Jump to content


 


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.


Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.

Photo

Am I Still Infected? Securepccleaner - Hijackthis Log


  • Please log in to reply
3 replies to this topic

#1 wezelvis

wezelvis

  • Members
  • 2 posts
  • OFFLINE
  •  
  • Local time:01:21 PM

Posted 15 March 2008 - 08:39 PM

My PC was infected with SecurePCCleaner and others. Lot's of popup's and bogus windows error messages about spyware etc. I tried the suggestions in the 'Read this before posting' link above and my PC does seem better (no more popups and bogus windows errors). Does my HijackThis log look clean? Thanks for this great site!

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 12:05:00 PM, on 16/03/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.5730.0011)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Ahead\InCD\InCDsrv.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINDOWS\system32\inetsrv\inetinfo.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Symantec AntiVirus\SavRoam.exe
C:\WINDOWS\system32\igfxtray.exe
C:\WINDOWS\system32\hkcmd.exe
C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
C:\Program Files\Ahead\InCD\InCD.exe
C:\PROGRA~1\SYMANT~1\VPTray.exe
C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe
C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe
C:\WINDOWS\RTHDCPL.EXE
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Symantec AntiVirus\Rtvscan.exe
C:\Program Files\Symantec AntiVirus\DefWatch.exe
C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Documents and Settings\Administrator.PC900\Desktop\spyware stuff\HiJackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 172.16.3.8:8080
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 172.16.*;<local>
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O2 - BHO: (no name) - {7bc121ac-f52c-479b-9312-ed9813b27255} - (no file)
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: Catcher Class - {ADECBED6-0366-4377-A739-E69DFBA04663} - C:\Program Files\Moyea\FLV Downloader\MoyeaCth.dll
O2 - BHO: (no name) - {B3ADDB7B-3DF5-4672-82DD-775FFF180134} - (no file)
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [High Definition Audio Property Page Shortcut] HDAShCut.exe
O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [InCD] C:\Program Files\Ahead\InCD\InCD.exe
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\VPTray.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe"
O4 - HKLM\..\Run: [Adobe Photo Downloader] "C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe"
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [SkyTel] SkyTel.EXE
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\RunOnce: [TSClientMSIUninstaller] cmd.exe /C "cscript %systemroot%\Installer\TSClientMsiTrans\tscuinst.vbs" (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - HKUS\.DEFAULT\..\RunOnce: [TSClientMSIUninstaller] cmd.exe /C "cscript %systemroot%\Installer\TSClientMsiTrans\tscuinst.vbs" (User 'Default user')
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra button: ieSpell - {0E17D5B7-9F5D-4fee-9DF6-CA6EE38B68A8} - C:\Program Files\ieSpell\iespell.dll
O9 - Extra 'Tools' menuitem: ieSpell - {0E17D5B7-9F5D-4fee-9DF6-CA6EE38B68A8} - C:\Program Files\ieSpell\iespell.dll
O9 - Extra button: (no name) - {1606D6F9-9D3B-4aea-A025-ED5B2FD488E7} - C:\Program Files\ieSpell\iespell.dll
O9 - Extra 'Tools' menuitem: ieSpell Options - {1606D6F9-9D3B-4aea-A025-ED5B2FD488E7} - C:\Program Files\ieSpell\iespell.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: Sothink SWF Catcher - {E19ADC6E-3909-43E4-9A89-B7B676377EE3} - C:\Program Files\Common Files\SourceTec\SWF Catcher\InternetExplorer.htm
O9 - Extra 'Tools' menuitem: Sothink SWF Catcher - {E19ADC6E-3909-43E4-9A89-B7B676377EE3} - C:\Program Files\Common Files\SourceTec\SWF Catcher\InternetExplorer.htm
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O14 - IERESET.INF: START_PAGE_URL=http://www.penrithcity.nsw.gov.au
O16 - DPF: {1663ed61-23eb-11d2-b92f-008048fdd814} (MeadCo ScriptX Advanced) - http://www.meadroid.com/scriptx/smsx.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1155597947343
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1155597933000
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = penrith.local
O17 - HKLM\Software\..\Telephony: DomainName = penrith.local
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = penrith.local
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = penrith.local
O20 - Winlogon Notify: jkhhe - jkhhe.dll (file missing)
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: Bonjour Service - Apple Computer, Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - C:\Program Files\Symantec AntiVirus\DefWatch.exe
O23 - Service: InCD Helper (InCDsrv) - Nero AG - C:\Program Files\Ahead\InCD\InCDsrv.exe
O23 - Service: InCD Helper (read only) (InCDsrvR) - Nero AG - C:\Program Files\Ahead\InCD\InCDsrv.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Macromedia Licensing Service - Unknown owner - C:\Program Files\Common Files\Macromedia Shared\Service\Macromedia Licensing.exe
O23 - Service: SAVRoam (SavRoam) - symantec - C:\Program Files\Symantec AntiVirus\SavRoam.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec AntiVirus\Rtvscan.exe

--
End of file - 9066 bytes

Edited by wezelvis, 15 March 2008 - 08:41 PM.


BC AdBot (Login to Remove)

 


#2 Grinler

Grinler

    Lawrence Abrams


  • Admin
  • 43,659 posts
  • ONLINE
  •  
  • Gender:Male
  • Location:USA
  • Local time:01:21 PM

Posted 02 April 2008 - 11:21 AM

I apologize for the very long delay. We have a huge backlog of HijackThis Logs to handle and it has been taking us greater time than normal to get caught up. If you are still having a problem, and want us to analyze your information, please post a brand new hijackthis log. If we do not hear back from you within a couple of days we will need to close your topic.

When posting your logs please post them directly into the reply. Do not attach them or include them codeboxes going forward.

Download Deckard's System Scanner (DSS) to your Desktop. Note: You must be logged onto an account with administrator privileges.
  • Close all applications and windows.
  • Double-click on dss.exe to run it, and follow the prompts. If your anti-virus or firewall complains, please allow this script to run as it is not malicious. It is also possible that you may need to disable your Antivirus or Antimalware programs before this program can run properly A guide on how to temporarily disable many of the common protections programs can be found here.
  • When the scan is complete, two text files will open - main.txt <- this one will be maximized and extra.txt <-this one will be minimized
  • Copy (Ctrl+A then Ctrl+C) and paste (Ctrl+V) the contents of main.txt and the extra.txt in your next reply. If you have any problems with the logs, both can be found in C:\Deckard\System Scanner.


#3 wezelvis

wezelvis
  • Topic Starter

  • Members
  • 2 posts
  • OFFLINE
  •  
  • Local time:01:21 PM

Posted 05 April 2008 - 01:04 AM

Thanks for the reply Grinler!! DSS logs below


Deckard's System Scanner v20071014.68
Extra logfile - please post this as an attachment with your post.
--------------------------------------------------------------------------------

-- System Information ----------------------------------------------------------

Microsoft Windows XP Professional (build 2600) SP 2.0
Architecture: X86; Language: English

CPU 0: Intel® Pentium® 4 CPU 3.00GHz
CPU 1: Intel® Pentium® 4 CPU 3.00GHz
Percentage of Memory in Use: 59%
Physical Memory (total/avail): 1014.73 MiB / 407.5 MiB
Pagefile Memory (total/avail): 2440.08 MiB / 2081.38 MiB
Virtual Memory (total/avail): 2047.88 MiB / 1932.06 MiB

A: is Removable (No Media)
C: is Fixed (NTFS) - 39.07 GiB total, 22.53 GiB free.
D: is Fixed (NTFS) - 35.46 GiB total, 8.96 GiB free.
E: is CDROM (No Media)

\\.\PHYSICALDRIVE0 - WDC WD800JD-00MSA1 - 74.53 GiB - 2 partitions
\PARTITION0 (bootable) - Installable File System - 39.07 GiB - C:
\PARTITION1 - Extended w/Extended Int 13 - 35.46 GiB - D:



-- Security Center -------------------------------------------------------------

Windows Internal Firewall is enabled.

FirstRunDisabled is set.
AntiVirusDisableNotify is set.

AV: Symantec AntiVirus Corporate Edition v9.0.2.1000 (Symantec Corporation)

[HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"C:\\Program Files\\Messenger\\msmsgs.exe"="C:\\Program Files\\Messenger\\msmsgs.exe:*:Enabled:Windows Messenger"
"C:\\Program Files\\MSN Messenger\\msnmsgr.exe"="C:\\Program Files\\MSN Messenger\\msnmsgr.exe:*:Enabled:Windows Live Messenger 8.1"
"C:\\Program Files\\MSN Messenger\\livecall.exe"="C:\\Program Files\\MSN Messenger\\livecall.exe:*:Enabled:Windows Live Messenger 8.1 (Phone)"
"C:\\Program Files\\iTunes\\iTunes.exe"="C:\\Program Files\\iTunes\\iTunes.exe:*:Enabled:iTunes"
"C:\\Program Files\\Bonjour\\mDNSResponder.exe"="C:\\Program Files\\Bonjour\\mDNSResponder.exe:*:Enabled:Bonjour"
"C:\\WINDOWS\\system32\\ftp.exe"="C:\\WINDOWS\\system32\\ftp.exe:*:Enabled:File Transfer Program"

[HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"C:\\Program Files\\MSN Messenger\\msnmsgr.exe"="C:\\Program Files\\MSN Messenger\\msnmsgr.exe:*:Enabled:Windows Live Messenger 8.1"
"C:\\Program Files\\MSN Messenger\\livecall.exe"="C:\\Program Files\\MSN Messenger\\livecall.exe:*:Enabled:Windows Live Messenger 8.1 (Phone)"


-- Environment Variables -------------------------------------------------------

ALLUSERSPROFILE=C:\Documents and Settings\All Users
ANT_HOME=c:\progra~1\apache-ant-1.5.4
APPDATA=C:\Documents and Settings\Administrator.PC900\Application Data
CLASSPATH=.;C:\Program Files\Java\jre1.6.0_01\lib\ext\QTJava.zip
CommonProgramFiles=C:\Program Files\Common Files
COMPUTERNAME=PC-LIB-CC1-12
ComSpec=C:\WINDOWS\system32\cmd.exe
FP_NO_HOST_CHECK=NO
HOMEDRIVE=C:
HOMEPATH=\Documents and Settings\Administrator.PC900
JAVA_HOME=C:\Program Files\Java\jdk1.5.0_02
LOGONSERVER=\\PC-LIB-CC1-12
NUMBER_OF_PROCESSORS=2
OS=Windows_NT
Path=C:\WINDOWS\system32;C:\WINDOWS;C:\WINDOWS\system32\wbem;c:\progra~1\apache-ant-1.5.4\bin;C:\Program Files\Java\jdk1.5.0_02\bin;C:\Program Files\QuickTime\QTSystem
PATHEXT=.COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH
PROCESSOR_ARCHITECTURE=x86
PROCESSOR_IDENTIFIER=x86 Family 15 Model 4 Stepping 9, GenuineIntel
PROCESSOR_LEVEL=15
PROCESSOR_REVISION=0409
ProgramFiles=C:\Program Files
PROMPT=$P$G
QTJAVA=C:\Program Files\Java\jre1.6.0_01\lib\ext\QTJava.zip
SESSIONNAME=Console
SystemDrive=C:
SystemRoot=C:\WINDOWS
TEMP=C:\DOCUME~1\ADMINI~1.PC9\LOCALS~1\Temp
TMP=C:\DOCUME~1\ADMINI~1.PC9\LOCALS~1\Temp
USERDOMAIN=PC-LIB-CC1-12
USERNAME=Administrator
USERPROFILE=C:\Documents and Settings\Administrator.PC900
windir=C:\WINDOWS


-- User Profiles ---------------------------------------------------------------

LSDominicB
P67644 (new local, net ready)
fred (new local, net ready)
P73601N (new local, net ready)
Administrator (admin)
lsdeanh (admin)
LSDominicB.PENRITH
lsgraemes (new local, net ready)
lsjoans (new local, net ready)
lspaulinag (new local, net ready)
lszhenghuip
workexpit (new local, net ready)
itsupport (admin)
Administrator.PC900 (admin)


-- Add/Remove Programs ---------------------------------------------------------

--> C:\Program Files\Ahead\nero\uninstall\UNNERO.exe /UNINSTALL
--> C:\WINDOWS\NuNInst.exe /UNINSTALL
--> C:\WINDOWS\unmrw.exe /UNINSTALL
--> C:\WINDOWS\UNNeroVision.exe /UNINSTALL
--> rundll32.exe setupapi.dll,InstallHinfSection DefaultUninstall 132 C:\WINDOWS\INF\PCHealth.inf
Adobe Flash Player 9 ActiveX --> C:\WINDOWS\system32\Macromed\Flash\FlashUtil9c.exe -uninstallUnlock
Adobe Flash Player Plugin --> C:\WINDOWS\system32\Macromed\Flash\uninstall_plugin.exe
Adobe Reader 7.0.5 Language Support --> MsiExec.exe /I{AC76BA86-7AD7-5464-3428-7050000000A7}
Adobe Reader 7.0.8 --> MsiExec.exe /I{AC76BA86-7AD7-1033-7B44-A70800000002}
Adobe® Photoshop® Album Starter Edition 3.0 --> MsiExec.exe /I{4BDFD2CE-6329-42E4-9801-9B3D1F10D79B}
Ahead Nero BurnRights --> C:\WINDOWS\UNNeroBurnRights.exe /UNINSTALL
Apple Software Update --> MsiExec.exe /I{74EC78BC-B379-4E29-9006-8F161DCAABA6}
ConvrtRTF --> C:\WINDOWS\st6unst.exe -n "C:\Program Files\ConvrtRTF\ST6UNST.LOG"
CustomReports --> MsiExec.exe /I{C1EFD35C-08EE-4599-83E2-D86C8B74FD77}
Exponare - Proclaim One Link --> MsiExec.exe /I{941398C3-67AE-4F08-99BD-EAA5FBDB3993}
Finance One 10.2 Components --> C:\Program Files\T1\Common\t1menu.exe /UNINSTALL:[52]"C:\Program Files\T1\F110_02_00"
High Definition Audio Driver Package - KB888111 --> "C:\WINDOWS\$NtUninstallKB888111WXPSP2$\spuninst\spuninst.exe"
HijackThis 2.0.2 --> "C:\Documents and Settings\Administrator.PC900\Desktop\spyware stuff\HiJackThis\HijackThis.exe" /uninstall
Hotfix for Windows Media Format 11 SDK (KB929399) --> "C:\WINDOWS\$NtUninstallKB929399$\spuninst\spuninst.exe"
ieSpell 2.1.1 (build 325) --> "C:\Program Files\ieSpell\uninst.exe"
Intel® Graphics Media Accelerator Driver --> RUNDLL32.EXE C:\WINDOWS\system32\ialmrem.dll,UninstallW2KIGfx2ID PCI\VEN_8086&DEV_2782 PCI\VEN_8086&DEV_2582
Intel® PRO Network Adapters and Drivers --> Prounstl.exe
iTunes --> MsiExec.exe /I{553E56C3-7AA1-45FE-A2FC-2C43DC27F765}
J2SE Development Kit 5.0 Update 2 --> MsiExec.exe /I{32A3A4F4-B792-11D6-A78A-00B0D0150020}
J2SE Runtime Environment 5.0 Update 2 --> MsiExec.exe /I{3248F0A8-6813-11D6-A77B-00B0D0150020}
J2SE Runtime Environment 5.0 Update 6 --> MsiExec.exe /I{3248F0A8-6813-11D6-A77B-00B0D0150060}
Java™ 6 Update 5 --> MsiExec.exe /I{3248F0A8-6813-11D6-A77B-00B0D0160050}
Java™ SE Runtime Environment 6 Update 1 --> MsiExec.exe /I{3248F0A8-6813-11D6-A77B-00B0D0160010}
LiveUpdate 2.0 (Symantec Corporation) --> C:\Program Files\Symantec\LiveUpdate\LSETUP.EXE /U
Macromedia Extension Manager --> MsiExec.exe /I{5546CDB5-2CE2-498B-B059-5B3BF81FC41F}
Macromedia Fireworks MX 2004 --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{E583ED6F-BD99-4066-A420-C815BF692B69}\Setup.exe" -l0x9 UNINSTALL
Macromedia Flash 8 --> MsiExec.exe /I{2BD5C305-1B27-4D41-B690-7A61172D2FEB}
Macromedia Flash 8 Video Encoder --> MsiExec.exe /X{8BF2C401-02CE-424D-BC26-6C4F9FB446B6}
Macromedia Flash Player 8 --> MsiExec.exe /X{885A63EA-382B-4DD4-A755-14809B8557D6}
Macromedia Flash Player 8 Plugin --> MsiExec.exe /X{91057632-CA70-413C-B628-2D3CDBBB906B}
MapInfo Exponare Enquiry --> MsiExec.exe /X{7F520F3B-E1E0-4C90-AC8A-C961BDC7520A}
MapInfo Exponare Enquiry --> MsiExec.exe /X{C75E1A5A-7DFE-4C48-A29C-BAF7F22CBBC1}
Mascon --> RunDll32 advpack.dll,LaunchINFSection C:\WINDOWS\INF\MASCON.INF, DefaultUninstall.ntx86
Microsoft Compression Client Pack 1.0 for Windows XP --> "C:\WINDOWS\$NtUninstallMSCompPackV1$\spuninst\spuninst.exe"
Microsoft Office Professional Edition 2003 --> MsiExec.exe /I{90110409-6000-11D3-8CFE-0150048383C9}
Microsoft User-Mode Driver Framework Feature Pack 1.0 --> "C:\WINDOWS\$NtUninstallWudf01000$\spuninst\spuninst.exe"
Microsoft Visual SourceSafe NetSetup --> "C:\Documents and Settings\LSDominicB.PENRITH\Desktop\Microsoft Visual Source Safe\Client Installer\setup\win32\1033\Setup.exe"
Moyea FLV Downloader version 1.13.0.10 --> "C:\Program Files\Moyea\FLV Downloader\unins000.exe"
Moyea FLV Player version 1.3.2.3 --> "C:\Program Files\Moyea\FLV Player\unins000.exe"
Moyea FLV to Video Converter Pro version 1.28.1.0 --> "C:\Program Files\Moyea\FLV to Video Pro\unins000.exe"
Mozilla Firefox (2.0.0.4) --> C:\Program Files\Mozilla Firefox\uninstall\helper.exe
MSXML 6.0 Parser (KB927977) --> MsiExec.exe /I{5A710547-B58E-488B-828D-CA9A25A0533C}
MyPhoneExplorer --> C:\Program Files\MyPhoneExplorer\uninstall.exe
Nero Suite --> C:\Program Files\Common Files\Nero\Uninstall\setupx.exe /uninstall ExtraUninstallID=""
Panda ActiveScan --> C:\WINDOWS\system32\ASUninst.exe Panda ActiveScan
PowerDVD --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{6811CAA0-BF12-11D4-9EA1-0050BAE317E1}\setup.exe" -uninstall
Proclaim One 9.07.00 --> MsiExec.exe /I{3F7C41AF-39A7-4BFF-892D-FA1A8F59CD7C}
Proclaim One 9.07.00/006 --> MsiExec.exe /I{B85E28EA-EF66-45B9-BF59-6CF3E1D8313F}
Proclaim Training 9.04.00 --> MsiExec.exe /I{9269BA61-2C08-4A5B-A7DE-6010EFC1E4C2}
Proclaim Training 9.04.00/005 --> MsiExec.exe /I{0189E0C0-18F1-4943-8552-56FB6A248119}
QuickTime --> MsiExec.exe /I{08094E03-AFE4-4853-9D31-6D0743DF5328}
Realtek High Definition Audio Driver --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\11\50\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{F132AF7F-7BCA-4EDE-8A7C-958108FE7DBC}\Setup.exe" -l0x9 -removeonly
Remote Administrator v2.2s --> C:\Program Files\Radmin\uninstal.exe
Safari --> MsiExec.exe /I{3F9EFA28-D2FE-44B7-8896-0B0FF8DF5517}
Sony Ericsson W800 Software --> C:\Program Files\Sony Ericsson\Sony Ericsson W800\W800Uninstall.exe
Symantec AntiVirus --> MsiExec.exe /I{848AC794-8B81-440A-81AE-6474337DB527}
Technology One ADF 5.40 Components --> C:\Program Files\T1\Common\t1menu.exe /UNINSTALL:[52]"C:\Program Files\T1\TB5_04_00"
Technology One ADF Base Components --> C:\Program Files\T1\Common\t1menu.exe /UNINSTALL:[52]"C:\Program Files\T1\Base"
Technology One Interactive SQL --> C:\Program Files\T1\Common\t1menu.exe /UNINSTALL:[52]"C:\Program Files\T1\TBSQL"
Technology One TB5_04_00 Runtime --> MsiExec.exe /I{33406756-60CA-4B04-A1F3-714A045E4B49}
TextPad 4.6 --> MsiExec.exe /X{E6969419-A1E8-4DF0-B145-858F8C0F29A1}
Windows Communication Foundation --> MsiExec.exe /X{491DD792-AD81-429C-9EB4-86DD3D22E333}
Windows Imaging Component --> "C:\WINDOWS\$NtUninstallWIC$\spuninst\spuninst.exe"
Windows Live Messenger --> MsiExec.exe /I{571700F0-DB9D-4B3A-B03D-35A14BB5939F}
Windows Media Format 11 runtime --> "C:\WINDOWS\$NtUninstallWMFDist11$\spuninst\spuninst.exe"
Windows Presentation Foundation --> MsiExec.exe /X{BAF78226-3200-4DB4-BE33-4D922A799840}
Windows Workflow Foundation --> MsiExec.exe /I{7D1B85BD-AA07-48B8-808D-67A4067FC6BD}
WinRAR archiver --> C:\Program Files\WinRAR\uninstall.exe
WinZip --> "C:\Program Files\WinZip\WINZIP32.EXE" /uninstall
XML Paper Specification Shared Components Pack 1.0 -->
XMLinst --> MsiExec.exe /I{EA23971F-2CEE-48FC-B64D-7F74A6EF90F0}


-- Application Event Log -------------------------------------------------------

Event Record #/Type4396 / Error
Event Submitted/Written: 04/05/2008 02:00:32 PM
Event ID/Source: 0 / .NET Runtime
Event Description:
Unable to open shim database version registry key - v2.0.50727.00000

Event Record #/Type4394 / Warning
Event Submitted/Written: 04/05/2008 09:54:47 AM
Event ID/Source: 6 / Symantec AntiVirus
Event Description:
Scan could not access path D:\System Volume Information

Event Record #/Type4393 / Warning
Event Submitted/Written: 04/05/2008 09:54:47 AM
Event ID/Source: 6 / Symantec AntiVirus
Event Description:
Scan could not access path D:\RECYCLER\S-1-5-21-329068152-1078081533-1417001333-500

Event Record #/Type4392 / Warning
Event Submitted/Written: 04/05/2008 09:54:47 AM
Event ID/Source: 6 / Symantec AntiVirus
Event Description:
Scan could not access path D:\RECYCLER\S-1-5-21-2122206202-853355329-945835055-5334

Event Record #/Type4391 / Warning
Event Submitted/Written: 04/05/2008 09:54:47 AM
Event ID/Source: 6 / Symantec AntiVirus
Event Description:
Scan could not access path D:\RECYCLER\S-1-5-21-2122206202-853355329-945835055-500



-- Security Event Log ----------------------------------------------------------

No Errors/Warnings found.


-- System Event Log ------------------------------------------------------------

Event Record #/Type4934 / Error
Event Submitted/Written: 04/05/2008 01:58:09 PM
Event ID/Source: 10016 / DCOM
Event Description:
The application-specific permission settings do not grant Local Activation permission for the COM Server application with CLSID
{0C0A3666-30C9-11D0-8F20-00805F2CD064}
to the user PENRITH\LSDominicB SID (S-1-5-21-2122206202-853355329-945835055-5337). This security permission can be modified using the Component Services administrative tool.

Event Record #/Type4933 / Error
Event Submitted/Written: 04/05/2008 07:27:03 AM
Event ID/Source: 10016 / DCOM
Event Description:
The application-specific permission settings do not grant Local Activation permission for the COM Server application with CLSID
{0C0A3666-30C9-11D0-8F20-00805F2CD064}
to the user PENRITH\LSDominicB SID (S-1-5-21-2122206202-853355329-945835055-5337). This security permission can be modified using the Component Services administrative tool.

Event Record #/Type4913 / Error
Event Submitted/Written: 04/05/2008 07:26:42 AM
Event ID/Source: 10016 / DCOM
Event Description:
The application-specific permission settings do not grant Local Activation permission for the COM Server application with CLSID
{0C0A3666-30C9-11D0-8F20-00805F2CD064}
to the user PENRITH\LSDominicB SID (S-1-5-21-2122206202-853355329-945835055-5337). This security permission can be modified using the Component Services administrative tool.

Event Record #/Type4881 / Error
Event Submitted/Written: 04/04/2008 10:00:32 AM
Event ID/Source: 16 / Windows Update Agent
Event Description:
Unable to Connect: Windows is unable to connect to the automatic updates service and therefore cannot download and install updates according to the set schedule. Windows will continue to try to establish a connection.

Event Record #/Type4879 / Warning
Event Submitted/Written: 04/04/2008 09:59:18 AM
Event ID/Source: 8193 / LSASRV
Event Description:
The Security System could not establish a secured connection with the server cifs/sr-cc1-dc-02.penrith.local. No authentication protocol was available.



-- End of Deckard's System Scanner: finished at 2008-04-05 15:49:48 ------------







Deckard's System Scanner v20071014.68
Run by Administrator on 2008-04-05 15:47:33
Computer is in Normal Mode.
--------------------------------------------------------------------------------

-- System Restore --------------------------------------------------------------

Successfully created a Deckard's System Scanner Restore Point.


-- Last 5 Restore Point(s) --
49: 2008-04-05 05:47:41 UTC - RP247 - Deckard's System Scanner Restore Point
48: 2008-04-04 21:44:28 UTC - RP246 - System Checkpoint
47: 2008-03-31 05:52:23 UTC - RP245 - Installed Symantec AntiVirus
46: 2008-03-31 05:47:54 UTC - RP244 - Removed Symantec AntiVirus
45: 2008-03-31 05:12:24 UTC - RP243 - Removed Symantec AntiVirus


-- First Restore Point --
1: 2008-03-03 00:53:32 UTC - RP199 - System Checkpoint


Backed up registry hives.
Performed disk cleanup.



-- HijackThis (run as Administrator.exe) ---------------------------------------

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 3:49:20 PM, on 5/04/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.5730.0011)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Ahead\InCD\InCDsrv.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Symantec AntiVirus\DefWatch.exe
C:\WINDOWS\system32\inetsrv\inetinfo.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Symantec AntiVirus\SavRoam.exe
C:\Program Files\Symantec AntiVirus\Rtvscan.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\igfxtray.exe
C:\WINDOWS\system32\hkcmd.exe
C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
C:\Program Files\Ahead\InCD\InCD.exe
C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe
C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe
C:\WINDOWS\RTHDCPL.EXE
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\PROGRA~1\SYMANT~1\VPTray.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
C:\Documents and Settings\LSDominicB.PENRITH\Desktop\dss.exe
C:\DOCUME~1\ADMINI~1.PC9\Desktop\SPYWAR~1\HIJACK~1\Administrator.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.penrithcity.nsw.gov.au
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 172.16.3.8:8080
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 172.16.*;<local>
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O2 - BHO: (no name) - {7bc121ac-f52c-479b-9312-ed9813b27255} - (no file)
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: Catcher Class - {ADECBED6-0366-4377-A739-E69DFBA04663} - C:\Program Files\Moyea\FLV Downloader\MoyeaCth.dll
O2 - BHO: (no name) - {B3ADDB7B-3DF5-4672-82DD-775FFF180134} - (no file)
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [High Definition Audio Property Page Shortcut] HDAShCut.exe
O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [InCD] C:\Program Files\Ahead\InCD\InCD.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe"
O4 - HKLM\..\Run: [Adobe Photo Downloader] "C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe"
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [SkyTel] SkyTel.EXE
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\VPTray.exe
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-21-2122206202-853355329-945835055-5337\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe (User 'LSDominicB')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\RunOnce: [TSClientMSIUninstaller] cmd.exe /C "cscript %systemroot%\Installer\TSClientMsiTrans\tscuinst.vbs" (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - HKUS\.DEFAULT\..\RunOnce: [TSClientMSIUninstaller] cmd.exe /C "cscript %systemroot%\Installer\TSClientMsiTrans\tscuinst.vbs" (User 'Default user')
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra button: ieSpell - {0E17D5B7-9F5D-4fee-9DF6-CA6EE38B68A8} - C:\Program Files\ieSpell\iespell.dll
O9 - Extra 'Tools' menuitem: ieSpell - {0E17D5B7-9F5D-4fee-9DF6-CA6EE38B68A8} - C:\Program Files\ieSpell\iespell.dll
O9 - Extra button: (no name) - {1606D6F9-9D3B-4aea-A025-ED5B2FD488E7} - C:\Program Files\ieSpell\iespell.dll
O9 - Extra 'Tools' menuitem: ieSpell Options - {1606D6F9-9D3B-4aea-A025-ED5B2FD488E7} - C:\Program Files\ieSpell\iespell.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Sothink SWF Catcher - {E19ADC6E-3909-43E4-9A89-B7B676377EE3} - C:\Program Files\Common Files\SourceTec\SWF Catcher\InternetExplorer.htm
O9 - Extra 'Tools' menuitem: Sothink SWF Catcher - {E19ADC6E-3909-43E4-9A89-B7B676377EE3} - C:\Program Files\Common Files\SourceTec\SWF Catcher\InternetExplorer.htm
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O14 - IERESET.INF: START_PAGE_URL=http://www.penrithcity.nsw.gov.au
O16 - DPF: {1663ed61-23eb-11d2-b92f-008048fdd814} (MeadCo ScriptX Advanced) - http://www.meadroid.com/scriptx/smsx.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1155597947343
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1155597933000
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = penrith.local
O17 - HKLM\Software\..\Telephony: DomainName = penrith.local
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = penrith.local
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = penrith.local
O20 - Winlogon Notify: jkhhe - jkhhe.dll (file missing)
O23 - Service: Bonjour Service - Apple Computer, Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - C:\Program Files\Symantec AntiVirus\DefWatch.exe
O23 - Service: InCD Helper (InCDsrv) - Nero AG - C:\Program Files\Ahead\InCD\InCDsrv.exe
O23 - Service: InCD Helper (read only) (InCDsrvR) - Nero AG - C:\Program Files\Ahead\InCD\InCDsrv.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Macromedia Licensing Service - Unknown owner - C:\Program Files\Common Files\Macromedia Shared\Service\Macromedia Licensing.exe
O23 - Service: SAVRoam (SavRoam) - symantec - C:\Program Files\Symantec AntiVirus\SavRoam.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec AntiVirus\Rtvscan.exe

--
End of file - 8823 bytes

-- File Associations -----------------------------------------------------------

All associations okay.


-- Drivers: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled ---------------------

R3 SMBios (Intel ® System Management BIOS Service) - c:\windows\system32\drivers\smbios.sys <Not Verified; Intel Corporation; Intel ® System Management BIOS Driver>


-- Services: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled --------------------

R2 Bonjour Service - "c:\program files\bonjour\mdnsresponder.exe" <Not Verified; Apple Computer, Inc.; Bonjour>

S2 InCDsrvR (InCD Helper (read only)) - c:\program files\ahead\incd\incdsrv.exe -r <Not Verified; Nero AG; Nero AG incdsrv>


-- Device Manager: Disabled ----------------------------------------------------

Class GUID: {4D36E96B-E325-11CE-BFC1-08002BE10318}
Description: Standard 101/102-Key or Microsoft Natural PS/2 Keyboard
Device ID: ACPI\PNP0303\4&2D2D400&0
Manufacturer: (Standard keyboards)
Name: Standard 101/102-Key or Microsoft Natural PS/2 Keyboard
PNP Device ID: ACPI\PNP0303\4&2D2D400&0
Service: i8042prt


-- Scheduled Tasks -------------------------------------------------------------

2007-11-22 12:45:00 284 --a------ C:\WINDOWS\Tasks\AppleSoftwareUpdate.job


-- Files created between 2008-03-05 and 2008-04-05 -----------------------------

2008-04-04 11:07:55 0 d-------- C:\Documents and Settings\lspaulinag\Application Data\Adobe
2008-04-04 10:00:33 0 d-------- C:\Documents and Settings\lspaulinag\Application Data\Identities
2008-04-04 10:00:00 0 dr------- C:\Documents and Settings\lspaulinag\Favorites
2008-04-04 10:00:00 0 d-------- C:\Documents and Settings\lspaulinag\Desktop
2008-04-04 10:00:00 0 d--hs---- C:\Documents and Settings\lspaulinag\Cookies
2008-04-04 10:00:00 0 dr-h----- C:\Documents and Settings\lspaulinag\Application Data
2008-04-04 10:00:00 0 d---s---- C:\Documents and Settings\lspaulinag\Application Data\Microsoft
2008-04-04 09:59:59 0 d--h----- C:\Documents and Settings\lspaulinag\Templates
2008-04-04 09:59:59 0 dr------- C:\Documents and Settings\lspaulinag\Start Menu
2008-04-04 09:59:59 0 dr-h----- C:\Documents and Settings\lspaulinag\SendTo
2008-04-04 09:59:59 0 dr-h----- C:\Documents and Settings\lspaulinag\Recent
2008-04-04 09:59:59 0 d--h----- C:\Documents and Settings\lspaulinag\PrintHood
2008-04-04 09:59:59 0 d--h----- C:\Documents and Settings\lspaulinag\NetHood
2008-04-04 09:59:59 0 dr------- C:\Documents and Settings\lspaulinag\My Documents
2008-04-04 09:59:59 0 d--h----- C:\Documents and Settings\lspaulinag\Local Settings
2008-04-04 09:59:58 1048576 --ah----- C:\Documents and Settings\lspaulinag\NTUSER.DAT
2008-03-16 10:23:49 0 d-------- C:\Documents and Settings\Administrator.PC900\Application Data\Sun
2008-03-15 15:00:06 0 d-------- C:\WINDOWS\system32\ActiveScan
2008-03-15 08:36:42 68096 --a------ C:\WINDOWS\system32\zip.exe
2008-03-15 08:36:42 98816 --a------ C:\WINDOWS\system32\sed.exe
2008-03-15 08:36:42 80412 --a------ C:\WINDOWS\system32\grep.exe
2008-03-15 08:36:42 73728 --a------ C:\WINDOWS\system32\fdsv.exe <Not Verified; Smallfrogs Studio; >
2008-03-10 14:34:42 3148 --a------ C:\WINDOWS\system32\tmp.reg
2008-03-10 13:15:33 0 d-------- C:\WINDOWS\pss
2008-03-10 12:52:49 0 d-------- C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-03-10 09:08:12 0 d-------- C:\Documents and Settings\All Users\Application Data\Lavasoft


-- Find3M Report ---------------------------------------------------------------

2008-04-05 07:25:49 0 d-------- C:\Program Files\Symantec AntiVirus
2008-03-31 15:53:00 0 d-------- C:\Program Files\Common Files\Symantec Shared
2008-03-31 15:52:40 0 d-------- C:\Program Files\Symantec
2008-03-16 11:08:04 0 d-------- C:\Program Files\Common Files
2008-03-16 10:25:10 0 d-------- C:\Program Files\Java
2008-03-15 15:36:14 0 d-------- C:\Program Files\QuickTime
2008-03-15 15:31:52 0 d-------- C:\Program Files\iTunes
2008-03-15 15:30:09 0 d-------- C:\Program Files\Bonjour
2008-03-10 09:26:05 0 d-------- C:\Documents and Settings\Administrator.PC900\Application Data\Adobe
2008-03-03 11:04:38 0 d-------- C:\Program Files\Common Files\SourceTec
2008-03-03 11:04:37 0 d-------- C:\Program Files\SourceTec
2008-02-18 15:15:48 0 d-------- C:\Documents and Settings\Administrator.PC900\Application Data\Macromedia
2008-02-18 15:12:58 0 d-------- C:\Program Files\Macromedia
2008-02-18 15:12:28 0 d-------- C:\Program Files\Common Files\Macromedia
2008-02-11 11:28:01 0 d-------- C:\Documents and Settings\Administrator.PC900\Application Data\TextPad
2008-02-11 11:10:36 0 d-------- C:\Documents and Settings\Administrator.PC900\Application Data\WinRAR
2008-02-11 10:34:41 0 d-------- C:\Documents and Settings\Administrator.PC900\Application Data\Ahead
2008-02-11 10:28:46 0 d-------- C:\Program Files\Common Files\InstallShield
2008-02-11 10:01:51 0 d-------- C:\Program Files\Common Files\Adobe
2008-02-10 14:41:19 0 d-------- C:\Program Files\Moyea
2008-02-10 14:41:13 0 d-------- C:\Documents and Settings\Administrator.PC900\Application Data\Moyea


-- Registry Dump ---------------------------------------------------------------

*Note* empty entries & legit default entries are not shown


[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{7bc121ac-f52c-479b-9312-ed9813b27255}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{B3ADDB7B-3DF5-4672-82DD-775FFF180134}]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IgfxTray"="C:\WINDOWS\system32\igfxtray.exe" [06/06/2004 01:45 PM]
"HotKeysCmds"="C:\WINDOWS\system32\hkcmd.exe" [06/06/2004 01:41 PM]
"High Definition Audio Property Page Shortcut"="HDAShCut.exe" [07/01/2005 05:07 PM C:\WINDOWS\system32\HdAShCut.exe]
"RemoteControl"="C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe" [12/01/2005 03:01 AM]
"NeroFilterCheck"="C:\WINDOWS\system32\NeroCheck.exe" [09/07/2001 11:50 AM]
"InCD"="C:\Program Files\Ahead\InCD\InCD.exe" [28/01/2005 03:17 AM]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe" [22/02/2008 03:25 AM]
"Adobe Photo Downloader"="C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe" [06/06/2005 11:46 PM]
"RTHDCPL"="RTHDCPL.EXE" [21/07/2006 04:56 PM C:\WINDOWS\RTHDCPL.exe]
"SkyTel"="SkyTel.EXE" [16/05/2006 06:04 PM C:\WINDOWS\SkyTel.exe]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [27/04/2007 09:41 AM]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [01/06/2007 04:51 PM]
"ccApp"="C:\Program Files\Common Files\Symantec Shared\ccApp.exe" [09/06/2004 08:31 PM]
"vptray"="C:\PROGRA~1\SYMANT~1\VPTray.exe" [06/10/2004 05:56 PM]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\system32\ctfmon.exe" [04/08/2004 10:00 PM]

[HKEY_USERS\.default\software\microsoft\windows\currentversion\runonce]
"TSClientMSIUninstaller"=cmd.exe /C "cscript %systemroot%\Installer\TSClientMsiTrans\tscuinst.vbs"

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Adobe Reader Speed Launch.lnk - C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [23/09/2005 10:05:26 PM]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\jkhhe]
jkhhe.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\Machine\Scripts\Startup\0\0]
"Script"=\\penrith.local\SysVol\penrith.local\scripts\CopyExponareConfig.cmd

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\Machine\Scripts\Startup\1\0]
"Script"=\\penrith.local\SYSVOL\penrith.local\scripts\CopyProClaimAddOns.cmd




-- End of Deckard's System Scanner: finished at 2008-04-05 15:49:48 ------------

#4 Grinler

Grinler

    Lawrence Abrams


  • Admin
  • 43,659 posts
  • ONLINE
  •  
  • Gender:Male
  • Location:USA
  • Local time:01:21 PM

Posted 05 April 2008 - 04:32 PM

Please visit the following link and use the instructions there to post a ComboFix log as a reply to this topic:

http://www.bleepingcomputer.com/combofix/how-to-use-combofix

When following the instructions please install the Windows XP Recovery Console if you are using XP.

After running ComboFix, please post the ComboFix log as well as a brand new HijackThis as a reply to this topic.




0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users