuspm.exe" [11/08/2005 16:30]
"ISUSScheduler"="C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" [11/08/2005 16:30]
"VGAUtil"="C:\Program Files\GigaByte\VGA Utility Manager\G-VGA.exe" [06/09/2006 14:04]
"ccApp"="C:\Program Files\Common Files\Symantec Shared\ccApp.exe" [17/01/2008 12:42]
"Symantec NetDriver Monitor"="C:\PROGRA~1\SYMNET~1\SNDMon.exe" [21/11/2007 01:59]
"Windows Defender"="C:\Program Files\Windows Defender\MSASCui.exe" [03/11/2006 20:20]
"Dimension4"="F:\Program Files\D4\D4.exe" [04/02/2004 02:26]
"EntaTool"="F:\Program Files\ENTA2\EntaTool.exe" [20/07/2007 22:06]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\system32\ctfmon.exe" [04/08/2004 08:56]
"BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}"="C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe" [16/05/2007 09:27]
"Fraps"="C:\FRAPS\FRAPS.EXE" [19/12/2006 14:02]
"Norton SystemWorks"="C:\Program Files\Norton SystemWorks\cfgwiz.exe" [10/09/2004 03:12]
"Google Update"="C:\Documents and Settings\Julie OSG\Local Settings\Application Data\Google\Update\1.1.25.0\GoogleUpdate.exe" [18/04/2008 03:00]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\vds]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{533C5B84-EC70-11D2-9505-00C04F79DEAF}]
@="Volume shadow copy"

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run-]
"MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" /background
"SpybotSD TeaTimer"=C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe




-- Hosts -----------------------------------------------------------------------

127.0.0.1 mpa.one.microsoft.com
127.0.0.1 www.007guard.com
127.0.0.1 007guard.com
127.0.0.1 008i.com
127.0.0.1 www.008k.com
127.0.0.1 008k.com
127.0.0.1 www.00hq.com
127.0.0.1 00hq.com
127.0.0.1 010402.com
127.0.0.1 www.032439.com

8332 more entries in hosts file.


-- End of Deckard's System Scanner: finished at 2008-04-21 19:53:20 ------------
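As an added example, not code from the thread, from DSS or from HijackThis: a small Python script that parses the O4 autorun, O23 service and DSS driver/service lines of the kind shown in the log above, extracts the program each entry starts, and flags the entries a helper tends to check first. The sample lines are copied from the log above; the flag rules (file reported missing, bare file name with no directory, binary living under a user profile or Temp directory) are review heuristics chosen for this example, not verdicts, and a hit means "verify the publisher", which is consistent with the helper's later reply that the logs look fine.

```python
"""Triage helper for HijackThis / Deckard's System Scanner log lines (added example)."""
import re

# Lines copied from the HijackThis and DSS output posted above.
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKCU\..\Run: [Google Update] "C:\Documents and Settings\Julie OSG\Local Settings\Application Data\Google\Update\1.1.25.0\GoogleUpdate.exe" /lang en
O4 - Startup: YouTube Uploader.lnk = C:\Documents and Settings\Julie OSG\Local Settings\Application Data\YouTube\Uploader\youtubeuploader.exe
O23 - Service: NBService - Nero AG - C:\Program Files\Nero\Nero 7\Nero BackItUp\NBService.exe
R1 fwdrv (Firewall Driver) - c:\windows\system32\drivers\fwdrv.sys <Not Verified; Sunbelt Software; >
S2 ADILOADER (General Purpose USB Driver (adildr.sys)) - c:\windows\system32\drivers\adildr.sys (file missing)
S3 TVICHW32 - c:\windows\system32\drivers\tvichw32.sys (file missing)
"""

O4_RUN = re.compile(r"^O4 - (?P<hive>HK\S+?)\\\.\.\\(?P<key>Run\S*): \[(?P<name>[^\]]+)\] (?P<cmd>.*)$")
O4_STARTUP = re.compile(r"^O4 - Startup: (?P<name>.+?) = (?P<cmd>.*)$")
O23_SERVICE = re.compile(r"^O23 - Service: (?P<name>.+?) - (?P<vendor>.+?) - (?P<cmd>.*)$")
DSS_ENTRY = re.compile(r"^(?P<start>[RS][0-4]) (?P<name>[^\s-]\S*)(?: \((?P<desc>.*)\))? - (?P<rest>.*)$")
# First program-like token of a command line (unquoted paths may contain spaces).
PROGRAM_RE = re.compile(r"(?i)^(.+?\.(?:exe|dll|sys|cpl|scr|vbs|bat|cmd|com))(?=[\s,]|$)")

# Heuristic (assumption of this example): locations malware commonly persists in.
# Legitimate software uses them too, so a hit means "verify", not "remove".
USER_PROFILE_MARKERS = ("\\documents and settings\\", "\\local settings\\",
                        "\\temp\\", "\\application data\\")


def executable_from_command(cmd):
    """Return the program a Run/Service command line starts, without its arguments."""
    cmd = cmd.strip()
    if cmd.startswith('"'):                      # quoted path: take what is inside the quotes
        end = cmd.find('"', 1)
        return cmd[1:end] if end > 0 else cmd[1:]
    m = PROGRAM_RE.match(cmd)
    program = m.group(1) if m else (cmd.split()[0] if cmd else "")
    if program.lower().split("\\")[-1].startswith("rundll32"):
        # rundll32 only hosts a DLL and calls an export; the DLL is the thing to check
        return executable_from_command(cmd[len(program):])
    return program


def parse_line(line):
    """Turn one log line into a record, or None for lines this script ignores."""
    m = O4_RUN.match(line)
    if m:
        return {"kind": "autorun", "name": m["name"], "path": executable_from_command(m["cmd"])}
    m = O4_STARTUP.match(line)
    if m:
        return {"kind": "startup-folder", "name": m["name"], "path": executable_from_command(m["cmd"])}
    m = O23_SERVICE.match(line)
    if m:
        return {"kind": "service", "name": m["name"], "path": executable_from_command(m["cmd"])}
    m = DSS_ENTRY.match(line)
    if m:
        rest = re.sub(r"\s*<[^>]*>$", "", m["rest"])   # drop the "<Not Verified; ...>" note
        missing = rest.endswith("(file missing)")
        path = rest[: -len("(file missing)")].strip() if missing else rest
        return {"kind": "driver/service", "name": m["name"], "path": path, "missing": missing}
    return None


def flags_for(record):
    """Review flags for one record; an empty list means nothing stood out."""
    flags = []
    path = record["path"]
    if record.get("missing"):
        flags.append("file missing: dangling entry, remove it or reinstall the owning software")
    if "\\" not in path:
        flags.append("no directory: resolved via the search path, locate the actual file")
    if any(marker in path.lower() for marker in USER_PROFILE_MARKERS):
        flags.append("runs from a user profile or Temp directory: confirm the publisher")
    return flags


def triage(log_text):
    """Parse every recognised line and attach its flags."""
    records = []
    for line in log_text.splitlines():
        rec = parse_line(line.strip())
        if rec:
            rec["flags"] = flags_for(rec)
            records.append(rec)
    return records


def findings(log_text):
    """Only the records that carry at least one flag."""
    return [r for r in triage(log_text) if r["flags"]]


if __name__ == "__main__":
    for rec in findings(SAMPLE_LOG):
        print(f"{rec['kind']:15} {rec['name']:25} {rec['path']}")
        for flag in rec["flags"]:
            print(f"    - {flag}")
```

On the sample above the script flags five entries: SoundMan (bare file name), Google Update and YouTube Uploader (under the user profile), and ADILOADER and TVICHW32 (files missing); the remaining four parse cleanly with no flag.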

chelley
2008-04-21, 23:35
Dear ndmmxiaomayi,

I followed your instructions to the letter, and then I ran the program dss.exe and now my XP machine seems to be working again :)

However, I still have another Windows 2000 PC to fix and also Windows 98SE boot partitions on dual-booting PCs; the only reason I use the old Win98 now is for running very old programs that will not work on the newer OSs.

Can I use the same dss.exe you told me to run on all PCs and boot drives, or are these files specific to XP / Win2k?

I await further instruction.

You are a genius, thanks ...

chelle

chelley
2008-04-22, 00:14
I was just doing a routine Windows 2000 Disk Cleanup on my other main PC and NOD popped up a warning in red; here is the error!

Time Module Object Name Threat Action User Information
21/04/2008 23:03:23 AMON file C:\Documents and Settings\Administrator\Application Data\Sun\Java\Deployment\cache\6.0\3\6edc3c83-34a056af Java/TrojanDownloader.OpenStream.NAC trojan deleted SERVE2\Administrator Event occurred at an attempt to access the file by the application: C:\WINNT\System32\cleanmgr.exe.


:( it seems I can't get rid of these things?


Chelle

ndmmxiaomayi
2008-04-22, 16:48
Hi,

I'm not familiar with Windows 2000 and Windows 98. I can try to interpret the logs, but there will be a delay as I get help in understanding them.

Uninstall one firewall

2 firewalls are installed and this is not recommended. It can cause issues as they may block each other. Please choose to keep either Sunbelt Kerio Firewall or Symantec Firewall.

Restart your computer after that.

Show Scheduled Task program

Click on Start > Control Panel and double click on Scheduled Tasks.
Right click on wizmo.exe exit and select Properties.
Select the Task tab.
Next to Run:, there is a text box. Copy and paste the details of this text box field in your next reply.

A screenshot for you - http://xs126.xs.to/xs126/08172/task591.png

Please post back another DSS log in your next reply.

ndmmxiaomayi
2008-04-22, 17:16
Hi again,


NAV warned of a process GetFolder process inkread.vbs. I blocked the action; it also wanted to access the Internet so I blocked it. Was this right? I do not like any processes that do things without explanation!

When did this occur?

chelley
2008-04-23, 13:13
[QUOTE=ndmmxiaomayi;184807]Hi again,


(NAV warned of a process GetFolder process inkread.vbs. I blocked the action; it also wanted to access the Internet so I blocked it. Was this right? I do not like any processes that do things without explanation!)

When did this occur?

[/QUOTE]

This occurred while running DSS.EXE.

Also, I don't have 2 firewalls (I do not currently have Symantec Firewall). It may be old data in my registry from when I once used another firewall.

I think the virus was in the Java logs, as now all my PCs are working again on the Internet. I ran DSS.exe on my other PCs, saving the logs locally, and after rebooting they all seem to be working normally again :o) Of course, I don't know for sure if they are simply hiding somewhere waiting to come back to life. But I have now got TeaTimer installed and active on all my PCs, so hopefully it will block further intrusions!

chelley
2008-04-23, 13:23
I don't think Wizmo.exe is a threat. I got it because in the past I have been unable to shut down my PC; this tool is a custom tool that allows certain commands to be sent to Windows in an unconditional way and has helped me shut down Windows safely or at a scheduled time using the Windows Scheduler.
http://www.grc.com/wizmo/wizmo.htm


I tried to run DSS.EXE on Windows ME but it will not run, so that system may still be infected, I don't know. That system is on a multiboot partition; however, I have a disk image for that HD stored on DVD so I could restore it from there. Fortunately I rarely use Win-ME anyway.

Chelle

ndmmxiaomayi
2008-04-23, 20:23
I was just doing a routine Windows 2000 Disk Cleanup on my other main PC and NOD popped up a warning in red; here is the error!

Time Module Object Name Threat Action User Information
21/04/2008 23:03:23 AMON file C:\Documents and Settings\Administrator\Application Data\Sun\Java\Deployment\cache\6.0\3\6edc3c83-34a056af Java/TrojanDownloader.OpenStream.NAC trojan deleted SERVE2\Administrator Event occurred at an attempt to access the file by the application: C:\WINNT\System32\cleanmgr.exe.


:( it seems I can't get rid of these things?


Chelle

Java cache should be easy to get rid of. We will do that in a while. :)


This occurred while running DSS.EXE.

This belongs to DSS. It's not inkread.vbs, but lnkread.vbs (small letter L). You can try running it again and see if Symantec catches that. Small letter L and capital letter I look the same with some fonts.


Also, I don't have 2 firewalls (I do not currently have Symantec Firewall). It may be old data in my registry from when I once used another firewall.

Norton Internet Security comes with a firewall as far as I'm aware and it's showing up in your logs.

So you have a Norton Firewall, as well as Sunbelt Kerio Firewall.

Since you opt to keep Norton Antivirus, Norton Firewall will be kept as well. I can't see any ways to uninstall Norton Firewall without removing Norton Antivirus as well.

The best is to remove Sunbelt Kerio Firewall.


I don't think Wizmo.exe is a threat. I got it because in the past I have been unable to shut down my PC; this tool is a custom tool that allows certain commands to be sent to Windows in an unconditional way and has helped me shut down Windows safely or at a scheduled time using the Windows Scheduler.
http://www.grc.com/wizmo/wizmo.htm

Great!

I'm not sure what this scheduled task is so I needed you to double check. Now that you know, it's fine with me. :)


I tried to run DSS.EXE on Windows ME but it will not run.

My bad. :oops:

It can't run on machines below Windows 2000.

I will find another tool for it.

chelley
2008-04-25, 01:42
I don't have Symantec Firewall; those entries are redundant and associated with NAV. In my Add/Remove Programs there is no listing of Symantec Firewall!

I think I am clean of the virus so far since running DSS.exe and HJT; it must have been in the temp files or something? It's strange, but so far things are working OK. What we really need is a tool that can record all history of process activity, I think; this might give us a clue as to what is not supposed to be there.

Chelle

chelley
2008-04-25, 01:57
I will run the file again, and see if any more warnings come up!

Chelle

chelley
2008-04-26, 06:25
Somewhere it is hiding and coming back; the following I copied directly from the NAV history log. This is for the Win XP machine, same as before (machine ID Venus). It happened after running DSS.EXE: NAV popped up another warning (the top listings). You might want to copy and paste this into an unwrapped text file!

Category: Threat alerts
Date,Feature,Threat Name,Action Taken,Item Type,Target,Suspicious Action,Virus Definition Version,Product Version,User Name,Computer Name,Details
26/04/2008 04:54:34,Script Blocking,Suspicious script,Blocked,Script,N/A,FileSystem Object : GetFolder,Unknown,Unknown,Julie OSG,VENUS6,Source: C:\DOCUME~1\JULIEO~1\LOCALS~1\Temp\~tixzxio.tmp\lnkread.vbs
21/04/2008 19:52:53,Script Blocking,Suspicious script,Blocked,Script,N/A,FileSystem Object : GetFolder,Unknown,Unknown,Julie OSG,VENUS6,Source: C:\DOCUME~1\JULIEO~1\LOCALS~1\Temp\~sumhdrf.tmp\lnkread.vbs
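
The two Script Blocking rows above, together with the helper's point that lnkread.vbs belongs to DSS, make a small triage rule worth writing down. The script below is an added example for this page, not code from the thread, from Norton or from DSS: it parses the exported threat-alert CSV in the format posted above, pulls the script path out of the Details column and matches it against the layout the two rows show (a ~xxxxxxx.tmp folder under the user's Temp directory plus lnkread.vbs). That layout is an assumption drawn from the two rows on the page, and the rule is kept that narrow on purpose: a constructed third row, labelled as such, shows that any other script under Temp still comes back as unknown rather than being waved through because it sits next to a tool artefact.

```python
import csv
import io
import re

# Sample input, constructed for this example: the two Script Blocking rows
# posted above (copied from the thread) plus one CONSTRUCTED row whose script
# name and location are placeholders, not a real detection from the machine.
NAV_LOG = r"""
Date,Feature,Threat Name,Action Taken,Item Type,Target,Suspicious Action,Virus Definition Version,Product Version,User Name,Computer Name,Details
26/04/2008 04:54:34,Script Blocking,Suspicious script,Blocked,Script,N/A,FileSystem Object : GetFolder,Unknown,Unknown,Julie OSG,VENUS6,Source: C:\DOCUME~1\JULIEO~1\LOCALS~1\Temp\~tixzxio.tmp\lnkread.vbs
21/04/2008 19:52:53,Script Blocking,Suspicious script,Blocked,Script,N/A,FileSystem Object : GetFolder,Unknown,Unknown,Julie OSG,VENUS6,Source: C:\DOCUME~1\JULIEO~1\LOCALS~1\Temp\~sumhdrf.tmp\lnkread.vbs
21/04/2008 19:40:00,Script Blocking,Suspicious script,Blocked,Script,N/A,FileSystem Object : GetFolder,Unknown,Unknown,Julie OSG,VENUS6,Source: C:\DOCUME~1\JULIEO~1\LOCALS~1\Temp\constructed.vbs
""".strip()

# Assumption: Deckard's System Scanner unpacks its helper script into a freshly
# made "~xxxxxxx.tmp" folder under the user's Temp directory and runs it as
# lnkread.vbs. Both rows from the thread fit this layout. The rule is kept this
# narrow so that any other script under Temp is still reported.
KNOWN_TOOL_SCRIPTS = {
    "DSS (Deckard's System Scanner) lnkread.vbs": re.compile(
        r"\\temp\\~[a-z0-9]+\.tmp\\lnkread\.vbs$", re.IGNORECASE),
}


def parse_nav_log(text):
    """Parse Norton's exported 'Threat alerts' CSV into dicts and pull the
    script path out of the free-text Details column ("Source: <path>")."""
    rows = []
    for row in csv.DictReader(io.StringIO(text)):
        details = row.get("Details", "")
        source = details.split("Source:", 1)[1].strip() if "Source:" in details else ""
        rows.append({
            "date": row["Date"],
            "feature": row["Feature"],
            "action": row["Action Taken"],
            "api": row["Suspicious Action"],
            "source": source,
        })
    return rows


def classify_source(path):
    """Return (verdict, label): 'known-tool' when the path matches a tool we
    expect to see on this machine, otherwise 'unknown' so a human looks at it."""
    for label, pattern in KNOWN_TOOL_SCRIPTS.items():
        if pattern.search(path):
            return "known-tool", label
    return "unknown", "no match; inspect the script before trusting it"


def triage_script_blocks(text):
    """Classify every Script Blocking row; rows from other Norton features are
    passed through untouched with verdict 'n/a'."""
    results = []
    for row in parse_nav_log(text):
        if row["feature"] == "Script Blocking" and row["source"]:
            verdict, label = classify_source(row["source"])
        else:
            verdict, label = "n/a", ""
        results.append({**row, "verdict": verdict, "label": label})
    return results


if __name__ == "__main__":
    for r in triage_script_blocks(NAV_LOG):
        print(f'{r["date"]}  {r["verdict"]:<10}  {r["source"]}  ({r["label"]})')
```

Matching on the full path rather than on the file name alone is the point: a script named lnkread.vbs dropped somewhere else would not match and would be reported as unknown.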

ndmmxiaomayi
2008-04-26, 13:27
lnkread.vbs belongs to DSS as mentioned earlier, so no harm. ;)


I don't have Symantec Firewall; those entries are redundant and associated with NAV. In my Add/Remove Programs there is no listing of Symantec Firewall!

Hmm... looks like a false report. You can keep your Sunbelt Kerio Firewall.

The log's fine to me.

Step 1

Please download and install CCleaner Slim (http://www.ccleaner.com/download/builds/downloading-slim).
Once installed, double click on the desktop shortcut created.
On the Windows tab, leave the default options alone.
On the Applications tab, check (tick) all the boxes except Saved Form Information. This will remove all your saved passwords if you leave this box checked.
Click on the Run Cleaner button at the bottom right hand corner.
Close CCleaner.

Step 2

Please download Malwarebytes' Anti-Malware (http://www.besttechie.net/tools/mbam-setup.exe) and save it to a convenient location.
Double click on mbam-setup.exe to install it.
Before clicking the Finish button, make sure that these 2 boxes are checked (ticked):
    Update Malwarebytes' Anti-Malware
    Launch Malwarebytes' Anti-Malware
Malwarebytes' Anti-Malware will now check for updates. If your firewall prompts, please allow it. If you can't update it, select the Update tab. Under Update Mirror, select one of the websites and click on Check for Updates.
Select the Scanner tab. Click on Perform full scan, then click on Scan.
Leave the default options as they are and click on Start Scan.
When done, you will be prompted. Click OK, then click on Show Results.
Check (tick) all items and click on Remove Selected.
After it has removed the items, Notepad will open. Please post this log in your next reply. You can also find the log in the Logs tab. The bottom most log is the latest.

In your next reply, please post:

Malwarebytes' Anti-Malware scan report
A new HijackThis log

chelley
2008-04-29, 01:25
Malwarebytes' Anti-Malware 1.11
Database version: 694

Scan type: Full Scan (C:\|D:\|E:\|F:\|G:\|H:\|)
Objects scanned: 194922
Time elapsed: 1 hour(s), 10 minute(s), 47 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)

chelley
2008-04-29, 01:26
Deckard's System Scanner v20071014.68
Run by Julie OSG on 2008-04-29 00:11:19
Computer is in Normal Mode.
--------------------------------------------------------------------------------

System Drive C: has 0.51 GiB (less than 15%) free.


-- HijackThis (run as Julie OSG.exe) -------------------------------------------

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 00:11:22, on 29/04/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16640)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
C:\Program Files\Sunbelt Software\Personal Firewall 4\kpf4ss.exe
C:\Program Files\Norton SystemWorks\Norton AntiVirus\navapsvc.exe
C:\Program Files\Norton SystemWorks\Norton AntiVirus\IWP\NPFMntor.exe
C:\PROGRA~1\NORTON~1\NORTON~1\NPROTECT.EXE
C:\Program Files\Sunbelt Software\Personal Firewall 4\kpf4gui.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\nvsvc32.exe
C:\PROGRA~1\NORTON~1\NORTON~1\SPEEDD~1\NOPDB.EXE
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\Program Files\Sunbelt Software\Personal Firewall 4\kpf4gui.exe
C:\Program Files\RivaTuner v2.02\Tools\RivaTunerStatisticsServer\RivaTunerStatisticsServer.exe
C:\Program Files\RivaTuner v2.02\RivaTuner.exe
C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Program Files\GigaByte\VGA Utility Manager\G-VGA.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Windows Defender\MSASCui.exe
F:\Program Files\ENTA2\EntaTool.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe
C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe
C:\FRAPS\FRAPS.EXE
C:\Documents and Settings\Julie OSG\Local Settings\Application Data\Google\Update\1.1.25.0\GoogleUpdate.exe
C:\Program Files\Common Files\Ahead\Lib\NMIndexStoreSvr.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\KWorld Multimedia\TV Tuner Card Utilities\HMCP3XCtl.exe
C:\Program Files\Wheels\WheelKeys.exe
C:\Documents and Settings\Julie OSG\Local Settings\Application Data\YouTube\Uploader\youtubeuploader.exe
C:\WINDOWS\system32\taskmgr.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\K-Lite Codec Pack\Media Player Classic\mplayerc.exe
C:\Documents and Settings\Julie OSG\Desktop\dss.exe
C:\PROGRA~1\TRENDM~1\HIJACK~1\JULIEO~1.EXE

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://uk.youtube.com/my_videos
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.nasa.gov/multimedia/nasatv/index.html
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton SystemWorks\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton SystemWorks\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [NeroFilterCheck] C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe
O4 - HKLM\..\Run: [RivaTunerStatisticsServer] "C:\Program Files\RivaTuner v2.02\Tools\RivaTunerStatisticsServer\RivaTunerStatisticsServer.exe" /s
O4 - HKLM\..\Run: [RivaTuner] "C:\Program Files\RivaTuner v2.02\RivaTuner.exe" /T
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RunDLL32.exe NvMCTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [ISUSPM Startup] "C:\Program Files\Common Files\InstallShield\UpdateService\isuspm.exe" -startup
O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [VGAUtil] C:\Program Files\GigaByte\VGA Utility Manager\G-VGA.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKLM\..\Run: [Dimension4] F:\Program Files\D4\D4.exe
O4 - HKLM\..\Run: [EntaTool] "F:\Program Files\ENTA2\EntaTool.exe" /hide
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe"
O4 - HKCU\..\Run: [Fraps] C:\FRAPS\FRAPS.EXE
O4 - HKCU\..\Run: [Norton SystemWorks] "C:\Program Files\Norton SystemWorks\cfgwiz.exe" /GUID {05858CFD-5CC4-4ceb-AAAF-CF00BF39736A} /MODE CfgWiz
O4 - HKCU\..\Run: [Google Update] "C:\Documents and Settings\Julie OSG\Local Settings\Application Data\Google\Update\1.1.25.0\GoogleUpdate.exe" /lang en
O4 - HKCU\..\Run: [AWMON] "C:\Program Files\Lavasoft\Ad-Aware SE Professional\Ad-Watch.exe"
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'Default user')
O4 - Startup: Remote Control.lnk = C:\Program Files\KWorld Multimedia\TV Tuner Card Utilities\HMCP3XCtl.exe
O4 - Startup: Shortcut to WheelKeys.lnk = C:\Program Files\Wheels\WheelKeys.exe
O4 - Startup: YouTube Uploader.lnk = C:\Documents and Settings\Julie OSG\Local Settings\Application Data\YouTube\Uploader\youtubeuploader.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} (PCPitstop Utility) - http://www.pcpitstop.com/pcpitstop/PCPitStop.CAB
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/english/kavwebscan_unicode.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1187835168890
O16 - DPF: {67DABFBF-D0AB-41FA-9C46-CC0F21721616} (DivXBrowserPlugin Object) - http://download.divx.com/player/DivXBrowserPlugin.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1187835138281
O16 - DPF: {EF791A6B-FC12-4C68-99EF-FB9E207A39E6} (McFreeScan Class) - http://download.mcafee.com/molbin/iss-loc/mcfscan/2,2,0,5105/mcfscan.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{3840A771-FA93-4272-B583-FE3C5376C67D}: NameServer = 192.168.1.1,192.168.1.14
O17 - HKLM\System\CS1\Services\Tcpip\..\{3840A771-FA93-4272-B583-FE3C5376C67D}: NameServer = 192.168.1.1,192.168.1.14
O17 - HKLM\System\CS3\Services\Tcpip\..\{3840A771-FA93-4272-B583-FE3C5376C67D}: NameServer = 192.168.1.1,192.168.1.14
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Sunbelt Kerio Personal Firewall 4 (KPF4) - Sunbelt Software - C:\Program Files\Sunbelt Software\Personal Firewall 4\kpf4ss.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: Norton AntiVirus Auto-Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton SystemWorks\Norton AntiVirus\navapsvc.exe
O23 - Service: NBService - Nero AG - C:\Program Files\Nero\Nero 7\Nero BackItUp\NBService.exe
O23 - Service: NMIndexingService - Nero AG - C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe
O23 - Service: Norton AntiVirus Firewall Monitor Service (NPFMntor) - Symantec Corporation - C:\Program Files\Norton SystemWorks\Norton AntiVirus\IWP\NPFMntor.exe
O23 - Service: Norton Unerase Protection (NProtectService) - Symantec Corporation - C:\PROGRA~1\NORTON~1\NORTON~1\NPROTECT.EXE
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton SystemWorks\Norton AntiVirus\SAVScan.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Speed Disk service - Symantec Corporation - C:\PROGRA~1\NORTON~1\NORTON~1\SPEEDD~1\NOPDB.EXE
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: TuneUp WinStyler Theme Service (TUWinStylerThemeSvc) - TuneUp Software GmbH - C:\Program Files\TuneUp Utilities 2006\WinStylerThemeSvc.exe

--
End of file - 11525 bytes

-- Files created between 2008-03-29 and 2008-04-29 -----------------------------

2008-04-28 22:41:52 0 d-------- C:\Documents and Settings\Julie OSG\Application Data\Malwarebytes
2008-04-28 22:41:28 0 d-------- C:\Program Files\Malwarebytes' Anti-Malware
2008-04-28 22:41:28 0 d-------- C:\Documents and Settings\All Users\Application Data\Malwarebytes
2008-04-28 22:39:14 0 dr-h----- C:\Documents and Settings\Julie OSG\Recent
2008-04-28 22:34:49 0 d-------- C:\Program Files\CCleaner
2008-04-28 20:10:17 0 d-------- C:\Program Files\FXhome CompositeLab Pro
2008-04-19 13:38:18 0 d-------- C:\Program Files\Trend Micro
2008-04-19 05:47:24 0 d-------- C:\Documents and Settings\All Users\Application Data\Kaspersky Lab
2008-04-19 05:47:22 0 d-------- C:\WINDOWS\system32\Kaspersky Lab
2008-04-17 21:56:52 0 d-------- C:\WINDOWS\SxsCaPendDel
2008-04-17 21:56:48 0 d-------- C:\Documents and Settings\Default User\Application Data\Adobe
2008-04-17 20:44:52 0 d-------- C:\Documents and Settings\All Users\Application Data\SITEguard
2008-04-17 20:44:12 0 d-------- C:\Program Files\Common Files\iS3
2008-04-17 20:44:12 0 d-------- C:\Documents and Settings\All Users\Application Data\STOPzilla!
2008-04-15 02:50:05 0 d-------- C:\Program Files\Google Video
2008-04-14 03:56:57 0 d-------- C:\Documents and Settings\Julie OSG\Application Data\Talkback
2008-04-14 03:56:45 0 --a------ C:\WINDOWS\nsreg.dat
2008-04-14 03:56:30 2818 --a------ C:\WINDOWS\mozver.dat
2008-04-14 03:56:30 0 d-------- C:\Documents and Settings\Julie OSG\Application Data\Mozilla
2008-04-08 05:57:16 0 d-------- C:\Documents and Settings\Julie OSG\Application Data\KWorld Multimedia
2008-04-08 05:56:27 0 d-------- C:\Program Files\KWorld Multimedia
2008-04-08 05:47:31 945920 --a------ C:\WINDOWS\system32\drivers\3xHybrid.sys <Not Verified; NXP Semiconductors Germany GmbH; NXP Semiconductors 3xHybrid>
2008-04-08 04:54:33 0 d-------- C:\Program Files\V-Stream Multimedia
2008-04-07 23:54:55 49152 --a------ C:\WINDOWS\p3xunist.exe <Not Verified; Kworld Computer Co., Ltd.; TV713X BDA Uninstallation Program>
2008-04-07 23:54:38 28448 -ra------ C:\WINDOWS\system32\drivers\PhTVTune.sys <Not Verified; Philips Semiconductors; Philips TVTuner WDM Driver>
2008-04-07 23:54:10 358016 -ra------ C:\WINDOWS\system32\drivers\Cap7134.sys <Not Verified; Philips Semiconductors; Philips cap7134>
2008-04-07 23:53:59 106571 -ra------ C:\WINDOWS\system32\Prop7134.dll <Not Verified; Philips Semiconductors; Philips Prop7134>
2008-04-07 23:53:58 24576 -ra------ C:\WINDOWS\system32\34pciurd.dll <Not Verified; Philips Semiconductors; Philips 34PCIurd>
2008-04-07 23:53:58 24576 -ra------ C:\WINDOWS\system32\34i2curd.dll <Not Verified; Philips Semiconductors; Philips 34I2Curd>
2008-04-07 23:53:58 36864 -ra------ C:\WINDOWS\system32\34ds.dll <Not Verified; Philips Semiconductors; 34ds>
2008-04-07 23:53:58 290816 -ra------ C:\WINDOWS\system32\34dlg2.dll <Not Verified; Philips Semiconductors; dialog3 Dynamic Link Library>
2008-04-07 23:53:57 98304 -ra------ C:\WINDOWS\system32\34dialog.dll <Not Verified; Philips Semiconductors; 34dialog>
2008-04-07 23:53:56 77824 -ra------ C:\WINDOWS\system32\34dd.dll <Not Verified; Philips Semiconductors; 34dd>
2008-04-07 23:53:56 114688 -ra------ C:\WINDOWS\system32\34com.dll <Not Verified; Philips Semiconductors; VampCOM Module>


-- Find3M Report ---------------------------------------------------------------

2008-04-28 20:20:54 0 d-------- C:\Program Files\FXhome VisionLab Studio
2008-04-28 14:15:36 5112 --a------ C:\WINDOWS\GPCIDrv.sys
2008-04-28 14:15:28 0 dr------- C:\Program Files\Common Files
2008-04-25 16:55:23 0 d-------- C:\Program Files\Common Files\Symantec Shared
2008-04-19 16:55:03 0 d--h----- C:\Program Files\InstallShield Installation Information
2008-04-12 00:38:15 0 d-------- C:\Documents and Settings\Julie OSG\Application Data\flightgear.org
2008-04-11 23:27:02 0 d-------- C:\Documents and Settings\Julie OSG\Application Data\gtk-2.0
2008-02-13 01:06:07 3447 --a------ C:\WINDOWS\unins000.dat
2008-02-13 01:03:36 691545 --a------ C:\WINDOWS\unins000.exe


-- Registry Dump ---------------------------------------------------------------

*Note* empty entries & legit default entries are not shown


[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SoundMan"="SOUNDMAN.EXE" [27/07/2004 17:01 C:\WINDOWS\SOUNDMAN.EXE]
"NeroFilterCheck"="C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe" [01/03/2007 15:57]
"RivaTunerStatisticsServer"="C:\Program Files\RivaTuner v2.02\Tools\RivaTunerStatisticsServer\RivaTunerStatisticsServer.exe" [01/07/2007 20:20]
"RivaTuner"="C:\Program Files\RivaTuner v2.02\RivaTuner.exe" [01/07/2007 20:20]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe" [25/09/2007 01:11]
"NvCplDaemon"="C:\WINDOWS\system32\NvCpl.dll" [01/06/2006 17:22]
"nwiz"="nwiz.exe" [01/06/2006 17:22 C:\WINDOWS\SYSTEM32\nwiz.exe]
"NvMediaCenter"="NvMCTray.dll" [01/06/2006 17:22 C:\WINDOWS\SYSTEM32\nvmctray.dll]
"ISUSPM Startup"="C:\Program Files\Common Files\InstallShield\UpdateService\isuspm.exe" [11/08/2005 16:30]
"ISUSScheduler"="C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" [11/08/2005 16:30]
"VGAUtil"="C:\Program Files\GigaByte\VGA Utility Manager\G-VGA.exe" [06/09/2006 14:04]
"ccApp"="C:\Program Files\Common Files\Symantec Shared\ccApp.exe" [17/01/2008 12:42]
"Symantec NetDriver Monitor"="C:\PROGRA~1\SYMNET~1\SNDMon.exe" [21/11/2007 01:59]
"Windows Defender"="C:\Program Files\Windows Defender\MSASCui.exe" [03/11/2006 20:20]
"Dimension4"="F:\Program Files\D4\D4.exe" [04/02/2004 02:26]
"EntaTool"="F:\Program Files\ENTA2\EntaTool.exe" [20/07/2007 22:06]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\system32\ctfmon.exe" [04/08/2004 08:56]
"BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}"="C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe" [16/05/2007 09:27]
"Fraps"="C:\FRAPS\FRAPS.EXE" [19/12/2006 14:02]
"Norton SystemWorks"="C:\Program Files\Norton SystemWorks\cfgwiz.exe" [10/09/2004 03:12]
"Google Update"="C:\Documents and Settings\Julie OSG\Local Settings\Application Data\Google\Update\1.1.25.0\GoogleUpdate.exe" [18/04/2008 03:00]
"AWMON"="C:\Program Files\Lavasoft\Ad-Aware SE Professional\Ad-Watch.exe" [25/05/2005 12:12]
"SpybotSD TeaTimer"="C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe" [28/01/2008 12:43]

C:\Documents and Settings\Julie OSG\Start Menu\Programs\Startup\
Remote Control.lnk - C:\Program Files\KWorld Multimedia\TV Tuner Card Utilities\HMCP3XCtl.exe [08/04/2008 18:49:47]
Shortcut to WheelKeys.lnk - C:\Program Files\Wheels\WheelKeys.exe [26/05/2007 09:03:27]
YouTube Uploader.lnk - C:\Documents and Settings\Julie OSG\Local Settings\Application Data\YouTube\Uploader\youtubeuploader.exe [09/11/2007 13:33:08]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\vds]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{533C5B84-EC70-11D2-9505-00C04F79DEAF}]
@="Volume shadow copy"

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run-]
"MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" /background




-- End of Deckard's System Scanner: finished at 2008-04-29 00:14:43 ------------
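
The lines a helper checks by eye in a HijackThis log like the one above (O4 autostarts, O17 DNS servers, O23 services) can be triaged mechanically. The script below is an added example written for this page, not a tool from the thread or from HijackThis. It parses a few lines copied from the log above together with three constructed entries (labelled in the code as placeholders, not detections) and flags launch paths in Temp or a user profile, resolvers outside LAN ranges, and services with no publisher name. Note that Google Update from the log above is flagged for review purely because of where it lives; that is the caveat of a location-based rule, and the reason the result is "review" rather than a verdict.

```python
import ipaddress
import re

# Sample input for this example: lines copied from the HijackThis log posted
# above plus three CONSTRUCTED lines (the O4 "constructed" entry, the O17 line
# with 203.0.113.x servers, the O23 "constructed service"). The three are
# placeholders showing what a hit looks like, not detections from the poster's
# machine; 203.0.113.0/24 is a documentation range standing in for "not your LAN".
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKCU\..\Run: [Google Update] "C:\Documents and Settings\Julie OSG\Local Settings\Application Data\Google\Update\1.1.25.0\GoogleUpdate.exe" /lang en
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKLM\..\Run: [constructed] C:\DOCUME~1\JULIEO~1\LOCALS~1\Temp\constructed.exe
O17 - HKLM\System\CCS\Services\Tcpip\..\{3840A771-FA93-4272-B583-FE3C5376C67D}: NameServer = 192.168.1.1,192.168.1.14
O17 - HKLM\System\CS1\Services\Tcpip\..\{3840A771-FA93-4272-B583-FE3C5376C67D}: NameServer = 203.0.113.5,203.0.113.6
O23 - Service: Sunbelt Kerio Personal Firewall 4 (KPF4) - Sunbelt Software - C:\Program Files\Sunbelt Software\Personal Firewall 4\kpf4ss.exe
O23 - Service: constructed service (constructed) - Unknown owner - C:\WINDOWS\system32\constructed.exe
"""

O4_RE = re.compile(r"^O4 - (?P<loc>[^:]+): \[(?P<name>[^\]]*)\] (?P<cmd>.*)$")
O17_RE = re.compile(r"^O17 - (?P<key>.+): NameServer = (?P<servers>.+)$")
# Name and owner are matched lazily so a path containing " - " (for example
# "Spybot - Search & Destroy") still lands in the path group.
O23_RE = re.compile(r"^O23 - Service: (?P<name>.+?) - (?P<owner>.+?) - (?P<path>.+)$")

# Where a home router or LAN resolver normally sits. ipaddress.is_private also
# counts documentation ranges as private, so the check is written out.
LAN_RANGES = [ipaddress.ip_network(n) for n in
              ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
               "127.0.0.0/8", "169.254.0.0/16")]


def extract_exe(cmd):
    """Pull the executable path out of a Run-key command line."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        end = cmd.find('"', 1)
        return cmd[1:end] if end > 0 else cmd[1:]
    m = re.match(r"(.*?\.exe)(?:\s|$)", cmd, re.IGNORECASE)
    return m.group(1) if m else cmd.split(" ")[0]


def classify_launch_path(path):
    """Rate an autostart entry by where its binary lives, not by its name."""
    p = path.lower()
    if "\\temp\\" in p:
        return "high", "runs from a Temp directory"
    if any(t in p for t in ("locals~1", "local settings", "application data",
                            "documents and settings")):
        return "review", "runs from a user profile directory (some updaters do; verify the publisher)"
    return None, None


def is_lan_address(text):
    addr = ipaddress.ip_address(text)
    return any(addr in net for net in LAN_RANGES)


def triage(log_text):
    """Return one finding dict per item worth a second look."""
    findings = []
    for line in log_text.splitlines():
        line = line.strip()
        m = O4_RE.match(line)
        if m:
            exe = extract_exe(m.group("cmd"))
            sev, why = classify_launch_path(exe)
            if sev:
                findings.append({"section": "O4", "severity": sev,
                                 "item": m.group("name"), "detail": exe, "reason": why})
            continue
        m = O17_RE.match(line)
        if m:
            for server in m.group("servers").split(","):
                server = server.strip()
                try:
                    on_lan = is_lan_address(server)
                except ValueError:
                    on_lan = False  # not an IP literal at all; look at it
                if not on_lan:
                    findings.append({"section": "O17", "severity": "high",
                                     "item": server, "detail": m.group("key"),
                                     "reason": "DNS server is not on a LAN range; confirm it is your ISP's"})
            continue
        m = O23_RE.match(line)
        if m and m.group("owner") == "Unknown owner":
            findings.append({"section": "O23", "severity": "review",
                             "item": m.group("name"), "detail": m.group("path"),
                             "reason": "service binary carries no publisher name"})
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f'{f["severity"]:<7} {f["section"]}  {f["item"]}  {f["detail"]}  <- {f["reason"]}')
```

Nothing here replaces looking at the file itself; the O17 check in particular only says that a resolver is not on a private range, and the two 192.168.1.x entries in the log above pass for exactly that reason.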

chelley
2008-04-29, 01:33
Not sure if it is something we have done in the cleaning process or if it is another cause, but by now my Ad-Aware SE is failing to retrieve updates. It might just need re-installing, maybe?

Anyway, I am duplicating these cleaning processes on my other PCs to avoid having to go through this all over again. If any of my other systems had found anything significant I would post an extra log, but they also show almost identical results to the above and no threats found ;) which is good, as my systems do seem to be running much better now. I just need to run these tools on Win98 / ME now, if they will work on those?

Or maybe you have alternate tools for win98se / me :rolleyes:

Chelle

ndmmxiaomayi
2008-04-29, 16:52
I just need to run these tools on Win98 / ME now, if they will work on those?

Or maybe you have alternate tools for win98se / me

These tools don't work on Windows 98 and ME.

I will have to ask around.

ndmmxiaomayi
2008-04-30, 15:06
Hi,

Let's try this on the Windows 98 machine first.

First, download and install Windows Management Instrumentation (WMI) (http://www.microsoft.com/downloads/details.aspx?familyid=98a4c5ba-337b-4e92-8c18-a63847760ea5&displaylang=en) for Windows 98.

After that, restart your computer.

Next...

Right click here (http://www.silentrunners.org/Silent%20Runners.vbs) and select Save Link As... (In Internet Explorer it is Save Target As...).
Save it to your desktop. Double click on Silent Runners.vbs to run it.
When prompted to Skip Supplementary Search?, click No.
When prompted to Are you sure?, click Yes.
Another dialog box will open. Just click OK.
Once done, a dialog box will pop up and tell you that it's done. Click OK. Notepad will open. Please post the contents of this Notepad file in your next reply.

Note: If Notepad doesn't open automatically, you can find the report from where you ran Silent Runners from. For example, you ran Silent Runners from your desktop. The report can be found on your desktop.

chelley
2008-05-03, 15:32
Hi, I am going to run the Win98 tools on the bedroom PC soon, but having duplicated the process of cleaning the Windows 2000 bedroom PC and running Spybot S&D afterwards, I keep getting a stop error (blue screen crash), so this is diverting my attention a bit :o( I am trying to figure out why this is happening; maybe something is also infecting this PC, or it could be a driver issue, not sure yet. I am going to try re-installing S&D first on this 2k PC before tackling W98SE, which is on the other boot partition! I am trying these fixes on this machine first because it is safer to do so as a test.

Chelle

chelley
2008-05-03, 16:01
Here is part of the log; as it is very large (122 KB), if you want all the log let me know. Spybot said Virtumonde is a threat and hard to remove :sad: Shall I allow S&D to try and remove it?

--- Search result list ---
Virtumonde.generic: [SBI $83E7EBAA] Library (File, nothing done)
C:\WINNT\system32\dlcapi.dll

Virtumonde.generic: [SBI $83E7EBAA] Library (File, nothing done)
C:\WINNT\system32\DLLHOST.EXE

Virtumonde.generic: [SBI $83E7EBAA] Library (File, nothing done)
C:\WINNT\system32\dllhst3g.exe

Log: Activity: SchedLgU.Txt (Backup file, nothing done)
C:\WINNT\SchedLgU.Txt

Log: Activity: ntbtlog.txt (Backup file, nothing done)
C:\WINNT\ntbtlog.txt

Log: Shutdown: System32\wbem\logs\wbemcore.log (Backup file, nothing done)
C:\WINNT\System32\wbem\logs\wbemcore.log

Log: Shutdown: System32\wbem\logs\wbemprox.log (Backup file, nothing done)
C:\WINNT\System32\wbem\logs\wbemprox.log

Log: Shutdown: System32\wbem\logs\winmgmt.log (Backup file, nothing done)
C:\WINNT\System32\wbem\logs\winmgmt.log

Log: Shutdown: System32\wbem\logs\wmiadap.log (Backup file, nothing done)
C:\WINNT\System32\wbem\logs\wmiadap.log

--- Browser helper object list ---


--- ActiveX list ---
DirectAnimation Java Classes (DirectAnimation Java Classes)
DPF name: DirectAnimation Java Classes
CLSID name:
Installer:
Codebase: file://C:\WINNT\Java\classes\dajava.cab
description:
classification: Legitimate
known filename: %WINDIR%\Java\classes\dajava.cab
info link:
info source: Patrick M. Kolla

Microsoft XML Parser for Java (Microsoft XML Parser for Java)
DPF name: Microsoft XML Parser for Java
CLSID name:
Installer:
Codebase: file://C:\WINNT\Java\classes\xmldso.cab
description:
classification: Legitimate
known filename: %WINDIR%\Java\classes\xmldso.cab
info link:
info source: Patrick M. Kolla

{0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object)
DPF name:
CLSID name: CKAVWebScan Object
Installer: C:\WINNT\Downloaded Program Files\kavwebscan.inf
Codebase: http://www.kaspersky.com/kos/english/kavwebscan_unicode.cab
description:
classification: Legitimate
known filename:
info link:
info source: Safer Networking Ltd.
Path: C:\WINNT\system32\Kaspersky Lab\Kaspersky Online Scanner\
Long name: kavwebscan.dll
Short name: KAVWEB~1.DLL
Date (created): 29/08/2007 15:49:54
Date (last access): 01/05/2008 01:41:38
Date (last write): 29/08/2007 15:49:54
Filesize: 950272
Attributes: archive
MD5: BC915C49931CE46222F9B0A7EFB56CEE
CRC32: 11048171
Version: 5.0.98.0



Chelley

ndmmxiaomayi
2008-05-04, 12:49
Hi chelley,

Can we focus on one PC at a time? It's making me confused. :sad:

I will get to your Windows 2000 PC after I have cleared your Windows 98 machine. In the meantime, leave the Windows 2000 PC alone.

Please post back the Silent Runners log from the Windows 98 PC first.

Thanks.

chelley
2008-05-04, 22:06
The problem is I can't seem to boot my Venus6 PC into Windows 98SE on the other boot partition. It has been a while since I booted into W98SE on this PC and I am not sure if it is related to new hardware installed recently. I have 2GB of RAM which is now in dual channel memory mode, and I wonder if Win98SE does not know how to handle this? I can boot into Win2k on the same hardware, and XP, but not Win98SE. I have tried safe mode as well but it gives the same error! After the boot screen I get this error:

Quote:
"Insufficient memory to initialize Windows.

Quit one or more memory-resident programs or remove unnecessary
utilities from your CONFIG.SYS and AUTOEXEC.BAT files, and restart
your computer.

Press any key to continue..."

I have looked at my Autoexec.bat and Config.sys files and there is nothing in there which is unusual or extra to default settings.

So unless I can boot into Win98SE on this PC we can't clean it :sad: I am baffled by this problem; there should be plenty of memory.

Chelley

ndmmxiaomayi
2008-05-05, 09:20
Hi,

Give me some time. I'll ask around.

ndmmxiaomayi
2008-05-05, 15:43
Hi,

Windows 98 can't support so much RAM; that's why you are getting an error.

There are 2 ways out, I will try the easier way out first.

How many sticks of RAM do you have? Preferably each stick is less than 512MB.

chelley
2008-05-07, 11:27
Thanks, you are so kind for helping me. Each stick of RAM is 1GB; I had to install a matching pair for dual channel memory mode. I did have a 512MB memory stick in before, which is now in my older PC.

Chelley

ndmmxiaomayi
2008-05-07, 17:49
Hi,

Can you try using 512MB of RAM instead of 2GB? After that, try starting up Windows 98. It shouldn't give that error any more.

chelley
2008-05-12, 13:46
Sorry for the delay, I have been tied up with another machine that belongs to a friend. She also has a virus; it was so bad we had to format. I don't want to get cross-threaded, so can you give me a few days before we continue with my problems? I am just trying to find drivers for her PC atm, which is proving hard work as it is a MESH PC. Again, sorry to be holding things up!

I am now waiting for MESH to send me the drivers... hopefully ...

I thought about starting a new thread as it was a virus, but then it got very urgent, so we just burned her important artwork and documents to DVD via the LAN and re-formatted before she lost anything. I used a demo version of Sophos to try and fix her PC, with no luck!

chelley

ndmmxiaomayi
2008-05-12, 15:01
No problems. I will be around. :)

chelley
2008-05-17, 03:44
While I was trying to fix my friend's computer I came across a program called Sophos. It is very good and managed to clean out most of my virus infections as well, and because they give a 30 day free trial and it comes with a firewall, I have to say I am very impressed with the result. Anyone can get a free trial, and if people have never tried it I suggest they give it a go; it has even picked up nasty application behaviours that are not normally detected.

People need to register though it's free to register for the trial.

http://www.sophos.com/products/enterprise/free-trials/endpoint/

It has flagged up some rather interesting information. It even told me an NVidia driver supplied by MSI had some suspicious behaviour and blocked it; it was just incredible how good this program is.

regards, chelley

ndmmxiaomayi
2008-05-17, 12:50
Sorry, I don't understand you. How many computers do you have?

chelley
2008-05-17, 21:36
Dear ndmmxiaomayi,

I have 3 Windows PCs, each with multi-booting partition tables with Windows 98SE / Windows 2k or XP, and 1 Debian Linux PC which is a server for FlightGear: 4 PCs all networked together. Don't worry, I think we got rid of the viruses now as I followed your instructions; I still have to check the Windows 98 partitions though, as I don't use those systems much. Because I make movies I need to be able to do multitasking quite a bit.

The oldest one I just use as a text-based word processing PC and for downloads, the second is my multimedia PC, and the third is my old backup PC I use as a spare when the others are busy with other tasks.

And was just fixing my friends PC which got a virus that is cured now as I did a fresh Install for her.

Chelle

ndmmxiaomayi
2008-05-18, 08:20
Hi,

Thank you for your confirmation. :crowned:

chelley
2008-05-18, 22:44
My memory management is not very good. Since I installed 2 GB of DDR400 RAM my PC is always paging to the swap file when there is still 1GB of RAM free; this is causing many programs that are memory intensive to stutter due to memory being paged out :sad: How can I make Windows XP SP2 not page to the swap file all the time (at 50% used memory level)? I tried disabling my paging file but stupid Windows starts crying and saying "Creating temporary paging file" as soon as it gets close to 50% memory used, when I still have 1GB free in my system, so it drives me crazy.

Chelle

ndmmxiaomayi
2008-05-19, 08:23
I have no idea for this. A Windows expert will be able to help you on that.

chelley
2008-05-22, 00:33
It must take you ages, though, to find shoes for all your feet?

Chelley :)

ndmmxiaomayi
2008-05-22, 06:28
LOL... :laugh:

Perhaps. :p: