View Full Version : Ravmon.exe - USB hub!
peppermint
2008-05-30, 14:40
Avast keeps on telling me that 'RavmonE.exe' has been blocked! But it says it is from a removable disk (a usb hub - it is new so i don't understand! :spider:)
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 13:32:22, on 30/05/2008
Platform: Windows Vista SP1 (WinNT 6.00.1905)
MSIE: Internet Explorer v7.00 (7.00.6001.18000)
Boot mode: Normal
Running processes:
C:\Windows\system32\taskeng.exe
C:\Program Files\Samsung\EBM\EasyBatteryMgr3.exe
C:\Program Files\Samsung\Easy Display Manager\dmhkcore.exe
C:\Program Files\Samsung\Samsung Magic Doctor\MagicDoctorKbdHk.exe
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Program Files\Windows Defender\MSASCui.exe
C:\Windows\Imgtask.exe
C:\Program Files\Alwil Software\Avast4\ashDisp.exe
C:\Program Files\SiteAdvisor\6261\SiteAdv.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Windows\ehome\ehtray.exe
C:\Program Files\Windows Live\Messenger\msnmsgr.exe
C:\Program Files\Windows Media Player\wmpnscfg.exe
C:\Windows\ehome\ehmsas.exe
C:\Program Files\BT Auto Backup\VaultClientTray.exe
C:\Program Files\Java\jre1.6.0_06\bin\jusched.exe
C:\Program Files\WIDCOMM\Bluetooth Software\BTTray.exe
C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
C:\Program Files\Alwil Software\Avast4\ashLogV.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Trend Micro\HJT\HijackThis.exe
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.uk/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http:\\www.samsungcomputer.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?
LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O1 - Hosts: ::1 localhost
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common
Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {089FD14D-132B-48FC-8861-0048AE113215} - C:\Program Files\SiteAdvisor\6261\SiteAdv.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_06
\bin\ssv.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common
Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O3 - Toolbar: McAfee SiteAdvisor - {0BF43445-2F28-4351-9252-17FE6E806AA0} - C:\Program Files\SiteAdvisor\6261
\SiteAdv.dll
O4 - HKLM\..\Run: [Windows Defender] %ProgramFiles%\Windows Defender\MSASCui.exe -hide
O4 - HKLM\..\Run: [ImgTask] C:\Windows\Imgtask.exe
O4 - HKLM\..\Run: [Logitech Hardware Abstraction Layer] KHALMNPR.EXE
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [RtHDVCpl] RtHDVCpl.exe
O4 - HKLM\..\Run: [StartupDelayer] "C:\Program Files\r2 Studios\Startup Delayer\Startup Launcher.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [SiteAdvisor] "C:\Program Files\SiteAdvisor\6261\SiteAdv.exe"
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKCU\..\Run: [ehTray.exe] C:\Windows\ehome\ehTray.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\Windows Live\Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [WMPNSCFG] C:\Program Files\Windows Media Player\WMPNSCFG.exe
O4 - HKUS\S-1-5-20\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'NETWORK
SERVICE')
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O8 - Extra context menu item: Send image to &Bluetooth Device... - C:\Program Files\WIDCOMM\Bluetooth
Software\btsendto_ie_ctx.htm
O8 - Extra context menu item: Send page to &Bluetooth Device... - C:\Program Files\WIDCOMM\Bluetooth
Software\btsendto_ie.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_06
\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program
Files\Java\jre1.6.0_06\bin\ssv.dll
O9 - Extra button: @btrez.dll,-4015 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program
Files\WIDCOMM\Bluetooth Software\btsendto_ie.htm
O9 - Extra 'Tools' menuitem: @btrez.dll,-12650 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program
Files\WIDCOMM\Bluetooth Software\btsendto_ie.htm
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} -
C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O13 - Gopher Prefix:
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) -
http://gfx1.hotmail.com/mail/w2/resources/VistaMSNPUplden-gb.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{9F1BA17E-E569-47C9-9D21-88B5439DF980}: NameServer =
208.67.222.222,208.67.220.220
O20 - AppInit_DLLs:
O20 - Winlogon Notify: avgwlntf - C:\Windows\
O23 - Service: Agere Modem Call Progress Audio (AgereModemAudio) - Agere Systems - C:\Windows\system32
\agrsmsvc.exe
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device
Support\bin\AppleMobileDeviceService.exe
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil
Software\Avast4\aswUpdSv.exe
O23 - Service: Ati External Event Utility - ATI Technologies Inc. - C:\Windows\system32\Ati2evxx.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google
Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common
Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Cyberlink RichVideo Service(CRVS) (RichVideo) - Unknown owner - C:\Program
Files\CyberLink\Shared Files\RichVideo.exe
O23 - Service: Samsung Update Plus - Unknown owner - C:\Program Files\Samsung\Samsung Update
Plus\SLUBackgroundService.exe
O23 - Service: SBSD Security Center Service (SBSDWSCService) - Safer Networking Ltd. - C:\Program Files\Spybot
- Search & Destroy\SDWinSec.exe
O23 - Service: SiteAdvisor Service - Unknown owner - C:\Program Files\SiteAdvisor\6261\SAService.exe
O23 - Service: BT Auto Backup Service (VaultClientSRV) - BT - C:\Program Files\BT Auto
Backup\VaultClientSRV.exe
O23 - Service: BT Auto Backup Upgrade Service (VaultClientUpgrade) - BT - C:\Program Files\BT Auto
Backup\VaultClientUpgrade.exe
--
End of file - 7818 bytes
ndmmxiaomayi
2008-05-31, 10:47
Hi,
Your log is very hard to read because Word Wrap is turned on.
The RavmonE.exe infection doesn't always show up in the HijackThis log, so I would need to see other logs.
This would also turn Word Wrap off so that when the logs are posted, it's easier to read. :)
Please download Deckard's System Scanner from Tech Support Forum (http://www.techsupportforum.com/sectools/Deckard/dss.exe) and save it to your desktop. Note: You must be logged onto an account with administrator privileges.
Save all your work and close all opened programs.
Right click on dss.exe and select Run As Administrator to run it. Follow the prompts.
When the scan is complete, two log files will be produced. The first one, main.txt, will be maximized, the second one, extra.txt, will be minimized.
Please post the contents of the 2 log files in your next reply. 1 log per reply please.
peppermint
2008-05-31, 17:13
hi,
Sorry about the word-wrap! :clown:
here is the main.txt:
Deckard's System Scanner v20071014.68
Run by Little Haze Barn on 2008-05-31 16:04:48
Computer is in Normal Mode.
--------------------------------------------------------------------------------
-- Last 3 Restore Point(s) --
3: 2008-05-30 09:23:05 UTC - RP226 - Windows Update
2: 2008-05-28 10:24:10 UTC - RP225 - Windows Update
1: 2008-05-27 11:39:34 UTC - RP224 - Installed Windows Live SkyDrive Upload Tool
Backed up registry hives.
Performed disk cleanup.
-- HijackThis (run as Little Haze Barn.exe) ------------------------------------
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 16:07:07, on 31/05/2008
Platform: Windows Vista SP1 (WinNT 6.00.1905)
MSIE: Internet Explorer v7.00 (7.00.6001.18000)
Boot mode: Normal
Running processes:
C:\Windows\system32\taskeng.exe
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Program Files\Samsung\EBM\EasyBatteryMgr3.exe
C:\Program Files\Samsung\Easy Display Manager\dmhkcore.exe
C:\Program Files\Samsung\Samsung Magic Doctor\MagicDoctorKbdHk.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\Windows\Imgtask.exe
C:\Program Files\Alwil Software\Avast4\ashDisp.exe
C:\Program Files\SiteAdvisor\6261\SiteAdv.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Windows Media Player\wmpnscfg.exe
C:\Program Files\Java\jre1.6.0_06\bin\jusched.exe
C:\Program Files\WIDCOMM\Bluetooth Software\BTTray.exe
C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
C:\Users\Little Haze Barn\Desktop\dss.exe
C:\PROGRA~1\TRENDM~1\HJT\Little Haze Barn.exe
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.uk/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http:\\www.samsungcomputer.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O1 - Hosts: ::1 localhost
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {089FD14D-132B-48FC-8861-0048AE113215} - C:\Program Files\SiteAdvisor\6261\SiteAdv.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_06\bin\ssv.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O3 - Toolbar: McAfee SiteAdvisor - {0BF43445-2F28-4351-9252-17FE6E806AA0} - C:\Program Files\SiteAdvisor\6261\SiteAdv.dll
O4 - HKLM\..\Run: [Windows Defender] %ProgramFiles%\Windows Defender\MSASCui.exe -hide
O4 - HKLM\..\Run: [ImgTask] C:\Windows\Imgtask.exe
O4 - HKLM\..\Run: [Logitech Hardware Abstraction Layer] KHALMNPR.EXE
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [RtHDVCpl] RtHDVCpl.exe
O4 - HKLM\..\Run: [StartupDelayer] "C:\Program Files\r2 Studios\Startup Delayer\Startup Launcher.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [SiteAdvisor] "C:\Program Files\SiteAdvisor\6261\SiteAdv.exe"
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [Kernel and Hardware Abstraction Layer] KHALMNPR.EXE
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\Windows Live\Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [WMPNSCFG] C:\Program Files\Windows Media Player\WMPNSCFG.exe
O4 - HKUS\S-1-5-20\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'NETWORK SERVICE')
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O8 - Extra context menu item: Send image to &Bluetooth Device... - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie_ctx.htm
O8 - Extra context menu item: Send page to &Bluetooth Device... - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_06\bin\ssv.dll
O9 - Extra button: @btrez.dll,-4015 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie.htm
O9 - Extra 'Tools' menuitem: @btrez.dll,-12650 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie.htm
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O13 - Gopher Prefix:
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://gfx1.hotmail.com/mail/w2/resources/VistaMSNPUplden-gb.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{9F1BA17E-E569-47C9-9D21-88B5439DF980}: NameServer = 208.67.222.222,208.67.220.220
O20 - AppInit_DLLs:
O20 - Winlogon Notify: avgwlntf - C:\Windows\
O23 - Service: Agere Modem Call Progress Audio (AgereModemAudio) - Agere Systems - C:\Windows\system32\agrsmsvc.exe
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: Ati External Event Utility - ATI Technologies Inc. - C:\Windows\system32\Ati2evxx.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Cyberlink RichVideo Service(CRVS) (RichVideo) - Unknown owner - C:\Program Files\CyberLink\Shared Files\RichVideo.exe
O23 - Service: Samsung Update Plus - Unknown owner - C:\Program Files\Samsung\Samsung Update Plus\SLUBackgroundService.exe
O23 - Service: SBSD Security Center Service (SBSDWSCService) - Safer Networking Ltd. - C:\Program Files\Spybot - Search & Destroy\SDWinSec.exe
O23 - Service: SiteAdvisor Service - Unknown owner - C:\Program Files\SiteAdvisor\6261\SAService.exe
O23 - Service: BT Auto Backup Service (VaultClientSRV) - BT - C:\Program Files\BT Auto Backup\VaultClientSRV.exe
O23 - Service: BT Auto Backup Upgrade Service (VaultClientUpgrade) - BT - C:\Program Files\BT Auto Backup\VaultClientUpgrade.exe
--
End of file - 7609 bytes
-- File Associations -----------------------------------------------------------
All associations okay.
-- Drivers: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled ---------------------
S1 Tosrfcom (Bluetooth RFCOMM) - c:\windows\system32\drivers\tosrfcom.sys <Not Verified; TOSHIBA Corporation; Bluetooth RFCOMM Driver>
S3 tosporte (Bluetooth COM Port) - c:\windows\system32\drivers\tosporte.sys <Not Verified; TOSHIBA Corporation; TOSHIBA Bluetooth Port Emulation Driver>
S3 tosrfbd (Bluetooth RFBUS) - c:\windows\system32\drivers\tosrfbd.sys <Not Verified; TOSHIBA CORPORATION; Bluetooth BUS Driver(WindowsXP,Windows2000)>
S3 tosrfbnp (Bluetooth RFBNEP) - c:\windows\system32\drivers\tosrfbnp.sys <Not Verified; TOSHIBA Corporation; Bluetooth RFBNEP Driver from TOSHIBA>
S3 Tosrfhid (Bluetooth RFHID) - c:\windows\system32\drivers\tosrfhid.sys <Not Verified; TOSHIBA Corporation.; Bluetooth HID Driver from TOSHIBA>
S3 tosrfnds (Bluetooth Personal Area Network) - c:\windows\system32\drivers\tosrfnds.sys <Not Verified; TOSHIBA Corporation.; Bluetooth BNEP Driver from TOSHIBA>
S3 TosRfSnd (Bluetooth Audio) - c:\windows\system32\drivers\tosrfsnd.sys <Not Verified; TOSHIBA Corporation; Bluetooth Audio Driver>
S3 Tosrfusb (Bluetooth USB Controller) - c:\windows\system32\drivers\tosrfusb.sys <Not Verified; TOSHIBA CORPORATION; Microsoft(R) Windows NT(R) Operating System>
S3 USBIO (USBIO Driver (usbio.sys)) - c:\windows\system32\drivers\usbio.sys <Not Verified; Thesycon GmbH, Germany; Universal USB Device Driver>
-- Services: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled --------------------
R2 Apple Mobile Device - "c:\program files\common files\apple\mobile device support\bin\applemobiledeviceservice.exe" <Not Verified; Apple, Inc.; Apple Mobile Device Service>
R2 Bonjour Service - "c:\program files\bonjour\mdnsresponder.exe" <Not Verified; Apple Inc.; Bonjour>
S2 Ati External Event Utility - c:\windows\system32\ati2evxx.exe <Not Verified; ATI Technologies Inc.; ATI External Event Utility for Windows>
S2 Samsung Update Plus - "c:\program files\samsung\samsung update plus\slubackgroundservice.exe"
-- Device Manager: Disabled ----------------------------------------------------
No disabled devices found.
-- Files created between 2008-04-30 and 2008-05-31 -----------------------------
2008-05-28 09:28:22 0 d-------- C:\Program Files\Mozilla Firefox 3 Beta 5
2008-05-27 12:40:01 0 d-------- C:\Program Files\Windows Live SkyDrive
2008-05-26 16:51:41 0 d-------- C:\Users\All Users\Malwarebytes
2008-05-26 16:51:40 0 d-------- C:\Program Files\Malwarebytes' Anti-Malware
2008-05-21 23:00:47 0 d-------- C:\Program Files\Common Files\Wise Installation Wizard
2008-05-17 14:48:38 0 d-------- C:\temp_phw
2008-05-10 22:23:04 0 d-------- C:\Program Files\Microsoft Silverlight
2008-05-05 11:30:54 0 d-------- C:\Users\All Users\FLEXnet
2008-05-05 02:22:00 0 d-------- C:\Program Files\Vstplugins
2008-05-05 02:21:47 0 d-------- C:\Users\All Users\Sony
2008-05-05 02:17:37 0 d-------- C:\Program Files\Sony Setup
2008-05-05 01:10:29 0 d-------- C:\Users\All Users\r2 Studios
2008-05-05 01:10:26 0 d-------- C:\Program Files\r2 Studios
2008-05-03 01:18:04 0 d-------- C:\Program Files\uTorrent
-- Find3M Report ---------------------------------------------------------------
2008-05-31 14:37:09 12 --a------ C:\Windows\bthservsdp.dat
2008-05-30 23:12:16 0 d-------- C:\Users\Little Haze Barn\AppData\Roaming\SiteAdvisor
2008-05-29 21:30:46 0 d-------- C:\Users\Little Haze Barn\AppData\Roaming\OpenOffice.org2
2008-05-28 15:58:12 0 d-------- C:\Program Files\BT Auto Backup
2008-05-28 15:16:40 0 d-------- C:\Program Files\CCleaner
2008-05-27 16:08:31 0 d-------- C:\Program Files\SpywareBlaster
2008-05-27 15:44:34 0 d-------- C:\Program Files\JKDefrag
2008-05-26 16:51:51 0 d-------- C:\Users\Little Haze Barn\AppData\Roaming\Malwarebytes
2008-05-24 21:15:39 0 d-------- C:\Program Files\SiteAdvisor
2008-05-21 23:01:40 0 d-------- C:\Program Files\TechSmith
2008-05-21 23:00:47 0 d-------- C:\Program Files\Common Files
2008-05-18 21:49:04 0 d--h----- C:\Program Files\InstallShield Installation Information
2008-05-17 01:15:34 0 d-------- C:\Users\Little Haze Barn\AppData\Roaming\fltk.org
2008-05-17 01:14:45 0 d-------- C:\Users\Little Haze Barn\AppData\Roaming\flightgear.org
2008-05-13 22:45:34 0 d-------- C:\Program Files\FrostWire
2008-05-13 19:29:45 0 d-------- C:\Program Files\Windows Mail
2008-05-10 21:51:29 0 d-------- C:\Program Files\Common Files\DVDVideoSoft
2008-05-10 21:51:21 0 d-------- C:\Program Files\DVDVideoSoft
2008-05-08 21:11:20 0 d-------- C:\Users\Little Haze Barn\AppData\Roaming\Audacity
2008-05-05 18:39:34 0 d-------- C:\Program Files\Common Files\Adobe
2008-05-05 17:27:30 0 d-------- C:\Users\Little Haze Barn\AppData\Roaming\Sony
2008-05-05 16:16:42 0 d-------- C:\Users\Little Haze Barn\AppData\Roaming\Publish Providers
2008-05-05 11:31:41 0 d-------- C:\Users\Little Haze Barn\AppData\Roaming\Adobe
2008-05-05 03:40:09 0 d-------- C:\Users\Little Haze Barn\AppData\Roaming\Download Manager
2008-05-05 02:21:07 0 d-------- C:\Program Files\Sony
2008-05-05 01:10:29 0 d-------- C:\Users\Little Haze Barn\AppData\Roaming\r2 Studios
2008-05-03 21:11:36 0 d-------- C:\Users\Little Haze Barn\AppData\Roaming\uTorrent
2008-05-02 19:37:20 0 d-------- C:\Program Files\Paint.NET
2008-04-30 21:13:32 0 d-------- C:\Users\Little Haze Barn\AppData\Roaming\KompoZer
2008-04-30 21:12:50 0 d-------- C:\Program Files\Java
2008-04-27 21:36:42 0 d-------- C:\Program Files\Common Files\TechSmith Shared
2008-04-27 16:54:55 0 d-------- C:\Users\Little Haze Barn\AppData\Roaming\FrostWire
2008-04-26 12:59:48 0 d-------- C:\Program Files\Common Files\INCA Shared
2008-04-25 20:30:16 0 d-------- C:\Program Files\Alwil Software
2008-04-23 22:27:45 0 d-------- C:\Program Files\MusicBrainz Picard
2008-04-22 21:02:49 0 d-------- C:\Program Files\Mp3tag
2008-04-19 23:25:55 0 d-------- C:\Program Files\DivX
2008-04-19 19:59:04 0 d-------- C:\Program Files\Samsung
2008-04-19 18:22:43 0 d-------- C:\Program Files\Realtek
2008-04-19 11:55:16 174 --ahs---- C:\Program Files\desktop.ini
2008-04-19 11:47:22 0 d-------- C:\Program Files\Windows Sidebar
2008-04-19 11:47:22 0 d-------- C:\Program Files\Windows Calendar
2008-04-19 11:47:21 0 d-------- C:\Program Files\Movie Maker
2008-04-19 11:47:18 0 d-------- C:\Program Files\Windows Photo Gallery
2008-04-19 11:47:10 0 d-------- C:\Program Files\Windows Defender
2008-04-16 23:05:04 0 d-------- C:\Program Files\Apple Software Update
2008-04-16 21:39:06 0 d-------- C:\Program Files\Picasa2
2008-04-16 21:03:19 0 d-------- C:\Program Files\Google
2008-04-13 21:45:32 9910 --a------ C:\Windows\mozver.dat
2008-04-13 21:43:36 118784 --a------ C:\Windows\SeaMonkeyUninstall.exe
2008-04-13 21:43:22 118784 --a------ C:\Windows\GREUninstall.exe
2008-04-12 13:30:40 0 d-------- C:\Users\Little Haze Barn\AppData\Roaming\Nikon
2008-04-12 13:25:01 0 d-------- C:\Program Files\Common Files\muvee Technologies
2008-04-12 13:24:58 0 d-------- C:\Program Files\Common Files\Nikon
2008-04-12 13:24:45 0 d-------- C:\Program Files\Nikon
2008-04-12 13:24:15 268 -rah----- C:\Users\Little Haze Barn\AppData\Roaming\Image Manipulation
2008-04-11 19:40:15 0 d-------- C:\Users\Little Haze Barn\AppData\Roaming\AVG7
2008-04-11 16:29:10 0 d-------- C:\Program Files\OpenOffice.org 2.4
2008-04-11 16:23:40 0 d-------- C:\Program Files\iTunes
2008-04-11 16:23:29 0 d-------- C:\Program Files\iPod
2008-04-11 16:22:22 0 d-------- C:\Program Files\QuickTime
2008-03-31 22:25:48 823296 --a------ C:\Windows\system32\divx_xx0c.dll <Not Verified; DivX, Inc.; DivX®>
2008-03-31 22:25:48 823296 --a------ C:\Windows\system32\divx_xx07.dll <Not Verified; DivX, Inc.; DivX®>
2008-03-31 22:25:46 802816 --a------ C:\Windows\system32\divx_xx11.dll <Not Verified; DivX, Inc.; DivX?>
2008-03-31 22:25:46 831488 --a------ C:\Windows\system32\divx_xx0a.dll
2008-03-31 22:25:46 682496 --a------ C:\Windows\system32\DivX.dll <Not Verified; DivX, Inc.; DivX®>
2008-03-21 21:30:08 3596288 --a------ C:\Windows\system32\qt-dx331.dll
2008-03-21 21:28:54 196608 --a------ C:\Windows\system32\dtu100.dll <Not Verified; DivX, Inc.; DivX, Inc. dtu100>
2008-03-21 21:28:54 81920 --a------ C:\Windows\system32\dpl100.dll <Not Verified; DivX, Inc.; DivX, Inc. dpl100>
2008-03-21 21:28:20 12288 --a------ C:\Windows\system32\DivXWMPExtType.dll
2008-03-21 03:01:32 335 --a------ C:\Windows\nsreg.dat
-- Registry Dump ---------------------------------------------------------------
*Note* empty entries & legit default entries are not shown
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Windows Defender"="C:\Program Files\Windows Defender\MSASCui.exe" [19/01/2008 08:38]
"ImgTask"="C:\Windows\Imgtask.exe" [13/12/2006 04:26]
"Logitech Hardware Abstraction Layer"="KHALMNPR.EXE" [11/04/2007 15:32 C:\Windows\KHALMNPR.Exe]
"avast!"="C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe" [16/05/2008 00:19]
"RtHDVCpl"="RtHDVCpl.exe" []
"StartupDelayer"="C:\Program Files\r2 Studios\Startup Delayer\Startup Launcher.exe" [14/12/2007 10:11]
"QuickTime Task"="C:\Program Files\QuickTime\QTTask.exe" [28/03/2008 23:37]
"SiteAdvisor"="C:\Program Files\SiteAdvisor\6261\SiteAdv.exe" [04/12/2007 22:03]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [30/03/2008 10:36]
"Kernel and Hardware Abstraction Layer"="KHALMNPR.EXE" [11/04/2007 15:32 C:\Windows\KHALMNPR.Exe]
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MsnMsgr"="C:\Program Files\Windows Live\Messenger\MsnMsgr.exe" [18/10/2007 12:34]
"WMPNSCFG"="C:\Program Files\Windows Media Player\WMPNSCFG.exe" [19/01/2008 08:33]
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"ConsentPromptBehaviorAdmin"=2 (0x2)
"EnableLUA"=0 (0x0)
"EnableUIADesktopToggle"=0 (0x0)
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"NoAddPrinter"=1 (0x1)
"StartMenuLogOff"=1 (0x1)
"NoSearchInternetInStartMenu"=1 (0x1)
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\avgwlntf]
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"appinit_dlls"=
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\AppInfo]
@="Service"
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\KeyIso]
@="Service"
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\NTDS]
@="Service"
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\ProfSvc]
@="Service"
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\sacsvr]
@="Service"
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\SWPRV]
@="Service"
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\TabletInputService]
@="Service"
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\TBS]
@="Service"
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\TrustedInstaller]
@="Service"
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\VDS]
@="Service"
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\volmgr.sys]
@="Driver"
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\volmgrx.sys]
@="Driver"
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{533C5B84-EC70-11D2-9505-00C04F79DEAF}]
@="Volume shadow copy"
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{6BDD1FC1-810F-11D0-BEC7-08002BE2092F}]
@="IEEE 1394 Bus host controllers"
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{D48179BE-EC20-11D1-B6B8-00C04FA372A7}]
@="SBP2 IEEE 1394 Devices"
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{D94EE5D8-D189-4994-83D2-F68D7D41B0E6}]
@="SecurityDevices"
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ehTray.exe]
C:\Windows\ehome\ehTray.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
"C:\Program Files\iTunes\iTunesHelper.exe"
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
"C:\Program Files\QuickTime\QTTask.exe" -atboottime
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SiteAdvisor]
C:\Program Files\SiteAdvisor\6253\SiteAdv.exe
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
"LanguageShortcut"="C:\Program Files\CyberLink\PowerDVD\Language\Language.exe"
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
LocalService nsi lltdsvc SSDPSRV upnphost SCardSvr w32time EventSystem RemoteRegistry WinHttpAutoProxySvc lanmanworkstation TBS SLUINotify THREADORDER fdrespub netprofm fdphost wcncsvc QWAVE Mcx2Svc WebClient SstpSvc
LocalSystemNetworkRestricted hidserv UxSms WdiSystemHost Netman trkwks AudioEndpointBuilder WUDFSvc irmon sysmain IPBusEnum dot3svc PcaSvc EMDMgmt TabletInputService wlansvc WPDBusEnum
bthsvcs BthServ
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{394dad11-dc1a-11dc-bff7-00137763d39e}]
AutoRun\command- F:\Imageviewer.exe
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{bf807fc6-d1ca-11dc-8f94-00137763d39e}]
Auto\command- RavMonE.exe e
AutoRun\command- C:\Windows\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL RavMonE.exe e
[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\>{22d6f312-b0f6-11d0-94ab-0080c74c7e95}]
C:\Windows\system32\unregmp2.exe /ShowWMP
[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{6BF52A52-394A-11d3-B153-00C04F79FAA6}]
%SystemRoot%\system32\unregmp2.exe /FirstLogon /Shortcuts /RegBrowsers /ResetMUI
-- Hosts -----------------------------------------------------------------------
127.0.0.1 www.007guard.com
127.0.0.1 007guard.com
127.0.0.1 008i.com
127.0.0.1 www.008k.com
127.0.0.1 008k.com
127.0.0.1 www.00hq.com
127.0.0.1 00hq.com
127.0.0.1 010402.com
127.0.0.1 www.032439.com
127.0.0.1 032439.com
8674 more entries in hosts file.
-- End of Deckard's System Scanner: finished at 2008-05-31 16:09:43 ------------
peppermint
2008-05-31, 17:14
and here is extra.txt:
Deckard's System Scanner v20071014.68
Extra logfile - please post this as an attachment with your post.
--------------------------------------------------------------------------------
-- System Information ----------------------------------------------------------
Microsoft® Windows Vista™ Home Premium (build 6001) SP 1.0
Architecture: X86; Language: English
CPU 0: Intel(R) Pentium(R) Dual CPU T2330 @ 1.60GHz
Percentage of Memory in Use: 33%
Physical Memory (total/avail): 1789.45 MiB / 1188.8 MiB
Pagefile Memory (total/avail): 5925.9 MiB / 5272.9 MiB
Virtual Memory (total/avail): 2047.88 MiB / 1902.23 MiB
C: is Fixed (NTFS) - 69 GiB total, 30.03 GiB free.
D: is Fixed (NTFS) - 70.05 GiB total, 67.92 GiB free.
E: is CDROM (No Media)
\\.\PHYSICALDRIVE0 - Hitachi HTS542516K9A300 ATA Device - 149.05 GiB - 3 partitions
\PARTITION0 - Unknown - 10 GiB
\PARTITION1 (bootable) - Installable File System - 69 GiB - C:
\PARTITION2 - Installable File System - 70.05 GiB - D:
-- Security Center -------------------------------------------------------------
AUOptions is scheduled to auto-install.
Windows Internal Firewall is enabled.
AV: avast! antivirus 4.8.1201 [VPS 080531-0] v4.8.1201 (ALWIL Software) Disabled
AS: Spybot - Search and Destroy v1.0.0.5 (Safer Networking Ltd.) Disabled
AS: Windows Defender v1.1.1505.0 (Microsoft Corporation)
AS: avast! antivirus 4.8.1201 [VPS 080531-0] v4.8.1201 (ALWIL Software) Disabled
[HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List]
[HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]
-- Environment Variables -------------------------------------------------------
ALLUSERSPROFILE=C:\ProgramData
APPDATA=C:\Users\Little Haze Barn\AppData\Roaming
CLASSPATH=.;C:\Program Files\Java\jre1.6.0_04\lib\ext\QTJava.zip
CommonProgramFiles=C:\Program Files\Common Files
COMPUTERNAME=SAMSUNG-PC
ComSpec=C:\Windows\system32\cmd.exe
FP_NO_HOST_CHECK=NO
HOMEDRIVE=C:
HOMEPATH=\Users\Little Haze Barn
LOCALAPPDATA=C:\Users\Little Haze Barn\AppData\Local
LOGONSERVER=\\SAMSUNG-PC
NUMBER_OF_PROCESSORS=2
OS=Windows_NT
Path=C:\Windows\system32;C:\Windows;C:\Windows\System32\Wbem;C:\Program Files\ATI Technologies\ATI.ACE\Core-Static;C:\Program Files\QuickTime\QTSystem\
PATHEXT=.COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC
PROCESSOR_ARCHITECTURE=x86
PROCESSOR_IDENTIFIER=x86 Family 6 Model 15 Stepping 13, GenuineIntel
PROCESSOR_LEVEL=6
PROCESSOR_REVISION=0f0d
ProgramData=C:\ProgramData
ProgramFiles=C:\Program Files
PROMPT=$P$G
PUBLIC=C:\Users\Public
QTJAVA=C:\Program Files\Java\jre1.6.0_04\lib\ext\QTJava.zip
SESSIONNAME=Console
SystemDrive=C:
SystemRoot=C:\Windows
TEMP=C:\Users\LITTLE~1\AppData\Local\Temp
TMP=C:\Users\LITTLE~1\AppData\Local\Temp
USERDOMAIN=Samsung-PC
USERNAME=Little Haze Barn
USERPROFILE=C:\Users\Little Haze Barn
windir=C:\Windows
-- User Profiles ---------------------------------------------------------------
Little Haze Barn (admin)
-- Add/Remove Programs ---------------------------------------------------------
7-Zip 4.57 --> "C:\Program Files\7-Zip\Uninstall.exe"
Action Replay Code Manager --> "C:\Program Files\Datel\Action Replay Code Manager\unins000.exe"
Adobe Flash Player ActiveX --> C:\Windows\system32\Macromed\Flash\uninstall_activeX.exe
Adobe Flash Player Plugin --> C:\Windows\system32\Macromed\Flash\uninstall_plugin.exe
Adobe Reader 8.1.2 --> MsiExec.exe /I{AC76BA86-7AD7-1033-7B44-A81200000003}
Adobe Shockwave Player 11 --> C:\Windows\system32\adobe\SHOCKW~1\UNWISE.EXE C:\Windows\system32\Adobe\SHOCKW~1\Install.log
Agere Systems HDA Modem --> agrsmdel
Apple Mobile Device Support --> MsiExec.exe /I{44734179-8A79-4DEE-BB08-73037F065543}
Apple Software Update --> MsiExec.exe /I{02DFF6B1-1654-411C-8D7B-FD6052EF016F}
Atheros WLAN Client --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\0701\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{04983D37-2202-4295-94A2-8B547C66133F}\setup.exe" -l0x9
µTorrent --> "C:\Program Files\uTorrent\uTorrent.exe" /UNINSTALL
Audacity 1.2.6 --> "C:\Program Files\Audacity\unins000.exe"
avast! Antivirus --> C:\Program Files\Alwil Software\Avast4\aswRunDll.exe "C:\Program Files\Alwil Software\Avast4\Setup\setiface.dll",RunSetup
Bonjour --> MsiExec.exe /I{47BF1BD6-DCAC-468F-A0AD-E5DECC2211C3}
BT Auto Backup --> "C:\Program Files\BT Auto Backup\uninstall.exe"
BT Home Hub --> C:\Program Files\BT Home Hub\Uninstall.exe
Camtasia Studio 5 --> MsiExec.exe /I{7BB40A22-8D98-43F9-A08A-E7EFF5AB1324}
CCleaner (remove only) --> "C:\Program Files\CCleaner\uninst.exe"
Continuum 0.40 --> "C:\Program Files\Continuum\unins000.exe"
DivX Codec --> C:\Program Files\DivX\DivXCodecUninstall.exe /CODEC
Easy Battery Manager --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\0701\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{6F730513-8688-4C3C-90A3-6B9792CE2EF3}\setup.exe" -l0x9 Remove
Easy Display Manager --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\10\00\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{17283B95-21A8-4996-97DA-547A48DB266F}\setup.exe" -l0x9 -removeonly
Free YouTube Download 2.2 --> "C:\Program Files\DVDVideoSoft\Free YouTube Download\unins000.exe"
Free YouTube to Mp3 Converter version 3.1 --> "C:\Program Files\DVDVideoSoft\Free YouTube to Mp3 Converter\unins000.exe"
FrostWire 4.13.5 --> C:\Program Files\FrostWire\Uninstall.exe
Google Earth --> MsiExec.exe /I{97C0EA4A-1A0B-4C53-ACEB-49984DA79C90}
HijackThis 2.0.2 --> "C:\Program Files\Trend Micro\HJT\HijackThis.exe" /uninstall
iTunes --> MsiExec.exe /I{585776BC-4BD6-4BD2-A19A-1D6CB44A403B}
Java(TM) 6 Update 6 --> MsiExec.exe /I{3248F0A8-6813-11D6-A77B-00B0D0160060}
Jing --> MsiExec.exe /I{2BE9075D-2CB6-4510-94A3-28E72290FC60}
LADSPA_plugins-win-0.4.15 --> "C:\Program Files\Audacity\Plug-Ins\unins000.exe"
Malwarebytes' Anti-Malware --> "C:\Program Files\Malwarebytes' Anti-Malware\unins000.exe"
McAfee SiteAdvisor --> C:\Program Files\SiteAdvisor\6261\uninstall.exe
Microsoft Silverlight --> MsiExec.exe /I{89F4137D-6C26-4A84-BDB8-2E5A4BB71E00}
Microsoft SOAP Toolkit 2.0 SP2 --> MsiExec.exe /I{36BEAD11-8577-49AD-9250-E06A50AE87B0}
Microsoft SQL Server Native Client --> MsiExec.exe /I{F9B3DD02-B0B3-42E9-8650-030DFF0D133D}
Microsoft SQL Server Setup Support Files (English) --> MsiExec.exe /X{53F5C3EE-05ED-4830-994B-50B2F0D50FCE}
Microsoft SQL Server VSS Writer --> MsiExec.exe /I{E9F44C98-B8B6-480F-AF7B-E42A0A46F4E3}
Microsoft Visual C++ 2005 Redistributable --> MsiExec.exe /X{7299052b-02a4-4627-81f2-1818da5d550d}
Microsoft Windows Journal Viewer --> MsiExec.exe /X{43DCF766-6838-4F9A-8C91-D92DA586DFA8}
Mozilla Firefox (3.0) --> C:\Program Files\Mozilla Firefox\uninstall\helper.exe
Mp3tag v2.41 --> C:\Program Files\Mp3tag\Mp3tagUninstall.EXE
MSXML 4.0 SP2 (KB936181) --> MsiExec.exe /I{C04E32E0-0416-434D-AFB9-6969D703A9EF}
MSXML 4.0 SP2 (KB941833) --> MsiExec.exe /I{C523D256-313D-4866-B36A-F3DE528246EF}
MSXML 4.0 SP2 Parser and SDK --> MsiExec.exe /I{716E0306-8318-4364-8B8F-0CC4E9376BAC}
MusicBrainz Picard 0.9.0 --> C:\Program Files\MusicBrainz Picard\uninst.exe
Nikon Transfer --> MsiExec.exe /X{E9757890-7EC5-46C8-99AB-B00F07B6525C}
OpenOffice.org 2.4 --> MsiExec.exe /I{F87A8E11-02A4-4875-A3A5-5961081B0E4E}
Paint.NET v3.31 --> MsiExec.exe /X{51AFB69C-1C54-4C77-A888-2860F8CD3E7D}
Picasa 2 --> "C:\Program Files\Picasa2\Uninstall.exe"
PowerDVD --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{6811CAA0-BF12-11D4-9EA1-0050BAE317E1}\setup.exe" -uninstall
QuickTime --> MsiExec.exe /I{1838C5A2-AB32-4145-85C1-BB9B8DFA24CD}
Samsung Magic Doctor --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\0701\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{32D6A58F-9659-446C-BBFC-E6F2B41F24DC}\Setup.exe" -l0x9 Remove
Samsung Recovery Solution II --> C:\Program Files\InstallShield Installation Information\{145DE957-0679-4A2A-BB5C-1D3E9808FAB2}\setup.exe -runfromtemp -l0x0009 -removeonly
Samsung Update Plus --> C:\PROGRA~1\COMMON~1\INSTAL~1\Driver\10\INTEL3~1\IDriver.exe /M{685707A4-911C-468D-BFC4-64A50E5E3A0C} /l1033
SeaMonkey (1.1.9) --> C:\Windows\SeaMonkeyUninstall.exe /ua "1.1.9 (en)"
Sony Player Plug-in for Windows Media Player --> C:\PROGRA~1\Sony\PLAYER~1\UNINST.EXE
Sony Vegas Pro 8.0 --> MsiExec.exe /X{7C9AD221-994C-45B2-B46D-26F5735158CF}
Spelling Dictionaries Support For Adobe Reader 8 --> MsiExec.exe /I{AC76BA86-7AD7-5464-3428-800000000003}
Spybot - Search & Destroy --> "C:\Program Files\Spybot - Search & Destroy\unins000.exe"
SpywareBlaster 4.0 --> "C:\Program Files\SpywareBlaster\unins000.exe"
Startup Delayer v2.3 (build 130) --> C:\Program Files\r2 Studios\Startup Delayer\Uninstall.exe
SUPER © Version 2008.bld.25 (Feb 5, 2008) --> C:\PROGRA~1\ERIGHT~1\SUPER\Setup.exe /remove /q0
Uninstall 1.0.0.0 --> "C:\Program Files\Common Files\DVDVideoSoft\unins000.exe"
VideoLAN VLC media player 0.8.6f --> C:\Program Files\VideoLAN\VLC\uninstall.exe
WIDCOMM Bluetooth Software 6.0.1.5000 --> MsiExec.exe /X{03D1988F-469F-4843-8E6E-E5FE9D17889D}
Windows Live installer --> MsiExec.exe /X{A7E4ECCA-4A8E-4258-8EC8-2DCCF5B11320}
Windows Live Mail --> MsiExec.exe /I{184E7118-0295-43C4-B72C-1D54AA75AAF7}
Windows Live Messenger --> MsiExec.exe /X{508CE775-4BA4-4748-82DF-FE28DA9F03B0}
Windows Live Sign-in Assistant --> MsiExec.exe /I{0ED47137-C071-46CC-A243-E5E33271E10E}
Windows Live SkyDrive Upload Tool --> MsiExec.exe /I{2FD177C0-A752-11DC-8314-0800200C9A66}
-- Application Event Log -------------------------------------------------------
Event Record #/Type11605 / Success
Event Submitted/Written: 05/31/2008 03:59:52 PM
Event ID/Source: 5617 / WinMgmt
Event Description:
Event Record #/Type11604 / Success
Event Submitted/Written: 05/31/2008 03:59:49 PM
Event ID/Source: 5615 / WinMgmt
Event Description:
Event Record #/Type11601 / Success
Event Submitted/Written: 05/31/2008 03:59:38 PM
Event ID/Source: 902 / Software Licensing Service
Event Description:
The Software Licensing service has started.
Event Record #/Type11592 / Warning
Event Submitted/Written: 05/31/2008 02:37:03 PM
Event ID/Source: 1530 / profsvc
Event Description:
Windows detected your registry file is still in use by other applications or services. The file will be unloaded now. The applications or services that hold your registry file may not function properly afterwards.
DETAIL -
1 user registry handles leaked from \Registry\User\S-1-5-21-2467137060-3377746744-1616600092-1003_Classes:
Process 904 (\Device\HarddiskVolume2\Windows\System32\svchost.exe) has opened key \REGISTRY\USER\S-1-5-21-2467137060-3377746744-1616600092-1003_CLASSES
Event Record #/Type11591 / Warning
Event Submitted/Written: 05/31/2008 02:37:01 PM
Event ID/Source: 1530 / profsvc
Event Description:
Windows detected your registry file is still in use by other applications or services. The file will be unloaded now. The applications or services that hold your registry file may not function properly afterwards.
DETAIL -
1 user registry handles leaked from \Registry\User\S-1-5-21-2467137060-3377746744-1616600092-1003:
Process 904 (\Device\HarddiskVolume2\Windows\System32\svchost.exe) has opened key \REGISTRY\USER\S-1-5-21-2467137060-3377746744-1616600092-1003
-- Security Event Log ----------------------------------------------------------
No Errors/Warnings found.
-- System Event Log ------------------------------------------------------------
Event Record #/Type46691 / Warning
Event Submitted/Written: 05/31/2008 04:07:25 PM
Event ID/Source: 3004 / WinDefend
Event Description:
%Samsung-PC27 Real-Time Protection agent has detected changes. Microsoft recommends you analyze the software that made these changes for potential risks. You can use information about how these programs operate to choose whether to allow them to run or remove them from your computer. Allow changes only if you trust the program or the software publisher. %Samsung-PC27 can't undo changes that you allow.
For more information please see the following:
%Samsung-PC275
Scan ID: {B5642E3F-2098-4C94-8D06-D8F90579E42F}
User: Samsung-PC\Little Haze Barn
Name: %Samsung-PC271
ID: %Samsung-PC272
Severity ID: %Samsung-PC273
Category ID: %Samsung-PC274
Path Found: %Samsung-PC276
Alert Type: %Samsung-PC278
Detection Type: 1.1.1600.02
Event Record #/Type46690 / Warning
Event Submitted/Written: 05/31/2008 04:07:24 PM
Event ID/Source: 3004 / WinDefend
Event Description:
%Samsung-PC27 Real-Time Protection agent has detected changes. Microsoft recommends you analyze the software that made these changes for potential risks. You can use information about how these programs operate to choose whether to allow them to run or remove them from your computer. Allow changes only if you trust the program or the software publisher. %Samsung-PC27 can't undo changes that you allow.
For more information please see the following:
%Samsung-PC275
Scan ID: {7BE9AA7F-76FA-40F3-AE49-E936080C15CA}
User: Samsung-PC\Little Haze Barn
Name: %Samsung-PC271
ID: %Samsung-PC272
Severity ID: %Samsung-PC273
Category ID: %Samsung-PC274
Path Found: %Samsung-PC276
Alert Type: %Samsung-PC278
Detection Type: 1.1.1600.02
Event Record #/Type46689 / Warning
Event Submitted/Written: 05/31/2008 04:07:24 PM
Event ID/Source: 3004 / WinDefend
Event Description:
%Samsung-PC27 Real-Time Protection agent has detected changes. Microsoft recommends you analyze the software that made these changes for potential risks. You can use information about how these programs operate to choose whether to allow them to run or remove them from your computer. Allow changes only if you trust the program or the software publisher. %Samsung-PC27 can't undo changes that you allow.
For more information please see the following:
%Samsung-PC275
Scan ID: {44B83C26-B85D-4022-BDD2-9D9507562721}
User: Samsung-PC\Little Haze Barn
Name: %Samsung-PC271
ID: %Samsung-PC272
Severity ID: %Samsung-PC273
Category ID: %Samsung-PC274
Path Found: %Samsung-PC276
Alert Type: %Samsung-PC278
Detection Type: 1.1.1600.02
Event Record #/Type46688 / Warning
Event Submitted/Written: 05/31/2008 04:07:22 PM
Event ID/Source: 3004 / WinDefend
Event Description:
%Samsung-PC27 Real-Time Protection agent has detected changes. Microsoft recommends you analyze the software that made these changes for potential risks. You can use information about how these programs operate to choose whether to allow them to run or remove them from your computer. Allow changes only if you trust the program or the software publisher. %Samsung-PC27 can't undo changes that you allow.
For more information please see the following:
%Samsung-PC275
Scan ID: {C7D4E8BB-899A-40C5-A4E7-12B519C516CB}
User: Samsung-PC\Little Haze Barn
Name: %Samsung-PC271
ID: %Samsung-PC272
Severity ID: %Samsung-PC273
Category ID: %Samsung-PC274
Path Found: %Samsung-PC276
Alert Type: %Samsung-PC278
Detection Type: 1.1.1600.02
Event Record #/Type46687 / Warning
Event Submitted/Written: 05/31/2008 04:07:22 PM
Event ID/Source: 3004 / WinDefend
Event Description:
%Samsung-PC27 Real-Time Protection agent has detected changes. Microsoft recommends you analyze the software that made these changes for potential risks. You can use information about how these programs operate to choose whether to allow them to run or remove them from your computer. Allow changes only if you trust the program or the software publisher. %Samsung-PC27 can't undo changes that you allow.
For more information please see the following:
%Samsung-PC275
Scan ID: {6E30CDE6-0852-4B8F-B63B-078B292B8E32}
User: Samsung-PC\Little Haze Barn
Name: %Samsung-PC271
ID: %Samsung-PC272
Severity ID: %Samsung-PC273
Category ID: %Samsung-PC274
Path Found: %Samsung-PC276
Alert Type: %Samsung-PC278
Detection Type: 1.1.1600.02
-- End of Deckard's System Scanner: finished at 2008-05-31 16:09:43 ------------
ndmmxiaomayi
2008-06-01, 00:59
Hi,
uTorrent and Frostwire are installed on your computer. While both are clean P2P programs, there's no guarantee that the files downloaded are. Please refrain from using it /them while cleaning your computer to prevent getting more infections.
A list of clean and infected P2P programs can be found at Malware Removal (http://p2p.malwareremoval.com/) and Spyware Info (http://www.spywareinfo.com/articles/p2p/).
The risks of using a P2P program are stated in this Sourceforge website (http://aresgalaxy.sourceforge.net/p2prisks.htm) and Information Week article (http://www.informationweek.com/security/showArticle.jhtml?articleID=53200209&pgno=2&queryText=).
Please also read this sticky (http://forums.spybot.info/showthread.php?t=282).
____________________
Run Flash_Disinfector
Please download Flash_Disinfector (http://download.bleepingcomputer.com/sUBs/Flash_Disinfector.exe) and save it to your desktop.
Right click on Flash_Disinfector.exe and select Run As Administrator to run it. If you receive a prompt, please allow it.
You will be prompted to plug in your flash drive. Plug it in.
Flash_Disinfector will start disinfecting your flash and hard drives. This takes a few seconds. Your desktop will disappear in the meantime.
When done, a message box will appear. Click OK. Your desktop should now appear. If it doesn't, press Ctrl + Shift + Esc to open Task Manager.
Click on File > New Task (Run...). Type in explorer.exe and press Enter. Your desktop should now appear.
Backup Registry
Please perform this before moving on to other steps. If you can't perform this step, please let me know. Do not continue.
Download erunt.zip (http://www.derfisch.de/lars/erunt.zip) and save it to your desktop.
Right click on erunt.zip and select Extract All....
Click Next on seeing the Welcome to the Compressed (zipped) Folders Extraction Wizard.
Click on the Browse button. Click on Desktop. Then click OK.
Uncheck (untick) the Show extracted files box and click Finish.
Open Notepad and copy and paste the following in the Code box into Notepad:
"%userprofile%\Desktop\erunt\erunt.exe" %windir%\regbackup sysreg curuser otherusers
pause
Click on File > Save As....
In the File Name field, copy and paste in regbackup.bat
In the Save As Type field, select All Files from the drop-down list.
Click Save.
Right click on regbackup.bat and select Run As Administrator. If you receive a prompt, please allow it.
Command Prompt will open.
After that, you should see this dialog box:
http://www.larshederer.homepage.t-online.de/erunt/erunt.jpg
When it's done, the dialog box will close automatically.
Press any key to close Command Prompt.
Run registry fix
Please open Notepad and copy and paste the following in the Code box into Notepad:
Windows Registry Editor Version 5.00
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
"AppInit_DLLs"=""
[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{bf807fc6-d1ca-11dc-8f94-00137763d39e}]
Click on File > Save As....
In the File Name box, copy and paste in fix.reg
In the Save As Type box, select All Files from the drop-down list.
Click Save.
Double click on fix.reg to run it. Windows will prompt you to merge the file with the registry. Click Yes. You will also receive Windows UAC prompt. Please allow it.
Run DSS
Save all your work and close all opened programs.
Right click on dss.exe and select Run As Administrator to run it. Follow the prompts.
When the scan is complete, Notepad will open. Please post the contents of this log in your next reply.
peppermint
2008-06-01, 12:38
I did all that was said, but I use 7zip as my file compressor/decompresser - First time I extracted all the files of erunt.zip to the desktop - regbackup.bat didn't work - so I looked at the designated file path, I deleted all the single files of erunt.zip off the desktop and re-extracted to a folder called erunt (on the desktop) - That time it worked fine
When I ran the flashdisinfector, it was really quick - Is that normal?
Anyway, dss.exe only produced one log - main.txt:
Deckard's System Scanner v20071014.68
Run by Little Haze Barn on 2008-06-01 11:30:45
Computer is in Normal Mode.
--------------------------------------------------------------------------------
-- HijackThis (run as Little Haze Barn.exe) ------------------------------------
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 11:30:58, on 01/06/2008
Platform: Windows Vista SP1 (WinNT 6.00.1905)
MSIE: Internet Explorer v7.00 (7.00.6001.18000)
Boot mode: Normal
Running processes:
C:\Windows\system32\Dwm.exe
C:\Windows\system32\taskeng.exe
C:\Program Files\Samsung\EBM\EasyBatteryMgr3.exe
C:\Program Files\Samsung\Easy Display Manager\dmhkcore.exe
C:\Program Files\Samsung\Samsung Magic Doctor\MagicDoctorKbdHk.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\Program Files\Alwil Software\Avast4\ashDisp.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
C:\Program Files\Java\jre1.6.0_06\bin\jusched.exe
C:\Windows\Imgtask.exe
C:\Program Files\SiteAdvisor\6261\SiteAdv.exe
C:\Program Files\Windows Media Player\wmpnscfg.exe
C:\Program Files\WIDCOMM\Bluetooth Software\BTTray.exe
C:\Windows\explorer.exe
C:\Windows\system32\SearchFilterHost.exe
C:\Users\Little Haze Barn\Desktop\dss.exe
C:\PROGRA~1\TRENDM~1\HJT\LITTLE~1.EXE
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.uk/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http:\\www.samsungcomputer.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O1 - Hosts: ::1 localhost
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {089FD14D-132B-48FC-8861-0048AE113215} - C:\Program Files\SiteAdvisor\6261\SiteAdv.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_06\bin\ssv.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O3 - Toolbar: McAfee SiteAdvisor - {0BF43445-2F28-4351-9252-17FE6E806AA0} - C:\Program Files\SiteAdvisor\6261\SiteAdv.dll
O4 - HKLM\..\Run: [Windows Defender] %ProgramFiles%\Windows Defender\MSASCui.exe -hide
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_06\bin\jusched.exe"
O4 - HKLM\..\Run: [ImgTask] C:\Windows\Imgtask.exe
O4 - HKLM\..\Run: [Logitech Hardware Abstraction Layer] KHALMNPR.EXE
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [SiteAdvisor] "C:\Program Files\SiteAdvisor\6261\SiteAdv.exe"
O4 - HKLM\..\Run: [Kernel and Hardware Abstraction Layer] KHALMNPR.EXE
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\Windows Live\Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [WMPNSCFG] "C:\Program Files\Windows Media Player\WMPNSCFG.exe"
O4 - HKUS\S-1-5-20\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'NETWORK SERVICE')
O4 - Global Startup: Bluetooth.lnk = C:\Program Files\WIDCOMM\Bluetooth Software\BTTray.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O8 - Extra context menu item: Send image to &Bluetooth Device... - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie_ctx.htm
O8 - Extra context menu item: Send page to &Bluetooth Device... - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_06\bin\ssv.dll
O9 - Extra button: @btrez.dll,-4015 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie.htm
O9 - Extra 'Tools' menuitem: @btrez.dll,-12650 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie.htm
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O13 - Gopher Prefix:
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://gfx1.hotmail.com/mail/w2/resources/VistaMSNPUplden-gb.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{9F1BA17E-E569-47C9-9D21-88B5439DF980}: NameServer = 208.67.222.222,208.67.220.220
O20 - Winlogon Notify: avgwlntf - C:\Windows\
O23 - Service: Agere Modem Call Progress Audio (AgereModemAudio) - Agere Systems - C:\Windows\system32\agrsmsvc.exe
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: Ati External Event Utility - ATI Technologies Inc. - C:\Windows\system32\Ati2evxx.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Cyberlink RichVideo Service(CRVS) (RichVideo) - Unknown owner - C:\Program Files\CyberLink\Shared Files\RichVideo.exe
O23 - Service: Samsung Update Plus - Unknown owner - C:\Program Files\Samsung\Samsung Update Plus\SLUBackgroundService.exe
O23 - Service: SBSD Security Center Service (SBSDWSCService) - Safer Networking Ltd. - C:\Program Files\Spybot - Search & Destroy\SDWinSec.exe
O23 - Service: SiteAdvisor Service - Unknown owner - C:\Program Files\SiteAdvisor\6261\SAService.exe
O23 - Service: BT Auto Backup Service (VaultClientSRV) - BT - C:\Program Files\BT Auto Backup\VaultClientSRV.exe
O23 - Service: BT Auto Backup Upgrade Service (VaultClientUpgrade) - BT - C:\Program Files\BT Auto Backup\VaultClientUpgrade.exe
--
End of file - 7774 bytes
-- Files created between 2008-05-01 and 2008-06-01 -----------------------------
2008-06-01 11:29:09 0 d-------- C:\Windows\regbackup
2008-06-01 11:23:33 0 drahs---- C:\autorun.inf
2008-05-28 09:28:22 0 d-------- C:\Program Files\Mozilla Firefox 3 Beta 5
2008-05-27 12:40:01 0 d-------- C:\Program Files\Windows Live SkyDrive
2008-05-26 16:51:41 0 d-------- C:\Users\All Users\Malwarebytes
2008-05-26 16:51:40 0 d-------- C:\Program Files\Malwarebytes' Anti-Malware
2008-05-21 23:00:47 0 d-------- C:\Program Files\Common Files\Wise Installation Wizard
2008-05-17 14:48:38 0 d-------- C:\temp_phw
2008-05-10 22:23:04 0 d-------- C:\Program Files\Microsoft Silverlight
2008-05-05 11:30:54 0 d-------- C:\Users\All Users\FLEXnet
2008-05-05 02:22:00 0 d-------- C:\Program Files\Vstplugins
2008-05-05 02:21:47 0 d-------- C:\Users\All Users\Sony
2008-05-05 02:17:37 0 d-------- C:\Program Files\Sony Setup
2008-05-05 01:10:26 0 d-------- C:\Program Files\r2 Studios
2008-05-03 01:18:04 0 d-------- C:\Program Files\uTorrent
-- Find3M Report ---------------------------------------------------------------
2008-05-31 23:22:27 12 --a------ C:\Windows\bthservsdp.dat
2008-05-30 23:12:16 0 d-------- C:\Users\Little Haze Barn\AppData\Roaming\SiteAdvisor
2008-05-29 21:30:46 0 d-------- C:\Users\Little Haze Barn\AppData\Roaming\OpenOffice.org2
2008-05-28 15:58:12 0 d-------- C:\Program Files\BT Auto Backup
2008-05-28 15:16:40 0 d-------- C:\Program Files\CCleaner
2008-05-27 16:08:31 0 d-------- C:\Program Files\SpywareBlaster
2008-05-27 15:44:34 0 d-------- C:\Program Files\JKDefrag
2008-05-26 16:51:51 0 d-------- C:\Users\Little Haze Barn\AppData\Roaming\Malwarebytes
2008-05-24 21:15:39 0 d-------- C:\Program Files\SiteAdvisor
2008-05-21 23:01:40 0 d-------- C:\Program Files\TechSmith
2008-05-21 23:00:47 0 d-------- C:\Program Files\Common Files
2008-05-18 21:49:04 0 d--h----- C:\Program Files\InstallShield Installation Information
2008-05-17 01:15:34 0 d-------- C:\Users\Little Haze Barn\AppData\Roaming\fltk.org
2008-05-17 01:14:45 0 d-------- C:\Users\Little Haze Barn\AppData\Roaming\flightgear.org
2008-05-13 22:45:34 0 d-------- C:\Program Files\FrostWire
2008-05-13 19:29:45 0 d-------- C:\Program Files\Windows Mail
2008-05-10 21:51:29 0 d-------- C:\Program Files\Common Files\DVDVideoSoft
2008-05-10 21:51:21 0 d-------- C:\Program Files\DVDVideoSoft
2008-05-08 21:11:20 0 d-------- C:\Users\Little Haze Barn\AppData\Roaming\Audacity
2008-05-05 18:39:34 0 d-------- C:\Program Files\Common Files\Adobe
2008-05-05 17:27:30 0 d-------- C:\Users\Little Haze Barn\AppData\Roaming\Sony
2008-05-05 16:16:42 0 d-------- C:\Users\Little Haze Barn\AppData\Roaming\Publish Providers
2008-05-05 11:31:41 0 d-------- C:\Users\Little Haze Barn\AppData\Roaming\Adobe
2008-05-05 03:40:09 0 d-------- C:\Users\Little Haze Barn\AppData\Roaming\Download Manager
2008-05-05 02:21:07 0 d-------- C:\Program Files\Sony
2008-05-03 21:11:36 0 d-------- C:\Users\Little Haze Barn\AppData\Roaming\uTorrent
2008-05-02 19:37:20 0 d-------- C:\Program Files\Paint.NET
2008-04-30 21:13:32 0 d-------- C:\Users\Little Haze Barn\AppData\Roaming\KompoZer
2008-04-30 21:12:50 0 d-------- C:\Program Files\Java
2008-04-27 21:36:42 0 d-------- C:\Program Files\Common Files\TechSmith Shared
2008-04-27 16:54:55 0 d-------- C:\Users\Little Haze Barn\AppData\Roaming\FrostWire
2008-04-26 12:59:48 0 d-------- C:\Program Files\Common Files\INCA Shared
2008-04-25 20:30:16 0 d-------- C:\Program Files\Alwil Software
2008-04-23 22:27:45 0 d-------- C:\Program Files\MusicBrainz Picard
2008-04-22 21:02:49 0 d-------- C:\Program Files\Mp3tag
2008-04-19 23:25:55 0 d-------- C:\Program Files\DivX
2008-04-19 19:59:04 0 d-------- C:\Program Files\Samsung
2008-04-19 18:22:43 0 d-------- C:\Program Files\Realtek
2008-04-19 11:55:16 174 --ahs---- C:\Program Files\desktop.ini
2008-04-19 11:47:22 0 d-------- C:\Program Files\Windows Sidebar
2008-04-19 11:47:22 0 d-------- C:\Program Files\Windows Calendar
2008-04-19 11:47:21 0 d-------- C:\Program Files\Movie Maker
2008-04-19 11:47:18 0 d-------- C:\Program Files\Windows Photo Gallery
2008-04-19 11:47:10 0 d-------- C:\Program Files\Windows Defender
2008-04-16 23:05:04 0 d-------- C:\Program Files\Apple Software Update
2008-04-16 21:39:06 0 d-------- C:\Program Files\Picasa2
2008-04-16 21:03:19 0 d-------- C:\Program Files\Google
2008-04-13 21:45:32 9910 --a------ C:\Windows\mozver.dat
2008-04-13 21:43:36 118784 --a------ C:\Windows\SeaMonkeyUninstall.exe
2008-04-13 21:43:22 118784 --a------ C:\Windows\GREUninstall.exe
2008-04-12 13:30:40 0 d-------- C:\Users\Little Haze Barn\AppData\Roaming\Nikon
2008-04-12 13:25:01 0 d-------- C:\Program Files\Common Files\muvee Technologies
2008-04-12 13:24:58 0 d-------- C:\Program Files\Common Files\Nikon
2008-04-12 13:24:45 0 d-------- C:\Program Files\Nikon
2008-04-12 13:24:15 268 -rah----- C:\Users\Little Haze Barn\AppData\Roaming\Image Manipulation
2008-04-11 19:40:15 0 d-------- C:\Users\Little Haze Barn\AppData\Roaming\AVG7
2008-04-11 16:29:10 0 d-------- C:\Program Files\OpenOffice.org 2.4
2008-04-11 16:23:40 0 d-------- C:\Program Files\iTunes
2008-04-11 16:23:29 0 d-------- C:\Program Files\iPod
2008-04-11 16:22:22 0 d-------- C:\Program Files\QuickTime
2008-03-31 22:25:48 823296 --a------ C:\Windows\system32\divx_xx0c.dll <Not Verified; DivX, Inc.; DivX®>
2008-03-31 22:25:48 823296 --a------ C:\Windows\system32\divx_xx07.dll <Not Verified; DivX, Inc.; DivX®>
2008-03-31 22:25:46 802816 --a------ C:\Windows\system32\divx_xx11.dll <Not Verified; DivX, Inc.; DivX?>
2008-03-31 22:25:46 831488 --a------ C:\Windows\system32\divx_xx0a.dll
2008-03-31 22:25:46 682496 --a------ C:\Windows\system32\DivX.dll <Not Verified; DivX, Inc.; DivX®>
2008-03-21 21:30:08 3596288 --a------ C:\Windows\system32\qt-dx331.dll
2008-03-21 21:28:54 196608 --a------ C:\Windows\system32\dtu100.dll <Not Verified; DivX, Inc.; DivX, Inc. dtu100>
2008-03-21 21:28:54 81920 --a------ C:\Windows\system32\dpl100.dll <Not Verified; DivX, Inc.; DivX, Inc. dpl100>
2008-03-21 21:28:20 12288 --a------ C:\Windows\system32\DivXWMPExtType.dll
2008-03-21 03:01:32 335 --a------ C:\Windows\nsreg.dat
-- Registry Dump ---------------------------------------------------------------
*Note* empty entries & legit default entries are not shown
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Windows Defender"="C:\Program Files\Windows Defender\MSASCui.exe" [19/01/2008 08:38]
"avast!"="C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe" [16/05/2008 00:19]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [30/03/2008 10:36]
"Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [11/01/2008 22:16]
"RemoteControl"="C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe" [08/01/2007 14:26]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_06\bin\jusched.exe" [25/03/2008 04:28]
"ImgTask"="C:\Windows\Imgtask.exe" [13/12/2006 04:26]
"Logitech Hardware Abstraction Layer"="KHALMNPR.EXE" [11/04/2007 15:32 C:\Windows\KHALMNPR.Exe]
"QuickTime Task"="C:\Program Files\QuickTime\QTTask.exe" [28/03/2008 23:37]
"SiteAdvisor"="C:\Program Files\SiteAdvisor\6261\SiteAdv.exe" [04/12/2007 22:03]
"Kernel and Hardware Abstraction Layer"="KHALMNPR.EXE" [11/04/2007 15:32 C:\Windows\KHALMNPR.Exe]
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MsnMsgr"="C:\Program Files\Windows Live\Messenger\MsnMsgr.exe" [18/10/2007 12:34]
"WMPNSCFG"="C:\Program Files\Windows Media Player\WMPNSCFG.exe" [19/01/2008 08:33]
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\
Bluetooth.lnk - C:\Program Files\WIDCOMM\Bluetooth Software\BTTray.exe [4/24/2007 10:50:32 AM]
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"ConsentPromptBehaviorAdmin"=2 (0x2)
"EnableLUA"=0 (0x0)
"EnableUIADesktopToggle"=0 (0x0)
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"NoAddPrinter"=1 (0x1)
"StartMenuLogOff"=1 (0x1)
"NoSearchInternetInStartMenu"=1 (0x1)
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\avgwlntf]
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\AppInfo]
@="Service"
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\KeyIso]
@="Service"
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\NTDS]
@="Service"
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\ProfSvc]
@="Service"
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\sacsvr]
@="Service"
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\SWPRV]
@="Service"
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\TabletInputService]
@="Service"
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\TBS]
@="Service"
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\TrustedInstaller]
@="Service"
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\VDS]
@="Service"
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\volmgr.sys]
@="Driver"
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\volmgrx.sys]
@="Driver"
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{533C5B84-EC70-11D2-9505-00C04F79DEAF}]
@="Volume shadow copy"
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{6BDD1FC1-810F-11D0-BEC7-08002BE2092F}]
@="IEEE 1394 Bus host controllers"
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{D48179BE-EC20-11D1-B6B8-00C04FA372A7}]
@="SBP2 IEEE 1394 Devices"
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{D94EE5D8-D189-4994-83D2-F68D7D41B0E6}]
@="SecurityDevices"
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ehTray.exe]
C:\Windows\ehome\ehTray.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
"C:\Program Files\iTunes\iTunesHelper.exe"
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
"C:\Program Files\QuickTime\QTTask.exe" -atboottime
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SiteAdvisor]
C:\Program Files\SiteAdvisor\6253\SiteAdv.exe
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
"LanguageShortcut"="C:\Program Files\CyberLink\PowerDVD\Language\Language.exe"
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
LocalService nsi lltdsvc SSDPSRV upnphost SCardSvr w32time EventSystem RemoteRegistry WinHttpAutoProxySvc lanmanworkstation TBS SLUINotify THREADORDER fdrespub netprofm fdphost wcncsvc QWAVE Mcx2Svc WebClient SstpSvc
LocalSystemNetworkRestricted hidserv UxSms WdiSystemHost Netman trkwks AudioEndpointBuilder WUDFSvc irmon sysmain IPBusEnum dot3svc PcaSvc EMDMgmt TabletInputService wlansvc WPDBusEnum
bthsvcs BthServ
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{394dad11-dc1a-11dc-bff7-00137763d39e}]
AutoRun\command- F:\Imageviewer.exe
[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\>{22d6f312-b0f6-11d0-94ab-0080c74c7e95}]
C:\Windows\system32\unregmp2.exe /ShowWMP
[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{6BF52A52-394A-11d3-B153-00C04F79FAA6}]
%SystemRoot%\system32\unregmp2.exe /FirstLogon /Shortcuts /RegBrowsers /ResetMUI
-- End of Deckard's System Scanner: finished at 2008-06-01 11:31:50 ------------
ndmmxiaomayi
2008-06-01, 18:16
Hi,
When I ran the flashdisinfector, it was really quick - Is that normal?
Yes.
O17 - HKLM\System\CCS\Services\Tcpip\..\{9F1BA17E-E569-47C9-9D21-88B5439DF980}: NameServer = 208.67.222.222,208.67.220.220
Do you use OpenDNS servers for your DNS servers settings?
New log looks good. :)
Run ATF Cleaner
Download ATF Cleaner (http://www.atribune.org/ccount/click.php?id=1) and save it to your desktop.
Right click on ATF-Cleaner.exe and select Run As Administrator to run it.
Click on Main at the top.
Tick all the boxes except the Cookies box.
Click on Empty Selected button.
If you use Firefox
Click on Firefox at the top.
Tick all the boxes except Firefox Cookies and Firefox Saved Passwords.
Click on Empty Selected button.
If you use Opera
Click on Opera at the top.
Tick all the boxes except Opera Cookies and Opera Saved Passwords.
Click on Empty Selected button.
Close ATF Cleaner when you are done.
Run Malwarebytes' Anti-Malware
Open Malwarebytes' Anti-Malware.
Select the Update tab. Under Update Mirror, select one of the websites and click on Check for Updates.
Select the Scanner tab. Click on Perform full scan, then click on Scan.
Leave the default options as it is and click on Start Scan.
When done, you will be prompted. Click OK, then click on Show Results.
Checked (ticked) all items and click on Remove Selected.
After it has removed the items, Notepad will open. Please post this log in your next reply. You can also find the log in the Logs tab. The bottom most log is the latest.
In your next reply, please post:
A new HijackThis log
Malwarebytes' Anti-Malware scan report
If you use OpenDNS servers for your DNS servers setting
peppermint
2008-06-01, 21:20
Thanks for all your help so far! :laugh:
I ran the cleaner, worked fine
Malwarebytes' didn't find anything
Here is the Malwarebytes' log:
Malwarebytes' Anti-Malware 1.14
Database version: 812
19:46:59 01/06/2008
mbam-log-6-1-2008 (19-46-59).txt
Scan type: Full Scan (C:\|)
Objects scanned: 133771
Time elapsed: 40 minute(s), 35 second(s)
Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0
Memory Processes Infected:
(No malicious items detected)
Memory Modules Infected:
(No malicious items detected)
Registry Keys Infected:
(No malicious items detected)
Registry Values Infected:
(No malicious items detected)
Registry Data Items Infected:
(No malicious items detected)
Folders Infected:
(No malicious items detected)
Files Infected:
(No malicious items detected)
peppermint
2008-06-01, 21:22
Oh yeah forgot to mention that, yes, I do use OpenDNS :)
Here's the hijackthis log:
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 20:20:17, on 01/06/2008
Platform: Windows Vista SP1 (WinNT 6.00.1905)
MSIE: Internet Explorer v7.00 (7.00.6001.18000)
Boot mode: Normal
Running processes:
C:\Windows\system32\taskeng.exe
C:\Windows\system32\Dwm.exe
C:\Program Files\Samsung\EBM\EasyBatteryMgr3.exe
C:\Program Files\Samsung\Samsung Magic Doctor\MagicDoctorKbdHk.exe
C:\Program Files\Samsung\Easy Display Manager\dmhkcore.exe
C:\Windows\Explorer.EXE
C:\Program Files\Windows Defender\MSASCui.exe
C:\Program Files\Alwil Software\Avast4\ashDisp.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
C:\Program Files\Java\jre1.6.0_06\bin\jusched.exe
C:\Windows\Imgtask.exe
C:\Program Files\SiteAdvisor\6261\SiteAdv.exe
C:\Program Files\Windows Live\Messenger\msnmsgr.exe
C:\Program Files\Windows Media Player\wmpnscfg.exe
C:\Program Files\WIDCOMM\Bluetooth Software\BTTray.exe
C:\Program Files\iTunes\iTunes.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceHelper.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\distnoted.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Trend Micro\HJT\HijackThis.exe
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.uk/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http:\\www.samsungcomputer.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O1 - Hosts: ::1 localhost
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {089FD14D-132B-48FC-8861-0048AE113215} - C:\Program Files\SiteAdvisor\6261\SiteAdv.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_06\bin\ssv.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O3 - Toolbar: McAfee SiteAdvisor - {0BF43445-2F28-4351-9252-17FE6E806AA0} - C:\Program Files\SiteAdvisor\6261\SiteAdv.dll
O4 - HKLM\..\Run: [Windows Defender] %ProgramFiles%\Windows Defender\MSASCui.exe -hide
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_06\bin\jusched.exe"
O4 - HKLM\..\Run: [ImgTask] C:\Windows\Imgtask.exe
O4 - HKLM\..\Run: [Logitech Hardware Abstraction Layer] KHALMNPR.EXE
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [SiteAdvisor] "C:\Program Files\SiteAdvisor\6261\SiteAdv.exe"
O4 - HKLM\..\Run: [Kernel and Hardware Abstraction Layer] KHALMNPR.EXE
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\Windows Live\Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [WMPNSCFG] "C:\Program Files\Windows Media Player\WMPNSCFG.exe"
O4 - HKUS\S-1-5-20\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'NETWORK SERVICE')
O4 - Global Startup: Bluetooth.lnk = C:\Program Files\WIDCOMM\Bluetooth Software\BTTray.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O8 - Extra context menu item: Send image to &Bluetooth Device... - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie_ctx.htm
O8 - Extra context menu item: Send page to &Bluetooth Device... - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_06\bin\ssv.dll
O9 - Extra button: @btrez.dll,-4015 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie.htm
O9 - Extra 'Tools' menuitem: @btrez.dll,-12650 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie.htm
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O13 - Gopher Prefix:
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://gfx1.hotmail.com/mail/w2/resources/VistaMSNPUplden-gb.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{9F1BA17E-E569-47C9-9D21-88B5439DF980}: NameServer = 208.67.222.222,208.67.220.220
O20 - Winlogon Notify: avgwlntf - C:\Windows\
O23 - Service: Agere Modem Call Progress Audio (AgereModemAudio) - Agere Systems - C:\Windows\system32\agrsmsvc.exe
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: Ati External Event Utility - ATI Technologies Inc. - C:\Windows\system32\Ati2evxx.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Cyberlink RichVideo Service(CRVS) (RichVideo) - Unknown owner - C:\Program Files\CyberLink\Shared Files\RichVideo.exe
O23 - Service: Samsung Update Plus - Unknown owner - C:\Program Files\Samsung\Samsung Update Plus\SLUBackgroundService.exe
O23 - Service: SBSD Security Center Service (SBSDWSCService) - Safer Networking Ltd. - C:\Program Files\Spybot - Search & Destroy\SDWinSec.exe
O23 - Service: SiteAdvisor Service - Unknown owner - C:\Program Files\SiteAdvisor\6261\SAService.exe
O23 - Service: BT Auto Backup Service (VaultClientSRV) - BT - C:\Program Files\BT Auto Backup\VaultClientSRV.exe
O23 - Service: BT Auto Backup Upgrade Service (VaultClientUpgrade) - BT - C:\Program Files\BT Auto Backup\VaultClientUpgrade.exe
--
End of file - 8002 bytes
ndmmxiaomayi
2008-06-02, 05:59
Hi,
Thanks for the confirmation. :)
Please go to Kaspersky website (http://www.kaspersky.com/kos/eng/partner/default/kavwebscan.html) and perform an online antivirus scan. Please use Internet Explorer as it uses ActiveX.
Read through the requirements and privacy statement and click on Accept button.
It will start downloading and installing the scanner and virus definitions. You will be prompted to install an ActiveX from Kaspersky. Click Yes.
When the downloads have finished, click on Next button.
Click on Scan Settings button.
Select extended under Scan using the following antivirus database:
Check (tick) these boxes under Scan options: Scan Archives
Scan Mail Bases Click OK
Click on My Computer under Please select a target to scan:
Once the scan is complete it will display if your system has been infected. Click on Save as text button and save it to your desktop.
Copy and paste this log in your next reply.
In your next reply, please post:
Kaspersky Antivirus scan report
A new HijackThis log
peppermint
2008-06-03, 20:07
Hi,
Ive got some problems. The laptop for some reason has a really slow internet connection. We are using broadband and it is fine on this pc which is on the same network (it got so bad I'm using this pc to write)
Yeah so I can't scan with kasperky because the internet is unusually slow - I mean, taking 7 minutes to load google.com! :spider: Somethings amiss here :sad:
Also, but this may be completely non related, but just at the same time of this, I cannot open itunes - it says it 'encountered a problem and has to close'
peppermint
2008-06-03, 20:08
oh yeah, when I say laptop - I mean the laptop that was infected with ravmonE
sorry, I couldn't find an edit button! :oops:
ndmmxiaomayi
2008-06-03, 20:48
Hi,
Please run Deckard's System Scanner again and post back the log.
peppermint
2008-06-04, 21:01
That's really strange, suddenly my internet is back up again (although a little bit slower) and guess what - Itunes works again :)
errrm I did a scan with dss.exe again:
Deckard's System Scanner v20071014.68
Run by Little Haze Barn on 2008-06-04 20:00:39
Computer is in Normal Mode.
--------------------------------------------------------------------------------
-- HijackThis (run as Little Haze Barn.exe) ------------------------------------
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 20:00:45, on 04/06/2008
Platform: Windows Vista SP1 (WinNT 6.00.1905)
MSIE: Internet Explorer v7.00 (7.00.6001.18000)
Boot mode: Normal
Running processes:
C:\Windows\system32\Dwm.exe
C:\Windows\system32\taskeng.exe
C:\Windows\Explorer.EXE
C:\Program Files\Samsung\EBM\EasyBatteryMgr3.exe
C:\Program Files\Samsung\Easy Display Manager\dmhkcore.exe
C:\Program Files\Samsung\Samsung Magic Doctor\MagicDoctorKbdHk.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\Program Files\Alwil Software\Avast4\ashDisp.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
C:\Program Files\Java\jre1.6.0_06\bin\jusched.exe
C:\Windows\Imgtask.exe
C:\Program Files\SiteAdvisor\6261\SiteAdv.exe
C:\Program Files\Windows Live\Messenger\msnmsgr.exe
C:\Program Files\Windows Media Player\wmpnscfg.exe
C:\Program Files\WIDCOMM\Bluetooth Software\BTTray.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\iTunes\iTunes.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceHelper.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\distnoted.exe
C:\Windows\system32\SearchFilterHost.exe
C:\Users\Little Haze Barn\Desktop\dss.exe
C:\PROGRA~1\TRENDM~1\HJT\LITTLE~1.EXE
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.uk/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http:\\www.samsungcomputer.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O1 - Hosts: ::1 localhost
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {089FD14D-132B-48FC-8861-0048AE113215} - C:\Program Files\SiteAdvisor\6261\SiteAdv.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_06\bin\ssv.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O3 - Toolbar: McAfee SiteAdvisor - {0BF43445-2F28-4351-9252-17FE6E806AA0} - C:\Program Files\SiteAdvisor\6261\SiteAdv.dll
O4 - HKLM\..\Run: [Windows Defender] %ProgramFiles%\Windows Defender\MSASCui.exe -hide
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_06\bin\jusched.exe"
O4 - HKLM\..\Run: [ImgTask] C:\Windows\Imgtask.exe
O4 - HKLM\..\Run: [Logitech Hardware Abstraction Layer] KHALMNPR.EXE
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [SiteAdvisor] "C:\Program Files\SiteAdvisor\6261\SiteAdv.exe"
O4 - HKLM\..\Run: [Kernel and Hardware Abstraction Layer] KHALMNPR.EXE
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\Windows Live\Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [WMPNSCFG] "C:\Program Files\Windows Media Player\WMPNSCFG.exe"
O4 - HKUS\S-1-5-20\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'NETWORK SERVICE')
O4 - Global Startup: Bluetooth.lnk = C:\Program Files\WIDCOMM\Bluetooth Software\BTTray.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O8 - Extra context menu item: Send image to &Bluetooth Device... - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie_ctx.htm
O8 - Extra context menu item: Send page to &Bluetooth Device... - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_06\bin\ssv.dll
O9 - Extra button: @btrez.dll,-4015 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie.htm
O9 - Extra 'Tools' menuitem: @btrez.dll,-12650 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie.htm
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O13 - Gopher Prefix:
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} - http://gfx1.hotmail.com/mail/w2/resources/VistaMSNPUplden-gb.cab
O20 - Winlogon Notify: avgwlntf - C:\Windows\
O23 - Service: Agere Modem Call Progress Audio (AgereModemAudio) - Agere Systems - C:\Windows\system32\agrsmsvc.exe
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: Ati External Event Utility - ATI Technologies Inc. - C:\Windows\system32\Ati2evxx.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Cyberlink RichVideo Service(CRVS) (RichVideo) - Unknown owner - C:\Program Files\CyberLink\Shared Files\RichVideo.exe
O23 - Service: Samsung Update Plus - Unknown owner - C:\Program Files\Samsung\Samsung Update Plus\SLUBackgroundService.exe
O23 - Service: SBSD Security Center Service (SBSDWSCService) - Safer Networking Ltd. - C:\Program Files\Spybot - Search & Destroy\SDWinSec.exe
O23 - Service: SiteAdvisor Service - Unknown owner - C:\Program Files\SiteAdvisor\6261\SAService.exe
O23 - Service: BT Auto Backup Service (VaultClientSRV) - BT - C:\Program Files\BT Auto Backup\VaultClientSRV.exe
O23 - Service: BT Auto Backup Upgrade Service (VaultClientUpgrade) - BT - C:\Program Files\BT Auto Backup\VaultClientUpgrade.exe
--
End of file - 7929 bytes
-- Files created between 2008-05-04 and 2008-06-04 -----------------------------
2008-06-03 22:33:56 0 d-------- C:\summaries
2008-06-01 11:29:09 0 d-------- C:\Windows\regbackup
2008-06-01 11:23:33 0 drahs---- C:\autorun.inf
2008-05-28 09:28:22 0 d-------- C:\Program Files\Mozilla Firefox 3 Beta 5
2008-05-27 12:40:01 0 d-------- C:\Program Files\Windows Live SkyDrive
2008-05-26 16:51:41 0 d-------- C:\Users\All Users\Malwarebytes
2008-05-26 16:51:40 0 d-------- C:\Program Files\Malwarebytes' Anti-Malware
2008-05-21 23:00:47 0 d-------- C:\Program Files\Common Files\Wise Installation Wizard
2008-05-17 14:48:38 0 d-------- C:\temp_phw
2008-05-10 22:23:04 0 d-------- C:\Program Files\Microsoft Silverlight
2008-05-05 11:30:54 0 d-------- C:\Users\All Users\FLEXnet
2008-05-05 02:22:00 0 d-------- C:\Program Files\Vstplugins
2008-05-05 02:21:47 0 d-------- C:\Users\All Users\Sony
2008-05-05 02:17:37 0 d-------- C:\Program Files\Sony Setup
2008-05-05 01:10:26 0 d-------- C:\Program Files\r2 Studios
-- Find3M Report ---------------------------------------------------------------
2008-06-03 22:33:34 12 --a------ C:\Windows\bthservsdp.dat
2008-06-01 20:30:00 0 d-------- C:\Program Files\JKDefrag
2008-05-30 23:12:16 0 d-------- C:\Users\Little Haze Barn\AppData\Roaming\SiteAdvisor
2008-05-29 21:30:46 0 d-------- C:\Users\Little Haze Barn\AppData\Roaming\OpenOffice.org2
2008-05-28 15:58:12 0 d-------- C:\Program Files\BT Auto Backup
2008-05-28 15:16:40 0 d-------- C:\Program Files\CCleaner
2008-05-27 16:08:31 0 d-------- C:\Program Files\SpywareBlaster
2008-05-26 16:51:51 0 d-------- C:\Users\Little Haze Barn\AppData\Roaming\Malwarebytes
2008-05-24 21:15:39 0 d-------- C:\Program Files\SiteAdvisor
2008-05-21 23:01:40 0 d-------- C:\Program Files\TechSmith
2008-05-21 23:00:47 0 d-------- C:\Program Files\Common Files
2008-05-18 21:49:04 0 d--h----- C:\Program Files\InstallShield Installation Information
2008-05-17 01:15:34 0 d-------- C:\Users\Little Haze Barn\AppData\Roaming\fltk.org
2008-05-17 01:14:45 0 d-------- C:\Users\Little Haze Barn\AppData\Roaming\flightgear.org
2008-05-13 22:45:34 0 d-------- C:\Program Files\FrostWire
2008-05-13 19:29:45 0 d-------- C:\Program Files\Windows Mail
2008-05-10 21:51:29 0 d-------- C:\Program Files\Common Files\DVDVideoSoft
2008-05-10 21:51:21 0 d-------- C:\Program Files\DVDVideoSoft
2008-05-08 21:11:20 0 d-------- C:\Users\Little Haze Barn\AppData\Roaming\Audacity
2008-05-05 18:39:34 0 d-------- C:\Program Files\Common Files\Adobe
2008-05-05 17:27:30 0 d-------- C:\Users\Little Haze Barn\AppData\Roaming\Sony
2008-05-05 16:16:42 0 d-------- C:\Users\Little Haze Barn\AppData\Roaming\Publish Providers
2008-05-05 11:31:41 0 d-------- C:\Users\Little Haze Barn\AppData\Roaming\Adobe
2008-05-05 03:40:09 0 d-------- C:\Users\Little Haze Barn\AppData\Roaming\Download Manager
2008-05-05 02:21:07 0 d-------- C:\Program Files\Sony
2008-05-03 21:11:36 0 d-------- C:\Users\Little Haze Barn\AppData\Roaming\uTorrent
2008-05-03 01:18:04 0 d-------- C:\Program Files\uTorrent
2008-05-02 19:37:20 0 d-------- C:\Program Files\Paint.NET
2008-04-30 21:13:32 0 d-------- C:\Users\Little Haze Barn\AppData\Roaming\KompoZer
2008-04-30 21:12:50 0 d-------- C:\Program Files\Java
2008-04-27 21:36:42 0 d-------- C:\Program Files\Common Files\TechSmith Shared
2008-04-27 16:54:55 0 d-------- C:\Users\Little Haze Barn\AppData\Roaming\FrostWire
2008-04-26 12:59:48 0 d-------- C:\Program Files\Common Files\INCA Shared
2008-04-25 20:30:16 0 d-------- C:\Program Files\Alwil Software
2008-04-23 22:27:45 0 d-------- C:\Program Files\MusicBrainz Picard
2008-04-22 21:02:49 0 d-------- C:\Program Files\Mp3tag
2008-04-19 23:25:55 0 d-------- C:\Program Files\DivX
2008-04-19 19:59:04 0 d-------- C:\Program Files\Samsung
2008-04-19 18:22:43 0 d-------- C:\Program Files\Realtek
2008-04-19 11:55:16 174 --ahs---- C:\Program Files\desktop.ini
2008-04-19 11:47:22 0 d-------- C:\Program Files\Windows Sidebar
2008-04-19 11:47:22 0 d-------- C:\Program Files\Windows Calendar
2008-04-19 11:47:21 0 d-------- C:\Program Files\Movie Maker
2008-04-19 11:47:18 0 d-------- C:\Program Files\Windows Photo Gallery
2008-04-19 11:47:10 0 d-------- C:\Program Files\Windows Defender
2008-04-16 23:05:04 0 d-------- C:\Program Files\Apple Software Update
2008-04-16 21:39:06 0 d-------- C:\Program Files\Picasa2
2008-04-16 21:03:19 0 d-------- C:\Program Files\Google
2008-04-13 21:45:32 9910 --a------ C:\Windows\mozver.dat
2008-04-13 21:43:36 118784 --a------ C:\Windows\SeaMonkeyUninstall.exe
2008-04-13 21:43:22 118784 --a------ C:\Windows\GREUninstall.exe
2008-04-12 13:30:40 0 d-------- C:\Users\Little Haze Barn\AppData\Roaming\Nikon
2008-04-12 13:25:01 0 d-------- C:\Program Files\Common Files\muvee Technologies
2008-04-12 13:24:58 0 d-------- C:\Program Files\Common Files\Nikon
2008-04-12 13:24:45 0 d-------- C:\Program Files\Nikon
2008-04-12 13:24:15 268 -rah----- C:\Users\Little Haze Barn\AppData\Roaming\Image Manipulation
2008-04-11 19:40:15 0 d-------- C:\Users\Little Haze Barn\AppData\Roaming\AVG7
2008-04-11 16:29:10 0 d-------- C:\Program Files\OpenOffice.org 2.4
2008-04-11 16:23:40 0 d-------- C:\Program Files\iTunes
2008-04-11 16:23:29 0 d-------- C:\Program Files\iPod
2008-04-11 16:22:22 0 d-------- C:\Program Files\QuickTime
2008-03-31 22:25:48 823296 --a------ C:\Windows\system32\divx_xx0c.dll <Not Verified; DivX, Inc.; DivX®>
2008-03-31 22:25:48 823296 --a------ C:\Windows\system32\divx_xx07.dll <Not Verified; DivX, Inc.; DivX®>
2008-03-31 22:25:46 802816 --a------ C:\Windows\system32\divx_xx11.dll <Not Verified; DivX, Inc.; DivX?>
2008-03-31 22:25:46 831488 --a------ C:\Windows\system32\divx_xx0a.dll
2008-03-31 22:25:46 682496 --a------ C:\Windows\system32\DivX.dll <Not Verified; DivX, Inc.; DivX®>
2008-03-21 21:30:08 3596288 --a------ C:\Windows\system32\qt-dx331.dll
2008-03-21 21:28:54 196608 --a------ C:\Windows\system32\dtu100.dll <Not Verified; DivX, Inc.; DivX, Inc. dtu100>
2008-03-21 21:28:54 81920 --a------ C:\Windows\system32\dpl100.dll <Not Verified; DivX, Inc.; DivX, Inc. dpl100>
2008-03-21 21:28:20 12288 --a------ C:\Windows\system32\DivXWMPExtType.dll
2008-03-21 03:01:32 335 --a------ C:\Windows\nsreg.dat
-- Registry Dump ---------------------------------------------------------------
*Note* empty entries & legit default entries are not shown
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Windows Defender"="C:\Program Files\Windows Defender\MSASCui.exe" [19/01/2008 08:38]
"avast!"="C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe" [16/05/2008 00:19]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [30/03/2008 10:36]
"Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [11/01/2008 22:16]
"RemoteControl"="C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe" [08/01/2007 14:26]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_06\bin\jusched.exe" [25/03/2008 04:28]
"ImgTask"="C:\Windows\Imgtask.exe" [13/12/2006 04:26]
"Logitech Hardware Abstraction Layer"="KHALMNPR.EXE" [11/04/2007 15:32 C:\Windows\KHALMNPR.Exe]
"QuickTime Task"="C:\Program Files\QuickTime\QTTask.exe" [28/03/2008 23:37]
"SiteAdvisor"="C:\Program Files\SiteAdvisor\6261\SiteAdv.exe" [04/12/2007 22:03]
"Kernel and Hardware Abstraction Layer"="KHALMNPR.EXE" [11/04/2007 15:32 C:\Windows\KHALMNPR.Exe]
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MsnMsgr"="C:\Program Files\Windows Live\Messenger\MsnMsgr.exe" [18/10/2007 12:34]
"WMPNSCFG"="C:\Program Files\Windows Media Player\WMPNSCFG.exe" [19/01/2008 08:33]
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\
Bluetooth.lnk - C:\Program Files\WIDCOMM\Bluetooth Software\BTTray.exe [4/24/2007 10:50:32 AM]
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"ConsentPromptBehaviorAdmin"=2 (0x2)
"EnableLUA"=0 (0x0)
"EnableUIADesktopToggle"=0 (0x0)
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"NoAddPrinter"=1 (0x1)
"StartMenuLogOff"=1 (0x1)
"NoSearchInternetInStartMenu"=1 (0x1)
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\avgwlntf]
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\AppInfo]
@="Service"
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\KeyIso]
@="Service"
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\NTDS]
@="Service"
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\ProfSvc]
@="Service"
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\sacsvr]
@="Service"
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\SWPRV]
@="Service"
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\TabletInputService]
@="Service"
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\TBS]
@="Service"
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\TrustedInstaller]
@="Service"
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\VDS]
@="Service"
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\volmgr.sys]
@="Driver"
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\volmgrx.sys]
@="Driver"
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{533C5B84-EC70-11D2-9505-00C04F79DEAF}]
@="Volume shadow copy"
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{6BDD1FC1-810F-11D0-BEC7-08002BE2092F}]
@="IEEE 1394 Bus host controllers"
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{D48179BE-EC20-11D1-B6B8-00C04FA372A7}]
@="SBP2 IEEE 1394 Devices"
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{D94EE5D8-D189-4994-83D2-F68D7D41B0E6}]
@="SecurityDevices"
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ehTray.exe]
C:\Windows\ehome\ehTray.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
"C:\Program Files\iTunes\iTunesHelper.exe"
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
"C:\Program Files\QuickTime\QTTask.exe" -atboottime
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SiteAdvisor]
C:\Program Files\SiteAdvisor\6253\SiteAdv.exe
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
"LanguageShortcut"="C:\Program Files\CyberLink\PowerDVD\Language\Language.exe"
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
LocalService nsi lltdsvc SSDPSRV upnphost SCardSvr w32time EventSystem RemoteRegistry WinHttpAutoProxySvc lanmanworkstation TBS SLUINotify THREADORDER fdrespub netprofm fdphost wcncsvc QWAVE Mcx2Svc WebClient SstpSvc
LocalSystemNetworkRestricted hidserv UxSms WdiSystemHost Netman trkwks AudioEndpointBuilder WUDFSvc irmon sysmain IPBusEnum dot3svc PcaSvc EMDMgmt TabletInputService wlansvc WPDBusEnum
bthsvcs BthServ
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{394dad11-dc1a-11dc-bff7-00137763d39e}]
AutoRun\command- F:\Imageviewer.exe
[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\>{22d6f312-b0f6-11d0-94ab-0080c74c7e95}]
C:\Windows\system32\unregmp2.exe /ShowWMP
[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{6BF52A52-394A-11d3-B153-00C04F79FAA6}]
%SystemRoot%\system32\unregmp2.exe /FirstLogon /Shortcuts /RegBrowsers /ResetMUI
-- End of Deckard's System Scanner: finished at 2008-06-04 20:01:08 ------------
ndmmxiaomayi
2008-06-04, 21:15
Hi,
Please try running the Kaspersky scan. :)
peppermint
2008-06-04, 22:57
Hi,
I ran kaspersky, it says im all clean :laugh:
Here's the log:
-------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER REPORT
Wednesday, June 04, 2008 9:54:47 PM
Operating System: Microsoft Windows Vista Home Edition, Service Pack 1 (Build 6001)
Kaspersky Online Scanner version: 5.0.98.0
Kaspersky Anti-Virus database last update: 4/06/2008
Kaspersky Anti-Virus database records: 829085
-------------------------------------------------------------------------------
Scan Settings:
Scan using the following antivirus database: extended
Scan Archives: true
Scan Mail Bases: true
Scan Target - My Computer:
C:\
D:\
E:\
G:\
Scan Statistics:
Total number of scanned objects: 91211
Number of viruses found: 0
Number of infected objects: 0
Number of suspicious objects: 0
Duration of the scan process: 00:57:55
Infected Object Name / Virus Name / Last Action
C:\autorun.inf\lpt3.This folder was created by Flash_Disinfector Object is locked skipped
C:\Boot\BCD Object is locked skipped
C:\Boot\BCD.LOG Object is locked skipped
C:\Program Files\Alwil Software\Avast4\DATA\aswResp.dat Object is locked skipped
C:\Program Files\Alwil Software\Avast4\DATA\Avast4.db Object is locked skipped
C:\Program Files\Alwil Software\Avast4\DATA\integ\avast.int Object is locked skipped
C:\Program Files\Alwil Software\Avast4\DATA\log\nshield.log Object is locked skipped
C:\Program Files\Alwil Software\Avast4\DATA\log\selfdef.log Object is locked skipped
C:\ProgramData\Microsoft\Crypto\RSA\MachineKeys\13dd4a9bcab428995deae8cdcd4807bc_08cb5b97-c65a-4d4d-909c-e33d951bbd9f Object is locked skipped
C:\ProgramData\Microsoft\Network\Downloader\qmgr0.dat Object is locked skipped
C:\ProgramData\Microsoft\Network\Downloader\qmgr1.dat Object is locked skipped
C:\ProgramData\Microsoft\Search\Data\Applications\Windows\GatherLogs\SystemIndex\SystemIndex.93.Crwl Object is locked skipped
C:\ProgramData\Microsoft\Search\Data\Applications\Windows\GatherLogs\SystemIndex\SystemIndex.93.gthr Object is locked skipped
C:\ProgramData\Microsoft\Search\Data\Applications\Windows\MSS.log Object is locked skipped
C:\ProgramData\Microsoft\Search\Data\Applications\Windows\MSStmp.log Object is locked skipped
C:\ProgramData\Microsoft\Search\Data\Applications\Windows\Projects\SystemIndex\Indexer\CiFiles\00010001.wid Object is locked skipped
C:\ProgramData\Microsoft\Search\Data\Applications\Windows\Projects\SystemIndex\Indexer\CiFiles\00010002.wid Object is locked skipped
C:\ProgramData\Microsoft\Search\Data\Applications\Windows\Projects\SystemIndex\Indexer\CiFiles\00010003.wid Object is locked skipped
C:\ProgramData\Microsoft\Search\Data\Applications\Windows\Projects\SystemIndex\Indexer\CiFiles\00010004.wid Object is locked skipped
C:\ProgramData\Microsoft\Search\Data\Applications\Windows\Projects\SystemIndex\Indexer\CiFiles\00010005.wid Object is locked skipped
C:\ProgramData\Microsoft\Search\Data\Applications\Windows\Projects\SystemIndex\Indexer\CiFiles\00010006.wid Object is locked skipped
C:\ProgramData\Microsoft\Search\Data\Applications\Windows\Projects\SystemIndex\Indexer\CiFiles\00010007.ci Object is locked skipped
C:\ProgramData\Microsoft\Search\Data\Applications\Windows\Projects\SystemIndex\Indexer\CiFiles\00010007.wid Object is locked skipped
C:\ProgramData\Microsoft\Search\Data\Applications\Windows\Projects\SystemIndex\Indexer\CiFiles\00010007.wsb Object is locked skipped
C:\ProgramData\Microsoft\Search\Data\Applications\Windows\Projects\SystemIndex\Indexer\CiFiles\00010008.wid Object is locked skipped
C:\ProgramData\Microsoft\Search\Data\Applications\Windows\Projects\SystemIndex\Indexer\CiFiles\00010009.wid Object is locked skipped
C:\ProgramData\Microsoft\Search\Data\Applications\Windows\Projects\SystemIndex\Indexer\CiFiles\0001000A.wid Object is locked skipped
C:\ProgramData\Microsoft\Search\Data\Applications\Windows\Projects\SystemIndex\Indexer\CiFiles\0001000C.wid Object is locked skipped
C:\ProgramData\Microsoft\Search\Data\Applications\Windows\Projects\SystemIndex\Indexer\CiFiles\0001000E.wid Object is locked skipped
C:\ProgramData\Microsoft\Search\Data\Applications\Windows\Projects\SystemIndex\Indexer\CiFiles\00010013.wid Object is locked skipped
C:\ProgramData\Microsoft\Search\Data\Applications\Windows\Projects\SystemIndex\Indexer\CiFiles\00010014.wid Object is locked skipped
C:\ProgramData\Microsoft\Search\Data\Applications\Windows\Projects\SystemIndex\Indexer\CiFiles\00010015.wid Object is locked skipped
C:\ProgramData\Microsoft\Search\Data\Applications\Windows\Projects\SystemIndex\Indexer\CiFiles\00010016.wid Object is locked skipped
C:\ProgramData\Microsoft\Search\Data\Applications\Windows\Projects\SystemIndex\Indexer\CiFiles\00010017.wid Object is locked skipped
C:\ProgramData\Microsoft\Search\Data\Applications\Windows\Projects\SystemIndex\Indexer\CiFiles\00010019.wid Object is locked skipped
C:\ProgramData\Microsoft\Search\Data\Applications\Windows\Projects\SystemIndex\Indexer\CiFiles\0001001B.wid Object is locked skipped
C:\ProgramData\Microsoft\Search\Data\Applications\Windows\Projects\SystemIndex\Indexer\CiFiles\0001001C.wid Object is locked skipped
C:\ProgramData\Microsoft\Search\Data\Applications\Windows\Projects\SystemIndex\Indexer\CiFiles\0001001F.wid Object is locked skipped
C:\ProgramData\Microsoft\Search\Data\Applications\Windows\Projects\SystemIndex\Indexer\CiFiles\00010022.wid Object is locked skipped
C:\ProgramData\Microsoft\Search\Data\Applications\Windows\Projects\SystemIndex\Indexer\CiFiles\00010023.wid Object is locked skipped
C:\ProgramData\Microsoft\Search\Data\Applications\Windows\Projects\SystemIndex\Indexer\CiFiles\00010024.wid Object is locked skipped
C:\ProgramData\Microsoft\Search\Data\Applications\Windows\Projects\SystemIndex\Indexer\CiFiles\00010028.wid Object is locked skipped
C:\ProgramData\Microsoft\Search\Data\Applications\Windows\Projects\SystemIndex\Indexer\CiFiles\0001002A.wid Object is locked skipped
C:\ProgramData\Microsoft\Search\Data\Applications\Windows\Projects\SystemIndex\Indexer\CiFiles\INDEX.000 Object is locked skipped
C:\ProgramData\Microsoft\Search\Data\Applications\Windows\Projects\SystemIndex\PropMap\CiPT0000.000 Object is locked skipped
C:\ProgramData\Microsoft\Search\Data\Applications\Windows\Projects\SystemIndex\PropMap\Used0000.000 Object is locked skipped
C:\ProgramData\Microsoft\Search\Data\Applications\Windows\Projects\SystemIndex\SecStore\CiST0000.000 Object is locked skipped
C:\ProgramData\Microsoft\Search\Data\Applications\Windows\Projects\SystemIndex\SystemIndex.chk1.gthr Object is locked skipped
C:\ProgramData\Microsoft\Search\Data\Applications\Windows\Projects\SystemIndex\SystemIndex.chk2.gthr Object is locked skipped
C:\ProgramData\Microsoft\Search\Data\Applications\Windows\Projects\SystemIndex\SystemIndex.Ntfy380.gthr Object is locked skipped
C:\ProgramData\Microsoft\Search\Data\Applications\Windows\tmp.edb Object is locked skipped
C:\ProgramData\Microsoft\Search\Data\Applications\Windows\Windows.edb Object is locked skipped
C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc\NtfD548.tmp Object is locked skipped
C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc\NtfD549.tmp Object is locked skipped
C:\ProgramData\Microsoft\Windows Defender\Support\MPLog-11022006-050241.log Object is locked skipped
C:\System Volume Information\MountPointManagerRemoteDatabase Object is locked skipped
C:\Users\Little Haze Barn\AppData\Local\Microsoft\Internet Explorer\MSIMGSIZ.DAT Object is locked skipped
C:\Users\Little Haze Barn\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat Object is locked skipped
C:\Users\Little Haze Barn\AppData\Local\Microsoft\Windows\History\History.IE5\MSHist012008060420080605\index.dat Object is locked skipped
C:\Users\Little Haze Barn\AppData\Local\Microsoft\Windows\Temporary Internet Files\AntiPhishing\B3BB5BBA-E7D5-40AB-A041-A5B1C0B26C8F.dat Object is locked skipped
C:\Users\Little Haze Barn\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Users\Little Haze Barn\AppData\Local\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Users\Little Haze Barn\AppData\Local\Microsoft\Windows\UsrClass.dat.LOG1 Object is locked skipped
C:\Users\Little Haze Barn\AppData\Local\Microsoft\Windows\UsrClass.dat.LOG2 Object is locked skipped
C:\Users\Little Haze Barn\AppData\Local\Microsoft\Windows\UsrClass.dat{d6ffdd0c-d1b7-11dc-9d95-00137763d39e}.TM.blf Object is locked skipped
C:\Users\Little Haze Barn\AppData\Local\Microsoft\Windows\UsrClass.dat{d6ffdd0c-d1b7-11dc-9d95-00137763d39e}.TMContainer00000000000000000001.regtrans-ms Object is locked skipped
C:\Users\Little Haze Barn\AppData\Local\Microsoft\Windows\UsrClass.dat{d6ffdd0c-d1b7-11dc-9d95-00137763d39e}.TMContainer00000000000000000002.regtrans-ms Object is locked skipped
C:\Users\Little Haze Barn\AppData\Local\Microsoft\Windows Defender\FileTracker\{7072BEC2-BA5E-4F68-86F7-15687B6A1701} Object is locked skipped
C:\Users\Little Haze Barn\AppData\Local\Microsoft\Windows Live Contacts\alexholland12@hotmail.com\real\members.stg Object is locked skipped
C:\Users\Little Haze Barn\AppData\Local\Microsoft\Windows Live Contacts\alexholland12@hotmail.com\shadow\members.stg Object is locked skipped
C:\Users\Little Haze Barn\AppData\Local\Mozilla\Firefox\Profiles\7xhmcsmx.default\Cache\_CACHE_001_ Object is locked skipped
C:\Users\Little Haze Barn\AppData\Local\Mozilla\Firefox\Profiles\7xhmcsmx.default\Cache\_CACHE_002_ Object is locked skipped
C:\Users\Little Haze Barn\AppData\Local\Mozilla\Firefox\Profiles\7xhmcsmx.default\Cache\_CACHE_003_ Object is locked skipped
C:\Users\Little Haze Barn\AppData\Local\Mozilla\Firefox\Profiles\7xhmcsmx.default\Cache\_CACHE_MAP_ Object is locked skipped
C:\Users\Little Haze Barn\AppData\Local\Mozilla\Firefox\Profiles\7xhmcsmx.default\urlclassifier3.sqlite Object is locked skipped
C:\Users\Little Haze Barn\AppData\Local\Temp\~DF25B2.tmp Object is locked skipped
C:\Users\Little Haze Barn\AppData\Local\Temp\~DF2988.tmp Object is locked skipped
C:\Users\Little Haze Barn\AppData\Local\Temp\~DF29F7.tmp Object is locked skipped
C:\Users\Little Haze Barn\AppData\Local\Temp\~DF46EB.tmp Object is locked skipped
C:\Users\Little Haze Barn\AppData\Local\Temp\~DFD5FB.tmp Object is locked skipped
C:\Users\Little Haze Barn\AppData\Roaming\Microsoft\Windows\Cookies\index.dat Object is locked skipped
C:\Users\Little Haze Barn\AppData\Roaming\Mozilla\Firefox\Profiles\7xhmcsmx.default\cert8.db Object is locked skipped
C:\Users\Little Haze Barn\AppData\Roaming\Mozilla\Firefox\Profiles\7xhmcsmx.default\content-prefs.sqlite Object is locked skipped
C:\Users\Little Haze Barn\AppData\Roaming\Mozilla\Firefox\Profiles\7xhmcsmx.default\cookies.sqlite Object is locked skipped
C:\Users\Little Haze Barn\AppData\Roaming\Mozilla\Firefox\Profiles\7xhmcsmx.default\downloads.sqlite Object is locked skipped
C:\Users\Little Haze Barn\AppData\Roaming\Mozilla\Firefox\Profiles\7xhmcsmx.default\formhistory.sqlite Object is locked skipped
C:\Users\Little Haze Barn\AppData\Roaming\Mozilla\Firefox\Profiles\7xhmcsmx.default\key3.db Object is locked skipped
C:\Users\Little Haze Barn\AppData\Roaming\Mozilla\Firefox\Profiles\7xhmcsmx.default\parent.lock Object is locked skipped
C:\Users\Little Haze Barn\AppData\Roaming\Mozilla\Firefox\Profiles\7xhmcsmx.default\permissions.sqlite Object is locked skipped
C:\Users\Little Haze Barn\AppData\Roaming\Mozilla\Firefox\Profiles\7xhmcsmx.default\places.sqlite Object is locked skipped
C:\Users\Little Haze Barn\AppData\Roaming\Mozilla\Firefox\Profiles\7xhmcsmx.default\places.sqlite-journal Object is locked skipped
C:\Users\Little Haze Barn\AppData\Roaming\Mozilla\Firefox\Profiles\7xhmcsmx.default\search.sqlite Object is locked skipped
C:\Users\Little Haze Barn\Documents\Music\iTunes\iTunes Library.itl Object is locked skipped
C:\Users\Little Haze Barn\NTUSER.DAT Object is locked skipped
C:\Users\Little Haze Barn\ntuser.dat.LOG1 Object is locked skipped
C:\Users\Little Haze Barn\ntuser.dat.LOG2 Object is locked skipped
C:\Users\Little Haze Barn\NTUSER.DAT{3a539871-6a70-11db-887c-d362bd253390}.TM.blf Object is locked skipped
C:\Users\Little Haze Barn\NTUSER.DAT{3a539871-6a70-11db-887c-d362bd253390}.TMContainer00000000000000000001.regtrans-ms Object is locked skipped
C:\Users\Little Haze Barn\NTUSER.DAT{3a539871-6a70-11db-887c-d362bd253390}.TMContainer00000000000000000002.regtrans-ms Object is locked skipped
C:\Windows\bthservsdp.dat Object is locked skipped
C:\Windows\Debug\PASSWD.LOG Object is locked skipped
C:\Windows\Debug\WIA\wiatrace.log Object is locked skipped
C:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.dat Object is locked skipped
C:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.dat Object is locked skipped
C:\Windows\ServiceProfiles\LocalService\AppData\Local\Microsoft\Windows\WindowsUpdate.log Object is locked skipped
C:\Windows\ServiceProfiles\LocalService\NTUSER.DAT Object is locked skipped
C:\Windows\ServiceProfiles\LocalService\ntuser.dat.LOG1 Object is locked skipped
C:\Windows\ServiceProfiles\LocalService\ntuser.dat.LOG2 Object is locked skipped
C:\Windows\ServiceProfiles\LocalService\NTUSER.DAT{3a539869-6a70-11db-887c-d362bd253390}.TM.blf Object is locked skipped
C:\Windows\ServiceProfiles\LocalService\NTUSER.DAT{3a539869-6a70-11db-887c-d362bd253390}.TMContainer00000000000000000001.regtrans-ms Object is locked skipped
C:\Windows\ServiceProfiles\LocalService\NTUSER.DAT{3a539869-6a70-11db-887c-d362bd253390}.TMContainer00000000000000000002.regtrans-ms Object is locked skipped
C:\Windows\ServiceProfiles\NetworkService\NTUSER.DAT Object is locked skipped
C:\Windows\ServiceProfiles\NetworkService\ntuser.dat.LOG1 Object is locked skipped
C:\Windows\ServiceProfiles\NetworkService\ntuser.dat.LOG2 Object is locked skipped
C:\Windows\ServiceProfiles\NetworkService\NTUSER.DAT{3a539865-6a70-11db-887c-d362bd253390}.TM.blf Object is locked skipped
C:\Windows\ServiceProfiles\NetworkService\NTUSER.DAT{3a539865-6a70-11db-887c-d362bd253390}.TMContainer00000000000000000001.regtrans-ms Object is locked skipped
C:\Windows\ServiceProfiles\NetworkService\NTUSER.DAT{3a539865-6a70-11db-887c-d362bd253390}.TMContainer00000000000000000002.regtrans-ms Object is locked skipped
C:\Windows\SoftwareDistribution\EventCache\{7D6934F2-D65F-4722-9D93-01710770E7AE}.bin Object is locked skipped
C:\Windows\SoftwareDistribution\ReportingEvents.log Object is locked skipped
C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-2P-0.C7483456-A289-439d-8115-601632D005A0 Object is locked skipped
C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-2P-1.C7483456-A289-439d-8115-601632D005A0 Object is locked skipped
C:\Windows\System32\catroot2\edb.log Object is locked skipped
C:\Windows\System32\catroot2\{127D0A1D-4EF2-11D1-8608-00C04FC295EE}\catdb Object is locked skipped
C:\Windows\System32\catroot2\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\catdb Object is locked skipped
C:\Windows\System32\config\COMPONENTS Object is locked skipped
C:\Windows\System32\config\COMPONENTS.LOG1 Object is locked skipped
C:\Windows\System32\config\COMPONENTS.LOG2 Object is locked skipped
C:\Windows\System32\config\DEFAULT Object is locked skipped
C:\Windows\System32\config\DEFAULT.LOG1 Object is locked skipped
C:\Windows\System32\config\DEFAULT.LOG2 Object is locked skipped
C:\Windows\System32\config\RegBack\COMPONENTS Object is locked skipped
C:\Windows\System32\config\RegBack\DEFAULT Object is locked skipped
C:\Windows\System32\config\RegBack\SAM Object is locked skipped
C:\Windows\System32\config\RegBack\SECURITY Object is locked skipped
C:\Windows\System32\config\RegBack\SOFTWARE Object is locked skipped
C:\Windows\System32\config\RegBack\SYSTEM Object is locked skipped
C:\Windows\System32\config\SAM Object is locked skipped
C:\Windows\System32\config\SAM.LOG1 Object is locked skipped
C:\Windows\System32\config\SAM.LOG2 Object is locked skipped
C:\Windows\System32\config\SECURITY Object is locked skipped
C:\Windows\System32\config\SECURITY.LOG1 Object is locked skipped
C:\Windows\System32\config\SECURITY.LOG2 Object is locked skipped
C:\Windows\System32\config\SOFTWARE Object is locked skipped
C:\Windows\System32\config\SOFTWARE.LOG1 Object is locked skipped
C:\Windows\System32\config\SOFTWARE.LOG2 Object is locked skipped
C:\Windows\System32\config\SYSTEM Object is locked skipped
C:\Windows\System32\config\SYSTEM.LOG1 Object is locked skipped
C:\Windows\System32\config\SYSTEM.LOG2 Object is locked skipped
C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat Object is locked skipped
C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Windows\System32\config\systemprofile\AppData\Roaming\Microsoft\Windows\Cookies\index.dat Object is locked skipped
C:\Windows\System32\config\TxR\{250834b7-750c-494d-bdc3-da86b6e2101a}.TxR.0.regtrans-ms Object is locked skipped
C:\Windows\System32\config\TxR\{250834b7-750c-494d-bdc3-da86b6e2101a}.TxR.1.regtrans-ms Object is locked skipped
C:\Windows\System32\config\TxR\{250834b7-750c-494d-bdc3-da86b6e2101a}.TxR.2.regtrans-ms Object is locked skipped
C:\Windows\System32\config\TxR\{250834b7-750c-494d-bdc3-da86b6e2101a}.TxR.blf Object is locked skipped
C:\Windows\System32\config\TxR\{250834B7-750C-494d-BDC3-DA86B6E2101B}.TM.blf Object is locked skipped
C:\Windows\System32\config\TxR\{250834B7-750C-494d-BDC3-DA86B6E2101B}.TMContainer00000000000000000001.regtrans-ms Object is locked skipped
C:\Windows\System32\config\TxR\{250834B7-750C-494d-BDC3-DA86B6E2101B}.TMContainer00000000000000000002.regtrans-ms Object is locked skipped
C:\Windows\System32\config\TxR\{250834B7-750C-494d-BDC3-DA86B6E2101B}.TMContainer00000000000000000003.regtrans-ms Object is locked skipped
C:\Windows\System32\config\TxR\{250834B7-750C-494d-BDC3-DA86B6E2101B}.TMContainer00000000000000000004.regtrans-ms Object is locked skipped
C:\Windows\System32\LogFiles\Scm\SCM.EVM Object is locked skipped
C:\Windows\System32\LogFiles\WUDF\WUDFTrace.etl Object is locked skipped
C:\Windows\System32\Msdtc\KtmRmTm.blf Object is locked skipped
C:\Windows\System32\Msdtc\KtmRmTmContainer00000000000000000001 Object is locked skipped
C:\Windows\System32\Msdtc\KtmRmTmContainer00000000000000000002 Object is locked skipped
C:\Windows\System32\spool\SpoolerETW.etl Object is locked skipped
C:\Windows\System32\wbem\Logs\WMITracing.log Object is locked skipped
C:\Windows\System32\wbem\Repository\INDEX.BTR Object is locked skipped
C:\Windows\System32\wbem\Repository\MAPPING1.MAP Object is locked skipped
C:\Windows\System32\wbem\Repository\MAPPING2.MAP Object is locked skipped
C:\Windows\System32\wbem\Repository\OBJECTS.DATA Object is locked skipped
C:\Windows\System32\WDI\LogFiles\WdiContextLog.etl.001 Object is locked skipped
C:\Windows\System32\wfp\wfpdiag.etl Object is locked skipped
C:\Windows\System32\winevt\Logs\ACEEventLog.evtx Object is locked skipped
C:\Windows\System32\winevt\Logs\Antivirus.evtx Object is locked skipped
C:\Windows\System32\winevt\Logs\Application.evtx Object is locked skipped
C:\Windows\System32\winevt\Logs\DFS Replication.evtx Object is locked skipped
C:\Windows\System32\winevt\Logs\HardwareEvents.evtx Object is locked skipped
C:\Windows\System32\winevt\Logs\Internet Explorer.evtx Object is locked skipped
C:\Windows\System32\winevt\Logs\Key Management Service.evtx Object is locked skipped
C:\Windows\System32\winevt\Logs\Media Center.evtx Object is locked skipped
C:\Windows\System32\winevt\Logs\Microsoft-Windows-Bits-Client%4Operational.evtx Object is locked skipped
C:\Windows\System32\winevt\Logs\Microsoft-Windows-CodeIntegrity%4Operational.evtx Object is locked skipped
C:\Windows\System32\winevt\Logs\Microsoft-Windows-Diagnosis-DPS%4Operational.evtx Object is locked skipped
C:\Windows\System32\winevt\Logs\Microsoft-Windows-Diagnostics-Performance%4Operational.evtx Object is locked skipped
C:\Windows\System32\winevt\Logs\Microsoft-Windows-DriverFrameworks-UserMode%4Operational.evtx Object is locked skipped
C:\Windows\System32\winevt\Logs\Microsoft-Windows-GroupPolicy%4Operational.evtx Object is locked skipped
C:\Windows\System32\winevt\Logs\Microsoft-Windows-International%4Operational.evtx Object is locked skipped
C:\Windows\System32\winevt\Logs\Microsoft-Windows-Kernel-WHEA.evtx Object is locked skipped
C:\Windows\System32\winevt\Logs\Microsoft-Windows-LanguagePackSetup%4Operational.evtx Object is locked skipped
C:\Windows\System32\winevt\Logs\Microsoft-Windows-NetworkAccessProtection%4Operational.evtx Object is locked skipped
C:\Windows\System32\winevt\Logs\Microsoft-Windows-ReliabilityAnalysisComponent%4Metrics.evtx Object is locked skipped
C:\Windows\System32\winevt\Logs\Microsoft-Windows-ReliabilityAnalysisComponent%4Operational.evtx Object is locked skipped
C:\Windows\System32\winevt\Logs\Microsoft-Windows-Resource-Exhaustion-Detector%4Operational.evtx Object is locked skipped
C:\Windows\System32\winevt\Logs\Microsoft-Windows-Resource-Exhaustion-Resolver%4Operational.evtx Object is locked skipped
C:\Windows\System32\winevt\Logs\Microsoft-Windows-Resource-Leak-Diagnostic%4Operational.evtx Object is locked skipped
C:\Windows\System32\winevt\Logs\Microsoft-Windows-RestartManager%4Operational.evtx Object is locked skipped
C:\Windows\System32\winevt\Logs\Microsoft-Windows-TaskScheduler%4Operational.evtx Object is locked skipped
C:\Windows\System32\winevt\Logs\Microsoft-Windows-WindowsUpdateClient%4Operational.evtx Object is locked skipped
C:\Windows\System32\winevt\Logs\Microsoft-Windows-WLAN-AutoConfig%4Operational.evtx Object is locked skipped
C:\Windows\System32\winevt\Logs\Security.evtx Object is locked skipped
C:\Windows\System32\winevt\Logs\System.evtx Object is locked skipped
C:\Windows\Tasks\SCHEDLGU.TXT Object is locked skipped
C:\Windows\WindowsUpdate.log Object is locked skipped
D:\autorun.inf\lpt3.This folder was created by Flash_Disinfector Object is locked skipped
Scan process completed.
ndmmxiaomayi
2008-06-07, 23:22
I missed your reply. I didn't get the notification. :sad:
Your Kaspersky log looks good. Any issues?
peppermint
2008-06-08, 10:26
Nope, I can't see any problems, :laugh:
Thanks for all your help!
ndmmxiaomayi
2008-06-08, 20:57
Great! :)
Delete tools used
Since we are done with the cleaning up, the tools are no longer. Please remove them.
Please delete these files and folder.
C:\Users\Little Haze Barn\Desktop\dss.exe
C:\Deckard
Flash_Disinfector.exe
fix.reg
regbackup.bat
Hide system files
Click on Start > Control Panel.
Double click on Folder Options.
Select the View tab.
Under Hidden files and folders, select Do not show hidden files and folders.
Check (tick) these two boxes: Hide extensions for known file types
Hide protected operating system files (Recommended) Click Yes when Windows prompts.
Click OK to apply the settings.
Create a new, clean System Restore point
Click on Start > Control Panel.
Double click on System.
On the left, click on the System Protection link.
At the bottom right hand corner, click on the Create... button.
Give this System Restore point a descriptive name and click on Create.
You should receive a prompt that a System Restore point is created successfully. Click OK to confirm.
Click OK again to close the System Protection window. Then close Control Panel.
Warning: Do not clear infected System Restore points before creating a new System Restore point first!
Please read the above to create a new System Restore point first, then clear out the infected System Restore points.
Clear infected System Restore points
Click on Start > All Programs > Accessories > System Tools.
Right click on Disk Cleanup and select Run As Administrator to run it. UAC will prompt. Allow it.
Select your C drive and click OK.
Select the More Options tab.
Under System Restore and Shadow Copies, click on the Clean up... button.
You will receive a prompt. Click on Delete to delete the old System Restore points.
When done, click OK. You will receive another prompt. Click Delete Files to confirm.
When done, Disk Cleanup will automatically close.
Here are some prevention tips. There's no need to install all programs recommended.
Keep your system updated
Update Windows
Microsoft releases patches for Windows and Office products regularly to patch up Windows and Office products loopholes and fix any bugs found. Please ensure that you visit the following websites regularly or do update your system regularly.
Install the updates immediately if they are found. Reboot your computer if necessary, revisit Windows Update and Office update sites until there are no more updates to be installed.
To update Windows, click on Start > Windows Update (or Start > All Programs > Windows Update if you are using the new Vista Start Menu). If the Windows Update is not found there, go to this link - http://update.microsoft.com/ .
Besides Windows that needs regular updating, antivirus, anti-spyware and firewall programs update regularly too.
Please make sure that you update your antivirus, firewall and anti-spyware programs at least once a week.
Be careful when opening attachments and downloading files.
Never open email attachments, not even if they are from someone you know. If you need to open them, scan them with your antivirus program before opening.
Never open emails from unknown senders.
Beware of emails that warn about viruses that are spreading, especially those from antivirus vendors. These email addresses can be easily spoofed. Check the antivirus vendor websites to be sure.
Be careful of what you download. Only download files from known sources. Also, avoid cracked programs. If you need a particular program that costs too much for you, try finding free alternatives on Sourceforge (http://sourceforge.net/) or Pricelessware (http://www.pricelesswarehome.org/).
Surf safely
Many of the exploits are directed to users of Internet Explorer and Firefox.
Using Firefox (http://www.mozilla.com/en-US/firefox/) with NoScript add-on (https://addons.mozilla.org/en-US/firefox/addon/722) helps to prevent most exploits from running as NoScript by default disables all scripts on all websites. If you trust the website, you can manually allow it.
If you prefer to use Internet Explorer, here are some settings to change to improve the security of Internet Explorer.
For Internet Explorer 7
Please read this article (http://surfthenetsafely.com/ieseczone8.htm) to configure Internet Explorer 7 properly.
Backup regularly
You never know when your PC will become unstable or become so infected that you can't recover it. Follow this article (http://articles.techrepublic.com.com/5100-10877_11-6179067.html) to learn how to backup. To restore them, see this article (http://articles.techrepublic.com.com/5100-10877_11-6180819.html).
If you are using Vista Business, Vista Ultimate or Vista Enterprise, you might want to back up your whole computer instead. See here (http://www.bleepingcomputer.com/tutorials/tutorial145.html) on how to do it.
To restore, see this tutorial (http://www.bleepingcomputer.com/tutorials/tutorial144.html).
Avoid P2P
P2P may be a great way to get lots of stuffs, but it is a great way to get infected as well. There's no way to tell if the file being shared is infected. Worse still, some worms spread via P2P networks, infecting you as well. If you do need to use them, use them sparingly. Check this list of clean and infected P2P programs (http://p2p.malwareremoval.com/) if you need to use one.
Prevent a re-infection
Winpatrol
Winpatrol is heuristic protection program, meaning it looks for patterns in codes that work like malware. It also takes a snapshot of your system's critical resources and alerts you to any changes that may occur without you knowing. You can read more about Winpatrol's features here (http://www.winpatrol.com/features.html).
You can get a free copy (http://www.winpatrol.com/wpsetup.exe) of Winpatrol or use the Plus version (http://winpatrol.stores.yahoo.net/winplusmemre.html) for more features.
You can read Winpatrol's FAQ (http://www.winpatrol.com/faq.html) if you run into problems.
Malwarebytes' Anti-Malware
Malwarebytes' Anti-Malware is a new and powerful anti-malware program. It scans and removes malware for free, but if you want real-time protection, you can pay a small one-time fee.
Remember to update and scan with it regularly. A tutorial for using Malwarebytes' Anti-Malware can be found on BFC Computer Help (http://bfccomputers.com/index.php?showtopic=1645).
Before downloading any anti-spyware programs, always check the Rogue/Suspect list of anti-spyware programs (http://www.spywarewarrior.com/rogue_anti-spyware.htm) and Malwarebytes RogueNET (http://www.malwarebytes.org/roguenet.php). This will save you from a lot of trouble. If in doubt, don't ever download it.
SiteHound Toolbar
SiteHound (http://www.firetrust.com/en/products/sitehound) is a toolbar that warns you if you go to a site that is known to scam people, that has potentially lots of viruses or spywares or has questionable contents. If you know the site, you can enter it; if you don't, it will bring you back to the previous page. Currently, SiteHound works for Internet Explorer and Firefox only.
Use an alternative email client
If you are using Outlook Express as your default email client, try using Thunderbird (http://www.mozilla.com/en-US/thunderbird/) or Pegasus Mail (http://www.pmail.com/) instead.
Here are some more things to read about:
List of clean and infected download managers (http://www.safer-networking.org/en/articles/download-managers.html)
Configuring Skype (http://www.tcd.ie/iss/internet/skype.php)
Greater email safety (http://surfthenetsafely.com/surfsafely4.htm)
Phishing - what is it? (http://surfthenetsafely.com/phishing.htm)
Configuring Outlook Express (http://surfthenetsafely.com/slides/oeconfigureslide1.htm)
The Unofficial Cookie FAQ (http://www.cookiecentral.com/faq)
Securing your home wireless network (http://www.windowsecurity.com/articles/Wireless-Network-Security-Home.html)
80 Super Security Tips (http://www.pcmag.com/article2/0,1895,1838690,00.asp)
The different classes of security softwares (http://wiki.castlecops.com/Different_classes_of_security_software)