Jump to content


 


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.


Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.

Photo

Dialog Crashes Any Programs


  • Please log in to reply
9 replies to this topic

#1 sync0s

sync0s

  • Members
  • 14 posts
  • OFFLINE
  •  
  • Local time:11:46 AM

Posted 27 October 2007 - 05:58 PM

Hi. I've searched all over and can't find an answer to this question. I have Windows Vista Home Premium and it was running good until recently. I don't know what exactly happened but when ever I use File > Open File or Save File the dialog will pop up and attempt to load the files in the directory, and then the dialog and the whole program will no longer respond and eventually crashes. I've tested this on IE, Firefox, Microsoft Word and Works, notepad.exe and it does the same for them all. Please help me!

Thanks very much!

System:
Manufacturer: Hewlett-Packard Company
Model: SR5130NX
Processor: AMD Athlon™ 64 X2 Dual Core Processor 3800+ 2.00 GHz
Memory(RAM): 894MB
System Type: 32-bit Operating System


The program WINWORD.EXE version 12.0.4518.1014 stopped interacting with Windows and was closed. To see if more information about the problem is available, check the problem history in the Problem Reports and Solutions control panel. Process ID: 850 Start Time: 01c8181cb624cdba Termination Time: 10


Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 5:55:11 PM, on 10/27/2007
Platform: Windows Vista (WinNT 6.00.1904)
MSIE: Internet Explorer v7.00 (7.00.6000.16546)
Boot mode: Normal

Running processes:
C:\Windows\system32\taskeng.exe
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Program Files\Windows Defender\MSASCui.exe
C:\hp\support\hpsysdrv.exe
C:\Program Files\Hewlett-Packard\On-Screen OSD Indicator\OSD.exe
C:\Windows\RtHDVCpl.exe
C:\Windows\System32\wpcumi.exe
C:\Windows\System32\rundll32.exe
C:\Program Files\HP\HP Software Update\hpwuSchd2.exe
C:\Program Files\Windows Media Player\WMPNSCFG.exe
C:\Program Files\Mozilla Firefox\firefox.exe
c:\Program Files\Microsoft Works\WkDStore.exe
c:\Program Files\Common Files\Microsoft Shared\Works Shared\wkcalrem.exe
C:\Windows\system32\SearchFilterHost.exe
C:\Users\owner\Desktop\HiJackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://ie.redirect.hp.com/svs/rdr?TYPE=3&a...&pf=desktop
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://ie.redirect.hp.com/svs/rdr?TYPE=3&a...&pf=desktop
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.comcast.net/
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O1 - Hosts: ::1 localhost
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O4 - HKLM\..\Run: [Windows Defender] %ProgramFiles%\Windows Defender\MSASCui.exe -hide
O4 - HKLM\..\Run: [OsdMaestro] "C:\Program Files\Hewlett-Packard\On-Screen OSD Indicator\OSD.exe"
O4 - HKLM\..\Run: [NvSvc] RUNDLL32.EXE C:\Windows\system32\nvsvc.dll,nvsvcStart
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\Windows\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\Windows\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [WPCUMI] C:\Windows\system32\WpcUmi.exe
O4 - HKLM\..\Run: [MSConfig] "C:\Windows\system32\msconfig.exe" /auto
O4 - HKLM\..\RunOnce: [Launcher] %WINDIR%\SMINST\launcher.exe
O4 - HKUS\S-1-5-19\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\Run: [WindowsWelcomeCenter] rundll32.exe oobefldr.dll,ShowWelcomeCenter (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-21-2557063472-3044314221-3181451314-1003\..\Run: [Sidebar] C:\Program Files\Windows Sidebar\sidebar.exe /autoRun (User 'Tony')
O4 - S-1-5-21-2557063472-3044314221-3181451314-1003 Startup: LimeWire On Startup.lnk = C:\Program Files\LimeWire\LimeWire.exe (User 'Tony')
O4 - S-1-5-21-2557063472-3044314221-3181451314-1003 User Startup: LimeWire On Startup.lnk = C:\Program Files\LimeWire\LimeWire.exe (User 'Tony')
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\Office12\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~3\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~3\Office12\ONBttnIE.dll
O9 - Extra button: PalTalk - {4EAFEF58-EEFA-4116-983D-03B49BCBFFFE} - (no file)
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\Office12\REFIEBAR.DLL
O10 - Unknown file in Winsock LSP: c:\windows\system32\wpclsp.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\wpclsp.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\wpclsp.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\wpclsp.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\wpclsp.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\wpclsp.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\wpclsp.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\wpclsp.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\wpclsp.dll
O13 - Gopher Prefix:
O16 - DPF: {20A60F0D-9AFA-4515-A0FD-83BD84642501} (Checkers Class) - http://messenger.zone.msn.com/binary/msgrchkr.cab56986.cab
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://gfx2.hotmail.com/mail/w2/pr02/resou...NPUplden-us.cab
O16 - DPF: {5D6F45B3-9043-443D-A792-115447494D24} (UnoCtrl Class) - http://messenger.zone.msn.com/EN-US/a-_UNO/GAME_UNO1.cab
O16 - DPF: {8A94C905-FF9D-43B6-8708-F0F22D22B1CB} (Wwlaunch Control) - http://www.worldwinner.com/games/shared/wwlaunch.cab
O16 - DPF: {9122D757-5A4F-4768-82C5-B4171D8556A7} (PhotoPickConvert Class) - http://appdirectory.messenger.msn.com/AppD...ap/PhtPkMSN.cab
O16 - DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/Messe...nt.cab56907.cab
O16 - DPF: {FAE74270-E5EE-49C3-B816-EA8B4D55F38F} (H2hPool Control) - http://www.worldwinner.com/games/v53/h2hpool/h2hpool.cab
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: GameConsoleService - WildTangent, Inc. - C:\Program Files\HP Games\My HP Game Console\GameConsoleService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - c:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: RoxMediaDB9 - Sonic Solutions - c:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxMediaDB9.exe
O23 - Service: SupportSoft Sprocket Service (ddoctorv2) (sprtsvc_ddoctorv2) - SupportSoft, Inc. - C:\Program Files\Comcast\Desktop Doctor\bin\sprtsvc.exe
O23 - Service: stllssvr - MicroVision Development, Inc. - c:\Program Files\Common Files\SureThing Shared\stllssvr.exe
O23 - Service: Stardock WindowBlinds (WindowBlinds) - Stardock Corporation - C:\PROGRA~1\Stardock\OBJECT~1\WINDOW~1\VistaSrv.exe
O23 - Service: XAudioService - Conexant Systems, Inc. - C:\Windows\system32\DRIVERS\xaudio.exe

--
End of file - 7539 bytes



BC AdBot (Login to Remove)

 


#2 Falu

Falu

  • Security Colleague
  • 3,001 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:The Netherlands
  • Local time:10:46 AM

Posted 19 November 2007 - 05:52 AM

Hi sync0s, :thumbsup:

If you still need help please post a fresh HijackThis log and I'll be happy to look at it for you.

Thanks for your patience. :blink:

P.S. Please copy/paste the log into this thread using the Add Reply button.

#3 sync0s

sync0s
  • Topic Starter

  • Members
  • 14 posts
  • OFFLINE
  •  
  • Local time:11:46 AM

Posted 15 December 2007 - 07:01 PM

Sorry about the late response. I hope you can still help me because I still am having this problem. Here's a fresh HijackThis log:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 6:01:02 PM, on 12/15/2007
Platform: Windows Vista (WinNT 6.00.1904)
MSIE: Internet Explorer v7.00 (7.00.6000.16575)
Boot mode: Normal

Running processes:
C:\Windows\system32\taskeng.exe
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Program Files\Windows Defender\MSASCui.exe
C:\Program Files\Hewlett-Packard\On-Screen OSD Indicator\OSD.exe
C:\Windows\System32\wpcumi.exe
C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe
C:\Program Files\CSS\Steam.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Internet Explorer\ieuser.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Users\owner\Desktop\HiJackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://ie.redirect.hp.com/svs/rdr?TYPE=3&a...&pf=desktop
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://ie.redirect.hp.com/svs/rdr?TYPE=3&a...&pf=desktop
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.comcast.net/
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O1 - Hosts: ::1 localhost
O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - (no file)
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O4 - HKLM\..\Run: [Windows Defender] %ProgramFiles%\Windows Defender\MSASCui.exe -hide
O4 - HKLM\..\Run: [OsdMaestro] "C:\Program Files\Hewlett-Packard\On-Screen OSD Indicator\OSD.exe"
O4 - HKLM\..\Run: [WPCUMI] C:\Windows\system32\WpcUmi.exe
O4 - HKLM\..\Run: [MSConfig] "C:\Windows\system32\msconfig.exe" /auto
O4 - HKLM\..\Run: [NvSvc] RUNDLL32.EXE C:\Windows\system32\nvsvc.dll,nvsvcStart
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\Windows\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\Windows\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\RunOnce: [Launcher] %WINDIR%\SMINST\launcher.exe
O4 - HKCU\..\Run: [Orb] "C:\Program Files\Winamp Remote\bin\OrbTray.exe" /background
O4 - HKCU\..\Run: [Steam] "C:\Program Files\CSS\Steam.exe" -silent
O4 - HKUS\S-1-5-19\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\Run: [WindowsWelcomeCenter] rundll32.exe oobefldr.dll,ShowWelcomeCenter (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'NETWORK SERVICE')
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\Office12\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~3\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~3\Office12\ONBttnIE.dll
O9 - Extra button: PalTalk - {4EAFEF58-EEFA-4116-983D-03B49BCBFFFE} - (no file)
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\Office12\REFIEBAR.DLL
O10 - Unknown file in Winsock LSP: c:\windows\system32\wpclsp.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\wpclsp.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\wpclsp.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\wpclsp.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\wpclsp.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\wpclsp.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\wpclsp.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\wpclsp.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\wpclsp.dll
O13 - Gopher Prefix:
O16 - DPF: {20A60F0D-9AFA-4515-A0FD-83BD84642501} (Checkers Class) - http://messenger.zone.msn.com/binary/msgrchkr.cab56986.cab
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (Installation Support) - C:\Program Files\Yahoo!\Common\Yinsthelper.dll
O16 - DPF: {48DD0448-9209-4F81-9F6D-D83562940134} (MySpace Uploader Control) - http://lads.myspace.com/upload/MySpaceUploader.cab
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://gfx2.hotmail.com/mail/w2/pr02/resou...NPUplden-us.cab
O16 - DPF: {5D6F45B3-9043-443D-A792-115447494D24} (UnoCtrl Class) - http://messenger.zone.msn.com/EN-US/a-_UNO/GAME_UNO1.cab
O16 - DPF: {5F8469B4-B055-49DD-83F7-62B522420ECC} (Facebook Photo Uploader Control) - http://upload.facebook.com/controls/Facebo...otoUploader.cab
O16 - DPF: {8A94C905-FF9D-43B6-8708-F0F22D22B1CB} (Wwlaunch Control) - http://www.worldwinner.com/games/shared/wwlaunch.cab
O16 - DPF: {9122D757-5A4F-4768-82C5-B4171D8556A7} (PhotoPickConvert Class) - http://appdirectory.messenger.msn.com/AppD...ap/PhtPkMSN.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (MSN Games - Installer) - http://messenger.zone.msn.com/binary/ZIntro.cab56649.cab
O16 - DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/Messe...nt.cab56907.cab
O16 - DPF: {FAE74270-E5EE-49C3-B816-EA8B4D55F38F} (H2hPool Control) - http://www.worldwinner.com/games/v53/h2hpool/h2hpool.cab
O23 - Service: GameConsoleService - WildTangent, Inc. - C:\Program Files\HP Games\My HP Game Console\GameConsoleService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - c:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: SupportSoft Sprocket Service (ddoctorv2) (sprtsvc_ddoctorv2) - SupportSoft, Inc. - C:\Program Files\Comcast\Desktop Doctor\bin\sprtsvc.exe
O23 - Service: Steam Client Service - Valve Corporation - C:\Program Files\Common Files\Steam\SteamService.exe
O23 - Service: stllssvr - MicroVision Development, Inc. - c:\Program Files\Common Files\SureThing Shared\stllssvr.exe
O23 - Service: XAudioService - Conexant Systems, Inc. - C:\Windows\system32\DRIVERS\xaudio.exe

--
End of file - 7364 bytes


Edited by sync0s, 15 December 2007 - 07:02 PM.


#4 sync0s

sync0s
  • Topic Starter

  • Members
  • 14 posts
  • OFFLINE
  •  
  • Local time:11:46 AM

Posted 17 December 2007 - 07:15 PM

Just to add to this information, I was testing something yesterday and made a discovery on the problem (yet still haven't solved it). I currently have 3 users that have administrative login access to the computer and two of them have this problem but as I discovered yesterday the 3rd doesn't. This user was created second in line after mine and before the 3rd user and my user name and the 3rd one don't experience this. I don't know if this helps at all but I wondered if it may point someone in the right direction. Thanks for all the help :thumbsup:

#5 Falu

Falu

  • Security Colleague
  • 3,001 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:The Netherlands
  • Local time:10:46 AM

Posted 19 December 2007 - 04:13 AM

Hi sync0s, :thumbsup:

Welcome to BleepingComputer Forums and thanks again for your patience.

Reached my final destination so can/will respond much quicker from now on.

By the way just use the Add Reply button to post a log here.

1. We need to disable your Windows Defender Real-time Protection as it may interfere with the fixes that we need to make.

Open Windows Defender.
Click on Tools, General Settings.
Scroll down and uncheck Turn on real-time protection (recommended).
After you uncheck this, click on the Save button and close Windows Defender.

2. Run HijackThis, click Scan and checkmark the following entries:

R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - (no file)
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O9 - Extra button: PalTalk - {4EAFEF58-EEFA-4116-983D-03B49BCBFFFE} - (no file)


Close all browsers and windows, except for HijackThis and click the Fix Checked button; close HijackThis!

3. Download ATF Cleaner by Atribune.

Double-click ATF-Cleaner.exe to run the program.
Under Main choose: Select All
Click the Empty Selected button.

If you use Firefox browserClick Firefox at the top and choose: Select All
Click the Empty Selected button.
NOTE: If you would like to keep your saved passwords, please click No at the prompt.
If you use Opera browserClick Opera at the top and choose: Select All
Click the Empty Selected button.
NOTE: If you would like to keep your saved passwords, please click No at the prompt.
Click Exit on the Main menu to close the program.
For Technical Support, double-click the e-mail address located at the bottom of each menu.

4. Download Deckard's System Scanner and save it to your Desktop.

* Double click dss.exe and follow the prompts.
* When finished, it will produce a log for you.
* Post the contents of that log in your next reply.
* Using Windows Explorer (to get there right-click your Start button and go to "Explore"), navigate to the C:\Deckard\System Scanner folder. You will find two logs in the folder, main.txt and extra.txt.
* Open the main.txt log in Notepad
* Also Copy and Paste its contents in a reply.

5. Finally run the F-Secure Online Scanner; scroll for the beta version which works with Vista.
Note: This Scanner is for Internet Explorer Only!
Follow the Instruction here for installation.
Accept the License Agreement.
Once the ActiveX installs,Click Full System Scan
Once the download completes, the scan will begin automatically.
The scan will take some time to finish, so please be patient.
When the scan completes, click the Automatic cleaning (recommended) button.
Click the Show Report button and Copy&Paste the entire report in your next reply.

6. Are you using an antivirus and a firewall? I see nothing in your log that would indicate that you have. I urge you to install one of each since it's your first defense against malware.

> Firewall: there are several good but for free programmes available like:

Comodo Firewall Pro
Kerio
Zone alarm

For a tutorial on Firewalls click: Understanding and Using Firewalls!

> AntiVirus: Several good ones and for free like AVG and AntiVir Personal Edition and Avast!

Please post the F-Secure report along with DSS main/extra logs.

#6 sync0s

sync0s
  • Topic Starter

  • Members
  • 14 posts
  • OFFLINE
  •  
  • Local time:11:46 AM

Posted 21 December 2007 - 12:04 AM

Hi thank you so much for the reply! Here are the logs I got from the programs you told me to run:

Deckard's System Scanner v20071014.68
Run by owner on 2007-12-20 21:08:16
Computer is in Normal Mode.
--------------------------------------------------------------------------------

-- Last 5 Restore Point(s) --
16: 2007-12-20 20:20:24 UTC - RP160 - Scheduled Checkpoint
15: 2007-12-20 07:46:49 UTC - RP159 - Scheduled Checkpoint
14: 2007-12-19 09:04:51 UTC - RP158 - Windows Update
13: 2007-12-18 18:34:06 UTC - RP157 - Scheduled Checkpoint
12: 2007-12-17 21:27:13 UTC - RP156 - Scheduled Checkpoint


-- First Restore Point --
1: 2007-12-08 09:48:20 UTC - RP145 - Scheduled Checkpoint


Backed up registry hives.
Performed disk cleanup.



-- HijackThis (run as owner.exe) -----------------------------------------------

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 9:10:02 PM, on 12/20/2007
Platform: Windows Vista (WinNT 6.00.1904)
MSIE: Internet Explorer v7.00 (7.00.6000.16575)
Boot mode: Normal

Running processes:
C:\Windows\system32\taskeng.exe
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Program Files\CSS\Steam.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Users\owner\Desktop\dss.exe
C:\Users\owner\Desktop\owner.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://ie.redirect.hp.com/svs/rdr?TYPE=3&a...&pf=desktop
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://ie.redirect.hp.com/svs/rdr?TYPE=3&a...&pf=desktop
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.comcast.net/
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O1 - Hosts: ::1 localhost
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O4 - HKLM\..\Run: [MSConfig] "C:\Windows\system32\msconfig.exe" /auto
O4 - HKLM\..\RunOnce: [Launcher] %WINDIR%\SMINST\launcher.exe
O4 - HKCU\..\Run: [Orb] "C:\Program Files\Winamp Remote\bin\OrbTray.exe" /background
O4 - HKCU\..\Run: [Steam] "C:\Program Files\CSS\Steam.exe" -silent
O4 - HKUS\S-1-5-19\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\Run: [WindowsWelcomeCenter] rundll32.exe oobefldr.dll,ShowWelcomeCenter (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'NETWORK SERVICE')
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\Office12\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~3\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~3\Office12\ONBttnIE.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\Office12\REFIEBAR.DLL
O10 - Unknown file in Winsock LSP: c:\windows\system32\wpclsp.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\wpclsp.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\wpclsp.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\wpclsp.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\wpclsp.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\wpclsp.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\wpclsp.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\wpclsp.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\wpclsp.dll
O13 - Gopher Prefix:
O16 - DPF: {20A60F0D-9AFA-4515-A0FD-83BD84642501} (Checkers Class) - http://messenger.zone.msn.com/binary/msgrchkr.cab56986.cab
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (Installation Support) - C:\Program Files\Yahoo!\Common\Yinsthelper.dll
O16 - DPF: {48DD0448-9209-4F81-9F6D-D83562940134} (MySpace Uploader Control) - http://lads.myspace.com/upload/MySpaceUploader.cab
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://gfx2.hotmail.com/mail/w2/pr02/resou...NPUplden-us.cab
O16 - DPF: {5D6F45B3-9043-443D-A792-115447494D24} (UnoCtrl Class) - http://messenger.zone.msn.com/EN-US/a-_UNO/GAME_UNO1.cab
O16 - DPF: {5F8469B4-B055-49DD-83F7-62B522420ECC} (Facebook Photo Uploader Control) - http://upload.facebook.com/controls/Facebo...otoUploader.cab
O16 - DPF: {8A94C905-FF9D-43B6-8708-F0F22D22B1CB} (Wwlaunch Control) - http://www.worldwinner.com/games/shared/wwlaunch.cab
O16 - DPF: {9122D757-5A4F-4768-82C5-B4171D8556A7} (PhotoPickConvert Class) - http://appdirectory.messenger.msn.com/AppD...ap/PhtPkMSN.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (MSN Games - Installer) - http://messenger.zone.msn.com/binary/ZIntro.cab56649.cab
O16 - DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/Messe...nt.cab56907.cab
O16 - DPF: {FAE74270-E5EE-49C3-B816-EA8B4D55F38F} (H2hPool Control) - http://www.worldwinner.com/games/v53/h2hpool/h2hpool.cab
O23 - Service: GameConsoleService - WildTangent, Inc. - C:\Program Files\HP Games\My HP Game Console\GameConsoleService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - c:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: SupportSoft Sprocket Service (ddoctorv2) (sprtsvc_ddoctorv2) - SupportSoft, Inc. - C:\Program Files\Comcast\Desktop Doctor\bin\sprtsvc.exe
O23 - Service: Steam Client Service - Valve Corporation - C:\Program Files\Common Files\Steam\SteamService.exe
O23 - Service: stllssvr - MicroVision Development, Inc. - c:\Program Files\Common Files\SureThing Shared\stllssvr.exe
O23 - Service: XAudioService - Conexant Systems, Inc. - C:\Windows\system32\DRIVERS\xaudio.exe

--
End of file - 6325 bytes

-- HijackThis Fixed Entries (C:\Users\owner\Desktop\backups\) ------------------

backup-20071220-210524-627 O9 - Extra button: PalTalk - {4EAFEF58-EEFA-4116-983D-03B49BCBFFFE} - (no file)
backup-20071220-210524-657 R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
backup-20071220-210524-805 O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
backup-20071220-210524-878 R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
backup-20071220-210524-961 R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
backup-20071220-210524-990 O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - (no file)

-- File Associations -----------------------------------------------------------

All associations okay.


-- Drivers: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled ---------------------

All drivers whitelisted.


-- Services: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled --------------------

S4 Apple Mobile Device - "c:\program files\common files\apple\mobile device support\bin\applemobiledeviceservice.exe" <Not Verified; Apple, Inc.; Apple Mobile Device Service>


-- Device Manager: Disabled ----------------------------------------------------

Class GUID: {36fc9e60-c465-11cf-8056-444553540000}
Description: USB Mass Storage Device
Device ID: USB\VID_0BDA&PID_0111\20021111153705700
Manufacturer: Compatible USB storage device
Name: USB Mass Storage Device
PNP Device ID: USB\VID_0BDA&PID_0111\20021111153705700
Service: USBSTOR


-- Scheduled Tasks -------------------------------------------------------------

2007-11-28 03:21:02 338 --a------ C:\Windows\Tasks\Uniblue SpyEraser.job


-- Files created between 2007-11-20 and 2007-12-20 -----------------------------

2007-12-16 16:01:53 0 d-------- C:\Program Files\Any to Icon
2007-12-16 01:45:54 0 d-------- C:\Users\owner\mIRC
2007-12-15 16:10:13 0 d-------- C:\Program Files\Microsoft Virtual PC
2007-12-11 15:16:58 0 d-------- C:\cygwin
2007-12-10 02:41:12 33 --a------ C:\Program1
2007-12-10 02:18:15 0 d-------- C:\Users\owner\mIRC63
2007-12-10 01:25:19 128712 --ah----- C:\Windows\system32\mlfcache.dat
2007-12-10 01:03:27 0 d-------- C:\Users\owner\mtsloader171
2007-12-09 21:00:20 0 d-------- C:\Program Files\OLYMPUS
2007-12-08 15:06:33 0 d-------- C:\Program Files\XDCC Catcher
2007-11-24 15:00:00 0 d-------- C:\Program Files\QuickTime
2007-11-23 14:58:01 0 d-------- C:\Program Files\iTunes


-- Find3M Report ---------------------------------------------------------------

2007-12-20 21:02:27 0 d-------- C:\Program Files\CSS
2007-12-17 03:32:30 0 d-------- C:\Users\owner\AppData\Roaming\.purple
2007-12-16 22:12:32 0 d-------- C:\Program Files\mIRC
2007-12-15 20:04:33 0 d-------- C:\Users\owner\AppData\Roaming\U3
2007-12-14 22:06:35 0 d-------- C:\Program Files\Common Files\Steam
2007-12-11 15:39:15 0 d-------- C:\Program Files\Microsoft Visual Studio 8
2007-12-10 02:23:53 0 d-------- C:\Users\owner\AppData\Roaming\mIRC
2007-12-08 14:58:25 0 d-------- C:\Users\owner\AppData\Roaming\LimeWire
2007-12-05 20:10:25 0 d-------- C:\Users\owner\AppData\Roaming\Help
2007-11-29 12:59:20 0 d-------- C:\Program Files\Messenger Plus! Live
2007-11-29 12:59:19 0 d-------- C:\Program Files\MSN Messenger
2007-11-23 19:36:56 0 d-------- C:\Program Files\Rhapsody
2007-11-23 17:30:26 0 d-------- C:\Program Files\Roxio
2007-11-23 17:30:24 0 d-------- C:\Program Files\Common Files\Roxio Shared
2007-11-23 17:30:22 0 d-------- C:\Program Files\Common Files
2007-11-23 17:21:04 0 d-------- C:\Program Files\Real
2007-11-23 17:21:04 0 d-------- C:\Program Files\Common Files\Real
2007-11-23 17:20:54 0 d-------- C:\Users\owner\AppData\Roaming\Real
2007-11-23 17:19:44 0 d-------- C:\Program Files\Yahoo!
2007-11-23 14:58:18 0 d-------- C:\Program Files\iPod
2007-11-18 23:29:22 0 d-------- C:\Users\owner\AppData\Roaming\Yahoo!
2007-11-18 21:30:26 0 d-------- C:\Users\owner\AppData\Roaming\WinRAR
2007-11-18 19:58:55 0 d-------- C:\Program Files\Windows Live
2007-11-15 14:07:49 0 d-------- C:\Program Files\Windows Mail
2007-11-08 20:25:11 0 d-------- C:\Program Files\MySpace
2007-11-06 01:56:47 27503 --a------ C:\Users\owner\AppData\Roaming\UserTile.png
2007-11-06 01:56:47 0 d-------- C:\Users\owner\AppData\Roaming\PeerNetworking
2007-11-05 22:00:40 0 d-------- C:\Users\owner\AppData\Roaming\MySpace
2007-11-02 19:05:22 0 d-------- C:\Program Files\NCH Swift Sound
2007-10-31 22:46:13 0 d-------- C:\Program Files\Pidgin
2007-10-31 22:44:37 0 d-------- C:\Program Files\Gaim
2007-10-27 23:51:35 0 d-------- C:\Users\owner\AppData\Roaming\Winamp
2007-10-27 23:48:29 0 d-------- C:\Program Files\Winamp
2007-10-27 23:48:20 0 d-------- C:\Program Files\Winamp Remote
2007-10-27 19:09:56 2560 --a------ C:\Windows\_MSRSTRT.EXE
2007-10-27 19:08:01 0 d-------- C:\Program Files\Eusing Free Registry Cleaner
2007-10-27 18:24:57 0 d-------- C:\Program Files\Microsoft Network Monitor 3
2007-10-27 18:01:15 0 d-------- C:\Program Files\Google
2007-10-27 16:45:26 0 d-------- C:\Program Files\PC Registry Cleaner
2007-10-27 16:43:05 0 d-------- C:\Program Files\Common Files\Wise Installation Wizard
2007-10-25 19:55:37 0 d-------- C:\Program Files\Java
2007-10-25 19:54:26 0 d-------- C:\Program Files\Common Files\Java
2007-10-25 02:29:11 0 d-------- C:\Program Files\HP
2007-10-25 02:16:02 0 d-------- C:\Program Files\Microsoft Works
2007-10-24 23:27:58 0 d-------- C:\Users\owner\AppData\Roaming\Google
2007-10-24 23:18:29 0 d-------- C:\Users\owner\AppData\Roaming\Template
2007-10-24 23:18:28 0 --a------ C:\Users\owner\AppData\Roaming\wklnhst.dat


-- Registry Dump ---------------------------------------------------------------

*Note* empty entries & legit default entries are not shown


[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"@"="" []
"MSConfig"="C:\Windows\system32\msconfig.exe" [11/02/2006 03:45 AM]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Orb"="C:\Program Files\Winamp Remote\bin\OrbTray.exe" [10/22/2007 06:47 PM]
"Steam"="C:\Program Files\CSS\Steam.exe" [11/29/2007 06:01 PM]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\runonce]
"Launcher"=%WINDIR%\SMINST\launcher.exe

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"ConsentPromptBehaviorAdmin"=2 (0x2)

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]
"LogonHoursAction"=2 (0x2)
"DontDisplayLogonHoursWarnings"=1 (0x1)

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\AppInfo]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\KeyIso]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\NTDS]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\ProfSvc]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\sacsvr]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\SWPRV]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\TabletInputService]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\TBS]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\TrustedInstaller]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\VDS]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\volmgr.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\volmgrx.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{533C5B84-EC70-11D2-9505-00C04F79DEAF}]
@="Volume shadow copy"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{6BDD1FC1-810F-11D0-BEC7-08002BE2092F}]
@="IEEE 1394 Bus host controllers"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{D48179BE-EC20-11D1-B6B8-00C04FA372A7}]
@="SBP2 IEEE 1394 Devices"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{D94EE5D8-D189-4994-83D2-F68D7D41B0E6}]
@="SecurityDevices"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^ProgramData^Microsoft^Windows^Start Menu^Programs^Startup^PalTalk.lnk]
backup=C:\Windows\pss\PalTalk.lnk.CommonStartup
backupExtension=.CommonStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
"C:\Program Files\iTunes\iTunesHelper.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\msnmsgr]
"C:\Program Files\MSN Messenger\msnmsgr.exe" /background

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvCplDaemon]
RUNDLL32.EXE C:\Windows\system32\NvCpl.dll,NvStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvMediaCenter]
RUNDLL32.EXE C:\Windows\system32\NvMcTray.dll,NvTaskbarInit

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvSvc]
RUNDLL32.EXE C:\Windows\system32\nvsvc.dll,nvsvcStart

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
"C:\Program Files\QuickTime\QTTask.exe" -atboottime

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Uniblue SpyEraser]
"C:\Program Files\Uniblue\SpyEraser\SpyEraser.exe" -m

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WinampAgent]
"C:\Program Files\Winamp\winampa.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
LocalSystemNetworkRestricted hidserv UxSms WdiSystemHost Netman trkwks AudioEndpointBuilder WUDFSvc irmon sysmain IPBusEnum dot3svc PcaSvc EMDMgmt TabletInputService wlansvc WPDBusEnum


[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\>{22d6f312-b0f6-11d0-94ab-0080c74c7e95}]
C:\Windows\system32\unregmp2.exe /ShowWMP

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{6BF52A52-394A-11d3-B153-00C04F79FAA6}]
%SystemRoot%\system32\unregmp2.exe /FirstLogon /Shortcuts /RegBrowsers /ResetMUI



-- End of Deckard's System Scanner: finished at 2007-12-20 21:12:00 ------------


Deckard's System Scanner v20071014.68
Extra logfile - please post this as an attachment with your post.
--------------------------------------------------------------------------------

-- System Information ----------------------------------------------------------

Microsoft® Windows Vista™ Home Premium (build 6000)
Architecture: X86; Language: English

CPU 0: AMD Athlon™ 64 X2 Dual Core Processor 3800+
Percentage of Memory in Use: 35%
Physical Memory (total/avail): 1917.94 MiB / 1243.54 MiB
Pagefile Memory (total/avail): 4058.34 MiB / 3266.41 MiB
Virtual Memory (total/avail): 2047.88 MiB / 1926.28 MiB

C: is Fixed (NTFS) - 177.55 GiB total, 122.31 GiB free.
D: is Fixed (NTFS) - 8.76 GiB total, 1.01 GiB free.
E: is CDROM (CDFS)

\\.\PHYSICALDRIVE0 - WDC WD20 00JS-60NCB1 SCSI Disk Device - 186.31 GiB - 2 partitions
\PARTITION0 (bootable) - Installable File System - 177.55 GiB - C:
\PARTITION1 - Installable File System - 8.76 GiB - D:



-- Security Center -------------------------------------------------------------

AUOptions is scheduled to auto-install.
Windows Internal Firewall is enabled.

AS: Windows Defender v1.1.1505.0 (Microsoft Corporation) Disabled

[HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List]

[HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]
"C:\\Program Files\\EarthLink TotalAccess\\TaskPanl.exe"="C:\\Program Files\\EarthLink TotalAccess\\TaskPanl.exe:*:Enabled:Earthlink"


-- Environment Variables -------------------------------------------------------

ALLUSERSPROFILE=C:\ProgramData
APPDATA=C:\Users\owner\AppData\Roaming
CLASSPATH=.;C:\Program Files\Java\jre1.6.0_03\lib\ext\QTJava.zip
CommonProgramFiles=C:\Program Files\Common Files
COMPUTERNAME=OWNER-PC
ComSpec=C:\Windows\system32\cmd.exe
FP_NO_HOST_CHECK=NO
HOMEDRIVE=C:
HOMEPATH=\Users\owner
LOCALAPPDATA=C:\Users\owner\AppData\Local
LOGONSERVER=\\OWNER-PC
NUMBER_OF_PROCESSORS=2
OnlineServices=Online Services
OS=Windows_NT
Path=C:\Windows\system32;C:\Windows;C:\Windows\System32\Wbem;C:\hp\bin\Python;c:\Program Files\Common Files\Roxio Shared\DLLShared\;c:\Program Files\Common Files\Roxio Shared\DLLShared\;c:\Program Files\Common Files\Roxio Shared\9.0\DLLShared\;C:\Program Files\Microsoft Network Monitor 3\;C:\Program Files\QuickTime\QTSystem\
PATHEXT=.COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC
PCBRAND=Presario
PLATFORM=HPD
PROCESSOR_ARCHITECTURE=x86
PROCESSOR_IDENTIFIER=x86 Family 15 Model 75 Stepping 2, AuthenticAMD
PROCESSOR_LEVEL=15
PROCESSOR_REVISION=4b02
ProgramData=C:\ProgramData
ProgramFiles=C:\Program Files
PROMPT=$P$G
PUBLIC=C:\Users\Public
QTJAVA=C:\Program Files\Java\jre1.6.0_03\lib\ext\QTJava.zip
SystemDrive=C:
SystemRoot=C:\Windows
TEMP=C:\Users\owner\AppData\Local\Temp
TMP=C:\Users\owner\AppData\Local\Temp
USERDOMAIN=owner-PC
USERNAME=owner
USERPROFILE=C:\Users\owner
windir=C:\Windows


-- User Profiles ---------------------------------------------------------------

owner
Yakeata
Visitor
Tony
Guest (new local, guest, net ready)


-- Add/Remove Programs ---------------------------------------------------------

-->
-->
--> "C:\Program Files\HP Games\Bejeweled 2 Deluxe\Uninstall.exe"
--> "C:\Program Files\HP Games\Blackhawk Striker 2\Uninstall.exe"
--> "C:\Program Files\HP Games\Blasterball 3\Uninstall.exe"
--> "C:\Program Files\HP Games\Bookworm Deluxe\Uninstall.exe"
--> "C:\Program Files\HP Games\Bounce Symphony\Uninstall.exe"
--> "C:\Program Files\HP Games\Cake Mania\Uninstall.exe"
--> "C:\Program Files\HP Games\Chuzzle Deluxe\Uninstall.exe"
--> "C:\Program Files\HP Games\Crystal Maze\Uninstall.exe"
--> "C:\Program Files\HP Games\Cue Master\Uninstall.exe"
--> "C:\Program Files\HP Games\Diner Dash\Uninstall.exe"
--> "C:\Program Files\HP Games\Family Feud\Uninstall.exe"
--> "C:\Program Files\HP Games\FATE\Uninstall.exe"
--> "C:\Program Files\HP Games\Final Drive Nitro\Uninstall.exe"
--> "C:\Program Files\HP Games\Flip Words\Uninstall.exe"
--> "C:\Program Files\HP Games\Insaniquarium Deluxe\Uninstall.exe"
--> "C:\Program Files\HP Games\JEOPARDY\Uninstall.exe"
--> "C:\Program Files\HP Games\Jewel Quest\Uninstall.exe"
--> "C:\Program Files\HP Games\Mah Jong Quest\Uninstall.exe"
--> "C:\Program Files\HP Games\My HP Game Console\Uninstall.exe"
--> "C:\Program Files\HP Games\Otto\Uninstall.exe"
--> "C:\Program Files\HP Games\Overball\Uninstall.exe"
--> "C:\Program Files\HP Games\Penguins!\Uninstall.exe"
--> "C:\Program Files\HP Games\Phoenix Assault\Uninstall.exe"
--> "C:\Program Files\HP Games\Polar Bowler\Uninstall.exe"
--> "C:\Program Files\HP Games\Polar Golfer\Uninstall.exe"
--> "C:\Program Files\HP Games\Polar Tubing\Uninstall.exe"
--> "C:\Program Files\HP Games\Ricochet Lost Worlds\Uninstall.exe"
--> "C:\Program Files\HP Games\SCRABBLE\Uninstall.exe"
--> "C:\Program Files\HP Games\Super Granny\Uninstall.exe"
--> "C:\Program Files\HP Games\Tradewinds\Uninstall.exe"
--> "C:\Program Files\HP Games\Wheel of Fortune\Uninstall.exe"
--> "C:\Program Files\HP Games\Zuma Deluxe\Uninstall.exe"
Activation Assistant for the 2007 Microsoft Office suites --> "C:\ProgramData\{623D32E9-0C62-4453-AD44-98B31F52A5E1}\Microsoft Office Activation Assistant.exe" REMOVE=TRUE MODIFY=FALSE
Adobe Flash Player ActiveX --> C:\Windows\system32\Macromed\Flash\uninstall_activeX.exe
Adobe Flash Player Plugin --> C:\Windows\system32\Macromed\Flash\uninstall_plugin.exe
Adobe Reader 8 --> MsiExec.exe /I{AC76BA86-7AD7-1033-7B44-A80000000002}
Any to Icon --> "C:\Program Files\Any to Icon\uninstall.exe"
Apple Mobile Device Support --> MsiExec.exe /I{B5C209B1-8DDB-4642-A573-375B951514CB}
Apple Software Update --> MsiExec.exe /I{B74F042E-E1B9-4A5B-8D46-387BB172F0A4}
Comcast High-Speed Internet Install Wizard --> C:\Program Files\support.com\uninstall\chsi_uninstaller.exe
Counter-Strike: Source --> MsiExec.exe /I{9580813D-94B1-4C28-9426-A441E2BB29A5}
Debugging Tools for Windows --> MsiExec.exe /I{D459A7BB-F85E-4C0E-8AEC-3D90C4549740}
Desktop Doctor --> MsiExec.exe /I{D87149B3-7A1D-4548-9CBF-032B791E5908}
Express Burn --> C:\Program Files\NCH Swift Sound\ExpressBurn\uninst.exe
GTK+ Runtime 2.12.1 rev a (remove only) --> C:\Program Files\Gaim\uninst.exe
Hardware Diagnostic Tools --> C:\Program Files\PC-Doctor 5 for Windows\uninst.exe
HijackThis 2.0.2 --> "C:\Users\owner\Desktop\HijackThis.exe" /uninstall
HP Customer Experience Enhancements --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\11\00\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{AB5E289E-76BF-4251-9F3F-9B763F681AE0}\setup.exe" -l0x9 -removeonly
HP Customer Feedback --> MsiExec.exe /I{9DBA770F-BF73-4D39-B1DF-6035D95268FC}
HP Easy Setup - Frontend --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\11\00\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{40F7AED3-0C7D-4582-99F6-484A515C73F2}\setup.exe" -l0x9 -removeonly
HP On-Screen Cap/Num/Scroll Lock Indicator --> C:\Windows\system32\OsdRemove.exe
HP Photosmart Essential 2.0 --> C:\Program Files\HP\Digital Imaging\PhotoSmartEssential\hpzscr01.exe -datfile hpqbud13.dat
HP Total Care Advisor --> MsiExec.exe /X{2990BC81-3B19-4E53-A53E-30DE3F1BFFA8}
HP Update --> MsiExec.exe /X{25F6C900-C138-4888-A56C-91D3D063023A}
iPod for Windows 2006-06-28 --> C:\Program Files\Common Files\InstallShield\Driver\8\Intel 32\IDriver.exe /M{BD57EA4D-026E-4F08-9B93-080E282B81FE} /l1033
iTunes --> MsiExec.exe /I{4F5CE18C-D97D-48FF-A510-A0D90C918294}
Java™ 6 Update 3 --> MsiExec.exe /I{3248F0A8-6813-11D6-A77B-00B0D0160030}
LimeWire 4.14.8 --> "C:\Program Files\LimeWire\uninstall.exe"
Messenger Plus! Live --> "C:\Program Files\Messenger Plus! Live\Uninstall.exe"
Microsoft Network Monitor 3.1 --> MsiExec.exe /I{BDF820F3-79A6-4ACF-B910-43B26BB894CC}
Microsoft Office Excel MUI (English) 2007 --> MsiExec.exe /X{90120000-0016-0409-0000-0000000FF1CE}
Microsoft Office Home and Student 2007 --> "C:\Program Files\Common Files\Microsoft Shared\OFFICE12\Office Setup Controller\setup.exe" /uninstall HOMESTUDENTR /dll OSETUP.DLL
Microsoft Office Home and Student 2007 --> MsiExec.exe /X{91120000-002F-0000-0000-0000000FF1CE}
Microsoft Office OneNote MUI (English) 2007 --> MsiExec.exe /X{90120000-00A1-0409-0000-0000000FF1CE}
Microsoft Office PowerPoint MUI (English) 2007 --> MsiExec.exe /X{90120000-0018-0409-0000-0000000FF1CE}
Microsoft Office Proof (English) 2007 --> MsiExec.exe /X{90120000-001F-0409-0000-0000000FF1CE}
Microsoft Office Proof (French) 2007 --> MsiExec.exe /X{90120000-001F-040C-0000-0000000FF1CE}
Microsoft Office Proof (Spanish) 2007 --> MsiExec.exe /X{90120000-001F-0C0A-0000-0000000FF1CE}
Microsoft Office Proofing (English) 2007 --> MsiExec.exe /X{90120000-002C-0409-0000-0000000FF1CE}
Microsoft Office Shared MUI (English) 2007 --> MsiExec.exe /X{90120000-006E-0409-0000-0000000FF1CE}
Microsoft Office Shared Setup Metadata MUI (English) 2007 --> MsiExec.exe /X{90120000-0115-0409-0000-0000000FF1CE}
Microsoft Office Word MUI (English) 2007 --> MsiExec.exe /X{90120000-001B-0409-0000-0000000FF1CE}
Microsoft Virtual PC 2007 --> MsiExec.exe /X{8A7CAA24-7B23-410B-A7C3-F994B0944160}
Microsoft Visual Basic 2005 Express Edition - ENU --> C:\Program Files\Microsoft Visual Studio 8\Microsoft Visual Basic 2005 Express Edition - ENU\setup.exe
Microsoft Visual Basic 2005 Express Edition - ENU --> MsiExec.exe /X{577AD794-8B34-40B4-9E7A-BE4CFFE396E6}
Microsoft Visual C# 2005 Express Edition - ENU --> C:\Program Files\Microsoft Visual Studio 8\Microsoft Visual C# 2005 Express Edition - ENU\setup.exe
Microsoft Visual C# 2005 Express Edition - ENU --> MsiExec.exe /X{7E7D7935-B0C8-4032-80BA-2CDC9E43C3B8}
Microsoft Visual C++ 2005 Redistributable --> MsiExec.exe /X{A49F249F-0C91-497F-86DF-B2585E8E76B7}
Microsoft Works --> MsiExec.exe /I{6D52C408-B09A-4520-9B18-475B81D393F1}
mIRC --> "C:\Users\owner\mIRC\mirc.exe" -uninstall
Monopoly Here & Now Edition --> C:\PROGRA~1\YAHOO!~1\MONOPO~1\UNWISE.EXE /U C:\PROGRA~1\YAHOO!~1\MONOPO~1\INSTALL.LOG
Mozilla Firefox (2.0.0.11) --> C:\Program Files\Mozilla Firefox\uninstall\helper.exe
MSXML 4.0 SP2 (KB936181) --> MsiExec.exe /I{C04E32E0-0416-434D-AFB9-6969D703A9EF}
MSXML 4.0 SP2 (KB941833) --> MsiExec.exe /I{C523D256-313D-4866-B36A-F3DE528246EF}
MSXML 4.0 SP2 Parser and SDK --> MsiExec.exe /I{716E0306-8318-4364-8B8F-0CC4E9376BAC}
muvee autoProducer 6.0 --> C:\Program Files\InstallShield Installation Information\{6AF49698-949A-4C89-9B31-041D2CCB5FBD}\setup.exe -runfromtemp -l0x0009 -removeonly
My HP Games --> "C:\Program Files\HP Games\Uninstall.exe"
NVIDIA Drivers --> C:\Windows\system32\NVUNINST.EXE UninstallGUI
OLYMPUS Master 2 --> MsiExec.exe /X{CBC85F2E-1981-4C55-9418-908D08D2C6E8}
PC Registry Cleaner --> MsiExec.exe /X{610E6187-2D1F-4B80-BC9F-B13D8585415A}
Pidgin --> C:\Program Files\Pidgin\pidgin-uninst.exe
Python 2.4.3 --> MsiExec.exe /I{75E71ADD-042C-4F30-BFAC-A9EC42351313}
QuickTime --> MsiExec.exe /I{9763E36A-08E9-4228-BBCE-12989A4EB1A8}
Realtek High Definition Audio Driver --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\11\50\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{F132AF7F-7BCA-4EDE-8A7C-958108FE7DBC}\Setup.exe" -l0x9 -removeonly
Rhapsody Player Engine --> MsiExec.exe /I{2DFF31F9-7893-4922-AF66-C9A1EB4EBB31}
Roxio Activation Module --> MsiExec.exe /I{35E1EC43-D4FC-4E4A-AAB3-20DDA27E8BB0}
Roxio Creator Copy --> MsiExec.exe /X{619CDD8A-14B6-43a1-AB6C-0F4EE48CE048}
Roxio Creator Data --> MsiExec.exe /X{0D397393-9B50-4c52-84D5-77E344289F87}
Roxio Creator EasyArchive --> MsiExec.exe /X{11F93B4B-48F0-4A4E-AE77-DFA96A99664B}
Roxio Creator Tools --> MsiExec.exe /X{0394CDC8-FABD-4ed8-B104-03393876DFDF}
Roxio Express Labeler 3 --> MsiExec.exe /X{6675CA7F-E51B-4F6A-99D4-F8F0124C6EAA}
Sandlot Games Client Services --> "C:\Program Files\Common Files\Sandlot Shared\unins000.exe"
Scientific-Atlanta WebSTAR 2000 series Cable Modem --> UNDPX2A.EXE
SmartFTP Client --> MsiExec.exe /I{C169D3BB-9A27-43F5-9979-09A0D65FE95C}
SmartFTP FTP Library (remove only) --> "C:\Program Files\SmartFTP FTP Library\uninst-sftplib.exe"
Snapfish Media Detector --> MsiExec.exe /X{4EF6FDB0-3B11-4820-9860-8E08E9965195}
Soft Data Fax Modem with SmartCP --> C:\Program Files\CONEXANT\CNXT_MODEM_PCI_VEN_14F1&DEV_2F20&SUBSYS_200C14F1\UIU32m.exe -U -ITrx200Cz.inf
Steam™ --> MsiExec.exe /X{048298C9-A4D3-490B-9FF9-AB023A9238F3}
Uniblue SpyEraser --> "C:\Program Files\Uniblue\SpyEraser\unins000.exe"
Viewpoint Media Player --> C:\Program Files\Viewpoint\Viewpoint Experience Technology\mtsAxInstaller.exe /u
Winamp --> "C:\Program Files\Winamp\UninstWA.exe"
Winamp Remote --> "C:\Program Files\Winamp Remote\uninstall.exe"
Windows Live Messenger --> MsiExec.exe /I{571700F0-DB9D-4B3A-B03D-35A14BB5939F}
Windows Media Player Firefox Plugin --> MsiExec.exe /I{69FDFBB6-351D-4B8C-89D8-867DC9D0A2A4}
WinRAR archiver --> C:\Program Files\WinRAR\uninstall.exe
WinZip 11.1 --> MsiExec.exe /X{CD95F661-A5C4-44F5-A6AA-ECDD91C240B5}
XDCC Catcher Basic --> MsiExec.exe /I{4B8AA99D-9295-4B0D-AF7F-FF63D666D0C4}


-- Application Event Log -------------------------------------------------------

Event Record #/Type11744 / Warning
Event Submitted/Written: 12/20/2007 11:30:21 AM
Event ID/Source: 1530 / profsvc
Event Description:
Windows detected your registry file is still in use by other applications or services. The file will be unloaded now. The applications or services that hold your registry file may not function properly afterwards.

DETAIL -
7 user registry handles leaked from \Registry\User\S-1-5-21-2557063472-3044314221-3181451314-1001:
Process 1016 (\Device\HarddiskVolume1\Windows\System32\svchost.exe) has opened key \REGISTRY\USER\S-1-5-21-2557063472-3044314221-3181451314-1001
Process 1016 (\Device\HarddiskVolume1\Windows\System32\svchost.exe) has opened key \REGISTRY\USER\S-1-5-21-2557063472-3044314221-3181451314-1001
Process 1016 (\Device\HarddiskVolume1\Windows\System32\svchost.exe) has opened key \REGISTRY\USER\S-1-5-21-2557063472-3044314221-3181451314-1001\Software\Policies\Microsoft\SystemCertificates
Process 1016 (\Device\HarddiskVolume1\Windows\System32\svchost.exe) has opened key \REGISTRY\USER\S-1-5-21-2557063472-3044314221-3181451314-1001\Software\Microsoft\SystemCertificates\trust
Process 1016 (\Device\HarddiskVolume1\Windows\System32\svchost.exe) has opened key \REGISTRY\USER\S-1-5-21-2557063472-3044314221-3181451314-1001\Software\Microsoft\SystemCertificates\CA
Process 1016 (\Device\HarddiskVolume1\Windows\System32\svchost.exe) has opened key \REGISTRY\USER\S-1-5-21-2557063472-3044314221-3181451314-1001\Software\Microsoft\SystemCertificates\SmartCardRoot
Process 1016 (\Device\HarddiskVolume1\Windows\System32\svchost.exe) has opened key \REGISTRY\USER\S-1-5-21-2557063472-3044314221-3181451314-1001\Software\Microsoft\SystemCertificates\Root

Event Record #/Type11740 / Error
Event Submitted/Written: 12/20/2007 11:18:01 AM
Event ID/Source: 1000 / Application Error
Event Description:
Faulting application FIREFOX.EXE, version 1.8.20071.12718, time stamp 0x474cd9ce, faulting module FIREFOX.EXE, version 1.8.20071.12718, time stamp 0x474cd9ce, exception code 0xc0000005, fault offset 0x0001c2bc,
process id 0xe14, application start time 0xFIREFOX.EXE0.

Event Record #/Type11732 / Success
Event Submitted/Written: 12/20/2007 10:20:56 AM
Event ID/Source: 5617 / WinMgmt
Event Description:


Event Record #/Type11730 / Success
Event Submitted/Written: 12/20/2007 10:20:54 AM
Event ID/Source: 5615 / WinMgmt
Event Description:


Event Record #/Type11726 / Success
Event Submitted/Written: 12/20/2007 10:20:25 AM
Event ID/Source: 902 / Software Licensing Service
Event Description:
The Software Licensing service has started.



-- Security Event Log ----------------------------------------------------------

No Errors/Warnings found.


-- System Event Log ------------------------------------------------------------

Event Record #/Type42684 / Warning
Event Submitted/Written: 12/20/2007 09:00:06 PM
Event ID/Source: 129 / nvstor32
Event Description:
Reset to device, \Device\RaidPort0, was issued.

Event Record #/Type42683 / Error
Event Submitted/Written: 12/20/2007 08:33:46 PM
Event ID/Source: 55 / Ntfs
Event Description:
The file system structure on the disk is corrupt and unusable.
Please run the chkdsk utility on the volume COMPAQ.

Event Record #/Type42668 / Warning
Event Submitted/Written: 12/20/2007 07:08:15 PM
Event ID/Source: 4226 / Tcpip
Event Description:
TCP/IP has reached the security limit imposed on the number of concurrent TCP connect attempts.

Event Record #/Type42643 / Warning
Event Submitted/Written: 12/20/2007 10:53:57 AM
Event ID/Source: 4226 / Tcpip
Event Description:
TCP/IP has reached the security limit imposed on the number of concurrent TCP connect attempts.

Event Record #/Type42641 / Error
Event Submitted/Written: 12/20/2007 10:27:25 AM
Event ID/Source: 55 / Ntfs
Event Description:
The file system structure on the disk is corrupt and unusable.
Please run the chkdsk utility on the volume COMPAQ.



-- End of Deckard's System Scanner: finished at 2007-12-20 21:12:00 ------------


<meta http-equiv="Content-Type" content="text/html; charset=utf-8">

<html>
<font style="COLOR: black; FONT: 10pt verdana">
<head>
<title>F-Secure Online Scanner 3.2.3 - Scanning Report - Thursday, December 20, 2007 23:03:19</title>
</head>

<body>
<h1><font face="Arial">Scanning Report</font></h1>
<h2><font face="Arial">Thursday, December 20, 2007 22:03:10 - 23:03:19</font></h2>
<p>
Computer name: OWNER-PC
<br>Scanning type: Scan system for viruses, rootkits, spyware
<br>Target: C:\ D:\ 
</p>
<hr noshade>
<h2><font face="Arial" color="#5A6ED2">Result: 1 malware found</font></h2>
<a href="http://cgi.f-secure.com/cgi-bin/websearch/vsearch.cgi?q=Trojan-Downloader.Win32.Agent.dzm&orig='disk'" target="_blank"><nobr>Trojan-Downloader.Win32.Agent.dzm</nobr></a> (virus)
<ul>
<li>
C:\USERS\TONY\APPDATA\LOCAL\MICROSOFT\WINDOWS\TEMPORARY INTERNET FILES\CONTENT.IE5\32T3CSB1\PLAY[1].EXE (Renamed & Submitted)
</ul>
<hr noshade>
<h2><font face="Arial" color="#5A6ED2">Statistics</font></h2>
Scanned:<ul>
<li>Files: 47782
<li>System: 0
<li>Not scanned: 0
</ul>
Actions:<ul>
<li>Disinfected: 0
<li>Renamed: 1
<li>Deleted: 0
<li>None: 0
<li>Submitted: 1
</ul>
Files not scanned:<ul>

</ul>
<hr noshade>
<h2><font face="Arial" color="#5A6ED2">Options</font></h2>
Scanning engines:<ul>
<li>F-Secure Libra: 2.4.2, 2007-12-20
<li>F-Secure AVP: 7.0.171, 2007-12-20
<li>F-Secure Orion: 1.2.37, 2007-12-21
<li>F-Secure Blacklight: 1.0.64
<li>F-Secure Pegasus: 1.19.0, 2007-11-18

</ul>
Scanning options:<ul>
<li>Scan defined files: COM EXE SYS OV? BIN SCR DLL SHS HTM HTML HTT VBS JS INF VXD DO? XL? RTF CPL WIZ HTA PP? PWZ P?T MSO PIF . ACM ASP AX CNV CSC DRV INI MDB MPD MPP MPT OBD OBT OCX PCI TLB TSP WBK WBT WPC WSH VWP WML BOO HLP TD0 TT6 MSG ASD JSE VBE WSC CHM EML PRC SHB LNK WSF {* PDF ZL? XML ZIP XXX ANI AVB BAT CMD LSP MAP MHT MIF PHP POT SWF WMF NWS TAR 
<li>
Use Advanced heuristics
</ul>
<hr noshade>
<ul><h6>Copyright &copy; 1998-2007 <a href="http://support.f-secure.com/">Product support</a> |<a href="http://support.f-secure.com/enu/home/virusproblem/sample/">Send virus sample to F-Secure</a></h6><h6>F-Secure assumes no responsibility for material created or published by third parties that F-Secure World Wide Web pages have a link to. Unless you have clearly stated otherwise, by submitting material to any of our servers, for example by E-mail or via our F-Secure's CGI E-mail, you agree that the material you make available may be published in the F-Secure World Wide Pages or hard-copy publications. You will reach F-Secure public web site by clicking on underlined links. While doing this, your access will be logged to our private access statistics with your domain name.This information will not be given to any third party. You agree not to take action against us in relation to material that you submit. Unless you have clearly stated otherwise, by submitting material you warrant that F-Secure may incorporate any concepts described in it in the F-Secure products/publications without liability.</h6></ul>
</body>
</font>
</html>


#7 Falu

Falu

  • Security Colleague
  • 3,001 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:The Netherlands
  • Local time:10:46 AM

Posted 23 December 2007 - 04:01 AM

Hi sync0s, :thumbsup:

To begin with, please don't place the logs you post in quotes/code.

Hi thank you so much for the reply!


You're very welcome.

1. Go to Start>Run, type in cmd > Enter

Note: I assume that the c: drive is your hard drive were you keep all your software. If it's another drive replace c: with that drive.

When the Command Prompt window comes up, type: chkdsk c: /f and press ENTER << See the spaces between chkdsk and c: and between c: and /f?

2. Follow the instructions to run TCP Optimizer.

3. Okay Limewire 4.14.8 may be a legitimate version but take a look at these articles:

ID THIEVES' NEW HANGOUT: FILE-SHARING SOFTWARE and
Risks of File-Sharing Technology

and be warned. It's up to you of course but if you want to get rid of it:

Click on Start, Settings, Control Panel and double-click on Add or Remove Programs. From within Add or Remove Programs uninstall the following program if listed:

LimeWire 4.14.8

Viewpoint is classed as Foistware and a Potentially unwanted program as its sometimes installed without the users consent, There maybe some indications that they will move into tracking users at some stage which you can read more about Here. If you value the service they provide then it can be left on the system but if not then it can be removed using the Add/Remove screen. More info.

Viewpoint Media Player

4. Please download DrWeb-CureIt & save it to your desktop. DO NOT perform a scan yet.

5. It's probably best to safe/print those instructions for use in safe mode, since you will not have access to this site at that time.

1) Restart your computer
2) After hearing your computer beep once during startup, but before the Windows icon appears, press F8.
3) Instead of Windows loading as normal, a menu should appear
4) Select the first option, to run Windows in Safe Mode.
5) Select your normal user account.

6. We need to disable your Windows Defender Real-time Protection as it may interfere with the fixes that we need to make.

Open Windows Defender.
Click on Tools, General Settings.
Scroll down and uncheck Turn on real-time protection (recommended).
After you uncheck this, click on the Save button and close Windows Defender.

7. Run HijackThis, click Scan and checkmark the following entries:

R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =


Close all browsers and windows, except for HijackThis and click the Fix Checked button; close HijackThis!

8. Scan with DrWeb-CureIt as follows:
  • Double-click on drweb-cureit.exe to start the program. An "Express Scan of your PC" notice will appear.
  • Under "Start the Express Scan Now", Click "OK" to start. This is a short scan that will scan the files currently running in memory and when something is found, click the Yes button when it asks you if you want to cure it.
  • Once the short scan has finished, Click Options > Change settings
  • Choose the "Scan tab" and UNcheck "Heuristic analysis"
  • Back at the main window, click "Select drives" (a red dot will show which drives have been chosen)
  • Then click the "Start/Stop Scanning" button (green arrow on the right) and the scan will start.
  • When done, a message will be displayed at the bottom advising if any viruses were found.
  • Click "Yes to all" if it asks if you want to cure/move the file.
  • When the scan has finished, look if you can see the icon next to the files found. If so, click it, then click the next icon right below and select "Move incurable".
    (This will move it to the C:\Documents and Settings\userprofile\DoctorWeb\Quarantine folder if it can't be cured)
  • Next, in the Dr.Web CureIt menu on top, click file and choose save report list.
  • Save the DrWeb.csv report to your desktop.
  • Exit Dr.Web Cureit when done.
  • Important! Reboot your computer because it could be possible that files in use will be moved/deleted during reboot.
  • After reboot, post the contents of the log from Dr.Web in your next reply. (You can use Notepad to open the DrWeb.cvs report)
9. Please click this link-->Jotti

When the jotti page has finished loading, click the browse button and navigate to the files listed below in bold, then click Submit. You will only be able to have one file scanned at a time.

C:\Windows\_MSRSTRT.EXE

Please post back the results of the scan in your next post.

If Jotti is busy, try the same at Virustotal: http://www.virustotal.com/

10. We have to research two folders:

> Open Notepad and copy/paste the following text in code into it, and save it as listmirc.bat and make sure the "Save as type" field says "All files".

@echo off
dir C:\Users\owner\mIRC63 /a h > files.txt
notepad files.txt
exit

Locate listmirc.bat on your Desktop and double-click on it. Post the info in your next reply.

> Open Notepad and copy/paste the following text in code into it, and save it as listmts.bat and make sure the "Save as type" field says "All files".

@echo off
dir C:\Users\owner\mtsloader171 /a h > files.txt
notepad files.txt
exit

Locate listmts.bat on your Desktop and double-click on it. Post the info in your next reply.

11. In the attachment you see a fixs.reg; right-click it to download it to your desktop. Next doubleclick the file to run it.

12. You still don't have an AntiVirus installed!!!

Furthermore I only see Windows internal firewall enabled, which unfortunarely only blocks incoming traffic and not outgoing. I therefore recommned to install one of the free firewalls I suggested in post 5n sep 6.

Please post DrWeb.cvs report along with a fresh HijackThis log, post the information asked and let me know how things are running now.

Attached Files

  • Attached File  fixs.reg   189bytes   2 downloads


#8 sync0s

sync0s
  • Topic Starter

  • Members
  • 14 posts
  • OFFLINE
  •  
  • Local time:11:46 AM

Posted 23 December 2007 - 07:16 PM

Thank you again for replying but there was a few problems with this last post.

1) When I ran the chkdsk cmd it said that I have insufficient permissions to run the command. So I ran cmd as an administrator and then it said I couldn't run the command because the disk was in use but it asked me to run it on the next restart and I entered y.

2) Ran it. Went fine

7) Ran and performed commands

8) Ran the program and did the whole scan without Hueristic Analysis checked and it said I have no viruses found. However, remember the reason I am here is because I am unable to use the save file/open dialogs and that is necessary to save the report.

9) Went to the page and again the browse button wouldn't work. However I typed in the directory myself and it scanned the uploaded file and it said that it was not a virus

10) [Don't take me wrong in this] I don't think you need to research these folders as every file in these folders was created by myself. I don't know if you know what mIRC is or not but it is just a IRC client that has built in scripting. However, if you really want me to I will.

#9 Falu

Falu

  • Security Colleague
  • 3,001 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:The Netherlands
  • Local time:10:46 AM

Posted 24 December 2007 - 05:26 AM

Hi sync0s, :thumbsup:

[Don't take me wrong in this] I don't think you need to research these folders as every file in these folders was created by myself. I don't know if you know what mIRC is or not but it is just a IRC client that has built in scripting. However, if you really want me to I will.


I don't take you wrong and I know what mIRC is but couldn't find info on: C:\Users\owner\mIRC63, C:\Users\owner\mtsloader171 and C:\Windows\_MSRSTRT.EXE (with the specified path). So I would like you to follow instructions.

#10 sync0s

sync0s
  • Topic Starter

  • Members
  • 14 posts
  • OFFLINE
  •  
  • Local time:11:46 AM

Posted 25 December 2007 - 05:06 AM

Ok well as I said before _MSRSTRT.EXE was already scanned (on the previous site you sent me to) and it had said it wasn't a virus. Here's the bat files:

Volume in drive C is COMPAQ
Volume Serial Number is 24AF-B727

Directory of C:\Users\owner\mIRC63

12/15/2007 10:02 PM <DIR> .
12/15/2007 10:02 PM <DIR> ..
12/10/2007 02:18 AM <DIR> channels
12/10/2007 02:18 AM <DIR> defaults
12/10/2007 02:18 AM <DIR> downloads
11/01/2007 02:06 PM 76,099 ircintro.chm
12/15/2007 07:04 PM <DIR> logs
11/01/2007 07:21 AM 366,485 mirc.chm
12/10/2007 02:43 AM 95,657 mirc.chw
11/01/2007 01:57 PM 2,756,096 mirc.exe
12/15/2007 10:02 PM 5,667 mirc.ini
12/15/2007 07:05 PM Volume in drive C is COMPAQ
Volume Serial Number is 24AF-B727

Directory of c:\users\owner\mtsloader171

12/14/2007 12:10 PM <DIR> .
12/14/2007 12:10 PM <DIR> ..
06/06/2005 07:44 PM 5,803 contents.htm
08/21/2001 03:52 AM 3,880 country.ini
12/10/2007 01:15 AM 5,971 current.mts
12/10/2007 01:04 AM <DIR> large
01/17/2005 04:28 PM <DIR> luminosity
05/24/2005 06:19 PM <DIR> MDX
12/23/2007 02:36 PM 785 mts.ah
12/10/2007 01:15 AM 442 mts.ini
06/22/2005 06:20 PM 66,186 mts.mrc
12/10/2007 01:15 AM 53 mts.tl
06/03/2004 11:29 PM 3,059 namecolors.tl
07/29/2000 11:05 PM 22,528 POPUPS.DLL
06/22/2005 06:19 PM 7,230 readme.txt
12/12/2007 09:49 PM 4,368 script1.mrc
12/12/2007 01:24 AM 57 script2.mrc
12/15/2007 07:05 PM 95 script3.mrc
12/10/2007 01:15 AM <DIR> small
13 File(s) 120,457 bytes

Directory of C:\Users\owner\Desktop <DIR> scripts
12/15/2007 09:52 PM 28,123 servers.ini
12/10/2007 02:18 AM <DIR> sounds
12/10/2007 03:26 AM <DIR> Themes
12/10/2007 02:18 AM 125,230 uninstall.exe
12/15/2007 10:02 PM 225 urls.ini
8 File(s) 3,453,582 bytes

Directory of C:\Users\owner\Desktop

and




0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users