Infected With Explorer.exe And Superjuan.bdb


  • This topic is locked
4 replies to this topic

#1 peterlu84


Posted 17 May 2008 - 12:02 AM

Hello everyone, I had a virus that no antivirus or spyware tool can clean, and I finally found that the virus is in my C:\Windows\Explorer.EXE, but no antivirus can remove it. They said they can't find the object.
Whenever I open my IE, it will not load any website, or it will crash with a few new IE windows open.
And now, whenever I start Windows, IE will connect to some website that I don't know, by itself, and keep opening IE windows that never stop, to (http://83.149.75.33/info.png?cmp=ghrnc_return&uid=3944DE5E172211DD9CB0152726CFFFFF&guid=1F664DDBB66A4DDBBB898D5AF3DCEE36&affid=152290&lid=http&z=us)
I also know there is an (adware.win32.superjuan.bdb) on my computer too. I don't know if it has been removed.
First of all, it's not that serious: IE would just miss words when I type; if I type fast, some of the words won't come out, which never happens on my other PC. And then IE will not load another website; it will only load the home page. So mostly, when I open IE, information will transfer out to others.
I have used Kaspersky to scan it; it found that Explorer.EXE has a problem but can't remove it.

I really don't want to format my computer. Hope you guys can help... Thanks so much!
I'm using Windows Vista 32-bit Ultimate. Thanks.
Here I will post my Kaspersky log, followed by the DSS log.

Kaspersky Log
Detected:
deleted: adware not-a-virus:AdWare.Win32.SuperJuan.bdb File: C:\Users\Hang\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\R812H5DT\query[1]
deleted: Trojan program Trojan.Win32.Monder.gen File: C:\Users\Hang\AppData\Local\Temp\ttoixonb.dll//PE_Patch
deleted: Trojan program Trojan.Win32.Monder.gen File: C:\Users\Hang\Downloads\KASPERSKY INTERNET SECURITY v7.0.1.325 + GENUINE KEYS.rar/KASPERSKY INTERNET SECURITY v7.0.1.325 + GENUINE KEYS\kis_7.0.1.325_eng.EXE//data0000.cab/1508~1.EXE//PE_Patch
detected: riskware Hidden data sending Running process: C:\Windows\Explorer.EXE
detected: riskware Hidden data sending Running process: C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe



Events:
5/16/2008 12:59:29 AM You are advised to perform a full computer scan as soon as possible.
5/16/2008 12:59:33 AM Database is out of date, leaving your computer at risk of infection. Please update your database.
5/16/2008 12:59:33 AM Protection of your computer is enabled.
5/16/2008 1:04:28 AM Please restart your computer to complete the installation of new or updated protection components.
5/16/2008 1:04:34 AM Update completed successfully
5/16/2008 1:04:53 AM Protection of your computer is not running. You are advised to resume protection.
5/16/2008 1:06:30 AM You are advised to perform a full computer scan as soon as possible.
5/16/2008 1:06:31 AM Protection of your computer is enabled.
5/16/2008 1:07:49 AM Databases are up to date
5/16/2008 1:08:51 AM Databases are up to date
5/16/2008 2:56:15 AM File C:\Users\Hang\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\R812H5DT\query[1]: detected: adware 'not-a-virus:AdWare.Win32.SuperJuan.bdb'.
5/16/2008 2:56:15 AM File C:\Users\Hang\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\R812H5DT\query[1]: detected: adware 'not-a-virus:AdWare.Win32.SuperJuan.bdb'.
5/16/2008 2:56:15 AM Security threats have been detected. You are advised to neutralize them immediately.
5/16/2008 2:56:15 AM File C:\Users\Hang\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\R812H5DT\query[1]: is still infected, postponed.
5/16/2008 2:56:15 AM File C:\Users\Hang\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\R812H5DT\query[1]: is still infected, postponed.
5/16/2008 2:59:53 AM File C:\Users\Hang\AppData\Local\Temp\ttoixonb.dll//PE_Patch: detected: Trojan program 'Trojan.Win32.Monder.gen'.
5/16/2008 2:59:53 AM File C:\Users\Hang\AppData\Local\Temp\ttoixonb.dll//PE_Patch: detected: Trojan program 'Trojan.Win32.Monder.gen'.
5/16/2008 2:59:53 AM File C:\Users\Hang\AppData\Local\Temp\ttoixonb.dll//PE_Patch: is still infected, postponed.
5/16/2008 2:59:54 AM File C:\Users\Hang\AppData\Local\Temp\ttoixonb.dll//PE_Patch: is still infected, postponed.
5/16/2008 3:19:54 AM File C:\Users\Hang\Downloads\KASPERSKY INTERNET SECURITY v7.0.1.325 + GENUINE KEYS.rar/KASPERSKY INTERNET SECURITY v7.0.1.325 + GENUINE KEYS\kis_7.0.1.325_eng.EXE//data0000.cab/1508~1.EXE//PE_Patch: detected: Trojan program 'Trojan.Win32.Monder.gen'.
5/16/2008 3:19:54 AM File C:\Users\Hang\Downloads\KASPERSKY INTERNET SECURITY v7.0.1.325 + GENUINE KEYS.rar/KASPERSKY INTERNET SECURITY v7.0.1.325 + GENUINE KEYS\kis_7.0.1.325_eng.EXE//data0000.cab/1508~1.EXE//PE_Patch: is still infected, postponed.
5/16/2008 3:20:07 AM File C:\Users\Hang\Downloads\KASPERSKY INTERNET SECURITY v7.0.1.325 + GENUINE KEYS.rar/KASPERSKY INTERNET SECURITY v7.0.1.325 + GENUINE KEYS\kis_7.0.1.325_eng.EXE//data0000.cab/1508~1.EXE//PE_Patch: detected: Trojan program 'Trojan.Win32.Monder.gen'.
5/16/2008 3:20:07 AM File C:\Users\Hang\Downloads\KASPERSKY INTERNET SECURITY v7.0.1.325 + GENUINE KEYS.rar/KASPERSKY INTERNET SECURITY v7.0.1.325 + GENUINE KEYS\kis_7.0.1.325_eng.EXE//data0000.cab/1508~1.EXE//PE_Patch: is still infected, postponed.
5/16/2008 3:23:03 AM Update completed successfully
5/16/2008 3:30:20 AM Intrusion.Win.MSSQL.worm.Helkern! Attacker IP address: 220.163.85.203. Protocol/service: UDP on local port 1434. Time: 5/16/2008 3:30:20 AM
5/16/2008 4:24:11 AM File D:\Movies\New CDs\Gwen_Stefani_-_Love_Angel_Music_Baby.rar/Gwen_Stefani_-_Love_Angel_Music_Baby_www.goldesel.to\00-gwen_stefani_-_love_angel_music_baby-2004-back-lis.jpg: is password protected.
5/16/2008 4:24:11 AM File D:\Movies\New CDs\Gwen_Stefani_-_Love_Angel_Music_Baby.rar/Gwen_Stefani_-_Love_Angel_Music_Baby_www.goldesel.to\00-gwen_stefani_-_love_angel_music_baby-2004-back-lis.jpg: is password protected.
5/16/2008 4:24:11 AM File D:\Movies\New CDs\Gwen_Stefani_-_Love_Angel_Music_Baby.rar/Gwen_Stefani_-_Love_Angel_Music_Baby_www.goldesel.to\00-gwen_stefani_-_love_angel_music_baby-2004-lis.m3u: is password protected.
5/16/2008 4:24:11 AM File D:\Movies\New CDs\Gwen_Stefani_-_Love_Angel_Music_Baby.rar/Gwen_Stefani_-_Love_Angel_Music_Baby_www.goldesel.to\00-gwen_stefani_-_love_angel_music_baby-2004-lis.m3u: is password protected.
5/16/2008 4:24:11 AM File D:\Movies\New CDs\Gwen_Stefani_-_Love_Angel_Music_Baby.rar/Gwen_Stefani_-_Love_Angel_Music_Baby_www.goldesel.to\01-what_you_waiting_for-lis.mp3: is password protected.
5/16/2008 4:24:11 AM File D:\Movies\New CDs\Gwen_Stefani_-_Love_Angel_Music_Baby.rar/Gwen_Stefani_-_Love_Angel_Music_Baby_www.goldesel.to\01-what_you_waiting_for-lis.mp3: is password protected.
5/16/2008 4:24:11 AM File D:\Movies\New CDs\Gwen_Stefani_-_Love_Angel_Music_Baby.rar/Gwen_Stefani_-_Love_Angel_Music_Baby_www.goldesel.to\02-rich_girl_feat_eve-lis.mp3: is password protected.
5/16/2008 4:24:11 AM File D:\Movies\New CDs\Gwen_Stefani_-_Love_Angel_Music_Baby.rar/Gwen_Stefani_-_Love_Angel_Music_Baby_www.goldesel.to\02-rich_girl_feat_eve-lis.mp3: is password protected.
5/16/2008 4:24:11 AM File D:\Movies\New CDs\Gwen_Stefani_-_Love_Angel_Music_Baby.rar/Gwen_Stefani_-_Love_Angel_Music_Baby_www.goldesel.to\03-hollandback_girl-lis.mp3: is password protected.
5/16/2008 4:24:11 AM File D:\Movies\New CDs\Gwen_Stefani_-_Love_Angel_Music_Baby.rar/Gwen_Stefani_-_Love_Angel_Music_Baby_www.goldesel.to\03-hollandback_girl-lis.mp3: is password protected.
5/16/2008 4:24:11 AM File D:\Movies\New CDs\Gwen_Stefani_-_Love_Angel_Music_Baby.rar/Gwen_Stefani_-_Love_Angel_Music_Baby_www.goldesel.to\04-cool-lis.mp3: is password protected.
5/16/2008 4:24:11 AM File D:\Movies\New CDs\Gwen_Stefani_-_Love_Angel_Music_Baby.rar/Gwen_Stefani_-_Love_Angel_Music_Baby_www.goldesel.to\04-cool-lis.mp3: is password protected.
5/16/2008 4:24:11 AM File D:\Movies\New CDs\Gwen_Stefani_-_Love_Angel_Music_Baby.rar/Gwen_Stefani_-_Love_Angel_Music_Baby_www.goldesel.to\05-bubble_pop_electrinic_feat_johnny_vulture-lis.mp3: is password protected.
5/16/2008 4:24:11 AM File D:\Movies\New CDs\Gwen_Stefani_-_Love_Angel_Music_Baby.rar/Gwen_Stefani_-_Love_Angel_Music_Baby_www.goldesel.to\05-bubble_pop_electrinic_feat_johnny_vulture-lis.mp3: is password protected.
5/16/2008 4:24:11 AM File D:\Movies\New CDs\Gwen_Stefani_-_Love_Angel_Music_Baby.rar/Gwen_Stefani_-_Love_Angel_Music_Baby_www.goldesel.to\06-luxurious-lis.mp3: is password protected.
5/16/2008 4:24:11 AM File D:\Movies\New CDs\Gwen_Stefani_-_Love_Angel_Music_Baby.rar/Gwen_Stefani_-_Love_Angel_Music_Baby_www.goldesel.to\06-luxurious-lis.mp3: is password protected.
5/16/2008 4:24:11 AM File D:\Movies\New CDs\Gwen_Stefani_-_Love_Angel_Music_Baby.rar/Gwen_Stefani_-_Love_Angel_Music_Baby_www.goldesel.to\07-harajuku_girls-lis.mp3: is password protected.
5/16/2008 4:24:11 AM File D:\Movies\New CDs\Gwen_Stefani_-_Love_Angel_Music_Baby.rar/Gwen_Stefani_-_Love_Angel_Music_Baby_www.goldesel.to\07-harajuku_girls-lis.mp3: is password protected.
5/16/2008 4:24:11 AM File D:\Movies\New CDs\Gwen_Stefani_-_Love_Angel_Music_Baby.rar/Gwen_Stefani_-_Love_Angel_Music_Baby_www.goldesel.to\08-crash-lis.mp3: is password protected.
5/16/2008 4:24:11 AM File D:\Movies\New CDs\Gwen_Stefani_-_Love_Angel_Music_Baby.rar/Gwen_Stefani_-_Love_Angel_Music_Baby_www.goldesel.to\08-crash-lis.mp3: is password protected.
5/16/2008 4:24:11 AM File D:\Movies\New CDs\Gwen_Stefani_-_Love_Angel_Music_Baby.rar/Gwen_Stefani_-_Love_Angel_Music_Baby_www.goldesel.to\09-the_real_thing-lis.mp3: is password protected.
5/16/2008 4:24:11 AM File D:\Movies\New CDs\Gwen_Stefani_-_Love_Angel_Music_Baby.rar/Gwen_Stefani_-_Love_Angel_Music_Baby_www.goldesel.to\09-the_real_thing-lis.mp3: is password protected.
5/16/2008 4:24:11 AM File D:\Movies\New CDs\Gwen_Stefani_-_Love_Angel_Music_Baby.rar/Gwen_Stefani_-_Love_Angel_Music_Baby_www.goldesel.to\10-serious-lis.mp3: is password protected.
5/16/2008 4:24:11 AM File D:\Movies\New CDs\Gwen_Stefani_-_Love_Angel_Music_Baby.rar/Gwen_Stefani_-_Love_Angel_Music_Baby_www.goldesel.to\10-serious-lis.mp3: is password protected.
5/16/2008 4:24:11 AM File D:\Movies\New CDs\Gwen_Stefani_-_Love_Angel_Music_Baby.rar/Gwen_Stefani_-_Love_Angel_Music_Baby_www.goldesel.to\11-danger_zone-lis.mp3: is password protected.
5/16/2008 4:24:11 AM File D:\Movies\New CDs\Gwen_Stefani_-_Love_Angel_Music_Baby.rar/Gwen_Stefani_-_Love_Angel_Music_Baby_www.goldesel.to\11-danger_zone-lis.mp3: is password protected.
5/16/2008 4:24:11 AM File D:\Movies\New CDs\Gwen_Stefani_-_Love_Angel_Music_Baby.rar/Gwen_Stefani_-_Love_Angel_Music_Baby_www.goldesel.to\12-long_way_to_go-lis.mp3: is password protected.
5/16/2008 4:24:11 AM File D:\Movies\New CDs\Gwen_Stefani_-_Love_Angel_Music_Baby.rar/Gwen_Stefani_-_Love_Angel_Music_Baby_www.goldesel.to\12-long_way_to_go-lis.mp3: is password protected.
5/16/2008 4:24:11 AM File D:\Movies\New CDs\Gwen_Stefani_-_Love_Angel_Music_Baby.rar/Gwen_Stefani_-_Love_Angel_Music_Baby_www.goldesel.to\13-the_real_thing_bonus-lis.mp3: is password protected.
5/16/2008 4:24:11 AM File D:\Movies\New CDs\Gwen_Stefani_-_Love_Angel_Music_Baby.rar/Gwen_Stefani_-_Love_Angel_Music_Baby_www.goldesel.to\13-the_real_thing_bonus-lis.mp3: is password protected.
5/16/2008 4:24:11 AM File D:\Movies\New CDs\Gwen_Stefani_-_Love_Angel_Music_Baby.rar/Gwen_Stefani_-_Love_Angel_Music_Baby_www.goldesel.to\GoldEsel_-_visit_us_for_more_brandnew_stuff.url: is password protected.
5/16/2008 4:24:11 AM File D:\Movies\New CDs\Gwen_Stefani_-_Love_Angel_Music_Baby.rar/Gwen_Stefani_-_Love_Angel_Music_Baby_www.goldesel.to\GoldEsel_-_visit_us_for_more_brandnew_stuff.url: is password protected.
5/16/2008 4:24:11 AM File D:\Movies\New CDs\Gwen_Stefani_-_Love_Angel_Music_Baby.rar/Gwen_Stefani_-_Love_Angel_Music_Baby_www.goldesel.to\Tracklist.txt: is password protected.
5/16/2008 4:24:11 AM File D:\Movies\New CDs\Gwen_Stefani_-_Love_Angel_Music_Baby.rar/Gwen_Stefani_-_Love_Angel_Music_Baby_www.goldesel.to\Tracklist.txt: is password protected.
5/16/2008 4:24:11 AM File D:\Movies\New CDs\Gwen_Stefani_-_Love_Angel_Music_Baby.rar/Gwen_Stefani_-_Love_Angel_Music_Baby_www.goldesel.to\Wichtig_Lesen_Goldesel_Adressen.txt: is password protected.
5/16/2008 4:24:11 AM File D:\Movies\New CDs\Gwen_Stefani_-_Love_Angel_Music_Baby.rar/Gwen_Stefani_-_Love_Angel_Music_Baby_www.goldesel.to\Wichtig_Lesen_Goldesel_Adressen.txt: is password protected.
5/16/2008 4:34:03 AM File D:\MP3s\Destop Didn't make group\New Folder (2)\New Folder\Ocean Drive - Johnta Austin (Dec-2006) by elite9\Ocean Drive - Johnta Austin (Dec-2006) by elite9.zip/Ocean Drive - Johnta Austin (Dec-2006) by elite9/Ocean Drive - Johnta Austin (Dec-2006) by elite9.zip: is password protected.
5/16/2008 4:34:12 AM File D:\MP3s\Destop Didn't make group\New Folder (2)\New Folder\Ocean Drive - Johnta Austin (Dec-2006) by elite9\Ocean Drive - Johnta Austin (Dec-2006) by elite9.zip/Ocean Drive - Johnta Austin (Dec-2006) by elite9/Ocean Drive - Johnta Austin (Dec-2006) by elite9.zip: is password protected.
5/16/2008 5:05:58 AM File c:\users\hang\appdata\local\microsoft\windows\temporary internet files\content.ie5\r812h5dt\query[1]: detected: adware 'not-a-virus:AdWare.Win32.SuperJuan.bdb'.
5/16/2008 5:06:09 AM File c:\users\hang\appdata\local\microsoft\windows\temporary internet files\content.ie5\r812h5dt\query[1]: detected: adware 'not-a-virus:AdWare.Win32.SuperJuan.bdb'.
5/16/2008 5:42:32 AM Update completed successfully
5/16/2008 6:33:47 AM Intrusion.Win.MSSQL.worm.Helkern! Attacker IP address: 58.20.222.30. Protocol/service: UDP on local port 1434. Time: 5/16/2008 6:33:47 AM
5/16/2008 8:02:16 AM Update completed successfully
5/16/2008 8:38:03 AM File c:\users\hang\appdata\local\microsoft\windows\temporary internet files\content.ie5\r812h5dt\query[1]: deleted.
5/16/2008 8:38:03 AM File c:\users\hang\appdata\local\microsoft\windows\temporary internet files\content.ie5\r812h5dt\query[1] cannot be deleted.
5/16/2008 8:38:03 AM File c:\users\hang\appdata\local\temp\ttoixonb.dll//PE_Patch: detected: Trojan program 'Trojan.Win32.Monder.gen'.
5/16/2008 8:58:58 AM File c:\users\hang\appdata\local\temp\ttoixonb.dll//PE_Patch: detected: Trojan program 'Trojan.Win32.Monder.gen'.
5/16/2008 8:59:13 AM File c:\users\hang\appdata\local\temp\ttoixonb.dll//PE_Patch: is still infected, cannot be disinfected.
5/16/2008 8:59:14 AM File c:\users\hang\appdata\local\temp\ttoixonb.dll//PE_Patch: is still infected, cannot be disinfected.
5/16/2008 8:59:17 AM File c:\users\hang\appdata\local\temp\ttoixonb.dll: deleted.
5/16/2008 8:59:18 AM File c:\users\hang\appdata\local\temp\ttoixonb.dll//PE_Patch cannot be deleted.
5/16/2008 9:00:12 AM File c:\users\hang\downloads\kaspersky internet security v7.0.1.325 + genuine keys.rar/KASPERSKY INTERNET SECURITY v7.0.1.325 + GENUINE KEYS\kis_7.0.1.325_eng.EXE//data0000.cab/1508~1.EXE//PE_Patch: detected: Trojan program 'Trojan.Win32.Monder.gen'.
5/16/2008 9:00:12 AM File c:\users\hang\downloads\kaspersky internet security v7.0.1.325 + genuine keys.rar/KASPERSKY INTERNET SECURITY v7.0.1.325 + GENUINE KEYS\kis_7.0.1.325_eng.EXE//data0000.cab/1508~1.EXE//PE_Patch: detected: Trojan program 'Trojan.Win32.Monder.gen'.
5/16/2008 9:02:47 AM File c:\users\hang\downloads\kaspersky internet security v7.0.1.325 + genuine keys.rar/KASPERSKY INTERNET SECURITY v7.0.1.325 + GENUINE KEYS\kis_7.0.1.325_eng.EXE: deleted.
5/16/2008 9:02:52 AM File c:\users\hang\downloads\kaspersky internet security v7.0.1.325 + genuine keys.rar/KASPERSKY INTERNET SECURITY v7.0.1.325 + GENUINE KEYS\kis_7.0.1.325_eng.EXE: deleted.
5/16/2008 9:05:35 AM Process C:\Windows\Explorer.EXE (PID: 1188): attempt to perform suspicious actions is blocked.
5/16/2008 9:05:50 AM Process C:\Windows\Explorer.EXE (PID: 1188): attempt to perform suspicious actions is blocked.
5/16/2008 9:11:27 AM Protection of your computer is not running. You are advised to resume protection.
5/16/2008 9:13:06 AM Protection of your computer is enabled.
5/16/2008 11:35:29 AM Protection of your computer is not running. You are advised to resume protection.
5/16/2008 11:37:05 AM Protection of your computer is enabled.
5/16/2008 11:38:38 AM Update completed successfully
5/16/2008 12:38:42 PM Process C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe (PID 2140) successfully completed.
5/16/2008 12:38:50 PM Error placing C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe in quarantine (access denied or object not found)
5/16/2008 1:07:19 PM Protection of your computer is enabled.
5/16/2008 4:28:09 PM Protection of your computer is not running. You are advised to resume protection.
5/16/2008 4:29:21 PM Protection of your computer is enabled.
5/16/2008 4:51:58 PM Protection of your computer is not running. You are advised to resume protection.
5/16/2008 4:53:09 PM Protection of your computer is enabled.
5/16/2008 4:55:53 PM Update completed successfully
5/16/2008 5:03:09 PM Your evaluation period will end in 29 days. To ensure uninterrupted protection, please <a v(buy)>click here to purchase</a>.
5/16/2008 5:34:35 PM Process C:\Windows\Explorer.EXE (PID 3068) successfully completed.
5/16/2008 5:41:17 PM Error placing C:\Windows\Explorer.EXE in quarantine (access denied or object not found)
5/16/2008 6:50:12 PM Protection of your computer is not running. You are advised to resume protection.
5/16/2008 6:51:25 PM Your evaluation period will end in 29 days. To ensure uninterrupted protection, please <a v(buy)>click here to purchase</a>.
5/16/2008 6:51:25 PM Protection of your computer is enabled.
5/16/2008 8:11:55 PM Protection of your computer is not running. You are advised to resume protection.
5/16/2008 9:27:32 PM Your evaluation period will end in 29 days. To ensure uninterrupted protection, please <a v(buy)>click here to purchase</a>.
5/16/2008 9:27:33 PM Protection of your computer is enabled.


Backup:
Infected: Trojan program Trojan.Win32.Monder.gen c:\users\hang\appdata\local\temp\ttoixonb.dll 104.6 KB
Infected: Trojan program Trojan.Win32.Monder.gen c:\users\hang\downloads\kaspersky internet security v7.0.1.325 + genuine keys.rar 32.8 MB
Infected: adware not-a-virus:AdWare.Win32.SuperJuan.bdb c:\users\hang\appdata\local\microsoft\windows\temporary internet files\content.ie5\r812h5dt\query[1] 99.5 KB




DSS Log
Deckard's System Scanner v20071014.68
Run by Hang on 2008-05-16 21:37:29
Computer is in Normal Mode.
--------------------------------------------------------------------------------

-- Last 5 Restore Point(s) --
9: 2008-05-16 09:15:26 UTC - RP185 - Windows Update
8: 2008-05-16 07:50:47 UTC - RP184 - Installed Kaspersky Internet Security 7.0.
7: 2008-05-16 07:44:42 UTC - RP183 - Removed ESET NOD32 Antivirus
6: 2008-05-16 05:08:45 UTC - RP182 - Installed ESET NOD32 Antivirus
5: 2008-05-16 05:07:38 UTC - RP181 - Installed ESET Smart Security


-- First Restore Point --
1: 2008-05-15 08:58:23 UTC - RP177 - Windows Update


Backed up registry hives.
Performed disk cleanup.

System Drive C: has 12.63 GiB (less than 15%) free.


-- HijackThis (run as Hang.exe) ------------------------------------------------

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 9:41:48 PM, on 5/16/2008
Platform: Windows Vista SP1 (WinNT 6.00.1905)
MSIE: Internet Explorer v7.00 (7.00.6001.18000)
Boot mode: Normal

Running processes:
C:\Windows\System32\smss.exe
C:\Windows\system32\csrss.exe
C:\Windows\system32\wininit.exe
C:\Windows\system32\csrss.exe
C:\Windows\system32\services.exe
C:\Windows\system32\lsass.exe
C:\Windows\system32\lsm.exe
C:\Windows\system32\winlogon.exe
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe
C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe
C:\Windows\system32\SLsvc.exe
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\Windows\System32\spoolsv.exe
C:\Windows\system32\svchost.exe
C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 7.0\avp.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Windows\system32\svchost.exe
C:\Program Files\Nero\Nero8\Nero BackItUp\NBService.exe
C:\Windows\system32\PnkBstrA.exe
C:\Windows\system32\svchost.exe
C:\Program Files\CyberLink\Shared files\RichVideo.exe
C:\Program Files\Spyware Doctor\pctsAuxs.exe
C:\Program Files\Spyware Doctor\pctsSvc.exe
C:\Windows\system32\svchost.exe
C:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe
C:\Windows\System32\svchost.exe
C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\taskeng.exe
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Windows\System32\CTHELPER.EXE
C:\Windows\System32\CTXFIHLP.EXE
C:\Windows\System32\rundll32.exe
C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 7.0\avp.exe
C:\Windows\System32\rundll32.exe
C:\Program Files\Spyware Doctor\pctsTray.exe
C:\Program Files\Windows Sidebar\sidebar.exe
C:\Program Files\Windows Live\Messenger\msnmsgr.exe
C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe
C:\Windows\System32\rundll32.exe
C:\Program Files\Windows Media Player\wmpnscfg.exe
C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe
C:\Windows\SYSTEM32\CTXFISPI.EXE
C:\Windows\System32\rundll32.exe
C:\Windows\system32\wbem\wmiprvse.exe
C:\Program Files\Windows Sidebar\sidebar.exe
C:\Windows\system32\wuauclt.exe
C:\Users\Hang\Desktop\dss.exe
C:\Windows\System32\svchost.exe
C:\Windows\system32\conime.exe
C:\PROGRA~1\TRENDM~1\HIJACK~1\Hang.exe
C:\Windows\system32\wbem\wmiprvse.exe

O1 - Hosts: ::1 localhost
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: NCO 2.0 IE BHO - {602ADB0E-4AFF-4217-8AA1-95DAC4DFA408} - (no file)
O2 - BHO: Symantec Intrusion Prevention - {6D53EC84-6AAE-4787-AEEE-F4628F01010C} - C:\PROGRA~1\COMMON~1\SYMANT~1\IDS\IPSBHO.dll (file missing)
O2 - BHO: Groove GFS Browser Helper - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\Program Files\Microsoft Office\Office12\GrooveShellExtensions.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Adobe PDF Conversion Toolbar Helper - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: (no name) - {7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA} - (no file)
O4 - HKLM\..\Run: [MSConfig] "C:\Windows\system32\msconfig.exe" /auto
O4 - HKLM\..\Run: [CTHelper] CTHELPER.EXE
O4 - HKLM\..\Run: [CTxfiHlp] CTXFIHLP.EXE
O4 - HKLM\..\Run: [NvSvc] RUNDLL32.EXE C:\Windows\system32\nvsvc.dll,nvsvcStart
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\Windows\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\Windows\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [AVP] "C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 7.0\avp.exe"
O4 - HKLM\..\Run: [dc58086c] rundll32.exe "C:\Users\Hang\AppData\Local\Temp\pgjoasbh.dll",b
O4 - HKLM\..\Run: [ISTray] "C:\Program Files\Spyware Doctor\pctsTray.exe"
O4 - HKCU\..\Run: [Sidebar] C:\Program Files\Windows Sidebar\sidebar.exe /autoRun
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\Windows Live\Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" -quiet
O4 - HKCU\..\Run: [cmds] rundll32.exe C:\Users\Hang\AppData\Local\Temp\jkkijGVM.dll,c
O4 - HKCU\..\Run: [WMPNSCFG] C:\Program Files\Windows Media Player\WMPNSCFG.exe
O4 - HKCU\..\Run: [dc58086c] rundll32.exe "C:\Users\Hang\AppData\Local\Temp\pgjoasbh.dll",b
O4 - HKCU\..\Run: [BMdf6b3bf0] Rundll32.exe "C:\Users\Hang\AppData\Local\Temp\guynbvya.dll",s
O4 - HKCU\..\RunOnce: [] C:\Program Files\Internet Explorer\iexplore.exe http://www.symantec.com/techsupp/servlet/P...000096.000001de
O4 - HKUS\S-1-5-19\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\Run: [WindowsWelcomeCenter] rundll32.exe oobefldr.dll,ShowWelcomeCenter (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CtxfiReg] CTXFIREG.exe /FAIL1 (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CtxfiReg] CTXFIREG.exe /FAIL1 (User 'Default user')
O8 - Extra context menu item: Add to Anti-Banner - C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 7.0\ie_banner_deny.htm
O8 - Extra context menu item: Append to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert link target to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert link target to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert selected links to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
O8 - Extra context menu item: Convert selected links to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
O8 - Extra context menu item: Convert selection to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert selection to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: Web Anti-Virus statistics - {1F460357-8A94-4D71-9CA3-AA4ACF32ED8E} - C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 7.0\SCIEPlgn.dll
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
O13 - Gopher Prefix:
O15 - ESC Trusted Zone: http://*.update.microsoft.com
O16 - DPF: {56762DEC-6B0D-4AB4-A8AD-989993B5D08B} (OnlineScanner Control) - http://www.eset.eu/buxus/docs/OnlineScanner.cab
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} (Java Runtime Environment 1.6.0) - http://javadl-esd.sun.com/update/1.6.0/jin...ows-i586-jc.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shoc...ash/swflash.cab
O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\Program Files\Microsoft Office\Office12\GrooveSystemServices.dll
O20 - AppInit_DLLs: C:\PROGRA~1\KASPER~1\KASPER~1.0\r3hook.dll,C:\PROGRA~1\KASPER~1\KASPER~1.0\adialhk.dll
O22 - SharedTaskScheduler: Windows DreamScene - {E31004D1-A431-41B8-826F-E902F9D95C81} - C:\Windows\System32\DreamScene.dll
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Adobe Version Cue CS3 - Adobe Systems Incorporated - C:\Program Files\Common Files\Adobe\Adobe Version Cue CS3\Server\bin\VersionCueCS3.exe
O23 - Service: Kaspersky Internet Security 7.0 (AVP) - Kaspersky Lab - C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 7.0\avp.exe
O23 - Service: ##Id_String1.6844F930_1628_4223_B5CC_5BB94B879762## (Bonjour Service) - Apple Computer, Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: Nero BackItUp Scheduler 3 - Nero AG - C:\Program Files\Nero\Nero8\Nero BackItUp\NBService.exe
O23 - Service: NMIndexingService - Nero AG - C:\Program Files\Common Files\Nero\Lib\NMIndexingService.exe
O23 - Service: PnkBstrA - Unknown owner - C:\Windows\system32\PnkBstrA.exe
O23 - Service: Cyberlink RichVideo Service(CRVS) (RichVideo) - Unknown owner - C:\Program Files\CyberLink\Shared files\RichVideo.exe
O23 - Service: PC Tools Auxiliary Service (sdAuxService) - PC Tools - C:\Program Files\Spyware Doctor\pctsAuxs.exe
O23 - Service: PC Tools Security Service (sdCoreService) - PC Tools - C:\Program Files\Spyware Doctor\pctsSvc.exe
O23 - Service: Ulead Burning Helper (UleadBurningHelper) - Ulead Systems, Inc. - C:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe

--
End of file - 10937 bytes

-- File Associations -----------------------------------------------------------

All associations okay.


-- Drivers: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled ---------------------

R3 dvd43llh - c:\windows\system32\drivers\dvd43llh.sys <Not Verified; RIF; DVD For Free>

S0 OemBiosDevice (Royalty OEM BIOS Extension) - c:\windows\system32\drivers\royal.sys <Not Verified; PARADOX; SLP Kernel-Mode Driver>


-- Services: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled --------------------

R2 Bonjour Service (##Id_String1.6844F930_1628_4223_B5CC_5BB94B879762##) - "c:\program files\bonjour\mdnsresponder.exe" <Not Verified; Apple Computer, Inc.; Bonjour>
R2 Nero BackItUp Scheduler 3 - c:\program files\nero\nero8\nero backitup\nbservice.exe

S3 FLEXnet Licensing Service - "c:\program files\common files\macrovision shared\flexnet publisher\fnplicensingservice.exe" <Not Verified; Macrovision Europe Ltd.; FLEXnet Publisher (32 bit)>


-- Device Manager: Disabled ----------------------------------------------------

Class GUID:
Description: SM Bus Controller
Device ID: PCI\VEN_8086&DEV_2930&SUBSYS_50011458&REV_02\3&13C0B0C5&1&FB
Manufacturer:
Name: SM Bus Controller
PNP Device ID: PCI\VEN_8086&DEV_2930&SUBSYS_50011458&REV_02\3&13C0B0C5&1&FB
Service:

Class GUID: {eec5ad98-8080-425f-922a-dabf3de3f69a}
Description: Stylus Storage
Device ID: WPDBUSENUMROOT\UMB\2&37C186B&0&STORAGE#VOLUME#1&19F7E59C&0&_??_USBSTOR#DISK&VEN_EPSON&PROD_STYLUS_STORAGE&REV_1.00#7&365FFACD&0&BA0000000000000000&0#
Manufacturer: EPSON
Name: Stylus Storage
PNP Device ID: WPDBUSENUMROOT\UMB\2&37C186B&0&STORAGE#VOLUME#1&19F7E59C&0&_??_USBSTOR#DISK&VEN_EPSON&PROD_STYLUS_STORAGE&REV_1.00#7&365FFACD&0&BA0000000000000000&0#
Service: WUDFRd

Class GUID: {eec5ad98-8080-425f-922a-dabf3de3f69a}
Description: DataTraveler 2.0
Device ID: WPDBUSENUMROOT\UMB\2&37C186B&0&STORAGE#VOLUME#1&19F7E59C&0&_??_USBSTOR#DISK&VEN_KINGSTON&PROD_DATATRAVELER_2.0&REV_1.00#0000002709&0#
Manufacturer: Kingston
Name: DataTraveler 2.0
PNP Device ID: WPDBUSENUMROOT\UMB\2&37C186B&0&STORAGE#VOLUME#1&19F7E59C&0&_??_USBSTOR#DISK&VEN_KINGSTON&PROD_DATATRAVELER_2.0&REV_1.00#0000002709&0#
Service: WUDFRd


-- Files created between 2008-04-16 and 2008-05-16 -----------------------------

2020-01-01 11:03:36 0 d-------- C:\Program Files\Common Files\Symantec Shared
2008-05-16 18:52:28 0 d-------- C:\Program Files\Trend Micro
2008-05-16 13:03:04 0 d-------- C:\Program Files\Common Files\PC Tools
2008-05-16 11:15:15 0 d-------- C:\Program Files\Spyware Doctor
2008-05-16 10:59:57 63 --a------ C:\Windows\system\SysSD.dll
2008-05-16 10:54:37 0 d-------- C:\Program Files\SpywareDetector
2008-05-16 00:54:52 96645 --a------ C:\Windows\system32\drivers\klin.dat
2008-05-16 00:54:52 87941 --a------ C:\Windows\system32\drivers\klick.dat
2008-05-16 00:52:14 110387232 --ahs---- C:\Windows\system32\drivers\fidbox.dat
2008-05-16 00:52:02 0 d-------- C:\Program Files\Kaspersky Lab
2008-05-15 21:00:38 0 d-------- C:\kav
2008-05-04 20:57:14 0 --a------ C:\Windows\nsreg.dat
2008-05-02 19:51:25 0 d-------- C:\Windows\system32\appmgmt


-- Find3M Report ---------------------------------------------------------------

2008-05-16 20:11:54 836 --a------ C:\Windows\bthservsdp.dat
2008-05-16 13:05:36 0 d-------- C:\Users\Hang\AppData\Roaming\BitTorrent
2008-05-16 13:03:04 0 d-------- C:\Program Files\Common Files
2008-05-16 11:15:15 0 d-------- C:\Users\Hang\AppData\Roaming\PC Tools
2008-05-16 11:02:41 0 d-------- C:\Program Files\Kingsoft
2008-05-15 02:00:20 0 d-------- C:\Program Files\Windows Mail
2008-05-08 23:50:01 174 --ahs---- C:\Program Files\desktop.ini
2008-05-08 23:40:39 0 d-------- C:\Program Files\Windows Sidebar
2008-05-08 23:40:39 0 d-------- C:\Program Files\Windows Calendar
2008-05-08 23:40:39 0 d-------- C:\Program Files\Movie Maker
2008-05-08 23:40:36 0 d-------- C:\Program Files\Windows Collaboration
2008-05-08 23:40:35 0 d-------- C:\Program Files\Windows Photo Gallery
2008-05-08 23:40:35 0 d-------- C:\Program Files\Windows Journal
2008-05-08 23:40:29 0 d-------- C:\Program Files\Windows Defender
2008-05-08 23:28:10 413696 --a------ C:\Windows\system32\wrap_oal.dll <Not Verified; Creative Labs; Creative Labs OpenAL32>
2008-05-08 23:28:10 110592 --a------ C:\Windows\system32\OpenAL32.dll <Not Verified; Portions Creative Labs Inc. and NVIDIA Corp.; Standard OpenAL™ Library>
2008-05-04 20:57:50 0 d-------- C:\Users\Hang\AppData\Roaming\Talkback
2008-05-04 20:57:10 0 d-------- C:\Users\Hang\AppData\Roaming\Mozilla
2008-03-25 20:02:50 0 d-------- C:\Users\Hang\AppData\Roaming\Real


-- Registry Dump ---------------------------------------------------------------

*Note* empty entries & legit default entries are not shown


[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{602ADB0E-4AFF-4217-8AA1-95DAC4DFA408}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{6D53EC84-6AAE-4787-AEEE-F4628F01010C}]
C:\PROGRA~1\COMMON~1\SYMANT~1\IDS\IPSBHO.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"@"="" []
"MSConfig"="C:\Windows\system32\msconfig.exe" [01/19/2008 12:33 AM]
"CTHelper"="CTHELPER.EXE" [10/25/2007 10:56 PM C:\Windows\System32\CTHELPER.EXE]
"CTxfiHlp"="CTXFIHLP.EXE" [10/25/2007 10:56 PM C:\Windows\System32\CTXFIHLP.EXE]
"NvSvc"="C:\Windows\system32\nvsvc.dll" [09/12/2007 06:28 AM]
"NvCplDaemon"="C:\Windows\system32\NvCpl.dll" [09/12/2007 06:28 AM]
"NvMediaCenter"="C:\Windows\system32\NvMcTray.dll" [09/12/2007 06:28 AM]
"AVP"="C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 7.0\avp.exe" [02/08/2008 06:36 PM]
"dc58086c"="C:\Users\Hang\AppData\Local\Temp\pgjoasbh.dll" []
"ISTray"="C:\Program Files\Spyware Doctor\pctsTray.exe" [04/10/2008 03:14 PM]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Sidebar"="C:\Program Files\Windows Sidebar\sidebar.exe" [01/19/2008 12:33 AM]
"MsnMsgr"="C:\Program Files\Windows Live\Messenger\MsnMsgr.exe" [10/18/2007 11:34 AM]
"Yahoo! Pager"="C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" [08/30/2007 06:43 PM]
"cmds"="C:\Users\Hang\AppData\Local\Temp\jkkijGVM.dll,c" []
"WMPNSCFG"="C:\Program Files\Windows Media Player\WMPNSCFG.exe" [01/19/2008 12:33 AM]
"dc58086c"="C:\Users\Hang\AppData\Local\Temp\pgjoasbh.dll,b" []
"BMdf6b3bf0"="C:\Users\Hang\AppData\Local\Temp\guynbvya.dll,s" []

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\runonce]
@=C:\Program Files\Internet Explorer\iexplore.exe http://www.symantec.com/techsupp/servlet/P...000096.000001de

[HKEY_USERS\.default\software\microsoft\windows\currentversion\run]
"CtxfiReg"=CTXFIREG.exe /FAIL1

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"ConsentPromptBehaviorAdmin"=2 (0x2)
"EnableUIADesktopToggle"=0 (0x0)

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
"{93994DE8-8239-4655-B1D1-5F4E91300429}"= C:\Program Files\DVD Region+CSS Free\DVDShell.dll [10/09/2004 04:18 PM 49152]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"appinit_dlls"=C:\PROGRA~1\KASPER~1\KASPER~1.0\r3hook.dll,C:\PROGRA~1\KASPER~1\KASPER~1.0\adialhk.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\aawservice]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\AppInfo]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\KeyIso]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\NTDS]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\ProfSvc]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\sacsvr]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\sdauxservice"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\sdcoreservice"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\SWPRV]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\TabletInputService]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\TBS]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\TrustedInstaller]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\VDS]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\volmgr.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\volmgrx.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{533C5B84-EC70-11D2-9505-00C04F79DEAF}]
@="Volume shadow copy"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{6BDD1FC1-810F-11D0-BEC7-08002BE2092F}]
@="IEEE 1394 Bus host controllers"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{D48179BE-EC20-11D1-B6B8-00C04FA372A7}]
@="SBP2 IEEE 1394 Devices"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{D94EE5D8-D189-4994-83D2-F68D7D41B0E6}]
@="SecurityDevices"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^ProgramData^Microsoft^Windows^Start Menu^Programs^Startup^Adobe Acrobat Speed Launcher.lnk]
path=C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\Adobe Acrobat Speed Launcher.lnk
backup=C:\Windows\pss\Adobe Acrobat Speed Launcher.lnk.CommonStartup
backupExtension=.CommonStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^ProgramData^Microsoft^Windows^Start Menu^Programs^Startup^Adobe Acrobat Synchronizer.lnk]
path=C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\Adobe Acrobat Synchronizer.lnk
backup=C:\Windows\pss\Adobe Acrobat Synchronizer.lnk.CommonStartup
backupExtension=.CommonStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Acrobat Assistant 8.0]
"C:\Program Files\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe_ID0EYTHM]
C:\PROGRA~1\COMMON~1\Adobe\ADOBEV~1\Server\bin\VERSIO~2.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}]
"C:\Program Files\Common Files\Nero\Lib\NMBgMonitor.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BitTorrent DNA]
"C:\Users\Hang\Program Files\BitTorrent_DNA\dna.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BMdf6b3bf0]
Rundll32.exe "C:\Users\Hang\AppData\Local\Temp\dctbrgll.dll",s

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\cmds]
rundll32.exe C:\Users\Hang\AppData\Local\Temp\jkkijGVM.dll,c

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DAEMON Tools Pro Agent]
"C:\Program Files\DAEMON Tools Pro\DTProAgent.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\dvd43]
C:\Program Files\dvd43\dvd43_tray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\GrooveMonitor]
"C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\LanguageShortcut]
"C:\Program Files\CyberLink\PowerDVD\Language\Language.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NBKeyScan]
"C:\Program Files\Nero\Nero8\Nero BackItUp\NBKeyScan.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroFilterCheck]
C:\Program Files\Common Files\Nero\Lib\NeroCheck.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvMediaCenter]
RUNDLL32.EXE C:\Windows\system32\NvMcTray.dll,NvTaskbarInit

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvSvc]
RUNDLL32.EXE C:\Windows\system32\nvsvc.dll,nvsvcStart

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
"C:\Program Files\QuickTime\QTTask.exe" -atboottime

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\rasputin]
c:\windows\msnmsg.exe l

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RemoteControl]
"C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
"C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TkBellExe]
"C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\UVS10 Preload]
D:\Program Files\Ulead VideoStudio\uvPL.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Windows Defender]
%ProgramFiles%\Windows Defender\MSASCui.exe -hide

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
LocalService nsi lltdsvc SSDPSRV upnphost SCardSvr w32time EventSystem RemoteRegistry WinHttpAutoProxySvc lanmanworkstation TBS SLUINotify THREADORDER fdrespub netprofm fdphost wcncsvc QWAVE Mcx2Svc WebClient SstpSvc
bthsvcs BthServ
GPSvcGroup GPSvc


[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\>{22d6f312-b0f6-11d0-94ab-0080c74c7e95}]
C:\Windows\system32\unregmp2.exe /ShowWMP

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{6BF52A52-394A-11d3-B153-00C04F79FAA6}]
%SystemRoot%\system32\unregmp2.exe /FirstLogon /Shortcuts /RegBrowsers /ResetMUI



-- End of Deckard's System Scanner: finished at 2008-05-16 21:46:15 ------------

Edited by peterlu84, 17 May 2008 - 12:07 PM.
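An added example, not the original poster's code and not part of HijackThis or Deckard's System Scanner: a small triage script for the autostart entries in the dump above. The Run keys in this log carry values such as "dc58086c", "cmds" and "BMdf6b3bf0" that load eight-letter, random-looking DLLs out of C:\Users\Hang\AppData\Local\Temp, and for each of them DSS prints an empty [] where it would normally record the target's date and path. The msconfig\startupreg keys further down hold copies of the same items; that key is where msconfig stores entries unchecked on its Startup tab, so re-checking one restores the Run value, and the second log later in this thread still lists "BMdf6b3bf0" and "cmds" there after the cleanup. The script parses those two kinds of key from DSS-style output and flags entries on exactly those signals. The function names, the heuristics and their weighting are this example's own choices, and SAMPLE_LOG is constructed to mirror the thread's dump rather than copied from it.

```python
"""Triage of autostart entries from a Deckard's System Scanner registry dump.

Added example for this thread; the helper names and heuristics are this
example's own, and SAMPLE_LOG is a constructed sample modelled on the log.
"""
import re
from dataclasses import dataclass, field
from typing import List, Optional

# Constructed sample, modelled on the thread's first DSS dump (not a verbatim copy).
SAMPLE_LOG = r'''
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"AVP"="C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 7.0\avp.exe" [02/08/2008 06:36 PM]
"dc58086c"="C:\Users\Hang\AppData\Local\Temp\pgjoasbh.dll" []
"NvCplDaemon"="C:\Windows\system32\NvCpl.dll" [09/12/2007 06:28 AM]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"cmds"="C:\Users\Hang\AppData\Local\Temp\jkkijGVM.dll,c" []
"BMdf6b3bf0"="C:\Users\Hang\AppData\Local\Temp\guynbvya.dll,s" []
"WMPNSCFG"="C:\Program Files\Windows Media Player\WMPNSCFG.exe" [01/19/2008 12:33 AM]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BMdf6b3bf0]
Rundll32.exe "C:\Users\Hang\AppData\Local\Temp\dctbrgll.dll",s

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
"C:\Program Files\QuickTime\QTTask.exe" -atboottime
'''


@dataclass
class Autostart:
    key: str                   # registry key the entry sits under
    name: str                  # value name, or the msconfig startupreg subkey name
    command: str               # command line / target exactly as recorded
    file_info: Optional[str]   # DSS bracket text; "" means DSS found no file to describe
    reasons: List[str] = field(default_factory=list)


KEY_HEADER = re.compile(r'^\[(?P<key>HKEY_[^\]]+)\]$')
RUN_VALUE = re.compile(r'^"(?P<name>[^"]*)"="(?P<cmd>[^"]*)"\s*\[(?P<info>[^\]]*)\]$')
TARGET = re.compile(r'[A-Za-z]:\\[^",]+?\.(?:dll|exe)', re.IGNORECASE)
TEMP_DIR = re.compile(r'\\temp\\', re.IGNORECASE)
HEXLIKE_NAME = re.compile(r'^[A-Za-z]{0,2}[0-9a-f]{8}$')
TRUSTED_DIRS = ('\\windows\\system32\\', '\\program files\\')


def parse_autostarts(log_text: str) -> List[Autostart]:
    """Collect Run values and msconfig startupreg items; other keys are ignored."""
    entries, key, pending = [], '', None
    for line in (raw.strip() for raw in log_text.splitlines()):
        if not line:
            continue
        m = KEY_HEADER.match(line)
        if m:
            key = m.group('key')
            prefix, _, leaf = key.rpartition('\\')
            # msconfig keeps unchecked Startup-tab items here; the command follows on the next line
            pending = leaf if prefix.lower().endswith('msconfig\\startupreg') else None
            continue
        if pending is not None:
            entries.append(Autostart(key, pending, line, None))
            pending = None
            continue
        m = RUN_VALUE.match(line)
        if m and key.lower().endswith('\\run'):
            entries.append(Autostart(key, m.group('name'), m.group('cmd'), m.group('info')))
    return entries


def target_path(command: str) -> str:
    """Pull the executable or DLL path out of a command line (rundll32 prefix, switches dropped)."""
    m = TARGET.search(command)
    return m.group(0) if m else command.strip('"').split(' ')[0]


def reasons_for(e: Autostart) -> List[str]:
    """Signals taken from the dump itself; 'strong' ones are enough on their own."""
    path = target_path(e.command).lower()
    reasons = []
    if TEMP_DIR.search(path):
        reasons.append('strong: target lives in a Temp directory')
    if path.endswith('.dll') and not any(d in path for d in TRUSTED_DIRS):
        reasons.append('strong: DLL autostart outside System32 / Program Files')
    if e.file_info == '' and e.command:
        reasons.append('weak: scanner recorded no file data (target missing, hidden or unreadable)')
    if HEXLIKE_NAME.match(e.name):
        reasons.append('weak: hex-like value name')
    return reasons


def flag_autostarts(entries: List[Autostart]) -> List[Autostart]:
    """One strong signal, or two weak ones together, marks an entry for review."""
    flagged = []
    for e in entries:
        e.reasons = reasons_for(e)
        strong = sum(r.startswith('strong') for r in e.reasons)
        if strong or len(e.reasons) - strong >= 2:
            flagged.append(e)
    return flagged


if __name__ == '__main__':
    for e in flag_autostarts(parse_autostarts(SAMPLE_LOG)):
        print(f'{e.name:<14} {e.command}')
        for r in e.reasons:
            print(f'    {r}')
```

Run over the sample it flags the three Temp-resident Run values and the startupreg copy of BMdf6b3bf0, and leaves AVP, NvCplDaemon, WMPNSCFG and QuickTime Task alone; the startupfolder keys and the malformed sdauxservice lines in the dump are simply skipped. The "weak" signals are deliberately not enough on their own: an empty [] also appears for the harmless "@"="" value, and a hex-looking name is only suspicious next to an odd load path.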



#2 peterlu84 (Topic Starter)

Posted 17 May 2008 - 11:51 AM

Could anyone please help.....

#3 peterlu84 (Topic Starter)

Posted 18 May 2008 - 01:05 PM

Dear everyone in the BleepingComputer forum. I used some software called CCleaner and SUPERAntiSpyware to clean my computer, and now it seems the problem has gone away. I'm not sure if all the viruses have been solved yet or if there are still problems in my computer, so here I post a new log; I hope you guys can help me check it. Thanks so much.



Deckard's System Scanner v20071014.68
Run by Hang on 2008-05-18 10:51:37
Computer is in Normal Mode.
--------------------------------------------------------------------------------



-- HijackThis (run as Hang.exe) ------------------------------------------------

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 10:51:52 AM, on 5/18/2008
Platform: Windows Vista SP1 (WinNT 6.00.1905)
MSIE: Internet Explorer v7.00 (7.00.6001.18000)
Boot mode: Normal

Running processes:
C:\Windows\System32\smss.exe
C:\Windows\system32\csrss.exe
C:\Windows\system32\wininit.exe
C:\Windows\system32\csrss.exe
C:\Windows\system32\services.exe
C:\Windows\system32\lsass.exe
C:\Windows\system32\lsm.exe
C:\Windows\system32\winlogon.exe
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe
C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe
C:\Windows\system32\SLsvc.exe
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\Windows\System32\spoolsv.exe
C:\Windows\system32\svchost.exe
C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 7.0\avp.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Windows\system32\svchost.exe
C:\Program Files\Nero\Nero8\Nero BackItUp\NBService.exe
C:\Windows\system32\PnkBstrA.exe
C:\Windows\system32\svchost.exe
C:\Program Files\CyberLink\Shared files\RichVideo.exe
C:\Program Files\Spyware Doctor\pctsAuxs.exe
C:\Program Files\Spyware Doctor\pctsSvc.exe
C:\Windows\system32\svchost.exe
C:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe
C:\Windows\System32\svchost.exe
C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\taskeng.exe
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Windows\System32\CTHELPER.EXE
C:\Windows\System32\CTXFIHLP.EXE
C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe
C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 7.0\avp.exe
C:\Windows\SYSTEM32\CTXFISPI.EXE
C:\Program Files\Spyware Doctor\pctsTray.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Windows Sidebar\sidebar.exe
C:\Program Files\Windows Live\Messenger\msnmsgr.exe
C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\Windows\system32\wbem\wmiprvse.exe
C:\Program Files\Windows Sidebar\sidebar.exe
C:\Program Files\Windows Media Player\wmpnscfg.exe
C:\Windows\system32\taskeng.exe
\?\C:\Windows\system32\wbem\WMIADAP.EXE
C:\Windows\system32\SearchProtocolHost.exe
C:\Windows\system32\SearchFilterHost.exe
C:\Users\Hang\Desktop\backup for Detection\dss.exe
C:\PROGRA~1\TRENDM~1\HIJACK~1\Hang.exe
C:\Windows\system32\wbem\wmiprvse.exe

O1 - Hosts: ::1 localhost
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: NCO 2.0 IE BHO - {602ADB0E-4AFF-4217-8AA1-95DAC4DFA408} - (no file)
O2 - BHO: Symantec Intrusion Prevention - {6D53EC84-6AAE-4787-AEEE-F4628F01010C} - (no file)
O2 - BHO: Groove GFS Browser Helper - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\Program Files\Microsoft Office\Office12\GrooveShellExtensions.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Adobe PDF Conversion Toolbar Helper - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: (no name) - {7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA} - (no file)
O4 - HKLM\..\Run: [CTHelper] CTHELPER.EXE
O4 - HKLM\..\Run: [CTxfiHlp] CTXFIHLP.EXE
O4 - HKLM\..\Run: [NvSvc] RUNDLL32.EXE C:\Windows\system32\nvsvc.dll,nvsvcStart
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\Windows\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\Windows\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [AVP] "C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 7.0\avp.exe"
O4 - HKLM\..\Run: [ISTray] "C:\Program Files\Spyware Doctor\pctsTray.exe"
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKCU\..\Run: [Sidebar] C:\Program Files\Windows Sidebar\sidebar.exe /autoRun
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\Windows Live\Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" -quiet
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - HKCU\..\Run: [WMPNSCFG] C:\Program Files\Windows Media Player\WMPNSCFG.exe
O4 - HKUS\S-1-5-19\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\Run: [WindowsWelcomeCenter] rundll32.exe oobefldr.dll,ShowWelcomeCenter (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CtxfiReg] CTXFIREG.exe /FAIL1 (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CtxfiReg] CTXFIREG.exe /FAIL1 (User 'Default user')
O8 - Extra context menu item: Add to Anti-Banner - C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 7.0\ie_banner_deny.htm
O8 - Extra context menu item: Append to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert link target to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert link target to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert selected links to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
O8 - Extra context menu item: Convert selected links to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
O8 - Extra context menu item: Convert selection to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert selection to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: Web Anti-Virus statistics - {1F460357-8A94-4D71-9CA3-AA4ACF32ED8E} - C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 7.0\SCIEPlgn.dll
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
O13 - Gopher Prefix:
O15 - ESC Trusted Zone: http://*.update.microsoft.com
O16 - DPF: {56762DEC-6B0D-4AB4-A8AD-989993B5D08B} (OnlineScanner Control) - http://www.eset.eu/buxus/docs/OnlineScanner.cab
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} (Java Runtime Environment 1.6.0) - http://javadl-esd.sun.com/update/1.6.0/jin...ows-i586-jc.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shoc...ash/swflash.cab
O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\Program Files\Microsoft Office\Office12\GrooveSystemServices.dll
O20 - AppInit_DLLs: C:\PROGRA~1\KASPER~1\KASPER~1.0\r3hook.dll,C:\PROGRA~1\KASPER~1\KASPER~1.0\adialhk.dll
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O22 - SharedTaskScheduler: Windows DreamScene - {E31004D1-A431-41B8-826F-E902F9D95C81} - C:\Windows\System32\DreamScene.dll
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Adobe Version Cue CS3 - Adobe Systems Incorporated - C:\Program Files\Common Files\Adobe\Adobe Version Cue CS3\Server\bin\VersionCueCS3.exe
O23 - Service: Kaspersky Internet Security 7.0 (AVP) - Kaspersky Lab - C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 7.0\avp.exe
O23 - Service: ##Id_String1.6844F930_1628_4223_B5CC_5BB94B879762## (Bonjour Service) - Apple Computer, Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: Nero BackItUp Scheduler 3 - Nero AG - C:\Program Files\Nero\Nero8\Nero BackItUp\NBService.exe
O23 - Service: NMIndexingService - Nero AG - C:\Program Files\Common Files\Nero\Lib\NMIndexingService.exe
O23 - Service: PnkBstrA - Unknown owner - C:\Windows\system32\PnkBstrA.exe
O23 - Service: Cyberlink RichVideo Service(CRVS) (RichVideo) - Unknown owner - C:\Program Files\CyberLink\Shared files\RichVideo.exe
O23 - Service: PC Tools Auxiliary Service (sdAuxService) - PC Tools - C:\Program Files\Spyware Doctor\pctsAuxs.exe
O23 - Service: PC Tools Security Service (sdCoreService) - PC Tools - C:\Program Files\Spyware Doctor\pctsSvc.exe
O23 - Service: Ulead Burning Helper (UleadBurningHelper) - Ulead Systems, Inc. - C:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe

--
End of file - 10434 bytes

-- Files created between 2008-04-18 and 2008-05-18 -----------------------------

2020-01-01 11:03:36 0 d-------- C:\Program Files\Common Files\Symantec Shared
2008-05-17 16:28:29 0 d-------- C:\VundoFix Backups
2008-05-17 15:20:53 0 d-------- C:\Program Files\SUPERAntiSpyware
2008-05-17 14:51:27 0 d-------- C:\Program Files\CCleaner
2008-05-16 18:52:28 0 d-------- C:\Program Files\Trend Micro
2008-05-16 13:03:04 0 d-------- C:\Program Files\Common Files\PC Tools
2008-05-16 11:15:15 0 d-------- C:\Program Files\Spyware Doctor
2008-05-16 10:59:57 63 --a------ C:\Windows\system\SysSD.dll
2008-05-16 10:54:37 0 d-------- C:\Program Files\SpywareDetector
2008-05-16 00:54:52 96645 --a------ C:\Windows\system32\drivers\klin.dat
2008-05-16 00:54:52 87941 --a------ C:\Windows\system32\drivers\klick.dat
2008-05-16 00:52:14 124368416 --ahs---- C:\Windows\system32\drivers\fidbox.dat
2008-05-16 00:52:02 0 d-------- C:\Program Files\Kaspersky Lab
2008-05-15 21:00:38 0 d-------- C:\kav
2008-05-04 20:57:14 0 --a------ C:\Windows\nsreg.dat
2008-05-02 19:51:25 0 d-------- C:\Windows\system32\appmgmt


-- Find3M Report ---------------------------------------------------------------

2008-05-18 10:44:11 836 --a------ C:\Windows\bthservsdp.dat
2008-05-17 15:20:53 0 d-------- C:\Users\Hang\AppData\Roaming\SUPERAntiSpyware.com
2008-05-17 15:20:04 0 d-------- C:\Program Files\Common Files\Wise Installation Wizard
2008-05-16 13:05:36 0 d-------- C:\Users\Hang\AppData\Roaming\BitTorrent
2008-05-16 13:03:04 0 d-------- C:\Program Files\Common Files
2008-05-16 11:15:15 0 d-------- C:\Users\Hang\AppData\Roaming\PC Tools
2008-05-16 11:02:41 0 d-------- C:\Program Files\Kingsoft
2008-05-15 02:00:20 0 d-------- C:\Program Files\Windows Mail
2008-05-08 23:50:01 174 --ahs---- C:\Program Files\desktop.ini
2008-05-08 23:40:39 0 d-------- C:\Program Files\Windows Sidebar
2008-05-08 23:40:39 0 d-------- C:\Program Files\Windows Calendar
2008-05-08 23:40:39 0 d-------- C:\Program Files\Movie Maker
2008-05-08 23:40:36 0 d-------- C:\Program Files\Windows Collaboration
2008-05-08 23:40:35 0 d-------- C:\Program Files\Windows Photo Gallery
2008-05-08 23:40:35 0 d-------- C:\Program Files\Windows Journal
2008-05-08 23:40:29 0 d-------- C:\Program Files\Windows Defender
2008-05-08 23:28:10 413696 --a------ C:\Windows\system32\wrap_oal.dll <Not Verified; Creative Labs; Creative Labs OpenAL32>
2008-05-08 23:28:10 110592 --a------ C:\Windows\system32\OpenAL32.dll <Not Verified; Portions © Creative Labs Inc. and NVIDIA Corp.; Standard OpenAL™ Library>
2008-05-04 20:57:50 0 d-------- C:\Users\Hang\AppData\Roaming\Talkback
2008-05-04 20:57:10 0 d-------- C:\Users\Hang\AppData\Roaming\Mozilla
2008-03-25 20:02:50 0 d-------- C:\Users\Hang\AppData\Roaming\Real


-- Registry Dump ---------------------------------------------------------------

*Note* empty entries & legit default entries are not shown


[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{602ADB0E-4AFF-4217-8AA1-95DAC4DFA408}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{6D53EC84-6AAE-4787-AEEE-F4628F01010C}]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"@"="" []
"CTHelper"="CTHELPER.EXE" [10/25/2007 10:56 PM C:\Windows\System32\CTHELPER.EXE]
"CTxfiHlp"="CTXFIHLP.EXE" [10/25/2007 10:56 PM C:\Windows\System32\CTXFIHLP.EXE]
"NvSvc"="C:\Windows\system32\nvsvc.dll" [09/12/2007 06:28 AM]
"NvCplDaemon"="C:\Windows\system32\NvCpl.dll" [09/12/2007 06:28 AM]
"NvMediaCenter"="C:\Windows\system32\NvMcTray.dll" [09/12/2007 06:28 AM]
"AVP"="C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 7.0\avp.exe" [02/08/2008 06:36 PM]
"ISTray"="C:\Program Files\Spyware Doctor\pctsTray.exe" [04/10/2008 03:14 PM]
"TkBellExe"="C:\Program Files\Common Files\Real\Update_OB\realsched.exe" [12/29/2007 05:04 PM]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Sidebar"="C:\Program Files\Windows Sidebar\sidebar.exe" [01/19/2008 12:33 AM]
"MsnMsgr"="C:\Program Files\Windows Live\Messenger\MsnMsgr.exe" [10/18/2007 11:34 AM]
"Yahoo! Pager"="C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" [08/30/2007 06:43 PM]
"SUPERAntiSpyware"="C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [02/29/2008 04:03 PM]
"WMPNSCFG"="C:\Program Files\Windows Media Player\WMPNSCFG.exe" [01/19/2008 12:33 AM]

[HKEY_USERS\.default\software\microsoft\windows\currentversion\run]
"CtxfiReg"=CTXFIREG.exe /FAIL1

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"ConsentPromptBehaviorAdmin"=2 (0x2)
"EnableUIADesktopToggle"=0 (0x0)

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
"{93994DE8-8239-4655-B1D1-5F4E91300429}"= C:\Program Files\DVD Region+CSS Free\DVDShell.dll [10/09/2004 04:18 PM 49152]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= C:\Program Files\SUPERAntiSpyware\SASSEH.DLL [12/20/2006 12:55 PM 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
C:\Program Files\SUPERAntiSpyware\SASWINLO.dll 04/19/2007 12:41 PM 294912 C:\Program Files\SUPERAntiSpyware\SASWINLO.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"appinit_dlls"=C:\PROGRA~1\KASPER~1\KASPER~1.0\r3hook.dll,C:\PROGRA~1\KASPER~1\KASPER~1.0\adialhk.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\aawservice]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\AppInfo]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\KeyIso]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\NTDS]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\ProfSvc]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\sacsvr]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\sdauxservice"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\sdcoreservice"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\SWPRV]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\TabletInputService]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\TBS]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\TrustedInstaller]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\VDS]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\volmgr.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\volmgrx.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{533C5B84-EC70-11D2-9505-00C04F79DEAF}]
@="Volume shadow copy"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{6BDD1FC1-810F-11D0-BEC7-08002BE2092F}]
@="IEEE 1394 Bus host controllers"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{D48179BE-EC20-11D1-B6B8-00C04FA372A7}]
@="SBP2 IEEE 1394 Devices"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{D94EE5D8-D189-4994-83D2-F68D7D41B0E6}]
@="SecurityDevices"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^ProgramData^Microsoft^Windows^Start Menu^Programs^Startup^Adobe Acrobat Speed Launcher.lnk]
path=C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\Adobe Acrobat Speed Launcher.lnk
backup=C:\Windows\pss\Adobe Acrobat Speed Launcher.lnk.CommonStartup
backupExtension=.CommonStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^ProgramData^Microsoft^Windows^Start Menu^Programs^Startup^Adobe Acrobat Synchronizer.lnk]
path=C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\Adobe Acrobat Synchronizer.lnk
backup=C:\Windows\pss\Adobe Acrobat Synchronizer.lnk.CommonStartup
backupExtension=.CommonStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Acrobat Assistant 8.0]
"C:\Program Files\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe_ID0EYTHM]
C:\PROGRA~1\COMMON~1\Adobe\ADOBEV~1\Server\bin\VERSIO~2.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}]
"C:\Program Files\Common Files\Nero\Lib\NMBgMonitor.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BitTorrent DNA]
"C:\Users\Hang\Program Files\BitTorrent_DNA\dna.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BMdf6b3bf0]
Rundll32.exe "C:\Users\Hang\AppData\Local\Temp\dctbrgll.dll",s

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\cmds]
rundll32.exe C:\Users\Hang\AppData\Local\Temp\jkkijGVM.dll,c

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DAEMON Tools Pro Agent]
"C:\Program Files\DAEMON Tools Pro\DTProAgent.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\dvd43]
C:\Program Files\dvd43\dvd43_tray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\GrooveMonitor]
"C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ISTray]
"C:\Program Files\Spyware Doctor\pctsTray.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\LanguageShortcut]
"C:\Program Files\CyberLink\PowerDVD\Language\Language.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NBKeyScan]
"C:\Program Files\Nero\Nero8\Nero BackItUp\NBKeyScan.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroFilterCheck]
C:\Program Files\Common Files\Nero\Lib\NeroCheck.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvMediaCenter]
RUNDLL32.EXE C:\Windows\system32\NvMcTray.dll,NvTaskbarInit

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvSvc]
RUNDLL32.EXE C:\Windows\system32\nvsvc.dll,nvsvcStart

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
"C:\Program Files\QuickTime\QTTask.exe" -atboottime

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\rasputin]
c:\windows\msnmsg.exe l

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RemoteControl]
"C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
"C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TkBellExe]
"C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\UVS10 Preload]
D:\Program Files\Ulead VideoStudio\uvPL.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Windows Defender]
%ProgramFiles%\Windows Defender\MSASCui.exe -hide

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
LocalService nsi lltdsvc SSDPSRV upnphost SCardSvr w32time EventSystem RemoteRegistry WinHttpAutoProxySvc lanmanworkstation TBS SLUINotify THREADORDER fdrespub netprofm fdphost wcncsvc QWAVE Mcx2Svc WebClient SstpSvc
bthsvcs BthServ
GPSvcGroup GPSvc


[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\>{22d6f312-b0f6-11d0-94ab-0080c74c7e95}]
C:\Windows\system32\unregmp2.exe /ShowWMP

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{6BF52A52-394A-11d3-B153-00C04F79FAA6}]
%SystemRoot%\system32\unregmp2.exe /FirstLogon /Shortcuts /RegBrowsers /ResetMUI



-- End of Deckard's System Scanner: finished at 2008-05-18 10:54:13 ------------

#4 suebaby41

suebaby41

    W.A.M. (Women Against Malware)


  • Malware Response Team
  • 6,248 posts
  • Gender:Female
  • Location:South Carolina, USA
  • Local time:09:27 PM

Posted 12 June 2008 - 01:17 PM

Welcome to the BleepingComputer Forums.

The following entry shows that the Microsoft System Configuration Utility is in use and indicates you are using a Selective Startup:

O4 - HKLM\..\Run: [MSConfig] C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto

This means that you may have selectively removed some items in the past from the startup procedure. This can be bad if they are malware, so we would like you to enable those startup entries by doing the following:

Please go to:
  • Start > Run, and type: MSConfig . Press Enter
  • In the General tab, Startup Selection, choose: Normal Startup-load all device drivers and services
  • Press OK until you are out of the program.
  • Reboot and post a new HijackThis log.
If you have already posted this log at another forum or if you decide to seek help at another forum, please let us know. There is a shortage of helpers and taking the time of two volunteer helpers means that someone else may not be helped.
You don't stop laughing when you get old; you get old when you stop laughing.
A Member of U-N-I-T-E (Unified Network of Instructors and Trained Eliminators)
Malware Removal University Masters Graduate

Join The Fight Against Malware
No reply within 5 days will result in your topic being closed. If you need more time, please let me know by posting in this topic so that your topic will not be closed.
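The DSS dump above lists each startup item that msconfig has disabled and backed up under the `shared tools\msconfig\startupreg` key, which is what the helper's note about Selective Startup refers to. The following is an added example, not code from the thread or from Deckard's System Scanner: it parses a constructed excerpt in that dump layout, lists the disabled entries, and attaches simple defender heuristics (my own assumptions, leads rather than verdicts) to each command line.

```python
"""Added example: list msconfig-disabled startup entries from a DSS-style dump."""
import re

# Constructed sample in the DSS dump layout (bracketed key, then its value line).
SAMPLE_DUMP = r"""
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BMdf6b3bf0]
Rundll32.exe "C:\Users\Hang\AppData\Local\Temp\dctbrgll.dll",s

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
"C:\Program Files\QuickTime\QTTask.exe" -atboottime

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\rasputin]
c:\windows\msnmsg.exe l

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
LocalService nsi lltdsvc
"""

def parse_sections(dump):
    """Map each bracketed registry key to the value lines listed under it."""
    sections, current = {}, None
    for line in dump.splitlines():
        line = line.rstrip()
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            sections[current] = []
        elif line and current is not None:
            sections[current].append(line)
    return sections

def flag_command(cmd):
    """Heuristic leads (assumed here, not verdicts) for one startup command line."""
    low, flags = cmd.lower(), []
    if "\\temp\\" in low:
        flags.append("runs from a Temp directory")
    if "rundll32" in low and "\\system32\\" not in low:
        flags.append("rundll32 loads a DLL outside system32")
    if re.search(r"[a-z]:\\windows\\[^\\]+\.exe", low):
        flags.append("executable sits directly in the Windows root")
    return flags

def disabled_startup_entries(dump):
    """(name, command, flags) for every msconfig-disabled startupreg entry."""
    marker = "\\shared tools\\msconfig\\startupreg\\"
    out = []
    for key, values in parse_sections(dump).items():
        if marker in key.lower():
            cmd = " ".join(values)
            out.append((key.rsplit("\\", 1)[1], cmd, flag_command(cmd)))
    return out
```

Entries with flags are the ones to compare against the vendor paths in the rest of the log before re-enabling everything with Normal Startup.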

#5 suebaby41

suebaby41

    W.A.M. (Women Against Malware)


  • Malware Response Team
  • 6,248 posts
  • Gender:Female
  • Location:South Carolina, USA
  • Local time:09:27 PM

Posted 23 June 2008 - 02:01 PM

This subject is now closed. If you need this topic reopened, please contact a member of the HJT Team and we will reopen it for you. Include the address of this thread in your request. If you should have a new issue, please start a new topic. This applies only to the original topic starter. Everyone else please begin a New Topic.
