
This One Seems Very Bad


4 replies to this topic

#1 danonne


Posted 24 June 2008 - 03:00 AM

Hi Everybody

Here is the story so far:
Two days ago I got my computer infected... It was entirely my fault - I downloaded a file, it looked suspicious, but after scanning it with AVG came up with nothing, so I ran it...
I thought about this a bit and I cannot put it into a coherent paragraph, so I will just put down as many facts as I can remember atm:
  • AVG then picked up an I-Worm/Bagle, sent it to the vault and then I deleted it. This happened once or twice more. I noticed a process hldrrr.exe running... I killed it and it seems like it's gone now.
  • I also downloaded (and paid for) Process Master, which shows me a ?? process every time I restart the computer.
  • I went to the AVG site and used their tools to try and get rid of this thing... the tools either did not find anything or keep crashing (probably being closed by the malware).
  • I also tried Symantec's removal tools - same as above.
  • Safe mode goes to a blue screen.
  • A friend recommended trying HijackThis, but once we copied it to my computer it wouldn't run - the error says it is not a Win32 application. (My guess is it's corrupted by the virus, or whatever it is.)
  • I have since downloaded the file again and scanned it with VirSCAN.org - all but 2 results came back OK. The two that were not are: ClamAV - said it is "PUA.Packed.Themida", and CP Secure - identified it as the "Troj.Downloader.W32.Bagle.in".
  • I checked on Google, and from the symptoms I get it seems like the PUA.Packed.Themida is more likely, since I did everything I could to remove the I-Worm/Bagle.
  • I cannot run DSS unless I kill the ?? process with Process Master. It closes within seconds of starting.
  • DSS cannot download the HijackThis part - I turned off the firewall, and once it managed to actually download it, but said that it did not match what was expected.
  • Using the internal DSS scanner the following was returned:
Main.txt

Deckard's System Scanner v20071014.68
Run by DM on 2008-06-24 09:29:23
Computer is in Normal Mode.
--------------------------------------------------------------------------------

-- System Restore --------------------------------------------------------------

Successfully created a Deckard's System Scanner Restore Point.


-- Last 2 Restore Point(s) --
2: 2008-06-24 07:29:28 UTC - RP347 - Deckard's System Scanner Restore Point
1: 2008-06-23 13:58:17 UTC - RP346 - System Checkpoint


Backed up registry hives.
Performed disk cleanup.

System Drive C: has 12.11 GiB (less than 15%) free.


-- HijackThis Clone ------------------------------------------------------------


Emulating logfile of Trend Micro HijackThis v2.0.2
Scan saved at 2008-06-24 09:34:13
Platform: Windows XP Service Pack 2 (5.01.2600)
MSIE: Internet Explorer (7.00.6000.16674)
Boot mode: Normal

Running processes:
C:\WINDOWS\system32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
C:\Program Files\Intel\Wireless\Bin\WLKEEPER.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Alias\Maya6.5\docs\wrapper.exe
C:\Program Files\NetLimiter 2 Pro\nlsvc.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Alias\Maya6.5\docs\jre\bin\java.exe
C:\wamp\Apache2\bin\Apache.exe
C:\wamp\mysql\bin\mysqld-nt.exe
C:\WINDOWS\explorer.exe
C:\wamp\Apache2\bin\Apache.exe
C:\Program Files\NetLimiter 2 Pro\NLClient.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Adobe\Adobe Version Cue\ControlPanel\VersionCueTray.exe
C:\Program Files\Intel\Wireless\Bin\ZCfgSvc.exe
C:\Program Files\Intel\Wireless\Bin\iFrmewrk.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\DAEMON Tools\daemon.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Microsoft ActiveSync\wcescomm.exe
C:\Program Files\Microsoft ActiveSync\rapimgr.exe
C:\wamp\wampserver.exe
C:\Program Files\Intel\Wireless\Bin\Dot1XCfg.exe
C:\Program Files\IPWireless Inc\IPWireless PC Software\UEStatus.exe
C:\Program Files\Process Master\procmast.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\DM\Desktop\dss.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\rundll32.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.za/ig?hl=en
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: Skype add-on (mastermind) - {22BF413B-C6D2-4d91-82A9-A0F997BA588C} - C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG8\avgssie.dll (file missing)
O2 - BHO: ConnectionServices module - {6D7B211A-88EA-490c-BAB9-3600D8D7C503} - C:\Program Files\ConnectionServices\ConnectionServices.dll (file missing)
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O2 - BHO: AVG Security Toolbar - {A057A204-BACC-4D26-9990-79A187E2698E} - C:\PROGRA~1\AVG\AVG8\AVGTOO~1.DLL (file missing)
O3 - Toolbar: Easy-WebPrint - {327C2873-E90D-4c37-AA9D-10AC9BABA46C} - C:\Program Files\Canon\Easy-WebPrint\Toolband.dll
O3 - Toolbar: AVG Security Toolbar - {A057A204-BACC-4D26-9990-79A187E2698E} - C:\PROGRA~1\AVG\AVG8\AVGTOO~1.DLL (file missing)
O4 - HKLM\..\Run: [SigmatelSysTrayApp] stsystra.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /installquiet
O4 - HKLM\..\Run: [NVHotkey] rundll32.exe nvHotkey.dll,Start
O4 - HKLM\..\Run: [Easy-PrintToolBox] C:\Program Files\Canon\Easy-PrintToolBox\BJPSMAIN.EXE /logon
O4 - HKLM\..\Run: [AdobeVersionCue] C:\Program Files\Adobe\Adobe Version Cue\ControlPanel\VersionCueTray.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe"
O4 - HKLM\..\Run: [IntelZeroConfig] "C:\Program Files\Intel\Wireless\bin\ZCfgSvc.exe"
O4 - HKLM\..\Run: [IntelWireless] "C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe" /tf Intel PROSet/Wireless
O4 - HKLM\..\Run: [BluetoothAuthenticationAgent] rundll32.exe bthprops.cpl,,BluetoothAuthenticationAgent
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKCU\..\Run: [DAEMON Tools] "C:\Program Files\DAEMON Tools\daemon.exe" -lang 1033
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [H/PC Connection Agent] "C:\Program Files\Microsoft ActiveSync\wcescomm.exe"
O4 - HKCU\..\Policies\Explorer\Run: [Windows Security Tool] WinSecure.exe
O4 - Startup: WampServer.lnk = C:\wamp\wampserver.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = ?
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra button: Create Mobile Favorite - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\Program Files\Microsoft ActiveSync\INetRepl.dll
O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\Program Files\Microsoft ActiveSync\INetRepl.dll
O9 - Extra 'Tools' menuitem: Create Mobile Favorite... - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\Program Files\Microsoft ActiveSync\INetRepl.dll
O9 - Extra button: Skype - {77BF5300-1474-4EC7-9980-D32B190E9B07} - C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\network diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\network diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} (Java Plug-in 1.6.0_02) - http://java.sun.com/update/1.6.0/jinstall-...ows-i586-jc.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload.macromedia.com/pub/shock...ash/swflash.cab
O17 - HKLM\SYSTEM\CCS\Services\Tcpip\..\{2244AD1A-A9E7-4D36-80B3-99CC781CD0D2}: NameServer = 192.168.0.1
O17 - HKLM\SYSTEM\CCS\Services\Tcpip\..\{615A2149-6D75-4140-A123-BC306A171168}: NameServer = 66.18.68.1 66.18.65.1
O17 - HKLM\SYSTEM\CCS\Services\Tcpip\..\{AB7F5FE6-B1C5-4051-B60D-85B19B29CB0B}: NameServer = 192.168.2.1
O17 - HKLM\SYSTEM\CCS\Services\Tcpip\..\{D0B304C1-B01E-4018-B91A-F9BEACE65298}: NameServer = 192.168.2.1
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll (file missing)
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\Program Files\Common Files\Skype\Skype4COM.dll
O21 - SSODL: 0aMCPClient - {F5DF91F9-15E9-416B-A7C3-7519B11ECBFC} - (no file)
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: AdobeVersionCue - Adobe Sytems - C:\Program Files\Adobe\Adobe Version Cue\service\VersionCue.exe
O23 - Service: AVG8 WatchDog (avg8wd) - Unknown owner - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
O23 - Service: ##Id_String1.6844F930_1628_4223_B5CC_5BB94B879762## (Bonjour Service) - Apple Computer, Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Intel® PROSet/Wireless Event Log (EvtEng) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: Maya 6.5 Documentation Server (maya65docserver) - Unknown owner - C:\Program Files\Alias\Maya6.5\docs\wrapper.exe
O23 - Service: NetLimiter (nlsvc) - Locktime Software - C:\Program Files\NetLimiter 2 Pro\nlsvc.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Intel® PROSet/Wireless Registry Service (RegSrvc) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - NetGroup - Politecnico di Torino - C:\Program Files\WinPcap\rpcapd.exe
O23 - Service: Intel® PROSet/Wireless Service (S24EventMonitor) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
O23 - Service: wampapache - Apache Software Foundation - C:\wamp\Apache2\bin\Apache.exe
O23 - Service: wampmysqld - Unknown owner - C:\wamp\mysql\bin\mysqld-nt.exe
O23 - Service: Intel® PROSet/Wireless SSO Service (WLANKEEPER) - Intel® Corporation - C:\Program Files\Intel\Wireless\Bin\WLKEEPER.exe


--
End of file - 9621 bytes

-- File Associations -----------------------------------------------------------

All associations okay.


-- Drivers: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled ---------------------

R0 BTHidMgr (Bluetooth HID Manager Service) - c:\windows\system32\drivers\bthidmgr.sys <Not Verified; IVT Corporation; BlueSoleil©>
R1 APPDRV - c:\windows\system32\drivers\appdrv.sys <Not Verified; Dell Inc; Application Driver>
R2 AegisP (AEGIS Protocol (IEEE 802.1x) v3.4.9.0) - c:\windows\system32\drivers\aegisp.sys <Not Verified; Meetinghouse Data Communications; AEGIS Client 3.4.9.0>
R2 s24trans (WLAN Transport) - c:\windows\system32\drivers\s24trans.sys <Not Verified; Intel Corporation; Intel Wireless LAN Packet Driver>
R2 Sentinel - c:\windows\system32\drivers\sentinel.sys <Not Verified; Rainbow Technologies, Inc.; Sentinel System Driver>
R3 NPF (NetGroup Packet Filter Driver) - c:\windows\system32\drivers\npf.sys <Not Verified; Politecnico di Torino; NPF Driver>
R3 pfc (Padus ASPI Shell) - c:\windows\system32\drivers\pfc.sys <Not Verified; Padus, Inc.; Padus® ASPI Shell>
R3 RMSPPPOE (WAN Miniport (PPP over Ethernet Protocol)) - c:\windows\system32\drivers\rmspppoe.sys <Not Verified; Robert Schlabbach; PPP over Ethernet Protocol>

S0 cercsr6 - c:\windows\system32\drivers\cercsr6.sys <Not Verified; Adaptec, Inc.; Dell RAID Controller>
S2 DS1410D - c:\windows\system32\drivers\ds1410d.sys (file missing)
S3 BlueletAudio (Bluetooth Audio Service) - c:\windows\system32\drivers\blueletaudio.sys <Not Verified; IVT Corporation; Windows ® 2000 DDK driver>
S3 BT (Bluetooth PAN Network Adapter) - c:\windows\system32\drivers\btnetdrv.sys <Not Verified; IVT Corporation; BlueSoleil>
S3 Btcsrusb (Bluetooth USB For Bluetooth Service) - c:\windows\system32\drivers\btcusb.sys <Not Verified; IVT Corporation; Bluetooth USB Device Driver>
S3 BTHidEnum (Bluetooth HID Enumerator) - c:\windows\system32\drivers\vbtenum.sys
S3 BTNetFilter (Bluetooth Network Filter) - c:\windows\system32\drivers\btnetfilter.sys
S3 Sntnlusb (Rainbow USB SuperPro) - c:\windows\system32\drivers\sntnlusb.sys <Not Verified; Rainbow Technologies Inc.; Rainbow Technologies USB Security Device Driver>
S3 VComm (Virtual Serial port driver) - c:\windows\system32\drivers\vcomm.sys <Not Verified; IVT Corporation; BlueSoleil>
S3 VcommMgr (Bluetooth VComm Manager Service) - c:\windows\system32\drivers\vcommmgr.sys <Not Verified; IVT Corporation; BlueSoleil>


-- Services: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled --------------------

R2 Bonjour Service (##Id_String1.6844F930_1628_4223_B5CC_5BB94B879762##) - "c:\program files\bonjour\mdnsresponder.exe" <Not Verified; Apple Computer, Inc.; Bonjour>
R2 maya65docserver (Maya 6.5 Documentation Server) - "c:\program files\alias\maya6.5\docs\wrapper.exe" -s "c:\program files\alias\maya6.5\docs\wrapper.conf"
R2 nlsvc (NetLimiter) - "c:\program files\netlimiter 2 pro\nlsvc.exe" <Not Verified; Locktime Software; NetLimiter 2 Pro>
R2 RegSrvc (Intel® PROSet/Wireless Registry Service) - c:\program files\intel\wireless\bin\regsrvc.exe <Not Verified; Intel Corporation; Intel® PROSet/Wireless Registry Service>
R2 wampapache - "c:\wamp\apache2\bin\apache.exe" -k runservice <Not Verified; Apache Software Foundation; Apache HTTP Server>
R2 wampmysqld - c:\wamp\mysql\bin\mysqld-nt.exe --defaults-file=c:\wamp\mysql\my.ini wampmysqld
R2 WLANKEEPER (Intel® PROSet/Wireless SSO Service) - c:\program files\intel\wireless\bin\wlkeeper.exe <Not Verified; Intel® Corporation; SSO Service>

S2 avg8wd (AVG8 WatchDog) - c:\progra~1\avg\avg8\avgwdsvc.exe (file missing)
S3 AdobeVersionCue - c:\program files\adobe\adobe version cue\service\versioncue.exe <Not Verified; Adobe Sytems; Adobe Version Cue™>
S3 FLEXnet Licensing Service - "c:\program files\common files\macrovision shared\flexnet publisher\fnplicensingservice.exe" <Not Verified; Macrovision Europe Ltd.; FLEXnet Publisher (32 bit)>
S3 rpcapd (Remote Packet Capture Protocol v.0 (experimental)) - "c:\program files\winpcap\rpcapd.exe" -d -f "c:\program files\winpcap\rpcapd.ini" <Not Verified; NetGroup - Politecnico di Torino; Remote Packet Capture Daemon>
S4 Babelpvnpsma -


-- Device Manager: Disabled ----------------------------------------------------

Class GUID:
Description: Modem Device on High Definition Audio Bus
Device ID: HDAUDIO\FUNC_02&VEN_14F1&DEV_2BFA&SUBSYS_14F100C3&REV_0900\4&277104FA&0&0102
Manufacturer:
Name: Modem Device on High Definition Audio Bus
PNP Device ID: HDAUDIO\FUNC_02&VEN_14F1&DEV_2BFA&SUBSYS_14F100C3&REV_0900\4&277104FA&0&0102
Service:


-- Files created between 2008-05-24 and 2008-06-24 -----------------------------

2008-06-23 15:57:16 0 d-------- C:\WINDOWS\pss
2008-06-23 15:54:35 0 d--h----- C:\Documents and Settings\DM\Application Data\m
2008-06-23 15:32:38 0 d-------- C:\Program Files\Process Master
2008-06-23 10:38:58 0 d-------- C:\WINDOWS\system32\drivers\Avg
2008-06-23 10:11:11 0 d-------- C:\Documents and Settings\DM\Application Data\AVGTOOLBAR
2008-06-19 16:44:49 0 d-------- C:\WINDOWS\system32\LogFiles
2008-06-18 14:08:33 0 d-------- C:\PrinceFoundation
2008-06-18 14:08:25 442368 --a------ C:\WINDOWS\UniInstall34.exe <Not Verified; MatchWare; UniInst>
2008-06-13 17:31:47 0 d-------- C:\Program Files\Vodafone
2008-06-10 11:28:42 266240 --a------ C:\WINDOWS\system32\dXPSystm.dll <Not Verified; Developer Express Inc.; XpressPrinting System>
2008-06-10 11:28:42 1667072 --a------ C:\WINDOWS\system32\DXdbGrid.dll <Not Verified; Developer Express Inc.; XpressQuantumGrid>
2008-06-10 11:28:39 0 d-------- C:\Program Files\MBTrading
2008-06-08 16:01:06 0 d--hs---- C:\WINDOWS\ftpcache
2008-06-07 17:59:05 0 d-------- C:\Program Files\Atari800WinPLus
2008-05-29 07:33:17 0 d-------- C:\Program Files\VirtualNetwork
2008-05-28 18:29:01 0 d-------- C:\Program Files\ZIO
2008-05-28 09:03:05 0 d-------- C:\Program Files\CoreCodec
2008-05-27 19:19:49 0 d-------- C:\Program Files\Microsoft ActiveSync
2008-05-27 19:19:32 0 d-------- C:\Program Files\Windows Mobile Resources
2008-05-26 11:15:36 0 d-------- C:\Documents and Settings\All Users\Application Data\avg8


-- Find3M Report ---------------------------------------------------------------

2008-06-23 16:11:26 0 d-------- C:\Documents and Settings\DM\Application Data\Skype
2008-06-23 16:11:11 0 d-------- C:\Documents and Settings\DM\Application Data\skypePM
2008-06-23 13:32:19 0 d-------- C:\Program Files\K-Lite Codec Pack
2008-06-23 10:10:24 0 d-------- C:\Documents and Settings\DM\Application Data\Adobe
2008-06-22 19:52:33 61154 --a------ C:\WINDOWS\system32\nvModes.dat
2008-06-19 14:35:51 0 d-------- C:\Documents and Settings\DM\Application Data\BitTorrent
2008-06-17 12:33:38 0 d-------- C:\Documents and Settings\DM\Application Data\dvdcss
2008-06-13 17:31:55 0 d-------- C:\Program Files\Common Files\Wise Installation Wizard
2008-05-27 19:21:26 2528 --a------ C:\Documents and Settings\DM\Application Data\$_hpcst$.hpc
2008-05-20 12:24:15 0 d-------- C:\Documents and Settings\DM\Application Data\Video DVD Maker FREE
2008-05-20 12:23:36 0 d-------- C:\Program Files\AVStoDVD
2008-05-20 12:23:32 0 d-------- C:\Program Files\AviSynth 2.5
2008-05-19 15:46:03 0 d-------- C:\Program Files\Groschengrab 2
2008-05-02 13:53:36 664 --a------ C:\WINDOWS\system32\d3d9caps.dat


-- Registry Dump ---------------------------------------------------------------

*Note* empty entries & legit default entries are not shown


[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{6D7B211A-88EA-490c-BAB9-3600D8D7C503}]
C:\Program Files\ConnectionServices\ConnectionServices.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{A057A204-BACC-4D26-9990-79A187E2698E}]
C:\PROGRA~1\AVG\AVG8\AVGTOO~1.DLL

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SigmatelSysTrayApp"="stsystra.exe" [03/24/2006 08:30 AM C:\WINDOWS\stsystra.exe]
"NvCplDaemon"="C:\WINDOWS\system32\NvCpl.dll" [05/01/2006 06:46 AM]
"nwiz"="nwiz.exe" [05/01/2006 06:46 AM C:\WINDOWS\system32\nwiz.exe]
"NVHotkey"="nvHotkey.dll" [05/01/2006 06:46 AM C:\WINDOWS\system32\nvhotkey.dll]
"Easy-PrintToolBox"="C:\Program Files\Canon\Easy-PrintToolBox\BJPSMAIN.exe" [01/14/2004 02:10 PM]
"AdobeVersionCue"="C:\Program Files\Adobe\Adobe Version Cue\ControlPanel\VersionCueTray.exe" [09/11/2003 09:22 AM]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe" [07/12/2007 04:00 AM]
"IntelZeroConfig"="C:\Program Files\Intel\Wireless\bin\ZCfgSvc.exe" [12/28/2005 11:55 AM]
"IntelWireless"="C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe" [12/28/2005 11:56 AM]
"BluetoothAuthenticationAgent"="bthprops.cpl" [08/04/2004 12:00 PM C:\WINDOWS\system32\bthprops.cpl]
"NeroFilterCheck"="C:\WINDOWS\system32\NeroCheck.exe" [07/09/2001 11:50 AM]
"Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [01/11/2008 10:16 PM]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"DAEMON Tools"="C:\Program Files\DAEMON Tools\daemon.exe" [09/18/2007 04:16 PM]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [08/04/2004 12:00 PM]
"H/PC Connection Agent"="C:\Program Files\Microsoft ActiveSync\wcescomm.exe" [11/13/2006 01:39 PM]

C:\Documents and Settings\DM\Start Menu\Programs\Startup\
WampServer.lnk - C:\wamp\wampserver.exe [6/27/2004 9:57:36 PM]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Adobe Gamma Loader.lnk - C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [7/16/2007 9:33:04 AM]
Microsoft Office.lnk - C:\Program Files\Microsoft Office\Office\OSA9.EXE [1/21/2000 10:15:54 AM]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"EnableLUA"=0 (0x0)

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer\Run]
"Windows Security Tool"=WinSecure.exe

SafeBoot registry key needs repairs. This machine cannot enter Safe Mode.

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\File system]
@="Driver Group"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\RpcSs]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\vgasave.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{4D36E967-E325-11CE-BFC1-08002BE10318}]
@="DiskDrive"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{4D36E96A-E325-11CE-BFC1-08002BE10318}]
@="Hdc"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{4D36E96B-E325-11CE-BFC1-08002BE10318}]
@="Keyboard"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{4D36E96F-E325-11CE-BFC1-08002BE10318}]
@="Mouse"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{4D36E97D-E325-11CE-BFC1-08002BE10318}]
@="System"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{71A27CDD-812A-11D0-BEC7-08002BE2092F}]
@="Volume"

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
bthsvcs BthServ


[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{2bed5be9-6d22-11dc-9926-0015c51594ff}]
Auto\command- F:\RavMonE.exe e
AutoRun\command- C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL RavMonE.exe e

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{b1848141-0ba6-11dc-8b74-806d6172696f}]
AutoRun\command- D:\setup.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{cec68e66-395d-11dd-99c8-0015c51594ff}]
AutoRun\command- F:\VMC_PBStarter.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{cec68e67-395d-11dd-99c8-0015c51594ff}]
AutoRun\command- F:\VMC_PBStarter.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{e45c8d64-0c1f-11dc-98cf-d9cdad6fed9d}]
AutoRun\command- F:\nideiect.com
explore\Command- F:\nideiect.com
open\Command- F:\nideiect.com




-- End of Deckard's System Scanner: finished at 2008-06-24 09:35:22 ------------
extra.txt

Deckard's System Scanner v20071014.68
Extra logfile - please post this as an attachment with your post.
--------------------------------------------------------------------------------

-- System Information ----------------------------------------------------------

Microsoft Windows XP Professional (build 2600) SP 2.0
Architecture: X86; Language: English

CPU 0: Genuine Intel® CPU T2500 @ 2.00GHz
CPU 1: Genuine Intel® CPU T2500 @ 2.00GHz
Percentage of Memory in Use: 42%
Physical Memory (total/avail): 1022.05 MiB / 586.67 MiB
Pagefile Memory (total/avail): 2458.56 MiB / 1933.5 MiB
Virtual Memory (total/avail): 2047.88 MiB / 1915.85 MiB

C: is Fixed (NTFS) - 93.16 GiB total, 12.11 GiB free.
D: is CDROM (CDFS)
E: is CDROM (No Media)

\\.\PHYSICALDRIVE0 - ST910021AS - 93.16 GiB - 1 partition
\PARTITION0 (bootable) - Installable File System - 93.16 GiB - C:



-- Security Center -------------------------------------------------------------

AUOptions is scheduled to auto-install.
Windows Internal Firewall is enabled.

FirstRunDisabled is set.
AntivirusOverride is set.

Unable to create WMI object.

-- Environment Variables -------------------------------------------------------

ALIAS_TRANSLATION_SERVICE_LOCATION=C:\Program Files\Alias\DirectConnect 1.0\
ALLUSERSPROFILE=C:\Documents and Settings\All Users
APPDATA=C:\Documents and Settings\DM\Application Data
CLIENTNAME=Console
CommonProgramFiles=C:\Program Files\Common Files
COMPUTERNAME=DANIELPLAPTOP
ComSpec=C:\WINDOWS\system32\cmd.exe
FP_NO_HOST_CHECK=NO
HOMEDRIVE=C:
HOMEPATH=\Documents and Settings\DM
LOGONSERVER=\\DANIELPLAPTOP
NUMBER_OF_PROCESSORS=2
OS=Windows_NT
Path=C:\PROGRA~1\Java\JRE16~1.0_0\bin;C:\Program Files\Internet Explorer;;C:\Program Files\Alias\Maya6.5\bin;C:\WINDOWS\system32;C:\WINDOWS;C:\WINDOWS\System32\Wbem;C:\Program Files\Common Files\Autodesk Shared\;C:\Program Files\backburner 2\;C:\Program Files\MBTrading\MBT Navigator;.
PATHEXT=.COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH
PROCESSOR_ARCHITECTURE=x86
PROCESSOR_IDENTIFIER=x86 Family 6 Model 14 Stepping 8, GenuineIntel
PROCESSOR_LEVEL=6
PROCESSOR_REVISION=0e08
ProgramFiles=C:\Program Files
PROMPT=$P$G
SESSIONNAME=Console
SystemDrive=C:
SystemRoot=C:\WINDOWS
TEMP=C:\DOCUME~1\DM\LOCALS~1\Temp
TMP=C:\DOCUME~1\DM\LOCALS~1\Temp
USERDOMAIN=DANIELPLAPTOP
USERNAME=DM
USERPROFILE=C:\Documents and Settings\DM
windir=C:\WINDOWS


-- User Profiles ---------------------------------------------------------------

Digital_Magic (admin)
DM (admin)
Administrator.DANIELPLAPTOP (new local, admin)


-- Add/Remove Programs ---------------------------------------------------------

--> "C:\Program Files\InstallShield Installation Information\{01958032-9877-4118-B87F-9EFA74B3F15F}\setup.exe"
--> MsiExec.exe /X{E9F81423-211E-46B6-9AE0-38568BC5CF6F}
--> rundll32.exe setupapi.dll,InstallHinfSection DefaultUninstall 132 C:\WINDOWS\INF\PCHealth.inf
Adobe Anchor Service CS3 --> MsiExec.exe /I{90176341-0A8B-4CCC-A78D-F862228A6B95}
Adobe Asset Services CS3 --> MsiExec.exe /I{6FF5DD7A-FE28-4439-B8CF-1E9AF4EA0A61}
Adobe Bridge CS3 --> MsiExec.exe /I{9C9824D9-9000-4373-A6A5-D0E5D4831394}
Adobe Bridge Start Meeting --> MsiExec.exe /I{08B32819-6EEF-4057-AEDA-5AB681A36A23}
Adobe Camera Raw 4.0 --> MsiExec.exe /I{B3BF6689-A81D-40D8-9A86-4AC4ACD9FC1C}
Adobe Captivate 3 --> MsiExec.exe /X{2E7B6B00-5ECD-49A1-8FD4-4B647C5D8027}
Adobe CMaps --> MsiExec.exe /I{A2B242BD-FF8D-4840-9DAA-9170EABEC59C}
Adobe Color Common Settings --> C:\Program Files\Common Files\Adobe\Installers\6c8e2cb4fd241c55406016127a6ab2e\Setup.exe
Adobe Color Common Settings --> MsiExec.exe /I{6D4AC5A4-4CF9-4F90-8111-B9B53CE257BF}
Adobe Color EU Extra Settings --> MsiExec.exe /I{51846830-E7B2-4218-8968-B77F0FF475B8}
Adobe Color JA Extra Settings --> MsiExec.exe /I{DD7DB3C5-6FA3-4FA3-8A71-C2F2940EB029}
Adobe Color NA Recommended Settings --> MsiExec.exe /I{95655ED4-7CA5-46DF-907F-7144877A32E5}
Adobe Creative Suite --> C:\PROGRA~1\INSTAL~1\{D52EC~1\setup.exe /Relaunched=yes /Uninstall /Relaunched=yes
Adobe Device Central CS3 --> MsiExec.exe /I{8D2BA474-F406-4710-9AE4-D4F22D21F0DD}
Adobe ExtendScript Toolkit 2 --> C:\Program Files\Common Files\Adobe\Installers\3e054d2218e7aa282c2369d939e58ff\Setup.exe
Adobe ExtendScript Toolkit 2 --> MsiExec.exe /I{77D2A9D3-5800-43E3-B274-87841BC87DB2}
Adobe Flash CS3 --> MsiExec.exe /I{C614ED97-4594-4BE7-B6A4-471CDB77E8E0}
Adobe Flash CS3 Professional --> C:\Program Files\Common Files\Adobe\Installers\aef45239e3987fdf2a5e406d559eb22\Setup.exe
Adobe Flash Player 9 ActiveX --> C:\WINDOWS\system32\Macromed\Flash\FlashUtil9c.exe -uninstallUnlock
Adobe Flash Player 9 ActiveX --> MsiExec.exe /X{BC4F8E84-5E29-49EC-B4E7-E6F9CB50986C}
Adobe Flash Player 9 Plugin --> MsiExec.exe /X{88D422DB-E9C7-4E16-9D80-2999F4FD6AD9}
Adobe Flash Video Encoder --> MsiExec.exe /I{2EFFFC71-1E66-454E-A6E6-CEEC800B96D2}
Adobe Help Viewer CS3 --> MsiExec.exe /I{04AF207D-9A77-465A-8B76-991F6AB66245}
Adobe InDesign CS --> RunDll32 "C:\Program Files\Common Files\InstallShield\Professional\RunTime\0701\Intel32\ctor.dll",LaunchSetup "C:\Program Files\InstallShield Installation Information\{416DFEDD-9F1B-4EFC-AF70-FCA891AE0251}\zidxp.exe"
Adobe Linguistics CS3 --> MsiExec.exe /I{54793AA1-5001-42F4-ABB6-C364617C6078}
Adobe PDF Library Files --> MsiExec.exe /I{D2559B88-CC9D-4B48-81BB-F492BAA9C48C}
Adobe Photoshop CS --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\0701\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{EFB21DE7-8C19-4A88-BB28-A766E16493BC}\setup.exe" -l0x9
Adobe Reader 8.1.2 --> MsiExec.exe /I{AC76BA86-7AD7-1033-7B44-A81200000003}
Adobe Setup --> MsiExec.exe /I{2274624C-5B38-41AD-AD27-CEC0924EB628}
Adobe Setup --> MsiExec.exe /I{5D346AB1-7910-4115-B61B-468237D86C6B}
Adobe Setup --> MsiExec.exe /I{64C1FA9A-FA94-4B6E-B3E4-8573738E4AD1}
Adobe Setup --> MsiExec.exe /I{8AE03988-8C8C-40EE-BDC7-76781BEF1B1D}
Adobe Stock Photos CS3 --> C:\Program Files\Common Files\Adobe\Installers\cbb2ea61da9c780bd7e47a5230a9ed7\Setup.exe
Adobe Stock Photos CS3 --> MsiExec.exe /I{29E5EA97-5F74-4A57-B8B2-D4F169117183}
Adobe Type Support --> MsiExec.exe /I{8E6808E2-613D-4FCD-81A2-6C8FA8E03312}
Adobe Update Manager CS3 --> MsiExec.exe /I{E69AE897-9E0B-485C-8552-7841F48D42D8}
Adobe Version Cue CS3 Client --> MsiExec.exe /I{D0DFF92A-492E-4C40-B862-A74A173C25C5}
Adobe WinSoft Linguistics Plugin --> MsiExec.exe /I{184CE391-7E0E-4C63-9935-D7A10EDFD3C6}
African Palace Casino --> "C:\Casino\African Palace Casino\_SetupCasino.exe" /uninstall
AstroPop 1.0.0.1 --> C:\WINDOWS\iun6002.exe "C:\AstroPop\irunin.ini"
Atari800Win PLus 4.0 --> C:\Program Files\Atari800WinPLus\Uninstall.exe
Atmosphere Deluxe v6.0 --> "C:\Program Files\Atmosphere Deluxe\unins000.exe"
AviSynth 2.5 --> "C:\Program Files\AviSynth 2.5\Uninstall.exe"
AVStoDVD --> C:\Program Files\AVStoDVD\uninstall.exe
Azgard --> C:\Program Files\Microsoft ActiveSync\Azgard\Uninstall.exe Azgard
BitTorrent 6.0 --> C:\Program Files\BitTorrent\uninst.exe
Canon PIXMA iP1000 --> C:\WINDOWS\system32\CNMCP6e.exe "-PRINTERNAMECanon PIXMA iP1000" "-HELPERDLLC:\BJPrinter\CNMWINDOWS\Canon PIXMA iP1000 Installer\Inst2\cnmis.dll" "-RCDLLC:\BJPrinter\CNMWINDOWS\Canon PIXMA iP1000 Installer\Inst2\cnmi0409.dll"
Canon Utilities Easy-PhotoPrint --> C:\Program Files\Canon\Easy-PhotoPrint\uninst.exe C:\Program Files\Canon\Easy-PhotoPrint\uninst.ini
Canon Utilities Easy-PrintToolBox --> C:\WINDOWS\BJPSUNST.EXE
CorePlayer Mobile for PocketPC (remove only) --> C:\Program Files\CoreCodec\CorePlayer Mobile for PocketPC\Uninstall.exe
Dreamway for Pocket PC --> "C:\Program Files\Microsoft ActiveSync\Dreamway\uninstall.exe"
DVD Shrink 3.2 --> "C:\Program Files\DVD Shrink\unins000.exe"
Easy-WebPrint --> C:\WINDOWS\IsUninst.exe -f"C:\Program Files\Canon\Easy-WebPrint\Uninst.isu"
EVE-ONLINE (remove only) --> C:\Program Files\CCP\EVE\Uninstall.exe
Google Earth --> MsiExec.exe /I{1E04F83B-2AB9-4301-9EF7-E86307F79C72}
Groschengrab 2 --> C:\Program Files\Groschengrab 2\Uninstal.exe
High Definition Audio Driver Package - KB835221 --> C:\WINDOWS\$NtUninstallKB835221WXP$\spuninst\spuninst.exe
Intel® PROSet/Wireless Software --> C:\WINDOWS\Installer\iProInst.exe
IPWireless PC Software --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\0701\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{4F44A780-2D5D-11D4-AD0C-00C04F619538}\setup.exe" -l0x9
Java™ 6 Update 2 --> MsiExec.exe /I{3248F0A8-6813-11D6-A77B-00B0D0160020}
Joost ™ 0.12.0 --> C:\Program Files\Joost\uninst.exe
K-Lite Codec Pack 3.1.0 Full --> "C:\Program Files\K-Lite Codec Pack\unins000.exe"
Macromedia Extension Manager --> MsiExec.exe /I{5546CDB5-2CE2-498B-B059-5B3BF81FC41F}
Macromedia Flash 8 Video Encoder --> MsiExec.exe /X{8BF2C401-02CE-424D-BC26-6C4F9FB446B6}
Macromedia Flash Player 8 --> MsiExec.exe /X{885A63EA-382B-4DD4-A755-14809B8557D6}
Macromedia Flash Player 8 Plugin --> MsiExec.exe /X{91057632-CA70-413C-B628-2D3CDBBB906B}
Maya 6.5 --> MsiExec.exe /I{17B41A19-7FD5-4B0C-A2AB-1A065669F8A3}
MBT Navigator --> C:\PROGRA~1\MBTRAD~1\MBTNAV~1\UNWISE.EXE C:\PROGRA~1\MBTRAD~1\MBTNAV~1\INSTALL.LOG
mCore --> MsiExec.exe /I{E81667C6-2856-46D6-ABEA-6A2F42166779}
mDriver --> MsiExec.exe /I{A0F925BF-5C55-44C2-A4E7-5A4C59791C29}
mDrWiFi --> MsiExec.exe /I{F6090A17-0967-4A8A-B3C3-422A1B514D49}
mHlpDell --> MsiExec.exe /I{49D687E5-6784-431B-A0A2-2F23B8CC5A1B}
Microsoft ActiveSync --> MsiExec.exe /I{99052DB7-9592-4522-A558-5417BBAD48EE}
Microsoft Office 2000 SR-1 Premium --> MsiExec.exe /I{00000409-78E1-11D2-B60F-006097C998E7}
Microsoft Silverlight --> MsiExec.exe /I{89F4137D-6C26-4A84-BDB8-2E5A4BB71E00}
Microsoft Visual C++ 2005 Redistributable --> MsiExec.exe /X{7299052b-02a4-4627-81f2-1818da5d550d}
Miranda IM 0.6.8 --> C:\Program Files\Miranda IM\uninstall.exe
mIWA --> MsiExec.exe /I{3E9D596A-61D4-4239-BD19-2DB984D2A16F}
mLogView --> MsiExec.exe /I{0E2B0B41-7E08-4F9F-B21F-41C4133F43B7}
mMHouse --> MsiExec.exe /I{F0BFC7EF-9CF8-44EE-91B0-158884CD87C5}
mPfMgr --> MsiExec.exe /I{8B928BA1-EDEC-4227-A2DA-DD83026C36F5}
mPfWiz --> MsiExec.exe /I{90B0D222-8C21-4B35-9262-53B042F18AF9}
mProSafe --> MsiExec.exe /I{23FB368F-1399-4EAC-817C-4B83ECBE3D83}
mSSO --> MsiExec.exe /I{06BE8AFD-A8E2-4B63-BAE7-287016D16ACB}
mWlsSafe --> MsiExec.exe /I{FCA651F3-5BDA-4DDA-9E4A-5D87D6914CC4}
mWMI --> MsiExec.exe /I{63DB9CCD-2B56-4217-9A3D-507AC78320CA}
mXML --> MsiExec.exe /I{9CC89556-3578-48DD-8408-04E66EBEF401}
mZConfig --> MsiExec.exe /I{94658027-9F16-4509-BBD7-A59FE57C3023}
Nero 6 Ultra Edition --> C:\Program Files\Ahead\nero\uninstall\UNNERO.exe /UNINSTALL
NetLimiter 2 Pro (remove only) --> "C:\Program Files\NetLimiter 2 Pro\nl2uninst.exe"
NingPo MahJong Deluxe 1.04 --> C:\Program Files\PopCap Games\NingPo MahJong Deluxe\UnGins.exe "C:\Program Files\PopCap Games\NingPo MahJong Deluxe\install.log"
NVIDIA Drivers --> C:\WINDOWS\system32\nvudisp.exe UninstallGUI
OmniGSoft Super-G Stunt 1.0 --> C:\Program Files\Microsoft ActiveSync\OmniGSoft Super-G Stunt 1.0\Uninstall.exe OmniGSoft Super-G Stunt 1.0
OZ776 SCR CardBus Windows Driver --> C:\PROGRA~1\COMMON~1\INSTAL~1\Driver\1050\INTEL3~1\IDriver.exe /M{2D91C34E-12CC-4B1B-90D5-31DAD47B6F48} /l1033
PDF Settings --> MsiExec.exe /I{AC5B0C19-D851-42F4-BDA0-410ECF7F70A5}
Peggle (remove only) --> C:\Program Files\Peggle\Uninstall.exe
Pixelus Deluxe 1.0 --> C:\Program Files\PopCap Games\Pixelus Deluxe\PopUninstall.exe "C:\Program Files\PopCap Games\Pixelus Deluxe\Install.log"
PPP over Ethernet Protocol 0.98 --> C:\WINDOWS\system32\RASPPPOE.EXE /REMOVE
Process Master 1.1 --> "C:\Program Files\Process Master\unins000.exe"
Real Alternative 1.22 --> "C:\Program Files\Real Alternative\unins000.exe"
Rocket Mania 1.0 --> C:\Program Files\PopCap Games\Rocket Mania Deluxe\PopUninstall.exe "C:\Program Files\PopCap Games\Rocket Mania Deluxe\Install.log"
Sentinel System Driver --> C:\WINDOWS\SYSTEM32\RNBOSENT\SETUPX86.EXE /U /q
SigmaTel Audio --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\10\01\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{A462213D-EED4-42C2-9A60-7BDD4D4B0B17}\setup.exe" -l0x9 -remove -removeonly
Simcity 2000 for Pocket PC --> C:\WINDOWS\IsUninst.exe -f"C:\Program Files\Microsoft ActiveSync\ZIO\Simcity 2000 for Pocket PC\Uninst.isu"
SimCity 4 Rush Hour --> C:\Program Files\Maxis\SimCity 4\EAUninstall.exe
Skype™ 3.6 --> MsiExec.exe /X{5C82DAE5-6EB0-4374-9254-BE3319BA4E82}
Skype™ for Pocket PC 2.2 --> "C:\Program Files\Microsoft ActiveSync\Skype for Pocket PC\unins000.exe"
Snake Deluxe --> C:\Program Files\Microsoft ActiveSync\Snake Deluxe\Uninstall.exe Snake Deluxe
Spb Quadronica --> C:\Program Files\Microsoft ActiveSync\Spb Quadronica\Uninstall.exe Spb Quadronica
TightVNC 1.2.9 --> "C:\Program Files\TightVNC\unins000.exe"
UV DirectShow Pack --> "C:\WINDOWS\Uninstall_UV_DirectShow_Pack.exe"
Ventrilo Client --> MsiExec.exe /I{789289CA-F73A-4A16-A331-54D498CE069F}
Video Converter 3 --> C:\Program Files\Xilisoft\Video Converter 3\Uninstall.exe
VideoLAN VLC media player 0.8.2 --> C:\Program Files\VideoLAN\VLC\uninstall.exe
VirtualNetwork --> "C:\Program Files\VirtualNetwork\Uninstall.exe"
Vodafone Mobile Connect Lite Runtime Components --> MsiExec.exe /X{B2974D26-9080-4FA4-B344-DA2D314F41DC}
WAMP5 1.6.5 --> c:\wamp\unins000.exe
Windows Mobile Resources --> C:\Program Files\Windows Mobile Resources\Windows Mobile Device Handbook\Bin\DHUninstall.exe
WinPcap 3.01 alpha --> "C:\Program Files\WinPcap\Uninstall.exe" "C:\Program Files\WinPcap\install.log"
WinRAR archiver --> C:\Program Files\WinRAR\uninstall.exe
ZBrush3 --> MsiExec.exe /I{6084D038-3401-4C9D-A216-86E6EEA25AFB}


-- Application Event Log -------------------------------------------------------

Event Record #/Type4575 / Error
Event Submitted/Written: 06/22/2008 08:18:07 PM
Event ID/Source: 1000 / Application Error
Event Description:
Faulting application nlclient.exe, version 1.0.14.1, faulting module rpcrt4.dll, version 5.1.2600.3173, fault address 0x000085f7.
Processing media-specific event for [nlclient.exe!ws!]

Event Record #/Type4567 / Error
Event Submitted/Written: 06/22/2008 08:11:46 PM
Event ID/Source: 1002 / Application Hang
Event Description:
Hanging application notepad.exe, version 5.1.2600.2180, hang module hungapp, version 0.0.0.0, hang address 0x00000000.

Event Record #/Type4566 / Error
Event Submitted/Written: 06/22/2008 08:07:46 PM
Event ID/Source: 1002 / Application Hang
Event Description:
Hanging application notepad.exe, version 5.1.2600.2180, hang module hungapp, version 0.0.0.0, hang address 0x00000000.

Event Record #/Type4558 / Error
Event Submitted/Written: 06/21/2008 05:38:15 PM
Event ID/Source: 1802 / SecurityCenter
Event Description:
The Windows Security Center Service was unable to establish event queries with WMI to monitor third party AntiVirus and Firewall.

Event Record #/Type4547 / Error
Event Submitted/Written: 06/21/2008 08:54:14 AM
Event ID/Source: 1802 / SecurityCenter
Event Description:
The Windows Security Center Service was unable to establish event queries with WMI to monitor third party AntiVirus and Firewall.



-- Security Event Log ----------------------------------------------------------

No Errors/Warnings found.


-- System Event Log ------------------------------------------------------------

Event Record #/Type100805 / Warning
Event Submitted/Written: 06/24/2008 09:28:15 AM
Event ID/Source: 30 / RMSPPPOE
Event Description:
Received a PPPoE Active Discovery Session-confirmation packet without a Host Unique ID tag.
Ignoring this packet.

Event Record #/Type100803 / Warning
Event Submitted/Written: 06/24/2008 09:28:13 AM
Event ID/Source: 30 / RMSPPPOE
Event Description:
Received a PPPoE Active Discovery Session-confirmation packet without a Host Unique ID tag.
Ignoring this packet.

Event Record #/Type100801 / Warning
Event Submitted/Written: 06/24/2008 09:28:11 AM
Event ID/Source: 30 / RMSPPPOE
Event Description:
Received a PPPoE Active Discovery Session-confirmation packet without a Host Unique ID tag.
Ignoring this packet.

Event Record #/Type100799 / Warning
Event Submitted/Written: 06/24/2008 09:28:09 AM
Event ID/Source: 30 / RMSPPPOE
Event Description:
Received a PPPoE Active Discovery Session-confirmation packet without a Host Unique ID tag.
Ignoring this packet.

Event Record #/Type100797 / Warning
Event Submitted/Written: 06/24/2008 09:28:07 AM
Event ID/Source: 30 / RMSPPPOE
Event Description:
Received a PPPoE Active Discovery Session-confirmation packet without a Host Unique ID tag.
Ignoring this packet.



-- End of Deckard's System Scanner: finished at 2008-06-24 09:35:22 ------------

Edited by danonne, 24 June 2008 - 03:04 AM.



#2 danonne

danonne
  • Topic Starter

  • Members
  • 5 posts
  • OFFLINE
  • Gender:Male
  • Location:South Africa
  • Local time:10:41 PM

Posted 25 June 2008 - 03:26 AM

Hello again,

The reason I am posting a reply to my own post is that I want it off the "needs attention" list.
I decided to go the route of formatting my hard drive. I backed up the files I need and am now in the process of reinstalling Windows (after having done a full NTFS format). However, if anybody can shed some light on what the hell this thing was, please let me know, especially if you can help me with the following questions:

I want to make sure that this thing did not keep itself in the MBR. Is there anything I can do to clean it or fix it, or at least check? (Other than a low-level format.)

I copied all the files I wanted to keep (videos, music, stand-alone programs) to an external HD. I know exactly what file the virus came from, so I didn't copy that one, and I obviously did not copy any system or program files. Is there a high chance of the malware coming across with the other files?

Once I reinstall Windows and get an antivirus program on it, and I plug in the external drive: if the virus is there, will it jump across, or will I be able to safely scan the drive before doing anything?

Thank you all for your help and keep up the good work!

Dan

#3 suebaby41

suebaby41

    W.A.M. (Women Against Malware)


  • Malware Response Team
  • 6,248 posts
  • OFFLINE
  • Gender:Female
  • Location:South Carolina, USA
  • Local time:04:41 PM

Posted 17 July 2008 - 02:58 PM

Welcome to the BleepingComputer Forums. Since it has been a few days, please post a new Deckard's System Scanner which includes the HijackThis log. Please see Preparation Guide for use before posting about your potential Malware problem. Thank you for your patience.

If you have already posted this log at another forum or if you decide to seek help at another forum, please let us know. There is a shortage of helpers and taking the time of two volunteer helpers means that someone else may not be helped.
You don't stop laughing when you get old; you get old when you stop laughing.
A Member of U-N-I-T-E (Unified Network of Instructors and Trained Eliminators)
Malware Removal University Masters Graduate

Join The Fight Against Malware
No reply within 5 days will result in your topic being closed. If you need more time, please let me know by posting in this topic so that your topic will not be closed.

#4 danonne

danonne
  • Topic Starter

  • Members
  • 5 posts
  • OFFLINE
  • Gender:Male
  • Location:South Africa
  • Local time:10:41 PM

Posted 18 July 2008 - 02:12 AM

Hey,

Since then, I have already formatted my computer and reinstalled everything I need... I felt that my computer needed a fresh start anyway.
So thanks for your reply but I am sorted now!

Keep up the good work!

#5 suebaby41

suebaby41

    W.A.M. (Women Against Malware)


  • Malware Response Team
  • 6,248 posts
  • OFFLINE
  • Gender:Female
  • Location:South Carolina, USA
  • Local time:04:41 PM

Posted 19 July 2008 - 07:04 PM

Thank you for letting me know. If we can help you in the future, please let us know.

This subject is now closed. If you need this topic reopened, please contact a member of the HJT Team and we will reopen it for you. Include the address of this thread in your request. If you should have a new issue, please start a new topic. This applies only to the original topic starter. Everyone else please begin a New Topic.
