
Infected !


6 replies to this topic

#1 loverZ


Posted 25 July 2007 - 01:35 PM

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 12:00:51 AM, on 7/26/2007
Platform: Windows 2003 SP2 (WinNT 5.02.3790)
MSIE: Internet Explorer v7.00 (7.00.6000.16473)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\SYSTEM32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\inetsrv\inetinfo.exe
C:\Program Files\Trend Micro\OfficeScan Client\ntrtscan.exe
C:\Program Files\CyberLink\Shared files\RichVideo.exe
C:\Program Files\Trend Micro\OfficeScan Client\tmlisten.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Trend Micro\OfficeScan Client\OfcPfwSvc.exe
C:\Program Files\Video ActiveX Access\iesmn.exe
C:\Program Files\Video ActiveX Access\imsmain.exe
C:\Program Files\Trend Micro\OfficeScan Client\pccntmon.exe
C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe
C:\Program Files\FlashGet\flashget.exe
C:\Program Files\Video ActiveX Access\imsmn.exe
C:\Program Files\FarStone\VirtualDrive\VHD\RDTask.exe
C:\Program Files\FarStone\VirtualDrive\VDTask.exe
C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
C:\Program Files\Video ActiveX Access\iesmin.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\vsjitdebugger.exe
C:\WINDOWS\system32\vsjitdebugger.exe
C:\WINDOWS\TEMP\EBDF13.EXE
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Trend Micro\OfficeScan Client\pccntupd.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\WINDOWS\system32\msiexec.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\Ad-Aware2007.exe
C:\PROGRA~1\Yahoo!\MESSEN~1\YAHOOM~1.EXE
C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\xpinstall.exe
C:\WINDOWS\system32\msiexec.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = res://shdoclc.dll/hardAdmin.htm
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.gmail.com
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
O2 - BHO: flashget urlcatch - {2F364306-AA45-47B5-9F9D-39A8B94E7EF7} - C:\Program Files\FlashGet\jccatch.dll
O2 - BHO: Groove GFS Browser Helper - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\PROGRA~1\MICROS~1\Office12\GRA8E1~1.DLL
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: CVirtualDNSObj Object - {86C510E9-97EF-4749-914F-0280247BE3A6} - C:\WINDOWS\VirtualDNS.dll (file missing)
O2 - BHO: (no name) - {D61D7E1A-6613-49CA-B6F9-51DB248E209D} - C:\Program Files\Video ActiveX Access\iesplg.dll
O2 - BHO: FlashFXP Helper for Internet Explorer - {E5A1691B-D188-4419-AD02-90002030B8EE} - C:\PROGRA~1\FlashFXP\IEFlash.dll
O2 - BHO: FlashGet GetFlash Class - {F156768E-81EF-470C-9057-481BA8380DBA} - C:\Program Files\FlashGet\getflash.dll
O3 - Toolbar: Protection Bar - {29C5A3B6-9A8D-4FA0-B5AD-3E20F4AA5C00} - C:\Program Files\Video ActiveX Access\iesbpl.dll
O4 - HKLM\..\Run: [OfficeScanNT Monitor] "C:\Program Files\Trend Micro\OfficeScan Client\pccntmon.exe" -HideWindow
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [GrooveMonitor] "C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe"
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [Flashget] C:\Program Files\FlashGet\flashget.exe /min
O4 - HKLM\..\Run: [RAMDrive] "C:\Program Files\FarStone\VirtualDrive\VHD\RDTask.exe"
O4 - HKLM\..\Run: [VirtualDrive] "C:\Program Files\FarStone\VirtualDrive\VDTask.exe" /AutoRestore
O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"
O4 - HKLM\..\Run: [LanguageShortcut] "C:\Program Files\CyberLink\PowerDVD\Language\Language.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\PROGRA~1\Yahoo!\MESSEN~1\YAHOOM~1.EXE" -quiet
O4 - HKLM\..\Policies\Explorer\Run: [user32.dll] C:\Program Files\Video ActiveX Access\iesmn.exe
O4 - HKLM\..\Policies\Explorer\Run: [rare] C:\Program Files\Video ActiveX Access\imsmain.exe
O4 - HKUS\S-1-5-19\..\RunOnce: [tscuninstall] %systemroot%\system32\tscupgrd.exe (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\RunOnce: [tscuninstall] %systemroot%\system32\tscupgrd.exe (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\RunOnce: [tscuninstall] %systemroot%\system32\tscupgrd.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\RunOnce: [tscuninstall] %systemroot%\system32\tscupgrd.exe (User 'Default user')
O8 - Extra context menu item: &Download All with FlashGet - C:\Program Files\FlashGet\jc_all.htm
O8 - Extra context menu item: &Download with FlashGet - C:\Program Files\FlashGet\jc_link.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~1\Office12\EXCEL.EXE/3000
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~1\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~1\Office12\ONBttnIE.dll
O9 - Extra button: Run WinHTTrack - {36ECAF82-3300-8F84-092E-AFF36D6C7040} - C:\Program Files\WinHTTrack\WinHTTrackIEBar.dll
O9 - Extra 'Tools' menuitem: Launch WinHTTrack - {36ECAF82-3300-8F84-092E-AFF36D6C7040} - C:\Program Files\WinHTTrack\WinHTTrackIEBar.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~1\Office12\REFIEBAR.DLL
O9 - Extra button: FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - C:\Program Files\FlashGet\FlashGet.exe
O9 - Extra 'Tools' menuitem: FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - C:\Program Files\FlashGet\FlashGet.exe
O15 - ESC Trusted Zone: http://www.google-analytics.com
O15 - ESC Trusted Zone: http://pagead2.googlesyndication.com
O15 - ESC Trusted Zone: http://a.rad.live.com
O15 - ESC Trusted Zone: http://b.rad.live.com
O15 - ESC Trusted Zone: http://gfx6.mail.live.com
O15 - ESC Trusted Zone: http://gfx7.mail.live.com
O15 - ESC Trusted Zone: http://help.live.com
O15 - ESC Trusted Zone: http://rad.live.com
O15 - ESC Trusted Zone: http://www.megaupload.com
O15 - ESC Trusted Zone: http://ads1.msn.com
O15 - ESC Trusted Zone: http://rad.msn.com
O15 - ESC Trusted Zone: http://runonce.msn.com
O15 - ESC Trusted Zone: http://stj.msn.com
O15 - ESC Trusted Zone: http://tp.msn.com
O15 - ESC Trusted Zone: http://www.hotmail.msn.com
O15 - ESC Trusted Zone: http://*.windowsupdate.com (HKLM)
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/...b?1184420468546
O17 - HKLM\System\CCS\Services\Tcpip\..\{7A560E42-3723-42A2-8002-BCC93E084696}: NameServer = 203.153.34.190,203.153.41.28
O17 - HKLM\System\CS1\Services\Tcpip\..\{7A560E42-3723-42A2-8002-BCC93E084696}: NameServer = 203.153.34.190,203.153.41.28
O17 - HKLM\System\CS2\Services\Tcpip\..\{7A560E42-3723-42A2-8002-BCC93E084696}: NameServer = 203.153.34.190,203.153.41.28
O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\PROGRA~1\MICROS~1\Office12\GR99D3~1.DLL
O22 - SharedTaskScheduler: enlodgement - {aa6d4f53-4c8d-4549-84d2-02d584acc4e9} - C:\WINDOWS\system32\wzhtjqo.dll
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: OfficeScanNT RealTime Scan (ntrtscan) - Trend Micro Inc. - C:\Program Files\Trend Micro\OfficeScan Client\ntrtscan.exe
O23 - Service: OfficeScanNT Personal Firewall (OfcPfwSvc) - Trend Micro Inc. - C:\Program Files\Trend Micro\OfficeScan Client\OfcPfwSvc.exe
O23 - Service: Cyberlink RichVideo Service(CRVS) (RichVideo) - Unknown owner - C:\Program Files\CyberLink\Shared files\RichVideo.exe
O23 - Service: OfficeScanNT Listener (tmlisten) - Trend Micro Inc. - C:\Program Files\Trend Micro\OfficeScan Client\tmlisten.exe

--
End of file - 9777 bytes
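As an added example (not code from this thread, from HijackThis, or from any of the tools named later in it): a small Python triage script that parses HijackThis v2 entries of the kind shown in the log above and flags the patterns a helper typically acts on first: executables running from a temp directory, autostarts under Policies\Explorer\Run, SharedTaskScheduler hooks, orphaned BHO/toolbar entries and extra ESC trusted-zone hosts. The sample log, the `SUSPECT_DIRS` watchlist and the flag rules are constructed for this example.

```python
"""Triage helper for a HijackThis v2 log (constructed example, not HijackThis code)."""
import re
from dataclasses import dataclass
from typing import Iterator, List, Tuple

# Constructed sample in the shape of the log above; only a handful of its lines.
SAMPLE_LOG = r"""Logfile of Trend Micro HijackThis v2.0.2
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\Program Files\Video ActiveX Access\iesmn.exe
C:\WINDOWS\TEMP\EBDF13.EXE
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: (no name) - {D61D7E1A-6613-49CA-B6F9-51DB248E209D} - C:\Program Files\Video ActiveX Access\iesplg.dll
O3 - Toolbar: Protection Bar - {29C5A3B6-9A8D-4FA0-B5AD-3E20F4AA5C00} - C:\Program Files\Video ActiveX Access\iesbpl.dll
O4 - HKLM\..\Run: [OfficeScanNT Monitor] "C:\Program Files\Trend Micro\OfficeScan Client\pccntmon.exe" -HideWindow
O4 - HKLM\..\Policies\Explorer\Run: [user32.dll] C:\Program Files\Video ActiveX Access\iesmn.exe
O4 - HKUS\S-1-5-18\..\RunOnce: [tscuninstall] %systemroot%\system32\tscupgrd.exe (User 'SYSTEM')
O15 - ESC Trusted Zone: http://www.megaupload.com
O15 - ESC Trusted Zone: http://*.windowsupdate.com (HKLM)
O22 - SharedTaskScheduler: enlodgement - {aa6d4f53-4c8d-4549-84d2-02d584acc4e9} - C:\WINDOWS\system32\wzhtjqo.dll
O23 - Service: OfficeScanNT Listener (tmlisten) - Trend Micro Inc. - C:\Program Files\Trend Micro\OfficeScan Client\tmlisten.exe
"""

# Watchlist of directory names; this one is taken from the thread's fix report,
# which lists the folder as deleted. Assumed for the example, not a built-in list.
SUSPECT_DIRS = ("video activex access",)

ENTRY_RE = re.compile(r"^(R[0-3]|O\d{1,2}) - (.*)$")   # "O4 - <body>"
ARGS_RE = re.compile(r"(?:\s+[-/]\S+)+$")              # trailing switches: -HideWindow, /min
TEMP_RE = re.compile(r"\\temp\\", re.IGNORECASE)       # ...\WINDOWS\TEMP\ or ...\Temp\


@dataclass
class Finding:
    severity: str   # "high" or "review"
    section: str    # HijackThis section id, or "PROC" for a running process
    reason: str
    line: str


def extract_path(section: str, body: str) -> str:
    """Return the file path an entry points at, or '' when it has none."""
    if section == "O4":
        # O4 - HKLM\..\Run: [Name] "C:\path\prog.exe" -switch   (RunOnce adds "(User '...')")
        _, _, target = body.partition("] ")
        target = target.split(" (User ")[0]
        return ARGS_RE.sub("", target.strip()).strip('"')
    if section in ("O2", "O3", "O22", "O23"):
        # last " - " separated field is the DLL/EXE (or "(no file)")
        return body.rsplit(" - ", 1)[-1].strip()
    return ""


def parse_log(text: str) -> Iterator[Tuple[str, str, str]]:
    """Yield (section, line, path) for every process and O/R entry in the log."""
    in_processes = False
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            in_processes = False           # blank line ends the process list
            continue
        if line == "Running processes:":
            in_processes = True
            continue
        if in_processes:
            yield "PROC", line, line
            continue
        m = ENTRY_RE.match(line)
        if m:
            yield m.group(1), m.group(2), extract_path(m.group(1), m.group(2))


def triage(text: str) -> List[Finding]:
    """Apply the flag rules to every parsed entry; one Finding per rule that fires."""
    findings: List[Finding] = []
    for section, line, path in parse_log(text):
        low = path.lower()
        if TEMP_RE.search(low):
            findings.append(Finding("high", section, "executable in a temp directory", line))
        if any(d in low for d in SUSPECT_DIRS):
            findings.append(Finding("high", section, "path is on the suspect-directory watchlist", line))
        if section == "O4" and "policies\\explorer\\run" in line.lower():
            findings.append(Finding("high", section, "autostart via Policies\\Explorer\\Run", line))
        if section == "O22":
            findings.append(Finding("high", section, "SharedTaskScheduler DLL loaded into Explorer", line))
        if section in ("O2", "O3") and (path == "(no file)" or path.endswith("(file missing)")):
            findings.append(Finding("review", section, "orphaned browser add-on entry", line))
        if section == "O15" and "windowsupdate.com" not in line:
            findings.append(Finding("review", section, "host added to the ESC trusted zone", line))
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"[{f.severity:6}] {f.section:4} {f.reason}: {f.line}")
```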


#2 ricox


Posted 26 July 2007 - 09:54 AM

Hi loverZ,
I will be handling your log to help you get cleaned up. Please give me some time to look it over and I will get back to you as soon as possible.

Edited by ricox, 26 July 2007 - 09:55 AM.

Let's play a little game ...

#3 loverZ


Posted 26 July 2007 - 10:15 AM

Sure!! I think my brother installed something unwanted on my PC; that's why it happened like this..


Me too, trying to fix it up. :thumbsup:

#4 loverZ


Posted 26 July 2007 - 11:05 AM

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 9:18:35 PM, on 7/26/2007
Platform: Windows 2003 SP2 (WinNT 5.02.3790)
MSIE: Internet Explorer v7.00 (7.00.6000.16473)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\SYSTEM32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\inetsrv\inetinfo.exe
C:\Program Files\Trend Micro\OfficeScan Client\ntrtscan.exe
C:\Program Files\CyberLink\Shared files\RichVideo.exe
C:\Program Files\Trend Micro\OfficeScan Client\tmlisten.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Trend Micro\OfficeScan Client\OfcPfwSvc.exe
C:\WINDOWS\TEMP\LA7BB9.EXE
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Trend Micro\OfficeScan Client\pccntmon.exe
C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe
C:\Program Files\Trend Micro\OfficeScan Client\pccntupd.exe
C:\Program Files\FarStone\VirtualDrive\VHD\RDTask.exe
C:\Program Files\FarStone\VirtualDrive\VDTask.exe
C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\PROGRA~1\Yahoo!\MESSEN~1\ymsgr_tray.exe
C:\Program Files\Winamp\winamp.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = res://shdoclc.dll/hardAdmin.htm
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.gmail.com
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
O2 - BHO: flashget urlcatch - {2F364306-AA45-47B5-9F9D-39A8B94E7EF7} - C:\Program Files\FlashGet\jccatch.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Groove GFS Browser Helper - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\PROGRA~1\MICROS~1\Office12\GRA8E1~1.DLL
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: CVirtualDNSObj Object - {86C510E9-97EF-4749-914F-0280247BE3A6} - C:\WINDOWS\VirtualDNS.dll (file missing)
O2 - BHO: FlashFXP Helper for Internet Explorer - {E5A1691B-D188-4419-AD02-90002030B8EE} - C:\PROGRA~1\FlashFXP\IEFlash.dll
O2 - BHO: FlashGet GetFlash Class - {F156768E-81EF-470C-9057-481BA8380DBA} - C:\Program Files\FlashGet\getflash.dll
O4 - HKLM\..\Run: [OfficeScanNT Monitor] "C:\Program Files\Trend Micro\OfficeScan Client\pccntmon.exe" -HideWindow
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [GrooveMonitor] "C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe"
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [Flashget] C:\Program Files\FlashGet\flashget.exe /min
O4 - HKLM\..\Run: [RAMDrive] "C:\Program Files\FarStone\VirtualDrive\VHD\RDTask.exe"
O4 - HKLM\..\Run: [VirtualDrive] "C:\Program Files\FarStone\VirtualDrive\VDTask.exe" /AutoRestore
O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"
O4 - HKLM\..\Run: [LanguageShortcut] "C:\Program Files\CyberLink\PowerDVD\Language\Language.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\PROGRA~1\Yahoo!\MESSEN~1\YAHOOM~1.EXE" -quiet
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKCU\..\RunOnce: [SpybotDeletingD2657] cmd /c del "C:\Program Files\Video ActiveX Access\imsmain.exe_tobedeleted_old"
O4 - HKUS\S-1-5-19\..\RunOnce: [tscuninstall] %systemroot%\system32\tscupgrd.exe (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\RunOnce: [tscuninstall] %systemroot%\system32\tscupgrd.exe (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\RunOnce: [tscuninstall] %systemroot%\system32\tscupgrd.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\RunOnce: [tscuninstall] %systemroot%\system32\tscupgrd.exe (User 'Default user')
O8 - Extra context menu item: &Download All with FlashGet - C:\Program Files\FlashGet\jc_all.htm
O8 - Extra context menu item: &Download with FlashGet - C:\Program Files\FlashGet\jc_link.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~1\Office12\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~1\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~1\Office12\ONBttnIE.dll
O9 - Extra button: Run WinHTTrack - {36ECAF82-3300-8F84-092E-AFF36D6C7040} - C:\Program Files\WinHTTrack\WinHTTrackIEBar.dll
O9 - Extra 'Tools' menuitem: Launch WinHTTrack - {36ECAF82-3300-8F84-092E-AFF36D6C7040} - C:\Program Files\WinHTTrack\WinHTTrackIEBar.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~1\Office12\REFIEBAR.DLL
O9 - Extra button: FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - C:\Program Files\FlashGet\FlashGet.exe
O9 - Extra 'Tools' menuitem: FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - C:\Program Files\FlashGet\FlashGet.exe
O15 - ESC Trusted Zone: http://*.windowsupdate.com (HKLM)
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/...b?1184420468546
O17 - HKLM\System\CCS\Services\Tcpip\..\{7A560E42-3723-42A2-8002-BCC93E084696}: NameServer = 203.153.34.190,203.153.41.28
O17 - HKLM\System\CS1\Services\Tcpip\..\{7A560E42-3723-42A2-8002-BCC93E084696}: NameServer = 203.153.34.190,203.153.41.28
O17 - HKLM\System\CS2\Services\Tcpip\..\{7A560E42-3723-42A2-8002-BCC93E084696}: NameServer = 203.153.34.190,203.153.41.28
O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\PROGRA~1\MICROS~1\Office12\GR99D3~1.DLL
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: OfficeScanNT RealTime Scan (ntrtscan) - Trend Micro Inc. - C:\Program Files\Trend Micro\OfficeScan Client\ntrtscan.exe
O23 - Service: OfficeScanNT Personal Firewall (OfcPfwSvc) - Trend Micro Inc. - C:\Program Files\Trend Micro\OfficeScan Client\OfcPfwSvc.exe
O23 - Service: Cyberlink RichVideo Service(CRVS) (RichVideo) - Unknown owner - C:\Program Files\CyberLink\Shared files\RichVideo.exe
O23 - Service: OfficeScanNT Listener (tmlisten) - Trend Micro Inc. - C:\Program Files\Trend Micro\OfficeScan Client\tmlisten.exe

--
End of file - 8104 bytes


***********
NEW LOG
***********


#5 ricox


Posted 27 July 2007 - 02:47 AM

Hi again :thumbsup:

Please download SmitfraudFix to your desktop

********************************************

You should print out these instructions, or copy them to a Notepad file for reading while in Safe Mode, because you will not be able to connect to the Internet to read from this site.

Please reboot your computer in Safe Mode by doing the following:
  • Restart your computer
  • After hearing your computer beep once during startup, but before the Windows icon appears, tap the F8 key continually;
  • Instead of Windows loading as normal, a menu with options should appear;
  • Select the first option, to run Windows in Safe Mode, then press "Enter".
  • Choose your usual account.
Once in Safe Mode, double-click SmitfraudFix.exe
Select option #2 - Clean by typing 2 and press "Enter" to delete infected files.

You will be prompted: "Registry cleaning - Do you want to clean the registry ?"; answer "Yes" by typing Y and press "Enter" in order to remove the Desktop background and clean registry keys associated with the infection.

The tool will now check if wininet.dll is infected. You may be prompted to replace the infected file (if found); answer "Yes" by typing Y and press "Enter".

The tool may need to restart your computer to finish the cleaning process; if it doesn't, please restart anyway into normal Windows. A text file will appear onscreen, with results from the cleaning process; please copy/paste the content of that report into your next reply.
The report can also be found at the root of the system drive, usually at C:\rapport.txt

Warning: running option #2 on a non-infected computer will remove your Desktop background.

********************************************

Please download Deckard's System Scanner (DSS) and save it to your Desktop.
  • Close all other windows before proceeding.
  • Double-click on dss.exe and follow the prompts.
  • When it has finished, dss will open two Notepads main.txt and extra.txt -- please copy (CTRL+A and then CTRL+C) and paste (CTRL+V) the contents of main.txt and extra.txt in your next reply.

Let's play a little game ...

#6 loverZ


Posted 28 July 2007 - 01:27 AM

rapport.txt
***************************************************************************************

SmitFraudFix v2.207

Scan done at 20:55:29.23, Thu 07/26/2007
Run from C:\Documents and Settings\Administrator\Desktop\Virus\SmitfraudFix
OS: Microsoft Windows [Version 5.2.3790] - Windows_NT
The filesystem type is NTFS
Fix run in normal mode

»»»»»»»»»»»»»»»»»»»»»»»» SharedTaskScheduler Before SmitFraudFix
!!!Attention, following keys are not inevitably infected!!!

SrchSTS.exe by S!Ri
Search SharedTaskScheduler's .dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler]
"{aa6d4f53-4c8d-4549-84d2-02d584acc4e9}"="enlodgement"

[HKEY_CLASSES_ROOT\CLSID\{aa6d4f53-4c8d-4549-84d2-02d584acc4e9}\InProcServer32]
@="C:\WINDOWS\system32\wzhtjqo.dll"

[HKEY_LOCAL_MACHINE\Software\Classes\CLSID\{aa6d4f53-4c8d-4549-84d2-02d584acc4e9}\InProcServer32]
@="C:\WINDOWS\system32\wzhtjqo.dll"


»»»»»»»»»»»»»»»»»»»»»»»» Killing process


»»»»»»»»»»»»»»»»»»»»»»»» hosts


127.0.0.1 localhost

»»»»»»»»»»»»»»»»»»»»»»»» Generic Renos Fix

GenericRenosFix by S!Ri

C:\WINDOWS\system32\wzhtjqo.dll -> Hoax.Win32.Renos.gen.o
C:\WINDOWS\system32\wzhtjqo.dll -> Deleted


»»»»»»»»»»»»»»»»»»»»»»»» Deleting infected files

C:\DOCUME~1\ALLUSE~1\STARTM~1\Online Security Guide.url Deleted
C:\DOCUME~1\ALLUSE~1\STARTM~1\Security Troubleshooting.url Deleted
C:\DOCUME~1\ADMINI~1\FAVORI~1\Online Security Test.url Deleted
C:\Program Files\Video ActiveX Access\ Deleted

»»»»»»»»»»»»»»»»»»»»»»»» DNS

Description: Realtek RTL8139 Family PCI Fast Ethernet NIC #2
DNS Server Search Order: 203.153.34.190
DNS Server Search Order: 203.153.41.28

HKLM\SYSTEM\CCS\Services\Tcpip\..\{7A560E42-3723-42A2-8002-BCC93E084696}: NameServer=203.153.34.190,203.153.41.28
HKLM\SYSTEM\CS1\Services\Tcpip\..\{7A560E42-3723-42A2-8002-BCC93E084696}: NameServer=203.153.34.190,203.153.41.28
HKLM\SYSTEM\CS2\Services\Tcpip\..\{7A560E42-3723-42A2-8002-BCC93E084696}: NameServer=203.153.34.190,203.153.41.28


»»»»»»»»»»»»»»»»»»»»»»»» Deleting Temp Files


»»»»»»»»»»»»»»»»»»»»»»»» Winlogon.System
!!!Attention, following keys are not inevitably infected!!!

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"System"=""


»»»»»»»»»»»»»»»»»»»»»»»» Registry Cleaning

Registry Cleaning done.

»»»»»»»»»»»»»»»»»»»»»»»» SharedTaskScheduler After SmitFraudFix
!!!Attention, following keys are not inevitably infected!!!

SrchSTS.exe by S!Ri
Search SharedTaskScheduler's .dll


»»»»»»»»»»»»»»»»»»»»»»»» End

***************************************************************************************


Deckard's System Scanner v20070711.54
Run by Administrator on 2007-07-28 at 11:37:51
Computer is in Normal Mode.
--------------------------------------------------------------------------------



-- HijackThis (run as Administrator.exe) ---------------------------------------

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 11:37:59 AM, on 7/28/2007
Platform: Windows 2003 SP2 (WinNT 5.02.3790)
MSIE: Internet Explorer v7.00 (7.00.6000.16473)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\SYSTEM32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\inetsrv\inetinfo.exe
C:\Program Files\Trend Micro\OfficeScan Client\ntrtscan.exe
C:\Program Files\CyberLink\Shared files\RichVideo.exe
C:\Program Files\Trend Micro\OfficeScan Client\tmlisten.exe
C:\Program Files\Trend Micro\OfficeScan Client\OfcPfwSvc.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\TEMP\DW6DB9.EXE
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Trend Micro\OfficeScan Client\pccntmon.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\FlashGet\flashget.exe
C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Documents and Settings\Administrator\Desktop\dss.exe
C:\PROGRA~1\TRENDM~1\HIJACK~1\ADMINI~1.EXE

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = res://shdoclc.dll/hardAdmin.htm
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.gmail.com
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
O2 - BHO: flashget urlcatch - {2F364306-AA45-47B5-9F9D-39A8B94E7EF7} - C:\Program Files\FlashGet\jccatch.dll
O2 - BHO: Groove GFS Browser Helper - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\PROGRA~1\MICROS~1\Office12\GRA8E1~1.DLL
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: CVirtualDNSObj Object - {86C510E9-97EF-4749-914F-0280247BE3A6} - C:\WINDOWS\VirtualDNS.dll (file missing)
O2 - BHO: FlashFXP Helper for Internet Explorer - {E5A1691B-D188-4419-AD02-90002030B8EE} - C:\PROGRA~1\FlashFXP\IEFlash.dll
O2 - BHO: FlashGet GetFlash Class - {F156768E-81EF-470C-9057-481BA8380DBA} - C:\Program Files\FlashGet\getflash.dll
O4 - HKLM\..\Run: [OfficeScanNT Monitor] "C:\Program Files\Trend Micro\OfficeScan Client\pccntmon.exe" -HideWindow
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" -quiet
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKUS\S-1-5-19\..\RunOnce: [tscuninstall] %systemroot%\system32\tscupgrd.exe (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\RunOnce: [tscuninstall] %systemroot%\system32\tscupgrd.exe (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\RunOnce: [tscuninstall] %systemroot%\system32\tscupgrd.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\RunOnce: [tscuninstall] %systemroot%\system32\tscupgrd.exe (User 'Default user')
O8 - Extra context menu item: &Download All with FlashGet - C:\Program Files\FlashGet\jc_all.htm
O8 - Extra context menu item: &Download with FlashGet - C:\Program Files\FlashGet\jc_link.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~1\Office12\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~1\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~1\Office12\ONBttnIE.dll
O9 - Extra button: Run WinHTTrack - {36ECAF82-3300-8F84-092E-AFF36D6C7040} - C:\Program Files\WinHTTrack\WinHTTrackIEBar.dll
O9 - Extra 'Tools' menuitem: Launch WinHTTrack - {36ECAF82-3300-8F84-092E-AFF36D6C7040} - C:\Program Files\WinHTTrack\WinHTTrackIEBar.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~1\Office12\REFIEBAR.DLL
O9 - Extra button: FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - C:\Program Files\FlashGet\FlashGet.exe
O9 - Extra 'Tools' menuitem: FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - C:\Program Files\FlashGet\FlashGet.exe
O15 - ESC Trusted Zone: http://*.windowsupdate.com (HKLM)
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/...b?1184420468546
O17 - HKLM\System\CCS\Services\Tcpip\..\{7A560E42-3723-42A2-8002-BCC93E084696}: NameServer = 203.153.34.190,203.153.41.28
O17 - HKLM\System\CS1\Services\Tcpip\..\{7A560E42-3723-42A2-8002-BCC93E084696}: NameServer = 203.153.34.190,203.153.41.28
O17 - HKLM\System\CS2\Services\Tcpip\..\{7A560E42-3723-42A2-8002-BCC93E084696}: NameServer = 203.153.34.190,203.153.41.28
O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\PROGRA~1\MICROS~1\Office12\GR99D3~1.DLL
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: OfficeScanNT RealTime Scan (ntrtscan) - Trend Micro Inc. - C:\Program Files\Trend Micro\OfficeScan Client\ntrtscan.exe
O23 - Service: OfficeScanNT Personal Firewall (OfcPfwSvc) - Trend Micro Inc. - C:\Program Files\Trend Micro\OfficeScan Client\OfcPfwSvc.exe
O23 - Service: Cyberlink RichVideo Service(CRVS) (RichVideo) - Unknown owner - C:\Program Files\CyberLink\Shared files\RichVideo.exe
O23 - Service: OfficeScanNT Listener (tmlisten) - Trend Micro Inc. - C:\Program Files\Trend Micro\OfficeScan Client\tmlisten.exe

--
End of file - 6593 bytes

-- Files created between 2007-06-28 and 2007-07-28 -----------------------------

2007-07-27 15:32:30 0 d-------- C:\WINDOWS\pss
2007-07-26 20:55:36 1880 --a------ C:\WINDOWS\system32\tmp.reg
2007-07-26 20:55:23 288417 --a------ C:\WINDOWS\system32\SrchSTS.exe <Not Verified; S!Ri; SrchSTS>
2007-07-26 20:55:23 53248 --a------ C:\WINDOWS\system32\Process.exe <Not Verified; http://www.beyondlogic.org; Command Line Process Utility>
2007-07-26 20:55:23 51200 --a------ C:\WINDOWS\system32\dumphive.exe
2007-07-26 00:38:26 0 d-------- C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2007-07-26 00:14:29 0 d-------- C:\Program Files\Java
2007-07-26 00:01:28 0 d-------- C:\Program Files\Common Files\Java
2007-07-26 00:00:24 671 --a------ C:\WINDOWS\mozver.dat
2007-07-25 23:54:22 0 d-------- C:\Program Files\Lavasoft
2007-07-25 23:54:22 0 d-------- C:\Documents and Settings\All Users\Application Data\Lavasoft
2007-07-25 23:53:34 0 d-------- C:\Program Files\Common Files\Wise Installation Wizard
2007-07-25 11:37:00 0 d-------- C:\Program Files\CyberLink
2007-07-25 09:12:06 0 d-------- C:\Program Files\MSXML 4.0
2007-07-25 00:24:34 0 d-------- C:\My Web Sites
2007-07-25 00:23:50 0 d-------- C:\Program Files\WinHTTrack
2007-07-24 23:34:59 0 d-------- C:\Documents and Settings\Administrator\Application Data\CyberLink
2007-07-24 23:13:27 0 d-------- C:\Documents and Settings\All Users\Application Data\CyberLink
2007-07-24 14:41:21 664 --a------ C:\WINDOWS\system32\d3d9caps.dat
2007-07-24 12:40:25 0 d-------- C:\Program Files\InstallShield Installation Information
2007-07-24 12:36:25 0 d-------- C:\WINDOWS\system32\DirectX
2007-07-24 12:22:29 0 d-------- C:\WINDOWS\system32\appmgmt
2007-07-24 12:22:27 0 d-------- C:\WINDOWS\SxsCaPendDel
2007-07-22 18:41:54 0 d-------- C:\Documents and Settings\All Users\Application Data\SMSI
2007-07-21 15:42:20 0 d-------- C:\Program Files\Microsoft Games
2007-07-21 15:39:57 86016 --a------ C:\WINDOWS\unvise32qt.exe <Not Verified; MindVision Software; Installer VISE>
2007-07-17 13:35:47 0 d-------- C:\Documents and Settings\Administrator\Application Data\FarStone
2007-07-17 13:34:42 65536 --a------ C:\WINDOWS\system32\VDPersns.dat
2007-07-17 13:34:11 37409 --a------ C:\WINDOWS\system32\drivers\fsRamDsk.sys <Not Verified; FarStone; FarStone RamDisk>
2007-07-17 13:33:42 69632 --a------ C:\WINDOWS\VPlay801.exe <Not Verified; Far Stone Technology Inc.; CDPLAY Application>
2007-07-17 13:33:42 14496 --a------ C:\WINDOWS\system32\VDI08X.dat
2007-07-17 13:33:42 72478 --a------ C:\WINDOWS\system32\drivers\fvdscsi.sys <Not Verified; FarStone Inc.; FarStone VirtualDrive>
2007-07-17 13:33:42 10899 --a------ C:\WINDOWS\system32\drivers\fcdabus.sys <Not Verified; FarStone Inc.; >
2007-07-17 13:33:09 0 d-------- C:\Program Files\FarStone
2007-07-17 13:32:49 36864 -----n--- C:\WINDOWS\system32\unVHDDrvExe.exe
2007-07-17 13:32:49 53248 -----n--- C:\WINDOWS\system32\RDrvNTInterface.dll <Not Verified; ; RDrv2KInterface Dynamic Link Library>
2007-07-17 13:32:49 28672 -----n--- C:\WINDOWS\system32\RDrvInterface.dll <Not Verified; ; RDrvInterface Dynamic Link Library>
2007-07-17 13:32:49 32768 -----n--- C:\WINDOWS\system32\RDrv9xInterface.dll <Not Verified; ; RDrv9XInterface Dynamic Link Library>
2007-07-17 13:32:49 77824 -----n--- C:\WINDOWS\system32\RDrv2KInterface.dll <Not Verified; ; RDrv2KInterface Dynamic Link Library>
2007-07-17 13:32:49 36864 -----n--- C:\WINDOWS\system32\inVHDDrvExe.exe
2007-07-17 13:32:48 81920 --a------ C:\WINDOWS\system32\Dversion.dll <Not Verified; FarStone; Farstone Dversion>
2007-07-17 13:32:48 122880 --a------ C:\WINDOWS\system32\DVC.dll <Not Verified; Farstone; Farstone DVC>
2007-07-17 13:29:53 0 d-------- C:\Documents and Settings\Administrator\Application Data\DivX
2007-07-17 13:20:07 0 d-------- C:\Program Files\MagicISO
2007-07-17 13:03:43 0 d-------- C:\Program Files\LD-Anime
2007-07-16 16:12:05 0 dr-h----- C:\Documents and Settings\Administrator\Recent
2007-07-16 15:47:34 0 d-------- C:\Downloads
2007-07-16 15:42:00 0 d-------- C:\Program Files\FlashGet
2007-07-16 02:52:57 0 dr-h----- C:\Documents and Settings\Administrator\Application Data\yahoo!
2007-07-15 22:49:17 0 d-------- C:\Documents and Settings\All Users\Application Data\Yahoo!
2007-07-15 22:32:12 0 d-------- C:\Program Files\Yahoo!
2007-07-15 20:16:22 0 d-------- C:\Working Folder
2007-07-14 23:01:56 0 d-------- C:\WINDOWS\system32\lls
2007-07-14 22:54:34 0 d--hs---- C:\WINDOWS\Installer
2007-07-14 22:54:33 0 d-------- C:\Program Files\Common Files\ODBC
2007-07-14 22:54:28 0 d-------- C:\Program Files
2007-07-14 22:54:28 0 d-------- C:\Program Files\Common Files\SpeechEngines
2007-07-14 22:53:50 0 d--h----- C:\Documents and Settings\Default User\Templates
2007-07-14 22:53:50 0 dr------- C:\Documents and Settings\Default User\Start Menu
2007-07-14 22:53:50 0 dr-h----- C:\Documents and Settings\Default User\SendTo
2007-07-14 22:53:50 0 d--h----- C:\Documents and Settings\Default User\Recent
2007-07-14 22:53:50 0 d--h----- C:\Documents and Settings\Default User\PrintHood
2007-07-14 22:53:50 0 d--h----- C:\Documents and Settings\Default User\NetHood
2007-07-14 22:53:50 0 d-------- C:\Documents and Settings\Default User\My Documents
2007-07-14 22:53:50 0 dr-h----- C:\Documents and Settings\Default User\Local Settings
2007-07-14 22:53:50 0 d-------- C:\Documents and Settings\Default User\Favorites
2007-07-14 22:53:50 0 d-------- C:\Documents and Settings\Default User\Desktop
2007-07-14 22:53:50 0 d---s---- C:\Documents and Settings\Default User\Cookies
2007-07-14 22:53:50 0 d--h----- C:\Documents and Settings\All Users\Templates
2007-07-14 22:53:50 0 dr------- C:\Documents and Settings\All Users\Start Menu
2007-07-14 22:53:50 0 d-------- C:\Documents and Settings\All Users\Favorites
2007-07-14 22:53:50 0 dr------- C:\Documents and Settings\All Users\Documents
2007-07-14 22:53:50 0 dr------- C:\Documents and Settings\All Users\Desktop
2007-07-14 22:51:54 0 d-------- C:\WINDOWS\system32\CatRoot2
2007-07-14 22:51:54 0 d-------- C:\WINDOWS\system32\CatRoot
2007-07-14 22:51:54 0 dr-h----- C:\Documents and Settings\Default User\Application Data
2007-07-14 22:51:54 0 d---s---- C:\Documents and Settings\Default User\Application Data\Microsoft
2007-07-14 22:51:47 0 dr-h----- C:\Documents and Settings\All Users\Application Data
2007-07-14 22:51:47 0 d---s---- C:\Documents and Settings\All Users\Application Data\Microsoft
2007-07-14 22:51:36 0 d-------- C:\Documents and Settings
2007-07-14 22:51:35 0 d--hs---- C:\System Volume Information
2007-07-14 22:46:18 0 d-------- C:\WINDOWS
2007-07-14 22:46:18 0 d-------- C:\WINDOWS\WinSxS
2007-07-14 22:46:18 0 dr------- C:\WINDOWS\Web
2007-07-14 22:46:18 0 d-------- C:\WINDOWS\twain_32
2007-07-14 22:46:18 0 d-------- C:\WINDOWS\TAPI
2007-07-14 22:46:18 0 d-------- C:\WINDOWS\system32
2007-07-14 22:46:18 0 d-------- C:\WINDOWS\system32\wins
2007-07-14 22:46:18 0 d-------- C:\WINDOWS\system32\wbem
2007-07-14 22:46:18 0 d-------- C:\WINDOWS\system32\spool
2007-07-14 22:46:18 0 d-------- C:\WINDOWS\system32\ShellExt
2007-07-14 22:46:18 0 d-------- C:\WINDOWS\system32\Setup
2007-07-14 22:46:18 0 d-------- C:\WINDOWS\system32\ras
2007-07-14 22:46:18 0 d-------- C:\WINDOWS\system32\oobe
2007-07-14 22:46:18 0 d-------- C:\WINDOWS\system32\npp
2007-07-14 22:46:18 0 d-------- C:\WINDOWS\system32\mui
2007-07-14 22:46:18 0 d-------- C:\WINDOWS\system32\LogFiles
2007-07-14 22:46:18 0 d-------- C:\WINDOWS\system32\inetsrv
2007-07-14 22:46:18 0 d-------- C:\WINDOWS\system32\IME
2007-07-14 22:46:18 0 d-------- C:\WINDOWS\system32\icsxml
2007-07-14 22:46:18 0 d-------- C:\WINDOWS\system32\ias
2007-07-14 22:46:18 0 d-------- C:\WINDOWS\system32\export
2007-07-14 22:46:18 0 d-------- C:\WINDOWS\system32\en
2007-07-14 22:46:18 0 d-------- C:\WINDOWS\system32\drivers
2007-07-14 22:46:18 0 d-------- C:\WINDOWS\system32\drivers\etc
2007-07-14 22:46:18 0 d-------- C:\WINDOWS\system32\drivers\disdn
2007-07-14 22:46:18 0 dr-hs--c- C:\WINDOWS\system32\dllcache
2007-07-14 22:46:18 0 d-------- C:\WINDOWS\system32\dhcp
2007-07-14 22:46:18 0 d-------- C:\WINDOWS\system32\config
2007-07-14 22:46:18 0 d-------- C:\WINDOWS\system32\clients
2007-07-14 22:46:18 0 d-------- C:\WINDOWS\system32\administration
2007-07-14 22:46:18 0 d-------- C:\WINDOWS\system32\3com_dmi
2007-07-14 22:46:18 0 d-------- C:\WINDOWS\system32\3076
2007-07-14 22:46:18 0 d-------- C:\WINDOWS\system32\2052
2007-07-14 22:46:18 0 d-------- C:\WINDOWS\system32\1054
2007-07-14 22:46:18 0 d-------- C:\WINDOWS\system32\1042
2007-07-14 22:46:18 0 d-------- C:\WINDOWS\system32\1041
2007-07-14 22:46:18 0 d-------- C:\WINDOWS\system32\1037
2007-07-14 22:46:18 0 d-------- C:\WINDOWS\system32\1033
2007-07-14 22:46:18 0 d-------- C:\WINDOWS\system32\1031
2007-07-14 22:46:18 0 d-------- C:\WINDOWS\system32\1028
2007-07-14 22:46:18 0 d-------- C:\WINDOWS\system32\1025
2007-07-14 22:46:18 0 d-------- C:\WINDOWS\system
2007-07-14 22:46:18 0 d-------- C:\WINDOWS\security
2007-07-14 22:46:18 0 d-------- C:\WINDOWS\Resources
2007-07-14 22:46:18 0 d-------- C:\WINDOWS\repair
2007-07-14 22:46:18 0 d-------- C:\WINDOWS\Provisioning
2007-07-14 22:46:18 0 d-------- C:\WINDOWS\mui
2007-07-14 22:46:18 0 d-------- C:\WINDOWS\msapps
2007-07-14 22:46:18 0 d-------- C:\WINDOWS\msagent
2007-07-14 22:46:18 0 d-------- C:\WINDOWS\Media
2007-07-14 22:46:18 0 d-------- C:\WINDOWS\java
2007-07-14 22:46:18 0 d-------- C:\WINDOWS\inf
2007-07-14 22:46:18 0 d-------- C:\WINDOWS\ime
2007-07-14 22:46:18 0 d-------- C:\WINDOWS\Help
2007-07-14 22:46:18 0 dr--s---- C:\WINDOWS\Fonts
2007-07-14 22:46:18 0 d-------- C:\WINDOWS\Driver Cache
2007-07-14 22:46:18 0 d-------- C:\WINDOWS\Debug
2007-07-14 22:46:18 0 d-------- C:\WINDOWS\Cursors
2007-07-14 22:46:18 0 d-------- C:\WINDOWS\Connection Wizard
2007-07-14 22:46:18 0 d-------- C:\WINDOWS\Config
2007-07-14 22:46:18 0 d-------- C:\WINDOWS\AppPatch
2007-07-14 22:46:18 0 d-------- C:\WINDOWS\ADFS
2007-07-14 22:46:18 0 d-------- C:\WINDOWS\addins
2007-07-14 22:46:18 0 d-------- C:\WINDOWS\ADAM
2007-07-14 20:43:02 0 d-------- C:\Documents and Settings\Administrator\Application Data\Kana Solution
2007-07-14 20:42:53 0 d-------- C:\Program Files\DynDNS Updater
2007-07-14 19:51:51 0 d-------- C:\Program Files\MSDN
2007-07-14 19:42:33 0 d-------- C:\Program Files\Microsoft SQL Server
2007-07-14 19:40:44 0 d-------- C:\Program Files\Microsoft Device Emulator
2007-07-14 19:40:27 0 d-------- C:\Program Files\Microsoft SQL Server 2005 Mobile Edition
2007-07-14 19:21:45 0 d-------- C:\WINDOWS\Symbols
2007-07-14 19:21:45 0 d-------- C:\Program Files\HTML Help Workshop
2007-07-14 19:21:45 0 d-------- C:\Program Files\Common Files\Merge Modules
2007-07-14 19:21:45 0 d-------- C:\Program Files\Common Files\Business Objects
2007-07-14 19:21:45 0 d-------- C:\Program Files\CE Remote Tools
2007-07-14 19:21:45 0 d-------- C:\Documents and Settings\All Users\Application Data\PreEmptive Solutions
2007-07-14 19:21:10 0 d--h----- C:\WINDOWS\$hf_mig$
2007-07-14 19:20:28 0 d-------- C:\WINDOWS\IIS Temporary Compressed Files
2007-07-14 19:20:04 0 d-------- C:\WINDOWS\system32\Cache
2007-07-14 19:18:15 0 d-------- C:\Program Files\Microsoft Visual Studio 8
2007-07-14 19:17:10 0 d-------- C:\Inetpub
2007-07-14 19:14:30 0 d-------- C:\WINDOWS\system32\SoftwareDistribution
2007-07-14 19:12:20 0 d-------- C:\WINDOWS\RegisteredPackages
2007-07-14 19:07:16 0 d--hs---- C:\Documents and Settings\Administrator\UserData
2007-07-14 18:54:25 0 d------c- C:\WINDOWS\system32\DRVSTORE
2007-07-14 18:54:18 0 d-------- C:\Program Files\MSN Messenger
2007-07-14 18:52:00 0 d-------- C:\Program Files\WinUHA
2007-07-14 18:51:40 0 d-------- C:\Program Files\DivX
2007-07-14 18:50:15 0 d-------- C:\Documents and Settings\Administrator\Contacts
2007-07-14 18:50:11 0 d-------- C:\WINDOWS\system32\ReinstallBackups
2007-07-14 18:40:36 36484 --a------ C:\WINDOWS\system32\drivers\SMBios.sys <Not Verified; Intel Corporation; Intel ® System Management BIOS Driver>
2007-07-14 18:37:28 0 d-------- C:\Program Files\Winamp
2007-07-14 18:36:48 0 d-------- C:\Program Files\AVI Codec Pack
2007-07-14 18:29:10 0 d-------- C:\WINDOWS\system32\QuickTime
2007-07-14 18:21:05 0 d-------- C:\Documents and Settings\Administrator\Application Data\Macromedia
2007-07-14 18:17:30 0 d-------- C:\Documents and Settings\All Users\Application Data\Macromedia
2007-07-14 18:17:29 0 d-------- C:\WINDOWS\system32\Macromed
2007-07-14 18:17:15 0 d-------- C:\Program Files\Macromedia
2007-07-14 18:17:15 0 d-------- C:\Program Files\Common Files\Macromedia
2007-07-14 18:16:55 0 d-------- C:\Program Files\Common Files\InstallShield
2007-07-14 18:16:44 0 d-------- C:\WINDOWS\Downloaded Installations
2007-07-14 18:13:21 0 d-------- C:\Program Files\Microsoft Works
2007-07-14 18:13:07 0 d-------- C:\Program Files\MSBuild
2007-07-14 18:11:11 0 d-------- C:\Program Files\Microsoft.NET
2007-07-14 18:07:36 0 d-------- C:\Program Files\xampp
2007-07-14 18:06:03 106496 --a------ C:\WINDOWS\system32\TwnLib20.dll <Not Verified; Pegasus Software; TWNLIB20>
2007-07-14 18:05:49 38912 --a------ C:\WINDOWS\system32\picn20.dll <Not Verified; Pegasus Imaging Corp.; PEGASUS>
2007-07-14 18:05:40 544768 --a------ C:\WINDOWS\system32\imagx5.dll <Not Verified; Pegasus Software, LLC; ImagXpress>
2007-07-14 18:05:39 569344 --a------ C:\WINDOWS\system32\imagr5.dll <Not Verified; Pegasus Software,LLC; ImagXpress>
2007-07-14 18:05:33 155648 --a------ C:\WINDOWS\system32\NeroCheck.exe <Not Verified; Ahead Software Gmbh; Ahead Software Gmbh NeroCheck>
2007-07-14 18:05:33 0 d-------- C:\Program Files\Common Files\Ahead
2007-07-14 18:05:25 0 d-------- C:\Program Files\Ahead
2007-07-14 18:04:18 0 d-------- C:\WINDOWS\SHELLNEW
2007-07-14 18:04:18 0 d-------- C:\Documents and Settings\Administrator\Application Data\FlashFXP
2007-07-14 18:04:06 0 d-------- C:\Program Files\FlashFXP
2007-07-14 18:03:35 0 d-------- C:\Documents and Settings\All Users\Application Data\Microsoft Help
2007-07-14 18:03:14 0 dr-h----- C:\MSOCache
2007-07-14 18:01:19 0 d-------- C:\Program Files\Trend Micro
2007-07-14 18:01:15 304128 --a------ C:\WINDOWS\IsUninst.exe <Not Verified; InstallShield Software Corporation; InstallShield® unInstaller>
2007-07-14 18:00:13 0 d-------- C:\Documents and Settings\Administrator\Application Data\Talkback
2007-07-14 18:00:10 0 --a------ C:\WINDOWS\nsreg.dat
2007-07-14 18:00:07 0 d-------- C:\Documents and Settings\Administrator\Application Data\Mozilla
2007-07-14 17:53:45 0 d-------- C:\Documents and Settings\Administrator\Application Data\Identities
2007-07-14 17:53:32 0 d--h----- C:\Documents and Settings\Administrator\Templates
2007-07-14 17:53:32 0 dr------- C:\Documents and Settings\Administrator\Start Menu
2007-07-14 17:53:32 0 dr-h----- C:\Documents and Settings\Administrator\SendTo
2007-07-14 17:53:32 0 d--h----- C:\Documents and Settings\Administrator\PrintHood
2007-07-14 17:53:32 2883584 --ah----- C:\Documents and Settings\Administrator\NTUSER.DAT
2007-07-14 17:53:32 0 d--h----- C:\Documents and Settings\Administrator\NetHood
2007-07-14 17:53:32 0 dr------- C:\Documents and Settings\Administrator\My Documents
2007-07-14 17:53:32 0 d--h----- C:\Documents and Settings\Administrator\Local Settings
2007-07-14 17:53:32 0 dr------- C:\Documents and Settings\Administrator\Favorites
2007-07-14 17:53:32 0 d-------- C:\Documents and Settings\Administrator\Desktop
2007-07-14 17:53:32 0 d--hs---- C:\Documents and Settings\Administrator\Cookies
2007-07-14 17:53:32 0 dr-h----- C:\Documents and Settings\Administrator\Application Data
2007-07-14 17:52:58 0 d-------- C:\WINDOWS\SoftwareDistribution
2007-07-14 17:51:49 0 d-------- C:\WINDOWS\Prefetch
2007-07-14 17:51:43 262144 --ah----- C:\Documents and Settings\LocalService\NTUSER.DAT
2007-07-14 17:51:43 0 d--h----- C:\Documents and Settings\LocalService\Local Settings
2007-07-14 17:51:43 0 d---s---- C:\Documents and Settings\LocalService\Cookies
2007-07-14 17:51:43 0 d-------- C:\Documents and Settings\LocalService\Application Data
2007-07-14 17:51:43 0 d---s---- C:\Documents and Settings\LocalService\Application Data\Microsoft
2007-07-14 17:51:42 262144 --ah----- C:\Documents and Settings\NetworkService\NTUSER.DAT
2007-07-14 17:51:42 0 d--h----- C:\Documents and Settings\NetworkService\Local Settings
2007-07-14 17:51:42 0 d---s---- C:\Documents and Settings\NetworkService\Cookies
2007-07-14 17:51:42 0 d-------- C:\Documents and Settings\NetworkService\Application Data
2007-07-14 17:51:42 0 d---s---- C:\Documents and Settings\NetworkService\Application Data\Microsoft
2007-07-14 17:45:48 0 d-------- C:\wmpub
2007-07-14 17:45:48 0 d-------- C:\WINDOWS\system32\windows media
2007-07-14 17:45:48 0 d-------- C:\WINDOWS\system32\rpcproxy
2007-07-14 17:45:48 0 d-------- C:\WINDOWS\system32\reminst
2007-07-14 17:45:48 0 d-------- C:\WINDOWS\system32\pop3server
2007-07-14 17:45:48 0 d-------- C:\WINDOWS\system32\netmon
2007-07-14 17:45:48 0 d-------- C:\WINDOWS\system32\certsrv
2007-07-14 17:45:18 208896 ---h----- C:\Documents and Settings\Default User\NTUSER.DAT
2007-07-14 17:45:02 0 -rahs---- C:\MSDOS.SYS
2007-07-14 17:45:02 0 -rahs---- C:\IO.SYS
2007-07-14 17:45:02 0 --a------ C:\CONFIG.SYS
2007-07-14 17:45:02 0 --a------ C:\AUTOEXEC.BAT
2007-07-14 17:44:29 0 d-------- C:\WINDOWS\system32\MicrosoftPassport
2007-07-14 17:44:29 0 d---s---- C:\WINDOWS\system32\Microsoft
2007-07-14 17:43:07 0 d--hs---- C:\Documents and Settings\All Users\DRM
2007-07-14 17:42:48 0 dr------- C:\WINDOWS\Offline Web Pages
2007-07-14 17:42:48 0 d---s---- C:\WINDOWS\Downloaded Program Files
2007-07-14 17:42:28 0 d--h----- C:\Program Files\WindowsUpdate
2007-07-14 17:42:27 0 d-------- C:\Program Files\Online Services
2007-07-14 17:42:10 0 d-------- C:\WINDOWS\system32\ServerAppliance
2007-07-14 17:41:43 0 d---s---- C:\WINDOWS\Tasks
2007-07-14 17:41:39 0 d-------- C:\WINDOWS\srchasst
2007-07-14 17:41:28 0 d-------- C:\WINDOWS\PCHealth
2007-07-14 17:40:01 21160 --a------ C:\WINDOWS\system32\emptyregdb.dat
2007-07-14 17:39:42 0 d-------- C:\WINDOWS\Registration
2007-07-14 17:38:44 0 d-------- C:\WINDOWS\Application Compatibility Scripts
2007-07-14 17:38:42 0 d-------- C:\WINDOWS\system32\MsDtc
2007-07-14 17:38:26 0 d-------- C:\Program Files\Windows NT
2007-07-14 17:38:21 0 d-------- C:\WINDOWS\Cluster
2007-07-14 17:38:12 0 d-------- C:\WINDOWS\system32\Com


-- Find3M Report ---------------------------------------------------------------

2007-07-14 22:53:50 62 --ahs---- C:\Documents and Settings\Administrator\Application Data\desktop.ini


-- Registry Dump ---------------------------------------------------------------

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects]
{2F364306-AA45-47B5-9F9D-39A8B94E7EF7} C:\Program Files\FlashGet\jccatch.dll
{72853161-30C5-4D22-B7F9-0BBC1D38A37E} C:\PROGRA~1\MICROS~1\Office12\GRA8E1~1.DLL
{761497BB-D6F0-462C-B6EB-D4DAF1D92D43} C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
{86C510E9-97EF-4749-914F-0280247BE3A6} C:\WINDOWS\VirtualDNS.dll [x]
{E5A1691B-D188-4419-AD02-90002030B8EE} C:\PROGRA~1\FlashFXP\IEFlash.dll
{F156768E-81EF-470C-9057-481BA8380DBA} C:\Program Files\FlashGet\getflash.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run]
"OfficeScanNT Monitor"="\"C:\\Program Files\\Trend Micro\\OfficeScan Client\\pccntmon.exe\" -HideWindow"

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run]
"Yahoo! Pager"="\"C:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe\" -quiet"
"ctfmon.exe"="C:\\WINDOWS\\system32\\ctfmon.exe"

[HKEY_USERS\.default\software\microsoft\windows\currentversion\runonce]
"tscuninstall"=hex(2):25,73,79,73,74,65,6d,72,6f,6f,74,25,5c,73,79,73,74,65,6d,\
33,32,5c,74,73,63,75,70,67,72,64,2e,65,78,65,00

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"disablecad"=dword:00000000
"scforceoption"=dword:00000000

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]
"ShowSuperHidden"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer\run]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{B5A7F190-DDA6-4420-B3BA-52453494E6CD}"="Groove GFS Stub Execution Hook"

HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\dimsntfy

HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa
Authentication Packages REG_MULTI_SZ msv1_0\0\0
Notification Packages REG_MULTI_SZ RASSFM\0KDCSVC\0WDIGEST\0scecli\0\0
Security Packages REG_MULTI_SZ kerberos\0msv1_0\0schannel\0wdigest\0\0

HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\minimal\aawservice
HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\minimal\sacsvr
HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\minimal\wd.sys

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"=""
"hkey"="HKLM"
"command"=""
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ctfmon.exe]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="ctfmon"
"hkey"="HKCU"
"command"="C:\\WINDOWS\\system32\\ctfmon.exe"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Flashget]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="flashget"
"hkey"="HKLM"
"command"="C:\\Program Files\\FlashGet\\flashget.exe /min"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\GrooveMonitor]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="GrooveMonitor"
"hkey"="HKLM"
"command"="\"C:\\Program Files\\Microsoft Office\\Office12\\GrooveMonitor.exe\""
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HotKeysCmds]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="hkcmd"
"hkey"="HKLM"
"command"="C:\\WINDOWS\\system32\\hkcmd.exe"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IgfxTray]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="igfxtray"
"hkey"="HKLM"
"command"="C:\\WINDOWS\\system32\\igfxtray.exe"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\LanguageShortcut]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="Language"
"hkey"="HKLM"
"command"="\"C:\\Program Files\\CyberLink\\PowerDVD\\Language\\Language.exe\""
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroFilterCheck]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="NeroCheck"
"hkey"="HKLM"
"command"="C:\\WINDOWS\\system32\\NeroCheck.exe"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\OfficeScanNT Monitor]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="pccntmon"
"hkey"="HKLM"
"command"="\"C:\\Program Files\\Trend Micro\\OfficeScan Client\\pccntmon.exe\" -HideWindow"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RAMDrive]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="RDTask"
"hkey"="HKLM"
"command"="\"C:\\Program Files\\FarStone\\VirtualDrive\\VHD\\RDTask.exe\""
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RemoteControl]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="PDVDServ"
"hkey"="HKLM"
"command"="\"C:\\Program Files\\CyberLink\\PowerDVD\\PDVDServ.exe\""
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="jusched"
"hkey"="HKLM"
"command"="\"C:\\Program Files\\Java\\jre1.6.0_02\\bin\\jusched.exe\""
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\VirtualDrive]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="VDTask"
"hkey"="HKLM"
"command"="\"C:\\Program Files\\FarStone\\VirtualDrive\\VDTask.exe\" /AutoRestore"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Yahoo! Pager]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="YAHOOM~1"
"hkey"="HKCU"
"command"="\"C:\\PROGRA~1\\Yahoo!\\MESSEN~1\\YAHOOM~1.EXE\" -quiet"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Svchost]
HTTPFilter REG_MULTI_SZ HTTPFilter\0\0
LocalService REG_MULTI_SZ Alerter\0WebClient\0LmHosts\0W32Time\0WinHttpAutoProxySvc\0\0
NetworkService REG_MULTI_SZ 6to4\0DHCP\0DnsCache\0\0
WinErr REG_MULTI_SZ ERsvc\0\0
rpcss REG_MULTI_SZ RpcSs\0\0
DcomLaunch REG_MULTI_SZ DcomLaunch\0\0
tapisrv REG_MULTI_SZ Tapisrv\0\0
regsvc REG_MULTI_SZ RemoteRegistry\0\0
imgsvc REG_MULTI_SZ StiSvc\0\0
termsvcs REG_MULTI_SZ TermService\0\0
swprv REG_MULTI_SZ swprv\0\0
iissvcs REG_MULTI_SZ w3svc\0\0

hklm\software\Microsoft\Windows NT\CurrentVersion\Svchost *netsvcs*
AeLookupSvc


[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{7cbaa1a1-3379-11dc-af8d-000021016ccd}]
Shell\Auto\command G:\MicrosoftPowerPoint.exe
Shell\AutoRun\command C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL MicrosoftPowerPoint.exe

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{b67619ee-39d6-11dc-bb17-000021016ccd}]
Shell\Auto\command H:\MicrosoftPowerPoint.exe
Shell\AutoRun\command C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL MicrosoftPowerPoint.exe


-- End of Deckard's System Scanner: finished at 2007-07-28 at 11:38:49 ---------
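The two MountPoints2 entries at the end of the log above tell Explorer to launch MicrosoftPowerPoint.exe from the root of the G: and H: volumes when those volumes are opened (Shell\Auto\command) or autoplayed (Shell\AutoRun\command via RunDLL32/ShellExec_RunDLL). The following Python script is an added example, not code from this thread, from DSS or from HijackThis: it parses the MountPoints2 section of a DSS registry dump, flags every per-volume key whose shell verb launches an executable from the volume itself, and writes a .reg fragment that deletes those keys. The sample dump embedded in it is constructed from the two entries above; the removal fragment is this example's own output and is not the FIX.REG attached to the next post.

```python
"""Flag MountPoints2 autorun handlers in a Deckard's System Scanner (DSS) registry dump.

Added example, not part of the thread. DSS prints a bracketed key line followed by
"Shell\\<verb>\\command <command>" lines; this script parses that shape.
"""
import re

# Constructed sample: the MountPoints2 section in the shape the log above uses.
SAMPLE_DUMP = r"""
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{7cbaa1a1-3379-11dc-af8d-000021016ccd}]
Shell\Auto\command G:\MicrosoftPowerPoint.exe
Shell\AutoRun\command C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL MicrosoftPowerPoint.exe

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{b67619ee-39d6-11dc-bb17-000021016ccd}]
Shell\Auto\command H:\MicrosoftPowerPoint.exe
Shell\AutoRun\command C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL MicrosoftPowerPoint.exe
"""

MOUNTPOINTS2 = r"HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2"
KEY_RE = re.compile(r"^\[" + re.escape(MOUNTPOINTS2) + r"\\(\{[0-9a-f-]+\})\]$", re.I)
CMD_RE = re.compile(r"^Shell\\(\w+)\\command\s+(.*)$", re.I)
# "G:\something.exe": an executable sitting at the root of the volume itself.
DRIVE_EXE_RE = re.compile(r"^([A-Za-z]):\\([^\\\s]+\.exe)$", re.I)
# RunDLL32 Shell32.DLL,ShellExec_RunDLL <name>: <name> is resolved relative to the volume.
RUNDLL_RE = re.compile(r"ShellExec_RunDLL\s+(\S+)", re.I)


def parse_mountpoints(dump):
    """Return {guid: {verb: command}} for every MountPoints2 key in the dump text."""
    keys = {}
    current = None
    for raw in dump.splitlines():
        line = raw.strip()
        m = KEY_RE.match(line)
        if m:
            current = m.group(1).lower()
            keys[current] = {}
            continue
        if line.startswith("["):
            current = None  # some other registry key; ignore until the next MountPoints2 key
            continue
        m = CMD_RE.match(line)
        if m and current is not None:
            keys[current][m.group(1).lower()] = m.group(2).strip()
    return keys


def find_autorun_handlers(dump):
    """Return one finding per shell verb that launches an executable from the volume."""
    findings = []
    for guid, verbs in parse_mountpoints(dump).items():
        for verb, cmd in verbs.items():
            m = DRIVE_EXE_RE.match(cmd)
            if m:
                findings.append({"guid": guid, "verb": verb,
                                 "drive": m.group(1).upper(), "exe": m.group(2)})
                continue
            m = RUNDLL_RE.search(cmd)
            if m:
                findings.append({"guid": guid, "verb": verb,
                                 "drive": None, "exe": m.group(1)})
    return findings


def removal_reg(findings):
    """Build a .reg file deleting each flagged per-volume key.

    A leading '-' on a bracketed key name tells regedit to delete that key.
    """
    guids = sorted({f["guid"] for f in findings})
    lines = ["Windows Registry Editor Version 5.00", ""]
    for guid in guids:
        lines.append("[-HKEY_CURRENT_USER\\" + MOUNTPOINTS2[len("HKCU\\"):] + "\\" + guid + "]")
        lines.append("")
    return "\r\n".join(lines)


if __name__ == "__main__":
    hits = find_autorun_handlers(SAMPLE_DUMP)
    for h in hits:
        where = (h["drive"] + ":\\") if h["drive"] else "<volume-relative>"
        print(f"{h['guid']} Shell\\{h['verb']}\\command -> {where}{h['exe']}")
    print(removal_reg(hits))
```

Deleting the MountPoints2 key only clears Explorer's cached handler for that volume; the removable drive itself still carries the autorun.inf and the executable, and Explorer will recreate the key the next time that drive is inserted unless the drive is cleaned too.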

#7 ricox

Posted 29 July 2007 - 12:20 PM

Hi again :thumbsup:

Please read this post completely, it may make it easier for you if you copy and paste this post to a new text document or print it for reference later.

************************************

Please download ATF Cleaner by Atribune to your desktop

************************************

Download FIX.REG (right click HERE and select Save As to download it) attached to my post and save it to your desktop.
Do not run it yet !

************************************

Reboot your computer in Safe Mode by doing the following :
  • Restart your computer
  • After hearing your computer beep once during startup and just before the Windows icon appears, press F8.
  • Instead of Windows loading as normal, a menu should appear
  • Select the first option, to run Windows in Safe Mode.
************************************

Run ATF-Cleaner
  • Double-click ATF-Cleaner.exe to run the program.
  • Under Main choose: Select All
  • Click the Empty Selected button.
If you use Firefox browser
  • Click Firefox at the top and choose: Select All
  • Click the Empty Selected button.
  • NOTE: If you would like to keep your saved passwords, please click No at the prompt.
If you use Opera browser
  • Click Opera at the top and choose: Select All
  • Click the Empty Selected button.
  • NOTE: If you would like to keep your saved passwords, please click No at the prompt.
Click Exit on the Main menu to close the program.
For Technical Support, double-click the e-mail address located at the bottom of each menu.

************************************

Run FIX.REG
Double click FIX.REG. It will ask you if you want to merge it to the registry, click Yes.

************************************

After that, reboot your computer.

************************************

Please do an online scan with Kaspersky WebScanner

Click on Kaspersky Online Scanner

You will be prompted to install an ActiveX component from Kaspersky. Click Yes.
  • The program will launch and then begin downloading the latest definition files:
  • Once the files have been downloaded click on NEXT
  • Now click on Scan Settings
  • In the scan settings make sure that the following are selected:
    • Scan using the following Anti-Virus database:
    Extended (if available otherwise Standard)
    • Scan Options:
    Scan Archives
    Scan Mail Bases
  • Click OK
  • Now under Select a target to scan: select My Computer
  • The program will start and scan your system.
  • The scan will take a while so be patient and let it run.
  • Once the scan is complete it will display if your system has been infected.
    • Now click on the Save as Text button:
  • Save the file to your desktop.
  • Copy and paste that information in your next post.
************************************

Post a fresh Deckard's System Scanner (DSS) log along with kaspersky online report.

Attached Files

  • FIX.REG (443 bytes, 13 downloads)

Edited by ricox, 29 July 2007 - 12:25 PM.

Let's play a little game ...
