Jump to content


 


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.


Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.

Photo

Plz Help Infected With Keylogger Help Plz


  • This topic is locked This topic is locked
15 replies to this topic

#1 sky770

sky770

  • Members
  • 10 posts
  • OFFLINE
  •  
  • Local time:07:49 AM

Posted 03 May 2008 - 03:42 PM

my anti-virus program has detected a key logger but it wont let me remove it i terminated the process but every time i log on its back. i use Kaspersky. here are my HJT log files plz help me

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 6:38:22 PM, on 4/30/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16640)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 7.0\avp.exe
C:\WINDOWS\system32\cisvc.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\system32\HPZipm12.exe
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Viewpoint\Common\ViewpointService.exe
c:\WINDOWS\system32\ZuneBusEnum.exe
C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
C:\WINDOWS\system32\cidaemon.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Analog Devices\SoundMAX\SMax4PNP.exe
C:\Program Files\Analog Devices\SoundMAX\Smax4.exe
C:\WINDOWS\System32\igfxtray.exe
C:\WINDOWS\System32\hkcmd.exe
C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe
C:\Program Files\Zune\ZuneLauncher.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 7.0\avp.exe
C:\windows\system32\schedullingagent.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Common Files\InstallShield\UpdateService\isuspm.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\HP\Digital Imaging\bin\hpqimzone.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\iTunes\iTunes.exe
C:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\hjt\HiJackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.com/customize/ie/defaul...rch/search.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R3 - URLSearchHook: (no name) - {EA756889-2338-43DB-8F07-D1CA6FB9C90D} - (no file)
O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - (no file)
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O2 - BHO: IEHlprObj Class - {8CA5ED52-F3FB-4414-A105-2E3491156990} - C:\PROGRA~1\IWINGA~1\IWINGA~1.DLL (file missing)
O4 - HKLM\..\Run: [IMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE /SYNC
O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE /IMEName
O4 - HKLM\..\Run: [SoundMAXPnP] C:\Program Files\Analog Devices\SoundMAX\SMax4PNP.exe
O4 - HKLM\..\Run: [SoundMAX] "C:\Program Files\Analog Devices\SoundMAX\Smax4.exe" /tray
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"
O4 - HKLM\..\Run: [ISUSPM Startup] C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\isuspm.exe -startup
O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKLM\..\Run: [Adobe Photo Downloader] "C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe"
O4 - HKLM\..\Run: [Zune Launcher] "c:\Program Files\Zune\ZuneLauncher.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [AVP] "C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 7.0\avp.exe"
O4 - HKLM\..\Run: [SchedullingAgent] c:\windows\system32\schedullingagent.exe
O4 - HKLM\..\RunServices: [SchedullingAgent] c:\windows\system32\schedullingagent.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [ISUSPM] "C:\Program Files\Common Files\InstallShield\UpdateService\isuspm.exe" -scheduler
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: HP Photosmart Premier Fast Start.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqthb08.exe
O8 - Extra context menu item: &AOL Toolbar Search - c:\program files\aol\aol toolbar 2.0\resources\en-US\local\search.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: Web Anti-Virus statistics - {1F460357-8A94-4D71-9CA3-AA4ACF32ED8E} - C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 7.0\SCIEPlgn.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (Installation Support) - C:\Program Files\Yahoo!\Common\Yinsthelper.dll
O16 - DPF: {48DD0448-9209-4F81-9F6D-D83562940134} (MySpace Uploader Control) - http://lads.myspace.com/upload/MySpaceUploader1006.cab
O16 - DPF: {69EF49E5-FE46-4B92-B5FA-2193AB7A6B8A} (GameLauncher Control) - http://www.acclaim.com/cabs/acclaim_v8.cab
O16 - DPF: {BD08A9D5-0E5C-4F42-99A3-C0CB5E860557} (CSolidBrowserObj Object) - http://cdn1.acclaimdownloads.com/solidstateion.cab
O16 - DPF: {D821DC4A-0814-435E-9820-661C543A4679} (CRLDownloadWrapper Class) - http://drmlicense.one.microsoft.com/crlupdate/en/crlocx.ocx
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: NameServer = 85.255.116.25 85.255.112.94
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: NameServer = 85.255.114.52 85.255.112.129
O17 - HKLM\System\CS3\Services\Tcpip\Parameters: NameServer = 85.255.114.52 85.255.112.129
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: NameServer = 85.255.114.52 85.255.112.129
O21 - SSODL: amaranthaceous - {4fc003c3-87a0-489c-85cd-878246eb2d18} - (no file)
O22 - SharedTaskScheduler: amaranthaceous - {4fc003c3-87a0-489c-85cd-878246eb2d18} - (no file)
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: Kaspersky Anti-Virus 7.0 (AVP) - Kaspersky Lab - C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 7.0\avp.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - CACE Technologies - C:\Program Files\WinPcap\rpcapd.exe
O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exe

--
End of file - 9257 bytes

BC AdBot (Login to Remove)

 


m

#2 sky770

sky770
  • Topic Starter

  • Members
  • 10 posts
  • OFFLINE
  •  
  • Local time:07:49 AM

Posted 04 May 2008 - 04:51 PM

help anyone plz

#3 pskelley

pskelley

  • Staff Emeritus
  • 1,487 posts
  • OFFLINE
  •  
  • Local time:07:49 AM

Posted 06 May 2008 - 03:18 PM

Welcoming to Bleeping Computer, please be sure you have read and followed the
Preparation Guide For Use Before Posting A Hijackthis Log, Instructions for receiving help in cleaning your computer http://www.bleepingcomputer.com/forums/t/34773/preparation-guide-for-use-before-using-malware-removal-tools-and-requesting-help/
All advice given is taken at your own risk.

Let's chat a little, it appears you missed the instructions posted above and pinned to the top of the forum? You have also given me no information about this "keylogger" other than the fact Kaspersky finds it. What is the name of this trojan, where is it located on your computer?

You have a marker for being hacked by Ukrainians (017)
http://whois.domaintools.com/85.255.112.94 <<< see this

If you still need help, read the direction and then do this.

1) C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe <<< my suggestion would be to uninstall this, see this information:
http://free.grisoft.com/ww.download-avg-an...nd-anti-rootkit

2) C:\Program Files\Viewpoint\Common\ViewpointService.exe
C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
For your information, Viewpoint is installed by aol probably without your knowledge. I suggest you uninstall this resource waster in Add Remove programs.
http://www.greatis.com/appdata/u/v/viewmgr.exe.htm
http://www.spywareinfo.com/newsletter/arch...4.php#viewpoint
http://www.clickz.com/news/article.php/3561546

3) Provide me with more information about this "Keylogger".

4) Thanks to LonnyBJones and anyone else who helped with this fix.

Please download FixWareout from one of these sites:
http://downloads.subratam.org/Fixwareout.exe
http://www.bleepingcomputer.com/files/lonny/Fixwareout.exe

Save it to yourDesktop and run it. Click Next, then Install, make sure "Run fixit" is checked and click Finish.
The fix will begin; follow the prompts.
You will be asked to reboot your computer; please do so.
Your system may take longer than usual to load; this is normal.
Once the desktop loads post the text that will open (report.txt) and a new Hijackthis log using Add Reply.

Thanks

If your issues are resolved, post to let me know so I can close your topic.
MS-MVP Windows Security 2007-08
Proud Member ASAP
UNITE Member 2006

#4 sky770

sky770
  • Topic Starter

  • Members
  • 10 posts
  • OFFLINE
  •  
  • Local time:07:49 AM

Posted 09 May 2008 - 04:19 PM

ok thank for finally getting back to me here is the text you wanted


C:\WINDOWS\system32\SchedullingAgent.exe thats all it info that it gives me where the keylogger is located






Username "Skyler" - 05/09/2008 17:09:18 [Fixwareout edited 9/01/2007]

~~~~~ Prerun check

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters
"nameserver"="85.255.114.52 85.255.112.129" <Value cleared.

Successfully flushed the DNS Resolver Cache.


System was rebooted successfully.

~~~~~ Postrun check
HKLM\SOFTWARE\~\Winlogon\ "System"=""
....
....
~~~~~ Misc files.
....
~~~~~ Checking for older varients.
....

~~~~~ Current runs (hklm hkcu "run" Keys Only)
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IMJPMIG8.1"="\"C:\\WINDOWS\\IME\\imjp8_1\\IMJPMIG.EXE\" /Spoil /RemAdvDef /Migration32"
"PHIME2002ASync"="C:\\WINDOWS\\System32\\IME\\TINTLGNT\\TINTSETP.EXE /SYNC"
"PHIME2002A"="C:\\WINDOWS\\System32\\IME\\TINTLGNT\\TINTSETP.EXE /IMEName"
"SoundMAXPnP"="C:\\Program Files\\Analog Devices\\SoundMAX\\SMax4PNP.exe"
"SoundMAX"="\"C:\\Program Files\\Analog Devices\\SoundMAX\\Smax4.exe\" /tray"
"IgfxTray"="C:\\WINDOWS\\System32\\igfxtray.exe"
"HotKeysCmds"="C:\\WINDOWS\\System32\\hkcmd.exe"
"SunJavaUpdateSched"="\"C:\\Program Files\\Java\\jre1.6.0_03\\bin\\jusched.exe\""
"ISUSPM Startup"="C:\\PROGRA~1\\COMMON~1\\INSTAL~1\\UPDATE~1\\isuspm.exe -startup"
"ISUSScheduler"="\"C:\\Program Files\\Common Files\\InstallShield\\UpdateService\\issch.exe\" -start"
"HP Software Update"="C:\\Program Files\\HP\\HP Software Update\\HPWuSchd2.exe"
"!AVG Anti-Spyware"="\"C:\\Program Files\\Grisoft\\AVG Anti-Spyware 7.5\\avgas.exe\" /minimized"
"Adobe Photo Downloader"="\"C:\\Program Files\\Adobe\\Photoshop Album Starter Edition\\3.0\\Apps\\apdproxy.exe\""
"Zune Launcher"="\"c:\\Program Files\\Zune\\ZuneLauncher.exe\""
"QuickTime Task"="\"C:\\Program Files\\QuickTime\\qttask.exe\" -atboottime"
"iTunesHelper"="\"C:\\Program Files\\iTunes\\iTunesHelper.exe\""
"AVP"="\"C:\\Program Files\\Kaspersky Lab\\Kaspersky Anti-Virus 7.0\\avp.exe\""
"SchedullingAgent"="c:\\windows\\system32\\schedullingagent.exe"

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\\WINDOWS\\system32\\ctfmon.exe"
"Aim6"=""
"ISUSPM"="\"C:\\Program Files\\Common Files\\InstallShield\\UpdateService\\isuspm.exe\" -scheduler"
....
Hosts file was reset, If you use a custom hosts file please replace it...
~~~~~ End report ~~~~~

#5 pskelley

pskelley

  • Staff Emeritus
  • 1,487 posts
  • OFFLINE
  •  
  • Local time:07:49 AM

Posted 09 May 2008 - 04:57 PM

Please read the directions carefully, I can not proceed until you post the HJT log I requested:

Once the desktop loads post the text that will open (report.txt) and a new Hijackthis log using Add Reply.


A Google of this item: C:\windows\system32\schedullingagent.exe
Returned this: http://www.runscanner.net/files/exe/schedu...gagent.exe.aspx
Path found: c:\ windows\ system32\ schedullingagent.exe
Version: 1.06.0067
Company: Microsoft
Product: SchedullingAgent service for Windows
Description: SchedullingAgent

It may be a false positive from Kaspersky, let's find out like this.

1) Make sure you can see all files and folder:
http://www.xtra.co.nz/help/0,,4155-1916458,00.html

2) Use one or more of these free online scanners to find out what that is, post the results:
http://virusscan.jotti.org/
http://www.kaspersky.com/scanforvirus
http://www.virustotal.com/

3) When you get to that file, right click on it and choose properties. Post the information under properties.

Post those results and the HJT log I am waiting for.

Thanks
MS-MVP Windows Security 2007-08
Proud Member ASAP
UNITE Member 2006

#6 sky770

sky770
  • Topic Starter

  • Members
  • 10 posts
  • OFFLINE
  •  
  • Local time:07:49 AM

Posted 09 May 2008 - 06:39 PM

ok i followed the directions of this link [url="http://www.bleepingcomputer.com/forums/t/34773/preparation-guide-for-use-before-using-malware-removal-tools-and-requesting-help/" here are the files i got after following the instructions

Deckard's System Scanner v20071014.68
Run by Skyler on 2008-05-09 19:18:15
Computer is in Normal Mode.
--------------------------------------------------------------------------------

-- System Restore --------------------------------------------------------------

Successfully created a Deckard's System Scanner Restore Point.


-- Last 5 Restore Point(s) --
23: 2008-05-09 23:18:31 UTC - RP793 - Deckard's System Scanner Restore Point
22: 2008-05-08 16:35:50 UTC - RP792 - System Checkpoint
21: 2008-05-03 21:59:34 UTC - RP791 - System Checkpoint
20: 2008-04-30 02:54:11 UTC - RP790 - System Checkpoint
19: 2008-04-29 02:42:16 UTC - RP789 - System Checkpoint


-- First Restore Point --
1: 2008-04-02 23:12:56 UTC - RP771 - Installed KalOnlineEng


Backed up registry hives.
Performed disk cleanup.



-- HijackThis (run as Skyler.exe) ----------------------------------------------

.

-- File Associations -----------------------------------------------------------

All associations okay.


-- Drivers: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled ---------------------

R0 sfdrv01 (StarForce Protection Environment Driver (version 1.x)) - c:\windows\system32\drivers\sfdrv01.sys
R0 sfhlp02 (StarForce Protection Helper Driver (version 2.x)) - c:\windows\system32\drivers\sfhlp02.sys
R1 ts_lb - c:\windows\system32\drivers\ts_lb.sys
R3 kbdcap - c:\windows\system32\drivers\kbdcap.sys
R3 NTIDrvr (Upper Class Filter Driver) - c:\windows\system32\drivers\ntidrvr.sys
R3 SMBios (Intel ® System Management BIOS Service) - c:\windows\system32\drivers\smbios.sys
R4 AVG Anti-Spyware Driver - c:\program files\grisoft\avg anti-spyware 7.5\guard.sys (file missing)
R4 AvgAsCln (AVG Anti-Spyware Clean Driver) - c:\windows\system32\drivers\avgascln.sys (file missing)

S3 CV2K1 (CommView Network Monitor) - c:\windows\system32\drivers\cv2k1.sys
S3 EagleNT - c:\windows\system32\drivers\eaglent.sys (file missing)
S3 NPF (NetGroup Packet Filter Driver) - c:\windows\system32\drivers\npf.sys
S3 NPPTNT2 - c:\windows\system32\npptnt2.sys
S3 PSSdk23 - c:\windows\system32\drivers\pssdk23.drv (file missing)
S3 USB200M (Linksys USB 2.0 Network Adapter ver.2) - c:\windows\system32\drivers\usb200m2.sys
S3 xbreader (MaxDrive XBox Driver (xbreader.sys)) - c:\windows\system32\drivers\xbreader.sys
S3 XDva004 - c:\windows\system32\xdva004.sys (file missing)
S3 XDva005 - c:\windows\system32\xdva005.sys (file missing)
S3 XDva007 - c:\windows\system32\xdva007.sys (file missing)
S3 XDva025 - c:\windows\system32\xdva025.sys (file missing)
S3 XDva030 - c:\windows\system32\xdva030.sys (file missing)
S3 XDva068 - c:\windows\system32\xdva068.sys (file missing)
S3 XDva076 - c:\windows\system32\xdva076.sys (file missing)
S3 XTrapD12 - c:\windows\system32\xtrapd12.sys (file missing)


-- Services: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled --------------------

R2 Apple Mobile Device - "c:\program files\common files\apple\mobile device support\bin\applemobiledeviceservice.exe"
R2 Viewpoint Manager Service - "c:\program files\viewpoint\common\viewpointservice.exe"

S3 rpcapd (Remote Packet Capture Protocol v.0 (experimental)) - "c:\program files\winpcap\rpcapd.exe" -d -f "c:\program files\winpcap\rpcapd.ini"


-- Device Manager: Disabled ----------------------------------------------------

No disabled devices found.


-- Scheduled Tasks -------------------------------------------------------------

2008-05-09 19:27:00 422 --ah----- C:\WINDOWS\Tasks\User_Feed_Synchronization-{774361FF-6EDD-4D59-824A-D7D39004D9CC}.job
2008-04-30 08:14:02 284 --a------ C:\WINDOWS\Tasks\AppleSoftwareUpdate.job
2007-06-21 15:42:33 402 --ah----- C:\WINDOWS\Tasks\MP Scheduled Quick Scan.job


-- Files created between 2008-04-09 and 2008-05-09 -----------------------------

2008-05-07 12:52:20 0 d-------- C:\Documents and Settings\Storm\Application Data\Uniblue
2008-04-27 16:42:08 0 d-------- C:\hjt
2008-04-25 22:22:22 319488 --a------ C:\WINDOWS\system32\SchedullingAgent.exe
2008-04-25 22:03:52 96645 --a------ C:\WINDOWS\system32\drivers\klin.dat
2008-04-25 22:03:52 87941 --a------ C:\WINDOWS\system32\drivers\klick.dat
2008-04-25 22:02:32 71968 --ahs---- C:\WINDOWS\system32\drivers\fidbox2.dat
2008-04-25 22:02:32 8232480 --ahs---- C:\WINDOWS\system32\drivers\fidbox.dat
2008-04-25 22:02:32 0 d-------- C:\Program Files\Kaspersky Lab
2008-04-25 22:02:31 0 d-------- C:\Documents and Settings\All Users\Application Data\Kaspersky Lab
2008-04-25 21:59:19 0 d-------- C:\kav
2008-04-14 19:49:02 0 d-------- C:\Documents and Settings\Storm\Application Data\LimeWire
2008-04-10 13:42:34 109440 --a------ C:\WINDOWS\system32\drivers\KbdCap.sys
2008-04-10 13:17:53 30 --a------ C:\WINDOWS\mtagree07011993t.dat
2008-04-09 11:46:26 0 d-------- C:\Documents and Settings\Iris\Application Data\U3
2008-04-09 08:57:53 0 d-------- C:\Documents and Settings\Storm\Application Data\InstallShield


-- Find3M Report ---------------------------------------------------------------

2008-04-30 19:21:04 0 d-------- C:\Program Files\KalOnlineEng
2008-04-12 21:02:37 0 d-------- C:\Documents and Settings\Skyler\Application Data\Azureus
2008-04-11 13:14:46 0 d-------- C:\Program Files\LimeWire
2008-04-08 19:38:18 0 d-------- C:\Documents and Settings\Skyler\Application Data\InstallShield
2008-04-08 18:45:18 0 d--h----- C:\Program Files\InstallShield Installation Information
2008-04-07 14:41:04 664 --a------ C:\WINDOWS\system32\d3d9caps.dat
2008-04-06 23:59:55 0 d-------- C:\Documents and Settings\Skyler\Application Data\AVSMedia
2008-04-06 23:59:27 0 d-------- C:\Program Files\Common Files\AVSMedia
2008-04-06 23:58:23 0 d-------- C:\Program Files\Common Files
2008-04-06 23:58:02 0 d-------- C:\Program Files\AVSMedia
2008-04-04 18:58:24 0 d-------- C:\Documents and Settings\Skyler\Application Data\Real
2008-04-04 14:56:25 0 d-------- C:\Program Files\iTunes
2008-04-04 14:56:04 0 d-------- C:\Program Files\iPod
2008-04-04 14:54:34 0 d-------- C:\Program Files\QuickTime
2008-04-02 17:31:34 0 d-------- C:\Program Files\Neffy
2008-03-20 18:56:50 21504 --a------ C:\WINDOWS\jestertb.dll


-- Registry Dump ---------------------------------------------------------------

*Note* empty entries & legit default entries are not shown


[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{8CA5ED52-F3FB-4414-A105-2E3491156990}]
C:\PROGRA~1\IWINGA~1\IWINGA~1.DLL

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IMJPMIG8.1"="C:\WINDOWS\IME\imjp8_1\IMJPMIG.exe" [08/04/2004 01:31 AM]
"PHIME2002ASync"="C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.exe" [03/31/2003 08:00 AM]
"PHIME2002A"="C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.exe" [03/31/2003 08:00 AM]
"SoundMAXPnP"="C:\Program Files\Analog Devices\SoundMAX\SMax4PNP.exe" [05/29/2003 04:28 PM]
"SoundMAX"="C:\Program Files\Analog Devices\SoundMAX\Smax4.exe" [05/30/2003 09:42 AM]
"IgfxTray"="C:\WINDOWS\System32\igfxtray.exe" [04/07/2003 03:19 AM]
"HotKeysCmds"="C:\WINDOWS\System32\hkcmd.exe" [04/07/2003 03:07 AM]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe" [09/25/2007 02:11 AM]
"ISUSPM Startup"="C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\isuspm.exe" [09/10/2006 10:56 PM]
"ISUSScheduler"="C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" [09/10/2006 10:56 PM]
"HP Software Update"="C:\Program Files\HP\HP Software Update\HPWuSchd2.exe" [05/08/2007 04:24 PM]
"Adobe Photo Downloader"="C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe" [06/07/2005 12:46 AM]
"Zune Launcher"="c:\Program Files\Zune\ZuneLauncher.exe" [11/15/2007 10:51 PM]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [03/28/2008 11:37 PM]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [03/30/2008 10:36 AM]
"AVP"="C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 7.0\avp.exe" [02/08/2008 06:36 PM]
"SchedullingAgent"="c:\windows\system32\schedullingagent.exe" [04/25/2008 10:22 PM]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [08/04/2004 03:56 AM]
"Aim6"="" []
"ISUSPM"="C:\Program Files\Common Files\InstallShield\UpdateService\isuspm.exe" [09/10/2006 10:56 PM]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\runservices]
"SchedullingAgent"=c:\windows\system32\schedullingagent.exe

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Adobe Reader Speed Launch.lnk - C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [9/23/2005 10:05:26 PM]
HP Digital Imaging Monitor.lnk - C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe [2/19/2006 5:21:22 AM]
HP Photosmart Premier Fast Start.lnk - C:\Program Files\HP\Digital Imaging\bin\hpqthb08.exe [2/10/2006 8:56:20 AM]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]
"DisableTaskMgr"=0 (0x0)

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\vds]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{533C5B84-EC70-11D2-9505-00C04F79DEAF}]
@="Volume shadow copy"




-- End of Deckard's System Scanner: finished at 2008-05-09 19:30:10 ------------




Deckard's System Scanner v20071014.68
Extra logfile - please post this as an attachment with your post.
--------------------------------------------------------------------------------

-- System Information ----------------------------------------------------------

Microsoft Windows XP Home Edition (build 2600) SP 2.0
Architecture: X86; Language: English

CPU 0: Intel® Pentium® 4 CPU 2.40GHz
CPU 1: Intel® Pentium® 4 CPU 2.40GHz
Percentage of Memory in Use: 51%
Physical Memory (total/avail): 750.73 MiB / 363.66 MiB
Pagefile Memory (total/avail): 1072.31 MiB / 753.79 MiB
Virtual Memory (total/avail): 2047.88 MiB / 1931.07 MiB

A: is Removable (No Media)
C: is Fixed (NTFS) - 37.27 GiB total, 6.62 GiB free.
D: is CDROM (No Media)
E: is CDROM (No Media)

\\.\PHYSICALDRIVE0 - ST340014A - 37.27 GiB - 1 partition
\PARTITION0 (bootable) - Installable File System - 37.27 GiB - C:



-- Security Center -------------------------------------------------------------

AUOptions is scheduled to auto-install.
Windows Internal Firewall is enabled.

AV: Kaspersky Anti-Virus v7.0.1.325 (Kaspersky Lab)

[HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"C:\\Program Files\\Common Files\\AOL\\1130555619\\ee\\AOLServiceHost.exe"="C:\\Program Files\\Common Files\\AOL\\1130555619\\ee\\AOLServiceHost.exe:*:Enabled:AOL Services"
"C:\\Program Files\\Common Files\\AOL\\1131059131\\ee\\AOLServiceHost.exe"="C:\\Program Files\\Common Files\\AOL\\1131059131\\ee\\AOLServiceHost.exe:*:Enabled:AOL Services"
"C:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"="C:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe:*:Enabled:AOL Loader"
"C:\\Program Files\\Common Files\\AOL\\1132266747\\ee\\AOLServiceHost.exe"="C:\\Program Files\\Common Files\\AOL\\1132266747\\ee\\AOLServiceHost.exe:*:Enabled:AOL Services"
"C:\\Program Files\\AIM\\aim.exe"="C:\\Program Files\\AIM\\aim.exe:*:Enabled:AOL Instant Messenger"
"%windir%\\Network Diagnostic\\xpnetdiag.exe"="%windir%\\Network Diagnostic\\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"
"C:\\Program Files\\MSN Messenger\\msnmsgr.exe"="C:\\Program Files\\MSN Messenger\\msnmsgr.exe:*:Enabled:Windows Live Messenger 8.0"
"C:\\Program Files\\MSN Messenger\\msncall.exe"="C:\\Program Files\\MSN Messenger\\msncall.exe:*:Enabled:Windows Live Messenger 8.0 (Phone)"

[HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"C:\\Program Files\\Messenger\\msmsgs.exe"="C:\\Program Files\\Messenger\\msmsgs.exe:*:Enabled:Windows Messenger"
"C:\\Program Files\\Microsoft Games\\Halo Trial\\halo.exe"="C:\\Program Files\\Microsoft Games\\Halo Trial\\halo.exe:*:Enabled:Halo"
"C:\\Program Files\\Yahoo!\\Messenger\\YPager.exe"="C:\\Program Files\\Yahoo!\\Messenger\\YPager.exe:*:Enabled:Yahoo! Messenger"
"C:\\Program Files\\Yahoo!\\Messenger\\YServer.exe"="C:\\Program Files\\Yahoo!\\Messenger\\YServer.exe:*:Enabled:Yahoo! FT Server"
"C:\\Program Files\\MAIET\\Gunz\\Gunz.exe"="C:\\Program Files\\MAIET\\Gunz\\Gunz.exe:*:Enabled:Gunz"
"C:\\Program Files\\XBC\\XBC_NS.exe"="C:\\Program Files\\XBC\\XBC_NS.exe:*:Disabled:XBConnect"
"C:\\Program Files\\Common Files\\AOL\\1130555619\\ee\\AOLServiceHost.exe"="C:\\Program Files\\Common Files\\AOL\\1130555619\\ee\\AOLServiceHost.exe:*:Enabled:AOL Services"
"C:\\Program Files\\Common Files\\AOL\\1131059131\\ee\\AOLServiceHost.exe"="C:\\Program Files\\Common Files\\AOL\\1131059131\\ee\\AOLServiceHost.exe:*:Enabled:AOL Services"
"C:\\Program Files\\Ubisoft\\Demo\\Gearbox Software\\BrothersInArmsEiB\\System\\EiB.exe"="C:\\Program Files\\Ubisoft\\Demo\\Gearbox Software\\BrothersInArmsEiB\\System\\EiB.exe:*:Enabled:Brothers In Arms Earned In Blood"
"C:\\Program Files\\Steam\\SteamApps\\b_baller32800\\half-life\\hl.exe"="C:\\Program Files\\Steam\\SteamApps\\b_baller32800\\half-life\\hl.exe:*:Enabled:Half-Life Launcher"
"C:\\Program Files\\Steam\\SteamApps\\b_baller32800\\team fortress classic\\hl.exe"="C:\\Program Files\\Steam\\SteamApps\\b_baller32800\\team fortress classic\\hl.exe:*:Enabled:Half-Life Launcher"
"C:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"="C:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe:*:Enabled:AOL Loader"
"C:\\Program Files\\Common Files\\AOL\\1132266747\\ee\\AOLServiceHost.exe"="C:\\Program Files\\Common Files\\AOL\\1132266747\\ee\\AOLServiceHost.exe:*:Enabled:AOL Services"
"C:\\Program Files\\Internet Explorer\\iexplore.exe"="C:\\Program Files\\Internet Explorer\\iexplore.exe:*:Enabled:Internet Explorer"
"C:\\Program Files\\SmartFTP\\SmartFTP.exe"="C:\\Program Files\\SmartFTP\\SmartFTP.exe:*:Enabled:SmartFTP Client"
"C:\\Documents and Settings\\Storm\\My Documents\\Xfire\\Xfire.exe"="C:\\Documents and Settings\\Storm\\My Documents\\Xfire\\Xfire.exe:*:Enabled:Xfire"
"C:\\Program Files\\AIM\\aim.exe"="C:\\Program Files\\AIM\\aim.exe:*:Enabled:AOL Instant Messenger"
"C:\\Documents and Settings\\Skyler\\Local Settings\\Temp\\Rar$EX00.359\\FlashFXP.v3.4.1.Build.1149.exe"="C:\\Documents and Settings\\Skyler\\Local Settings\\Temp\\Rar$EX00.359\\FlashFXP.v3.4.1.Build.1149.exe:*:Enabled:FlashFXP"
"C:\\Documents and Settings\\Skyler\\Local Settings\\Temp\\Rar$EX01.969\\FlashFXP.v3.4.1.Build.1149.exe"="C:\\Documents and Settings\\Skyler\\Local Settings\\Temp\\Rar$EX01.969\\FlashFXP.v3.4.1.Build.1149.exe:*:Enabled:FlashFXP"
"C:\\Documents and Settings\\Skyler\\Local Settings\\Temp\\Rar$EX00.110\\FlashFXP.v3.4.1.Build.1149.exe"="C:\\Documents and Settings\\Skyler\\Local Settings\\Temp\\Rar$EX00.110\\FlashFXP.v3.4.1.Build.1149.exe:*:Enabled:FlashFXP"
"C:\\Documents and Settings\\Skyler\\Local Settings\\Temp\\Rar$EX00.939\\FlashFXP.v3.4.1.Build.1149.exe"="C:\\Documents and Settings\\Skyler\\Local Settings\\Temp\\Rar$EX00.939\\FlashFXP.v3.4.1.Build.1149.exe:*:Enabled:FlashFXP"
"C:\\Documents and Settings\\Skyler\\Local Settings\\Temp\\Rar$EX00.766\\FlashFXP.v3.4.1.Build.1149.exe"="C:\\Documents and Settings\\Skyler\\Local Settings\\Temp\\Rar$EX00.766\\FlashFXP.v3.4.1.Build.1149.exe:*:Enabled:FlashFXP"
"C:\\Program Files\\AIM6\\aim6.exe"="C:\\Program Files\\AIM6\\aim6.exe:*:Enabled:AIM"
"%windir%\\Network Diagnostic\\xpnetdiag.exe"="%windir%\\Network Diagnostic\\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"
"C:\\Documents and Settings\\Skyler\\My Documents\\mvf\\World of Warcraft\\WoW-2.0.10.6448-to-2.0.12.6546-enUS-patch.exe"="C:\\Documents and Settings\\Skyler\\My Documents\\mvf\\World of Warcraft\\WoW-2.0.10.6448-to-2.0.12.6546-enUS-patch.exe:*:Enabled:WoW-2.0.10.6448-to-2.0.12.6546-enUS-patch"
"C:\\Documents and Settings\\Skyler\\My Documents\\mvf\\World of Warcraft\\WoW-2.0.3-enUS-downloader.exe"="C:\\Documents and Settings\\Skyler\\My Documents\\mvf\\World of Warcraft\\WoW-2.0.3-enUS-downloader.exe:*:Enabled:WoW-2.0.3-enUS-downloader"
"C:\\Program Files\\MSN Messenger\\msnmsgr.exe"="C:\\Program Files\\MSN Messenger\\msnmsgr.exe:*:Enabled:Windows Live Messenger 8.0"
"C:\\Program Files\\MSN Messenger\\msncall.exe"="C:\\Program Files\\MSN Messenger\\msncall.exe:*:Enabled:Windows Live Messenger 8.0 (Phone)"
"C:\\Program Files\\Azureus\\Azureus.exe"="C:\\Program Files\\Azureus\\Azureus.exe:*:Enabled:Azureus"
"C:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"="C:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe:*:Enabled:Yahoo! Messenger"
"C:\\Program Files\\Steam\\Steam.exe"="C:\\Program Files\\Steam\\Steam.exe:*:Enabled:Steam"
"C:\\Documents and Settings\\Storm\\My Documents\\ares\\Ares.exe"="C:\\Documents and Settings\\Storm\\My Documents\\ares\\Ares.exe:*:Enabled:Ares p2p for windows"
"C:\\Documents and Settings\\Storm\\Local Settings\\Temp\\solidnm.exe"="C:\\Documents and Settings\\Storm\\Local Settings\\Temp\\solidnm.exe:*:Enabled:Solid State Networks Browser Plugin"
"C:\\Program Files\\DNA\\btdna.exe"="C:\\Program Files\\DNA\\btdna.exe:*:Enabled:DNA"
"C:\\Documents and Settings\\Storm\\My Documents\\My Received Files\\Bit torrent\\BitTorrent\\bittorrent.exe"="C:\\Documents and Settings\\Storm\\My Documents\\My Received Files\\Bit torrent\\BitTorrent\\bittorrent.exe:*:Enabled:BitTorrent"
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpqtra08.exe"="C:\\Program Files\\HP\\Digital Imaging\\bin\\hpqtra08.exe:*:Enabled:hpqtra08.exe"
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpqste08.exe"="C:\\Program Files\\HP\\Digital Imaging\\bin\\hpqste08.exe:*:Enabled:hpqste08.exe"
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpofxm08.exe"="C:\\Program Files\\HP\\Digital Imaging\\bin\\hpofxm08.exe:*:Enabled:hpofxm08.exe"
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hposfx08.exe"="C:\\Program Files\\HP\\Digital Imaging\\bin\\hposfx08.exe:*:Enabled:hposfx08.exe"
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hposid01.exe"="C:\\Program Files\\HP\\Digital Imaging\\bin\\hposid01.exe:*:Enabled:hposid01.exe"
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpqscnvw.exe"="C:\\Program Files\\HP\\Digital Imaging\\bin\\hpqscnvw.exe:*:Enabled:hpqscnvw.exe"
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpqkygrp.exe"="C:\\Program Files\\HP\\Digital Imaging\\bin\\hpqkygrp.exe:*:Enabled:hpqkygrp.exe"
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpqCopy.exe"="C:\\Program Files\\HP\\Digital Imaging\\bin\\hpqCopy.exe:*:Enabled:hpqcopy.exe"
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpfccopy.exe"="C:\\Program Files\\HP\\Digital Imaging\\bin\\hpfccopy.exe:*:Enabled:hpfccopy.exe"
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpzwiz01.exe"="C:\\Program Files\\HP\\Digital Imaging\\bin\\hpzwiz01.exe:*:Enabled:hpzwiz01.exe"
"C:\\Program Files\\HP\\Digital Imaging\\Unload\\HpqPhUnl.exe"="C:\\Program Files\\HP\\Digital Imaging\\Unload\\HpqPhUnl.exe:*:Enabled:hpqphunl.exe"
"C:\\Program Files\\HP\\Digital Imaging\\Unload\\HpqDIA.exe"="C:\\Program Files\\HP\\Digital Imaging\\Unload\\HpqDIA.exe:*:Enabled:hpqdia.exe"
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpoews01.exe"="C:\\Program Files\\HP\\Digital Imaging\\bin\\hpoews01.exe:*:Enabled:hpoews01.exe"
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpqnrs08.exe"="C:\\Program Files\\HP\\Digital Imaging\\bin\\hpqnrs08.exe:*:Enabled:hpqnrs08.exe"
"C:\\Documents and Settings\\Skyler\\My Documents\\Azureus Downloads\\Azureus\\Azureus.exe"="C:\\Documents and Settings\\Skyler\\My Documents\\Azureus Downloads\\Azureus\\Azureus.exe:*:Enabled:Azureus"
"C:\\Program Files\\NetMeeting\\conf.exe"="C:\\Program Files\\NetMeeting\\conf.exe:*:Enabled:Windows® NetMeeting®"
"C:\\Documents and Settings\\Skyler\\My Documents\\My eBooks\\rohanclient.exe"="C:\\Documents and Settings\\Skyler\\My Documents\\My eBooks\\rohanclient.exe:*:Enabled:Rohan Online Game"
"C:\\Program Files\\iTunes\\iTunes.exe"="C:\\Program Files\\iTunes\\iTunes.exe:*:Enabled:iTunes"
"C:\\Program Files\\uTorrent\\uTorrent.exe"="C:\\Program Files\\uTorrent\\uTorrent.exe:*:Enabled:µTorrent"
"C:\\kav\\kav7\\setup.exe"="C:\\kav\\kav7\\setup.exe:*:Enabled:Kaspersky Anti-Virus 7.0 Setup"
"C:\\Program Files\\Kaspersky Lab\\Kaspersky Anti-Virus 7.0\\avp.exe"="C:\\Program Files\\Kaspersky Lab\\Kaspersky Anti-Virus 7.0\\avp.exe:*:Enabled:Kaspersky Anti-Virus"
"C:\\Documents and Settings\\Storm\\My Documents\\LimeWire\\New lime wire\\LimeWire\\LimeWire.exe"="C:\\Documents and Settings\\Storm\\My Documents\\LimeWire\\New lime wire\\LimeWire\\LimeWire.exe:*:Enabled:LimeWire"


-- Environment Variables -------------------------------------------------------

ALLUSERSPROFILE=C:\Documents and Settings\All Users
APPDATA=C:\Documents and Settings\Skyler\Application Data
CLASSPATH=.;C:\Program Files\Java\jre1.6.0_03\lib\ext\QTJava.zip
CLIENTNAME=Console
CommonProgramFiles=C:\Program Files\Common Files
COMPUTERNAME=DESKTOP-SYSTEM1
ComSpec=C:\WINDOWS\system32\cmd.exe
FP_NO_HOST_CHECK=NO
HOMEDRIVE=C:
HOMEPATH=\Documents and Settings\Skyler
LOGONSERVER=\\DESKTOP-SYSTEM1
NUMBER_OF_PROCESSORS=2
OS=Windows_NT
Path=C:\WINDOWS\system32;C:\WINDOWS;C:\WINDOWS\System32\Wbem;C:\Documents and Settings\Storm\My Documents\My Received Files\QuickTime\QTSystem\;C:\Program Files\QuickTime\QTSystem\
PATHEXT=.COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH
PROCESSOR_ARCHITECTURE=x86
PROCESSOR_IDENTIFIER=x86 Family 15 Model 2 Stepping 9, GenuineIntel
PROCESSOR_LEVEL=15
PROCESSOR_REVISION=0209
ProgramFiles=C:\Program Files
PROMPT=$P$G
QTJAVA=C:\Program Files\Java\jre1.6.0_03\lib\ext\QTJava.zip
SESSIONNAME=Console
SystemDrive=C:
SystemRoot=C:\WINDOWS
TEMP=C:\DOCUME~1\Skyler\LOCALS~1\Temp
TMP=C:\DOCUME~1\Skyler\LOCALS~1\Temp
USERDOMAIN=DESKTOP-SYSTEM1
USERNAME=Skyler
USERPROFILE=C:\Documents and Settings\Skyler
windir=C:\WINDOWS


-- User Profiles ---------------------------------------------------------------

Iris (admin)
Storm (admin)
Skyler (admin)
Guest (guest)


-- Add/Remove Programs ---------------------------------------------------------

--> MsiExec.exe /I{D6160F37-7638-4E56-9774-F3C88F30A4A9}
--> rundll32.exe setupapi.dll,InstallHinfSection DefaultUninstall 132 C:\WINDOWS\INF\PCHealth.inf
2007 Microsoft Office Suite Service Pack 1 (SP1) --> msiexec /package {90120000-0019-0409-0000-0000000FF1CE} /uninstall {4CA4ECC1-DBD4-4591-8F4C-AA12AD2D3E59}
2007 Microsoft Office Suite Service Pack 1 (SP1) --> msiexec /package {90120000-001F-0409-0000-0000000FF1CE} /uninstall {3EC77D26-799B-4CD8-914F-C1565E796173}
2007 Microsoft Office Suite Service Pack 1 (SP1) --> msiexec /package {90120000-001F-040C-0000-0000000FF1CE} /uninstall {430971B1-C31E-45DA-81E0-72C095BAB72C}
2007 Microsoft Office Suite Service Pack 1 (SP1) --> msiexec /package {90120000-001F-0C0A-0000-0000000FF1CE} /uninstall {F7A31780-33C4-4E39-951A-5EC9B91D7BF1}
2007 Microsoft Office Suite Service Pack 1 (SP1) --> msiexec /package {90120000-006E-0409-0000-0000000FF1CE} /uninstall {FAD8A83E-9BAC-4179-9268-A35948034D85}
2007 Microsoft Office Suite Service Pack 1 (SP1) --> msiexec /package {90120000-0115-0409-0000-0000000FF1CE} /uninstall {FAD8A83E-9BAC-4179-9268-A35948034D85}
2007 Microsoft Office Suite Service Pack 1 (SP1) --> msiexec /package {91120000-0019-0000-0000-0000000FF1CE} /uninstall {BEE75E01-DD3F-4D5F-B96C-609E6538D419}
Adobe Flash Player ActiveX --> C:\WINDOWS\system32\Macromed\Flash\uninstall_activeX.exe
Adobe Flash Player Plugin --> C:\WINDOWS\system32\Macromed\Flash\uninstall_plugin.exe
Adobe Reader 7.0.5 Language Support --> MsiExec.exe /I{AC76BA86-7AD7-5464-3428-7050000000A7}
Adobe Reader 7.0.9 --> MsiExec.exe /I{AC76BA86-7AD7-1033-7B44-A70900000002}
Adobe Shockwave Player --> C:\WINDOWS\system32\Macromed\SHOCKW~1\UNWISE.EXE C:\WINDOWS\system32\Macromed\SHOCKW~1\Install.log
Adobe® Photoshop® Album Starter Edition 3.0 --> MsiExec.exe /I{4BDFD2CE-6329-42E4-9801-9B3D1F10D79B}
AIM 6 --> C:\Program Files\AIM6\uninst.exe
Apple Mobile Device Support --> MsiExec.exe /I{44734179-8A79-4DEE-BB08-73037F065543}
Apple Software Update --> MsiExec.exe /I{B74F042E-E1B9-4A5B-8D46-387BB172F0A4}
Aspell English Dictionary-0.50-2 --> "C:\Program Files\Aspell\Aspell\unins000.exe"
AVS DVDMenu Editor 1.2.1.19 --> "C:\Program Files\Common Files\AVSMedia\AVS DVDMenu Editor\unins000.exe"
AVS Video Tools 5.6 --> "C:\Program Files\AVSMedia\VideoTools\unins000.exe"
BellSouth Internet Services --> "C:\Program Files\BellSouth\UninstallerData\Uninstall BellSouth Registration.exe"
DivX Content Uploader --> C:\Program Files\DivX\DivXContentUploaderUninstall.exe /CUPLOADER
DivX Web Player --> C:\Program Files\DivX\DivXWebPlayerUninstall.exe /PLUGIN
Fellowes NEATO MediaFACE II --> C:\WINDOWS\IsUninst.exe -f"C:\Program Files\MediaFACE II\Uninstall.isu"
GNU Aspell 0.50-3 --> "C:\Program Files\Aspell\unins000.exe"
GTK+ Runtime 2.10.13 rev a (remove only) --> C:\Program Files\Common Files\GTK\2.0\uninst.exe
Hero_Online --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{41D5A562-2FE2-4CF2-AB03-62803FD7049F}\setup.exe"
HighMAT Extension to Microsoft Windows XP CD Writing Wizard --> MsiExec.exe /X{FCE65C4E-B0E8-4FBD-AD16-EDCBE6CD591F}
HijackThis 2.0.2 --> "C:\hjt\HijackThis.exe" /uninstall
Hotfix for Windows Media Format 11 SDK (KB929399) --> "C:\WINDOWS\$NtUninstallKB929399$\spuninst\spuninst.exe"
Hotfix for Windows Media Format SDK (KB902344) --> "C:\WINDOWS\$NtUninstallKB902344$\spuninst\spuninst.exe"
HP Document Viewer 7.0 --> C:\Program Files\HP\Digital Imaging\DocumentViewer\hpzscr01.exe -datfile hpqbud04.dat
HP Imaging Device Functions 7.0 --> C:\Program Files\HP\Digital Imaging\DeviceManagement\hpzscr01.exe -datfile hpqbud01.dat
HP Photosmart Premier Software 6.5 --> C:\Program Files\HP\Digital Imaging\uninstall\hpzscr01.exe -datfile hpqscr01.dat
HP Photosmart, Officejet and Deskjet 7.0.A --> C:\Program Files\HP\Digital Imaging\{BDBE2F3E-42DB-4d4a-8CB1-19BA765DBC6C}\setup\hpzscr01.exe -datfile hposcr11.dat
HP Solution Center 7.0 --> C:\Program Files\HP\Digital Imaging\eSupport\hpzscr01.exe -datfile hpqbud05.dat
HP Update --> MsiExec.exe /X{25F6C900-C138-4888-A56C-91D3D063023A}
Intel® Extreme Graphics Driver --> RUNDLL32.EXE C:\WINDOWS\System32\ialmrem.dll,UninstallW2KIGfx PCI\VEN_8086&DEV_2572
Intel® PRO Network Adapters and Drivers --> Prounstl.exe
iTunes --> MsiExec.exe /I{585776BC-4BD6-4BD2-A19A-1D6CB44A403B}
J2SE Runtime Environment 5.0 Update 10 --> MsiExec.exe /I{3248F0A8-6813-11D6-A77B-00B0D0150100}
J2SE Runtime Environment 5.0 Update 2 --> MsiExec.exe /I{3248F0A8-6813-11D6-A77B-00B0D0150020}
J2SE Runtime Environment 5.0 Update 6 --> MsiExec.exe /I{3248F0A8-6813-11D6-A77B-00B0D0150060}
J2SE Runtime Environment 5.0 Update 9 --> MsiExec.exe /I{3248F0A8-6813-11D6-A77B-00B0D0150090}
Java™ 6 Update 3 --> MsiExec.exe /I{3248F0A8-6813-11D6-A77B-00B0D0160030}
Java™ SE Runtime Environment 6 Update 1 --> MsiExec.exe /I{3248F0A8-6813-11D6-A77B-00B0D0160010}
K-Lite Codec Pack 3.1.5 Full --> "C:\Program Files\K-Lite Codec Pack\unins000.exe"
KalOnline --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\09\00\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{5D23E60C-BBAF-44D1-9809-979F4234C018}\Setup.exe" -l0x9
KalOnlineEng --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\09\00\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{2D7F824B-6744-4C30-B78B-0966E9BD461D}\Setup.exe" -l0x9
Kaspersky Anti-Virus 7.0 --> MsiExec.exe /I{4B9BB601-13E9-4042-A3BC-E7955BF4A98F}
Kaspersky Anti-Virus 7.0 --> MsiExec.exe /I{4B9BB601-13E9-4042-A3BC-E7955BF4A98F}
LimeWire 4.17.6 --> "C:\Documents and Settings\Storm\My Documents\LimeWire\New lime wire\LimeWire\uninstall.exe"
Microsoft Compression Client Pack 1.0 for Windows XP --> "C:\WINDOWS\$NtUninstallMSCompPackV1$\spuninst\spuninst.exe"
Microsoft Data Access Components KB870669 --> C:\WINDOWS\muninst.exe C:\WINDOWS\INF\KB870669.inf
Microsoft Kernel-Mode Driver Framework Feature Pack 1.5 --> "C:\WINDOWS\$NtUninstallWdf01005$\spuninst\spuninst.exe"
Microsoft Office Proof (English) 2007 --> MsiExec.exe /X{90120000-001F-0409-0000-0000000FF1CE}
Microsoft Office Proof (French) 2007 --> MsiExec.exe /X{90120000-001F-040C-0000-0000000FF1CE}
Microsoft Office Proof (Spanish) 2007 --> MsiExec.exe /X{90120000-001F-0C0A-0000-0000000FF1CE}
Microsoft Office Proofing (English) 2007 --> MsiExec.exe /X{90120000-002C-0409-0000-0000000FF1CE}
Microsoft Office Publisher 2007 --> MsiExec.exe /X{91120000-0019-0000-0000-0000000FF1CE}
Microsoft Office Publisher 2007 Trial --> "C:\Program Files\Common Files\Microsoft Shared\OFFICE12\Office Setup Controller\setup.exe" /uninstall PUBLISHERR /dll OSETUP.DLL
Microsoft Office Publisher MUI (English) 2007 --> MsiExec.exe /X{90120000-0019-0409-0000-0000000FF1CE}
Microsoft Office Shared MUI (English) 2007 --> MsiExec.exe /X{90120000-006E-0409-0000-0000000FF1CE}
Microsoft Office Shared Setup Metadata MUI (English) 2007 --> MsiExec.exe /X{90120000-0115-0409-0000-0000000FF1CE}
Microsoft Office Standard Edition 2003 --> MsiExec.exe /I{91120409-6000-11D3-8CFE-0150048383C9}
Microsoft Publisher 2000 --> MsiExec.exe /I{00140409-78E1-11D2-B60F-006097C998E7}
Microsoft User-Mode Driver Framework Feature Pack 1.0 --> "C:\WINDOWS\$NtUninstallWudf01000$\spuninst\spuninst.exe"
Microsoft Visual C++ 2005 Redistributable --> MsiExec.exe /X{7299052b-02a4-4627-81f2-1818da5d550d}
Microsoft Windows Journal Viewer --> MsiExec.exe /X{43DCF766-6838-4F9A-8C91-D92DA586DFA7}
Mouse Tamer --> C:\DOCUME~1\Storm\MYDOCU~1\MOUSET~1\UNWISE.EXE C:\DOCUME~1\Storm\MYDOCU~1\MOUSET~1\INSTALL.LOG
Mozilla Firefox (2.0.0.14) --> C:\Program Files\Mozilla Firefox\uninstall\helper.exe
MPlugin --> "C:\Program Files\InstallShield Installation Information\{6102D63A-9387-4FC8-98E4-181121F8C0BA}\setup.exe" -runfromtemp -l0x0009 -removeonly
MSN Music Assistant --> rundll32 advpack.dll,LaunchINFSection C:\WINDOWS\INF\msninst.inf,Uninstall
Neffy 1,2,0,12 --> C:\Program Files\Neffy\uninst.exe
NTI DVD-Maker Gold --> C:\PROGRA~1\COMMON~1\INSTAL~1\Driver\7\INTEL3~1\IDriver.exe /M{357CDCF4-EC34-464E-9425-61E1B0909FC4} AnyText
OCR Software by I.R.I.S 7.0 --> C:\Program Files\HP\Digital Imaging\OCR\hpzscr01.exe -datfile hpqbud11.dat
OneTouch Software --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{D521C206-C457-4AE3-A0E0-072D37E2A580}\Setup.exe" -l0x9
OneTouch USB Driver --> MsiExec.exe /X{E08EC542-BC5F-4F26-BBB9-E426BA007A31}
PowerDVD --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{6811CAA0-BF12-11D4-9EA1-0050BAE317E1}\Setup.exe" -uninstall
QuickTime --> MsiExec.exe /I{1838C5A2-AB32-4145-85C1-BB9B8DFA24CD}
REXplorer Component Upgrade --> C:\Program Files\InstallShield Installation Information\{A639BD63-8CE6-11D5-B4CC-00105A07274A}\setup.exe -u
Solid State ION Internet Explorer Plugin --> C:\WINDOWS\system32\SolidStateNetworks\SolidStateION\soliduninstall.exe /Uninstall activex
SoundMAX --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{F0A37341-D692-11D4-A984-009027EC0A9C}\Setup.exe"
Spybot - Search & Destroy 1.4 --> "C:\Program Files\Spybot - Search & Destroy\unins000.exe"
SpywareBlaster v3.5.1 --> "C:\Program Files\SpywareBlaster\unins000.exe"
Steam™ --> MsiExec.exe /X{048298C9-A4D3-490B-9FF9-AB023A9238F3}
Update for Office 2007 (KB946691) --> msiexec /package {91120000-0019-0000-0000-0000000FF1CE} /uninstall {A420F522-7395-4872-9882-C591B4B92278}
URGE --> MsiExec.exe /I{8BBF6DFD-0AD9-43A7-9FBD-BF065E3866AF}
VideoLAN VLC media player 0.8.2 --> C:\Program Files\VideoLAN\VLC\uninstall.exe
Viewpoint Manager (Remove Only) --> C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgrInstaller.exe /u /k
Viewpoint Media Player --> C:\Program Files\Viewpoint\Viewpoint Experience Technology\mtsAxInstaller.exe /u
Wal-Mart Music Downloads Store --> MsiExec.exe /I{7EE454FB-531E-47F9-BA45-ED65496EEB09}
WexTech AnswerWorks --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\0701\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{EA2BEBD6-87B9-41E5-95AC-7E4C165A9475}\SETUP.EXE" -l0x9 -eliminate
Windows Media Format 11 runtime --> "C:\WINDOWS\$NtUninstallWMFDist11$\spuninst\spuninst.exe"
WinPcap 3.1 --> "C:\Program Files\WinPcap\Uninstall.exe" "C:\Program Files\WinPcap\install.log"
WinRAR archiver --> C:\Documents and Settings\Storm\My Documents\My Games\uninstall.exe
World Book 2005 (Deluxe) --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{2A6B4635-6843-40FC-AB16-7918BE6D8D8E}\setup.exe" -l0x9
World of Warcraft --> C:\Program Files\Common Files\Blizzard Entertainment\World of Warcraft (2)\Uninstall.exe
Zune --> MsiExec.exe /X{FE0256DB-509C-40AC-B888-2543AD4298E6}
Zune Language Pack (ES) --> MsiExec.exe /I{EE4ACABF-531E-419A-9225-B8E0FA4955AF}
Zune Language Pack (FR) --> MsiExec.exe /I{0076E1AC-9E7B-4B9F-A62A-4CC9511AD8E3}


-- Application Event Log -------------------------------------------------------

Event Record #/Type3450 / Error
Event Submitted/Written: 05/05/2008 03:32:46 PM
Event ID/Source: 1002 / Application Hang
Event Description:
Hanging application regedit.exe, version 5.1.2600.2180, hang module hungapp, version 0.0.0.0, hang address 0x00000000.

Event Record #/Type3449 / Error
Event Submitted/Written: 05/05/2008 03:32:31 PM
Event ID/Source: 1002 / Application Hang
Event Description:
Hanging application regedit.exe, version 5.1.2600.2180, hang module hungapp, version 0.0.0.0, hang address 0x00000000.

Event Record #/Type3448 / Error
Event Submitted/Written: 05/05/2008 03:31:52 PM
Event ID/Source: 1002 / Application Hang
Event Description:
Hanging application regedit.exe, version 5.1.2600.2180, hang module hungapp, version 0.0.0.0, hang address 0x00000000.

Event Record #/Type3435 / Error
Event Submitted/Written: 05/03/2008 04:07:36 PM
Event ID/Source: 1002 / Application Hang
Event Description:
Hanging application explorer.exe, version 6.0.2900.3156, hang module hungapp, version 0.0.0.0, hang address 0x00000000.

Event Record #/Type3429 / Error
Event Submitted/Written: 05/03/2008 01:45:30 PM
Event ID/Source: 1000 / Application Error
Event Description:
Faulting application mmc.exe, version 5.1.2600.2180, faulting module ntdll.dll, version 5.1.2600.2180, fault address 0x00010f29.
Processing media-specific event for [mmc.exe!ws!]



-- Security Event Log ----------------------------------------------------------

No Errors/Warnings found.


-- System Event Log ------------------------------------------------------------

No Errors/Warnings found.


-- End of Deckard's System Scanner: finished at 2008-05-09 19:30:10 ------------







when i used the online scanner i got these results

Antivirus Version Last Update Result
AhnLab-V3 - - -
AntiVir - - HEUR/Malware
Authentium - - Possibly a new variant of W32/VB-EMU:VB-Backdoor-PEK-based!Maximus
Avast - - -
AVG - - PSW.VB.DO
BitDefender - - BehavesLike:Trojan.TaskDisabler
CAT-QuickHeal - - -
ClamAV - - -
DrWeb - - BACKDOOR.Trojan
eSafe - - -
eTrust-Vet - - -
Ewido - - -
F-Prot - - W32/VB-EMU:VB-Backdoor-PEK-based!Maximus
F-Secure - - -
FileAdvisor - - -
Fortinet - - -
Ikarus - - BehavesLikeTrojan.TaskDisabler
Kaspersky - - -
McAfee - - -
Microsoft - - -
NOD32v2 - - probably unknown NewHeur_PE virus
Norman - - -
Panda - - Suspicious file
Prevx1 - - Heuristic: Suspicious File With Covert Attributes
Rising - - -
Sophos - - Mal/Emogen-K
Sunbelt - - -
Symantec - - -
TheHacker - - -
VBA32 - - -
VirusBuster - - -
Webwasher-Gateway - - Heuristic.Malware

#7 pskelley

pskelley

  • Staff Emeritus
  • 1,487 posts
  • OFFLINE
  •  
  • Local time:07:49 AM

Posted 09 May 2008 - 06:55 PM

What I need to see is a HijackThis log, NOT a Deckard's System Scan.
Look at the first log you posted on May 3, 2008, 04:42 PM

Post a new log like that.

Thanks
MS-MVP Windows Security 2007-08
Proud Member ASAP
UNITE Member 2006

#8 sky770

sky770
  • Topic Starter

  • Members
  • 10 posts
  • OFFLINE
  •  
  • Local time:07:49 AM

Posted 09 May 2008 - 06:58 PM

o i am sorry about that here is the HJT log sorry if i wasted you time


Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 7:57:25 PM, on 5/9/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16640)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 7.0\avp.exe
C:\WINDOWS\system32\cisvc.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Viewpoint\Common\ViewpointService.exe
c:\WINDOWS\system32\ZuneBusEnum.exe
C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
C:\Program Files\Analog Devices\SoundMAX\SMax4PNP.exe
C:\Program Files\Analog Devices\SoundMAX\Smax4.exe
C:\WINDOWS\System32\igfxtray.exe
C:\WINDOWS\System32\hkcmd.exe
C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe
C:\Program Files\Zune\ZuneLauncher.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 7.0\avp.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Common Files\InstallShield\UpdateService\isuspm.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\HP\Digital Imaging\bin\hpqimzone.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe
C:\Program Files\Java\jre1.6.0_03\bin\jucheck.exe
C:\WINDOWS\system32\cidaemon.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\hjt\HiJackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.com/customize/ie/defaul...rch/search.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R3 - URLSearchHook: (no name) - {EA756889-2338-43DB-8F07-D1CA6FB9C90D} - (no file)
O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - (no file)
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O2 - BHO: IEHlprObj Class - {8CA5ED52-F3FB-4414-A105-2E3491156990} - C:\PROGRA~1\IWINGA~1\IWINGA~1.DLL (file missing)
O4 - HKLM\..\Run: [IMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE /SYNC
O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE /IMEName
O4 - HKLM\..\Run: [SoundMAXPnP] C:\Program Files\Analog Devices\SoundMAX\SMax4PNP.exe
O4 - HKLM\..\Run: [SoundMAX] "C:\Program Files\Analog Devices\SoundMAX\Smax4.exe" /tray
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"
O4 - HKLM\..\Run: [ISUSPM Startup] C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\isuspm.exe -startup
O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [Adobe Photo Downloader] "C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe"
O4 - HKLM\..\Run: [Zune Launcher] "c:\Program Files\Zune\ZuneLauncher.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [AVP] "C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 7.0\avp.exe"
O4 - HKLM\..\Run: [SchedullingAgent] c:\windows\system32\schedullingagent.exe
O4 - HKLM\..\RunServices: [SchedullingAgent] c:\windows\system32\schedullingagent.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [ISUSPM] "C:\Program Files\Common Files\InstallShield\UpdateService\isuspm.exe" -scheduler
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: HP Photosmart Premier Fast Start.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqthb08.exe
O8 - Extra context menu item: &AOL Toolbar Search - c:\program files\aol\aol toolbar 2.0\resources\en-US\local\search.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: Web Anti-Virus statistics - {1F460357-8A94-4D71-9CA3-AA4ACF32ED8E} - C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 7.0\SCIEPlgn.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (Installation Support) - C:\Program Files\Yahoo!\Common\Yinsthelper.dll
O16 - DPF: {48DD0448-9209-4F81-9F6D-D83562940134} (MySpace Uploader Control) - http://lads.myspace.com/upload/MySpaceUploader1006.cab
O16 - DPF: {BD08A9D5-0E5C-4F42-99A3-C0CB5E860557} (CSolidBrowserObj Object) - http://cdn1.acclaimdownloads.com/solidstateion.cab
O16 - DPF: {D821DC4A-0814-435E-9820-661C543A4679} (CRLDownloadWrapper Class) - http://drmlicense.one.microsoft.com/crlupdate/en/crlocx.ocx
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: NameServer = 85.255.116.25 85.255.112.94
O21 - SSODL: amaranthaceous - {4fc003c3-87a0-489c-85cd-878246eb2d18} - (no file)
O22 - SharedTaskScheduler: amaranthaceous - {4fc003c3-87a0-489c-85cd-878246eb2d18} - (no file)
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Kaspersky Anti-Virus 7.0 (AVP) - Kaspersky Lab - C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 7.0\avp.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - CACE Technologies - C:\Program Files\WinPcap\rpcapd.exe
O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exe

--
End of file - 8464 bytes

#9 pskelley

pskelley

  • Staff Emeritus
  • 1,487 posts
  • OFFLINE
  •  
  • Local time:07:49 AM

Posted 09 May 2008 - 07:12 PM

Thanks for returning your information, let's proceed like this. Read and follow the directions carefully and in the numbered order.

1) See this: http://forums.spybot.info/showpost.php?p=1...amp;postcount=2
C:\Program Files\Java\jre1.6.0_03\ <<< update your Java program

2) C:\Program Files\Viewpoint\Common\ViewpointService.exe
C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
For your information, Viewpoint is installed by aol probably without your knowledge. I suggest you uninstall this resource waster in Add Remove programs.
http://www.greatis.com/appdata/u/v/viewmgr.exe.htm
http://www.spywareinfo.com/newsletter/arch...4.php#viewpoint
http://www.clickz.com/news/article.php/3561546

3) How to make files and folders visible:
Click Start > Open My Computer.
Select the Tools menu and click Folder Options.
Select the View Tab. Under the Hidden files and folders heading, select Show hidden files and folders.
Uncheck: Hide file extensions for known file types
Uncheck the Hide protected operating system files (recommended) option.
Click Yes to confirm. Click OK.
You may reverse this for safety when we are finished.

4) Please download ATF Cleaner by Atribune
http://www.atribune.org/public-beta/ATF-Cleaner.exe
Save it to your Desktop. We will use this later.

5) Open HijackThis and choose "Do a system scan only" then check the box in front of these line items:

R3 - URLSearchHook: (no name) - {EA756889-2338-43DB-8F07-D1CA6FB9C90D} - (no file)
O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - (no file)
O2 - BHO: IEHlprObj Class - {8CA5ED52-F3FB-4414-A105-2E3491156990} - C:\PROGRA~1\IWINGA~1\IWINGA~1.DLL (file missing)
O4 - HKLM\..\Run: [SchedullingAgent] c:\windows\system32\schedullingagent.exe
O4 - HKLM\..\RunServices: [SchedullingAgent] c:\windows\system32\schedullingagent.exe
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: NameServer = 85.255.116.25 85.255.112.94
O21 - SSODL: amaranthaceous - {4fc003c3-87a0-489c-85cd-878246eb2d18} - (no file)
O22 - SharedTaskScheduler: amaranthaceous - {4fc003c3-87a0-489c-85cd-878246eb2d18} - (no file)

Close all programs but HJT and all browser windows, then click on "Fix Checked"

6) Right click Start > Explore and navigate to these files/folders and delete them if there.

c:\windows\system32\schedullingagent.exe <<< delete that file

7) Run ATF Cleaner
Double-click ATF-Cleaner.exe to run the program.
Click Select All found at the bottom of the list.
Click the Empty Selected button.
Click Exit on the Main menu to close the program.

Restart and post a new HJT log and tell me how the computer is running now.

Thanks...Phil

(it will be morning EST before I see any response)
MS-MVP Windows Security 2007-08
Proud Member ASAP
UNITE Member 2006

#10 sky770

sky770
  • Topic Starter

  • Members
  • 10 posts
  • OFFLINE
  •  
  • Local time:07:49 AM

Posted 09 May 2008 - 08:27 PM

ok i followed the directions but my kaspersky says
5/9/2008 9:23:05 PM \Driver\kbdcap Keylogger detected. Process is trying to redirect keyboard input.

dont know what that means but here are the HJT logs


Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 9:24:39 PM, on 5/9/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16640)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 7.0\avp.exe
C:\WINDOWS\system32\cisvc.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Viewpoint\Common\ViewpointService.exe
c:\WINDOWS\system32\ZuneBusEnum.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Analog Devices\SoundMAX\SMax4PNP.exe
C:\Program Files\Analog Devices\SoundMAX\Smax4.exe
C:\WINDOWS\System32\igfxtray.exe
C:\WINDOWS\System32\hkcmd.exe
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 7.0\avp.exe
C:\Program Files\Java\jre1.6.0_06\bin\jusched.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Common Files\InstallShield\UpdateService\isuspm.exe
C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\HP\Digital Imaging\bin\hpqimzone.exe
C:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\hjt\HiJackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.com/customize/ie/defaul...rch/search.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_06\bin\ssv.dll
O4 - HKLM\..\Run: [IMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE /SYNC
O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE /IMEName
O4 - HKLM\..\Run: [SoundMAXPnP] C:\Program Files\Analog Devices\SoundMAX\SMax4PNP.exe
O4 - HKLM\..\Run: [SoundMAX] "C:\Program Files\Analog Devices\SoundMAX\Smax4.exe" /tray
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [ISUSPM Startup] C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\isuspm.exe -startup
O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [Adobe Photo Downloader] "C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe"
O4 - HKLM\..\Run: [Zune Launcher] "c:\Program Files\Zune\ZuneLauncher.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [AVP] "C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 7.0\avp.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_06\bin\jusched.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [ISUSPM] "C:\Program Files\Common Files\InstallShield\UpdateService\isuspm.exe" -scheduler
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: HP Photosmart Premier Fast Start.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqthb08.exe
O8 - Extra context menu item: &AOL Toolbar Search - c:\program files\aol\aol toolbar 2.0\resources\en-US\local\search.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_06\bin\ssv.dll
O9 - Extra button: Web Anti-Virus statistics - {1F460357-8A94-4D71-9CA3-AA4ACF32ED8E} - C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 7.0\SCIEPlgn.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (Installation Support) - C:\Program Files\Yahoo!\Common\Yinsthelper.dll
O16 - DPF: {48DD0448-9209-4F81-9F6D-D83562940134} (MySpace Uploader Control) - http://lads.myspace.com/upload/MySpaceUploader1006.cab
O16 - DPF: {BD08A9D5-0E5C-4F42-99A3-C0CB5E860557} (CSolidBrowserObj Object) - http://cdn1.acclaimdownloads.com/solidstateion.cab
O16 - DPF: {D821DC4A-0814-435E-9820-661C543A4679} (CRLDownloadWrapper Class) - http://drmlicense.one.microsoft.com/crlupdate/en/crlocx.ocx
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Kaspersky Anti-Virus 7.0 (AVP) - Kaspersky Lab - C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 7.0\avp.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - CACE Technologies - C:\Program Files\WinPcap\rpcapd.exe
O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exe

--
End of file - 7613 bytes

#11 pskelley

pskelley

  • Staff Emeritus
  • 1,487 posts
  • OFFLINE
  •  
  • Local time:07:49 AM

Posted 10 May 2008 - 05:49 AM

http://www.google.com/search?hl=en&q=k...G=Google+Search

I would like to see the results of a Kaspersky Online Scan. You may have to turn off the resident Kaspersky while you scan? Use these instructions:

Run this online scan using Internet Explorer:
Kaspersky Online Scanner from http://www.kaspersky.com/virusscanner

Next Click on Launch Kaspersky Online Scanner

You will be prompted to install an ActiveX component from Kaspersky, Click Yes.

* The program will launch and then begin downloading the latest definition files:
* Once the files have been downloaded click on NEXT
* Now click on Scan Settings
* In the scan settings make that the following are selected:
* Scan using the following Anti-Virus database:
* Standard
* Scan Options:
* Scan Archives
* Scan Mail Bases
* Click OK
* Now under select a target to scan:
* Select My Computer
* This will program will start and scan your system.
* The scan will take a while so be patient and let it run.
* Once the scan is complete it will display if your system has been infected.
* Now click on the Save as Text button:
* Save the file to your desktop.

Then post it here.

Thanks
MS-MVP Windows Security 2007-08
Proud Member ASAP
UNITE Member 2006

#12 sky770

sky770
  • Topic Starter

  • Members
  • 10 posts
  • OFFLINE
  •  
  • Local time:07:49 AM

Posted 11 May 2008 - 03:04 PM

had to split the results in two

ASPERSKY ONLINE SCANNER REPORT
Saturday, May 10, 2008 5:57:27 PM
Operating System: Microsoft Windows XP Home Edition, Service Pack 2 (Build 2600)
Kaspersky Online Scanner version: 5.0.98.0
Kaspersky Anti-Virus database last update: 10/05/2008
Kaspersky Anti-Virus database records: 674961
-------------------------------------------------------------------------------

Scan Settings:
Scan using the following antivirus database: standard
Scan Archives: true
Scan Mail Bases: true

Scan Target - My Computer:
A:\
C:\
D:\
E:\

Scan Statistics:
Total number of scanned objects: 124774
Number of viruses found: 0
Number of infected objects: 0
Number of suspicious objects: 0
Duration of the scan process: 02:23:43

Infected Object Name / Virus Name / Last Action
C:\Documents and Settings\All Users\Application Data\Microsoft\Crypto\DSS\MachineKeys\8fde6f2109aa45372937689f5fe00d45_79f15701-487d-4d57-9dcb-6393cb55684f Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Crypto\RSA\MachineKeys\001630fef3423481fc5697dcc21cb264_79f15701-487d-4d57-9dcb-6393cb55684f Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Crypto\RSA\MachineKeys\00494450ce1abee66b2f816eede9a06c_79f15701-487d-4d57-9dcb-6393cb55684f Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Crypto\RSA\MachineKeys\00c25645f102cc95fa7686e2ce935891_79f15701-487d-4d57-9dcb-6393cb55684f Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Crypto\RSA\MachineKeys\00d39378ac3625a63fde0163a35bd9c2_79f15701-487d-4d57-9dcb-6393cb55684f Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Crypto\RSA\MachineKeys\016ab72673d1ef7b57c71761268e79c3_79f15701-487d-4d57-9dcb-6393cb55684f Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Crypto\RSA\MachineKeys\018153554450924b39ae97b69bbdd162_79f15701-487d-4d57-9dcb-6393cb55684f Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Crypto\RSA\MachineKeys\0236ff30af2fcdebb88e6e17c5180ea0_79f15701-487d-4d57-9dcb-6393cb55684f Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Crypto\RSA\MachineKeys\02669b0c4d4dc08256f56a44d9995868_79f15701-487d-4d57-9dcb-6393cb55684f Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Crypto\RSA\MachineKeys\02a4d45e5a27ce2fad4fdfc70c486a63_79f15701-487d-4d57-9dcb-6393cb55684f Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Crypto\RSA\MachineKeys\02db6fe1732be156a71f0a85f23a3ad8_79f15701-487d-4d57-9dcb-6393cb55684f Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Crypto\RSA\MachineKeys\031270dab3350c5b1b51cb6bb5713905_79f15701-487d-4d57-9dcb-6393cb55684f Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Crypto\RSA\MachineKeys\0365609ccecefd0d21ec3f9fcb16c4e6_79f15701-487d-4d57-9dcb-6393cb55684f Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Crypto\RSA\MachineKeys\03ab53b757eaa8a729618f6bbc591490_79f15701-487d-4d57-9dcb-6393cb55684f Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Crypto\RSA\MachineKeys\03ae79d2bcb09863a8515e7094099021_79f15701-487d-4d57-9dcb-6393cb55684f Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Crypto\RSA\MachineKeys\03dcb2977cee3688790f643e649905fa_79f15701-487d-4d57-9dcb-6393cb55684f Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Crypto\RSA\MachineKeys\04ed8bb6f6512287d2377c7122e0834e_79f15701-487d-4d57-9dcb-6393cb55684f Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Crypto\RSA\MachineKeys\04f8a52d6168ba5f135622d3a51bb477_79f15701-487d-4d57-9dcb-6393cb55684f Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Crypto\RSA\MachineKeys\051d371e05d15b22b90bcbfe738d67ad_79f15701-487d-4d57-9dcb-6393cb55684f Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Crypto\RSA\MachineKeys\05aad42b04cf26a3908c1f13c94c871b_79f15701-487d-4d57-9dcb-6393cb55684f Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Crypto\RSA\MachineKeys\05ca92646d34b9bcfeac6a4fecee65f3_79f15701-487d-4d57-9dcb-6393cb55684f Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Crypto\RSA\MachineKeys\05d773e9048c1f5c806bfbfc8b6e8ded_79f15701-487d-4d57-9dcb-6393cb55684f Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Crypto\RSA\MachineKeys\06284744a7a3e5df13c342c2041116c6_79f15701-487d-4d57-9dcb-6393cb55684f Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Crypto\RSA\MachineKeys\06392e4f08c708350096fe02d514edc7_79f15701-487d-4d57-9dcb-6393cb55684f Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Crypto\RSA\MachineKeys\06c21db70ec50275fccd1633cd85a9b4_79f15701-487d-4d57-9dcb-6393cb55684f Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Crypto\RSA\MachineKeys\06e051045d8240f1ac41077ab7518b1a_79f15701-487d-4d57-9dcb-6393cb55684f Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Crypto\RSA\MachineKeys\06fe80ebb07030c74ab677eb734e6bcb_79f15701-487d-4d57-9dcb-6393cb55684f Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Crypto\RSA\MachineKeys\0713faf92ce1affb12bfdf4b9301bd3d_79f15701-487d-4d57-9dcb-6393cb55684f Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Crypto\RSA\MachineKeys\0727b701a81f1236c8d514c5832a2cdf_79f15701-487d-4d57-9dcb-6393cb55684f Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Crypto\RSA\MachineKeys\07b275beac16d9e1a55399b430d9381e_79f15701-487d-4d57-9dcb-6393cb55684f Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Crypto\RSA\MachineKeys\08076e222d94c3fd7cb2ba201fee9e8a_79f15701-487d-4d57-9dcb-6393cb55684f Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Crypto\RSA\MachineKeys\08565b2e1b8742733fe7234fafacd757_79f15701-487d-4d57-9dcb-6393cb55684f Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Crypto\RSA\MachineKeys\08a019ab73a9d1e6315eabdfdfd438ff_79f15701-487d-4d57-9dcb-6393cb55684f Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Crypto\RSA\MachineKeys\08a04422abbbd445ea72efb4499fd358_79f15701-487d-4d57-9dcb-6393cb55684f Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Crypto\RSA\MachineKeys\08eb91b64f879077b824649e96bccede_79f15701-487d-4d57-9dcb-6393cb55684f Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Crypto\RSA\MachineKeys\092acdddf3e4011a26dabc1fb1fa04d4_79f15701-487d-4d57-9dcb-6393cb55684f Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Crypto\RSA\MachineKeys\09628b119bbbedfb0600a51958562396_79f15701-487d-4d57-9dcb-6393cb55684f Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Crypto\RSA\MachineKeys\0a161258820bbe3c8fea982c24fee574_79f15701-487d-4d57-9dcb-6393cb55684f Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Crypto\RSA\MachineKeys\0a9287d9f14a69945478ee57021a0eab_79f15701-487d-4d57-9dcb-6393cb55684f Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Crypto\RSA\MachineKeys\0afee6939f6b3297c451518b7abe7516_79f15701-487d-4d57-9dcb-6393cb55684f Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Crypto\RSA\MachineKeys\0b121f109d25d7241e6ba87228a3f1cf_79f15701-487d-4d57-9dcb-6393cb55684f Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Crypto\RSA\MachineKeys\0b6d6973b3576d45738660e097fb9eee_79f15701-487d-4d57-9dcb-6393cb55684f Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Crypto\RSA\MachineKeys\0bccd8b577b62cdf3cf3e82d8ab1705e_79f15701-487d-4d57-9dcb-6393cb55684f Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Crypto\RSA\MachineKeys\0bf206ed195a8f8b78db871a81ad8b55_79f15701-487d-4d57-9dcb-6393cb55684f Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Crypto\RSA\MachineKeys\0c2f09f2665c93f1c4f623e1630befe9_79f15701-487d-4d57-9dcb-6393cb55684f Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Crypto\RSA\MachineKeys\0c53798037b7da7e743a8954b7246eec_79f15701-487d-4d57-9dcb-6393cb55684f Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Crypto\RSA\MachineKeys\0cf8780e0c0edda38a6edf25ad078d93_79f15701-487d-4d57-9dcb-6393cb55684f Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Crypto\RSA\MachineKeys\0deb75b603049aac9f87752f90a9b91c_79f15701-487d-4d57-9dcb-6393cb55684f Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Crypto\RSA\MachineKeys\0e2ee813bb529d1a03740d292d4954dc_79f15701-487d-4d57-9dcb-6393cb55684f Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Crypto\RSA\MachineKeys\0e690e26151420b6894dfdebb7207531_79f15701-487d-4d57-9dcb-6393cb55684f Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Crypto\RSA\MachineKeys\0f01411dd5cc3d9a4f7bca4f385617d6_79f15701-487d-4d57-9dcb-6393cb55684f Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Crypto\RSA\MachineKeys\0f1e58a317b52a2edbc291dc1bbdcce5_79f15701-487d-4d57-9dcb-6393cb55684f Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Crypto\RSA\MachineKeys\0fa8a2db6726bdd4f52b7b8fbff8e594_79f15701-487d-4d57-9dcb-6393cb55684f Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Crypto\RSA\MachineKeys\0fad2cf173b46f59454d569fdae6ba1f_79f15701-487d-4d57-9dcb-6393cb55684f Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Crypto\RSA\MachineKeys\0fc51100c912533ab6d7337140697b86_79f15701-487d-4d57-9dcb-6393cb55684f Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Crypto\RSA\MachineKeys\10135469145b48424a69cc2686333571_79f15701-487d-4d57-9dcb-6393cb55684f Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Crypto\RSA\MachineKeys\104e10cce776b89e3e28391476a10f2b_79f15701-487d-4d57-9dcb-6393cb55684f Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Crypto\RSA\MachineKeys\107a16022d354e70dcdced6b29794f3a_79f15701-487d-4d57-9dcb-6393cb55684f Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Crypto\RSA\MachineKeys\108172bc304f2d05c740e090bc91f0c8_79f15701-487d-4d57-9dcb-6393cb55684f Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Crypto\RSA\MachineKeys\10a7ecac277105a57016f1836e105416_79f15701-487d-4d57-9dcb-6393cb55684f Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Crypto\RSA\MachineKeys\10aebc1118f2167186eebd37da22ef33_79f15701-487d-4d57-9dcb-6393cb55684f Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Crypto\RSA\MachineKeys\10eb453e1e03aa8a376c8416bca62d7a_79f15701-487d-4d57-9dcb-6393cb55684f Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Crypto\RSA\MachineKeys\112018d917eb613c58ee07dedfb05bd4_79f15701-487d-4d57-9dcb-6393cb55684f Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Crypto\RSA\MachineKeys\11280789b521d4e7527a89c29ab516b7_79f15701-487d-4d57-9dcb-6393cb55684f Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Crypto\RSA\MachineKeys\1185c3efa71aaff28ccb6c0ca0c62359_79f15701-487d-4d57-9dcb-6393cb55684f Object is locked skipped

#13 sky770

sky770
  • Topic Starter

  • Members
  • 10 posts
  • OFFLINE
  •  
  • Local time:07:49 AM

Posted 11 May 2008 - 03:06 PM

i dont know why but alot of objects in my brothers doc got skipped

#14 pskelley

pskelley

  • Staff Emeritus
  • 1,487 posts
  • OFFLINE
  •  
  • Local time:07:49 AM

Posted 11 May 2008 - 03:24 PM

No reason to post that Kaspersky Online Scan:
Number of viruses found: 0
Number of infected objects: 0
Number of suspicious objects: 0

I am trying to figure out why Kaspersky is finding this "keylogger"
and the Kaspersky Online Scan is not. I would like to know exactly where your resident antivirus says the item is located. That information should be provided.

according to runscanner see this:
http://www.runscanner.net/files/sys/kbdcap/kbdcap.sys.aspx
A driver is used by windows to control your hardware. Each hardware component in your computer must have a driver, otherwise it cannot be used by windows

C:\WINDOWS\system32\drivers\kbdcap.sys <<< navigate to that file and scan it with one more more of these free online scanners:
http://virusscan.jotti.org/
http://www.kaspersky.com/scanforvirus
http://www.virustotal.com/

post the results. While there, right click and choose Properties. Click the Version Tab, the Copyright: should be Microsoft Corporation, post the Description so I can see what it is.

Thanks
MS-MVP Windows Security 2007-08
Proud Member ASAP
UNITE Member 2006

#15 sky770

sky770
  • Topic Starter

  • Members
  • 10 posts
  • OFFLINE
  •  
  • Local time:07:49 AM

Posted 13 May 2008 - 01:27 PM

when i got to the kbdcap file it does not say anything about Microsoft it was created on april 10 and modified on the same date when you go to properties there is no version tab just general and summary. its 106kb and opens with an unknown application


also when i scan the file with the online scanners they all come back clean

Edited by sky770, 13 May 2008 - 01:28 PM.





0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users