Jump to content


 


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.


Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.

Photo

Malware Removal Help


  • This topic is locked This topic is locked
15 replies to this topic

#1 chocabout

chocabout

  • Members
  • 12 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Australia
  • Local time:01:59 PM

Posted 25 March 2008 - 01:32 PM

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 5:01:31 AM, on 26/03/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\PC Tools Firewall Plus\FWService.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Microsoft Small Business\Business Contact Manager\BcmSqlStartupSvc.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\Spyware Doctor\pctsAuxs.exe
C:\Program Files\Spyware Doctor\pctsSvc.exe
C:\WINDOWS\RTHDCPL.EXE
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Program Files\PC Tools Firewall Plus\FirewallGUI.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Spyware Doctor\pctsTray.exe
C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe
C:\Program Files\ThreatFire\TFTray.exe
C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\DAEMON Tools\daemon.exe
C:\Program Files\Microsoft SQL Server\90\Shared\sqlbrowser.exe
C:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe
C:\Program Files\ThreatFire\TFService.exe
C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe
C:\Program Files\Common Files\Ahead\Lib\NMIndexStoreSvr.exe
C:\WINDOWS\System32\alg.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
C:\WINDOWS\system32\wbem\wmiprvse.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.dodo.com.au/
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://windowsupdate.microsoft.com/
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O3 - Toolbar: qvdntlmw - {18744937-6095-410E-84B9-B9CA888327E7} - C:\WINDOWS\qvdntlmw.dll
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [Alcmtr] ALCMTR.EXE
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [00PCTFW] "C:\Program Files\PC Tools Firewall Plus\FirewallGUI.exe" -s
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [NeroFilterCheck] C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [ISTray] "C:\Program Files\Spyware Doctor\pctsTray.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"
O4 - HKLM\..\Run: [ThreatFire] C:\Program Files\ThreatFire\TFTray.exe
O4 - HKCU\..\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [DAEMON Tools] "C:\Program Files\DAEMON Tools\daemon.exe" -lang 1033
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O21 - SSODL: KernelDrive - {a0fe052c-ae9b-4064-b391-0ceea928b2f5} - C:\WINDOWS\Installer\{a0fe052c-ae9b-4064-b391-0ceea928b2f5}\KernelDrive.dll
O21 - SSODL: vbgtorfd - {6450C9B2-0DDA-441E-ACC5-3FE0303809AD} - C:\WINDOWS\vbgtorfd.dll
O21 - SSODL: dwnrpofk - {A887C9D4-D535-4E7A-9A49-8408A2079B35} - C:\WINDOWS\dwnrpofk.dll
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: NBService - Nero AG - C:\Program Files\Nero\Nero 7\Nero BackItUp\NBService.exe
O23 - Service: NMIndexingService - Nero AG - C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: PC Tools Firewall Plus (PCToolsFirewallPlus) - PC Tools - C:\Program Files\PC Tools Firewall Plus\FWService.exe
O23 - Service: PC Tools Auxiliary Service (sdAuxService) - PC Tools - C:\Program Files\Spyware Doctor\pctsAuxs.exe
O23 - Service: PC Tools Security Service (sdCoreService) - PC Tools - C:\Program Files\Spyware Doctor\pctsSvc.exe
O23 - Service: ThreatFire - PC Tools - C:\Program Files\ThreatFire\TFService.exe

--
End of file - 6165 bytes

BC AdBot (Login to Remove)

 


#2 Rawe

Rawe

  • Members
  • 2,363 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Finland
  • Local time:09:59 PM

Posted 25 March 2008 - 05:08 PM

Hello and welcome to BleepingComputer :thumbsup:

Please print these instructions out, or write them down, as you can't read them during the fix.

Download SDFix and save it to your desktop.
  • Double-click on SDFix.exe to extract the files to C:\SDFix
  • DO NOT use it just yet.
Next, please reboot your computer in Safe Mode by doing the following:
1) Restart your computer.
2) After hearing your computer beep once during startup, but before the Windows icon appears, press F8.
3) Instead of Windows loading as normal, a menu should appear.
4) Select the first option, to run Windows in Safe Mode.
5) Login to your usual account.
  • Once in Safe Mode, open the SDFix folder & double-click RunThis.bat to start the script.
  • Type Y to begin the script.
  • It will remove the Trojan Services then make some repairs to the registry and prompt you to press any key to Reboot.
  • Press any key and it will restart the PC.
  • Your system will take longer that normal to restart as the fixtool will be running and removing files.
  • When the desktop loads the fixtool will complete the removal and display Finished, then press any key to end the script and load your desktop icons.
  • Finally open the SDFix folder on your desktop and copy and paste the contents of the results file Report.txt in your next reply along with a fresh HijackThis log. :blink:
-- If this error message is displayed when running SDFix: "The command prompt has been disabled by your administrator. Press any key to continue..."
Please go to Start Menu > Run > and copy/paste the following line:
%systemdrive%\SDFix\apps\swreg IMPORT %systemdrive%\SDFix\apps\Enable_Command_Prompt.reg
Press Ok and then run SDFix again.

-- If the Command Prompt window flashes on then off again on XP or Win 2000, please go to Start Menu > Run > and copy/paste the following line:
%systemdrive%\SDFix\apps\FixPath.exe /Q
Reboot and then run SDFix again.

-- If SDFix still does not run, check the %comspec% variable. Right-click My Computer > click Properties > Advanced > Environment Variables and check that the ComSpec variable points to cmd.exe.
%SystemRoot%\system32\cmd.exe

Hi there, stranger!

#3 chocabout

chocabout
  • Topic Starter

  • Members
  • 12 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Australia
  • Local time:01:59 PM

Posted 28 March 2008 - 11:57 PM

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 3:52:06 PM, on 29/03/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16608)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\PC Tools Firewall Plus\FWService.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Microsoft Small Business\Business Contact Manager\BcmSqlStartupSvc.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\Spyware Doctor\pctsAuxs.exe
C:\Program Files\Spyware Doctor\pctsSvc.exe
C:\WINDOWS\RTHDCPL.EXE
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Program Files\PC Tools Firewall Plus\FirewallGUI.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Spyware Doctor\pctsTray.exe
C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe
C:\Program Files\ThreatFire\TFTray.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\DAEMON Tools\daemon.exe
C:\Program Files\Microsoft SQL Server\90\Shared\sqlbrowser.exe
C:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe
C:\Program Files\ThreatFire\TFService.exe
C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe
C:\Program Files\Common Files\Ahead\Lib\NMIndexStoreSvr.exe
C:\WINDOWS\System32\alg.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
C:\WINDOWS\system32\wbem\wmiprvse.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.dodo.com.au/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://windowsupdate.microsoft.com/
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [Alcmtr] ALCMTR.EXE
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [00PCTFW] "C:\Program Files\PC Tools Firewall Plus\FirewallGUI.exe" -s
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [NeroFilterCheck] C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [ISTray] "C:\Program Files\Spyware Doctor\pctsTray.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"
O4 - HKLM\..\Run: [ThreatFire] C:\Program Files\ThreatFire\TFTray.exe
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKCU\..\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [DAEMON Tools] "C:\Program Files\DAEMON Tools\daemon.exe" -lang 1033
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: NBService - Nero AG - C:\Program Files\Nero\Nero 7\Nero BackItUp\NBService.exe
O23 - Service: NMIndexingService - Nero AG - C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: PC Tools Firewall Plus (PCToolsFirewallPlus) - PC Tools - C:\Program Files\PC Tools Firewall Plus\FWService.exe
O23 - Service: PC Tools Auxiliary Service (sdAuxService) - PC Tools - C:\Program Files\Spyware Doctor\pctsAuxs.exe
O23 - Service: PC Tools Security Service (sdCoreService) - PC Tools - C:\Program Files\Spyware Doctor\pctsSvc.exe
O23 - Service: ThreatFire - PC Tools - C:\Program Files\ThreatFire\TFService.exe

--
End of file - 6391 bytes

Thanks for your help I did what you said,I noticed the Hijack File went from 12.7kb toi 12.4kb so some bad files must of been removed.When I run the spyware doctor scan,Adware.Agent.BN was not there,so does mean it is gone forever?.

#4 Rawe

Rawe

  • Members
  • 2,363 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Finland
  • Local time:09:59 PM

Posted 29 March 2008 - 04:40 AM

Hello again. :thumbsup:

Thanks for your help I did what you said,I noticed the Hijack File went from 12.7kb toi 12.4kb so some bad files must of been removed.When I run the spyware doctor scan,Adware.Agent.BN was not there,so does mean it is gone forever?.

Yup, the HijackThis log looks clean now, however that does NOT mean the system is completely clean yet.

I also need to see the SDFix log. It should be found in the SDFix folder on your desktop. Please copy/paste it's contents here.

---

Your Java is out of date. Older versions have vulnerabilities that malware can use to infect your system. A malicious site could render Java content under older, vulnerable versions of Sun's software if the user has not removed them. Please follow these steps to remove older version Java components and update:
  • Download the latest version of Java Runtime Environment (JRE) 6 Update 5 and save it to your desktop.
  • Scroll down to where it says "Java Runtime Environment (JRE) 6 Update 5...allows end-users to run Java applications".
  • Click the "Download" button to the right.
  • Read the License Agreement and then check the box that says: "Accept License Agreement".
  • The page will refresh.
  • Click on the link to download Windows Offline Installation and save the file to your desktop.
  • Close any programs you may have running - especially your web browser.
  • Go to Start > Settings > Control Panel, double-click on Add/Remove Programs and remove all older versions of Java.
  • Check (highlight) any item with Java Runtime Environment (JRE or J2SE) in the name. They should have next icon next to it: Posted Image
  • Click the Remove or Change/Remove button.
  • Repeat as many times as necessary to remove each Java versions.
  • Reboot your computer once all Java components are removed.
  • Then from your desktop double-click on jre-6u5-windows-i586-p.exe to install the newest version.
Now to clean out the Java cache:

Go into the Control Panel and double-click the Java Icon.
  • Under Temporary Internet Files, click the Settings button.
  • Then click Delete Files...
  • There are two options in the window to clear the cache - Leave BOTH checked
Applications and Applets
Trace and Log Files

  • Click OK on Delete Temporary Files window
    Note: This deletes ALL the Downloaded Applications and Applets from the CACHE.
  • Click OK to leave the Java Control Panel.
----

With the SDFix log, please download Deckard's System Scanner (DSS) and save it to your Desktop.
  • Close all other windows before proceeding.
  • Double-click on dss.exe and follow the prompts.
  • When it has finished, dss will open two Notepads main.txt and extra.txt -- please copy (CTRL+A and then CTRL+C) and paste (CTRL+V) the contents of main.txt and extra.txt in your next reply.

Hi there, stranger!

#5 chocabout

chocabout
  • Topic Starter

  • Members
  • 12 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Australia
  • Local time:01:59 PM

Posted 29 March 2008 - 06:55 AM

SDFix: Version 1.164

Run by User on Sat 29/03/2008 at 10:33 PM

Microsoft Windows XP [Version 5.1.2600]
Running From: C:\SDFix\SDFix

Checking Services :


Restoring Windows Registry Values
Restoring Windows Default Hosts File

Rebooting


Checking Files :

No Trojan Files Found






Removing Temp Files

ADS Check :



Final Check :

catchme 0.3.1344.2 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-03-29 22:42:06
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden services & system hive ...

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Epoch]
"Epoch"=dword:00003b85
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\sptd\Cfg]
"s1"=dword:2df9c43f
"s2"=dword:110480d0
"h0"=dword:00000001

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4]
"p0"="C:\Program Files\DAEMON Tools\"
"h0"=dword:00000000
"khjeh"=hex:ed,52,d8,6a,04,fd,81,f5,28,46,14,e6,e0,ba,1e,2a,ed,00,5c,51,63,..

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001]
"a0"=hex:20,01,00,00,a1,fb,ba,7d,ce,d5,b4,5e,01,b0,c2,06,bf,50,87,d3,27,..
"khjeh"=hex:2d,29,45,6d,0f,d3,fd,02,14,67,d8,87,69,87,63,e2,b3,e4,02,98,7d,..

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf40]
"khjeh"=hex:bd,0c,61,15,d4,20,db,0b,65,4b,2b,a9,6f,60,39,89,ca,3f,70,bd,53,..

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf41]
"khjeh"=hex:32,92,e8,f9,96,57,c3,f9,e7,3b,83,d2,77,02,8e,6c,95,bf,4b,42,41,..
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4]
"p0"="C:\Program Files\DAEMON Tools\"
"h0"=dword:00000000
"khjeh"=hex:ed,52,d8,6a,04,fd,81,f5,28,46,14,e6,e0,ba,1e,2a,ed,00,5c,51,63,..

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001]
"a0"=hex:20,01,00,00,a1,fb,ba,7d,ce,d5,b4,5e,01,b0,c2,06,bf,50,87,d3,27,..
"khjeh"=hex:2d,29,45,6d,0f,d3,fd,02,14,67,d8,87,69,87,63,e2,b3,e4,02,98,7d,..

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf40]
"khjeh"=hex:bd,0c,61,15,d4,20,db,0b,65,4b,2b,a9,6f,60,39,89,ca,3f,70,bd,53,..

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf41]
"khjeh"=hex:32,92,e8,f9,96,57,c3,f9,e7,3b,83,d2,77,02,8e,6c,95,bf,4b,42,41,..

scanning hidden registry entries ...

scanning hidden files ...

scan completed successfully
hidden processes: 0
hidden services: 0
hidden files: 0


Remaining Services :



Authorized Application Key Export:

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"C:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"="C:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE:*:Enabled:Microsoft Office Outlook"
"%windir%\\Network Diagnostic\\xpnetdiag.exe"="%windir%\\Network Diagnostic\\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\domainprofile\authorizedapplications\list]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"%windir%\\Network Diagnostic\\xpnetdiag.exe"="%windir%\\Network Diagnostic\\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"

Remaining Files :


File Backups: - C:\SDFix\SDFix\backups\backups.zip

Files with Hidden Attributes :

Thu 13 Dec 2007 4,348 A.SH. --- "C:\Documents and Settings\All Users\DRM\DRMv1.bak"
Sun 6 Jan 2008 0 A.SH. --- "C:\Documents and Settings\All Users\DRM\Cache\Indiv02.tmp"
Fri 18 Jan 2008 0 A..H. --- "C:\WINDOWS\SoftwareDistribution\Download\6b636582f273e0b4cae6f62415c52d81\BIT1.tmp"

Finished!

Deckard's System Scanner v20071014.68
Run by User on 2008-03-29 22:46:26
Computer is in Normal Mode.
--------------------------------------------------------------------------------

-- System Restore --------------------------------------------------------------

Successfully created a Deckard's System Scanner Restore Point.


-- Last 5 Restore Point(s) --
26: 2008-03-29 11:46:30 UTC - RP26 - Deckard's System Scanner Restore Point
25: 2008-03-29 10:58:04 UTC - RP25 - Installed Java™ 6 Update 5
24: 2008-03-29 10:54:55 UTC - RP24 - Installed Java™ SE Development Kit 6 Update 5
23: 2008-03-29 10:47:11 UTC - RP23 - Removed Java™ 6 Update 3
22: 2008-03-29 04:03:38 UTC - RP22 - Made by Registry Mechanic O


-- First Restore Point --
1: 2008-03-25 20:18:45 UTC - RP1 - System Checkpoint


Backed up registry hives.
Performed disk cleanup.



-- HijackThis (run as User.exe) ------------------------------------------------

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 10:47:07 PM, on 29/03/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16608)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\PC Tools Firewall Plus\FWService.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Microsoft Small Business\Business Contact Manager\BcmSqlStartupSvc.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\Spyware Doctor\pctsAuxs.exe
C:\Program Files\Spyware Doctor\pctsSvc.exe
C:\Program Files\Spyware Doctor\pctsTray.exe
C:\Program Files\Microsoft SQL Server\90\Shared\sqlbrowser.exe
C:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe
C:\Program Files\ThreatFire\TFService.exe
C:\WINDOWS\System32\alg.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\RTHDCPL.EXE
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Program Files\PC Tools Firewall Plus\FirewallGUI.exe
C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\ThreatFire\TFTray.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe
C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\DAEMON Tools\daemon.exe
C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe
C:\Program Files\Common Files\Ahead\Lib\NMIndexStoreSvr.exe
C:\Documents and Settings\User\Desktop\dss.exe
C:\WINDOWS\system32\wbem\wmiprvse.exe
C:\PROGRA~1\TRENDM~1\HIJACK~1\User.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.dodo.com.au/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://windowsupdate.microsoft.com/
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [Alcmtr] ALCMTR.EXE
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [00PCTFW] "C:\Program Files\PC Tools Firewall Plus\FirewallGUI.exe" -s
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [NeroFilterCheck] C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [ISTray] "C:\Program Files\Spyware Doctor\pctsTray.exe"
O4 - HKLM\..\Run: [ThreatFire] C:\Program Files\ThreatFire\TFTray.exe
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe"
O4 - HKCU\..\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [DAEMON Tools] "C:\Program Files\DAEMON Tools\daemon.exe" -lang 1033
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: NBService - Nero AG - C:\Program Files\Nero\Nero 7\Nero BackItUp\NBService.exe
O23 - Service: NMIndexingService - Nero AG - C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: PC Tools Firewall Plus (PCToolsFirewallPlus) - PC Tools - C:\Program Files\PC Tools Firewall Plus\FWService.exe
O23 - Service: PC Tools Auxiliary Service (sdAuxService) - PC Tools - C:\Program Files\Spyware Doctor\pctsAuxs.exe
O23 - Service: PC Tools Security Service (sdCoreService) - PC Tools - C:\Program Files\Spyware Doctor\pctsSvc.exe
O23 - Service: ThreatFire - PC Tools - C:\Program Files\ThreatFire\TFService.exe

--
End of file - 6480 bytes

-- File Associations -----------------------------------------------------------

All associations okay.


-- Drivers: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled ---------------------

R0 sfdrv01 (StarForce Protection Environment Driver (version 1.x)) - c:\windows\system32\drivers\sfdrv01.sys <Not Verified; Protection Technology (StarForce); SF FrontLine>
R0 sfhlp02 (StarForce Protection Helper Driver (version 2.x)) - c:\windows\system32\drivers\sfhlp02.sys <Not Verified; Protection Technology (StarForce); SF FrontLine>
R0 sfsync04 (StarForce Protection Synchronization Driver (version 4.x)) - c:\windows\system32\drivers\sfsync04.sys <Not Verified; Protection Technology (StarForce); SF FrontLine>
R0 sfvfs02 (StarForce Protection VFS Driver (version 2.x)) - c:\windows\system32\drivers\sfvfs02.sys <Not Verified; Protection Technology; StarForce Protection System>
R3 catchme - c:\docume~1\user\locals~1\temp\catchme.sys (file missing)


-- Services: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled --------------------

S3 NBService - c:\program files\nero\nero 7\nero backitup\nbservice.exe


-- Device Manager: Disabled ----------------------------------------------------

No disabled devices found.


-- Scheduled Tasks -------------------------------------------------------------

2008-03-29 22:44:37 330 --ah----- C:\WINDOWS\Tasks\MP Scheduled Scan.job


-- Files created between 2008-02-29 and 2008-03-29 -----------------------------

2008-03-29 22:31:45 0 d-------- C:\WINDOWS\ERUNT
2008-03-29 21:58:54 0 d-------- C:\Program Files\Sun
2008-03-29 21:55:04 0 d-------- C:\Program Files\Java
2008-03-29 21:54:57 0 d-------- C:\Program Files\Common Files\Java
2008-03-29 15:10:49 0 d--hs---- C:\Documents and Settings\NetworkService\Cookies
2008-03-29 15:02:11 0 dr-h----- C:\Documents and Settings\User\Recent
2008-03-26 10:54:01 0 d-------- C:\Program Files\Microsoft Silverlight
2008-03-26 07:04:16 2870 --a------ C:\WINDOWS\system32\tmp.reg
2008-03-26 07:03:34 25600 --a------ C:\WINDOWS\system32\WS2Fix.exe
2008-03-26 07:03:34 289144 --a------ C:\WINDOWS\system32\VCCLSID.exe <Not Verified; S!Ri; >
2008-03-26 07:03:34 86528 --a------ C:\WINDOWS\system32\VACFix.exe <Not Verified; S!Ri.URZ; VACFix>
2008-03-26 07:03:34 288417 --a------ C:\WINDOWS\system32\SrchSTS.exe <Not Verified; S!Ri; SrchSTS>
2008-03-26 07:03:34 53248 --a------ C:\WINDOWS\system32\Process.exe <Not Verified; http://www.beyondlogic.org; Command Line Process Utility>
2008-03-26 07:03:34 82432 --a------ C:\WINDOWS\system32\IEDFix.exe <Not Verified; S!Ri.URZ; IEDFix>
2008-03-26 07:03:34 51200 --a------ C:\WINDOWS\system32\dumphive.exe
2008-03-26 06:56:09 0 d-------- C:\Documents and Settings\NetworkService\Start Menu
2008-03-26 06:06:19 0 d-------- C:\Program Files\Windows Defender
2008-03-26 04:57:33 0 d-------- C:\Program Files\Trend Micro
2008-03-26 00:02:58 0 d-------- C:\Documents and Settings\Administrator\Application Data\PCToolsFirewallPlus
2008-03-25 23:55:45 0 d-------- C:\Documents and Settings\Administrator\Favorites
2008-03-25 23:55:45 0 d-------- C:\Documents and Settings\Administrator\Desktop
2008-03-25 23:55:45 0 dr-h----- C:\Documents and Settings\Administrator\Application Data
2008-03-25 23:55:45 0 d---s---- C:\Documents and Settings\Administrator\Application Data\Microsoft
2008-03-25 23:55:44 0 d--h----- C:\Documents and Settings\Administrator\Templates
2008-03-25 23:55:44 0 dr------- C:\Documents and Settings\Administrator\Start Menu
2008-03-25 23:55:44 0 dr-h----- C:\Documents and Settings\Administrator\SendTo
2008-03-25 23:55:44 0 d--h----- C:\Documents and Settings\Administrator\Recent
2008-03-25 23:55:44 0 d--h----- C:\Documents and Settings\Administrator\PrintHood
2008-03-25 23:55:44 0 d--h----- C:\Documents and Settings\Administrator\NetHood
2008-03-25 23:55:44 0 d-------- C:\Documents and Settings\Administrator\My Documents
2008-03-25 23:55:44 0 d--h----- C:\Documents and Settings\Administrator\Local Settings
2008-03-25 23:55:43 786432 --ah----- C:\Documents and Settings\Administrator\NTUSER.DAT
2008-03-25 20:22:09 0 d-------- C:\Program Files\ThreatFire
2008-03-25 19:45:31 7340032 --a------ C:\Documents and Settings\User\ntuser.dat
2008-03-25 16:49:18 0 d-------- C:\Documents and Settings\All Users\Application Data\mzabyfcr
2008-03-04 21:27:26 0 d-------- C:\Program Files\IrfanView
2008-03-01 19:45:04 0 d-------- C:\WINDOWS\Sun
2008-03-01 19:45:04 0 d-------- C:\Documents and Settings\User\Application Data\Sun
2008-03-01 16:10:21 188960 --a------ C:\WINDOWS\system\WINGDE.DLL <Not Verified; Microsoft Corporation; Microsoft® Windows™ Operating System>
2008-03-01 16:10:21 12800 --a------ C:\WINDOWS\system\WING32.DLL <Not Verified; Microsoft Corporation; WinG>
2008-03-01 16:10:20 92208 --a------ C:\WINDOWS\system\WING.DLL <Not Verified; Microsoft Corporation; WinG>
2008-03-01 16:09:06 245504 --a------ C:\WINDOWS\PI.EXE


-- Find3M Report ---------------------------------------------------------------

2008-03-29 22:20:00 0 d-------- C:\Program Files\Mozilla Thunderbird
2008-03-29 21:54:57 0 d-------- C:\Program Files\Common Files
2008-03-29 15:00:53 0 d-------- C:\Program Files\Privacy Guardian
2008-03-28 21:17:37 0 d-------- C:\Program Files\Spyware Doctor
2008-03-24 15:30:55 0 d-------- C:\Documents and Settings\User\Application Data\dvdcss
2008-02-28 10:20:01 43520 --a------ C:\WINDOWS\system32\CmdLineExt03.dll
2008-02-24 13:09:20 30823 --a------ C:\WINDOWS\DIIUnin.dat
2008-02-24 12:59:53 21840 --a------ C:\WINDOWS\system32\SIntfNT.dll
2008-02-24 12:59:53 17212 --a------ C:\WINDOWS\system32\SIntf32.dll
2008-02-24 12:59:53 12067 --a------ C:\WINDOWS\system32\SIntf16.dll
2008-02-24 12:54:35 2829 --a------ C:\WINDOWS\DIIUnin.pif
2008-02-24 12:54:35 94208 --a------ C:\WINDOWS\DIIUnin.exe <Not Verified; Blizzard Entertainment; Diablo II Uninstaller>
2008-02-24 11:27:25 0 d-------- C:\Program Files\Free Naruto Screensaver
2008-02-24 11:24:41 0 d-------- C:\Program Files\Desktop XP
2008-02-24 11:17:29 0 d-------- C:\Documents and Settings\User\Application Data\Adobe


-- Registry Dump ---------------------------------------------------------------

*Note* empty entries & legit default entries are not shown


[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"RTHDCPL"="RTHDCPL.EXE" [12/04/2007 08:33 PM C:\WINDOWS\RTHDCPL.exe]
"Alcmtr"="ALCMTR.EXE" [03/05/2005 09:43 PM C:\WINDOWS\Alcmtr.exe]
"NvCplDaemon"="C:\WINDOWS\system32\NvCpl.dll" [17/09/2007 01:07 AM]
"nwiz"="nwiz.exe" [17/09/2007 01:07 AM C:\WINDOWS\system32\nwiz.exe]
"NvMediaCenter"="C:\WINDOWS\system32\NvMcTray.dll" [17/09/2007 01:07 AM]
"00PCTFW"="C:\Program Files\PC Tools Firewall Plus\FirewallGUI.exe" [19/09/2007 03:27 PM]
"Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [10/10/2007 07:51 PM]
"NeroFilterCheck"="C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe" [01/03/2007 03:57 PM]
"TkBellExe"="C:\Program Files\Common Files\Real\Update_OB\realsched.exe" [02/11/2007 10:27 PM]
"ISTray"="C:\Program Files\Spyware Doctor\pctsTray.exe" [10/12/2007 02:53 PM]
"ThreatFire"="C:\Program Files\ThreatFire\TFTray.exe" [15/02/2008 10:20 AM]
"Windows Defender"="C:\Program Files\Windows Defender\MSASCui.exe" [03/11/2006 06:20 PM]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe" [22/02/2008 04:25 AM]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}"="C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe" [27/06/2007 07:03 PM]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [04/08/2004 11:00 PM]
"DAEMON Tools"="C:\Program Files\DAEMON Tools\daemon.exe" [19/09/2007 01:16 AM]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"NoLowDiskSpaceChecks"=1 (0x1)

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\aawservice]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\sdauxservice"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\sdcoreservice"


[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{59d4b414-88df-11dc-9632-a60acd385c16}]
Auto\command- I:\Cn911.exe
AutoRun\command- C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL Cn911.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{917093c2-8e90-11dc-944d-000000000000}]
AutoRun\command- J:\setupSNK.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{be6eadb8-890a-11dc-9424-001a4d5354ec}]
Auto\command- Cn911.exe
AutoRun\command- C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL Cn911.exe




-- End of Deckard's System Scanner: finished at 2008-03-29 22:47:41 ------------

Deckard's System Scanner v20071014.68
Extra logfile - please post this as an attachment with your post.
--------------------------------------------------------------------------------

-- System Information ----------------------------------------------------------

Microsoft Windows XP Home Edition (build 2600) SP 2.0
Architecture: X86; Language: English

CPU 0: Intel® Core™2 Duo CPU E6750 @ 2.66GHz
CPU 1: Intel® Core™2 Duo CPU E6750 @ 2.66GHz
Percentage of Memory in Use: 28%
Physical Memory (total/avail): 2046.42 MiB / 1466.37 MiB
Pagefile Memory (total/avail): 3938.7 MiB / 3341.53 MiB
Virtual Memory (total/avail): 2047.88 MiB / 1941.87 MiB

A: is Removable (No Media)
C: is Fixed (NTFS) - 39.06 GiB total, 29.23 GiB free.
D: is Fixed (NTFS) - 372.61 GiB total, 254.89 GiB free.
E: is Fixed (NTFS) - 259.02 GiB total, 238.8 GiB free.
F: is Fixed (NTFS) - 186.31 GiB total, 60.42 GiB free.
G: is CDROM (No Media)
H: is CDROM (No Media)
I: is CDROM (No Media)
J: is CDROM (No Media)

\\.\PHYSICALDRIVE0 - SAMSUNG HD403LJ - 372.61 GiB - 1 partition
\PARTITION0 - Installable File System - 372.61 GiB - D:

\\.\PHYSICALDRIVE1 - ST3320620AS - 298.09 GiB - 2 partitions
\PARTITION0 (bootable) - Installable File System - 39.06 GiB - C:
\PARTITION1 - Extended w/Extended Int 13 - 259.02 GiB - E:

\\.\PHYSICALDRIVE2 - ST320082 0A SCSI Disk Device - 186.31 GiB - 1 partition
\PARTITION0 - Installable File System - 186.31 GiB - F:



-- Security Center -------------------------------------------------------------

AUOptions is scheduled to auto-install.
Windows Internal Firewall is disabled.

FirstRunDisabled is set.

FW: PC Tools Firewall Plus v2.0.0 (PC Tools)
AV: ThreatFire v3.0.14.16 (PC Tools)
AV: Spyware Doctor with AntiVirus v (PC Tools)

[HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"%windir%\\Network Diagnostic\\xpnetdiag.exe"="%windir%\\Network Diagnostic\\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"

[HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"C:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"="C:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE:*:Enabled:Microsoft Office Outlook"
"%windir%\\Network Diagnostic\\xpnetdiag.exe"="%windir%\\Network Diagnostic\\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"


-- Environment Variables -------------------------------------------------------

ALLUSERSPROFILE=C:\Documents and Settings\All Users
APPDATA=C:\Documents and Settings\User\Application Data
CLIENTNAME=Console
CommonProgramFiles=C:\Program Files\Common Files
COMPUTERNAME=STEPHEN-B8B6889
ComSpec=C:\WINDOWS\system32\cmd.exe
FP_NO_HOST_CHECK=NO
HOMEDRIVE=C:
HOMEPATH=\Documents and Settings\User
LOGONSERVER=\\STEPHEN-B8B6889
NUMBER_OF_PROCESSORS=2
OS=Windows_NT
Path=C:\WINDOWS\system32;C:\WINDOWS;C:\WINDOWS\System32\Wbem;C:\Program Files\Microsoft SQL Server\90\Tools\binn\
PATHEXT=.COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH
PROCESSOR_ARCHITECTURE=x86
PROCESSOR_IDENTIFIER=x86 Family 6 Model 15 Stepping 11, GenuineIntel
PROCESSOR_LEVEL=6
PROCESSOR_REVISION=0f0b
ProgramFiles=C:\Program Files
PROMPT=$P$G
SESSIONNAME=Console
SystemDrive=C:
SystemRoot=C:\WINDOWS
TEMP=C:\DOCUME~1\User\LOCALS~1\Temp
TMP=C:\DOCUME~1\User\LOCALS~1\Temp
USERDOMAIN=STEPHEN-B8B6889
USERNAME=User
USERPROFILE=C:\Documents and Settings\User
windir=C:\WINDOWS


-- User Profiles ---------------------------------------------------------------

User (admin)
Administrator (new local, admin)


-- Add/Remove Programs ---------------------------------------------------------

--> C:\Program Files\Common Files\Real\Update_OB\r1puninst.exe RealNetworks|RealPlayer|6.0
--> C:\Program Files\Nero\Nero 7\\nero\uninstall\UNNERO.exe /UNINSTALL
--> C:\WINDOWS\UNNeroBackItUp.exe /UNINSTALL
--> C:\WINDOWS\UNNeroMediaHome.exe /UNINSTALL
--> C:\WINDOWS\UNNeroShowTime.exe /UNINSTALL
--> C:\WINDOWS\UNNeroVision.exe /UNINSTALL
--> C:\WINDOWS\UNRecode.exe /UNINSTALL
--> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{0A053D60-9267-11D5-8A2B-0050DA8B7D89}\setup.exe"
--> rundll32.exe setupapi.dll,InstallHinfSection DefaultUninstall 132 C:\WINDOWS\INF\PCHealth.inf
2007 Microsoft Office Suite Service Pack 1 (SP1) --> msiexec /package {90120000-0015-0409-0000-0000000FF1CE} /uninstall {4CA4ECC1-DBD4-4591-8F4C-AA12AD2D3E59}
2007 Microsoft Office Suite Service Pack 1 (SP1) --> msiexec /package {90120000-0016-0409-0000-0000000FF1CE} /uninstall {4CA4ECC1-DBD4-4591-8F4C-AA12AD2D3E59}
2007 Microsoft Office Suite Service Pack 1 (SP1) --> msiexec /package {90120000-0018-0409-0000-0000000FF1CE} /uninstall {4CA4ECC1-DBD4-4591-8F4C-AA12AD2D3E59}
2007 Microsoft Office Suite Service Pack 1 (SP1) --> msiexec /package {90120000-0019-0409-0000-0000000FF1CE} /uninstall {4CA4ECC1-DBD4-4591-8F4C-AA12AD2D3E59}
2007 Microsoft Office Suite Service Pack 1 (SP1) --> msiexec /package {90120000-001A-0409-0000-0000000FF1CE} /uninstall {4CA4ECC1-DBD4-4591-8F4C-AA12AD2D3E59}
2007 Microsoft Office Suite Service Pack 1 (SP1) --> msiexec /package {90120000-001B-0409-0000-0000000FF1CE} /uninstall {4CA4ECC1-DBD4-4591-8F4C-AA12AD2D3E59}
2007 Microsoft Office Suite Service Pack 1 (SP1) --> msiexec /package {90120000-001F-0409-0000-0000000FF1CE} /uninstall {3EC77D26-799B-4CD8-914F-C1565E796173}
2007 Microsoft Office Suite Service Pack 1 (SP1) --> msiexec /package {90120000-001F-040C-0000-0000000FF1CE} /uninstall {430971B1-C31E-45DA-81E0-72C095BAB72C}
2007 Microsoft Office Suite Service Pack 1 (SP1) --> msiexec /package {90120000-001F-0C0A-0000-0000000FF1CE} /uninstall {F7A31780-33C4-4E39-951A-5EC9B91D7BF1}
2007 Microsoft Office Suite Service Pack 1 (SP1) --> msiexec /package {90120000-006E-0409-0000-0000000FF1CE} /uninstall {FAD8A83E-9BAC-4179-9268-A35948034D85}
2007 Microsoft Office Suite Service Pack 1 (SP1) --> msiexec /package {90120000-0115-0409-0000-0000000FF1CE} /uninstall {FAD8A83E-9BAC-4179-9268-A35948034D85}
2007 Microsoft Office Suite Service Pack 1 (SP1) --> msiexec /package {90120000-0117-0409-0000-0000000FF1CE} /uninstall {4CA4ECC1-DBD4-4591-8F4C-AA12AD2D3E59}
2007 Microsoft Office Suite Service Pack 1 (SP1) --> msiexec /package {91120000-0014-0000-0000-0000000FF1CE} /uninstall {BEE75E01-DD3F-4D5F-B96C-609E6538D419}
Ad-Aware 2007 --> MsiExec.exe /I{DED53B0B-B67C-4244-AE6A-D6FD3C28D1EF}
Adobe Flash Player Plugin --> C:\WINDOWS\system32\Macromed\Flash\uninstall_plugin.exe
Adobe Reader 8.1.1 --> MsiExec.exe /I{AC76BA86-7AD7-1033-7B44-A81000000003}
Adobe Shockwave Player --> C:\WINDOWS\system32\Macromed\SHOCKW~1\UNWISE.EXE C:\WINDOWS\system32\Macromed\SHOCKW~1\Install.log
Baldur's Gate™ II - Shadows of Amn™ Bonus CD --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{014585C8-7557-11D4-9ABA-006067325E47}\setup.exe"
Baldur's Gate™ II - Throne of Bhaal ™ --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{B8C3B479-1716-11D5-968A-0050BA84F5F7}\Setup.exe"
BitLord 1.1 --> D:\Program Files\BitLord\uninst.exe
Business Contact Manager for Outlook 2007 SP1 --> "C:\Program Files\Microsoft Small Business\Business Contact Manager\SetupBootstrap\Setup.exe" /remove {B32C4059-6E7A-41EF-AD20-56DF1872B923}
Business Contact Manager for Outlook 2007 SP1 --> MsiExec.exe /X{B32C4059-6E7A-41EF-AD20-56DF1872B923}
Combined Community Codec Pack 2007-07-22 --> "C:\Program Files\Combined Community Codec Pack\unins000.exe"
Desktop XP Screensaver Manager 1.2 Powered by AdVantage --> "C:\Program Files\Desktop XP\Screensaver Manager\unins000.exe"
Diablo II --> C:\WINDOWS\DIIUnin.exe C:\WINDOWS\DIIUnin.dat
Dragonshard --> MsiExec.exe /I{29A3B8CB-593A-4EA9-8BAB-9AEBF1C3EDFA}
Dungeon Keeper 2 --> C:\WINDOWS\IsUninst.exe -f"e:\games\dungeon keeper 2\Uninst.isu" -c"e:\games\dungeon keeper 2\uninst.dll"
FLV SPLITTER --> "C:\Program Files\GNU\FLVSPLITTER\Uninstall.exe"
Free Naruto Screensaver --> "C:\Program Files\Free Naruto Screensaver\unins000.exe"
Heroes of Might & Magic V: Hammers of Fate --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{66FF4C48-0083-4E60-8556-B883AB200091}\setup.exe" -l0x9
Heroes of Might and Magic V --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{20071984-5EB1-4881-8EDB-082532ACEC6D}\setup.exe" -l0x9
Heroes of Might and Magic V - Tribes of the East --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{66FF4C48-0083-4E60-8556-B883AB200092}\setup.exe" -l0x9
High Definition Audio Driver Package - KB888111 --> "C:\WINDOWS\$NtUninstallKB888111WXPSP2$\spuninst\spuninst.exe"
HijackThis 2.0.2 --> "C:\Program Files\Trend Micro\HijackThis\HijackThis.exe" /uninstall
Hotfix for Windows Media Format 11 SDK (KB929399) --> "C:\WINDOWS\$NtUninstallKB929399$\spuninst\spuninst.exe"
Icewind Dale II --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{588C135F-0B15-4A02-8F2D-04697BE2904E}\setup.exe" -l0x9
IrfanView (remove only) --> C:\Program Files\IrfanView\iv_uninstall.exe
Java DB 10.3.1.4 --> MsiExec.exe /X{CD49361E-3FE6-457E-90A1-9C59E29B5D02}
Java™ 6 Update 5 --> MsiExec.exe /I{3248F0A8-6813-11D6-A77B-00B0D0160050}
Java™ SE Development Kit 6 Update 5 --> MsiExec.exe /I{32A3A4F4-B792-11D6-A78A-00B0D0160050}
Microsoft Compression Client Pack 1.0 for Windows XP --> "C:\WINDOWS\$NtUninstallMSCompPackV1$\spuninst\spuninst.exe"
Microsoft Office 2003 Web Components --> MsiExec.exe /I{90A40409-6000-11D3-8CFE-0150048383C9}
Microsoft Office 2007 Primary Interop Assemblies --> MsiExec.exe /X{50120000-1105-0000-0000-0000000FF1CE}
Microsoft Office Access MUI (English) 2007 --> MsiExec.exe /X{90120000-0015-0409-0000-0000000FF1CE}
Microsoft Office Access Setup Metadata MUI (English) 2007 --> MsiExec.exe /X{90120000-0117-0409-0000-0000000FF1CE}
Microsoft Office Excel MUI (English) 2007 --> MsiExec.exe /X{90120000-0016-0409-0000-0000000FF1CE}
Microsoft Office Outlook MUI (English) 2007 --> MsiExec.exe /X{90120000-001A-0409-0000-0000000FF1CE}
Microsoft Office PowerPoint MUI (English) 2007 --> MsiExec.exe /X{90120000-0018-0409-0000-0000000FF1CE}
Microsoft Office Professional 2007 --> "C:\Program Files\Common Files\Microsoft Shared\OFFICE12\Office Setup Controller\setup.exe" /uninstall PROR /dll OSETUP.DLL
Microsoft Office Professional 2007 --> MsiExec.exe /X{91120000-0014-0000-0000-0000000FF1CE}
Microsoft Office Proof (English) 2007 --> MsiExec.exe /X{90120000-001F-0409-0000-0000000FF1CE}
Microsoft Office Proof (French) 2007 --> MsiExec.exe /X{90120000-001F-040C-0000-0000000FF1CE}
Microsoft Office Proof (Spanish) 2007 --> MsiExec.exe /X{90120000-001F-0C0A-0000-0000000FF1CE}
Microsoft Office Proofing (English) 2007 --> MsiExec.exe /X{90120000-002C-0409-0000-0000000FF1CE}
Microsoft Office Publisher MUI (English) 2007 --> MsiExec.exe /X{90120000-0019-0409-0000-0000000FF1CE}
Microsoft Office Shared MUI (English) 2007 --> MsiExec.exe /X{90120000-006E-0409-0000-0000000FF1CE}
Microsoft Office Shared Setup Metadata MUI (English) 2007 --> MsiExec.exe /X{90120000-0115-0409-0000-0000000FF1CE}
Microsoft Office Small Business Connectivity Components --> MsiExec.exe /X{A939D341-5A04-4E0A-BB55-3E65B386432D}
Microsoft Office Word MUI (English) 2007 --> MsiExec.exe /X{90120000-001B-0409-0000-0000000FF1CE}
Microsoft Silverlight --> MsiExec.exe /I{89F4137D-6C26-4A84-BDB8-2E5A4BB71E00}
Microsoft SQL Server 2005 --> "C:\Program Files\Microsoft SQL Server\90\Setup Bootstrap\ARPWrapper.exe" /Remove
Microsoft SQL Server 2005 Express Edition (MSSMLBIZ) --> MsiExec.exe /I{2AFFFDD7-ED85-4A90-8C52-5DA9EBDC9B8F}
Microsoft SQL Server Native Client --> MsiExec.exe /I{F9B3DD02-B0B3-42E9-8650-030DFF0D133D}
Microsoft SQL Server Setup Support Files (English) --> MsiExec.exe /X{53F5C3EE-05ED-4830-994B-50B2F0D50FCE}
Microsoft SQL Server VSS Writer --> MsiExec.exe /I{E9F44C98-B8B6-480F-AF7B-E42A0A46F4E3}
Microsoft User-Mode Driver Framework Feature Pack 1.0 --> "C:\WINDOWS\$NtUninstallWudf01000$\spuninst\spuninst.exe"
Might and Magic® VI --> C:\WINDOWS\IsUninst.exe -f"E:\Games\Might and Magic VI\Uninst.isu"
Mozilla Firefox (2.0.0.13) --> C:\Program Files\Mozilla Firefox\uninstall\helper.exe
Mozilla Thunderbird (2.0.0.12) --> C:\Program Files\Mozilla Thunderbird\uninstall\helper.exe
MSXML 6.0 Parser (KB933579) --> MsiExec.exe /I{0A869A65-8C94-4F7C-A5C7-972D3C8CED9E}
MYOB FirstAccounts v3.1 --> C:\WINDOWS\IsUninst.exe -fC:\FirstAc3\Uninst.isu
Nero 7 Premium --> MsiExec.exe /X{CF097717-F174-4144-954A-FBC4BF301033}
neroxml --> MsiExec.exe /I{56C049BE-79E9-4502-BEA7-9754A3E60F9B}
NVIDIA Drivers --> C:\WINDOWS\system32\nvudisp.exe UninstallGUI
Oblivion --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\11\00\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{35CB6715-41F8-4F99-8881-6FC75BF054B0}\setup.exe" -l0x9 -removeonly
Oblivion - Horse Armor Pack --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\11\00\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{3ABEBD00-299D-4DCA-967F-B912163AB5EA}\setup.exe" -l0x9 -removeonly
Oblivion - Knights of the Nine --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\11\00\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{14C87AA7-08E6-419F-A165-998EBE5023D7}\setup.exe" -l0x9 -removeonly
Oblivion - Mehrunes Razor --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\11\00\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{EF295F5C-7B57-47AA-8889-6B3E8E214E89}\setup.exe" -l0x9 -removeonly
Oblivion - Orrery --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\11\00\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{EC425CFC-EE78-4A91-AA25-3BFA65B75364}\setup.exe" -l0x9 -removeonly
Oblivion - Spell Tomes --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\11\00\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{16D919E6-F019-4E15-BFBE-4A85EF19DA57}\setup.exe" -l0x9 -removeonly
Oblivion - Thieves Den --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\11\00\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{FFFFFD17-B460-41EB-93F1-C48ABAD63828}\setup.exe" -l0x9 -removeonly
Oblivion - Vile Lair --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\11\00\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{520F4B09-3A51-47A2-82B0-9FF1DC2D20FA}\setup.exe" -l0x9 -removeonly
Oblivion - Wizard's Tower --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\11\00\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{2F2E3D62-8B8C-448F-8900-451325E50948}\setup.exe" -l0x9 -removeonly
PC Tools Firewall Plus 3.0 --> "C:\Program Files\PC Tools Firewall Plus\unins000.exe"
Planescape - Torment --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{0A053D60-9267-11D5-8A2B-0050DA8B7D89}\setup.exe"
Privacy Guardian 4.1 --> "C:\Program Files\Privacy Guardian\unins000.exe"
RealPlayer --> C:\Program Files\Common Files\Real\Update_OB\r1puninst.exe RealNetworks|RealPlayer|6.0
REALTEK GbE & FE Ethernet PCI-E NIC Driver --> C:\Program Files\InstallShield Installation Information\{C9BED750-1211-4480-B1A5-718A3BE15525}\setup.exe -runfromtemp -l0x0009 -removeonly
Realtek High Definition Audio Driver --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\11\50\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{F132AF7F-7BCA-4EDE-8A7C-958108FE7DBC}\setup.exe" -l0x9 -removeonly
Registry Mechanic 7.0 --> "C:\Program Files\Registry Mechanic\unins000.exe"
Security Update for Excel 2007 (KB946974) --> msiexec /package {91120000-0014-0000-0000-0000000FF1CE} /uninstall {85E83E2E-AF9B-439B-B4F9-EB9B7EF6A00E}
Security Update for Office 2007 (KB947801) --> msiexec /package {91120000-0014-0000-0000-0000000FF1CE} /uninstall {02B5A17B-01BE-4BA6-95F1-1CBB46EBC76E}
Security Update for Outlook 2007 (KB946983) --> msiexec /package {91120000-0014-0000-0000-0000000FF1CE} /uninstall {66B9496E-C0C3-4065-9868-85CCA92126C3}
Spyware Doctor 5.5 --> C:\Program Files\Spyware Doctor\unins000.exe /LOG
ThreatFire 3.0 --> "C:\Program Files\ThreatFire\unins000.exe"
Update for Outlook 2007 Junk Email Filter (kb947945) --> msiexec /package {91120000-0014-0000-0000-0000000FF1CE} /uninstall {E397056B-7AE5-4FF1-8B13-276BF8201847}
VideoLAN VLC media player 0.8.6b --> C:\Program Files\VideoLAN\VLC\uninstall.exe
Windows Defender --> MsiExec.exe /I{A06275F4-324B-4E85-95E6-87B2CD729401}
Windows Media Format 11 runtime --> "C:\WINDOWS\$NtUninstallWMFDist11$\spuninst\spuninst.exe"
Windows Media Format SDK Hotfix - KB891122 --> "C:\WINDOWS\$NtUninstallKB891122$\spuninst\spuninst.exe"
WinRAR archiver --> C:\Program Files\WinRAR\uninstall.exe
XviD MPEG-4 Video Codec --> "C:\Program Files\XviD\unins000.exe"


-- Application Event Log -------------------------------------------------------

Event Record #/Type15944 / Warning
Event Submitted/Written: 03/29/2008 10:41:43 PM
Event ID/Source: 3 / SQLBrowser
Event Description:
The configuration of the AdminConnection\TCP protocol in the SQL instance MSSMLBIZ is not valid.

Event Record #/Type15939 / Warning
Event Submitted/Written: 03/29/2008 10:16:54 PM
Event ID/Source: 3 / SQLBrowser
Event Description:
The configuration of the AdminConnection\TCP protocol in the SQL instance MSSMLBIZ is not valid.

Event Record #/Type15938 / Error
Event Submitted/Written: 03/29/2008 10:14:53 PM
Event ID/Source: 1002 / Application Hang
Event Description:
Hanging application nvcplui.exe, version 1.4.900.10, hang module hungapp, version 0.0.0.0, hang address 0x00000000.

Event Record #/Type15929 / Warning
Event Submitted/Written: 03/29/2008 09:50:57 PM
Event ID/Source: 3 / SQLBrowser
Event Description:
The configuration of the AdminConnection\TCP protocol in the SQL instance MSSMLBIZ is not valid.

Event Record #/Type15923 / Warning
Event Submitted/Written: 03/29/2008 06:45:55 PM
Event ID/Source: 3 / SQLBrowser
Event Description:
The configuration of the AdminConnection\TCP protocol in the SQL instance MSSMLBIZ is not valid.



-- Security Event Log ----------------------------------------------------------

No Errors/Warnings found.


-- System Event Log ------------------------------------------------------------

Event Record #/Type16072 / Warning
Event Submitted/Written: 03/29/2008 10:47:18 PM
Event ID/Source: 3004 / WinDefend
Event Description:
%STEPHEN-B8B688927 Real-Time Protection agent has detected changes. Microsoft recommends you analyze the software that made these changes for potential risks. You can use information about how these programs operate to choose whether to allow them to run or remove them from your computer. Allow changes only if you trust the program or the software publisher. %STEPHEN-B8B688927 can't undo changes that you allow.

For more information please see the following:
%STEPHEN-B8B6889275

Scan ID: {B908CB44-22A7-423E-90AE-A109270C41DC}

User: STEPHEN-B8B6889\User

Name: %STEPHEN-B8B6889271

ID: %STEPHEN-B8B6889272

Severity: 1.1.1593.05

Category: 1.1.1593.06

Path Found: %STEPHEN-B8B6889276

Alert Type: %STEPHEN-B8B6889278

Detection Type: 1.1.1593.02

Event Record #/Type16071 / Warning
Event Submitted/Written: 03/29/2008 10:47:18 PM
Event ID/Source: 3004 / WinDefend
Event Description:
%STEPHEN-B8B688927 Real-Time Protection agent has detected changes. Microsoft recommends you analyze the software that made these changes for potential risks. You can use information about how these programs operate to choose whether to allow them to run or remove them from your computer. Allow changes only if you trust the program or the software publisher. %STEPHEN-B8B688927 can't undo changes that you allow.

For more information please see the following:
%STEPHEN-B8B6889275

Scan ID: {742EFA50-464A-4A3B-A89F-C135ACF79C7F}

User: STEPHEN-B8B6889\User

Name: %STEPHEN-B8B6889271

ID: %STEPHEN-B8B6889272

Severity: 1.1.1593.05

Category: 1.1.1593.06

Path Found: %STEPHEN-B8B6889276

Alert Type: %STEPHEN-B8B6889278

Detection Type: 1.1.1593.02

Event Record #/Type16070 / Warning
Event Submitted/Written: 03/29/2008 10:47:18 PM
Event ID/Source: 3004 / WinDefend
Event Description:
%STEPHEN-B8B688927 Real-Time Protection agent has detected changes. Microsoft recommends you analyze the software that made these changes for potential risks. You can use information about how these programs operate to choose whether to allow them to run or remove them from your computer. Allow changes only if you trust the program or the software publisher. %STEPHEN-B8B688927 can't undo changes that you allow.

For more information please see the following:
%STEPHEN-B8B6889275

Scan ID: {6EEBB736-F822-4DDE-B34B-F8D861687E02}

User: STEPHEN-B8B6889\User

Name: %STEPHEN-B8B6889271

ID: %STEPHEN-B8B6889272

Severity: 1.1.1593.05

Category: 1.1.1593.06

Path Found: %STEPHEN-B8B6889276

Alert Type: %STEPHEN-B8B6889278

Detection Type: 1.1.1593.02

Event Record #/Type16069 / Warning
Event Submitted/Written: 03/29/2008 10:47:16 PM
Event ID/Source: 3004 / WinDefend
Event Description:
%STEPHEN-B8B688927 Real-Time Protection agent has detected changes. Microsoft recommends you analyze the software that made these changes for potential risks. You can use information about how these programs operate to choose whether to allow them to run or remove them from your computer. Allow changes only if you trust the program or the software publisher. %STEPHEN-B8B688927 can't undo changes that you allow.

For more information please see the following:
%STEPHEN-B8B6889275

Scan ID: {3D40E045-D42D-4E10-9195-D98C66297C30}

User: STEPHEN-B8B6889\User

Name: %STEPHEN-B8B6889271

ID: %STEPHEN-B8B6889272

Severity: 1.1.1593.05

Category: 1.1.1593.06

Path Found: %STEPHEN-B8B6889276

Alert Type: %STEPHEN-B8B6889278

Detection Type: 1.1.1593.02

Event Record #/Type16068 / Warning
Event Submitted/Written: 03/29/2008 10:47:16 PM
Event ID/Source: 3004 / WinDefend
Event Description:
%STEPHEN-B8B688927 Real-Time Protection agent has detected changes. Microsoft recommends you analyze the software that made these changes for potential risks. You can use information about how these programs operate to choose whether to allow them to run or remove them from your computer. Allow changes only if you trust the program or the software publisher. %STEPHEN-B8B688927 can't undo changes that you allow.

For more information please see the following:
%STEPHEN-B8B6889275

Scan ID: {5EDDBDCD-E991-4C45-B1A2-813CA6A5705C}

User: STEPHEN-B8B6889\User

Name: %STEPHEN-B8B6889271

ID: %STEPHEN-B8B6889272

Severity: 1.1.1593.05

Category: 1.1.1593.06

Path Found: %STEPHEN-B8B6889276

Alert Type: %STEPHEN-B8B6889278

Detection Type: 1.1.1593.02



-- End of Deckard's System Scanner: finished at 2008-03-29 22:47:41 ------------

I hve the SDfix logfile,main.txt and extra.txt you asked for.

#6 chocabout

chocabout
  • Topic Starter

  • Members
  • 12 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Australia
  • Local time:01:59 PM

Posted 29 March 2008 - 07:07 AM

Hi again

I just ran a spyware doctor scan and found Application.NirCmd infection twenty three times,I placed it in quarantine.Is that anything to worry about?,or is it just the SDFix running its scan?.

Thanks again

#7 Rawe

Rawe

  • Members
  • 2,363 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Finland
  • Local time:09:59 PM

Posted 29 March 2008 - 09:08 AM

Please go to Start » Run » type in: regedit » OK.
  • On the leftside, click to highlight My Computer at the top.
  • Go up to File » Export
    Make sure in that window there is a tick next to "All" under Export Branch.
    Leave the "Save As Type" as "Registration Files".
    Under "Filename" put RegBackup.
  • Choose to save it to C:\
  • Click Save and then go to File » Exit.
This is so the registry can be restored to this point if we need it. It may take a minute.

Next, please copy the following text in the quotebox below to a blank notepad file. Make sure the filetype is set to "All Files" and save it as Fixit.reg on your desktop.

REGEDIT4

[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{59d4b414-88df-11dc-9632-a60acd385c16}]
[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{be6eadb8-890a-11dc-9424-001a4d5354ec}]

Now double-click on the Fixit.reg on your desktop and allow it to merge with registry by clicking YES on the prompt.

Navigate to, and look inside the following folder:

C:\Documents and Settings\All Users\Application Data\mzabyfcr

Is there anything inside? Let me know...
Hi there, stranger!

#8 chocabout

chocabout
  • Topic Starter

  • Members
  • 12 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Australia
  • Local time:01:59 PM

Posted 29 March 2008 - 03:38 PM

Hi again

I did exactly what you told me to do,the mzabyfcr folder had nothing in it when I checked it.

Thanks

#9 Rawe

Rawe

  • Members
  • 2,363 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Finland
  • Local time:09:59 PM

Posted 29 March 2008 - 04:32 PM

Alrighty, go ahead and delete that folder also. :thumbsup:

How does the system appear to be running at this point?
Hi there, stranger!

#10 chocabout

chocabout
  • Topic Starter

  • Members
  • 12 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Australia
  • Local time:01:59 PM

Posted 29 March 2008 - 05:08 PM

Hi Rawe

There is one thing I am worried about there is a file on my C drive that is called MSOCache,it was on my F drive also it is 408mb in size.It just showed up on my F drive,so i deleted it,but I left the same file on my C drive.Is there anything to worry about with this MSOCache folder?.Everything else is working fine,even my registry mechanic is not finding any problems.

Thanks

#11 Rawe

Rawe

  • Members
  • 2,363 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Finland
  • Local time:09:59 PM

Posted 29 March 2008 - 05:45 PM

Folder or file?

Folder:

http://www.theeldergeek.com/msocache_folder.htm
http://support.microsoft.com/kb/896866/

Nothing to worry about. :thumbsup:

Please download OTCleanIt and save it to desktop.
  • Double-click OTCleanIt.exe.
  • Click the CleanUp! button.
  • Select Yes when the "Begin cleanup Process?" prompt appears.
  • If you are prompted to reboot during the cleanup, select YES.
  • The tool will delete itself once it finishes, if not delete it by yourself.
Note: If you receive a warning from your firewall or other security programs regarding OTCleanIt attempting to contact the internet, please allow it to do so.

Stand Up and Be Counted ---> Malware Complaints <--- where you can make difference!

The site offers people who have been (or are) victims of malware the opportunity to document their story and, in that way, launch a complaint against the malware and the makers of the malware.

Here's some tips for future to prevent spyware:

Detect and Remove Programs:Prevention Programs:
  • Comodo BOClean <= Stop identity thieves from getting personal information. Instantly detects well over 1,000,000 unique, variant and repack malware in total. And it's free.
  • SpywareBlaster <= SpywareBlaster will prevent spyware from being installed. Detailed installation guide provided.
  • MVPS Hosts file <= The MVPS Hosts file replaces your current HOSTS file with one containing well known adsites etc. Basically, this prevents your computer from connecting to those sites by redirecting them to 127.0.0.1 which is your local computer.
Other necessary Programs:
  • Antivirus Program <= An antivirus program is a must! Whether it is a free version like Avast! or Anti-Vir, or a shareware version like NOD32 this is a must have. (Note to only use 1 at-the-time)
  • Firewall <= A firewall is definitely a must have. Two good free versions are Comodo and Online Armor. (Note to only use 1 at-the-time)
  • More Secure Browser <= Internet Explorer is not the most secure and best browser. There are safer and better alternatives available. I recommend Firefox.
And also see TonyKlein's good advice:
So how did I get infected in the first place?

Setup guide for Comodo Firewall
Setup guide for Avast! 4 Free
Setup guide for AVG Free Antivirus
Hi there, stranger!

#12 chocabout

chocabout
  • Topic Starter

  • Members
  • 12 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Australia
  • Local time:01:59 PM

Posted 30 March 2008 - 04:29 AM

Hi Rawe

I did a CHDSK and Defag on all my hardrives,then did a full system scan with Spyware Doctor finding two infections called "Application.NirCmd",which I removed.But the real problem is when I always scan my registry with Registry Mechanic this high priority alert always appears "HKEY_CURRENT_USER\Gabest|VSFilter\DefTextPatches".I did have a trojan media player called "GOM Player" which I removed,do you think that this HKEY alert has anything to do with one of my media players?.By the MSOCache was a folder on my C drive not a file,my mistake,should I just leave be or delete it?.

PS : Just to let you know how I ended up with this Adware.Agent.BN mess in the first place,there was a site which had a streaming video I wanted to see and under it was the evil codecs which they said I needed to view it.Then stupid me downloaded them,then installed the Adware.Agent.BN on my computer.

#13 Rawe

Rawe

  • Members
  • 2,363 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Finland
  • Local time:09:59 PM

Posted 30 March 2008 - 08:33 AM

I did a CHDSK and Defag on all my hardrives,then did a full system scan with Spyware Doctor finding two infections called "Application.NirCmd",which I removed.But the real problem is when I always scan my registry with Registry Mechanic this high priority alert always appears "HKEY_CURRENT_USER\Gabest|VSFilter\DefTextPatches".I did have a trojan media player called "GOM Player" which I removed,do you think that this HKEY alert has anything to do with one of my media players?.By the MSOCache was a folder on my C drive not a file,my mistake,should I just leave be or delete it?.

NirCmd is clean. MSOClean folder is clean -- see here http://www.theeldergeek.com/msocache_folder.htm

Do you have this tool installed? http://en.wikipedia.org/wiki/VSFilter

GOM Player is also NOT a trojan. It's a popular media player: http://www.download.com/GOM-Media-Player/3...4-10551786.html

Spyware Doctor is known for it's insane amount of false positives. Was it the one that found GOM Player as a trojan?
Hi there, stranger!

#14 chocabout

chocabout
  • Topic Starter

  • Members
  • 12 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Australia
  • Local time:01:59 PM

Posted 30 March 2008 - 05:27 PM

Hi Rawe

The product that said Gom player was bad was called ThreatFire by Pc Tools,have you heard of it?.I am only using the freeware version,but when I go into Control Panel/Security Center it says that I have two antivirus programs running.Do you think Spyware Doctor and Threatfire are clashing?.

My main hardisk is three hundred gig I had a partition done on it, forty gig of it is my C:hardisk for windows and main programs.The other two hundred and sixty gig is my E:Hardisk for games,is it safe to store programs on my E:Hardisk that I do not have a backup of?.I mean If the C:Hardisk is infected with a trojan that damages it,because it is the one hardisk wont the E:Harddisk also be damaged?.

Thanks

#15 Rawe

Rawe

  • Members
  • 2,363 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Finland
  • Local time:09:59 PM

Posted 31 March 2008 - 06:32 AM

FW: PC Tools Firewall Plus v2.0.0 (PC Tools)
AV: ThreatFire v3.0.14.16 (PC Tools)
AV: Spyware Doctor with AntiVirus v (PC Tools)

Hmm. What's the antivirus on your Spyware Doctor? Did SpywareDoctor install ThreatFire?

Make sure Spyware Doctor isn't running any other AV apart from ThreatFire.

As for the hard disk question.. Should be fine. As long as you make sure you have proper protection in place. :thumbsup:
Hi there, stranger!




0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users