Installed Tencent Qq



#1 jolleyjoe

Posted 19 July 2007 - 10:39 PM

My friend installed Tencent's QQ Instant Messaging program on my computer without my knowledge. I wanted to get rid of it because I believe it's spyware/adware.
I ran Spybot and Ad-Aware and removed what it told me to remove. Now I'm wondering if there's anything left. And more so, if there's anything else wrong with my PC?

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 9:37:50 PM, on 7/19/2007
Platform: Windows Vista  (WinNT 6.00.1904)
MSIE: Internet Explorer v7.00 (7.00.6000.16473)
Boot mode: Normal

Running processes:
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Windows\system32\taskeng.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\Windows\RtHDVCpl.exe
C:\Windows\System32\wpcumi.exe
C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe
C:\Program Files\UltraMon\UltraMon.exe
C:\Program Files\Microsoft IntelliPoint\ipoint.exe
C:\Program Files\Alwil Software\Avast4\ashDisp.exe
C:\Program Files\SlickRun\sr.exe
C:\Program Files\Strokeit\strokeit.exe
C:\Windows\ehome\ehtray.exe
C:\Program Files\Windows Sidebar\sidebar.exe
C:\Program Files\AutoHotkey\AutoHotkey.exe
C:\Program Files\UltraMon\UltraMonTaskbar.exe
C:\Program Files\RMClock\RMClock.exe
C:\Windows\ehome\ehmsas.exe
C:\Program Files\Windows Media Player\wmpnscfg.exe
C:\Windows\system32\wbem\unsecapp.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Pidgin\pidgin.exe
C:\Program Files\Windows Sidebar\sidebar.exe
C:\Program Files\Mozilla Thunderbird\thunderbird.exe
C:\Program Files\Chameleon Clock\ChamClock.exe
C:\Users\Chan\Programs\HiJackThis\HiJackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = 
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = 
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = 
R3 - URLSearchHook: (no name) - {DB8B2393-7A6C-4C76-88CE-6B1F6FF6FFE9} - (no file)
O1 - Hosts: ::1 localhost
O2 - BHO: (no name) - {669751ED-D558-49AE-B01A-3B374CC7910E} - C:\Program Files\TENCENT\SSPlus\SSup.dll (file missing)
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O4 - HKLM\..\Run: [Windows Defender] %ProgramFiles%\Windows Defender\MSASCui.exe -hide
O4 - HKLM\..\Run: [RtHDVCpl] RtHDVCpl.exe
O4 - HKLM\..\Run: [WPCUMI] C:\Windows\system32\WpcUmi.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe"
O4 - HKLM\..\Run: [UltraMon] "C:\Program Files\UltraMon\UltraMon.exe" /auto
O4 - HKLM\..\Run: [IntelliPoint] "C:\Program Files\Microsoft IntelliPoint\ipoint.exe"
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKCU\..\Run: [SlickRun] "C:\Program Files\SlickRun\sr.exe"
O4 - HKCU\..\Run: [StrokeIt] C:\Program Files\Strokeit\strokeit.exe
O4 - HKCU\..\Run: [ehTray.exe] C:\Windows\ehome\ehTray.exe
O4 - HKCU\..\Run: [Sidebar] C:\Program Files\Windows Sidebar\sidebar.exe
O4 - HKUS\S-1-5-19\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\Run: [WindowsWelcomeCenter] rundll32.exe oobefldr.dll,ShowWelcomeCenter (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'NETWORK SERVICE')
O4 - Startup: RMClock.lnk = ?
O4 - Startup: wikipedia_autocorrect_with_helper.ahk
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
O10 - Unknown file in Winsock LSP: c:\windows\system32\wpclsp.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\wpclsp.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\wpclsp.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\wpclsp.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\wpclsp.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\wpclsp.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\wpclsp.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\wpclsp.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\wpclsp.dll
O13 - Gopher Prefix: 
O16 - DPF: {5D6F45B3-9043-443D-A792-115447494D24} (UnoCtrl Class) - http://messenger.zone.msn.com/EN-US/a-UNO1/GAME_UNO1.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (MSN Games - Installer) - http://messenger.zone.msn.com/binary/ZIntro.cab56649.cab
O16 - DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsPAClient.cab56907.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
O16 - DPF: {F5A7706B-B9C0-4C89-A715-7A0C6B05DD48} (Minesweeper Flags Class) - http://messenger.zone.msn.com/binary/MineSweeper.cab56986.cab
O20 - AppInit_DLLs: C:\PROGRA~1\Google\GOOGLE~1\GOEC62~1.DLL
O22 - SharedTaskScheduler: Windows DreamScene - {E31004D1-A431-41B8-826F-E902F9D95C81} - C:\Windows\System32\DreamScene.dll
O23 - Service: ASLDR Service (ASLDRService) - Unknown owner - C:\Program Files\ATK Hotkey\ASLDRSrv.exe
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: GoogleDesktopManager - Google - C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
O23 - Service: Google Update Service (gupdate) - Unknown owner - C:\Program Files\Google\Common\Update\1.0.69.0\GoogleUpdate.exe (file missing)
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - CACE Technologies - C:\Program Files\WinPcap\rpcapd.exe

--
End of file - 6570 bytes

Please let me know if there is anything amiss with my computer!

Thanks.


#2 Rorschach

Posted 01 August 2007 - 06:24 AM

Hello jolleyjoe, sorry for the delay. I'm just looking over your log and will get back to you soon.

#3 Rorschach

Posted 01 August 2007 - 08:53 AM

Hello jolleyjoe, my name is Rorschach and I'll be helping you with your problems.

There is no need to put the logs in quote boxes, as it makes them harder to read; you can just paste them normally onto the forum.



We must disable the Real-Time Protection feature of Windows Defender for it may interfere with the changes we need to make.

To disable Real-Time Protection:
  • Go to "Tools" | "General Settings"
  • Scroll down to "Real-time protection options"
  • Uncheck "Turn on real-time protection (recommended)"
  • Remember to reactivate this feature when we have finished all our work.

Please run HijackThis, click "Do a system scan only" and check these entries in bold

R3 - URLSearchHook: (no name) - {DB8B2393-7A6C-4C76-88CE-6B1F6FF6FFE9} - (no file)
O2 - BHO: (no name) - {669751ED-D558-49AE-B01A-3B374CC7910E} - C:\Program Files\TENCENT\SSPlus\SSup.dll (file missing)
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)


Close all windows except for HijackThis and click "Fix checked".



Please download Deckard's System Scanner (DSS) and save it to your Desktop.
  • Close all other windows before proceeding.
  • Double-click on dss.exe and follow the prompts.
  • If your anti-virus or firewall complains, please allow this script to run as it is not malicious.
  • When it has finished, dss will open two Notepads main.txt and extra.txt -- please copy (CTRL+A and then CTRL+C) and paste (CTRL+V) the contents of main.txt and extra.txt in your next reply.


So in your next reply please post the following: the two DSS texts in full, and tell me how your PC is running now and if you had any problems.
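
Added example, not part of the post above and not code from HijackThis or DSS: the three entries selected for fixing are all browser hooks (R3, O2) that HijackThis marked "(no file)" or "(file missing)". The Python sketch below parses log lines of that shape, lists such orphaned entries, and checks a follow-up log to confirm they are gone. Limiting the scope to R3/O2 and the function names are assumptions of this example; the sample lines are copied from the log in post #1.

```python
import re
from typing import Iterable, List, NamedTuple, Optional

# Excerpt of the HijackThis log posted in #1 (lines copied from this thread).
SAMPLE_LOG = r"""
Running processes:
C:\Windows\Explorer.EXE
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R3 - URLSearchHook: (no name) - {DB8B2393-7A6C-4C76-88CE-6B1F6FF6FFE9} - (no file)
O2 - BHO: (no name) - {669751ED-D558-49AE-B01A-3B374CC7910E} - C:\Program Files\TENCENT\SSPlus\SSup.dll (file missing)
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O23 - Service: Google Update Service (gupdate) - Unknown owner - C:\Program Files\Google\Common\Update\1.0.69.0\GoogleUpdate.exe (file missing)
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
"""

# Section code ("R3", "O2", "O23", ...) followed by " - " and the entry body.
ENTRY_RE = re.compile(r"^([RFNO]\d{1,2}) - (.*)$")
CLSID_RE = re.compile(r"\{[0-9A-Fa-f]{8}(?:-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}")
# Markers HijackThis appends when the registered target is not on disk.
ORPHAN_RE = re.compile(r"\((?:no file|file missing)\)\s*$")

# Assumption of this example: only browser-hook sections are in scope,
# matching the sections of the three entries listed in post #3.
BROWSER_HOOK_SECTIONS = frozenset({"R3", "O2"})


class Entry(NamedTuple):
    section: str          # e.g. "O2"
    body: str             # everything after "O2 - "
    clsid: Optional[str]  # first {GUID} in the body, upper-cased, if any
    orphaned: bool        # body ends with "(no file)" or "(file missing)"


def parse_log(text: str) -> List[Entry]:
    """Return the registry/hook entries of a HijackThis log.

    Header lines and the running-process list do not start with a
    section code and are skipped.
    """
    entries = []
    for raw in text.splitlines():
        match = ENTRY_RE.match(raw.strip())
        if not match:
            continue
        section, body = match.groups()
        clsid = CLSID_RE.search(body)
        entries.append(Entry(
            section=section,
            body=body,
            clsid=clsid.group(0).upper() if clsid else None,
            orphaned=bool(ORPHAN_RE.search(body)),
        ))
    return entries


def orphaned_entries(entries: Iterable[Entry],
                     sections: Optional[Iterable[str]] = None) -> List[Entry]:
    """Entries whose target file is absent, optionally limited to sections."""
    wanted = set(sections) if sections is not None else None
    return [e for e in entries
            if e.orphaned and (wanted is None or e.section in wanted)]


def still_present(selected: Iterable[Entry], followup_log: str) -> List[Entry]:
    """Of the entries selected for fixing, return those a later log still shows."""
    later = {(e.section, e.body) for e in parse_log(followup_log)}
    return [e for e in selected if (e.section, e.body) in later]


if __name__ == "__main__":
    parsed = parse_log(SAMPLE_LOG)
    for entry in orphaned_entries(parsed, BROWSER_HOOK_SECTIONS):
        print(entry.section, entry.clsid, "->", entry.body)
```

Without the section filter, `orphaned_entries` also returns the O23 Google Update Service line, which carries the same "(file missing)" marker but is not among the entries listed in the post.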

#4 jolleyjoe

Posted 02 August 2007 - 10:01 PM

Thank you, Rorschach.

main.txt:

Deckard's System Scanner v20070729.57
Run by Chan on 2007-08-02 at 20:49:57
Computer is in Normal Mode.
--------------------------------------------------------------------------------

-- Last 3 Restore Point(s) --
3: 2007-08-02 10:51:53 UTC - RP217 - Scheduled Checkpoint
2: 2007-08-01 01:26:53 UTC - RP216 - Installed Microsoft Visual C++ 2005 Redistributable
1: 2007-07-28 04:43:38 UTC - RP215 - Scheduled Checkpoint


Backed up registry hives.

Performed disk cleanup.


-- HijackThis (run as Chan.exe) ------------------------------------------------

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 8:47:32 PM, on 8/2/2007
Platform: Windows Vista (WinNT 6.00.1904)
MSIE: Internet Explorer v7.00 (7.00.6000.16473)
Boot mode: Normal

Running processes:
C:\Windows\system32\taskeng.exe
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Windows\RtHDVCpl.exe
C:\Windows\System32\wpcumi.exe
C:\Program Files\UltraMon\UltraMon.exe
C:\Program Files\Microsoft IntelliPoint\ipoint.exe
C:\Program Files\Alwil Software\Avast4\ashDisp.exe
C:\Program Files\SlickRun\sr.exe
C:\Program Files\Strokeit\strokeit.exe
C:\Program Files\AutoHotkey\AutoHotkey.exe
C:\Program Files\Windows Media Player\wmpnscfg.exe
C:\Windows\system32\wbem\unsecapp.exe
C:\Program Files\RMClock\RMClock.exe
C:\Program Files\UltraMon\UltraMonTaskbar.exe
C:\Program Files\Pidgin\pidgin.exe
C:\Program Files\Winamp\winamp.exe
C:\Program Files\Last.fm\LastFM.exe
C:\Program Files\Mozilla Thunderbird\thunderbird.exe
C:\Program Files\Skype\Phone\Skype.exe
C:\Program Files\Skype\Plugin Manager\skypePM.exe
C:\Program Files\Hamachi\hamachi.exe
C:\Windows\system32\conime.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Users\Chan\Programs\HiJackThis\HiJackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
R3 - URLSearchHook: (no name) - {DB8B2393-7A6C-4C76-88CE-6B1F6FF6FFE9} - (no file)
O1 - Hosts: ::1 localhost
O2 - BHO: (no name) - {669751ED-D558-49AE-B01A-3B374CC7910E} - C:\Program Files\TENCENT\SSPlus\SSup.dll (file missing)
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O4 - HKLM\..\Run: [Windows Defender] %ProgramFiles%\Windows Defender\MSASCui.exe -hide
O4 - HKLM\..\Run: [RtHDVCpl] RtHDVCpl.exe
O4 - HKLM\..\Run: [WPCUMI] C:\Windows\system32\WpcUmi.exe
O4 - HKLM\..\Run: [UltraMon] "C:\Program Files\UltraMon\UltraMon.exe" /auto
O4 - HKLM\..\Run: [IntelliPoint] "C:\Program Files\Microsoft IntelliPoint\ipoint.exe"
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKCU\..\Run: [SlickRun] "C:\Program Files\SlickRun\sr.exe"
O4 - HKCU\..\Run: [StrokeIt] C:\Program Files\Strokeit\strokeit.exe
O4 - HKCU\..\Run: [DAEMON Tools] "C:\Program Files\DAEMON Tools\daemon.exe" -lang 1033 -noicon
O4 - HKUS\S-1-5-19\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\Run: [WindowsWelcomeCenter] rundll32.exe oobefldr.dll,ShowWelcomeCenter (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'NETWORK SERVICE')
O4 - Startup: RMClock.lnk = ?
O4 - Startup: wikipedia_autocorrect_with_helper.ahk
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
O10 - Unknown file in Winsock LSP: c:\windows\system32\wpclsp.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\wpclsp.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\wpclsp.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\wpclsp.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\wpclsp.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\wpclsp.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\wpclsp.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\wpclsp.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\wpclsp.dll
O13 - Gopher Prefix:
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O20 - AppInit_DLLs: C:\PROGRA~1\Google\GOOGLE~1\GOEC62~1.DLL
O22 - SharedTaskScheduler: Windows DreamScene - {E31004D1-A431-41B8-826F-E902F9D95C81} - C:\Windows\System32\DreamScene.dll
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: ASLDR Service (ASLDRService) - Unknown owner - C:\Program Files\ATK Hotkey\ASLDRSrv.exe
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: GoogleDesktopManager - Google - C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
O23 - Service: Google Update Service (gupdate) - Unknown owner - C:\Program Files\Google\Common\Update\1.0.69.0\GoogleUpdate.exe (file missing)
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - CACE Technologies - C:\Program Files\WinPcap\rpcapd.exe

--
End of file - 5907 bytes

-- HijackThis Fixed Entries (C:\Users\Chan\Programs\HIJACK~2\backups\) ---------

backup-20070802-204835-685 O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
backup-20070802-204835-906 O2 - BHO: (no name) - {669751ED-D558-49AE-B01A-3B374CC7910E} - C:\Program Files\TENCENT\SSPlus\SSup.dll (file missing)
backup-20070802-204835-989 R3 - URLSearchHook: (no name) - {DB8B2393-7A6C-4C76-88CE-6B1F6FF6FFE9} - (no file)

-- File Associations -----------------------------------------------------------

.ini - Notepad++_file - DefaultIcon - "%1"
.ini - Notepad++_file - shell\open\command - "C:\Users\Chan\Programs\Notepad++\notepad++.exe" "%1"
.js - Notepad++_file - DefaultIcon - "%1"
.js - Notepad++_file - shell\open\command - "C:\Users\Chan\Programs\Notepad++\notepad++.exe" "%1"
.txt - Notepad++_file - DefaultIcon - "%1"
.txt - Notepad++_file - shell\open\command - "C:\Users\Chan\Programs\Notepad++\notepad++.exe" "%1"


-- Drivers: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled ---------------------

R3 RTCore32 - \??\c:\program files\rmclock\rtcore32.sys

S3 NPF (NetGroup Packet Filter Driver) - c:\windows\system32\drivers\npf.sys <Not Verified; CACE Technologies; WinPcap Netgroup Packet Filter Driver>


-- Services: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled --------------------

R2 ASLDRService (ASLDR Service) - c:\program files\atk hotkey\asldrsrv.exe <Not Verified; ; ADSMSrv>

S2 gupdate (Google Update Service) - "c:\program files\google\common\update\1.0.69.0\googleupdate.exe" /svc (file missing)
S3 rpcapd (Remote Packet Capture Protocol v.0 (experimental)) - "c:\program files\winpcap\rpcapd.exe" -d -f "c:\program files\winpcap\rpcapd.ini" <Not Verified; CACE Technologies; Remote Packet Capture Daemon>


-- Scheduled Tasks -------------------------------------------------------------

2007-08-02 19:41:14 416 --ah----- C:\Windows\Tasks\User_Feed_Synchronization-{F5D27371-EF18-482A-8DA4-E42C719D4EBB}.job


-- Files created between 2007-07-02 and 2007-08-02 -----------------------------

2007-07-30 18:09:31 0 d-------- C:\Program Files\Aspell
2007-07-25 02:00:16 0 d-------- C:\Program Files\PDFTK Builder
2007-07-24 07:23:59 2560 --a------ C:\Windows\_MSRSTRT.EXE
2007-07-24 06:58:34 0 d-------- C:\Program Files\Stardock
2007-07-23 23:40:16 53248 --a------ C:\Windows\system32\ImageOle.dll <Not Verified; TODO: <Company name>; TODO: <Product name>>
2007-07-23 23:40:11 0 d-------- C:\Program Files\Ocean Technology
2007-07-22 18:35:46 0 d-------- C:\Windows\Downloaded Installations
2007-07-22 15:31:55 0 d-------- C:\Users\All Users\VMware
2007-07-22 07:47:12 0 d-------- C:\Program Files\JGoodies
2007-07-21 22:22:12 0 d-------- C:\Program Files\Common Files\Adobe Systems Shared
2007-07-21 20:15:38 0 d-------- C:\Users\All Users\Adobe
2007-07-21 16:22:54 0 d-------- C:\Program Files\Common Files\Adobe
2007-07-21 04:02:47 0 d-------- C:\Program Files\MagicISO
2007-07-20 07:11:01 0 d-------- C:\Program Files\MSXML 4.0
2007-07-20 06:43:46 0 d-------- C:\Program Files\QuickTime
2007-07-20 01:14:24 0 d-------- C:\Program Files\Skype
2007-07-20 01:14:23 0 d-------- C:\Program Files\Common Files\Skype
2007-07-19 20:37:49 201728 --a------ C:\Windows\system32\PolarClock3.scr <Not Verified; ScreenTime Media; ScreenTime For Flash>
2007-07-19 20:37:49 0 d-------- C:\Windows\system32\PolarClock3 dir
2007-07-19 19:43:00 262144 --a------ C:\Windows\system32\wrap_oal.dll <Not Verified; Creative Labs; Creative Labs OpenAL32>
2007-07-19 19:42:59 86016 --a------ C:\Windows\system32\OpenAL32.dll <Not Verified; Portions © Creative Labs Inc. and NVIDIA Corp.; Standard OpenAL™ Library>
2007-07-18 23:52:30 0 d-------- C:\Program Files\Cool Timer
2007-07-18 11:57:14 967 --a------ C:\Windows\ScUnin.pif
2007-07-18 11:57:14 34706 --a------ C:\Windows\scunin.dat
2007-07-18 11:57:13 70656 --a------ C:\Windows\ScUnin.exe <Not Verified; Blizzard Entertainment; Starcraft Uninstaller>
2007-07-18 11:56:11 0 d-------- C:\Program Files\Starcraft
2007-07-18 04:39:30 0 d-------- C:\Program Files\Switch Off
2007-07-17 18:29:29 0 d-------- C:\Program Files\uTorrent
2007-07-17 00:30:46 0 dr------- C:\Users\Visitor\Searches
2007-07-17 00:30:46 0 dr------- C:\Users\Visitor\Contacts
2007-07-17 00:30:18 0 d--hs---- C:\Users\Visitor\Templates
2007-07-17 00:30:18 0 d--hs---- C:\Users\Visitor\Start Menu
2007-07-17 00:30:18 0 d--hs---- C:\Users\Visitor\SendTo
2007-07-17 00:30:18 0 d--hs---- C:\Users\Visitor\Recent
2007-07-17 00:30:18 0 d--hs---- C:\Users\Visitor\PrintHood
2007-07-17 00:30:18 0 d--hs---- C:\Users\Visitor\NetHood
2007-07-17 00:30:18 0 d--hs---- C:\Users\Visitor\My Documents
2007-07-17 00:30:18 0 d--hs---- C:\Users\Visitor\Local Settings
2007-07-17 00:30:18 0 d--hs---- C:\Users\Visitor\Cookies
2007-07-17 00:30:18 0 d--hs---- C:\Users\Visitor\Application Data
2007-07-17 00:30:16 0 dr------- C:\Users\Visitor\Videos
2007-07-17 00:30:16 0 dr------- C:\Users\Visitor\Saved Games
2007-07-17 00:30:16 0 dr------- C:\Users\Visitor\Pictures
2007-07-17 00:30:16 786432 --ahs---- C:\Users\Visitor\ntuser.dat
2007-07-17 00:30:16 0 dr------- C:\Users\Visitor\Music
2007-07-17 00:30:16 0 dr------- C:\Users\Visitor\Links
2007-07-17 00:30:16 0 dr------- C:\Users\Visitor\Favorites
2007-07-17 00:30:16 0 dr------- C:\Users\Visitor\Downloads
2007-07-17 00:30:16 0 dr------- C:\Users\Visitor\Documents
2007-07-17 00:30:16 0 dr------- C:\Users\Visitor\Desktop
2007-07-17 00:30:16 0 d--h----- C:\Users\Visitor\AppData
2007-07-16 21:31:40 0 d-------- C:\Users\All Users\Spybot - Search & Destroy
2007-07-16 19:23:27 0 d-------- C:\Windows\system32\qqedit
2007-07-14 06:50:46 74 --a------ C:\Windows\system32\(null)id
2007-07-12 18:52:17 0 d-------- C:\Windows\system32\ElectricSheep
2007-07-11 21:26:43 0 d-------- C:\Program Files\Last.fm
2007-07-11 20:10:37 0 d-------- C:\Program Files\iPod
2007-07-11 20:10:14 0 d-------- C:\Program Files\iTunes
2007-07-11 01:47:53 0 d-------- C:\Program Files\Warkeys
2007-07-10 16:33:37 0 d-------- C:\Program Files\Media Player Classic
2007-07-10 16:33:35 0 d-------- C:\Users\All Users\Real
2007-07-10 16:33:35 0 d-------- C:\Program Files\Real Alternative
2007-07-09 21:40:18 48456 --a------ C:\Windows\system32\UninstallElectricSheep.exe
2007-07-06 07:12:18 122880 --a------ C:\Windows\system32\DreamScene.dll <Not Verified; Microsoft Corporation; Microsoft® Windows® Operating System>
2007-07-05 10:28:16 0 d-------- C:\Program Files\Common Files\NSV


-- Find3M Report ---------------------------------------------------------------

2007-08-02 20:58:23 0 d-------- C:\Users\Chan\AppData\Roaming\.purple
2007-08-02 20:54:49 0 d-------- C:\Users\Chan\AppData\Roaming\Skype
2007-08-02 20:49:23 0 d-------- C:\Users\Chan\AppData\Roaming\Hamachi
2007-08-02 14:19:29 0 d-------- C:\Users\Chan\AppData\Roaming\gtk-2.0
2007-08-01 20:46:40 0 d-------- C:\Program Files\Mozilla Thunderbird
2007-08-01 20:25:48 42174 --a------ C:\Users\Chan\AppData\Roaming\nvModes.001
2007-08-01 12:08:16 0 d-------- C:\Program Files\Diablo II
2007-07-31 20:56:21 0 d-------- C:\Program Files\Pidgin
2007-07-30 14:47:51 0 d-------- C:\Program Files\Chameleon Clock
2007-07-25 02:45:32 0 d-------- C:\Users\Chan\AppData\Roaming\foobar2000
2007-07-25 02:33:03 0 d-------- C:\Users\Chan\AppData\Roaming\uTorrent
2007-07-23 23:40:07 0 d--h----- C:\Program Files\InstallShield Installation Information
2007-07-23 01:13:22 0 d-------- C:\Program Files\Common Files
2007-07-23 01:06:32 0 d-------- C:\Users\Chan\AppData\Roaming\VMware
2007-07-22 15:33:55 0 d-------- C:\Users\Chan\AppData\Roaming\JDiskReport
2007-07-21 21:22:18 0 d-------- C:\Users\Chan\AppData\Roaming\SlickRun
2007-07-21 19:49:40 0 d-------- C:\Program Files\SlickRun
2007-07-21 17:49:12 0 d-------- C:\Users\Chan\AppData\Roaming\PCF-VLC
2007-07-21 16:41:16 0 d-------- C:\Users\Chan\AppData\Roaming\Adobe
2007-07-19 20:36:16 0 d-------- C:\Program Files\Google
2007-07-19 20:30:19 0 d-------- C:\Program Files\NCSoft
2007-07-19 18:56:24 42174 --a------ C:\Users\Chan\AppData\Roaming\nvModes.dat
2007-07-19 08:14:24 0 d-------- C:\Users\Chan\AppData\Roaming\Participatory Culture Foundation
2007-07-19 01:44:32 0 d-------- C:\Program Files\Steam
2007-07-19 00:52:21 0 d-------- C:\Program Files\MSN Messenger
2007-07-18 23:18:54 0 d-------- C:\Program Files\Picasa2
2007-07-18 22:51:09 0 d-------- C:\Program Files\Audacity
2007-07-17 18:28:55 0 d-------- C:\Users\Chan\AppData\Roaming\Azureus
2007-07-16 21:24:58 0 d-------- C:\Users\Chan\AppData\Roaming\QQ
2007-07-16 19:26:56 0 d-------- C:\Users\Chan\AppData\Roaming\QQUpdate
2007-07-16 19:24:02 0 d-------- C:\Users\Chan\AppData\Roaming\tencent
2007-07-16 19:14:23 0 d-------- C:\Program Files\Warcraft III
2007-07-14 16:17:50 0 d-------- C:\Program Files\Safari
2007-07-11 20:16:01 0 d-------- C:\Users\Chan\AppData\Roaming\Apple Computer
2007-07-11 17:38:12 0 d-------- C:\Program Files\Windows Mail
2007-07-10 18:39:44 0 d-------- C:\Users\Chan\AppData\Roaming\Mozilla
2007-07-10 16:34:17 0 d-------- C:\Users\Chan\AppData\Roaming\Real
2007-07-10 16:34:16 0 d-------- C:\Users\Chan\AppData\Roaming\Media Player Classic
2007-07-09 22:11:57 0 d-------- C:\Program Files\7-Zip
2007-07-08 02:07:21 0 d-------- C:\Program Files\Messenger Plus! Live
2007-06-29 05:21:07 0 d-------- C:\Program Files\Microsoft IntelliPoint
2007-06-28 17:32:12 32239 --a------ C:\Windows\DIIUnin.dat
2007-06-25 04:40:00 43520 --a------ C:\Windows\system32\CmdLineExt03.dll
2007-06-24 03:45:57 2829 --a------ C:\Windows\DIIUnin.pif
2007-06-24 03:45:57 94208 --a------ C:\Windows\DIIUnin.exe <Not Verified; Blizzard Entertainment; Diablo II Uninstaller>
2007-06-23 20:16:54 0 d-------- C:\Users\Chan\AppData\Roaming\SecondLife
2007-06-23 15:31:09 0 d-------- C:\Users\Chan\AppData\Roaming\GetRightToGo
2007-06-22 20:16:36 0 d-------- C:\Program Files\Realtek
2007-06-22 05:42:35 0 d-------- C:\Program Files\Dofus
2007-06-15 04:59:03 0 d-------- C:\Program Files\Joost
2007-06-13 19:27:38 0 d-------- C:\Program Files\TUGZip
2007-06-13 18:23:37 0 d-------- C:\Users\Chan\AppData\Roaming\Winamp
2007-06-13 18:11:50 0 d-------- C:\Program Files\Winamp
2007-06-13 17:42:05 0 d-------- C:\Program Files\foobar2000
2007-06-11 16:53:52 134944 --ah----- C:\Windows\system32\mlfcache.dat
2007-06-09 03:45:41 0 d-------- C:\Users\Chan\AppData\Roaming\Opera
2007-06-09 03:45:20 0 d-------- C:\Program Files\Opera
2007-06-08 04:45:30 240640 --a------ C:\Windows\system32\uxtheme.dll <Not Verified; Microsoft Corporation; Microsoft® Windows® Operating System>
2007-06-08 04:45:30 615424 --a------ C:\Windows\system32\themeui.dll <Not Verified; Microsoft Corporation; Microsoft® Windows® Operating System>
2007-06-08 04:36:57 0 d-------- C:\Program Files\CodeGazer
2007-06-08 03:56:18 0 d-------- C:\Users\Chan\AppData\Roaming\Bao_Nguyen
2007-06-07 15:33:38 226672 --a------ C:\Windows\system32\DimSaver.scr
2007-06-06 18:04:08 2598148 --a------ C:\Windows\Zoomquilt Screensaver.scr <Not Verified; Goldshell Digital Media; FlashForge>
2007-06-06 14:13:31 0 d-------- C:\Program Files\Vim
2007-06-06 13:48:36 0 d-------- C:\Users\Chan\AppData\Roaming\JGsoft
2007-06-04 11:31:14 0 d-------- C:\Program Files\Java
2007-05-13 02:38:58 0 -ra------ C:\logwmemory.bin
2007-05-10 00:41:34 3471 --a------ C:\Windows\mozver.dat
2007-05-03 17:44:02 335 --a------ C:\Windows\mozregistry.dat


-- Registry Dump ---------------------------------------------------------------

*Note* empty entries & legit default entries are not shown


[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Windows Defender"="C:\Program Files\Windows Defender\MSASCui.exe" [04/11/2007 02:16 PM]
"RtHDVCpl"="RtHDVCpl.exe" [12/01/2006 01:37 PM C:\Windows\RtHDVCpl.exe]
"WPCUMI"="C:\Windows\system32\WpcUmi.exe" [11/02/2006 06:35 AM]
"UltraMon"="C:\Program Files\UltraMon\UltraMon.exe" [04/01/2007 06:47 AM]
"IntelliPoint"="C:\Program Files\Microsoft IntelliPoint\ipoint.exe" [02/05/2007 03:52 PM]
"avast!"="C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe" [07/27/2007 04:03 PM]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SlickRun"="C:\Program Files\SlickRun\sr.exe" [03/21/2007 01:43 AM]
"StrokeIt"="C:\Program Files\Strokeit\strokeit.exe" [02/17/2005 01:13 PM]
"Steam"="" []
"DAEMON Tools"="C:\Program Files\DAEMON Tools\daemon.exe" [04/03/2007 04:29 PM]

C:\Users\Chan\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\
RMClock.lnk - C:\Program Files\RMClock\RMClockLauncher.exe [5/21/2007 9:46:42 PM]
wikipedia_autocorrect_with_helper.ahk [7/1/2007 12:04:45 AM]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"ConsentPromptBehaviorAdmin"=2 (0x2)
"EnableLUA"=0 (0x0)

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]
"LogonHoursAction"=2 (0x2)
"DontDisplayLogonHoursWarnings"=1 (0x1)

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"appinit_dlls"=C:\PROGRA~1\Google\GOOGLE~1\GOEC62~1.DLL

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\AppInfo]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\KeyIso]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\NTDS]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\ProfSvc]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\sacsvr]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\SWPRV]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\TabletInputService]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\TBS]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\TrustedInstaller]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\VDS]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\volmgr.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\volmgrx.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{533C5B84-EC70-11D2-9505-00C04F79DEAF}]
@="Volume shadow copy"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{6BDD1FC1-810F-11D0-BEC7-08002BE2092F}]
@="IEEE 1394 Bus host controllers"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{D48179BE-EC20-11D1-B6B8-00C04FA372A7}]
@="SBP2 IEEE 1394 Devices"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{D94EE5D8-D189-4994-83D2-F68D7D41B0E6}]
@="SecurityDevices"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^ProgramData^Microsoft^Windows^Start Menu^Programs^Startup^Last.fm Helper.lnk]
path=C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\Last.fm Helper.lnk
backup=C:\Windows\pss\Last.fm Helper.lnk.CommonStartup
backupExtension=.CommonStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ehTray.exe]
C:\Windows\ehome\ehTray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Google Desktop Search]
"C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe" /startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
"C:\Program Files\iTunes\iTunesHelper.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvCplDaemon]
RUNDLL32.EXE C:\Windows\system32\NvCpl.dll,NvStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvMediaCenter]
RUNDLL32.EXE C:\Windows\system32\NvMcTray.dll,NvTaskbarInit

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvSvc]
RUNDLL32.EXE C:\Windows\system32\nvsvc.dll,nvsvcStart

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\nwiz]
nwiz.exe /install

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Picasa Media Detector]
C:\Program Files\Picasa2\PicasaMediaDetector.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
"C:\Program Files\QuickTime\QTTask.exe" -atboottime

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\stup.exe]
C:\PROGRA~1\TENCENT\SSPlus\Stup.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
"C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
LocalSystemNetworkRestricted hidserv UxSms WdiSystemHost Netman trkwks AudioEndpointBuilder WUDFSvc irmon sysmain IPBusEnum dot3svc PcaSvc EMDMgmt TabletInputService wlansvc WPDBusEnum


[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{d3ab186c-e39e-11db-821e-806e6f6e6963}]
AutoRun\command- D:\autoplay.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{eaa1fd7d-0131-11dc-a073-0011d8e2f86a}]
AutoRun\command- F:\SETUP.EXE


[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\>{22d6f312-b0f6-11d0-94ab-0080c74c7e95}]
C:\Windows\system32\unregmp2.exe /ShowWMP

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{6BF52A52-394A-11d3-B153-00C04F79FAA6}]
%SystemRoot%\system32\unregmp2.exe /FirstLogon /Shortcuts /RegBrowsers /ResetMUI



-- End of Deckard's System Scanner: finished at 2007-08-02 at 20:59:02 ---------









extra.txt:

Deckard's System Scanner v20070729.57
Extra logfile - please post this as an attachment with your post.
--------------------------------------------------------------------------------

-- System Information ----------------------------------------------------------

Microsoft® Windows Vista™ Home Premium (build 6000)
Architecture: X86; Language: English

CPU 0: Intel® Pentium® M processor 1.60GHz
Percentage of Memory in Use: 81%
Physical Memory (total/avail): 1022.75 MiB / 189.39 MiB
Pagefile Memory (total/avail): 2295.09 MiB / 927.8 MiB
Virtual Memory (total/avail): 2047.88 MiB / 1942.04 MiB

C: is Fixed (NTFS) - 55.89 GiB total, 11.91 GiB free.
D: is CDROM (CDFS)
E: is Removable (Unformatted)
F: is CDROM (CDFS)
G: is Removable (FAT32)


-- Security Center -------------------------------------------------------------

AUOptions is scheduled to auto-install.
Windows Internal Firewall is disabled.

AV: avast! antivirus 4.7.1029 [VPS 000762-5] v4.7.1029 (ALWIL Software) Disabled
AS: Windows Defender v1.1.1505.0 (Microsoft Corporation) Disabled

[HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List]

[HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]


-- Environment Variables -------------------------------------------------------

ALLUSERSPROFILE=C:\ProgramData
APPDATA=C:\Users\Chan\AppData\Roaming
CLASSPATH=.;C:\Program Files\Java\jre1.6.0_01\lib\ext\QTJava.zip
CommonProgramFiles=C:\Program Files\Common Files
COMPUTERNAME=CHANORAMA
ComSpec=C:\Windows\system32\cmd.exe
FP_NO_HOST_CHECK=NO
HOMEDRIVE=C:
HOMEPATH=\Users\Chan
LOCALAPPDATA=C:\Users\Chan\AppData\Local
LOGONSERVER=\\CHANORAMA
NUMBER_OF_PROCESSORS=1
OS=Windows_NT
Path=C:\Windows\system32;C:\Windows;C:\Windows\System32\Wbem;C:\Program Files\QuickTime\QTSystem\;C:\Program Files\Common Files\Adobe\AGL;C:\Program Files\SSH Communications Security\SSH Secure Shell
PATHEXT=.COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC
PROCESSOR_ARCHITECTURE=x86
PROCESSOR_IDENTIFIER=x86 Family 6 Model 13 Stepping 8, GenuineIntel
PROCESSOR_LEVEL=6
PROCESSOR_REVISION=0d08
ProgramData=C:\ProgramData
ProgramFiles=C:\Program Files
PROMPT=$P$G
PUBLIC=C:\Users\Public
QTJAVA=C:\Program Files\Java\jre1.6.0_01\lib\ext\QTJava.zip
SESSIONNAME=Console
SystemDrive=C:
SystemRoot=C:\Windows
TEMP=C:\Users\Chan\AppData\Local\Temp
TMP=C:\Users\Chan\AppData\Local\Temp
ULTRAMON_LANGDIR=C:\Program Files\UltraMon\Resources\en
USERDOMAIN=CHANORAMA
USERNAME=Chan
USERPROFILE=C:\Users\Chan
windir=C:\Windows


-- User Profiles ---------------------------------------------------------------

Chan (admin)
Eve (new local, net ready)
Visitor


-- Add/Remove Programs ---------------------------------------------------------

µTorrent --> "C:\Program Files\uTorrent\uTorrent.exe" /UNINSTALL
7-Zip 4.42 --> "C:\Program Files\7-Zip\Uninstall.exe"
Adobe Bridge 1.0 --> MsiExec.exe /I{AE3D38A6-13B1-40B3-9423-D1FA9982FB6A}
Adobe Common File Installer --> MsiExec.exe /I{8EDBA74D-0686-4C99-BFDD-F894678E5102}
Adobe Flash Player ActiveX --> C:\Windows\system32\Macromed\Flash\uninstall_activeX.exe
Adobe Help Center 2.0 --> MsiExec.exe /I{8FFC924C-ED06-44CB-8867-3CA778ECE903}
Adobe Premiere Pro 2.0 --> msiexec /I {FA17A726-B229-4116-B793-A2AB1A4EAE2E}
Adobe Shockwave Player --> C:\Windows\System32\Macromed\SHOCKW~1\UNWISE.EXE C:\Windows\System32\Macromed\SHOCKW~1\Install.log
Adobe Stock Photos 1.0 --> MsiExec.exe /I{786C5747-1437-443D-B06E-79A00FE45110}
Aspell English Dictionary-0.50-2 --> "C:\Program Files\Aspell\unins001.exe"
ATK Hotkey --> C:\Program Files\InstallShield Installation Information\{3912D529-02BC-4CA8-B5ED-0D0C20EB6003}\setup.exe -runfromtemp -l0x0009 -removeonly
Audacity 1.2.6 --> "C:\Program Files\Audacity\unins000.exe"
AutoHotkey 1.0.46.10 --> C:\Program Files\AutoHotkey\uninst.exe
avast! Antivirus --> rundll32 C:\PROGRA~1\ALWILS~1\Avast4\Setup\setiface.dll,RunSetup
Azureus --> C:\Program Files\Azureus\Uninstall.exe
Bayden SlickRun (remove only) --> "C:\Program Files\SlickRun\uninst.exe"
Chameleon Clock 3.7 --> "C:\Program Files\Chameleon Clock\unins000.exe"
Cool Timer 2.2 --> "C:\Program Files\Cool Timer\unins000.exe"
Counter-Strike: Source --> "C:\Program Files\Steam\steam.exe" steam://uninstall/240
CutePDF Writer 2.7 --> C:\Program Files\Acro Software\CutePDF Writer\uninscpw.exe /uninstall
Diablo II --> C:\Windows\DIIUnin.exe C:\Windows\DIIUnin.dat
DivX Web Player --> C:\Program Files\DivX\DivXWebPlayerUninstall.exe /PLUGIN
ElectricSheep 2.6.7b3 --> C:\Windows\system32\ElectricSheep\UninstallElectricSheep.exe
foobar2000 v0.9.4.3 --> "C:\Program Files\foobar2000\uninstall.exe"
Foxit Reader --> C:\Program Files\Foxit Software\Foxit Reader\Uninstall.exe
GG E-Sports Platform --> C:\Program Files\InstallShield Installation Information\{89C89156-A70F-4C6D-9CAE-2EA71F1396FE}\setup.exe -runfromtemp -l0x0009 -removeonly
GMail Drive Shell Extension --> rundll32.exe C:\Windows\system32\ShellExt\GMailFS.dll,Uninstall C:\Windows\system32\ShellExt\GMailFS.inf
GNU Aspell 0.50-3 --> "C:\Program Files\Aspell\unins000.exe"
Google Desktop --> C:\Program Files\Google\Google Desktop Search\GoogleDesktopSetup.exe -uninstall
GTK+ Runtime 2.10.13 rev a (remove only) --> C:\Program Files\Common Files\GTK\2.0\uninst.exe
Guifications Plugin (remove only) --> C:\Program Files\Pidgin\pidgin-guifications-uninst.exe
Half-Life 2 --> "C:\Program Files\Steam\steam.exe" steam://uninstall/220
Hamachi 1.0.2.2 --> C:\Program Files\Hamachi\uninstall.exe
HDAUDIO Soft Data Fax Modem with SmartCP --> C:\Program Files\CONEXANT\CNXT_MODEM_HDAUDIO_VEN_14F1&DEV_2BFA&SUBSYS_10431966\HXFSETUP.EXE -U -IA5AZL5K.inf
HijackThis 2.0.2 --> "C:\Users\Chan\Programs\HiJackThis\HijackThis.exe" /uninstall
IrfanView (remove only) --> C:\Program Files\IrfanView\iv_uninstall.exe
iTunes --> MsiExec.exe /I{9357AE3A-B2ED-4138-BB9B-0564352C3F0A}
Java™ SE Runtime Environment 6 --> MsiExec.exe /I{3248F0A8-6813-11D6-A77B-00B0D0160000}
Java™ SE Runtime Environment 6 Update 1 --> MsiExec.exe /I{3248F0A8-6813-11D6-A77B-00B0D0160010}
JGoodies JDiskReport 1.3.0 --> "C:\Program Files\JGoodies\JDiskReport 1.3.0\uninstall.exe"
Joost ™ 0.10.1 --> C:\Program Files\Joost\uninst.exe
Last.fm 1.3.1.1 --> "C:\Program Files\Last.fm\unins000.exe"
Magic ISO Maker v5.4 (build 0239) --> C:\PROGRA~1\MagicISO\UNWISE.EXE C:\PROGRA~1\MagicISO\INSTALL.LOG
Messenger Plus! Live --> "C:\Program Files\Messenger Plus! Live\Uninstall.exe"
Microsoft Office Access MUI (English) 2007 --> MsiExec.exe /X{90120000-0015-0409-0000-0000000FF1CE}
Microsoft Office Access Setup Metadata MUI (English) 2007 --> MsiExec.exe /X{90120000-0117-0409-0000-0000000FF1CE}
Microsoft Office Enterprise 2007 --> "C:\Program Files\Common Files\Microsoft Shared\OFFICE12\Office Setup Controller\setup.exe" /uninstall ENTERPRISE /dll OSETUP.DLL
Microsoft Office Enterprise 2007 --> MsiExec.exe /X{90120000-0030-0000-0000-0000000FF1CE}
Microsoft Office Excel MUI (English) 2007 --> MsiExec.exe /X{90120000-0016-0409-0000-0000000FF1CE}
Microsoft Office Groove MUI (English) 2007 --> MsiExec.exe /X{90120000-00BA-0409-0000-0000000FF1CE}
Microsoft Office Groove Setup Metadata MUI (English) 2007 --> MsiExec.exe /X{90120000-0114-0409-0000-0000000FF1CE}
Microsoft Office InfoPath MUI (English) 2007 --> MsiExec.exe /X{90120000-0044-0409-0000-0000000FF1CE}
Microsoft Office OneNote MUI (English) 2007 --> MsiExec.exe /X{90120000-00A1-0409-0000-0000000FF1CE}
Microsoft Office Outlook MUI (English) 2007 --> MsiExec.exe /X{90120000-001A-0409-0000-0000000FF1CE}
Microsoft Office PowerPoint MUI (English) 2007 --> MsiExec.exe /X{90120000-0018-0409-0000-0000000FF1CE}
Microsoft Office Proof (English) 2007 --> MsiExec.exe /X{90120000-001F-0409-0000-0000000FF1CE}
Microsoft Office Proof (French) 2007 --> MsiExec.exe /X{90120000-001F-040C-0000-0000000FF1CE}
Microsoft Office Proof (Spanish) 2007 --> MsiExec.exe /X{90120000-001F-0C0A-0000-0000000FF1CE}
Microsoft Office Proofing (English) 2007 --> MsiExec.exe /X{90120000-002C-0409-0000-0000000FF1CE}
Microsoft Office Publisher MUI (English) 2007 --> MsiExec.exe /X{90120000-0019-0409-0000-0000000FF1CE}
Microsoft Office Shared MUI (English) 2007 --> MsiExec.exe /X{90120000-006E-0409-0000-0000000FF1CE}
Microsoft Office Shared Setup Metadata MUI (English) 2007 --> MsiExec.exe /X{90120000-0115-0409-0000-0000000FF1CE}
Microsoft Office Word MUI (English) 2007 --> MsiExec.exe /X{90120000-001B-0409-0000-0000000FF1CE}
Microsoft Visual C++ 2005 Redistributable --> MsiExec.exe /X{A49F249F-0C91-497F-86DF-B2585E8E76B7}
Mozilla Firefox (2.0.0.5) --> C:\Program Files\Mozilla Firefox\uninstall\helper.exe
Mozilla Firefox (2.0.0.6) --> C:\PROGRA~1\Mozilla Firefox\uninstall\helper.exe
Mozilla Thunderbird (2.0.0.6) --> C:\Program Files\Mozilla Thunderbird\uninstall\helper.exe
MSXML 4.0 SP2 (KB927978) --> MsiExec.exe /I{37477865-A3F1-4772-AD43-AAFC6BCFF99F}
msxml4 --> MsiExec.exe /X{5AE3D9F1-9E9E-4015-8787-E22705AA32C5}
NVIDIA Drivers --> C:\Windows\system32\NVUNINST.EXE UninstallGUI
Opera 9.21 --> MsiExec.exe /X{AF599832-2305-4922-9342-6FF48894E384}
PDFTK Builder 3.2 --> "C:\Program Files\PDFTK Builder\unins000.exe"
Picasa 2 --> "C:\Program Files\Picasa2\Uninstall.exe"
Pidgin --> C:\Program Files\Pidgin\pidgin-uninst.exe
PLSinWindowsMedia --> MsiExec.exe /I{AFADAD9E-40AE-4653-B70A-2B44740DDD51}
PolarClock3 Screen Saver --> C:\Windows\system32\PolarClock3.scr /u
QuickTime --> MsiExec.exe /I{95A890AA-B3B1-44B6-9C18-A8F7AB3EE7FC}
Real Alternative 1.52 --> "C:\Program Files\Real Alternative\unins000.exe"
Realtek High Definition Audio Driver --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\11\50\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{F132AF7F-7BCA-4EDE-8A7C-958108FE7DBC}\Setup.exe" -l0x9 -removeonly
Safari --> MsiExec.exe /I{3F9EFA28-D2FE-44B7-8896-0B0FF8DF5517}
Security Update for Excel 2007 (KB936509) --> msiexec /package {90120000-0030-0000-0000-0000000FF1CE} /uninstall {A00724F5-82C4-4924-B707-0E5A84B52471}
Security Update for Office 2007 (KB934062) --> msiexec /package {90120000-0030-0000-0000-0000000FF1CE} /uninstall {305D509B-F194-4638-9F0F-D9E4C05F9D33}
Security Update for Office 2007 (KB936514) --> msiexec /package {90120000-0030-0000-0000-0000000FF1CE} /uninstall {C7A78F7F-EF32-4477-BAD7-3439EA7571BF}
Security Update for Publisher 2007 (KB936646) --> msiexec /package {90120000-0030-0000-0000-0000000FF1CE} /uninstall {A32E4BAF-6477-45FA-B8AB-E743FA8D63FF}
Skype™ 3.2 --> MsiExec.exe /X{5C82DAE5-6EB0-4374-9254-BE3319BA4E82}
Soldat 1.4.0 --> "C:\Program Files\Soldat\unins000.exe"
Spybot - Search & Destroy 1.4 --> "C:\Program Files\Spybot - Search & Destroy\unins000.exe"
SSH Secure Shell --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{74E2CD0C-D4A2-11D3-95A6-0000E86CFDE5}\Setup.exe"
Starcraft --> C:\Windows\SCunin.exe C:\Windows\SCunin.dat
Steam --> MsiExec.exe /X{048298C9-A4D3-490B-9FF9-AB023A9238F3}
StrokeIt (remove only) --> "C:\Program Files\Strokeit\uninstall.exe"
Switch Off --> "C:\Program Files\Switch Off\uninstall.exe"
Trillian --> C:\Program Files\Trillian\Trillian.exe /uninstall
TVUPlayer 2.3.2.34 --> C:\Program Files\TVUPlayer\uninst.exe
UltraMon --> MsiExec.exe /I{B71F4653-6F4A-4983-8ED9-EB19AB18E2BD}
Update for Office 2007 (KB932080) --> msiexec /package {90120000-0030-0000-0000-0000000FF1CE} /uninstall {EDC9CA29-6BC1-471C-828C-7A36109005D7}
Update for Office 2007 (KB934391) --> msiexec /package {90120000-0030-0000-0000-0000000FF1CE} /uninstall {B3091818-7C56-4C45-BE7D-CA23027A5EA5}
Update for Office 2007 (KB934393) --> msiexec /package {90120000-0030-0000-0000-0000000FF1CE} /uninstall {92FBAD46-E7F6-49FA-89B5-C39FC5BFAD15}
Update for Outlook 2007 (KB937608) --> msiexec /package {90120000-0030-0000-0000-0000000FF1CE} /uninstall {CBB2454D-193F-4523-8A31-FEB343B7C30E}
Update for Outlook 2007 Junk Email Filter (kb936558) --> msiexec /package {90120000-0030-0000-0000-0000000FF1CE} /uninstall {B6B2802B-6631-4EBE-A062-44AE0C1F0BED}
Update for Word 2007 (KB934173) --> msiexec /package {90120000-0030-0000-0000-0000000FF1CE} /uninstall {C6A89125-5473-45E3-B413-ED8186437475}
VideoLAN VLC media player 0.8.6b --> C:\Program Files\VideoLAN\VLC\uninstall.exe
Vim 7.1 (self-installing) --> C:\Program Files\Vim\vim71\uninstall-gui.exe
VistaGlazz --> MsiExec.exe /X{CCBCD550-D91D-443D-9CF0-0CD02D2FDB95}
Warcraft III --> C:\Windows\War3Unin.exe C:\Windows\War3Unin.dat
Warcraft III: All Products --> C:\Windows\War3Unin.exe C:\Windows\War3Unin.dat
WC3Banlist --> "C:\Program Files\WC3Banlist\unins000.exe"
Winamp (remove only) --> "C:\Program Files\Winamp\UninstWA.exe"
Windows Live Messenger --> MsiExec.exe /I{571700F0-DB9D-4B3A-B03D-35A14BB5939F}
Windows Media Player Firefox Plugin --> MsiExec.exe /I{69FDFBB6-351D-4B8C-89D8-867DC9D0A2A4}
Windows Sidebar Styler --> MsiExec.exe /I{CE23BAB3-0CF7-4CFE-9427-CC0835D1DF6A}
WinPcap 3.1 --> C:\Program Files\WinPcap\uninstall.exe
WinRAR archiver --> C:\Program Files\WinRAR\uninstall.exe
XLink Kai Evolution 7 --> MsiExec.exe /X{F90592EC-5E58-4EE6-A333-EC05ED57ACF4}
Zoomquilt Screensaver --> C:\Windows\Zoomquilt Screensaver.scr /U


-- End of Deckard's System Scanner: finished at 2007-08-02 at 20:59:02 ---------

#5 Rorschach

Posted 03 August 2007 - 06:58 PM

Hello jolleyjoe

Just a question before we start, did you change your file associations?


We must disable the Real-Time Protection feature of Windows Defender for it may interfere with the changes we need to make.

To disable Real-Time Protection:
  • Go to "Tools" | "General Settings"
  • Scroll down to "Real-time protection options"
  • Uncheck "Turn on real-time protection (recommended)"
  • Remember to reactivate this feature when we have finished all our work.

Please run HijackThis again, click "Do a system scan only" and check these entries:


R3 - URLSearchHook: (no name) - {DB8B2393-7A6C-4C76-88CE-6B1F6FF6FFE9} - (no file)
O2 - BHO: (no name) - {669751ED-D558-49AE-B01A-3B374CC7910E} - C:\Program Files\TENCENT\SSPlus\SSup.dll (file missing)
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)


Close all windows except for HijackThis and click "Fix checked"


Next:

Please delete these files and folders in bold

C:\Windows\system32\ImageOle.dll
C:\Users\Chan\AppData\Roaming\QQ
C:\Users\Chan\AppData\Roaming\QQUpdate
C:\Users\Chan\AppData\Roaming\tencent
C:\Program Files\TENCENT



Now we need to make a .reg file. Copy the code below into a Notepad file. Name the file as fix.reg, change the "Save as Type" to "All files" and save it on the desktop.

Windows Registry Editor Version 5.00

[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\stup.exe]

Then double-click on the fix.reg file; when it prompts to merge, click "Yes".


So in your next reply please post the following: a new DSS log, answer my question about your file associations, and tell me how your PC is running now and if you had any problems.
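An added example, not part of the original thread: a small Python script that reads msconfig `startupreg` entries in the DSS log format shown above, flags those whose command points into a given folder, and emits the matching `fix.reg` deletion lines. The function names and the sample text are assumptions made for illustration, and the 8.3 short-name comparison (`PROGRA~1` against `Program Files`) is a prefix heuristic, not a lookup of the real alias.

```python
import re

# Constructed sample in the format of the DSS log above (not the full log).
SAMPLE_LOG = r"""
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
"C:\Program Files\QuickTime\QTTask.exe" -atboottime

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\stup.exe]
C:\PROGRA~1\TENCENT\SSPlus\Stup.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\nwiz]
nwiz.exe /install
"""

# A key header line followed by the command line the scanner printed for it.
ENTRY_RE = re.compile(
    r"^\[(HKEY_LOCAL_MACHINE\\software\\microsoft\\shared tools\\msconfig"
    r"\\startupreg\\[^\]\n]+)\]\n([^\[\n][^\n]*)",
    re.IGNORECASE | re.MULTILINE,
)
PATH_RE = re.compile(r'[A-Za-z]:\\[^",]*')   # first drive-letter path in a command
SHORT_RE = re.compile(r"^([^~]{1,6})~\d+$")  # 8.3 alias such as PROGRA~1


def same_component(seen, wanted):
    """Compare one path component, accepting an 8.3 alias of the long name."""
    seen, wanted = seen.upper(), wanted.upper()
    if seen == wanted:
        return True
    m = SHORT_RE.match(seen)
    # Heuristic: the alias keeps the leading characters of the long name
    # with spaces dropped ("Program Files" -> "PROGRA~1").
    return bool(m) and wanted.replace(" ", "").startswith(m.group(1))


def under_directory(path, directory):
    """True when path lies below directory, tolerating short-name components."""
    have = path.split("\\")
    want = directory.rstrip("\\").split("\\")
    return len(have) > len(want) and all(
        same_component(h, w) for h, w in zip(have, want))


def flag_entries(log, directory):
    """Return startupreg keys whose command points into directory."""
    flagged = []
    for key, command in ENTRY_RE.findall(log):
        m = PATH_RE.search(command)  # entries with no absolute path are skipped
        if m and under_directory(m.group(0), directory):
            flagged.append(key)
    return flagged


def build_fix_reg(keys):
    """Build .reg text in which each [-key] line deletes that key on merge."""
    lines = ["Windows Registry Editor Version 5.00", ""]
    lines += ["[-%s]" % key for key in keys]
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    print(build_fix_reg(flag_entries(SAMPLE_LOG, r"C:\Program Files\TENCENT")))
```

A plain text search of the log for `C:\Program Files\TENCENT` would miss the `stup.exe` entry, because the log records it with the short name `PROGRA~1`.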



