Virtumonde Adware Problem
I tried cleaning this out myself and I think I got it as I stopped getting popups and everything feels normal, but I'd like to be sure... Here's my HJT log.
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 4:31:37 PM, on 7/30/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16608)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Analog Devices\Core\smax4pnp.exe
C:\Program Files\Analog Devices\SoundMAX\Smax4.exe
C:\Program Files\ESET\ESET NOD32 Antivirus\egui.exe
C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\MOM.exe
C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe
C:\Program Files\Windows Live\Messenger\msnmsgr.exe
C:\Program Files\UltraMon\UltraMon.exe
C:\Program Files\Microsoft Office\Office12\ONENOTEM.EXE
C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\ccc.exe
C:\Program Files\UltraMon\UltraMonTaskbar.exe
C:\Program Files\ESET\ESET NOD32 Antivirus\ekrn.exe
C:\WINDOWS\system32\PnkBstrA.exe
C:\Program Files\CyberLink\Shared files\RichVideo.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Live\Messenger\usnsvc.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLLoginProxy.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
R3 - URLSearchHook: ICQ Toolbar - {855F3B16-6D32-4fe6-8A56-BBB695989046} - C:\PROGRA~1\ICQTOO~1\toolbaru.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: (no name) - {A871CE06-1CC1-4E47-BC04-A9BC9BC800CE} - (no file)
O2 - BHO: (no name) - {E77A877E-BE26-4C95-BB62-138097A69241} - C:\WINDOWS\system32\opnolMEU.dll (file missing)
O3 - Toolbar: ICQ Toolbar - {855F3B16-6D32-4fe6-8A56-BBB695989046} - C:\PROGRA~1\ICQTOO~1\toolbaru.dll
O4 - HKLM\..\Run: [SoundMAXPnP] C:\Program Files\Analog Devices\Core\smax4pnp.exe
O4 - HKLM\..\Run: [SoundMAX] "C:\Program Files\Analog Devices\SoundMAX\Smax4.exe" /tray
O4 - HKLM\..\Run: [egui] "C:\Program Files\ESET\ESET NOD32 Antivirus\egui.exe" /hide /waitservice
O4 - HKLM\..\Run: [StartCCC] "C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe"
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\Windows Live\Messenger\msnmsgr.exe" /background
O4 - HKCU\..\Run: [updateMgr] C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe AcRdB7_1_0
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE
O4 - Startup: OneNote 2007 Screen Clipper and Launcher.lnk = C:\Program Files\Microsoft Office\Office12\ONENOTEM.EXE
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: UltraMon.lnk = ?
O8 - Extra context menu item: Append Link Target to Existing PDF - res://C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\Office12\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~3\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~3\Office12\ONBttnIE.dll
O9 - Extra button: PokerStars - {3AD14F0C-ED16-4e43-B6D8-661B03F6A1EF} - C:\Program Files\PokerStars\PokerStarsUpdate.exe
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\Office12\REFIEBAR.DLL
O9 - Extra button: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyGaming\PartyPoker\RunApp.exe
O9 - Extra 'Tools' menuitem: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyGaming\PartyPoker\RunApp.exe
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: ICQ6 - {E59EB121-F339-4851-A3BA-FE49C35617C2} - C:\Program Files\ICQ6\ICQ.exe
O9 - Extra 'Tools' menuitem: ICQ6 - {E59EB121-F339-4851-A3BA-FE49C35617C2} - C:\Program Files\ICQ6\ICQ.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {5C051655-FCD5-4969-9182-770EA5AA5565} (Solitaire Showdown Class) - http://messenger.zone.msn.com/binary/SolitaireShowdown.cab56986.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1207217332156
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1207217950968
O16 - DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsPAClient.cab56907.cab
O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\PROGRA~1\MICROS~3\Office12\GR99D3~1.DLL
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: Eset HTTP Server (EhttpSrv) - Unknown owner - C:\Program Files\ESET\ESET NOD32 Antivirus\EHttpSrv.exe
O23 - Service: Eset Service (ekrn) - ESET - C:\Program Files\ESET\ESET NOD32 Antivirus\ekrn.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: NMIndexingService - Nero AG - C:\Program Files\Common Files\Nero\Lib\NMIndexingService.exe
O23 - Service: PD91Engine - Raxco Software, Inc. - C:\Program Files\Raxco\PerfectDisk2008\PD91Engine.exe
O23 - Service: PnkBstrA - Unknown owner - C:\WINDOWS\system32\PnkBstrA.exe
O23 - Service: Cyberlink RichVideo Service(CRVS) (RichVideo) - Unknown owner - C:\Program Files\CyberLink\Shared files\RichVideo.exe
O23 - Service: wampapache - Apache Software Foundation - c:\wamp\bin\apache\apache2.2.8\bin\httpd.exe
O23 - Service: wampmysqld - Unknown owner - c:\wamp\bin\mysql\mysql5.0.51a\bin\mysqld-nt.exe
--
End of file - 7872 bytes
Hi Wallboy
There are at least some leftovers:
Download Deckard's System Scanner (DSS) (http://www.techsupportforum.com/sectools/Deckard/dss.exe) to your Desktop. Note: You must be logged onto an account with administrator privileges.
Close all applications and windows.
Double-click on dss.exe to run it, and follow the prompts.
When the scan is complete, two text files will open: main.txt (this one will be maximized) and extra.txt (this one will be minimized).
Copy (Ctrl+A then Ctrl+C) and paste (Ctrl+V) the contents of main.txt and extra.txt into your post.
Just main.txt popped up:
Deckard's System Scanner v20071014.68
Run by Wallboy on 2008-08-01 17:48:26
Computer is in Normal Mode.
--------------------------------------------------------------------------------
-- HijackThis (run as Wallboy.exe) -------------------------------------------
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 5:48:27 PM, on 8/1/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16608)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Analog Devices\Core\smax4pnp.exe
C:\Program Files\Analog Devices\SoundMAX\Smax4.exe
C:\Program Files\ESET\ESET NOD32 Antivirus\egui.exe
C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\MOM.exe
C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe
C:\Program Files\UltraMon\UltraMon.exe
C:\Program Files\Microsoft Office\Office12\ONENOTEM.EXE
C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\ccc.exe
C:\Program Files\UltraMon\UltraMonTaskbar.exe
C:\Program Files\ESET\ESET NOD32 Antivirus\ekrn.exe
C:\WINDOWS\system32\PnkBstrA.exe
C:\Program Files\CyberLink\Shared files\RichVideo.exe
C:\Program Files\Sandboxie\SbieSvc.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\alg.exe
C:\Program Files\Windows Live\Messenger\usnsvc.exe
C:\WINDOWS\System32\svchost.exe
C:\Documents and Settings\Wallboy\Desktop\dss.exe
C:\PROGRA~1\TRENDM~1\HIJACK~1\ADAMWA~1.EXE
C:\WINDOWS\system32\wbem\wmiprvse.exe
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
R3 - URLSearchHook: ICQ Toolbar - {855F3B16-6D32-4fe6-8A56-BBB695989046} - C:\PROGRA~1\ICQTOO~1\toolbaru.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: (no name) - {A871CE06-1CC1-4E47-BC04-A9BC9BC800CE} - (no file)
O2 - BHO: (no name) - {E77A877E-BE26-4C95-BB62-138097A69241} - C:\WINDOWS\system32\opnolMEU.dll (file missing)
O3 - Toolbar: ICQ Toolbar - {855F3B16-6D32-4fe6-8A56-BBB695989046} - C:\PROGRA~1\ICQTOO~1\toolbaru.dll
O4 - HKLM\..\Run: [SoundMAXPnP] C:\Program Files\Analog Devices\Core\smax4pnp.exe
O4 - HKLM\..\Run: [SoundMAX] "C:\Program Files\Analog Devices\SoundMAX\Smax4.exe" /tray
O4 - HKLM\..\Run: [egui] "C:\Program Files\ESET\ESET NOD32 Antivirus\egui.exe" /hide /waitservice
O4 - HKLM\..\Run: [StartCCC] "C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe"
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\Windows Live\Messenger\msnmsgr.exe" /background
O4 - HKCU\..\Run: [updateMgr] C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe AcRdB7_1_0
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE
O4 - HKCU\..\Run: [SandboxieControl] "C:\Program Files\Sandboxie\SbieCtrl.exe"
O4 - HKCU\..\RunOnce: [FlashPlayerUpdate] C:\WINDOWS\system32\Macromed\Flash\NPSWF32_FlashUtil.exe -p
O4 - Startup: OneNote 2007 Screen Clipper and Launcher.lnk = C:\Program Files\Microsoft Office\Office12\ONENOTEM.EXE
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: UltraMon.lnk = ?
O8 - Extra context menu item: Append Link Target to Existing PDF - res://C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\Office12\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~3\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~3\Office12\ONBttnIE.dll
O9 - Extra button: PokerStars - {3AD14F0C-ED16-4e43-B6D8-661B03F6A1EF} - C:\Program Files\PokerStars\PokerStarsUpdate.exe
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\Office12\REFIEBAR.DLL
O9 - Extra button: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyGaming\PartyPoker\RunApp.exe
O9 - Extra 'Tools' menuitem: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyGaming\PartyPoker\RunApp.exe
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: ICQ6 - {E59EB121-F339-4851-A3BA-FE49C35617C2} - C:\Program Files\ICQ6\ICQ.exe
O9 - Extra 'Tools' menuitem: ICQ6 - {E59EB121-F339-4851-A3BA-FE49C35617C2} - C:\Program Files\ICQ6\ICQ.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {5C051655-FCD5-4969-9182-770EA5AA5565} (Solitaire Showdown Class) - http://messenger.zone.msn.com/binary/SolitaireShowdown.cab56986.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1207217332156
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1207217950968
O16 - DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsPAClient.cab56907.cab
O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\PROGRA~1\MICROS~3\Office12\GR99D3~1.DLL
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: Eset HTTP Server (EhttpSrv) - Unknown owner - C:\Program Files\ESET\ESET NOD32 Antivirus\EHttpSrv.exe
O23 - Service: Eset Service (ekrn) - ESET - C:\Program Files\ESET\ESET NOD32 Antivirus\ekrn.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: NMIndexingService - Nero AG - C:\Program Files\Common Files\Nero\Lib\NMIndexingService.exe
O23 - Service: PD91Engine - Raxco Software, Inc. - C:\Program Files\Raxco\PerfectDisk2008\PD91Engine.exe
O23 - Service: PnkBstrA - Unknown owner - C:\WINDOWS\system32\PnkBstrA.exe
O23 - Service: Cyberlink RichVideo Service(CRVS) (RichVideo) - Unknown owner - C:\Program Files\CyberLink\Shared files\RichVideo.exe
O23 - Service: Sandboxie Service (SbieSvc) - tzuk - C:\Program Files\Sandboxie\SbieSvc.exe
O23 - Service: wampapache - Apache Software Foundation - c:\wamp\bin\apache\apache2.2.8\bin\httpd.exe
O23 - Service: wampmysqld - Unknown owner - c:\wamp\bin\mysql\mysql5.0.51a\bin\mysqld-nt.exe
--
End of file - 8245 bytes
-- Files created between 2008-07-01 and 2008-08-01 -----------------------------
2008-07-31 00:20:54 0 d-------- C:\Sandbox
2008-07-31 00:20:13 0 d-------- C:\Program Files\Sandboxie
2008-07-30 03:45:58 0 d-------- C:\Documents and Settings\Wallboy\Application Data\Malwarebytes
2008-07-30 03:45:54 0 d-------- C:\Documents and Settings\All Users\Application Data\Malwarebytes
2008-07-30 03:45:53 0 d-------- C:\Program Files\Malwarebytes' Anti-Malware
2008-07-30 03:34:04 89088 --a------ C:\WINDOWS\system32\qylgemem.dll
2008-07-30 03:00:53 0 d-------- C:\VundoFix Backups
2008-07-30 02:50:16 1774 --ahs---- C:\WINDOWS\system32\hPrrAyay.ini2
2008-07-29 01:13:51 0 d-------- C:\Program Files\The Longest Journey
2008-07-28 17:30:01 0 d-------- C:\Documents and Settings\All Users\CyberLink
2008-07-28 17:25:25 0 d-------- C:\Documents and Settings\Wallboy\Application Data\CyberLink
2008-07-28 17:22:51 0 d-------- C:\Program Files\SmartSound Software
2008-07-28 17:22:51 0 d-------- C:\Documents and Settings\All Users\Application Data\SmartSound Software Inc
2008-07-28 17:02:04 0 d-------- C:\Program Files\CyberLink
2008-07-28 16:45:56 0 d-------- C:\Program Files\Shareaza
2008-07-28 16:45:56 0 d-------- C:\Documents and Settings\Wallboy\Application Data\Shareaza
2008-07-28 04:46:50 0 d-------- C:\Program Files\Common Files\Bcgsoft
2008-07-28 04:46:42 0 d-------- C:\Documents and Settings\Wallboy\Application Data\ECSoftware
2008-07-28 04:46:41 0 d-------- C:\Program Files\HexEdit
2008-07-23 19:28:11 0 d-------- C:\WMSDK
2008-07-23 18:59:37 0 d-------- C:\Program Files\RailFoxsoft
2008-07-23 17:12:00 0 d-------- C:\Documents and Settings\Wallboy\Application Data\WebMoney
2008-07-23 17:08:25 0 d-------- C:\Program Files\WebMoney
2008-07-22 23:54:08 0 d-------- C:\Program Files\eMule
2008-07-22 23:43:31 0 d-------- C:\Program Files\DC++
2008-07-22 22:55:18 0 d-------- C:\Documents and Settings\Wallboy\Application Data\LimeWire
2008-07-22 22:55:06 0 d-------- C:\Program Files\LimeWire
2008-07-22 05:20:39 0 d-------- C:\Program Files\RenList
2008-07-22 03:03:39 5 --a------ C:\WINDOWS\system32\SySAVI2WMV.dat
2008-07-22 03:03:37 196608 --a------ C:\WINDOWS\system32\NCTWMVFile.dll <Not Verified; NCT Company Ltd.; NCTWMVFile ActiveX DLL>
2008-07-22 03:03:37 139264 --a------ C:\WINDOWS\system32\NCTVideoFile.dll <Not Verified; NCT Company Ltd.; NCTVideoFile ActiveX DLL>
2008-07-22 03:03:37 356352 --a------ C:\WINDOWS\system32\NCTVideoDxPlayer.dll <Not Verified; NCT Company Ltd.; NCTVideoDxPlayer ActiveX DLL>
2008-07-22 03:03:37 991232 --a------ C:\WINDOWS\system32\NCTVideoCoreM.dll <Not Verified; NCT Company Ltd.; NCTVideoCoreM ActiveX DLL>
2008-07-22 03:03:37 90112 --a------ C:\WINDOWS\system32\NCTAudioFormatSettings3.dll <Not Verified; Online Media Technologies Ltd.; NCTAudioFormatSettings3 Module>
2008-07-22 03:03:36 2260992 --a------ C:\WINDOWS\system32\NCTVideoCompress.dll <Not Verified; NCT Company Ltd.; NCTVideoCompress ActiveX DLL>
2008-07-22 03:03:36 282624 --a------ C:\WINDOWS\system32\NCTQuickTimeFile.dll <Not Verified; Online Media Technologies Company Ltd.; NCTQuickTimeFile Module>
2008-07-22 03:03:36 294912 --a------ C:\WINDOWS\system32\NCTAVIFile.dll <Not Verified; NCT Company Ltd.; NCTAVIFile ActiveX DLL>
2008-07-22 03:03:36 2658304 --a------ C:\WINDOWS\system32\NCTAudioCompress3.dll <Not Verified; Online Media Technologies Ltd.; NCTAudioCompress3 Module>
2008-07-22 03:03:36 1810432 --a------ C:\WINDOWS\system32\NCTAudioCompress2.dll <Not Verified; Online Media Technologies Ltd.; NCTAudioCompress2 Module>
2008-07-22 03:03:36 237568 --a------ C:\WINDOWS\system32\lame_enc.dll
2008-07-22 03:03:35 0 d-------- C:\Program Files\ezvideotools.com
2008-07-22 02:23:50 0 d-------- C:\Program Files\Vidlock
2008-07-22 01:49:10 0 d-------- C:\WINDOWS\system32\windows media
2008-07-22 01:49:05 0 d-------- C:\WINDOWS\RegisteredPackages
2008-07-22 01:49:05 0 d--h----- C:\WINDOWS\msdownld.tmp
2008-07-22 01:49:01 0 d-------- C:\Program Files\Windows Media Components
2008-07-21 21:29:45 0 d-------- C:\Program Files\Data Doctor MSI to EXE Creator Demo
2008-07-21 18:50:50 0 d-------- C:\Documents and Settings\Wallboy\Application Data\ICQ Toolbar
2008-07-21 18:46:42 0 d-------- C:\Program Files\ICQToolbar
2008-07-21 18:46:15 0 d-------- C:\Documents and Settings\Wallboy\Application Data\ICQ
2008-07-21 18:45:55 0 d-------- C:\Program Files\ICQ6
2008-07-21 02:25:19 0 d-------- C:\Program Files\ProxyFirewall
2008-07-20 17:57:31 0 d-------- C:\Documents and Settings\Wallboy\Application Data\Dev-Cpp
2008-07-20 17:57:10 0 d-------- C:\Dev-Cpp
2008-07-18 15:17:41 59692 --ah----- C:\WINDOWS\system32\mlfcache.dat
2008-07-18 14:00:49 0 d--h----- C:\WINDOWS\PIF
2008-07-18 01:14:28 176235 --a------ C:\WINDOWS\system32\Primomonnt.dll
2008-07-18 01:14:27 0 d-------- C:\WINDOWS\PrimoPDF4
2008-07-18 01:14:27 0 d-------- C:\Program Files\activePDF
2008-07-18 01:11:53 0 d-------- C:\Documents and Settings\All Users\Application Data\Office Genuine Advantage
2008-07-18 00:51:09 0 d-------- C:\Documents and Settings\Wallboy\Application Data\OpenOffice.org2
2008-07-18 00:49:56 0 d-------- C:\Program Files\OpenOffice.org 2.4
2008-07-09 03:03:00 0 d-------- C:\WINDOWS\system32\AGEIA
2008-07-09 03:02:59 0 d-------- C:\Program Files\AGEIA Technologies
2008-07-09 03:00:16 0 d-------- C:\Program Files\THQ
2008-07-08 23:54:06 0 d-------- C:\Documents and Settings\Wallboy\Application Data\NuSphere
2008-07-07 19:08:02 0 d-------- C:\Program Files\AVPRP
2008-07-07 18:55:23 0 d-------- C:\Program Files\Excel Add Data, Text & Characters To All Cells Software
2008-07-06 19:40:38 0 d-------- C:\Program Files\Codemasters
2008-07-04 19:36:20 0 d-------- C:\Program Files\Java
2008-07-04 19:35:55 0 d-------- C:\Program Files\Common Files\Java
2008-07-04 19:04:38 0 d-------- C:\Program Files\GRLevelX
2008-07-03 01:16:30 0 d-------- C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-07-03 01:08:39 0 d-------- C:\Documents and Settings\NetworkService\Desktop
-- Find3M Report ---------------------------------------------------------------
2008-08-01 17:48:10 0 d-------- C:\Documents and Settings\Wallboy\Application Data\uTorrent
2008-07-31 21:25:50 0 d-------- C:\Documents and Settings\Wallboy\Application Data\mIRC
2008-07-31 17:38:27 0 d-------- C:\Program Files\mIRC
2008-07-29 23:37:57 0 d-------- C:\Documents and Settings\Wallboy\Application Data\GrabIt
2008-07-28 17:22:54 0 d--h----- C:\Program Files\InstallShield Installation Information
2008-07-28 04:46:50 0 d-------- C:\Program Files\Common Files
2008-07-23 22:50:27 0 d-------- C:\Documents and Settings\Wallboy\Application Data\FileZilla
2008-07-21 04:55:01 0 d-------- C:\Program Files\QuickPar
2008-07-18 00:46:20 0 d-------- C:\Program Files\Common Files\Adobe
2008-07-17 05:20:06 0 d-------- C:\Program Files\thinkorswim
2008-07-14 01:08:22 0 d-------- C:\Documents and Settings\Wallboy\Application Data\Skype
2008-07-12 19:20:17 0 d-------- C:\Documents and Settings\Wallboy\Application Data\AdobeUM
2008-07-12 19:18:34 0 d-------- C:\Documents and Settings\Wallboy\Application Data\Adobe
2008-07-09 03:02:40 0 d-------- C:\Program Files\Common Files\Wise Installation Wizard
2008-07-03 00:25:20 0 d-------- C:\Program Files\Windows Media Connect 2
2008-07-02 18:30:16 0 d-------- C:\Program Files\PokerStars
2008-06-30 01:02:37 0 d-------- C:\Program Files\SEO Elite 4
2008-06-30 00:21:01 0 d-------- C:\Program Files\Keyword Elite
2008-06-27 21:04:52 0 d-------- C:\Program Files\Microsoft adCenter Add-in for Excel 2.0 (Beta)
2008-06-27 21:02:58 0 d-------- C:\Program Files\Reference Assemblies
2008-06-27 18:06:31 0 d-------- C:\Program Files\Back Link Analyzer v2.0-cp
2008-06-23 20:37:13 0 d-------- C:\Documents and Settings\Wallboy\Application Data\dvdcss
2008-06-23 16:21:07 0 d-------- C:\Program Files\Google
2008-06-21 18:26:50 0 d-------- C:\Documents and Settings\Wallboy\Application Data\SPORE Creature Creator
2008-06-21 18:24:41 0 d-------- C:\Program Files\Electronic Arts
2008-06-17 16:09:39 0 d-------- C:\Documents and Settings\Wallboy\Application Data\Mozilla
2008-06-16 18:51:12 0 d-------- C:\Program Files\FileZilla FTP Client
2008-06-07 20:27:37 0 d-------- C:\Program Files\PartyGaming
2008-06-07 02:57:56 0 d-------- C:\Documents and Settings\Wallboy\Application Data\Sun
2008-06-04 02:58:42 0 d-------- C:\Documents and Settings\Wallboy\Application Data\streamripper
2008-06-04 02:58:36 0 d-------- C:\Program Files\Streamripper
2008-06-02 21:05:00 593920 -----n--- C:\WINDOWS\system32\ati2sgag.exe <Not Verified; ; ATI Smart>
2008-05-21 20:33:03 23552 --a------ C:\WINDOWS\system32\ctfmon.exe <Not Verified; Gerhard Schlager; Dummy CTFMON.EXE (part of the CTFMON-Remover)>
-- Registry Dump ---------------------------------------------------------------
*Note* empty entries & legit default entries are not shown
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{A871CE06-1CC1-4E47-BC04-A9BC9BC800CE}]
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{E77A877E-BE26-4C95-BB62-138097A69241}]
C:\WINDOWS\system32\opnolMEU.dll
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SoundMAXPnP"="C:\Program Files\Analog Devices\Core\smax4pnp.exe" [12/18/2006 09:34 PM]
"SoundMAX"="C:\Program Files\Analog Devices\SoundMAX\Smax4.exe" [07/13/2006 07:12 AM]
"egui"="C:\Program Files\ESET\ESET NOD32 Antivirus\egui.exe" [10/25/2007 09:26 AM]
"StartCCC"="C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" [01/21/2008 12:17 PM]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe" [06/10/2008 04:27 AM]
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"msnmsgr"="C:\Program Files\Windows Live\Messenger\msnmsgr.exe" [10/18/2007 11:34 AM]
"updateMgr"="C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" [03/30/2006 04:45 PM]
"CTFMON.EXE"="C:\WINDOWS\system32\CTFMON.EXE" [05/21/2008 08:33 PM]
"SandboxieControl"="C:\Program Files\Sandboxie\SbieCtrl.exe" [06/30/2008 03:19 PM]
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\runonce]
"FlashPlayerUpdate"=C:\WINDOWS\system32\Macromed\Flash\NPSWF32_FlashUtil.exe -p
C:\Documents and Settings\Wallboy\Start Menu\Programs\Startup\
OneNote 2007 Screen Clipper and Launcher.lnk - C:\Program Files\Microsoft Office\Office12\ONENOTEM.EXE [10/26/2006 8:24:54 PM]
C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Adobe Reader Speed Launch.lnk - C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [4/23/2008 3:38:16 AM]
UltraMon.lnk - C:\WINDOWS\Installer\{AF0FA6D7-96F3-468A-ABB7-28BE006EA8E9}\IcoUltraMon.ico [4/3/2008 4:54:19 AM]
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders]
SecurityProviders msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll,
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Wdf01000.sys]
@="Driver"
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\8cab1d73]
rundll32.exe "C:\WINDOWS\system32\mqqyqqwf.dll",b
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BM8f982eef]
Rundll32.exe "C:\WINDOWS\system32\jlgcerje.dll",s
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\GrooveMonitor]
"C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe"
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IndxStoreSvr_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}]
"C:\Program Files\Common Files\Nero\Lib\NMIndexStoreSvr.exe" ASO-616B5711-6DAE-4795-A05F-39A1E5104020
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NBKeyScan]
"C:\Program Files\Nero\Nero8\Nero BackItUp\NBKeyScan.exe"
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroFilterCheck]
C:\Program Files\Common Files\Nero\Lib\NeroCheck.exe
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\F]
AutoRun\command- F:\Setup.exe
-- End of Deckard's System Scanner: finished at 2008-08-01 17:48:43 ------------
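The entries the helper is calling leftovers can be picked out mechanically. The script below is an added example, not code from this thread or from HijackThis or DSS; it runs the checks a helper applies by eye to the two logs above (an O2 BHO registration whose DLL is gone, rundll32 loading a system32 DLL through a one-letter export, a freshly created unattributed eight-letter DLL in system32, a hidden+system file in system32, and a cached AutoRun command under MountPoints2) over a constructed sample made of lines copied from those logs. The rule names and the eight-letter naming heuristic are assumptions of this example, not anything either tool defines.

```python
"""Triage helper for HijackThis (HJT) and Deckard's System Scanner (DSS) text logs.

Added example, not part of the thread or of either tool. Every rule is a
heuristic: a hit is a line a human should look at, not a verdict.
"""
from __future__ import annotations

import re
from dataclasses import dataclass


@dataclass(frozen=True)
class Finding:
    rule: str
    key: str   # registry key the line sits under in a DSS dump, "" for HJT lines
    line: str


# HJT O2 line whose DLL is gone: the CLSID registration survived the cleanup.
ORPHAN_BHO = re.compile(
    r"^O2 - BHO: .* - \{[0-9A-Fa-f-]{36}\} - (?:\(no file\)|.*\(file missing\))$")
# rundll32 loading a DLL out of system32 via a one-letter export ("b", "s").
RUNDLL_ONE_LETTER = re.compile(
    r'^rundll32\.exe\s+"[^"]*\\system32\\[^"\\]+\.dll",[A-Za-z]$', re.IGNORECASE)
# DSS "Files created" line: timestamp, size, nine attribute flags, path, optional <vendor info>.
DSS_FILE = re.compile(
    r"^(\d{4}-\d\d-\d\d \d\d:\d\d:\d\d)\s+(\d+)\s+([-a-z]{9})\s+(.+?)(?:\s+<(.*)>)?$")
DSS_KEY = re.compile(r"^\[(HKEY_[^\]]+)\]$")
AUTORUN = re.compile(r"^AutoRun\\command-\s*(.+)$")
SYSTEM32 = re.compile(r"\\windows\\system32\\([^\\]+)$", re.IGNORECASE)
# Eight pure letters and nothing else: the naming habit seen in the logs (assumption, not a signature).
RANDOMISH = re.compile(r"^[A-Za-z]{8}\.dll$")


def triage(log_text: str) -> list[Finding]:
    """Walk the log once, tracking the current registry key in DSS dump sections."""
    findings: list[Finding] = []
    key = ""
    for raw in log_text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = DSS_KEY.match(line)
        if m:
            key = m.group(1)
            continue
        if ORPHAN_BHO.match(line):
            findings.append(Finding("orphaned-bho", "", line))
            continue
        if RUNDLL_ONE_LETTER.match(line):
            findings.append(Finding("rundll32-system32-dll", key, line))
            continue
        m = AUTORUN.match(line)
        if m and "mountpoints2" in key.lower():
            findings.append(Finding("mountpoints2-autorun", key, line))
            continue
        m = DSS_FILE.match(line)
        if m:
            _, _, attrs, path, vendor = m.groups()
            name = SYSTEM32.search(path)
            if not name or attrs.startswith("d"):
                continue  # only loose files directly under system32 matter here
            if "h" in attrs and "s" in attrs:
                findings.append(Finding("system32-hidden-system-file", "", line))
            elif vendor is None and RANDOMISH.match(name.group(1)):
                findings.append(Finding("system32-unattributed-random-dll", "", line))
    return findings


def rule_counts(log_text: str) -> dict[str, int]:
    counts: dict[str, int] = {}
    for f in triage(log_text):
        counts[f.rule] = counts.get(f.rule, 0) + 1
    return counts


# Constructed sample: lines copied from the HJT and DSS logs posted in the thread,
# plus a few clean neighbours so the rules have something to ignore.
SAMPLE_LOG = r"""
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O2 - BHO: (no name) - {A871CE06-1CC1-4E47-BC04-A9BC9BC800CE} - (no file)
O2 - BHO: (no name) - {E77A877E-BE26-4C95-BB62-138097A69241} - C:\WINDOWS\system32\opnolMEU.dll (file missing)
2008-07-30 03:34:04 89088 --a------ C:\WINDOWS\system32\qylgemem.dll
2008-07-30 02:50:16 1774 --ahs---- C:\WINDOWS\system32\hPrrAyay.ini2
2008-07-22 03:03:36 237568 --a------ C:\WINDOWS\system32\lame_enc.dll
2008-07-22 03:03:37 196608 --a------ C:\WINDOWS\system32\NCTWMVFile.dll <Not Verified; NCT Company Ltd.; NCTWMVFile ActiveX DLL>
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\8cab1d73]
rundll32.exe "C:\WINDOWS\system32\mqqyqqwf.dll",b
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BM8f982eef]
Rundll32.exe "C:\WINDOWS\system32\jlgcerje.dll",s
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\GrooveMonitor]
"C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe"
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\F]
AutoRun\command- F:\Setup.exe
"""

if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        where = f" [{f.key}]" if f.key else ""
        print(f"{f.rule:34}{where}\n    {f.line}")
```

Point it at a saved main.txt or HJT log with triage(open(path).read()). The rules are deliberately narrow: the O23 "Unknown owner" services are left alone because ESET and PunkBuster show up there too, and an eight-letter DLL name is only flagged when DSS could attach no vendor string to it, which is why lame_enc.dll and the NCT codecs in the sample pass.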
Let's try this then:
Click Start and then Run to bring up the Run box.
Copy and paste the contents of this quote box into the run box:
"%userprofile%\desktop\dss.exe" /config
Close all other open windows.
Click OK.
A window will now open. Click Check All and then click Scan!.
When the scan is complete, two text files will open in Notepad: main.txt (this one will be maximized) and extra.txt (this one will be minimized).
If not, they both can be found in the C:\Deckard\System Scanner folder.
Please copy (Ctrl+C) and paste (Ctrl+V) the contents of main.txt and extra.txt in your next reply.
Deckard's System Scanner v20071014.68
Run by Wallboy on 2008-08-02 16:35:18
Computer is in Normal Mode.
--------------------------------------------------------------------------------
-- System Restore --------------------------------------------------------------
-- Last 5 Restore Point(s) --
106: 2008-08-01 23:42:40 UTC - RP165 - Deckard's System Scanner Restore Point
105: 2008-08-01 00:12:12 UTC - RP164 - System Checkpoint
104: 2008-07-30 08:50:42 UTC - RP163 - Last known good configuration
103: 2008-07-30 08:50:37 UTC - RP162 - Installed PowerDirector
102: 2008-07-30 08:50:36 UTC - RP161 - Configured PowerDirector
-- First Restore Point --
1: 2008-07-30 08:50:26 UTC - RP60 - System Checkpoint
Performed disk cleanup.
-- HijackThis (run as Wallboy.exe) -------------------------------------------
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 4:35:26 PM, on 8/2/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16608)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Analog Devices\Core\smax4pnp.exe
C:\Program Files\Analog Devices\SoundMAX\Smax4.exe
C:\Program Files\ESET\ESET NOD32 Antivirus\egui.exe
C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\MOM.exe
C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe
C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
C:\Program Files\UltraMon\UltraMon.exe
C:\Program Files\Microsoft Office\Office12\ONENOTEM.EXE
C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\ccc.exe
C:\Program Files\UltraMon\UltraMonTaskbar.exe
C:\Program Files\ESET\ESET NOD32 Antivirus\ekrn.exe
C:\WINDOWS\system32\PnkBstrA.exe
C:\Program Files\CyberLink\Shared files\RichVideo.exe
C:\Program Files\Sandboxie\SbieSvc.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Documents and Settings\Wallboy\desktop\dss.exe
C:\PROGRA~1\TRENDM~1\HIJACK~1\ADAMWA~1.EXE
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
R3 - URLSearchHook: ICQ Toolbar - {855F3B16-6D32-4fe6-8A56-BBB695989046} - C:\PROGRA~1\ICQTOO~1\toolbaru.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: (no name) - {A871CE06-1CC1-4E47-BC04-A9BC9BC800CE} - (no file)
O2 - BHO: (no name) - {E77A877E-BE26-4C95-BB62-138097A69241} - C:\WINDOWS\system32\opnolMEU.dll (file missing)
O3 - Toolbar: ICQ Toolbar - {855F3B16-6D32-4fe6-8A56-BBB695989046} - C:\PROGRA~1\ICQTOO~1\toolbaru.dll
O4 - HKLM\..\Run: [SoundMAXPnP] C:\Program Files\Analog Devices\Core\smax4pnp.exe
O4 - HKLM\..\Run: [SoundMAX] "C:\Program Files\Analog Devices\SoundMAX\Smax4.exe" /tray
O4 - HKLM\..\Run: [egui] "C:\Program Files\ESET\ESET NOD32 Antivirus\egui.exe" /hide /waitservice
O4 - HKLM\..\Run: [StartCCC] "C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe"
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\Windows Live\Messenger\msnmsgr.exe" /background
O4 - HKCU\..\Run: [updateMgr] C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe AcRdB7_1_0
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE
O4 - HKCU\..\Run: [SandboxieControl] "C:\Program Files\Sandboxie\SbieCtrl.exe"
O4 - Startup: OneNote 2007 Screen Clipper and Launcher.lnk = C:\Program Files\Microsoft Office\Office12\ONENOTEM.EXE
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: UltraMon.lnk = ?
O8 - Extra context menu item: Append Link Target to Existing PDF - res://C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\Office12\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~3\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~3\Office12\ONBttnIE.dll
O9 - Extra button: PokerStars - {3AD14F0C-ED16-4e43-B6D8-661B03F6A1EF} - C:\Program Files\PokerStars\PokerStarsUpdate.exe
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\Office12\REFIEBAR.DLL
O9 - Extra button: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyGaming\PartyPoker\RunApp.exe
O9 - Extra 'Tools' menuitem: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyGaming\PartyPoker\RunApp.exe
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: ICQ6 - {E59EB121-F339-4851-A3BA-FE49C35617C2} - C:\Program Files\ICQ6\ICQ.exe
O9 - Extra 'Tools' menuitem: ICQ6 - {E59EB121-F339-4851-A3BA-FE49C35617C2} - C:\Program Files\ICQ6\ICQ.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {5C051655-FCD5-4969-9182-770EA5AA5565} (Solitaire Showdown Class) - http://messenger.zone.msn.com/binary/SolitaireShowdown.cab56986.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1207217332156
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1207217950968
O16 - DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsPAClient.cab56907.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\PROGRA~1\MICROS~3\Office12\GR99D3~1.DLL
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: Eset HTTP Server (EhttpSrv) - Unknown owner - C:\Program Files\ESET\ESET NOD32 Antivirus\EHttpSrv.exe
O23 - Service: Eset Service (ekrn) - ESET - C:\Program Files\ESET\ESET NOD32 Antivirus\ekrn.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: NMIndexingService - Nero AG - C:\Program Files\Common Files\Nero\Lib\NMIndexingService.exe
O23 - Service: PD91Engine - Raxco Software, Inc. - C:\Program Files\Raxco\PerfectDisk2008\PD91Engine.exe
O23 - Service: PnkBstrA - Unknown owner - C:\WINDOWS\system32\PnkBstrA.exe
O23 - Service: Cyberlink RichVideo Service(CRVS) (RichVideo) - Unknown owner - C:\Program Files\CyberLink\Shared files\RichVideo.exe
O23 - Service: Sandboxie Service (SbieSvc) - tzuk - C:\Program Files\Sandboxie\SbieSvc.exe
O23 - Service: wampapache - Apache Software Foundation - c:\wamp\bin\apache\apache2.2.8\bin\httpd.exe
O23 - Service: wampmysqld - Unknown owner - c:\wamp\bin\mysql\mysql5.0.51a\bin\mysqld-nt.exe
--
End of file - 8098 bytes
-- HijackThis Fixed Entries (C:\PROGRA~1\TRENDM~1\HIJACK~1\backups\) -----------
backup-20080521-201757-547 O23 - Service: Nero BackItUp Scheduler 3 - Nero AG - C:\Program Files\Nero\Nero8\Nero BackItUp\NBService.exe
backup-20080730-033221-906 O2 - BHO: {2e245e51-12fe-998a-26f4-46f5665940d8} - {8d049566-5f64-4f62-a899-ef2115e542e2} - C:\WINDOWS\system32\qyglkf.dll (file missing)
backup-20080730-033419-298 O2 - BHO: (no name) - {A871CE06-1CC1-4E47-BC04-A9BC9BC800CE} - C:\WINDOWS\system32\yayArrPh.dll (file missing)
backup-20080730-033433-181 O4 - HKLM\..\Run: [BM8f982eef] Rundll32.exe "C:\WINDOWS\system32\qylgemem.dll",s
backup-20080730-033510-378 O4 - HKLM\..\Run: [BM8f982eef] Rundll32.exe "C:\WINDOWS\system32\qylgemem.dll",s
backup-20080730-033518-452 O4 - HKLM\..\Run: [BM8f982eef] Rundll32.exe "C:\WINDOWS\system32\qylgemem.dll",s
-- File Associations -----------------------------------------------------------
.reg - regfile - shell\open\command - regedit.exe "%1" %*
.scr - scrfile - shell\open\command - "%1" %*
-- Drivers: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled ---------------------
R1 SCDEmu - c:\windows\system32\drivers\scdemu.sys <Not Verified; PowerISO Computing, Inc.; scdemu>
R2 Haspnt - c:\windows\system32\drivers\haspnt.sys <Not Verified; Aladdin Knowledge Systems; Windows NT HASP Kernel Device Driver>
R2 Sentinel - c:\windows\system32\drivers\sentinel.sys <Not Verified; Rainbow Technologies, Inc.; Sentinel System Driver>
R2 UltraMonUtility (UltraMon Utility Driver) - c:\program files\common files\realtime soft\ultramonmirrordrv\x32\ultramonutility.sys <Not Verified; Realtime Soft; UltraMon>
R3 SbieDrv - c:\program files\sandboxie\sbiedrv.sys <Not Verified; tzuk; Sandboxie>
R3 UltraMonMirror - c:\windows\system32\drivers\ultramonmirror.sys <Not Verified; Realtime Soft; UltraMon>
S2 DS1410D - c:\windows\system32\drivers\ds1410d.sys
S2 zumbus (Zune Bus Enumerator Driver) - c:\windows\system32\drivers\zumbus.sys (file missing)
S3 ENTECH - c:\windows\system32\drivers\entech.sys <Not Verified; EnTech Taiwan; PowerStrip>
S3 Sntnlusb (Rainbow USB SuperPro) - c:\windows\system32\drivers\sntnlusb.sys <Not Verified; Rainbow Technologies Inc.; Rainbow Technologies USB Security Device Driver>
-- Services: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled --------------------
R2 RichVideo (Cyberlink RichVideo Service(CRVS)) - "c:\program files\cyberlink\shared files\richvideo.exe" <Not Verified; ; RichVideo Module>
R2 SbieSvc (Sandboxie Service) - c:\program files\sandboxie\sbiesvc.exe <Not Verified; tzuk; Sandboxie>
S3 FLEXnet Licensing Service - "c:\program files\common files\macrovision shared\flexnet publisher\fnplicensingservice.exe" <Not Verified; Macrovision Europe Ltd.; FLEXnet Publisher (32 bit)>
S3 wampapache - "c:\wamp\bin\apache\apache2.2.8\bin\httpd.exe" -k runservice <Not Verified; Apache Software Foundation; Apache HTTP Server>
S3 wampmysqld - c:\wamp\bin\mysql\mysql5.0.51a\bin\mysqld-nt.exe wampmysqld
S4 Nero BackItUp Scheduler 3 - c:\program files\nero\nero8\nero backitup\nbservice.exe
S4 PLFlash DeviceIoControl Service - c:\windows\system32\ioctlsvc.exe <Not Verified; Prolific Technology Inc.; IoctlSvc Application>
-- Device Manager: Disabled ----------------------------------------------------
Class GUID: {4D36E96B-E325-11CE-BFC1-08002BE10318}
Description: Standard 101/102-Key or Microsoft Natural PS/2 Keyboard
Device ID: ACPI\PNP0303\4&B6AFFD&0
Manufacturer: (Standard keyboards)
Name: Standard 101/102-Key or Microsoft Natural PS/2 Keyboard
PNP Device ID: ACPI\PNP0303\4&B6AFFD&0
Service: i8042prt
-- Process Modules -------------------------------------------------------------
C:\WINDOWS\system32\svchost.exe (pid 1184)
2006-02-28 12:42:30 94208 --a------ C:\Program Files\Bonjour\mdnsNSP.dll <Not Verified; Apple Computer, Inc.; Bonjour>
C:\WINDOWS\explorer.exe (pid 1956)
2008-01-14 19:24:48 57856 --a------ C:\Program Files\UltraMon\RTSUltraMonHook.dll <Not Verified; Realtime Soft Ltd; UltraMon>
-- Files created between 2008-07-02 and 2008-08-02 -----------------------------
2008-07-31 00:20:54 0 d-------- C:\Sandbox
2008-07-31 00:20:13 0 d-------- C:\Program Files\Sandboxie
2008-07-30 03:45:58 0 d-------- C:\Documents and Settings\Wallboy\Application Data\Malwarebytes
2008-07-30 03:45:54 0 d-------- C:\Documents and Settings\All Users\Application Data\Malwarebytes
2008-07-30 03:45:53 0 d-------- C:\Program Files\Malwarebytes' Anti-Malware
2008-07-30 03:34:04 89088 --a------ C:\WINDOWS\system32\qylgemem.dll
2008-07-30 03:00:53 0 d-------- C:\VundoFix Backups
2008-07-30 02:50:16 1774 --ahs---- C:\WINDOWS\system32\hPrrAyay.ini2
2008-07-29 01:13:51 0 d-------- C:\Program Files\The Longest Journey
2008-07-28 17:30:01 0 d-------- C:\Documents and Settings\All Users\CyberLink
2008-07-28 17:25:25 0 d-------- C:\Documents and Settings\Wallboy\Application Data\CyberLink
2008-07-28 17:22:51 0 d-------- C:\Program Files\SmartSound Software
2008-07-28 17:22:51 0 d-------- C:\Documents and Settings\All Users\Application Data\SmartSound Software Inc
2008-07-28 17:02:04 0 d-------- C:\Program Files\CyberLink
2008-07-28 16:45:56 0 d-------- C:\Program Files\Shareaza
2008-07-28 16:45:56 0 d-------- C:\Documents and Settings\Wallboy\Application Data\Shareaza
2008-07-28 04:46:50 0 d-------- C:\Program Files\Common Files\Bcgsoft
2008-07-28 04:46:42 0 d-------- C:\Documents and Settings\Wallboy\Application Data\ECSoftware
2008-07-28 04:46:41 0 d-------- C:\Program Files\HexEdit
2008-07-23 19:28:11 0 d-------- C:\WMSDK
2008-07-23 18:59:37 0 d-------- C:\Program Files\RailFoxsoft
2008-07-23 17:12:00 0 d-------- C:\Documents and Settings\Wallboy\Application Data\WebMoney
2008-07-23 17:08:25 0 d-------- C:\Program Files\WebMoney
2008-07-22 23:54:08 0 d-------- C:\Program Files\eMule
2008-07-22 23:43:31 0 d-------- C:\Program Files\DC++
2008-07-22 22:55:18 0 d-------- C:\Documents and Settings\Wallboy\Application Data\LimeWire
2008-07-22 22:55:06 0 d-------- C:\Program Files\LimeWire
2008-07-22 05:20:39 0 d-------- C:\Program Files\RenList
2008-07-22 03:03:39 5 --a------ C:\WINDOWS\system32\SySAVI2WMV.dat
2008-07-22 03:03:37 196608 --a------ C:\WINDOWS\system32\NCTWMVFile.dll <Not Verified; NCT Company Ltd.; NCTWMVFile ActiveX DLL>
2008-07-22 03:03:37 139264 --a------ C:\WINDOWS\system32\NCTVideoFile.dll <Not Verified; NCT Company Ltd.; NCTVideoFile ActiveX DLL>
2008-07-22 03:03:37 356352 --a------ C:\WINDOWS\system32\NCTVideoDxPlayer.dll <Not Verified; NCT Company Ltd.; NCTVideoDxPlayer ActiveX DLL>
2008-07-22 03:03:37 991232 --a------ C:\WINDOWS\system32\NCTVideoCoreM.dll <Not Verified; NCT Company Ltd.; NCTVideoCoreM ActiveX DLL>
2008-07-22 03:03:37 90112 --a------ C:\WINDOWS\system32\NCTAudioFormatSettings3.dll <Not Verified; Online Media Technologies Ltd.; NCTAudioFormatSettings3 Module>
2008-07-22 03:03:36 2260992 --a------ C:\WINDOWS\system32\NCTVideoCompress.dll <Not Verified; NCT Company Ltd.; NCTVideoCompress ActiveX DLL>
2008-07-22 03:03:36 282624 --a------ C:\WINDOWS\system32\NCTQuickTimeFile.dll <Not Verified; Online Media Technologies Company Ltd.; NCTQuickTimeFile Module>
2008-07-22 03:03:36 294912 --a------ C:\WINDOWS\system32\NCTAVIFile.dll <Not Verified; NCT Company Ltd.; NCTAVIFile ActiveX DLL>
2008-07-22 03:03:36 2658304 --a------ C:\WINDOWS\system32\NCTAudioCompress3.dll <Not Verified; Online Media Technologies Ltd.; NCTAudioCompress3 Module>
2008-07-22 03:03:36 1810432 --a------ C:\WINDOWS\system32\NCTAudioCompress2.dll <Not Verified; Online Media Technologies Ltd.; NCTAudioCompress2 Module>
2008-07-22 03:03:36 237568 --a------ C:\WINDOWS\system32\lame_enc.dll
2008-07-22 03:03:35 0 d-------- C:\Program Files\ezvideotools.com
2008-07-22 02:23:50 0 d-------- C:\Program Files\Vidlock
2008-07-22 01:49:10 0 d-------- C:\WINDOWS\system32\windows media
2008-07-22 01:49:05 0 d-------- C:\WINDOWS\RegisteredPackages
2008-07-22 01:49:05 0 d--h----- C:\WINDOWS\msdownld.tmp
2008-07-22 01:49:01 0 d-------- C:\Program Files\Windows Media Components
2008-07-21 21:29:45 0 d-------- C:\Program Files\Data Doctor MSI to EXE Creator Demo
2008-07-21 18:50:50 0 d-------- C:\Documents and Settings\Wallboy\Application Data\ICQ Toolbar
2008-07-21 18:46:42 0 d-------- C:\Program Files\ICQToolbar
2008-07-21 18:46:15 0 d-------- C:\Documents and Settings\Wallboy\Application Data\ICQ
2008-07-21 18:45:55 0 d-------- C:\Program Files\ICQ6
2008-07-21 02:25:19 0 d-------- C:\Program Files\ProxyFirewall
2008-07-20 17:57:31 0 d-------- C:\Documents and Settings\Wallboy\Application Data\Dev-Cpp
2008-07-20 17:57:10 0 d-------- C:\Dev-Cpp
2008-07-18 15:17:41 59692 --ah----- C:\WINDOWS\system32\mlfcache.dat
2008-07-18 14:00:49 0 d--h----- C:\WINDOWS\PIF
2008-07-18 01:14:28 176235 --a------ C:\WINDOWS\system32\Primomonnt.dll
2008-07-18 01:14:27 0 d-------- C:\WINDOWS\PrimoPDF4
2008-07-18 01:14:27 0 d-------- C:\Program Files\activePDF
2008-07-18 01:11:53 0 d-------- C:\Documents and Settings\All Users\Application Data\Office Genuine Advantage
2008-07-18 00:51:09 0 d-------- C:\Documents and Settings\Wallboy\Application Data\OpenOffice.org2
2008-07-18 00:49:56 0 d-------- C:\Program Files\OpenOffice.org 2.4
2008-07-09 03:03:00 0 d-------- C:\WINDOWS\system32\AGEIA
2008-07-09 03:02:59 0 d-------- C:\Program Files\AGEIA Technologies
2008-07-09 03:00:16 0 d-------- C:\Program Files\THQ
2008-07-08 23:54:06 0 d-------- C:\Documents and Settings\Wallboy\Application Data\NuSphere
2008-07-07 19:08:02 0 d-------- C:\Program Files\AVPRP
2008-07-07 18:55:23 0 d-------- C:\Program Files\Excel Add Data, Text & Characters To All Cells Software
2008-07-06 19:40:38 0 d-------- C:\Program Files\Codemasters
2008-07-04 19:36:20 0 d-------- C:\Program Files\Java
2008-07-04 19:35:55 0 d-------- C:\Program Files\Common Files\Java
2008-07-04 19:04:38 0 d-------- C:\Program Files\GRLevelX
2008-07-03 01:16:30 0 d-------- C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-07-03 01:08:39 0 d-------- C:\Documents and Settings\NetworkService\Desktop
-- Find3M Report ---------------------------------------------------------------
2008-08-02 16:32:49 0 d-------- C:\Documents and Settings\Wallboy\Application Data\uTorrent
2008-08-01 22:43:05 0 d-------- C:\Documents and Settings\Wallboy\Application Data\mIRC
2008-08-01 20:35:05 0 d-------- C:\Program Files\mIRC
2008-07-29 23:37:57 0 d-------- C:\Documents and Settings\Wallboy\Application Data\GrabIt
2008-07-28 17:22:54 0 d--h----- C:\Program Files\InstallShield Installation Information
2008-07-28 04:46:50 0 d-------- C:\Program Files\Common Files
2008-07-23 22:50:27 0 d-------- C:\Documents and Settings\Wallboy\Application Data\FileZilla
2008-07-21 04:55:01 0 d-------- C:\Program Files\QuickPar
2008-07-18 00:46:20 0 d-------- C:\Program Files\Common Files\Adobe
2008-07-17 05:20:06 0 d-------- C:\Program Files\thinkorswim
2008-07-14 01:08:22 0 d-------- C:\Documents and Settings\Wallboy\Application Data\Skype
2008-07-12 19:20:17 0 d-------- C:\Documents and Settings\Wallboy\Application Data\AdobeUM
2008-07-12 19:18:34 0 d-------- C:\Documents and Settings\Wallboy\Application Data\Adobe
2008-07-09 03:02:40 0 d-------- C:\Program Files\Common Files\Wise Installation Wizard
2008-07-03 00:25:20 0 d-------- C:\Program Files\Windows Media Connect 2
2008-07-02 18:30:16 0 d-------- C:\Program Files\PokerStars
2008-06-30 01:02:37 0 d-------- C:\Program Files\SEO Elite 4
2008-06-30 00:21:01 0 d-------- C:\Program Files\Keyword Elite
2008-06-27 21:04:52 0 d-------- C:\Program Files\Microsoft adCenter Add-in for Excel 2.0 (Beta)
2008-06-27 21:02:58 0 d-------- C:\Program Files\Reference Assemblies
2008-06-27 18:06:31 0 d-------- C:\Program Files\Back Link Analyzer v2.0-cp
2008-06-23 20:37:13 0 d-------- C:\Documents and Settings\Wallboy\Application Data\dvdcss
2008-06-23 16:21:07 0 d-------- C:\Program Files\Google
2008-06-21 18:26:50 0 d-------- C:\Documents and Settings\Wallboy\Application Data\SPORE Creature Creator
2008-06-21 18:24:41 0 d-------- C:\Program Files\Electronic Arts
2008-06-17 16:09:39 0 d-------- C:\Documents and Settings\Wallboy\Application Data\Mozilla
2008-06-16 18:51:12 0 d-------- C:\Program Files\FileZilla FTP Client
2008-06-07 20:27:37 0 d-------- C:\Program Files\PartyGaming
2008-06-07 02:57:56 0 d-------- C:\Documents and Settings\Wallboy\Application Data\Sun
2008-06-04 02:58:42 0 d-------- C:\Documents and Settings\Wallboy\Application Data\streamripper
2008-06-04 02:58:36 0 d-------- C:\Program Files\Streamripper
2008-06-02 21:05:00 593920 -----n--- C:\WINDOWS\system32\ati2sgag.exe <Not Verified; ; ATI Smart>
2008-05-21 20:33:03 23552 --a------ C:\WINDOWS\system32\ctfmon.exe <Not Verified; Gerhard Schlager; Dummy CTFMON.EXE (part of the CTFMON-Remover)>
-- Registry Dump ---------------------------------------------------------------
*Note* empty entries & legit default entries are not shown
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{A871CE06-1CC1-4E47-BC04-A9BC9BC800CE}]
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{E77A877E-BE26-4C95-BB62-138097A69241}]
C:\WINDOWS\system32\opnolMEU.dll
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SoundMAXPnP"="C:\Program Files\Analog Devices\Core\smax4pnp.exe" [12/18/2006 09:34 PM]
"SoundMAX"="C:\Program Files\Analog Devices\SoundMAX\Smax4.exe" [07/13/2006 07:12 AM]
"egui"="C:\Program Files\ESET\ESET NOD32 Antivirus\egui.exe" [10/25/2007 09:26 AM]
"StartCCC"="C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" [01/21/2008 12:17 PM]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe" [06/10/2008 04:27 AM]
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"msnmsgr"="C:\Program Files\Windows Live\Messenger\msnmsgr.exe" [10/18/2007 11:34 AM]
"updateMgr"="C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" [03/30/2006 04:45 PM]
"CTFMON.EXE"="C:\WINDOWS\system32\CTFMON.EXE" [05/21/2008 08:33 PM]
"SandboxieControl"="C:\Program Files\Sandboxie\SbieCtrl.exe" [06/30/2008 03:19 PM]
C:\Documents and Settings\Wallboy\Start Menu\Programs\Startup\
OneNote 2007 Screen Clipper and Launcher.lnk - C:\Program Files\Microsoft Office\Office12\ONENOTEM.EXE [10/26/2006 8:24:54 PM]
C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Adobe Reader Speed Launch.lnk - C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [4/23/2008 3:38:16 AM]
UltraMon.lnk - C:\WINDOWS\Installer\{AF0FA6D7-96F3-468A-ABB7-28BE006EA8E9}\IcoUltraMon.ico [4/3/2008 4:54:19 AM]
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders]
SecurityProviders msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll,
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Wdf01000.sys]
@="Driver"
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\8cab1d73]
rundll32.exe "C:\WINDOWS\system32\mqqyqqwf.dll",b
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BM8f982eef]
Rundll32.exe "C:\WINDOWS\system32\jlgcerje.dll",s
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\GrooveMonitor]
"C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe"
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IndxStoreSvr_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}]
"C:\Program Files\Common Files\Nero\Lib\NMIndexStoreSvr.exe" ASO-616B5711-6DAE-4795-A05F-39A1E5104020
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NBKeyScan]
"C:\Program Files\Nero\Nero8\Nero BackItUp\NBKeyScan.exe"
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroFilterCheck]
C:\Program Files\Common Files\Nero\Lib\NeroCheck.exe
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\F]
AutoRun\command- F:\Setup.exe
-- Hosts -----------------------------------------------------------------------
127.0.0.1 www.007guard.com
127.0.0.1 007guard.com
127.0.0.1 008i.com
127.0.0.1 www.008k.com
127.0.0.1 008k.com
127.0.0.1 www.00hq.com
127.0.0.1 00hq.com
127.0.0.1 010402.com
127.0.0.1 www.032439.com
127.0.0.1 032439.com
8772 more entries in hosts file.
-- End of Deckard's System Scanner: finished at 2008-08-02 16:35:59 ------------
Deckard's System Scanner v20071014.68
Extra logfile - please post this as an attachment with your post.
--------------------------------------------------------------------------------
-- System Information ----------------------------------------------------------
Microsoft Windows XP Professional (build 2600) SP 2.0
Architecture: X86; Language: English
CPU 0: Intel(R) Core(TM)2 Quad CPU Q6600 @ 2.40GHz
CPU 1: Intel(R) Core(TM)2 Quad CPU Q6600 @ 2.40GHz
CPU 2: Intel(R) Core(TM)2 Quad CPU Q6600 @ 2.40GHz
CPU 3: Intel(R) Core(TM)2 Quad CPU Q6600 @ 2.40GHz
Percentage of Memory in Use: 15%
Physical Memory (total/avail): 3071.04 MiB / 2606.9 MiB
Pagefile Memory (total/avail): 4961.52 MiB / 4630.3 MiB
Virtual Memory (total/avail): 2047.88 MiB / 1924.67 MiB
A: is Removable (No Media)
C: is Fixed (NTFS) - 465.75 GiB total, 361.48 GiB free.
D: is Fixed (NTFS) - 465.76 GiB total, 150.52 GiB free.
E: is CDROM (No Media)
\\.\PHYSICALDRIVE1 - WDC WD5000AAKS-00YGA0 - 465.76 GiB - 1 partition
\PARTITION0 (bootable) - Installable File System - 465.76 GiB - D:
\\.\PHYSICALDRIVE0 - WDC WD5000AAKS-00YGA0 - 465.76 GiB - 1 partition
\PARTITION0 (bootable) - Installable File System - 465.75 GiB - C:
-- Security Center -------------------------------------------------------------
AUOptions is disabled.
Windows Internal Firewall is disabled.
FirstRunDisabled is set.
AV: ESET NOD32 Antivirus 3.0 v3.0 (ESET, spol. s r. o.)
[HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"C:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"="C:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe:*:Enabled:Windows Live Messenger"
"C:\\Program Files\\Windows Live\\Messenger\\livecall.exe"="C:\\Program Files\\Windows Live\\Messenger\\livecall.exe:*:Enabled:Windows Live Messenger (Phone)"
"%windir%\\Network Diagnostic\\xpnetdiag.exe"="%windir%\\Network Diagnostic\\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"
[HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"C:\\Program Files\\uTorrent\\uTorrent.exe"="C:\\Program Files\\uTorrent\\uTorrent.exe:*:Enabled:µTorrent"
"C:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"="C:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe:*:Enabled:Windows Live Messenger"
"C:\\Program Files\\Windows Live\\Messenger\\livecall.exe"="C:\\Program Files\\Windows Live\\Messenger\\livecall.exe:*:Enabled:Windows Live Messenger (Phone)"
"%windir%\\Network Diagnostic\\xpnetdiag.exe"="%windir%\\Network Diagnostic\\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"
"C:\\Program Files\\Kazaa Lite K++\\KazaaLite.kpp"="C:\\Program Files\\Kazaa Lite K++\\KazaaLite.kpp:*:Enabled:KazaaLite"
"C:\\Program Files\\EA GAMES\\Battlefield 2\\BF2.exe"="C:\\Program Files\\EA GAMES\\Battlefield 2\\BF2.exe:*:Enabled:Battlefield 2"
"C:\\Program Files\\Bonjour\\mDNSResponder.exe"="C:\\Program Files\\Bonjour\\mDNSResponder.exe:*:Enabled:Bonjour"
"C:\\Program Files\\Microsoft Office\\Office12\\GROOVE.EXE"="C:\\Program Files\\Microsoft Office\\Office12\\GROOVE.EXE:*:Enabled:Microsoft Office Groove"
"C:\\Program Files\\Electronic Arts\\Crytek\\Crysis\\Bin32\\Crysis.exe"="C:\\Program Files\\Electronic Arts\\Crytek\\Crysis\\Bin32\\Crysis.exe:*:Enabled:Crysis_32"
"C:\\Program Files\\Electronic Arts\\Crytek\\Crysis\\Bin32\\CrysisDedicatedServer.exe"="C:\\Program Files\\Electronic Arts\\Crytek\\Crysis\\Bin32\\CrysisDedicatedServer.exe:*:Enabled:CrysisDedicatedServer_32"
"C:\\WINDOWS\\system32\\PnkBstrA.exe"="C:\\WINDOWS\\system32\\PnkBstrA.exe:*:Enabled:PnkBstrA"
"C:\\WINDOWS\\system32\\PnkBstrB.exe"="C:\\WINDOWS\\system32\\PnkBstrB.exe:*:Enabled:PnkBstrB"
"C:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"="C:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe:*:Enabled:Yahoo! Messenger"
"C:\\Program Files\\Yahoo!\\Messenger\\YServer.exe"="C:\\Program Files\\Yahoo!\\Messenger\\YServer.exe:*:Enabled:Yahoo! FT Server"
"C:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"="C:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE:*:Enabled:Microsoft Office OneNote"
"C:\\Program Files\\THQ\\Frontlines-Fuel of War Demo\\Binaries\\FFOW-MPDemo.exe"="C:\\Program Files\\THQ\\Frontlines-Fuel of War Demo\\Binaries\\FFOW-MPDemo.exe:*:Enabled:Frontlines Game"
"C:\\Program Files\\Skype\\Phone\\Skype.exe"="C:\\Program Files\\Skype\\Phone\\Skype.exe:*:Enabled:Skype"
"C:\\Program Files\\ICQ6\\ICQ.exe"="C:\\Program Files\\ICQ6\\ICQ.exe:*:Enabled:ICQ6"
"C:\\Program Files\\LimeWire\\LimeWire.exe"="C:\\Program Files\\LimeWire\\LimeWire.exe:*:Enabled:LimeWire"
"C:\\Program Files\\CyberLink\\PowerDirector\\PDR.exe"="C:\\Program Files\\CyberLink\\PowerDirector\\PDR.exe:*:Enabled:CyberLink PowerDirector"
-- Environment Variables -------------------------------------------------------
ALLUSERSPROFILE=C:\Documents and Settings\All Users
APPDATA=C:\Documents and Settings\Wallboy\Application Data
CLIENTNAME=Console
CommonProgramFiles=C:\Program Files\Common Files
COMPUTERNAME=ADAM-A4A1399F65
ComSpec=C:\WINDOWS\system32\cmd.exe
FP_NO_HOST_CHECK=NO
HOMEDRIVE=C:
HOMEPATH=\Documents and Settings\Wallboy
LOGONSERVER=\\ADAM-A4A1399F65
NUMBER_OF_PROCESSORS=4
OS=Windows_NT
Path=C:\Program Files\Autodesk\Maya2008\bin;C:\WINDOWS\system32;C:\WINDOWS;C:\WINDOWS\System32\Wbem;C:\Program Files\ATI Technologies\ATI.ACE\Core-Static;C:\Program Files\Smart Projects\IsoBuster
PATHEXT=.COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH
PROCESSOR_ARCHITECTURE=x86
PROCESSOR_IDENTIFIER=x86 Family 6 Model 15 Stepping 11, GenuineIntel
PROCESSOR_LEVEL=6
PROCESSOR_REVISION=0f0b
ProgramFiles=C:\Program Files
PROMPT=$P$G
SESSIONNAME=Console
SystemDrive=C:
SystemRoot=C:\WINDOWS
TEMP=C:\DOCUME~1\ADAMWA~1\LOCALS~1\Temp
TMP=C:\DOCUME~1\ADAMWA~1\LOCALS~1\Temp
ULTRAMON_LANGDIR=C:\Program Files\UltraMon\Resources\en
USERDOMAIN=ADAM-A4A1399F65
USERNAME=Wallboy
USERPROFILE=C:\Documents and Settings\Wallboy
windir=C:\WINDOWS
-- User Profiles ---------------------------------------------------------------
Wallboy (admin)
-- Add/Remove Programs ---------------------------------------------------------
--> C:\Program Files\Nero\Nero8\\nero\uninstall\UNNERO.exe /UNINSTALL
--> C:\WINDOWS\UNNeroBackItUp.exe /UNINSTALL
--> C:\WINDOWS\UNNeroMediaHome.exe /UNINSTALL
--> C:\WINDOWS\UNNeroShowTime.exe /UNINSTALL
--> C:\WINDOWS\UNNeroVision.exe /UNINSTALL
--> C:\WINDOWS\UNRecode.exe /UNINSTALL
--> MsiExec /X{95FC26FB-19FD-4A96-BBB1-B1062E8648F5}
--> rundll32.exe setupapi.dll,InstallHinfSection DefaultUninstall 132 C:\WINDOWS\INF\PCHealth.inf
µTorrent --> "C:\Program Files\uTorrent\uTorrent.exe" /UNINSTALL
3DMark06 --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\10\01\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{7F3AD00A-1819-4B15-BB7D-08B3586336D7}\setup.exe" -l0x9 -removeonly
AC3Filter (remove only) --> C:\Program Files\AC3Filter\uninstall.exe
Adobe Anchor Service CS3 --> MsiExec.exe /I{90176341-0A8B-4CCC-A78D-F862228A6B95}
Adobe Asset Services CS3 --> MsiExec.exe /I{6FF5DD7A-FE28-4439-B8CF-1E9AF4EA0A61}
Adobe Bridge CS3 --> MsiExec.exe /I{9C9824D9-9000-4373-A6A5-D0E5D4831394}
Adobe Bridge Start Meeting --> MsiExec.exe /I{08B32819-6EEF-4057-AEDA-5AB681A36A23}
Adobe Camera Raw 4.0 --> MsiExec.exe /I{B3BF6689-A81D-40D8-9A86-4AC4ACD9FC1C}
Adobe CMaps --> MsiExec.exe /I{A2B242BD-FF8D-4840-9DAA-9170EABEC59C}
Adobe Color - Photoshop Specific --> MsiExec.exe /I{A2D81E70-2A98-4A08-A628-94388B063C5E}
Adobe Color Common Settings --> MsiExec.exe /I{DADD7B8A-BCB0-44F5-967A-ECB6B4F2ECD9}
Adobe Color EU Extra Settings --> MsiExec.exe /I{51846830-E7B2-4218-8968-B77F0FF475B8}
Adobe Color JA Extra Settings --> MsiExec.exe /I{DD7DB3C5-6FA3-4FA3-8A71-C2F2940EB029}
Adobe Color NA Recommended Settings --> MsiExec.exe /I{95655ED4-7CA5-46DF-907F-7144877A32E5}
Adobe Default Language CS3 --> MsiExec.exe /I{B9B35331-B7E4-4E5C-BF4C-7BC87856124D}
Adobe Device Central CS3 --> MsiExec.exe /I{8D2BA474-F406-4710-9AE4-D4F22D21F0DD}
Adobe ExtendScript Toolkit 2 --> MsiExec.exe /I{C2D69781-F392-4118-A5A7-C7E9C38DBFC2}
Adobe Flash Player ActiveX --> C:\WINDOWS\system32\Macromed\Flash\uninstall_activeX.exe
Adobe Flash Player Plugin --> C:\WINDOWS\system32\Macromed\Flash\uninstall_plugin.exe
Adobe Fonts All --> MsiExec.exe /I{6ABE0BEE-D572-4FE8-B434-9E72A289431B}
Adobe Help Viewer CS3 --> MsiExec.exe /I{04AF207D-9A77-465A-8B76-991F6AB66245}
Adobe Linguistics CS3 --> MsiExec.exe /I{54793AA1-5001-42F4-ABB6-C364617C6078}
Adobe PDF Library Files --> MsiExec.exe /I{D2559B88-CC9D-4B48-81BB-F492BAA9C48C}
Adobe Photoshop CS3 --> C:\Program Files\Common Files\Adobe\Installers\719d6f144d0c086a0dfa7ff76bb9ac1\Setup.exe
Adobe Photoshop CS3 --> MsiExec.exe /I{3D7E3EC9-46CF-4359-9289-39CE01DFB82F}
Adobe Reader 7.1.0 --> MsiExec.exe /I{AC76BA86-7AD7-1033-7B44-A71000000002}
Adobe Setup --> MsiExec.exe /I{FF11004C-F42A-4A31-9BCF-7F5C8FDBE53C}
Adobe Stock Photos CS3 --> MsiExec.exe /I{29E5EA97-5F74-4A57-B8B2-D4F169117183}
Adobe Type Support --> MsiExec.exe /I{8E6808E2-613D-4FCD-81A2-6C8FA8E03312}
Adobe Update Manager CS3 --> MsiExec.exe /I{E69AE897-9E0B-485C-8552-7841F48D42D8}
Adobe Version Cue CS3 Client --> MsiExec.exe /I{D0DFF92A-492E-4C40-B862-A74A173C25C5}
Adobe WinSoft Linguistics Plugin --> MsiExec.exe /I{184CE391-7E0E-4C63-9935-D7A10EDFD3C6}
Adobe XMP Panels CS3 --> MsiExec.exe /I{802771A9-A856-4A41-ACF7-1450E523C923}
Advanced VBA Password Recovery PRO --> C:\PROGRA~1\AVPRP\UNWISE.EXE C:\PROGRA~1\AVPRP\INSTALL.LOG
Age of Conan - Hyborian Adventures --> "C:\Program Files\Funcom\Age of Conan\unins000.exe"
AGEIA PhysX v7.11.13 --> MsiExec.exe /X{95FC26FB-19FD-4A96-BBB1-B1062E8648F5}
ATI - Software Uninstall Utility --> C:\Program Files\ATI Technologies\UninstallAll\AtiCimUn.exe
ATI Catalyst Control Center --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\09\01\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{055EE59D-217B-43A7-ABFF-507B966405D8}\setup.exe" -l0x7379
ATI Display Driver --> rundll32 C:\WINDOWS\system32\atiiiexx.dll,_InfEngUnInstallINFFile_RunDLL@16 -force_restart -flags:0x2010001 -inf_class:DISPLAY -clean
Autodesk DirectConnect 2.0 --> MsiExec.exe /I{C033BF6E-9D82-4E0B-A46E-ABC746D6F431}
Back Link Analyzer v2.0-cp --> C:\Program Files\Back Link Analyzer v2.0-cp\Uninstall.exe
Battlefield 2(TM) --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\10\50\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{04858915-9F49-4B2A-AED4-DC49A7DE6A7B}\setup.exe" -l0x9 -removeonly
CryEngine(R)2 Sandbox(TM)2 --> MsiExec.exe /I{7E4B7FD9-4ECE-4298-A910-3160B7918059}
Crysis(R) --> MsiExec.exe /I{000E79B7-E725-4F01-870A-C12942B7F8E4}
CyberLink PhotoNow --> "C:\Program Files\InstallShield Installation Information\{D36DD326-7280-11D8-97C8-000129760CBE}\Setup.exe" /z-uninstall
CyberLink PowerDirector --> "C:\Program Files\InstallShield Installation Information\{CB099890-1D5F-11D5-9EA9-0050BAE317E1}\Setup.exe" /z-uninstall
Data Doctor MSI to EXE Creator Demo --> C:\Program Files\Data Doctor MSI to EXE Creator Demo\Uninstall.exe
DC++ 0.707 --> "C:\Program Files\DC++\uninstall.exe"
Deer Hunter - The 2005 Season --> "C:\Program Files\Atari\Deer Hunter 2005\unins000.exe"
Dev-C++ 5 beta 9 release (4.9.9.2) --> "C:\Dev-Cpp\uninstall.exe"
DiRT --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\10\00\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{57B89E30-0BBA-4F20-9F2C-8E8CDE1CEDB6}\setup.exe" -l0x9 -removeonly
DivX Codec --> C:\Program Files\DivX\DivXCodecUninstall.exe /CODEC
DivX Player --> C:\Program Files\DivX\DivXPlayerUninstall.exe /PLAYER
DivX Web Player --> C:\Program Files\DivX\DivXWebPlayerUninstall.exe /PLUGIN
eMule --> "C:\Program Files\eMule\Uninstall.exe"
ESET NOD32 Antivirus --> MsiExec.exe /I{944BFDEB-868F-4943-A37C-2852C7D9824A}
EVEREST Corporate Edition v4.50 --> "C:\Program Files\Lavalys\EVEREST Corporate Edition\unins000.exe"
Excel Add Data, Text & Characters To All Cells Software 7.0 --> "C:\Program Files\Excel Add Data, Text & Characters To All Cells Software\unins000.exe"
EZ AVI TO WMV Converter 3.00 --> "C:\Program Files\ezvideotools.com\EZ AVI TO WMV Converter\unins000.exe"
FileZilla Client 3.0.11 --> C:\Program Files\FileZilla FTP Client\uninstall.exe
Flight Simulator X -->
Flight Simulator X Service Pack 1 -->
Fraps (remove only) --> "C:\Fraps\uninstall.exe"
Frontlines: Fuel of War Demo --> "C:\Program Files\InstallShield Installation Information\{7DE44E89-0544-4374-BECE-F63E8F542B8F}\setup.exe" -runfromtemp -l0x0009 -removeonly
GLOBEtrotter FLEXid Drivers --> C:\WINDOWS\IsUninst.exe -f"C:\Program Files\GLOBEtrotter Software Inc.\GLOBEtrotter FLEXid Drivers\Uninst.isu"
Google Earth --> MsiExec.exe /I{97C0EA4A-1A0B-4C53-ACEB-49984DA79C90}
GrabIt 1.7.1 Beta (build 960) --> "C:\Program Files\GrabIt\unins000.exe"
GRLevel3 version 1.43 --> "C:\Program Files\GRLevelX\GRLevel3\unins000.exe"
Guitar Hero III --> MsiExec.exe /I{0CE1A6C0-F3F7-49E6-8F9D-2431F9827441}
Haali Media Splitter --> "C:\Program Files\Haali\MatroskaSplitter\uninstall.exe"
HexEdit --> MsiExec.exe /I{5961E918-1156-480E-B408-8937075F4388}
High Definition Audio Driver Package - KB888111 --> C:\WINDOWS\$NtUninstallKB888111WXPSP2$\spuninst\spuninst.exe
HijackThis 2.0.2 --> "C:\Program Files\Trend Micro\HijackThis\HijackThis.exe" /uninstall
Hotfix for Windows Media Format 11 SDK (KB929399) --> "C:\WINDOWS\$NtUninstallKB929399$\spuninst\spuninst.exe"
ICQ Toolbar --> regsvr32 /u /s "C:\PROGRA~1\ICQTOO~1\toolbaru.dll"
ICQ6 --> "C:\Program Files\InstallShield Installation Information\{60DE4033-9503-48D1-A483-7846BD217CA9}\setup.exe" -runfromtemp -l0x0009 -removeonly
Java(TM) 6 Update 4 --> MsiExec.exe /I{3248F0A8-6813-11D6-A77B-00B0D0160040}
Java(TM) 6 Update 6 --> MsiExec.exe /I{3248F0A8-6813-11D6-A77B-00B0D0160060}
Java(TM) 6 Update 7 --> MsiExec.exe /I{3248F0A8-6813-11D6-A77B-00B0D0160070}
Kazaa Lite K++ v2.4.3 --> "C:\Program Files\Kazaa Lite K++\unins000.exe"
LimeWire 4.18.3 --> "C:\Program Files\LimeWire\uninstall.exe"
Malwarebytes' Anti-Malware --> "C:\Program Files\Malwarebytes' Anti-Malware\unins000.exe"
Marvell Miniport Driver --> MsiExec.exe /X{C950420B-4182-49EA-850A-A6A2ABF06C6B}
Maya 2008 --> MsiExec.exe /I{DA864DC0-0BF2-454B-A6A9-08A45EB97D3B}
Maya 2008 Documentation (en_US) --> MsiExec.exe /I{6C70ACE2-6EF2-4F8D-8C4A-78198AA979DD}
Microsoft adCenter Add-in for Excel 2.0 (Beta) --> MsiExec.exe /I{A0D66C5B-A622-475D-AD04-4B9E80F7DBB9}
Microsoft Bootvis --> MsiExec.exe /I{0F9196C6-58B4-445B-B56E-B1200FECC151}
Microsoft Compression Client Pack 1.0 for Windows XP --> "C:\WINDOWS\$NtUninstallMSCompPackV1$\spuninst\spuninst.exe"
Microsoft Flight Simulator X --> C:\PROGRA~1\COMMON~1\INSTAL~1\Driver\11\INTEL3~1\IDriver.exe /M{9527A496-5DF9-412A-ADC7-168BA5379CA6}
Microsoft Flight Simulator X: Acceleration --> C:\WINDOWS\system32\msiexec.exe /qb /l*vx "%TEMP%\FlightSimUninstall.log" /uninstall {A9729B90-D37B-4A69-B66A-7436AC1F7274}
Microsoft Flight Simulator X: Acceleration --> MsiExec.exe /I{A9729B90-D37B-4A69-B66A-7436AC1F7274}
Microsoft Kernel-Mode Driver Framework Feature Pack 1.7 --> "C:\WINDOWS\$NtUninstallWdf01007$\spuninst\spuninst.exe"
Microsoft Office Access MUI (English) 2007 --> MsiExec.exe /X{90120000-0015-0409-0000-0000000FF1CE}
Microsoft Office Access Setup Metadata MUI (English) 2007 --> MsiExec.exe /X{90120000-0117-0409-0000-0000000FF1CE}
Microsoft Office Enterprise 2007 --> "C:\Program Files\Common Files\Microsoft Shared\OFFICE12\Office Setup Controller\setup.exe" /uninstall ENTERPRISE /dll OSETUP.DLL
Microsoft Office Enterprise 2007 --> MsiExec.exe /X{90120000-0030-0000-0000-0000000FF1CE}
Microsoft Office Excel MUI (English) 2007 --> MsiExec.exe /X{90120000-0016-0409-0000-0000000FF1CE}
Microsoft Office Groove MUI (English) 2007 --> MsiExec.exe /X{90120000-00BA-0409-0000-0000000FF1CE}
Microsoft Office Groove Setup Metadata MUI (English) 2007 --> MsiExec.exe /X{90120000-0114-0409-0000-0000000FF1CE}
Microsoft Office InfoPath MUI (English) 2007 --> MsiExec.exe /X{90120000-0044-0409-0000-0000000FF1CE}
Microsoft Office OneNote MUI (English) 2007 --> MsiExec.exe /X{90120000-00A1-0409-0000-0000000FF1CE}
Microsoft Office Outlook MUI (English) 2007 --> MsiExec.exe /X{90120000-001A-0409-0000-0000000FF1CE}
Microsoft Office PowerPoint MUI (English) 2007 --> MsiExec.exe /X{90120000-0018-0409-0000-0000000FF1CE}
Microsoft Office Proof (English) 2007 --> MsiExec.exe /X{90120000-001F-0409-0000-0000000FF1CE}
Microsoft Office Proof (French) 2007 --> MsiExec.exe /X{90120000-001F-040C-0000-0000000FF1CE}
Microsoft Office Proof (Spanish) 2007 --> MsiExec.exe /X{90120000-001F-0C0A-0000-0000000FF1CE}
Microsoft Office Proofing (English) 2007 --> MsiExec.exe /X{90120000-002C-0409-0000-0000000FF1CE}
Microsoft Office Publisher MUI (English) 2007 --> MsiExec.exe /X{90120000-0019-0409-0000-0000000FF1CE}
Microsoft Office Shared MUI (English) 2007 --> MsiExec.exe /X{90120000-006E-0409-0000-0000000FF1CE}
Microsoft Office Shared Setup Metadata MUI (English) 2007 --> MsiExec.exe /X{90120000-0115-0409-0000-0000000FF1CE}
Microsoft Office Word MUI (English) 2007 --> MsiExec.exe /X{90120000-001B-0409-0000-0000000FF1CE}
Microsoft Silverlight --> MsiExec.exe /I{89F4137D-6C26-4A84-BDB8-2E5A4BB71E00}
Microsoft User-Mode Driver Framework Feature Pack 1.0 --> "C:\WINDOWS\$NtUninstallWudf01000$\spuninst\spuninst.exe"
Microsoft Visual C++ 2005 Redistributable --> MsiExec.exe /X{7299052b-02a4-4627-81f2-1818da5d550d}
Microsoft Visual C++ 2005 Redistributable --> MsiExec.exe /X{A49F249F-0C91-497F-86DF-B2585E8E76B7}
Microsoft Visual Studio 2005 Tools for Office Runtime --> MsiExec.exe /X{388E4B09-3E71-4649-8921-F44A3A2954A7}
mIRC --> C:\Program Files\mIRC\uninstall.exe _?=C:\Program Files\mIRC
Mozilla Firefox (3.0.1) --> C:\Program Files\Mozilla Firefox\uninstall\helper.exe
MSXML 6.0 Parser (KB925673) --> MsiExec.exe /I{FE9126DB-5F84-495A-BB46-3C724F1C2D08}
Nero 8 --> MsiExec.exe /X{BE282C23-5484-47FF-B2C1-EBEA5C891033}
neroxml --> MsiExec.exe /I{56C049BE-79E9-4502-BEA7-9754A3E60F9B}
Notepad++ --> C:\Program Files\Notepad++\uninstall.exe
OpenAL --> "C:\Program Files\OpenAL\OalinstGridRelease.exe" /U
OpenOffice.org 2.4 --> MsiExec.exe /I{2CD2C0DB-81C3-416B-9FA6-589B9235359B}
PartyPoker --> "C:\Program Files\PartyGaming\PartyPoker\Uninstall.exe" "C:\Program Files\PartyGaming\PartyPoker\install.log"
PDF Settings --> MsiExec.exe /I{AC5B0C19-D851-42F4-BDA0-410ECF7F70A5}
PerfectDisk 2008 Professional --> MsiExec.exe /I{2B6EC03E-6FA0-4D7C-9CCE-1B03819AB613}
PokerStars --> "C:\Program Files\PokerStars\PokerStarsUninstall.exe" /u:PokerStars
PowerISO --> "C:\Program Files\PowerISO\uninstall.exe"
ProxyFirewall 1.0.4 Beta --> "C:\Program Files\ProxyFirewall\unins000.exe"
PunkBuster Services --> C:\WINDOWS\system32\pbsvc.exe -u
QuickPar 0.9 --> C:\Program Files\QuickPar\uninst.exe
QuickTime Alternative 2.5.1 --> "C:\Program Files\QuickTime Alternative\unins000.exe"
Sandboxie 3.28 --> "C:\WINDOWS\Installer\SandboxieInstall.exe" /remove
Sentinel System Driver --> C:\WINDOWS\SYSTEM32\RNBOSENT\SETUPX86.EXE /U /q
Shareaza 2.3.1.0 --> "C:\Program Files\Shareaza\Uninstall\unins000.exe"
Skype™ 3.6 --> MsiExec.exe /X{5C82DAE5-6EB0-4374-9254-BE3319BA4E82}
SmartSound Quicktracks Plugin --> C:\PROGRA~1\COMMON~1\INSTAL~1\Driver\9\INTEL3~1\IDriver.exe /M{4A7FDA4D-F4D7-4A49-934A-066D59A43C7E}
SoundMAX --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\10\01\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{F0A37341-D692-11D4-A984-009027EC0A9C}\setup.exe" -l0x9 -removeonly
SPORE™ Creature Creator Trial Edition --> "C:\Program Files\InstallShield Installation Information\{ECEE0279-785F-4CB3-9F28-E69813234BF8}\setup.exe" -runfromtemp -l0x0009 -removeonly
Spybot - Search & Destroy --> "C:\Program Files\Spybot - Search & Destroy\unins000.exe"
Streamripper (Remove only) --> C:\Program Files\Streamripper\Uninstall.exe
Test Drive Unlimited --> MsiExec.exe /X{C37A0BC1-52EE-4F97-8223-5CA9FC0357B0}
thinkorswim --> C:\Program Files\thinkorswim\uninstall.exe
TmNationsForever --> "C:\Program Files\TmNationsForever\unins000.exe"
Tortun 0.74 --> "C:\Program Files\Tortun\unins000.exe"
UltraMon --> MsiExec.exe /I{AF0FA6D7-96F3-468A-ABB7-28BE006EA8E9}
Ventrilo Client --> MsiExec.exe /I{789289CA-F73A-4A16-A331-54D498CE069F}
VideoLAN VLC media player 0.8.6f --> C:\Program Files\VideoLAN\VLC\uninstall.exe
Visual Studio 2005 Tools for Office Second Edition Runtime --> c:\Program Files\Common Files\Microsoft Shared\VSTO\8.0\Microsoft Visual Studio 2005 Tools for Office Runtime\install.exe
WampServer 2.0 --> "c:\wamp\unins000.exe"
WebMoney Keeper Classic 3.6.0.2 --> "C:\Program Files\WebMoney\Uninstall.exe" "C:\Program Files\WebMoney\install.log" -u
Winamp --> "C:\Program Files\Winamp\UninstWA.exe"
Windows Communication Foundation --> MsiExec.exe /X{491DD792-AD81-429C-9EB4-86DD3D22E333}
Windows Imaging Component --> "C:\WINDOWS\$NtUninstallWIC$\spuninst\spuninst.exe"
Windows Live installer --> MsiExec.exe /X{A7E4ECCA-4A8E-4258-8EC8-2DCCF5B11320}
Windows Live Messenger --> MsiExec.exe /X{508CE775-4BA4-4748-82DF-FE28DA9F03B0}
Windows Live Sign-in Assistant --> MsiExec.exe /I{AFA4E5FD-ED70-4D92-99D0-162FD56DC986}
Windows Media Encoder 9 Series --> msiexec.exe /I {E38C00D0-A68B-4318-A8A6-F7D4B5B1DF0E}
Windows Media Encoder 9 Series --> MsiExec.exe /I{E38C00D0-A68B-4318-A8A6-F7D4B5B1DF0E}
Windows Media Format 11 runtime --> "C:\WINDOWS\$NtUninstallWMFDist11$\spuninst\spuninst.exe"
Windows Media Format 11 SDK --> MsiExec.exe /X{009435FA-9011-4C36-AE7C-CCC9669E7875}
Windows Presentation Foundation --> MsiExec.exe /X{BAF78226-3200-4DB4-BE33-4D922A799840}
Windows Workflow Foundation --> MsiExec.exe /I{7D1B85BD-AA07-48B8-808D-67A4067FC6BD}
WinRAR archiver --> C:\Program Files\WinRAR\uninstall.exe
Xbox 360 Controller for Windows --> "C:\WINDOWS\$NtUninstall_Xbox_360_CC_Driver$\spuninst\spuninst.exe"
XML Paper Specification Shared Components Pack 1.0 -->
XP Codec Pack --> C:\Program Files\XP Codec Pack\Uninstall.exe
Xtreme Prototypes X-15-2-3 for Flight Simulator --> "C:\WINDOWS\Xtreme Prototypes X-15-2-3 for Flight Simulator\uninstall.exe" "/U:C:\Program Files\Xtreme Prototypes\X-15-2-3 Uninstall\uninstall.xml"
Xvid 1.1.3 final uninstall --> "C:\Program Files\Xvid\unins000.exe"
Yahoo! Messenger --> C:\PROGRA~1\Yahoo!\MESSEN~1\UNWISE.EXE /U C:\PROGRA~1\Yahoo!\MESSEN~1\INSTALL.LOG
-- Application Event Log -------------------------------------------------------
Event Record #/Type4077 / Error
Event Submitted/Written: 08/02/2008 04:31:47 PM
Event ID/Source: 8193 / VSS
Event Description:
Volume Shadow Copy Service error: Unexpected error calling routine CoCreateInstance. hr = 0x80040206.
Event Record #/Type4076 / Error
Event Submitted/Written: 08/02/2008 04:31:47 PM
Event ID/Source: 4609 / EventSystem
Event Description:
The COM+ Event System detected a bad return code during its internal processing. HRESULT was 80070422 from line 44 of d:\qxp_slp\com\com1x\src\events\tier1\eventsystemobj.cpp. Please contact Microsoft Product Support Services to report this error.
Event Record #/Type4073 / Error
Event Submitted/Written: 08/02/2008 04:31:36 PM
Event ID/Source: 4609 / EventSystem
Event Description:
The COM+ Event System detected a bad return code during its internal processing. HRESULT was 80070422 from line 44 of d:\qxp_slp\com\com1x\src\events\tier1\eventsystemobj.cpp. Please contact Microsoft Product Support Services to report this error.
Event Record #/Type4054 / Error
Event Submitted/Written: 08/01/2008 05:49:32 PM
Event ID/Source: 4609 / EventSystem
Event Description:
The COM+ Event System detected a bad return code during its internal processing. HRESULT was 80070422 from line 44 of d:\qxp_slp\com\com1x\src\events\tier1\eventsystemobj.cpp. Please contact Microsoft Product Support Services to report this error.
Event Record #/Type4032 / Success
Event Submitted/Written: 07/31/2008 04:26:12 PM
Event ID/Source: 12001 / usnjsvc
Event Description:
The Messenger Sharing USN Journal Reader service started successfully.
-- Security Event Log ----------------------------------------------------------
No Errors/Warnings found.
-- System Event Log ------------------------------------------------------------
Event Record #/Type31274 / Error
Event Submitted/Written: 08/02/2008 01:23:57 AM
Event ID/Source: 7001 / Service Control Manager
Event Description:
The Remote Access Connection Manager service depends on the Telephony service which failed to start because of the following error:
%%1058
Event Record #/Type31273 / Error
Event Submitted/Written: 08/02/2008 01:23:57 AM
Event ID/Source: 7001 / Service Control Manager
Event Description:
The Remote Access Connection Manager service depends on the Telephony service which failed to start because of the following error:
%%1058
Event Record #/Type31272 / Error
Event Submitted/Written: 08/01/2008 10:33:06 PM
Event ID/Source: 7001 / Service Control Manager
Event Description:
The Remote Access Connection Manager service depends on the Telephony service which failed to start because of the following error:
%%1058
Event Record #/Type31271 / Error
Event Submitted/Written: 08/01/2008 08:51:29 PM
Event ID/Source: 7001 / Service Control Manager
Event Description:
The Remote Access Connection Manager service depends on the Telephony service which failed to start because of the following error:
%%1058
Event Record #/Type31270 / Error
Event Submitted/Written: 08/01/2008 08:51:29 PM
Event ID/Source: 7001 / Service Control Manager
Event Description:
The Remote Access Connection Manager service depends on the Telephony service which failed to start because of the following error:
%%1058
-- End of Deckard's System Scanner: finished at 2008-08-02 16:35:59 ------------
IMPORTANT: I notice there are signs of one or more P2P (Peer to Peer) File Sharing Programs on your computer.
µTorrent
DC++ 0.707
eMule
Kazaa Lite K++ v2.4.3
LimeWire 4.18.3
Shareaza 2.3.1.0
I'd like you to read this thread (http://forums.spybot.info/showthread.php?t=282).
Please go to Control Panel > Add/Remove Programs and uninstall the programs listed above (in red).
Delete these folders afterwards:
C:\Program Files\Shareaza
C:\Documents and Settings\Wallboy\Application Data\Shareaza
C:\Program Files\eMule
C:\Program Files\DC++
C:\Documents and Settings\Wallboy\Application Data\LimeWire
C:\Program Files\LimeWire
C:\Documents and Settings\Wallboy\Application Data\uTorrent
Empty Recycle Bin.
After that:
Click Start and then Run to bring up the Run box.
Copy and paste the contents of this quote box into the run box:
"%userprofile%\desktop\dss.exe" /config
Close all other open windows.
Click OK.
A window will now open. Click Check All and then click Scan!.
When the scan is complete, two text files will open in Notepad: main.txt <- this one will be maximized
extra.txt <- this one will be minimized
If not, they both can be found in the C:\Deckard\System Scanner folder.
Please copy (Ctrl+C) and paste (Ctrl+V) the contents of main.txt and extra.txt in your next reply.
Due to the lack of feedback this Topic is closed.
If it has been five days or more since your last post, and the helper assisting you posted a response to that post to which you did not reply, your topic will not be reopened. At that point, if you still require help, please start a new topic and include a fresh HijackThis log and a link to your previous thread.
If it has been less than five days since your last response and you need the thread re-opened, please send a private message (pm). A valid, working link to the closed topic is required.
Everyone else please begin a New Topic.