
Help with malware removal please, possibly Virtumonde?



Garfie
2008-08-08, 15:39
Hi,

I am hoping you can help me.

My computer keeps telling me it is infected with spyware/malware. I get a blue desktop on startup with regular warnings saying the computer is infected with:

Trojan-Clicker.Win32.Tiny.h
Trojan-Downloader.Win32.Agent.bq
Trojan-Spy.Win32.KeyLogger.aa
Trojan-Spy.Win32.GreenScreen
Trojan-Spy.HTML.Bankfraud.dq

Strange thing is that these only show up when I log in to my user account. If I log in as administrator, another user or as any user in safe mode I get no warnings and nothing shows up on scans.

The pop-up warnings direct me to this site: www.antispyware-review.info/?wmid=46638&pwebmid=uWfLn0pimL&a= which is Smartsoft reviews to buy PC Antispy or PC Clean pro.

Malwarebytes scan picks up Fake.Dropped.Malware, Malware.Trace, Trojan.FakeAlert and Hijack.Wallpaper and even if I remove these and restart the PC they come back.

A Spybot scan pointed to 2 entries of Virtumonde.

I'll attach the latest HJT log, Malwarebytes log and Spybot logs in case you need them. Please help me with this, I can't seem to shift it.

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 11:54:34 AM, on 8/7/2008
Platform: Windows Vista SP1 (WinNT 6.00.1905)
MSIE: Internet Explorer v7.00 (7.00.6001.18000)
Boot mode: Normal

Running processes:
C:\Windows\system32\taskeng.exe
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Program Files\Windows Defender\MSASCui.exe
C:\Windows\RtHDVCpl.exe
C:\Program Files\Adobe\Photoshop Elements 6.0\apdproxy.exe
C:\Program Files\Avast Antivirus\ashDisp.exe
C:\Windows\System32\rundll32.exe
C:\Program Files\Windows Sidebar\sidebar.exe
C:\Program Files\Nokia\Nokia PC Suite 6\PcSync2.exe
C:\Program Files\Nokia\Nokia PC Suite 6\PCSuite.exe
C:\Program Files\Windows Media Player\wmpnscfg.exe
C:\Windows\System32\rundll32.exe
C:\ProgramData\SmartShCom\hcfgfytg.exe
C:\ProgramData\rcvsxmzo\nqlszova.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\Windows Sidebar\sidebar.exe
C:\Windows\system32\wbem\unsecapp.exe
C:\Program Files\Microsoft Office\OFFICE11\OUTLOOK.EXE
C:\Program Files\Common Files\Nokia\MPAPI\MPAPI3s.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Windows\system32\SearchFilterHost.exe
C:\Users\Guy\Desktop\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O1 - Hosts: ::1 localhost
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O4 - HKLM\..\Run: [Windows Defender] %ProgramFiles%\Windows Defender\MSASCui.exe -hide
O4 - HKLM\..\Run: [RtHDVCpl] RtHDVCpl.exe
O4 - HKLM\..\Run: [Adobe Photo Downloader] "C:\Program Files\Adobe\Photoshop Elements 6.0\apdproxy.exe"
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\AVASTA~1\ashDisp.exe
O4 - HKLM\..\Run: [NvSvc] RUNDLL32.EXE C:\Windows\system32\nvsvc.dll,nvsvcStart
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\Windows\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\Windows\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe"
O4 - HKCU\..\Run: [Sidebar] C:\Program Files\Windows Sidebar\sidebar.exe /autoRun
O4 - HKCU\..\Run: [Nokia.PCSync] "C:\Program Files\Nokia\Nokia PC Suite 6\PCSync2.exe" /NoDialog
O4 - HKCU\..\Run: [PC Suite Tray] "C:\Program Files\Nokia\Nokia PC Suite 6\PCSuite.exe" -onlytray
O4 - HKCU\..\Run: [WMPNSCFG] C:\Program Files\Windows Media Player\WMPNSCFG.exe
O4 - HKCU\..\Run: [SmartShCom] C:\ProgramData\SmartShCom\hcfgfytg.exe
O4 - HKCU\..\Run: [WvSbO1Kv04] C:\ProgramData\rcvsxmzo\nqlszova.exe
O4 - HKCU\..\Run: [ProcDsc] C:\ProgramData\ProcDsc\zcvgzsly.exe
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - HKCU\..\Run: [monwin] C:\ProgramData\monwin\verohots.exe
O4 - HKCU\..\Run: [proccfg] C:\ProgramData\proccfg\zmtqrwdk.exe
O4 - HKCU\..\Run: [enstrapp] C:\ProgramData\enstrapp\lifonape.exe
O4 - HKCU\..\Run: [infosys] C:\ProgramData\infosys\gzmhghgd.exe
O4 - HKCU\..\Run: [EnUiProc] C:\ProgramData\EnUiProc\gfsfsrcf.exe
O4 - HKCU\..\Run: [ChkHlp] C:\ProgramData\ChkHlp\clybelup.exe
O4 - HKCU\..\Run: [WebSrv] C:\ProgramData\WebSrv\ibkdivij.exe
O4 - HKCU\..\Run: [sysmsg] C:\ProgramData\sysmsg\jwbwdqrw.exe
O4 - HKCU\..\Run: [shactmsg] C:\ProgramData\shactmsg\hqfslgvi.exe
O4 - HKCU\..\Run: [lphctmdj0ec0e] C:\Windows\system32\lphctmdj0ec0e.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKCU\..\Run: [infodbset] C:\ProgramData\infodbset\gzufknil.exe
O4 - HKUS\S-1-5-19\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\Run: [WindowsWelcomeCenter] rundll32.exe oobefldr.dll,ShowWelcomeCenter (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'NETWORK SERVICE')
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O13 - Gopher Prefix:
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shoc...ash/swflash.cab
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O22 - SharedTaskScheduler: Windows DreamScene - {E31004D1-A431-41B8-826F-E902F9D95C81} - C:\Windows\System32\DreamScene.dll
O23 - Service: Adobe Active File Monitor V6 (AdobeActiveFileMonitor6.0) - Unknown owner - C:\Program Files\Adobe\Photoshop Elements 6.0\PhotoshopElementsFileAgent.exe
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Avast Antivirus\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Avast Antivirus\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Avast Antivirus\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Avast Antivirus\ashWebSv.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: ServiceLayer - Nokia. - C:\Program Files\PC Connectivity Solution\ServiceLayer.exe

--
End of file - 7291 bytes
--------------------------------------------
Malwarebytes' Anti-Malware 1.24
Database version: 1020
Windows 6.0.6001 Service Pack 1

11:53:44 AM 8/7/2008
mbam-log-8-7-2008 (11-53-40).txt

Scan type: Quick Scan
Objects scanned: 39401
Time elapsed: 2 minute(s), 5 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 3
Registry Values Infected: 4
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_CURRENT_USER\SOFTWARE\uninstall (Fake.Dropped.Malware) -> No action taken.
HKEY_CURRENT_USER\SOFTWARE\wkey (Malware.Trace) -> No action taken.
HKEY_CURRENT_USER\SOFTWARE\mwc (Malware.Trace) -> No action taken.

Registry Values Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\lphctmdj0ec0e (Trojan.FakeAlert) -> No action taken.
HKEY_CURRENT_USER\Control Panel\Desktop\wallpaper (Hijack.Wallpaper) -> No action taken.
HKEY_CURRENT_USER\Control Panel\Desktop\originalwallpaper (Hijack.Wallpaper) -> No action taken.
HKEY_CURRENT_USER\Control Panel\Desktop\convertedwallpaper (Hijack.Wallpaper) -> No action taken.

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)
-------------------------------------------------------
-- Search result list ---
Hint of the Day: Click the bar at the right of this to see more information! ()


Virtumonde: [SBI $3BE84E58] Settings (Registry key, nothing done)
HKEY_USERS\S-1-5-21-2358783837-1417064347-3650377784-1000\Software\mwc

Virtumonde: [SBI $0FB400C8] Settings (Registry key, nothing done)
HKEY_USERS\S-1-5-21-2358783837-1417064347-3650377784-1000\Software\wkey


--- Spybot - Search & Destroy version: 1.6.0 (build: 20080707) ---

2008-07-07 blindman.exe (1.0.0.8)
2008-07-07 SDFiles.exe (1.6.0.4)
2008-07-07 SDMain.exe (1.0.0.6)
2008-07-07 SDShred.exe (1.0.2.3)
2008-07-07 SDUpdate.exe (1.6.0.8)
2008-07-07 SDWinSec.exe (1.0.0.12)
2008-07-07 SpybotSD.exe (1.6.0.30)
2008-07-07 TeaTimer.exe (1.6.0.20)
2008-08-06 unins000.exe (51.49.0.0)
2008-07-07 Update.exe (1.6.0.7)
2008-07-07 advcheck.dll (1.6.1.12)
2007-04-02 aports.dll (2.1.0.0)
2008-06-14 DelZip179.dll (1.79.11.1)
2008-07-07 SDHelper.dll (1.6.0.12)
2008-06-19 sqlite3.dll
2008-07-07 Tools.dll (2.1.5.7)
2008-08-05 Includes\Adware.sbi (*)
2008-08-05 Includes\AdwareC.sbi (*)
2008-06-03 Includes\Cookies.sbi (*)
2008-06-03 Includes\Dialer.sbi (*)
2008-08-05 Includes\DialerC.sbi (*)
2008-07-23 Includes\HeavyDuty.sbi (*)
2008-07-30 Includes\Hijackers.sbi (*)
2008-07-08 Includes\HijackersC.sbi (*)
2008-08-05 Includes\Keyloggers.sbi (*)
2008-08-05 Includes\KeyloggersC.sbi (*)
2004-11-29 Includes\LSP.sbi (*)
2008-08-05 Includes\Malware.sbi (*)
2008-08-05 Includes\MalwareC.sbi (*)
2008-08-05 Includes\PUPS.sbi (*)
2008-08-05 Includes\PUPSC.sbi (*)
2007-11-07 Includes\Revision.sbi (*)
2008-06-18 Includes\Security.sbi (*)
2008-08-05 Includes\SecurityC.sbi (*)
2008-06-03 Includes\Spybots.sbi (*)
2008-06-03 Includes\SpybotsC.sbi (*)
2008-08-04 Includes\Spyware.sbi (*)
2008-08-05 Includes\SpywareC.sbi (*)
2008-06-03 Includes\Tracks.uti
2008-08-05 Includes\Trojans.sbi (*)
2008-08-06 Includes\TrojansC.sbi (*)
2008-03-04 Plugins\Chai.dll
2008-03-05 Plugins\Fennel.dll
2008-02-26 Plugins\Mate.dll
2007-12-24 Plugins\TCPIPAddress.dll



--- System information ---
Windows Vista (Build: 6001) Service Pack 1 (6.0.6001)


--- Startup entries list ---
Located: HK_LM:Run, Adobe Photo Downloader
command: "C:\Program Files\Adobe\Photoshop Elements 6.0\apdproxy.exe"
file: C:\Program Files\Adobe\Photoshop Elements 6.0\apdproxy.exe
size: 67488
MD5: BCCB77572408155F984A02F9BFFDF225

Located: HK_LM:Run, Adobe Reader Speed Launcher
command: "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
file: C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe
size: 39792
MD5: 8B9145D229D4E89D15ACB820D4A3A90F

Located: HK_LM:Run, avast!
command: C:\PROGRA~1\AVASTA~1\ashDisp.exe
file: C:\PROGRA~1\AVASTA~1\ashDisp.exe
size: 78008
MD5: 66893067C2FB0505F151D3FCB8EA92B5

Located: HK_LM:Run, NvCplDaemon
command: RUNDLL32.EXE C:\Windows\system32\NvCpl.dll,NvStartup
file: C:\Windows\system32\NvCpl.dll
size: 8497696
MD5: 54D449998EB6C4DB4FD07C46D00A54BF

Located: HK_LM:Run, NvMediaCenter
command: RUNDLL32.EXE C:\Windows\system32\NvMcTray.dll,NvTaskbarInit
file: C:\Windows\system32\NvMcTray.dll
size: 81920
MD5: D5E4522BC1C85E7D97E0662907900FAD

Located: HK_LM:Run, NvSvc
command: RUNDLL32.EXE C:\Windows\system32\nvsvc.dll,nvsvcStart
file: C:\Windows\system32\nvsvc.dll
size: 86016
MD5: 009FFD54A521FE7385BD96AA1515A43B

Located: HK_LM:Run, RtHDVCpl
command: RtHDVCpl.exe
file: C:\Windows\RtHDVCpl.exe
size: 4702208
MD5: A360F8AA95A086CB7F9D361B5485858F

Located: HK_LM:Run, SunJavaUpdateSched
command: "C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe"
file: C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe
size: 144784
MD5: 6AB4C021FBD36DC6764924C312428D97

Located: HK_LM:Run, Windows Defender
command: %ProgramFiles%\Windows Defender\MSASCui.exe -hide
file: C:\Program Files\Windows Defender\MSASCui.exe
size: 1008184
MD5: 0D392EDE3B97E0B3131B2F63EF1DB94E

Located: HK_CU:Run, ChkHlp
where: S-1-5-21-2358783837-1417064347-3650377784-1000...
command: C:\ProgramData\ChkHlp\clybelup.exe
file: C:\ProgramData\ChkHlp\clybelup.exe
size: 98304
MD5: FB29BD9ABAA77BF40D313D9B9D0E30A2

Located: HK_CU:Run, enstrapp
where: S-1-5-21-2358783837-1417064347-3650377784-1000...
command: C:\ProgramData\enstrapp\lifonape.exe
file: C:\ProgramData\enstrapp\lifonape.exe
size: 73728
MD5: 81B2E9817A49B94965A70E2F6E2D228F

Located: HK_CU:Run, EnUiProc
where: S-1-5-21-2358783837-1417064347-3650377784-1000...
command: C:\ProgramData\EnUiProc\gfsfsrcf.exe
file: C:\ProgramData\EnUiProc\gfsfsrcf.exe
size: 73728
MD5: 81B2E9817A49B94965A70E2F6E2D228F

Located: HK_CU:Run, infodbset
where: S-1-5-21-2358783837-1417064347-3650377784-1000...
command: C:\ProgramData\infodbset\gzufknil.exe
file: C:\ProgramData\infodbset\gzufknil.exe
size: 94208
MD5: 27807B6182AAE09EA8C5C1CAC8F1BC8C

Located: HK_CU:Run, infosys
where: S-1-5-21-2358783837-1417064347-3650377784-1000...
command: C:\ProgramData\infosys\gzmhghgd.exe
file: C:\ProgramData\infosys\gzmhghgd.exe
size: 73728
MD5: 81B2E9817A49B94965A70E2F6E2D228F

Located: HK_CU:Run, lphctmdj0ec0e
where: S-1-5-21-2358783837-1417064347-3650377784-1000...
command: C:\Windows\system32\lphctmdj0ec0e.exe
file: C:\Windows\system32\lphctmdj0ec0e.exe
size: 0
MD5: D41D8CD98F00B204E9800998ECF8427E
Warning: if the file is actually larger than 0 bytes,
the checksum could not be properly calculated!

Located: HK_CU:Run, monwin
where: S-1-5-21-2358783837-1417064347-3650377784-1000...
command: C:\ProgramData\monwin\verohots.exe
file: C:\ProgramData\monwin\verohots.exe
size: 73728
MD5: 81B2E9817A49B94965A70E2F6E2D228F

Located: HK_CU:Run, Nokia.PCSync
where: S-1-5-21-2358783837-1417064347-3650377784-1000...
command: "C:\Program Files\Nokia\Nokia PC Suite 6\PCSync2.exe" /NoDialog
file: C:\Program Files\Nokia\Nokia PC Suite 6\PCSync2.exe
size: 1232896
MD5: E10B85BCFEE1CA3B61D894CA162E21FC

Located: HK_CU:Run, PC Suite Tray
where: S-1-5-21-2358783837-1417064347-3650377784-1000...
command: "C:\Program Files\Nokia\Nokia PC Suite 6\PCSuite.exe" -onlytray
file: C:\Program Files\Nokia\Nokia PC Suite 6\PCSuite.exe
size: 1079808
MD5: 14B9B18A34616D297DE05943096450B7

Located: HK_CU:Run, proccfg
where: S-1-5-21-2358783837-1417064347-3650377784-1000...
command: C:\ProgramData\proccfg\zmtqrwdk.exe
file: C:\ProgramData\proccfg\zmtqrwdk.exe
size: 73728
MD5: 81B2E9817A49B94965A70E2F6E2D228F

Located: HK_CU:Run, ProcDsc
where: S-1-5-21-2358783837-1417064347-3650377784-1000...
command: C:\ProgramData\ProcDsc\zcvgzsly.exe
file: C:\ProgramData\ProcDsc\zcvgzsly.exe
size: 77824
MD5: 258A8883167BE1BD71E6EEA957A57F63

Located: HK_CU:Run, shactmsg
where: S-1-5-21-2358783837-1417064347-3650377784-1000...
command: C:\ProgramData\shactmsg\hqfslgvi.exe
file: C:\ProgramData\shactmsg\hqfslgvi.exe
size: 94208
MD5: 27807B6182AAE09EA8C5C1CAC8F1BC8C

Located: HK_CU:Run, Sidebar
where: S-1-5-21-2358783837-1417064347-3650377784-1000...
command: C:\Program Files\Windows Sidebar\sidebar.exe /autoRun
file: C:\Program Files\Windows Sidebar\sidebar.exe
size: 1233920
MD5: FD278E51A7D6F52D22FCE6C67E037AD6

Located: HK_CU:Run, SmartShCom
where: S-1-5-21-2358783837-1417064347-3650377784-1000...
command: C:\ProgramData\SmartShCom\hcfgfytg.exe
file: C:\ProgramData\SmartShCom\hcfgfytg.exe
size: 77824
MD5: DC68E8A8465FCE6D7ED6BCEAB70C47D5

Located: HK_CU:Run, SpybotSD TeaTimer
where: S-1-5-21-2358783837-1417064347-3650377784-1000...
command: C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
file: C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
size: 2156368
MD5: 08FC1FAD357F053043016597B6559BDC

Located: HK_CU:Run, SUPERAntiSpyware
where: S-1-5-21-2358783837-1417064347-3650377784-1000...
command: C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
file: C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
size: 1506544
MD5: 24A3D7D9DD5555F409CF909600D32D60

Located: HK_CU:Run, sysmsg
where: S-1-5-21-2358783837-1417064347-3650377784-1000...
command: C:\ProgramData\sysmsg\jwbwdqrw.exe
file: C:\ProgramData\sysmsg\jwbwdqrw.exe
size: 81920
MD5: 3813DBDB04D674A9D4A9FC705117F9D7

Located: HK_CU:Run, WebSrv
where: S-1-5-21-2358783837-1417064347-3650377784-1000...
command: C:\ProgramData\WebSrv\ibkdivij.exe
file: C:\ProgramData\WebSrv\ibkdivij.exe
size: 77824
MD5: E54E8A6F53F4796D4BEAC7A01B0BFF90

Located: HK_CU:Run, WMPNSCFG
where: S-1-5-21-2358783837-1417064347-3650377784-1000...
command: C:\Program Files\Windows Media Player\WMPNSCFG.exe
file: C:\Program Files\Windows Media Player\WMPNSCFG.exe
size: 202240
MD5: 35937EAD711207544E219C2A19A78A7D

Located: HK_CU:Run, WvSbO1Kv04
where: S-1-5-21-2358783837-1417064347-3650377784-1000...
command: C:\ProgramData\rcvsxmzo\nqlszova.exe
file: C:\ProgramData\rcvsxmzo\nqlszova.exe
size: 57344
MD5: C9D5481EFF107DA5A880029EEB539707

Located: WinLogon, !SASWinLogon
command: C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
file: C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
size: 294912
MD5: 3B2F85D8C913CE452ADE4A0D24299FEA



--- Browser helper object list ---
{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} (Adobe PDF Reader Link Helper)
location: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\
BHO name:
CLSID name: Adobe PDF Reader Link Helper
description: Adobe Acrobat reader
classification: Legitimate
known filename: AcroIEhelper.ocx<br>AcroIEhelper.dll
info link: http://www.adobe.com/products/acrobat/readstep2.html
info source: TonyKlein
Path: C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\
Long name: AcroIEHelper.dll
Short name: ACROIE~1.DLL
Date (created): 10/22/2006 11:08:42 PM
Date (last access): 6/5/2008 5:56:42 PM
Date (last write): 10/22/2006 11:08:42 PM
Filesize: 62080
Attributes: archive
MD5: C11F6A1F61481E24BE3FDC06EA6F7D2A
CRC32: E388508F
Version: 8.0.0.456

{53707962-6F74-2D53-2644-206D7942484F} (Spybot-S&D IE Protection)
location: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\
BHO name:
CLSID name: Spybot-S&D IE Protection
description: Spybot-S&D IE Browser plugin
classification: Legitimate
known filename: SDhelper.dll
info link: http://spybot.eon.net.au/
info source: Patrick M. Kolla
Path: C:\PROGRA~1\SPYBOT~1\
Long name: SDHelper.dll
Short name:
Date (created): 8/6/2008 8:14:44 PM
Date (last access): 8/6/2008 8:14:44 PM
Date (last write): 7/7/2008 9:41:58 AM
Filesize: 1562448
Attributes: archive
MD5: 32981ADE44D01EC2A9EBC2E311291707
CRC32: C2F522E6
Version: 1.6.0.12

{761497BB-D6F0-462C-B6EB-D4DAF1D92D43} (SSVHelper Class)
location: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\
BHO name:
CLSID name: SSVHelper Class
Path: C:\Program Files\Java\jre1.6.0_07\bin\
Long name: ssv.dll
Short name:
Date (created): 7/15/2008 9:03:42 AM
Date (last access): 6/10/2072 2:32:34 AM
Date (last write): 6/10/2008 4:27:02 AM
Filesize: 509328
Attributes: archive
MD5: F921D875A1CBD69A6A462BA2514BC831
CRC32: 38AC9EE2
Version: 6.0.70.6

{7E853D72-626A-48EC-A868-BA8D5E23E045} ()
location: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\
BHO name:
CLSID name:

{9030D464-4C02-4ABF-8ECC-5164760863C6} (Windows Live Sign-in Helper)
location: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\
BHO name:
CLSID name: Windows Live Sign-in Helper
Path: C:\Program Files\Common Files\Microsoft Shared\Windows Live\
Long name: WindowsLiveLogin.dll
Short name: WINDOW~1.DLL
Date (created): 9/20/2007 10:30:18 AM
Date (last access): 6/17/2008 7:53:52 PM
Date (last write): 9/20/2007 10:30:18 AM
Filesize: 328752
Attributes: archive
MD5: 59CF5BF6684AFCF906CADAD39B4214DE
CRC32: C363813C
Version: 4.200.520.1



--- ActiveX list ---
{8AD9C840-044E-11D1-B3E9-00805F499D93} (Java Runtime Environment 1.6.0)
DPF name: Java Runtime Environment 1.6.0
CLSID name: Java Plug-in 1.6.0_07
Installer:
Codebase: http://java.sun.com/update/1.6.0/jinstall-...indows-i586.cab
description: Sun Java
classification: Legitimate
known filename: %PROGRAM FILES%\JabaSoft\JRE\*\Bin\npjava131.dll
info link:
info source: Patrick M. Kolla
Path: C:\Program Files\Java\jre1.6.0_07\bin\
Long name: npjpi160_07.dll
Short name: NPJPI1~1.DLL
Date (created): 6/10/2008 2:32:34 AM
Date (last access): 6/10/2072 2:32:34 AM
Date (last write): 6/10/2008 4:27:02 AM
Filesize: 132496
Attributes: archive
MD5: 7C83A2809E13950359189767AC9D5DB8
CRC32: 925C2A88
Version: 6.0.70.6

{CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA} (Java Runtime Environment 1.6.0)
DPF name: Java Runtime Environment 1.6.0
CLSID name: Java Plug-in 1.6.0_07
Installer:
Codebase: http://java.sun.com/update/1.6.0/jinstall-...indows-i586.cab
Path: C:\Program Files\Java\jre1.6.0_07\bin\
Long name: npjpi160_07.dll
Short name: NPJPI1~1.DLL
Date (created): 6/10/2008 2:32:34 AM
Date (last access): 6/10/2072 2:32:34 AM
Date (last write): 6/10/2008 4:27:02 AM
Filesize: 132496
Attributes: archive
MD5: 7C83A2809E13950359189767AC9D5DB8
CRC32: 925C2A88
Version: 6.0.70.6

{CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} (Java Runtime Environment 1.6.0)
DPF name: Java Runtime Environment 1.6.0
CLSID name: Java Plug-in 1.6.0_07
Installer:
Codebase: http://java.sun.com/update/1.6.0/jinstall-...indows-i586.cab
Path: C:\Program Files\Java\jre1.6.0_07\bin\
Long name: npjpi160_07.dll
Short name: NPJPI1~1.DLL
Date (created): 6/10/2008 2:32:34 AM
Date (last access): 6/10/2072 2:32:34 AM
Date (last write): 6/10/2008 4:27:02 AM
Filesize: 132496
Attributes: archive
MD5: 7C83A2809E13950359189767AC9D5DB8
CRC32: 925C2A88
Version: 6.0.70.6

{D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object)
DPF name:
CLSID name: Shockwave Flash Object
Installer: C:\Windows\Downloaded Program Files\swflash.inf
Codebase: http://fpdownload2.macromedia.com/get/shoc...ash/swflash.cab
description: Macromedia Shockwave Flash Player
classification: Legitimate
known filename:
info link:
info source: Patrick M. Kolla
Path: C:\Windows\system32\Macromed\Flash\
Long name: Flash9f.ocx
Short name:
Date (created): 3/25/2008 3:32:42 AM
Date (last access): 6/17/2008 8:07:20 PM
Date (last write): 3/25/2008 3:32:42 AM
Filesize: 2991488
Attributes: readonly archive
MD5: 48FDF435B8595604E54125B321924510
CRC32: 12335E29
Version: 9.0.124.0



--- Process list ---
PID: 3744 (1184) C:\Windows\system32\taskeng.exe
size: 169472
MD5: 5F109032CE46B7184ED9E50F9FE8489E
PID: 4084 (1160) C:\Windows\system32\Dwm.exe
size: 81920
MD5: 59903071D7ACE6A02093C47E9E38AF97
PID: 4016 (1448) C:\Windows\Explorer.EXE
size: 2927104
MD5: FFA764631CB70A30065C12EF8E174F9F
PID: 2316 (4016) C:\Program Files\Windows Defender\MSASCui.exe
size: 1008184
MD5: 0D392EDE3B97E0B3131B2F63EF1DB94E
PID: 1756 (4016) C:\Windows\RtHDVCpl.exe
size: 4702208
MD5: A360F8AA95A086CB7F9D361B5485858F
PID: 2788 (4016) C:\Program Files\Adobe\Photoshop Elements 6.0\apdproxy.exe
size: 67488
MD5: BCCB77572408155F984A02F9BFFDF225
PID: 3832 (4016) C:\Program Files\Avast Antivirus\ashDisp.exe
size: 78008
MD5: 66893067C2FB0505F151D3FCB8EA92B5
PID: 996 (4016) C:\Windows\System32\rundll32.exe
size: 44544
MD5: 4B555106290BD117334E9A08761C035A
PID: 2920 (4016) C:\Program Files\Windows Sidebar\sidebar.exe
size: 1233920
MD5: FD278E51A7D6F52D22FCE6C67E037AD6
PID: 1572 (4016) C:\Program Files\Nokia\Nokia PC Suite 6\PcSync2.exe
size: 1232896
MD5: E10B85BCFEE1CA3B61D894CA162E21FC
PID: 2484 (4016) C:\Program Files\Nokia\Nokia PC Suite 6\PCSuite.exe
size: 1079808
MD5: 14B9B18A34616D297DE05943096450B7
PID: 3068 (4016) C:\Program Files\Windows Media Player\wmpnscfg.exe
size: 202240
MD5: 35937EAD711207544E219C2A19A78A7D
PID: 3060 (1456) C:\Windows\System32\rundll32.exe
size: 44544
MD5: 4B555106290BD117334E9A08761C035A
PID: 320 (4016) C:\ProgramData\SmartShCom\hcfgfytg.exe
size: 77824
MD5: DC68E8A8465FCE6D7ED6BCEAB70C47D5
PID: 844 (4016) C:\ProgramData\rcvsxmzo\nqlszova.exe
size: 57344
MD5: C9D5481EFF107DA5A880029EEB539707
PID: 3088 (4016) C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
size: 1506544
MD5: 24A3D7D9DD5555F409CF909600D32D60
PID: 1848 (4016) C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
size: 2156368
MD5: 08FC1FAD357F053043016597B6559BDC
PID: 2976 (2920) C:\Program Files\Windows Sidebar\sidebar.exe
size: 1233920
MD5: FD278E51A7D6F52D22FCE6C67E037AD6
PID: 1056 ( 908) C:\Windows\system32\wbem\unsecapp.exe
size: 37888
MD5: 25873356E52849C3F5B3F1B02317E8C8
PID: 1444 ( 908) C:\Program Files\Microsoft Office\OFFICE11\OUTLOOK.EXE
size: 199688
MD5: 8219160C141B505AB5C112F73405C348
PID: 204 ( 908) C:\Program Files\Common Files\Nokia\MPAPI\MPAPI3s.exe
size: 474624
MD5: D54D5E5518A148851509A5E5906D80CD
PID: 900 (4016) C:\Program Files\Mozilla Firefox\firefox.exe
size: 307712
MD5: A6D64056AD6CA84534143757FD782D7A
PID: 1672 (4016) C:\Program Files\Spybot - Search & Destroy\SpybotSD.exe
size: 4891472
MD5: 3B1B5D09D3C9C4CD39D4DB06ED7A0855
PID: 4404 (4016) C:\Windows\system32\NOTEPAD.EXE
size: 151040
MD5: DAF60E13E96ECB67F0EDAA89C6B01B8D
PID: 3856 (1672) C:\Windows\hh.exe
size: 14848
MD5: 7C06CED2F7B9272A126D53A2A9F52AC0
PID: 0 ( 0) [System Process]
PID: 4 ( 0) System
PID: 516 ( 4) smss.exe
size: 64000
PID: 592 ( 580) csrss.exe
size: 6144
PID: 644 ( 580) wininit.exe
size: 96768
PID: 656 ( 636) csrss.exe
size: 6144
PID: 688 ( 644) services.exe
size: 279040
PID: 704 ( 644) lsass.exe
size: 9728
PID: 712 ( 644) lsm.exe
size: 229888
PID: 828 ( 636) winlogon.exe
size: 314880
PID: 908 ( 688) svchost.exe
size: 21504
PID: 972 ( 688) svchost.exe
size: 21504
PID: 1008 ( 688) svchost.exe
size: 21504
PID: 1104 ( 688) svchost.exe
size: 21504
PID: 1160 ( 688) svchost.exe
size: 21504
PID: 1184 ( 688) svchost.exe
size: 21504
PID: 1268 (1104) audiodg.exe
size: 88064
PID: 1312 ( 688) SLsvc.exe
size: 2623488
PID: 1364 ( 688) svchost.exe
size: 21504
PID: 1560 ( 688) svchost.exe
size: 21504
PID: 1700 ( 688) aswUpdSv.exe
PID: 1716 ( 688) ashServ.exe
PID: 2012 ( 688) spoolsv.exe
size: 125952
PID: 2036 ( 688) svchost.exe
size: 21504
PID: 800 ( 688) PhotoshopElementsFileAgent.exe
PID: 1604 ( 688) MDM.EXE
PID: 1932 ( 688) svchost.exe
size: 21504
PID: 636 ( 688) svchost.exe
size: 21504
PID: 2060 ( 688) svchost.exe
size: 21504
PID: 2144 ( 688) SearchIndexer.exe
size: 439808
PID: 2268 ( 688) ashMaiSv.exe
PID: 2308 ( 688) ashWebSv.exe
PID: 2608 (1184) taskeng.exe
size: 169472
PID: 2736 ( 688) ServiceLayer.exe
PID: 2944 (2736) NclUSBSrv.exe
PID: 2236 (2736) NclRSSrv.exe
PID: 2844 ( 688) wmpnetwk.exe
PID: 3220 ( 908) WmiPrvSE.exe
PID: 2276 (5364) jusched.exe


--- Browser start & search pages list ---
Spybot - Search & Destroy browser pages report, 8/7/2008 12:18:52 PM

HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\Local Page
C:\Windows\system32\blank.htm
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\Search Page
http://go.microsoft.com/fwlink/?LinkId=54896
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\Start Page
http://www.google.com/
HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Main\Local Page
%SystemRoot%\system32\blank.htm
HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Main\Search Page
http://go.microsoft.com/fwlink/?LinkId=54896
HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Main\Start Page
http://go.microsoft.com/fwlink/?LinkId=69157
HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Main\Default_Page_URL
http://go.microsoft.com/fwlink/?LinkId=69157
HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Main\Default_Search_URL
http://go.microsoft.com/fwlink/?LinkId=54896


--- Winsock Layered Service Provider list ---
Protocol 0: MSAFD Tcpip [TCP/IP]
GUID: {E70F1AA0-AB8B-11CF-8CA3-00805F48A192}
Filename: %SystemRoot%\system32\mswsock.dll
Description: Microsoft Windows NT/2k/XP IP protocol
DB filename: %SystemRoot%\system32\mswsock.dll
DB protocol: MSAFD Tcpip


Protocol 1: MSAFD Tcpip [UDP/IP]
GUID: {E70F1AA0-AB8B-11CF-8CA3-00805F48A192}
Filename: %SystemRoot%\system32\mswsock.dll
Description: Microsoft Windows NT/2k/XP IP protocol
DB filename: %SystemRoot%\system32\mswsock.dll
DB protocol: MSAFD Tcpip


Protocol 2: MSAFD Tcpip [RAW/IP]
GUID: {E70F1AA0-AB8B-11CF-8CA3-00805F48A192}
Filename: %SystemRoot%\system32\mswsock.dll
Description: Microsoft Windows NT/2k/XP IP protocol
DB filename: %SystemRoot%\system32\mswsock.dll
DB protocol: MSAFD Tcpip


Protocol 3: MSAFD Tcpip [TCP/IPv6]
GUID: {F9EAB0C0-26D4-11D0-BBBF-00AA006C34E4}
Filename: %SystemRoot%\system32\mswsock.dll
Description: Microsoft Windows NT/2k/XP IPv6 protocol
DB filename: %SystemRoot%\system32\mswsock.dll
DB protocol: MSAFD Tcpip


Protocol 4: MSAFD Tcpip [UDP/IPv6]
GUID: {F9EAB0C0-26D4-11D0-BBBF-00AA006C34E4}
Filename: %SystemRoot%\system32\mswsock.dll
Description: Microsoft Windows NT/2k/XP IPv6 protocol
DB filename: %SystemRoot%\system32\mswsock.dll
DB protocol: MSAFD Tcpip


Protocol 5: MSAFD Tcpip [RAW/IPv6]
GUID: {F9EAB0C0-26D4-11D0-BBBF-00AA006C34E4}
Filename: %SystemRoot%\system32\mswsock.dll
Description: Microsoft Windows NT/2k/XP IPv6 protocol
DB filename: %SystemRoot%\system32\mswsock.dll
DB protocol: MSAFD Tcpip


Protocol 6: RSVP TCPv6 Service Provider
GUID: {9D60A9E0-337A-11D0-BD88-0000C082E69A}
Filename: %SystemRoot%\system32\mswsock.dll
Description: Microsoft Windows NT/2k/XP RVSP
DB filename: %SystemRoot%\system32\rsvpsp.dll
DB protocol: RSVP * Service Provider

Protocol 7: RSVP TCP Service Provider
GUID: {9D60A9E0-337A-11D0-BD88-0000C082E69A}
Filename: %SystemRoot%\system32\mswsock.dll
Description: Microsoft Windows NT/2k/XP RVSP
DB filename: %SystemRoot%\system32\rsvpsp.dll
DB protocol: RSVP * Service Provider

Protocol 8: RSVP UDPv6 Service Provider
GUID: {9D60A9E0-337A-11D0-BD88-0000C082E69A}
Filename: %SystemRoot%\system32\mswsock.dll
Description: Microsoft Windows NT/2k/XP RVSP
DB filename: %SystemRoot%\system32\rsvpsp.dll
DB protocol: RSVP * Service Provider

Protocol 9: RSVP UDP Service Provider
GUID: {9D60A9E0-337A-11D0-BD88-0000C082E69A}
Filename: %SystemRoot%\system32\mswsock.dll
Description: Microsoft Windows NT/2k/XP RVSP
DB filename: %SystemRoot%\system32\rsvpsp.dll
DB protocol: RSVP * Service Provider

Protocol 10: MSAFD NetBIOS [\Device\NetBT_Tcpip_{76A446BE-0792-46F1-A016-3E659FDA1CB8}] SEQPACKET 4
GUID: {8D5F1830-C273-11CF-95C8-00805F48A192}
Filename: %SystemRoot%\system32\mswsock.dll
Description: Microsoft Windows NT/2k/XP NetBios protocol
DB filename: %SystemRoot%\system32\mswsock.dll
DB protocol: MSAFD NetBIOS *

Protocol 11: MSAFD NetBIOS [\Device\NetBT_Tcpip_{76A446BE-0792-46F1-A016-3E659FDA1CB8}] DATAGRAM 4
GUID: {8D5F1830-C273-11CF-95C8-00805F48A192}
Filename: %SystemRoot%\system32\mswsock.dll
Description: Microsoft Windows NT/2k/XP NetBios protocol
DB filename: %SystemRoot%\system32\mswsock.dll
DB protocol: MSAFD NetBIOS *

Protocol 12: MSAFD NetBIOS [\Device\NetBT_Tcpip6_{83ABB540-DCD2-4387-80DE-647CAA0177A6}] SEQPACKET 1
GUID: {8D5F1830-C273-11CF-95C8-00805F48A192}
Filename: %SystemRoot%\system32\mswsock.dll
Description: Microsoft Windows NT/2k/XP NetBios protocol
DB filename: %SystemRoot%\system32\mswsock.dll
DB protocol: MSAFD NetBIOS *

Protocol 13: MSAFD NetBIOS [\Device\NetBT_Tcpip6_{83ABB540-DCD2-4387-80DE-647CAA0177A6}] DATAGRAM 1
GUID: {8D5F1830-C273-11CF-95C8-00805F48A192}
Filename: %SystemRoot%\system32\mswsock.dll
Description: Microsoft Windows NT/2k/XP NetBios protocol
DB filename: %SystemRoot%\system32\mswsock.dll
DB protocol: MSAFD NetBIOS *

Protocol 14: MSAFD NetBIOS [\Device\NetBT_Tcpip6_{6262A262-7C74-44A0-B238-B3E1D8709EE9}] SEQPACKET 0
GUID: {8D5F1830-C273-11CF-95C8-00805F48A192}
Filename: %SystemRoot%\system32\mswsock.dll
Description: Microsoft Windows NT/2k/XP NetBios protocol
DB filename: %SystemRoot%\system32\mswsock.dll
DB protocol: MSAFD NetBIOS *

Protocol 15: MSAFD NetBIOS [\Device\NetBT_Tcpip6_{6262A262-7C74-44A0-B238-B3E1D8709EE9}] DATAGRAM 0
GUID: {8D5F1830-C273-11CF-95C8-00805F48A192}
Filename: %SystemRoot%\system32\mswsock.dll
Description: Microsoft Windows NT/2k/XP NetBios protocol
DB filename: %SystemRoot%\system32\mswsock.dll
DB protocol: MSAFD NetBIOS *

Protocol 16: MSAFD NetBIOS [\Device\NetBT_Tcpip6_{76A446BE-0792-46F1-A016-3E659FDA1CB8}] SEQPACKET 5
GUID: {8D5F1830-C273-11CF-95C8-00805F48A192}
Filename: %SystemRoot%\system32\mswsock.dll
Description: Microsoft Windows NT/2k/XP NetBios protocol
DB filename: %SystemRoot%\system32\mswsock.dll
DB protocol: MSAFD NetBIOS *

Protocol 17: MSAFD NetBIOS [\Device\NetBT_Tcpip6_{76A446BE-0792-46F1-A016-3E659FDA1CB8}] DATAGRAM 5
GUID: {8D5F1830-C273-11CF-95C8-00805F48A192}
Filename: %SystemRoot%\system32\mswsock.dll
Description: Microsoft Windows NT/2k/XP NetBios protocol
DB filename: %SystemRoot%\system32\mswsock.dll
DB protocol: MSAFD NetBIOS *

Namespace Provider 0: Network Location Awareness Legacy (NLAv1) Namespace
GUID: {6642243A-3BA8-4AA6-BAA5-2E0BD71FDD83}
Filename:
Description: Microsoft Windows NT/2k/XP name space provider
DB filename: %SystemRoot%\system32\mswsock.dll
DB protocol: NLA-Namespace

Namespace Provider 1: E-mail Naming Shim Provider
GUID: {964ACBA2-B2BC-40EB-8C6A-A6DB40161CAE}
Filename:

Namespace Provider 2: PNRP Cloud Namespace Provider
GUID: {03FE89CE-766D-4976-B9C1-BB9BC42C7B4D}
Filename:

Namespace Provider 3: PNRP Name Namespace Provider
GUID: {03FE89CD-766D-4976-B9C1-BB9BC42C7B4D}
Filename:

Namespace Provider 4: Tcpip
GUID: {22059D40-7E9E-11CF-AE5A-00AA00A7112B}
Filename:
Description: Microsoft Windows NT/2k/XP TCP/IP name space provider
DB filename: %SystemRoot%\system32\mswsock.dll
DB protocol: TCP/IP

Namespace Provider 5: NTDS
GUID: {3B2637EE-E580-11CF-A555-00C04FD8D4AC}
Filename: %SystemRoot%\System32\winrnr.dll
Description: Microsoft Windows NT/2k/XP name space provider
DB filename: %SystemRoot%\system32\winrnr.dll
DB protocol: NTDS

I also noticed today that I cannot access my application data, temp folder and a few others. It comes up with access denied whereas I normally would be able to access them.

Please help, I have had this for nearly a week now and just can't shift it :sad:

Shaba
2008-08-10, 11:33
Hi Garfie

Please perform a full scan with MBAM and post back its log and a fresh Hijackthis log :)

Garfie
2008-08-10, 21:53
Hi Shaba,

Many thanks for your help, I really appreciate it.

I now seem to have got my desktop back but still have regular virus warning pop-ups and am randomly denied access to certain folders.

Here are the MBAM and HJT logs as requested:

Malwarebytes' Anti-Malware 1.24
Database version: 1020
Windows 6.0.6001 Service Pack 1

8:48:55 PM 8/10/2008
mbam-log-8-10-2008 (20-48-50).txt

Scan type: Full Scan (C:\|)
Objects scanned: 113982
Time elapsed: 50 minute(s), 46 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 3
Registry Values Infected: 1
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_CURRENT_USER\SOFTWARE\uninstall (Fake.Dropped.Malware) -> No action taken.
HKEY_CURRENT_USER\SOFTWARE\wkey (Malware.Trace) -> No action taken.
HKEY_CURRENT_USER\SOFTWARE\mwc (Malware.Trace) -> No action taken.

Registry Values Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\lphctmdj0ec0e (Trojan.FakeAlert) -> No action taken.

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)
----------------------------------------------------
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 8:49:23 PM, on 8/10/2008
Platform: Windows Vista SP1 (WinNT 6.00.1905)
MSIE: Internet Explorer v7.00 (7.00.6001.18000)
Boot mode: Normal

Running processes:
C:\Windows\system32\taskeng.exe
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Program Files\Windows Defender\MSASCui.exe
C:\Windows\RtHDVCpl.exe
C:\Program Files\Adobe\Photoshop Elements 6.0\apdproxy.exe
C:\Program Files\Avast Antivirus\ashDisp.exe
C:\Windows\System32\rundll32.exe
C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe
C:\Windows\System32\rundll32.exe
C:\Program Files\Windows Sidebar\sidebar.exe
C:\Program Files\Nokia\Nokia PC Suite 6\PcSync2.exe
C:\Program Files\Nokia\Nokia PC Suite 6\PCSuite.exe
C:\Program Files\Windows Media Player\wmpnscfg.exe
C:\ProgramData\rcvsxmzo\nqlszova.exe
C:\ProgramData\proccfg\zmtqrwdk.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\Windows Sidebar\sidebar.exe
C:\Windows\system32\wbem\unsecapp.exe
C:\Windows\system32\wuauclt.exe
C:\Program Files\Common Files\Nokia\MPAPI\MPAPI3s.exe
C:\Program Files\Microsoft Office\OFFICE11\OUTLOOK.EXE
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Windows\system32\SearchFilterHost.exe
C:\Users\Guy\Desktop\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O1 - Hosts: ::1 localhost
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O4 - HKLM\..\Run: [Windows Defender] %ProgramFiles%\Windows Defender\MSASCui.exe -hide
O4 - HKLM\..\Run: [RtHDVCpl] RtHDVCpl.exe
O4 - HKLM\..\Run: [Adobe Photo Downloader] "C:\Program Files\Adobe\Photoshop Elements 6.0\apdproxy.exe"
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\AVASTA~1\ashDisp.exe
O4 - HKLM\..\Run: [NvSvc] RUNDLL32.EXE C:\Windows\system32\nvsvc.dll,nvsvcStart
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\Windows\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\Windows\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe"
O4 - HKCU\..\Run: [Sidebar] C:\Program Files\Windows Sidebar\sidebar.exe /autoRun
O4 - HKCU\..\Run: [Nokia.PCSync] "C:\Program Files\Nokia\Nokia PC Suite 6\PCSync2.exe" /NoDialog
O4 - HKCU\..\Run: [PC Suite Tray] "C:\Program Files\Nokia\Nokia PC Suite 6\PCSuite.exe" -onlytray
O4 - HKCU\..\Run: [WMPNSCFG] C:\Program Files\Windows Media Player\WMPNSCFG.exe
O4 - HKCU\..\Run: [SmartShCom] C:\ProgramData\SmartShCom\hcfgfytg.exe
O4 - HKCU\..\Run: [WvSbO1Kv04] C:\ProgramData\rcvsxmzo\nqlszova.exe
O4 - HKCU\..\Run: [ProcDsc] C:\ProgramData\ProcDsc\zcvgzsly.exe
O4 - HKCU\..\Run: [monwin] C:\ProgramData\monwin\verohots.exe
O4 - HKCU\..\Run: [proccfg] C:\ProgramData\proccfg\zmtqrwdk.exe
O4 - HKCU\..\Run: [enstrapp] C:\ProgramData\enstrapp\lifonape.exe
O4 - HKCU\..\Run: [infosys] C:\ProgramData\infosys\gzmhghgd.exe
O4 - HKCU\..\Run: [EnUiProc] C:\ProgramData\EnUiProc\gfsfsrcf.exe
O4 - HKCU\..\Run: [ChkHlp] C:\ProgramData\ChkHlp\clybelup.exe
O4 - HKCU\..\Run: [WebSrv] C:\ProgramData\WebSrv\ibkdivij.exe
O4 - HKCU\..\Run: [sysmsg] C:\ProgramData\sysmsg\jwbwdqrw.exe
O4 - HKCU\..\Run: [shactmsg] C:\ProgramData\shactmsg\hqfslgvi.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKCU\..\Run: [infodbset] C:\ProgramData\infodbset\gzufknil.exe
O4 - HKCU\..\Run: [lphctmdj0ec0e] C:\Windows\system32\lphctmdj0ec0e.exe
O4 - HKUS\S-1-5-19\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\Run: [WindowsWelcomeCenter] rundll32.exe oobefldr.dll,ShowWelcomeCenter (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'NETWORK SERVICE')
O4 - Startup: DesktopKeeley.lnk = C:\Program Files\DesktopKeeley\DesktopKeeley.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\PROGRA~1\Java\JRE16~2.0_0\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\PROGRA~1\Java\JRE16~2.0_0\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O13 - Gopher Prefix:
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O22 - SharedTaskScheduler: Windows DreamScene - {E31004D1-A431-41B8-826F-E902F9D95C81} - C:\Windows\System32\DreamScene.dll
O23 - Service: Adobe Active File Monitor V6 (AdobeActiveFileMonitor6.0) - Unknown owner - C:\Program Files\Adobe\Photoshop Elements 6.0\PhotoshopElementsFileAgent.exe
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Avast Antivirus\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Avast Antivirus\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Avast Antivirus\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Avast Antivirus\ashWebSv.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: ServiceLayer - Nokia. - C:\Program Files\PC Connectivity Solution\ServiceLayer.exe

--
End of file - 7297 bytes

Shaba
2008-08-11, 13:36
OK, seems that it doesn't remove all.

Download Deckard's System Scanner (DSS) (http://www.techsupportforum.com/sectools/Deckard/dss.exe) to your Desktop. Note: You must be logged onto an account with administrator privileges.

Close all applications and windows.
Double-click on dss.exe to run it, and follow the prompts.
When the scan is complete, two text files will open - main.txt <- this one will be maximized, and extra.txt <- this one will be minimized
Copy (Ctrl+A then Ctrl+C) and paste (Ctrl+V) the contents of main.txt and the extra.txt to your post.

Garfie
2008-08-11, 20:01
Logs as requested

Deckard's System Scanner v20071014.68
Run by Guy on 2008-08-11 18:46:41
Computer is in Normal Mode.
--------------------------------------------------------------------------------

-- Last 5 Restore Point(s) --
29: 2008-08-09 10:12:23 UTC - RP80 - Windows Update
28: 2008-08-07 09:56:07 UTC - RP79 - Removed Ad-Aware
27: 2008-08-07 09:54:24 UTC - RP78 - Removed Java(TM) 6 Update 6
26: 2008-08-07 00:45:36 UTC - RP77 - Windows Update
25: 2008-08-06 18:00:39 UTC - RP76 - Scheduled Checkpoint


-- First Restore Point --
1: 2008-07-02 01:20:57 UTC - RP52 - Windows Update


Backed up registry hives.
Performed disk cleanup.



-- HijackThis (run as Guy.exe) -------------------------------------------------

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 6:48:56 PM, on 8/11/2008
Platform: Windows Vista SP1 (WinNT 6.00.1905)
MSIE: Internet Explorer v7.00 (7.00.6001.18000)
Boot mode: Normal

Running processes:
C:\Windows\system32\taskeng.exe
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Program Files\Windows Defender\MSASCui.exe
C:\Windows\RtHDVCpl.exe
C:\Program Files\Adobe\Photoshop Elements 6.0\apdproxy.exe
C:\Program Files\Avast Antivirus\ashDisp.exe
C:\Windows\System32\rundll32.exe
C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe
C:\Program Files\Windows Sidebar\sidebar.exe
C:\Program Files\Nokia\Nokia PC Suite 6\PcSync2.exe
C:\Program Files\Nokia\Nokia PC Suite 6\PCSuite.exe
C:\Program Files\Windows Media Player\wmpnscfg.exe
C:\Windows\System32\rundll32.exe
C:\ProgramData\rcvsxmzo\nqlszova.exe
C:\ProgramData\shactmsg\hqfslgvi.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Windows\system32\wbem\unsecapp.exe
C:\Program Files\Windows Sidebar\sidebar.exe
C:\Program Files\Common Files\Nokia\MPAPI\MPAPI3s.exe
C:\Program Files\Microsoft Office\OFFICE11\OUTLOOK.EXE
C:\Windows\system32\wuauclt.exe
C:\Users\Guy\Desktop\dss.exe
C:\Windows\system32\conime.exe
C:\Windows\system32\SearchFilterHost.exe
C:\Users\Guy\Desktop\Guy.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O1 - Hosts: ::1 localhost
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O4 - HKLM\..\Run: [Windows Defender] %ProgramFiles%\Windows Defender\MSASCui.exe -hide
O4 - HKLM\..\Run: [RtHDVCpl] RtHDVCpl.exe
O4 - HKLM\..\Run: [Adobe Photo Downloader] "C:\Program Files\Adobe\Photoshop Elements 6.0\apdproxy.exe"
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\AVASTA~1\ashDisp.exe
O4 - HKLM\..\Run: [NvSvc] RUNDLL32.EXE C:\Windows\system32\nvsvc.dll,nvsvcStart
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\Windows\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\Windows\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe"
O4 - HKCU\..\Run: [Sidebar] C:\Program Files\Windows Sidebar\sidebar.exe /autoRun
O4 - HKCU\..\Run: [Nokia.PCSync] "C:\Program Files\Nokia\Nokia PC Suite 6\PCSync2.exe" /NoDialog
O4 - HKCU\..\Run: [PC Suite Tray] "C:\Program Files\Nokia\Nokia PC Suite 6\PCSuite.exe" -onlytray
O4 - HKCU\..\Run: [WMPNSCFG] C:\Program Files\Windows Media Player\WMPNSCFG.exe
O4 - HKCU\..\Run: [SmartShCom] C:\ProgramData\SmartShCom\hcfgfytg.exe
O4 - HKCU\..\Run: [WvSbO1Kv04] C:\ProgramData\rcvsxmzo\nqlszova.exe
O4 - HKCU\..\Run: [ProcDsc] C:\ProgramData\ProcDsc\zcvgzsly.exe
O4 - HKCU\..\Run: [monwin] C:\ProgramData\monwin\verohots.exe
O4 - HKCU\..\Run: [proccfg] C:\ProgramData\proccfg\zmtqrwdk.exe
O4 - HKCU\..\Run: [enstrapp] C:\ProgramData\enstrapp\lifonape.exe
O4 - HKCU\..\Run: C:\ProgramData\infosys\gzmhghgd.exe
O4 - HKCU\..\Run: [EnUiProc] C:\ProgramData\EnUiProc\gfsfsrcf.exe
O4 - HKCU\..\Run: [ChkHlp] C:\ProgramData\ChkHlp\clybelup.exe
O4 - HKCU\..\Run: [WebSrv] C:\ProgramData\WebSrv\ibkdivij.exe
O4 - HKCU\..\Run: [sysmsg] C:\ProgramData\sysmsg\jwbwdqrw.exe
O4 - HKCU\..\Run: [shactmsg] C:\ProgramData\shactmsg\hqfslgvi.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKCU\..\Run: [infodbset] C:\ProgramData\infodbset\gzufknil.exe
O4 - HKCU\..\Run: [lphctmdj0ec0e] C:\Windows\system32\lphctmdj0ec0e.exe
O4 - HKUS\S-1-5-19\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\Run: [WindowsWelcomeCenter] rundll32.exe oobefldr.dll,ShowWelcomeCenter (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'NETWORK SERVICE')
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\PROGRA~1\Java\JRE16~2.0_0\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\PROGRA~1\Java\JRE16~2.0_0\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O13 - Gopher Prefix:
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O22 - SharedTaskScheduler: Windows DreamScene - {E31004D1-A431-41B8-826F-E902F9D95C81} - C:\Windows\System32\DreamScene.dll
O23 - Service: Adobe Active File Monitor V6 (AdobeActiveFileMonitor6.0) - Unknown owner - C:\Program Files\Adobe\Photoshop Elements 6.0\PhotoshopElementsFileAgent.exe
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Avast Antivirus\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Avast Antivirus\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Avast Antivirus\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Avast Antivirus\ashWebSv.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: ServiceLayer - Nokia. - C:\Program Files\PC Connectivity Solution\ServiceLayer.exe

--
End of file - 7223 bytes

-- File Associations -----------------------------------------------------------

.reg - regfile - shell\open\command - regedit.exe "%1" %*
.scr - scrfile - shell\open\command - "%1" %*


-- Drivers: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled ---------------------

All drivers whitelisted.


-- Services: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled --------------------

R3 ServiceLayer - "c:\program files\pc connectivity solution\servicelayer.exe" <Not Verified; Nokia.; PC Connectivity Solution>

S3 FLEXnet Licensing Service - "c:\program files\common files\macrovision shared\flexnet publisher\fnplicensingservice.exe" <Not Verified; Macrovision Europe Ltd.; FLEXnet Publisher (32 bit)>


-- Device Manager: Disabled ----------------------------------------------------

No disabled devices found.


-- Scheduled Tasks -------------------------------------------------------------

2008-08-11 18:45:00 418 --ah----- C:\Windows\Tasks\User_Feed_Synchronization-{4C2CA7F6-4C9C-40B8-B648-AEAB11146C92}.job
2008-08-11 18:38:32 414 --ah----- C:\Windows\Tasks\User_Feed_Synchronization-{DC8E5C6E-A31E-4F8A-8F15-600FF31E8820}.job


-- Files created between 2008-07-11 and 2008-08-11 -----------------------------

2008-08-09 19:28:49 0 d-------- C:\Users\All Users\dbgensh
2008-08-09 19:28:47 0 d-------- C:\Users\All Users\WebCfg
2008-08-08 08:44:31 0 d-------- C:\Users\All Users\strhlpcfg
2008-08-08 08:44:29 0 d-------- C:\Users\All Users\CmdGen
2008-08-07 22:28:17 0 d-------- C:\Program Files\DesktopKeeley
2008-08-07 22:28:14 0 d-------- C:\Program Files\Common Files\Adobe AIR
2008-08-07 10:55:24 0 d-------- C:\Windows\system32\appmgmt
2008-08-07 02:01:22 0 d-------- C:\VundoFix Backups
2008-08-07 00:59:32 0 d-------- C:\Windows\Sun
2008-08-06 21:20:06 0 d-------- C:\Users\All Users\infodbset
2008-08-06 21:20:05 0 d-------- C:\Users\All Users\CmdStr
2008-08-06 20:14:43 0 d-------- C:\Users\All Users\Spybot - Search & Destroy
2008-08-06 19:51:14 0 d-------- C:\Users\All Users\shactmsg
2008-08-06 19:51:13 0 d-------- C:\Users\All Users\dscsys
2008-08-06 03:43:18 0 d-------- C:\Users\All Users\sysmsg
2008-08-06 03:43:17 0 d-------- C:\Users\All Users\WebHlp
2008-08-05 18:28:43 0 d-------- C:\Users\All Users\WebSrv
2008-08-05 18:28:41 0 d-------- C:\Users\All Users\cfgcmdwin
2008-08-05 08:53:14 0 d-------- C:\Users\All Users\ChkHlp
2008-08-05 08:53:14 0 d-------- C:\Users\All Users\cfgwinsrv
2008-08-05 00:36:46 0 d-------- C:\Users\Administrator\Virus removal
2008-08-04 23:39:24 0 d-------- C:\Users\All Users\EnUiProc
2008-08-04 23:39:23 0 d-------- C:\Users\All Users\smarthlp
2008-08-04 23:34:46 0 d-------- C:\Users\All Users\infosys
2008-08-04 23:34:43 0 d-------- C:\Users\All Users\cfgdscsys
2008-08-04 23:10:17 0 d-------- C:\Windows\pss
2008-08-04 22:57:56 0 d-------- C:\Users\All Users\enstrapp
2008-08-04 22:57:55 0 d-------- C:\Users\All Users\SetEn
2008-08-04 22:48:51 0 d-------- C:\Users\All Users\proccfg
2008-08-04 22:48:51 0 d-------- C:\Users\All Users\DbSys
2008-08-04 22:43:38 0 d-------- C:\Users\All Users\monwin
2008-08-04 22:43:37 0 d-------- C:\Users\All Users\mntsh
2008-08-04 21:52:06 0 d-------- C:\Users\All Users\SUPERAntiSpyware.com
2008-08-04 21:51:44 0 d-------- C:\Program Files\SUPERAntiSpyware
2008-08-04 08:51:06 0 d-------- C:\Program Files\CCleaner
2008-08-04 01:38:22 0 d-------- C:\Users\All Users\Lavasoft
2008-08-04 01:37:16 0 d-------- C:\Program Files\Common Files\Wise Installation Wizard
2008-08-04 01:31:10 0 d-------- C:\Users\All Users\ProcDsc
2008-08-04 01:31:09 0 d-------- C:\Users\All Users\DscHlpCom
2008-08-04 01:13:20 0 d-------- C:\Users\All Users\Malwarebytes
2008-08-04 01:12:38 0 d-------- C:\Program Files\Virus removal
2008-08-04 00:56:47 0 d-------- C:\Program Files\Panda Security
2008-08-04 00:35:30 0 d-------- C:\Users\Guy\Virus removal
2008-08-04 00:03:44 0 d-------- C:\Users\All Users\rcvsxmzo
2008-08-04 00:03:37 0 d-------- C:\Users\All Users\SmartShCom
2008-08-04 00:03:36 0 d-------- C:\Users\All Users\infomntgen
2008-07-17 19:40:47 0 d-------- C:\Users\All Users\hpdj1280


-- Find3M Report ---------------------------------------------------------------

2008-08-07 22:28:31 0 d-------- C:\Users\Guy\AppData\Roaming\DesktopKeeley.67EC435B62486C772528D0A6C46FFC4DE1624B6B.1
2008-08-07 22:28:14 0 d-------- C:\Program Files\Common Files
2008-08-07 22:26:18 0 d-------- C:\Users\Guy\AppData\Roaming\Adobe
2008-08-07 10:55:21 0 d-------- C:\Program Files\Java
2008-08-04 21:51:44 0 d-------- C:\Users\Guy\AppData\Roaming\SUPERAntiSpyware.com
2008-08-04 01:13:24 0 d-------- C:\Users\Guy\AppData\Roaming\Malwarebytes
2008-07-30 23:59:07 0 d-------- C:\Program Files\Avast Antivirus
2008-07-09 08:58:37 0 d-------- C:\Program Files\Windows Mail
2008-06-30 01:00:14 0 d-------- C:\Users\Guy\AppData\Roaming\Mozilla
2008-06-26 20:25:30 0 d-------- C:\Users\Guy\AppData\Roaming\LimeWire
2008-06-26 19:26:21 0 d-------- C:\Users\Guy\AppData\Roaming\Nokia Multimedia Player
2008-06-18 17:45:56 0 d-------- C:\Users\Guy\AppData\Roaming\Nokia
2008-06-18 17:44:14 0 d-------- C:\Users\Guy\AppData\Roaming\PC Suite
2008-06-18 17:41:50 0 d-------- C:\Program Files\Common Files\Nokia
2008-06-18 17:41:49 0 d-------- C:\Program Files\Common Files\PCSuite
2008-06-18 17:41:44 0 d-------- C:\Program Files\Nokia
2008-06-18 17:41:35 0 d-------- C:\Program Files\DIFX
2008-06-18 17:40:32 0 d-------- C:\Program Files\PC Connectivity Solution
2008-06-18 00:29:15 0 d-------- C:\Program Files\Windows Live
2008-06-17 22:07:30 0 d-------- C:\Program Files\Common Files\Java
2008-06-17 22:06:06 0 d-------- C:\Program Files\LimeWire
2008-06-17 21:22:53 0 d-------- C:\Program Files\BitLocker
2008-06-17 21:19:25 0 d-------- C:\Program Files\Microsoft Games
2008-06-17 19:58:20 0 d-------- C:\Program Files\Microsoft SQL Server Compact Edition
2008-06-17 19:58:15 0 d--hs--c- C:\Program Files\Common Files\WindowsLiveInstaller
2008-06-17 19:55:06 0 d-------- C:\Program Files\Msn Messenger
2008-06-17 19:16:28 174 --ahs---- C:\Program Files\desktop.ini
2008-06-17 19:02:08 0 d-------- C:\Program Files\Windows Sidebar
2008-06-17 19:02:08 0 d-------- C:\Program Files\Windows Photo Gallery
2008-06-17 19:02:08 0 d-------- C:\Program Files\Windows Journal
2008-06-17 19:02:08 0 d-------- C:\Program Files\Windows Collaboration
2008-06-17 19:02:08 0 d-------- C:\Program Files\Windows Calendar
2008-06-17 19:02:08 0 d-------- C:\Program Files\Movie Maker
2008-06-17 19:02:07 0 d-------- C:\Program Files\Windows Defender
2008-06-07 00:58:21 0 --a------ C:\Windows\nsreg.dat
2008-06-05 13:38:39 315392 --a------ C:\Windows\HideWin.exe <Not Verified; Realtek Semiconductor Corp.; HD Audio Hide windows program>


-- Registry Dump ---------------------------------------------------------------

*Note* empty entries & legit default entries are not shown


[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Windows Defender"="C:\Program Files\Windows Defender\MSASCui.exe" [01/19/2008 08:38 AM]
"RtHDVCpl"="RtHDVCpl.exe" [10/01/2007 04:53 AM C:\Windows\RtHDVCpl.exe]
"Adobe Photo Downloader"="C:\Program Files\Adobe\Photoshop Elements 6.0\apdproxy.exe" [09/11/2007 12:43 AM]
"Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [01/11/2008 10:16 PM]
"avast!"="C:\PROGRA~1\AVASTA~1\ashDisp.exe" [07/19/2008 03:38 PM]
"NvSvc"="C:\Windows\system32\nvsvc.dll" [09/12/2007 05:28 AM]
"NvCplDaemon"="C:\Windows\system32\NvCpl.dll" [09/12/2007 05:28 AM]
"NvMediaCenter"="C:\Windows\system32\NvMcTray.dll" [09/12/2007 05:28 AM]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe" [06/10/2008 04:27 AM]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Sidebar"="C:\Program Files\Windows Sidebar\sidebar.exe" [01/19/2008 08:33 AM]
"Nokia.PCSync"="C:\Program Files\Nokia\Nokia PC Suite 6\PCSync2.exe" [03/26/2008 06:41 PM]
"PC Suite Tray"="C:\Program Files\Nokia\Nokia PC Suite 6\PCSuite.exe" [04/16/2008 12:53 PM]
"WMPNSCFG"="C:\Program Files\Windows Media Player\WMPNSCFG.exe" [01/19/2008 08:33 AM]
"SmartShCom"="C:\ProgramData\SmartShCom\hcfgfytg.exe" []
"WvSbO1Kv04"="C:\ProgramData\rcvsxmzo\nqlszova.exe" [08/04/2008 12:03 AM]
"ProcDsc"="C:\ProgramData\ProcDsc\zcvgzsly.exe" []
"monwin"="C:\ProgramData\monwin\verohots.exe" [08/04/2008 10:43 PM]
"proccfg"="C:\ProgramData\proccfg\zmtqrwdk.exe" [08/04/2008 10:48 PM]
"enstrapp"="C:\ProgramData\enstrapp\lifonape.exe" [08/04/2008 10:57 PM]
"infosys"="C:\ProgramData\infosys\gzmhghgd.exe" [08/04/2008 11:34 PM]
"EnUiProc"="C:\ProgramData\EnUiProc\gfsfsrcf.exe" [08/04/2008 11:39 PM]
"ChkHlp"="C:\ProgramData\ChkHlp\clybelup.exe" [08/05/2008 08:53 AM]
"WebSrv"="C:\ProgramData\WebSrv\ibkdivij.exe" [08/05/2008 06:28 PM]
"sysmsg"="C:\ProgramData\sysmsg\jwbwdqrw.exe" [08/06/2008 03:43 AM]
"shactmsg"="C:\ProgramData\shactmsg\hqfslgvi.exe" [08/06/2008 07:51 PM]
"SpybotSD TeaTimer"="C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe" [07/07/2008 09:42 AM]
"infodbset"="C:\ProgramData\infodbset\gzufknil.exe" [08/06/2008 09:20 PM]
"lphctmdj0ec0e"="C:\Windows\system32\lphctmdj0ec0e.exe" []

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"ConsentPromptBehaviorAdmin"=2 (0x2)
"EnableUIADesktopToggle"=0 (0x0)

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= C:\Program Files\SUPERAntiSpyware\SASSEH.DLL [05/13/2008 10:13 AM 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
C:\Program Files\SUPERAntiSpyware\SASWINLO.dll 04/19/2007 01:41 PM 294912 C:\Program Files\SUPERAntiSpyware\SASWINLO.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\AppInfo]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\KeyIso]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\NTDS]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\ProfSvc]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\sacsvr]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\SWPRV]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\TabletInputService]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\TBS]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\TrustedInstaller]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\VDS]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\volmgr.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\volmgrx.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{533C5B84-EC70-11D2-9505-00C04F79DEAF}]
@="Volume shadow copy"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{6BDD1FC1-810F-11D0-BEC7-08002BE2092F}]
@="IEEE 1394 Bus host controllers"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{D48179BE-EC20-11D1-B6B8-00C04FA372A7}]
@="SBP2 IEEE 1394 Devices"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{D94EE5D8-D189-4994-83D2-F68D7D41B0E6}]
@="SecurityDevices"

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
LocalService nsi lltdsvc SSDPSRV upnphost SCardSvr w32time EventSystem RemoteRegistry WinHttpAutoProxySvc lanmanworkstation TBS SLUINotify THREADORDER fdrespub netprofm fdphost wcncsvc QWAVE Mcx2Svc WebClient SstpSvc


[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\F]
AutoRun\command- F:\LaunchU3.exe -a

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{0c116be0-33d0-11dd-aa29-001fc60705ae}]
AutoRun\command- G:\setupSNK.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{0c116be3-33d0-11dd-aa29-001fc60705ae}]
AutoRun\command- F:\LaunchU3.exe -a

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{64b80e04-3376-11dd-ab9b-806e6f6e6963}]
AutoRun\command- D:\autorun.exe


[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\>{22d6f312-b0f6-11d0-94ab-0080c74c7e95}]
C:\Windows\system32\unregmp2.exe /ShowWMP

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{6BF52A52-394A-11d3-B153-00C04F79FAA6}]
%SystemRoot%\system32\unregmp2.exe /FirstLogon /Shortcuts /RegBrowsers /ResetMUI

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{7070D8E0-650A-46b3-B03C-9497582E6A74}]
%SystemRoot%\system32\soundschemes.exe /AddRegistration



-- End of Deckard's System Scanner: finished at 2008-08-11 18:50:12 ------------


Deckard's System Scanner v20071014.68
Extra logfile - please post this as an attachment with your post.
--------------------------------------------------------------------------------

-- System Information ----------------------------------------------------------

Microsoft® Windows Vista™ Ultimate (build 6001) SP 1.0
Architecture: X86; Language: English

CPU 0: AMD Athlon(tm) 64 X2 Dual Core Processor 4800+
Percentage of Memory in Use: 43%
Physical Memory (total/avail): 1918.5 MiB / 1083.53 MiB
Pagefile Memory (total/avail): 4081.47 MiB / 3096.1 MiB
Virtual Memory (total/avail): 2047.88 MiB / 1880.52 MiB

C: is Fixed (NTFS) - 298.09 GiB total, 227.17 GiB free.
D: is CDROM (No Media)
E: is CDROM (No Media)

\\.\PHYSICALDRIVE0 - MAXTOR STM3320820AS ATA Device - 298.09 GiB - 1 partition
\PARTITION0 (bootable) - Installable File System - 298.09 GiB - C:



-- Security Center -------------------------------------------------------------

AUOptions is set to notify before download.
Windows Internal Firewall is enabled.

AV: avast! antivirus 4.8.1229 [VPS 080811-0] v4.8.1229 (ALWIL Software)
AS: Windows Defender v1.1.1505.0 (Microsoft Corporation)
AS: avast! antivirus 4.8.1229 [VPS 080811-0] v4.8.1229 (ALWIL Software)

[HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List]

[HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]


-- Environment Variables -------------------------------------------------------

ALLUSERSPROFILE=C:\ProgramData
APPDATA=C:\Users\Guy\AppData\Roaming
CommonProgramFiles=C:\Program Files\Common Files
COMPUTERNAME=GUY-PC
ComSpec=C:\Windows\system32\cmd.exe
FP_NO_HOST_CHECK=NO
HOMEDRIVE=C:
HOMEPATH=\Users\Guy
LOCALAPPDATA=C:\Users\Guy\AppData\Local
LOGONSERVER=\\GUY-PC
NUMBER_OF_PROCESSORS=2
OS=Windows_NT
Path=C:\Program Files\PC Connectivity Solution\;C:\Windows\system32;C:\Windows;C:\Windows\System32\Wbem
PATHEXT=.COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC
PROCESSOR_ARCHITECTURE=x86
PROCESSOR_IDENTIFIER=x86 Family 15 Model 107 Stepping 2, AuthenticAMD
PROCESSOR_LEVEL=15
PROCESSOR_REVISION=6b02
ProgramData=C:\ProgramData
ProgramFiles=C:\Program Files
PROMPT=$P$G
PUBLIC=C:\Users\Public
SystemDrive=C:
SystemRoot=C:\Windows
TEMP=C:\Users\Guy\AppData\Local\Temp
TMP=C:\Users\Guy\AppData\Local\Temp
USERDOMAIN=Guy-PC
USERNAME=Guy
USERPROFILE=C:\Users\Guy
windir=C:\Windows


-- User Profiles ---------------------------------------------------------------

Guy
Helen.Guy-PC
Administrator [I](admin)


-- Add/Remove Programs ---------------------------------------------------------

Adobe Acrobat and Reader 8.1.2 Security Update 1 (KB403742) --> MsiExec.exe /X{6846389C-BAC0-4374-808E-B120F86AF5D7}
Adobe AIR --> C:\Program Files\Common Files\Adobe AIR\Versions\1.0\Resources\Adobe AIR Updater.exe -arp:uninstall
Adobe AIR --> MsiExec.exe /I{197A3012-8C85-4FD3-AB66-9EC7E13DB92E}
Adobe Flash Player ActiveX --> C:\Windows\system32\Macromed\Flash\uninstall_activeX.exe
Adobe Flash Player Plugin --> C:\Windows\system32\Macromed\Flash\uninstall_plugin.exe
Adobe Photoshop Elements 6.0 --> msiexec /I {F54AC413-D2C6-4A24-B324-370C223C6250}
Adobe Reader 8.1.2 --> MsiExec.exe /I{AC76BA86-7AD7-1033-7B44-A81200000003}
Adobe Reader 8.1.2 Security Update 1 (KB403742) -->
avast! Antivirus --> C:\Program Files\Avast Antivirus\aswRunDll.exe "C:\Program Files\Avast Antivirus\Setup\setiface.dll",RunSetup
CCleaner (remove only) --> "C:\Program Files\CCleaner\uninst.exe"
Desktop Keeley --> msiexec /qb /x {0BD4335E-CF25-00F2-2AC3-086ACF60B52F}
DesktopKeeley --> MsiExec.exe /I{0BD4335E-CF25-00F2-2AC3-086ACF60B52F}
HijackThis 2.0.2 --> "C:\Users\Guy\Desktop\HijackThis.exe" /uninstall
Java(TM) 6 Update 7 --> MsiExec.exe /I{3248F0A8-6813-11D6-A77B-00B0D0160070}
LimeWire 4.18.2 --> "C:\Program Files\LimeWire\uninstall.exe"
Malwarebytes' Anti-Malware --> "C:\Program Files\Virus removal\Malwarebytes' Anti-Malware\unins000.exe"
Microsoft Office Professional Edition 2003 --> MsiExec.exe /I{90110409-6000-11D3-8CFE-0150048383C9}
Microsoft Office Sounds --> MsiExec.exe /I{10CE1EA2-12E9-11D3-825E-00C04F6843FE}
Microsoft SQL Server 2005 Compact Edition [ENU] --> MsiExec.exe /I{F0B430D1-B6AA-473D-9B06-AA3DD01FD0B8}
Mozilla Firefox (3.0.1) --> C:\Program Files\Mozilla Firefox\uninstall\helper.exe
MSVC80_x86 --> MsiExec.exe /I{212748BB-0DA5-46DE-82A1-403736DC9F27}
Nokia Connectivity Cable Driver --> MsiExec.exe /X{4F1DCA42-2030-437C-A94E-736692A499C1}
Nokia PC Suite --> C:\ProgramData\Installations\{9C05FA75-0337-4523-AA57-9D3511018887}\Nokia_PC_Suite_rel_6_86_9_3_eng_web.exe
Nokia PC Suite --> MsiExec.exe /I{9C05FA75-0337-4523-AA57-9D3511018887}
NVIDIA Drivers --> C:\Windows\system32\NVUNINST.EXE UninstallGUI
Panda ActiveScan 2.0 --> C:\Program Files\Panda Security\ActiveScan 2.0\as2uninst.exe
PC Connectivity Solution --> MsiExec.exe /I{AC599724-5755-48C1-ABE7-ABB857652930}
Realtek High Definition Audio Driver --> RtlUpd.exe -r -m
Spelling Dictionaries Support For Adobe Reader 8 --> MsiExec.exe /I{AC76BA86-7AD7-5464-3428-800000000003}
Spybot - Search & Destroy --> "C:\Program Files\Spybot - Search & Destroy\unins000.exe"
SUPERAntiSpyware Free Edition --> MsiExec.exe /X{CDDCBBF1-2703-46BC-938B-BCC81A1EEAAA}
Windows Driver Package - Nokia Modem (03/05/2008 3.7) --> C:\PROGRA~1\DIFX\270581355A767BF1\dpinst.exe /u C:\Windows\System32\DriverStore\FileRepository\nokia_bluetooth.inf_ce5ad925\nokia_bluetooth.inf
Windows Driver Package - Nokia Modem (03/13/2008 6.86.0.1) --> C:\PROGRA~1\DIFX\270581355A767BF1\dpinst.exe /u C:\Windows\System32\DriverStore\FileRepository\nokbtmdm.inf_674398ba\nokbtmdm.inf
Windows Live installer --> MsiExec.exe /X{A7E4ECCA-4A8E-4258-8EC8-2DCCF5B11320}
Windows Live Messenger --> MsiExec.exe /X{508CE775-4BA4-4748-82DF-FE28DA9F03B0}
Windows Live Photo Gallery --> MsiExec.exe /X{2D4F6BE3-6FEF-4FE9-9D01-1406B220D08C}
Windows Live Sign-in Assistant --> MsiExec.exe /I{AFA4E5FD-ED70-4D92-99D0-162FD56DC986}
Windows Media Player Firefox Plugin --> MsiExec.exe /I{69FDFBB6-351D-4B8C-89D8-867DC9D0A2A4}
Windows Sound Schemes --> RunDll32 advpack.dll,LaunchINFSection C:\Windows\INF\UltSound.inf,Uninstall


-- Application Event Log -------------------------------------------------------

Event Record #/Type6101 / Error
Event Submitted/Written: 08/11/2008 06:38:16 PM
Event ID/Source: 33 / SideBySide
Event Description:
Activation context generation failed for "Microsoft.VC80.MFCLOC,processorArchitecture="x86",publicKeyToken="1fc8b3b9a1e18e3b",type="win32",version="8.0.50608.0"1".
Dependent Assembly Microsoft.VC80.MFCLOC,processorArchitecture="x86",publicKeyToken="1fc8b3b9a1e18e3b",type="win32",version="8.0.50608.0" could not be found.
Please use sxstrace.exe for detailed diagnosis.

Event Record #/Type6094 / Success
Event Submitted/Written: 08/11/2008 06:37:25 PM
Event ID/Source: 5617 / WinMgmt
Event Description:


Event Record #/Type6092 / Success
Event Submitted/Written: 08/11/2008 06:37:24 PM
Event ID/Source: 5615 / WinMgmt
Event Description:


Event Record #/Type6091 / Success
Event Submitted/Written: 08/11/2008 06:37:23 PM
Event ID/Source: 2570 / Adobe Active File Monitor 6.0
Event Description:
Adobe Active File Monitor Service has Started.

Event Record #/Type6090 / Error
Event Submitted/Written: 08/11/2008 06:37:23 PM
Event ID/Source: 2720 / AdobePlatform
Event Description:
Thread 708!d! has terminated with exception: Access is denied.

For additional information on this message, please visit our support Web site
http://www.adobe.com/support/main.html



-- Security Event Log ----------------------------------------------------------

No Errors/Warnings found.


-- System Event Log ------------------------------------------------------------

Event Record #/Type38747 / Warning
Event Submitted/Written: 08/11/2008 06:49:16 PM
Event ID/Source: 3004 / WinDefend
Event Description:
%Guy-PC27 Real-Time Protection agent has detected changes. Microsoft recommends you analyze the software that made these changes for potential risks. You can use information about how these programs operate to choose whether to allow them to run or remove them from your computer. Allow changes only if you trust the program or the software publisher. %Guy-PC27 can't undo changes that you allow.

For more information please see the following:
%Guy-PC275

Scan ID: {0833A2E1-F232-436C-BCBF-7A751C0DD59A}

User: Guy-PC\Guy

Name: %Guy-PC271

ID: %Guy-PC272

Severity ID: %Guy-PC273

Category ID: %Guy-PC274

Path Found: %Guy-PC276

Alert Type: %Guy-PC278

Detection Type: 1.1.1600.02

Event Record #/Type38746 / Warning
Event Submitted/Written: 08/11/2008 06:49:16 PM
Event ID/Source: 3004 / WinDefend
Event Description:
%Guy-PC27 Real-Time Protection agent has detected changes. Microsoft recommends you analyze the software that made these changes for potential risks. You can use information about how these programs operate to choose whether to allow them to run or remove them from your computer. Allow changes only if you trust the program or the software publisher. %Guy-PC27 can't undo changes that you allow.

For more information please see the following:
%Guy-PC275

Scan ID: {DBB48C08-1ECF-4194-9DCF-C5B6A32EB814}

User: Guy-PC\Guy

Name: %Guy-PC271

ID: %Guy-PC272

Severity ID: %Guy-PC273

Category ID: %Guy-PC274

Path Found: %Guy-PC276

Alert Type: %Guy-PC278

Detection Type: 1.1.1600.02

Event Record #/Type38745 / Warning
Event Submitted/Written: 08/11/2008 06:49:16 PM
Event ID/Source: 3004 / WinDefend
Event Description:
%Guy-PC27 Real-Time Protection agent has detected changes. Microsoft recommends you analyze the software that made these changes for potential risks. You can use information about how these programs operate to choose whether to allow them to run or remove them from your computer. Allow changes only if you trust the program or the software publisher. %Guy-PC27 can't undo changes that you allow.

For more information please see the following:
%Guy-PC275

Scan ID: {38F14FC2-5DD7-4F9E-9DC7-6F097F551CDD}

User: Guy-PC\Guy

Name: %Guy-PC271

ID: %Guy-PC272

Severity ID: %Guy-PC273

Category ID: %Guy-PC274

Path Found: %Guy-PC276

Alert Type: %Guy-PC278

Detection Type: 1.1.1600.02

Event Record #/Type38744 / Warning
Event Submitted/Written: 08/11/2008 06:49:16 PM
Event ID/Source: 3004 / WinDefend
Event Description:
%Guy-PC27 Real-Time Protection agent has detected changes. Microsoft recommends you analyze the software that made these changes for potential risks. You can use information about how these programs operate to choose whether to allow them to run or remove them from your computer. Allow changes only if you trust the program or the software publisher. %Guy-PC27 can't undo changes that you allow.

For more information please see the following:
%Guy-PC275

Scan ID: {CFF5ED94-F794-4C7F-BD05-2DA84FD03FD1}

User: Guy-PC\Guy

Name: %Guy-PC271

ID: %Guy-PC272

Severity ID: %Guy-PC273

Category ID: %Guy-PC274

Path Found: %Guy-PC276

Alert Type: %Guy-PC278

Detection Type: 1.1.1600.02

Event Record #/Type38743 / Warning
Event Submitted/Written: 08/11/2008 06:49:16 PM
Event ID/Source: 3004 / WinDefend
Event Description:
%Guy-PC27 Real-Time Protection agent has detected changes. Microsoft recommends you analyze the software that made these changes for potential risks. You can use information about how these programs operate to choose whether to allow them to run or remove them from your computer. Allow changes only if you trust the program or the software publisher. %Guy-PC27 can't undo changes that you allow.

For more information please see the following:
%Guy-PC275

Scan ID: {94002085-8FC1-414C-8EA7-F8D4C4196EF5}

User: Guy-PC\Guy

Name: %Guy-PC271

ID: %Guy-PC272

Severity ID: %Guy-PC273

Category ID: %Guy-PC274

Path Found: %Guy-PC276

Alert Type: %Guy-PC278

Detection Type: 1.1.1600.02



-- End of Deckard's System Scanner: finished at 2008-08-11 18:50:12 ------------

Shaba
2008-08-11, 20:12
IMPORTANT: I notice there are signs of one or more P2P (Peer to Peer) File Sharing Programs on your computer.

Limewire 4.18.2

I'd like you to read this thread (http://forums.spybot.info/showthread.php?t=282).

Please go to Control Panel > Add/Remove Programs and uninstall the programs listed above (in red).

After that:

Click Start and then Run to bring up the Run box.
Copy and paste the contents of this quote box into the run box:

"%userprofile%\desktop\dss.exe" /config
Close all other open windows.
Click OK.
A window will now open. Click Check All and then click Scan!.
When the scan is complete, two text files will open in Notepad: main.txt <- this one will be maximized
extra.txt <- this one will be minimized
If not, they both can be found in the C:\Deckard\System Scanner folder.
Please copy (Ctrl+C) and paste (Ctrl+V) the contents of main.txt and extra.txt in your next reply.

Garfie
2008-08-11, 20:47
Ok, done that, here is the main.txt file.

There was no extra.txt file this time

Deckard's System Scanner v20071014.68
Run by Guy on 2008-08-11 19:43:45
Computer is in Normal Mode.
--------------------------------------------------------------------------------



-- HijackThis (run as Guy.exe) -------------------------------------------------

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 7:43:47 PM, on 8/11/2008
Platform: Windows Vista SP1 (WinNT 6.00.1905)
MSIE: Internet Explorer v7.00 (7.00.6001.18000)
Boot mode: Normal

Running processes:
C:\Windows\system32\taskeng.exe
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Program Files\Windows Defender\MSASCui.exe
C:\Windows\RtHDVCpl.exe
C:\Program Files\Adobe\Photoshop Elements 6.0\apdproxy.exe
C:\Program Files\Avast Antivirus\ashDisp.exe
C:\Windows\System32\rundll32.exe
C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe
C:\Program Files\Windows Sidebar\sidebar.exe
C:\Program Files\Nokia\Nokia PC Suite 6\PcSync2.exe
C:\Program Files\Nokia\Nokia PC Suite 6\PCSuite.exe
C:\Program Files\Windows Media Player\wmpnscfg.exe
C:\Windows\System32\rundll32.exe
C:\ProgramData\rcvsxmzo\nqlszova.exe
C:\ProgramData\shactmsg\hqfslgvi.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Windows\system32\wbem\unsecapp.exe
C:\Program Files\Windows Sidebar\sidebar.exe
C:\Program Files\Common Files\Nokia\MPAPI\MPAPI3s.exe
C:\Program Files\Microsoft Office\OFFICE11\OUTLOOK.EXE
C:\Windows\system32\wuauclt.exe
C:\Windows\system32\conime.exe
C:\Windows\system32\SearchFilterHost.exe
C:\Users\Guy\Desktop\dss.exe
C:\Users\Guy\Desktop\Guy.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O1 - Hosts: ::1 localhost
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O4 - HKLM\..\Run: [Windows Defender] %ProgramFiles%\Windows Defender\MSASCui.exe -hide
O4 - HKLM\..\Run: [RtHDVCpl] RtHDVCpl.exe
O4 - HKLM\..\Run: [Adobe Photo Downloader] "C:\Program Files\Adobe\Photoshop Elements 6.0\apdproxy.exe"
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\AVASTA~1\ashDisp.exe
O4 - HKLM\..\Run: [NvSvc] RUNDLL32.EXE C:\Windows\system32\nvsvc.dll,nvsvcStart
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\Windows\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\Windows\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe"
O4 - HKCU\..\Run: [Sidebar] C:\Program Files\Windows Sidebar\sidebar.exe /autoRun
O4 - HKCU\..\Run: [Nokia.PCSync] "C:\Program Files\Nokia\Nokia PC Suite 6\PCSync2.exe" /NoDialog
O4 - HKCU\..\Run: [PC Suite Tray] "C:\Program Files\Nokia\Nokia PC Suite 6\PCSuite.exe" -onlytray
O4 - HKCU\..\Run: [WMPNSCFG] C:\Program Files\Windows Media Player\WMPNSCFG.exe
O4 - HKCU\..\Run: [SmartShCom] C:\ProgramData\SmartShCom\hcfgfytg.exe
O4 - HKCU\..\Run: [WvSbO1Kv04] C:\ProgramData\rcvsxmzo\nqlszova.exe
O4 - HKCU\..\Run: [ProcDsc] C:\ProgramData\ProcDsc\zcvgzsly.exe
O4 - HKCU\..\Run: [monwin] C:\ProgramData\monwin\verohots.exe
O4 - HKCU\..\Run: [proccfg] C:\ProgramData\proccfg\zmtqrwdk.exe
O4 - HKCU\..\Run: [enstrapp] C:\ProgramData\enstrapp\lifonape.exe
O4 - HKCU\..\Run: [infosys] C:\ProgramData\infosys\gzmhghgd.exe
O4 - HKCU\..\Run: [EnUiProc] C:\ProgramData\EnUiProc\gfsfsrcf.exe
O4 - HKCU\..\Run: [ChkHlp] C:\ProgramData\ChkHlp\clybelup.exe
O4 - HKCU\..\Run: [WebSrv] C:\ProgramData\WebSrv\ibkdivij.exe
O4 - HKCU\..\Run: [sysmsg] C:\ProgramData\sysmsg\jwbwdqrw.exe
O4 - HKCU\..\Run: [shactmsg] C:\ProgramData\shactmsg\hqfslgvi.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKCU\..\Run: [infodbset] C:\ProgramData\infodbset\gzufknil.exe
O4 - HKCU\..\Run: [lphctmdj0ec0e] C:\Windows\system32\lphctmdj0ec0e.exe
O4 - HKUS\S-1-5-19\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\Run: [WindowsWelcomeCenter] rundll32.exe oobefldr.dll,ShowWelcomeCenter (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'NETWORK SERVICE')
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\PROGRA~1\Java\JRE16~2.0_0\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\PROGRA~1\Java\JRE16~2.0_0\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O13 - Gopher Prefix:
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O22 - SharedTaskScheduler: Windows DreamScene - {E31004D1-A431-41B8-826F-E902F9D95C81} - C:\Windows\System32\DreamScene.dll
O23 - Service: Adobe Active File Monitor V6 (AdobeActiveFileMonitor6.0) - Unknown owner - C:\Program Files\Adobe\Photoshop Elements 6.0\PhotoshopElementsFileAgent.exe
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Avast Antivirus\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Avast Antivirus\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Avast Antivirus\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Avast Antivirus\ashWebSv.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: ServiceLayer - Nokia. - C:\Program Files\PC Connectivity Solution\ServiceLayer.exe

--
End of file - 7223 bytes

-- Files created between 2008-07-11 and 2008-08-11 -----------------------------

2008-08-09 19:28:49 0 d-------- C:\Users\All Users\dbgensh
2008-08-09 19:28:47 0 d-------- C:\Users\All Users\WebCfg
2008-08-08 08:44:31 0 d-------- C:\Users\All Users\strhlpcfg
2008-08-08 08:44:29 0 d-------- C:\Users\All Users\CmdGen
2008-08-07 22:28:17 0 d-------- C:\Program Files\DesktopKeeley
2008-08-07 22:28:14 0 d-------- C:\Program Files\Common Files\Adobe AIR
2008-08-07 10:55:24 0 d-------- C:\Windows\system32\appmgmt
2008-08-07 02:01:22 0 d-------- C:\VundoFix Backups
2008-08-07 00:59:32 0 d-------- C:\Windows\Sun
2008-08-06 21:20:06 0 d-------- C:\Users\All Users\infodbset
2008-08-06 21:20:05 0 d-------- C:\Users\All Users\CmdStr
2008-08-06 20:14:43 0 d-------- C:\Users\All Users\Spybot - Search & Destroy
2008-08-06 19:51:14 0 d-------- C:\Users\All Users\shactmsg
2008-08-06 19:51:13 0 d-------- C:\Users\All Users\dscsys
2008-08-06 03:43:18 0 d-------- C:\Users\All Users\sysmsg
2008-08-06 03:43:17 0 d-------- C:\Users\All Users\WebHlp
2008-08-05 18:28:43 0 d-------- C:\Users\All Users\WebSrv
2008-08-05 18:28:41 0 d-------- C:\Users\All Users\cfgcmdwin
2008-08-05 08:53:14 0 d-------- C:\Users\All Users\ChkHlp
2008-08-05 08:53:14 0 d-------- C:\Users\All Users\cfgwinsrv
2008-08-05 00:36:46 0 d-------- C:\Users\Administrator\Virus removal
2008-08-04 23:39:24 0 d-------- C:\Users\All Users\EnUiProc
2008-08-04 23:39:23 0 d-------- C:\Users\All Users\smarthlp
2008-08-04 23:34:46 0 d-------- C:\Users\All Users\infosys
2008-08-04 23:34:43 0 d-------- C:\Users\All Users\cfgdscsys
2008-08-04 23:10:17 0 d-------- C:\Windows\pss
2008-08-04 22:57:56 0 d-------- C:\Users\All Users\enstrapp
2008-08-04 22:57:55 0 d-------- C:\Users\All Users\SetEn
2008-08-04 22:48:51 0 d-------- C:\Users\All Users\proccfg
2008-08-04 22:48:51 0 d-------- C:\Users\All Users\DbSys
2008-08-04 22:43:38 0 d-------- C:\Users\All Users\monwin
2008-08-04 22:43:37 0 d-------- C:\Users\All Users\mntsh
2008-08-04 21:52:06 0 d-------- C:\Users\All Users\SUPERAntiSpyware.com
2008-08-04 21:51:44 0 d-------- C:\Program Files\SUPERAntiSpyware
2008-08-04 08:51:06 0 d-------- C:\Program Files\CCleaner
2008-08-04 01:38:22 0 d-------- C:\Users\All Users\Lavasoft
2008-08-04 01:37:16 0 d-------- C:\Program Files\Common Files\Wise Installation Wizard
2008-08-04 01:31:10 0 d-------- C:\Users\All Users\ProcDsc
2008-08-04 01:31:09 0 d-------- C:\Users\All Users\DscHlpCom
2008-08-04 01:13:20 0 d-------- C:\Users\All Users\Malwarebytes
2008-08-04 01:12:38 0 d-------- C:\Program Files\Virus removal
2008-08-04 00:56:47 0 d-------- C:\Program Files\Panda Security
2008-08-04 00:35:30 0 d-------- C:\Users\Guy\Virus removal
2008-08-04 00:03:44 0 d-------- C:\Users\All Users\rcvsxmzo
2008-08-04 00:03:37 0 d-------- C:\Users\All Users\SmartShCom
2008-08-04 00:03:36 0 d-------- C:\Users\All Users\infomntgen
2008-07-17 19:40:47 0 d-------- C:\Users\All Users\hpdj1280


-- Find3M Report ---------------------------------------------------------------

2008-08-07 22:28:31 0 d-------- C:\Users\Guy\AppData\Roaming\DesktopKeeley.67EC435B62486C772528D0A6C46FFC4DE1624B6B.1
2008-08-07 22:28:14 0 d-------- C:\Program Files\Common Files
2008-08-07 22:26:18 0 d-------- C:\Users\Guy\AppData\Roaming\Adobe
2008-08-07 10:55:21 0 d-------- C:\Program Files\Java
2008-08-04 21:51:44 0 d-------- C:\Users\Guy\AppData\Roaming\SUPERAntiSpyware.com
2008-08-04 01:13:24 0 d-------- C:\Users\Guy\AppData\Roaming\Malwarebytes
2008-07-30 23:59:07 0 d-------- C:\Program Files\Avast Antivirus
2008-07-09 08:58:37 0 d-------- C:\Program Files\Windows Mail
2008-06-30 01:00:14 0 d-------- C:\Users\Guy\AppData\Roaming\Mozilla
2008-06-26 20:25:30 0 d-------- C:\Users\Guy\AppData\Roaming\LimeWire
2008-06-26 19:26:21 0 d-------- C:\Users\Guy\AppData\Roaming\Nokia Multimedia Player
2008-06-18 17:45:56 0 d-------- C:\Users\Guy\AppData\Roaming\Nokia
2008-06-18 17:44:14 0 d-------- C:\Users\Guy\AppData\Roaming\PC Suite
2008-06-18 17:41:50 0 d-------- C:\Program Files\Common Files\Nokia
2008-06-18 17:41:49 0 d-------- C:\Program Files\Common Files\PCSuite
2008-06-18 17:41:44 0 d-------- C:\Program Files\Nokia
2008-06-18 17:41:35 0 d-------- C:\Program Files\DIFX
2008-06-18 17:40:32 0 d-------- C:\Program Files\PC Connectivity Solution
2008-06-18 00:29:15 0 d-------- C:\Program Files\Windows Live
2008-06-17 22:07:30 0 d-------- C:\Program Files\Common Files\Java
2008-06-17 21:22:53 0 d-------- C:\Program Files\BitLocker
2008-06-17 21:19:25 0 d-------- C:\Program Files\Microsoft Games
2008-06-17 19:58:20 0 d-------- C:\Program Files\Microsoft SQL Server Compact Edition
2008-06-17 19:58:15 0 d--hs--c- C:\Program Files\Common Files\WindowsLiveInstaller
2008-06-17 19:55:06 0 d-------- C:\Program Files\Msn Messenger
2008-06-17 19:16:28 174 --ahs---- C:\Program Files\desktop.ini
2008-06-17 19:02:08 0 d-------- C:\Program Files\Windows Sidebar
2008-06-17 19:02:08 0 d-------- C:\Program Files\Windows Photo Gallery
2008-06-17 19:02:08 0 d-------- C:\Program Files\Windows Journal
2008-06-17 19:02:08 0 d-------- C:\Program Files\Windows Collaboration
2008-06-17 19:02:08 0 d-------- C:\Program Files\Windows Calendar
2008-06-17 19:02:08 0 d-------- C:\Program Files\Movie Maker
2008-06-17 19:02:07 0 d-------- C:\Program Files\Windows Defender
2008-06-07 00:58:21 0 --a------ C:\Windows\nsreg.dat
2008-06-05 13:38:39 315392 --a------ C:\Windows\HideWin.exe <Not Verified; Realtek Semiconductor Corp.; HD Audio Hide windows program>


-- Registry Dump ---------------------------------------------------------------

*Note* empty entries & legit default entries are not shown


[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Windows Defender"="C:\Program Files\Windows Defender\MSASCui.exe" [01/19/2008 08:38 AM]
"RtHDVCpl"="RtHDVCpl.exe" [10/01/2007 04:53 AM C:\Windows\RtHDVCpl.exe]
"Adobe Photo Downloader"="C:\Program Files\Adobe\Photoshop Elements 6.0\apdproxy.exe" [09/11/2007 12:43 AM]
"Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [01/11/2008 10:16 PM]
"avast!"="C:\PROGRA~1\AVASTA~1\ashDisp.exe" [07/19/2008 03:38 PM]
"NvSvc"="C:\Windows\system32\nvsvc.dll" [09/12/2007 05:28 AM]
"NvCplDaemon"="C:\Windows\system32\NvCpl.dll" [09/12/2007 05:28 AM]
"NvMediaCenter"="C:\Windows\system32\NvMcTray.dll" [09/12/2007 05:28 AM]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe" [06/10/2008 04:27 AM]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Sidebar"="C:\Program Files\Windows Sidebar\sidebar.exe" [01/19/2008 08:33 AM]
"Nokia.PCSync"="C:\Program Files\Nokia\Nokia PC Suite 6\PCSync2.exe" [03/26/2008 06:41 PM]
"PC Suite Tray"="C:\Program Files\Nokia\Nokia PC Suite 6\PCSuite.exe" [04/16/2008 12:53 PM]
"WMPNSCFG"="C:\Program Files\Windows Media Player\WMPNSCFG.exe" [01/19/2008 08:33 AM]
"SmartShCom"="C:\ProgramData\SmartShCom\hcfgfytg.exe" []
"WvSbO1Kv04"="C:\ProgramData\rcvsxmzo\nqlszova.exe" [08/04/2008 12:03 AM]
"ProcDsc"="C:\ProgramData\ProcDsc\zcvgzsly.exe" []
"monwin"="C:\ProgramData\monwin\verohots.exe" [08/04/2008 10:43 PM]
"proccfg"="C:\ProgramData\proccfg\zmtqrwdk.exe" [08/04/2008 10:48 PM]
"enstrapp"="C:\ProgramData\enstrapp\lifonape.exe" [08/04/2008 10:57 PM]
"infosys"="C:\ProgramData\infosys\gzmhghgd.exe" [08/04/2008 11:34 PM]
"EnUiProc"="C:\ProgramData\EnUiProc\gfsfsrcf.exe" [08/04/2008 11:39 PM]
"ChkHlp"="C:\ProgramData\ChkHlp\clybelup.exe" [08/05/2008 08:53 AM]
"WebSrv"="C:\ProgramData\WebSrv\ibkdivij.exe" [08/05/2008 06:28 PM]
"sysmsg"="C:\ProgramData\sysmsg\jwbwdqrw.exe" [08/06/2008 03:43 AM]
"shactmsg"="C:\ProgramData\shactmsg\hqfslgvi.exe" [08/06/2008 07:51 PM]
"SpybotSD TeaTimer"="C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe" [07/07/2008 09:42 AM]
"infodbset"="C:\ProgramData\infodbset\gzufknil.exe" [08/06/2008 09:20 PM]
"lphctmdj0ec0e"="C:\Windows\system32\lphctmdj0ec0e.exe" []

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"ConsentPromptBehaviorAdmin"=2 (0x2)
"EnableUIADesktopToggle"=0 (0x0)

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= C:\Program Files\SUPERAntiSpyware\SASSEH.DLL [05/13/2008 10:13 AM 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
C:\Program Files\SUPERAntiSpyware\SASWINLO.dll 04/19/2007 01:41 PM 294912 C:\Program Files\SUPERAntiSpyware\SASWINLO.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\AppInfo]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\KeyIso]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\NTDS]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\ProfSvc]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\sacsvr]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\SWPRV]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\TabletInputService]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\TBS]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\TrustedInstaller]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\VDS]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\volmgr.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\volmgrx.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{533C5B84-EC70-11D2-9505-00C04F79DEAF}]
@="Volume shadow copy"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{6BDD1FC1-810F-11D0-BEC7-08002BE2092F}]
@="IEEE 1394 Bus host controllers"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{D48179BE-EC20-11D1-B6B8-00C04FA372A7}]
@="SBP2 IEEE 1394 Devices"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{D94EE5D8-D189-4994-83D2-F68D7D41B0E6}]
@="SecurityDevices"

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
LocalService nsi lltdsvc SSDPSRV upnphost SCardSvr w32time EventSystem RemoteRegistry WinHttpAutoProxySvc lanmanworkstation TBS SLUINotify THREADORDER fdrespub netprofm fdphost wcncsvc QWAVE Mcx2Svc WebClient SstpSvc


[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\F]
AutoRun\command- F:\LaunchU3.exe -a

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{0c116be0-33d0-11dd-aa29-001fc60705ae}]
AutoRun\command- G:\setupSNK.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{0c116be3-33d0-11dd-aa29-001fc60705ae}]
AutoRun\command- F:\LaunchU3.exe -a

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{64b80e04-3376-11dd-ab9b-806e6f6e6963}]
AutoRun\command- D:\autorun.exe


[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\>{22d6f312-b0f6-11d0-94ab-0080c74c7e95}]
C:\Windows\system32\unregmp2.exe /ShowWMP

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{6BF52A52-394A-11d3-B153-00C04F79FAA6}]
%SystemRoot%\system32\unregmp2.exe /FirstLogon /Shortcuts /RegBrowsers /ResetMUI

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{7070D8E0-650A-46b3-B03C-9497582E6A74}]
%SystemRoot%\system32\soundschemes.exe /AddRegistration



-- End of Deckard's System Scanner: finished at 2008-08-11 19:44:13 ------------
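
The registry dump above, together with the HijackThis O4 lines posted earlier in the thread, contains the security-relevant pattern of this infection: a string of Run values, all in the per-user HKCU hive, each launching an eight-letter executable from its own folder directly under C:\ProgramData, plus one digit-salted name in system32 and a DSS entry whose target file is already missing (shown as `[]`). The script below is an added example, not part of the thread and not code from HijackThis or Deckard's System Scanner. It parses both line formats, flags entries on those signals, and also reports the cached mountpoints2 AutoRun commands for review. The sample log lines are constructed, modelled on the entries posted in this thread, and the flagging heuristics (ProgramData location, twelve-plus-character names containing digits, missing file, unnamed value) are assumptions of this example rather than rules of either tool.

```python
"""Triage autorun entries from HijackThis (O4) and DSS Registry Dump lines.

Added example for this thread; not from HijackThis or DSS. The heuristics
below are assumptions chosen to match the entries posted in the thread.
"""
import re
from dataclasses import dataclass, field

# 'O4 - HKCU\..\Run: [name] C:\path\file.exe args'  (the [name] part is optional)
O4_RE = re.compile(r'^O4 - (?P<hive>HKLM|HKCU|HKUS\\[^\\]+)\\\.\.\\Run: (?:\[(?P<name>[^\]]*)\] )?(?P<cmd>.+)$')
# DSS Registry Dump key header, e.g. [HKEY_CURRENT_USER\SOFTWARE\...\Run]
DSS_KEY_RE = re.compile(r'^\[(?P<hive>HKEY_LOCAL_MACHINE|HKEY_CURRENT_USER)\\(?P<rest>.*)\]$', re.I)
# DSS Run value: "name"="C:\path\file.exe" [timestamp]   -- '[]' means the file was not found
DSS_VAL_RE = re.compile(r'^"(?P<name>[^"]*)"="(?P<cmd>[^"]*)" \[(?P<stamp>[^\]]*)\]$')
MOUNT_RE = re.compile(r'^AutoRun\\command- (?P<cmd>.+)$')
EXE_RE = re.compile(r'^"?(?P<p>[^"]*?\.exe)\b', re.I)
SALTED_NAME = re.compile(r'^(?=.*\d)[a-z0-9]{12,}\.exe$')   # assumption: e.g. lphctmdj0ec0e.exe
DATA_ROOTS = ('c:\\programdata\\', 'c:\\users\\all users\\')  # assumption: legit autoruns rarely live here

# Constructed sample, modelled on the lines posted in this thread.
SAMPLE = r"""
O4 - HKLM\..\Run: [Windows Defender] %ProgramFiles%\Windows Defender\MSASCui.exe -hide
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\AVASTA~1\ashDisp.exe
O4 - HKCU\..\Run: [Nokia.PCSync] "C:\Program Files\Nokia\Nokia PC Suite 6\PCSync2.exe" /NoDialog
O4 - HKCU\..\Run: [WvSbO1Kv04] C:\ProgramData\rcvsxmzo\nqlszova.exe
O4 - HKCU\..\Run: C:\ProgramData\infosys\gzmhghgd.exe
O4 - HKCU\..\Run: [lphctmdj0ec0e] C:\Windows\system32\lphctmdj0ec0e.exe
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Sidebar"="C:\Program Files\Windows Sidebar\sidebar.exe" [01/19/2008 08:33 AM]
"SmartShCom"="C:\ProgramData\SmartShCom\hcfgfytg.exe" []
"monwin"="C:\ProgramData\monwin\verohots.exe" [08/04/2008 10:43 PM]
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{64b80e04-3376-11dd-ab9b-806e6f6e6963}]
AutoRun\command- D:\autorun.exe
"""


@dataclass
class Finding:
    source: str            # 'HJT O4', 'DSS Run' or 'DSS mountpoints2'
    hive: str              # HKLM, HKCU or HKUS\S-...
    name: str              # Run value name ('' when the value is unnamed)
    path: str              # executable (or AutoRun command) extracted from the line
    reasons: list = field(default_factory=list)


def exe_path(cmd):
    """Return the executable path from a Run command, dropping quotes and arguments."""
    m = EXE_RE.match(cmd.strip())
    return m.group('p') if m else cmd.strip().split(' ')[0]


def assess(name, path, stamp=None):
    """Return the list of suspicion reasons for one autorun entry (empty list = no flag)."""
    reasons = []
    low = path.lower()
    base = low.rsplit('\\', 1)[-1]
    if low.startswith(DATA_ROOTS):
        reasons.append('launches from a ProgramData subfolder')
    if SALTED_NAME.match(base):
        reasons.append('digit-salted random filename')
    if stamp == '':
        reasons.append('target file missing (DSS shows [])')
    if not name:
        reasons.append('Run value has no name')
    return reasons


def triage(log_text):
    """Walk mixed HJT/DSS lines and collect flagged autoruns and cached AutoRun commands."""
    findings, hive, section = [], None, None
    for line in log_text.splitlines():
        line = line.strip()
        if m := O4_RE.match(line):
            path = exe_path(m['cmd'])
            if reasons := assess(m['name'], path):
                findings.append(Finding('HJT O4', m['hive'], m['name'] or '', path, reasons))
        elif m := DSS_KEY_RE.match(line):
            hive = 'HKLM' if m['hive'].upper() == 'HKEY_LOCAL_MACHINE' else 'HKCU'
            rest = m['rest'].lower()
            section = 'run' if rest.endswith('\\run') else 'mount' if 'mountpoints2' in rest else None
        elif section == 'run' and (m := DSS_VAL_RE.match(line)):
            path = exe_path(m['cmd'])
            if reasons := assess(m['name'], path, m['stamp']):
                findings.append(Finding('DSS Run', hive, m['name'], path, reasons))
        elif section == 'mount' and (m := MOUNT_RE.match(line)):
            findings.append(Finding('DSS mountpoints2', hive, '', m['cmd'],
                                    ['cached AutoRun command for removable/optical media; review, not necessarily malware']))
    return findings


def per_user_only(findings):
    """True when every flagged Run entry sits in a per-user hive (none in HKLM)."""
    runs = [f for f in findings if f.source != 'DSS mountpoints2']
    return bool(runs) and all(f.hive != 'HKLM' for f in runs)


if __name__ == '__main__':
    found = triage(SAMPLE)
    for f in found:
        print(f'{f.source:16} {f.hive:5} {f.name or "(no name)":14} {f.path}  <- {"; ".join(f.reasons)}')
    print('all flagged autoruns are per-user:', per_user_only(found))
```

When every flagged entry comes back HKCU and nothing is flagged under HKLM, the result matches the symptom reported at the top of the thread: the warnings appear only for the one account whose Run key carries the entries, and other accounts and Safe Mode look clean. The mountpoints2 lines are listed for review only; a U3 launcher or a CD's autorun.exe is expected there, so they are not counted as per-user autoruns.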

Shaba
2008-08-11, 21:12
Then you didn't follow my instructions.

Please follow the DSS instructions exactly and you will also get extra.txt :)

Garfie
2008-08-11, 23:40
Sorry about that, my mistake. I'm still trying to get used to Vista after upgrading from Windows 2000 :red:

Deckard's System Scanner v20071014.68
Run by Guy on 2008-08-11 22:34:09
Computer is in Normal Mode.
--------------------------------------------------------------------------------

-- Last 5 Restore Point(s) --
28: 2008-08-11 20:14:01 UTC - RP81 - Scheduled Checkpoint
27: 2008-08-09 10:12:23 UTC - RP80 - Windows Update
26: 2008-08-07 09:56:07 UTC - RP79 - Removed Ad-Aware
25: 2008-08-07 09:54:24 UTC - RP78 - Removed Java(TM) 6 Update 6
24: 2008-08-07 00:45:36 UTC - RP77 - Windows Update


-- First Restore Point --
1: 2008-07-07 09:52:33 UTC - RP54 - Windows Update


Performed disk cleanup.



-- HijackThis (run as Guy.exe) -------------------------------------------------

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 10:34:13 PM, on 8/11/2008
Platform: Windows Vista SP1 (WinNT 6.00.1905)
MSIE: Internet Explorer v7.00 (7.00.6001.18000)
Boot mode: Normal

Running processes:
C:\Windows\system32\taskeng.exe
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Program Files\Windows Defender\MSASCui.exe
C:\Windows\RtHDVCpl.exe
C:\Program Files\Adobe\Photoshop Elements 6.0\apdproxy.exe
C:\Program Files\Avast Antivirus\ashDisp.exe
C:\Windows\System32\rundll32.exe
C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe
C:\Program Files\Windows Sidebar\sidebar.exe
C:\Program Files\Nokia\Nokia PC Suite 6\PcSync2.exe
C:\Program Files\Nokia\Nokia PC Suite 6\PCSuite.exe
C:\Program Files\Windows Media Player\wmpnscfg.exe
C:\Windows\System32\rundll32.exe
C:\ProgramData\rcvsxmzo\nqlszova.exe
C:\ProgramData\shactmsg\hqfslgvi.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Windows\system32\wbem\unsecapp.exe
C:\Program Files\Windows Sidebar\sidebar.exe
C:\Program Files\Common Files\Nokia\MPAPI\MPAPI3s.exe
C:\Program Files\Microsoft Office\OFFICE11\OUTLOOK.EXE
C:\Windows\system32\wuauclt.exe
C:\Windows\system32\conime.exe
C:\Windows\system32\SearchFilterHost.exe
C:\Users\Guy\Desktop\dss.exe
C:\Windows\system32\DllHost.exe
C:\Users\Guy\Desktop\Guy.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O1 - Hosts: ::1 localhost
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O4 - HKLM\..\Run: [Windows Defender] %ProgramFiles%\Windows Defender\MSASCui.exe -hide
O4 - HKLM\..\Run: [RtHDVCpl] RtHDVCpl.exe
O4 - HKLM\..\Run: [Adobe Photo Downloader] "C:\Program Files\Adobe\Photoshop Elements 6.0\apdproxy.exe"
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\AVASTA~1\ashDisp.exe
O4 - HKLM\..\Run: [NvSvc] RUNDLL32.EXE C:\Windows\system32\nvsvc.dll,nvsvcStart
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\Windows\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\Windows\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe"
O4 - HKCU\..\Run: [Sidebar] C:\Program Files\Windows Sidebar\sidebar.exe /autoRun
O4 - HKCU\..\Run: [Nokia.PCSync] "C:\Program Files\Nokia\Nokia PC Suite 6\PCSync2.exe" /NoDialog
O4 - HKCU\..\Run: [PC Suite Tray] "C:\Program Files\Nokia\Nokia PC Suite 6\PCSuite.exe" -onlytray
O4 - HKCU\..\Run: [WMPNSCFG] C:\Program Files\Windows Media Player\WMPNSCFG.exe
O4 - HKCU\..\Run: [SmartShCom] C:\ProgramData\SmartShCom\hcfgfytg.exe
O4 - HKCU\..\Run: [WvSbO1Kv04] C:\ProgramData\rcvsxmzo\nqlszova.exe
O4 - HKCU\..\Run: [ProcDsc] C:\ProgramData\ProcDsc\zcvgzsly.exe
O4 - HKCU\..\Run: [monwin] C:\ProgramData\monwin\verohots.exe
O4 - HKCU\..\Run: [proccfg] C:\ProgramData\proccfg\zmtqrwdk.exe
O4 - HKCU\..\Run: [enstrapp] C:\ProgramData\enstrapp\lifonape.exe
O4 - HKCU\..\Run: C:\ProgramData\infosys\gzmhghgd.exe
O4 - HKCU\..\Run: [EnUiProc] C:\ProgramData\EnUiProc\gfsfsrcf.exe
O4 - HKCU\..\Run: [ChkHlp] C:\ProgramData\ChkHlp\clybelup.exe
O4 - HKCU\..\Run: [WebSrv] C:\ProgramData\WebSrv\ibkdivij.exe
O4 - HKCU\..\Run: [sysmsg] C:\ProgramData\sysmsg\jwbwdqrw.exe
O4 - HKCU\..\Run: [shactmsg] C:\ProgramData\shactmsg\hqfslgvi.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKCU\..\Run: [infodbset] C:\ProgramData\infodbset\gzufknil.exe
O4 - HKCU\..\Run: [lphctmdj0ec0e] C:\Windows\system32\lphctmdj0ec0e.exe
O4 - HKUS\S-1-5-19\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\Run: [WindowsWelcomeCenter] rundll32.exe oobefldr.dll,ShowWelcomeCenter (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'NETWORK SERVICE')
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\PROGRA~1\Java\JRE16~2.0_0\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\PROGRA~1\Java\JRE16~2.0_0\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O13 - Gopher Prefix:
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O22 - SharedTaskScheduler: Windows DreamScene - {E31004D1-A431-41B8-826F-E902F9D95C81} - C:\Windows\System32\DreamScene.dll
O23 - Service: Adobe Active File Monitor V6 (AdobeActiveFileMonitor6.0) - Unknown owner - C:\Program Files\Adobe\Photoshop Elements 6.0\PhotoshopElementsFileAgent.exe
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Avast Antivirus\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Avast Antivirus\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Avast Antivirus\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Avast Antivirus\ashWebSv.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: ServiceLayer - Nokia. - C:\Program Files\PC Connectivity Solution\ServiceLayer.exe

--
End of file - 7257 bytes

-- File Associations -----------------------------------------------------------

.reg - regfile - shell\open\command - regedit.exe "%1" %*
.scr - scrfile - shell\open\command - "%1" %*


-- Drivers: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled ---------------------

All drivers whitelisted.


-- Services: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled --------------------

R3 ServiceLayer - "c:\program files\pc connectivity solution\servicelayer.exe" <Not Verified; Nokia.; PC Connectivity Solution>

S3 FLEXnet Licensing Service - "c:\program files\common files\macrovision shared\flexnet publisher\fnplicensingservice.exe" <Not Verified; Macrovision Europe Ltd.; FLEXnet Publisher (32 bit)>


-- Device Manager: Disabled ----------------------------------------------------

No disabled devices found.


-- Process Modules -------------------------------------------------------------

C:\Windows\explorer.exe (pid 3032)
2008-03-31 09:58:18 617472 --a------ C:\Program Files\Nokia\Nokia PC Suite 6\PhoneBrowser.dll <Not Verified; Nokia; Phone Browser>
2008-03-27 15:22:04 815104 --a------ C:\Program Files\Nokia\Nokia PC Suite 6\NGSCM.dll <Not Verified; Nokia; Next Gen Suite Common Modules>
2008-03-11 13:55:06 26624 --a------ C:\Program Files\Nokia\Nokia PC Suite 6\Lang\PhoneBrowser_eng.NLR <Not Verified; Nokia; Nokia Phone Browser>
2008-03-08 12:52:22 573440 --a------ C:\Program Files\Nokia\Nokia PC Suite 6\Resource\PhoneBrowser_Nokia.NGR <Not Verified; Nokia; Nokia Phone Browser>
2007-02-27 12:39:26 61440 --a------ C:\Program Files\SUPERAntiSpyware\SASCTXMN.DLL <Not Verified; SUPERAntiSpyware.com; SUPERAntiSpyware Context Menu Extension>


-- Scheduled Tasks -------------------------------------------------------------

2008-08-11 22:30:00 418 --ah----- C:\Windows\Tasks\User_Feed_Synchronization-{4C2CA7F6-4C9C-40B8-B648-AEAB11146C92}.job
2008-08-11 18:38:32 414 --ah----- C:\Windows\Tasks\User_Feed_Synchronization-{DC8E5C6E-A31E-4F8A-8F15-600FF31E8820}.job


-- Files created between 2008-07-11 and 2008-08-11 -----------------------------

2008-08-09 19:28:49 0 d-------- C:\Users\All Users\dbgensh
2008-08-09 19:28:47 0 d-------- C:\Users\All Users\WebCfg
2008-08-08 08:44:31 0 d-------- C:\Users\All Users\strhlpcfg
2008-08-08 08:44:29 0 d-------- C:\Users\All Users\CmdGen
2008-08-07 22:28:17 0 d-------- C:\Program Files\DesktopKeeley
2008-08-07 22:28:14 0 d-------- C:\Program Files\Common Files\Adobe AIR
2008-08-07 10:55:24 0 d-------- C:\Windows\system32\appmgmt
2008-08-07 02:01:22 0 d-------- C:\VundoFix Backups
2008-08-07 00:59:32 0 d-------- C:\Windows\Sun
2008-08-06 21:20:06 0 d-------- C:\Users\All Users\infodbset
2008-08-06 21:20:05 0 d-------- C:\Users\All Users\CmdStr
2008-08-06 20:14:43 0 d-------- C:\Users\All Users\Spybot - Search & Destroy
2008-08-06 19:51:14 0 d-------- C:\Users\All Users\shactmsg
2008-08-06 19:51:13 0 d-------- C:\Users\All Users\dscsys
2008-08-06 03:43:18 0 d-------- C:\Users\All Users\sysmsg
2008-08-06 03:43:17 0 d-------- C:\Users\All Users\WebHlp
2008-08-05 18:28:43 0 d-------- C:\Users\All Users\WebSrv
2008-08-05 18:28:41 0 d-------- C:\Users\All Users\cfgcmdwin
2008-08-05 08:53:14 0 d-------- C:\Users\All Users\ChkHlp
2008-08-05 08:53:14 0 d-------- C:\Users\All Users\cfgwinsrv
2008-08-05 00:36:46 0 d-------- C:\Users\Administrator\Virus removal
2008-08-04 23:39:24 0 d-------- C:\Users\All Users\EnUiProc
2008-08-04 23:39:23 0 d-------- C:\Users\All Users\smarthlp
2008-08-04 23:34:46 0 d-------- C:\Users\All Users\infosys
2008-08-04 23:34:43 0 d-------- C:\Users\All Users\cfgdscsys
2008-08-04 23:10:17 0 d-------- C:\Windows\pss
2008-08-04 22:57:56 0 d-------- C:\Users\All Users\enstrapp
2008-08-04 22:57:55 0 d-------- C:\Users\All Users\SetEn
2008-08-04 22:48:51 0 d-------- C:\Users\All Users\proccfg
2008-08-04 22:48:51 0 d-------- C:\Users\All Users\DbSys
2008-08-04 22:43:38 0 d-------- C:\Users\All Users\monwin
2008-08-04 22:43:37 0 d-------- C:\Users\All Users\mntsh
2008-08-04 21:52:06 0 d-------- C:\Users\All Users\SUPERAntiSpyware.com
2008-08-04 21:51:44 0 d-------- C:\Program Files\SUPERAntiSpyware
2008-08-04 08:51:06 0 d-------- C:\Program Files\CCleaner
2008-08-04 01:38:22 0 d-------- C:\Users\All Users\Lavasoft
2008-08-04 01:37:16 0 d-------- C:\Program Files\Common Files\Wise Installation Wizard
2008-08-04 01:31:10 0 d-------- C:\Users\All Users\ProcDsc
2008-08-04 01:31:09 0 d-------- C:\Users\All Users\DscHlpCom
2008-08-04 01:13:20 0 d-------- C:\Users\All Users\Malwarebytes
2008-08-04 01:12:38 0 d-------- C:\Program Files\Virus removal
2008-08-04 00:56:47 0 d-------- C:\Program Files\Panda Security
2008-08-04 00:35:30 0 d-------- C:\Users\Guy\Virus removal
2008-08-04 00:03:44 0 d-------- C:\Users\All Users\rcvsxmzo
2008-08-04 00:03:37 0 d-------- C:\Users\All Users\SmartShCom
2008-08-04 00:03:36 0 d-------- C:\Users\All Users\infomntgen
2008-07-17 19:40:47 0 d-------- C:\Users\All Users\hpdj1280


-- Find3M Report ---------------------------------------------------------------

2008-08-07 22:28:31 0 d-------- C:\Users\Guy\AppData\Roaming\DesktopKeeley.67EC435B62486C772528D0A6C46FFC4DE1624B6B.1
2008-08-07 22:28:14 0 d-------- C:\Program Files\Common Files
2008-08-07 22:26:18 0 d-------- C:\Users\Guy\AppData\Roaming\Adobe
2008-08-07 10:55:21 0 d-------- C:\Program Files\Java
2008-08-04 21:51:44 0 d-------- C:\Users\Guy\AppData\Roaming\SUPERAntiSpyware.com
2008-08-04 01:13:24 0 d-------- C:\Users\Guy\AppData\Roaming\Malwarebytes
2008-07-30 23:59:07 0 d-------- C:\Program Files\Avast Antivirus
2008-07-09 08:58:37 0 d-------- C:\Program Files\Windows Mail
2008-06-30 01:00:14 0 d-------- C:\Users\Guy\AppData\Roaming\Mozilla
2008-06-26 20:25:30 0 d-------- C:\Users\Guy\AppData\Roaming\LimeWire
2008-06-26 19:26:21 0 d-------- C:\Users\Guy\AppData\Roaming\Nokia Multimedia Player
2008-06-18 17:45:56 0 d-------- C:\Users\Guy\AppData\Roaming\Nokia
2008-06-18 17:44:14 0 d-------- C:\Users\Guy\AppData\Roaming\PC Suite
2008-06-18 17:41:50 0 d-------- C:\Program Files\Common Files\Nokia
2008-06-18 17:41:49 0 d-------- C:\Program Files\Common Files\PCSuite
2008-06-18 17:41:44 0 d-------- C:\Program Files\Nokia
2008-06-18 17:41:35 0 d-------- C:\Program Files\DIFX
2008-06-18 17:40:32 0 d-------- C:\Program Files\PC Connectivity Solution
2008-06-18 00:29:15 0 d-------- C:\Program Files\Windows Live
2008-06-17 22:07:30 0 d-------- C:\Program Files\Common Files\Java
2008-06-17 21:22:53 0 d-------- C:\Program Files\BitLocker
2008-06-17 21:19:25 0 d-------- C:\Program Files\Microsoft Games
2008-06-17 19:58:20 0 d-------- C:\Program Files\Microsoft SQL Server Compact Edition
2008-06-17 19:58:15 0 d--hs--c- C:\Program Files\Common Files\WindowsLiveInstaller
2008-06-17 19:55:06 0 d-------- C:\Program Files\Msn Messenger
2008-06-17 19:16:28 174 --ahs---- C:\Program Files\desktop.ini
2008-06-17 19:02:08 0 d-------- C:\Program Files\Windows Sidebar
2008-06-17 19:02:08 0 d-------- C:\Program Files\Windows Photo Gallery
2008-06-17 19:02:08 0 d-------- C:\Program Files\Windows Journal
2008-06-17 19:02:08 0 d-------- C:\Program Files\Windows Collaboration
2008-06-17 19:02:08 0 d-------- C:\Program Files\Windows Calendar
2008-06-17 19:02:08 0 d-------- C:\Program Files\Movie Maker
2008-06-17 19:02:07 0 d-------- C:\Program Files\Windows Defender
2008-06-07 00:58:21 0 --a------ C:\Windows\nsreg.dat
2008-06-05 13:38:39 315392 --a------ C:\Windows\HideWin.exe <Not Verified; Realtek Semiconductor Corp.; HD Audio Hide windows program>


-- Registry Dump ---------------------------------------------------------------

*Note* empty entries & legit default entries are not shown


[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Windows Defender"="C:\Program Files\Windows Defender\MSASCui.exe" [01/19/2008 08:38 AM]
"RtHDVCpl"="RtHDVCpl.exe" [10/01/2007 04:53 AM C:\Windows\RtHDVCpl.exe]
"Adobe Photo Downloader"="C:\Program Files\Adobe\Photoshop Elements 6.0\apdproxy.exe" [09/11/2007 12:43 AM]
"Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [01/11/2008 10:16 PM]
"avast!"="C:\PROGRA~1\AVASTA~1\ashDisp.exe" [07/19/2008 03:38 PM]
"NvSvc"="C:\Windows\system32\nvsvc.dll" [09/12/2007 05:28 AM]
"NvCplDaemon"="C:\Windows\system32\NvCpl.dll" [09/12/2007 05:28 AM]
"NvMediaCenter"="C:\Windows\system32\NvMcTray.dll" [09/12/2007 05:28 AM]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe" [06/10/2008 04:27 AM]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Sidebar"="C:\Program Files\Windows Sidebar\sidebar.exe" [01/19/2008 08:33 AM]
"Nokia.PCSync"="C:\Program Files\Nokia\Nokia PC Suite 6\PCSync2.exe" [03/26/2008 06:41 PM]
"PC Suite Tray"="C:\Program Files\Nokia\Nokia PC Suite 6\PCSuite.exe" [04/16/2008 12:53 PM]
"WMPNSCFG"="C:\Program Files\Windows Media Player\WMPNSCFG.exe" [01/19/2008 08:33 AM]
"SmartShCom"="C:\ProgramData\SmartShCom\hcfgfytg.exe" []
"WvSbO1Kv04"="C:\ProgramData\rcvsxmzo\nqlszova.exe" [08/04/2008 12:03 AM]
"ProcDsc"="C:\ProgramData\ProcDsc\zcvgzsly.exe" []
"monwin"="C:\ProgramData\monwin\verohots.exe" [08/04/2008 10:43 PM]
"proccfg"="C:\ProgramData\proccfg\zmtqrwdk.exe" [08/04/2008 10:48 PM]
"enstrapp"="C:\ProgramData\enstrapp\lifonape.exe" [08/04/2008 10:57 PM]
"infosys"="C:\ProgramData\infosys\gzmhghgd.exe" [08/04/2008 11:34 PM]
"EnUiProc"="C:\ProgramData\EnUiProc\gfsfsrcf.exe" [08/04/2008 11:39 PM]
"ChkHlp"="C:\ProgramData\ChkHlp\clybelup.exe" [08/05/2008 08:53 AM]
"WebSrv"="C:\ProgramData\WebSrv\ibkdivij.exe" [08/05/2008 06:28 PM]
"sysmsg"="C:\ProgramData\sysmsg\jwbwdqrw.exe" [08/06/2008 03:43 AM]
"shactmsg"="C:\ProgramData\shactmsg\hqfslgvi.exe" [08/06/2008 07:51 PM]
"SpybotSD TeaTimer"="C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe" [07/07/2008 09:42 AM]
"infodbset"="C:\ProgramData\infodbset\gzufknil.exe" [08/06/2008 09:20 PM]
"lphctmdj0ec0e"="C:\Windows\system32\lphctmdj0ec0e.exe" []

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"ConsentPromptBehaviorAdmin"=2 (0x2)
"EnableUIADesktopToggle"=0 (0x0)

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= C:\Program Files\SUPERAntiSpyware\SASSEH.DLL [05/13/2008 10:13 AM 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
C:\Program Files\SUPERAntiSpyware\SASWINLO.dll 04/19/2007 01:41 PM 294912 C:\Program Files\SUPERAntiSpyware\SASWINLO.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\AppInfo]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\KeyIso]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\NTDS]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\ProfSvc]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\sacsvr]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\SWPRV]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\TabletInputService]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\TBS]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\TrustedInstaller]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\VDS]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\volmgr.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\volmgrx.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{533C5B84-EC70-11D2-9505-00C04F79DEAF}]
@="Volume shadow copy"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{6BDD1FC1-810F-11D0-BEC7-08002BE2092F}]
@="IEEE 1394 Bus host controllers"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{D48179BE-EC20-11D1-B6B8-00C04FA372A7}]
@="SBP2 IEEE 1394 Devices"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{D94EE5D8-D189-4994-83D2-F68D7D41B0E6}]
@="SecurityDevices"

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
LocalService nsi lltdsvc SSDPSRV upnphost SCardSvr w32time EventSystem RemoteRegistry WinHttpAutoProxySvc lanmanworkstation TBS SLUINotify THREADORDER fdrespub netprofm fdphost wcncsvc QWAVE Mcx2Svc WebClient SstpSvc


[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\F]
AutoRun\command- F:\LaunchU3.exe -a

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{0c116be0-33d0-11dd-aa29-001fc60705ae}]
AutoRun\command- G:\setupSNK.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{0c116be3-33d0-11dd-aa29-001fc60705ae}]
AutoRun\command- F:\LaunchU3.exe -a

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{64b80e04-3376-11dd-ab9b-806e6f6e6963}]
AutoRun\command- D:\autorun.exe


[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\>{22d6f312-b0f6-11d0-94ab-0080c74c7e95}]
C:\Windows\system32\unregmp2.exe /ShowWMP

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{6BF52A52-394A-11d3-B153-00C04F79FAA6}]
%SystemRoot%\system32\unregmp2.exe /FirstLogon /Shortcuts /RegBrowsers /ResetMUI

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{7070D8E0-650A-46b3-B03C-9497582E6A74}]
%SystemRoot%\system32\soundschemes.exe /AddRegistration



-- End of Deckard's System Scanner: finished at 2008-08-11 22:35:22 ------------
Deckard's System Scanner v20071014.68
Extra logfile - please post this as an attachment with your post.
--------------------------------------------------------------------------------

-- System Information ----------------------------------------------------------

Microsoft® Windows Vista™ Ultimate (build 6001) SP 1.0
Architecture: X86; Language: English

CPU 0: AMD Athlon(tm) 64 X2 Dual Core Processor 4800+
Percentage of Memory in Use: 52%
Physical Memory (total/avail): 1918.5 MiB / 908.49 MiB
Pagefile Memory (total/avail): 4081.47 MiB / 3035.46 MiB
Virtual Memory (total/avail): 2047.88 MiB / 1905.34 MiB

C: is Fixed (NTFS) - 298.09 GiB total, 227.39 GiB free.
D: is CDROM (No Media)
E: is CDROM (No Media)

\\.\PHYSICALDRIVE0 - MAXTOR STM3320820AS ATA Device - 298.09 GiB - 1 partition
\PARTITION0 (bootable) - Installable File System - 298.09 GiB - C:



-- Security Center -------------------------------------------------------------

AUOptions is set to notify before download.
Windows Internal Firewall is enabled.

AV: avast! antivirus 4.8.1229 [VPS 080811-0] v4.8.1229 (ALWIL Software)
AS: Windows Defender v1.1.1505.0 (Microsoft Corporation)
AS: avast! antivirus 4.8.1229 [VPS 080811-0] v4.8.1229 (ALWIL Software)

[HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List]

[HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]


-- Environment Variables -------------------------------------------------------

ALLUSERSPROFILE=C:\ProgramData
APPDATA=C:\Users\Guy\AppData\Roaming
CommonProgramFiles=C:\Program Files\Common Files
COMPUTERNAME=GUY-PC
ComSpec=C:\Windows\system32\cmd.exe
FP_NO_HOST_CHECK=NO
HOMEDRIVE=C:
HOMEPATH=\Users\Guy
LOCALAPPDATA=C:\Users\Guy\AppData\Local
LOGONSERVER=\\GUY-PC
NUMBER_OF_PROCESSORS=2
OS=Windows_NT
Path=C:\Program Files\PC Connectivity Solution\;C:\Windows\system32;C:\Windows;C:\Windows\System32\Wbem
PATHEXT=.COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC
PROCESSOR_ARCHITECTURE=x86
PROCESSOR_IDENTIFIER=x86 Family 15 Model 107 Stepping 2, AuthenticAMD
PROCESSOR_LEVEL=15
PROCESSOR_REVISION=6b02
ProgramData=C:\ProgramData
ProgramFiles=C:\Program Files
PROMPT=$P$G
PUBLIC=C:\Users\Public
SystemDrive=C:
SystemRoot=C:\Windows
TEMP=C:\Users\Guy\AppData\Local\Temp
TMP=C:\Users\Guy\AppData\Local\Temp
USERDOMAIN=Guy-PC
USERNAME=Guy
USERPROFILE=C:\Users\Guy
windir=C:\Windows


-- User Profiles ---------------------------------------------------------------

Guy
Helen.Guy-PC
Administrator (admin)


-- Add/Remove Programs ---------------------------------------------------------

Adobe Acrobat and Reader 8.1.2 Security Update 1 (KB403742) --> MsiExec.exe /X{6846389C-BAC0-4374-808E-B120F86AF5D7}
Adobe AIR --> C:\Program Files\Common Files\Adobe AIR\Versions\1.0\Resources\Adobe AIR Updater.exe -arp:uninstall
Adobe AIR --> MsiExec.exe /I{197A3012-8C85-4FD3-AB66-9EC7E13DB92E}
Adobe Flash Player ActiveX --> C:\Windows\system32\Macromed\Flash\uninstall_activeX.exe
Adobe Flash Player Plugin --> C:\Windows\system32\Macromed\Flash\uninstall_plugin.exe
Adobe Photoshop Elements 6.0 --> msiexec /I {F54AC413-D2C6-4A24-B324-370C223C6250}
Adobe Reader 8.1.2 --> MsiExec.exe /I{AC76BA86-7AD7-1033-7B44-A81200000003}
Adobe Reader 8.1.2 Security Update 1 (KB403742) -->
avast! Antivirus --> C:\Program Files\Avast Antivirus\aswRunDll.exe "C:\Program Files\Avast Antivirus\Setup\setiface.dll",RunSetup
CCleaner (remove only) --> "C:\Program Files\CCleaner\uninst.exe"
Desktop Keeley --> msiexec /qb /x {0BD4335E-CF25-00F2-2AC3-086ACF60B52F}
DesktopKeeley --> MsiExec.exe /I{0BD4335E-CF25-00F2-2AC3-086ACF60B52F}
HijackThis 2.0.2 --> "C:\Users\Guy\Desktop\HijackThis.exe" /uninstall
Java(TM) 6 Update 7 --> MsiExec.exe /I{3248F0A8-6813-11D6-A77B-00B0D0160070}
Malwarebytes' Anti-Malware --> "C:\Program Files\Virus removal\Malwarebytes' Anti-Malware\unins000.exe"
Microsoft Office Professional Edition 2003 --> MsiExec.exe /I{90110409-6000-11D3-8CFE-0150048383C9}
Microsoft Office Sounds --> MsiExec.exe /I{10CE1EA2-12E9-11D3-825E-00C04F6843FE}
Microsoft SQL Server 2005 Compact Edition [ENU] --> MsiExec.exe /I{F0B430D1-B6AA-473D-9B06-AA3DD01FD0B8}
Mozilla Firefox (3.0.1) --> C:\Program Files\Mozilla Firefox\uninstall\helper.exe
MSVC80_x86 --> MsiExec.exe /I{212748BB-0DA5-46DE-82A1-403736DC9F27}
Nokia Connectivity Cable Driver --> MsiExec.exe /X{4F1DCA42-2030-437C-A94E-736692A499C1}
Nokia PC Suite --> C:\ProgramData\Installations\{9C05FA75-0337-4523-AA57-9D3511018887}\Nokia_PC_Suite_rel_6_86_9_3_eng_web.exe
Nokia PC Suite --> MsiExec.exe /I{9C05FA75-0337-4523-AA57-9D3511018887}
NVIDIA Drivers --> C:\Windows\system32\NVUNINST.EXE UninstallGUI
Panda ActiveScan 2.0 --> C:\Program Files\Panda Security\ActiveScan 2.0\as2uninst.exe
PC Connectivity Solution --> MsiExec.exe /I{AC599724-5755-48C1-ABE7-ABB857652930}
Realtek High Definition Audio Driver --> RtlUpd.exe -r -m
Spelling Dictionaries Support For Adobe Reader 8 --> MsiExec.exe /I{AC76BA86-7AD7-5464-3428-800000000003}
Spybot - Search & Destroy --> "C:\Program Files\Spybot - Search & Destroy\unins000.exe"
SUPERAntiSpyware Free Edition --> MsiExec.exe /X{CDDCBBF1-2703-46BC-938B-BCC81A1EEAAA}
Windows Driver Package - Nokia Modem (03/05/2008 3.7) --> C:\PROGRA~1\DIFX\270581355A767BF1\dpinst.exe /u C:\Windows\System32\DriverStore\FileRepository\nokia_bluetooth.inf_ce5ad925\nokia_bluetooth.inf
Windows Driver Package - Nokia Modem (03/13/2008 6.86.0.1) --> C:\PROGRA~1\DIFX\270581355A767BF1\dpinst.exe /u C:\Windows\System32\DriverStore\FileRepository\nokbtmdm.inf_674398ba\nokbtmdm.inf
Windows Live installer --> MsiExec.exe /X{A7E4ECCA-4A8E-4258-8EC8-2DCCF5B11320}
Windows Live Messenger --> MsiExec.exe /X{508CE775-4BA4-4748-82DF-FE28DA9F03B0}
Windows Live Photo Gallery --> MsiExec.exe /X{2D4F6BE3-6FEF-4FE9-9D01-1406B220D08C}
Windows Live Sign-in Assistant --> MsiExec.exe /I{AFA4E5FD-ED70-4D92-99D0-162FD56DC986}
Windows Media Player Firefox Plugin --> MsiExec.exe /I{69FDFBB6-351D-4B8C-89D8-867DC9D0A2A4}
Windows Sound Schemes --> RunDll32 advpack.dll,LaunchINFSection C:\Windows\INF\UltSound.inf,Uninstall


-- Application Event Log -------------------------------------------------------

Event Record #/Type6101 / Error
Event Submitted/Written: 08/11/2008 06:38:16 PM
Event ID/Source: 33 / SideBySide
Event Description:
Activation context generation failed for "Microsoft.VC80.MFCLOC,processorArchitecture="x86",publicKeyToken="1fc8b3b9a1e18e3b",type="win32",version="8.0.50608.0"1".
Dependent Assembly Microsoft.VC80.MFCLOC,processorArchitecture="x86",publicKeyToken="1fc8b3b9a1e18e3b",type="win32",version="8.0.50608.0" could not be found.
Please use sxstrace.exe for detailed diagnosis.

Event Record #/Type6094 / Success
Event Submitted/Written: 08/11/2008 06:37:25 PM
Event ID/Source: 5617 / WinMgmt
Event Description:


Event Record #/Type6092 / Success
Event Submitted/Written: 08/11/2008 06:37:24 PM
Event ID/Source: 5615 / WinMgmt
Event Description:


Event Record #/Type6091 / Success
Event Submitted/Written: 08/11/2008 06:37:23 PM
Event ID/Source: 2570 / Adobe Active File Monitor 6.0
Event Description:
Adobe Active File Monitor Service has Started.

Event Record #/Type6090 / Error
Event Submitted/Written: 08/11/2008 06:37:23 PM
Event ID/Source: 2720 / AdobePlatform
Event Description:
Thread 708!d! has terminated with exception: Access is denied.

For additional information on this message, please visit our support Web site
http://www.adobe.com/support/main.html



-- Security Event Log ----------------------------------------------------------

No Errors/Warnings found.


-- System Event Log ------------------------------------------------------------

Event Record #/Type38772 / Warning
Event Submitted/Written: 08/11/2008 10:34:26 PM
Event ID/Source: 3004 / WinDefend
Event Description:
%Guy-PC27 Real-Time Protection agent has detected changes. Microsoft recommends you analyze the software that made these changes for potential risks. You can use information about how these programs operate to choose whether to allow them to run or remove them from your computer. Allow changes only if you trust the program or the software publisher. %Guy-PC27 can't undo changes that you allow.

For more information please see the following:
%Guy-PC275

Scan ID: {915BBC46-B0D4-4575-A49B-754F1B6D219F}

User: Guy-PC\Guy

Name: %Guy-PC271

ID: %Guy-PC272

Severity ID: %Guy-PC273

Category ID: %Guy-PC274

Path Found: %Guy-PC276

Alert Type: %Guy-PC278

Detection Type: 1.1.1600.02

Event Record #/Type38771 / Warning
Event Submitted/Written: 08/11/2008 10:34:26 PM
Event ID/Source: 3004 / WinDefend
Event Description:
%Guy-PC27 Real-Time Protection agent has detected changes. Microsoft recommends you analyze the software that made these changes for potential risks. You can use information about how these programs operate to choose whether to allow them to run or remove them from your computer. Allow changes only if you trust the program or the software publisher. %Guy-PC27 can't undo changes that you allow.

For more information please see the following:
%Guy-PC275

Scan ID: {24F2620A-5371-4961-8B1F-DAA001A3A0EC}

User: Guy-PC\Guy

Name: %Guy-PC271

ID: %Guy-PC272

Severity ID: %Guy-PC273

Category ID: %Guy-PC274

Path Found: %Guy-PC276

Alert Type: %Guy-PC278

Detection Type: 1.1.1600.02

Event Record #/Type38770 / Warning
Event Submitted/Written: 08/11/2008 10:34:26 PM
Event ID/Source: 3004 / WinDefend
Event Description:
%Guy-PC27 Real-Time Protection agent has detected changes. Microsoft recommends you analyze the software that made these changes for potential risks. You can use information about how these programs operate to choose whether to allow them to run or remove them from your computer. Allow changes only if you trust the program or the software publisher. %Guy-PC27 can't undo changes that you allow.

For more information please see the following:
%Guy-PC275

Scan ID: {900E0F59-6AC9-4FB5-9B6F-1F67207B7E4E}

User: Guy-PC\Guy

Name: %Guy-PC271

ID: %Guy-PC272

Severity ID: %Guy-PC273

Category ID: %Guy-PC274

Path Found: %Guy-PC276

Alert Type: %Guy-PC278

Detection Type: 1.1.1600.02

Event Record #/Type38769 / Warning
Event Submitted/Written: 08/11/2008 10:34:26 PM
Event ID/Source: 3004 / WinDefend
Event Description:
%Guy-PC27 Real-Time Protection agent has detected changes. Microsoft recommends you analyze the software that made these changes for potential risks. You can use information about how these programs operate to choose whether to allow them to run or remove them from your computer. Allow changes only if you trust the program or the software publisher. %Guy-PC27 can't undo changes that you allow.

For more information please see the following:
%Guy-PC275

Scan ID: {E20161AE-5F32-4876-A4BF-89C5BDF1A2C8}

User: Guy-PC\Guy

Name: %Guy-PC271

ID: %Guy-PC272

Severity ID: %Guy-PC273

Category ID: %Guy-PC274

Path Found: %Guy-PC276

Alert Type: %Guy-PC278

Detection Type: 1.1.1600.02

Event Record #/Type38747 / Warning
Event Submitted/Written: 08/11/2008 06:49:16 PM
Event ID/Source: 3004 / WinDefend
Event Description:
%Guy-PC27 Real-Time Protection agent has detected changes. Microsoft recommends you analyze the software that made these changes for potential risks. You can use information about how these programs operate to choose whether to allow them to run or remove them from your computer. Allow changes only if you trust the program or the software publisher. %Guy-PC27 can't undo changes that you allow.

For more information please see the following:
%Guy-PC275

Scan ID: {0833A2E1-F232-436C-BCBF-7A751C0DD59A}

User: Guy-PC\Guy

Name: %Guy-PC271

ID: %Guy-PC272

Severity ID: %Guy-PC273

Category ID: %Guy-PC274

Path Found: %Guy-PC276

Alert Type: %Guy-PC278

Detection Type: 1.1.1600.02



-- End of Deckard's System Scanner: finished at 2008-08-11 22:35:22 ------------

Shaba
2008-08-12, 10:02
We first need to disable TeaTimer so that it doesn't interfere with the fixes. You can re-enable it when you're clean again:

1. Run Spybot-S&D in Advanced Mode.
2. If it is not already set to do this, go to the Mode menu and select "Advanced Mode".
3. On the left-hand side, click on Tools.
4. Then click on the Resident icon in the list.
5. Uncheck "Resident TeaTimer" and OK any prompts.
6. Restart your computer.

Open HijackThis, click "Do a system scan only" and checkmark these:

O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O4 - HKCU\..\Run: [SmartShCom] C:\ProgramData\SmartShCom\hcfgfytg.exe
O4 - HKCU\..\Run: [WvSbO1Kv04] C:\ProgramData\rcvsxmzo\nqlszova.exe
O4 - HKCU\..\Run: [ProcDsc] C:\ProgramData\ProcDsc\zcvgzsly.exe
O4 - HKCU\..\Run: [monwin] C:\ProgramData\monwin\verohots.exe
O4 - HKCU\..\Run: [proccfg] C:\ProgramData\proccfg\zmtqrwdk.exe
O4 - HKCU\..\Run: [enstrapp] C:\ProgramData\enstrapp\lifonape.exe
O4 - HKCU\..\Run: [infosys] C:\ProgramData\infosys\gzmhghgd.exe
O4 - HKCU\..\Run: [EnUiProc] C:\ProgramData\EnUiProc\gfsfsrcf.exe
O4 - HKCU\..\Run: [ChkHlp] C:\ProgramData\ChkHlp\clybelup.exe
O4 - HKCU\..\Run: [WebSrv] C:\ProgramData\WebSrv\ibkdivij.exe
O4 - HKCU\..\Run: [sysmsg] C:\ProgramData\sysmsg\jwbwdqrw.exe
O4 - HKCU\..\Run: [shactmsg] C:\ProgramData\shactmsg\hqfslgvi.exe
O4 - HKCU\..\Run: [infodbset] C:\ProgramData\infodbset\gzufknil.exe
O4 - HKCU\..\Run: [lphctmdj0ec0e] C:\Windows\system32\lphctmdj0ec0e.exe

Close all windows, including your browser, and press "Fix checked".

Reboot.

Please download OTMoveIt2 by OldTimer (http://download.bleepingcomputer.com/oldtimer/OTMoveIt2.exe).

Save it to your desktop.
Please double-click OTMoveIt2.exe to run it. (Note: If you are running on Vista, right-click on the file and choose Run As Administrator).
Copy the lines in the codebox below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose Copy):



C:\Users\All Users\dbgensh
C:\Users\All Users\WebCfg
C:\Users\All Users\strhlpcfg
C:\Users\All Users\CmdGen
C:\Users\All Users\infodbset
C:\Users\All Users\CmdStr
C:\Users\All Users\shactmsg
C:\Users\All Users\dscsys
C:\Users\All Users\sysmsg
C:\Users\All Users\WebHlp
C:\Users\All Users\WebSrv
C:\Users\All Users\cfgcmdwin
C:\Users\All Users\ChkHlp
C:\Users\All Users\cfgwinsrv
C:\Users\All Users\EnUiProc
C:\Users\All Users\smarthlp
C:\Users\All Users\infosys
C:\Users\All Users\cfgdscsys
C:\Users\All Users\enstrapp
C:\Users\All Users\SetEn
C:\Users\All Users\proccfg
C:\Users\All Users\DbSys
C:\Users\All Users\monwin
C:\Users\All Users\mntsh
C:\Users\All Users\ProcDsc
C:\Users\All Users\DscHlpCom
C:\Users\All Users\rcvsxmzo
C:\Users\All Users\SmartShCom
C:\Users\All Users\infomntgen
C:\Users\Guy\AppData\Roaming\LimeWire


Return to OTMoveIt2, right click in the "Paste List of Files/Folders to Move" window (under the yellow bar) and choose Paste.

Click the red Moveit! button.
Copy everything in the Results window (under the green bar) to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose copy), and paste it in your next reply.
Close OTMoveIt2

Note: If a file or folder cannot be moved immediately you may be asked to reboot the machine to finish the move process. If you are asked to reboot the machine choose Yes. In this case, after the reboot, open Notepad (Start->All Programs->Accessories->Notepad), click File->Open, in the File Name box enter *.log and press the Enter key, navigate to the C:\_OTMoveIt\MovedFiles folder, and open the newest .log file present, and copy/paste the contents of that document back here in your next post.

Re-run dss.

Post:

- a fresh dss log
- otmoveit2 report
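
The Run entries ticked for fixing above share a recognisable shape: each launches an eight-letter, random-looking executable from its own folder under C:\ProgramData (plus one in system32), and an orphaned BHO points at no file. The Python below is an added example, not a tool anyone in this thread used: it parses HijackThis O4/O2 lines and flags that pattern with two heuristics (executable living in a data directory; lowercase name with few vowels), unwrapping rundll32 hosts to the DLL they load. Its sample input is built from lines quoted in this thread, and the 0.25 vowel threshold is an assumption chosen to separate the dropper names here from legitimate ones such as apdproxy.exe.

```python
"""Heuristic triage of HijackThis O4 (Run key) and O2 (BHO) lines.

Added example for this thread, not a tool the helpers used; SAMPLE_LOG is
assembled from lines quoted in the thread's own HijackThis logs.
"""
import re

# O4 - <hive>\..\Run: [<value name>] <command line>
O4_RE = re.compile(r"^O4 - (?P<hive>HKLM|HKCU|HKUS\\[^\\]+)\\\.\.\\Run: \[(?P<name>[^\]]*)\] (?P<cmd>.*)$")
# O2 - BHO: <name> - {CLSID} - <dll path or "(no file)">
O2_RE = re.compile(r"^O2 - BHO: (?P<name>.*?) - (?P<clsid>\{[0-9A-Fa-f-]+\}) - (?P<path>.*)$")
# Leading executable/DLL of a command line: a quoted path, or everything up to the
# first .exe/.dll followed by whitespace, a comma or end of line.
PATH_RE = re.compile(r'^"([^"]+)"|^(\S.*?\.(?:exe|dll))(?=\s|,|$)', re.IGNORECASE)

# Vista keeps data, not programs, under these; an autostart living there is suspect.
DATA_DIRS = ("c:\\programdata\\", "c:\\users\\all users\\", "\\appdata\\")
# Assumption: an 8+ char lowercase name with fewer than this share of vowels is
# "random-looking"; 0.25 separates the dropper names in this thread from apdproxy.exe.
RANDOM_VOWEL_RATIO = 0.25


def extract_target(cmd: str) -> str:
    """Return the file a Run command really launches (the DLL when rundll32 is the host)."""
    cmd = cmd.strip()
    m = PATH_RE.match(cmd)
    if not m:
        return cmd
    target = m.group(1) or m.group(2)
    rest = cmd[m.end():].strip()
    if target.lower().rsplit("\\", 1)[-1] == "rundll32.exe" and rest:
        return extract_target(rest)  # rundll32 is only a host: inspect its DLL argument
    return target


def stem_of(path: str) -> str:
    """File name without directory and extension."""
    return path.rsplit("\\", 1)[-1].rsplit(".", 1)[0]


def looks_random(stem: str) -> bool:
    """Lowercase letters/digits only, 8+ chars, and too few vowels to read as a word."""
    if not re.fullmatch(r"[a-z0-9]{8,}", stem):
        return False
    return sum(c in "aeiou" for c in stem) / len(stem) < RANDOM_VOWEL_RATIO


def in_data_dir(path: str) -> bool:
    return any(d in path.lower() for d in DATA_DIRS)


def triage(log_lines):
    """Return (line, reasons) for every O4/O2 line that trips at least one heuristic."""
    findings = []
    for raw in log_lines:
        line = raw.strip()
        m = O4_RE.match(line)
        if m:
            target = extract_target(m.group("cmd"))
            reasons = []
            if in_data_dir(target):
                reasons.append("runs from data directory")
            if looks_random(stem_of(target)):
                reasons.append("random-looking file name")
            if reasons:
                findings.append((line, reasons))
            continue
        m = O2_RE.match(line)
        if m and m.group("path").strip().lower() == "(no file)":
            findings.append((line, ["BHO registered but file missing"]))
    return findings


# Constructed sample: the entries ticked for fixing above plus legitimate ones from the same log.
SAMPLE_LOG = [
    r"O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)",
    r"O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll",
    r"O4 - HKLM\..\Run: [Windows Defender] %ProgramFiles%\Windows Defender\MSASCui.exe -hide",
    r'O4 - HKLM\..\Run: [Adobe Photo Downloader] "C:\Program Files\Adobe\Photoshop Elements 6.0\apdproxy.exe"',
    r"O4 - HKLM\..\Run: [NvSvc] RUNDLL32.EXE C:\Windows\system32\nvsvc.dll,nvsvcStart",
    r"O4 - HKCU\..\Run: [Sidebar] C:\Program Files\Windows Sidebar\sidebar.exe /autoRun",
    r"O4 - HKUS\S-1-5-19\..\Run: [WindowsWelcomeCenter] rundll32.exe oobefldr.dll,ShowWelcomeCenter (User 'LOCAL SERVICE')",
    r"O4 - HKCU\..\Run: [SmartShCom] C:\ProgramData\SmartShCom\hcfgfytg.exe",
    r"O4 - HKCU\..\Run: [WvSbO1Kv04] C:\ProgramData\rcvsxmzo\nqlszova.exe",
    r"O4 - HKCU\..\Run: [ProcDsc] C:\ProgramData\ProcDsc\zcvgzsly.exe",
    r"O4 - HKCU\..\Run: [monwin] C:\ProgramData\monwin\verohots.exe",
    r"O4 - HKCU\..\Run: [proccfg] C:\ProgramData\proccfg\zmtqrwdk.exe",
    r"O4 - HKCU\..\Run: [enstrapp] C:\ProgramData\enstrapp\lifonape.exe",
    r"O4 - HKCU\..\Run: [infosys] C:\ProgramData\infosys\gzmhghgd.exe",
    r"O4 - HKCU\..\Run: [EnUiProc] C:\ProgramData\EnUiProc\gfsfsrcf.exe",
    r"O4 - HKCU\..\Run: [ChkHlp] C:\ProgramData\ChkHlp\clybelup.exe",
    r"O4 - HKCU\..\Run: [WebSrv] C:\ProgramData\WebSrv\ibkdivij.exe",
    r"O4 - HKCU\..\Run: [sysmsg] C:\ProgramData\sysmsg\jwbwdqrw.exe",
    r"O4 - HKCU\..\Run: [shactmsg] C:\ProgramData\shactmsg\hqfslgvi.exe",
    r"O4 - HKCU\..\Run: [infodbset] C:\ProgramData\infodbset\gzufknil.exe",
    r"O4 - HKCU\..\Run: [lphctmdj0ec0e] C:\Windows\system32\lphctmdj0ec0e.exe",
]

if __name__ == "__main__":
    for line, reasons in triage(SAMPLE_LOG):
        print(f"{'; '.join(reasons):<45} {line}")
```

Run against the sample it reports all 14 ticked Run entries and the orphaned BHO while leaving the Defender, Adobe, NVIDIA, Sidebar and Welcome Center entries alone; the system32 dropper is caught only by the name heuristic, which is why the two are combined.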

Garfie
2008-08-12, 20:48
C:\Users\All Users\infodbset moved successfully.
C:\Users\All Users\CmdStr moved successfully.
C:\Users\All Users\shactmsg moved successfully.
C:\Users\All Users\dscsys moved successfully.
C:\Users\All Users\sysmsg moved successfully.
C:\Users\All Users\WebHlp moved successfully.
C:\Users\All Users\WebSrv moved successfully.
C:\Users\All Users\cfgcmdwin moved successfully.
C:\Users\All Users\ChkHlp moved successfully.
C:\Users\All Users\cfgwinsrv moved successfully.
C:\Users\All Users\EnUiProc moved successfully.
C:\Users\All Users\smarthlp moved successfully.
C:\Users\All Users\infosys moved successfully.
C:\Users\All Users\cfgdscsys moved successfully.
C:\Users\All Users\enstrapp moved successfully.
C:\Users\All Users\SetEn moved successfully.
C:\Users\All Users\proccfg moved successfully.
C:\Users\All Users\DbSys moved successfully.
C:\Users\All Users\monwin moved successfully.
C:\Users\All Users\mntsh moved successfully.
C:\Users\All Users\ProcDsc moved successfully.
C:\Users\All Users\DscHlpCom moved successfully.
C:\Users\All Users\rcvsxmzo moved successfully.
C:\Users\All Users\SmartShCom moved successfully.
C:\Users\All Users\infomntgen moved successfully.
C:\Users\Guy\AppData\Roaming\LimeWire\xml\data moved successfully.
C:\Users\Guy\AppData\Roaming\LimeWire\xml moved successfully.
C:\Users\Guy\AppData\Roaming\LimeWire\themes\windows_theme moved successfully.
C:\Users\Guy\AppData\Roaming\LimeWire\themes moved successfully.
C:\Users\Guy\AppData\Roaming\LimeWire\promotion moved successfully.
C:\Users\Guy\AppData\Roaming\LimeWire\.AppSpecialShare moved successfully.
C:\Users\Guy\AppData\Roaming\LimeWire moved successfully.

OTMoveIt2 by OldTimer - Version 1.0.4.3 log created on 08122008_194507

---------------------------------

Deckard's System Scanner v20071014.68
Run by Guy on 2008-08-12 19:46:33
Computer is in Normal Mode.
--------------------------------------------------------------------------------



-- HijackThis (run as Guy.exe) -------------------------------------------------

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 7:46:36 PM, on 8/12/2008
Platform: Windows Vista SP1 (WinNT 6.00.1905)
MSIE: Internet Explorer v7.00 (7.00.6001.18000)
Boot mode: Normal

Running processes:
C:\Windows\system32\taskeng.exe
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Program Files\Windows Defender\MSASCui.exe
C:\Windows\RtHDVCpl.exe
C:\Program Files\Adobe\Photoshop Elements 6.0\apdproxy.exe
C:\Program Files\Avast Antivirus\ashDisp.exe
C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe
C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe
C:\Program Files\Windows Sidebar\sidebar.exe
C:\Program Files\Nokia\Nokia PC Suite 6\PcSync2.exe
C:\Program Files\Nokia\Nokia PC Suite 6\PCSuite.exe
C:\Program Files\Windows Media Player\wmpnscfg.exe
C:\Windows\system32\wbem\unsecapp.exe
C:\Program Files\Windows Sidebar\sidebar.exe
C:\Program Files\Common Files\Nokia\MPAPI\MPAPI3s.exe
C:\Program Files\Microsoft Office\OFFICE11\OUTLOOK.EXE
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Windows\system32\wuauclt.exe
C:\Users\Guy\Desktop\dss.exe
C:\Users\Guy\Desktop\Guy.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O1 - Hosts: ::1 localhost
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O4 - HKLM\..\Run: [Windows Defender] %ProgramFiles%\Windows Defender\MSASCui.exe -hide
O4 - HKLM\..\Run: [RtHDVCpl] RtHDVCpl.exe
O4 - HKLM\..\Run: [Adobe Photo Downloader] "C:\Program Files\Adobe\Photoshop Elements 6.0\apdproxy.exe"
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\AVASTA~1\ashDisp.exe
O4 - HKLM\..\Run: [NvSvc] RUNDLL32.EXE C:\Windows\system32\nvsvc.dll,nvsvcStart
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\Windows\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\Windows\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe"
O4 - HKCU\..\Run: [Sidebar] C:\Program Files\Windows Sidebar\sidebar.exe /autoRun
O4 - HKCU\..\Run: [Nokia.PCSync] "C:\Program Files\Nokia\Nokia PC Suite 6\PCSync2.exe" /NoDialog
O4 - HKCU\..\Run: [PC Suite Tray] "C:\Program Files\Nokia\Nokia PC Suite 6\PCSuite.exe" -onlytray
O4 - HKCU\..\Run: [WMPNSCFG] C:\Program Files\Windows Media Player\WMPNSCFG.exe
O4 - HKUS\S-1-5-19\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\Run: [WindowsWelcomeCenter] rundll32.exe oobefldr.dll,ShowWelcomeCenter (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'NETWORK SERVICE')
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\PROGRA~1\Java\JRE16~2.0_0\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\PROGRA~1\Java\JRE16~2.0_0\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O13 - Gopher Prefix:
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O22 - SharedTaskScheduler: Windows DreamScene - {E31004D1-A431-41B8-826F-E902F9D95C81} - C:\Windows\System32\DreamScene.dll
O23 - Service: Adobe Active File Monitor V6 (AdobeActiveFileMonitor6.0) - Unknown owner - C:\Program Files\Adobe\Photoshop Elements 6.0\PhotoshopElementsFileAgent.exe
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Avast Antivirus\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Avast Antivirus\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Avast Antivirus\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Avast Antivirus\ashWebSv.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: ServiceLayer - Nokia. - C:\Program Files\PC Connectivity Solution\ServiceLayer.exe

--
End of file - 5963 bytes

-- Files created between 2008-07-12 and 2008-08-12 -----------------------------

2008-08-07 22:28:17 0 d-------- C:\Program Files\DesktopKeeley
2008-08-07 22:28:14 0 d-------- C:\Program Files\Common Files\Adobe AIR
2008-08-07 10:55:24 0 d-------- C:\Windows\system32\appmgmt
2008-08-07 02:01:22 0 d-------- C:\VundoFix Backups
2008-08-07 00:59:32 0 d-------- C:\Windows\Sun
2008-08-06 20:14:43 0 d-------- C:\Users\All Users\Spybot - Search & Destroy
2008-08-05 00:36:46 0 d-------- C:\Users\Administrator\Virus removal
2008-08-04 23:10:17 0 d-------- C:\Windows\pss
2008-08-04 21:52:06 0 d-------- C:\Users\All Users\SUPERAntiSpyware.com
2008-08-04 21:51:44 0 d-------- C:\Program Files\SUPERAntiSpyware
2008-08-04 08:51:06 0 d-------- C:\Program Files\CCleaner
2008-08-04 01:38:22 0 d-------- C:\Users\All Users\Lavasoft
2008-08-04 01:37:16 0 d-------- C:\Program Files\Common Files\Wise Installation Wizard
2008-08-04 01:13:20 0 d-------- C:\Users\All Users\Malwarebytes
2008-08-04 01:12:38 0 d-------- C:\Program Files\Virus removal
2008-08-04 00:56:47 0 d-------- C:\Program Files\Panda Security
2008-08-04 00:35:30 0 d-------- C:\Users\Guy\Virus removal
2008-07-17 19:40:47 0 d-------- C:\Users\All Users\hpdj1280


-- Find3M Report ---------------------------------------------------------------

2008-08-07 22:28:31 0 d-------- C:\Users\Guy\AppData\Roaming\DesktopKeeley.67EC435B62486C772528D0A6C46FFC4DE1624B6B.1
2008-08-07 22:28:14 0 d-------- C:\Program Files\Common Files
2008-08-07 22:26:18 0 d-------- C:\Users\Guy\AppData\Roaming\Adobe
2008-08-07 10:55:21 0 d-------- C:\Program Files\Java
2008-08-04 21:51:44 0 d-------- C:\Users\Guy\AppData\Roaming\SUPERAntiSpyware.com
2008-08-04 01:13:24 0 d-------- C:\Users\Guy\AppData\Roaming\Malwarebytes
2008-07-30 23:59:07 0 d-------- C:\Program Files\Avast Antivirus
2008-07-09 08:58:37 0 d-------- C:\Program Files\Windows Mail
2008-06-30 01:00:14 0 d-------- C:\Users\Guy\AppData\Roaming\Mozilla
2008-06-26 19:26:21 0 d-------- C:\Users\Guy\AppData\Roaming\Nokia Multimedia Player
2008-06-18 17:45:56 0 d-------- C:\Users\Guy\AppData\Roaming\Nokia
2008-06-18 17:44:14 0 d-------- C:\Users\Guy\AppData\Roaming\PC Suite
2008-06-18 17:41:50 0 d-------- C:\Program Files\Common Files\Nokia
2008-06-18 17:41:49 0 d-------- C:\Program Files\Common Files\PCSuite
2008-06-18 17:41:44 0 d-------- C:\Program Files\Nokia
2008-06-18 17:41:35 0 d-------- C:\Program Files\DIFX
2008-06-18 17:40:32 0 d-------- C:\Program Files\PC Connectivity Solution
2008-06-18 00:29:15 0 d-------- C:\Program Files\Windows Live
2008-06-17 22:07:30 0 d-------- C:\Program Files\Common Files\Java
2008-06-17 21:22:53 0 d-------- C:\Program Files\BitLocker
2008-06-17 21:19:25 0 d-------- C:\Program Files\Microsoft Games
2008-06-17 19:58:20 0 d-------- C:\Program Files\Microsoft SQL Server Compact Edition
2008-06-17 19:58:15 0 d--hs--c- C:\Program Files\Common Files\WindowsLiveInstaller
2008-06-17 19:55:06 0 d-------- C:\Program Files\Msn Messenger
2008-06-17 19:16:28 174 --ahs---- C:\Program Files\desktop.ini
2008-06-17 19:02:08 0 d-------- C:\Program Files\Windows Sidebar
2008-06-17 19:02:08 0 d-------- C:\Program Files\Windows Photo Gallery
2008-06-17 19:02:08 0 d-------- C:\Program Files\Windows Journal
2008-06-17 19:02:08 0 d-------- C:\Program Files\Windows Collaboration
2008-06-17 19:02:08 0 d-------- C:\Program Files\Windows Calendar
2008-06-17 19:02:08 0 d-------- C:\Program Files\Movie Maker
2008-06-17 19:02:07 0 d-------- C:\Program Files\Windows Defender
2008-06-07 00:58:21 0 --a------ C:\Windows\nsreg.dat
2008-06-05 13:38:39 315392 --a------ C:\Windows\HideWin.exe <Not Verified; Realtek Semiconductor Corp.; HD Audio Hide windows program>


-- Registry Dump ---------------------------------------------------------------

*Note* empty entries & legit default entries are not shown


[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Windows Defender"="C:\Program Files\Windows Defender\MSASCui.exe" [01/19/2008 08:38 AM]
"RtHDVCpl"="RtHDVCpl.exe" [10/01/2007 04:53 AM C:\Windows\RtHDVCpl.exe]
"Adobe Photo Downloader"="C:\Program Files\Adobe\Photoshop Elements 6.0\apdproxy.exe" [09/11/2007 12:43 AM]
"Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [01/11/2008 10:16 PM]
"avast!"="C:\PROGRA~1\AVASTA~1\ashDisp.exe" [07/19/2008 03:38 PM]
"NvSvc"="C:\Windows\system32\nvsvc.dll" [09/12/2007 05:28 AM]
"NvCplDaemon"="C:\Windows\system32\NvCpl.dll" [09/12/2007 05:28 AM]
"NvMediaCenter"="C:\Windows\system32\NvMcTray.dll" [09/12/2007 05:28 AM]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe" [06/10/2008 04:27 AM]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Sidebar"="C:\Program Files\Windows Sidebar\sidebar.exe" [01/19/2008 08:33 AM]
"Nokia.PCSync"="C:\Program Files\Nokia\Nokia PC Suite 6\PCSync2.exe" [03/26/2008 06:41 PM]
"PC Suite Tray"="C:\Program Files\Nokia\Nokia PC Suite 6\PCSuite.exe" [04/16/2008 12:53 PM]
"WMPNSCFG"="C:\Program Files\Windows Media Player\WMPNSCFG.exe" [01/19/2008 08:33 AM]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"ConsentPromptBehaviorAdmin"=2 (0x2)
"EnableUIADesktopToggle"=0 (0x0)

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= C:\Program Files\SUPERAntiSpyware\SASSEH.DLL [05/13/2008 10:13 AM 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
C:\Program Files\SUPERAntiSpyware\SASWINLO.dll 04/19/2007 01:41 PM 294912 C:\Program Files\SUPERAntiSpyware\SASWINLO.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\AppInfo]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\KeyIso]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\NTDS]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\ProfSvc]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\sacsvr]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\SWPRV]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\TabletInputService]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\TBS]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\TrustedInstaller]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\VDS]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\volmgr.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\volmgrx.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{533C5B84-EC70-11D2-9505-00C04F79DEAF}]
@="Volume shadow copy"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{6BDD1FC1-810F-11D0-BEC7-08002BE2092F}]
@="IEEE 1394 Bus host controllers"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{D48179BE-EC20-11D1-B6B8-00C04FA372A7}]
@="SBP2 IEEE 1394 Devices"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{D94EE5D8-D189-4994-83D2-F68D7D41B0E6}]
@="SecurityDevices"

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
LocalService nsi lltdsvc SSDPSRV upnphost SCardSvr w32time EventSystem RemoteRegistry WinHttpAutoProxySvc lanmanworkstation TBS SLUINotify THREADORDER fdrespub netprofm fdphost wcncsvc QWAVE Mcx2Svc WebClient SstpSvc


[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\F]
AutoRun\command- F:\LaunchU3.exe -a

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{0c116be0-33d0-11dd-aa29-001fc60705ae}]
AutoRun\command- G:\setupSNK.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{0c116be3-33d0-11dd-aa29-001fc60705ae}]
AutoRun\command- F:\LaunchU3.exe -a

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{64b80e04-3376-11dd-ab9b-806e6f6e6963}]
AutoRun\command- D:\autorun.exe


[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\>{22d6f312-b0f6-11d0-94ab-0080c74c7e95}]
C:\Windows\system32\unregmp2.exe /ShowWMP

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{6BF52A52-394A-11d3-B153-00C04F79FAA6}]
%SystemRoot%\system32\unregmp2.exe /FirstLogon /Shortcuts /RegBrowsers /ResetMUI

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{7070D8E0-650A-46b3-B03C-9497582E6A74}]
%SystemRoot%\system32\soundschemes.exe /AddRegistration



-- End of Deckard's System Scanner: finished at 2008-08-12 19:47:02 ------------

Shaba
2008-08-13, 10:01
Looks much better :)

Please go to Kaspersky website (http://www.kaspersky.com/kos/eng/partner/default/kavwebscan.html) and perform an online antivirus scan.

Read through the requirements and privacy statement and click on Accept button.
It will start downloading and installing the scanner and virus definitions. You will be prompted to install an application from Kaspersky. Click Run.
When the downloads have finished, click on Settings.
Make sure these boxes are checked (ticked). If they are not, please tick them and click on the Save button:
- Spyware, Adware, Dialers, and other potentially dangerous programs
- Archives
Click on My Computer under Scan.
Once the scan is complete, it will display the results. Click on View Scan Report.
You will see a list of infected items there. Click on Save Report As....
Save this report to a convenient place. Change the Files of type to Text file (.txt) before clicking on the Save button.
Please post this log in your next reply along with a fresh HijackThis log.

Garfie
2008-08-13, 21:12
--------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER 7 REPORT
Wednesday, August 13, 2008
Operating System: Microsoft Windows Vista Ultimate Edition, 32-bit Service Pack 1 (build 6001)
Kaspersky Online Scanner 7 version: 7.0.25.0
Program database last update: Wednesday, August 13, 2008 19:15:57
Records in database: 1090114
--------------------------------------------------------------------------------

Scan settings:
Scan using the following database: extended
Scan archives: yes
Scan mail databases: yes

Scan area - My Computer:
C:\
D:\
E:\

Scan statistics:
Files scanned: 95135
Threat name: 4
Infected objects: 15
Suspicious objects: 0
Duration of the scan: 00:59:21


File name / Threat name / Threats count
C:\Users\Helen.Guy-PC\Documents\LimeWire\Incomplete\Preview-T-5745425-riannah cinderella.mp3 Infected: Trojan-Downloader.WMA.Wimad.n 1
C:\Users\Helen.Guy-PC\Documents\LimeWire\Saved\riannah cinderella.mp3 Infected: Trojan-Downloader.WMA.Wimad.n 1
C:\_OTMoveIt\MovedFiles\08122008_194507\Users\All Users\cfgcmdwin\edmxatul.exe Infected: Trojan-Downloader.Win32.Small.aaeu 1
C:\_OTMoveIt\MovedFiles\08122008_194507\Users\All Users\cfgdscsys\ypybgxmn.exe Infected: Trojan-Downloader.Win32.Small.aaeu 1
C:\_OTMoveIt\MovedFiles\08122008_194507\Users\All Users\cfgwinsrv\gzcdixwx.exe Infected: Trojan-Downloader.Win32.Small.aaeu 1
C:\_OTMoveIt\MovedFiles\08122008_194507\Users\All Users\CmdGen\buzmnafe.exe Infected: Trojan-Downloader.Win32.Small.aaeu 1
C:\_OTMoveIt\MovedFiles\08122008_194507\Users\All Users\CmdStr\grgbedul.exe Infected: Trojan-Downloader.Win32.Small.aaeu 1
C:\_OTMoveIt\MovedFiles\08122008_194507\Users\All Users\DbSys\rmlytcbq.exe Infected: Trojan-Downloader.Win32.Small.aaeu 1
C:\_OTMoveIt\MovedFiles\08122008_194507\Users\All Users\dscsys\xydetahg.exe Infected: Trojan-Downloader.Win32.Small.aaeu 1
C:\_OTMoveIt\MovedFiles\08122008_194507\Users\All Users\infomntgen\dqhulsto.exe Infected: Trojan-Downloader.Win32.Small.aadx 1
C:\_OTMoveIt\MovedFiles\08122008_194507\Users\All Users\mntsh\fexmhgto.exe Infected: Trojan-Downloader.Win32.Small.aaeu 1
C:\_OTMoveIt\MovedFiles\08122008_194507\Users\All Users\SetEn\jofgzajw.exe Infected: Trojan-Downloader.Win32.Small.aaeu 1
C:\_OTMoveIt\MovedFiles\08122008_194507\Users\All Users\smarthlp\qvypavkt.exe Infected: Trojan-Downloader.Win32.Small.aaeu 1
C:\_OTMoveIt\MovedFiles\08122008_194507\Users\All Users\WebCfg\ihyvonej.exe Infected: Trojan-Downloader.Win32.Small.aasl 1
C:\_OTMoveIt\MovedFiles\08122008_194507\Users\All Users\WebHlp\hobifiji.exe Infected: Trojan-Downloader.Win32.Small.aaeu 1

The selected area was scanned.
----------------------------------------
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 8:10:54 PM, on 8/13/2008
Platform: Windows Vista SP1 (WinNT 6.00.1905)
MSIE: Internet Explorer v7.00 (7.00.6001.18000)
Boot mode: Normal

Running processes:
C:\Windows\system32\Dwm.exe
C:\Windows\system32\taskeng.exe
C:\Windows\Explorer.EXE
C:\Program Files\Windows Defender\MSASCui.exe
C:\Windows\RtHDVCpl.exe
C:\Program Files\Adobe\Photoshop Elements 6.0\apdproxy.exe
C:\Program Files\Avast Antivirus\ashDisp.exe
C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe
C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe
C:\Program Files\Windows Sidebar\sidebar.exe
C:\Program Files\Nokia\Nokia PC Suite 6\PcSync2.exe
C:\Program Files\Nokia\Nokia PC Suite 6\PCSuite.exe
C:\Program Files\Windows Media Player\wmpnscfg.exe
C:\Program Files\Windows Sidebar\sidebar.exe
C:\Windows\system32\wbem\unsecapp.exe
C:\Program Files\Common Files\Nokia\MPAPI\MPAPI3s.exe
C:\Program Files\Microsoft Office\OFFICE11\OUTLOOK.EXE
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Windows\system32\wuauclt.exe
C:\Windows\system32\conime.exe
C:\Users\Guy\Desktop\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O1 - Hosts: ::1 localhost
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O4 - HKLM\..\Run: [Windows Defender] %ProgramFiles%\Windows Defender\MSASCui.exe -hide
O4 - HKLM\..\Run: [RtHDVCpl] RtHDVCpl.exe
O4 - HKLM\..\Run: [Adobe Photo Downloader] "C:\Program Files\Adobe\Photoshop Elements 6.0\apdproxy.exe"
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\AVASTA~1\ashDisp.exe
O4 - HKLM\..\Run: [NvSvc] RUNDLL32.EXE C:\Windows\system32\nvsvc.dll,nvsvcStart
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\Windows\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\Windows\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe"
O4 - HKCU\..\Run: [Sidebar] C:\Program Files\Windows Sidebar\sidebar.exe /autoRun
O4 - HKCU\..\Run: [Nokia.PCSync] "C:\Program Files\Nokia\Nokia PC Suite 6\PCSync2.exe" /NoDialog
O4 - HKCU\..\Run: [PC Suite Tray] "C:\Program Files\Nokia\Nokia PC Suite 6\PCSuite.exe" -onlytray
O4 - HKCU\..\Run: [WMPNSCFG] C:\Program Files\Windows Media Player\WMPNSCFG.exe
O4 - HKUS\S-1-5-19\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\Run: [WindowsWelcomeCenter] rundll32.exe oobefldr.dll,ShowWelcomeCenter (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'NETWORK SERVICE')
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\PROGRA~1\Java\JRE16~2.0_0\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\PROGRA~1\Java\JRE16~2.0_0\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O13 - Gopher Prefix:
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O22 - SharedTaskScheduler: Windows DreamScene - {E31004D1-A431-41B8-826F-E902F9D95C81} - C:\Windows\System32\DreamScene.dll
O23 - Service: Adobe Active File Monitor V6 (AdobeActiveFileMonitor6.0) - Unknown owner - C:\Program Files\Adobe\Photoshop Elements 6.0\PhotoshopElementsFileAgent.exe
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Avast Antivirus\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Avast Antivirus\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Avast Antivirus\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Avast Antivirus\ashWebSv.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: ServiceLayer - Nokia. - C:\Program Files\PC Connectivity Solution\ServiceLayer.exe

--
End of file - 5972 bytes

Shaba
2008-08-13, 21:22
Delete these:

C:\Users\Helen.Guy-PC\Documents\LimeWire\
C:\_OTMoveIt\MovedFiles

Empty Recycle Bin.

Still problems?

Garfie
2008-08-13, 21:37
It's looking good. PC running a lot better now.
Did an MBAM scan and it found 1 entry, though.

Malwarebytes' Anti-Malware 1.24
Database version: 1020
Windows 6.0.6001 Service Pack 1

8:35:41 PM 8/13/2008
mbam-log-8-13-2008 (20-35-41).txt

Scan type: Quick Scan
Objects scanned: 40243
Time elapsed: 2 minute(s), 35 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 1
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_CURRENT_USER\SOFTWARE\uninstall (Fake.Dropped.Malware) -> Quarantined and deleted successfully.

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)
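
The MBAM log above reports one leftover registry key and a clean removal action. As an added example (not part of the original thread or of Malwarebytes' own code), the parser below turns a 1.x-era MBAM text log into a structured report, so a helper can check two things the raw log makes easy to miss: whether every listed item was actually removed (an action other than "Quarantined and deleted successfully", such as "Delete on reboot", still needs a reboot and a rescan), and whether the summary counts agree with the detail sections. The log layout is reconstructed from the logs quoted in this thread; the entries in SAMPLE_LOG are constructed for illustration and are not findings from the poster's machine.

```python
"""Parse a Malwarebytes' Anti-Malware 1.x text log into a structured report.

Added example for this thread, not code from the original post or from
Malwarebytes. SAMPLE_LOG is constructed; its second entry is invented to
show how an incomplete removal action is flagged.
"""
import re

SAMPLE_LOG = r"""
Malwarebytes' Anti-Malware 1.24
Database version: 1020
Windows 6.0.6001 Service Pack 1

Scan type: Quick Scan
Objects scanned: 40243
Time elapsed: 2 minute(s), 35 second(s)

Memory Processes Infected: 0
Registry Keys Infected: 1
Files Infected: 1

Memory Processes Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_CURRENT_USER\SOFTWARE\uninstall (Fake.Dropped.Malware) -> Quarantined and deleted successfully.

Files Infected:
C:\ProgramData\example\example.exe (Trojan.FakeAlert) -> Delete on reboot.
"""

# Summary lines look like "<section> Infected: <n>"; the later detail
# headers are the same text without a count ("<section> Infected:").
SUMMARY_RE = re.compile(r"^(?P<section>[A-Za-z ]+ Infected): (?P<count>\d+)$")
# Detail lines look like "<item> (<family>) -> <action>."
DETECTION_RE = re.compile(r"^(?P<item>.+?) \((?P<family>[^()]+)\) -> (?P<action>.+?)\.?$")

SUCCESS_ACTION = "Quarantined and deleted successfully"


def parse_mbam_log(text):
    """Return {'summary': {section: count}, 'detections': [dict, ...]}."""
    report = {"summary": {}, "detections": []}
    section = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = SUMMARY_RE.match(line)
        if m:
            report["summary"][m.group("section")] = int(m.group("count"))
            continue
        if line.endswith("Infected:"):
            section = line[:-1]          # start of a detail section
            continue
        if section is None or line == "(No malicious items detected)":
            continue
        m = DETECTION_RE.match(line)
        if m:
            report["detections"].append({
                "section": section,
                "item": m.group("item"),
                "family": m.group("family"),
                "action": m.group("action"),
            })
    return report


def needs_followup(report):
    """Detections whose action was anything other than a clean removal."""
    return [d for d in report["detections"] if d["action"] != SUCCESS_ACTION]


def summary_matches_detail(report):
    """True when each summary count equals the number of items listed for it."""
    for section, count in report["summary"].items():
        listed = sum(1 for d in report["detections"] if d["section"] == section)
        if listed != count:
            return False
    return True


if __name__ == "__main__":
    rep = parse_mbam_log(SAMPLE_LOG)
    for d in rep["detections"]:
        print(f"{d['section']}: {d['item']} [{d['family']}] -> {d['action']}")
    for d in needs_followup(rep):
        print("needs reboot/rescan:", d["item"])
    print("summary consistent:", summary_matches_detail(rep))
```

Run it against a saved mbam-log-*.txt by reading the file into parse_mbam_log instead of SAMPLE_LOG; anything returned by needs_followup is a reason to reboot and rescan before calling the machine clean.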

Shaba
2008-08-14, 10:01
Yes, that was a leftover.

Other issues left? :)

Garfie
2008-08-16, 12:32
No, all seems ok now :)

Thank you so much for your help Shaba, it is so greatly appreciated.

One last thing, can you advise on what security products I should run on my computer?

I was running Avast Antivirus and Windows Firewall but this infection still managed to get through.

Presumably I can uninstall all the virus removal programs now, although Mbam seems like a handy one to keep.

Is there anything else I need or shall I stick with Avast, Windows Firewall and Mbam?

Perhaps re-enable Spybot TeaTimer and keep that?

Thanks again

Guy

Shaba
2008-08-16, 12:36
"One last thing, can you advise on what security products I should run on my computer?"

"Is there anything else I need or shall I stick with Avast, Windows Firewall and Mbam?"

Just see from below :)

"Perhaps re-enable Spybot TeaTimer and keep that?"

Yes :)

Now that you are clean, please follow these simple steps in order to keep your computer clean and secure:

Looking over your log, it seems you don't have any evidence of a third party firewall.

As the term conveys, a firewall is an extra layer of security installed onto computers, which restricts access to systems from the outside world. Firewalls protect against hackers and malicious intruders. I want you to download a free firewall NOW from one of these excellent vendors:

1) Comodo (http://www.personalfirewall.comodo.com/) (Uncheck during installation "Install Comodo SafeSurf..", "Make Comodo my default search provider" and "Make Comodo Search my homepage")
2) Online Armor (http://www.tallemu.com/online_armor_free.html)
3) Sunbelt/Kerio (http://www.sunbelt-software.com/Kerio-Download.cfm)
4) Agnitum (http://www.agnitum.com/products/outpostfree/download.php)
5) ZoneAlarm (http://www.zonelabs.com/store/content/catalog/products/sku_list_za.jsp?dc=12bms&ctry=US&lang=en&lid=nav_za) (uncheck ZoneAlarm Spy Blocker during installation if you choose this one)

If you are using the built-in Windows XP firewall, it is not recommended as it does not block outgoing connections. This means that any malware on your computer is free to "phone home" for more instructions. Simply put, Windows XP contains a mediocre firewall. This firewall is NO replacement for a dedicated software solution. Remember to use only one firewall at the same time.

Next we remove all used tools.

Please download OTCleanIt (http://download.bleepingcomputer.com/oldtimer/OTCleanIt.exe) and save it to desktop.

Double-click OTCleanIt.exe.
Click the CleanUp! button.
Select Yes when the "Begin cleanup Process?" prompt appears.
If you are prompted to Reboot during the cleanup, select Yes.
The tool will delete itself once it finishes; if not, delete it yourself.


Note: If you receive a warning from your firewall or other security programs regarding OTCleanIt attempting to contact the internet, please allow it to do so.

Disable and Enable System Restore. - If you are using Windows Vista then you should disable and re-enable system restore to make sure there are no infected files found in a restore point.

You can find instructions on how to enable and re-enable system restore here:

Windows Vista System Restore Guide (http://www.bleepingcomputer.com/tutorials/tutorial143.html)

Re-enable system restore with the instructions from the tutorial above.

Make your Internet Explorer more secure - This can be done by following these simple instructions:
From within Internet Explorer click on the Tools menu and then click on Options.
Click once on the Security tab
Click once on the Internet icon so it becomes highlighted.
Click once on the Custom Level button.
Change the Download signed ActiveX controls to Prompt

Change the Download unsigned ActiveX controls to Disable

Change the Initialize and script ActiveX controls not marked as safe to Disable

Change the Installation of desktop items to Prompt

Change the Launching programs and files in an IFRAME to Prompt

Change the Navigate sub-frames across different domains to Prompt

When all these settings have been made, click on the OK button.

If it prompts you as to whether or not you want to save the settings, press the Yes button.
Next press the Apply button and then the OK to exit the Internet Properties page.

Update your AntiVirus Software - It is imperative that you update your Antivirus software at least once a week (even more often if you wish). If you do not update your antivirus software then it will not be able to catch any of the new variants that may come out.


Visit Microsoft's Windows Update Site Frequently - It is important that you visit http://www.windowsupdate.com (http://www.windowsupdate.com) regularly. This will ensure your computer always has the latest security updates installed. If there are new updates to install, install them immediately, reboot your computer, and revisit the site until there are no more critical updates.

Install Malwarebytes' Anti-Malware - Malwarebytes' Anti-Malware is a new and powerful anti-malware tool. It is totally free, but for real-time protection you will have to pay a small one-time fee. Tutorials on installing & using this product can be found below:

Malwarebytes' Anti-Malware Setup Guide (http://www.bfccomputers.com/forum/index.php?showtopic=1644)

Malwarebytes' Anti-Malware Scanning Guide (http://www.bfccomputers.com/forum/index.php?showtopic=1645)


Install SpywareBlaster - SpywareBlaster will add a large list of programs and sites to your Internet Explorer settings that will protect you from running and downloading known malicious programs.

A tutorial on installing & using this product can be found here:

Using SpywareBlaster to protect your computer from Spyware and Malware (http://www.bleepingcomputer.com/tutorials/tutorial49.html)


Update all these programs regularly - Make sure you update all the programs I have listed regularly. Without regular updates you WILL NOT be protected when new malicious programs are released.
Follow this list and your potential for being infected again will be reduced dramatically.

Here are some additional utilities that will enhance your safety

MVPS Hosts file (http://mvps.org/winhelp2002/hosts.htm) <= The MVPS Hosts file replaces your current HOSTS file with one containing well-known ad sites etc. Basically, this prevents your computer from connecting to those sites by redirecting them to 127.0.0.1, which is your local computer.
WinPatrol (http://www.winpatrol.com/) <= Download and install the free version of WinPatrol. A tutorial for this product is located here:
Using WinPatrol to protect your computer from malicious software (http://www.winpatrol.com/features.html)

Stand Up and Be Counted ---> Malware Complaints (http://www.malwarecomplaints.info/index.php) <--- where you can make a difference!

The site offers people who have been (or are) victims of malware the opportunity to document their story and, in that way, launch a complaint against the malware and the makers of the malware.

Also, please read this great article by Tony Klein: So How Did I Get Infected In the First Place? (http://castlecops.com/postlite7736-.html)

Happy surfing and stay clean! :bigthumb:
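
The six Internet Explorer zone settings in the post above are clicked through a dialog, which makes them hard to verify later (after an IE reset, a new user profile, or another infection that loosens them). As an added example, not part of the original post and not tooling from Spybot or Microsoft, the script below audits the Internet zone against those same six recommendations. It relies on the documented IE zone registry layout: the per-user Internet zone lives under HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3, each setting is a DWORD named by a numeric action ID, and the values 0, 1 and 3 mean Enable, Prompt and Disable. The action-ID-to-setting mapping is taken from Microsoft's published documentation of the zone registry entries; the comparison is a pure function so it can be exercised against a captured dict on any OS, while reading the live values needs Windows (winreg). The weak dict in the usage note is constructed for illustration.

```python
"""Audit Internet Explorer's Internet zone against the hardening settings
recommended in the post above.

Added example for this thread, not the post's own tooling. The registry
path, value encoding (0 = Enable, 1 = Prompt, 3 = Disable) and action IDs
follow Microsoft's documentation of the IE zone registry entries.
"""

ENABLE, PROMPT, DISABLE = 0, 1, 3
LEVEL_NAMES = {ENABLE: "Enable", PROMPT: "Prompt", DISABLE: "Disable"}

# Per-user Internet zone (zone 3). Machine-wide overrides live under HKLM.
INTERNET_ZONE_KEY = r"Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3"

# Action ID -> (setting name as shown in the Custom Level dialog, recommended value)
RECOMMENDED = {
    "1001": ("Download signed ActiveX controls", PROMPT),
    "1004": ("Download unsigned ActiveX controls", DISABLE),
    "1201": ("Initialize and script ActiveX controls not marked as safe", DISABLE),
    "1800": ("Installation of desktop items", PROMPT),
    "1804": ("Launching programs and files in an IFRAME", PROMPT),
    "1607": ("Navigate sub-frames across different domains", PROMPT),
}


def audit_internet_zone(values):
    """Return (action_id, name, current, recommended) for every setting that
    is weaker than recommended. `values` maps action ID -> DWORD as stored
    in the registry. Enable < Prompt < Disable, so 'weaker' is simply a
    smaller number; a stricter setting is not reported. A missing ID is
    reported with current=None because IE then falls back to the zone
    template default, which is not necessarily the hardened value."""
    findings = []
    for action_id, (name, wanted) in RECOMMENDED.items():
        current = values.get(action_id)
        if current is None or current < wanted:
            findings.append((action_id, name, current, wanted))
    return findings


def read_internet_zone():
    """Read the live per-user Internet zone values. Windows only."""
    import winreg  # standard library on Windows; ImportError elsewhere
    values = {}
    with winreg.OpenKey(winreg.HKEY_CURRENT_USER, INTERNET_ZONE_KEY) as key:
        for action_id in RECOMMENDED:
            try:
                data, _ = winreg.QueryValueEx(key, action_id)
                values[action_id] = int(data)
            except FileNotFoundError:
                pass  # value absent: audit reports it as unset
    return values


def format_findings(findings):
    lines = []
    for action_id, name, current, wanted in findings:
        cur = "unset" if current is None else LEVEL_NAMES.get(current, str(current))
        lines.append(f"{action_id} {name}: {cur} (recommended {LEVEL_NAMES[wanted]})")
    return "\n".join(lines) if lines else "all six settings at or above recommended level"


if __name__ == "__main__":
    try:
        live = read_internet_zone()
    except ImportError:
        # Not on Windows: demonstrate with a constructed, deliberately weak profile.
        live = {"1001": ENABLE, "1004": ENABLE, "1201": PROMPT, "1800": PROMPT, "1804": DISABLE}
    print(format_findings(audit_internet_zone(live)))
```

Two caveats when you run this on a real machine: it reads only the current user's zone (which is where the Custom Level dialog writes), so audit each account separately, and if the machine has Security_HKLM_only set under HKLM\...\Internet Settings, IE ignores the per-user values and the HKLM\...\Zones\3 key is the one that counts.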

Shaba
2008-08-18, 10:32
Since this issue appears to be resolved ... this Topic has been closed. Glad I could help.

Note: If it has been five days or more since your last post, and the helper assisting you posted a response to that post to which you did not reply, your topic will not be reopened. At that point, if you still require help, please start a new topic and include a fresh HijackThis log and a link to your previous thread.

If it has been less than five days since your last response and you need the thread re-opened, please send me or your helper a private message (pm). A valid, working link to the closed topic is required.