
Smitfraud Activity Still Present - Hjt Log


#1 lightpanther


Posted 06 March 2008 - 07:52 PM

Below is my HJT log after recovery from my boot issue (in another thread) partly caused by smitfraud. There are still some issues on the system. System restore points still seem frozen by the virus. Haven't seen the fake anti-spyware popups for a little while, but am not completely faithful that they are gone. AOL browser not working. Each time Windows starts I get the "windows has recovered from a serious error" message. I also get this error message from time to time:

Windows - No Disk

Exception Processing Message c0000013 Parameters 75b6bf9c 4 75b6bf9c 75b6bf9c

Anyway, here is the HJT

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 4:48:40 PM, on 3/6/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.5730.0013)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\WINDOWS\system32\DRIVERS\CDANTSRV.EXE
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\Program Files\M-Audio MA_CMIDI\MA_CMIDI_Inst.exe
C:\Program Files\Common Files\New Boundary\PrismXL\PRISMXL.SYS
C:\Program Files\Common Files\SafeNet Sentinel\Sentinel Protection Server\WinNT\spnsrvnt.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Viewpoint\Common\ViewpointService.exe
C:\WINDOWS\ehome\ehtray.exe
C:\Program Files\Digital Media Reader\shwiconem.exe
C:\WINDOWS\zHotkey.exe
C:\WINDOWS\eHome\ehmsas.exe
C:\WINDOWS\system32\dllhost.exe
C:\WINDOWS\System32\alg.exe
C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\WINDOWS\ALCWZRD.EXE
C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Program Files\ScanSoft\OmniPageSE2.0\OpwareSE2.exe
C:\Program Files\Real\RealPlayer\RealPlay.exe
C:\WINDOWS\system32\LVCOMSX.EXE
C:\Program Files\Logitech\Video\LogiTray.exe
C:\Program Files\Common Files\AOL\1140034058\ee\AOLSoftware.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\iPod\bin\iPodService.exe
c:\program files\common files\aol\1140034058\ee\services\antiSpywareApp\ver2_0_32_1\AOLSP Scheduler.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Logitech\Video\FxSvr2.exe
C:\Program Files\PreSonus\1394AudioDriver_FIREBox\FIREBOX Control.exe
C:\Program Files\SyncroSoft\Pos\H2O\cledx.exe
C:\Program Files\HP Optical 4 Button USB Mouse\KMaestro.exe
C:\Program Files\PowerISO\PWRISOVM.EXE
C:\WINDOWS\system32\hi1.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
c:\program files\common files\aol\1140034058\ee\aolsoftware.exe
C:\Program Files\Plaxo\2.13.1.3\PlaxoHelper.exe
C:\Documents and Settings\Owner\Local Settings\Application Data\Google\Update\1.1.17.0\GoogleUpdate.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe
C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe
C:\Documents and Settings\Owner\Local Settings\Application Data\YouTube\Uploader\youtubeuploader.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Program Files\America Online 9.0\waol.exe
C:\Program Files\America Online 9.0\shellmon.exe
C:\Program Files\Common Files\Aol\aoltpspd.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\HijackThis\HijackThis.exe
C:\WINDOWS\system32\wbem\wmiprvse.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.iands.org/
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: Skype add-on (mastermind) - {22BF413B-C6D2-4d91-82A9-A0F997BA588C} - C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll
O2 - BHO: AOL Toolbar Launcher - {7C554162-8CB7-45A4-B8F4-8EA1C75885F9} - C:\Program Files\AOL\AOL Toolbar 3.0\aoltb.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar4.dll
O2 - BHO: (no name) - {AECC0B23-48EF-4BFA-9498-ADFB732D5643} - c:\windows\system32\cmpropsv.dll
O2 - BHO: (no name) - {BFC53DA5-C5C9-4DA4-A98C-3956BC67CB2D} - C:\WINDOWS\system32\cnbjmonb.dll
O3 - Toolbar: Easy-WebPrint - {327C2873-E90D-4c37-AA9D-10AC9BABA46C} - C:\Program Files\Canon\Easy-WebPrint\Toolband.dll
O3 - Toolbar: AOL Toolbar - {DE9C389F-3316-41A7-809B-AA305ED9D922} - C:\Program Files\AOL\AOL Toolbar 3.0\aoltb.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar4.dll
O4 - HKLM\..\Run: [ehTray] C:\WINDOWS\ehome\ehtray.exe
O4 - HKLM\..\Run: [SunKistEM] C:\Program Files\Digital Media Reader\shwiconem.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [CHotkey] zHotkey.exe
O4 - HKLM\..\Run: [ShowWnd] ShowWnd.exe
O4 - HKLM\..\Run: [Recguard] %WINDIR%\SMINST\RECGUARD.EXE
O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"
O4 - HKLM\..\Run: [High Definition Audio Property Page Shortcut] HDAudPropShortcut.exe
O4 - HKLM\..\Run: [Mixersel] C:\Program Files\Realtek\InstallShield\mixersel.exe
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [AlcWzrd] ALCWZRD.EXE
O4 - HKLM\..\Run: [Alcmtr] ALCMTR.EXE
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [Pure Networks Port Magic] "C:\PROGRA~1\PURENE~1\PORTMA~1\PortAOL.exe" -Run
O4 - HKLM\..\Run: [OpwareSE2] "C:\Program Files\ScanSoft\OmniPageSE2.0\OpwareSE2.exe"
O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
O4 - HKLM\..\Run: [LVCOMSX] C:\WINDOWS\system32\LVCOMSX.EXE
O4 - HKLM\..\Run: [LogitechVideoRepair] C:\Program Files\Logitech\Video\ISStart.exe
O4 - HKLM\..\Run: [LogitechVideoTray] C:\Program Files\Logitech\Video\LogiTray.exe
O4 - HKLM\..\Run: [HostManager] C:\Program Files\Common Files\AOL\1140034058\ee\AOLSoftware.exe
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [FIREBOX] C:\Program Files\PreSonus\1394AudioDriver_FIREBox\FIREBOX Control.exe
O4 - HKLM\..\Run: [H2O] C:\Program Files\SyncroSoft\Pos\H2O\cledx.exe
O4 - HKLM\..\Run: [BtcMouseMaestro] "C:\Program Files\HP Optical 4 Button USB Mouse\KMaestro.exe"
O4 - HKLM\..\Run: [PWRISOVM.EXE] C:\Program Files\PowerISO\PWRISOVM.EXE
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [hi1] C:\WINDOWS\system32\hi1.exe
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKCU\..\Run: [LogitechSoftwareUpdate] "C:\Program Files\Logitech\Video\ManifestEngine.exe" boot
O4 - HKCU\..\Run: [PlaxoUpdate] C:\Program Files\Plaxo\2.13.1.3\PlaxoHelper.exe -a
O4 - HKCU\..\Run: [Google Update] "C:\Documents and Settings\Owner\Local Settings\Application Data\Google\Update\1.1.17.0\GoogleUpdate.exe" /lang en
O4 - HKCU\..\Run: [Skype] "C:\Program Files\Skype\Phone\Skype.exe" /nosplash /minimized
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [hi1] C:\WINDOWS\system32\hi1.exe
O4 - HKCU\..\Run: [MSI Configuration] msiconf.exe
O4 - Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Startup: YouTube Uploader.lnk = C:\Documents and Settings\Owner\Local Settings\Application Data\YouTube\Uploader\youtubeuploader.exe
O4 - Global Startup: Kodak EasyShare software.lnk = C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\office2000\Office\OSA9.EXE
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_02\bin\npjpi150_02.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_02\bin\npjpi150_02.dll
O9 - Extra button: AOL Toolbar - {3369AF0D-62E9-4bda-8103-B4C75499B578} - C:\Program Files\AOL\AOL Toolbar 3.0\aoltb.dll
O9 - Extra button: Skype - {77BF5300-1474-4EC7-9980-D32B190E9B07} - C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} (PCPitstop Utility) - http://support.gateway.com/support/profiler/PCPitStop.CAB
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {97BB6657-DC7F-4489-9067-51FAB9D8857E} (CWebLaunchCtl Object) - https://support.gateway.com/eSupport/static.../weblaunch2.cab
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O20 - Winlogon Notify: ymsxizcz - C:\WINDOWS\SYSTEM32\cmpropsv.dll
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: AOL Connectivity Service (AOL ACS) - America Online, Inc. - C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: Alias Wavefront Help Server (AWHelpServer) - Unknown owner - C:\Program Files\AliasWavefront\Maya5.0\docs\Wrapper.exe
O23 - Service: C-DillaSrv - C-Dilla Ltd - C:\WINDOWS\system32\DRIVERS\CDANTSRV.EXE
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Kodak Camera Connection Software (KodakCCS) - Eastman Kodak Company - C:\WINDOWS\system32\drivers\KodakCCS.exe
O23 - Service: M-Audio CMIDI Installer (MA_CMIDI_InstallerService) - Unknown owner - C:\Program Files\M-Audio MA_CMIDI\MA_CMIDI_Inst.exe
O23 - Service: PrismXL - New Boundary Technologies, Inc. - C:\Program Files\Common Files\New Boundary\PrismXL\PRISMXL.SYS
O23 - Service: Sentinel Protection Server (SentinelProtectionServer) - SafeNet, Inc - C:\Program Files\Common Files\SafeNet Sentinel\Sentinel Protection Server\WinNT\spnsrvnt.exe
O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exe

--
End of file - 12036 bytes
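A first-pass triage of a log like the one above, as an added example that is not part of this thread or of HijackThis itself. The sample lines are copied from the log in this post; the small allowlist of known system32 autoruns, the vowel-ratio threshold and the section coverage (O2, O4 Run, O20 only) are assumptions of the example, and every hit still needs a person to confirm it.

```python
"""Heuristic first-pass triage of HijackThis (HJT) log entries.

Added example for this thread, not part of HijackThis or of any post in it.
It applies the checks an analyst makes by eye: BHOs (O2) registered with no
name, Run entries (O4) that start a short or random-looking file name from
system32, Winlogon Notify handlers (O20) with generated-looking names, the
same command registered under both HKLM and HKCU, and a single DLL loaded
through more than one hook. The vowel-ratio test is deliberately crude.
"""
import re
from collections import defaultdict

# Constructed sample: lines copied from the first HJT log in this thread.
SAMPLE_LOG = r"""
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {AECC0B23-48EF-4BFA-9498-ADFB732D5643} - c:\windows\system32\cmpropsv.dll
O2 - BHO: (no name) - {BFC53DA5-C5C9-4DA4-A98C-3956BC67CB2D} - C:\WINDOWS\system32\cnbjmonb.dll
O4 - HKLM\..\Run: [ehTray] C:\WINDOWS\ehome\ehtray.exe
O4 - HKLM\..\Run: [hi1] C:\WINDOWS\system32\hi1.exe
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [hi1] C:\WINDOWS\system32\hi1.exe
O20 - Winlogon Notify: ymsxizcz - C:\WINDOWS\SYSTEM32\cmpropsv.dll
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
"""

# Assumed allowlist: legitimate Microsoft autoruns that live in system32 and
# would otherwise trip the random-name check.
KNOWN_SYSTEM32_AUTORUNS = {"ctfmon.exe", "igfxtray.exe", "hkcmd.exe"}

O2_RE = re.compile(r"^O2 - BHO: (?P<name>.*?) - \{(?P<clsid>[0-9A-Fa-f-]+)\} - (?P<path>.+)$")
O4_RE = re.compile(r"^O4 - (?P<hive>HKLM|HKCU)\\\.\.\\Run: \[(?P<key>[^\]]*)\] (?P<cmd>.+)$")
O20_RE = re.compile(r"^O20 - Winlogon Notify: (?P<name>\S+) - (?P<path>.+)$")
# Cut a command line at the first executable/library extension so that quoted
# paths, unquoted paths with spaces and trailing arguments all resolve.
TARGET_RE = re.compile(r"^(?P<path>.*?\.(?:exe|dll|sys))", re.IGNORECASE)


def target_file(field):
    """Lower-cased (full path, file name) for a path-or-command field."""
    m = TARGET_RE.match(field.strip().lstrip('"'))
    path = (m.group("path") if m else field.strip()).lower()
    return path, path.rsplit("\\", 1)[-1]


def looks_random(name):
    """Crude generated-name test: three characters or fewer, or under 20% vowels."""
    stem = name.rsplit(".", 1)[0].lower()
    letters = [c for c in stem if c.isalpha()]
    if len(stem) <= 3:
        return True
    if not letters:
        return False
    return sum(c in "aeiou" for c in letters) / len(letters) < 0.2


def triage(log_text):
    """Return {file name: sorted reasons} for every entry that deserves a closer look."""
    reasons = defaultdict(set)
    run_hives = defaultdict(set)   # full path -> hives whose Run key starts it
    dll_hooks = defaultdict(set)   # dll name -> HJT sections that load it
    for line in log_text.splitlines():
        line = line.strip()
        if m := O2_RE.match(line):
            _, fname = target_file(m.group("path"))
            dll_hooks[fname].add("O2")
            if m.group("name").strip().lower() == "(no name)":
                reasons[fname].add("O2: BHO registered without a name")
        elif m := O4_RE.match(line):
            path, fname = target_file(m.group("cmd"))
            run_hives[path].add(m.group("hive"))
            if "\\system32\\" in path and fname not in KNOWN_SYSTEM32_AUTORUNS and looks_random(fname):
                reasons[fname].add("O4: short or random-looking name started from system32")
        elif m := O20_RE.match(line):
            _, fname = target_file(m.group("path"))
            dll_hooks[fname].add("O20")
            if looks_random(m.group("name")):
                reasons[fname].add(f"O20: Winlogon Notify handler with random-looking name '{m.group('name')}'")
    # Persistence written to both hives is unusual for legitimate software.
    for path, hives in run_hives.items():
        if {"HKLM", "HKCU"} <= hives:
            reasons[path.rsplit("\\", 1)[-1]].add("O4: same command in both HKLM and HKCU Run")
    # One DLL reached through several load points is worth a second look.
    for fname, hooks in dll_hooks.items():
        if len(hooks) > 1:
            reasons[fname].add("O2/O20: one DLL loaded through " + " and ".join(sorted(hooks)))
    return {name: sorted(why) for name, why in reasons.items()}


if __name__ == "__main__":
    for name, why in triage(SAMPLE_LOG).items():
        print(name)
        for reason in why:
            print("   ", reason)
```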

#2 Papakid

  • Malware Response Team

Posted 07 March 2008 - 12:26 PM

Hi again lightpanther,

Just for reference, your other topic is here: http://www.bleepingcomputer.com/forums/t/134660/serious-boot-problem/

As I mentioned there, though some of the backdoor trojans have been identified and can be killed, because of its backdoor functionality, your PC is so badly compromised that there is no way to be sure your computer can ever again be trusted to be completely clean. We simply can't guarantee that or that all the damage that may have been caused will be corrected--it is essentially like searching for a needle in a haystack.

Please read these articles:

How Do I Handle Possible Identify Theft, Internet Fraud and CC Fraud?

When Should I Format, How Should I Reinstall

Help: I Got Hacked. Now What Do I Do? Part II

I need to know what your decision is before we proceed with fixing what we can find. That way we don't spend a lot of time on something that will be useless if you reformat anyway and the reformat will be time consuming in itself. One important factor to consider is if you conduct any type of financial transactions on this computer, such as online banking, ebay, online shopping--anything where you might give credit card or other sensitive information--you should change all your passwords from a known clean computer and then apprise those institutions that your accounts may have been compromised. Then back up your important data and reformat would be my suggestion. You should back up your data in any event.

If you use your computer mostly for gaming, then reformatting is not as critical. I know you have decided once to go ahead and try to clean; perhaps not having your original Windows CD played a big part in that decision. Let me know if that is your choice, and if so, before we get into cleaning with special removal tools, we need you to get an antivirus (AV) installed and running so that you have some protection while on the net, which will help to keep malware from coming back while we are in the middle of cleanup. Also make sure you have at least the Windows firewall enabled; I will suggest some good free ones to install once your system is more stable.

So here are the preliminary steps if you want to continue:

1. Install one of these free AVs:

Antivir
Avast Free
AVG Free

My first choice would be Antivir, AVG second, but any of them will do. Once installed, run a full system scan and let me know what was found. If you use Antivir, post its report.

2. START> Control Panel> Security Center. Toward the bottom, click on the Windows Firewall link and put a dot next to On under the General tab> OK then reboot.

3. Let me know if you are still unable to get into safe mode and describe the System Restore problem as I asked earlier. Why do you say it is frozen or locked? Did you try to run it? If you were looking at the folder where Restore points are stored, then yes, it is normal to be denied access as Windows protects that folder.

We'll deal with the No Disk error if it is still present after cleanup.

4. Download Deckard's System Scanner (DSS) to your Desktop. Note: You must be logged onto an account with administrator privileges.
  • Close all applications and windows.
  • Double-click on dss.exe to run it, and follow the prompts. If your anti-virus or firewall complains, please allow this script to run as it is not malicious.
  • When the scan is complete, two text files will open: main.txt (this one will be maximized) and extra.txt (this one will be minimized).
  • Copy (Ctrl+A then Ctrl+C) and paste (Ctrl+V) the contents of main.txt and the extra.txt in your next reply. If you have any problems with the logs, both can be found in C:\Deckard\System Scanner.

The thing about people is they change when they walk away. --Mipso


#3 lightpanther


Posted 07 March 2008 - 04:25 PM

Hello there.

At this point I think I would like to try to clean it up. I have so many programs, some in download form, that I am not sure I would get them back on again. At the very least I have to back up important data to CDs before I can proceed with anything substantial. I will do that and then follow the initial steps you suggested. After that I will come back here, but this will take a little while.

#4 lightpanther


Posted 09 March 2008 - 09:31 PM

Just a note to say I haven't disappeared. I'm still offloading data onto disks. I have 600 gig of Hard Drive, much of it full, so it is not a swift process. Will return here once done and when I have downloaded the above anti-viral etc. software as advised.


#5 Papakid

  • Malware Response Team

Posted 09 March 2008 - 10:22 PM

I'm subscribed to this thread so will know when you post back, don't worry about that.

The first priority, after changing passwords from a clean computer, would be to get an AV installed at least if you are going to be connected to the internet. The longer you have an unprotected system that is online, the more that can be downloaded and the more that will need to be cleaned up. If you want to do your backups first, be sure to do them while offline.



#6 lightpanther


Posted 15 March 2008 - 05:12 PM

Hi.

I have downloaded antivir, and am running a "complete system scan". It has already found a couple of things and asked me what I want to do with them. I have chosen "ignore" for now, until I can post the report. Is that the wise action?

#7 lightpanther


Posted 16 March 2008 - 12:25 AM

Here is the ANTIVIR report. Hopefully this is the right thing you requested. Please note as I said above, I haven't had the antivir program DO anything with any of these found items yet. I just had it search them out and then clicked "ignore" when it asked me to do anything.



AntiVir PersonalEdition Classic
Report file date: Saturday, March 15, 2008 15:01

Scanning for 1147670 virus strains and unwanted programs.

Licensed to: Avira AntiVir PersonalEdition Classic
Serial number: 0000149996-ADJIE-0001
Platform: Windows XP
Windows version: (Service Pack 2) [5.1.2600]
Username: SYSTEM
Computer name: YOUR-A3C925D1F2

Version information:
BUILD.DAT : 270 15603 Bytes 9/19/2007 13:32:00
AVSCAN.EXE : 7.0.6.1 290856 Bytes 8/23/2007 21:16:29
AVSCAN.DLL : 7.0.6.0 49192 Bytes 8/16/2007 20:23:51
LUKE.DLL : 7.0.5.3 147496 Bytes 8/14/2007 23:32:47
LUKERES.DLL : 7.0.6.1 10280 Bytes 8/21/2007 20:35:20
ANTIVIR0.VDF : 6.40.0.0 11030528 Bytes 7/18/2007 22:27:15
ANTIVIR1.VDF : 7.0.3.2 5447168 Bytes 3/7/2008 21:59:20
ANTIVIR2.VDF : 7.0.3.3 2048 Bytes 3/7/2008 21:59:20
ANTIVIR3.VDF : 7.0.3.31 158208 Bytes 3/14/2008 21:59:20
AVEWIN32.DLL : 7.6.0.73 3334656 Bytes 3/15/2008 21:59:21
AVWINLL.DLL : 1.0.0.7 14376 Bytes 2/26/2007 18:36:26
AVPREF.DLL : 7.0.2.2 25640 Bytes 7/18/2007 15:39:17
AVREP.DLL : 7.0.0.1 155688 Bytes 4/16/2007 21:16:24
AVPACK32.DLL : 7.6.0.3 360488 Bytes 3/15/2008 21:59:22
AVREG.DLL : 7.0.1.6 30760 Bytes 7/18/2007 15:17:06
AVARKT.DLL : 1.0.0.20 278568 Bytes 8/28/2007 20:26:33
AVEVTLOG.DLL : 7.0.0.20 86056 Bytes 7/18/2007 15:10:18
NETNT.DLL : 7.0.0.0 7720 Bytes 3/8/2007 19:09:42
RCIMAGE.DLL : 7.0.1.30 2342952 Bytes 8/7/2007 20:38:13
RCTEXT.DLL : 7.0.62.0 86056 Bytes 8/21/2007 20:50:37
SQLITE3.DLL : 3.3.17.1 339968 Bytes 7/23/2007 17:37:21

Configuration settings for the scan:
Jobname..........................: Complete system scan
Configuration file...............: c:\program files\avira\antivir personaledition classic\sysscan.avp
Logging..........................: low
Primary action...................: interactive
Secondary action.................: ignore
Scan master boot sector..........: off
Scan boot sector.................: on
Boot sectors.....................: K:,
Scan memory......................: on
Process scan.....................: on
Scan registry....................: on
Search for rootkits..............: off
Scan all files...................: Intelligent file selection
Scan archives....................: on
Recursion depth..................: 20
Smart extensions.................: on
Macro heuristic..................: on
File heuristic...................: medium

Start of the scan: Saturday, March 15, 2008 15:01

The scan of running processes will be started
Scan process 'avscan.exe' - '1' Module(s) have been scanned
Scan process 'avscan.exe' - '1' Module(s) have been scanned
Scan process 'avcenter.exe' - '1' Module(s) have been scanned
Scan process 'sched.exe' - '1' Module(s) have been scanned
Scan process 'avgnt.exe' - '1' Module(s) have been scanned
Scan process 'avguard.exe' - '1' Module(s) have been scanned
Scan process 'firefox.exe' - '1' Module(s) have been scanned
Scan process 'aolsoftware.exe' - '1' Module(s) have been scanned
Scan process 'aoltpspd.exe' - '1' Module(s) have been scanned
Scan process 'shellmon.exe' - '1' Module(s) have been scanned
Scan process 'waol.exe' - '1' Module(s) have been scanned
Scan process 'aolsoftware.exe' - '1' Module(s) have been scanned
Scan process 'AOLSP Scheduler.exe' - '1' Module(s) have been scanned
Scan process 'youtubeuploader.exe' - '1' Module(s) have been scanned
Scan process 'EasyShare.exe' - '1' Module(s) have been scanned
Scan process 'GoogleToolbarNotifier.exe' - '1' Module(s) have been scanned
Scan process 'ctfmon.exe' - '1' Module(s) have been scanned
Scan process 'GoogleUpdate.exe' - '1' Module(s) have been scanned
Scan process 'PlaxoHelper.exe' - '1' Module(s) have been scanned
Scan process 'avgas.exe' - '1' Module(s) have been scanned
Scan process 'hi1.exe' - '1' Module(s) have been scanned
Module is infected -> 'C:\WINDOWS\system32\hi1.exe'
Scan process 'PWRISOVM.EXE' - '1' Module(s) have been scanned
Scan process 'FxSvr2.exe' - '1' Module(s) have been scanned
Scan process 'Kmaestro.exe' - '1' Module(s) have been scanned
Scan process 'cledx.exe' - '1' Module(s) have been scanned
Scan process 'FIREBOX Control.exe' - '1' Module(s) have been scanned
Scan process 'iPodService.exe' - '1' Module(s) have been scanned
Scan process 'qttask.exe' - '1' Module(s) have been scanned
Scan process 'iTunesHelper.exe' - '1' Module(s) have been scanned
Scan process 'ViewMgr.exe' - '1' Module(s) have been scanned
Scan process 'LogiTray.exe' - '1' Module(s) have been scanned
Scan process 'LVCOMSX.EXE' - '1' Module(s) have been scanned
Scan process 'realplay.exe' - '1' Module(s) have been scanned
Scan process 'ehmsas.exe' - '1' Module(s) have been scanned
Scan process 'opwareSE2.exe' - '1' Module(s) have been scanned
Scan process 'atiptaxx.exe' - '1' Module(s) have been scanned
Scan process 'alg.exe' - '1' Module(s) have been scanned
Scan process 'ALCWZRD.EXE' - '1' Module(s) have been scanned
Scan process 'dllhost.exe' - '1' Module(s) have been scanned
Scan process 'SOUNDMAN.EXE' - '1' Module(s) have been scanned
Scan process 'PDVDServ.exe' - '1' Module(s) have been scanned
Scan process 'zHotkey.exe' - '1' Module(s) have been scanned
Scan process 'shwiconEM.exe' - '1' Module(s) have been scanned
Scan process 'ehtray.exe' - '1' Module(s) have been scanned
Scan process 'ViewpointService.exe' - '1' Module(s) have been scanned
Scan process 'svchost.exe' - '1' Module(s) have been scanned
Scan process 'spnsrvnt.exe' - '1' Module(s) have been scanned
Scan process 'PRISMXL.SYS' - '1' Module(s) have been scanned
Scan process 'MA_CMIDI_Inst.exe' - '1' Module(s) have been scanned
Scan process 'ehSched.exe' - '1' Module(s) have been scanned
Scan process 'ehRecvr.exe' - '1' Module(s) have been scanned
Scan process 'CDANTSRV.EXE' - '1' Module(s) have been scanned
Scan process 'guard.exe' - '0' Module(s) have been scanned
Scan process 'AOLacsd.exe' - '1' Module(s) have been scanned
Scan process 'explorer.exe' - '1' Module(s) have been scanned
Scan process 'spoolsv.exe' - '1' Module(s) have been scanned
Scan process 'svchost.exe' - '1' Module(s) have been scanned
Scan process 'ati2evxx.exe' - '1' Module(s) have been scanned
Scan process 'svchost.exe' - '1' Module(s) have been scanned
Scan process 'svchost.exe' - '1' Module(s) have been scanned
Scan process 'svchost.exe' - '1' Module(s) have been scanned
Scan process 'svchost.exe' - '1' Module(s) have been scanned
Scan process 'ati2evxx.exe' - '1' Module(s) have been scanned
Scan process 'lsass.exe' - '1' Module(s) have been scanned
Scan process 'services.exe' - '1' Module(s) have been scanned
Scan process 'winlogon.exe' - '1' Module(s) have been scanned
Scan process 'csrss.exe' - '1' Module(s) have been scanned
Scan process 'smss.exe' - '1' Module(s) have been scanned

67 processes with 67 modules were scanned

Start scanning boot sectors:
Boot sector 'C:\'
[NOTE] No virus was found!
Boot sector 'D:\'
[NOTE] No virus was found!
Boot sector 'K:\'
[NOTE] No virus was found!

Starting to scan the registry.
C:\WINDOWS\system32\hi1.exe
[DETECTION] Is the Trojan horse TR/Crypt.Morphine.Gen
[WARNING] The file was ignored!
C:\WINDOWS\system32\hi1.exe
[DETECTION] Is the Trojan horse TR/Crypt.Morphine.Gen

The registry was scanned ( '51' files ).


Starting the file scan:

Begin scan in 'C:\' <DRIVE_C>
C:\hiberfil.sys
[WARNING] The file could not be opened!
C:\pagefile.sys
[WARNING] The file could not be opened!
C:\Documents and Settings\Owner\Desktop\SmitfraudFix.exe
[DETECTION] Contains detection pattern of the dropper DR/Tool.Reboot.F.54
[WARNING] The file was ignored!
C:\Documents and Settings\Owner\Desktop\mIRC\Vue.Desprit4.iso.-.us.-.RoussD.ace
[0] Archive type: ACE
--> vue d'esprit4\Objects\Vehicles\rouill‚.jpg
[WARNING] Error creating the file
--> vue d'esprit4\Objects\Vehicles\rstmetl.jpg
[WARNING] No further files can be extracted from this archive. The archive will be closed
[WARNING] No further files can be extracted from this archive. The archive will be closed
C:\Documents and Settings\Owner\Desktop\Thumbs5\ThumbsL.exe.exe
[DETECTION] Is the Trojan horse TR/Spy.Ayolog.IY.2
[WARNING] The file was ignored!
C:\Documents and Settings\Owner\Desktop\Thumbs5\ThumbsPlus_v5[1].01_build_2064.zip
[0] Archive type: ZIP
--> ThumbsL.exe
[DETECTION] Is the Trojan horse TR/Spy.Ayolog.IY.2
[WARNING] The file was ignored!
C:\RECYCLER\S-1-5-21-337917423-1240587571-3229445189-1006\Dc1425\SpyShredder.exe
[DETECTION] Contains detection pattern of the Phish-File/Email PHISH/FraudTool.Bravesentry.J
[WARNING] The file was ignored!
C:\RECYCLER\S-1-5-21-337917423-1240587571-3229445189-1006\Dc1425\SpyShredder1.dll
[DETECTION] Is the Trojan horse TR/Agent.121856.D
[WARNING] The file was ignored!
C:\WINDOWS\system32\hi1.exe
[DETECTION] Is the Trojan horse TR/Crypt.Morphine.Gen
[WARNING] The file was ignored!
Begin scan in 'D:\' <DRIVE_D>
Begin scan in 'K:\' <New Volume>


End of the scan: Saturday, March 15, 2008 21:56
Used time: 6:54:38 min

The scan has been done completely.

16091 Scanning directories
751228 Files were scanned
8 viruses and/or unwanted programs were found
0 Files were classified as suspicious:
0 files were deleted
0 files were repaired
0 files were moved to quarantine
0 files were renamed
2 Files cannot be scanned
751220 Files not concerned
10327 Archives were scanned
12 Warnings
127 Notes

#8 Papakid

  • Malware Response Team

Posted 16 March 2008 - 09:04 AM

Well, it would have been OK to allow Antivir to move those files detected to the Quarantine. Files can be deleted or restored from there after they have been checked for false positives. We can still clean this up without Antivir's help; the main thing was to get you some minimal protection so that removal doesn't get more complicated.

Please post the logs from DSS as asked above so we can get started on cleanup. I need some information that is in those logs first.



#9 lightpanther


Posted 16 March 2008 - 04:56 PM

DSS Main.txt:


Deckard's System Scanner v20071014.68
Run by Owner on 2008-03-16 14:42:58
Computer is in Normal Mode.
--------------------------------------------------------------------------------

-- System Restore --------------------------------------------------------------

Failed to create restore point; System Restore is disabled (service is not running).


Backed up registry hives.
Performed disk cleanup.

System Drive C: has 6.13 GiB (less than 15%) free.


-- HijackThis (run as Owner.exe) -----------------------------------------------

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 2:45:32 PM, on 3/16/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.5730.0013)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Avira\AntiVir PersonalEdition Classic\avguard.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Avira\AntiVir PersonalEdition Classic\sched.exe
C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\WINDOWS\system32\DRIVERS\CDANTSRV.EXE
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\Program Files\M-Audio MA_CMIDI\MA_CMIDI_Inst.exe
C:\Program Files\Common Files\New Boundary\PrismXL\PRISMXL.SYS
C:\Program Files\Common Files\SafeNet Sentinel\Sentinel Protection Server\WinNT\spnsrvnt.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Viewpoint\Common\ViewpointService.exe
C:\WINDOWS\ehome\ehtray.exe
C:\Program Files\Digital Media Reader\shwiconem.exe
C:\WINDOWS\zHotkey.exe
C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\WINDOWS\system32\dllhost.exe
C:\WINDOWS\ALCWZRD.EXE
C:\WINDOWS\eHome\ehmsas.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\WINDOWS\System32\alg.exe
C:\Program Files\ScanSoft\OmniPageSE2.0\OpwareSE2.exe
C:\Program Files\Real\RealPlayer\RealPlay.exe
C:\WINDOWS\system32\LVCOMSX.EXE
C:\Program Files\Logitech\Video\LogiTray.exe
C:\Program Files\Common Files\AOL\1140034058\ee\AOLSoftware.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\PreSonus\1394AudioDriver_FIREBox\FIREBOX Control.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\SyncroSoft\Pos\H2O\cledx.exe
C:\Program Files\HP Optical 4 Button USB Mouse\KMaestro.exe
C:\Program Files\PowerISO\PWRISOVM.EXE
C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
C:\Program Files\Logitech\Video\FxSvr2.exe
c:\program files\common files\aol\1140034058\ee\services\antiSpywareApp\ver2_0_32_1\AOLSP Scheduler.exe
c:\program files\common files\aol\1140034058\ee\aolsoftware.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe
C:\Program Files\Plaxo\2.13.1.3\PlaxoHelper.exe
C:\Documents and Settings\Owner\Local Settings\Application Data\Google\Update\1.1.25.0\GoogleUpdate.exe
C:\Program Files\Skype\Phone\Skype.exe
C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe
C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe
C:\Documents and Settings\Owner\Local Settings\Application Data\YouTube\Uploader\youtubeuploader.exe
C:\Program Files\Skype\Plugin Manager\skypePM.exe
C:\Documents and Settings\Owner\Desktop\dss.exe
C:\PROGRA~1\HIJACK~1\Owner.exe
C:\WINDOWS\system32\wbem\wmiprvse.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.iands.org/
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: Skype add-on (mastermind) - {22BF413B-C6D2-4d91-82A9-A0F997BA588C} - C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll
O2 - BHO: AOL Toolbar Launcher - {7C554162-8CB7-45A4-B8F4-8EA1C75885F9} - C:\Program Files\AOL\AOL Toolbar 3.0\aoltb.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar4.dll
O2 - BHO: (no name) - {AECC0B23-48EF-4BFA-9498-ADFB732D5643} - c:\windows\system32\cmpropsv.dll
O2 - BHO: (no name) - {BFC53DA5-C5C9-4DA4-A98C-3956BC67CB2D} - C:\WINDOWS\system32\cnbjmonb.dll
O3 - Toolbar: Easy-WebPrint - {327C2873-E90D-4c37-AA9D-10AC9BABA46C} - C:\Program Files\Canon\Easy-WebPrint\Toolband.dll
O3 - Toolbar: AOL Toolbar - {DE9C389F-3316-41A7-809B-AA305ED9D922} - C:\Program Files\AOL\AOL Toolbar 3.0\aoltb.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar4.dll
O4 - HKLM\..\Run: [ehTray] C:\WINDOWS\ehome\ehtray.exe
O4 - HKLM\..\Run: [SunKistEM] C:\Program Files\Digital Media Reader\shwiconem.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [CHotkey] zHotkey.exe
O4 - HKLM\..\Run: [ShowWnd] ShowWnd.exe
O4 - HKLM\..\Run: [Recguard] %WINDIR%\SMINST\RECGUARD.EXE
O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"
O4 - HKLM\..\Run: [High Definition Audio Property Page Shortcut] HDAudPropShortcut.exe
O4 - HKLM\..\Run: [Mixersel] C:\Program Files\Realtek\InstallShield\mixersel.exe
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [AlcWzrd] ALCWZRD.EXE
O4 - HKLM\..\Run: [Alcmtr] ALCMTR.EXE
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [Pure Networks Port Magic] "C:\PROGRA~1\PURENE~1\PORTMA~1\PortAOL.exe" -Run
O4 - HKLM\..\Run: [OpwareSE2] "C:\Program Files\ScanSoft\OmniPageSE2.0\OpwareSE2.exe"
O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
O4 - HKLM\..\Run: [LVCOMSX] C:\WINDOWS\system32\LVCOMSX.EXE
O4 - HKLM\..\Run: [LogitechVideoRepair] C:\Program Files\Logitech\Video\ISStart.exe
O4 - HKLM\..\Run: [LogitechVideoTray] C:\Program Files\Logitech\Video\LogiTray.exe
O4 - HKLM\..\Run: [HostManager] C:\Program Files\Common Files\AOL\1140034058\ee\AOLSoftware.exe
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [FIREBOX] C:\Program Files\PreSonus\1394AudioDriver_FIREBox\FIREBOX Control.exe
O4 - HKLM\..\Run: [H2O] C:\Program Files\SyncroSoft\Pos\H2O\cledx.exe
O4 - HKLM\..\Run: [BtcMouseMaestro] "C:\Program Files\HP Optical 4 Button USB Mouse\KMaestro.exe"
O4 - HKLM\..\Run: [PWRISOVM.EXE] C:\Program Files\PowerISO\PWRISOVM.EXE
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [hi1] C:\WINDOWS\system32\hi1.exe
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKLM\..\Run: [UserFaultCheck] %systemroot%\system32\dumprep 0 -u
O4 - HKLM\..\Run: [avgnt] "C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe" /min
O4 - HKCU\..\Run: [LogitechSoftwareUpdate] "C:\Program Files\Logitech\Video\ManifestEngine.exe" boot
O4 - HKCU\..\Run: [PlaxoUpdate] C:\Program Files\Plaxo\2.13.1.3\PlaxoHelper.exe -a
O4 - HKCU\..\Run: [Google Update] "C:\Documents and Settings\Owner\Local Settings\Application Data\Google\Update\1.1.25.0\GoogleUpdate.exe" /lang en
O4 - HKCU\..\Run: [Skype] "C:\Program Files\Skype\Phone\Skype.exe" /nosplash /minimized
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [hi1] C:\WINDOWS\system32\hi1.exe
O4 - HKCU\..\Run: [MSI Configuration] msiconf.exe
O4 - Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Startup: YouTube Uploader.lnk = C:\Documents and Settings\Owner\Local Settings\Application Data\YouTube\Uploader\youtubeuploader.exe
O4 - Global Startup: Kodak EasyShare software.lnk = C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\office2000\Office\OSA9.EXE
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_02\bin\npjpi150_02.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_02\bin\npjpi150_02.dll
O9 - Extra button: AOL Toolbar - {3369AF0D-62E9-4bda-8103-B4C75499B578} - C:\Program Files\AOL\AOL Toolbar 3.0\aoltb.dll
O9 - Extra button: Skype - {77BF5300-1474-4EC7-9980-D32B190E9B07} - C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} (PCPitstop Utility) - http://support.gateway.com/support/profiler/PCPitStop.CAB
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {97BB6657-DC7F-4489-9067-51FAB9D8857E} (CWebLaunchCtl Object) - https://support.gateway.com/eSupport/static.../weblaunch2.cab
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O20 - Winlogon Notify: ymsxizcz - C:\WINDOWS\SYSTEM32\cmpropsv.dll
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: AntiVir PersonalEdition Classic Scheduler (AntiVirScheduler) - Avira GmbH - C:\Program Files\Avira\AntiVir PersonalEdition Classic\sched.exe
O23 - Service: AntiVir PersonalEdition Classic Guard (AntiVirService) - Avira GmbH - C:\Program Files\Avira\AntiVir PersonalEdition Classic\avguard.exe
O23 - Service: AOL Connectivity Service (AOL ACS) - America Online, Inc. - C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: Alias Wavefront Help Server (AWHelpServer) - Unknown owner - C:\Program Files\AliasWavefront\Maya5.0\docs\Wrapper.exe
O23 - Service: C-DillaSrv - C-Dilla Ltd - C:\WINDOWS\system32\DRIVERS\CDANTSRV.EXE
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Kodak Camera Connection Software (KodakCCS) - Eastman Kodak Company - C:\WINDOWS\system32\drivers\KodakCCS.exe
O23 - Service: M-Audio CMIDI Installer (MA_CMIDI_InstallerService) - Unknown owner - C:\Program Files\M-Audio MA_CMIDI\MA_CMIDI_Inst.exe
O23 - Service: PrismXL - New Boundary Technologies, Inc. - C:\Program Files\Common Files\New Boundary\PrismXL\PRISMXL.SYS
O23 - Service: Sentinel Protection Server (SentinelProtectionServer) - SafeNet, Inc - C:\Program Files\Common Files\SafeNet Sentinel\Sentinel Protection Server\WinNT\spnsrvnt.exe
O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exe

--
End of file - 12593 bytes

-- HijackThis Fixed Entries (C:\PROGRA~1\HIJACK~1\backups\) --------------------

backup-20080304-153835-303 O4 - HKCU\..\Run: [SpyShredder] C:\Program Files\SpyShredder\SpyShredder.exe

-- File Associations -----------------------------------------------------------

.reg - regfile - shell\open\command - "regedit.exe" "%1"


-- Drivers: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled ---------------------

R0 qltmbjpy - c:\windows\system32\drivers\bqgqcycq.dat
R1 Asapi - c:\windows\system32\drivers\asapi.sys <Not Verified; VOB Computersysteme GmbH; asapi>
R1 ATMhelpr - c:\windows\system32\drivers\atmhelpr.sys <Not Verified; Adobe Systems Incorporated; Adobe Type Manager Deluxe>
R1 SCDEmu - c:\windows\system32\drivers\scdemu.sys <Not Verified; PowerISO Computing, Inc.; scdemu>
R2 ASCTRM - c:\windows\system32\drivers\asctrm.sys <Not Verified; Windows ® 2000 DDK provider; Windows ® 2000 DDK driver>
R3 Afc (PPdus ASPI Shell) - c:\windows\system32\drivers\afc.sys <Not Verified; Arcsoft, Inc.; Arcsoft® ASPI Shell>
R3 CLEDX (Team H2O CLEDX service) - c:\windows\system32\drivers\cledx.sys <Not Verified; Team H2O; CLEDX>
R3 MA_CMIDI (%EVOL_USB.SvcDesc%) - c:\windows\system32\drivers\ma_cmidi.sys <Not Verified; M-Audio; M-Audio USB MIDI Keyboard Interface>
R3 pfc (Padus ASPI Shell) - c:\windows\system32\drivers\pfc.sys <Not Verified; Padus, Inc.; Padus® ASPI Shell>
R3 ps_1394 - c:\windows\system32\drivers\ps_1394.sys <Not Verified; BridgeCo AG; BridgeCo 1394 Audio Drivers>
R3 ps_avs - c:\windows\system32\drivers\ps_avs.sys <Not Verified; BridgeCo AG; BridgeCo 1394 Audio Drivers>
R3 SunkFilt (Alcor Micro Corp Reader) - c:\windows\system32\drivers\sunkfilt.sys <Not Verified; Alcor Micro Corp.; SunkFilt>

S2 DS1410D - c:\windows\system32\drivers\ds1410d.sys (file missing)
S3 C-Dilla - c:\windows\system32\drivers\cdant.sys <Not Verified; Macrovision; Licence Management System>


-- Services: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled --------------------

R2 AntiVirScheduler (AntiVir PersonalEdition Classic Scheduler) - "c:\program files\avira\antivir personaledition classic\sched.exe" <Not Verified; Avira GmbH; Scheduler>
R2 C-DillaSrv - c:\windows\system32\drivers\cdantsrv.exe <Not Verified; C-Dilla Ltd; CD-Secure/CD-Compress Windows NT>
R2 MA_CMIDI_InstallerService (M-Audio CMIDI Installer) - c:\program files\m-audio ma_cmidi\ma_cmidi_inst.exe <Not Verified; ; MA_CMIDI USB MIDI Installer Service>
R2 Viewpoint Manager Service - "c:\program files\viewpoint\common\viewpointservice.exe" <Not Verified; Viewpoint Corporation; Viewpoint Manager>

S3 AWHelpServer (Alias Wavefront Help Server) - "c:\program files\aliaswavefront\maya5.0\docs\wrapper.exe" -s "c:\program files\aliaswavefront\maya5.0\docs/wrapper.conf"


-- Device Manager: Disabled ----------------------------------------------------

Class GUID: {745A17A0-74D3-11D0-B6FE-00A0C90F57DA}
Description: USB Human Interface Device
Device ID: USB\VID_05AC&PID_921E\6&24587CA&0&2
Manufacturer: (Standard system devices)
Name: USB Human Interface Device
PNP Device ID: USB\VID_05AC&PID_921E\6&24587CA&0&2
Service: HidUsb


-- Files created between 2008-02-16 and 2008-03-16 -----------------------------

2008-03-15 14:56:11 0 d-------- C:\Program Files\Avira
2008-03-15 14:56:11 0 d-------- C:\Documents and Settings\All Users\Application Data\Avira
2008-03-03 22:32:48 0 d-------- C:\Documents and Settings\Owner\Application Data\Grisoft
2008-03-03 22:32:36 0 d-------- C:\Documents and Settings\All Users\Application Data\Grisoft
2008-03-03 22:24:21 0 d-------- C:\Program Files\RogueRemover FREE
2008-03-03 16:03:58 5350 --a------ C:\WINDOWS\system32\tmp.reg
2008-03-03 06:39:35 0 d-------- C:\Program Files\Enigma Software Group
2008-03-03 06:19:01 35072 --a------ C:\WINDOWS\system32\xmmznksy.dat
2008-03-03 06:19:01 246545 --a------ C:\WINDOWS\system32\libssl32.dll <Not Verified; OpenSSL <www.openssl.org>; OpenSSL>
2008-03-03 06:19:01 1188375 --a------ C:\WINDOWS\system32\libeay32.dll <Not Verified; OpenSSL <www.openssl.org>; OpenSSL>
2008-03-03 06:19:01 741632 --a------ C:\WINDOWS\system32\dswweimn.dat
2008-03-03 06:19:01 19712 --a------ C:\WINDOWS\system32\drivers\bqgqcycq.dat
2008-03-03 06:18:59 36608 --a------ C:\WINDOWS\system32\jpuwucou.dat
2008-03-03 06:18:59 42752 --a------ C:\WINDOWS\system32\cyreiezm.dat
2008-03-02 02:41:50 120576 --a------ C:\WINDOWS\system32\ecleattz.dat
2008-03-02 02:34:33 86528 --a------ C:\WINDOWS\system32\cmpropsv.dll <Not Verified; Microsoft Corporation; Microsoft® Windows® Operating System>
2008-03-02 02:34:09 0 d-------- C:\WINDOWS\system32\AppCert
2008-03-02 02:33:54 98048 --a------ C:\WINDOWS\system32\cnbjmonb.dll
2008-02-29 01:53:29 1158 --a------ C:\WINDOWS\mozver.dat


-- Find3M Report ---------------------------------------------------------------

2008-03-16 14:34:44 0 d-------- C:\Documents and Settings\Owner\Application Data\Skype
2008-03-16 14:33:50 0 d-------- C:\Documents and Settings\Owner\Application Data\skypePM
2008-03-16 14:32:55 0 d-------- C:\Program Files\Plaxo
2008-02-29 13:57:28 0 d-------- C:\Program Files\Common Files\Adobe
2008-02-21 08:30:54 0 d-------- C:\Program Files\Google
2008-02-20 15:03:25 0 d-------- C:\Documents and Settings\Owner\Application Data\Mozilla
2008-02-08 11:46:42 0 d-------- C:\Program Files\Skype
2008-02-08 11:46:39 0 d-------- C:\Program Files\Common Files
2008-02-08 11:46:39 0 d-------- C:\Program Files\Common Files\Skype
2008-02-08 11:21:52 0 d-------- C:\Documents and Settings\Owner\Application Data\ArcSoft
2008-02-08 11:12:01 103437 --a------ C:\WINDOWS\hpqins13.dat
2008-02-08 11:11:35 0 d-------- C:\Program Files\Common Files\HP
2008-02-08 11:11:34 0 d-------- C:\Program Files\HP
2008-02-08 11:09:10 0 d-------- C:\Program Files\Common Files\ArcSoft
2008-02-08 11:08:53 0 d-------- C:\Program Files\ArcSoft
2008-02-08 11:08:48 0 d--h----- C:\Program Files\InstallShield Installation Information
2008-02-08 11:08:16 0 d-------- C:\Documents and Settings\Owner\Application Data\InstallShield
2008-02-08 10:53:55 0 d-------- C:\Program Files\DIFX
2008-01-08 21:51:53 356352 --a------ C:\WINDOWS\eSellerateEngine.dll <Not Verified; eSellerate Inc.; eSellerateEngine>


-- Registry Dump ---------------------------------------------------------------

*Note* empty entries & legit default entries are not shown


[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{AECC0B23-48EF-4BFA-9498-ADFB732D5643}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{BFC53DA5-C5C9-4DA4-A98C-3956BC67CB2D}]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ehTray"="C:\WINDOWS\ehome\ehtray.exe" [08/10/2004 11:04 AM]
"SunKistEM"="C:\Program Files\Digital Media Reader\shwiconem.exe" [11/15/2004 03:04 PM]
"@"="" []
"NeroFilterCheck"="C:\WINDOWS\system32\NeroCheck.exe" [07/09/2001 11:50 AM]
"CHotkey"="zHotkey.exe" [05/17/2004 06:30 PM C:\WINDOWS\zHotkey.exe]
"ShowWnd"="ShowWnd.exe" [09/19/2003 09:09 AM C:\WINDOWS\ShowWnd.exe]
"Recguard"="%WINDIR%\SMINST\RECGUARD.EXE" []
"RemoteControl"="C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe" [11/02/2004 08:24 PM]
"High Definition Audio Property Page Shortcut"="HDAudPropShortcut.exe" [08/12/2004 05:45 PM C:\WINDOWS\system32\Hdaudpropshortcut.exe]
"Mixersel"="C:\Program Files\Realtek\InstallShield\mixersel.exe" [11/10/2003 06:23 PM]
"IgfxTray"="C:\WINDOWS\system32\igfxtray.exe" [12/01/2004 12:00 PM]
"HotKeysCmds"="C:\WINDOWS\system32\hkcmd.exe" [12/01/2004 11:55 AM]
"SoundMan"="SOUNDMAN.EXE" [10/21/2004 03:20 PM C:\WINDOWS\SOUNDMAN.EXE]
"AlcWzrd"="ALCWZRD.EXE" [10/21/2004 06:44 PM C:\WINDOWS\ALCWZRD.EXE]
"Alcmtr"="ALCMTR.EXE" [10/13/2004 05:00 PM C:\WINDOWS\ALCMTR.EXE]
"ATIPTA"="C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [11/03/2004 09:10 PM]
"Pure Networks Port Magic"="C:\PROGRA~1\PURENE~1\PORTMA~1\PortAOL.exe" [06/30/2004 09:49 AM]
"OpwareSE2"="C:\Program Files\ScanSoft\OmniPageSE2.0\OpwareSE2.exe" [05/08/2003 12:00 PM]
"RealTray"="C:\Program Files\Real\RealPlayer\RealPlay.exe" [05/20/2005 03:38 AM]
"LVCOMSX"="C:\WINDOWS\system32\LVCOMSX.EXE" [07/19/2005 06:32 PM]
"LogitechVideoRepair"="C:\Program Files\Logitech\Video\ISStart.exe" [06/08/2005 04:24 PM]
"LogitechVideoTray"="C:\Program Files\Logitech\Video\LogiTray.exe" [06/08/2005 04:14 PM]
"HostManager"="C:\Program Files\Common Files\AOL\1140034058\ee\AOLSoftware.exe" [03/10/2006 03:22 PM]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [02/08/2006 03:03 PM]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [02/20/2006 08:19 PM]
"FIREBOX"="C:\Program Files\PreSonus\1394AudioDriver_FIREBox\FIREBOX Control.exe" [01/28/2005 03:04 PM]
"H2O"="C:\Program Files\SyncroSoft\Pos\H2O\cledx.exe" [10/23/2005 12:00 AM]
"BtcMouseMaestro"="C:\Program Files\HP Optical 4 Button USB Mouse\KMaestro.exe" [02/05/2007 04:30 AM]
"PWRISOVM.EXE"="C:\Program Files\PowerISO\PWRISOVM.EXE" [08/06/2007 05:05 PM]
"Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [01/11/2008 11:16 PM]
"hi1"="C:\WINDOWS\system32\hi1.exe" []
"!AVG Anti-Spyware"="C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" [06/11/2007 02:25 AM]
"UserFaultCheck"="C:\WINDOWS\system32\dumprep 0 -u" []
"avgnt"="C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe" [03/15/2008 02:59 PM]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"LogitechSoftwareUpdate"="C:\Program Files\Logitech\Video\ManifestEngine.exe" [06/08/2005 03:44 PM]
"PlaxoUpdate"="C:\Program Files\Plaxo\2.13.1.3\PlaxoHelper.exe" [12/11/2007 06:21 PM]
"Aim6"="" []
"Google Update"="C:\Documents and Settings\Owner\Local Settings\Application Data\Google\Update\1.1.25.0\GoogleUpdate.exe" [03/13/2008 09:54 PM]
"Skype"="C:\Program Files\Skype\Phone\Skype.exe" [02/01/2008 06:22 PM]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [08/10/2004 12:00 PM]
"swg"="C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe" [02/20/2008 11:21 PM]
"hi1"="C:\WINDOWS\system32\hi1.exe" []
"MSI Configuration"="msiconf.exe" []

C:\Documents and Settings\Owner\Start Menu\Programs\Startup\
Adobe Gamma.lnk - C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [3/16/2005 7:16:50 PM]
YouTube Uploader.lnk - C:\Documents and Settings\Owner\Local Settings\Application Data\YouTube\Uploader\youtubeuploader.exe [11/9/2007 2:33:08 PM]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Kodak EasyShare software.lnk - C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe [11/4/2005 4:04:48 PM]
Microsoft Office.lnk - C:\Program Files\office2000\Office\OSA9.EXE [2/17/1999 12:05:56 PM]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"InstallVisualStyle"=C:\WINDOWS\Resources\Themes\Royale\Royale.msstyles
"InstallTheme"=C:\WINDOWS\Resources\Themes\Royale.theme

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]
"DisableRegistryTools"=0 (0x0)

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\ymsxizcz]
cmpropsv.dll 03/07/2008 10:56 PM 86528 C:\WINDOWS\system32\cmpropsv.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\StartCCC]
C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Svchost - NetSvcs
otiircel


[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{0143afe1-c919-11d9-8c27-806d6172696f}]
AutoRun\command- C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL Info.exe folder.htt 480 480

*Newly Created Service* - ATWPKT2
*Newly Created Service* - SSMDRV



-- End of Deckard's System Scanner: finished at 2008-03-16 14:47:15 ------------

DSS Extra.txt

Deckard's System Scanner v20071014.68
Extra logfile - please post this as an attachment with your post.
--------------------------------------------------------------------------------

-- System Information ----------------------------------------------------------

Microsoft Windows XP Professional (build 2600) SP 2.0
Architecture: X86; Language: English

CPU 0: Intel® Pentium® 4 CPU 3.00GHz
CPU 1: Intel® Pentium® 4 CPU 3.00GHz
Percentage of Memory in Use: 19%
Physical Memory (total/avail): 3055.28 MiB / 2471.11 MiB
Pagefile Memory (total/avail): 4939.83 MiB / 4379.9 MiB
Virtual Memory (total/avail): 2047.88 MiB / 1934.12 MiB

C: is Fixed (NTFS) - 228.64 GiB total, 6.13 GiB free.
D: is Fixed (FAT32) - 4.23 GiB total, 0.99 GiB free.
E: is CDROM (No Media)
F: is CDROM (No Media)
G: is Removable (No Media)
H: is Removable (No Media)
I: is Removable (No Media)
J: is Removable (No Media)
K: is Fixed (NTFS) - 372.61 GiB total, 364.46 GiB free.
L: is CDROM (No Media)

\\.\PHYSICALDRIVE1 - WDC WD2500JD-22HBC0 - 232.88 GiB - 2 partitions
\PARTITION0 (bootable) - Installable File System - 228.64 GiB - C:
\PARTITION1 - Unknown - 4.24 GiB - D:

\\.\PHYSICALDRIVE0 - HDS72404 0KLAT80 SCSI Disk Device - 372.61 GiB - 1 partition
\PARTITION0 - Installable File System - 372.61 GiB - K:

\\.\PHYSICALDRIVE3 - Generic USB CF Reader USB Device

\\.\PHYSICALDRIVE5 - Generic USB MS Reader USB Device

\\.\PHYSICALDRIVE2 - Generic USB SD Reader USB Device

\\.\PHYSICALDRIVE4 - Generic USB SM Reader USB Device



-- Security Center -------------------------------------------------------------

AUOptions is disabled.
Windows Internal Firewall is disabled.

FirstRunDisabled is set.
AntiVirusDisableNotify is set.
FirewallDisableNotify is set.
UpdatesDisableNotify is set.

AV: Avira AntiVir PersonalEdition v 7.0.3.31
(Avira GmbH)

[HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"C:\\Program Files\\Common Files\\AOL\\ACS\\AOLacsd.exe"="C:\\Program Files\\Common Files\\AOL\\ACS\\AOLacsd.exe:*:Enabled:AOL"
"C:\\Program Files\\Common Files\\AOL\\ACS\\AOLDial.exe"="C:\\Program Files\\Common Files\\AOL\\ACS\\AOLDial.exe:*:Enabled:AOL"
"C:\\Program Files\\America Online 9.0\\waol.exe"="C:\\Program Files\\America Online 9.0\\waol.exe:*:Enabled:America Online 9.0"

[HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"C:\\Program Files\\Common Files\\AOL\\ACS\\AOLacsd.exe"="C:\\Program Files\\Common Files\\AOL\\ACS\\AOLacsd.exe:*:Enabled:AOL"
"C:\\Program Files\\Common Files\\AOL\\ACS\\AOLDial.exe"="C:\\Program Files\\Common Files\\AOL\\ACS\\AOLDial.exe:*:Enabled:AOL"
"C:\\Program Files\\America Online 9.0\\waol.exe"="C:\\Program Files\\America Online 9.0\\waol.exe:*:Enabled:America Online 9.0"
"C:\\Documents and Settings\\Owner\\Desktop\\Vueultimateprotry\\Vue4Pro.eon"="C:\\Documents and Settings\\Owner\\Desktop\\Vueultimateprotry\\Vue4Pro.eon:*:Disabled:Vue4Pro"
"C:\\Program Files\\AliasWavefront\\Maya5.0\\bin\\maya.exe"="C:\\Program Files\\AliasWavefront\\Maya5.0\\bin\\maya.exe:*:Disabled:Maya"
"C:\\Documents and Settings\\Owner\\Desktop\\mIRC\\mirc.exe"="C:\\Documents and Settings\\Owner\\Desktop\\mIRC\\mirc.exe:*:Enabled:mIRC"
"C:\\Program Files\\Messenger\\msmsgs.exe"="C:\\Program Files\\Messenger\\msmsgs.exe:*:Enabled:Windows Messenger"
"C:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"="C:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe:*:Enabled:AOL Loader"
"C:\\Program Files\\Common Files\\AOL\\1140034058\\ee\\aolsoftware.exe"="C:\\Program Files\\Common Files\\AOL\\1140034058\\ee\\aolsoftware.exe:*:Enabled:AOL Services"
"C:\\Program Files\\Common Files\\AOL\\1140034058\\ee\\aim6.exe"="C:\\Program Files\\Common Files\\AOL\\1140034058\\ee\\aim6.exe:*:Enabled:AIM"
"C:\\Program Files\\iTunes\\iTunes.exe"="C:\\Program Files\\iTunes\\iTunes.exe:*:Enabled:iTunes"
"C:\\Program Files\\Common Files\\SafeNet Sentinel\\Sentinel Protection Server\\WinNT\\spnsrvnt.exe"="C:\\Program Files\\Common Files\\SafeNet Sentinel\\Sentinel Protection Server\\WinNT\\spnsrvnt.exe:*:Enabled:Sentinel Protection Server"
"C:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"="C:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe:*:Enabled:Yahoo! Messenger"
"C:\\Program Files\\Yahoo!\\Messenger\\YServer.exe"="C:\\Program Files\\Yahoo!\\Messenger\\YServer.exe:*:Enabled:Yahoo! FT Server"
"C:\\Program Files\\Kodak\\Kodak EasyShare software\\bin\\EasyShare.exe"="C:\\Program Files\\Kodak\\Kodak EasyShare software\\bin\\EasyShare.exe:*:Enabled:EasyShare"
"C:\\Program Files\\utorrent\\utorrent.exe"="C:\\Program Files\\utorrent\\utorrent.exe:*:Enabled:µTorrent"
"C:\\Program Files\\Skype\\Phone\\Skype.exe"="C:\\Program Files\\Skype\\Phone\\Skype.exe:*:Enabled:Skype"


-- Environment Variables -------------------------------------------------------

ALLUSERSPROFILE=C:\Documents and Settings\All Users
APPDATA=C:\Documents and Settings\Owner\Application Data
CLASSPATH=C:\Program Files\PhotoDeluxe 2.0\AdobeConnectables
CLIENTNAME=Console
CommonProgramFiles=C:\Program Files\Common Files
COMPUTERNAME=YOUR-A3C925D1F2
ComSpec=C:\WINDOWS\system32\cmd.exe
FP_NO_HOST_CHECK=NO
HOMEDRIVE=C:
HOMEPATH=\Documents and Settings\Owner
LOGONSERVER=\\YOUR-A3C925D1F2
MAYA_SHADER_LIBRARY_PATH=C:\Program Files\AliasWavefront\Maya Shader Library\shaders
NUMBER_OF_PROCESSORS=2
OS=Windows_NT
Path=C:\Program Files\Mozilla Firefox;C:\Program Files\AliasWavefront\Maya5.0\bin;C:\WINDOWS\system32;C:\WINDOWS;C:\WINDOWS\System32\Wbem;C:\Program Files\ATI Technologies\ATI Control Panel;C:\Program Files\Common Files\Autodesk Shared\;K:\3dsmax5\backburner2\;C:\Program Files\QuickTime\QTSystem\;C:\Program Files\ATI Technologies\ATI.ACE\Core-Static;C:\Program Files\Common Files\Adobe\AGL
PATHEXT=.COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH
PROCESSOR_ARCHITECTURE=x86
PROCESSOR_IDENTIFIER=x86 Family 15 Model 4 Stepping 3, GenuineIntel
PROCESSOR_LEVEL=15
PROCESSOR_REVISION=0403
ProgramFiles=C:\Program Files
PROMPT=$P$G
QTJAVA=C:\Program Files\Java\jre1.5.0_02\lib\ext\QTJava.zip
SESSIONNAME=Console
SystemDrive=C:
SystemRoot=C:\WINDOWS
TEMP=C:\DOCUME~1\Owner\LOCALS~1\Temp
TMP=C:\DOCUME~1\Owner\LOCALS~1\Temp
USERDOMAIN=YOUR-A3C925D1F2
USERNAME=Owner
USERPROFILE=C:\Documents and Settings\Owner
windir=C:\WINDOWS
__COMPAT_LAYER=EnableNXShowUI


-- User Profiles ---------------------------------------------------------------

Owner (admin)
Administrator (admin)


-- Add/Remove Programs ---------------------------------------------------------

--> C:\WINDOWS\IsUninst.exe -fC:\WINDOWS\system32\UninstIPP.isu
--> rundll32.exe setupapi.dll,InstallHinfSection DefaultUninstall 132 C:\WINDOWS\INF\PCHealth.inf
3ds max 5.1 --> MsiExec.exe /I{7A001E33-CA55-4013-BFCE-5BDD056EF0BA}
Adobe Bridge 1.0 --> MsiExec.exe /I{B74D4E10-1033-0000-0000-000000000001}
Adobe Common File Installer --> MsiExec.exe /I{8EDBA74D-0686-4C99-BFDD-F894678E5B39}
Adobe Digital Editions --> C:\Documents and Settings\Owner\Application Data\Macromedia\Flash Player\www.macromedia.com\bin\digitaleditions2x0\digitaleditions2x0.exe -uninstall
Adobe Flash Player ActiveX --> C:\WINDOWS\system32\Macromed\Flash\uninstall_activeX.exe
Adobe Help Center 1.0 --> MsiExec.exe /I{E9787678-1033-0000-8E67-000000000001}
Adobe PhotoDeluxe 2.0 --> C:\WINDOWS\uninst.exe -f"C:\Program Files\PhotoDeluxe 2.0\DeIsL1.isu"
Adobe Photoshop CS2 --> msiexec /I {236BB7C4-4419-42FD-0409-1E257A25E34D}
Adobe Premiere Pro --> RunDll32 "C:\Program Files\Common Files\InstallShield\Professional\RunTime\0701\Intel32\ctor.dll",LaunchSetup "C:\Program Files\InstallShield Installation Information\{084709F7-38C5-4609-B55F-2417939315EB}\setup.exe"
Adobe Reader 8.1.2 --> MsiExec.exe /I{AC76BA86-7AD7-1033-7B44-A81200000003}
Adobe Stock Photos 1.0 --> MsiExec.exe /I{786C5747-1033-0000-B58E-000000000001}
Adobe Type Manager 4.0 --> C:\WINDOWS\uninst.exe -f"C:\Program Files\Adobe Type Manager\DeIsL1.isu" -c"C:\Program Files\Adobe Type Manager\UNINST.DLL"
AfterWorld Alpha 8 --> "C:\Program Files\AfterWorld DG\AfterWorld\unins000.exe"
Anfy --> C:\PROGRA~1\AnfyTeam\UNWISE.EXE C:\PROGRA~1\AnfyTeam\INSTALL.LOG
AOL Coach Version 1.0(Build:20040229.1 en) --> C:\Program Files\Common Files\aolshare\Coach\AolCInUn.exe
AOL Connectivity Services --> C:\PROGRA~1\COMMON~1\AOL\ACS\AcsUninstall.exe /c
AOL Toolbar --> "C:\Program Files\AOL Toolbar\UNWISE.EXE" /u "C:\Program Files\AOL Toolbar\INSTALL.LOG"
AOL Uninstaller --> C:\Program Files\Common Files\AOL\uninstaller.exe
AOL You've Got Pictures Screensaver --> C:\Program Files\Common Files\AOL\Screensaver\uninst_ygpss.exe
Apophysis 2.0 --> "C:\Program Files\Apophysis 2.0\uninstall.exe"
ArcSoft VideoImpression 2 --> C:\Program Files\InstallShield Installation Information\{E5F27DA8-48D3-4A46-AD83-26F42F5DA54D}\setup.exe -runfromtemp -l0x0009 -removeonly
ARP2600 V --> C:\WINDOWS\unvise32.exe C:\PROGRAM FILES\Arturia\ARP2600 V\uninstal.log
ASAPI Update --> C:\WINDOWS\system32\IWUNIN~1.EXE -uninstall C:\WINDOWS\ISUNINST.EXE -fC:\PROGRA~1\VOB\ASAPIU~1\ASAPI.isu
ASIO4ALL v2 --> C:\Program Files\ASIO4ALL v2\uninstall.exe
ATI - Software Uninstall Utility --> C:\Program Files\ATI Technologies\UninstallAll\AtiCimUn.exe
ATI Catalyst Control Center --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\09\01\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{055EE59D-217B-43A7-ABFF-507B966405D8}\setup.exe" -l0x0
ATI Control Panel --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{0BEDBD4E-2D34-47B5-9973-57E62B29307C}\setup.exe"
ATI Display Driver --> rundll32 C:\WINDOWS\system32\atiiiexx.dll,_InfEngUnInstallINFFile_RunDLL@16 -force_restart -flags:0x2010001 -inf_class:DISPLAY -clean
Atmosphere --> "C:\Program Files\Spectrasonics\Atmosphere\unins000.exe"
AVG Anti-Spyware 7.5 --> C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\Uninstall.exe
Avira AntiVir PersonalEdition Classic --> C:\Program Files\Avira\AntiVir PersonalEdition Classic\SETUP.EXE /REMOVE
backburner 2.1 --> C:\WINDOWS\unvise32.exe K:\3dsmax5\backburner2\uninstal.log
Batch Mp3 Wav Converter V1.82 --> "C:\Program Files\Batch Mp3 Wav Converter\unins000.exe"
Bink and Smacker --> C:\PROGRA~1\RADVideo\UNWISE.EXE C:\PROGRA~1\RADVideo\INSTALL.LOG
C-Dilla Licence Management System --> C:\C_DILLA\setup\cdunin16.exe
Canon MP Drivers 6.0 --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{3FF3DD04-F386-46B0-97FC-B86238B65487}\Setup.exe" -l0x9 -Uninstall
Canon MP Navigator 1.0 --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{109AB81D-9732-40B3-9C1F-113A86CE6F93}\setup.exe" /SUUninstall
Canon ScanGear Starter --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{18A5DFF2-8A95-49F3-873F-743CB5549F3D}\setup.exe" -l0x9 anything
Canon Utilities Easy-PhotoPrint --> C:\Program Files\Canon\Easy-PhotoPrint\uninst.exe C:\Program Files\Canon\Easy-PhotoPrint\uninst.ini
CardRd81 --> MsiExec.exe /I{54C8FE84-89C4-40E8-976C-439EB0729BD6}
CCScore --> MsiExec.exe /I{B4B44FE7-41FF-4DAD-8C0A-E406DDA72992}
Collab --> C:\Program Files\Image-Line\Collab\uninstall.exe
CR2 --> MsiExec.exe /I{432C3720-37BF-4BD7-8E49-F38E090246D0}
DEMO Name It - Notes - v1.0.0 --> "C:\Program Files\KeyPiano\unins000.exe"
Digital Media Converter 2.78 --> "C:\Program Files\Deskshare\Digital Media Converter\unins000.exe"
Digital Media Reader --> C:\Program Files\Common Files\InstallShield\Driver\8\Intel 32\IDriver.exe /M{81EED1A1-AE78-4B11-BE47-C6AE9F5E87F1}
Easy-WebPrint --> C:\WINDOWS\IsUninst.exe -f"C:\Program Files\Canon\Easy-WebPrint\Uninst.isu"
Entropia Universe --> C:\Program Files\MindArk\Entropia Universe\Uninstall.exe
ESSBrwr --> MsiExec.exe /I{643EAE81-920C-4931-9F0B-4B343B225CA6}
ESSCDBK --> MsiExec.exe /I{AE1FA02D-E6A4-4EA0-8E58-6483CAC016DD}
ESScore --> MsiExec.exe /I{9D8FEE90-0377-49A9-AEFB-525BDE549BA4}
ESSCT --> MsiExec.exe /I{8BB4B58A-A402-4DE8-8FCD-287E60B88DD8}
ESSgui --> MsiExec.exe /I{91517631-A9F3-4B7C-B482-43E0068FD55A}
ESShelp --> MsiExec.exe /I{87843A41-7808-4F2E-B13F-25C1E67CF2FD}
ESSini --> MsiExec.exe /I{8E92D746-CD9F-4B90-9668-42B74C14F765}
ESSPCD --> MsiExec.exe /I{14D4ED84-6A9A-45A0-96F6-1753768C3CB5}
ESSPDock --> MsiExec.exe /I{FCDB1C92-03C6-4C76-8625-371224256091}
ESSSONIC --> MsiExec.exe /I{4F677FC7-7AA8-412B-A957-F13CBE1C7331}
ESSTOOLS --> MsiExec.exe /I{8A502E38-29C9-49FA-BCFA-D727CA062589}
ESSTUTOR --> MsiExec.exe /I{CA60320D-6A16-49C8-A34F-84EEF4799567}
ESSvpaht --> MsiExec.exe /I{A5B3EB8A-4071-42F0-8E8E-7A8342AA8E69}
ESSvpot --> MsiExec.exe /I{48C82F7A-F100-4DAB-A310-8E18BF2159E1}
exPressit S.E. 2.2 --> "C:\Program Files\exPressit S.E. 2.2\UninstallerData\Uninstall exPressit S.E. 2.2.exe"
FL Studio 6 --> C:\Program Files\Image-Line\FL Studio 6\uninstall.exe
FlexiMusic Composer --> "C:\Program Files\FlexiMusic Composer\FmUninst.exe" C:\WINDOWS\st6unst.exe -n "C:\Program Files\FlexiMusic Composer\ST6UNST.LOG" /s "C:\Program Files\FlexiMusic Composer\Uninstal.log"
FLV Player --> "C:\WINDOWS\FLV Player\uninstall.exe" "/U:C:\Program Files\FLV Player\Uninstall\uninstall.xml"
Functional Ear Trainer - Advanced --> MsiExec.exe /I{C079FC85-D6D5-428E-A2B1-B2DC60865FDE}
GoldWave v5.12 --> "C:\Program Files\GoldWave\unstall.exe" "GoldWave v5.12" "C:\Program Files\GoldWave\unstall.log"
Google Earth --> MsiExec.exe /I{1E04F83B-2AB9-4301-9EF7-E86307F79C72}
Google Toolbar for Internet Explorer --> regsvr32 /u /s "c:\program files\google\googletoolbar4.dll"
High Definition Audio Driver Package - KB835221 --> C:\WINDOWS\$NtUninstallKB835221WXP$\spuninst\spuninst.exe
HijackThis 2.0.2 --> "C:\Program Files\HijackThis\HijackThis.exe" /uninstall
HLPIndex --> MsiExec.exe /I{38441BE7-79B0-42B8-8297-833704F949FE}
HLPPDOCK --> MsiExec.exe /I{154508C0-07C5-4659-A7A0-E49968750D21}
HLPRFO --> MsiExec.exe /I{AADAC983-FDE9-42FA-8FD9-7BB324155593}
HP Optical 4 Button USB Mouse Driver V1.12 --> C:\WINDOWS\system32\MmRemove.exe
HP Photosmart Essential 2.0 --> C:\Program Files\HP\Digital Imaging\PhotoSmartEssential\hpzscr01.exe -datfile hpqbud13.dat
HP Webcam --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\11\00\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{B2BC4969-2DE3-499A-9A3D-1B7C34ED12C3}\setup.exe" -l0x9 -removeonly
HP Webcam User’s Guide --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{D31612BB-C6D7-4142-96AE-16DB062354CF}\setup.exe" -l0x9
Intel® Graphics Media Accelerator Driver --> RUNDLL32.EXE C:\WINDOWS\system32\ialmrem.dll,UninstallW2KIGfx2ID PCI\VEN_8086&DEV_2782 PCI\VEN_8086&DEV_2582
Intel® PRO Network Adapters and Drivers --> Prounstl.exe
iTunes --> C:\PROGRA~1\COMMON~1\INSTAL~1\Driver\11\INTEL3~1\IDriver.exe /M{1E8CF57A-24E8-4A97-9564-A8F1956C447B} /l1033
J2SE Runtime Environment 5.0 Update 2 --> MsiExec.exe /I{3248F0A8-6813-11D6-A77B-00B0D0150020}
Kodak EasyShare software --> C:\Documents and Settings\All Users\Application Data\Kodak\EasyShareSetup\$SETUP_140007_2315cdc\Setup.exe /APR-REMOVE
KSU --> MsiExec.exe /I{B997C2A0-4383-41BF-B76E-9B8B7ECFB267}
Learn2 Player (Uninstall Only) --> C:\Program Files\Learn2.com\StRunner\stuninst.exe
Living 3D Dolphins Full Screen Saver --> "C:\PROGRA~1\ScreenSaver.com\Living 3D Dolphins Full\UNINSTAL.EXE"
Logitech Print Service --> C:\PROGRA~1\Logitech\PRINTS~1\UNWISE.EXE C:\PROGRA~1\Logitech\PRINTS~1\INSTALL.LOG
Logitech QuickCam Software --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\09\01\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{C43048A9-742C-4DAD-90D2-E3B53C9DB825}\setup.exe" -l0x9
Logitech® Camera Driver --> "C:\Program Files\Common Files\Logitech\QCDRV\BIN\SETUP.EXE" UNINSTALL REMOVEPROMPT
MA_CMIDI --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\10\50\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{379BD39E-F13E-458F-96D8-56BD7F2CC516}\setup.exe" -l0x9 -removeonly
Macromedia Shockwave Player --> C:\WINDOWS\system32\Macromed\SHOCKW~1\UNWISE.EXE C:\WINDOWS\system32\Macromed\SHOCKW~1\Install.log
Malwarebytes' RogueRemover --> "C:\Program Files\RogueRemover FREE\unins000.exe"
Maya 5.0 --> MsiExec.exe /I{23FF9E63-A8E3-43A7-8AA0-D714F475299F}
Maya 5.0 Documentation Server --> "C:\Program Files\AliasWavefront\Maya5.0\docs\UninstallerData\Uninstall Maya 5.0 Documentation Server.exe"
Maya 5.0 en_US documentation --> "C:\Program Files\AliasWavefront\Maya5.0\docs\Documents\UninstallerData\Uninstall en_US_docs.exe"
Maya Shader Library for Maya --> MsiExec.exe /I{40BB3EDE-56CB-467E-ADEE-F6C57552F528}
MemoryLifter --> MsiExec.exe /X{58492510-7A30-42D1-B99D-DD710A4E585A}
Microsoft Money 2005 --> C:\Program Files\Microsoft Money 2005\MNYCoreFiles\Setup\uninst.exe /s:120
Microsoft Office 2000 Premium --> MsiExec.exe /I{00000409-78E1-11D2-B60F-006097C998E7}
Microsoft Office Standard Edition 2003 --> MsiExec.exe /I{91120409-6000-11D3-8CFE-0150048383C9}
Microsoft Picture It! Premium 10 --> "C:\Program Files\Common Files\Microsoft Shared\Picture It!\RmvSuite.exe" ADDREMOVE=1 SKU=PREM
Microsoft Visual C++ 2005 Redistributable --> MsiExec.exe /X{7299052b-02a4-4627-81f2-1818da5d550d}
Microsoft Works --> MsiExec.exe /I{416D80BA-6F6D-4672-B7CF-F54DA2F80B44}
minimoog V --> C:\WINDOWS\unvise32.exe C:\PROGRAM FILES\Arturia\minimoog V\uninstal.log
mIRC --> "C:\Documents and Settings\Owner\Desktop\mIRC\mirc.exe" -uninstall
Mozilla Firefox (2.0.0.12) --> C:\Program Files\Mozilla Firefox\uninstall\helper.exe
MP3 CD Converter Professional 5.01 --> "C:\Program Files\MP3 CD Converter Professional\unins000.exe"
Mpeg2Decoder 1.3 --> "C:\Program Files\Mpeg2Decoder\unins000.exe"
MSN Music Assistant --> rundll32 advpack.dll,LaunchINFSection C:\WINDOWS\INF\msninst.inf,Uninstall
MSXML 6.0 Parser (KB933579) --> MsiExec.exe /I{0A869A65-8C94-4F7C-A5C7-972D3C8CED9E}
Multimedia Keyboard Driver --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{6E66ECBD-FCA7-4AE1-A8C5-1CA78BEEB057}\Setup.exe" -l0x9
Music MasterWorks v3.82 --> "C:\Program Files\MusicMasterWorks\unins000.exe"
Napster --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\09\01\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{BBBCAE4B-B416-4182-A6F2-438180894A81}\setup.exe" -l0x9
Napster Burn Engine --> MsiExec.exe /I{8DCE550C-CA43-4E82-92DF-FFC4A48F5BE1}
Native Instruments Absynth 4 --> C:\PROGRA~1\NATIVE~1\ABSYNT~1\UNWISE.EXE C:\PROGRA~1\NATIVE~1\ABSYNT~1\INSTALL.LOG
Native Instruments Komplete 4 --> C:\PROGRA~1\NATIVE~1\KOMPLE~1\UNWISE.EXE C:\PROGRA~1\NATIVE~1\KOMPLE~1\INSTALL.LOG
Native Instruments Komplete 4 DXi --> C:\PROGRA~1\NATIVE~1\AMPLiFY\KOMPLE~2\UNWISE.EXE C:\PROGRA~1\NATIVE~1\AMPLiFY\KOMPLE~2\INSTALL.LOG
Native Instruments Komplete 4 Patch --> C:\PROGRA~1\NATIVE~1\AMPLiFY\KOMPLE~1\UNWISE.EXE C:\PROGRA~1\NATIVE~1\AMPLiFY\KOMPLE~1\INSTALL.LOG
Native Instruments Komplete 4 RTAS --> C:\PROGRA~1\NATIVE~1\AMPLiFY\KOMPLE~3\UNWISE.EXE C:\PROGRA~1\NATIVE~1\AMPLiFY\KOMPLE~3\INSTALL.LOG
Native Instruments Massive v1.0.1.008 VSTi DXi RTAS --> C:\PROGRA~1\NATIVE~1\Massive\UNWISE.EXE C:\PROGRA~1\NATIVE~1\Massive\INSTALL.LOG
Native Instruments Pro-53 Demo --> C:\PROGRA~1\NATIVE~1\PRO-53~1\UNWISE.EXE C:\PROGRA~1\NATIVE~1\PRO-53~1\INSTALL.LOG
Native Instruments Vokator DEMO --> C:\PROGRA~1\NATIVE~1\VOKATO~1\UNWISE.EXE C:\PROGRA~1\NATIVE~1\VOKATO~1\INSTALL.LOG
Nero BurnRights --> C:\WINDOWS\UNNeroBurnRights.exe /UNINSTALL
Nero OEM --> C:\Program Files\Ahead\nero\uninstall\UNNERO.exe /UNINSTALL
NewTek LightWave 3D [8] --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\10\01\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{F2DC77C0-7999-4FF6-B74D-4E25667356DF}\setup.exe" -l0x9 -removeonly
NI Service Center --> C:\PROGRA~1\NATIVE~1\NISERV~1\UNWISE.EXE C:\PROGRA~1\NATIVE~1\NISERV~1\INSTALL.LOG
Notifier --> MsiExec.exe /I{0008546E-DF6E-4CC1-AFD0-2CB8E16C95A2}
OmniPage SE 2.0 --> MsiExec.exe /I{79D5997E-BF79-48BB-8B41-9BE59C15C2D7}
OTtBP --> MsiExec.exe /I{F71760CD-0F8B-4DCC-B7B7-6B223CC3843C}
OTtBPSDK --> MsiExec.exe /I{3CA39B0C-BA85-4D42-AC0F-1FF5F60C3353}
Plaxo Toolbar for Outlook and Outlook Express --> C:\Program Files\Plaxo\2.13.1.3\uninstall.exe
PowerDVD --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{6811CAA0-BF12-11D4-9EA1-0050BAE317E1}\setup.exe" -uninstall
PowerISO --> "C:\Program Files\PowerISO\uninstall.exe"
PreSonus 1394 Audio Driver V1.20.0 (FIREBox) --> C:\Program Files\PreSonus\1394AudioDriver_FIREBox\uninst.exe Software\PreSonus\1394AudioDriver_FIREBox\Setup
Presto! PageManager 6.03 --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{5BE42A03-E7B8-42A9-B1BB-FC48B03D58B8}\SETUP.EXE" -l0x9 anything
PSP Toolkit 1.1 --> "C:\Program Files\PSP ToolKit\unins000.exe"
Pure Networks Port Magic --> C:\PROGRA~1\PURENE~1\PORTMA~1\PortAOL.exe -Uninstall -ShowUI
QuickTime --> C:\PROGRA~1\COMMON~1\INSTAL~1\Driver\11\INTEL3~1\IDriver.exe /M{929408E6-D265-4174-805F-81D1D914E2A4} /l1033
RealPlayer Basic --> C:\Program Files\Common Files\Real\Update\\rnuninst.exe RealNetworks|RealPlayer|6.0
Realtek High Definition Audio Driver --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{F132AF7F-7BCA-4EDE-8A7C-958108FE7DBC}\setup.exe" REMOVE
Reason 3.0.4 --> "C:\Program Files\Propellerhead\Reason\Uninstall Reason\unins000.exe"
Reason Demo 3.0.4 --> "C:\Program Files\Propellerhead\Reason Demo\Uninstall Reason Demo\unins000.exe"
Recovery Software Suite Gateway --> MsiExec.exe /I{15377C3E-9655-400F-B441-E69F0A6BEAFE}
SecondLife (remove only) --> "C:\Program Files\SecondLife\uninst.exe" /P="SecondLife"
Sentinel Protection Installer 7.1.1 --> MsiExec.exe /I{D2E7A6EA-5853-426A-920D-12F4F250927E}
SFR --> MsiExec.exe /I{DB02F716-6275-42E9-B8D2-83BA2BF5100B}
SHASTA --> MsiExec.exe /I{605A4E39-613C-4A12-B56F-DEFBE6757237}
Sibelius Demo --> C:\PROGRA~1\SIBELI~1\SIBELI~1\UNWISE.EXE C:\PROGRA~1\SIBELI~1\SIBELI~1\INSTALL.LOG
SKIN0001 --> MsiExec.exe /I{FDF9943A-3D5C-46B3-9679-586BD237DDEE}
SKINXSDK --> MsiExec.exe /I{F4A2E7CC-60CA-4AFA-B67F-AD5E58173C3F}
Skype™ 3.6 --> MsiExec.exe /X{5C82DAE5-6EB0-4374-9254-BE3319BA4E82}
SoftV92 Data Fax Modem with SmartCP --> C:\Program Files\CONEXANT\CNXT_MODEM_PCI_VEN_14F1&DEV_2F20&SUBSYS_200014F1\HXFSETUP.EXE -U -IURSLST5K.inf
SONAR 4 Producer Edition Demo --> C:\PROGRA~1\Cakewalk\SONAR4~1\UNWISE.EXE C:\PROGRA~1\Cakewalk\SONAR4~1\INSTALL.LOG
SONY USB CAMERA Installer --> MsiExec.exe /I{B1D97610-98C9-4C87-8314-888D1DDA3669}
Steinberg Cubase SX v3.1.1.944 --> C:\PROGRA~1\STEINB~1\CUBASE~1\UNWISE.EXE C:\PROGRA~1\STEINB~1\CUBASE~1\INSTALL.LOG
Steinberg WaveLab 5.01a --> C:\PROGRA~1\STEINB~1\WaveLab\UNWISE.EXE C:\PROGRA~1\STEINB~1\WaveLab\INSTALL.LOG
Syncrosoft's License Control --> C:\PROGRA~1\SYNCRO~1\UNWISE.EXE C:\PROGRA~1\SYNCRO~1\INSTALL.LOG
SyncroSoft Emu (Remove only) --> C:\Program Files\SyncroSoft\Pos\H2O\Uninst.exe
Total Video Converter 3.10 --> "C:\Program Files\Total Video Converter\unins000.exe"
Update Rollup 1 for Windows XP Media Center Edition 2005 with HDTV Support (KB873369) -->
Viewpoint Manager (Remove Only) --> C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgrInstaller.exe /u /k
Viewpoint Media Player --> C:\Program Files\Viewpoint\Viewpoint Experience Technology\mtsAxInstaller.exe /u
VOCALOID Demo Miriam --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\0701\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{F6DC889F-CA26-4CB9-8A52-6D188A97696A}\Setup.exe" -l0x9 UNINSTALLFLAG
VPRINTOL --> MsiExec.exe /I{999D43F4-9709-4887-9B1A-83EBB15A8370}
Vue 5 Esprit --> C:\Program Files\e-on software\Vue 5 Esprit\Uninstall.exe
Vue 5 Infinite --> C:\Program Files\e-on software\Vue 5 Infinite\Uninstall.exe
Waves Diamond Bundle v5.0 --> C:\PROGRA~1\Waves\UNINST~1\UNWISE.EXE C:\PROGRA~1\Waves\UNINST~1\INSTALL.LOG
Windows Driver Package - usbvm326 (usbvm328) Image (10/12/2006 326.1.061012.07) --> C:\PROGRA~1\DIFX\7B44739871F4D539FA473F57A832EA4B6A59EF06\DPInst.exe /d /u C:\WINDOWS\system32\DRVSTORE\usbvm326_B3B8E60236EEFD3ED17E69EF6BBE5C38F2C4B420\usbvm326.inf
Windows Imaging Component --> "C:\WINDOWS\$NtUninstallWIC$\spuninst\spuninst.exe"
Windows XP Media Center Edition 2005 KB890629 -->
Windows XP Media Center Edition 2005 KB890760 -->
Windows XP Media Center Edition 2005 KB895198 -->
Windows XP Media Center Edition 2005 KB895678 -->
WIRELESS --> MsiExec.exe /I{F9593CFB-D836-49BC-BFF1-0E669A411D9F}
Xfire (remove only) --> "C:\Program Files\Xfire\uninst.exe"
XML Paper Specification Shared Components Pack 1.0 -->
Xpand Rally Xtreme Demo --> "C:\Program Files\Techland\Xpand Rally Xtreme Demo\unins000.exe"
Yahoo! Messenger --> C:\PROGRA~1\Yahoo!\MESSEN~1\UNWISE.EXE C:\PROGRA~1\Yahoo!\MESSEN~1\INSTALL.LOG
Yahoo! SiteBuilder --> "C:\Program Files\Yahoo SiteBuilder\uninstall.exe"
YouTube Uploader --> MsiExec.exe /X{171818BA-E0AD-313D-B45A-1BC9D77ADA86}


-- Application Event Log -------------------------------------------------------

Event Record #/Type8837 / Warning
Event Submitted/Written: 03/16/2008 02:22:53 PM
Event ID/Source: 4113 / H+BEDV AntiVir
Event Description:
AntiVir has detected 'DR/Tool.Reboot.F.54'
in the file
C:\Documents and Settings\Owner\Desktop\SmitfraudFix.exe

Event Record #/Type8836 / Warning
Event Submitted/Written: 03/16/2008 02:21:45 PM
Event ID/Source: 4113 / H+BEDV AntiVir
Event Description:
AntiVir has detected 'TR/Crypt.Morphine.Gen'
in the file
C:\WINDOWS\system32\hi1.exe

Event Record #/Type8829 / Warning
Event Submitted/Written: 03/16/2008 02:26:50 AM
Event ID/Source: 4113 / H+BEDV AntiVir
Event Description:
AntiVir has detected 'TR/Crypt.Morphine.Gen'
in the file
C:\WINDOWS\system32\hi1.exe

Event Record #/Type8828 / Warning
Event Submitted/Written: 03/15/2008 11:49:58 PM
Event ID/Source: 4113 / H+BEDV AntiVir
Event Description:
AntiVir has detected 'TR/Crypt.Morphine.Gen'
in the file
C:\WINDOWS\system32\hi1.exe

Event Record #/Type8827 / Warning
Event Submitted/Written: 03/15/2008 11:43:47 PM
Event ID/Source: 4113 / H+BEDV AntiVir
Event Description:
AntiVir has detected 'TR/Crypt.Morphine.Gen'
in the file
C:\WINDOWS\system32\hi1.exe



-- Security Event Log ----------------------------------------------------------

No Errors/Warnings found.


-- System Event Log ------------------------------------------------------------

Event Record #/Type11040 / Error
Event Submitted/Written: 03/16/2008 02:21:20 PM
Event ID/Source: 7000 / Service Control Manager
Event Description:
The DS1410D service failed to start due to the following error:
%%2

Event Record #/Type11033 / Error
Event Submitted/Written: 03/16/2008 01:57:34 AM
Event ID/Source: 10010 / DCOM
Event Description:
The server {A286DE21-9642-11D0-A6BE-88EE00C10000} did not register with DCOM within the required timeout.

Event Record #/Type11025 / Error
Event Submitted/Written: 03/16/2008 00:25:07 AM
Event ID/Source: 10010 / DCOM
Event Description:
The server {A286DE21-9642-11D0-A6BE-88EE00C10000} did not register with DCOM within the required timeout.

Event Record #/Type11022 / Error
Event Submitted/Written: 03/16/2008 00:20:41 AM
Event ID/Source: 10010 / DCOM
Event Description:
The server {A286DE21-9642-11D0-A6BE-88EE00C10000} did not register with DCOM within the required timeout.

Event Record #/Type11021 / Error
Event Submitted/Written: 03/16/2008 00:10:21 AM
Event ID/Source: 10010 / DCOM
Event Description:
The server {A286DE21-9642-11D0-A6BE-88EE00C10000} did not register with DCOM within the required timeout.



-- End of Deckard's System Scanner: finished at 2008-03-16 14:47:15 ------------
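The event-log section of the DSS output above has a fixed field layout, so it can be parsed and triaged mechanically. Below is an added Python example (not part of this thread, and not DSS's own code) that does so, using three records copied from the log above as its sample input; it handles DSS's midnight stamp ("00:25:07 AM"), which Python's strptime rejects, and reports any file the scanner flagged more than once.

```python
import re
from collections import defaultdict
from datetime import datetime

# Sample input: three records copied from the Deckard's System Scanner log
# posted above; the DCOM one carries DSS's "00:25:07 AM" midnight stamp.
SAMPLE_LOG = r"""-- Application Event Log -------------------------------------------------------

Event Record #/Type8836 / Warning
Event Submitted/Written: 03/16/2008 02:21:45 PM
Event ID/Source: 4113 / H+BEDV AntiVir
Event Description:
AntiVir has detected 'TR/Crypt.Morphine.Gen'
in the file
C:\WINDOWS\system32\hi1.exe

Event Record #/Type8829 / Warning
Event Submitted/Written: 03/16/2008 02:26:50 AM
Event ID/Source: 4113 / H+BEDV AntiVir
Event Description:
AntiVir has detected 'TR/Crypt.Morphine.Gen'
in the file
C:\WINDOWS\system32\hi1.exe

-- System Event Log ------------------------------------------------------------

Event Record #/Type11025 / Error
Event Submitted/Written: 03/16/2008 00:25:07 AM
Event ID/Source: 10010 / DCOM
Event Description:
The server {A286DE21-9642-11D0-A6BE-88EE00C10000} did not register with DCOM within the required timeout.
"""

SECTION_RE = re.compile(r"^-- (\w+) Event Log -+$", re.M)
RECORD_RE = re.compile(
    r"Event Record #/Type(\d+) / (\w+)\n"
    r"Event Submitted/Written: (\d\d)/(\d\d)/(\d{4}) (\d\d):(\d\d):(\d\d) (AM|PM)\n"
    r"Event ID/Source: (\d+) / ([^\n]+)\n"
    r"Event Description:\n(.*?)(?:\n\n|\Z)", re.S)
DETECT_RE = re.compile(r"has detected '([^']+)'\s+in the file\s+(\S.*)")

def _timestamp(mo, dd, yyyy, hh, mi, ss, ampm):
    # DSS writes the midnight hour as "00:xx:xx AM", which strptime's %I
    # rejects, so the 12-hour clock is normalised by hand.
    hour = int(hh) % 12 + (12 if ampm == "PM" else 0)
    return datetime(int(yyyy), int(mo), int(dd), hour, int(mi), int(ss))

def parse_dss_events(text):
    """One dict per record, tagged with the DSS section it came from."""
    events, sections = [], list(SECTION_RE.finditer(text))
    for i, sec in enumerate(sections):
        end = sections[i + 1].start() if i + 1 < len(sections) else len(text)
        for m in RECORD_RE.finditer(text, sec.end(), end):
            g = m.groups()
            events.append({"log": sec.group(1), "record": int(g[0]), "type": g[1],
                           "time": _timestamp(*g[2:9]), "event_id": int(g[9]),
                           "source": g[10].strip(), "description": g[11].strip()})
    return events

def av_detections(events):
    """Sorted (time, path, detection name) for every AV hit in the log."""
    hits = [(ev["time"], m.group(2).strip(), m.group(1))
            for ev in events for m in [DETECT_RE.search(ev["description"])] if m]
    return sorted(hits)

def recurring_detections(events, min_hits=2):
    """Paths flagged at least min_hits times: the file was still there, or
    back again, after each detection, so that is where cleanup should start."""
    by_path = defaultdict(list)
    for when, path, name in av_detections(events):
        by_path[path].append((when, name))
    return {path: {"hits": len(h), "first": h[0][0], "last": h[-1][0],
                   "names": sorted({n for _, n in h})}
            for path, h in by_path.items() if len(h) >= min_hits}

if __name__ == "__main__":
    for path, info in recurring_detections(parse_dss_events(SAMPLE_LOG)).items():
        print(f"{info['hits']}x {path}: {info['first']} .. {info['last']} {info['names']}")
```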

#10 Papakid

    Guru at being a Newbie

  • Malware Response Team
  • 6,628 posts
  • Gender:Male

Posted 18 March 2008 - 11:37 AM

Apologies for the delayed response.

One thing that shows in your DSS log is that the hard drive that Windows is installed on is almost full. You need a certain amount of free space, 15% or more, on your drive for everything to work correctly and for removal of malware to go more smoothly. I strongly suggest you free up some space by uninstalling any programs that you don't use and if you have a large number of files that do take up quite a bit of space, such as music, video and photos, etc., move the ones you want to keep to another drive or removable media (such as CD/DVD) and then delete those files from your C: drive.

You've already mentioned that you have backed up files to CD. It would be wise to make some backups to your backups if you don't have other writable drives (such as USB flash or external hard drives) to store the types of files I've mentioned. I can tell by the programs installed that you must have many music and video files so I would assume that if those are being stored on your C drive, then that is what is taking up a lot of hard drive space.

You mentioned earlier being concerned about your programs, but you can't really back up installations unless you use an imaging backup system such as Acronis to make a clone of the hard drive. It's better to save the setup files and make backups of those--they can always be reinstalled and most can be re-downloaded if need be.

System Restore is also shown to be disabled on your system. Contrary to what antivirus companies recommend, we much prefer to have a functioning SR before beginning removal. Have you disabled SR intentionally? It may be that SR has disabled itself because of the lack of disk space. This is another reason why you should free up some space before proceeding further.

Refer to the following articles for more information:
http://www.microsoft.com/windowsxp/using/h...ew_03may19.mspx
http://www.bleepingcomputer.com/tutorials/windows-xp-system-restore-guide/

By default, SR will use 200 MB, which isn't really a lot. When you have 200 MB plus 15% of other free space, follow the instructions in those articles for running SR--Restore your system to the most recent restore point to test that it is now enabled and running.

If SR still does not work, do the following:

START >Run, type services.msc in the Run box and hit Enter.
Double-click System Restore Services.
Does it show as started and running? If not, under Service status, click Start and change the startup type to Automatic.
Click OK, close the services console, reboot, then test SR again.

Let me know if there are any problems. There are other backups we can use now to recover from disaster (if needed), so if this doesn't work, still proceed with the next steps. Freeing up disk space is essential tho.

1. Run DSS again, using these instructions:

Click START> Run - then copy the following bold blue text and paste it into the Run box & click OK

"%userprofile%\desktop\dss.exe" /daft

Read the disclaimer and click OK.

Click on Scan.

Place a checkmark next to the entries displayed when the scan is finished then Click on Fix.

Repeat the scan; you should get a message "All Associations OK!"

Next, click Save Log, and post this log in your next reply.

2. Please visit this webpage for instructions for downloading and running ComboFix:

http://www.bleepingcomputer.com/combofix/how-to-use-combofix

Post the log from ComboFix when you've accomplished that, along with a new HijackThis log. Please be sure to install the Recovery Console.

3. Once ComboFix has run, see if you can boot into safe mode now and let me know.

4. The Windows Firewall still shows as disabled. Did you try turning it on? If not, go to START>Control Panel> Security Center. Click the Windows Firewall link toward the bottom, make sure there is a dot next to On, click OK, then reboot. Let me know of any problems with this as well.

The thing about people

is they change

when they walk away.--Mipso


#11 lightpanther

  • Topic Starter
  • Members
  • 14 posts

Posted 24 March 2008 - 10:22 PM

I'm on the case. It's taking me a while, alongside work, to identify and clear up space on the machine. Will be back when I have done this (2-3 days likely).

Edited by lightpanther, 24 March 2008 - 10:22 PM.




